Non-Control-Data Attacks Are Realistic Threats, Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and R - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
Non-Control-Data Attacks Are Realistic Threats
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer
Presented by Stephen Karg
October 12, 2005
2
Control-Data Attack
  • Control data: data that is loaded into the program
    counter during execution.
  • e.g. return address, function pointer
  • Currently the most dominant kind of attack.
  • The common pattern of most memory attacks we've
    seen so far:
  • Hijack the target program.
  • Inject own code or reuse an out-of-context library.
  • Make system calls to spawn a root shell.

3
Non-Control-Data Attack (a.k.a. Pure Data
Exploits)
  • Also memory corruption, but control flow remains
    unaffected.
  • No shellcode, no system calls.
  • Virtually unseen in the wild.
  • Q: Why so rare?
  • A: Harder to mount; the attack requires
    application-specific semantic knowledge.
  • Q: So why do we care?
  • A: Necessity is the mother of invention.

4
Thesis
  • As Control-Data defenses continue to improve,
    attackers will be more motivated to seek
    alternatives.
  • Non-Control-Data attacks result in security
    compromises just as severe as Control-Data
    attacks (i.e. root privilege escalation).
  • Inadequate protections currently in place.

5
How do they work?
  • Use known exploit techniques to overwrite NCD:
  • Stack overflow
  • Format string vulnerabilities
  • Heap overflow
  • Signed integer overflow
  • NCD is often associated with authentication or
    access-control privileges.
  • Manual source-code analysis is needed to find
    NCD that can be exploited.

6
Security-Critical NCD
  • Configuration data
  • User input
  • User identity data
  • Decision-making data
  • All of these can be corrupted to gain access to
    various well-known network server applications.

7
1. Configuration Data Attack
  • Site-specific config files in common server
    applications (ftp, ssh, http, etc.) can define
    access-control policies.
  • E.g. the Linux Null HTTPD server's CGI-BIN
    configuration string
  • restricts users from executing programs outside
    the specified path.
  • Heap corruption is used to transform the string
  • /usr/local/httpd/cgi-bin\0 → /bin\0
  • /bin/sh can then be run as a "legitimate" CGI program.
  • Root shell access with 3 POST commands!

8
(No Transcript)
9
2. User Identity Data Attack
  • A known format-string exploit on the popular WU-FTP
    server is used to corrupt a data structure so the
    EUID can be reverted to 0 (yay!).
  • The put and get commands invoke
  • pw->pw_uid, a cached copy of the user ID on the heap.

10
(No Transcript)
11
3. User Input Data Attack
  • A stack overflow on GHTTPD is used to gain root with
    a single GET command!
  • GET AAAA\xdc\xd7\xff\xbf lt-lt-/cgi-bin/../../../../bin/sh
  • Classic TOCTTOU attack with an invalid path.
  • The server checks the 1st part of the command for the
    old /.. trick.
  • The pointer to the now-approved URL is then corrupted
    to reference the illegal string in the 2nd part of
    the GET.
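
The defensive counterpart of the TOCTTOU bug above, as an added example that is not code from the slides or from GHTTPD: the requested path is copied into a bounded local buffer, canonicalised there (".." resolved, climbing above "/" rejected), checked, and then only that same copy is used, so the bytes that were checked are the bytes that are served. Function and buffer names are assumptions.

```c
/* Added example (assumed names, not the server's own code). */
#include <stddef.h>
#include <string.h>

/* Canonicalise `in` into `out`, resolving "." and "..". Rejects paths
 * that are not absolute, do not fit, or try to climb above "/".
 * Returns 1 on success, 0 on rejection. */
int canonicalize_path(const char *in, char *out, size_t out_len) {
    size_t in_len = strlen(in);
    if (in_len == 0 || in[0] != '/' || in_len >= out_len)
        return 0;                       /* must be absolute and bounded */
    size_t depth = 0;                   /* components currently in `out` */
    size_t o = 0;
    const char *p = in;
    out[o++] = '/';
    while (*p) {
        while (*p == '/') p++;          /* collapse repeated slashes */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                   /* empty or ".": nothing to add */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;   /* ".." above the root: reject */
            o--;                        /* pop the previous component */
            while (o > 0 && out[o - 1] != '/') o--;
            depth--;
            continue;
        }
        if (o + n + 1 >= out_len) return 0;   /* room for name, '/', NUL */
        memcpy(out + o, start, n);
        o += n;
        out[o++] = '/';
        depth++;
    }
    if (o > 1) o--;                     /* strip trailing '/' except at root */
    out[o] = '\0';
    return 1;
}

/* Check-and-use on the same buffer: canonicalise into `resolved`, then
 * allow only paths that stay inside the cgi-bin directory. The caller
 * serves from `resolved`, never from the raw request again. */
int cgi_path_allowed(const char *requested, char *resolved, size_t len) {
    static const char prefix[] = "/cgi-bin/";
    if (!canonicalize_path(requested, resolved, len)) return 0;
    return strncmp(resolved, prefix, sizeof prefix - 1) == 0;
}
```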

12
(No Transcript)
13
(No Transcript)
14
4. Decision-Making Data Attack
  • An integer-overflow exploit on multiple SSH servers
    allows the attacker to log on as root.
  • The client responds to the root password request with
    a packet formulated to trigger the overflow in the
    detect_attack() function.
  • The overflow corrupts the boolean flag "authenticated"
    to a non-zero value. Done.

15
(No Transcript)
16
Defensive Techniques that Don't Work
  • StackShield won't work: no address is changed.
  • IDS system-call tracing?
  • Won't work: the system-call sequence is unchanged.
  • Non-executable-memory protections?
  • Irrelevant: no code is injected.
  • Memory/type safety enforcement
  • Can prevent some NCD attacks, but with very high
    overhead and migration costs; currently
    unsuitable for high-traffic network applications.

17
Defensive Techniques: Mitigations
  • StackGuard and FormatGuard are still effective
    against NCD attacks that rely on those initial
    exploits.
  • Minimize the lifetime of critical data structures, or
    reinitialize them with safe values (e.g. authenticated).
  • Encrypt sensitive configuration data.
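
How the "minimize lifetime / reinitialize with safe values" bullet looks in code for the decision-making flag from slide 14, as an added example that is not code from the slides or from any SSH server: the flag is reset before and after every request, set only from the real password comparison, and (an addition beyond the slide) accepted only when it holds a specific pattern, so a flag corrupted to an arbitrary non-zero value still denies. The struct, names, and the constant are assumptions.

```c
/* Added example (assumed names and constant, not any server's own code). */
#include <stdint.h>
#include <string.h>

#define AUTH_GRANTED 0x5A3C96E1u   /* constructed, non-trivial "yes" pattern */
#define AUTH_DENIED  0u
#define MAX_PW 32

struct session {
    char     scratch[MAX_PW];      /* request buffer, the overflow target on slide 14 */
    uint32_t auth_state;           /* decision-making data */
};

/* Safe value before and after any decision is made or used. */
void session_reset(struct session *s) {
    memset(s, 0, sizeof *s);
    s->auth_state = AUTH_DENIED;
}

/* A plain `if (authenticated)` accepts any non-zero garbage as success;
 * demanding the exact pattern means a corrupted flag still denies. */
int session_is_authenticated(const struct session *s) {
    return s->auth_state == AUTH_GRANTED;
}

/* Bounded copy of the client's attempt, compare, then immediately drop the
 * copy so the secret and the decision live as briefly as possible.
 * Returns 1 when authenticated, 0 otherwise. */
int session_authenticate(struct session *s, const char *attempt,
                         size_t attempt_len, const char *expected) {
    session_reset(s);
    if (attempt_len >= MAX_PW) return 0;   /* reject rather than overflow */
    memcpy(s->scratch, attempt, attempt_len);
    s->scratch[attempt_len] = '\0';
    /* Demo comparison only; real code compares a hash in constant time. */
    int ok = strcmp(s->scratch, expected) == 0;
    memset(s->scratch, 0, sizeof s->scratch);
    s->auth_state = ok ? AUTH_GRANTED : AUTH_DENIED;
    return session_is_authenticated(s);
}
```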

18
Other Potential Defenses/Research
  • PointGuard (pointer-encryption compiler
    technique). Still needs work.
  • Address-space randomization.
  • Helpful, but will not stop a determined attacker.
  • TaintCheck: partially effective.
  • Brutal overhead (5-37x) and false positives.
  • Extend IDS to include data-flow analysis (in
    addition to control-flow analysis).
  • Heuristic analysis of function parameter
    signatures.

19
Conclusions
  • An IDS based only on control-flow integrity is
    insufficient.
  • Current defensive techniques are not
    comprehensive, and only provide partial coverage
    of NCD exploits.
  • No generic memory protection is available at a
    reasonable (runtime) cost.
  • Safer running closed-source? apps??