Defcon 23 - Daniel Selifonov - drinking from LETHE

1. Drinking from LETHE: New methods of exploiting and mitigating memory corruption vulnerabilities Daniel Selifonov DEF CON 23 August 7, 2015

2. Show of Hands 1. Have you written programs in C or C++? 2. Have you implemented a classic stack smash exploit? 3. … a return-to-libc or return-oriented- programming exploit? 4. … a return-to-libc or ROP exploit that used memory disclosure or info leaks?

3. Motivations ● Software is rife with memory corruption vulnerabilities ● Most memory corruption vulnerabilities are directly applicable to code execution exploits ● And there's no end in sight...

4. Motivations (II) ● Industrialized ecosystem of vulnerability discovery and brokering weaponized exploits ● Little of this discovery process feeds into fixes... The other AFL

5. Motivations (III) ● State actor (e.g. NSA Tailored Access Operations group) budgets: ≈ $∞ ● Bug bounties just drive up prices ● Target supply, not demand for exploits...

6. The Plan ● Sever the path between vulnerability and (reliable) exploit ● Why do programmers keep hitting this fundamental blindspot? ● Defenses are born in light of attack strategies

7. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; }

9. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit>

11. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> <return address to >

13. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> <return address to > <4 bytes for 'int a'>

14. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> <return address to > <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'>

16. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> <return address to > <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <return address to >

18. Memory Safety #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to C runtime exit> <return address to > <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <return address to >

26. Part II: Code Injection

27. Smashing the Stack (1996) #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to > <return address to C runtime exit> <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <return address to >

31. Smashing the Stack (1996) #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to > <return address to C runtime exit> <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'>

32. Smashing the Stack (1996) #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to > <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'>

33. Smashing the Stack (1996) #include <stdio.h> int main() { foo(); bar(11, 12); return 0; } void foo() { int a; char b[23]; gets(b); printf("Hey %s!n",b); } int bar(int x, int y) { return x + y; } <return address to > <4 bytes for 'int a'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'> <4 bytes for 'char b[]'>

34. Paging/Virtual Memory 0xdeadbeef

35. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111

36. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823)

37. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries)

38. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) CR3

39. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) CR3

40. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) CR3 PDE

41. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) Page Table (1024 ents) CR3 PDE

44. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) Page Table (1024 ents) CR3 PDE PTE

45. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) Page Table (1024 ents) Page 4096 bytes CR3 PDE PTE

48. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) Page Table (1024 ents) Page 4096 bytes CR3 PDE PTE Byte

49. Paging/Virtual Memory 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) 111011101111 (3823) Page Directory (1024 entries) Page Table (1024 ents) Page 4096 bytes CR3 PDE PTE Byte

50. Page Table Entries 32 0 Physical address of next level Read/ Write User/ Supervisor

51. Paging made fast: TLB 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731)

52. Paging made fast: TLB 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) Page (4096 bytes)

55. Paging made fast: TLB 0xdeadbeef 11011110101011011011111011101111 1101111010 (890) 1011011011 (731) Page (4096 bytes) Virtual Address Physical Address Aggregate Permissions TLB Entry:

56. PaX PAGEEXEC (2000) User/ Supervisor: Emulates Non-Exec Instruction TLB: Data TLB: Virtual Addr Physical Addr Permission Virtual Addr Physical Addr Permission Instruction Pointer: PaX Page Fault Strategy: if (supervisor page && IP on faulting page) { Terminate } else { Set user page in PTE Prime Data TLB Set supervisor page in PTE }

57. PaX PAGEEXEC (2000) User/ Supervisor: Emulates Non-Exec Instruction TLB: Data TLB: Virtual Addr Physical Addr Permission Virtual Addr Physical Addr Permission Instruction Pointer: PaX Page Fault Strategy: if (supervisor page && IP on faulting page) { Terminate } else { Set user page in PTE Prime Data TLB Set supervisor page in PTE } 1

62. PaX PAGEEXEC (2000) User/ Supervisor: Emulates Non-Exec Instruction TLB: Data TLB: Virtual Addr Physical Addr Permission Virtual Addr Physical Addr Permission Instruction Pointer: ~ User/~ PaX Page Fault Strategy: if (supervisor page && IP on faulting page) { Terminate } else { Set user page in PTE Prime Data TLB Set supervisor page in PTE } 0

67. PaX PAGEEXEC (2000) User/ Supervisor: Emulates Non-Exec Instruction TLB: Data TLB: Virtual Addr Physical Addr Permission Virtual Addr Physical Addr Permission Instruction Pointer: ~ User/~ PaX Page Fault Strategy: if (supervisor page && IP on faulting page) { Terminate } else { Set user page in PTE Prime Data TLB Set supervisor page in PTE } ~ User/~ 1

68. Page Level Permissions User Supervisor PaX/NX Not-Writable Read/Execute Read Writable Read/Write/Execute Read/Write For mapped pages:

69. Part III: Code Reuse

70. Return to libc (1997) ... <Shell code> <Shell code> <Shell code> <Shell code> <Shell code> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <smashed return address to ~ >

71. Return to libc (1997) ... <Shell code> <Shell code> <Shell code> <Shell code> <Shell code> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <nop> <smashed return address to ~ >

72. Return to libc (1997) ... sh” /bas “/bin <pointer to > <dummy value> <smashed ret to libc system() > ... <vulnerable buffer>

73. Return to libc (1997) ... sh” /bas “/bin <pointer to > <dummy value> <smashed ret to libc system() > ... <vulnerable buffer> ... <pointer to “/bin/bash”> <saved return address> <local variable for system()> <local variable for system()> ... ...

74. Return to libc (1997) ... sh” /bas “/bin <pointer to > <dummy value> <smashed ret to libc system() > ... <vulnerable buffer> ... <pointer to “/bin/bash”> <saved return address> <local variable for system()> <local variable for system()> ... ...

75. Return Oriented Programming ('07) ... <argument popping gadget addr> <argument 2> <argument 1> <argument popping gadget addr> <gadget addr 2> <argument 2> <argument 1> <argument popping gadget addr> <gadget addr 1> push eax ret pop eax ret pop ebx ret mov [ebx],eax ret xchg ebx,esp ret pop edi pop ebp ret

76. Address Space Layout Randomization (2003) 0...00 f...ff Stack Heap mmap Library A Library B Library C Program Code Stack Heap mmap Library A Library B Library C Program Code

77. Part IV: Memory Disclosure & Advanced Code Reuse

78. Offset Fix Ups Library Relative 0..00 libc

79. Offset Fix Ups Library Relative 0..00 libc Library Relative 0..23: location of system()

80. Offset Fix Ups Library Relative 0..00 libc Library Relative 0..23: location of system() Library Relative 0..46: location of printf()

81. Offset Fix Ups Library Relative 0..00 libc Library Relative 0..23: location of system() Library Relative 0..46: location of printf() Randomized Virtual Addr for printf: 0xdefc0b46

82. Offset Fix Ups Library Relative 0..00 libc Library Relative 0..23: location of system() Library Relative 0..46: location of printf() Randomized Virtual Addr for printf: 0xdefc0b46 Randomized Virtual Addr for system: 0xdefc0b23

83. Offset Fix Ups Library Relative 0..00 libc Library Relative 0..23: location of system() Library Relative 0..46: location of printf() Randomized Virtual Addr for printf: 0xdefc0b46 Randomized Virtual Addr for system: 0xdefc0b23

84. Fine Grained ASLR ● Smashing the Gadgets (2012) ● Address Space Layout Permutation (2006) lib-func-a lib-func-b lib-func-b lib-func-f lib-func-c lib-func-a lib-func-d lib-func-c lib-func-f lib-func-d Function level FG-ASLR: mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx xor ecx, ecx push eax push ebx push ecx call foo mov edx, [ebp-4] mov esi, [ebp-8] add edx, esi xor edi, edi push edx push esi push edi call foo

85. Just-in-Time Code Reuse (2013) Code Ptr: 0xdeadbeef

86. Just-in-Time Code Reuse (2013) Code Ptr: 0xdeadbeef 4K Page @ 0xdeadb000

87. Just-in-Time Code Reuse (2013) Code Ptr: 0xdeadbeef 4K Page @ 0xdeadb000 ... mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx push eax push ebx call 0x64616d6e ...

88. Just-in-Time Code Reuse (2013) Code Ptr: 0xdeadbeef 4K Page @ 0xdeadb000 ... mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx push eax push ebx call 0x64616d6e ...

89. Just-in-Time Code Reuse (2013) Code Ptr: 0xdeadbeef 4K Page @ 0xdeadb000 ... mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx push eax push ebx call 0x64616d6e ... 4K Page @ 0x64616000

92. The Value of One Pointer? Volcano and Hobbit: sold separately.

93. Part V: Conceal & Forget

94. C++ Virtual Function Tables Instance of class Dog Vtable ptr Member: name Member: age Member: breed Instance of class Cat Vtable ptr Member: name Member: fav. catnip Member: sharp claws? Function ptr: feed() Function ptr: pet() Function ptr: sound() Function ptr: feed() Function ptr: pet() Function ptr: sound() Animal → Dog, Animal → Cat class Cat : public Animal { … void sound() { printf(“Meow!”); } … } class Dog : public Animal { … void sound() { printf(“Woof!”); } … }

95. C++ Virtual Function Tables Instance of class Dog Vtable ptr Member: name Member: age Member: breed Instance of class Cat Vtable ptr Member: name Member: fav. catnip Member: sharp claws? Function ptr: feed() Function ptr: pet() Function ptr: sound() Function ptr: feed() Function ptr: pet() Function ptr: sound() Animal → Dog, Animal → Cat class Cat : public Animal { … void sound() { printf(“Meow!”); } … } class Dog : public Animal { … void sound() { printf(“Woof!”); } … }

96. Knights and Knaves Instance of class Dog Vtable ptr Member: name Member: age Member: breed Function ptr: feed() Function ptr: pet() Function ptr: sound()

97. Knights and Knaves Instance of class Dog Vtable ptr Member: name Member: age Member: breed Function ptr: feed() Function ptr: pet() Function ptr: sound() Function ptr? feed() Function ptr? feed() Function ptr? feed() Function ptr? pet() Function ptr? pet() Function ptr? pet() Function ptr? sound() Function ptr? sound() Function ptr? sound()

98. Knights and Knaves Instance of class Dog Vtable ptr Member: name Member: age Member: breed Function ptr? feed() Function ptr? feed() Function ptr? feed() Function ptr? pet() Function ptr? pet() Function ptr? pet() Function ptr? sound() Function ptr? sound() Function ptr? sound()

101. Execute Only Memory Code Ptr: 0xdeadbeef 4K Page @ 0xdeadb000 ... mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx push eax push ebx call 0x64616d6e ...

102. Execute Only Memory Code Ptr: 0xdeadbeef 4K Page @ 0xdeadb000 ... mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx push eax push ebx call 0x64616d6e ...

103. Necessary vs. Sufficient ● Code reuse requires: – No ASLR: A priori knowledge of place – ASLR: A priori knowledge of relative place + runtime discovery of offset – FG-ASLR: Runtime discovery of value at discovered place ● No runtime discovery? No discovery of value or place and no code to reuse: – XO-M + FG-ASLR = <3

104. Elephant in the Room Two words: memory overhead https://www.flickr.com/photos/mobilestreetlife/4179063482

105. Blunting the Edge ● Oxymoron (2014) – Key idea: call fs:0x100 mov eax, [ebp-4] mov ebx, [ebp-8] add eax, ebx xor ecx, ecx push eax push ebx push ecx call fs:0x100 ... 0x110: jmp ... 0x10c: jmp ... 0x108: jmp ... 0x104: jmp ... 0x100: jmp 0xdefc23defc23 0xfc: jmp ... 0xf8: jmp ... 0xf4: jmp ... ... Start of fs segment at random addr...

106. Xen, Linux, & LLVM ● Xen 4.4 introduced PVH mode (Xen 4.5 → PVH dom0) – PVH uses Intel Extended Page Tables for PFN → MFN translations – EPT supports explicit R/W/E permissions ● Linux mprotect M_EXECUTE & ~M_READ sets EPT through Xen – Xen injects violations into Linux #PF handler ● LLVM for FG-ASLR and execute-only codegen

107. Part VI: Closing Thoughts

108. Takeaways Non-Writable Readable EPT ~R X Read/Execute Execute Only NX Read Nothing Writable Readable EPT ~R X Read/Write/Execute Write/Execute NX Read/Write Write

109. Takeaways Non-Writable Readable EPT ~R X Read/Execute Execute Only NX Read Nothing Writable Readable EPT ~R X Read/Write/Execute Write/Execute NX Read/Write Write Constant Data

110. Takeaways Non-Writable Readable EPT ~R X Read/Execute Execute Only NX Read Nothing Writable Readable EPT ~R X Read/Write/Execute Write/Execute NX Read/Write Write Constant Data Stack/Heap/mmap

111. Takeaways Non-Writable Readable EPT ~R X Read/Execute Execute Only NX Read Nothing Writable Readable EPT ~R X Read/Write/Execute Write/Execute NX Read/Write Write Constant Data Stack/Heap/mmap Program/Library Code

115. FIN ● Code: <TBD> ● White Paper: <TBD> ● Email: ds@thyth.com ● Twitter: @dsThyth ● PGP: – 201a 7b59 a15b e5f0 bc37 08d3 bc7f 39b2 dfc0 2d75

Defcon 23 - Daniel Selifonov - drinking from LETHE

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Defcon 23 - Daniel Selifonov - drinking from LETHE

Similar to Defcon 23 - Daniel Selifonov - drinking from LETHE (20)

More from Felipe Prado

More from Felipe Prado (20)

Recently uploaded

Recently uploaded (20)

Defcon 23 - Daniel Selifonov - drinking from LETHE