
On the Impact of Memory Corruption Vulnerabilities in Client Applications

Dissertation submitted for the degree of Doktor-Ingenieur at the Faculty of Electrical Engineering and Information Technology of Ruhr-Universität Bochum

Submitted by Robert Gawlik, from Tichau, 2016

Date of oral examination: 7 September 2016
Reviewer: Prof. Dr. Thorsten Holz, Ruhr-Universität Bochum
Second reviewer: Prof. Dr. Herbert Bos, Vrije Universiteit Amsterdam

Abstract

Client programs are omnipresent in our digital age. In particular, web browsers are used by an enormous number of users for various tasks, including information gathering, social media activities, and communication with each other. As the popularity of web browsers has grown, attackers have shifted their attention towards this kind of client-side software to compromise systems. Because of their huge code base and tremendous complexity, a vast number of exploitable vulnerabilities exist in these programs.

In this thesis, various impacts of memory corruption vulnerabilities in client-side software are investigated from an offensive and a defensive perspective. The exploitation of vulnerabilities in web browsers typically follows a sequence of steps carried out one after another. Usually, an adversary first needs to obtain information about the address space of the vulnerable program. This important step is called an information leak or memory disclosure. Once the attacker has gained enough knowledge about the address space of the program, she is able to hijack the control flow. This thesis considers information leaks and control-flow hijacking from the attackers' and the defenders' viewpoints.

We extend the technique of information leaks with a behavior of web browsers that was not known to that extent before (crash resistance). Here, the program is kept alive although it should terminate due to critical memory errors, such as an illegal read access.
This allows us to evaluate, from an adversarial perspective, defenses which promise to keep address space information of the program secret from attackers.

Information leaks are also approached from a defensive perspective. To detect this step of an exploit, we introduce a concept for script engines, i.e., JavaScript. Two processes of the same program are executed simultaneously and their execution flow is synchronized. As we enforce a different address space layout in each of them, a memory disclosure manifests itself differently in the two processes and can be unveiled.

This thesis also addresses control-flow hijacking. Code reuse is currently the most common method to perform arbitrary computations after gaining control of the execution. For an adversary it is important to assess the quantity of code she can reuse. Hence, we introduce a framework to help evaluate specific control-flow integrity (CFI) defenses. To this end, we attempt to analyze a given program in an architecture-independent way to maximize the amount of reusable code which conforms to CFI policies.

Attackers are able to hijack the control flow in browsers with vtable hijacking. This thesis approaches this widely used offensive technique from a defensive perspective. Virtual function tables (vtables) injected by attackers into the address space differ from real vtables. By using various heuristics and techniques, we are the first to show that a vtable-hijacking mitigation for binary-only code is possible.

Zusammenfassung (Summary)

In our digital age, client-side applications are omnipresent. In particular, web browsers are used by a great many users for numerous tasks, including information gathering, activity on social media, and communication between users.
As the popularity of web browsers has grown, attackers have also directed their attention towards these client applications in order to break into computer systems. Because of their large code base and enormous complexity, many exploitable memory errors exist in these programs.

In this dissertation, various impacts of memory errors in client applications are investigated from offensive and defensive points of view. The process of exploiting vulnerabilities (the exploit) can be divided into several consecutive steps. The attacker usually needs information about the address space of the vulnerable program. This important step is also called an information leak or memory disclosure. Once the attacker has gathered enough knowledge about the address space of the program, he is able to take over the program's control flow. This step is also referred to as control-flow hijacking. In this dissertation, information leaks and control-flow hijacking are considered from the perspective of attackers as well as defenders.

We combine the technique of information leaks with a behavior of browsers which was previously unknown to this extent (crash resistance). Here, the program is kept running although it should terminate due to critical memory errors, such as an illegal read access. This approach allows us to assess, from the attacker's perspective, defenses that promise to keep the address space secret from attackers. Information leaks are also considered from a defender's point of view. To detect this step of an attack, a concept for so-called scripting environments, such as JavaScript, is presented. In this concept, two processes of the same program are synchronized in their execution.
Since we enforce a different address space in each of them, an information leak manifests itself differently in the two processes and can be detected.

This dissertation also addresses the step of control-flow takeover. Code reuse is currently the most common method to perform arbitrary computations once the program flow is controlled. From an attacker's perspective it is important to know how much code is reusable. Therefore, a system is presented which is intended to help assess specific defensive measures, so-called control-flow integrity (CFI) solutions. It attempts, in an architecture-independent way, to maximize the amount of reusable code that conforms to CFI rules.

Attackers can take over the control flow in browsers via so-called vtable hijacking. This dissertation considers this widespread offensive technique from a defender's perspective. Special function tables (so-called vtables) that attackers place in the address space differ from real vtables. Using various heuristics and techniques, we are the first to show that a mitigation of vtable hijacking attacks for binary programs is possible.

Acknowledgements

It is a great pleasure to thank everybody who made this thesis possible. First of all I want to sincerely thank my advisor Prof. Dr. Thorsten Holz for giving me the opportunity of being part of the Systems Security group at the Ruhr University Bochum. He provided me with a pleasant and productive research environment and always supported me during the last four years. I had the chance to focus on research topics I was interested in and was able to collaborate with many friendly people sharing the same passion for security research. I am very happy to have worked together with many colleagues on many challenging and exciting projects.
I am thankful to Sebastian Vogl, Thomas Kittel and Jonas Pfoh for a fruitful, effective collaboration and the time we spent together at various places. I had productive discussions with Benjamin Kollenda, Philipp Koppe and Jannik Pewny about thrilling ideas and research topics. Many of them culminated in highly interesting projects or publications. During the time at the lab it was a pleasure to work with Behrad Garmany, with whom I was sharing an office for the last three years. We had many valuable conversations and a lot of fun, not only at our working place. I am also thankful to all people at the chair for the time we spent at the university or elsewhere. Since the day I started they gave me the feeling of belonging to the same glorious team. I was very fortunate to work with, publish with or get inspired by Carsten Willems, Ralf Hund, Felix Schuster, Tilman Frosch, Johannes Hoffmann, Thomas Hupperich, Sebastian Uellenbeck, Teemu Rytilahti, Patrick Wollgast, Moritz Contag, Andre Pawlowski, Johannes Dahse, Christian Röpke, Apostolis Zarras and Marc Kührer. I want to thank my parents and Corina Costea for their support during all the time. Without you I would not have been able to either start or finish this thesis.

Contents

1 Introduction ... 1
1.1 The Arms Race between Attacks and Defenses ... 3
1.2 Thesis Contributions ... 4
1.3 Thesis Organization ... 7
1.4 Publications ... 8
2 Enabling Crash-Resistance to Evaluate Memory Secrecy Protections ... 9
2.1 Introduction ... 9
2.1.1 Subverting Information Hiding ... 10
2.1.2 Novel Memory Probing Method ... 10
2.2 Technical Background ... 11
2.2.1 Adversary Model ... 11
2.2.2 Randomization Techniques ... 12
2.2.3 Security by Information Hiding ... 13
2.3 Unveiling Hidden Memory ... 15
2.3.1 Fault-Tolerant Functionality ... 15
2.3.2 Crash-Resistance ... 16
2.3.3 Memory Oracles ... 18
2.3.4 Web Workers as Probing Agents ... 20
2.3.5 Finding Unreachable Memory Regions ... 20
2.3.6 Subverting Hidden Code Layouts ... 24
2.4 Conquering (Re-)Randomization ... 25
2.4.1 Defeating
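The abstract states that vtables injected by an attacker differ from genuine ones and that heuristics can tell them apart in binary-only code. The following Python is an added illustration, not code from the thesis or its implementation: it models two assumed heuristics a vtable-hijacking check could apply before a virtual call (the vtable pointer must reference non-writable module memory, and each table entry must point into executable code) over a constructed memory map and constructed memory contents.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str  # "r-x", "r--" or "rw-"
    name: str

PTR_SIZE = 8
# Constructed memory map and contents of a hypothetical 64-bit process (not real).
MEMORY_MAP = [
    Region(0x00400000, 0x00480000, "r-x", "app.text"),
    Region(0x00480000, 0x004A0000, "r--", "app.rdata"),
    Region(0x004A0000, 0x004B0000, "rw-", "app.data"),
    Region(0x10000000, 0x10200000, "rw-", "heap"),
]
MEMORY = {  # address -> pointer-sized value stored there
    # genuine vtable in read-only data; every entry points into code
    0x00480100: 0x00401000, 0x00480108: 0x00401040, 0x00480110: 0x00401080,
    # forged vtable living in an attacker-controlled heap buffer
    0x10000020: 0x10000100, 0x10000028: 0x10000180,
    # table in read-only data whose first entry points at writable data
    0x00480200: 0x004A0010, 0x00480208: 0x00480100,
}

def region_of(addr):
    return next((r for r in MEMORY_MAP if r.start <= addr < r.end), None)

def check_vtable(vptr, min_entries=1, max_entries=64):
    """Sanity-check a vtable pointer read from an object before a virtual call.
    Returns (True, "ok") or (False, reason); heuristics are this example's own."""
    if vptr % PTR_SIZE:
        return False, "vptr misaligned"
    home = region_of(vptr)
    # Real vtables sit in non-writable module data; injected ones are in attacker-writable memory.
    if home is None or "w" in home.perms:
        return False, "vptr not in read-only module memory"
    count = 0
    for i in range(max_entries):
        entry = MEMORY.get(vptr + i * PTR_SIZE)
        if entry is None:  # end of the table in this simulated memory
            break
        target = region_of(entry)
        if target is None or "x" not in target.perms:
            return False, f"entry {i} does not point into executable code"
        count += 1
    if count < min_entries:
        return False, "no readable entries"
    return True, "ok"
```

A real mitigation would read the map and the table entries from the live process rather than from these constructed tables; the verdict logic stays the same.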