ThwarVng Memory Disclosure Apacks using ... - Adrian Tang
Recommend Documents
... memory to closed source COTS binaries, especially on Windows ... from code in (Windows) COTS binaries. 2) Protects .
DestrucVve Code Reads. DetecVng read operaVons into executable memory. RAM. Bytes intended as code. Bytes intended as da
Make executable memory indeterminate after it has been read. Problem. Executable memory can be read. Memory disclosure bugs. Dynamic code reuse ...
able to reproduce the reported fault on their internal test ..... gether with the vendor-stipulated OPPs (as shaded stars) ...... USTNONE_1.0-11282015.pdf.
conclude that f(x) = x for all x â R. Awesome. But instead I have f(y + 2) â f(y)=2. I want to substitute x = 2 to m
Mar 4, 2016 - to promote hippocampal neurogenesis during SCO treatment by increasing ... With the exception of the CON group, SCO was injected once.
without any privileges to steal sensitive data in memory [58]. Malicious unprivileged ... tion of HTM in commercial-off-the-shelf (COTS) platforms. Transactional ...
Oct 16, 2015 - Memory disclosure; Binary rewriting; Destructive code reads. 1. INTRODUCTION ... solution does not work w
Oct 16, 2015 - namely 1 the search for usable code reuse gadgets in either static code [22] or .... fine-grained ASLR is
EMBEDDING THE WATERMARK. The image is partitioned in blocks of 8 x 8 pixel size, sim- ilar to the block size considered by the JPEG compression algorithm.
Feb 5, 1999 - rier has a characteristic frequency which decreases expo- nentially with ..... of the L + 1 classes: those with no troughs, and those with a trough in the m-th ..... things by playing with the hands-on Java applets for these mod-.
Adrian Furnham. Adrian Furnham was educated at the London School of
Economics where he obtained a distinction in an MSc Econ., and at Oxford
University ...
At midday when children huddle over their studies. In the evening when families bow their heads. They leave the door to
At midday when children huddle over their studies. In the evening when families bow their heads. They leave the door to
Autovehiculefautoturisme, tractoare, maşini agricole, şalupe, iahturi şi alte
mijloace de transport care sunt supuse ... sau echivalente, inclusiv fonduri private
tie pensii sau alte sisteme cu acumulare. .... Venituri din premii şi din jocuri tie
The system is broken up into three parts; a visual barcode, MyPay Android ......
Figure 17 Credit Card Example (Source: http://www.credit-‐cards.co.za/credit-‐.
Pointers are used to keep track of dynamic memory. Memory Allocation: malloc().
○ Additional memory to create dynamic data ... The anatomy of a malloc() call.
memory conflict buffer and repair code provided by the compiler. With this ..... instructions not determined to have a definite depen- dency. Associated with each ...
Mar 10, 2017 - Marin County has received complaints regarding the increasing number of commercial and oversized vehicles
Adrian High School Music Booster Band Camp Scholarship Application ... participation in AHS Music Booster Fundraisers an
Jan 1, 2013 - key words: memory disclosure attack, virtual machine, memory dedupli- cation. 1. ..... The other. VMs detect the secret marker using the memory disclosure attack. ... Papers [4],[5] mention that data life time in memory is.
Page | 1. Victor Adrian Prisacariu. E-mail: [email protected]. Website: www.
robots.ox.ac.uk/~victor. CURRENT POSITION: •. Post-Doctoral Research ...
ELLEN TATTELMAN, M. D. Health effects of garlic. Am. Fam. Physician, 2005 ..... 8 (18), 2951-2963. [90]. Wang, H. C.; Pao, J.; Lin, S. Y.; Sheen, L. Y. Molecular.
Il Barbiere di Siviglia. Rossini. Shreveport Opera. 2012. Fiorello/Officer. Il
Barbiere ... Sweeney Todd. Sondheim. Aspen Music Festival. 2011. Sid. Albert
Herring.
ThwarVng Memory Disclosure Apacks using ... - Adrian Tang
Solu on: Virtualize the host and use Intel EPT to mark execute-âonly. Guest. Virtual (V) Addr. Code. Guest. Physical (
HEISENBYTE:
Thwar/ng Memory Disclosure A>acks using Destruc/ve Code Reads Adrian Tang
Simha Sethumadhavan Salvatore Stolfo
CCS 2015 -‐ Oct 12-‐16, Denver, US
Key Idea: Destruc/ve Code Reads Problem
Executable memory can be read Memory disclosure bugs Dynamic code reuse a>acks
Our Solu,on Make executable memory indeterminate aRer it has been read 1/21
Our Inspira/on Observer Effect:
“The act of observing a system inevitably changes the state of the system.”
HEISENBYTE’s destruc/ve code reads: “Reading executable memory changes the executable state of the read memory.”
Werner Heisenberg, in 1933 (German theore6cal physicist)
Image credits: Wikipedia
2/21
Execu/ng memory aRer reading it yields unpredictable behavior
HEISENBYTE in a Slide Dynamic Code Reuse A8ack
Prior Defenses
Our Work
Memory disclosure
Memory disclosure
Memory disclosure
+
Scan memory at run/me for gadgets
+
+
XnR (CCS’14) Scan memory at HideM (CODASPY’15) run/me for gadgets Readactor (Oakland’15)
+
+
Scan memory at run/me for gadgets
+
Chain gadgets to generate shellcode
Chain gadgets to generate shellcode
Chain gadgets to generate shellcode
Redirect control flow
Redirect control flow
Redirect control HEISENBYTE flow (This talk)
+
+
Tolerates discovery of code reuse gadgets, but prevents them from being used as intended
3/21
Extends the benefits of execute-‐only memory to closed source COTS binaries, especially on Windows
+
Why defend at Step ? Extends the benefits of execute-‐only memory to closed source COTS binaries, especially on Windows 1) Addresses the problem of incomplete separa/on of data from code in (Windows) COTS binaries 2) Protects transparently legacy programs that mix data and code in executable JIT dynamic code
4/21
Outline • Destruc/ve Code Reads • System Implementa/on • Evalua/on • Future Work
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
Bytes intended as data
Bytes intended as code
5/21
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
Mark this memory page as execute-‐only
5/21
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
5/21
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
Outline • Destruc/ve Code Reads • System Implementa/on • Evalua/on • Future Work
System Implementa/on Offline Sta/c Binary Rewri/ng
Ini/aliza/on of Executable Memory
Ac/ve Monitoring Mode
6/21
System Implementa/on Offline Sta/c Binary Rewri/ng
Configure Execute-‐only Memory
Ac/ve Monitoring Mode
6/21
Key Requirements for Destruc/ve Code Reads “When” to mediate? Detect read opera/ons into executable memory “How” to mediate? Maintain separate code/data views for same (virtual) memory address Hardware-‐Assisted Nested Paging is a key enabler 7/21
Hardware-‐Assisted Nested Paging Hardware feature to improve virtualiza/on performance: Translate guest to host addresses in hardware Different implementa/ons: Intel EPT* AMD RVI Virtual (V) Addr
When to Mediate (1) Efficient detec/on of reads into executable memory Problem: OS na/ve paging cannot mark memory as execute-‐only
Physical (P) Addr
Virtual (V) Addr R_X
Code
HOST
9/21
Code
Page Tables V P
When to Mediate (1) Efficient detec/on of reads into executable memory Problem: OS na/ve paging cannot mark memory as execute-‐only Solu,on: Virtualize the host and use Intel EPT to mark execute-‐only
Guest Physical (P) Addr Addr Physical (P)
Guest Virtual (V) Addr Addr Virtual (V) R_X
Code
GUEST HOST
9/21
Host Machine (M) Addr __X
Code
Guest Page Page Tables V P
Code
Host EPT P M
HOST
Reads into this page will trap into hypervisor
How to Mediate (2) Efficient maintenance of separate code/data views Goal: Induce different program behavior at the same virtual address depending on read or execute opera/on Solu,on: Manipulate EPT to redirect memory transla/on at run/me Guest Physical (P) Addr
Guest Virtual (V) Addr R_X
Code
Host Machine (M) Addr __X
Code
Code RW_
GUEST
10/21
Guest Page Tables V P
Host EPT Host EPT P M1 P M M2
M1
“Copy” Data M2
HOST
Change transla/on at run/me
Architecture (Para-‐virtualized) Offline
Live Target System
Rewritten binary Relocated data .reloc
Loaded application Guest page tables
EPT
Guest mode component
Guest Kernel
Host mode component
Host
Heisenbyte
11/21
Guest User
Configure execute-‐only mem When and how to mediate Destroy code when read
Architecture (Para-‐virtualized) Offline
Live Target System
Rewritten binary Relocated data .reloc
Loaded application Guest page tables
EPT
Guest mode component
Guest Kernel
Host mode component
Host
Heisenbyte
11/21
Guest User
Iden/fy executable mem Induce COW
Tracking Run/me Executable Memory How to iden/fy executable memory we want to protect?
(1) Sta/c program binaries • Windows OS-‐provided run/me callbacks for • New/exi/ng processes • Loaded libraries (2) Dynamic JIT code • Inline hooking of Windows memory management APIs • Perform hypercalls to hypervisor when • Exec buffer à Non-‐exec • Non-‐exec buffer à Exec • Exec buffer à Freed
[More in paper …] Op6miza6ons and Windows-‐specific implementa6on details 12/21
Tracking Run/me Executable Memory Challenges
Challenge 1: Shared physical memory pages across processes
Solu,on: Induce Copy-‐On-‐Write (COW) on pages with 1-‐byte iden/ty write opera/on to each page Challenge 2: Demand paging – pages could be paged out
Solu,on: Make pages resident in physical memory using MmProbeAndLockPages() kernel API
13/21
Some Caveats to HEISENBYTE • Cannot handle code that reads/writes to itself • Eg. Self-‐modifying code
• Cannot mi/gate a>acks that reveal contents of memory without directly reading executable memory • Eg. Fault-‐based side-‐channel a>acks (Blind-‐ROP)
40 0. pe rlb en ch 40 1. bz ip 2 40 3. gc c 42 9. m cf 44 5. go bm k 45 6. hm m er 45 8. sj en g 46 4. h2 64 re 47 f 1. om ne tp p 47 3. as 48 ta 3. r xa la nc bm k
0
“Destruc/ve code reads” overhead depends on how imperfect the separa/on of data from code in executable sec/ons 15/21
40 0. pe rlb en ch 40 1. bz ip 2 40 3. gc c 42 9. m cf 44 5. go bm k 45 6. hm m er 45 8. sj en g 46 4. h2 64 re 47 f 1. om ne tp p 47 3. as 48 ta 3. r xa la nc bm k
40 Peak RSS Memory Overhead (%) 0. pe rlb en ch 40 1. bz ip 2 40 3. gc c 42 9. m cf 44 5. go bm k 45 6. hm m er 45 8. sj en g 46 4. h2 64 re 47 f 1. om ne tp p 47 3. as 48 ta 3. r xa la nc bm k
10
8 6 4 2 0
Peak RSS memory avg overhead: ~0.8%
17/21
Evalua/on -‐ Security HEISENBYTE corrupts code with debug trap code 0xCC CraRed dynamic code reuse exploits and monitor for invoked debug trap
(1) Dynamic code
• Self-‐injected bug in toy program that mimics the crea/on of a JIT code buffer
(2) Sta/c code
• CVE-‐2013-‐2551: Internet Explorer Bug
Exploits on both sta/c programs and dynamic JIT code triggered debug traps 18/21
Evalua/on – Demo on Win8 / IE10
19/21
Outline • Destruc/ve Code Reads • System Implementa/on • Evalua/on • Future Work
Future Work • Improve code/data separa/on task in disassembly for Windows COTS binaries • Record read opera/ons into executable memory to guide disassembly and binary rewri/ng
• Lower overhead of destruc/ve code reads
• Use new virtualiza/on-‐based hardware features in Haswell+ processors (Eg. New #VE excep/on)
• Explore value of destruc/ve data reads
20/21
Conclusions Key Idea: Make exec. mem. indeterminate aRer it has been read • New security concept: “Destruc/ve code reads” • One applica/on: Mi/gate memory disclosure a>acks • Heisenbyte is a prac/cal solu/on • Works with imperfect disassembly on COTS binaries • No instrumenta/on on the binaries • JIT code works too
