CS 519419 Cyber Attacks Defense Address Space Layout

  • Slides: 22
Download presentation
CS 519/419 Cyber Attacks & Defense Address Space Layout Randomization (ASLR) 10/23/18

CS 519/419 Cyber Attacks & Defense Address Space Layout Randomization (ASLR) 10/23/18

Defense • Base and bound check • Stack Cookie • Data execution prevention (DEP,

Defense • Base and bound check • Stack Cookie • Data execution prevention (DEP, NX, etc. )

Defense • Base and bound check • Stack Cookie • Data execution prevention (DEP,

Defense • Base and bound check • Stack Cookie • Data execution prevention (DEP, NX, etc. ) • Address Space Layout Randomization (ASLR)

Stack Buffer Overflow + Run Shellcode SHELLCODE RETURN ADDR EEEE SAVED %ebp DDDD COOKIE

Stack Buffer Overflow + Run Shellcode SHELLCODE RETURN ADDR EEEE SAVED %ebp DDDD COOKIE BUFFER CCCC BUFFER BBBB BUFFER AAAA BUFFER We need to know where the shellcode is!

Stack Buffer Overflow + Run Shellcode SHELLCODE RETURN ADDR EEEE SAVED %ebp DDDD COOKIE

Stack Buffer Overflow + Run Shellcode SHELLCODE RETURN ADDR EEEE SAVED %ebp DDDD COOKIE BUFFER CCCC BUFFER BBBB BUFFER AAAA BUFFER We need to know where the shellcode is!

Address Space Layout Randomization • Attackers need to know which address to control (jump/overwrite)

Address Space Layout Randomization • Attackers need to know which address to control (jump/overwrite) • Stack - shellcode • Library - system() • Heap – chunks (will learn this later) • Then, let’s randomize it! • Attackers do not know where to jump… • Win!

ASLR - History • Linux Pa. X adapt this first in 2002 • Open.

ASLR - History • Linux Pa. X adapt this first in 2002 • Open. BSD – 2003 • Linux – 2005 • Windows – Vista in 2007 • i. OS – i. OS 4. 3 in 2011 • Android – Android 4. 0 ICS in 2011

ASLR - History • Linux Pa. X adapt this first in 2002 • Open.

ASLR - History • Linux Pa. X adapt this first in 2002 • Open. BSD – 2003 • Linux – 2005 • Windows – Vista in 2007 • i. OS – i. OS 4. 3 in 2011 • Android – Android 4. 0 ICS in 2011

ASLR: Randomize Addresses per Each Execution

ASLR: Randomize Addresses per Each Execution

How Random is the Address? Space Entropy Chance 32 bit stack 19 bits 1

How Random is the Address? Space Entropy Chance 32 bit stack 19 bits 1 in 524288 32 bit heap 13 bits 1 in 8192 32 bit library 8 bits 1 in 512 64 bit stack 30 bits 1 in 1 G… 64 bit heap 28 bits 1 in 128 M 64 bit library 28 bits 1 in 128 M 64 bit Windows 19 bits 1 in 524288

Overhead? CODE PRINTF • <1% in 64 bit • printf(”asdf”) • Access all strings

Overhead? CODE PRINTF • <1% in 64 bit • printf(”asdf”) • Access all strings via relative address from current %rip • lea 0 x 23423(%rip), %rdi ”asdf” • ~ 3% in 32 bit • Cannot address using %eip • How? • call +5; pop %ebx; add $0 x 23423, %ebx; • push %ebx DATA GETTING EIP

Then, How to Bypass ASLR? • Brute-force • Get a core dump • Set

Then, How to Bypass ASLR? • Brute-force • Get a core dump • Set that address • Run! • Eventually the address will be matched. . • See the table • Requires too many trials in some cases… Space Entropy Chance 32 bit stack 19 bits 1 in 524288 32 bit heap 13 bits 1 in 8192 32 bit library 8 bits 1 in 512 64 bit stack 30 bits 1 in 1 G… 64 bit heap 28 bits 1 in 128 M 64 bit library 28 bits 1 in 128 M 64 bit Windows 19 bits 1 in 524288

Leak address • Information Leak • Leak the target address! • Use shellcode –

Leak address • Information Leak • Leak the target address! • Use shellcode – stack buffer or argv, envp, stack top, etc. • Libc? Where is the system()? • But leaking the exact target address could be difficult

Understanding ASLR Characteristics • How do they randomize the address? • Change the BASE

Understanding ASLR Characteristics • How do they randomize the address? • Change the BASE address of each area • Use relative addressing in the area • Relative addressing? • Kernel let program know where the start is • 0 xffffd 800 if stack starts at 0 xffffe 000 • STACK_START – 0 x 800 is that address • System? • LIBC_BASE + SYSTEM_OFFSET == system() • Attacker cannot know this

Relative Addressing Addresses are different, But their distances are the same

Relative Addressing Addresses are different, But their distances are the same

ASLR Bypass Strategy • Stack • Leak one address • Calculate the distance between

ASLR Bypass Strategy • Stack • Leak one address • Calculate the distance between the leaked one and the one with your interest • BUFFER_ADDRESS – LEAKED_ADDRESS = OFFSET • Leak one address in your exploit • LEAKED_ADDRESS + OFFSET = LEAKED_ADDRESS • Calculate the OFFSET from the core dump!

ASLR Bypass Strategy • Library • ldd first • Open that library with gdb

ASLR Bypass Strategy • Library • ldd first • Open that library with gdb • Print functions! • Prints offset • Attacking Library • Leak one library address • Find what is the base address (LEAK is BASE + SOME_OFFSET) • Calculate SYSTEM (LEAK – SOME_OFFSET + SYSTEM_OFFSET)

CAVEAT • To have a strong defense, system have to randomize all addresses •

CAVEAT • To have a strong defense, system have to randomize all addresses • Code, data, stack, heap, library, mmap(), etc. • However, Code/data still merely randomized • Why? Some compatibility issue…

Position Independent Executable (PIE) /bin/cat from Ubuntu 16. 04. 3 /bin/sh from Ubuntu 16.

Position Independent Executable (PIE) /bin/cat from Ubuntu 16. 04. 3 /bin/sh from Ubuntu 16. 04. 3

Assignment: Week-5 • aslr-1 • Leaks buffer address • aslr-2 • Leaks some stack

Assignment: Week-5 • aslr-1 • Leaks buffer address • aslr-2 • Leaks some stack address (use relative addressing to get the buffer address!) • aslr-3 • Leaks some variables in the stack (use relative addressing, too) • aslr-4 • Leaks the address of printf (use relative addressing to figure out system()’s address)

Assignment: Week-5 • aslr-5 • Program contains a function that you can leak some

Assignment: Week-5 • aslr-5 • Program contains a function that you can leak some addresses. Call that to leak. • After that, use that address for your exploit (without invoking a new process() again) • aslr-6 • Code address is also randomized (Position Independent Executable!) • How? Brute-force! • Please choose easy target with low entropy… • The stack entropy is reduced (See the disassembly in main)

Assignment: Week-5 • ASLR: connect to vm-ctf 3. eecs. oregonstate. edu • Use the

Assignment: Week-5 • ASLR: connect to vm-ctf 3. eecs. oregonstate. edu • Use the same credentials (id, private key, etc. ) • Challenges are in /home/labs/week 4 • Use setup 4 • Due: 11/01 2: 00 pm