Proceedings In

AsiaBSDCon 2019 Proceedings
March 21-24, 2019, Tokyo, Japan
Copyright © 2019 BSD Research. All rights reserved. Unauthorized republication is prohibited.
Published in Japan, March 2019

INDEX

P01A: Adventure in DRMland Or how to write a FreeBSD ARM64 DRM Driver. Emmanuel Vadot. p. 9
P01B: Removing ROP Gadgets from OpenBSD. Todd Mortimer. p. 13
P02A: Powerpc64 Architecture Support in FreeBSD Ports. Piotr Kubaj. p. 23
P02B: Design and Implementation of NetBSD Base System Package Distribution Service. Ken'ichi Fukamachi, Yuuki Enomoto. p. 31
P03A: Doubling FreeBSD Request-Response Throughputs over TCP with PASTE. Michio Honda. p. –
P03B: LLVM and the state of sanitizers on BSD. David Carlier. p. 41
P04A: Monitoring FreeBSD Systems: What to (Not) Monitor. Andrew Fengler. p. 47
P04B: Intel HAXM: A Hardware-Assisted Acceleration Engine in the NetBSD kernel. Kamil Rytarowski. p. 53
P05A: Managing System Images with ZFS. Allan Jude. p. 57
P05B: bhyvearm64: Generic Interrupt Controller Version 3 Virtualization. Alexandru Elisei, Mihai Carabas. p. 65
P06A: BSD Unix Solutions in the Australian NFP/NGO Health Sector. Jason Tubnor. p. 73
P06B1: bhyve - Improvements to Virtual Machine State Save and Restore. Darius Mihai, Mihai Carabas. p. 81
P06B2: FreeBSD - Live Migration feature for bhyve. Maria-Elena Mihăilescu, Mihai Carabas. p. 89
P07A: Yet Another Container Migration on FreeBSD. Yuhei Takagawa, Katsuya Matsubara. p. 97
P07B: Finalizing Booting Requirements for a Guest Running Under bhyvearm. Nicolae-Alexandru Ivan, Mihai Carabas. p. 103
P08A: Parallel, Multi-Axis Regression and Performance Testing with FreeBSD, OpenZFS, and bhyve. Michael Dexter. p. 109
P08B: FreeBSD Virtualization - Improving block I/O compatibility in bhyve. Sergiu Weisz, Mihai Carabas. p. 115
P09A: ZRouter: Remote update of firmware. Hiroki Mori. p. 119
P09B: Porting Go to NetBSD/arm64. Maya Rashish. p. 123
P10A: Improving security of the FreeBSD boot process. Kornel Duleba, Michał Stanek. p. 125
P10B: Another Path for Software Quality? Automated Software Verification and OpenBSD. Moritz Buhl. p. 131

Removing ROP Gadgets from OpenBSD
Todd Mortimer
[email protected]

Abstract

Return Oriented Programming (ROP) is a common exploitation technique that reuses existing code fragments (gadgets) to construct shellcode in a compromised program. Recent changes in OpenBSD's compiler have started to reduce the number of gadgets in x86 and arm64 binaries, with the aim of making ROP exploitation more difficult or impossible. This paper will cover how ROP gadgets emerge from legitimate code, how OpenBSD's compiler removes these gadgets, and the effects on performance, code size, and ROP tool capabilities. We find that it is possible to meaningfully reduce the number of ROP gadgets in programs, and to effectively hinder ROP tool capabilities.

1 Background

Return oriented programming (ROP) [5] is an exploitation technique that uses fragments of existing programs in unintended ways to effect control over a compromised process. In contrast to traditional shellcode injection, ROP attacks inject a series of return addresses - a ROP chain - into memory which, when execution returns to the first address in the chain, cause execution to iterate through a series of small code fragments which have the same effect as traditional shellcode. ROP is a powerful technique in environments which disable simultaneously writable and executable memory (W⊕X), since it does not rely on injecting executable code into program memory, but instead relies only on program fragments that already exist. These program fragments are called gadgets, and each gadget consists of a (typically small) sequence of instructions followed by a return. On aligned architectures, these returns are part of the intended instruction stream that makes up the program, but on unaligned architectures such as x86, these returns can also emerge from jumping into the instruction stream at unintended offsets and causing the existing code to be interpreted differently from what was intended. ROP techniques have been used in attacks on real world systems, including recent attacks exploiting CVE-2018-5767 [1], CVE-2018-7445 [2] and CVE-2018-16865/6 [3].

Numerous techniques have been proposed to mitigate ROP exploits, including return address verification techniques [2] and control flow verification [1], which aim to prevent control flow being redirected towards a ROP chain. Attempts have also been made to remove ROP gadgets themselves or to render them unusable [4]. This paper describes ROP exploit mitigations in OpenBSD which are motivated by gadget reduction and removal, though some mitigations also verify return control flow through return address verification.

In order to mount a successful ROP attack against a vulnerable binary, the attacker must first catalogue all of the gadgets available in a given binary, then identify a sequence of gadgets which will result in their desired effect. This process of scanning binaries for gadgets and then constructing ROP chains which have a desired outcome is somewhat tedious and error prone, so numerous tools exist to make this easy, such as ROPGadget [4], ropper [5], angrop [6], or pwntools [7]. In this paper we will rely on the output from one of these tools, ROPGadget, to measure our effectiveness. Specifically, we will use the number of unique gadgets found by this tool to measure the effectiveness of gadget removal in the OpenBSD kernel and libc, which we have chosen because they are large and diverse binary objects, and are popular exploitation targets. ROPGadget also includes an option to generate a ROP chain that results in an exploited program executing a command shell. Obtaining a command shell is a common exploitation goal, since once an attacker has a command shell they can execute arbitrary other commands on the compromised system. We will use this feature to estimate the effectiveness of our efforts to impede mounting successful ROP attacks against OpenBSD binaries. The output from the ROPGadget

to the intended stream of instructions. These polymorphic

Footnotes (numbered as in the paper; the bracketed reference numbers [1]-[5] in the text refer to the paper's bibliography, which is not included on this page):
1 https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
2 https://www.secureauth.com/labs/advisories/mikrotik-routeros-smb-buffer-overflow
3 https://www.openwall.com/lists/oss-security/2019/01/09/3
4 https://github.com/JonathanSalwan/ROPgadget
5 https://github.com/sashs/ropper
6 https://github.com/salls/angrop
7 http://docs.pwntools.com/en/stable/
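The Background section says that on x86 a return can emerge from entering the instruction stream at an unintended offset, and the introduction says that tools such as ROPGadget catalogue gadgets by scanning a binary for them. The following C program is an added example, not code from the paper, from OpenBSD or from ROPGadget: it builds a small constructed x86-64 byte stream in which a 0xc3 byte sits inside a mov immediate and a pop carries a REX prefix, then scans it the way a gadget finder does, trying every entry offset before each 0xc3 and reporting which gadgets start at offsets the compiler never intended. The decoder is deliberately a toy that understands only ret, pop r64 and mov r64,imm32 (an assumption of this example; ROPGadget uses a full disassembler), so anything else is treated as undecodable.

```c
/* Added example, not from the paper: a toy x86-64 gadget finder showing how
 * ret-terminated gadgets emerge at unintended instruction boundaries. The byte
 * stream is constructed; the decoder knows only the few opcodes it needs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct gadget { size_t off; char text[64]; };   /* entry offset, "pop rbp; ret" */

/* Intended decoding of the constructed stream (offset: bytes  instruction):
 *   0: 48 c7 c0 c3 00 00 00   mov rax, 0xc3   (a 0xc3 byte hides in the immediate)
 *   7: 41 5c                  pop r12
 *   9: 5d                     pop rbp
 *  10: c3                     ret */
static const uint8_t code[] = { 0x48, 0xc7, 0xc0, 0xc3, 0x00, 0x00, 0x00,
                                0x41, 0x5c, 0x5d, 0xc3 };
static const char *const reg64[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp",
    "rsi", "rdi", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };

/* Decode one instruction from the subset {ret, pop r64, mov r64,imm32}.
 * Returns bytes consumed, or 0 if the bytes fall outside the subset. */
static size_t decode_one(const uint8_t *p, size_t avail, char *out, size_t outsz)
{
    size_t i = 0;
    int rex_w = 0, rex_b = 0;
    if (avail == 0) return 0;
    if ((p[0] & 0xf0) == 0x40) {                /* REX prefix 0x40..0x4f */
        rex_w = p[0] & 0x08, rex_b = p[0] & 0x01;
        if (++i >= avail) return 0;
    }
    uint8_t op = p[i];
    if (op == 0xc3) { snprintf(out, outsz, "ret"); return i + 1; }
    if (op >= 0x58 && op <= 0x5f) {             /* pop r64; REX.B selects r8..r15 */
        snprintf(out, outsz, "pop %s", reg64[op - 0x58 + (rex_b ? 8 : 0)]);
        return i + 1;
    }
    if (rex_w && op == 0xc7 && i + 6 <= avail && (p[i + 1] & 0xf8) == 0xc0) {
        uint32_t imm = p[i + 2] | p[i + 3] << 8 | p[i + 4] << 16 | (uint32_t)p[i + 5] << 24;
        snprintf(out, outsz, "mov %s, 0x%x", reg64[(p[i + 1] & 7) + (rex_b ? 8 : 0)], imm);
        return i + 6;                           /* REX.W C7 /0 with mod=11 */
    }
    return 0;
}

/* A linear sweep from 0 gives the compiler's intended instruction boundaries;
 * a gadget that starts anywhere else is an unintended gadget. */
int is_intended_boundary(const uint8_t *buf, size_t len, size_t off)
{
    char ins[32];
    size_t pos = 0, n = 0;
    for (; pos < len && pos != off; pos += n)
        if ((n = decode_one(buf + pos, len - pos, ins, sizeof ins)) == 0) return 0;
    return pos == off;
}

/* Decode forward from `start`; succeed only if decoding lands exactly on the
 * ret at `ret_off`, with no earlier ret and no instruction that swallows the
 * 0xc3 byte as an operand (the mov immediate above does exactly that). */
static int decode_gadget(const uint8_t *buf, size_t start, size_t ret_off,
                         char *text, size_t textsz)
{
    char ins[32];
    size_t pos = start, used = 0, n;
    for (text[0] = '\0'; pos < ret_off; pos += n) {
        n = decode_one(buf + pos, ret_off + 1 - pos, ins, sizeof ins);
        if (n == 0 || pos + n > ret_off || strcmp(ins, "ret") == 0) return 0;
        used += (size_t)snprintf(text + used, textsz - used, "%s; ", ins);
        if (used >= textsz) return 0;
    }
    snprintf(text + used, textsz - used, "ret");
    return 1;
}

/* Catalogue unique gadgets the way a gadget finder does: every 0xc3 is a
 * candidate ret and every offset up to 8 bytes before it a candidate entry
 * point, whether or not the compiler meant an instruction to start there. */
size_t find_gadgets(const uint8_t *buf, size_t len, struct gadget *out, size_t max_out)
{
    size_t count = 0;
    for (size_t r = 0; r < len; r++) {
        if (buf[r] != 0xc3) continue;
        size_t lo = r > 8 ? r - 8 : 0, s = r + 1;
        while (s-- > lo) {
            char text[64];
            int dup = 0;
            if (!decode_gadget(buf, s, r, text, sizeof text)) continue;
            for (size_t k = 0; k < count; k++)  /* unique by text, as ROPGadget counts */
                dup |= strcmp(out[k].text, text) == 0;
            if (dup || count >= max_out) continue;
            out[count].off = s;
            snprintf(out[count].text, sizeof out[count].text, "%s", text);
            count++;
        }
    }
    return count;
}

int main(void)
{
    struct gadget g[16];
    size_t n = find_gadgets(code, sizeof code, g, 16);
    for (size_t k = 0; k < n; k++)
        printf("%2zu: %-24s %s\n", g[k].off, g[k].text,
               is_intended_boundary(code, sizeof code, g[k].off) ? "intended" : "UNINTENDED");
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. Of the four unique gadgets the scan finds, two start where the compiler never placed an instruction: the bare `ret` at offset 3, which is the 0xc3 byte of the `mov rax, 0xc3` immediate, and `pop rsp; pop rbp; ret` at offset 8, obtained by entering the REX-prefixed `pop r12` one byte late so that the 0x5c opcode decodes without its prefix. The first kind of gadget disappears only if the compiler never emits 0xc3 as an immediate or operand byte; the second survives as long as any unaligned entry shortly before a ret decodes cleanly, which is why counting unique gadgets with a scanner, as the paper does, is a better measure than counting the intended `ret` instructions.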

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 134