Defeating Instruction Set Randomization - PowerPoint PPT Presentation

Slides: 18
Provided by: csVir
1
  • Defeating Instruction Set Randomization
  • Nora Sovarel

2
Buffer Overflow
  • the vulnerability of the decade
  • Known since 1998
  • Lots of defenses proposed
    • Non-Executable Buffers
    • Array Bounds Checking
    • Address Space Layout Randomization
    • StackGuard/PointGuard
    • Instruction Set Randomization

3
Why is it still an issue in 2004?
  • I don't know?
  • Maybe lack of interest
  • Maybe none of the defenses is good enough
  • What about Instruction Set Randomization?

4
Attack String - execve
  • BUFFER OVERFLOWS DEMYSTIFIED, by
    murat_at_enderunix.org
  • "\x31\xc0"      /* xorl %eax,%eax */
  • "\x50"          /* pushl %eax */
  • "\x68""//sh"    /* pushl $0x68732f2f */
  • "\x68""/bin"    /* pushl $0x6e69622f */
  • "\x89\xe3"      /* movl %esp,%ebx */
  • "\x50"          /* pushl %eax */
  • "\x53"          /* pushl %ebx */
  • "\x89\xe1"      /* movl %esp,%ecx */
  • "\x99"          /* cltd */
  • "\xb0\x0b"      /* movb $0x0b,%al */
  • "\xcd\x80"      /* int $0x80 */

5
Instruction Set Randomization
  • original byte xor key byte -> randomized byte
  • 31 xor 12 -> 23
  • c0 xor ac -> 6c
  • 50 xor 7d -> 2d
  • 68 xor 9c -> f4
  • 2f xor a2 -> 8d
  • 2f xor 55 -> 7a
  • 73 xor 38 -> 4b
  • 68 xor cc -> a4
  • 68 xor 31 -> 59
  • 2f xor 0c -> 23
  • 62 xor 7d -> 1f
  • 69 xor 91 -> f8
  • 6e xor 82 -> ec
  • 89 xor ac -> 25
  • e3 xor 03 -> e0
  • 50 xor bc -> ec
  • 53 xor 90 -> c3
  • 89 xor ac -> 25
  • e1 xor 7d -> 9c
  • 99 xor 97 -> 0e
  • b0 xor a2 -> 12
  • 0b xor 0c -> 07
  • cd xor 90 -> 5d
  • 80 xor dc -> 5c

6
Instruction Set Randomization
  • Code Actually Executed
    • 23 6c 2d f4       and 0xfffffff4(%ebp,%ebp,1),%ebp
    • 8d 7a 4b          lea 0x4b(%edx),%edi
    • a4                movsb %ds:(%esi),%es:(%edi)
    • 59                pop %ecx
    • 23 1f             and (%edi),%ebx
    • f8                clc
    • ec                in (%dx),%al
    • 25 e0 ec c3 25    and $0x25c3ece0,%eax
    • 9c                pushf
    • 0e                push %cs
    • 12 07             adc (%edi),%al
    • 5d                pop %ebp
    • 5c                pop %esp
    • 00 00             add %al,(%eax)
  • Code Intended to Be Executed
    • 31 c0             xor %eax,%eax
    • 50                push %eax
    • 68 2f 2f 73 68    push $0x68732f2f
    • 68 2f 62 69 6e    push $0x6e69622f
    • 89 e3             mov %esp,%ebx
    • 50                push %eax
    • 53                push %ebx
    • 89 e1             mov %esp,%ecx
    • 99                cltd
    • b0 0b             mov $0xb,%al
    • cd 80             int $0x80

7
Can the key be guessed?
  • 32-bit key -> 4,294,967,296 possibilities
  • 32-bit key, guess 16 bits and then 16 bits ->
    2 x 65,536 = 131,072 possibilities
  • 32-bit key, guess 8 bits at a time ->
    4 x 256 = 1,024 possibilities

8
Problems
  • Randomized instruction set emulation to disrupt
    binary code injection attacks, Barrantes et al.

9
Solutions
  • Use a 16-bit or 8-bit instruction
  • Notice a good guess
    • Infinite loop
    • Normal behavior

10
Infinite Loop
  • Use the two-byte near jump instruction
  • Advantage
    • Can be used against any application with a buffer
      overflow vulnerability
  • Disadvantage
    • Large number of possibilities

11
Normal Behavior
  • Use the one-byte ret instruction
  • Advantage
    • Very fast: 256 tries at most
  • Disadvantages
    • Needs a response from the application
    • Needs special conditions to work
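The XOR model behind slides 5 to 7 and the ret probe of slide 11, as an added Python example that is not part of the slides: it checks the byte values the slides list, reproduces the slide 7 search-space arithmetic, and contrasts the slide 12 same-key assumption with per-process re-keying. The per-position XOR key, the oracle functions and all names are this example's own assumptions, not the ISR implementation the talk attacked.

```python
import os

# Constructed from the slides: the execve shellcode of slide 4 and the key bytes of
# slide 5, with the "Code Actually Executed" bytes of slide 6 as the expected result.
SHELLCODE = bytes.fromhex("31c0" "50" "682f2f7368" "682f62696e" "89e3" "50" "53"
                          "89e1" "99" "b00b" "cd80")
KEY = bytes.fromhex("12ac7d9c" "a25538cc" "310c7d91" "82ac03bc" "90ac7d97" "a20c90dc")
EXECUTED = bytes.fromhex("236c2df4" "8d7a4ba4" "59231ff8" "ec25e0ec" "c3259c0e" "12075d5c")
RET = 0xC3  # the one-byte x86 'ret' used as the probe on slide 11


def randomize(code: bytes, key: bytes) -> bytes:
    """ISR as modelled here (an assumption): XOR each code byte with the key byte for
    its position. XOR is its own inverse, so the same call de-randomizes before execution."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))


def guess_space(key_bits: int, chunk_bits: int) -> int:
    """Worst-case guesses when chunk_bits of the key can be confirmed per attempt (slide 7)."""
    return (key_bits // chunk_bits) * 2 ** chunk_bits


def recover_key(key_len: int, oracle) -> tuple[bytes, int]:
    """Byte-at-a-time search driven by a 'did the process return normally' oracle
    (slides 9 and 11). oracle(pos, byte) is True when byte ^ key[pos] decodes to ret.
    Returns the key as seen through the oracle and the number of queries used."""
    found, queries = bytearray(), 0
    for pos in range(key_len):
        for guess in range(256):
            queries += 1
            if oracle(pos, guess):      # guess ^ key[pos] == RET, hence key[pos] == guess ^ RET
                found.append(guess ^ RET)
                break
        else:
            found.append(0)             # nothing decoded to ret: the key moved under us
    return bytes(found), queries


def fixed_key_oracle(key: bytes):
    """The slide 12 assumption: every restart or forked child keeps the same key."""
    return lambda pos, byte: (byte ^ key[pos]) == RET


def rekeying_oracle(key_len: int):
    """Mitigation to compare against: a fresh random key per process, so no answer
    carries information about the key the next process will use."""
    return lambda pos, byte: (byte ^ os.urandom(key_len)[pos]) == RET
```

With the fixed-key oracle the whole 24-byte key falls in at most 256 queries per byte, which is the slide 7 arithmetic in action; with the re-keying oracle the same search returns noise.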

12
Assumptions
  • Use TCP to connect
  • Same randomization key for each restart
    or
  • Same randomization key for all forked processes

13
Jump Attack
14
Ret Attack
  • Instructions executed
    • leave: restores %ebp
    • ret: normal return from function
    • ret: injected instruction

15
Results
  • Simple application with a buffer overflow
    vulnerability
  • ISR implementation uses the same key for each
    forked process
  • Ret attack works and guesses the key most of the
    time
  • Jump attack
    • Works when it checks one key per run
    • Unexpected behavior after a large number of tries

16
Future Work
  • Fix the jump attack to guess the key
  • Attack a real application with a buffer overflow
    vulnerability
  • Attack a real ISR implementation

17
Conclusions
  • Under the specified assumptions the attack is
    possible
  • x86 architecture helps the attacker
  • Infinite loops are sometimes useful