1. Non-Control-Data Attacks Are Realistic Threats
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer
Presented by Stephen Karg, October 12, 2005
2. Control-Data Attack
- Control data: data loaded into the program counter during execution.
  - e.g. return address, function pointer
- Currently the most dominant attack.
- The common pattern of most memory attacks we've seen so far:
  - Hijack target programs.
  - Inject own code or out-of-context library.
  - Make system calls to spawn a root shell.
3. Non-Control-Data Attack (a.k.a. Pure Data Exploits)
- Also memory corruption, but control flow remains unaffected.
  - No shell code, no system calls.
- Virtually unseen in the wild.
- Q: Why so rare?
  - A: Harder to mount the attack; requires application-specific semantic knowledge.
- Q: So why do we care?
  - A: Necessity is the mother of invention.
4. Thesis
- As control-data defenses continue to improve, attackers will be more motivated to seek alternatives.
- Non-control-data attacks result in security compromises just as severe as control-data attacks (i.e. root privilege escalation).
- Inadequate protections currently in place.
5. How do they work?
- Use known exploits to overwrite NCD:
  - Stack overflow
  - Format string vulnerabilities
  - Heap overflow
  - Signed integer overflow
- NCD is often associated with authentication or access-control privileges.
- Manual source-code analysis is needed to expose NCD exploits.
6. Security-Critical NCD
- Configuration data
- User input
- User identity data
- Decision-making data
- All can be corrupted to gain access to various well-known network server applications.
7. (1) Configuration Data Attack
- Site-specific config files in common server applications (ftp, ssh, http, etc.) can define access control policies.
- E.g. the Linux Null HTTPD server's CGI-BIN configuration string:
  - restricts users from executing programs outside the specified path.
- Use heap corruption to transform the string:
  - /usr/local/httpd/cgi-bin\0 → /bin\0
- Can then run /bin/sh as a legitimate CGI program.
- Root shell access with 3 POST commands!
8. (No Transcript)
9. (2) User Identity Data Attack
- Known format-string exploit on the popular WU-FTP server used to corrupt a data structure so the EUID can be reverted to 0 (yay!).
- put and get commands invoke:
  - pw->pw_uid: a cached copy of the user ID on the heap.
10. (No Transcript)
11. (3) User Input Data Attack
- Stack overflow on GHTTPD used to gain root with a single GET command!
  - GET AAAA\xdc\xd7\xff\xbf<</cgi-bin/../../../../bin/sh
- Classic TOCTTOU attack with an invalid path.
- Server checks the 1st part of the command for the old "/.." trick.
- Pointer to the now-OK URL is then corrupted to reference the illegal string in the 2nd part of the GET.
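The check-then-use gap on this slide, as an added example that is not code from the paper or from GHTTPD: the server validates the URL once and later dereferences a pointer to it, so whatever that pointer references at use time is what gets executed. The corruption itself is only modelled (a second string handed in as the "corrupted" pointer value); the function names, buffer size and paths are assumptions made for the example. The hardened shape copies the URL into a local buffer, validates the copy component by component, and executes only the copy.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not code from the paper or from GHTTPD). It models the
 * check-then-use gap described on the slide: the server validates the URL
 * once, but later dereferences a pointer to it, so anything that changes
 * that pointer between check and use (a non-control-data corruption) is
 * executed unchecked. The corruption is modelled by passing in a second
 * pointer value, not performed. */

#define MAX_URL 256

/* Walk the path component by component and reject any ".." component.
 * A substring search for "/.." misses "cgi-bin/.." at the end of a path
 * and wrongly rejects names such as "a..b"; a component walk does neither. */
int path_escapes(const char *url) {
    const char *p = url;
    while (*p) {
        while (*p == '/') p++;               /* skip separators */
        const char *start = p;
        while (*p && *p != '/') p++;         /* one component */
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 1;
    }
    return 0;
}

/* Validate a URL in place: must live under /cgi-bin/ and not escape it. */
int url_ok(const char *url) {
    return strncmp(url, "/cgi-bin/", 9) == 0 && !path_escapes(url);
}

/* Vulnerable shape: check the bytes behind 'url', then carry the POINTER to
 * the use site. 'corrupted' stands in for a memory-safety bug that
 * overwrites that pointer in the window between check and use. Returns the
 * path that would be executed, or NULL if the request is refused. */
const char *serve_check_then_use(const char *url, const char *corrupted) {
    if (!url_ok(url)) return NULL;            /* check: passes on the good URL */
    if (corrupted) url = corrupted;           /* data-only corruption of the pointer */
    return url;                               /* use: executes whatever url points at now */
}

/* Hardened shape: the validated bytes and the executed bytes are the same
 * local copy, so a later change to the original pointer is irrelevant. */
const char *serve_copy_then_check(const char *url, const char *corrupted,
                                  char out[MAX_URL]) {
    size_t n = strlen(url);
    if (n >= MAX_URL) return NULL;
    memcpy(out, url, n + 1);                  /* copy first ... */
    if (!url_ok(out)) return NULL;            /* ... validate the copy ... */
    if (corrupted) url = corrupted;           /* corruption hits the stale pointer only */
    (void)url;
    return out;                               /* ... and execute only the copy */
}

int main(void) {
    char out[MAX_URL];
    const char *good = "/cgi-bin/hello.cgi";
    const char *bad  = "/cgi-bin/../../../../bin/sh";   /* constructed, mirrors the slide */
    printf("check-then-use executes:  %s\n", serve_check_then_use(good, bad));
    printf("copy-then-check executes: %s\n", serve_copy_then_check(good, bad, out));
    return 0;
}
```

The point of the hardened function is not the stronger ".." check (useful on its own) but that there is no second dereference of attacker-reachable memory between the check and the use: the only data the check does not cover is data the use never touches.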
12. (No Transcript)

13. (No Transcript)
14. (4) Decision-Making Data Attack
- Integer overflow exploit on multiple SSH servers allows an attacker to log on as root.
- Client responds to the root password request with a packet formulated to trigger an overflow in the detect_attack() function.
- Overflow corrupts the value of the boolean flag authenticated to a non-zero value. Done.
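The decision-making-data weakness on this slide, as an added example that is not code from the paper or from any SSH server: a long-lived flag tested as "non-zero means authenticated" is satisfied by almost any stray write into it. The example shows two hardening steps that need no memory-safety tooling: testing for one exact sparse value instead of != 0, and consuming the flag at the decision point and resetting it, which is the lifetime argument that also applies to the cached uid in the WU-FTP case on slide 9. The struct layout, the constant, the fixed password and the stray-write helper are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not code from the paper or from any SSH server). It
 * models the decision-making-data weakness on the slide: a long-lived flag
 * tested as "non-zero means authenticated" is satisfied by almost any stray
 * write into it. The layout, the constant and the password are constructed. */

#define AUTH_GRANTED 0x5A3C96E1u   /* constructed sparse value */
#define AUTH_NONE    0u

struct session {
    char     buf[16];        /* input buffer; a write past it lands on auth_state */
    uint32_t auth_state;
};

void session_init(struct session *s) {
    memset(s, 0, sizeof *s);
}

/* Stand-in password verifier: constant-time compare against a constructed
 * fixed secret so the example runs offline. */
static int verify_password(const char *pw) {
    static const char secret[] = "correct-horse";
    size_t n = strlen(pw);
    if (n != sizeof secret - 1) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(pw[i] ^ secret[i]);
    return diff == 0;
}

/* Records the verifier's result in the session. Returns 1 on success. */
int session_login(struct session *s, const char *pw) {
    s->auth_state = verify_password(pw) ? AUTH_GRANTED : AUTH_NONE;
    return s->auth_state == AUTH_GRANTED;
}

/* Original shape of the decision: any non-zero value grants access. */
int grants_access_weak(const struct session *s) {
    return s->auth_state != 0;
}

/* Hardened shape: only the exact sparse value grants access, so a flag
 * filled with arbitrary bytes reads as "not authenticated". */
int grants_access_hardened(const struct session *s) {
    return s->auth_state == AUTH_GRANTED;
}

/* Minimised lifetime: take the decision once, then reset the flag so later
 * corruption (or reuse of the session object) cannot ride on it. */
int consume_auth(struct session *s) {
    int ok = grants_access_hardened(s);
    s->auth_state = AUTH_NONE;
    return ok;
}

/* Models the slide's failure mode: a write that overruns buf and lands on
 * the flag. Done through offsetof so the example itself is well defined. */
void stray_write_into_flag(struct session *s, unsigned char fill) {
    memset((char *)s + offsetof(struct session, auth_state), fill,
           sizeof s->auth_state);
}
```

The sparse-value check does not stop the overwrite; it changes the odds, since a corrupted flag now has to hit one value in 2^32 rather than anything but zero. Resetting after use is what actually shrinks the window, which is why the slide on mitigations pairs "reinitialize with safe values" with the flag example.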
15. (No Transcript)
16. Defensive Techniques that Don't Work
- StackShield won't work: no address change.
- IDS system-call tracing?
  - Won't work: the system calls are unchanged.
- Non-executable memory protections?
  - Irrelevant: no injected code.
- Memory/type safety enforcement
  - Can prevent some NCD attacks, but with very high overhead and migration costs; currently unsuitable for high-traffic network applications.
17. Defensive Techniques: Mitigations
- StackGuard and FormatGuard are still effective against both attacks that use those initial exploits.
- Minimize the lifetime of critical data structures or reinitialize them with safe values (e.g. authenticated).
- Encrypt sensitive configuration data.
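The last mitigation, "encrypt sensitive configuration data", as an added example that is not code from the paper or from Null HTTPD: the goal behind the advice is that a configuration string an attacker can overwrite in memory must not be trusted as-is at the access decision. The example shows that goal with an integrity tag rather than encryption (a simpler illustration of the same idea, chosen here, not the paper's method): a keyed checksum is computed when the configuration is loaded and re-verified at every use, so the rewritten cgi-bin path from slide 7 fails closed instead of silently widening the policy. The checksum is a toy stand-in for a real MAC such as HMAC; the key, struct layout, paths and helper names are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not code from the paper or from Null HTTPD). The config
 * string is sealed with a keyed checksum at load time and checked at every
 * use. The checksum is a toy stand-in for a real MAC; key, layout and
 * paths are constructed. */

#define CFG_MAX 128

struct cgi_config {
    char     cgi_dir[CFG_MAX];   /* e.g. "/usr/local/httpd/cgi-bin" */
    uint32_t tag;                /* keyed checksum over cgi_dir */
};

/* Toy keyed checksum (FNV-1a with the key folded into the seed). Someone
 * who can overwrite cgi_dir but does not know the key cannot produce a
 * matching tag; a real deployment would use an HMAC and keep the key out
 * of attacker-reachable memory. */
static uint32_t keyed_sum(uint32_t key, const char *s) {
    uint32_t h = 2166136261u ^ key;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Load the directory from configuration and seal it. Returns 1 on success. */
int config_load(struct cgi_config *c, uint32_t key, const char *dir) {
    size_t n = strlen(dir);
    if (n == 0 || n >= CFG_MAX) return 0;
    memcpy(c->cgi_dir, dir, n + 1);
    c->tag = keyed_sum(key, c->cgi_dir);
    return 1;
}

/* 1 if cgi_dir still matches the tag computed at load time. */
int config_intact(const struct cgi_config *c, uint32_t key) {
    return c->tag == keyed_sum(key, c->cgi_dir);
}

/* Is 'path' a file directly under the configured directory? */
static int under_dir(const char *dir, const char *path) {
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && path[n] == '/' && path[n + 1] != '\0';
}

/* Original shape of the decision: trusts whatever cgi_dir says right now. */
int may_exec_cgi_weak(const struct cgi_config *c, const char *path) {
    return under_dir(c->cgi_dir, path);
}

/* Hardened shape: refuse unless the configuration passes its integrity
 * check, then apply the same path rule. */
int may_exec_cgi(const struct cgi_config *c, uint32_t key, const char *path) {
    if (!config_intact(c, key)) return 0;
    return under_dir(c->cgi_dir, path);
}

/* Models the data-only corruption on slide 7: the directory string is
 * rewritten in place and nothing else changes. */
void corrupt_cgi_dir(struct cgi_config *c, const char *replacement) {
    strncpy(c->cgi_dir, replacement, CFG_MAX - 1);
    c->cgi_dir[CFG_MAX - 1] = '\0';
}
```

A failed config_intact() check is also a detection signal worth logging: a server's sealed configuration should never change between loads, so a mismatch during a request is strong evidence of memory corruption rather than misconfiguration.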
18. Other Potential Defenses/Research
- PointGuard (pointer-encryption compiler technique). Still needs work.
- Address-space randomization.
  - Helpful, but will not stop a determined attack.
- TaintCheck: partially effective.
  - Brutal overhead cost (5-37x), false positives.
- Extend IDS to include data-flow analysis (in addition to control-flow).
- Heuristic analysis of function parameter signatures.
19. Conclusions
- IDS based on just control-flow integrity is insufficient.
- Current defensive techniques are not comprehensive, and only provide partial coverage of NCD exploits.
- No generic memory protection is available at a reasonable (runtime) cost.
- Safer running closed-source apps??