Return-Oriented Programming
Andrei Homescu, Michael Stewart, Stefan Brunthaler, Per Larsen, Michael Franz
University of California, Irvine


Slide 1: Return-oriented Programming
[Figure: "Simplified ROP jailbreak attack". A chain of gadgets (OPEN CONNECTION; ADD EAX, EBX; RETURN; POP EBP; RETURN; RETURN TO THE WHITEHOUSE) is laid out on the stack with their addresses (0x080, 0x1C0, ...); an arrow marks the direction of stack growth.]

Slide 2: Return-oriented Programming
Original version: a hand-picked set of gadgets from libc; downside: specific to one library (Debian 5 libc).
Later work uses automated scanners:
- Scan for 1-instruction gadgets
- Match using expression trees
- Use postconditions
- Formulate gadget outputs as boolean functions and use an SMT solver

Slide 3: Complicated Gadgets
- More than one instruction per gadget
- Complex instruction operands (memory offsets, immediates)
- Interference between instructions

Slide 4: Gadget Examples
ADD EAX, [EBX+0x35CFE022]    03 83 22 E0 CF 35
LEA EAX, [EBX+2*EAX+0x20]    8D 44 43 20
INC [0x98560F0E]             FF 05 0E 0F 56 98
ADD EAX, EBX                 01 D8
INC EAX                      40
ADD EAX, 0x20                83 C0 20
POP EBP                      5D

Slide 5: Goals for Our Gadget Set
- Ubiquity: in as many binaries as possible
- Computational power: Turing-complete
- Simplicity

Slide 6: Key Insight for Ubiquity
Smaller gadgets occur more frequently.

Slide 7: Microgadget Set
- Focus on very small gadgets (2-3 bytes)
- Grouped into classes, by operation
- 1 instruction + RET in each gadget
- Expectation: find this set very frequently in large binaries (ubiquity)

Slide 8: Smallest Gadget
RET    C3

Slides 9-10: 2 Byte Microgadgets
- XCHG EAX, reg for register-to-register moves
- POP reg for loading constants
- LAHF / PUSHF for loading flags
- INC / DEC reg
- CLC / SAHF / DAA / ... to clear the carry flag
- PUSHA to copy ESP into another register
- LEAVE to change ESP
- LODSD / STOSD for memory accesses
- PUSH reg for control flow (function calls)

Slide 13: Attack example
[Figure: ROP chain on the stack, no ASLR. Gadget 1 loads the address of mmap into a register; gadget 2 loads ESP into EBP; gadget 3 is PUSH reg; RET, which calls mmap with arguments 1-6 taken from the stack; gadget 4 is LEAVE; RET; gadget 5 loads a word of the payload and gadget 6 (STOSD; RET) stores it; the chain ends with gadget N, PUSH EAX; RET. An arrow marks the direction of stack growth.]

Slide 15: 3 Byte Microgadgets
- ADD / ADC / SUB / SBB
- XOR / NOT / NEG
- AND / OR
- One memory load, if the 2-byte version is not available
- One memory store, if the 2-byte version is not available
- One operation to copy ESP at the beginning
- For an ASLR-proof mmap call: just add a given value to ESP

Slide 16: Conditional Branches
- Needed for Turing-completeness; tricky
- Supported operation: "branch if A < B"
- Addition/subtraction => CF => branch
- Branch target is loaded from a table
[Figure: the ROP program holds a pointer to an address table with two entries (false address, true address); the value of CF (0 or 1) selects the entry, so the conditional branch continues with either the false-case code or the true-case code, followed by more code.]

Slide 17: Turing-completeness
- The model implements the subneg variant of OISC (one-instruction set computer)
- Only 3 operations needed: subtraction, less-than comparison, conditional branching
- subneg and subleq are known to be Turing-complete
- Bonus operations: addition, boolean operations, extra memory loads/stores

Slide 20: Evaluation
Number of binaries per distribution that contain the microgadget set, with and without XCHG gadgets:

Distribution    Total binaries   mmap, no ASLR      mmap c-mode, ASLR   mmap i-mode, ASLR
                                 no XCHG   XCHG     no XCHG   XCHG      no XCHG   XCHG
Kubuntu 7.10    1337             404       262      27        8         17        9
Ubuntu 9.04     1492             434       212      31        4         21        6
Ubuntu 10.04    1587             497       164      35        10        24        12
Kubuntu 11.10   1655             565       271      45        15        39        15

Slide 21: Attack Example
[Figure: the ASLR-proof variant of the chain from slide 13. Gadget 1 loads the address of mmap into a register; gadget 2 copies ESP to EBP; gadget 3 adds an offset to EBP; gadget 4 is PUSH reg; RET, calling mmap with arguments 1-6 from the stack; gadget 5 is LEAVE; RET; gadget 6 loads a word of the payload and gadget 7 (STOSD; RET) stores it; the chain ends with gadget N, PUSH EAX; RET. An arrow marks the direction of stack growth.]

Slide 22: Conclusion - Goals
- Ubiquity: in as many binaries as possible
- Simplicity
- Computational power: Turing-complete

Slide 23: Future Work
- Make the classes larger
- Port to 64 bits: not trivial!
- Extend the model to other return/jump instructions
- Measure the probability that a binary from a given distribution contains the microgadgets
- Build a distribution of n-grams in binaries
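As an added example of the ubiquity measurement the slides describe (this is not the authors' scanner or any code from the deck): a scanner that counts, at every byte offset, the one-instruction-plus-RET microgadgets a 32-bit x86 code buffer provides, grouped by the slides' gadget classes. The opcode tables cover only the classes listed on slides 9 and 15, the class names are my own labels for those groupings, and the sample bytes are constructed.

```python
"""Microgadget exposure scanner for 32-bit x86 code (added example, not the
authors' tool). Finds 'one instruction + RET' gadgets from the classes the
slides list at every byte offset, since x86 decodes from any address and a
gadget can sit inside a longer instruction's bytes (see the constructed sample)."""
from collections import defaultdict

RET = 0xC3
# Register order used by x86 opcode low bits and ModRM fields.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Class names are my labels for the slides' groupings, not the authors' terms.
CLASS_OF = {"xchg": "register move", "pop": "constant load", "lahf": "flag load",
            "pushf": "flag load", "inc": "inc/dec", "dec": "inc/dec",
            "clc": "clear carry", "sahf": "clear carry", "daa": "clear carry",
            "pusha": "copy esp", "leave": "set esp", "lodsd": "memory load",
            "stosd": "memory store", "push": "control flow", "add": "arithmetic",
            "adc": "arithmetic", "sub": "arithmetic", "sbb": "arithmetic",
            "xor": "boolean", "not": "boolean", "neg": "boolean",
            "and": "boolean", "or": "boolean"}


def _tables():
    """Opcode bytes -> mnemonic for the 2-byte (opcode + RET) and 3-byte
    (opcode + ModRM + RET) microgadget classes named in the slides."""
    one, two = {}, {}
    for i, r in enumerate(REGS):
        one[bytes([0x40 + i])] = f"inc {r}"
        one[bytes([0x48 + i])] = f"dec {r}"
        one[bytes([0x50 + i])] = f"push {r}"
        one[bytes([0x58 + i])] = f"pop {r}"
        if i:  # 0x90 on its own is NOP, not XCHG EAX, EAX
            one[bytes([0x90 + i])] = f"xchg eax, {r}"
        # F7 /2 = NOT r32, F7 /3 = NEG r32 (ModRM mod=11, reg=/digit, rm=i)
        two[bytes([0xF7, 0xC0 | (2 << 3) | i])] = f"not {r}"
        two[bytes([0xF7, 0xC0 | (3 << 3) | i])] = f"neg {r}"
    for opc, name in [(0x9F, "lahf"), (0x9C, "pushf"), (0x9E, "sahf"),
                      (0xF8, "clc"), (0x27, "daa"), (0x60, "pusha"),
                      (0xC9, "leave"), (0xAD, "lodsd"), (0xAB, "stosd")]:
        one[bytes([opc])] = name
    # "op r/m32, r32" forms: the ModRM reg field is the source, rm the destination.
    for opc, name in [(0x01, "add"), (0x11, "adc"), (0x29, "sub"), (0x19, "sbb"),
                      (0x31, "xor"), (0x21, "and"), (0x09, "or")]:
        for s, src in enumerate(REGS):
            for d, dst in enumerate(REGS):
                two[bytes([opc, 0xC0 | (s << 3) | d])] = f"{name} {dst}, {src}"
    return one, two


def find_microgadgets(code: bytes) -> dict:
    """Map mnemonic -> offsets at which 'mnemonic; ret' starts in code."""
    one, two = _tables()
    found = defaultdict(list)
    for off in range(len(code)):
        if code[off] != RET:
            continue
        if off >= 1 and code[off - 1:off] in one:
            found[one[code[off - 1:off]]].append(off - 1)
        if off >= 2 and code[off - 2:off] in two:
            found[two[code[off - 2:off]]].append(off - 2)
    return dict(found)


def covered_classes(code: bytes) -> set:
    """The slides' gadget classes that the buffer provides at least once."""
    return {CLASS_OF[m.split()[0]] for m in find_microgadgets(code)}


# Constructed sample, not bytes from any real binary: a function tail, a frame
# teardown, and a MOV whose immediate contains 40 C3 (INC EAX; RET), a gadget
# the aligned disassembly never shows.
SAMPLE = (b"\x8b\x45\x08"          # mov eax, [ebp+8]
          b"\x01\xd8\xc3"          # add eax, ebx ; ret   -> gadget at offset 3
          b"\x5d\xc3"              # pop ebp ; ret        -> gadget at offset 6
          b"\xb8\x40\xc3\x00\x00"  # mov eax, 0xC340      -> hidden inc eax ; ret at 9
          b"\x83\xc0\x20\xc3")     # add eax, 0x20 ; ret  (immediate operand: not a microgadget)

if __name__ == "__main__":
    for insn, offs in sorted(find_microgadgets(SAMPLE).items()):
        print(f"{insn:14s}; ret   at offsets {offs}")
    print("classes:", sorted(covered_classes(SAMPLE)))
```

Feed it the bytes of a binary's executable section (before and after applying a mitigation) to see which gadget classes remain available, which is the per-binary question behind the evaluation table on slide 20.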