SCP: SCP: A System Call Protector against A System Call Protector against
Buffer Overflow Attacks Buffer Overflow Attacks
先進防禦實驗室國立中央大學 資訊工程系
22
OutlineOutline
Introduction Attacking Method Related Work SCP System Design Experimental Result Conclusion Future Work
33
IntroductionIntroduction
Buffer Overflow Attack• Easily launched• Huge amount of targets• Strongly damage• One of the most dangerous threats in the
Internet Developing an efficient and effective approach
becomes a critical and emergent issue.
44
Difficulty in ProtectionDifficulty in Protection
Many countermeasures were proposed, but were defeated by new mutants.
55
Function and Stack FrameFunction and Stack Frame
b
return address add_g
address of G’s
frame point
C[0]
H’s stack
frame
G(int a)
{
H(3);
add_g:
}
H( int b)
{ char c[100];
int i;
while((c[i++]=getch())!=EOF)
{
}
}
C[99]
Input String: xyz
Z
Y
X
G’s stack frame
0xabc
0xaba0xabb
66
Stack Smashing Attack – PrincipleStack Smashing Attack – Principle
Stack Smashing Attack• Overflow a return address to transfer program
execution flow into injected code (shell code)
77
Stack Smashing Attack - ExampleStack Smashing Attack - Example
b
return address add_g
address of G’s
frame point
C[0]
H’s stack
frame
addrress oxabc
G(int a)
{
H(3);
add_g:
}
H( int b)
{ char c[100];
int i;
while((c[i++]=getch())!=EOF)
{
}
}
C[99]
Injected Code0xabc
Attack String: xxInjected Codexy0xabc
Length=108 bytes
0xaba0xabb x
x
x
y
88
Return-into-libc AttackReturn-into-libc Attack
Overwrite the return address to execute a library function, e.g. system(), inside the attacked process.
buffer
EBP
EIP (RA)
Fake RA
Pointer to system()’s arg
system()ESP
String format: AAA…address to system()
system()’s return address
pointer to system()’s arg
“/bin/sh”High Address
Low Address
99
Heap Overflow AttackHeap Overflow Attack
Similar to stack overflow, but on the heap area
1010
Other MutantsOther Mutants
function pointer attack Jump table attack setjmp/longjmp attack
1111
Related WorkRelated Work
Some Countermeasures• StackGuard / StackShield• Address Obfuscation (ASLR/PaX)• Exec Shield• Binary Obfuscation• PointGuard™• Instruction Set Randomization• RAD
1212
Related Work - StackGuardRelated Work - StackGuard StackGuard -- add canary word before return address
Bypassing StackGuard
return address
canary word
Buffer
High Address
Low Address
…
return address
Buffer
…
Saved return address
…
High Address
Low Address
1313
Related Work – ASLR/PaXRelated Work – ASLR/PaX Address Obfuscation
• PaX/ASLR project- Randomize the base address of memory regions
-- Randomize the base address of stack/heap-- Randomize the starting address of dynamic-linked libraries-- Randomize the locations of routines and static data
• Internal fragmentation problem• Crash problem• Derandomization Attack• Local attack• Non-relocatable code
1414
Related Work – Bound CheckRelated Work – Bound Check
Bound Check• Bound Check for C Program
• Require source code / recompile• Runtime overhead are huge
- 4x / 5x when best case- 10x general case- 100x worst case
1515
Related Work – Exec ShieldRelated Work – Exec Shield Exec Shield
• Data/Stack section non-executable• Code section non-writable
• Compatibility problem - ELF file format -- Add PT_GNU_STACK and PT_GNU_HEAP - Nested function - Recompile / porting - sigreturn() system call• Return into libc attack can be launched
1616
Related Work - PointGuardRelated Work - PointGuard
PointGuard™• Encrypt pointer, decrypt when reference object
1717
Related Work - ISRRelated Work - ISR
Instruction Set Randomization• Hardware solution, encrypt / decrypt CPU
instructions
porting binaries
1818
Related Work - RADRelated Work - RAD
RAD• Return Address Defender• Compiler solution• Push return address to RAR when prologue• Pop return address from RAR when eprolog
ue
Need recompile
1919
SCP System Principle and GoalSCP System Principle and Goal Principle
• Prevent attackers from executing int 80 offered by them• Prevent attackers from executing int 80 existed in the attacke
d system
Goal• Low overhead• Efficient to protect• Do not require source code• Compatibility• Use less system resource (memory)• Easy to maintain
2020
AssumptionAssumption
Assumption• Malicious code have to use system calls to
damage an attacked system• Vulnerable programs use dynamic linked
libraries
2121
System Call Invocation ConventionSystem Call Invocation Convention
movl system_call_number, %eaxmovl first_argument, %ebx…int $0x80
2222
System Call Path with/without System Call Path with/without SCPSCP
2323
Detailed System Call Path Detailed System Call Path without SCPwithout SCP
6. return
5. return
User Space
Kernel Space
( user program )open();
( libc wrapper routine )__libc_open()
( kernel )sys_open()
High Address
Low Address1. go to PLT
4. trap into kernel
( PLT )jmp *GOT[__libc_open]
( GOT entry )Address of __libc_open
2. lookup GOT
3. call wrapper routine
2424
Secure Enter KernelSecure Enter Kernel
Pseudo Code
(b) Trap Code(a) Secure Enter Kernel
save_all_registers;page = 0; size = 0;if (page == 0 ) { page = mmap2(); size = copy_trap_code(page); notify_kernel(page+6);}restore_all_registers;call page;
int $0x80; (sysenter)return_to_libc;
machine code:\x8B\x44\x24\x04\xCD\x80\x83\xC4\x08\xC3
2525
ReplacementReplacement
• Use secure enter kernel to replace ALL sysenter (int $0x80)
2626
Detailed System Call Path with Detailed System Call Path with SCPSCP
New system call path (with SCP system)
8. return
7. return
User Space
Kernel Space
( user program )open();
( libc wrapper routine )__libc_open()
( kernel )sys_open()
1. go to PLT
5. trap into kernel
( PLT )jmp *GOT[__libc_open]
( GOT entry )Address of __libc_open
2. lookup GOT
3. call wrapper routine
( trap page )int $0x80
4. call trap page
6. return
High Address
Low Address
read();
jmp *GOT[__libc_read]
Address of __libc_read
__libc_read()
sys_read()
2727
Lazy Binding under SCPLazy Binding under SCP
loader (ld-linux.so.2) kernel
program
glibc: printf() here
2. Loading program
1. Notify kernel the RA
Inject code
3. Load libc.so.6
6. Normal system call
4. Call printf()
5. Notify kernel the RA
2828
Lazy Binding under SCPLazy Binding under SCP
loader (ld-linux.so.2) kernel
program
glibc: printf() here
2. Loading program
1. Notify kernel the RA
Inject code
3. Load libc.so.6
6. Normal system call
4. Call printf()
5. Notify kernel the RA
2929
SCP Protection Mechanism – LiSCP Protection Mechanism – Limit the number of mit the number of notify_kernel()
Avoid attacker’ using to change the address of the only legal int 80.
Limit the number of notify_kernel() to two:• loader (ld-linux.so.2) and glib (libc.so.6) have their
own global variable segment; hence, there are two global variable pages in a process.
Each page variable will cause the system to create a new trap page.
3030
SCP Protection Mechanism - SCP Protection Mechanism - Fake Trap PageFake Trap Page
Insert fake trap pages around to real trap page to avoid attackers’ detection of the real int 80 instruction.
3131
Attack AnalysisAttack Analysis
• Attacker can scan the attacked process’s address space to find the real int $0x80
• Possible solution: - Non-readable but executable code
segment - … future work
(user program)system_call
(PLT) (GOT)(libc)
wrapper routine(heap)
int $0x80
3232
Efficiency Test – Injected CodeEfficiency Test – Injected Code
• Buffer overflow attack with injected code
3333
Efficiency Test – Change Legal Efficiency Test – Change Legal inint 80t 80 Address Address
• Calling notify_kernel test
3434
Performance Test – Micro Performance Test – Micro BenchmarkBenchmark
• 10,000,000 times per system call
System CallOriginal libc & Kerne
l(μsec)
Secure libc & Secure Kernel
(μsec)Increment
mmap 4.83598861 5.04285570 4.28 %
open 5.70100183 12.31045995 115.93 %
read 4.44757121 4.65731530 4.72 %
write 28.61905470 28.86815789 0.87 %
3535
Number of Page Faults under OrigiNumber of Page Faults under Original libc and Kernelnal libc and Kernel
avg timediff = 0.0000073216265842318534575253186069687672 sec = 7.32162658 usecCommand exited with non-zero status 81 Command being timed: "./micro-test.open" User time (seconds): 0.69 System time (seconds): 122.31 Percent of CPU this job got: 100% Elapsed (wall clock) time (h:mm:ss or m:ss): 2:03.00 Average shared text size (kbytes): 0 Average unshared data size (kbytes): 0 Average stack size (kbytes): 0 Average total size (kbytes): 0 Maximum resident set size (kbytes): 0 Average resident set size (kbytes): 0 Major (requiring I/O) page faults: 82 Minor (reclaiming a frame) page faults: 7 Voluntary context switches: 0 Involuntary context switches: 0 Swaps: 0 File system inputs: 0 File system outputs: 0 Socket messages sent: 0 Socket messages received: 0 Signals delivered: 0 Page size (bytes): 4096 Exit status: 81
3636
Number of Page Faults under SCP Number of Page Faults under SCP libc and Kernellibc and Kernel
avg timediff = 0.0000123534624044317750067014868853298992 sec = 12.35346240 usecCommand exited with non-zero status 82 Command being timed: "./micro-test.open" User time (seconds): 0.68 System time (seconds): 173.26 Percent of CPU this job got: 99% Elapsed (wall clock) time (h:mm:ss or m:ss): 2:53.94 Average shared text size (kbytes): 0 Average unshared data size (kbytes): 0 Average stack size (kbytes): 0 Average total size (kbytes): 0 Maximum resident set size (kbytes): 0 Average resident set size (kbytes): 0 Major (requiring I/O) page faults: 104 Minor (reclaiming a frame) page faults: 13 Voluntary context switches: 0 Involuntary context switches: 0 Swaps: 0 File system inputs: 0 File system outputs: 0 Socket messages sent: 0 Socket messages received: 0 Signals delivered: 0 Page size (bytes): 4096 Exit status: 82
3737
Performance Test – Micro Performance Test – Micro BenchmarkBenchmark
• 100,000 times per command
CommandOriginal libc & Kernel
(μsec)Secure libc & Secure Kernel
(μsec)Increment
ls 0.00781023 0.00922095 18.06 %
make 0.01481522 0.01697969 14.61 %
sysctl 0.02905236 0.03447007 18.65 %
tar 0.00804451 0.00940219 16.88 %
gcc 0.98855523 1.00293709 01.45 %
3838
ConclusionConclusion
We propose a new method to protect system calls by registering valid int 80 on premise• Low performance overhead• Protect programs against all known code injection style BOAs• No modification to source code or executable files is required• Compatible with existing systems and applications• Not increase the workload of program maintenance• Terminate attacked processes normally• Effective in defending local BO attacks
3939
Future WorkFuture Work
More secure• Implement “executable but non-readable”
region in segment section on i386• The NX Bit chip• AMD 64 CPU
4040
Thanks Q & A