ThwarVng Memory Disclosure Apacks using DestrucVve Code Reads
Recommend Documents
Make executable memory indeterminate after it has been read. Problem. Executable memory can be read. Memory disclosure bugs. Dynamic code reuse ...
... memory to closed source COTS binaries, especially on Windows ... from code in (Windows) COTS binaries. 2) Protects .
Solu on: Virtualize the host and use Intel EPT to mark execute-âonly. Guest. Virtual (V) Addr. Code. Guest. Physical (
a developer to navigate source code by forming a spa- ... To navigate using the CT Scrollbar, a developer can ..... In Proc. of Interact '99, IOS press, pp. 163-.
without any privileges to steal sensitive data in memory [58]. Malicious unprivileged ... tion of HTM in commercial-off-the-shelf (COTS) platforms. Transactional ...
Oct 16, 2015 - Memory disclosure; Binary rewriting; Destructive code reads. 1. INTRODUCTION ... solution does not work w
Oct 16, 2015 - namely 1 the search for usable code reuse gadgets in either static code [22] or .... fine-grained ASLR is
Dec 9, 2014 - imposition, contribution or charge payable to a government ...... A digital signature would assist the cou
Dec 9, 2014 - Records to be kept by a Communications Service Provider . .... such as web-based email, messaging applicat
Boost.ASIO. – Clean, lightweight, portable abstraction of sockets and other
features. – Not a lot of higher-level protocol support. – Has support for both ...
Pointers are used to keep track of dynamic memory. Memory Allocation: malloc().
○ Additional memory to create dynamic data ... The anatomy of a malloc() call.
memory conflict buffer and repair code provided by the compiler. With this ..... instructions not determined to have a definite depen- dency. Associated with each ...
Will you be looking for Memory Stick Recovery Professional discount codes? * ... USB flash drive photo restore: DDR Prof
Changes in the correlated activity in the population code can increase neural ... for the first time, that the memory for ... are taken together, the ensemble code.
solution for your lost data recovery from memory card. ... Data Recovery Software helps you to restore all Deleted files
on classical digital signal processing applications, show that our ... Keywords â Memory mapping, Energy Consumption, C code, Integer linear program, Signal ... the algorithm to reduce the storage requirements, and re-computation issues to ... assu
system and is renamed, producing a sequential program that is single-valued. ...... The number of names reclaimed depends largely on the useful parallelism ... imentation range from small (25 lines) to medium large. (about 400 lines). They.
Jan 1, 2013 - key words: memory disclosure attack, virtual machine, memory dedupli- cation. 1. ..... The other. VMs detect the secret marker using the memory disclosure attack. ... Papers [4],[5] mention that data life time in memory is.
recovered from the volatile memory of Android devices using two different methods. More specifically, in the first method [12] the authors used the Linux Memory ...
New system to keep you and your data safe. ⢠Easy to use communication with your mobile phone. ⢠Your mobile phone n
voluntarily disclosed unknown personal stories to fellow teammates. Social identity ... encourages changes in team outcomes observed within the current study. Keywords: PDMS ... took place before a critical cup match, which allowed the.
compact flash cards only. Formatting CompactFlash. • Only Class C file systems
are supported on Cisco Compact Flash (CF). • We recommend that you format ...
This camera does not support operation with a computer running .... See âInstalling the Software from the CD-ROMâ on
the camera and then release it. This will cause ...... This software provides an extended tool set including a ... You n
ThwarVng Memory Disclosure Apacks using DestrucVve Code Reads
DestrucVve Code Reads. DetecVng read operaVons into executable memory. RAM. Bytes intended as code. Bytes intended as da
HEISENBYTE:
Thwar/ng Memory Disclosure A>acks using Destruc/ve Code Reads Adrian Tang
Simha Sethumadhavan Salvatore Stolfo
CCS 2015 -‐ Oct 12-‐16, Denver, US
Key Idea: Destruc/ve Code Reads Problem
Executable memory can be read Memory disclosure bugs Dynamic code reuse a>acks
Our Solu,on Make executable memory indeterminate aRer it has been read 1/21
Our Inspira/on Observer Effect:
“The act of observing a system inevitably changes the state of the system.”
HEISENBYTE’s destruc/ve code reads: “Reading executable memory changes the executable state of the read memory.”
Werner Heisenberg, in 1933 (German theore6cal physicist)
Image credits: Wikipedia
2/21
Execu/ng memory aRer reading it yields unpredictable behavior
HEISENBYTE in a Slide Dynamic Code Reuse A8ack
Prior Defenses
Our Work
Memory disclosure
Memory disclosure
Memory disclosure
+
Scan memory at run/me for gadgets
+
+
XnR (CCS’14) Scan memory at HideM (CODASPY’15) run/me for gadgets Readactor (Oakland’15)
+
+
Scan memory at run/me for gadgets
+
Chain gadgets to generate shellcode
Chain gadgets to generate shellcode
Chain gadgets to generate shellcode
Redirect control flow
Redirect control flow
Redirect control HEISENBYTE flow (This talk)
+
+
Tolerates discovery of code reuse gadgets, but prevents them from being used as intended
3/21
Extends the benefits of execute-‐only memory to closed source COTS binaries, especially on Windows
+
Why defend at Step ? Extends the benefits of execute-‐only memory to closed source COTS binaries, especially on Windows 1) Addresses the problem of incomplete separa/on of data from code in (Windows) COTS binaries 2) Protects transparently legacy programs that mix data and code in executable JIT dynamic code
4/21
Outline • Destruc/ve Code Reads • System Implementa/on • Evalua/on • Future Work
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
Bytes intended as data
Bytes intended as code
5/21
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
Mark this memory page as execute-‐only
5/21
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
5/21
Destruc/ve Code Reads Detec/ng read opera/ons into executable memory RAM
Outline • Destruc/ve Code Reads • System Implementa/on • Evalua/on • Future Work
System Implementa/on Offline Sta/c Binary Rewri/ng
Ini/aliza/on of Executable Memory
Ac/ve Monitoring Mode
6/21
System Implementa/on Offline Sta/c Binary Rewri/ng
Configure Execute-‐only Memory
Ac/ve Monitoring Mode
6/21
Key Requirements for Destruc/ve Code Reads “When” to mediate? Detect read opera/ons into executable memory “How” to mediate? Maintain separate code/data views for same (virtual) memory address Hardware-‐Assisted Nested Paging is a key enabler 7/21
Hardware-‐Assisted Nested Paging Hardware feature to improve virtualiza/on performance: Translate guest to host addresses in hardware Different implementa/ons: Intel EPT* AMD RVI Virtual (V) Addr
When to Mediate (1) Efficient detec/on of reads into executable memory Problem: OS na/ve paging cannot mark memory as execute-‐only
Physical (P) Addr
Virtual (V) Addr R_X
Code
HOST
9/21
Code
Page Tables V P
When to Mediate (1) Efficient detec/on of reads into executable memory Problem: OS na/ve paging cannot mark memory as execute-‐only Solu,on: Virtualize the host and use Intel EPT to mark execute-‐only
Guest Physical (P) Addr Addr Physical (P)
Guest Virtual (V) Addr Addr Virtual (V) R_X
Code
GUEST HOST
9/21
Host Machine (M) Addr __X
Code
Guest Page Page Tables V P
Code
Host EPT P M
HOST
Reads into this page will trap into hypervisor
How to Mediate (2) Efficient maintenance of separate code/data views Goal: Induce different program behavior at the same virtual address depending on read or execute opera/on Solu,on: Manipulate EPT to redirect memory transla/on at run/me Guest Physical (P) Addr
Guest Virtual (V) Addr R_X
Code
Host Machine (M) Addr __X
Code
Code RW_
GUEST
10/21
Guest Page Tables V P
Host EPT Host EPT P M1 P M M2
M1
“Copy” Data M2
HOST
Change transla/on at run/me
Architecture (Para-‐virtualized) Offline
Live Target System
Rewritten binary Relocated data .reloc
Loaded application Guest page tables
EPT
Guest mode component
Guest Kernel
Host mode component
Host
Heisenbyte
11/21
Guest User
Configure execute-‐only mem When and how to mediate Destroy code when read
Architecture (Para-‐virtualized) Offline
Live Target System
Rewritten binary Relocated data .reloc
Loaded application Guest page tables
EPT
Guest mode component
Guest Kernel
Host mode component
Host
Heisenbyte
11/21
Guest User
Iden/fy executable mem Induce COW
Tracking Run/me Executable Memory How to iden/fy executable memory we want to protect?
(1) Sta/c program binaries • Windows OS-‐provided run/me callbacks for • New/exi/ng processes • Loaded libraries (2) Dynamic JIT code • Inline hooking of Windows memory management APIs • Perform hypercalls to hypervisor when • Exec buffer à Non-‐exec • Non-‐exec buffer à Exec • Exec buffer à Freed
[More in paper …] Op6miza6ons and Windows-‐specific implementa6on details 12/21
Tracking Run/me Executable Memory Challenges
Challenge 1: Shared physical memory pages across processes
Solu,on: Induce Copy-‐On-‐Write (COW) on pages with 1-‐byte iden/ty write opera/on to each page Challenge 2: Demand paging – pages could be paged out
Solu,on: Make pages resident in physical memory using MmProbeAndLockPages() kernel API
13/21
Some Caveats to HEISENBYTE • Cannot handle code that reads/writes to itself • Eg. Self-‐modifying code
• Cannot mi/gate a>acks that reveal contents of memory without directly reading executable memory • Eg. Fault-‐based side-‐channel a>acks (Blind-‐ROP)
40 0. pe rlb en ch 40 1. bz ip 2 40 3. gc c 42 9. m cf 44 5. go bm k 45 6. hm m er 45 8. sj en g 46 4. h2 64 re 47 f 1. om ne tp p 47 3. as 48 ta 3. r xa la nc bm k
0
“Destruc/ve code reads” overhead depends on how imperfect the separa/on of data from code in executable sec/ons 15/21
40 0. pe rlb en ch 40 1. bz ip 2 40 3. gc c 42 9. m cf 44 5. go bm k 45 6. hm m er 45 8. sj en g 46 4. h2 64 re 47 f 1. om ne tp p 47 3. as 48 ta 3. r xa la nc bm k
40 Peak RSS Memory Overhead (%) 0. pe rlb en ch 40 1. bz ip 2 40 3. gc c 42 9. m cf 44 5. go bm k 45 6. hm m er 45 8. sj en g 46 4. h2 64 re 47 f 1. om ne tp p 47 3. as 48 ta 3. r xa la nc bm k
10
8 6 4 2 0
Peak RSS memory avg overhead: ~0.8%
17/21
Evalua/on -‐ Security HEISENBYTE corrupts code with debug trap code 0xCC CraRed dynamic code reuse exploits and monitor for invoked debug trap
(1) Dynamic code
• Self-‐injected bug in toy program that mimics the crea/on of a JIT code buffer
(2) Sta/c code
• CVE-‐2013-‐2551: Internet Explorer Bug
Exploits on both sta/c programs and dynamic JIT code triggered debug traps 18/21
Evalua/on – Demo on Win8 / IE10
19/21
Outline • Destruc/ve Code Reads • System Implementa/on • Evalua/on • Future Work
Future Work • Improve code/data separa/on task in disassembly for Windows COTS binaries • Record read opera/ons into executable memory to guide disassembly and binary rewri/ng
• Lower overhead of destruc/ve code reads
• Use new virtualiza/on-‐based hardware features in Haswell+ processors (Eg. New #VE excep/on)
• Explore value of destruc/ve data reads
20/21
Conclusions Key Idea: Make exec. mem. indeterminate aRer it has been read • New security concept: “Destruc/ve code reads” • One applica/on: Mi/gate memory disclosure a>acks • Heisenbyte is a prac/cal solu/on • Works with imperfect disassembly on COTS binaries • No instrumenta/on on the binaries • JIT code works too
