with code pointer integrityseclab.cs.sunysb.edu/lszekeres/talks/szekeres-2014-threads.pdf ·...
TRANSCRIPT
Preventing control-flow hijackswith
Code Pointer Integrity
László Szekeres
Stony Brook University
Joint work with Volodymyr Kuznetsov, Mathias Payer, George Candea, R. Sekar, Dawn Song
Problem
• C/C++ is unsafe and unavoidable today
• All of our systems have C/C++ parts
• All of them have exploitable vulnerabilities
• They all can be compromised
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Control-flow hijack attack[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Control-flow hijack defenses[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Control-flow hijack defenses
DEP
[Eternal War in Memory, IEEE S&P ‘13]
Cookies
Control-flow hijack defenses
DEP
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Cookies
Control-flow hijack defenses
CFI
DEP
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Cookies
Control-flow hijack defenses
CFI
DEP
ASLR
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Cookies
Control-flow hijack defenses
CFI
DEP
ASLR
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Cookies
Control-flow hijack defenses
CFI
DEP
ASLR
Memory Safety
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Cookies
Control-flow hijack defenses
CFI
DEP
ASLR
Memory Safety
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Cookies
Control-flow hijack defenses
CFI
DEP
ASLR
Memory Safety
Code Pointer Integrity
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Code Pointer Integrity?
Code Pointer Integrity?
[Eternal War in Memory, IEEE S&P ‘13]
Make pointer out-of-bounds
Make pointer dangling
Use pointer to write
Use pointer to read
Modify a code pointer...
… to target code address
Use pointer by indir. call/jmp
Execute injected code
Exec. gadgets or functions
Control-flow hijack
Use pointer by ret instruction
Code Pointer Integrity
• Joint work with Volodymyr Kuznetsov, Mathias Payer, George Candea, R. Sekar, Dawn Song
• It prevents all control-flow hijacks
• It has only 8% runtime overhead in average
[OSDI ’14]
Outline
Outline
Safe Stack
Outline
Safe Stack
Code Pointer Separation
Outline
Safe Stack
Code Pointer Separation
Code Pointer Integrity
Safe StackEnforcing the integrity of return addresses
Integrity of return addresses
...
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
char buff[16]
Stack
Integrity of return addresses
...
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
char buff[16]
Stack
Integrity of return addresses
...
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
char buff[16]
p[idx]=val;
Stack
Stack cookies
...
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
...
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
RANDOM CANARY
char buff[16] char buff[16]
Shadow stack
...
int i(local variable)
saved %ebp #2(base pointer)
saved %eip #2(ret. address.)
func call argument
...
...
...
...
saved %eip #0(ret. address.)
...
char buff[16]
saved %ebp #0(base pointer)
saved %eip #1(ret. address.)
saved %ebp #1(base pointer)
saved %eip #2(ret. address.)
saved %ebp #2(base pointer)
Stack Shadow stack
Protected region
Shadow stack
...
int i(local variable)
saved %ebp #2(base pointer)
saved %eip #2(ret. address.)
func call argument
...
...
...
...
saved %eip #0(ret. address.)
...
char buff[16]
saved %ebp #0(base pointer)
saved %eip #1(ret. address.)
saved %ebp #1(base pointer)
saved %eip #2(ret. address.)
saved %ebp #2(base pointer)
Stack Shadow stack
Protected region
Safe Stack
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
...
......
...
...
char buff[16]
Safe stack (original stack)Unsafe stack
Protecting the Safe Stack
movl $42, (%rsp)
movl $42, %ds:(%eax)
movl $42, %ss:(%esp)
Regular Data Segment
Safe StackSegment
x86-32
Safe StackSegment
x86-64
How effective is the Safe Stack?
• Strictly stronger protection than stack cookies or shadow stack
• Only the Safe Stack provides guaranteed protection against return address corruption
• Stops all ROP attacks alone!
Safe Stack overhead
-5.00%-4.00%-3.00%-2.00%-1.00%0.00%1.00%2.00%3.00%4.00%5.00%
40
0_p
erlb
ench
(C
)
40
1_b
zip
2 (
C)
40
3_g
cc (
C)
42
9_m
cf (
C)
44
5_g
ob
mk
(C)
45
6_h
mm
er (
C)
45
8_s
jen
g (C
)
46
2_l
ibq
uan
tum
…
46
4_h
26
4re
f (C
)
47
1_o
mn
etp
p…
47
3_a
star
(C
++)
48
3_x
alan
bm
k…
43
3_m
ilc (
C)
44
4_n
amd
(C
++)
44
7_d
ealII
(C
++)
45
0_s
op
lex
(C++
)
45
3_p
ovr
ay (
C++
)
47
0_l
bm
(C
)
48
2_s
ph
inx3
(C
)
SPEC 2006 Benchmark
0% avg.
Safe Stack overhead
0 %
5%
10%
Perf
. ove
rhea
dSPEC 2006 Benchmark
Code Pointer SeparationProtecting function pointers
Integrity of function pointers
func_ptr
int
int_ptr
...
...
buffer
Heap
Integrity of function pointers
func_ptr
int
int_ptr
...
...
buffer
Heap
Integrity of function pointers
func_ptr
int
int_ptr
...
...
buffer
Heap
p[idx]=val;
Protected region
Code Pointer Separation (CPS)
func_ptr
int
int_ptr
...
...
...
func_ptr
...
...
...
...
buffer
...
Heap Safe Pointer Store
Protected region
Protected region
Code Pointer Separation (CPS)
data_ptr
func_ptr
...
...
func_ptr
...
Heap Safe Pointer Store
int i(local variable)
saved %ebp(base pointer)
saved %eip (ret. address.)
func call argument
...
...
char buff[8]
Safe stack (original stack)Unsafe stack
Protecting the Safe Pointer Store
movl $42, %fs:(%rax)
movl $42, (%rsp)
movl $42, %ds:(%eax)
movl $42, %gs:(%eax)
movl $42, %ss:(%esp)
Regular Data Segment
Safe StackSegment
x86-32
Safe StackSegment
x86-64
Safe Pointer StoreSegment
Safe Pointer StoreSegment
How effective is CPS?
obj->func();
obj
do_good()
do_bad()
func
How effective is CPS?
obj->func();
obj
do_good()
do_bad()
func
CPS vs. CFI
CFI CPS
Callscan go to
any function whose address is taken
any function whose address is taken and stored in memory at the current point of execution
Returncan go to
any call site only their actual caller
CFI attacksGöktaş et al., IEEE S&P ‘14Göktaş et al., Usenix Sec ‘14Davi et al., Usenix Sec ‘14 Carlini et al., Usenix Sec ‘14
Practical CFI solutionsClassic CFI, CCS ‘05CCFIR, IEEE S&P ‘13binCFI, Usenix Sec ‘13kBouncer, Usenix Sec ‘13
CPS overhead
-5.00%
0.00%
5.00%
10.00%
15.00%
20.00%
40
0_p
erlb
ench
(C
)
40
1_b
zip
2 (
C)
40
3_g
cc (
C)
42
9_m
cf (
C)
44
5_g
ob
mk
(C)
45
6_h
mm
er (
C)
45
8_s
jen
g (C
)
46
2_l
ibq
uan
tum
(C
)
46
4_h
26
4re
f (C
)
47
1_o
mn
etp
p (
C++
)
47
3_a
star
(C
++)
48
3_x
alan
bm
k (C
++)
43
3_m
ilc (
C)
44
4_n
amd
(C
++)
44
7_d
ealII
(C
++)
45
0_s
op
lex
(C++
)
45
3_p
ovr
ay (
C++
)
47
0_l
bm
(C
)
48
2_s
ph
inx3
(C
)
SPEC 2006 Benchmark2% avg.
Code Pointer IntegrityGuaranteed protection of all code pointers
Issue #1
obj->func();
obj
do_good()
do_bad()
func
Issue #1: pointer coverage
obj->func();
obj
do_good()
do_bad()
func
Issue #1: pointer coverage
obj->func();
obj
do_good()
do_bad()
func
Issue #2
obj=&objs[idx]obj->func();
objs
do_good()
do_bad()
func
do_well()func
+idx
Issue #2: spatial safety
obj=&objs[idx]obj->func();
objs
do_good()
do_bad()
func
do_well()func
+idx
Issue #3
obj
do_good()func
do_bad()
delete obj;…obj->func();
Issue #3
obj
do_good()
do_bad()
delete obj;…obj->func();
Issue #3: temporal safety
obj
do_good()
do_bad()
delete obj;…obj->func();
Protected region
Safe Pointer Store
CPS → Code Pointer Integrity
obj_ptr
int
func_ptr
int_ptr
buf
func_ptr
Protected region
Safe Pointer Store
Issue #1: pointer coverage
obj_ptr
int
func_ptr
int_ptr
buf
obj_ptr
func_ptr
Protected region
Safe Pointer Store
Issue #2: spatial safety
obj_ptr
int
func_ptr
int_ptr
buf
obj_ptr
func_ptr
lower_bound
func_ptr
upper_bound
func_ptr
Protected region
Issue #3: temporal safety
obj_ptr
int
func_ptr
int_ptr
buf
obj_ptr
func_ptr
lower_bound
func_ptr
upper_bound
func_ptr
uid
-
Safe Pointer Store
CPI overhead
-10.00%
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
40
0_p
erlb
ench
(C
)
40
1_b
zip
2 (
C)
40
3_g
cc (
C)
42
9_m
cf (
C)
44
5_g
ob
mk
(C)
45
6_h
mm
er (
C)
45
8_s
jen
g (C
)
46
2_l
ibq
uan
tum
(C
)
46
4_h
26
4re
f (C
)
47
1_o
mn
etp
p (
C++
)
47
3_a
star
(C
++)
48
3_x
alan
bm
k (C
++)
43
3_m
ilc (
C)
44
4_n
amd
(C
++)
44
7_d
ealII
(C
++)
45
0_s
op
lex
(C++
)
45
3_p
ovr
ay (
C++
)
47
0_l
bm
(C
)
48
2_s
ph
inx3
(C
)
SPEC 2006 Benchmark8% avg.
Implementationand case studies
Levee in LLVM/Clang
clang –fsafe-stack
clang –fcps
clang –fcpi
Get the prototype from: http://levee.epfl.ch
Control-flow hijack protected FeeBSD
• Complete FreeBSD distribution (modulo kernel)
• >100 extra packages
Summary
Summary
Safe Stack0% avg.
Summary
Safe Stack
Code Pointer Separation2% avg.
0% avg.
Summary
Safe Stack
Code Pointer Separation
Code Pointer Integrity8% avg.
2% avg.
0% avg.
Thank you!
Questions?