27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Mathias Payer
Day 2 - 2010-12-28
Room Saal 3
Start time 14:00
Duration 01:00
ID 4149
Event type Lecture
Track Hacking
Language used for presentation English

I Control Your Code

Attack Vectors Through the Eyes of Software-based Fault Isolation

Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and to prevent the execution of malicious code. An additional advantage of such virtualization systems is that they can be used to analyze exploits step by step and to extract the exploit code from a running program.

This talk explains different attack vectors (stack buffer overflows, format string attacks, return-to-libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each attack vector we show possible exploits and explain how the virtualization system detects and prevents them.

User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation acts as an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in the runtime layout and stops the program whenever exploit code is about to be executed.

This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vector.

Observable Attack Vectors

  • Stack Overflow A fixed-size buffer on the stack is overflowed with user data, overwriting adjacent stack data (e.g., the saved return instruction pointer).
  • Format String Attack If unvalidated user input is passed directly to printf as the format string, an attacker can read the stack and, via the %n conversion, write to an arbitrary address (e.g., the return instruction pointer or the stored address of a library function).
  • Return to libc Attack This attack prepares one or more stack frames that chain existing code sequences in libraries (e.g., a call to system()). The frames can be constructed so that (almost) arbitrary behavior results without injecting any code, which defeats a non-executable stack.
  • Race Attacks / TOCTTOU Time-of-check-to-time-of-use race conditions exploit the window between the check of a value (e.g., a system call argument in user memory or on the stack) and its use by the program or kernel: a concurrent thread changes the value in between, so the check passes but a different value is used.
  • Integer Overflow Overflows can be triggered by supplying a negative signed value where an unsigned value is expected (it converts to a huge unsigned number) or by arithmetic that wraps around, so that a length check passes or an allocation is too small for the data written into it.
  • Heap Overflow A heap buffer overflow overwrites function pointers or the memory allocator's metadata to trigger execution of arbitrary code.
  • Code Anomalies x86_64 CPUs are backward compatible with ia32, and modern operating systems let a process run x86_64 and ia32 code side by side. The two modes use different system call entry points and different system call number tables, so a sandbox that is not aware of all possible combinations can be bypassed by issuing a system call through the path it does not expect.
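The integer overflow and heap overflow items above, as an added example that is not part of the talk or of fastBT: a vulnerable length check and a vulnerable allocation-size computation, each beside a hardened version. The protocol limit, the function names and the attacker inputs are constructed for this example; nothing here performs the overflowing copy, the functions only return the value that memcpy() or malloc() would receive.

```c
/*
 * Added example (not from the talk or fastBT): integer overflow feeding a
 * stack or heap buffer overflow, vulnerable check beside the hardened one.
 * All inputs are constructed; the functions return the size the copy or
 * the allocation would be performed with instead of performing it.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PAYLOAD 256   /* hypothetical protocol limit */

/* Vulnerable: 'len' arrives from the network as a signed int. The bound
 * check only catches large positive values; a negative len slips through
 * and becomes a huge size_t when handed to memcpy(), smashing the buffer. */
bool payload_len_vuln(int len, size_t *copy_len)
{
    if (len > MAX_PAYLOAD)
        return false;
    *copy_len = (size_t)len;   /* len == -1 becomes SIZE_MAX here */
    return true;
}

/* Fixed: reject negative values before the conversion to size_t. */
bool payload_len_fixed(int len, size_t *copy_len)
{
    if (len < 0 || len > MAX_PAYLOAD)
        return false;
    *copy_len = (size_t)len;
    return true;
}

/* Vulnerable: allocation size computed in 32-bit arithmetic. For a large
 * count the product wraps, malloc() returns a tiny chunk, and the loop that
 * fills 'count' elements overflows the chunk into allocator metadata. */
uint32_t alloc_size_vuln(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Fixed: detect the wrap before allocating (portable form of the check). */
bool alloc_size_fixed(uint32_t count, uint32_t elem_size, uint32_t *total)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *total = count * elem_size;
    return true;
}

int main(void)
{
    size_t n;
    uint32_t total;

    /* Constructed attacker inputs. */
    int attacker_len = -1;
    uint32_t attacker_count = 0x40000001u;   /* times 4 wraps to 4 */

    if (payload_len_vuln(attacker_len, &n))
        printf("vuln:  memcpy would copy %zu bytes\n", n);
    if (!payload_len_fixed(attacker_len, &n))
        printf("fixed: rejected len %d\n", attacker_len);

    printf("vuln:  malloc(%u) for %u elements of 4 bytes\n",
           alloc_size_vuln(attacker_count, 4), attacker_count);
    if (!alloc_size_fixed(attacker_count, 4, &total))
        printf("fixed: rejected count %u\n", attacker_count);
    return 0;
}
```

Both bugs share the pattern the talk lists: the check is performed on a value with one width or signedness and the copy or allocation uses another. The dynamic instrumentation described in the abstract does not see the wrong arithmetic itself; it catches the consequence, the branch to overwritten control data, when the corrupted return address or function pointer is about to be used.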

In general, the exploits are detected whenever the program branches to the injected code or to the constructed code fragments: the translator sees every control transfer before it is executed. The program is then interrupted and a debugger can be attached to analyze its state. TOCTTOU attacks can be detected by observing the threads of the program and by routing all system calls through the translator's own system call handling.
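The code anomaly item in the attack vector list and the system call handling mentioned above, as an added example that is not part of the talk or of fastBT: a toy system call filter that decides only on the system call number beside one that also looks at how the kernel was entered. On x86_64 Linux a process can enter the kernel through the 64-bit path (the syscall instruction) or the legacy 32-bit path (int 0x80), and the two paths use different system call number tables. The allow lists, the event structure and the trace are constructed for this example; the four system call numbers are the real ones from the two tables.

```c
/*
 * Added example (not from the talk or fastBT): the "code anomaly" from the
 * attack vector list as a toy system call filter. The same number means
 * different things on the two kernel entry paths of x86_64 Linux. The allow
 * lists and the trace are constructed; the four numbers are real.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum entry_path { PATH_X86_64, PATH_I386 };

/* Real numbers from the two Linux system call tables. */
#define NR_X86_64_munmap 11
#define NR_X86_64_execve 59
#define NR_I386_execve   11
#define NR_I386_munmap   91

struct syscall_event {
    enum entry_path path;  /* how the kernel was entered */
    int nr;                /* number in the register (rax or eax) */
};

/* Naive sandbox: the policy was written with the x86_64 table in mind and
 * looks only at the number. Intended to allow read, write, mmap, munmap. */
bool allow_naive(const struct syscall_event *ev)
{
    static const int allowed[] = { 0, 1, 9, NR_X86_64_munmap };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (ev->nr == allowed[i])
            return true;
    return false;
}

/* Aware sandbox: the decision is keyed by entry path and number. */
bool allow_aware(const struct syscall_event *ev)
{
    switch (ev->path) {
    case PATH_X86_64:
        return ev->nr == 0 || ev->nr == 1 || ev->nr == 9 ||
               ev->nr == NR_X86_64_munmap;
    case PATH_I386:
        /* read, write, old mmap, munmap in the ia32 table */
        return ev->nr == 3 || ev->nr == 4 || ev->nr == 90 ||
               ev->nr == NR_I386_munmap;
    }
    return false;
}

/* Counts events the naive filter lets through although they are execve on
 * the path actually taken, i.e. sandbox escapes. */
int count_escapes(const struct syscall_event *events, size_t n)
{
    int escapes = 0;
    for (size_t i = 0; i < n; i++) {
        bool is_execve =
            (events[i].path == PATH_X86_64 && events[i].nr == NR_X86_64_execve) ||
            (events[i].path == PATH_I386   && events[i].nr == NR_I386_execve);
        if (is_execve && allow_naive(&events[i]))
            escapes++;
    }
    return escapes;
}

int main(void)
{
    /* Constructed trace: a 64-bit process writes and unmaps, then injected
     * code issues int 0x80 with eax = 11, which the kernel runs as ia32 execve. */
    const struct syscall_event trace[] = {
        { PATH_X86_64, 1 },
        { PATH_X86_64, NR_X86_64_munmap },
        { PATH_I386,   NR_I386_execve },
    };
    size_t n = sizeof trace / sizeof trace[0];

    for (size_t i = 0; i < n; i++)
        printf("path=%s nr=%d naive=%s aware=%s\n",
               trace[i].path == PATH_X86_64 ? "x86_64" : "i386", trace[i].nr,
               allow_naive(&trace[i]) ? "allow" : "deny",
               allow_aware(&trace[i]) ? "allow" : "deny");
    printf("escapes past the naive filter: %d\n", count_escapes(trace, n));
    return 0;
}
```

The point is not the particular numbers but that a policy must be keyed by every way the guarded interface can be reached. A user-space translator that intercepts system calls has to recognize both entry instructions for the same reason; filtering only the 64-bit path leaves the 32-bit one as an unguarded door.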

Conclusion Dynamic instrumentation is an important tool to prevent, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits.

Related Work A detailed discussion of related work is in the paper. The references listed here are for informational purposes only (to show what inspired this talk) and are not complete.

  • fastBT: A fast binary translator that enables different security extensions. http://nebelwelt.net/fastBT
  • 26c3 talk: Hacking the Hackers (user space virtualization and encapsulation mixed with system call authorization to prevent exploits)
  • Watson, R. N. "Exploiting Concurrency Vulnerabilities in System Call Wrappers"
  • Levy, Elias. "Smashing the stack for fun and profit"
  • c0ntex. "Bypassing non-executable-stack during exploitation using return-to-libc"
  • Shacham, Hovav; Page, Matthew; Pfaff, Ben; Goh, Eu-Jin; Modadugu, Nagendra; and Boneh, Dan. "On the Effectiveness of Address-Space Randomization"
  • Borisov, Nikita; Johnson, Rob; Sastry, Naveen; and Wagner, David; 2005; "Fixing Races for Fun and Profit: How to abuse atime"
  • blexim. "Basic Integer Overflows", Phrack #60
  • Seccomp vulnerabilities due to x86_64 and ia32 compatibility issues: http://scarybeastsecurity.blogspot.com/2009/02/linux-kernel-minor-seccomp.html