30 research outputs found

    Shining Light On Shadow Stacks

    Full text link
    Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge,i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and the deployability of Shadesmar. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios.Comment: To Appear in IEEE Security and Privacy 201

    Binary Exploitation in Industrial Control Systems: Past, Present and Future

    Get PDF
    Despite being a decades-old problem, binary exploitation still remains a serious issue in computer security. It is mainly due to the prevalence of memory corruption errors in programs written with notoriously unsafe but yet indispensable programming languages like C and C++. For the past 30 years, the nip-and-tuck battle in memory between attackers and defenders has been getting more technical, versatile, and automated. With raised bar for exploitation in common information technology (IT) systems owing to hardened mitigation techniques, and with unintentionally opened doors into industrial control systems (ICS) due to the proliferation of industrial internet of things (IIoT), we argue that we will see an increased number of cyber attacks leveraging binary exploitation on ICS in the near future. However, while this topic generates a very rich and abundant body of research in common IT systems, there is a lack of systematic study targeting this topic in ICS. The present work aims at filling this gap and serves as a comprehensive walkthrough of binary exploitation in ICS. Apart from providing an analysis of the past cyber attacks leveraging binary exploitation on ICS and the ongoing attack surface transition, we give a review of the attack techniques and mitigation techniques on both general-purpose computers and embedded devices. At the end, we conclude this work by stressing the importance of network-based intrusion detection, considering the dominance of resource-constrained real-time embedded devices, low-end embedded devices in ICS, and the limited ability to deploy arbitrary defense mechanism directly on these devices

    Defeating Code-Reuse Attacks with Binary Instrumentation

    Get PDF
    La programmation orientée retour (ROP) est une technique par laquelle un attaquant peut introduire un comportement arbitraire dans un programme vulnérable. ROP est actuellement l’un des moyens les plus efficaces pour contourner les dispositifs de protection modernes. Ce type d’attaque a connu un essor phénoménal au cours des cinq dernières années. Les techniques utilisées pour se protéger contre ce type d’exploit génèrent un taux de faux négatif élevé car elles sont facilement contournables. De plus, elles ont tendance à ajouter une surcharge importante sur le programme qu’elles protègent. Dans la première partie de ce travail, nous avons étudié ces solutions proposées ou utilisées pour détecter ou atténuer les attaques ROP. Dans la deuxième partie, nous présentons une nouvelle approche pour détecter les attaques ROP lors de l’exécution. Cette partie vise à présenter nos Indicateurs de Compromis (IOC) qui pourraient être utilisés pour améliorer le taux de détection des attaques RDP. Nous avons également proposé une technique de mesure permettant de mesurer ces indicateurs lors de l’exécution en utilisant des techniques d’instrumentation dynamique de binaires (Dynamic Binary Instrumentation). Nos indicateurs proposés essaient d’identifier une attaque au moment de l’exécution en vérifiant la présence de certaines caractéristiques. Cette approche permet de détecter les attaques ROP sans compter sur toute autre information complémentaire comme le code source ou le support du compilateur. La dernière partie de ce travail couvre le sujet de la phase expérimentale, plus précisément, le prototype réalisé dans le but de prouver l’efficacité de nos indicateurs proposés ainsi que la technique de mesure proposée. Les résultats de cette phase expérimentale montrent que seuls les deux premiers indicateurs sont capables de détecter les attaques ROP. ----------ABSTRACT: Return Oriented Programming (ROP) is a technique by which an attacker can induce arbitrary behavior inside a vulnerable program without injecting a malicious code. It is presently one of the most effective ways to bypass modern protection mechanisms such as Data Execution Prevention (DEP) which prevents attackers from executing the malicious code already injected into the memory. ROP is also considered as one of the most flexible attacks, its level of flexibility, unlike other attacks, reaches the Turing completeness. The tremendous success of ROP attacks made the headlines in the cybersecurity space, they became one of the top security concerns and one of the most powerful cross-platform weapons. Several efforts have been undertaken to study this threat and to propose better defence mechanisms (mitigation or prevention), yet the majority of them are not deeply reviewed nor officially implemented. Furthermore, similar studies show that the techniques proposed to prevent ROP-based exploits usually yield a high false-negative rate and a higher false-positive rate, not to mention the overhead that they introduce into the protected program. The first part of this research work aims at providing an in-depth analysis of the currently available anti-ROP solutions (deployed and proposed), focusing on inspecting their defense logic and summarizing their weaknesses and problems. The second part of this work aims at introducing our proposed Indicators Of Compromise (IOC) that could be used to improve the detection rate of ROP attacks. The three suggested indicators could detect these attacks at run-time by checking the presence of some futures during the execution of the targeted program. We also proposed a measurement technique that allows measuring these indicators at run-time. The last part of this work covers the subject of the experimental phase. More specifically, the Proof of Concept performed with the objective of proving the effectiveness of our proposed indicators, as well as the proposed measurement technique. The results of this experimental phase show that only the first two indicators are able to detect ROP attacks. Another important finding was about the non-expected ROP features discovered and visualized during the experiment. These features could be used to strengthen our indicators in future works

    On Generating Gadget Chains for Return-Oriented Programming

    Get PDF
    With the increased popularity of embedded devices, low-level programming languages like C and C++ are currently experiencing a strong renewed interest. However, these languages are, meaning that programming errors may lead to undefined behaviour, which, in turn, may be exploited to compromise a system's integrity. Many programs written in these languages contain such programming errors, most infamous of which are buffer overflows. In order to fight this, there exists a large range of mitigation techniques designed to hinder exploitation, some of which are integral parts of most major operating systems' security concept. Even the most sophisticated mitigations, however, can often be bypassed by modern exploits, which are based on the principle of code reuse: they assemble, or chain, together existing code fragments (known as gadgets) in a way to achieve malicious behaviour. This technique is currently the cornerstone of modern exploits. In this dissertation, we present ROPocop, an approach to mitigate code-reuse attacks. ROPocop is a configurable, heuristic-based detector that monitors program execution and raises an alarm if it detects suspicious behaviour. It monitors the frequency of indirect branches and the length of basic blocks, two characteristics in which code-reuse attacks differ greatly from normal program behaviour. However, like all mitigations, ROPocop has its weaknesses and we show that it and other similar approaches can be bypassed in an automatic way by an aware attacker. To this end, we present PSHAPE, a practical, cross-platform framework to support the construction of code-reuse exploits. It offers two distinguishing features, namely it creates concise semantic summaries for gadgets, which allow exploit developers to assess the utility of a gadget much quicker than by going through the individual assembly instructions. And secondly, PSHAPE automatically composes gadgets to construct a chain of gadgets that can invoke any arbitrary function with user-supplied parameters. Invoking a function is indeed the most common goal of concurrent exploits, as calling a function such as mprotect greatly simplifies later steps of exploitation. For a mitigation to be viable, it must detect actual attacks reliably while at the same time avoiding false positives and ensuring that protected applications remain usable, i.e., do not crash or become very slow. In the tested sample set of applications, ROPocop detects and stops all twelve real attacks with no false positives. When executed with ROPocop, real-world programs exhibit only some slight input lag at startup but otherwise remain responsive. Yet, we further show how PSHAPE can be used to fully automatically create exploits that bypass various mitigations, for example, ROPocop itself. We also show gadgets PSHAPE found easily, that have great relevance in real exploits, and which previously required intense manual searches to find. Lastly, using PSHAPE, we also discovered a new and very useful gadget type that greatly simplifies gadget chaining

    Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook

    Full text link
    Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.Comment: 19 page

    Thwarting Advanced Code-reuse Attacks

    Full text link
    Code-reuse attacks are the leading mechanism by which attackers infiltrate systems. Various mitigation techniques have been proposed to defend against these attacks, the most prominent one being control-flow integrity (CFI). CFI is a principled approach that restricts all indirect control flows to adhere to a statically determined control-flow graph (CFG). CFI has gained widespread adoption in industry -- such as Microsoft Control Flow Guard and Intel Control-flow Enforcement Technology. However, recent attacks dubbed CFG mimicry attacks, like control flow bending and counterfeit object-oriented programming, have shown that code-reuse attacks are still possible without violating CFI. Furthermore, data-oriented programming (DOP) has generalized non-control data attacks to achieve Turing-complete computation; it accomplishes this by repeatedly corrupting non-control data to execute a sequence of instructions within the legitimate control flow of the program. In this dissertation, we present techniques to mitigate these advanced code-reuse attacks. First, this dissertation presents a novel approach to thwart advanced control flow attacks called ProxyCFI. ProxyCFI replaces all code pointers in a program with a less powerful construct: pointer proxies. Pointer proxies are random identifiers associated with each legitimate control flow edge in the program. Pointer proxy values are defined per-function and are re-randomized at program load time to mitigate their disclosure. To ensure that the approach covers the entire control flow of the program, we have a load-time verifier built-in the program loader that performs reachability analyses of the code and verify that there is no vulnerable control flow transfer. ProxyCFI delivers these protections incurring minimal performance overhead, while stopping a broad range of real-world attacks and achieving a 100% coverage of the RIPE x86-64 attack suite. Second, this dissertation evaluates the effectiveness of previously proposed stack layout randomization techniques against attacks that only utilize relative offset between allocations (e.g., data-oriented programming) and demonstrate that they are ineffective at stopping real-world DOP exploits. We then propose Smokestack, a runtime stack-layout randomization technique that addresses the problems with prior approaches. Smokestack instruments programs to randomize their stack layout at runtime for each invocation of a function. By doing so, Smokestack minimizes the utility of information gained in the probes of chained DOP attacks for later attack stages. Our evaluation on SPEC benchmarks and various real-world applications shows that Smokestack, with a cryptographically secure pseudo random generator, can stop DOP attacks with an average slowdown of 8.7%. Lastly, we present a technique to randomize heap allocations at runtime to prevent attackers from orchestrating advanced control flow attacks as well as DOP attacks through heap-resident variables. To this end, we explored the use of multi-variant execution (MVX) with each variant having uniquely seeded random heap allocators. This capability enables our system to automatically track heap allocation pointers without the need for storing explicit meta-data. We then re-randomize heap allocations to thwart attacks that perform runtime probes to discover allocations. This technique will provide modular heap allocation protection while maintaining compatibility with legacy binaries. In all, this thesis presents novel techniques that carve out a new space in advanced code-reuse attack protections, offering a protection strength as good or better than prior solutions. These techniques provide additional protections for advanced control flow attacks and DOP attacks, while incurring minimal performance overheads.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/155142/1/misiker_1.pd

    Advanced Code-reuse Attacks: A Novel Framework for JOP

    Get PDF
    Return-oriented programming is the predominant code-reuse attack, where short gadgets or borrowed chunks of code ending in a RET instruction can be discovered in binaries. A chain of ROP gadgets placed on the stack can permit control flow to be subverted, allowing for arbitrary computation. Jump-oriented programming is a class of code-reuse attack where instead of using RET instructions, indirect jumps and indirect calls are utilized to subvert the control flow. JOP is important because can allow for important mitigations and protections against ROP to be bypassed, and some protections against JOP are imperfect. This dissertation presents a design science study that proposes and creates the Jump-oriented Programming Reversing Open Cyber Knowledge Expert Tool, the JOP ROCKET. This is a novel framework for jump-oriented programming (JOP) that can help facilitate binary analysis for exploit development and code-reuse attacks. The process for manually developing exploits for JOP is a time-consuming and tedious process, often fraught with complications, and an exhaustive review of the literature shows there is a need for a mature, sophisticated tool to automate this process, to allow users to easily enumerate JOP gadgets for Windows x86 binaries. The JOP ROCKET fulfills this unmet need for a fully-featured tool to facilitate JOP gadget discovery. The JOP ROCKET discovers dispatcher gadgets as well as functional gadgets, and it performs classification on gadgets, according to registers used, registers affected, and operations performed. This allows researchers to utilize this tool to be very granular and specific about what gadgets they discover. Additionally, there are a variety of options available to modify how the gadgets are discovered, and this will expand or narrow the quantity of gadgets discovered. This design science research presents original significant contributions in the form of an instantiation and five new or highly reworked and enhanced methods. Some of these methods pertain directly to JOP, while others could be adapted and utilized in other reverse engineering projects. The JOP ROCKET allows researchers to enumerate JOP gadgets for software easily, allowing for a JOP exploit to be more efficiently constructed, whereas before the task would have been a time-consuming process requiring expert knowledge and the use of multiple tools
    corecore