Everybody be cool, this is a ROPpery


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Here go rants about how hard exploitation is
  • Here goes the ode of ROP
  • Everybody be cool, this is a ROPpery

    1. 1. Everybody be cool, this is a roppery!<br />Vincenzo Iozzo (vincenzo.iozzo@zynamics.com) zynamics GmbH<br />Tim Kornau (tim.kornau@zynamics.com) zynamics GmbH<br />Ralf-Philipp Weinmann (ralf-philipp.weinmann@uni.lu) Université du Luxembourg <br />BlackHat Vegas 2010<br />
    2. 2. Overview<br />Introduction <br />Gentle overview<br />Finding gadgets<br />Compile gadgets <br />Some fancy demos<br />Further work<br />
    3. 3. Introduction<br />Exploitation with non-executable pages is not much fun<br />
    4. 4. But we have funny ideas<br />Exploitation with non-executable pages is not much fun.. Unless you use “return-oriented programming”<br />
    5. 5. Gentle introduction<br />
    6. 6. But life is hard<br />Code signing<br />Sandboxing<br />ROP<br />We were lucky!<br />
    7. 7. Code Signing<br />Used to make sure that only signed (Apple verified) binaries can be executed<br /><ul><li> If a page has write permissions it can’t have executable permissions
    8. 8. No executable pages on the heap
    9. 9. Only signed pages can be executed</li></li></ul><li>ROP<br />Instructions<br />returnsequence<br />Variables for the gadget<br />Address of the next gadget<br />Instructions<br />return sequence<br />Variables for the gadget<br />Address of the next gadget<br />Instructions<br />return sequence<br />Variables for the gadget<br />Address of the next gadget<br />Instructions<br />return sequence<br />Variables for the gadget<br />Address of the next gadget<br />Instruction sequences<br />within the attacked binary<br />Attacker controlled<br />memory<br />
    10. 10. ROP - Workflow<br />Find the gadgets<br />Chain them to form a payload<br />Test the payload on your target<br />
    11. 11. Finding Gadgets Overview<br />Goal definition <br />Motivation<br />Strategy<br />Algorithms<br />Results<br />Further improvement<br />
    12. 12. Goal definition<br />Build an algorithm which is capable of locating gadgets within a given binary automatically without major side effects.<br />
    13. 13. Motivation I<br />Little spirits need access to a wide range of devices.<br />Because what is a device without a spirit?<br />
    14. 14. Motivation II<br />We want to be able to execute our code:<br /><ul><li> in the presents of non-executable protection (AKA NX bit)
    15. 15. when code signing of binaries is enabled.
    16. 16. but we do not aim at ASLR.</li></li></ul><li>Strategy I<br /><ul><li> Build a program from parts of another program
    17. 17. These parts are named gadgets
    18. 18. A gadget is a sequence of (useable) instructions
    19. 19. Gadgets must be combinable
    20. 20. end in a “free-branch”
    21. 21. Gadgets must provide a useful operation
    22. 22. for example A + B </li></li></ul><li>Strategy II<br /><ul><li> The subset of useful gadgets must be locatable in the set of all gadgets
    23. 23. Only the “simplest” gadget for an operation should be used
    24. 24. Side effects of gadgets must be near to zero to avoid destroying results of previous executed code sequences.
    25. 25. Use the REIL meta language to be platform independent.</li></li></ul><li>Strategy III<br />A small introduction to the REIL meta language<br /><ul><li> small RISC instruction set (17 instructions)
    26. 26. Arithmetic instructions (ADD, SUB, MUL, DIV, MOD, BSH)
    27. 27. Bitwise instructions (AND, OR, XOR)
    28. 28. Logical instructions (BISZ, JCC)
    29. 29. Data transfer instructions (LDM, STM, STR)
    30. 30. Other instructions (NOP, UNDEF, UNKN)
    31. 31. register machine
    32. 32. unlimited number of temp registers
    33. 33. side effect free
    34. 34. no exceptions, floating point, 64Bit, ..</li></li></ul><li>Algorithms<br /><ul><li> Stage I -> Collect data from the binary
    35. 35. Stage II -> Merge the collected data
    36. 36. Stage III -> Locate useful gadgets in merged data</li></li></ul><li>Algorithms stage I (I)<br />Goal of the stage I algorithms:<br /><ul><li> Collect data from the binary</li></ul>Extract expression trees from native instructions<br />Extract path information <br />A<br />B<br />+<br />D<br />C<br />R0<br />15<br />E<br />
    37. 37. Algorithms stage I (II)<br />Details of the stage I algorithms:<br />Expression tree extraction<br /><ul><li> Handlers for each possible REIL instruction</li></ul>Most of the handlers are simple transformations<br />STM and JCC need to be treated specially <br />Path extraction <br /><ul><li>Path is extracted in reverse control flow order</li></ul>+<br />*<br />*<br />OP<br />BISZ<br />OP<br />COND<br />COND<br />
    38. 38. Algorithms stage II (I)<br />Goal of the stage II algorithms:<br /><ul><li> Merge the collected data from stage I</li></ul>Combine the expression trees for single native instructions along a path<br />Determine jump conditions on the path<br />Simplify the result <br />
    39. 39. Algorithms stage II (II)<br />Details of the stage II algorithms:<br /><ul><li> Combine the expression trees for single native instructions along a path</li></ul>0x00000001 ADD R0, R1, R2<br />0x00000002 STR R0, R4<br />0x00000003 LDMFD SP! {R4,LR}<br />0x00000004 BX LR<br />
    40. 40. Algorithms stage II (III)<br />Details of the stage II algorithms:<br /><ul><li> Determine jump conditions on the path:
    41. 41. Simplify the result:</li></ul>Z FLAG MUST BE FALSE<br />0x00000001 SOME INSTRUCTION<br />0x00000002 BEQ 0xADDRESS<br />0x00000003 SOME INSTRUCTION<br />0x00000004 SOME INSTRUCTION<br />Generate condition tree<br />R0 = ((((((R2+4)+4)+4)+4) OR 0) AND 0xFFFFFFFF)<br />R0 = R2+16 <br />
    42. 42. Algorithms stage III (I)<br />Goal of the stage III algorithms:<br /><ul><li> Search for useful gadgets in the merged data
    43. 43. Use a tree match handler for each operation.
    44. 44. Select the simplest gadget for each operation
    45. 45. Use a complexity value to determine the gadget which is least complex. (side-effects)</li></li></ul><li>Algorithms stage III (II)<br />Details of the stage III algorithms:<br /><ul><li> Search for useful gadgets in the merged data</li></ul>Trees of a gadget candidate are compared to the tree of a specific operation.<br />Can you spot the match ?<br />
    46. 46. Algorithms stage III (III)<br />Details of the stage III algorithms:<br /><ul><li> Select the simplest gadget for each operation</li></ul>There are in most cases more instruction sequences which provide a specific operation. The overall complexity of all trees is used to determine which gadget is the simplest. <br />
    47. 47. Results of gadget finding<br /><ul><li> Algorithms for automatic return-oriented programming gadget search are possible.
    48. 48. The described algorithms automatically find the necessary parts to build the return-oriented program.
    49. 49. Searching for gadgets is not only platform but also very compiler dependent. </li></li></ul><li>Further improvement<br /><ul><li> Abstract gadget description language
    50. 50. Bring more platforms to REIL
    51. 51. Better understand the implications of different compilers used to build the analyzed binaries.</li></li></ul><li>Chaining gadgets<br />
    52. 52. Chaining gadgets<br /><ul><li>… by hand is like playing Tetris
    53. 53. With very ugly blocks
    54. 54. Each gadget set defines custom ISA
    55. 55. We have better scores that at...</li></li></ul><li>Chaining gadgets<br />
    56. 56. Chaining gadgets<br />Hence we have decided to <br />bring in some help...<br />
    57. 57. The Wolf<br /><ul><li> A ROP compiler for gadget sets with side-effects
    58. 58. Very basic language
    59. 59. Allows for easy ROPperies on ARM devices</li></li></ul><li>Living with side-effects<br /><ul><li>allowread: specifies readable memory ranges
    60. 60. allowcorrupt: expendable memory ranges
    61. 61. [corruption may occur here]
    62. 62. protect: registers must stay invariant
    63. 63. [SP and PC implicitly guarded]</li></li></ul><li>Statements<br /><ul><li> (multi-)assignment
    64. 64. Conditional goto statement
    65. 65. Call statement (calling lib functions)
    66. 66. Data definitions
    67. 67. Labels for data/code</li></li></ul><li>Multi-assignment<br /><ul><li> Example from PWN2OWN payload:</li></ul> (r0, r1, r2) <<_| (mem[sockloc], sin, SIZE_SIN)<br />memory read<br />constant<br />targets<br />data reference<br />assignment operator<br />
    68. 68. Loops<br /><ul><li>define label for
    69. 69. conditional jump
    70. 70. label(clear_loop)
    71. 71. r1 = 256
    72. 72. (mem[r0], r2, r1) <<_| (0, (3*r1) & 255, r1-1)
    73. 73. r0 = r0+4
    74. 74. gotoifnz(r1, clear_loop)</li></ul>RHS may contain arithmetic-logical <br />calculations: <br /><ul><li>+,-,*,/, %, ^, |, &, <<, >> </li></li></ul><li>Hired help: STP<br /><ul><li> Mr. Wolf is a high-level problem solver: </li></ul>he likes to delegate<br /><ul><li> Menial work: let someone else do it
    75. 75. In this case STP
    76. 76. [Simple Theorem Prover]</li></li></ul><li>What is STP?<br /><ul><li> Constraint solver for problems involving bit-vectors and arrays
    77. 77. Open-source, written by Vijay Ganesh
    78. 78. Used for model-checking, theorem proving, EXE, etc.
    79. 79. Gives Boolean answer whether formula is satisfiable & assignment if it is</li></li></ul><li>STP formulae<br />Just a bunch of assertions in QF_ABV<br /><ul><li>Simple example:
    80. 80. x0 : BITVECTOR(4);
    81. 81. ...
    82. 82. x9 : BITVECTOR(4);
    83. 83. ASSERT (BVPLUS(4,BVMULT(4,x0, 0hex6), 0hex0, 0hex0,
    84. 84. BVMULT(4,x3, 0hex7), BVMULT(4,x4, 0hex4),
    85. 85. BVMULT(4,x5, 0hex6), BVMULT(4,x6, 0hex4),
    86. 86. 0hex0, 0hex0, BVMULT(4,x9, 0hex8),0hex0) = 0hex7);</li></li></ul><li>High-level algorithm<br /><ul><li> For multi-assignments</li></ul>Find all gadgets assigning to targets<br />Verify constraints for each (protect/memread/memcorrupt)<br />Find all gadgets for expressions on RHS<br />Chain expression gadgets<br />Connect LHS and RHS <br />
    87. 87. Notes on chaining algorithm<br /><ul><li> Chaining for arithmetic/logical expressions may use registers/memory locations for temporary results
    88. 88. Multi-assignments give us freedom
    89. 89. Algorithm sometimes may fail because constraints cannot be satisfied [insufficient gadgets]</li></li></ul><li>Wrapping up<br /><ul><li> We showed that return-oriented programming is a valuable addition to your offensive ARM targeting arsenal.
    90. 90. Automatic chaining of gadgets with side effects is possible and feasible.
    91. 91. A roppery is fun and Mr. Wolf helps if things get bloddy. </li></li></ul><li>K got the payload, now?<br />You could test it on a jailbroken phone<br /><ul><li> Does not match reality
    92. 92. No code signing for instance
    93. 93. Still an option if exploit reliability is not your primary concern</li></li></ul><li>K got the payload, now? ..Take 2<br />You could test it on a developer phone<br /><ul><li> Have a small application to reproduce a “ROP scenario”
    94. 94. Depending on the application you’re targeting the sandbox policy is different
    95. 95. Still closer to reality</li></li></ul><li>Simple plan<br /><ul><li> Allocate a buffer on the heap
    96. 96. Fill the buffer with the shellcode
    97. 97. Point the stack pointer to the beginning of the stack
    98. 98. Execute the payload
    99. 99. Restore</li></li></ul><li>Future work<br /><ul><li> Port to other platforms (eg: x86)
    100. 100. Abstract language to describe gadgets
    101. 101. Try to avoid “un-decidable” constraints
    102. 102. Make it more flexible to help when ASLR is in place </li></li></ul><li>Thanks for your time<br />Questions?<br />