rop 공격 기법에 대한 최신 연구 현황myucc.cafe24.com/pdf/세션2/(1)_rop 공격...

ROP 공격 기법에 대한

최신 연구 현황

2013.04.17

조성제

sjcho at dankook.ac.kr

Computer Security & OS Lab

Dept. of Software Science, DKU

– 2 –

NetSec-Kr’13

목차

개요 (도입)

배경 지식 Buffer Overflow (또는 스택 오버플로우)

Return-to-Libc

Return-Oriented Programming (ROP) 개념 및 특징

공격기법

방어기법 (대응책)

ROP without Returns 공격기법


Computer Security & OS Lab., DKU

Ahmad-Reza Sadeghi & Lucas Davi, “Runtime Attacks: Buffer Overflow and Return-Oriented Programming”, Technische Universitat Darmstadt, Jan. 2011

Edward J. Schwartz, Return-Oriented Programming, 18732: Software Security, CMU, 2012

기타 참고문헌

다음 발표자료를 많이 참조(인용)하였습니다.


– 4 –

NetSec-Kr’13

도입 (배경)

런타임 공격이 애플리케이션들에 주요 위협 실행 시에 제어 흐름이 조작 가능

런타임 공격은 악의적 코드(payload)를 주입

런타임 공격 이유 SW는 C/C++과 같은 unsafe language로 작성

다양한 메모리 관련 취약점이 존재

대표적인 예: Buffer overflow (Stack overflow)


– 5 –

NetSec-Kr’13

버퍼 오버플로우 기초

새로운 (악성) 코드 주입

Code pointer (return address)를 조작


#include <unistd.h>

void Test()

{

char buff[4];

printf("Some input: ");

gets(buff);

puts(buff);

}

int main(int argc, char *argv[ ])

{

Test();

return 0;

}

– 6 –

NetSec-Kr’13

버퍼 오버플로우 기초

주로 shellcode가 주입되어 shell을 획득

Code injection – the layout of the stack

frame for injecting malicious codes

Overflow the buffer, injecting the code

and pointing back to the code


문제점 • No bounds-checking functions: strcpy(), strcat(), scanf(), memcpy(), etc • 스택에 writable하면서 동시에 스택에서 executable함

– 7 –

NetSec-Kr’13

기본적인 대응책

런타임 공격의 대응책 W X – Writable Xor eXecutable

Linux [PaXa] 및 Windows DEP (Data Execution Prevention)에 구현

[Mic06]

Supported by chip manufactures such as Intel and AMD (NX/XD bit)

ASLR (Address Space Layout Randomization): 주소 랜덤화

Linux PaX Kernel Patch에 구현 [PaXb]

Windows Vista 및 Windows 7에서 지원됨 [HT07]

컴파일러 기반 방어기법

Stack canaries, Pointer encryption, Bound checkers, Variable

reordering, 등

☞ 우회기법들로 인해 여전히, SW에는 주요 위협이 되고 있음


– 8 –

NetSec-Kr’13

Return-to-libc 개념

Code injection 대신 existing code (예: libc 함수)를 사용 예) system(“/bin/sh”); execve (argv[0], argv, NULL);


#include <stdio.h> void echo ( ) { char buffer[80];

gets (buffer); puts (buffer); } int main ( ) { echo ( ); printf ( "Done" ); return 0; }

– 9 –

NetSec-Kr’13

Return-to-libc 개념 echo() 복귀 시, system() 함수가 새로운 shell을 launch


Bypass W X model

• 개념 및 특징

• 공격기법

• 방어기법 (대응책)

Return-Oriented Programming


만약 공격자가 f(“foo”)를 수행하고 싶은데… - f()가 libc에 없거나 - f()가 libc에 있지만

랜덤화되어 있다면 ???

– 11 –

NetSec-Kr’13

The Big Picture


함수로 복귀하는 대신, “명령어들의 순차들”

(gadgets)로 복귀

– 12 –

NetSec-Kr’13

Return-Oriented Programming

Arbitrary (Turing-complete) computation without the need to

inject malicious code

call any library function

modify the original code

☞ 그러나 여전히 스택 내용(복귀주소 포함)을 변조 또는 조작

ROP 공격은 다음과 같은 다양한 구조나 시스템에 적용 가능 Intel x86 [Sha07]

ARM [Kor09]

The SPARC Machine [BRSS08]

Atmel AVR [FC08]

Z80 Voting Machines [CFK+09]

PowerPC [Lin09]


Apple iPhone • JailbreakMe [Hal10] • Steal SMS Databse [IW10]

Desktop PCs • Acrobat Reader [jdu10] • Adobe Flashplayer [Ado10]

Special-purpose machines • Z80 voting machine [CFK+09]

– 13 –

NetSec-Kr’13

ROP 개요

개념 Return-to-libc 기법으로 arbitrary computation 을 수행

방법 Use small instruction sequences (e.g., of libc) instead of using whole

functions

Instruction sequence는 2 ~ 5개의 instruction들로 구성

All sequences end with a ret instruction

Instruction sequences are chained together to a gadget

A gadget performs a particular task (e.g., load, store, xor, branch)

Afterwards, the adversary enforces his desired actions

by combining the gadgets

☞ 스택의 복귀주소를 조작함


– 14 –

NetSec-Kr’13

ROP 공격 예 (1/7)

1. 프로그램이 사용자 입력을 기다리고 있음


– 15 –

NetSec-Kr’13


2. 공격자(사용자) 입력이 버퍼를 넘치게 함

3. 입력은 복귀 주소들과 하나의 인자를 포함


– 16 –

NetSec-Kr’13


4. foo() 가 복귀 시에 1st sequence가 수행


– 17 –

NetSec-Kr’13


5. Return 명령이 next sequence로 제어 흐름을 전이


– 18 –

NetSec-Kr’13


6. Sequence 2의 return이 Sequence 3으로 제어흐름을 전이

7. 스택에서 Argument를 꺼내 옴


– 19 –

NetSec-Kr’13


8. Sequence 3의 return 명령 수행


– 20 –

NetSec-Kr’13


9. Sequence 3의 return은 제어흐름을 Sequence 4로 전이

10. Sequence 4의 return은 제어흐름을 Gadget 2로 전이


– 21 –

NetSec-Kr’13

의도되지 않은 명령 순차

Unintended instruction sequences (의도되지 않은 명령 순차들)

A sequence of instructions ending in a ret instruction that was never intended by the programmer

These sequences can be found by jumping in the middle of a valid instruction resulting in a new unintended instruction sequence

x86 구조에서 의도되지 않은 명령 순차들이 있는 이유는 다음 두 가지 이유 때문 Variable-length instructions

Unaligned memory access

If the native machine word is of size N then an unaligned memory access

means reading from an address that is not divisible by N


– 22 –

NetSec-Kr’13

의도되지 않은 명령 순차 찾기

libc에 다음 명령들이 포함되어 있다고 가정


b8에서부터 바이트 스트림을 해석하지 않고, 세 번째 바이트인 00에서부터 해석하면 다음의 unintended instruction sequence를 얻을 수 있음

– 23 –

NetSec-Kr’13

Gadget 의 예 : Memory Load (1/4)

Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register


1) Sequence 1이 실행 시작

– 24 –

NetSec-Kr’13


2) pop 0x8010AB8D in register %eax



– 25 –

NetSec-Kr’13


3) Sequence 1의 ret 명령에 의해 제어흐름이 Sequence 2로 이동



– 26 –

NetSec-Kr’13


4) move 0xDEADBEEF in register %eax



– 27 –

NetSec-Kr’13


컴파일러 기반 해결책 복귀주소 직전에 canary를 배치

StackGuard [CPM+98], ProPolice [Hir]

복귀주소들을 별도의 shadow stack에 백업 (이중화)

Return address defender [CH01], Stack shield [Ven]

한계점

소스코드 필요하고, 의도하지 않은 명령순차를 탐지하는 것은 어려움

JIT-Compiler 기반 Dynamic Binary Instrumentation Program shepherding [KBA02]

ROPdefender [DSW10]

Checks each return address against valid return addresses hold in a separate

shadow stack

return 빈도수를 계산: DynIMA [DSW09], DROP [CXS+09]

한계점

JIT-based instrumentation adds high performance overhead


– 28 –

NetSec-Kr’13


Shadow stack 방법


• 공격기법

• 방어기법 (대응책)

ROP without Returns (return 사용하지 않는 ROP)


복귀 주소 검사(checker)를 우회하는 것이 가능한가? (yes)

– 30 –

NetSec-Kr’13

ROP without Returns [CDD+10]

특징

복귀 주소들을 보호하는 대응책들을 우회 가능

Intel x86 및 ARM 등에 적용 가능한 공격 기법

Turing-complete gadget set and practical attack instantiation for both platforms without any return instruction

접근방법 return-like sequences 사용

후보 군은 indirect jumps

Intel 구조: jmp *%eax

ARM 구조: blx r3

방해 요소

%eax, r3 등의 대상 레지스터가 미리 사전에 초기화되어야 함

Returns automatically update the stack pointer; indirect jumps not


– 31 –

NetSec-Kr’13

ROP without Returns

Return-like Sequences

Intel

pop %eax; jmp *%eax

① Pop target address into %eax

② The pop instruction automatically increases the stack pointer by four bytes (similar to a return)

③ Jump to the address stored in %eax

ARM

No pop-jump sequence present

Use Update-Load-Branch Sequence

① (Update) { adds r6,#4: Add four bytes to r6

② (Load) { ldr r5, [r6]: Load target address into r5

③ (Branch) { blx r5: Branch to target address

문제점

위 두 플랫폼에서 Return-like sequences 는 희귀함


– 32 –

NetSec-Kr’13

ROP without Returns

해결책 Use a unique Update-Load-Branch (ULB) sequence after each instruction

sequence

ULB는 trampoline 으로 사용됨

모든 다른 순차는 ULB로의 간접분기(indirect jump)로 끝나야 함


– 33 –

NetSec-Kr’13

ROP without Returns [DDS10]

System call gadget

General workflow of a BLX-attack


– 34 –

NetSec-Kr’13


Control Flow Integrity (CFI) [ABEL05, ABE+06]

특수 명령어를 사용하여 모든 분기 대상에 레이블을 붙임

수행 시에 간접분기 대상이 valid label ID인지를 확인함

Address Space Layout Randomization (ASLR) 스택, 힙, 라이브러리 등의 기본 주소를 랜덤화

사례

Linux PaX Kernel Patch [PaXb]

MS Vista 이후의 Windows 시스템 [HT07]

한계

특정 코드 부분은 랜덤화되지 않아, 공격자는 어떤 gadgets을 구성 가능

» GOT (Global Offset Table) 엔트리 덮어쓰기 공격 [RMPB09]

정보 누수 및 무작위 공격 가능 [SjGM+04, SD08]

G-Free (Gadget-less binaries) 기법 [OBL+10]

재컴파일을 통해 의도되지 않은 명령어 순차를 제거

복귀 주소를 암호화, jump 및 call 명령도 보호


– 35 –

NetSec-Kr’13

요약 및 이슈

스택 오버플로우 취약점, Return-to-Libc 공격

ROP, ROP without returns

여러 방어기법이 제안되고 있지만 완벽하지는 않음

모든 주소 영역이 랜덤화 되지는 않음

오버헤드 유발

현재 ASLR의 약점으로 인해 ROP가 여전히 가능

프로그램이 커질수록 ROP 공격 가능성 높음

계속적인 연구 필요


– 36 –

NetSec-Kr’13

참고문헌 [ABE+06] Martin Abadi, Mihai Budiu, Ulfar Erlingsson, George C. Necula, and Michael Vrable. XFI: software

guards for system address spaces. In OSDI '06: Proceedings of the 7th symposium on Operating systems design and implementation, pages 75-88. USENIX Association, 2006.

[ABEL05] Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti. Control-flow integrity: Principles, implementations, and applications. In CCS '05: Proceedings of the 12th ACM Conference on Computer and Communications Security, pages 340-353. ACM, 2005.

[Ado10] Adobe Systems. Security Advisory for Flash Player, Adobe Reader and Acrobat: CVE-2010-1297. http://www.adobe.com/support/security/advisories/apsa10-01.html, 2010.

[BRSS08] E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: Generalizing return-oriented programming to RISC. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 27-38. ACM, 2008.

[CDD+10] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In CCS '10: Proceedings of the 17th ACM Conference on Computer and Communications Security, pages 559-572. ACM, 2010.

[CFK+09] Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage. In Proceedings of EVT/WOTE 2009, 2009.

[CH01] T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. In Int’l Conf. on Distributed Computing Systems, pages 409-417. IEEE Computer Society, 2001.

[CPM+98] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In SSYM'98: Proceedings of the 7th conference on USENIX Security Symposium, pages 63-78. USENIX Association, 1998.


– 37 –

NetSec-Kr’13

참고문헌 [CXS+09] Ping Chen, Hai Xiao, Xiaobin Shen, Xinchun Yin, Bing Mao, and Li Xie. DROP: Detecting

return-oriented programming malicious code. In Atul Prakash and Indranil Gupta, editors, Fifth International Conference on Information Systems Security (ICISS 2010), volume 5905 of Lecture Notes in Computer Science, pages 163-177. Springer, 2009.

[DDS10] L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, Return-Oriented Programming without Returns on ARM, HGI-TR-2010-002, Ruhr University Bochum, Germany

[DSW09] L. Davi, A.-R. Sadeghi, and M. Winandy. Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In Proceedings of the 4th ACM Workshop on Scalable Trusted Computing (STC'09), pages 49-54. ACM, 2009.

[DSW10] Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. http://www.trust.rub.de/media/ trust/veroeffentlichungen/2010/03/20/ROPdefender.pdf, March 2010.

[FC08] Aurelien Francillon and Claude Castelluccia. Code injection attacks on harvard-architecture devices. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 15-26. ACM, 2008.

[FPC09] Aurelien Francillon, Daniele Perito, and Claude Castelluccia. Defending embedded systems against control flow attacks. In Proceedings of the 1st Workshop on Secure Execution of Untrusted Code (SecuCode'09), pages 19-26. ACM, 2009.

[FS01] Mike Frantzen and Mike Shuey. StackGhost: Hardware facilitated stack protection. In SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium, pages 55-66. USENIX Association, 2001.


– 38 –

NetSec-Kr’13

참고문헌 [Hal10] Josh Halliday. Jailbreakme released for apple devices. http://www.guardian.co.uk/

technology/blog/2010/aug/02/jailbreakme-released-apple-devices-legal, August 2010.

[Hir] Hiroaki Etoh. GCC extension for protecting applications from stack-smashing attacks. http://www.trl.ibm.com/projects/security/ssp.

[HT07] Michael Howard and Matt Thomlinson. Windows vista isv security. http://msdn.microsoft.com/en-us/library/bb430720.aspx, April 2007.

[IW10] Vincenzo Iozzo and Ralf-Philipp Weinmann. Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN. http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/, Mar 2010.

[jdu10] jduck. The latest adobe exploit and session upgrading. http://blog.metasploit.com/2010/03/latest-adobe-exploit-and-session.html, 2010.

[KBA02] Vladimir Kiriansky, Derek Bruening, and Saman P. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, pages 191-206. USENIX Association, 2002.

[Kor09] Tim Kornau. Return oriented programming for the ARM architecture. http://zynamics.com/downloads/kornau-tim--diplomarbeit--rop.pdf, 2009. Master thesis, Ruhr-University Bochum, Germany.

[Lin09] Felix Lindner. Developments in Cisco IOS forensics. CONFidence 2.0. http://www.recurity-labs.com/content/pub/FX_Router_Exploitation.pdf, November 2009.

[Mic06] Microsoft. Data Execution Prevention (DEP). http://support.microsoft.com/kb/875352/EN-US/, 2006.


http://www.guardian.co.uk/

http://blog.metasploit.com/2010/03/latest-adobe-exploit-and-session.html











http://www.recurity-labs.com/content/pub/FX_Router_Exploitation.pdf



– 39 –

NetSec-Kr’13

참고문헌

[OBL+10] Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In ACSAC'10, Annual Computer Security Applications Conference, December 2010.

[PaXa] PaX Team. http://pax.grsecurity.net/.

[PaXb] PaX Team. PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt.

[RMPB09] Giampaolo Fresi Roglia, Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi. Surgically returning to randomized lib(c). In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009). IEEE, 2009.

[SD08] Alexander Sotirov and Mark Dowd. Bypassing browser memory protections in Windows Vista. http://www.phreedom.org/research/bypassing-browser-memory-protections/, August 2008. Presented at Black Hat 2008.

[Sha07] Hovav Shacham. The geometry of innocent esh on the bone: Return-into-libc without function calls (on the x86). In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 552{561. ACM, 2007.

[SjGM+04] Hovav Shacham, Eu jin Goh, Nagendra Modadugu, Ben Pfa, and Dan Boneh. On the eectiveness of address-space randomization. In CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 298{307. ACM, 2004.

[Ven] Vendicator. Stack Shield: A "stack smashing" technique protection tool for Linux. http://www.angelfire.com/sk/stackshield.


http://www.phreedom.org/research/bypassing-browser-memory-protections/









http://www.angelfire.com/sk/stackshield

http://www.angelfire.com/sk/stackshield

– 40 –

NetSec-Kr’13

Q&A

sjcho at dku.edu


rop 공격 기법에 대한 최신 연구 현황myucc.cafe24.com/pdf/세션2/(1)_rop 공격...

Documents