Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Return-oriented Programming:
Exploitation without Code Injection
     Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Sha...
Bad code versus bad behavior

         “Bad”                          “Good”
        behavior                        behav...
The Return-oriented programming thesis


       any sufficiently large program codebase




     arbitrary attacker comput...
Security systems endangered:
     W-xor-X aka DEP
 
          Linux, OpenBSD, Windows XP SP2, MacOS X
      
          H...
Return-into-libc and W^X
W-xor-X
     Industry response to code injection exploits
 
     Marks all writeable locations in a process’ address spac...
Return-into-libc
     Divert control flow of exploited program into libc code
 
          system(), printf(), …
      

...
The Return-oriented programming thesis:
return-into-libc special case

                attacker control of stack




     ...
Our return-into-libc generalization
     Gives Turing-complete exploit language
 
          exploits aren’t straight-line...
Return-oriented programming
                                                       …
     connect back to attacker        ...
Related Work
     Return-into-libc: Solar Designer, 1997
 
          Exploitation without code injection
      

     Re...
Mounting attack
     Need control of memory around %esp
 
     Rewrite stack:
 
          Buffer overflow on stack
     ...
Principles of
return-oriented programming
Ordinary programming: the machine level

        insn      insn                 insn         insn           insn




     ...
Return-oriented programming:
the machine level
                            insns … ret        insns … ret
                ...
No-ops                                                                 C library
                                         ...
Immediate constants
                                                               pop %ebx; ret



             mov $0xde...
Control flow
                                            pop %esp; ret




                jmp +4


            instructio...
Gadgets: multiple instruction sequences

                                  mov (%eax), %ebx; ret
                  pop %ea...
A Gadget Menagerie
Gadget design
     Testbed: libc-2.3.5.so, Fedora Core 4
 
     Gadgets built from found code sequences:
 
          loa...
“The Gadget”: July 1945




22           Return-oriented Programming: BH2008
Immediate rotate of memory word

                                                 roll %cl, 0x017383f8(%ebx)
             ...
Conditional jumps on the x86
     Many instructions set %eflags
 
     But the conditional jump insns perturb %eip, not %...
Conditional jump, phase 1: load CF




                                             neg %eax
%esp                         ...
Conditional jump, phase 2:
store CF to memory


                                                            movl %ecx, (%e...
Computed jump, phase 3:
compute delta-or-zero

                               andl %esi, (%ecx)
                          ...
Computed jump, phase 4:
perturb %esp using computed delta



                                                         addl...
Finding instruction sequences

                      (on the x86)
Finding instruction sequences
     Any instruction sequence ending in “ret” is useful —
 
     could be part of a gadget
...
Unintended instructions — ecb_crypt()
                                     c7
                                     45
  ...
Is return-oriented programming
                   x86-specific?

                  (Spoiler: Answer is no.)
Assumptions in original attack
     Register-memory machine
 
          Gives plentiful opportunities for accessing memor...
SPARC: the un-x86
     Load-store RISC machine
 
          Only a few special instructions access memory
      

     Re...
Return-oriented programming on SPARC
     Use Solaris 10 libc: 1.3 MB
 
     New techniques:
 
          Use instruction...
SPARC Architecture

                                                       Registers              Stack
     Registers:
 ...
SPARC Architecture
                                 Address                Storage
                                 Low Me...
Dataflow strategy
     Via register
 
          On restore, %i registers become %o registers
      
          First sequ...
Gadget operations implemented
                                                                    Control Flow
     Memory...
Gadget: Addition
     v1 = v2 + v3
 

        Inst. Seq.   Preset                 Assembly
                     %l7 = &%i...
Gadget: Branch Equal
                 Inst. Seq.           Preset       Assembly
                                      %l7...
Automation
Option 1: Write your own
      Hand-coded gadget layout
                                                            /sh0
...
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
Upcoming SlideShare
Loading in …5
×

Return-Oriented Programming: Exploits Without Code Injection

4,675 views

Published on

Published in: Technology
  • Dating for everyone is here: ♥♥♥ http://bit.ly/2Qu6Caa ♥♥♥
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Sex in your area is here: ❤❤❤ http://bit.ly/2Qu6Caa ❤❤❤
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Return-Oriented Programming: Exploits Without Code Injection

  1. 1. Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego
  2. 2. Bad code versus bad behavior “Bad” “Good” behavior behavior Application Attacker code code Problem: this implication is false! 2 Return-oriented Programming: BH2008
  3. 3. The Return-oriented programming thesis any sufficiently large program codebase arbitrary attacker computation and behavior, without code injection (in the absence of control-flow integrity) 3 Return-oriented Programming: BH2008
  4. 4. Security systems endangered: W-xor-X aka DEP   Linux, OpenBSD, Windows XP SP2, MacOS X   Hardware support: AMD NX bit, Intel XD bit   Trusted computing   Code signing: Xbox   Binary hashing: Tripwire, etc.   … and others   4 Return-oriented Programming: BH2008
  5. 5. Return-into-libc and W^X
  6. 6. W-xor-X Industry response to code injection exploits   Marks all writeable locations in a process’ address space   as nonexecutable Deployment: Linux (via PaX patches); OpenBSD;   Windows (since XP SP2); OS X (since 10.5); … Hardware support: Intel “XD” bit, AMD “NX” bit   (and many RISC processors) 6 Return-oriented Programming: BH2008
  7. 7. Return-into-libc Divert control flow of exploited program into libc code   system(), printf(), …   No code injection required   Perception of return-into-libc: limited, easy to defeat   Attacker cannot execute arbitrary code   Attacker relies on contents of libc — remove system()?   We show: this perception is false.   7 Return-oriented Programming: BH2008
  8. 8. The Return-oriented programming thesis: return-into-libc special case attacker control of stack arbitrary attacker computation and behavior via return-into-libc techniques (given any sufficiently large codebase to draw on) 8 Return-oriented Programming: BH2008
  9. 9. Our return-into-libc generalization Gives Turing-complete exploit language   exploits aren’t straight-line limited   Calls no functions at all   can’t be defanged by removing functions like system()   On the x86, uses “found” insn sequences, not code   intentionally placed in libc difficult to defeat with compiler/assembler changes   9 Return-oriented Programming: BH2008
  10. 10. Return-oriented programming … connect back to attacker again: … mov i(s), ch decr i while socket not eof read line cmp ch, ‘|’ jnz again jeq pipe … fork, exec named progs … stack: libc: load decr ? cmp jnz ? jeq 10 Return-oriented Programming: BH2008
  11. 11. Related Work Return-into-libc: Solar Designer, 1997   Exploitation without code injection   Return-into-libc chaining with retpop: Nergal, 2001   Function returns into another, with or without frame pointer   Register springs, dark spyrit, 1999   Find unintended “jmp %reg” instructions in program text   Borrowed code chunks, Krahmer 2005   Look for short code sequences ending in “ret”   Chain together using “ret”   11 Return-oriented Programming: BH2008
  12. 12. Mounting attack Need control of memory around %esp   Rewrite stack:   Buffer overflow on stack   Format string vuln to rewrite stack contents   Move stack:   Overwrite saved frame pointer on stack;   on leave/ret, move %esp to area under attacker control Overflow function pointer to a register spring for %esp:   set or modify %esp from an attacker-controlled register   then return   12 Return-oriented Programming: BH2008
  13. 13. Principles of return-oriented programming
  14. 14. Ordinary programming: the machine level insn insn insn insn insn instruction pointer Instruction pointer (%eip) determines which instruction   to fetch & execute Once processor has executed the instruction, it   automatically increments %eip to next instruction Control flow by changing value of %eip   14 Return-oriented Programming: BH2008
  15. 15. Return-oriented programming: the machine level insns … ret insns … ret C library insns … ret insns … ret insns … ret stack pointer Stack pointer (%esp) determines which instruction   sequence to fetch & execute Processor doesn’t automatically increment %esp; — but   the “ret” at end of each instruction sequence does 15 Return-oriented Programming: BH2008
  16. 16. No-ops C library ret nop nop nop instruction stack pointer pointer No-op instruction does nothing but advance %eip   Return-oriented equivalent:   point to return instruction   advances %esp   Useful in nop sled   16 Return-oriented Programming: BH2008
  17. 17. Immediate constants pop %ebx; ret mov $0xdeadbeef, %eax 0xdeadbeef (bb ef be ad de) instruction stack pointer pointer Instructions can encode constants   Return-oriented equivalent:   Store on the stack;   Pop into register to use   17 Return-oriented Programming: BH2008
  18. 18. Control flow pop %esp; ret jmp +4 instruction stack pointer pointer Ordinary programming:   (Conditionally) set %eip to new value   Return-oriented equivalent:   (Conditionally) set %esp to new value   18 Return-oriented Programming: BH2008
  19. 19. Gadgets: multiple instruction sequences mov (%eax), %ebx; ret pop %eax; ret (word to load) stack pointer Sometimes more than one instruction sequence needed   to encode logical unit Example: load from memory into register:   Load address of source word into %eax   Load memory at (%eax) into %ebx   19 Return-oriented Programming: BH2008
  20. 20. A Gadget Menagerie
  21. 21. Gadget design Testbed: libc-2.3.5.so, Fedora Core 4   Gadgets built from found code sequences:   load-store   arithmetic & logic   control flow   system calls   Challenges:   Code sequences are challenging to use:   short; perform a small unit of work   no standard function prologue/epilogue   haphazard interface, not an ABI   Some convenient instructions not always available (e.g., lahf)   21 Return-oriented Programming: BH2008
  22. 22. “The Gadget”: July 1945 22 Return-oriented Programming: BH2008
  23. 23. Immediate rotate of memory word roll %cl, 0x017383f8(%ebx) ret 0xdecafbad 0x00000004 pop %ecx pop %edx ret pop %ebx %esp ret 0xdeadbeef + 0x017383f8 23 Return-oriented Programming: BH2008
  24. 24. Conditional jumps on the x86 Many instructions set %eflags   But the conditional jump insns perturb %eip, not %esp   Our strategy:   Move flags to general-purpose register   Compute either delta (if flag is 1) or 0 (if flag is 0)   Perturb %esp by the computed amount   24 Return-oriented Programming: BH2008
  25. 25. Conditional jump, phase 1: load CF neg %eax %esp ret (As a side effect, neg sets CF if its argument is nonzero) 25 Return-oriented Programming: BH2008
  26. 26. Conditional jump, phase 2: store CF to memory movl %ecx, (%edx) ret adc %cl, %cl ret 0x00000000 pop %ecx %esp pop %edx ret (CF goes here) 26 Return-oriented Programming: BH2008
  27. 27. Computed jump, phase 3: compute delta-or-zero andl %esi, (%ecx) rolb $0x5d, 0x5e5b6cc4(%ebx) +0x5e5b6cc4 ret Bitwise and with delta (in %esi) pop %ecx pop %ebx esp delta ret pop %esi ret 0xdecafbad 0xdecafbad negl 94(%ebx) pop %edi pop %ebp mov %esi, %esi pop %ebx %esp ret ret 2s-complement negation: 0 becomes 0…0; (CF here) +94 1 becomes 1…1 0xbadc0ded 27 Return-oriented Programming: BH2008
  28. 28. Computed jump, phase 4: perturb %esp using computed delta addl (%eax), %esp addb %al, (%eax) addb %cl, 0(%eax) addb %al, (%eax) pop %eax %esp ret ret (perturbation here) 28 Return-oriented Programming: BH2008
  29. 29. Finding instruction sequences (on the x86)
  30. 30. Finding instruction sequences Any instruction sequence ending in “ret” is useful —   could be part of a gadget Algorithmic problem: recover all sequences of valid   instructions from libc that end in a “ret” insn Idea: at each ret (c3 byte) look back:   are preceding i bytes a valid length-i insn?   recurse from found instructions   Collect instruction sequences in a trie   30 Return-oriented Programming: BH2008
  31. 31. Unintended instructions — ecb_crypt()  c7  45  d4  01 movl $0x00000001, -44(%ebp) 00  00   00 add %dh, %bh f7  c7    07  test $0x00000007, %edi  00 movl $0x0F000000, (%edi) 00   00   0f 95 } xchg %ebp, %eax setnzb -61(%ebp) 45 } inc%ebp c3 } ret 31 Return-oriented Programming: BH2008
  32. 32. Is return-oriented programming x86-specific? (Spoiler: Answer is no.)
  33. 33. Assumptions in original attack Register-memory machine   Gives plentiful opportunities for accessing memory   Register-starved   Multiple sequences likely to operate on same register   Instructions are variable-length, unaligned   More instruction sequences exist in libc   Instructions types not issued by compiler may be available   Unstructured call/ret ABI   Any sequence ending in a return is useful   True on the x86 … not on RISC architectures   33 Return-oriented Programming: BH2008
  34. 34. SPARC: the un-x86 Load-store RISC machine   Only a few special instructions access memory   Register-rich   128 registers; 32 available to any given function   All instructions 32 bits long; alignment enforced   No unintended instructions   Highly structured calling convention   Register windows   Stack frames have specific format   34 Return-oriented Programming: BH2008
  35. 35. Return-oriented programming on SPARC Use Solaris 10 libc: 1.3 MB   New techniques:   Use instruction sequences that are suffixes of real functions   Dataflow within a gadget:   Use structured dataflow to dovetail with calling convention   Dataflow between gadgets:   Each gadget is memory-memory   Turing-complete computation!   Conjecture: Return-oriented programming likely   possible on every architecture. 35 Return-oriented Programming: BH2008
  36. 36. SPARC Architecture Registers Stack Registers:   Low Memory %i[0-7], %l[0-7], %o[0-7] ...   ... ... Register banks and the out 4 ...   local 4 %l, %i 4 save “sliding register window” out 3 in 4 local 3 %l, %i 3 save “call; save”;   out 2 in 3 “ret; restore” local 2 %l, %i 2 save out 1 in 2 local 1 %l, %i 1 save ... in 1 ... ... ... High Memory 36 Return-oriented Programming: BH2008
  37. 37. SPARC Architecture Address Storage Low Memory Stack   Top of the stack %sp Saved registers %l[0-7] Frame Ptr: %i6/%fp %sp - %sp+31   Saved registers %i[0-7] %sp+32 - %sp+63 Stack Ptr: %o6/%sp Return struct for next call   %sp+64 - %sp+67 Outgoing arg. 1-5 space for caller %sp+68 - %sp+91 Return Addr: %i7   Outgoing arg. 6+ for caller (variable) %sp+92 - up %sp+ Register save area   Current local variables (variable) %fp- Top of the frame (previous %sp) %fp Prev. saved registers %l[0-7] %fp - %fp+31 Prev. saved registers %i[0-7] %fp+32 - %fp+63 Return struct for current call %fp+64 - %fp+67 Incoming arg. 1-5 space for callee %fp+68 - %fp+91 Incoming arg. 6+ for callee (variable) %fp+92 - up High Memory 37 Return-oriented Programming: BH2008
  38. 38. Dataflow strategy Via register   On restore, %i registers become %o registers   First sequence puts output in %i register   Second sequence reads from corresponding %o register   Write into stack frame   On restore, spilled %i, %l registers read from stack   Earlier sequence writes to spill space for later sequence   38 Return-oriented Programming: BH2008
  39. 39. Gadget operations implemented Control Flow Memory Math       BA: jump T1 v1 = &v2 v1++       BE: if (v1 == v2): v1 = *v2 v1--       jump T1, *v1 = v2 v1 = -v2       else T2 v1 = v2 + v3   Assignment     BLE: if (v1 <= v2):   v1 = v2 - v3 v1 = Value     jump T1,   Logic v1 = v2     else T2   v1 = v2 & v3 Function Calls     BGE: if (v1 >= v2):   v1 = v2 | v3 call Function     jump T1,   v1 = ~v2   System Calls else T2     v1 = v2 << v3   call syscall with   v1 = v2 >> v3 arguments   39 Return-oriented Programming: BH2008
  40. 40. Gadget: Addition v1 = v2 + v3   Inst. Seq. Preset Assembly %l7 = &%i0 ld [%i0], %l6 (+2 Frames ) st %l6, [%l7] m[&%i0] = v2 %i0 = &v2 ret restore %l7 = &%i3 ld [%i0], %l6 (+1 Frame ) st %l6, [%l7] m[&%i3] = v3 %i0 = &v3 ret restore %i0 = v2 (stored ) add %i0, %i3, %i5 %i3 = v3 (stored ) st %i5, [%i4] v1 = v2 + v3 %i4 = &v1 ret restore 40 Return-oriented Programming: BH2008
  41. 41. Gadget: Branch Equal Inst. Seq. Preset Assembly %l7 = &%i0 ld [%i0], %l6 (+2 Frames ) st %l6, [%l7] if (v1 == v2): m[&%i0] = v1 %i0 = &v1 ret restore jump T1 %l7 = &%i2 ld [%i0], %l6 (+1 Frame ) st %l6, [%l7] else: m[&%i2] = v2 %i0 = &v2 ret jump T2 restore %i0 = v1 (stored ) cmp %i0, %i2 (v1 == v2) %i2 = v2 (stored ) ret restore if (v1 == v2): %i0 = T2 (NOT EQ) be,a 1 ahead %i0 = T1 %l0 = T1 (EQ) - 1 sub %l0,%l2,%i0 else: %l2 = -1 ret %i0 = T2 restore %i3 = &%i6 st %o0, [%i3] m[&%i6] = %o0 (+1 Frame ) ret restore %i6 = T1 or T2 ret jump T1 or T2 (stored ) restore 41 Return-oriented Programming: BH2008
  42. 42. Automation
  43. 43. Option 1: Write your own Hand-coded gadget layout   /sh0 /bin (word to zero) linux-x86% ./target `perl

×