Protection Mechanisms against Software Exploitation

1
Protection Mechanisms against Software
Exploitation
TPM Technical Presentation Milestone

• Joseph Hong
• 2B Software Engineering
• University of Waterloo
• July 25th, 2011

2
Outline

• Definition/Motives
• Buffer Overflow Attacks
• Protection Mechanisms
• Address Space Layout Randomization(ASLR)
• Data Execution Prevention(NX bit)
• Stack Cookie(Canary words)
• Summary

3
Definition/Motives

• Act of taking advantage of vulnerabilities to
  cause unintended behaviour on computer software
• Privilege Escalation
• Unauthorized Data Access
• Arbitrary Code Execution
• Motives
• Obtain government/trade secrets
• Gain reputation
• Unlock all features
• Usually carried out over the internet

4
Buffer Overflow Attacks

• Most widely used
• Low-level executables have inherent risk
• Platform/Architecture independent
• Stack-based Exploitation
• Heap-based Exploitation

5
Call Stack Overview

• Return address of the caller gets pushed
• Stack frame is allocated for stack variable
• Stack register points to the top element of the
  call stack

1 int main()
2
3 int dummy
4 foo()
5
10
11 void foo()
12
13 char buffer1000
14 int i
15
20 return
21
Line 4, ESP0x6803F0
Line 11, ESP0x6803EC
Line 15, ESP0x680000
Line 21, ESP0x6803EC
0x6803F0 Dummy
0x6803F4-
0x6803EC Address to Line 5
0x6803F0 Dummy
0x6803F4-
0x680000 0x6803E4 buffer1000
0x6803E8 i
0x6803EC Address to Line 5
0x6803F0 dummy
6
Stack-based Buffer Overflow Attacks
strcpy(buffer,input)

• Find a function that takes data into the buffer
  without checking its size
• Pass garbage data shellcode to overwrite call
  stack

0x680000 0x6803E4 buffer1000
0x6803E8 i
0x6803EC Address to Line 4
0x6803F0 dummy
0x680000 0x6803E8 Garbage Data
0x6803EC ???
0x6803F0 Shellcode
7
Stack-based Buffer Overflow Attacks
ESP0x6803EC
strcpy(buffer,input)

• Location of stack changes on each program startup
• Do not know where the shellcode will be located
  at
• ESP register points to the shellcode
• X86 instruction jmp esp (opcodeFF E4) sets
  PCESP

0x680000 0x6803E8 Garbage Data
0x6803EC ???
0x6803F0 Shellcode
0x680000 0x6803E8 Garbage Data
0x6803EC Addr. to jmp esp instr.
0x6803F0 Shellcode
8
Stack-based Buffer Overflow Attacks
ESP0x6803EC
strcpy(buffer,input)

• Find FF E6 in one of core modules
• Set return address to this instruction
• Return pointer now points to jmp esp
  instruction
• Also known as jump trampolining

0x680000 0x6803E8 Garbage Data
0x6803EC ???
0x6803F0 Shellcode
0x680000 0x6803E8 Garbage Data
0x6803EC 0x7C941EED
0x6803F0 Shellcode
9
Address Space Layout Randomization(ASLR)

• Precise location of jmp esp must be known for
  successful attack
• ASLR works by randomizing the base address of
  modules
• The address will change on every startup
• On 32-bit system upper 16bit is randomized
• On 64-bit system middle 32bit is randomized
• Very effective due to much greater bits of
  entropy
• Supported by all mainstream OSes
• Prone to Heap Spray Attacks

10
Heap Spray Attacks

• Can be used to bypass ASLR
• Used by most browser exploits since 2004
• Allocates huge amount of memory using javascript
• Filled with NOP instruction (No-Operation) with
  shell code at the end (NOP slide)
• Jump to random address and hope to land in the
  allocated memory
• Surprisingly very high chance of success

11
Heap Spray Attacks (example)

• var x new Array()
• // Fill 200MB of memory
• // with copies of the
• // NOP slide and shellcode
• for(var i0ilt200i)
• xi nop shellcode

0x680000 0x6803E8 Garbage Data
0x6803EC Addr to Probable Nop Slide
12
Data Execution Prevention(NX/XD bit)

• No-eXecute bit(AMD) or eXecute Disable bit(Intel)
• First introduced in 2000 by AMD for x86
  Architecture
• Controls executability of memory page
• Shell code in the stack/heap will not be directly
  executable

13
Stack Cookie

• Also called as canary words
• Values placed between stack frame and return
  address
• Checks for corruption before returning
• Corruption indicates buffer overflow
• Enabled by default on GCC(as Stack-Smashing
  Protector) and Visual Studio(/GS flag)

14
Stack Cookie
0x680000 0x6803E4 buffer1000
0x6803E8 I
0x6803EC cookie
0x6803F0 Address to Line 4
0x6803F4 dummy

• Compiler adds automated checking function around
  the implementation
• Aborts the program when a corruption is detected

void foo() char buf256
strcpy(buf,input)

• random_cookierand()
• void foo()
• int cookierandom_cookie
• char buf256
• strcpy(buf,input)
• if(cookie!random_cookie)
• abort()

15
Stack Cookie

• Provides maximum protection
• Level of protection depends on many factors
• Is the cookie guessable/calculatable?
• Where is the original cookie located?
• Original cookie may be overwritten
• Does it raise exception or simply abort the
  program?
• Exception handler may be overwritten (SEH
  Overwrite attack)
• Aborting program is usually safer
• Has performance overhead

16
Best Practices

• These are the last line of defence
• No protection mechanisms are completely
  fail-proof
• Consider security from ground up

17
Summary

• Definition of software exploitation
• How stack buffer overflow works
• Mechanisms that are in place

18
References

• Reverse Engineering and the ANI Vulnerability
  Alex Sortirov
• lthttp//www.phreedom.org/presentations/reverse-eng
  ineering-ani/gt
• Exploit (computer security) lthttp//en.wikipedia.o
  rg/wiki/Exploit_(computer_security)