compilers, memory errors and hardening techniques · advanced compiler design, 18.5.2016 antonio...
TRANSCRIPT
Advanced Compiler Design, 18.5.2016
Antonio Hüseyin BarresiCo-founder & CEOxorlab AG
Compilers, Memory Errors and Hardening Techniques
1
2
http://knowledge.zurich.com/risk-interconnectivity/time-to-wake-up-to-the-risks-of-cyber-crime
Executive Opinion Survey 2015
3
What does that have to do with
Compilers?
4
This talk
• Cyber attacks and compilers
• Memory errors and exploitation
• Hardening techniques and run-time security
6
Cyber attacks cost the world economy >400 $ billion yearly
Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014
7
Cyber crime is a growth industry
Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014
8
•
• Direct financial losses, loss of competitivenessand other impact
• High-income countries suffer the most
• 0.9% of GDP in average
• Loss of 5.8 Bn CHF (CH 2013, GDP 646 Bn CHF)
Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014
9
Example
100 banks, 30 countries, 2 years
$1 Billion
10
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
11
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
12
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
13
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
14
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
15
The great bank robbery
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
16
-2012-0158 is a buffer overflowVulnerability in the ListView / TreeView
ActiveX controls in the MSCOMCTL.OCX library
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
17
Exploit and Zero-Day Attack
Exploit = exploit is a piece of software, a chunk of
data, or a sequence of commands that takes advantage
of a bug
Zero-Day Attack = zero-day attack or threat is an
attack that exploits a previously unknown vulnerability in
http://en.wikipedia.org/wiki/Exploit_(computer_security)http://en.wikipedia.org/wiki/Zero-day_attack
18
Software attacks
• Attacking software is an important capability for attackers
• Scales well
• Can be done remotely
• Very powerful
19
Arbitrarycode-execution
20
Goal of an attacker
21
22
Most important thing
Profitability
23
Profit
Revenue (Costs + expenses + taxes)
24
Cyber criminals
• Have costs and expenses too!
• An economic decision
• Fighting cyber crime meanslimiting its profitability
25
Cyber criminals
• Have costs and expenses too!
• An economic decision
• Fighting cyber crime meansprofitability
26
Software hardening
• Compile and run-time techniques
• To make software exploitation harder
• But also slower
Exploit mitigations since the 90s
27
1972 1988 1996 2000 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
The Anderson Report
MorrisWorm
/GSSEH Overwrite
/SAFESEH
DEPLin + Win
XP SP2/GS/SAFESEH
ASLRWindowsVista
Integrity levelsWindows Vista
ASLRLinux
Advancedret2libcPaX ASLR
PaX PAGEEXEC
Smashingthe stack
StackGuardret2libc
vtguardWin8 + IE10
ROPGuard
Win8 «Sandbox»Win32k lockdown +App Container
Fully enforced
ASLR
NozzleHeap spraying protection
Heap spraying in browsers
EMET 5.2
Control Flow GuardVS15 +Win10 or 8.1 U3
ROP JOP + COP
Attacker Return
28
Mitigating Software Vulnerabilities, July 2011, Microsoft
Attacker Return
29
Mitigating Software Vulnerabilities, July 2011, Microsoft
Increase costs
Hardening value chain
30
SourceCompiler &
Linker BinaryHardware
Operating system
Application
Run-time libraries
Hardening value chain
31
SourceCompiler &
Linker BinaryHardware
Operating system
Application
Run-time librariesStack canaries
Pointer obfuscation
Compiler warnings
/SAFESEH/GS
vtguard & Virtual Table Verification
Control-flow guardStaticanalysis tools
NX-bit for DEP
DEP & ASLR
DEP & ASLR
Sandboxing
SEHOP
GOT protection
Hardened heap
Heap-spraying protection
Compiler optimizations
Annotations
ROP mitigations (EMET)
32
Software attacks
Victim Attacker
Exploits memory error within
vulnerable victim software
Runs a vulnerable web
server software
Runs an exploit that triggers a
memory error within the web
server software
$>./exploit 192.168.1.28
Runs a malicious web server
serving HTML documents that
trigger a memory error within
the web browser
Sends a malicious
PDF attachement by
GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>
Runs a vulnerable web
browser or PDF reader
Attacks
33
Memory corruption
34
•
• C/C++
• Two basic types exist
• Spatial and temporal memory errors
• Allow attackers to corrupt memory in a more or less controllable way
Allow low-level access to memory
• Typed pointers & pointer arithmetic
• No automatic bounds checking / index checking
Weakly enforced typing
• Cast (almost) anything to pointers
Explicit memory management
• Like malloc() & free() in C
«Unsafe» languages
35
#include <stdio.h>#include <math.h>
long computation(int x, int y, int z, double f) {return (long)(((x*y)/z)*sin(f));
}
void main(){
*(int*)computation(32, 64, 2, M_PI/6) = 128;return;
}
shell:~$ gcc -o segfault segfault.c -lmshell:~$ ./segfaultSegmentation fault (core dumped)shell:~$
«Unsafe» languages - C
36
#include <stdio.h>#include <string.h>
#define STDIN 0
void vulnFunc() {char buf[1024];read(STDIN, buf, 2048);
}
shell:~$ gcc -o vuln vuln.c -fno-stack-protectorshell:~$ ./vulnread> hi there!shell:~$ ./vulnread> AAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA...Segmentation fault (core dumped)shell:~$
void main() {printf("read> ");vulnFunc();return;
}
«Unsafe» languages - C
37
Spatial error Temporal error
Array / Object
[out of bounds]
start
*ptr
Array / Object
• De-reference pointer that is out of bounds
• De-reference pointer to freed memory
*ptr
Types of memory errors
38
Spatial error Temporal error
Array / Object
Attacker supplied dataoverwrites/reads data/pointers
• Overwrite data or pointers
• Used or de-referenced later
• Make application allocate memory in the freed area
• Used as old type
Attacker supplied dataused as wrong type
*ptr
*ptrstart
Exploiting memory errors
39
Overwrite data or pointers
• That might be used to overwrite data or pointers
• Function pointers, sensitive data, index values, control-flow sensitive data etc.
Leak information
• E.g., corrupt a length field
Construct attacker primitives
• Write primitive (write any value to arbitrary address)
• Read primitive (read from any address)
Attackers use memory errors to
40
• Out-of-bounds bugs / Buffer overflows
• On stack or heap
• Dangling pointer / Use-after-free
• Integer bugs, signedness bugs
• Format string bugs
• Uninitialized memory
• NULL pointer dereference
Types of bugs
41
Victim Attacker
<html><head></head><body>... <html or javascript thattriggers the memory corruptionvulnerability> ...</body></html>
0xe8a0f000
Heap
Corrupted
0x41414141
Code
Stack
Write primitive
*0xe8a0f000 = 0x41414141
Memory corruption attack
42
43http://www.cs.berkeley.edu/~dawnsong/papers/Oakland13-SoK-CR.pdf
• Code corruption attack
• Control-flow hijack attack
• Data-only attack
• Information leak
Attack types
• Most powerful attack
• Hijack control-flow
• To attacker supplied arbitrary machine code
• To existing code (code-reuse attack)
• Corrupt code pointers
• Return addresses, function pointers, vtable entries, exception handlers, jmp_bufs
Control-flow hijack attack
44
Most ISAs support indirect branch instructions
E.g., x86 ret, indirect jmp, indirect call
branch *fptrfptr: 0xafe08044
Code
0x8056b30
good_func:0x08056b30
Control-flow hijack attack
45
fptr corrupted by attacker
branch *fptr
Attacker goal: hijack control-flow to injected
fptr: 0xafe08044
Code
Corrupted
evil_code:
Control-flow hijack attack
46
0x00000000
0xffffffff
%eip
0x084a4504
Code
Heap
Stack
0x084a4504
call *0xe0fa4404
func:
0xe0fa4404
0x00000000
0xffffffff
0x084a4504
0xe0fa4404
Code
Heap
Stack
0xfffc8408
call *0xe0fa4404
func:
AttackerCode
0xfffc8408
%eip
Indirect call to func() Hijacked indirect call
Control-flow hijack attack
47
0x00000000
0xffffffff
Code
Heap
Stack
call/jmp/ret
attackercode &
data
attackercode &
data
<code from binary>
rw-
rw-
r-x
Make data regions non-executable(by default)
Changing protection flags or allocating rwx memory still possible
Required for JITs
Non-eXecutable data (NX)
48
Code regions will be non-writable
• Else code corruption attacks possible
Also known as
• Data Execution Prevention (DEP) on Windows
• NX, Non-eXecutable Memory on Linux
• W^X, on OpenBSD
Implemented by hardware where available (NX-bit)
Non-eXecutable data (NX)
49
Binary images need to provide separate sections / segments that can be mapped exclusively as
• rw- OR r-x
• Linker support required
Self-modifying code not allowed
• Compiler support required
• If code is generated just-in-time,explicit rwx allocation required
NX / DEP implementation issues
50
0x00000000
0xffffffff
Code
Heap
Stackattackercode &
data
attackercode &
data
rw-
rw-
r-x
Only use existing code
Code-reuse attack
• ret2libc, ret2bin, ret2*
• Return-oriented programming (ROP)
• Jump/Call-oriented programming
Use code-reuse technique to change protection flags
Make memory executable• mprotect/VirtualProtect
• mmap/VirtualAlloc
Bypassing NX / DEP
51
Stack during vulnFunc()
%ebp
%esp
void vulnFunc() {char buf[1024];read(STDIN, buf, 2048);
}
Stack after read()
%ebp
%esp
Stack-based buffer overflow
%eip and %ebp under control
Local variables and buffers under attacker control
arguments
return address
saved ebp
return address
saved ebp
buf[1024]
main() stack frame
rw-
arguments
return address
saved ebp
overwritten retaddr
overwritten ebp
buf[1024]
overwritten frame
rw-
Code-reuse attack
52
Stack after read()
%ebp
%esp
Before NX/DEP
Return to attacker supplied code
Shellcode
Use existing code
Executable or librariesE.g., mprotect()
arguments
return address
saved ebp
overwritten retaddr
overwritten ebp
buf[1024]
AttackerCode
“Shellcode“
overwritten frame
rw-
Code-reuse attack
53
Stack after read()
%ebp
%esp
Let's call mprotect()
mprotect(address_shellcode, 4096, 0x1|0x2|0x4)
0x1 | 0x2 | 0x4 = RWX
mprotect() will make the stackexecutable
and return to our shellcode
arguments
return address
saved ebp
address mprotect()
dummy ebp
buf[1024]
AttackerCode
“Shellcode“
address shellcode
4096
0x1|0x2|0x4
rw-
Code-reuse attack
54
Stack after mprotect()
%ebp
%esp
After mprotect() our stack is executable again
mprotect() will return to our shellcode
x64 or ARM:
Fill registers with parameters before invoking mprotect()
arguments
return address
saved ebp
address mprotect()
dummy ebp
buf[1024]
AttackerCode
“Shellcode“
address shellcode
4096
0x1|0x2|0x4
rwx
Code-reuse attack
55
%ebp
%esp
Use available code snippets endingwith ret instruction
Called gadgets / ROP chain
E.g., write primitive
Code
arguments
return address
saved ebp
address gadget1
dummy ebp
buf[1024]
value
address gadget2
address
rw-
dummy value
address gadget3
address gadget4
r-x
pop %edx;ret;
1
pop %eax;pop %ebx;ret;
2
mov %edx, (%eax);mov $0x0, %eax;ret;
3
Return-oriented programming
56
• Turing complete although not required
• Can be initiated over call or jmp as well
• Need to be in control of memory %esp is pointing to
Or make %esp point to area under control
• Also possible with jmp or call gadgets
Return-oriented programming
57
To hijack control-flow or to corrupt memory an attacker needs to know where things are in memory
Addresses of data or pointers to corrupt
Addresses of injected shellcode/payload
Addresses of gadgets
Addresses in memory
58
Once upon a time...
Addresses were more or less predictable
Executables and libraries were prelinked to certain addresses
Stack and Heap base addresses were fixed
• With differences at runtime for specific locationsdue to the dynamic behaviour of the process
Addresses in memory
59
Today most Operating Systems implementAddress Space Layout Randomization
Randomize memory layout of processes to makeaddress prediction or guessing hard
What can be randomized?
• OS: Stack, heap and memory mapping base addresses
• OS, compiler, linker: Exectuables and libraries• Position-independent or relocatable code
ASLR
60
0x00000000
0xffffffff
mm base range
Executable
Heap
Stack
Library 2
Library 1
Memory Mapping
heap base range
stack base range
libraries base range
executable base range
aligned
page-aligned
page-aligned
page-aligned
page-aligned
Use source of randomness to randomize within ranges
Randomization of layout
61
In general: Usage of fixed addresses not allowed
Code should be position-independent or relocatable
Linux/ELF:• PIC & PIE supported, libraries all PIC, executables sometimes still prelinked
Windows/PE:• No PIC support! But libraries/executables relocatable!
x86 32bit PIE/PIC slower, no IP relative data addressing
Relocated PE images not sharable between processes
ASLR implementation issues
62
Enough entropy?
• Base range size
• Alignment constraints
• Address width (64bit is better than 32bit)
Randomization strategy
Per process, system-wide per boot
Source of randomness
ASLR only effective without exceptions
ASLR effectiveness
63
Low entropy
Brute-force addresses (multiple attempts required)
Memory leaks (information disclosure)
Leak addresses to derive base addresses
Construct and enforce a leak by memory corruption
Application and vulnerability specific attacks
Force predictable memory state
• Heap-spraying / Heap massaging
Pointer inference
• Use a side-channel
Avoid using exact addresses
• Only corrupt least significant bytes i.e. offsets
Bypassing ASLR
64
Victim Attacker
GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>
HTTP/1.1 200 OKDate: Fri, 12 Mar 2014 23:59:00 GMTContent-Type: text/htmlContent-Length: 1354Allow: GET,POST,OPTIONS,HEADCache-Control: public,max-age=30<binary data... 0x414162320xffed4460 0x77ff2332 0x...>
<html><head>...
Heap
Code
Stack
0xffed4460
GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>
1
2
3
Trigger memory leak
Parse response for leaked memoryand construct exploit
Exploit memory error withtailored exploit
Runs web server software with
memory leak and exploitable
memory corruption
vulnerability
Memory leak
65
arguments
return address
saved ebp
address mprotect()
dummy ebp
buf[1024]Attacker
Code“Shellcode“
address shellcode
4096
0x1|0x2|0x4
rwx
vulnExecutable
Heap
Stack
libc
libc data
0x0efa4604
mprotect:
0x0efa4604
0x0ebb0880
0x0dfff000libc base
?
static offset
mprotect = leaked pointer – static offset
0x0ebb0880 = 0x0efa4604 - 0x003f3d84
Memory leak
66
void memLeak() {char buf[256];scanf("%s", buf);printf(buf);
}
shell:~$ gcc -o memleak memleak.cmemleak.c: In function ‘memLeak’:memleak.c:9:2: warning: format not a string literal and no format arguments [-Wformat-security]shell:~$ ./memleakecho> hihishell:~$ ./memleakecho> %llx,%llx,%llx,%llx,%llx,%llx,%llx,%llx1,7fabf517cac0,a,ffffffff,0,6c6c252c786c6c25,252c786c6c252c78,786c6c252c786c6cshell:~$
void main() {printf("echo> ");memLeak();printf("\n");return;
}
Memory leak format string bug
67
http://en.wikipedia.org/wiki/HeartbleedSimplified Heartbleed explanation by FenixFeather licensed under CC
Heartbleed CVE-2014-0160 - OpenSSL
68
Constructed arbitrary readCVE-2011-2371 Firefox vulnerability
69
DEP & ASLR are generic defenses
Exploitation becomes harder for all vulnerability classes &attack techniques
Together quite effective• If implemented correctly
Injecting code and corrupting pointers with exact addresses is in general desirable for attackers
DEP & ASLR
70
A determined attacker will use code-reuse
techniques and memory leaks to bypass
DEP & ASLR.
DEP & ASLR are not enough
71
Raise exploit development costs with additional protections
• The more line of defenses, the better!
• Implement protections against specific vulnerability classes and exploitation techniques
Additional protections
72
May require source code changes (annotations)and/or recompilation of the application
Compile-time and checks at run-time
Additional protections
73
• Stack canaries / cookies
• Pointer obfuscation
• /GS
• /SAFESEH (link-time, provide list ofvalid handlers)
• SEHOP (run-time, walk down SEH chain i.e. integrity check)
• Virtual Table Verification (VTV) & vtguard
• Control-Flow Guard
74
Stack canary / cookie
Mitigations deployment delay
75
• Deployment of exploit mitigations requires time
• Source or binary compatibility risk
• Support from multiple sides required
Attackers have time to adapt
Exploit mitigations since the 90s
76
1972 1988 1996 2000 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
The Anderson Report
MorrisWorm
/GSSEH Overwrite
/SAFESEH
DEPLin + Win
XP SP2/GS/SAFESEH
ASLRWindowsVista
Integrity levelsWindows Vista
ASLRLinux
Advancedret2libcPaX ASLR
PaX PAGEEXEC
Smashingthe stack
StackGuardret2libc
vtguardWin8 + IE10
ROPGuard
Win8 «Sandbox»Win32k lockdown +App Container
Fully enforced
ASLR
NozzleHeap spraying protection
Heap spraying in browsers
EMET 5.2
Control Flow GuardVS15 +Win10 or 8.1 U3
ROP JOP + COP
Modern mitigations
77
• ROP mitigations (EMET)
• Control-Flow Integrity
• Control-Flow Guard (CFG)
ROP mitigations (EMET)
78
• Run-time checks
• Detect ongoing ROP attacks
• Hook into sensitive APIs
Control-flow integrity (CFI)
79
• Original publication in 2005«Control-Flow Integrity Principles, Implementations, and Applications»
• Many CFI implementations proposed since then• Compiler-based, binary-only (static rewriting)
• Check indirect control-flow transfers and limitthe set of allowed targets
Control-flow integrity (CFI)
80
• CFI approachesXFI (2006), HyperSafe (2010), CFIMon (2012), MoCFI (2012), BinCFI (2013), KCoFI (2014), MCFI (2014)
• -Grained Control-Flow Integrity through Binary
Mathias Payer, Antonio Barresi, Thomas R. Gross
• -Flow Bending: On the Effectiveness of Control-
Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, Thomas R. Gross
Control-flow guard (CFG)
81
• First adoption of a practicalControl-Flow Integrity (CFI) implementation
• Requires recompilation and OS support• VS15 + Windows 10 or 8.1 U3
• Restricts indirect call targetsto a static global set of locations
Control-flow guard (CFG)
82
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
Control-flow guard (CFG)
83
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
CFGBitmap
011010100101
100101011001
010101010100
101010101010
01110110....
..........
Control-flow guard (CFG)
84
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
CFGBitmap
011010100101
100101011001
010101010100
101010101010
01110110....
..........
Control-flow guard (CFG)
85
Compiler &Linker Binary
Application
Run-time libraries
Guard CF
Function
Table
validFunc1
validFunc2
...
http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
ntdll!LdrpValidateUserCallTarget
CFGBitmap
011010100101
100101011001
010101010100
101010101010
01110110....
..........
Future?
86
• Hardening techniques make exploit development harder and increase the costs of an attack
• But there is no magic bullet
•
code-reuse techniques to bypass all mitigations(ret2libc is 1997)
Pwn2own 2016
87
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/http://blog.trendmicro.com/pwn2own-day-2-event-wrap/
88
Conclusion
Conclusion
89
• Compilers help mitigate software attacks
• Software hardening increases costs of attacks
• Attackers still find ways to bypass all protections
Questions ?