compilers, memory errors and hardening techniques · advanced compiler design, 18.5.2016 antonio...

Advanced Compiler Design, 18.5.2016

Antonio Hüseyin BarresiCo-founder & CEOxorlab AG

Compilers, Memory Errors and Hardening Techniques

1

2

http://knowledge.zurich.com/risk-interconnectivity/time-to-wake-up-to-the-risks-of-cyber-crime

Executive Opinion Survey 2015

3

What does that have to do with

Compilers?

4

This talk

• Cyber attacks and compilers

• Memory errors and exploitation

• Hardening techniques and run-time security

5

About

Antonio Barresi

[email protected]

@AntonioHBarresi

Co-founder of

https://www.xorlab.com

6

Cyber attacks cost the world economy >400 $ billion yearly

Net losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014

7

Cyber crime is a growth industry


8

•

• Direct financial losses, loss of competitivenessand other impact

• High-income countries suffer the most

• 0.9% of GDP in average

• Loss of 5.8 Bn CHF (CH 2013, GDP 646 Bn CHF)


9

Example

100 banks, 30 countries, 2 years

$1 Billion

10

The great bank robbery

https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

11



12



13



14



15



16

-2012-0158 is a buffer overflowVulnerability in the ListView / TreeView

ActiveX controls in the MSCOMCTL.OCX library

https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/

17

Exploit and Zero-Day Attack

Exploit = exploit is a piece of software, a chunk of

data, or a sequence of commands that takes advantage

of a bug

Zero-Day Attack = zero-day attack or threat is an

attack that exploits a previously unknown vulnerability in

http://en.wikipedia.org/wiki/Exploit_(computer_security)http://en.wikipedia.org/wiki/Zero-day_attack

18

Software attacks

• Attacking software is an important capability for attackers

• Scales well

• Can be done remotely

• Very powerful

19

Arbitrarycode-execution

20

Goal of an attacker

22

Most important thing

Profitability

23

Profit

Revenue (Costs + expenses + taxes)

24

Cyber criminals

• Have costs and expenses too!

• An economic decision

• Fighting cyber crime meanslimiting its profitability

25

Cyber criminals

• Have costs and expenses too!

• An economic decision

• Fighting cyber crime meansprofitability

26

Software hardening

• Compile and run-time techniques

• To make software exploitation harder

• But also slower

Exploit mitigations since the 90s

27

1972 1988 1996 2000 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

The Anderson Report

MorrisWorm

/GSSEH Overwrite

/SAFESEH

DEPLin + Win

XP SP2/GS/SAFESEH

ASLRWindowsVista

Integrity levelsWindows Vista

ASLRLinux

Advancedret2libcPaX ASLR

PaX PAGEEXEC

Smashingthe stack

StackGuardret2libc

vtguardWin8 + IE10

ROPGuard

Win8 «Sandbox»Win32k lockdown +App Container

Fully enforced

ASLR

NozzleHeap spraying protection

Heap spraying in browsers

EMET 5.2

Control Flow GuardVS15 +Win10 or 8.1 U3

ROP JOP + COP

Attacker Return

28

Mitigating Software Vulnerabilities, July 2011, Microsoft

Attacker Return

29

Mitigating Software Vulnerabilities, July 2011, Microsoft

Increase costs

Hardening value chain

30

SourceCompiler &

Linker BinaryHardware

Operating system

Application

Run-time libraries

Hardening value chain

31

SourceCompiler &

Linker BinaryHardware

Operating system

Application

Run-time librariesStack canaries

Pointer obfuscation

Compiler warnings

/SAFESEH/GS

vtguard & Virtual Table Verification

Control-flow guardStaticanalysis tools

NX-bit for DEP

DEP & ASLR

DEP & ASLR

Sandboxing

SEHOP

GOT protection

Hardened heap

Heap-spraying protection

Compiler optimizations

Annotations

ROP mitigations (EMET)

32

Software attacks

Victim Attacker

Exploits memory error within

vulnerable victim software

Runs a vulnerable web

server software

Runs an exploit that triggers a

memory error within the web

server software

$>./exploit 192.168.1.28

Runs a malicious web server

serving HTML documents that

trigger a memory error within

the web browser

Sends a malicious

PDF attachement by

email

GET /index.html HTTP/1.1Host: www.vulnsite.comKeep-Alive: 300Connection: keep-aliveCookie: CID=r2t5uvjq435r4q7ib3vtdjq120f83jf8... <binary data>

Runs a vulnerable web

browser or PDF reader

Attacks

33

Memory corruption

34

•

• C/C++

• Two basic types exist

• Spatial and temporal memory errors

• Allow attackers to corrupt memory in a more or less controllable way

Allow low-level access to memory

• Typed pointers & pointer arithmetic

• No automatic bounds checking / index checking

Weakly enforced typing

• Cast (almost) anything to pointers

Explicit memory management

• Like malloc() & free() in C

«Unsafe» languages

35

#include <stdio.h>#include <math.h>

long computation(int x, int y, int z, double f) {return (long)(((x*y)/z)*sin(f));

}

void main(){

*(int*)computation(32, 64, 2, M_PI/6) = 128;return;

}

shell:~$ gcc -o segfault segfault.c -lmshell:~$ ./segfaultSegmentation fault (core dumped)shell:~$

«Unsafe» languages - C

36

#include <stdio.h>#include <string.h>

#define STDIN 0

void vulnFunc() {char buf[1024];read(STDIN, buf, 2048);

}

shell:~$ gcc -o vuln vuln.c -fno-stack-protectorshell:~$ ./vulnread> hi there!shell:~$ ./vulnread> AAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA...Segmentation fault (core dumped)shell:~$

void main() {printf("read> ");vulnFunc();return;

}

«Unsafe» languages - C

37

Spatial error Temporal error

Array / Object

[out of bounds]

start

*ptr

Array / Object

• De-reference pointer that is out of bounds

• De-reference pointer to freed memory

*ptr

Types of memory errors

38

Spatial error Temporal error

Array / Object

Attacker supplied dataoverwrites/reads data/pointers

• Overwrite data or pointers

• Used or de-referenced later

• Make application allocate memory in the freed area

• Used as old type

Attacker supplied dataused as wrong type

*ptr

*ptrstart

Exploiting memory errors

39

Overwrite data or pointers

• That might be used to overwrite data or pointers

• Function pointers, sensitive data, index values, control-flow sensitive data etc.

Leak information

• E.g., corrupt a length field

Construct attacker primitives

• Write primitive (write any value to arbitrary address)

• Read primitive (read from any address)

Attackers use memory errors to

40

• Out-of-bounds bugs / Buffer overflows

• On stack or heap

• Dangling pointer / Use-after-free

• Integer bugs, signedness bugs

• Format string bugs

• Uninitialized memory

• NULL pointer dereference

Types of bugs

41

Victim Attacker

<html><head></head><body>... <html or javascript thattriggers the memory corruptionvulnerability> ...</body></html>

0xe8a0f000

Heap

Corrupted

0x41414141

Code

Stack

Write primitive

*0xe8a0f000 = 0x41414141

Memory corruption attack

42

43http://www.cs.berkeley.edu/~dawnsong/papers/Oakland13-SoK-CR.pdf

• Code corruption attack

• Control-flow hijack attack

• Data-only attack

• Information leak

Attack types

• Most powerful attack

• Hijack control-flow

• To attacker supplied arbitrary machine code

• To existing code (code-reuse attack)

• Corrupt code pointers

• Return addresses, function pointers, vtable entries, exception handlers, jmp_bufs

Control-flow hijack attack

44

Most ISAs support indirect branch instructions

E.g., x86 ret, indirect jmp, indirect call

branch *fptrfptr: 0xafe08044

Code

0x8056b30

good_func:0x08056b30


45

fptr corrupted by attacker

branch *fptr

Attacker goal: hijack control-flow to injected

fptr: 0xafe08044

Code

Corrupted

evil_code:


46

0x00000000

0xffffffff

%eip

0x084a4504

Code

Heap

Stack

0x084a4504

call *0xe0fa4404

func:

0xe0fa4404

0x00000000

0xffffffff

0x084a4504

0xe0fa4404

Code

Heap

Stack

0xfffc8408

call *0xe0fa4404

func:

AttackerCode

0xfffc8408

%eip

Indirect call to func() Hijacked indirect call


47

0x00000000

0xffffffff

Code

Heap

Stack

call/jmp/ret

attackercode &

data

attackercode &

data

<code from binary>

rw-

rw-

r-x

Make data regions non-executable(by default)

Changing protection flags or allocating rwx memory still possible

Required for JITs

Non-eXecutable data (NX)

48

Code regions will be non-writable

• Else code corruption attacks possible

Also known as

• Data Execution Prevention (DEP) on Windows

• NX, Non-eXecutable Memory on Linux

• W^X, on OpenBSD

Implemented by hardware where available (NX-bit)

Non-eXecutable data (NX)

49

Binary images need to provide separate sections / segments that can be mapped exclusively as

• rw- OR r-x

• Linker support required

Self-modifying code not allowed

• Compiler support required

• If code is generated just-in-time,explicit rwx allocation required

NX / DEP implementation issues

50

0x00000000

0xffffffff

Code

Heap

Stackattackercode &

data

attackercode &

data

rw-

rw-

r-x

Only use existing code

Code-reuse attack

• ret2libc, ret2bin, ret2*

• Return-oriented programming (ROP)

• Jump/Call-oriented programming

Use code-reuse technique to change protection flags

Make memory executable• mprotect/VirtualProtect

• mmap/VirtualAlloc

Bypassing NX / DEP

51

Stack during vulnFunc()

%ebp

%esp

void vulnFunc() {char buf[1024];read(STDIN, buf, 2048);

}

Stack after read()

%ebp

%esp

Stack-based buffer overflow

%eip and %ebp under control

Local variables and buffers under attacker control

arguments

return address

saved ebp

return address

saved ebp

buf[1024]

main() stack frame

rw-

arguments

return address

saved ebp

overwritten retaddr

overwritten ebp

buf[1024]

overwritten frame

rw-

Code-reuse attack

52

Stack after read()

%ebp

%esp

Before NX/DEP

Return to attacker supplied code

Shellcode

Use existing code

Executable or librariesE.g., mprotect()

arguments

return address

saved ebp

overwritten retaddr

overwritten ebp

buf[1024]

AttackerCode

“Shellcode“

overwritten frame

rw-

Code-reuse attack

53

Stack after read()

%ebp

%esp

Let's call mprotect()

mprotect(address_shellcode, 4096, 0x1|0x2|0x4)

0x1 | 0x2 | 0x4 = RWX

mprotect() will make the stackexecutable

and return to our shellcode

arguments

return address

saved ebp

address mprotect()

dummy ebp

buf[1024]

AttackerCode

“Shellcode“

address shellcode

4096

0x1|0x2|0x4

rw-

Code-reuse attack

54

Stack after mprotect()

%ebp

%esp

After mprotect() our stack is executable again

mprotect() will return to our shellcode

x64 or ARM:

Fill registers with parameters before invoking mprotect()

arguments

return address

saved ebp

address mprotect()

dummy ebp

buf[1024]

AttackerCode

“Shellcode“

address shellcode

4096

0x1|0x2|0x4

rwx

Code-reuse attack

55

%ebp

%esp

Use available code snippets endingwith ret instruction

Called gadgets / ROP chain

E.g., write primitive

Code

arguments

return address

saved ebp

address gadget1

dummy ebp

buf[1024]

value

address gadget2

address

rw-

dummy value

address gadget3

address gadget4

r-x

pop %edx;ret;

1

pop %eax;pop %ebx;ret;

2

mov %edx, (%eax);mov $0x0, %eax;ret;

3

Return-oriented programming

56

• Turing complete although not required

• Can be initiated over call or jmp as well

• Need to be in control of memory %esp is pointing to

Or make %esp point to area under control

• Also possible with jmp or call gadgets

Return-oriented programming

57

To hijack control-flow or to corrupt memory an attacker needs to know where things are in memory

Addresses of data or pointers to corrupt

Addresses of injected shellcode/payload

Addresses of gadgets

Addresses in memory

58

Once upon a time...

Addresses were more or less predictable

Executables and libraries were prelinked to certain addresses

Stack and Heap base addresses were fixed

• With differences at runtime for specific locationsdue to the dynamic behaviour of the process

Addresses in memory

59

Today most Operating Systems implementAddress Space Layout Randomization

Randomize memory layout of processes to makeaddress prediction or guessing hard

What can be randomized?

• OS: Stack, heap and memory mapping base addresses

• OS, compiler, linker: Exectuables and libraries• Position-independent or relocatable code

ASLR

60

0x00000000

0xffffffff

mm base range

Executable

Heap

Stack

Library 2

Library 1

Memory Mapping

heap base range

stack base range

libraries base range

executable base range

aligned

page-aligned

page-aligned

page-aligned

page-aligned

Use source of randomness to randomize within ranges

Randomization of layout

61

In general: Usage of fixed addresses not allowed

Code should be position-independent or relocatable

Linux/ELF:• PIC & PIE supported, libraries all PIC, executables sometimes still prelinked

Windows/PE:• No PIC support! But libraries/executables relocatable!

x86 32bit PIE/PIC slower, no IP relative data addressing

Relocated PE images not sharable between processes

ASLR implementation issues

62

Enough entropy?

• Base range size

• Alignment constraints

• Address width (64bit is better than 32bit)

Randomization strategy

Per process, system-wide per boot

Source of randomness

ASLR only effective without exceptions

ASLR effectiveness

63

Low entropy

Brute-force addresses (multiple attempts required)

Memory leaks (information disclosure)

Leak addresses to derive base addresses

Construct and enforce a leak by memory corruption

Application and vulnerability specific attacks

Force predictable memory state

• Heap-spraying / Heap massaging

Pointer inference

• Use a side-channel

Avoid using exact addresses

• Only corrupt least significant bytes i.e. offsets

Bypassing ASLR

64

Victim Attacker


HTTP/1.1 200 OKDate: Fri, 12 Mar 2014 23:59:00 GMTContent-Type: text/htmlContent-Length: 1354Allow: GET,POST,OPTIONS,HEADCache-Control: public,max-age=30<binary data... 0x414162320xffed4460 0x77ff2332 0x...>

<html><head>...

Heap

Code

Stack

0xffed4460


1

2

3

Trigger memory leak

Parse response for leaked memoryand construct exploit

Exploit memory error withtailored exploit

Runs web server software with

memory leak and exploitable

memory corruption

vulnerability

Memory leak

65

arguments

return address

saved ebp

address mprotect()

dummy ebp

buf[1024]Attacker

Code“Shellcode“

address shellcode

4096

0x1|0x2|0x4

rwx

vulnExecutable

Heap

Stack

libc

libc data

0x0efa4604

mprotect:

0x0efa4604

0x0ebb0880

0x0dfff000libc base

?

static offset

mprotect = leaked pointer – static offset

0x0ebb0880 = 0x0efa4604 - 0x003f3d84

Memory leak

66

void memLeak() {char buf[256];scanf("%s", buf);printf(buf);

}

shell:~$ gcc -o memleak memleak.cmemleak.c: In function ‘memLeak’:memleak.c:9:2: warning: format not a string literal and no format arguments [-Wformat-security]shell:~$ ./memleakecho> hihishell:~$ ./memleakecho> %llx,%llx,%llx,%llx,%llx,%llx,%llx,%llx1,7fabf517cac0,a,ffffffff,0,6c6c252c786c6c25,252c786c6c252c78,786c6c252c786c6cshell:~$

void main() {printf("echo> ");memLeak();printf("\n");return;

}

Memory leak format string bug

67

http://en.wikipedia.org/wiki/HeartbleedSimplified Heartbleed explanation by FenixFeather licensed under CC

Heartbleed CVE-2014-0160 - OpenSSL

68

http://en.wikipedia.org/wiki/Heartbleed

Constructed arbitrary readCVE-2011-2371 Firefox vulnerability

69

DEP & ASLR are generic defenses

Exploitation becomes harder for all vulnerability classes &attack techniques

Together quite effective• If implemented correctly

Injecting code and corrupting pointers with exact addresses is in general desirable for attackers

DEP & ASLR

70

A determined attacker will use code-reuse

techniques and memory leaks to bypass

DEP & ASLR.

DEP & ASLR are not enough

71

Raise exploit development costs with additional protections

• The more line of defenses, the better!

• Implement protections against specific vulnerability classes and exploitation techniques

Additional protections

72

May require source code changes (annotations)and/or recompilation of the application

Compile-time and checks at run-time

Additional protections

73

• Stack canaries / cookies

• Pointer obfuscation

• /GS

• /SAFESEH (link-time, provide list ofvalid handlers)

• SEHOP (run-time, walk down SEH chain i.e. integrity check)

• Virtual Table Verification (VTV) & vtguard

• Control-Flow Guard

74

Stack canary / cookie

Mitigations deployment delay

75

• Deployment of exploit mitigations requires time

• Source or binary compatibility risk

• Support from multiple sides required

Attackers have time to adapt

Exploit mitigations since the 90s

76

1972 1988 1996 2000 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15

The Anderson Report

MorrisWorm

/GSSEH Overwrite

/SAFESEH

DEPLin + Win

XP SP2/GS/SAFESEH

ASLRWindowsVista

Integrity levelsWindows Vista

ASLRLinux

Advancedret2libcPaX ASLR

PaX PAGEEXEC

Smashingthe stack

StackGuardret2libc

vtguardWin8 + IE10

ROPGuard

Win8 «Sandbox»Win32k lockdown +App Container

Fully enforced

ASLR

NozzleHeap spraying protection

Heap spraying in browsers

EMET 5.2

Control Flow GuardVS15 +Win10 or 8.1 U3

ROP JOP + COP

Modern mitigations

77

• ROP mitigations (EMET)

• Control-Flow Integrity

• Control-Flow Guard (CFG)

ROP mitigations (EMET)

78

• Run-time checks

• Detect ongoing ROP attacks

• Hook into sensitive APIs

Control-flow integrity (CFI)

79

• Original publication in 2005«Control-Flow Integrity Principles, Implementations, and Applications»

• Many CFI implementations proposed since then• Compiler-based, binary-only (static rewriting)

• Check indirect control-flow transfers and limitthe set of allowed targets

Control-flow integrity (CFI)

80

• CFI approachesXFI (2006), HyperSafe (2010), CFIMon (2012), MoCFI (2012), BinCFI (2013), KCoFI (2014), MCFI (2014)

• -Grained Control-Flow Integrity through Binary

Mathias Payer, Antonio Barresi, Thomas R. Gross

• -Flow Bending: On the Effectiveness of Control-

Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, Thomas R. Gross

Control-flow guard (CFG)

81

• First adoption of a practicalControl-Flow Integrity (CFI) implementation

• Requires recompilation and OS support• VS15 + Windows 10 or 8.1 U3

• Restricts indirect call targetsto a static global set of locations


82

Compiler &Linker Binary

Application

Run-time libraries

Guard CF

Function

Table

validFunc1

validFunc2

...

http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf


83


Application

Run-time libraries

Guard CF

Function

Table

validFunc1

validFunc2

...


CFGBitmap

011010100101

100101011001

010101010100

101010101010

01110110....

..........


84


Application

Run-time libraries

Guard CF

Function

Table

validFunc1

validFunc2

...


CFGBitmap

011010100101

100101011001

010101010100

101010101010

01110110....

..........


85


Application

Run-time libraries

Guard CF

Function

Table

validFunc1

validFunc2

...


ntdll!LdrpValidateUserCallTarget

CFGBitmap

011010100101

100101011001

010101010100

101010101010

01110110....

..........

Future?

86

• Hardening techniques make exploit development harder and increase the costs of an attack

• But there is no magic bullet

•

code-reuse techniques to bypass all mitigations(ret2libc is 1997)

Pwn2own 2016

87

http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/http://blog.trendmicro.com/pwn2own-day-2-event-wrap/

88

Conclusion

Conclusion

89

• Compilers help mitigate software attacks

• Software hardening increases costs of attacks

• Attackers still find ways to bypass all protections

Questions ?

[email protected]

91

$ cat xorlab.info

[email protected]

Universitätsstrasse 68092 Zürich

$

compilers, memory errors and hardening techniques · advanced compiler design, 18.5.2016 antonio...

Documents