New memory corruption attacks: why can't we have nice things?

Presented at 32C3 (2015), Dec. 27, 2015, 9:45 p.m. (60 minutes).

Memory corruption is an ongoing problem and in past years we have both developed a set of defense mechanisms and novel attacks against those defense mechanisms. Novel defense mechanisms like Control-Flow Integrity (CFI) and Code-Pointer Integrity (CPI) promise to stop control-flow hijack attacks. We show that, while they make attacks harder, attacks often remain possible. Introducing novel attack mechanisms, like Control-Flow Bending (CFB), we discuss limitations of the current approaches. CFB is a generalization of data-only attacks that allows an attacker to execute code even if a defense mechanism significantly constrains execution.

Memory corruption plagues systems not just since Aleph1's article on stack smashing but since the dawn of computing. With the rise of defense techniques like stack cookies, ASLR, and DEP, attacks have grown more sophisticated but control-flow hijack attacks are still prevalent. Attackers can still launch code reuse attacks, often using some form of information disclosure. Stronger defense mechanisms have been proposed but none have seen wide deployment so far due to the time it takes to deploy a security mechanism, incompatibility with specific features, and most severely due to performance overhead.

Control-Flow Integrity (CFI) and Code-Pointer Integrity (CPI) are two of the hottest upcoming defense mechanisms. After quickly introducing them, we will discuss differences and advantages/disadvantages of both approaches, especially the security benefits they give under novel memory corruption attacks. CFI guarantees that the dynamic control flow follows the statically determined control-flow of the compiled program but an attacker may reuse any of the statically valid transitions at any control flow transfer. CPI on the other hand is a dynamic property that enforces memory safety guarantees like bounds checks for code pointers by separating code pointers from regular data. Data-only attacks are possible both for CFI and CPI.

Counterfeit Object-Oriented Programming (COOP) and Control-Flow Bending (CFB) are two novel attack mechanisms. COOP reuses complete functions as gadgets, mitigating several defense mechanisms and CFB bends the control flow along valid but unintended paths in the control flow graph of a program. We will discuss COOP and CFB attacks, focusing on mitigating strong novel defense mechanisms.


Presenters:

  • gannimo
    Mathias Payer is a security researcher and an assistant professor in computer science at Purdue university. His interests are related to system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. His research focuses on protecting applications even in the presence of vulnerabilities, with a focus on memory corruption. Mathias Payer sees himself as a hacker and he is interested in all areas of system security, both looking at new defence mechanisms and new attack vectors. His credo is that we have to protect applications even in the presence of vulnerabilities, with a specific focus on memory corruption. Next to publishing his research at academic conferences he is a frequent speaker at hacker conferences (27c3, 28c3, 2x 30c3, SyScan) and enjoys the relaxed atmosphere there. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH with a Dr. sc. ETH in 2012. The topic of his thesis is related to low-level binary translation and security. He analyzed different exploit techniques and wondered how we can enforce integrity for a subset of data (e.g., code pointers). All prototype implementations are open-source. In 2014, he started the b01lers Purdue CTF team.
  • npc@berkeley.edu

Links:

Similar Presentations: