FIT5003 Software Security
Attack and Defence March 2020
1
Terminology
• Attack
• The activity to realize a threat on a system (i.e. attack the system)
• E.g. steal information from a bank
• Defence
• A technique to stop attacks from happening in the first place.
• E.g. encrypt all the information stored in the bank
2
Attack Methodology
• What does a typical program look like and what valuables does it contain? • What is the adversary’s motivation for attacking your program?
• What information does he start out with as he attacks your program?
• What is his overall strategy for reaching his goals?
• What tools does he have at his disposal?
• What specific techniques does he use to attack the program?
3
Attack Methodology
P
Core Semantics
Protection Semantics
Stripped Unstripped
Stripped binary (blackbox)
scanf, printf scanf, printf
test,…
4
Attack Methodology
Black- box
Dynamic
Static
Locate Protection
Alter Binary
Test
P
Core Semantics
Protection Semantics
Stripped binary (blackbox)
5
Attack Methodology
P
Core Semantics
Protection Semantics
P
Core Semantics
Protection Semantics
Attack Semantics
Stripped binary (blackbox)
6
Attack Methodology
STRIDE Threat Model
Threat
Spoofing
Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
Property we want
Authentication Integrity Nonrepudiation Confidentiality Availability Authorization
7
Attack Methodology (STRIDE)
Spoofing
Impersonating another person/process
Cookie Replay / Session Hijacking CSRF (Cross-site request forgery)
8
Attack Methodology (STRIDE)
Tampering
Unauthorized alternations
XSS
SQL Injection
9
Attack Methodology (STRIDE)
Repudiation
Denying claims/unproven actions
Audit Log Deletion Insecure Backup
10
Attack Methodology (STRIDE)
Information Disclosure
Exposure to unauthorized person/process
Eavesdropping Verbose Exception
11
Attack Methodology (STRIDE)
Denial of Service (DOS)
Service unavailability Website defacement
12
Attack Methodology (STRIDE)
Elevation of Privilege
Increasing person/process access level
Exploit software vulnerability (e.g. Buffer Overflow) Logic Flow Attacks
13
Buffer Overflow Attack
A bit of History
1972: first public mention in “Computer Security Technology Planning Study” [1]
1988: Morris Worm exploited a buffer overflow in the finger daemon [2]
1996: Famous tutorial “Smash the Stack for Fun and Profit” published in Phrack 49 by Elias Levy (aka Aleph One) [3]
[1] Anderson, James P. Computer Security Technology Planning Study.
Volume 2. Anderson (James P) and Co Fort Washington PA, 1972
[2] Spafford, Eugene H. “The internet worm incident.” European Software Engineering Conference. Springer, Berlin, Heidelberg, 1989
[3] One, Aleph. “Smashing the stack for fun and profit (1996).” See http://www. phrack. org/show. Php
15
Buffer Overflow Attack
A bit of History
2017: Exploiting buffer overflows in Intel ME [1] Intel ME: proprietary autonomous subsystem in Intel’s
processor running even if the computer is asleep Recent example on how to bypass stack cookie
[1] Ermolov, Mark, and Maxim Goryachy. “How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine.”
Black Hat Europe (2017).
16
Buffer Overflow Attack
Buffer
Container for data Bytes in memory
0
1
2
3
4
5
buf
17
Buffer Overflow Attack
Buffer
Container for data Bytes in memory
buf[6] = ‘o’;
0
1
2
3
4
5
buf
?
18
Buffer Overflow Attack
buf[6] = ‘o’;
buf Consequence
Nothing Segmentation fault Custom Code Execution
?
0
1
2
3
4
5
19
Buffer Overflow Attack
buf[6] = ‘o’;
0
1
2
3
4
5
buf Nothing
?
For performance reasons, the OS might allocate multiple of 8 bytes
Overflowing buf by a few bytes might not result in an error
20
Buffer Overflow Attack
buf[6] = ‘o’;
buf Segmentation Fault
?
0
1
2
3
4
5
If the index is large it will eventually reach a memory zone not allocated to the program
The OS detects it and stops the program The overflow might also corrupt existing data
21
Buffer Overflow Attack
buf[6] = ‘o’;
buf
Custom Code Execution
?
0
1
2
3
4
5
The overflowing bytes have to redirect the execution flow to the customized code
22
Buffer Overflow Attack
Stack
Heap
BSS segment
Data segment
Text segment
high address
Local variables and data
related to function calls
low address
Dynamic memory allocation
malloc, calloc, free
Uninitialized
static/global variables
Initialized
static/global variables
Executable code of the
program
23
Buffer Overflow Attack
stack grows
void foo(char *str) {
char buffer[12];
strcpy(buffer, str);
}
arguments
local
variables
Stack
foo()
value of str
return address
previous FP
value of buffer
Current FP
(Frame Pointer)
24
Buffer Overflow Attack
stack grows
void foo(char *str) {
char buffer[12];
} strcpy(buffer, str);
int main() {
char *str = “test”;
} foo(str);
Stack
main()’s FP
Foo()’s FP
Current FP
(Frame Pointer)
25
Buffer Overflow Attack
stack grows
void foo(char *str) {
char buffer[12];
} strcpy(buffer, str);
int main() {
char *str = “test”;
} foo(str);
main()’s
stack
foo()’s
stack
Current FP
(Frame Pointer)
value of str
return address
previous FP
buffer[11] ……
buffer[0]
buffer copy
26
Buffer Overflow Attack
stack grows
int main() {
void foo(char *str) { char *str = “This is
char buffer[12]; definitely longer than 12”; } strcpy(buffer, str); } foo(str);
main()’s
stack
foo()’s
stack
Current FP
(Frame Pointer)
value of str
return address
previous FP
buffer[11] ……
buffer[0]
buffer copy
27
Buffer Overflow Attack
stack grows
malicious
code
main()’s
stack
foo()’s
stack
overwrite
Trigger the
execution of
malicious payloads
overwrite
new address
overwrite
buffer[11] ……
buffer[0]
buffer copy
28
Creation of The Malicious Input (badfile)
Task A : Find the offset distance between the base of the buffer and return address. Task B : Find the address to place the shellcode
Task B : Address of Malicious Code
• To increase the chances of jumping to the correct address, of the malicious code, we can fill the badfile with NOP instructions and place the malicious code at the end of the buffer.
Note : NOP- Instruction that does nothing.
Countermeasures
Developer approaches:
• Use of safer functions like strncpy(), strncat() etc, safer dynamic link libraries that check the length of the data before copying.
OS approaches:
• ASLR (Address Space Layout Randomization)
Compiler approaches:
• Stack-Guard-> Stack Canaries
Hardware approaches:
• Non-Executable bit (NX bit) Stack
Principle of ASLR
To randomize the start location of the stack that is every time the code is loaded in the memory, the stack address changes.
Difficult to guess the stack address in the memory.
Difficult to guess %ebp address and address of the malicious code
Address Space Layout Randomization : Working
1
2
3
Return Oriented Programming Attacks
Chain gadgets to execute malicious code.
A gadget is a suite of instructions which end by the branch
●
instruction ret (Intel) or the equivalent on ARM.
– Intel examples: ● pop eax ; ret
● xor ebx, ebx ; ret
– ARM examples: ● pop {r4, pc}
● str r1, [r0] ; bx lr
Objective: Use gadgets instead of classical shellcode Why?
Gadgets are mainly located on segments without ASLR and on pages marked as executables – It can bypass the ASLR
– It can bypass the NX bit
ROP Attack process
Attack Road map:
•Find your gadgets
•Store your gadgets addresses on the stack
You must to overwrite the saved eip with the address of your first gadget
Example on x86 (figure) Gadget1 is executed and returns Gadget2 is executed and returns Gadget3 is executed and returns
And so on until all instructions that you want are executed
So, the real assembly code execution is: pop eax
xor edx, edx inc ecx
MATE
MATE: Main-at-the-end Attack
MATE attacks occur in any setting where an adversary has physical access to a device and compromises it by inspecting, reverse engineering, or tampering with its hardware or software.
36
MATE
Tamper Clone Keys
Code & Content
37
MATE
set_top_box() {
}
if (bob_paid(“ESPN”))
allow_access();
if (hw_is_tampered()
||
sw_is_tampered()
||
bob_is_curious()
||…)
punish_bob();
Code & Content
Tamper Clone Keys
38
MATE
int main () {
if (today > “Aug 17,2016”){
printf(“License expired!”);
abort; }
}
39
MATE
in
n
t
t
m
m
a
a
i
i
pr
n
n
(
i
e
> “Aug 17,2016”){ “License expired!”);
i
f
f
(
(
ri
f
{ ){
t
in
a
o
nt
()
l
d
){
s
p
y
tf
a
f(
}
}
abort; }
(
“
a
Hack!
40
MATE
Extract Code! Discover Algorithms! Find Design!
Find Keys!
Modify Code!
Hack!
int foo()
{ …………
}
Man-At-The-End
41
MATE
encrypt
()
42
MATE
}
()
int DigitalRightsMgmt () {
album=download();
key=0x47…;
song=decrypt(key,album);
play(song);
encrypt
43
MATE
in
t () { oad();
nt
t
D
a
D
l
i
ig
lb
ke
o
b
y
gi
u
u
=
i
m
t
ta
m=
a
=d
0x
l
lR
do
4
Ri
ow
w
i
n
n
g
gh
l
l
ht
ts
s
M
Mg
g
a
mt
m
k
7…
s
;
e
y
on
=0
g
x4
7
…;
(key,album); play(song);
so
ng
=
=
d
d
e
e
c
c
r
r
y
y
p
p
t
t
(
}
}
encrypt
()
44
MATE
Malicious
insider!
Secret!
Evade discovery! Hide intent! Destroy data! Exfiltrate secrets!
45
MATE
Malware!
Secret!
Exploit vulnerability! Evade discovery! Survive reboot! Hide intent!
Destroy data! Exfiltrate secrets!
46
Defense Strategy
• Code Transformations • Obfuscation
• Tamperproofing
• Watermarking
• Code Analysis
• Static Analysis
• Dynamic Analysis
47
Obfuscation
Obfuscation is the obscuring of the
intended meaning of communication by making the message difficult to understand, usually
with confusing and ambiguous language.
In network security, obfuscation refers to methods used to obscure an attack payload from inspection by network protection systems.
48
Obfuscation
int main()
{ Abstraction
Destroy module structure, classes, functions, etc.!
Replace data structures with new representations!
………… }
Transformation
Data Transformation
Control Transformation
Dynamic Transformation
Destroy if-, while-, repeat-, et}c.!
Make the program change at runtime!
49
Obfuscation
int main() {
int y = 6;
y = foo(y);
bar(y,42); }
int foo(int x)
return x*7; }
void bar(int x, int z) { if (x==z)
printf(“%i\n”,x);
}
50
Obfuscation
int main() {
int y = 6;
Abstraction Transformation
y = foobar(y,99,1);
foobar(y,42,2); }
int foobar(int x, int z, int s) { if (s==1)
return x*7; else if (s==2)
if (x==z)
printf(“%i \n”,x);
}
51
Obfuscation
int main () { int y = 12;
y = foobar(y,99,1);
} foobar(y,36,2);
Abstraction Transformation
Data Transformation
int foobar(int x, int z, int s) { if (s==1)
} }
int x2=x*x%51,×3=x2*x%51;
int x4=x2*x2%51,×8=x4*x4%51;
int x11=x8*x3%51;
printf(“%i\n”,x11);
return (x*37)%51; else if (x==z) {
52
Obfuscation
int foobar(int x, int z, int s){
char* next=&&cell0;
int retVal = 0;
cell0: {
next=(s==1)?&&cell1:&&cell2;
goto *next;}
cell1: {retVal=(x*37)%51; goto end;} cell2: {next=(s==2)?&&cell3:&&end; goto *next;}
cell3: {next=(x==z)?&&cell4:&&end; goto *next;}
cell4: {
int x2=x*x%51,×3=x2*x%51;
int x4=x2*x2%51,×8=x4*x4%51;
int x11=x8*x3 % 51;
printf(“%i \n”,x11); goto end;
}
end: return retVal;
}
Abstraction Transformation
Data Transformation
Control Transformation
53
Tamperproofing
Tamperproofing is a term sometimes used for a methodology used to hinder, deter or detect unauthorised access to a device of a security system.
54
Tamperproofing
int foo () {
in
nt
t
f
f
o
oo
o(
(
)
){
{
today > “Aug 17,2016”
f
a
l
s
if (
e
){
> “Aug 17,2016”){
i
if
f
printf(“License expired!”);
(
(
t
o
d
a
y
){
“License expired!”);
} }
p
p
r
r
i
in
nt
( abort;
“
tf
f(
a
abort;
}
}
}
check(){
if (hash(foo)!=42)
}
abort()
55
Tamperproofing
int hash (addr_t addr,int words){
int h = *addr;
for(int i=1; i