Bypassing Clang's SafeStack for Fun and Profit

Presented at Black Hat Europe 2016, Nov. 4, 2016, 2 p.m. (60 minutes)

SafeStack, a new compiler feature currently only available in clang[1] and underway for GCC[2], protects return addresses on the stack from being overwritten through memory vulnerabilities. SafeStack (-fsanitize=safe-stack) is intended to replace the stack cookies (-fstack-protector). It separates the data and the return addresses on the original stack, and puts the former in the unsafe stack and the latter in the safe stack. We investigate the implementation of the safe stack to see if there are still ways to get to it and overwrite the return addresses.

In this presentation we show implementation issues that allow an attacker to get to the safe stack. In addition, we demonstrate two new fundamental strategies to efficiently find the safe stack, namely through Thread Spraying and allocation oracles. Thread Spraying is a technique to force the application to spawn many safe stacks and to reduce the entropy of the safe stacks significantly. With allocation oracles we can determine the sizes of the unallocated holes in the address space and as such the distance from the known regions to the hidden regions.

Sources
[1] http://clang.llvm.org/docs/SafeStack.html
[2] https://gcc.gnu.org/ml/gcc/2016-04/msg00083.html
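The split the abstract describes can be observed directly: with a classic stack, a function's local buffer sits a few bytes below its saved return address, whereas under -fsanitize=safe-stack clang moves the buffer to the separately mapped unsafe stack, so the two addresses are far apart. The following C program is an added illustration written for this page, not code from the talk or from LLVM; the 1 MiB threshold used to decide "far apart" is an assumption (a heuristic, not something SafeStack guarantees), and `__builtin_frame_address` is a GCC/clang builtin.

```c
#include <stdint.h>
#include <stdio.h>

/* Heuristic (assumption): a local buffer more than 1 MiB away from its own
 * frame base cannot be on the same contiguous stack region. */
#define FAR_THRESHOLD ((uintptr_t)1 << 20)

/* Returns 1 when the measured distance suggests the buffer lives on a
 * separate region (the SafeStack "unsafe stack"), 0 otherwise. */
int looks_separate(uintptr_t distance)
{
    return distance > FAR_THRESHOLD;
}

static uintptr_t absdiff(uintptr_t a, uintptr_t b)
{
    return a > b ? a - b : b - a;
}

/* Distance in bytes between a local char array and the base of this
 * function's frame (where the saved frame pointer / return address live).
 * volatile keeps the array from being optimised away. */
__attribute__((noinline)) uintptr_t buffer_to_frame_distance(void)
{
    volatile char buf[64];
    buf[0] = 'A';
    buf[sizeof buf - 1] = '\0';

    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    uintptr_t addr = (uintptr_t)&buf[0];
    return absdiff(addr, frame);
}

int main(void)
{
    uintptr_t d = buffer_to_frame_distance();
    printf("buffer-to-frame distance: %llu bytes\n", (unsigned long long)d);
    if (looks_separate(d))
        printf("local array is on a separate region (SafeStack-style split)\n");
    else
        printf("local array is adjacent to the frame (classic stack layout)\n");
    return 0;
}
```

Build it once as `clang -O1 demo.c` and once as `clang -O1 -fsanitize=safe-stack demo.c` (the flag named in the abstract) and compare the two reported distances; the second build places the array megabytes away from the return-address side of the frame, which is exactly the separation the talk sets out to defeat by locating the safe stack.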

Presenters:

  • Robert Gawlik - Security Researcher, Ruhr-Universität Bochum
    Robert is a security researcher at the Ruhr-Universität Bochum. His research interests are in static and dynamic binary analysis. His previous research includes assessment of randomization and information hiding schemes. He is also interested in memory corruption bugs, their exploitation and defenses against it.
  • Herbert Bos - Professor of Systems and Network Security, Vrije Universiteit Amsterdam
    Herbert Bos is a professor of Systems and Network Security at Vrije Universiteit Amsterdam in the Netherlands. Coming from a systems background, he drifted into security a few years ago and never left. Even so, he still does not understand crypto, and hides this by saying that he prefers to stay on the systems' side of security. He obtained a Ph.D. from Cambridge University Computer Laboratory (UK) and is very proud of his (ex-)students.
  • Georgios Portokalidis - Assistant Professor in the Department of Computer Science, Stevens Institute of Technology
    Georgios Portokalidis is an assistant professor in the Department of Computer Science at Stevens Institute of Technology. He obtained his PhD from Vrije Universiteit in Amsterdam in February 2010. His research interests are mainly around the area of systems and security, including software security, authentication, privacy, and software resiliency.
  • Enes Goktas - PhD Student, Vrije Universiteit Amsterdam
    Enes Goktas is a PhD student at the Vrije Universiteit Amsterdam. His research focus is on evaluating and developing mitigations against memory corruption vulnerabilities. His previous work includes evaluation and proposal of Control-Flow Integrity based mitigations. His interests lie in the area of software security, and binary analysis and instrumentation.
  • Elias Athanasopoulos - Assistant Professor in the Computer Science department, Vrije Universiteit Amsterdam
    Elias Athanasopoulos is an assistant professor in the Computer Science department at VU Amsterdam. Before joining VU Amsterdam, he was a Marie Curie Fellow with Columbia University and FORTH. He holds a PhD in Computer Science from the University of Crete, which was funded by the Microsoft Research PhD Scholarship program. He conducts practical research in different areas of systems security and privacy.
  • Cristiano Giuffrida - Dr., Vrije Universiteit Amsterdam
    Cristiano Giuffrida is an Assistant Professor in the Computer Science Department of the Vrije Universiteit Amsterdam. His research interests span across most aspects of systems security and reliability, including software security, side channels, and binary and malware analysis. He received a PhD cum laude from the Vrije Universiteit Amsterdam in 2014. He was awarded the Roger Needham Award at EuroSys and the Dennis M. Ritchie Award at SOSP for the best PhD dissertation in Computer Systems in 2015 (Europe and worldwide).
  • Benjamin Kollenda - PhD Student, Ruhr-Universität Bochum
    Benjamin Kollenda is a PhD student at the Chair for Systems Security of the Ruhr-Universität Bochum. His research concerns mainly software security with a focus on binary attacks and mitigations. Recently he worked on both breaking and improving memory secrecy in the face of new attack methods.
  • Aggelos Oikonomopoulos - PhD Student, Vrije Universiteit Amsterdam
    Aggelos Oikonomopoulos is a PhD student in the VUSec group, working under the supervision of Prof. Herbert Bos. He received his diploma in Electrical and Computer Engineering from the National Technical University of Athens in 2009. His research has been concerned with the possibility of binary rejuvenation and the viability of various defense mechanisms which try to protect against memory corruption attacks.