Transcript Framing Signals*A Return to Portable Shellcode

Best Student Paper Award
Framing Signals—
A Return to Portable
Shellcode
Erik Bosman and Herbert Bos
Vrije Universiteit, Amsterdam
35th Security and Privacy
(May, 2014)
Outline
• Introduction
• Signal Delivery on UNIX Systems
• SROP
• Turing-Complete Interpreter
• Mitigation
A Seminar at Advanced Defense Lab
2014/6/16
2
Introduction
Kernel Space
User Space
System Call,
Interrupt
System Kernel
Application
Signal
A Seminar at Advanced Defense Lab
2014/6/16
3
In This Paper…
• While each flavor handles signals in slightly different ways, the
different implementations are all very similar.
• We show that the implementation can be used as an attack method in
exploits and backdoors.
A Seminar at Advanced Defense Lab
2014/6/16
4
Stack Smashing Attacks
Stack
• But…
• W^X (OpenBSD)
• Exec Shield (Linux)
Return Address
• DEP (Windows)
Shellcode
Buffer
A Seminar at Advanced Defense Lab
2014/6/16
5
Code Reuse Attacks
Stack
Code
Return Address
Return Address
Return Address
Buffer
A Seminar at Advanced Defense Lab
2014/6/16
6
Ret-to-libc vs. ROP
Ret-to-libc
ROP/JOP
SROP
Complexity
Few function addresses Many gadgets
Few gadgets
Code source
Only functions in
library
Any executable segment
As ROP
To defeat
ASLR
• Information leak
• Information leak
As ROP
• Non-randomized library
To change
shellcode
Easy
Hard
A Seminar at Advanced Defense Lab
Easy
2014/6/16
7
Signal Delivery on Early UNIX Systems
Code
Stack
ip
User
Code
Signal Handler
sp
User Context
Signal
Frame
Signal Parameters
Kernel
Code
Return Address
Signal Dispatcher
A Seminar at Advanced Defense Lab
2014/6/16
8
UNIX V6 Interrupt Routine
A Seminar at Advanced Defense Lab
2014/6/16
9
sigreturn System call (4.3BSD)
Code
User
Code
Signal Handler
Stack
ip
User Context
Invoke sigreturn
Signal Parameters
Kernel
Code
Return Address
Signal Dispatcher
A Seminar at Advanced Defense Lab
sp
2014/6/16
10
A Signal Frame in Linux x86-64
A Seminar at Advanced Defense Lab
2014/6/16
11
SROP
Code
User
Code
Signal Handler
Stack
ip
User Context
Invoke sigreturn
Signal Parameters
Kernel
Code
Return Address
Signal Dispatcher
A Seminar at Advanced Defense Lab
sp
2014/6/16
12
A Seminar at Advanced Defense Lab
2014/6/16
13
A example of sigreturn chain in SROP
Stack
sp
sp
sp
rip: syscall
rax: sys_yyy num
Other register:
Syscall arguments
mov sigreturn, %rax
syscall
ret
ip
ip
ip
Ret: sigreturn
rip: syscall
rax: sys_xxx num
Other register:
Syscall arguments
sp
sp
Code
rax
sigreturn
sys_xxx
sys_yyy
Ret: sigreturn
A Seminar at Advanced Defense Lab
2014/6/16
14
SROP Pre-conditions
• The attacker should have control over the instruction pointer.
• The stack pointer should be located on attacker controlled data and
NULL bytes must be allowed.
• The attacker knows the address of a piece of data controlled by the
attacker.
• The attacker knows the location of code calling sigreturn, or
syscall.
A Seminar at Advanced Defense Lab
2014/6/16
15
Finding a sigreturn Gadget
A Seminar at Advanced Defense Lab
2014/6/16
16
Linux x86-64 vsyscall page
A Seminar at Advanced Defense Lab
2014/6/16
17
A Linux x86-64 SROP Exploit
A Seminar at Advanced Defense Lab
2014/6/16
18
SROP as a Backdoor
A Seminar at Advanced Defense Lab
2014/6/16
19
A SROP syscall proxy on iOS
A Seminar at Advanced Defense Lab
2014/6/16
20
Turing-Complete Interpreter
A Seminar at Advanced Defense Lab
2014/6/16
21
Mitigation
• Signal Frame Canaries
A Seminar at Advanced Defense Lab
2014/6/16
22
Q&A
A Seminar at Advanced Defense Lab
2014/6/16
23