Lecture 6 - Control Hijacking and Defenses: CS Department City University of Hong Kong

Lecture 6 – Control Hijacking and
Defenses
CS Department
City University of Hong Kong
Slides partially adapted from lecture notes by M. Goodrich&R. Tamassia,

W. Stallings&L. Brown, Dan Boneh, and Dawn Song.
An Information Security Short Course
1
(Summer 2020)
Control Hijacking
Advanced
Hijacking Attacks

2
(Summer 2020)
Heap Spray Attacks
A reliable method for exploiting heap overflows

3
(Summer 2020)
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
FP1
method #1
ptr FP2 method #2

FP3
method #3
data vtable
Object T
• Suppose vtable is on the heap next to a string object:
data
buf[256] vtable
ptr
4
(Summer 2020) object T
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
FP1
method #1
ptr FP2 method #2

FP3
method #3
data vtable
Object T
shell
code
• After overflow of buf we have:
data
buf[256] vtable
ptr
5
(Summer 2020) object T
A reliable exploit?
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
overflow-string = unescape(“%u2332%u4276%...”);
cause-overflow( overflow-string ); // overflow buf[ ]
</SCRIPT>
Problem: attacker does not know where browser

places shellcode on the heap
???
data
buf[256] vtable
ptr
shellcode
6
(Summer 2020)
Heap Spraying [SkyLined 2004]
Idea: 1. use Javascript to spray heap

with shellcode (and NOP slides)
2. then point vtable ptr anywhere in spray area
NOP slide shellcode
heap
vtable
heapShort
An Information Security spray area
Course
7
(Summer 2020)
Javascript heap spraying
var nop = unescape(“%u9090%u9090”)
while (nop.length < 0x100000) nop += nop
var shellcode = unescape("%u4343%u4343%...");
var x = new Array ()

for (i=0; i<1000; i++) {
x[i] = nop + shellcode;
}
• Pointing func-ptr almost anywhere in heap will

cause shellcode to execute.
8
(Summer 2020)
Many heap spray exploits
[RLZ’08]
• Improvements: Heap Feng Shui [S’07]

– Reliable heap exploits on IE without spraying
– Gives attacker full control of IE heap from Javascript
9
(Summer 2020)
(partial) Defenses
• Protect heap function pointers (e.g. PointGuard)
• Better browser architecture:

– Store JavaScript strings in a separate heap from browser heap
• OpenBSD heap overflow protection:

prevents
cross-page
overflows
non-writable pages
• Nozzle [RLZ’08] : detect sprays by prevalence of code on heap

10
(Summer 2020)
References on heap spraying
[1] Heap Feng Shui in Javascript,
by A. Sotirov, Blackhat Europe 2007
[2] Engineering Heap Overflow Exploits with JavaScript

M. Daniel, J. Honoroff, and C. Miller, WooT 2008
[3] Nozzle: A Defense Against Heap-spraying Code Injection

Attacks,
by P. Ratanaworabhan, B. Livshits, and B. Zorn
[4] Interpreter Exploitation: Pointer inference and JiT spraying,

by Dion Blazakis
11
(Summer 2020)
Race Condition Vulnerability
in Software Development

12
(Summer 2020)
General Race Condition Problem
When two concurrent threads of execution access a shared
resource in a way that unintentionally produces different results
depending on the timing of the threads or processes.
Race Condition can occur

here if there are two
simultaneous withdraw
requests.
13
General Race Condition Problem
• Assume current balance = $100.

• Request 1 to withdraw $90.
• Before the server updates the balance, request 2 tries
to withdraw $90 which will approved as current
balance is still $100.
• Hence, $180 will be withdrawn with $10 in the
account as balance 14
Race Condition
● Happens when:
○ Multiple processes access and manipulate the same data
concurrently.
○ The outcome of execution depends on a particular order.
● If a privileged program has a race condition

○ attackers may be able to affect the output of the
privileged program by putting influences on the
uncontrollable events.
15
Race condition Requirement
• Necessary properties for a race condition
– Concurrency property
• At least two control flows executing concurrently
– Shared object property
• The concurrent flows must access a common shared
race object
– Change state property
• At least one control flow must alter the state of the
race object

16
(Summer 2020)
What’s going wrong?
● Time-Of-Check To
Time-Of-Use
(TOCTTOU)
● Occurs when
checking for a
condition before
using a resource.
17
A more useful example
● Root-owned Set-UID
program.
● Effective UID : root
● Real User ID : seed
● A Set-UID program that checks if you have the right to write to a file.
● Specially, it writes to a file in the /tmp directory (world-writable)
● The program should check if the real User ID match with the ID of the owner
● access() checks the real User ID
● open() only checks the effective User ID
● access() is the predicate that is essential to prevent unauthorized writes
● Like the account withdrawn example
● Vulnerability risk between check (access) and execution (open with write flag)
● The question is: how can an attack leverage this vulnerability?
18
Attack goal
Goal : To write to a protected file like
/etc/passwd.
To achieve this goal we need to make
/etc/passwd as our target file without
changing the file name in the program.
● Symbolic link (soft link) helps us to achieve it.
● It is a special kind of file that points to
another file.
19
Background on context switch
The high-level attack intuition is to

concurrently run an attack program to achieve
a desirable CPU execution order as intended
20
Attack logic
To win the race condition
(TOCTTOU window), we
need two processes :
● Run vulnerable
program in a loop
● Run the attack

program
21
Understanding the attack
Let’s consider steps for two Attack program runs: A1,A2,A1,A2…….
programs : Vulnerable program runs :

A1 : Make “/tmp/X” point to V1,V2,V1,V2…..
a file owned by us As the programs are running

A2 : Make “/tmp/X” point to simultaneously, the instructions will be
interleaved (mixture of two sequences)
/etc/passwd
A1, V1 , A2, V2 : vulnerable prog opens
V1 : Check user’s permission /etc/passwd for editing.
on “/tmp/X”
V2 : Open the file
22
Countermeasures
● Atomic Operations: To eliminate the window between
check and use
● Repeating Check and Use: To make it difficult to win
the “race”.
● Sticky Symlink Protection: To prevent creating
symbolic links.
● Principles of Least Privilege: To prevent the damages
after the race is won by the attacker.
23
Atomic Operations
f = open(file ,O_WRITE | O_REAL_USER_ID
● This is just an idea, not implemented

in the real OS and libraries.
● With this option, open() will only
check the real User ID.
● Therefore, open() achieves check and
use on it’s own and the operations are
atomic.
24
Repeating Check and Use
❸
❶
● Check-and-use is done three times.

● Check if the inodes are same.
● For a successful attack, “/tmp/XYZ”
needs to be changed 5 times.
● The chance of winning the race 5
times is much lower than a code
with one race condition.
25
Sticky Symlink Protection
To enable the sticky symlink protection for world-writable sticky directories:
● When the sticky symlink protection is enabled, symbolic links inside a sticky
world-writable can only be followed when the owner of the symlink matches
either the follower or the directory owner.
26
Sticky Symlink Protection
● Symlink protection allows fopen() when the owner of the

symlink match either the follower (EID of the process) or the
directory owner.
● In our vulnerable program (EID is root), /tmp directory is also
owned by the root, the program will not allowed to follow
the symbolic link unless the link is created by the root.
27
Principle of Least Privilege
Principle of Least Privilege:

A program should not use more privilege than
what is needed by the task.
● Our vulnerable program has more privileges than
required while opening the file.
● seteuid() and setuid() can be used to discard or
temporarily disable privileges.
28
Principle of Least Privilege
Right before opening
the file, the program
should drop its
privilege by setting
EID = RID
After writing, privileges are restored

by setting EUID = root
29
End of Segment

30
(Summer 2020)

Lecture 6 - Control Hijacking and Defenses: CS Department City University of Hong Kong

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lecture 6 - Control Hijacking and Defenses: CS Department City University of Hong Kong

Uploaded by

Copyright:

Available Formats

Lecture 6 – Control Hijacking and

Slides partially adapted from lecture notes by M. Goodrich&R. Tamassia,

An Information Security Short Course

A reliable method for exploiting heap overflows

An Information Security Short Course

ptr FP2 method #2

• Suppose vtable is on the heap next to a string object:

ptr FP2 method #2

Problem: attacker does not know where browser

Idea: 1. use Javascript to spray heap

NOP slide shellcode

var shellcode = unescape("%u4343%u4343%...");

var x = new Array ()

• Pointing func-ptr almost anywhere in heap will

• Improvements: Heap Feng Shui [S’07]

• Better browser architecture:

• OpenBSD heap overflow protection:

• Nozzle [RLZ’08] : detect sprays by prevalence of code on heap

[2] Engineering Heap Overflow Exploits with JavaScript

[3] Nozzle: A Defense Against Heap-spraying Code Injection

[4] Interpreter Exploitation: Pointer inference and JiT spraying,

An Information Security Short Course

Race Condition can occur

• Assume current balance = $100.

● If a privileged program has a race condition

An Information Security Short Course

● It is a special kind of file that points to

The high-level attack intuition is to

● Run the attack

programs : Vulnerable program runs :

a file owned by us As the programs are running

● This is just an idea, not implemented

● Check-and-use is done three times.

● Symlink protection allows fopen() when the owner of the

Principle of Least Privilege:

After writing, privileges are restored

An Information Security Short Course

You might also like