Framing Signals - A Return to Portable Shellcode

2014 IEEE Symposium on Security and Privacy Pub Date : 2014-05-18 DOI:10.1109/SP.2014.23

Erik Bosman, H. Bos

{"title":"Framing Signals - A Return to Portable Shellcode","authors":"Erik Bosman, H. Bos","doi":"10.1109/SP.2014.23","DOIUrl":null,"url":null,"abstract":"Signal handling has been an integral part of UNIX systems since the earliest implementation in the 1970s. Nowadays, we find signals in all common flavors of UNIX systems, including BSD, Linux, Solaris, Android, and Mac OS. While each flavor handles signals in slightly different ways, the implementations are very similar. In this paper, we show that signal handling can be used as an attack method in exploits and backdoors. The problem has been a part of UNIX from the beginning, and now that advanced security measures like ASLR, DEP and stack cookies have made simple exploitation much harder, our technique is among the lowest hanging fruit available to an attacker. Specifically, we describe Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. Like return-oriented programming (ROP), sigreturn oriented programming constructs what is known as a 'weird machine' that can be programmed by attackers to change the behavior of a process. To program the machine, attackers set up fake signal frames and initiate returns from signals that the kernel never really delivered. This is possible, because UNIX stores signal frames on the process' stack. Sigreturn oriented programming is interesting for attackers, OS developers and academics. For attackers, the technique is very versatile, with pre-conditions that are different from those of existing exploitation techniques like ROP. Moreover, unlike ROP, sigreturn oriented programming programs are portable. For OS developers, the technique presents a problem that has been present in one of the two main operating system families from its inception, while the fixes (which we also present) are non-trivial. From a more academic viewpoint, it is also interesting because we show that sigreturn oriented programming is Turing complete. We demonstrate the usefulness of the technique in three applications. First, we describe the exploitation of a vulnerable web server on different Linux distributions. Second, we build a very stealthy proof-of-concept backdoor. Third, we use SROP to bypass Apple's code signing and security vetting process by building an app that can execute arbitrary system calls. Finally, we discuss mitigation techniques.","PeriodicalId":196038,"journal":{"name":"2014 IEEE Symposium on Security and Privacy","volume":"2 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"97","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2014.23","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 97

Abstract

Signal handling has been an integral part of UNIX systems since the earliest implementation in the 1970s. Nowadays, we find signals in all common flavors of UNIX systems, including BSD, Linux, Solaris, Android, and Mac OS. While each flavor handles signals in slightly different ways, the implementations are very similar. In this paper, we show that signal handling can be used as an attack method in exploits and backdoors. The problem has been a part of UNIX from the beginning, and now that advanced security measures like ASLR, DEP and stack cookies have made simple exploitation much harder, our technique is among the lowest hanging fruit available to an attacker. Specifically, we describe Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. Like return-oriented programming (ROP), sigreturn oriented programming constructs what is known as a 'weird machine' that can be programmed by attackers to change the behavior of a process. To program the machine, attackers set up fake signal frames and initiate returns from signals that the kernel never really delivered. This is possible, because UNIX stores signal frames on the process' stack. Sigreturn oriented programming is interesting for attackers, OS developers and academics. For attackers, the technique is very versatile, with pre-conditions that are different from those of existing exploitation techniques like ROP. Moreover, unlike ROP, sigreturn oriented programming programs are portable. For OS developers, the technique presents a problem that has been present in one of the two main operating system families from its inception, while the fixes (which we also present) are non-trivial. From a more academic viewpoint, it is also interesting because we show that sigreturn oriented programming is Turing complete. We demonstrate the usefulness of the technique in three applications. First, we describe the exploitation of a vulnerable web server on different Linux distributions. Second, we build a very stealthy proof-of-concept backdoor. Third, we use SROP to bypass Apple's code signing and security vetting process by building an app that can execute arbitrary system calls. Finally, we discuss mitigation techniques.

查看原文本刊更多论文

分帧信号——对可移植Shellcode的回归

自20世纪70年代最早实现以来，信号处理一直是UNIX系统的一个组成部分。现在，我们可以在所有常见的UNIX系统中找到信号，包括BSD、Linux、Solaris、Android和Mac OS。虽然每种风格处理信号的方式略有不同，但实现都非常相似。在本文中，我们证明了信号处理可以作为一种攻击方法来利用和后门。这个问题从一开始就是UNIX的一部分，现在先进的安全措施，如ASLR、DEP和堆栈cookie使简单的利用变得更加困难，我们的技术是攻击者最容易获得的成果之一。具体来说，我们描述了面向信号返回的编程(SROP)，这是一种在类unix系统中利用漏洞和后门的新技术。与面向返回的编程(ROP)一样，面向签名返回的编程构建了所谓的“怪异机器”，攻击者可以通过编程来改变进程的行为。为了给机器编程，攻击者设置了虚假的信号帧，并从内核从未真正传递过的信号中启动返回。这是可能的，因为UNIX将信号帧存储在进程堆栈上。面向Sigreturn的编程对于攻击者、操作系统开发人员和学者来说都很有趣。对于攻击者来说，该技术非常通用，其先决条件与现有的利用技术(如ROP)不同。此外，与ROP不同，面向符号返回的编程程序是可移植的。对于操作系统开发人员来说，该技术提出了一个从一开始就存在于两个主要操作系统家族中的一个中的问题，而修复(我们也提出)是非平凡的。从更学术的角度来看，它也很有趣，因为我们展示了面向签名返回的编程是图灵完备的。我们在三个应用中演示了该技术的有用性。首先，我们描述了在不同的Linux发行版上利用易受攻击的web服务器。其次，我们建立了一个非常隐蔽的概念验证后门。第三，我们使用SROP绕过苹果的代码签名和安全审查过程，构建一个可以执行任意系统调用的应用程序。最后，我们讨论了缓解技术。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE Symposium on Security and Privacy

自引率

0.00%

发文量