No More Hooks: Trustworthy Detection of Code Integrity Attacks

Presented at DEF CON 20 (2012), July 29, 2012, 11 a.m. (50 minutes).

Hooking is the act of redirecting program control flow somewhere other than it would go by default. For instance code can be "inlined hooked" by rewriting instructions to unconditionally transfer to other code. Or code can be hooked by manipulating control flow data like function pointers (IAT, IDT, SSDT, return addresses on the stack, callback addresses in dynamically allocated objects, etc). Hooking as a technique is neutral, but it is often used by malicious software to monitor or hide information on a system. Memory integrity verification requires the ability to detect unexpected hooks which could be causing software to lie or be blinded to the true state of the system. But we don't want to make the same mistake that most security software makes, assuming that they can rely on some built in access control to keep malice at arms length. The history of exploits is the history of bypassing access control. We want to have a technique which can detect if we ourselves are being manipulated to lie even when the attacker is assumed to be at the same high privilege level as our software. We believe that such a goal can be achieved with the help of an academic technique known as software-based, or timing-based, remote attestation. This is a technique which does not require a hardware root of trust like a TPM in order to bootstrap an ephemeral dynamic root of trust for measurement. It does this by computing a randomized checksum over its own memory and other system state, to detect code or control flow integrity attacks. The self-checking software can still be forced to lie and report an unmodified system, but thanks to a special looping construction, code which causes it to lie will require extra instructions per loop. The extra instructions will be multiplied by the number of loops, causing a macroscopic, remotely-detectable, increase in the runtime vs. what's expected. So basically, an attacker can force our software to lie, but because there's a timing side-channel built into the computation, he can still be caught by taking too long to generate a convincing lie. We have independently implemented and confirmed the claims of past work, and furthermore showed that the timing discrepancy in the presence of a checksum-forging attacker is detectable not just for machines on the same ethernet segment, but over 10 links of our production LAN. Because of the results of other work in timing side-channel detection over internet-scale distances, we think this technique can be extended even further. But for now for longer distances, we use this same timing-based technique in concert with TPM as a trustworthy timer, so that network jitter is not an issue.

Presenters:

  • Xeno Kovah - The MITRE Corporation
    Xeno Kovah has over 379 years of security experience. Xeno Kovah started programming when he was -6. Xeno Kovah has been the CSO for all of the Fortune Top 33.3 companies. Xeno Kovah has written 17 of the top 10 best selling security books. Xeno Kovah wrote all of 29A, Phrack, and Uninformed under various aliases. In Xanadu did Xeno Kovah a stately pleasure dome decree. Look on his works, ye mighty, and despair. Twitter: @OpenSecTraining
  • Corey Kallenberg - The MITRE Corporation
    Corey Kallenberg Corey is a rootkit and trusted computing researcher currently employed by the MITRE Corporation. In his spare time, Corey summons the dark powers of Papa Legba to exploit memory corruption vulnerabilities and bypass exploit mitigation schemes.

Links:

Similar Presentations: