Basic Control Hijacking Attacks
Dan Boneh
Control hijacking attacks
• Attacker’s goal: take over target machine (e.g. web server)
• Execute arbitrary code on target by hijacking application control flow
• Examples:
– Buffer overflow and integer overflow attacks
– Format string vulnerabilities
– Use after free
First example: buffer overflows
Extremely common bug in C/C++ programs.
• First major exploit: 1988 Internet Worm. Fingerd.
Source: web.nvd.nist.gov
What is needed
• Understanding C functions, the stack, and the heap.
• Know how system calls are made
• The exec() system call
• Attacker needs to know which CPU and OS used on the target machine:
– Our examples are for x86 running Linux or Windows
– Details vary slightly between CPUs and OSs:
• Stack Frame structure (Unix vs. Windows, x86 vs. ARM)
• Little endian vs. big endian
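Linux process memory layout (x86_64)
[Figure: process address space with shared libraries at 0x0000 7F1F6 XXXX XXXX and the stack; the stack grows toward low addresses]
Stack frame, from high to low addresses:
– arguments
– return address
– stack base pointer ← rbp
– exception handlers
– local variables
– callee saved registers ← rsp (esp in 32-bit mode)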
What are buffer overflows?
Suppose a web server contains a function:
    void func(char *str) {
        char buf[128];
        strcpy(buf, str);      /* copies until the NUL in str; no length check */
        do_something(buf);
    }
After func() is called stack looks like:
    argument: str
    return address
    stack base pointer
    char buf[128]      ← rsp
What are buffer overflows?
What if *str is 136 bytes long?
    void func(char *str) {
        char buf[128];
        strcpy(buf, str);
        do_something(buf);
    }
After strcpy:
    argument: str
    return address
    stack base pointer
    char buf[128]      ← rsp
    (*str is copied over buf and past its end: Poisoned return address!)
Problem: no bounds checking in strcpy()
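The same copy with an explicit length check, as an added example that is not part of the original slides. `func_checked`, `bytes_past_buf`, `try_len` and the body of `do_something` are illustrative names, and the inputs are constructed to match the 128-byte buffer and 136-byte string above.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128

static size_t last_len;                        /* length do_something() last saw */
static void do_something(const char *buf) { last_len = strlen(buf); }

/* As on the slide: strcpy() copies until the NUL in str, however far that is.
 * Kept for comparison only; nothing below calls it. */
void func(char *str) {
    char buf[BUF_SIZE];
    strcpy(buf, str);
    do_something(buf);
}

/* Hardened form: measure first and refuse input that does not fit.
 * Returns 0 on success, -1 if str plus its NUL exceeds buf. */
int func_checked(const char *str) {
    char buf[BUF_SIZE];
    const char *end = memchr(str, '\0', sizeof buf);  /* stops at the first NUL */
    if (end == NULL)
        return -1;                             /* reject rather than truncate */
    memcpy(buf, str, (size_t)(end - str) + 1); /* length + NUL <= sizeof buf */
    do_something(buf);
    return 0;
}

/* Bytes strcpy() would write past the end of buf for len characters + NUL. */
size_t bytes_past_buf(size_t len) {
    return len + 1 > BUF_SIZE ? len + 1 - BUF_SIZE : 0;
}

/* Build a constructed input of len 'A' characters and pass it to func_checked(). */
int try_len(size_t len) {
    char input[512];
    if (len >= sizeof input) return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    return func_checked(input);
}

int main(void) {
    printf("127: %d  128: %d  136: %d  overrun at 136: %zu bytes\n",
           try_len(127), try_len(128), try_len(136), bytes_past_buf(136));
    return 0;
}
```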
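Basic stack exploit
Program P: exec("/bin/sh") (exact shell code by Aleph One)
[Figure: stack, high addresses at top, showing the return address]
[Figure: object with vptr and data; vtable holds FP1 (method #1), FP2 (method #2), FP3 (method #3)]
[Figure: buf[256] beside an object's vptr and data; vtable]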
A reliable exploit?
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");          // allocate in heap
overflow_string = unescape("%u2332%u4276%...");
cause_overflow(overflow_string);                   // overflow buf[ ]
</SCRIPT>
[Figure: buf[256] beside an object's ptr and data; vtable; shellcode]
Heap Spraying [SkyLined]
[Figure: heap; vtable]
Control Hijacking: More Control Hijacking Attacks
More Hijacking Opportunities
• Integer overflows: (e.g. MS DirectX MIDI Lib)
• Double free: double free space on heap
– Can cause memory mgr to write data to specific location
– Examples: CVS server
• Use after free: using memory after it is freed
• Format string vulnerabilities
Integer Overflows (see Phrack 60)
Integer overflow exploit stats
[Chart: integer overflow exploit counts by year, 1996 to 2020; vertical axis 0 to 700]
Format string problem
int func(char *user) {
    fprintf(stderr, user);    /* user-supplied string is used as the format */
    return 0;
}
Printing:
printf, fprintf, sprintf, …
vprintf, vfprintf, vsprintf, …
Logging:
syslog, err, warn
Exploit
• Dumping arbitrary memory:
– Walk up stack until desired pointer is found.
– printf("%08x.%08x.%08x.%08x|%s|")
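An added example (not from the original slides) that puts the call from the format string slide next to its fixed form and adds a check a logging path can run on untrusted strings. `log_unsafe`, `log_safe` and `count_directives` are illustrative names and the inputs are constructed; the unsafe form is only ever given `%%`, which consumes no arguments.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable call is intentional here, so silence the compiler's warning. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Pattern from the slide: caller-supplied text is used as the format. */
int log_unsafe(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}

/* Fixed pattern: constant format, user text is only ever data. */
int log_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* Count conversion directives (%x, %08x, %s, %n, ...) in an untrusted string.
 * "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s) {
    int count = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                   /* look at the char after '%' */
        if (*s == '%') { s++; continue; }      /* "%%": literal, skip both */
        if (*s == '\0') break;                 /* lone trailing '%' */
        count++;
    }
    return count;
}

int main(void) {
    char a[64], b[64];
    const char *benign = "100%% done";         /* constructed input, safe to format */
    const char *probe = "%08x.%08x.%08x.%08x|%s|";  /* string from the slide */
    log_unsafe(a, sizeof a, benign);
    log_safe(b, sizeof b, benign);
    printf("as format: [%s]  as data: [%s]\n", a, b);
    printf("directives in probe: %d\n", count_directives(probe));
    log_safe(a, sizeof a, probe);              /* copied verbatim, no arguments read */
    printf("probe logged safely: [%s]\n", a);
    return 0;
}
```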
High impact security vulns. in Chrome 2015 – 2020 (C++)
What just happened?
c1.doReset() causes changer() to be called and free object c2
[Figure: object c2 (vptr, data); vtable (FP1, FP2, FP3); ShellCode]
Use after free!
document.getElementById("c1").onpropertychange = changer;
document.getElementById("form").reset();
</script>
Ceng 452: Network Security
Isolation: The confinement principle
Running untrusted code
We often need to run buggy/untrusted code:
– programs from untrusted Internet sites:
• mobile apps, Javascript, browser extensions
– honeypots
app 1 app 2
⇒ difficult to manage
Approach: confinement
Confinement: ensure misbehaving app cannot harm rest of system
[Figure: app1 on OS1 and app2 on OS2; process 1 and process 2 on one Operating System]
Implementing confinement
Key component: reference monitor
– Mediates requests from applications
• Enforces confinement
• Implements a specified protection policy
– Must always be invoked:
• Every application request must be mediated
– Tamperproof:
• Reference monitor cannot be killed
… or if killed, then monitored process is killed too
– Small enough to be analyzed and validated
An old example: chroot
To use do: (must be root)
    chroot /tmp/guest    # root dir "/" is now "/tmp/guest"
    su guest             # EUID set to "guest"
• Reboot system
FreeBSD jail
Stronger mechanism than simple chroot
System call interposition
Observation: to damage host system (e.g. persistent changes)
app must make system calls:
– To delete/overwrite files: unlink, open, write
– To do network attacks: socket, bind, connect, send
Implementation options:
– Completely kernel space (e.g., Linux seccomp)
– Completely user space (e.g., program shepherding)
– Hybrid (e.g., Systrace)
Early implementation (Janus) [GWTB’96]
fopen("/etc/passwd", "r")
OS Kernel
Monitor kills application if request is disallowed
Example policy
Sample policy file (e.g., for PDF reader)
[Figure: Chrome renderer process starts … Renderer process renders site (user space)]
BPF filter input: syscall number, syscall args., arch. (x86 or ARM)
Filter returns one of:
– SECCOMP_RET_KILL: kill process
– SECCOMP_RET_ERRNO: return specified error to caller
– SECCOMP_RET_ALLOW: allow syscall
Installing a BPF filter
• Must be called before setting BPF filter.
• Ensures set-UID, set-GID ignored on subsequent execve()
⇒ attacker cannot elevate privilege
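A minimal filter install in the order described above, as an added example that is not part of the original slides. It assumes the call the first bullet refers to is `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` and that it runs on Linux (x86-64 or AArch64); `confined_probe`, `run_confined` and `THIS_ARCH` are illustrative names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifdef __aarch64__
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#define THIS_ARCH AUDIT_ARCH_X86_64    /* assumption: built for x86-64 */
#endif

/* Child side: install the filter, then try a filtered syscall.
 * Returns 0 if socket() was refused with EPERM, non-zero otherwise. */
static int confined_probe(void) {
    struct sock_filter prog[] = {
        /* Input: arch. Syscall numbers differ per arch, so kill on mismatch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Input: syscall number. socket() gets EPERM, everything else is allowed. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    /* Must come first: without it an unprivileged process cannot install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 2;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) return 3;
    long fd = syscall(__NR_socket, 2 /* AF_INET */, 1 /* SOCK_STREAM */, 0);
    return (fd == -1 && errno == EPERM) ? 0 : 1;
}

/* Fork so the filter, which cannot be removed once set, confines only the child. */
int run_confined(void) {
    int status;
    pid_t pid = fork();
    if (pid == 0) _exit(confined_probe());
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return run_confined(); }
```

An exit status of 0 means the confined child's socket() call was refused with EPERM; 2 or 3 means the kernel or an outer sandbox rejected the install itself.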
[Figure: App 1, App 2, App 3 running on Docker engine, on host OS, on hardware]
making sys calls filtered by seccomp-BPF
• Whoever starts container can specify BPF policy
– default policy blocks many syscalls, including ptrace
Docker sys call filtering
Run nginx container with a specific filter called filter.json:
$ docker run --security-opt seccomp=filter.json nginx
Example filter:
{
  "defaultAction": "SCMP_ACT_ERRNO",     // deny by default
  "syscalls": [
    { "names": ["accept"],               // sys-call name
      "action": "SCMP_ACT_ALLOW",        // allow (whitelist)
      "args": [ ] },                     // what args to allow
    …
  ]
}
Ostia: SCI with minimal kernel support
Monitored app disallowed from making monitored sys calls
– Minimal kernel change (… but app can call close() itself )
Sys-call delegated to an agent that decides if call is allowed
– Can be done without changing app … using a libc stub
⇒ Incorrect state syncing will not result in policy violation
[Figure: monitored application with libc, and agent with the policy file for app, in user space; fopen("/etc/passwd", "r"); OS Kernel]
Isolation: Isolation via Virtual Machines
Virtual Machines
[Figure: VM1 (Apps, Guest OS 1) and VM2 (Apps, Guest OS 2) on a Virtual Machine Monitor (VMM, hypervisor), on Host OS, on Hardware]
[Figure: Classified VM (malware, secret doc) and Public VM (listener) on one hypervisor; covert channel]
An example covert channel
Both VMs use the same underlying hardware
At 1:00am listener does CPU intensive calc. and measures completion time
b=1 ⇒ completion-time > threshold
[Figure: two Guest OS instances on the Xen hypervisor, on Hardware. Type 1 hypervisor: no host OS]
VMs from different customers may run on the same machine
• Hypervisor must isolate VMs … but some info leaks
VM isolation in practice: end-user
Qubes OS: a desktop/laptop OS where everything is a VM
• Runs on top of the Xen hypervisor
• Access to peripherals (mic, camera, usb, …) controlled by VMs
Applications:
Hypervisor detection
Hypervisor detection (red pill techniques)
• VM platforms often emulate simple hardware
– VMware emulates an ancient i440bx chipset
… but report 8GB RAM, dual CPUs, etc.
Software Fault Isolation [Wahbe et al., 1993]
Software Fault Isolation
SFI approach: Partition process memory into segments
app #1 app #2
Solution:
Cross domain calls
[Figure: caller domain (call draw, call stub, jump table of br addr entries) and callee domain (draw: … return, ret stub, jump table of br addr entries)]
• Only stubs allowed to make cross-domain jumps
• Jump table contains allowed exit points
– Addresses are hard coded, read-only segment
SFI Summary
• Performance
– Usually good: mpeg_play, 4% slowdown
Isolation: summary
• Many sandboxing techniques:
Physical air gap, Virtual air gap (hypervisor),
System call interposition (SCI), Software Fault isolation (SFI)
Application specific (e.g. Javascript in browser)