This makes it possible to hack proprietary closed-binary services or open-source servers manually compiled and installed from source, where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binar
PDF document: "Hacking Blind Andrea Bittau Adam Belay A..."
a stack vulnerability and one may speculate that it is being used by a proprietary service. 3) Hacking an open-source server for which the binary is unknown. This applies to manually compiled installations or source-based distributions such as Gentoo.

We evaluate all three scenarios. Ideally, for the first scenario we would test our techniques against production services for which we hold no information about the software, but we are constrained for obvious legal reasons. To simulate such a scenario, we tested against a toy proprietary service a colleague of ours wrote for which we had no information about source, binary, or functionality. For the second scenario, we target a real vulnerability in the yaSSL library [3]. This library was used by MySQL in the past and we use that as the host application. For the third scenario, we target a recent (2013) vulnerability in nginx [2] and write a generic exploit that does not depend on a particular binary. This is particularly useful as the exploit will work on any distribution and vulnerable nginx version without requiring an attacker to write a specific exploit for each distribution and version combination (as is done today).

We implemented a new security tool, Braille, that makes BROP attacks highly automated. Braille can yield a shell on a vulnerable server in approximately 4,000 requests, a process that completes in under 20 minutes and, in some situations, in just a few minutes. An attacker need only provide a function that constructs a request of a minimum length to crash the server and append a string provided by Braille. The function must also return a single bit based on whether the server crashes or not.

Our contributions are:
1) A technique to defeat ASLR on servers (generalized stack reading).
2) A technique to remotely find ROP gadgets (BROP) so that software can be attacked when the binary is unknown.
3) Braille: a tool that automatically constructs an exploit given input on how to trigger a stack overflow on a server.
4) The first (to our knowledge) public exploit for nginx's recent vulnerability, that is generic, 64-bit, and defeats (full/PIE) ASLR, canaries and NX.
5) Suggestions for defending against BROP attacks. In summary, ASLR must be applied to all executable segments (PIE) and re-randomization must occur after each crash (at odds with fork-only servers). Holding the binary from the attacker or
purposefully altering it may not be an effective security countermeasure.

II. BRIEF HISTORY OF BUFFER OVERFLOWS

Buffer overflows are a classic vulnerability with a long history of exploits [4]. Conceptually, they are relatively easy to attack. For instance, a vulnerable program might read data from the network into a buffer. Then, assuming the program lacks sufficient bounds checks to limit the size of the incoming data, an attacker could overwrite memory beyond the end of the buffer. As a result, critical control-flow state, such as return addresses or function pointers, could be manipulated. Stack buffer overflows tend to be especially dangerous because return addresses are implicitly nearby in memory due to function calling conventions. However, attacks that target buffers on the heap are also viable [5].

In the early days of stack buffer overflows, it was common for an attacker to include malicious code as part of the payload used to overflow the buffer. As a result, the attacker could simply set the return address to a known location on the stack and execute the instructions that were provided in the buffer. Such code injection attacks are no longer possible on contemporary machines because modern processors and operating systems now have the ability to mark data memory pages as non-executable (e.g., NX on x86). As a result, if an attacker tries to run code on the stack, it would only cause an exception.

An innovative technique, known as return-oriented programming (ROP) [1], was developed to defeat defenses based on non-executable memory. It works by linking together short code snippets already present in the program's address space. Such code snippets, called gadgets, can be combined to form arbitrary computation. As a result, attackers can use ROP to gain control of programs without any dependence on code injection. Simpler variations of ROP are sometimes possible. For example, with return-to-libc attacks, a high-level library function can be used as the return address. In particular, the system() function is useful for attackers because it can run arbitrary shell code with only a single argument [6]. These attacks were very effective on 32-bit systems where arguments were passed on the stack, already under control of the attacker. On 64-bit systems, arguments are passed in registers, so additional gadgets are needed to populate registers.

Address space layout randomization (ASLR) [7], [8] was introduced as an additional defense against buffer overflow attacks. It works by randomizing the location of code and data memory segments in the process address space. In many implementations code segment randomization is only applied to libraries, but full address space randomization is also possible. ASLR creates a major challenge for attackers because it makes the address locations of code (or even the stack) impossible to predict in advance. Unfortunately, on 32-bit platforms, ASLR is constrained by the number of available bits (usually 16) for randomization. As a result, brute-force attacks can be quite effective [9]. However, on 64-bit platforms there are typically too many random bits for brute-forcing to be feasible. In such cases, ASLR can still be circumvented, but only when combined with a vulnerability that leaks information about the address space layout, such as a format string [10].

In addition to the larger address space for ASLR and the need to locate additional gadgets to fill argument registers, 64-bit systems present a third complication for attackers. Because the architecture limits virtual addresses to 48 bits, user-level memory pointers are required to contain zero-valued bytes. These zeros cause early termination of overflows relying on string operations such as strcpy().

Canaries [11] are another common defense against buffer overflow attacks. Canaries cannot prevent buffer overflows, but they can detect them retroactively and terminate the program before an attacker can influence control flow. For example, with stack canaries, a secret value that was determined in advance is placed just before each saved frame pointer and return address. Then, when a function returns, the secret
version of the attack that relies neither on the BROP gadget nor the PLT. The attack finds all the gadgets listed in Section VIII-A, namely the register pops and syscall. The attack outline is:
1) Find all pop x; ret gadgets.
2) Find a syscall gadget.
3) Identify the pop gadgets previously found.

The attacker starts by finding a stop gadget and all pop x; ret instructions. The difficulty is now in identifying the pop instructions and finding a syscall gadget. The idea is to identify the pop instructions based on system call behavior after tweaking system call arguments, in a similar way as to how strcmp was found in the optimized attack. There is a bootstrap problem, however, because to find syscall one must control the system call number (rax), so one must have a priori identified pop rax; ret. The solution is to chain all pop instructions found by the attacker, popping the desired system call number, and one of them will likely be rax. The system call to use is pause() which takes no arguments and so ignores all other registers. It also stops program execution until a signal is raised and so it acts as a stop gadget, making it identifiable. The attacker can now append the probe address for syscall to the pop chain to find a system call gadget. Once an address that makes the program pause is found, the attacker can eliminate the pops one by one to find which one controls rax. At this point the attacker has the address of a syscall gadget and a pop rax; ret gadget. The attacker also holds a list of unidentified pops. These are identified by using the following system calls:
1) First argument (pop rdi): nanosleep(len, rem). This will cause a sleep of len nanoseconds (no crash). rem is populated if the sleep is interrupted, and it can be an invalid address as it is checked only after the sleep.
2) Second argument (pop rsi): kill(pid, sig). If sig is zero, no signal is sent, otherwise one is sent (causing a crash). The pid need not be known: it can be zero which sends the signal to all the processes in the process group. To verify whether the signal is sent, the attacker can open multiple connections (going to different worker processes) to see if those connections are killed or not.
3) Third argument (pop rdx): clock_nanosleep(clock, flags, len, rem). Similar to nanosleep but takes two additional arguments, making the third argument control the sleep length.

One can now call write and continue the attack by dumping the .text segment and finding more gadgets. While this attack is more general, it is more complex to perform because it requires two scans of the .text segment: one to find a list of pop gadgets, and one to find a syscall gadget. A significant optimization is that all pop rax; ret gadgets we found were misaligned parses of add rsp, 0x58; ret. This information can be used to classify pop rax gadgets independently of syscall gadgets and significantly speed up the attack: one no longer needs to scan the entire .text segment twice. One can scan for the add rsp, 0x58 gadget by setting up the stack with 11 traps followed by the stop gadget. To verify the gadget, the attacker jumps to the misaligned parse that yields pop rax, verifying that only one word is popped, which can be done by setting up the stack with a single trap followed by the stop gadget.

J. Other low-level details

In this section we list a number of not so obvious low-level attack details, many of which added to the attack's stability.

a) Stack reading with zeros: We found that an effective way to stack read is placing zeros in words like the saved frame pointer. It is likely to find an instruction pointer that does not crash the program regardless of the frame pointer. It also makes stack reading more robust when different worker processes are being used, each with a slightly different frame pointer. It may be impossible to finish reading a partially read frame pointer when being sent to a different worker process since all values will cause a crash. Forcing a zero word in this case will eliminate this problem.

b) Further strcmp verification: To further verify strcmp, we run it against the last byte of the vsyscall page, which is mapped at a static location. strcmp will terminate prior to reaching the end of vsyscall, not causing a crash. Most other functions instead will attempt to read past the vsyscall page causing a crash. This will prune functions that do not normally crash when supplied two readable arguments.

c) Dealing with small buffers: Sometimes attackers must minimize the length of ROP chains and be able to exploit small buffers. This situation occurs, for example, due to short reads or having to keep some memory intact (e.g., not touching a canary), which limits the length of the overflow and the buffer space available. The yaSSL+MySQL exploit requires this optimization in order to avoid corrupting a canary. This is a checklist for conducting BROP with short ROP chains of at most 8 words (64 bytes):
- Find actual PLT entries based on their address, not based on their push number and slow path. This will make PLT invocation a shorter ROP chain.
- Dump the binary with a minimal ROP chain: strcmp address to dump, do not set rsi again (already set for strcmp), and call write. If zero is read, the dumped address contained a zero. Otherwise a small amount of the binary (up to a zero) will be read. Continue this until a pop rdx is found. After that use pop rdx to control the length rather than strcmp (shorter ROP chain).
- Create the shellcode environment in multiple stages: one connection to dup the attacker's socket, one to read /bin/sh into memory, and one to execve. All these connections (apart from execve) must terminate the ROP chain with a stop gadget to prevent a crash since the worker process is being prepared incrementally.

d) Dealing with few event-based workers: There are situations where an application is configured with very few event-based workers which can all become unresponsive during the

TABLE III. BROP GADGET FREQUENCY.
Binary               BROP count   Expected scan length (density)
proprietary service  194          154
MySQL                639          501
nginx                130          566
Apache               65           860
OpenSSH              78           972

Figure 15. Attack complexity for nginx. The number of requests needed for each phase are shown. Broadly speaking, the attack's complexity is split in four parts: stack reading, finding the PLT, finding the BROP gadget, and dumping the binary to finish the attack.

The data shows the number of BROP gadgets present, and their density: .text size / (7 × BROP count) (recall that 7 bytes can be skipped per probe due to the size of the gadget). The BROP gadget appears very popular and can be found in under 1,000 address probes. Note that in practice more requests will be needed to verify the gadget and weed out false positives. After the BROP gadget is found, finding write takes only a few additional requests, and can usually be found in approximately 2,000 requests total. At this point the attack is almost complete. One may choose to manually write very specific parts of the binary to minimize the number of requests based on the information learned. Otherwise, our Braille tool starts dumping the binary from its start, until the entire symbol table is dumped so that a shellcode can be constructed. The attack typically completes within 500 additional requests (about 2,500 total). In the case of yaSSL, it took many more requests to dump the binary because the buffer being overflowed was very short and so Braille was limited in how long the ROP chain could be. Braille was forced to dump the binary in small chunks to find a pop rdx; ret (a rare gadget) before the rest of the binary could be downloaded in larger chunks.

Figure 15 shows the complexity of the attack for nginx. The attack's overhead can be split into four parts: stack reading (35%), finding the PLT (29%), finding the BROP gadget (20%) and finishing off (16%). Note that if canaries are not used (or can be bypassed, like in yaSSL) and the PIE flag is not used (the default) then stack reading can be avoided altogether. Finding the PLT largely depends on the size of the executable and how many PLT entries are skipped during a scan. The BROP gadget scan will depend on its frequency, as previously mentioned. The attack can complete within 20 minutes. MySQL took a long time because it took a while for it to restart after each crash. nginx was fastest (only one minute) because a non-time based stop gadget was used. An HTTP keep-alive connection was used and so after the exploit request, a normal request was sent to check if the connection was still alive. In the proprietary server case instead, a timeout had to be used to determine if the server was still alive, which made the attack slower. The attack clearly is noisy but we argue that if it executes fast enough, the attacker may be able to perform whatever activity he needs to do before getting caught. nginx for example logs each crash, in a file owned by root.
The server runs as nobody so the attacker would not be able to erase the logs. We notice, however, that the worker processes keep file descriptors to the logs open, making it possible to write a shellcode to call ftruncate to erase traces of the attack.

B. Stability

The three servers use worker processes very differently, exercising BROP in different ways. In all cases the BROP attack was reliable and completed unassisted without hanging or causing denial-of-service.

MySQL is (typically) single process, multi-threaded. On a crash, a script (mysqld_safe) reexecutes the server. The BROP attack works under the default configuration (no PIE, but canaries) despite the re-execution because the canary is never hit thanks to how the bug is being exercised. If compiled with the PIE flag, the attack would not work as one couldn't read a (changing) return address from the stack to defeat ASLR. This does not apply to nginx and the toy proprietary service where due to their forking nature, the attack would succeed even when PIE is used.

nginx has multiple worker processes and has a single-threaded, event-based architecture. Most distributions configure four worker processes by default. This makes it a tricky scenario because an infinite loop based stop gadget would hog the worker completely, and one gets only four shots by default. The stop gadget here was returning to a higher stack frame, which avoided any blocking. With a specialized exploit, we are able to exploit nginx even when configured to use a single worker.

The proprietary server forked once per connection. This makes the attack very reliable as there is a virtually infinite number of worker processes available. We did not know a priori about the details of the server but it contained a few unique things. The stack overflow was one stack frame above the actual bug as there was a function that wrapped the read system call. The server also contained a single loop, dependent on a variable used to exit the loop when shutting the service down. This created the additional challenge that the loop was not easily usable as an infinite loop gadget.

The stop gadgets for yaSSL+MySQL, nginx and the proprietary server respectively were: futex, returning to a higher call frame, and sleep. The yaSSL+MySQL scenario offered a very small overflow buffer and shows that BROP can work even with small buffers (64 bytes are sufficient). The key to the success and stability of the BROP attack is that the attacker needs to scan for a single item at any given

TABLE IV. CODE DIVERSITY WHEN THE SAME VERSION OF NGINX (1.4.0) IS COMPILED WITH DIFFERENT DEBIAN LINUX VERSIONS.
                  Text size   Text start   # of gadgets
Squeeze           0x5fc58     0x4031e0     206
Wheezy            0x61f0c     0x4032f0     255
Jessie (testing)  0x5fbd2     0x402ee0     323

C. Client-side vs. server-side

It may be possible to launch a BROP-like attack on clients. Browsers like Chrome, for example, launch plugins in a separate process for robustness. JavaScript can be used to create multiple vulnerable plugin objects, attempt an exploit, and detect whether they have crashed or not without user interaction. We note, however, that there is typically lower hanging fruit on the client-side. Having the execution power of JavaScript available can offer more signaling mechanisms to the attacker compared to a coarse-grained crash/no-crash as used in server-side BROP. An interesting distinction between client-side and server-side is that often client-side attacks are less targeted. For example, an attacker may want to own any given number of clients to steal information or construct a botnet. This makes exploits for older targets with fewer protections (e.g., Windows XP) still valuable, as there still are people running those configurations. Server-side attacks instead are often targeted as one wants to attack a particular site. Relying on 32-bit targets or specific binary installations, or simply moving on to the next victim may not be an option. This makes BROP very valuable on the server-side as it gives an attacker a larger hammer when needed.

D. Variance in binaries

Counterintuitively, closed-source systems (though open-binary) make writing exploits simpler. Many exploits that target Windows are very robust as they build ROP chains on DLLs that seldom change, and so only a few versions exist. In an open-source setting, there are multiple binary variants and the attacker must build a different ROP chain for each. Table IV shows the size and start address of different distributions of the exact same nginx version. As we see there is a lot of variability based on the build environment, the version of the libraries it was linked against, and the compiler version, even though the same Linux distribution was being used. Even a single byte difference or offset will defeat a statically precomputed ROP chain. Worse for the attacker, a system may be manually compiled by the end user, making it impossible for the attacker to build a ROP chain offline as the binary is unknown. In such cases BROP is a necessity. Even if a server uses a precompiled binary, it can be difficult to determine which particular one is being used: remote OS fingerprinting reveals an approximate kernel version, not a distribution. BROP in fact can be used to fingerprint distributions and applications (e.g., based on whether canaries are present, vsyscall behavior, etc.).

E. Remote fuzz testing

The BROP attack could be a powerful tool for hacking proprietary closed-binary services when coupled with a remote fuzz tester. We note that in two of the example applications we targeted, the overflow occurred because a length was specified in the packet but a larger value was sent. It certainly is possible to write a fuzz tester that has knowledge about a protocol and attempts to overflow by supplying incorrect lengths [17]. Interestingly, pretty much the same chunked encoding vulnerability that appeared in nginx has already appeared in Apache in the past [18]. It may be possible to write fuzz testers for particular protocol conditions that are known to be hard to implement correctly, or that have been known to be exploited in the past.

XIII. BROP PREVENTION

The following is a discussion of defense mechanisms that will prevent the BROP attack, including two precautions we suggest server developers use. There is a lot of prior research in ROP attack defense mechanisms, and many of those techniques are applicable to defending against BROP. Thus, this list is by no means comprehensive.

A. Rerandomization

The most basic protection against the BROP attack is to rerandomize canaries and ASLR as often as possible. These protection mechanisms are effective, but server developers undermine them by not rerandomizing when worker processes crash. The simplest method is to fork and exec the process on a crash or spawn, which rerandomizes both the canary and ASLR. It is important that any child processes forked are randomized independently so that any information learned from one child cannot be used against another one. There has been research on rerandomizing binaries at runtime. One such technique is work by Giuffrida et al. that uses a modified compiler to migrate the running state between two instances (with a different ASLR randomization) [19]. We also prototyped a re-randomization technique that moves a binary's text segment to a new location using mmap/munmap, and uses a page fault handler to determine whether pointers should be rewritten as they are faulted on.

An even simpler improvement we developed is to rerandomize the canary on a per-user or per-request basis. We suggest servers write a new canary before entering a per-request function. On the return through that function the old canary should be restored so that execution can continue normally. While this protects against the bugs in nginx and our proprietary server, the particular attack against yaSSL can avoid the canary entirely.

B. Sleep on crash

Systems like NetBSD's segvguard [20] and grsec's deter_bruteforce for Linux [21] propose delaying a fork after a segmentation fault. This technique can slow down attacks such that an administrator can notice something is wrong and address the problem. The downside of this approach is that bugs now can become easy denial of service attacks. It is also unclear what a good value for the delay is. grsec proposes a 30 second delay. While this is sufficient for most setups, overnight attacks on a small site might go unnoticed: our optimized BROP attack for nginx can complete in 1,000 requests, making the attack time roughly 8 hours.
to defend against our attack, we suggest that systems should rerandomize ASLR and canaries after any crash, and that no library or executable should be exempt from ASLR. Braille is available at: http://www.scs.stanford.edu/brop/.

ACKNOWLEDGMENTS

We thank our anonymous reviewers and Elad Efrat for their feedback. We also thank Mark Handley and Brad Karp who helped shape early versions of this work. Eric Smith suggested using out-of-order TCP segments instead of IP fragmentation. This work was funded by DARPA CRASH and a gift from Google.

REFERENCES

[1] R. Roemer, E. Buchanan, H. Shacham, and S. Savage, "Return-oriented programming: Systems, languages, and applications," ACM Trans. Inf. Syst. Secur., vol. 15, no. 1, pp. 2:1-2:34, Mar. 2012. [Online]. Available: http://doi.acm.org/10.1145/2133375.2133377
[2] MITRE. CVE-2013-2028. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028
[3] CVE-2008-0226. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226
[4] A. One, "Smashing The Stack For Fun And Profit," Phrack, vol. 7, no. 49, Nov. 1996. [Online]. Available: http://phrack.com/issues.html?issue=49&id=14#article
[5] M. Kaempf. Vudo malloc tricks by maxx. [Online]. Available: http://www.phrack.org/issues.html?issue=57&id=8&mode=txt
[6] S. Designer. Getting around non-executable stack (and fix). [Online]. Available: http://seclists.org/bugtraq/1997/Aug/63
[7] PaX Team. PaX address space layout randomization (ASLR). [Online]. Available: http://pax.grsecurity.net/docs/aslr.txt
[8] S. Bhatkar, D. C. DuVarney, and R. Sekar, "Address obfuscation: an efficient approach to combat a broad range of memory error exploits," in Proceedings of the 12th conference on USENIX Security Symposium - Volume 12, ser. SSYM'03. Berkeley, CA, USA: USENIX Association, 2003, pp. 8-8. [Online]. Available: http://dl.acm.org/citation.cfm?id=1251353.1251361
[9] H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh, "On the effectiveness of address-space randomization," in Proceedings of the 11th ACM conference on Computer and communications security, ser. CCS'04. New York, NY, USA: ACM, 2004, pp. 298-307. [Online]. Available: http://doi.acm.org/10.1145/1030083.1030124
[10] gera and riq. Advances in format string exploitation. [Online]. Available: http://www.phrack.org/archives/59/p59_0x07_Advances%20in%20format%20string%20exploitation_by_riq%20&%20gera.txt
[11] C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks," in Proceedings of the 7th conference on USENIX Security Symposium - Volume 7, ser. SSYM'98. Berkeley, CA, USA: USENIX Association, 1998, pp. 5-5. [Online]. Available: http://dl.acm.org/citation.cfm?id=1267549.1267554
[12] H. Etoh, "GCC extension for protecting applications from stack-smashing attacks (ProPolice)," 2003. [Online]. Available: http://www.trl.ibm.com/projects/security/ssp/
[13] Bulba and Kil3r, "Bypassing StackGuard and StackShield," Phrack Magazine, May 2000. [Online]. Available: http://phrack.org/issues.html?issue=56&id=5#article
[14] Kingcope. About a generic way to exploit Linux targets. [Online]. Available: http://www.exploit-db.com/wp-content/themes/exploit/docs/27074.pdf
[15] G. F. Roglia, L. Martignoni, R. Paleari, and D. Bruschi, "Surgically returning to randomized lib(c)," in Proceedings of the 2009 Annual Computer Security Applications Conference, ser. ACSAC'09. Washington, DC, USA: IEEE Computer Society, 2009, pp. 60-69. [Online]. Available: http://dx.doi.org/10.1109/ACSAC.2009.16
[16] Ubuntu security features. [Online]. Available: https://wiki.ubuntu.com/Security/Features
[17] Peach fuzzer. [Online]. Available: http://peachfuzzer.com/
[18] MITRE. CVE-2002-0392. [Online]. Available: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392
[19] C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum, "Enhanced operating system security through efficient and fine-grained address space randomization," in Proceedings of the 21st USENIX conference on Security symposium, ser. Security'12. Berkeley, CA, USA: USENIX Association, 2012, pp. 40-40. [Online]. Available: http://dl.acm.org/citation.cfm?id=2362793.2362833
[20] E. Efrat. Segvguard. [Online]. Available: http://www.netbsd.org/elad/recent/man/security.8.html
[21] grsecurity. Deter exploit bruteforcing. [Online]. Available: http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Deter_exploit_bruteforcing
[22] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, "Control-flow integrity," in Proceedings of the 12th ACM Conference on Computer and Communications Security, ser. CCS'05. New York, NY, USA: ACM, 2005, pp. 340-353. [Online]. Available: http://doi.acm.org/10.1145/1102120.1102165
[23] V. Pappas, M. Polychronakis, and A. D. Keromytis, "Transparent ROP exploit mitigation using indirect branch tracing," in Proceedings of the 22nd USENIX conference on Security, ser. SEC'13. Berkeley, CA, USA: USENIX Association, 2013, pp. 447-462. [Online]. Available: http://dl.acm.org/citation.cfm?id=2534766.2534805
[24] R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin, "Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS'12. New York, NY, USA: ACM, 2012, pp. 157-168. [Online]. Available: http://doi.acm.org/10.1145/2382196.2382216
[25] J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson, "ILR: Where'd my gadgets go?" in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP'12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 571-585. [Online]. Available: http://dx.doi.org/10.1109/SP.2012.39
[26] V. Pappas, M. Polychronakis, and A. D. Keromytis, "Smashing the gadgets: Hindering return-oriented programming using in-place code randomization," in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP'12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 601-615. [Online]. Available: http://dx.doi.org/10.1109/SP.2012.41
[27] K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-Free: defeating return-oriented programming through gadget-less binaries," in Proceedings of the 26th Annual Computer Security Applications Conference. ACM, 2010, pp. 49-58.
[28] The Clang Team. AddressSanitizer - Clang 3.4 documentation. [Online]. Available: http://clang.llvm.org/docs/AddressSanitizer.html
[29] D. Dhurjati, S. Kowshik, and V. Adve, "SAFECode: Enforcing alias analysis for weakly typed languages," in Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation, ser. PLDI'06. New York, NY, USA: ACM, 2006, pp. 144-157. [Online]. Available: http://doi.acm.org/10.1145/1133981.1133999
[30] Intel. Introduction to Intel memory protection extensions. [Online]. Available: http://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions
[31] T. Goodspeed and A. Francillon, "Half-Blind Attacks: Mask ROM Bootloaders are Dangerous," in WOOT, 2009.
[32] A. N. Sovarel, D. Evans, and N. Paul, "Where's the FEEB?: The effectiveness of instruction set randomization," in USENIX Security, 2005.
[33] A. Zabrocki. Scraps of notes on remote stack overflow exploitation. [Online]. Available: http://www.phrack.org/issues.html?issue=67&id=13#article
[34] Kingcope. nginx 1.3.9/1.4.0 x86 brute force remote exploit. [Online]. Available: http://www.exploit-db.com/exploits/26737/
[35] M. Labes. MWR Labs Pwn2Own 2013 write-up - WebKit exploit. [Online]. Available: https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up---webkit-exploit/