#BHASIA @BlackHatEvents

One Flip is All It Takes: Identifying Syscall-Guard Variables for Data-Only Attacks
Speaker: Hengkai Ye, The Pennsylvania State University
Other contributors: Hong Hu, Song Liu, Zhechang Zhang

Team
- Hengkai Ye, Ph.D. student, Penn State University
- Song Liu, Ph.D. student, Penn State University
- Zhechang Zhang, Ph.D. student, Penn State University
- Hong Hu, Assistant Professor, Penn State University

Current Exploit Method: Control-Flow Hijacking
- Memory-access primitives (arbitrary read, arbitrary write) corrupt control data (return address, function pointer)
- Control-flow hijacking is then carried out by code injection or code reuse
- Mitigations: Code-Pointer Integrity, Control-Flow Integrity

Next Gen Exploit Method: Data-Only Attack
- The same memory-access primitives corrupt non-control data instead of control data
- Data-only attack techniques: Data-Oriented Programming, Block-Oriented Programming
- Code-Pointer Integrity and Control-Flow Integrity do not cover non-control data

Data-Only Attack (Chen, Shuo, et al. Non-control-data attacks are realistic threats. USENIX Security Symposium, 2005)
- CGI-BIN configuration string in Null Httpd; the loaded configuration is /usr/local/httpd/cgi-bin
- Client: POST /cgi-bin/calculator
- Server: /cgi-bin/ marks a CGI request; calculator is the executable name; search for calculator in /usr/local/httpd/cgi-bin; run calculator if found
- What if the configuration string /usr/local/httpd/cgi-bin gets corrupted?
- Heap corruption overwrites CGI-BIN to /bin
- Client: POST /cgi-bin/sh rm /tmp/root-private-file
- Server: sh is the executable name; search for sh in /bin; run /bin/sh and remove /tmp/root-private-file

Data-Only Attack: known examples and their critical data
- Shuo Chen et al., USENIX Security '05: root privilege in the WU-FTPD server; critical data: seteuid(pw->pw_uid);
- Yang Yu, Black Hat USA '14: code execution in the IE browser; critical data: if (safemode & 0xB == 0) Turn_on_God_Mode();
- Bing Sun et al., Black Hat Asia '17: bypass Control Flow Guard in Windows; critical data: gIsCFGEnabled
- Moritz Jodeit et al., HITB GSEC '16: bypass EMET in Windows; critical data: EnableProtectionPtr

Next Gen Exploit Method: Data-Only Attack?
- For control-flow attacks the targets are known (return address, function pointer); for data-only attacks the target data and the applicable defenses (Code-Pointer Integrity? Control-Flow Integrity?) are open questions
- The problem: how to automatically identify security-critical non-control data (critical data)

Spotting Critical Data is Challenging
- Previous work
  - Manual inspection: tedious human effort, not scalable
  - FlowStitch [Security '15]: relies on explicit sources/sinks, e.g., the argument of setuid
  - KENALI [NDSS '16]: relies on error codes in the Linux kernel
- Critical data
  - No common low-level properties (e.g., data type, memory location)
  - Difficult to infer high-level semantics

Our Contribution
- Automatic identification of syscall-guard variables
- Branch force
- Corruptibility assessment
- A framework: VIPER
- 34 unknown syscall-guard variables from 13 programs
- 4 new data-only attacks on SQLite and V8
- https:/

Motivating Example (Chen, Shuo, et al. Non-control-data attacks are realistic threats. USENIX Security Symposium, 2005)
- How to identify "authenticated"?
- Most data-only attacks rely on security-related syscalls
- Security-related syscalls are often guarded by security checks
- Syscall-guard branch: a security check implemented as a conditional branch
- Syscall-guard variable: a variable used in a syscall-guard branch
- VIPER: identify syscall-guard variables

Does Syscall-Guard Variable Matter?
- A = syscall arguments, C = syscall-guard variables
- 11 syscall arguments, 6 syscall-guard variables

Challenges
- Identify the sole contribution of each variable
  - Symbolic execution can identify a complete path
  - Limitation: cannot tell which variables are more critical
- Efficient and scalable analysis
  - Static analysis
  - Limitations: indirect calls, inter-procedural analysis, etc.

Branch Force: Identify Syscall-Guard Branches
- Flip every branch during execution
- Hook syscalls to find newly invoked ones
- If a new syscall is invoked, the flipped branch is a syscall-guard branch

Corruptibility Assessment
- Backward data-flow analysis: generate the data flow of each syscall-guard variable
- Assessment (for each memory node in the data flow)
  - Metric 1: memory location (global, heap, stack)
  - Metric 2: number of memory-write instructions
  - Assumption: every memory write could be abused
- Components: BranchForcer (branch force), VariableRator (corruptibility assessment)
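The branch-force loop of the two slides above, as an added example that is not VIPER's code: every conditional branch of a toy target goes through branch(), every syscall goes through a hook that records instead of executing, the target runs once unmodified for a baseline syscall set and then once per branch with that branch's outcome inverted, and a branch whose flip makes a syscall appear that the baseline never made is reported as a syscall-guard branch. VIPER does this on LLVM IR with separate record and flip passes and a fork server; here the target program, its state struct, the input and the syscall ids are all made up for illustration.

```c
/* Added example (not VIPER's code): in-process model of "branch force". */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define NBRANCHES 3
enum { SYS_OPEN = 1, SYS_UNLINK = 2, SYS_EXECVE = 3 };  /* hypothetical syscall ids */

static int flip_target = -1;             /* branch id to invert, -1 = none */
static uint32_t syscall_mask;            /* syscalls observed in the current run */
static uint32_t new_syscalls[NBRANCHES]; /* per branch: syscalls absent from baseline */

/* Branch instrumentation: inverts the outcome of the selected branch only. */
static int branch(int id, int cond) {
    return id == flip_target ? !cond : !!cond;
}

/* Syscall hook (stand-in for seccomp/ptrace/LD_PRELOAD interception). */
static void hook_syscall(int nr) { syscall_mask |= 1u << nr; }

/* Toy target: non-control data decides which syscalls run. */
struct state { int authenticated; int doOpen; const char *zTempFile; };

static void target(const struct state *p) {
    if (branch(0, p->authenticated)) {          /* guards open */
        hook_syscall(SYS_OPEN);
        if (branch(1, p->zTempFile != NULL))    /* guards unlink */
            hook_syscall(SYS_UNLINK);
    }
    if (branch(2, p->doOpen))                   /* guards execve */
        hook_syscall(SYS_EXECVE);
}

/* One execution with at most one branch flipped; returns the syscall set. */
static uint32_t run(int flip) {
    /* constructed input: authenticated, no viewer requested, no temp file */
    const struct state input = { 1, 0, NULL };
    flip_target = flip;
    syscall_mask = 0;
    target(&input);
    return syscall_mask;
}

/* Branch force: returns a bitmask of branch ids identified as syscall guards
   and fills new_syscalls[] with the syscalls each flip newly invoked. */
static uint32_t branch_force(void) {
    uint32_t baseline = run(-1), guards = 0;
    for (int b = 0; b < NBRANCHES; b++) {
        new_syscalls[b] = run(b) & ~baseline;
        if (new_syscalls[b]) guards |= 1u << b;
    }
    return guards;
}

static uint32_t new_syscalls_of(int b) { return new_syscalls[b]; }

int main(void) {
    uint32_t guards = branch_force();
    for (int b = 0; b < NBRANCHES; b++)
        printf("branch %d: %s (new syscall mask 0x%x)\n", b,
               ((guards >> b) & 1) ? "syscall-guard" : "not a guard",
               new_syscalls[b]);
    return 0;
}
```

With this input, flipping branch 1 newly invokes unlink (with a NULL argument, the same shape as the SQLite `if (p->zTempFile == 0)` case later in the deck) and flipping branch 2 newly invokes execve, so both are reported; flipping branch 0 only removes the open call and is not reported, because the criterion is a newly invoked syscall. Which guards are found therefore depends on the inputs that reach the branches, which is why the evaluation runs each program on a corpus and on AFL++-generated inputs.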
Workflow of VIPER
- Record pass: instrument the program into a record binary; execute it on an input and record the original syscalls and the branches taken
- Flip pass: instrument the program into a flip binary; execute it with one branch flipped and record the new syscalls
- Compare the two runs; each (branch, syscall, input) triple names a syscall-guard branch
- Record the execution trace on LLVM IR and run backward data-flow analysis from each syscall-guard variable to obtain the memory location and the number of memory-write instructions (corruptibility)
- Output: syscall-guard variable with its branch, syscall, input and corruptibility

Unique Branch Flipping
- A fork server saves the set of unique flipped branches, so each branch is flipped once per input
- Record the execution trace at the LLVM IR level
- Simulate execution based on the recorded trace

Evaluation (setting)
- 20 programs for evaluation
  - 9 programs with known data-only attacks (e.g., OpenSSH)
  - 7 programs from FuzzBench (e.g., SQLite)
  - 4 other well-tested programs (e.g., V8)
- Corpus
  - Test cases in the source code repository
  - Online corpus (e.g., FuzzBench dataset)
  - Fuzz with AFL++

Evaluation (identified syscall-guard variables)
- 36 syscall-guard variables from 14 programs

Evaluation (exploitability investigation)
- Exploit construction: 4
- CVE investigation
- GDB emulation

Evaluation (time costs)
- We can combine VIPER with other tools for automatic exploit generation

Case Study: Attacks on SQLite
- SQLite: the most widely deployed database engine; used in Android, iOS, Chrome, Safari, Opera
- VIPER result: 7 syscall-guard variables
- 3 new data-only attacks on the top 3 syscall-guard variables
  - p->doXdgOpen: arbitrary command execution (demo 1)
  - p->zTempFile: arbitrary file deletion (demo 2)
  - isDelete: arbitrary file deletion

Case Study 1: Command Execution on SQLite
- How SQLite handles query results: print on stdout; save to a file (.output filename); edit before saving (.once -e / .once -x)
- How VIPER identified p->doXdgOpen
  - BranchForce flips if (p->doXdgOpen) and catches execve
  - VariableRator generates the data-flow graphs for p->doXdgOpen and p->zTempFile
- Data-flow graph of p->doXdgOpen (figure)
- Data-flow graph of p->zTempFile (figure)
- One memory bug corrupts both p->doXdgOpen and p->zTempFile: CVE-2017-6983 (Kun Yang at Black Hat USA '17)
  - Arbitrary write primitive
  - Bypassing ASLR is feasible
- Demo 1

Case Study 2: File Deletion on SQLite
- zTempFile is also used in other places
- Flip if (p->zTempFile == 0) and catch unlink
- Both the syscall-guard variable and the syscall argument are zTempFile
- One-shot exploit
- Demo 2

Case Study 3: New Attack on V8
- V8: Chromium JavaScript engine; used in Google Chrome, Microsoft Edge, Opera, Node.js; 3,586 KLoC in the latest version
- VIPER result: 2 potential syscall-guard variables, 1 highly corruptible variable
  - Location: global variable
  - Memory-write instructions: 93,512,607
- Our attack (CVE-2021-30632)
  - Arbitrary read primitive
  - Bypass ASLR
  - Arbitrary write primitive
  - Set options.enable_os_system to 1
- Demo

Conclusion
- VIPER: automatically spotting syscall-guard variables for data-only attacks
- Design: branch force and corruptibility assessment
- Found 34 previously unknown syscall-guard variables
- Built 4 new data-only attacks on SQLite and V8
- Open source VIPER: https:/

Thank you. Questions? hengkai@psu.edu
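The shape of case study 1 (and of the Null Httpd CGI-BIN example earlier in the deck), as an added example that is neither SQLite's shell code nor VIPER output: a state struct holds the syscall-guard variable doXdgOpen and the syscall argument zTempFile, an arbitrary-write primitive flips the guard and redirects the argument, and the guarded path composes a shell line from the corrupted argument. No control data is touched, so CFI never fires. Field layout, the write-primitive model, the attacker payload and the function names are assumptions for illustration; nothing is executed, the command that would reach system() is only returned as a string, and a hardened variant shows what passing the file name as an argv element instead of a shell line buys.

```c
/* Added example (not SQLite's shell.c, not VIPER output): toy model of the
   .once -e path and a data-only attack against its guard variable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

struct shell_state {
    int mode;               /* unrelated non-control data */
    int doXdgOpen;          /* syscall-guard variable: nonzero => launch a viewer */
    const char *zTempFile;  /* syscall argument: file handed to the viewer */
};

/* The guarded path: the branch VIPER flipped to catch execve. Returns the
   shell line the real code would hand to system(), or NULL if the guard is clear. */
static char *build_xdg_command(const struct shell_state *p) {
    if (!p->doXdgOpen) return NULL;
    size_t n = strlen("xdg-open ") + strlen(p->zTempFile) + 1;
    char *cmd = malloc(n);
    snprintf(cmd, n, "xdg-open %s", p->zTempFile);
    return cmd;
}

/* Hardened variant: the file name becomes one argv element for execvp rather
   than part of a shell line, so a corrupted zTempFile can pick the file but
   cannot smuggle "; cmd". The guard itself stays corruptible; the fix only
   shrinks what the guarded syscall can do. */
static int build_xdg_argv(const struct shell_state *p, const char *argv[3]) {
    if (!p->doXdgOpen) return 0;
    argv[0] = "xdg-open"; argv[1] = p->zTempFile; argv[2] = NULL;
    return 1;
}

/* Model of an arbitrary-write primitive (the slides cite CVE-2017-6983 plus
   an ASLR bypass): write len bytes at a known absolute address. */
static void arbitrary_write(uintptr_t addr, const void *bytes, size_t len) {
    memcpy((void *)addr, bytes, len);
}

static const char payload[] = "x; touch /tmp/pwned";  /* constructed attacker string */

static struct shell_state *fresh_state(void) {
    return calloc(1, sizeof(struct shell_state));   /* doXdgOpen == 0, zTempFile == NULL */
}

/* Two data-only writes: set the guard, then point the argument at the payload. */
static struct shell_state *corrupted_state(void) {
    struct shell_state *p = fresh_state();
    uintptr_t base = (uintptr_t)p;   /* in practice leaked through the read primitive */
    int one = 1;
    const char *arg = payload;
    arbitrary_write(base + offsetof(struct shell_state, doXdgOpen), &one, sizeof one);
    arbitrary_write(base + offsetof(struct shell_state, zTempFile), &arg, sizeof arg);
    return p;
}

static char *attack_command(void) { return build_xdg_command(corrupted_state()); }

static const char *hardened_file_argument(void) {
    static const char *argv[3];
    return build_xdg_argv(corrupted_state(), argv) ? argv[1] : NULL;
}

int main(void) {
    printf("clean state: %s\n",
           build_xdg_command(fresh_state()) ? "command built" : "no command");
    printf("after data-only corruption, system() would get: \"%s\"\n", attack_command());
    printf("hardened: execvp argv[1] = \"%s\"\n", hardened_file_argument());
    return 0;
}
```

The guard and the argument live in the same struct, which is why one write primitive suffices in the slides; the corruptibility metrics (heap location, number of writing instructions) are what rank such a pair above variables that are only written once at startup.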