Return to Where? You Can't Exploit What You Can't Find

Presented at Black Hat USA 2015, Aug. 6, 2015, 11 a.m. (50 minutes).

Detecting and preventing exploitation of memory corruption vulnerabilities is highly challenging. Until now, no countermeasure has been able to fully prevent sophisticated exploitation techniques such as return-oriented programming (ROP). Recent control-flow integrity (CFI) defenses from Google and Microsoft can be bypassed by constructing a ROP payload that adheres to the control-flow constraints or by exploiting implementation flaws. Microsoft's EMET has less overhead than full CFI, but offers less protection in return, and can be bypassed. Probabilistic countermeasures based on memory layout randomization (such as ASLR) are already in widespread use. However, the Pwn2Own competitions have repeatedly demonstrated that attackers can bypass code randomization using memory leaks in browsers.

To reduce the impact of memory disclosure, recent defenses utilize execute-only memory. In this work we show that execute-only memory is insufficient and that these solutions can still be bypassed. In particular, we show how to determine the code layout by analyzing pointers in the heap and on the stack without ever reading the code.

On the defensive side, we build a comprehensive yet practical defense called Readactor that counters both direct reading of code and indirect layout disclosure through analysis of code pointers. We employ a thin hypervisor and a kernel patch to utilize true hardware execute-only memory, and prevent direct reading of code in Linux processes. We hide all code pointers in readable memory using a patched version of the LLVM compiler. We deploy a number of techniques to break ROP gadget chains and disorient the adversary. Specifically, we hide code pointers by converting them into direct jumps stored in execute-only memory to prevent indirect layout disclosure.

Our solution is efficient, because it activates previously unused hardware capabilities in modern x86 processors and is often faster than industry CFI implementations. Our solution is also highly practical; we were able to automatically apply our defense to the Chromium web browser. Finally, our solution is comprehensive; we also protect the dynamically generated code emitted by the V8 JavaScript JIT compiler.


Presenters:

  • Christopher Liebchen - Technische Universität Darmstadt
    Christopher Liebchen is a research assistant at the System Security Lab at CASED/Technische Universität Darmstadt, Germany. He received his MSc in IT-Security from Technische Universität Darmstadt and his current research focuses on runtime attacks and defenses.
  • Ahmad-Reza Sadeghi - Technische Universität Darmstadt & Intel CRI-SC
    Ahmad-Reza Sadeghi is a full professor of Computer Science at Technische Universität Darmstadt, Germany. He is the head of the System Security Lab at the Center for Advanced Security Research Darmstadt (CASED) and the Director of the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at TU-Darmstadt. He holds a PhD in Computer Science from the University of Saarland in Saarbrücken, Germany. Prior to academia, he worked in research and development at telecommunications enterprises, among others Ericsson Telecommunications. He has been continuously contributing to the research community and serving as general or program chair as well as program committee member of many established conferences and workshops in information security and privacy. He is on the editorial board of ACM Books for Security and Privacy, and has served on the Editorial Board of the ACM Transactions on Information and System Security.
  • Andrei Homescu - University of California, Irvine
    Andrei Homescu is a 5th year PhD candidate at the University of California, Irvine. His main research interests are programming languages and software security, and he has investigated the use of software diversity to harden applications against a variety of attacks. Most recently, his main research focus has been software diversity for just-in-time compilers for dynamically compiled languages such as Java and JavaScript.
  • Stephen Crane - University of California, Irvine
    Stephen Crane is finishing up his PhD in computer security with the Secure Systems and Software Laboratory at the University of California, Irvine. His current research primarily focuses on novel and practical defenses for the abundance of unsafe systems software. When he's not staring at machine code or hacking on compilers, you can often find him playing games of all sorts. Before coming to UCI, Stephen received a BS in CS from Cal Poly Pomona, where he enjoyed competing in the National Collegiate Cyber Defense Competition.