Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Diversity Algorithms for Worrisome
Software and Networks
(DAWSON)
James Just, Nathan Li, Mark Cornwell
Global InfoTek, Inc.
Jeff Rowe, Tufan Demir
UC Davis
R. Sekar
SUNY Stony Brook
15 December 2005
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
DAWSON Overview
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Explores Biologically Inspired Diversity
• Automatically generates a large number of
program variants
– Variants differ in terms of memory layout
• Targets memory errors such as buffer
overflows
• Implemented on Microsoft Windows
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Agenda
Non-Bypassability
SYSTEM.SYS
Defense Techniques
•
•
•
•
•
Introduction
Development Update
Testing Update
Analytic Update
Conclusions
Diversity System Functional Architecture
Address randomization does not remove vulnerability
but makes effect of attack unpredictable
Normal user
inputs work
Attacker (memory error exploits)
Modifications
transform original
stored program User Inputs
Translation
Other
System
Resources
Original
Program
Modified PE
File, Loader &
System Calls
PRNG*
Optional
Annotation
File
*Pseudo-Random Number Generator
Wrapper
Some attacks fail
Transformed
because
In-memory vulnerability is not
program
at assumed
address
Other attacks
fail because
injected
commands
are wrong
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Multi-Layer Defense
Strategy
Layer 1 - Prevent Remote Exploit of Memory Errors
Layer 2 - Prevent Injected Code from Properly Executing
Layer 3 - Prevent Bypass of Layer 2
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Characterizing
DAWSON’s
Multi-Layer Defenses
Writable memory
Layer 1
Layer 2
STACK
HEAP
Randomize
base of main
and thread
stack
Randomize
heap base
Randomize
heap allocs
Executable memory
Kernel
memory
USER.EXE USER.DLL SYS.DLL SYS.SYS
Exploit
Randomize
Code
Location
Rebase DLL
IAT Permutation
PEB/SEH Masking*
Layer 3
Payload
NonBypassability*
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Development Update
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
DAWSON Development
Phases
• Phase 1: First 6 months:
– Diversity approaches
– Code transformation techniques
• Phase 2: Second 6 months
– Windows randomization integration
– Application protection
• Phase 3:Third 6 months
– Host protection
– Performance and memory efficiency
– Extensive tests
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
DAWSON on a Host
Non-Bypassability
SYSTEM.SYS
Defense Techniques
OS: User address space
layout creator
Randomization and
Protection Layer:
Randomized User
Address Space
Remote Monitor &
Controller (e.g.,
Blackboard)
Messages
Local Host
Randomization
Configuration
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
DAWSON Changes
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
(Since July '05)
• Primary Stack Randomization
– Native API Augmentation
– Coming – Kernel driver integration
• System DLLs Base Randomization (Rebasing)
– Kernel Mode Driver
• PEB/SEH protection
– Debugging API
• 6 New Exploits
• Extensive Testing
– Test in small
– Test in large
– Red team exercise
Attack Depth
Exploit
Payload
OS Depth
DLL Rebasing Issues
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Rebasing system DLLs like ntdll and kernel32
– Solution: use kernel-mode driver to rebase at boot-time
• Cost Vs Benefit
– Significant benefits: can break exploit and payload
– Costs:
• Performance impact to relocate code
• Memory impact due to reduced sharing across processes
– Options:
• Baseline: Rebase and Share
– shared, but introduces common vulnerabilities across all apps
• Rebase on First Use
• Rebase on Request
– Configurable via registry settings
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
DAWSON Second Layer
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Payload Execution Prevention
– IAT permutation (Done prior to July PI meeting)
• IAT used to lookup addresses of functions in DLLs
• By permuting the order of IAT entries, attack code will
access the wrong function
– PEB/SEH Protection (New)
• PEB is a data structure with the addresses of common API
functions
• PEB is memory protected, accessing PEB raises an
exception
• Exception Handler checks location of caller, if it is
outside the program boundary, access is denied.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Rebasing Executables
using Exception Handler
Exception Handler
with
stack
Address Map
IAT
IAT
.text
.text
1
Address
3
Map
2
2
1
3
2
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Limitations
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Where Absolute Address
Randomization Fails
• Non-pointer attacks
– Overflow a buffer to corrupt nearby non-pointer data, e.g.,
string used as argument of execve
– Relies on the ability to find security-critical data next to
vulnerable buffers: Not very easy.
• Attacks that can extract “randomization key”
– “Information leakage attacks”
– Relies on a vulnerability that sends back pointer values in a
response to a request
• Vulnerabilities shared by many other defenses
– StackGuard, StackGhost, PointGuard and some ISR
implementations
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Repetitive attacks
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Double-pointer attack
– AAR provides only limited protection
• Guessing attacks
– Require of the order of 15K attempts
• Solutions
– Layer 2 defenses
– Automated response:
• Filtering based on automatically generated signature is a
promising approach to address these
• [Liang et al ’05] generate successful signatures to reliably
block 10 of 11 attacks in their test suite.
• Less than 10% performance overheads, no false positives.
Expected Attack Attempts for
Conventional Attacks
Attack Name
Effect 1
Effect 2
Expected attack attempts
Stack-smash
Injected code
Base ptr attack
Write using
corrupted ptr
Return-to-libc
Existing code
Format string
Write using
corrupted ptr
Injected code
15K
Heap overflow
Write using
corrupted ptr
Injected code
15K
Integer overflow (1)
Write using
corrupted ptr
Injected code
15K
Integer overflow (2)
Injected code
500K to 5M
Injected code
500K to 5M or more
15K
15K
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Testing Update
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Implementation Status
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Kernel Driver: System DLLs randomization
• Layer 1:
–
–
–
–
2-Level Stack Randomization, including primary stack
2-level Heap Randomization
Application DLLs randomization
EXE randomization when .reloc is available (included in
synthetic vulnerable server)
• Layer 2:
– IAT permute and library name erase integrated
– SEH/PEB protection developed, NOT integrated
• Layer 3: Not integrated
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Testing Changes
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
(Since July 05)
• Extended Benchmark Vulnerable Service to
incorporate 15 vulnerabilities.
– Extended Attack Corpus to 15 corresponding attacks
packaged in Metasploit.
• Extensive internal testing
– Performed testing on Emulab to observe contributions of
individual randomizations.
– Automated testing on small scale 3-node in-house testbed
and used results to refine/debug randomization software.
– Built an iterative test to restart VulnSrv to support testing of
brute force attacks.
• Conducted Red Team Experiment in November.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
DAWSON Testing
Platform
Monitoring
Metasploit
Attack Center
Listening
Listening
Listening
Listening
Thread
Thread
Thread
Thread
Vulnerable
Vulnerable
Vulnerable
Vulnerable
Service
Service
Service
Service
Attack
String
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Key Test Characteristics
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Vulnerabilities
–
–
–
–
–
Stack buffer Overflow
Format String
Integer Overflow
Heap Overflow
A function may have combinations of the
vulnerabilities
• Payloads:
– Injected Code
– Existing Code
– Existing Program
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Test Demo
Defense Techniques
Randomization
Blocks most attacks
from the test corpus.
All randomizations
turned on.
Single Kernel
Randomization.
2 Dec 2005
12:12PM
Kmd+1111
w/ConflResolv1201
Processes rerandomize every
process start.
Comparative Results
Attack Depth
Exploit
Payload
USER.EXE
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
100%
Benchmark attacks against
unrandomized baseline avg.
penetration rate =100%
90%
80%
70%
60%
100%100%
100%
50%
100% 100%
100%
40%
100% 100%
100%
With initial randomization,
avg. penetration rate fell to
2.4%
100%
100%
30%
100%
100%
100%
100%
20%
After further engineering
effort, avg. penetration
rate fell to 0.56%
10%
5%
0%
heapov5
heapov4
heapov3
heapov1
heapov2
fmrstr1
integerov1
stackov_rtl
stackov_lfp
stackov_esp_kernel32
stackov_esp_exe
0% 5%
0% 1% 0% 0%
0% 5%
0%
6%
0%
5%
0%
5%
0%
5%
0%
5%
0% 6%
0%
1%
0%
0%
0%
0%
0%
stackov_esp_ntdll
stackov_abs
0% 0%
integerov2
USER.DLL
stackov_esp
OS Depth
Overall Layer 1 Effectiveness
Randomize Stack Base and Allocation
Test results show DAWSON
randomization implementation is
growing increasingly effective.
Further to go to approach
theoretical limits.
Attack Depth
Exploit
OS Depth
Breakdown of Individual
Randomization Effectiveness
Payload
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
none
"0000"
fmrstr1
heapov1
heapov2
heapov3
heapov4
heapov5
integerov1
integerov2
stackov_abs
stackov_esp
stackov_esp_exe
stackov_esp_kernel32
stackov_esp_ntdll
stackov_lfp
stackov_rtl
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
without Kernel Mode Driver (KMD)
dll-only
heap-only stack-only iat-only
"1000"
"0100"
"0010'
"0001"
0
2
2
0
2
2
0
0
0
0
0
0
0
0
0
0
2
2
0
2
2
0
2
2
1
0
0
0
2
0
0
2
0
2
2
2
2
2
2
0
2
2
0
2
2
On unprotected
system, all
baseline attacks
succeed
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
all-but-kmd none
"1111"
"0000"
0
0
0
0
0
0
0
0
0
0
0
2
2
0
0
Different randomization
techniques are effective
against some attack
classes and not others.
2
2
0
2
0
2
2
2
2
0
0
0
0
2
2
lilo with Kernel Mode Driver (KMD)
dll
heap
stack
iat
"1000"
"0100"
"0010"
"0001"
0
2
2
0
2
2
0
0
0
0
0
0
0
0
0
0
2
2
0
2
1
0
2
2
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
2
0
2
2
all
"1111"
2
2
0
2
0
2
2
2
2
0
0
0
0
2
2
Most effective when all
techniques are used in
combination.
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Minor Performance
Impacts
• Heap transformations cause 5% overhead for
apps that are intensive in heap allocations
• Other transformations don’t add recurring cost
– One-time overhead for relocation adds modestly to
the load-time
• Absolute address randomization does not
change program locality
– Most relocations occur at page granularity
– Relative locations of objects unchanged within a
page
Attack
Attack
Depth
Depth
Exploit
Exploit
Payload
Payload
OS Depth
OS Depth
Randomize
Randomize
StackStack
BaseBase
and Allocation
and Allocation
USER.EXE
USER.EXE
Randomize
Randomize
HeapHeap
BaseBase
and Allocation
and Allocation
Randomize
Randomize
CodeCode
Location
Location
USER.DLL
USER.DLL
Address
Address
Resolution
Resolution
Rebase
Rebase
DLL DLL
SYSTEM.DLL
SYSTEM.DLL
Performance Impact
Non-Bypassability
Non-Bypassability
SYSTEM.SYS
SYSTEM.SYS
Defense
Defense
Techniques
Techniques
Defense
Technology
Disk File
Size
Memory
Usage
Load Time Run Time
Increase
Increase
DLL Base
Randomization
None
None
< 1 millisec
None
Stack
Randomization
None
None
< 1 millisec
None
Heap Base
Randomization
None
None
< 1 millisec
None
Heap Block
Randomization
None
Up to 16 bytes
per block
None
< 5%
* Data collected on a Pentium 4 1.2GHz CPU with 768MB RAM
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Improving the Test Suite
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Further Work
– Add new exploits focusing on payload execution
– Testing payload execution protection
• Offer to security community
– A package to test memory defense technologies
– Open source vulnerable service with advanced
memory errors and exploits (packaged as
Metasploit modules)
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
DAWSON Red Team
Exercise
•Layer 1 blocked 15 of 16 attacks (many reps)
– Red team identified a new “double vulnerability”
– This unintended combination of a stack-buffer
overflow and format-string vulnerabilities made the
Red Team exercise a lot more interesting and useful!
•Layer 2 blocked the 16th attack
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Attack Outline
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Vulnerable code (simplified):
void vulnerable(char *attack) {
char buf1[512], buf2[512];
strcpy(buf1, attack);
sprintf(buf2, buf1);
}
• Attack
–
–
–
–
Guess a writable memory location X
Use format-string attack to inject code at X
Overflow buf2 to overwrite return address
Note: attack impossible if the order of declaration of buf1
and buf2 were interchanged!
• Use brute-force to guess X
Attack Depth
Exploit
Payload
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
formatStrAttack
formatStrThread
High
DWORD WINAPI FormatStrThread(LPVOID lparameter {
char safebuf[4096];
nRet=recv(peersock,safeBuf,sizeof(safeBuf),0);
formatStrAttack(safeBuf,nRet);
}
evil
char[4096]
safeBuf
void formatStrAttack(char *sbuffer, int nSize) {
char buf[512];
char bufmain[512];
sprintf(buf, “String : %s”,sBuffer); // (1)
sprintf(bufmain,buf);
// (2)
}
// (4)
(1)
1)
raddr
(2)
2)
496
some page in memory
0x7ffdxxxx
char[512]
bufmain
(3)
char[512]
buf
evil
Arg5
Arg4
Arg3
3)
4)
JMP ESP
waddr
Arg2/fmt
Arg1/dest
sprintf
OS Depth
Attack Details: Layer I
Randomize Stack Base and Allocation
5)
6)
7)
Low
Addresses embedded at start of attack
string get interpreted as arguments to
sprintf(*dest,*fmt,arg1,arg2,arg3,…)
MDVULN.dll –
vulnerable
service code
sprintf(void*dest, char*fmt,…)
…interprets lots of % conversion spex
…to access stack in flexible …ways
First sprintf copies the attack string from
safeBuf into buf.
Second sprintf interprets “496c” in format
string overflowing waddr into the return
address location.
“%229c%hn%229c%hn” manipulates #chars
written to write a JMP ESP instruction into 2
bytes at waddr.
Return from formatStrAttack branches to
waddr and executs JMP ESP instruction. At
this time ESP points into expanded format
string near bufmain..
ESP is manipulated to point to where shell
code slid to inside the formatStrThread stack
frame.
Normal return now branches to waddr where
it executes the JMP ESP
ESP location contains shellcode on stack
that gains control & bootstraps a DLL
injection attack.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Attack Details: Layer II
Non-Bypassability
SYSTEM.SYS
Defense Techniques
char[4096]
safeBuf
Shell
code
exploit
parms
Metasploit shell code for DLL
injection:
1.
2.
3.
4.
Uses PEB to look up
GetProcAddress and LoadLibrary
Loads w32.dll and opens socket
connection to call home.
Loads the injected DLL payload
(hackmark.dll) into memory and
tricks Windows into treating it as a
and ordinary DLL linked & loaded.
Transfers execution to the init entry
point in the DLL.
DAWSON Layer 2
Catches and stops
PEB access since
it made from code
executing from the
stack.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Estimating number of
attempts needed
• Attacker needs to guess a writable memory location X
• Probability of correctly guessing X
= fraction of writable memory in address space
= 10MB/2GB = 0.005, for an app using 10MB data
• Vulnerable server uses 0.5MB, so probability of
success should be about 1/4000
• But Red Team succeeded in 128 attempts! Why?
– Red Team was varying only the leading 8 bits of address
– PEB was not relocated, and happened to be located at an
address that matched the lower 24-bits used by Red Team
– Red Team informed by the Blue team of this vulnerability
• And the possibility of injecting code into PEB
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Red Team Attack:
Conclusions
• DAWSON robust against attacks that exploit any
single vulnerability in vulnerable server
• Randomization is vulnerable to rare combinations of
vulnerabilities
• To be effective, all memory regions should be
randomized
– Non-randomization of PEB was the reason for Red Team to
succeed in ~100 attempts as opposed to about ~4000
– Ongoing work with kernel driver will relocate PEB/SEH,
thus addressing this weakness
• Multi-layered approach is important
– Layer 2 was able to defeat the attack even though the attack
got through layer 1.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Tech Transition
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Looking at Service IA entrance points, e.g.,
– CECOM/CERDEC (S&TCD)
– Navy (NMCI)
– Air Force
• Initial ideas for commercial sales & support
– Commercial partner
– Spin-off
– Other (GOTS)?
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Further Development
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Issues
–
–
–
–
Fixed PEB/TEB base location
Exception handler location
Initial process heap/CRT heap base randomization
Some things not exhaustively covered
• Process/thread creation, memory allocation
– Undocumented Native API
• Occasional communication error with Win32 subsystem
– Inadequate monitoring and control
• Solutions
– Kernel mode driver
– Expanded vulnerabilities and attacks for Layer 2 testing
– Control and alerting interfaces
• Enterprise capabilities and productization needed
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Thank You
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Questions?
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Backup Slides
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Analytic Update
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Address Space
Randomization (ASR)
• Absolute address randomization
– Randomize absolute address of an object
– Distances between objects may not be randomized
• Relative address randomization
– Randomize distances between objects, even those
within the same segment
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Attacks on DAWSON
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Exploit phase
– Defeating randomization
• Payload execution phase
– Difficulty of successfully executing system
functions needed to carry out the attack
– Comes into play if and when DAWSON exploit
protection is defeated
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Probability of Successful
Attacks
Pr(A) = Pr(V)/[EE(A) * PEE(A)]
• Success probability of attack A exploiting
vulnerability V
• EE: “exploit effort”
–Given by range of randomization of addresses involved in A
• PEE: “payload execution effort”
–Attempts to successfully execute “attack payload”
• Multiplicative effect
–requires rerandomization after every failed attack
–does not apply if attack defeats the same randomization in
both layers
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Layer 2 Threat Model
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Injected code has begun execution
• Attack needs to invoke system APIs to deliver
its payload
• No direct invocation of system calls
– Supposed to be protected by layer 3 (not
implemented for DAWSON)
• Existing code attacks
– Still requires breaking layer 1 defense to get to
exploitable code within application
• We estimate PEE(V) for other types of attacks
Attack Depth
Exploit
Payload
OS Depth
Data Attacks
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Attack Name
Effect 1
Effect 2
Expected attack attempts
[Chen et al] Wu-Ftpd Write using
Corrupt data value 15 to 30K, can possibly be increased
corrupted pointer
by another 4K to 16K times
[Chen et al] NullHttpd Write using
Corrupt data value Same as above
corrupted pointer
[Chen et al] Telnetd
Write using
Corrupt data value Same as above
corrupted pointer
[Chen et al] GHttpd
Write using
corrupted pointer
Same as above
[Chen et al] Sshd
Corrupt data value
Need more details.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
PE(V) for conventional
attacks
• Stack-smashing
– modify return address to point to injected code on
stack
– Range of possible code addresses is 1GB
– Can improve success using NOP padding
• With 1KB padding, PE(V) = 10-6
• Heap overflow
– Relies on knowing absolute addresses
– If target pointer is in static data area,
PE(V) = 1GB/64KB = 15K
– This estimate applies to many other attack types:
return-to-libc, format-string,…
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Attacks on DAWSON
Randomization
• Exploit weaknesses in randomization
– Attacks that can extract “randomization key”
• “information leakage attacks”
– Partial overflow attacks
• Overflow only the least significant byte of address
– Double pointer attacks
• Rely only on finding a writable address in memory
– All require a combination of vulnerabilities
• Low likelihood of finding them
• Derandomization (brute-force) attacks
– Analyzed work factor in the next slides.
– [Liang et al ’05] approach promises to block these …
• Automatically learn signatures of memory error exploits and
discard subsequent instances of them
• Shown to be very effective on recent attacks on Linux
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Exception Handler
Protection – The Numbers
• Program address space is ~2Gb
• Assume a program size of ~200 Mb
• Dummy padding with alert functions and failcrash code size is ~1.8 Gb
• Attacker has a 1 in 500 Million chance of
getting the right DLL address; 90% chance of
tripping an alarm per try.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Attack Descriptions
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Vulnerability
Attack Name, VulnNum, Port
Exploit Target
Payload Execution
Stack Buffer Overflow
Run_Stackov_abs
VulnNum 100, Port 9100
Absolute stack address contains return Address, (32 bytes NOP)
Inject buffer,
Stack Buffer Overflow
Run_Stackov_esp
VulnNum 110, Port 9110
Overwrite stack return address with jmp ESP in vulnerable DLL, (32 bytes NOP)
Inject buffer
Stack Buffer Overflow
Run_Stackov_esp_exe
VulnNum 111, Port 9111
Overwrite stack return address with jmp ESP in EXE
(32 bytes NOP)
Inject buffer
Stack Buffer Overflow
Run_Stackov_esp_ntdll
VulnNum 112, Port 9112
Overwrite stack return address with Jmp ESP in NTDLL, (32 bytes NOP)
Inject buffer
Stack Buffer Overflow
Run_Stackov_esp_ws2
VulnNum 113, Port 9113
Overwrite stack return address with JMP ESP in ws2_32.dll, (32 bytes NOP)
Inject buffer
Stack Buffer Overflow
Run_stackov_rtl
VulnNum 120, Port 9120
Overwrite stack return address with a local function address
(32 bytes NOP)
Return to libc type.
Stack Buffer Overflow
Run_stackov_lfp
VulnNum 130, Port 9120
Overwrite a local function pointer that called later
(32 bytes NOP)
Return to libc type
Integer Overflow
Run_integerov1
VulnNum 200, Port 9200
Integer overflow data array and overwrite neighbor function pointer
Return to libc type
Integer Overflow
Run_integerov2
VulnNum 210, Port 9210
Integer overflow stack to overwrite exception handler with payload address
Return to libc type
Format string and
Stack Buffer Overflow
Run_stackov_fmr
VulnNum 300, Port 9300
Stack buffer overflow return address using format string function sprintf
Return to libc type
Heap overflow
Run_heapov1
VulnNum 400, Port 9400
Heap overflow to overwrite a local function pointer
Return to libc type
Heap overflow
Run_heapov2_peb
VulnNum 410, Port 9410
Heap overflow to overwrite RtlCriticalSection in PEB, cause
Call System() to launch an
external program
LookAsideList
Run_lookaside1
VulnNum 420, Port 9420
Heap Lookaside List overflow stack return address with payload function address
Return to libc
LookAsideList
Run_lookaside2
VulnNum 421, Port 9421
Heap Lookaside List overflow stack return
Return to libc
CriticalSectionList
Run_CSList
VulnNum 430, Port 9430
Process Heap Critical Section List Overflow to overwrite a local function pointer
Call System() to launch an
external program
Attack Depth
Exploit
Payload
OS Depth
Composite Results
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
none
"0000"
fmrstr1
heapov1
heapov2
heapov3
heapov4
heapov5
integerov1
integerov2
stackov_abs
stackov_esp
stackov_esp_exe
stackov_esp_kernel32
stackov_esp_ntdll
stackov_lfp
stackov_rtl
dll-only
"1000"
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
without Kernel Mode Driver
heap-only stack-only
"0100"
"0010'
0
2
0
2
0
0
0
0
0
0
0
2
0
2
0
2
1
0
0
2
0
2
2
2
2
2
0
2
0
2
Results of lilo VulnSrv2 without kernel driver randomization
Emulab + Red Team Demo System Composite
(KMD)
iat-only
"0001"
2
2
0
0
0
2
2
2
0
0
0
2
2
2
2
with KMD
kmd-only
"0000"+K
all-but-kmd
"1111"
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
0
0
0
0
0
0
0
0
0
0
0
2
2
0
0
2
2
0
2
0
2
2
2
2
0
0
0
0
2
2
all+kmd
"1111"+K
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
DAWSON Testing Notes
December 1, 2005
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Manual Tests
3 Node Red Team
Testbed
without Kernel Mode Driver (KMD)
lilo with Kernel Mode Driver (KMD)
none ("0000")
all ("1111")
Trials
Infected Blocked %Blocked Trials
Infected Blocked %Blocked
100 stackov_abs
65
65
0
0%
294
0
294
100%
110 stackov_esp
65
65
0
0%
294
14
280
95%
111 stackov_esp_exe
65
65
0
0%
294
0
294
100%
112 stackov_esp_ntdll
65
65
0
0%
294
0
294
100%
113 stackov_esp_kernel32
65
65
0
0%
294
0
250
85%
120 stackov_rtl
65
65
0
0%
294
15
279
95%
130 stackov_lfp
65
65
0
0%
293
15
234
80%
200 integerov1
65
65
0
0%
293
15
278
95%
210 integerov2
65
65
0
0%
293
15
278
95%
300 fmrstr1
65
65
0
0%
293
15
278
95%
400 heapov1
65
65
0
0%
293
15
278
95%
410 heapov2
65
65
0
0%
293
0
293
100%
420 heapov3
65
65
0
0%
294
0
294
100%
421 heapov4
65
65
0
0%
293
0
293
100%
430 heapov5
65
65
0
0%
293
15
278
95%
Composite result of
44 manual and 250 semi-automated test runs on fully randomized system.
65 manual runs on unprotected baseline system
Test run is 15 attacks, one against 15 new process instances
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Testing: Scale
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Small Scale Tests
Large Scale Tests
Method: Relatively more manual
Method: Much more Automated
Scale: Fewer test cases (tens to hundreds)
smaller networks (2 or 3 nodes).
Scale: Many more trials (thousands to
millions) larger networks (10’s to 100’s)
Observation: Close – More state available Observation: – Limited. Less state
for analysis (can stop and drill down into
available – can only inspect what was
images at run time – dynamic debugger)
logged. Logs massive but limited
Advantage: ability to stop and analyze
causes of unanticipated events, much state
data retained and available
Advantage: finds effects and problems that
occur at larger scales or over longer
periods of time.
Disadvantage: miss phenomena that occur Disadvantage: limited to data from log
at scale.
records – less complete picture of system
state.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Testing
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Testing in the small
– Fewer test cases, but closer observation
– Much system state available – can stop and run debugger to observe
even closer.
– When interesting phenomena occur can stop and drill down into system
state with debuggers, etc.
• Testing in the large
–
–
–
–
–
–
Flexible network based testing on Emulab
Test defenses on larger networks up to 100 nodes.
Automate a suite of tests
Provide feedback to developers
Provide examples on networks of non-trivial size.
Observe phenomena scale
• Test on larger networks of up to 100 hosts
• Use parallelism for more test cases over time
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
What is Emulab
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Project at Univ of UTAH (Jay Lepreau)
Shared network testbed of over 300 hosts
Dynamically imaged and configured for each
experiment
Web-interface to remote users
Common resource for researchers
Progenitor of numerous other testbeds
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
What we have done
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Automated Installation & Configuration of Emulab
Images for DAWSON
• Packaged a corpus of attacks in Metasploit
• Added instrumentation to detect marker file dropped
by attacker
• Automate attacks on variety of defense configurations
to probe effectiveness of individual randomizations.
• Sample test runs:
– 15 attacks x 6 defensive configurations = 90 trials
– Target population of 10 nodes
• Empirical validation of expectations
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Examples
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• DAWSON Wiki
– Main Page
• Overview
• Recent script generated results
• Quick Demo
– RDT
• Show log files
• Show summary chart
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Red Team Meeting
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Notes on Nov 7 Meeting with Red Team
– Attack Ideas
• Does vulnSrv2 have way to send data out a port?
– Potentially speed up probing
• Trigger reversion to old DLLs
• Restore original DLLs & convince system these are
already randomized
• Some critical data structures not randomized
• Direct system calls – interrupts/svc’s
Attack Depth
Exploit
Payload
USER.EXE
Baseline Effectiviness
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
100%
90%
80%
70%
60%
100%100%
100%
50%
100% 100%
100%
40%
100% 100%
100%
100%
100%
30%
100%
100%
100%
20%
10%
5%
0%
heapov5
heapov4
heapov3
heapov2
heapov1
fmrstr1
integerov2
integerov1
stackov_lfp
stackov_rtl
stackov_esp_ntdll
stackov_esp_exe
0% 5%
0% 1% 0% 0%
0%
5%
0%
6%
0%
5%
0%
5%
0%
5%
0%
5%
6%
0%
0%
1%
0%
0%
0%
0%
0%
stackov_esp
0% 0%
stackov_esp_kernel32
USER.DLL
stackov_abs
OS Depth
Randomize Stack Base and Allocation
100%
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Catalyst Experiment
Monitor
December 6, 2005
KMD+1111+ConflResolv1201
Called at approx 2:23 pm
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
Randomize Heap Base and Allocation
Randomize
Code
Location
USER.DLL
Address Resolution
Rebase DLL
SYSTEM.DLL
Abstract View of Attacks
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Characterize successful attacks as
program inputs e that transition from
good states to evil states.
Programs acting on
“good” inputs.
Pg
“good” states
Not compromised.
Pg in good states
stay in good states.
Represents desired
behavior.s
wp(Pg,G)<=G
G
Pe
“evil” states
Program acting on
“evil” inputs.
Attacker
compromised
system
E
“evil” states
Attacker succeeds
S
Pe describes flaws
where certain inputs
allow compromise
G<=wp(Pe,E)
Until we create more nearly
perfect programs, flaws in
realization of P will continue to
exhibit Pe cases
Attack Depth
Exploit
OS Depth
Idealized Effect of
Randomizing Transformations
Payload
Randomize Stack Base and Allocation
USER.EXE
Randomize Heap Base and Allocation
Randomize
Code
Location
USER.DLL
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Pg
Pf
Vulnerability to
e randomly
remapped to
an unknown f
G
Pe
Pg
G’
Pf
Pe
E’
E
S
S’
Randomizing Transform
After the Transformation:
Nearly all good inputs in good states
still work: wp(Pg,G’)<=G’
Previously successful attacks no longer
work: wp(Pe,G’)<=G’
f-attack analogs to old e-attack, where
wp(Pf,G’)<=E will appear, but
• f is hard to find for a specific host
• f’s are diverse over the host population
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Attack String Construction:
Phase I
my $evil = pack ('V', "$writeAddr");
$evil .= "\x41\x41\x41\x41";
$evil .= pack ('V',$writeAddr+1);
$evil .= "%496c";
$evil .= pack ('V',$writeAddr);
$evil .= "\x90\x90\x90\x90”
“\x83\xc4\x7f”
“\x83\xc4\x7f”
“\x83\xc4\x7f”
“\x83\xc4\x5f”
“\xff\xe4”
“%229c%hn%229c%hn”
“\x83\xec\x7f”
“\x83\xec\x7f”
“\x83\xec\x7f”
“\x83\xec\x5f";
$evil .= $shellcode;
Address to write 1st byte of JMP ESP instr
Padding
Address to write 2nd byte of JMP ESP instr
Offset sprintf destination to the return
address on stack
Short NOP sled
add esp,7fh (3 times)
add esp, 5fh
jmp esp
Point ESP to
a clean
copy of attack
String and jmp
into it
Format string escapes to write
the $writeAddr into the return address.
Entry point of our JMP ESP
Fixes up ESP register to prior value
Falls through into Metasploit shell code
for DLL injection.
Attack Depth
Exploit
Payload
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
An Alternative Attack: Phase I
Non-Bypassability
SYSTEM.SYS
formatStrThread
Defense Techniques
DWORD WINAPI FormatStrThread(LPVOID lparameter {
char safebuf[4096];
nRet=recv(peersock,safeBuf,sizeof(safeBuf),0);
formatStrAttack(safeBuf,nRet);
}
char[4096]
safeBuf
MDVULN.dll –
vulnerable
service code
void formatStrAttack(char *sbuffer, int nSize) {
char buf[512];
char bufmain[512];
sprintf(buf, “String : %s”,sBuffer); // (1)
sprintf(bufmain,buf);
// (2)
}
// (4)
1)
formatStrAttack
OS Depth
Randomize Stack Base and Allocation
Old ESP
return
char[512]
buff
MA
0x7ffdxxxx
2)
JMP ESP
3)
4)
char[512]
bufmain
A writeable/executable
page in memory
First Sprintf overflows buffer putting a
“magic” address MA into the return
address slot.
Second sprintf interprets the format
string poking a JMP ESP instruction
into memory at the “magic” address
ESP is manipulated to point to start of
shell code inside the stack frame.
Normal return now branches to MA
where it executes the JMP ESP
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
DAWSON
DLL Rebase Design
Considerations
• DAWSON DLL Rebase
– Benefits vs Costs
– Functionality vs Flexibility
• DLL Base randomization
– Rebase and Share
– Rebase on Demand
– Rebase on Request
• Local Configuration
• Interface with Blackboard
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
PEB/SEH Protection:
Exception Handlers
• Monitoring for exceptions are done
– From another process
• Using Win32 DEBUG API
– within the same process
• Using Vectored Exception Handling
• Monitor needs to receive exception events
before the attacker
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Four ways to monitor
exceptions
Load Time
Runtime
Monitoring
Process
CreateProcess(…,
DebugActiveProcess(pro
DEBUG_PROCESS,…) cess_id
)
DLL injection
Import table
modification &
CreateRemote
Thread(…) &
AddVectoredException
Handler(…)
AddVectoredException
Handler(…)
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Red Team Exploit Analysis
Non-Bypassability
SYSTEM.SYS
Defense Techniques
1. Phase I of the attack is insensitive to DLL positions or stack
locations. (see 6 & 7)
• It only needs a location to which it can write a JMP ESP instruction.
• It typically finds such a location inside a page where the PEB (Process
Environment Block) resides by default.
• Though marked READ_ONLY in SP1 an exception handler in the
kernel implements Copy-on-write semantics for the first write to this
page.
• The fixed address 0xffdc082 is near the PEB but not inside of it.
Writing to it does not typically corrupt the PEB/TEB structures.
2. In later testing, it appears that the Red Team attack either
always succeeds or always fails for a particular boot.
• Even in the failures, Phase I of the attack appears to work, i.e. the DLL
injection callback gains control and does execute.
• Attack fails by not successfully writing a marker file on the target host.
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Vulnerable Server
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• VulnSrv2.exe:
– A program run as a command line console
application.
– VulnSrv2 loads MdVuln2.dll and listen to the
specified port for certain vulnerability.
• Each vulnerability on a different port
– Uses multi-threaded server architecture
• One thread for each vulnerability
Attack Depth
Exploit
Payload
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Non-Bypassability
SYSTEM.SYS
Defense Techniques
Blocked
%Blocked
%Unblocked
Trials
Infected
Blocked
%Blocked
%Unblocked
all AFTER ConflResolv1201
Infected
all BEFORE ConfResolv1201
Trials
no randomization
%Unblocked
lilo w/KMD
%Blocked
stackov_abs
stackov_esp
stackov_esp_exe
stackov_esp_ntdll
stackov_esp_kernel32
stackov_rtl
stackov_lfp
integerov1
integerov2
fmrstr1
heapov1
heapov2
heapov3
heapov4
heapov5
lilo w/ KMD
Blocked
Corpus of
15 baseline
Attacks
(Metasploit)
100
110
111
112
113
120
130
200
210
300
400
410
420
421
430
w/o KMD
Infected
#Trials
#Infected
#Blocked
%Blocked
%Unblocked
Trials
OS Depth
Small Scale Tests
Randomize Stack Base and Allocation
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
65
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
294
294
294
294
250
294
249
293
293
293
293
293
294
293
293
0
14
0
0
0
15
15
15
15
15
15
0
0
0
15
294
280
294
294
250
279
234
278
278
278
278
293
294
293
278
100%
95%
100%
100%
100%
95%
94%
95%
95%
95%
95%
100%
100%
100%
95%
0%
5%
0%
0%
0%
5%
6%
5%
5%
5%
5%
0%
0%
0%
5%
355
355
355
356
356
356
356
356
356
356
356
356
355
355
355
0
0
5
0
0
0
0
0
0
23
2
0
0
0
0
355
355
350
356
356
356
356
356
356
333
354
356
355
355
355
100%
100%
99%
100%
100%
100%
100%
100%
100%
94%
99%
100%
100%
100%
100%
0%
0%
1%
0%
0%
0%
0%
0%
0%
6%
1%
0%
0%
0%
0%
No
Randomization
All
Randomizations
11/15 Release
(Red Team)
All
Randomizations
12/01 Release
65 trials
294 trials
355 trials
Attack Depth
Exploit
Payload
OS Depth
Randomize Stack Base and Allocation
USER.EXE
USER.DLL
Randomize Heap Base and Allocation
Randomize
Code
Location
Address Resolution
Rebase DLL
SYSTEM.DLL
Further Development
Non-Bypassability
SYSTEM.SYS
Defense Techniques
• Expects
–
–
–
–
Fixed PEB/TEB base location
Exception handler location
Initial process heap/CRT heap base randomization
Some things not exhaustively covered
• Process/thread creation, memory allocation
– Undocumented Native API
• Occasional communication error with Win32 subsystem
– Remote monitoring and management
• Solutions
– Kernel mode driver
– Expanded vulnerabilities and attacks for Layer 2 testing
– Control and alerting interfaces
• Enterprise version capabilities (Army CECOM?)