Non-Control-Data Attacks Are Realistic Threats

Shuo Chen†*, Jun Xu‡, Emre Sezer‡, Prachi Gauriar‡, Ravi Iyer†
† Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign
‡ Department of Computer Science, North Carolina State University
* Cybersecurity and Systems Management Group, Microsoft Research

USENIX Security Symposium, Baltimore, MD, 2005

Slide 2: Control Data Attack: Well-Known, Dominant

Control data attack: corrupt function pointers, jump targets and return addresses to run malicious code
• E.g., code injection, mimicry attack and return-to-libc
Currently the most dominant form of memory corruption attack [CERT and Microsoft Security Bulletin]
• Exploits many vulnerability types, such as buffer overflow, format string bug, integer overflow, double free, etc.
Many current defense techniques enforce control data integrity to provide security.

Slide 3: Non-Control-Data Attack

Non-control-data attacks: attacks that do not corrupt any control data
• i.e., attacks that preserve the integrity of the victim process's control flow
Currently very rare in reality
• Very few instances documented in the literature.
• Several papers: theoretically possible to construct non-control-data attacks against synthetic programs.
• Not yet considered a serious threat
How applicable are such attacks against real-world software?
• Why rare: attackers' incapability, or lack of incentives?
• No focused investigation yet.

Slide 4: Motivating Facts

Random hardware memory errors can subvert the security of real-world systems.
• Boneh and DeMillo: random errors allow deriving secret keys in a CRT-based RSA implementation. [Eurocrypt'97]
• Our previous work: authentication of SSH and FTP servers and packet filtering of Linux firewalls can be compromised. [DSN'01 and DSN'02]
• Govindavajhala and Appel: the Java type system can be subverted. [S&P'03]
• None of them is a control-data attack.
A wide range of real-world software is susceptible.
Software vulnerabilities are more deterministic and more amenable to attacks than random hardware errors. Many software vulnerabilities are essentially "memory fault injectors": they overwrite an arbitrary memory location
• Heap overflow
• Double free
• Format string bug
• Integer overflow

Slide 5: Our Claim: General Applicability of Non-Control-Data Attacks

The claim:
• Many real-world software applications are susceptible to non-control-data attacks.
• The severity of the attack consequences is equivalent to that of control data attacks.
Goal of our project
• Experimentally validate the claim: construct non-control-data attacks to compromise the security of "representative" applications
• Discuss the implications of the claim for current defensive techniques
• Call for comprehensive defensive techniques

Slide 6: Selection of Target Applications

Real-world applications, not synthetic applications.
Leading application categories
• CERT advisories (2000 – 2004): 84% are server vulnerabilities
  HTTP service (18%), database service (10%), remote login service (8%), mail service (5%), FTP service (4%).
Selection criteria
• Different types of vulnerabilities should be covered
• Different types of server applications should be studied
Practical constraints on our selection
• Uncertainties in many vulnerability reports: really exploitable?
• Proprietary source code
• Limited information about the details of many vulnerabilities
Eventually, we selected
• Open-source FTP, SSH, Telnet, HTTP servers
• Stack buffer overflow, format string, heap corruption, integer overflow.

Slide 7: Non-Control-Data Attack against WU-FTPD Server (via a format string bug)

    int x;                                   /* global: user ID of the authenticated user */
    FTP_service(...) {                       /* x uninitialized, running as EUID 0 */
        authenticate();
        x = user ID of the authenticated user;   /* x = 109, still running as EUID 0 */
        seteuid(x);                          /* x = 109, now running as EUID 109: root privilege dropped */
        while (1) {
            /* Get a data command (e.g., PUT), or a special SITE EXEC command
               that exploits the format string vulnerability: x = 0, still EUID 109 */
            get_FTP_command(...);
            if (a data command?)
                getdatasock(...);
        }
    }

    getdatasock(...) {
        seteuid(0);                          /* x = 0, running as EUID 0 */
        setsockopt(...);
        seteuid(x);                          /* x = 0, still running as EUID 0 */
    }

When getdatasock() returns to the service loop, the server still runs as EUID 0 (root). This allows us to upload /etc/passwd and grant ourselves the root privilege!
Only an integer is corrupted: this is not a control data attack.

Slide 8: Non-Control-Data Attack against NULL-HTTP Server (via a heap overflow bug)

Attack the configuration string holding the CGI-BIN path.
Mechanism of CGI
• Suppose server name = www.foo.com, CGI-BIN = /usr/local/httpd/exe
• Requested URL = http://www.foo.com/cgi-bin/bar
• The server executes /usr/local/httpd/exe/bar
Our attack
• Exploit the vulnerability to overwrite CGI-BIN to /bin
• Request URL http://www.foo.com/cgi-bin/sh
• The server executes /bin/sh
The server gives me a root shell!
Only four characters in the CGI-BIN string are overwritten.

Slide 9: Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug)

    void do_authentication(char *user, ...) {
        int auth = 0;                        /* auth = 0 */
        ...
        while (!auth) {                      /* auth = 0 */
            /* Get a packet from the client */
            type = packet_read();            /* auth = 1: the flag is overwritten via the integer overflow bug */
            switch (type) {
            ...
            case SSH_CMSG_AUTH_PASSWORD:
                if (auth_password(user, password))
                    auth = 1;                /* password incorrect, but auth = 1 */
            case ...
            }
            if (auth) break;                 /* auth = 1 */
        }
        /* Perform session preparation. */
        do_authenticated(...);               /* logged in without the correct password */
    }

Slide 10: More Non-Control-Data Attacks

Against NetKit Telnet server (the default Telnet server of Red Hat Linux)
• Exploit a heap overflow bug
• Overwrite two strings:
  /bin/login -h foo.com -p   (normal scenario)
  /bin/sh -h -p -p           (attack scenario)
• The server runs /bin/sh when it tries to authenticate the user.
Against GazTek HTTP server
• Exploit a stack buffer overflow bug
• Send a legitimate URL http://www.foo.com/cgi-bin/bar
• The server checks that "/.." is not embedded in the URL
• Exploit the bug to change the URL to http://www.foo.com/cgi-bin/../../../../bin/sh
• The server executes /bin/sh

Slide 11: What Do Non-Control-Data Attacks Imply?

Control flow integrity is not a sufficiently accurate approximation of software security.
Many types of non-control data are critical to security
• User identity data, configuration data, user input data and decision-making data
Once attackers have the incentive, they are likely to succeed in non-control-data attacks.

Slide 12: Discussion of Current Defensive Techniques

Defenses based on control flow integrity
• Monitor system call sequences
• Protect control data
• Non-executable stack and heap
Pointer encryption: PointGuard
• Identifying pointers in low-level code is really challenging
Address space randomization
• Challenge: need to randomize every program segment
• Limitation: a 32-bit address space cannot provide sufficient entropy
Memory safety enforcement
• Promising direction, e.g., CCured, Cyclone, CRED
• Currently difficult to migrate existing large code bases to a memory-safe version. Incurs runtime overhead. Difficult to ensure memory safety for low-level code.
Still open: to design a generic and secure defense

Slide 13: Mitigating Factors

Requiring application-specific semantic knowledge
• Control-data attacks are unrelated to the semantics of the victim process (hijack the control flow, do whatever you like)
• Non-control-data attacks rely on the semantics of the victim process
• Not a fundamental constraint: the semantics of widely used applications will be well understood if attackers have strong incentives. The more instances attackers see, the easier they can clone new ones. A matter of experience.
Lifetime of security-critical data
• Attacks are not possible if the vulnerability lies outside the lifetime of the target data.
• Programs can be modified to reduce data lifetime to enhance security.

Slide 14: Reducing Data Lifetime for Security (WU-FTPD)

Original WU-FTPD (lifetime of x is global):

    siteexec() {
    }
    getdatasock() {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Modified WU-FTPD (the privilege to restore lives only as long as the seteuid() argument):

    siteexec() {
    }
    getdatasock() {
        tmp = geteuid();
        seteuid(0);
        setsockopt(...);
        seteuid(tmp);
    }

Slide 15: Reducing Data Lifetime for Security (SSHD)

Original SSHD:

    do_authentication() {
        int auth = 0;
        while (!auth) {
            type = packet_read();
            switch (type) {
            case CMSG_AUTH_PASSWORD:
                if (auth_password(passwd))
                    auth = 1;
            case ...
            }
            if (auth) break;
        }
        do_authenticated(pw);
    }

Modified SSHD:

    do_authentication() {
        int auth = 0;
        while (!auth) {
            type = packet_read();
            auth = 0;
            switch (type) {
            case CMSG_AUTH_PASSWORD:
                if (auth_password(passwd))
                    auth = 1;
            case ...
            }
            if (auth) break;
        }
        do_authenticated(pw);
    }

The lifetime of the auth flag is reduced to the part of one loop iteration after packet_read().

Slide 16: Conclusions

Major claim: many real-world software applications are susceptible to attacks that do not hijack program control flow.
Constructing a generic and secure defensive technique that defeats both control-data attacks and non-control-data attacks is still an open problem.
Reducing data lifetime is a secure programming practice that increases software resilience to attacks.

Slide 17: Links

DEPEND Research Group, Univ. of Illinois
• http://www.crhc.uiuc.edu/DEPEND
Prof. Jun Xu's Research Group, North Carolina State University
• http://www.csc.ncsu.edu/faculty/junxu/
Cybersecurity and Systems Management Group, Microsoft Research (a.k.a. the Strider team)
• http://research.microsoft.com/csm
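Added example (not from the slides or from WU-FTPD): a C model of the getdatasock() idiom from slides 7 and 14. fake_euid, fake_seteuid(), fake_geteuid() and euid_after_data_command() are constructed stand-ins so it runs as an ordinary user; the format string bug is not modelled, a plain assignment to the global x plays the role of the corruption.

```c
#include <stdbool.h>

/* Constructed model of the WU-FTPD privilege dance from the slides, with a
 * fake effective UID instead of real seteuid()/geteuid() so it runs as any
 * user. The format string bug is not modelled: the "corruption" is a plain
 * assignment to the global x, which is the effect the slides describe. */
static int fake_euid = 0;   /* process starts as root (EUID 0) */
static int x;               /* global user ID of the authenticated user */

static int fake_seteuid(int id) { fake_euid = id; return 0; }
static int fake_geteuid(void)   { return fake_euid; }

/* Original getdatasock(): regains root, then restores privilege from the
 * long-lived global x, so x is trusted long after it was assigned. */
static void getdatasock_original(void) {
    fake_seteuid(0);
    /* setsockopt(...) */
    fake_seteuid(x);
}

/* Modified getdatasock() (slide 14): the privilege to return to is captured in
 * a local just before it is needed, so a corrupted x has nothing to affect. */
static void getdatasock_modified(void) {
    int tmp = fake_geteuid();
    fake_seteuid(0);
    /* setsockopt(...) */
    fake_seteuid(tmp);
}

/* One simulated session: authenticate as uid, drop root, set x to
 * corrupted_x (pass uid itself for "no corruption"), handle a data command,
 * and return the EUID the service loop continues with. */
int euid_after_data_command(int uid, int corrupted_x, bool modified) {
    fake_seteuid(0);
    x = uid;
    fake_seteuid(x);       /* root privilege dropped after authentication */
    x = corrupted_x;       /* simulated non-control-data corruption */
    if (modified) getdatasock_modified(); else getdatasock_original();
    return fake_geteuid();
}
```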
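Added example (not from the slides or from any SSH implementation): a C model of the sshd authentication loop from slides 9 and 15. struct packet, CORRECT_PASSWORD, the corrupts_auth flag and the scripted packet arrays are constructed; the integer overflow itself is not modelled, a flagged packet simply flips the auth flag during packet_read(), and reset_after_read selects the modified loop that re-zeroes the flag after every packet.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the sshd authentication loop from the slides. A packet
 * flagged corrupts_auth flips the auth flag to 1 during packet_read(), which
 * is the effect the slides describe for the integer overflow bug. */
#define SSH_CMSG_AUTH_PASSWORD 1

struct packet { int type; const char *password; bool corrupts_auth; };

static const char *CORRECT_PASSWORD = "hunter2";   /* constructed secret */

static int auth_password(const char *password) {
    return strcmp(password, CORRECT_PASSWORD) == 0;
}

/* Reading a packet may clobber the caller's auth flag (simulated fault). */
static int packet_read(const struct packet *p, int *auth) {
    if (p->corrupts_auth) *auth = 1;
    return p->type;
}

/* Returns 1 when do_authenticated() would be reached. reset_after_read
 * selects the modified sshd (slide 15), which re-zeroes auth right after
 * packet_read() so the flag only lives for the rest of one iteration. */
int do_authentication(const struct packet *pkts, int n, bool reset_after_read) {
    int auth = 0;
    for (int i = 0; i < n && !auth; i++) {
        int type = packet_read(&pkts[i], &auth);
        if (reset_after_read) auth = 0;
        switch (type) {
        case SSH_CMSG_AUTH_PASSWORD:
            if (auth_password(pkts[i].password)) auth = 1;
            break;
        default:
            break;
        }
        if (auth) break;
    }
    return auth;
}

/* Constructed client scripts: wrong password, right password, and a wrong
 * password whose packet read also corrupts the flag. */
const struct packet WRONG_PW[]  = { { SSH_CMSG_AUTH_PASSWORD, "letmein", false } };
const struct packet RIGHT_PW[]  = { { SSH_CMSG_AUTH_PASSWORD, "hunter2", false } };
const struct packet CORRUPTED[] = { { SSH_CMSG_AUTH_PASSWORD, "letmein", true } };
```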