Attacking dynamic code

The Continuing Arms Race Pub Date : 2018-03-01 DOI:10.1145/3129743.3129750

Felix Schuster, Thorsten Holz

{"title":"Attacking dynamic code","authors":"Felix Schuster, Thorsten Holz","doi":"10.1145/3129743.3129750","DOIUrl":null,"url":null,"abstract":"Typically, code-reuse attacks exhibit unique characteristics in the control flow (and the data flow) that allow for generic protections, regardless of the language an application was programmed in. For example, if one can afford to monitor all return instructions in an application while maintaining a full shadow call stack, even advanced ROP-based attacks [Göktas et al. 2014a, Carlini and Wagner 2014, Davi et al. 2014, Göktaş et al. 2014b, Schuster et al. 2014] cannot be mounted [Frantzen and Shuey 2001, Abadi et al. 2005a, Davi et al. 2011]. In this chapter, we present a form of code-reuse attack we call Counterfeit Object-Oriented Programming (COOP) that is different: COOP exploits the fact that each C++ virtual function is address taken, which means that a static code pointer exists to it. Accordingly, C++ applications usually contain a high ratio of address-taken functions, typically a significantly higher one compared to C applications. If, for example, an imprecise CFI solution does not consider C++ semantics, then these functions are all likely valid indirect call targets [Abadi et al. 2005a] and can thus be abused. COOP exclusively relies on C++ virtual functions that are invoked through corresponding calling sites as gadgets. Hence, without deeper knowledge of the semantics of an application developed in C++, COOP's control flow cannot reasonably be distinguished from a benign one. Another important difference to existing codereuse attacks is that in COOP conceptually no code pointers (e.g., return addresses or function pointers) are injected or manipulated. As such, COOP is immune to defenses that protect the integrity and authenticity of code pointers. Moreover, in COOP, gadgets do not work relative to the stack pointer. Instead, gadgets are invoked relative to the this-ptr on a set of adversary-defined counterfeit objects. Note that in C++ the this-ptr allows an object to access its own address. Addressing relative to the this-ptr implies that COOP cannot be mitigated by defenses that prevent the stack pointer to point to the program's heap [Fratric 2012], which is typically the case for ROP-based attacks launched through a heap-based memory corruption vulnerability. The counterfeit objects used in a COOP attack typically overlap such that data can be passed from one gadget to another. Even in a simple COOP program, positioning counterfeit objects manually can become complicated. Hence, we implemented a programming framework that leverages the Z3 SMT solver [de Moura and Bjørner 2008] to derive the object layout of a COOP program automatically. The main results of this chapter were published in a previous conference paper [Schuster et al. 2015] and in a Ph.D. dissertation [Schuster 2015]. In this chapter, we streamline the presentation and highlight the challenges when attempting to protect against COOP-like attacks. Certain details are omitted and interested readers are referred to closely related publications on this topic.","PeriodicalId":267501,"journal":{"name":"The Continuing Arms Race","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2018-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"The Continuing Arms Race","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3129743.3129750","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Typically, code-reuse attacks exhibit unique characteristics in the control flow (and the data flow) that allow for generic protections, regardless of the language an application was programmed in. For example, if one can afford to monitor all return instructions in an application while maintaining a full shadow call stack, even advanced ROP-based attacks [Göktas et al. 2014a, Carlini and Wagner 2014, Davi et al. 2014, Göktaş et al. 2014b, Schuster et al. 2014] cannot be mounted [Frantzen and Shuey 2001, Abadi et al. 2005a, Davi et al. 2011]. In this chapter, we present a form of code-reuse attack we call Counterfeit Object-Oriented Programming (COOP) that is different: COOP exploits the fact that each C++ virtual function is address taken, which means that a static code pointer exists to it. Accordingly, C++ applications usually contain a high ratio of address-taken functions, typically a significantly higher one compared to C applications. If, for example, an imprecise CFI solution does not consider C++ semantics, then these functions are all likely valid indirect call targets [Abadi et al. 2005a] and can thus be abused. COOP exclusively relies on C++ virtual functions that are invoked through corresponding calling sites as gadgets. Hence, without deeper knowledge of the semantics of an application developed in C++, COOP's control flow cannot reasonably be distinguished from a benign one. Another important difference to existing codereuse attacks is that in COOP conceptually no code pointers (e.g., return addresses or function pointers) are injected or manipulated. As such, COOP is immune to defenses that protect the integrity and authenticity of code pointers. Moreover, in COOP, gadgets do not work relative to the stack pointer. Instead, gadgets are invoked relative to the this-ptr on a set of adversary-defined counterfeit objects. Note that in C++ the this-ptr allows an object to access its own address. Addressing relative to the this-ptr implies that COOP cannot be mitigated by defenses that prevent the stack pointer to point to the program's heap [Fratric 2012], which is typically the case for ROP-based attacks launched through a heap-based memory corruption vulnerability. The counterfeit objects used in a COOP attack typically overlap such that data can be passed from one gadget to another. Even in a simple COOP program, positioning counterfeit objects manually can become complicated. Hence, we implemented a programming framework that leverages the Z3 SMT solver [de Moura and Bjørner 2008] to derive the object layout of a COOP program automatically. The main results of this chapter were published in a previous conference paper [Schuster et al. 2015] and in a Ph.D. dissertation [Schuster 2015]. In this chapter, we streamline the presentation and highlight the challenges when attempting to protect against COOP-like attacks. Certain details are omitted and interested readers are referred to closely related publications on this topic.

查看原文本刊更多论文

攻击动态代码

通常，代码重用攻击在控制流(和数据流)中表现出允许通用保护的独特特征，而不管应用程序是用什么语言编程的。例如，如果能够在维护完整的影子调用堆栈的同时监控应用程序中的所有返回指令，那么即使是高级基于rop的攻击[Göktas等人，2014a, Carlini和Wagner 2014, Davi等人，2014,Göktaş等人，2014b, Schuster等人，2014]也无法安装[Frantzen和Shuey 2001, Abadi等人，2005a, Davi等人，2011]。在本章中，我们提出了一种不同的代码重用攻击形式，我们称之为伪面向对象编程(COOP): COOP利用了这样一个事实，即每个c++虚函数都是地址占用的，这意味着存在一个指向它的静态代码指针。因此，c++应用程序通常包含高比例的地址占用函数，通常比C应用程序高得多。例如，如果一个不精确的CFI解决方案没有考虑c++语义，那么这些函数都可能是有效的间接调用目标[Abadi等人，2005a]，因此可能被滥用。COOP完全依赖于c++虚函数，虚函数通过相应的调用站点作为gadget调用。因此，如果不深入了解用c++开发的应用程序的语义，就不能合理地将COOP的控制流与良性的控制流区分开来。与现有代码滥用攻击的另一个重要区别是，在COOP中，概念上没有注入或操纵代码指针(例如，返回地址或函数指针)。因此，COOP不受保护代码指针完整性和真实性的防御的影响。此外，在COOP中，gadget并不相对于堆栈指针工作。相反，gadget是相对于一组对手定义的伪造对象上的this-ptr调用的。注意，在c++中this-ptr允许对象访问自己的地址。相对于this-ptr的寻址意味着不能通过防止堆栈指针指向程序堆的防御来缓解COOP，这是通过基于堆的内存损坏漏洞发起的基于rop的攻击的典型情况。COOP攻击中使用的伪造对象通常是重叠的，这样数据就可以从一个设备传递到另一个设备。即使在简单的COOP程序中，手动定位假冒对象也会变得复杂。因此，我们实现了一个编程框架，该框架利用Z3 SMT求解器[de Moura and Bjørner 2008]自动派生出COOP程序的对象布局。本章的主要结果发表在之前的会议论文[Schuster et al. 2015]和博士论文[Schuster 2015]中。在本章中，我们简化了演示，并强调了在尝试防范类似coop的攻击时所面临的挑战。某些细节被省略，感兴趣的读者可以参考与此主题密切相关的出版物。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

The Continuing Arms Race

自引率

0.00%

发文量