rop 공격 기법에 대한 최신 연구 현황myucc.cafe24.com/pdf/세션2/(1)_rop 공격...
TRANSCRIPT
ROP 공격 기법에 대한
최신 연구 현황
2013.04.17
조성제
sjcho at dankook.ac.kr
Computer Security & OS Lab
Dept. of Software Science, DKU
– 2 –
NetSec-Kr’13
목차
개요 (도입)
배경 지식 Buffer Overflow (또는 스택 오버플로우)
Return-to-Libc
Return-Oriented Programming (ROP) 개념 및 특징
공격기법
방어기법 (대응책)
ROP without Returns 공격기법
방어기법 (대응책)
Computer Security & OS Lab., DKU
Ahmad-Reza Sadeghi & Lucas Davi, “Runtime Attacks: Buffer Overflow and Return-Oriented Programming”, Technische Universitat Darmstadt, Jan. 2011
Edward J. Schwartz, Return-Oriented Programming, 18732: Software Security, CMU, 2012
기타 참고문헌
다음 발표자료를 많이 참조(인용)하였습니다.
Computer Security & OS Lab., DKU
– 4 –
NetSec-Kr’13
도입 (배경)
런타임 공격이 애플리케이션들에 주요 위협 실행 시에 제어 흐름이 조작 가능
런타임 공격은 악의적 코드(payload)를 주입
런타임 공격 이유 SW는 C/C++과 같은 unsafe language로 작성
다양한 메모리 관련 취약점이 존재
대표적인 예: Buffer overflow (Stack overflow)
Computer Security & OS Lab., DKU
– 5 –
NetSec-Kr’13
버퍼 오버플로우 기초
새로운 (악성) 코드 주입
Code pointer (return address)를 조작
Computer Security & OS Lab., DKU
#include <unistd.h>
void Test()
{
char buff[4];
printf("Some input: ");
gets(buff);
puts(buff);
}
int main(int argc, char *argv[ ])
{
Test();
return 0;
}
– 6 –
NetSec-Kr’13
버퍼 오버플로우 기초
주로 shellcode가 주입되어 shell을 획득
Code injection – the layout of the stack
frame for injecting malicious codes
Overflow the buffer, injecting the code
and pointing back to the code
Computer Security & OS Lab., DKU
문제점 • No bounds-checking functions: strcpy(), strcat(), scanf(), memcpy(), etc • 스택에 writable하면서 동시에 스택에서 executable함
– 7 –
NetSec-Kr’13
기본적인 대응책
런타임 공격의 대응책 W X – Writable Xor eXecutable
Linux [PaXa] 및 Windows DEP (Data Execution Prevention)에 구현
[Mic06]
Supported by chip manufactures such as Intel and AMD (NX/XD bit)
ASLR (Address Space Layout Randomization): 주소 랜덤화
Linux PaX Kernel Patch에 구현 [PaXb]
Windows Vista 및 Windows 7에서 지원됨 [HT07]
컴파일러 기반 방어기법
Stack canaries, Pointer encryption, Bound checkers, Variable
reordering, 등
☞ 우회기법들로 인해 여전히, SW에는 주요 위협이 되고 있음
Computer Security & OS Lab., DKU
– 8 –
NetSec-Kr’13
Return-to-libc 개념
Code injection 대신 existing code (예: libc 함수)를 사용 예) system(“/bin/sh”); execve (argv[0], argv, NULL);
Computer Security & OS Lab., DKU
#include <stdio.h> void echo ( ) { char buffer[80];
gets (buffer); puts (buffer); } int main ( ) { echo ( ); printf ( "Done" ); return 0; }
– 9 –
NetSec-Kr’13
Return-to-libc 개념 echo() 복귀 시, system() 함수가 새로운 shell을 launch
Computer Security & OS Lab., DKU
Bypass W X model
• 개념 및 특징
• 공격기법
• 방어기법 (대응책)
Return-Oriented Programming
Computer Security & OS Lab., DKU
만약 공격자가 f(“foo”)를 수행하고 싶은데… - f()가 libc에 없거나 - f()가 libc에 있지만
랜덤화되어 있다면 ???
– 11 –
NetSec-Kr’13
The Big Picture
Computer Security & OS Lab., DKU
함수로 복귀하는 대신, “명령어들의 순차들”
(gadgets)로 복귀
– 12 –
NetSec-Kr’13
Return-Oriented Programming
Arbitrary (Turing-complete) computation without the need to
inject malicious code
call any library function
modify the original code
☞ 그러나 여전히 스택 내용(복귀주소 포함)을 변조 또는 조작
ROP 공격은 다음과 같은 다양한 구조나 시스템에 적용 가능 Intel x86 [Sha07]
ARM [Kor09]
The SPARC Machine [BRSS08]
Atmel AVR [FC08]
Z80 Voting Machines [CFK+09]
PowerPC [Lin09]
Computer Security & OS Lab., DKU
Apple iPhone • JailbreakMe [Hal10] • Steal SMS Databse [IW10]
Desktop PCs • Acrobat Reader [jdu10] • Adobe Flashplayer [Ado10]
Special-purpose machines • Z80 voting machine [CFK+09]
– 13 –
NetSec-Kr’13
ROP 개요
개념 Return-to-libc 기법으로 arbitrary computation 을 수행
방법 Use small instruction sequences (e.g., of libc) instead of using whole
functions
Instruction sequence는 2 ~ 5개의 instruction들로 구성
All sequences end with a ret instruction
Instruction sequences are chained together to a gadget
A gadget performs a particular task (e.g., load, store, xor, branch)
Afterwards, the adversary enforces his desired actions
by combining the gadgets
☞ 스택의 복귀주소를 조작함
Computer Security & OS Lab., DKU
– 14 –
NetSec-Kr’13
ROP 공격 예 (1/7)
1. 프로그램이 사용자 입력을 기다리고 있음
Computer Security & OS Lab., DKU
– 15 –
NetSec-Kr’13
ROP 공격 예 (2/7)
2. 공격자(사용자) 입력이 버퍼를 넘치게 함
3. 입력은 복귀 주소들과 하나의 인자를 포함
Computer Security & OS Lab., DKU
– 16 –
NetSec-Kr’13
ROP 공격 예 (3/7)
4. foo() 가 복귀 시에 1st sequence가 수행
Computer Security & OS Lab., DKU
– 17 –
NetSec-Kr’13
ROP 공격 예 (4/7)
5. Return 명령이 next sequence로 제어 흐름을 전이
Computer Security & OS Lab., DKU
– 18 –
NetSec-Kr’13
ROP 공격 예 (5/7)
6. Sequence 2의 return이 Sequence 3으로 제어흐름을 전이
7. 스택에서 Argument를 꺼내 옴
Computer Security & OS Lab., DKU
– 19 –
NetSec-Kr’13
ROP 공격 예 (6/7)
8. Sequence 3의 return 명령 수행
Computer Security & OS Lab., DKU
– 20 –
NetSec-Kr’13
ROP 공격 예 (7/7)
9. Sequence 3의 return은 제어흐름을 Sequence 4로 전이
10. Sequence 4의 return은 제어흐름을 Gadget 2로 전이
Computer Security & OS Lab., DKU
– 21 –
NetSec-Kr’13
의도되지 않은 명령 순차
Unintended instruction sequences (의도되지 않은 명령 순차들)
A sequence of instructions ending in a ret instruction that was never intended by the programmer
These sequences can be found by jumping in the middle of a valid instruction resulting in a new unintended instruction sequence
x86 구조에서 의도되지 않은 명령 순차들이 있는 이유는 다음 두 가지 이유 때문 Variable-length instructions
Unaligned memory access
If the native machine word is of size N then an unaligned memory access
means reading from an address that is not divisible by N
Computer Security & OS Lab., DKU
– 22 –
NetSec-Kr’13
의도되지 않은 명령 순차 찾기
libc에 다음 명령들이 포함되어 있다고 가정
Computer Security & OS Lab., DKU
b8에서부터 바이트 스트림을 해석하지 않고, 세 번째 바이트인 00에서부터 해석하면 다음의 unintended instruction sequence를 얻을 수 있음
– 23 –
NetSec-Kr’13
Gadget 의 예 : Memory Load (1/4)
Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register
Computer Security & OS Lab., DKU
1) Sequence 1이 실행 시작
– 24 –
NetSec-Kr’13
Gadget 의 예 : Memory Load (2/4)
2) pop 0x8010AB8D in register %eax
Computer Security & OS Lab., DKU
Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register
– 25 –
NetSec-Kr’13
Gadget 의 예 : Memory Load (3/4)
3) Sequence 1의 ret 명령에 의해 제어흐름이 Sequence 2로 이동
Computer Security & OS Lab., DKU
Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register
– 26 –
NetSec-Kr’13
Gadget 의 예 : Memory Load (4/4)
4) move 0xDEADBEEF in register %eax
Computer Security & OS Lab., DKU
Goal: Load the word 0xDEADBEEF (pointed to by 0x8010ABCD) into the %eax register
– 27 –
NetSec-Kr’13
방어기법 (대응책)
컴파일러 기반 해결책 복귀주소 직전에 canary를 배치
StackGuard [CPM+98], ProPolice [Hir]
복귀주소들을 별도의 shadow stack에 백업 (이중화)
Return address defender [CH01], Stack shield [Ven]
한계점
소스코드 필요하고, 의도하지 않은 명령순차를 탐지하는 것은 어려움
JIT-Compiler 기반 Dynamic Binary Instrumentation Program shepherding [KBA02]
ROPdefender [DSW10]
Checks each return address against valid return addresses hold in a separate
shadow stack
return 빈도수를 계산: DynIMA [DSW09], DROP [CXS+09]
한계점
JIT-based instrumentation adds high performance overhead
Computer Security & OS Lab., DKU
– 28 –
NetSec-Kr’13
방어기법 (대응책)
Shadow stack 방법
Computer Security & OS Lab., DKU
• 공격기법
• 방어기법 (대응책)
ROP without Returns (return 사용하지 않는 ROP)
Computer Security & OS Lab., DKU
복귀 주소 검사(checker)를 우회하는 것이 가능한가? (yes)
– 30 –
NetSec-Kr’13
ROP without Returns [CDD+10]
특징
복귀 주소들을 보호하는 대응책들을 우회 가능
Intel x86 및 ARM 등에 적용 가능한 공격 기법
Turing-complete gadget set and practical attack instantiation for both platforms without any return instruction
접근방법 return-like sequences 사용
후보 군은 indirect jumps
Intel 구조: jmp *%eax
ARM 구조: blx r3
방해 요소
%eax, r3 등의 대상 레지스터가 미리 사전에 초기화되어야 함
Returns automatically update the stack pointer; indirect jumps not
Computer Security & OS Lab., DKU
– 31 –
NetSec-Kr’13
ROP without Returns
Return-like Sequences
Intel
pop %eax; jmp *%eax
① Pop target address into %eax
② The pop instruction automatically increases the stack pointer by four bytes (similar to a return)
③ Jump to the address stored in %eax
ARM
No pop-jump sequence present
Use Update-Load-Branch Sequence
① (Update) { adds r6,#4: Add four bytes to r6
② (Load) { ldr r5, [r6]: Load target address into r5
③ (Branch) { blx r5: Branch to target address
문제점
위 두 플랫폼에서 Return-like sequences 는 희귀함
Computer Security & OS Lab., DKU
– 32 –
NetSec-Kr’13
ROP without Returns
해결책 Use a unique Update-Load-Branch (ULB) sequence after each instruction
sequence
ULB는 trampoline 으로 사용됨
모든 다른 순차는 ULB로의 간접분기(indirect jump)로 끝나야 함
Computer Security & OS Lab., DKU
– 33 –
NetSec-Kr’13
ROP without Returns [DDS10]
System call gadget
General workflow of a BLX-attack
Computer Security & OS Lab., DKU
– 34 –
NetSec-Kr’13
방어기법 (대응책)
Control Flow Integrity (CFI) [ABEL05, ABE+06]
특수 명령어를 사용하여 모든 분기 대상에 레이블을 붙임
수행 시에 간접분기 대상이 valid label ID인지를 확인함
Address Space Layout Randomization (ASLR) 스택, 힙, 라이브러리 등의 기본 주소를 랜덤화
사례
Linux PaX Kernel Patch [PaXb]
MS Vista 이후의 Windows 시스템 [HT07]
한계
특정 코드 부분은 랜덤화되지 않아, 공격자는 어떤 gadgets을 구성 가능
» GOT (Global Offset Table) 엔트리 덮어쓰기 공격 [RMPB09]
정보 누수 및 무작위 공격 가능 [SjGM+04, SD08]
G-Free (Gadget-less binaries) 기법 [OBL+10]
재컴파일을 통해 의도되지 않은 명령어 순차를 제거
복귀 주소를 암호화, jump 및 call 명령도 보호
Computer Security & OS Lab., DKU
– 35 –
NetSec-Kr’13
요약 및 이슈
스택 오버플로우 취약점, Return-to-Libc 공격
ROP, ROP without returns
여러 방어기법이 제안되고 있지만 완벽하지는 않음
모든 주소 영역이 랜덤화 되지는 않음
오버헤드 유발
현재 ASLR의 약점으로 인해 ROP가 여전히 가능
프로그램이 커질수록 ROP 공격 가능성 높음
계속적인 연구 필요
Computer Security & OS Lab., DKU
– 36 –
NetSec-Kr’13
참고문헌 [ABE+06] Martin Abadi, Mihai Budiu, Ulfar Erlingsson, George C. Necula, and Michael Vrable. XFI: software
guards for system address spaces. In OSDI '06: Proceedings of the 7th symposium on Operating systems design and implementation, pages 75-88. USENIX Association, 2006.
[ABEL05] Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti. Control-flow integrity: Principles, implementations, and applications. In CCS '05: Proceedings of the 12th ACM Conference on Computer and Communications Security, pages 340-353. ACM, 2005.
[Ado10] Adobe Systems. Security Advisory for Flash Player, Adobe Reader and Acrobat: CVE-2010-1297. http://www.adobe.com/support/security/advisories/apsa10-01.html, 2010.
[BRSS08] E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: Generalizing return-oriented programming to RISC. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 27-38. ACM, 2008.
[CDD+10] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In CCS '10: Proceedings of the 17th ACM Conference on Computer and Communications Security, pages 559-572. ACM, 2010.
[CFK+09] Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage. In Proceedings of EVT/WOTE 2009, 2009.
[CH01] T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. In Int’l Conf. on Distributed Computing Systems, pages 409-417. IEEE Computer Society, 2001.
[CPM+98] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In SSYM'98: Proceedings of the 7th conference on USENIX Security Symposium, pages 63-78. USENIX Association, 1998.
Computer Security & OS Lab., DKU
– 37 –
NetSec-Kr’13
참고문헌 [CXS+09] Ping Chen, Hai Xiao, Xiaobin Shen, Xinchun Yin, Bing Mao, and Li Xie. DROP: Detecting
return-oriented programming malicious code. In Atul Prakash and Indranil Gupta, editors, Fifth International Conference on Information Systems Security (ICISS 2010), volume 5905 of Lecture Notes in Computer Science, pages 163-177. Springer, 2009.
[DDS10] L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, Return-Oriented Programming without Returns on ARM, HGI-TR-2010-002, Ruhr University Bochum, Germany
[DSW09] L. Davi, A.-R. Sadeghi, and M. Winandy. Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In Proceedings of the 4th ACM Workshop on Scalable Trusted Computing (STC'09), pages 49-54. ACM, 2009.
[DSW10] Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. http://www.trust.rub.de/media/ trust/veroeffentlichungen/2010/03/20/ROPdefender.pdf, March 2010.
[FC08] Aurelien Francillon and Claude Castelluccia. Code injection attacks on harvard-architecture devices. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 15-26. ACM, 2008.
[FPC09] Aurelien Francillon, Daniele Perito, and Claude Castelluccia. Defending embedded systems against control flow attacks. In Proceedings of the 1st Workshop on Secure Execution of Untrusted Code (SecuCode'09), pages 19-26. ACM, 2009.
[FS01] Mike Frantzen and Mike Shuey. StackGhost: Hardware facilitated stack protection. In SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium, pages 55-66. USENIX Association, 2001.
Computer Security & OS Lab., DKU
– 38 –
NetSec-Kr’13
참고문헌 [Hal10] Josh Halliday. Jailbreakme released for apple devices. http://www.guardian.co.uk/
technology/blog/2010/aug/02/jailbreakme-released-apple-devices-legal, August 2010.
[Hir] Hiroaki Etoh. GCC extension for protecting applications from stack-smashing attacks. http://www.trl.ibm.com/projects/security/ssp.
[HT07] Michael Howard and Matt Thomlinson. Windows vista isv security. http://msdn.microsoft.com/en-us/library/bb430720.aspx, April 2007.
[IW10] Vincenzo Iozzo and Ralf-Philipp Weinmann. Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN. http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/, Mar 2010.
[jdu10] jduck. The latest adobe exploit and session upgrading. http://blog.metasploit.com/2010/03/latest-adobe-exploit-and-session.html, 2010.
[KBA02] Vladimir Kiriansky, Derek Bruening, and Saman P. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, pages 191-206. USENIX Association, 2002.
[Kor09] Tim Kornau. Return oriented programming for the ARM architecture. http://zynamics.com/downloads/kornau-tim--diplomarbeit--rop.pdf, 2009. Master thesis, Ruhr-University Bochum, Germany.
[Lin09] Felix Lindner. Developments in Cisco IOS forensics. CONFidence 2.0. http://www.recurity-labs.com/content/pub/FX_Router_Exploitation.pdf, November 2009.
[Mic06] Microsoft. Data Execution Prevention (DEP). http://support.microsoft.com/kb/875352/EN-US/, 2006.
Computer Security & OS Lab., DKU
– 39 –
NetSec-Kr’13
참고문헌
[OBL+10] Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In ACSAC'10, Annual Computer Security Applications Conference, December 2010.
[PaXa] PaX Team. http://pax.grsecurity.net/.
[PaXb] PaX Team. PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt.
[RMPB09] Giampaolo Fresi Roglia, Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi. Surgically returning to randomized lib(c). In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009). IEEE, 2009.
[SD08] Alexander Sotirov and Mark Dowd. Bypassing browser memory protections in Windows Vista. http://www.phreedom.org/research/bypassing-browser-memory-protections/, August 2008. Presented at Black Hat 2008.
[Sha07] Hovav Shacham. The geometry of innocent esh on the bone: Return-into-libc without function calls (on the x86). In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 552{561. ACM, 2007.
[SjGM+04] Hovav Shacham, Eu jin Goh, Nagendra Modadugu, Ben Pfa, and Dan Boneh. On the eectiveness of address-space randomization. In CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 298{307. ACM, 2004.
[Ven] Vendicator. Stack Shield: A "stack smashing" technique protection tool for Linux. http://www.angelfire.com/sk/stackshield.
Computer Security & OS Lab., DKU
– 40 –
NetSec-Kr’13
Q&A
sjcho at dku.edu
Computer Security & OS Lab., DKU