SCP: A System Call Protector against Buffer Overflow Attacks

Posted on 19-Dec-2015

Page 1: SCP: A System Call Protector against Buffer Overflow Attacks

Advanced Defense Laboratory (先進防禦實驗室), Department of Computer Science and Information Engineering (資訊工程系), National Central University (國立中央大學)

Page 2: Outline

• Introduction
• Attacking Method
• Related Work
• SCP System Design
• Experimental Result
• Conclusion
• Future Work

Page 3: Introduction

Buffer Overflow Attack
• Easily launched
• Huge number of targets
• Severe damage
• One of the most dangerous threats on the Internet

Developing an efficient and effective countermeasure has become a critical and urgent issue.

Page 4: Difficulty in Protection

Many countermeasures have been proposed, but each was defeated by new mutants (variants) of the attack.

Page 5: Function and Stack Frame

    G(int a)
    {
        H(3);
    add_g:                 /* return address of the call to H() */
    }

    H(int b)
    {
        char c[100];
        int i = 0;
        while ((c[i++] = getch()) != EOF)   /* no bound on i: c[] can overflow */
        {
        }
    }

[Figure: stack layout after G() calls H(). H's stack frame, from low to high address: c[0] … c[99], the saved frame pointer (address of G's frame), the return address add_g, and the argument b; G's stack frame lies above it. For the input string "xyz", X, Y and Z are stored at c[0], c[1], c[2] (addresses 0xaba, 0xabb, 0xabc).]

Page 6: Stack Smashing Attack – Principle

Stack Smashing Attack
• Overflow the return address to transfer program execution flow into injected code (shellcode)

Page 7: Stack Smashing Attack – Example

    (same G() and H() as on Page 5)

[Figure: the same frames as on Page 5, after H() reads an attack string of length 108 bytes: "xx", injected code, filler "xy…", 0xabc. The 108 bytes cover c[0] … c[99], the saved frame pointer and the return address; the injected code sits at address 0xabc inside c[], and the return address add_g is replaced by 0xabc, so when H() returns, execution continues in the injected code.]
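Added example (not code from the slides): the H() loop on Pages 5 and 7 stores input into c[100] with no bound on i, so a 108-byte input runs over the saved frame pointer and the return address. The model below reproduces that loop over an in-memory byte string instead of getch(), with H's frame laid out as a struct so the overrun of the two saved words is visible, and places the hardened, bounded loop beside it. The struct and function names, the placeholder addresses and the constructed input string are this example's own; the string carries filler bytes and the value 0xabc from the slide, no code.

```c
#include <stddef.h>
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 100
#define EOF_MARK (-1)

/* Simulated H() stack frame, laid out as on Page 5 (low to high address). */
struct frame {
    unsigned char c[BUF_LEN]; /* H's local buffer c[0]..c[99]       */
    uint32_t saved_fp;        /* saved frame pointer (G's frame)    */
    uint32_t ret_addr;        /* return address add_g               */
};

/* Constructed input source standing in for getch(). */
struct input {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

static int next_char(struct input *in)
{
    return in->pos < in->len ? in->data[in->pos++] : EOF_MARK;
}

/* The slide's loop, while((c[i++]=getch())!=EOF){}, with no bound on i.
 * Writes are modelled over the whole simulated frame so that the overrun of
 * saved_fp and ret_addr is visible; the cap at sizeof(*f) only keeps this
 * simulation itself inside its own memory. Returns the bytes stored. */
static size_t fill_unbounded(struct frame *f, struct input *in)
{
    unsigned char *mem = (unsigned char *)f;
    size_t i = 0;
    int ch;
    while (i < sizeof(*f) && (ch = next_char(in)) != EOF_MARK)
        mem[i++] = (unsigned char)ch;
    return i;
}

/* Hardened form: store at most BUF_LEN-1 bytes and NUL-terminate; anything
 * beyond that is dropped, so saved_fp and ret_addr are never touched. */
static size_t fill_bounded(struct frame *f, struct input *in)
{
    size_t i = 0;
    int ch;
    while (i < BUF_LEN - 1 && (ch = next_char(in)) != EOF_MARK)
        f->c[i++] = (unsigned char)ch;
    f->c[i] = '\0';
    return i;
}

/* Constructed 108-byte string in the shape Page 7 describes: 100 filler
 * bytes for c[], 4 filler bytes over the saved frame pointer, then the value
 * 0xabc (in native byte order) over the return address. Returns its length. */
static size_t build_attack_string(unsigned char *out, size_t cap)
{
    const size_t n = BUF_LEN + 8;
    const uint32_t ra = 0x00000abcu;
    if (cap < n) return 0;
    memset(out, 'x', BUF_LEN + 4);
    memcpy(out + BUF_LEN + 4, &ra, sizeof ra);
    return n;
}

struct result {
    size_t stored;      /* bytes the loop stored                 */
    uint32_t saved_fp;  /* frame pointer slot after the loop      */
    uint32_t ret_addr;  /* return address slot after the loop     */
};

/* Run the constructed string through one of the two loops. */
static struct result run_scenario(int bounded)
{
    unsigned char s[BUF_LEN + 8];
    struct input in = { s, build_attack_string(s, sizeof s), 0 };
    struct frame f;
    struct result r;
    memset(&f, 0, sizeof f);
    f.saved_fp = 0xbffff000u; /* placeholder: address of G's frame */
    f.ret_addr = 0x080484a0u; /* placeholder: add_g                */
    r.stored = bounded ? fill_bounded(&f, &in) : fill_unbounded(&f, &in);
    r.saved_fp = f.saved_fp;
    r.ret_addr = f.ret_addr;
    return r;
}

int main(void)
{
    struct result u = run_scenario(0), b = run_scenario(1);
    printf("unbounded: stored %zu bytes, saved_fp=0x%08" PRIx32 " ret_addr=0x%08" PRIx32 "\n",
           u.stored, u.saved_fp, u.ret_addr);
    printf("bounded:   stored %zu bytes, saved_fp=0x%08" PRIx32 " ret_addr=0x%08" PRIx32 "\n",
           b.stored, b.saved_fp, b.ret_addr);
    return 0;
}
```

With the unbounded loop the frame's return-address slot ends up holding 0xabc and the saved frame pointer holds four filler bytes; with the bounded loop 99 bytes land in c[] and both saved words keep their original values. The 108-byte length on Page 7 is exactly sizeof(struct frame) here: 100 bytes of buffer plus two 4-byte words.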

Page 8: Return-into-libc Attack

Overwrite the return address to execute a library function, e.g. system(), inside the attacked process.

[Figure: stack layout from low to high address: buffer, saved EBP, EIP (the return address) overwritten with a fake RA that points to system(); above it, system()'s return address and the pointer to system()'s argument, the string "/bin/sh". ESP points at this fake frame when system() starts. String format: AAA… (filler), address of system(), system()'s return address, pointer to system()'s argument.]

Page 9: Heap Overflow Attack

Similar to a stack overflow, but in the heap area.

Page 10: Other Mutants

• Function pointer attack
• Jump table attack
• setjmp/longjmp attack

Page 11: Related Work

Some Countermeasures
• StackGuard / StackShield
• Address Obfuscation (ASLR/PaX)
• Exec Shield
• Binary Obfuscation
• PointGuard™
• Instruction Set Randomization
• RAD

Page 12: Related Work – StackGuard

StackGuard: add a canary word before the return address.

[Figure, left: a protected frame from low to high address: buffer, canary word, return address. Figure, right, labelled "Bypassing StackGuard": buffer, return address, and a separately saved return address.]

Page 13: Related Work – ASLR/PaX

Address Obfuscation
• PaX/ASLR project: randomize the base address of memory regions
  - Randomize the base address of the stack/heap
  - Randomize the starting address of dynamically linked libraries
  - Randomize the locations of routines and static data

• Internal fragmentation problem
• Crash problem
• Derandomization attack
• Local attack
• Non-relocatable code

Page 14: Related Work – Bound Check

Bound Check
• Bound checking for C programs
• Requires source code / recompilation
• Runtime overhead is huge:
  - 4x / 5x in the best case
  - 10x in the general case
  - 100x in the worst case

Page 15: Related Work – Exec Shield

Exec Shield
• Data/stack sections non-executable
• Code section non-writable
• Compatibility problems:
  - ELF file format: add PT_GNU_STACK and PT_GNU_HEAP
  - Nested functions
  - Recompile / porting
  - sigreturn() system call
• Return-into-libc attacks can still be launched

Page 16: Related Work – PointGuard

PointGuard™
• Encrypt pointers; decrypt when the referenced object is accessed

Page 17: Related Work – ISR

Instruction Set Randomization
• Hardware solution: encrypts / decrypts CPU instructions
• Requires porting binaries

Page 18: Related Work – RAD

RAD
• Return Address Defender
• Compiler solution
• Push the return address onto the RAR (return address repository) in the prologue
• Pop the return address from the RAR in the epilogue
• Needs recompilation

Page 19: SCP System Principle and Goal

Principle
• Prevent attackers from executing an int 80 that they supply themselves
• Prevent attackers from executing an int 80 that already exists in the attacked system

Goal
• Low overhead
• Efficient protection
• Does not require source code
• Compatibility
• Uses fewer system resources (memory)
• Easy to maintain

Page 20: Assumption

Assumptions
• Malicious code has to use system calls to damage the attacked system
• Vulnerable programs use dynamically linked libraries

Page 21: System Call Invocation Convention

    movl system_call_number, %eax
    movl first_argument, %ebx
    …
    int $0x80

Page 22: System Call Path with/without SCP

[Figure: overview of the system call path with and without SCP; the detailed paths follow on Pages 23 and 26.]

Page 23: Detailed System Call Path without SCP

[Figure: user space above kernel space, high address at the top, low address at the bottom.]

1. Go to the PLT: the user program calls open()
2. Look up the GOT: the PLT entry executes jmp *GOT[__libc_open]; the GOT entry holds the address of __libc_open
3. Call the wrapper routine: the libc wrapper __libc_open()
4. Trap into the kernel: sys_open()
5. Return (kernel to wrapper)
6. Return (wrapper to user program)

Page 24: Secure Enter Kernel

Pseudo Code

(a) Secure Enter Kernel

    save_all_registers;
    page = 0; size = 0;            /* globals in the library's data segment */
    if (page == 0) {
        page = mmap2();            /* allocate the trap page */
        size = copy_trap_code(page);
        notify_kernel(page + 6);   /* register the address right after int $0x80 */
    }
    restore_all_registers;
    call page;

(b) Trap Code

    int $0x80;   (sysenter)
    return_to_libc;

    machine code: \x8B\x44\x24\x04\xCD\x80\x83\xC4\x08\xC3
      8B 44 24 04   movl 0x4(%esp), %eax   (page + 0)
      CD 80         int  $0x80             (page + 4)
      83 C4 08      addl $0x8, %esp        (page + 6)
      C3            ret                    (page + 9)

Page 25: Replacement

• Use the secure enter kernel routine to replace ALL sysenter (int $0x80) sites

Page 26: Detailed System Call Path with SCP

New system call path (with the SCP system)

[Figure: user space above kernel space, high address at the top, low address at the bottom; the same path is drawn for read() (jmp *GOT[__libc_read], address of __libc_read, __libc_read(), sys_read()).]

1. Go to the PLT: the user program calls open()
2. Look up the GOT: the PLT entry executes jmp *GOT[__libc_open]; the GOT entry holds the address of __libc_open
3. Call the wrapper routine: the libc wrapper __libc_open()
4. Call the trap page: the wrapper calls the trap page, which holds int $0x80
5. Trap into the kernel: sys_open()
6. Return (kernel to trap page)
7. Return (trap page to wrapper)
8. Return (wrapper to user program)

Page 27: Lazy Binding under SCP

[Figure: participants are the program, the loader (ld-linux.so.2), the kernel, and glibc (printf() lives here).]

1. Notify the kernel of the RA (loader to kernel, using the injected code)
2. Load the program
3. Load libc.so.6
4. Call printf()
5. Notify the kernel of the RA (glibc to kernel)
6. Normal system call

Page 28: Lazy Binding under SCP (same figure and steps as Page 27)

Page 29: SCP Protection Mechanism – Limit the number of notify_kernel()

Prevents an attacker from using notify_kernel() to change the address of the only legal int 80.

Limit the number of notify_kernel() calls to two:
• The loader (ld-linux.so.2) and glibc (libc.so.6) each have their own global variable segment; hence there are two global variable pages in a process.
• Each page variable causes the system to create a new trap page.
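Added example (not code from the slides or from SCP): a user-space model in C of the kernel-side check that Pages 24 and 29 describe. The ten trap-code bytes from Page 24 are decoded below as standard x86-32 encoding, which is why notify_kernel(page+6) registers the address the CPU saves as EIP when int $0x80 at page+4 traps. That the modified kernel compares this saved EIP against the registered addresses and allows only two registrations is this example's reading of "Notify kernel the RA" and "limit the number of notify_kernel() to two"; the struct and function names, the verdict values and the page addresses are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRAP_PAGES 2   /* loader and libc, as on Page 29 */

/* Trap code from Page 24 and its x86-32 decoding:
 *   8B 44 24 04   movl 0x4(%esp), %eax   offset 0
 *   CD 80         int  $0x80             offset 4
 *   83 C4 08      addl $0x8, %esp        offset 6  <- EIP saved by the trap
 *   C3            ret                    offset 9                          */
static const unsigned char trap_code[] = {
    0x8B, 0x44, 0x24, 0x04, 0xCD, 0x80, 0x83, 0xC4, 0x08, 0xC3
};
#define TRAP_CODE_LEN (sizeof trap_code)

enum verdict { SYSCALL_ALLOWED, SYSCALL_REJECTED, NOTIFY_OK, NOTIFY_REFUSED };

/* Constructed per-process state: the return addresses (RA) registered by
 * notify_kernel(), at most one per trap page. */
struct process {
    uint32_t legal_ra[MAX_TRAP_PAGES];
    size_t   n_legal;
};

/* Offset of the byte following the int $0x80 opcode (CD 80) in a trap
 * page; that byte's address is the RA the kernel will see. */
static size_t trap_ra_offset(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == 0xCD && code[i + 1] == 0x80)
            return i + 2;
    return 0;
}

/* Model of notify_kernel(): register a trap page's RA. The third and later
 * calls are refused, so an attacker cannot register an int $0x80 of their
 * own (assumption: this is how the two-call limit of Page 29 is enforced). */
static enum verdict notify_kernel(struct process *p, uint32_t ra)
{
    if (p->n_legal >= MAX_TRAP_PAGES)
        return NOTIFY_REFUSED;
    p->legal_ra[p->n_legal++] = ra;
    return NOTIFY_OK;
}

/* Model of the check at the kernel's int $0x80 entry: the EIP saved by the
 * trap must equal a registered RA, otherwise the process is terminated
 * (assumption, matching "registering valid int 80" on Page 38). */
static enum verdict check_int80(const struct process *p, uint32_t saved_eip)
{
    for (size_t i = 0; i < p->n_legal; i++)
        if (p->legal_ra[i] == saved_eip)
            return SYSCALL_ALLOWED;
    return SYSCALL_REJECTED;
}

struct outcome {
    enum verdict libc_call;       /* libc's trap page issues int $0x80   */
    enum verdict injected_call;   /* an unregistered int $0x80 is issued */
    enum verdict injected_notify; /* a third notify_kernel() is attempted */
};

/* Scenario: the loader and libc each map a trap page and register it, then
 * an unregistered page (constructed address) tries both paths. */
static struct outcome run_model(void)
{
    struct process p = { {0, 0}, 0 };
    const uint32_t loader_page = 0xb7f00000u; /* constructed addresses */
    const uint32_t libc_page   = 0xb7e00000u;
    const uint32_t other_page  = 0x0804a000u;
    const uint32_t off = (uint32_t)trap_ra_offset(trap_code, TRAP_CODE_LEN);
    struct outcome o;

    notify_kernel(&p, loader_page + off);   /* step 1 on Page 27 */
    notify_kernel(&p, libc_page + off);     /* step 5 on Page 27 */

    o.libc_call       = check_int80(&p, libc_page + off);
    o.injected_call   = check_int80(&p, other_page + off);
    o.injected_notify = notify_kernel(&p, other_page + off);
    return o;
}

int main(void)
{
    struct outcome o = run_model();
    printf("trap RA offset: %zu\n", trap_ra_offset(trap_code, TRAP_CODE_LEN));
    printf("libc int $0x80: %s\n", o.libc_call == SYSCALL_ALLOWED ? "allowed" : "rejected");
    printf("unregistered int $0x80: %s\n", o.injected_call == SYSCALL_ALLOWED ? "allowed" : "rejected");
    printf("third notify_kernel(): %s\n", o.injected_notify == NOTIFY_OK ? "ok" : "refused");
    return 0;
}
```

The model makes the limits of the mechanism visible as well: the check only tells a registered trap page from an unregistered one, so a call that reaches the real trap page through a legitimate libc wrapper passes it. That is why Page 30 surrounds the real trap page with fake ones and Page 31 lists non-readable code segments as future work.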

Page 30: SCP Protection Mechanism – Fake Trap Page

Insert fake trap pages around the real trap page so that attackers cannot tell which int 80 instruction is the real one.

Page 31: Attack Analysis

• An attacker can scan the attacked process's address space to find the real int $0x80
• Possible solution:
  - Non-readable but executable code segment
  - … future work

[Figure: the call chain (user program) system_call → (PLT) → (GOT) → (libc) wrapper routine → int $0x80, with the heap drawn beside it.]

Page 32: Efficiency Test – Injected Code

• Buffer overflow attack with injected code

Page 33: Efficiency Test – Change Legal int 80 Address

• Calling notify_kernel() test

Page 34: Performance Test – Micro Benchmark

• 10,000,000 times per system call

    System Call   Original libc & Kernel (μsec)   Secure libc & Secure Kernel (μsec)   Increment
    mmap          4.83598861                      5.04285570                           4.28 %
    open          5.70100183                      12.31045995                          115.93 %
    read          4.44757121                      4.65731530                           4.72 %
    write         28.61905470                     28.86815789                          0.87 %

Page 35: Number of Page Faults under Original libc and Kernel

    avg timediff = 0.0000073216265842318534575253186069687672 sec = 7.32162658 usec
    Command exited with non-zero status 81
    Command being timed: "./micro-test.open"
    User time (seconds): 0.69
    System time (seconds): 122.31
    Percent of CPU this job got: 100%
    Elapsed (wall clock) time (h:mm:ss or m:ss): 2:03.00
    Average shared text size (kbytes): 0
    Average unshared data size (kbytes): 0
    Average stack size (kbytes): 0
    Average total size (kbytes): 0
    Maximum resident set size (kbytes): 0
    Average resident set size (kbytes): 0
    Major (requiring I/O) page faults: 82
    Minor (reclaiming a frame) page faults: 7
    Voluntary context switches: 0
    Involuntary context switches: 0
    Swaps: 0
    File system inputs: 0
    File system outputs: 0
    Socket messages sent: 0
    Socket messages received: 0
    Signals delivered: 0
    Page size (bytes): 4096
    Exit status: 81

Page 36: Number of Page Faults under SCP libc and Kernel

    avg timediff = 0.0000123534624044317750067014868853298992 sec = 12.35346240 usec
    Command exited with non-zero status 82
    Command being timed: "./micro-test.open"
    User time (seconds): 0.68
    System time (seconds): 173.26
    Percent of CPU this job got: 99%
    Elapsed (wall clock) time (h:mm:ss or m:ss): 2:53.94
    Average shared text size (kbytes): 0
    Average unshared data size (kbytes): 0
    Average stack size (kbytes): 0
    Average total size (kbytes): 0
    Maximum resident set size (kbytes): 0
    Average resident set size (kbytes): 0
    Major (requiring I/O) page faults: 104
    Minor (reclaiming a frame) page faults: 13
    Voluntary context switches: 0
    Involuntary context switches: 0
    Swaps: 0
    File system inputs: 0
    File system outputs: 0
    Socket messages sent: 0
    Socket messages received: 0
    Signals delivered: 0
    Page size (bytes): 4096
    Exit status: 82

Page 37: Performance Test – Macro Benchmark

• 100,000 times per command

    Command   Original libc & Kernel (μsec)   Secure libc & Secure Kernel (μsec)   Increment
    ls        0.00781023                      0.00922095                           18.06 %
    make      0.01481522                      0.01697969                           14.61 %
    sysctl    0.02905236                      0.03447007                           18.65 %
    tar       0.00804451                      0.00940219                           16.88 %
    gcc       0.98855523                      1.00293709                           1.45 %

Page 38: Conclusion

We propose a new method that protects system calls by registering the valid int 80 in advance.
• Low performance overhead
• Protects programs against all known code-injection-style BOAs (buffer overflow attacks)
• No modification of source code or executable files is required
• Compatible with existing systems and applications
• Does not increase the workload of program maintenance
• Terminates attacked processes normally
• Effective in defending against local BO attacks

Page 39: Future Work

More secure
• Implement an "executable but non-readable" region in the segment section on i386
• The NX bit chip
• AMD64 CPU

Page 40: Thanks – Q & A