Automatic Diagnosis and Response to Memory Corruption Vulnerabilities

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities
Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt
Cyber Defense Laboratory, Department of Computer Science, North Carolina State University
Presenter: Radha Maldhure for CDA 6133, Spring '08

Overview
• Memory Corruption
• Address Space Randomization
• System Overview
• System Architecture
• State Transition of Program
• Diagnosis
• Signature Generation
• Experimental Evaluation
• Contribution
• Weakness
• Suggestions
• References

Memory Corruption
• Memory locations are unintentionally modified due to programming errors
• Attack:
  – A successful attack allows remote code execution
  – An unsuccessful attack causes a program crash or strange program behavior
• Most popular means of taking control of a target system
• Types: buffer overflow, integer overflow

Memory Corruption: Example
[Figure: code and process memory layout for a program X. User_input() is some routine in X; the figure shows its stack frame (local buffer, local variables, return address). The attacker's packet overflows the local buffer and overwrites the return address so that it points to the attacker's code.]

Address Space Randomization
[Figure: normal memory layout (code, arguments, return address, local variables, local buffer) beside the memory layout with randomization on; the same regions appear at different addresses (labelled 2000 and 4000 in the figure).]

Example: Memory corruption with ASR
[Figure: memory corruption by buffer overflow under randomization. The stack frame (argument, local variable, local buffer, return address) is overflowed, but the overwritten return address now points to the wrong memory location: CRASH!!!]

System Overview

System Architecture

Terms needed for Model
Some definitions:
• Memory attack corrupting instruction (c): a corrupting instruction (there may be several) tricked into overwriting critical program data
• Initial corrupting instruction (i): corrupts program data based on network input
• Take-over instruction (t): control flow transfer instruction
• Faulting instruction (f): causes the process to crash

State Transition of a randomized program under memory corruption attack
[State diagram with the states Normal, Critical Data Corruption, Security Compromise, Inconsistent Execution and Crash; k = non-takeover instruction.]
• Normal → Crash: the initial corrupting instruction c is itself the faulting instruction (c = f) (Case 1)
• Normal → Critical Data Corruption: initial corrupting instruction c
• Critical Data Corruption → Crash: a non-takeover instruction k executes with an incorrect address prediction (labelled i = f in the figure) (Case 2)
• Critical Data Corruption → Security Compromise: t with correct address prediction
• Critical Data Corruption → Crash: t with incorrect address prediction (t = f) (Case 3)
• Critical Data Corruption → Inconsistent Execution: t with incorrect address prediction, then Inconsistent Execution → Crash at the faulting instruction f (Case 4)

Case 1
Corrupting instruction is the faulting instruction (c = f)
Sample program:

    /* GetUserName(): some routine that copies user input into buf
       without checking its length */
    int foo(int b, int *c)
    {
        char buf[10];
        GetUserName(buf);   /* input larger than buf: overflow */
        (*c)++;
        return *c;
    }

[Figure: stack frame for foo with b, c and buf; the oversized input spills past buf and over the rest of the frame.]
The input to GetUserName() is large. This causes a buffer overflow that accesses an illegal memory location, and hence the system crashes!!!!

Case 2
The attack corrupts some critical data without a crash. However, the process crashes when executing a non-takeover instruction.

    /* GetUserName(): some routine that copies user input into buf
       without checking its length */
    int foo(int b, int *c)
    {
        char buf[10];
        GetUserName(buf);   /* overflow overwrites the pointer c */
        (*c)++;             /* third statement: crashes here */
        return *c;
    }

The program crashes as the third statement executes!!
[Figure: stack frame with b, c and buf; the overflow has overwritten c with 0000, so (*c)++ faults.]

Case 3
Take-over instruction is the faulting instruction
[Figure: stack frame with b, c (0000), buf and the return address (20) overwritten with 4000; the transfer Jmp 4000 lands in invalid memory at 4000.]

Case 4
Successfully executes the take-over instruction, and continues to execute for some time before the crash
[Figure: the same stack frame as Case 3 (b, return address 20 overwritten with 4000, c = 0000, buf) and the same Jmp 4000 into memory at 4000.]

Diagnosis
Who? The monitor and the diagnosis engine, on a memory access violation exception
How?
– Identifying the faulting instruction
– Converting Case 4 crashes
– Tracing the corrupting instruction

Identifying the faulting instruction
Goal: find the address of the faulting instruction f
Two cases:
• Simple case: f = the instruction preceding the current PC
• Complex case: f = an indirect control flow transfer instruction; PC = the invalid memory address that causes the access violation
If it is not the complex case then it is the simple case!!

Complex case
C = { m } = the indirect control flow instructions in the program
• For each m, decode and compute its target address a
• Keep the instruction if a = the current PC register
• Use break points
• f = the last such instruction before the memory access violation
[Table: candidate instruction and its computed target a (X → x, Y → y).]
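A toy model of the faulting-instruction identification described in the two slides above, as an added example (not the authors' code or the paper's implementation). The instruction set, addresses and register state are constructed; the Case 3 scenario reuses the slides' overwritten return address of 4000.

```python
# Toy model of the diagnosis step "identifying the faulting instruction"
# (added example, not the authors' code). Addresses, instruction set and the
# crash scenarios are constructed for illustration.
from dataclasses import dataclass

INSTR_LEN = 4                              # constructed: fixed-size instructions
CODE = range(0x1000, 0x1040)               # constructed: the only mapped code region
INDIRECT = {"jmp_reg", "call_reg", "ret"}  # indirect control-flow transfers


@dataclass(frozen=True)
class Instr:
    addr: int
    op: str
    reg: str = ""   # register holding the target (jmp_reg / call_reg only)


def decode_target(instr, state):
    """Target of an indirect transfer, from the register/stack state captured
    at the access-violation exception (the 'decode and compute a' step)."""
    if instr.op == "ret":
        return state["stack_top"]          # return address popped from the stack
    if instr.op in ("jmp_reg", "call_reg"):
        return state[instr.reg]
    return instr.addr + INSTR_LEN          # fall-through for direct instructions


def find_faulting_instruction(program, pc, state, last_executed):
    """pc: PC at the exception; state: registers/stack top at the exception;
    last_executed: address of the last instruction retired before the
    violation (what the breakpoint trace provides)."""
    by_addr = {i.addr: i for i in program}
    if pc in CODE:
        # Simple case: f is the instruction preceding the current PC.
        return by_addr.get(pc - INSTR_LEN)
    # Complex case: the PC itself is the invalid address, so f is one of the
    # indirect transfers whose decoded target equals that PC; the one executed
    # last before the violation is the faulting instruction.
    candidates = [i for i in program
                  if i.op in INDIRECT and decode_target(i, state) == pc]
    for cand in candidates:
        if cand.addr == last_executed:
            return cand
    return candidates[-1] if candidates else None


def is_takeover_crash(instr):
    """Case 3 of the model: the faulting instruction is a take-over instruction."""
    return instr is not None and instr.op in INDIRECT


# Constructed program: two arithmetic ops, an indirect jump and a return.
PROGRAM = [Instr(0x1000, "mov"), Instr(0x1004, "add"),
           Instr(0x1008, "jmp_reg", "eax"), Instr(0x100C, "ret")]
```

With the return address overwritten with 4000 and the exception raised at PC = 4000, the search over indirect transfers points at the `ret`, which the model classifies as a Case 3 crash; a fault at a valid PC falls into the simple case and returns the preceding instruction.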

Converting Case 4
Eliminate the possibility of a Case 4 crash
– There is no way to differentiate the cases
– Uses random re-execution
– Converts Case 4 into the other cases

Converting Case 4 (contd.)
[Figure: the take-over instruction t (Jmp 4000) executed under two randomized layouts, Memory Layout A and Memory Layout B. Under one layout the jump to 4000 succeeds (Case 4); re-execution under the other layout makes 4000 invalid, so Jmp 4000 raises a memory access violation exception and the crash is converted to Case 3 (or to Case 1 or Case 2).]

Tracing Corrupting Instruction
Basic idea
• Trace back to the instruction that writes the corrupted data, until the network input data is reached
Not sure how it works!!

Signature Generation
Two types:
Pure message signature
• Uses the critical byte sequence from the attack
• Unacceptable false positive rate
Message signature correlated with program execution state
• Low false positive rate
• Speeds up message filtering
• High detection rate

Experimental Evaluation Effectiveness of Diagnosis

Contribution
• Automation improves the efficiency of problem diagnosis
• Model for defense and analysis of memory corruption attacks

Weaknesses
• Address space randomization is susceptible to brute-force attacks
• Implementation of the suggested prototype requires extensions
• Gives little information about the type of memory corruption that occurred
• At some points, the explanation is difficult to understand

How To Improve
• Explanations and diagrams must be accompanied by examples
• A few terms, such as memory corruption and address space randomization, must be elaborated

References
• Wikipedia
• Address Space Layout Permutation, by Chongkyung Kil

QUESTIONS?