Control Hijacking Defenses

Questions and Answers

What is the purpose of Address Space Layout Randomization (ASLR)?

To randomly shift the base of code and data in process memory (correct)

To prevent memory leaks during execution

To increase the speed of application loading

To encrypt all process memory

What is a key feature of kBouncer's method of control hijacking defense?

It encrypts system calls before execution

It verifies the last executed return addresses before a syscall (correct)

It checks the integrity of the stack frame

It requires modifications to application code

How does StackGuard protect against buffer overflow attacks?

By randomizing the location of stack variables

By embedding canaries in stack frames (correct)

By limiting the size of stack frames

By using encryption for function returns

What is a potential limitation of the kBouncer technique?

An attacker can ensure calls prior to the syscall are valid

What does the technique known as 'canary' in StackGuard primarily address?

Stack integrity verification

What aspect of address space randomization was introduced in Windows 8 for 64-bit processors?

24 bits of randomness

What does Intel's Last Branch Recording (LBR) provide for kBouncer?

Storage of the last 16 executed branches

What is the purpose of the shadow memory in AddressSanitizer (ASan)?

To track the allocation status of usable memory.

What does a value of -1 indicate in the shadow memory tag?

The corresponding memory should not be accessed.

In the context of AddressSanitizer, what is likely to happen if a buffer overflow occurs?

An access to a red zone will lead to a program crash.

What technique does Control Flow Integrity (CFI) aim to achieve?

Ensure control flows match the specified code's flow graph.

What is one consequence of using a security cookie mechanism?

It adds overhead to detect buffer overflows.

Which of the following is a common vulnerability associated with heap memory?

Use-after-free vulnerabilities causing program crashes.

What can be a consequence of performing a control hijacking attack?

The attacker can execute arbitrary code instead of the intended program flow.

Which of the following is an effect of a stack canary?

It protects against stack overflows by detecting attempts to overwrite the return address.

What is the default behavior when a cookie mismatch occurs?

Call _exit(3)

What do stack canaries primarily protect against?

Control hijacking attacks

Which attack type can still occur even when canaries are implemented?

All of the above

How do canaries get extracted in a crash recovery situation?

By restarting the process automatically

What is a significant risk associated with automatic crash recovery mechanisms?

They may leave canaries unchanged.

Which is a type of attack that can bypass canaries?

Integer overflow attacks

What layer of protection do security cookies provide in relation to stack canaries?

They help validate the integrity of the stack.

Which of the following statements about stack smashing attacks is true?

Some stack smashing attacks leave canaries unchanged.

In the context of memory security, what does ASLR stand for?

Address Space Layout Randomization

What is the purpose of the function call to @__security_check_cookie@4?

To validate the security cookie

Study Notes

Control Hijacking Defenses

• Control hijacking attacks exploit vulnerabilities in software design, allowing attackers to redirect program execution. These vulnerabilities often arise from mixing data and control flow in memory.
• Key attacks include stack smashing (overwriting return addresses), heap spraying (exploiting heap overflows), use-after-free (writing to freed memory), integer overflows, and format string vulnerabilities.
• The fundamental flaw involves mixing data and control, enabling injection of control signals. This allows attackers to manipulate program flow.
• AT&T recognized this issue as early as 1971, demonstrating the longstanding problem.

Preventing Hijacking Attacks

• Fixing bugs: Auditing software with automated tools (like Coverity, Infer) to find vulnerabilities, and rewriting software in type-safe languages such as Java, Go, or Rust can help prevent control hijacking.
• Platform defenses: Preventing the execution of attacker code, and halting processes when exploits are detected using techniques like StackGuard, ShadowStack, memory tagging (ASan, MTE), are important.

Marking Memory as Non-executable (DEP)

• This technique prevents attack code execution by marking the stack and heap as non-executable memory.
• NX-bit on AMD64, XD-bit on Intel x86, and XN-bit on ARM provide this functionality.
• All major operating systems, including Windows DEP, have implemented this defense since XP SP2.
• Limitations exist, as some applications require executable heaps (like JITs) and there are specific bypasses, such as using Return-Oriented Programming (ROP).

Attack: Return-Oriented Programming (ROP)

• Control hijacking without code injection, using existing code sequences within the program (gadgets).
• The stack is manipulated to execute these pre-existing code "gadgets" for malicious purposes.

ROP: Further Detail

• Exploiting vulnerabilities to manipulate the stack can redirect program flow, allowing malicious code execution.

ROP: In Even More Detail

• Demonstrating how specific instructions (pop rdi, pop rsi, pop rax, syscall, ret) can be combined to achieve malicious code execution.

Randomization

• Address Space Layout Randomization (ASLR) randomly shifts the memory layout of code, making it more difficult to exploit the system when running.
• The location of code and data segments is randomized.
• DynamicBase is used, and windows 8 implemented random memory layout randomization.
• Other methods like Sys-call randomization and Instruction Set Randomization (ISR) are also possible.

kBouncer

• A different approach checking if ret instruction sequence is abnormal using Intel's Last Branch Recording (LBR).
• Checking for abnormalities in prior return instructions is used as a defense mechanism.

Hardening the Executable

• Run-time checking (StackGuard): Inserts "canaries" into the stack frame to detect tampering with memory integrity. Implementing runtime stack checking.

Canary Types

• Random canary: A random string inserted into each stack frame and verified against corruption. If the random string changes, a program problem is detected.
• Terminator canary: String functions avoid writing past this terminal character to protect the stack.

StackGuard (Continuous)

• StackGuard operates as a GCC patch, requiring recompilation. The performance impact is minimal, with a measured 8% impact on Apache.

StackGuard Enhancement: ProPolice

• Improves StackGuard by rearranging the stack layout to prevent pointer overflows.
• Safeguard pointer arguments and local pointers from buffer overflow exploits on the stack.

MS Visual Studio/GS (BufferSecurityCheck)

• Combines ProPolice and random canaries for enhanced stack protection. If the cookie (ProPolice) or canary mismatch is detected, the program exits.

Summary: Canaries

• Canaries are a vital defense, but aren't foolproof. Some stack-smash attacks can avoid corrupting canaries, and heap-based and integer overflow attacks still pose threats.

Even worse: Canary Extraction

• In some crash-recovery schemes, restarting a process after a failure potentially involves failing to change the canary value. The attacker can then exploit this.

Similarly, Extract ASLR Randomness

• Malicious code could extract the return address or the code location and use that information to exploit subsequent processes.

Other Methods: Shadow Stack

• Keeps a copy of the stack in memory for verifying integrity when dealing with ret instructions. Validating the return address on the actual stack confirms that no process modifications were made.
• Memory corruption should not modify the shadow stack's integrity.

ARM Memory Tagging Extension (MTE)

• Uses tags on memory pointers and regions to detect buffer overflows and use-after-free vulnerabilities. This prevents out-of-bounds access to memory. Hardware exceptions are triggered if the memory tags do not match.

AddressSanitizer (ASan)

• Is a software tool recording the allocation status of memory. It can detect buffer overflows. It inserts "guard" references to memory locations to check for valid memory access. In the case of invalid access, this will trigger a crash.

Control Flow Integrity (CFI)

• This method ensures control flow adheres to the graph by building a list of possible call targets. It validates the target of every indirect call to confirm that it is valid.

Coarse CFI: Control Flow Guard (CFG)

• Indirect calls are protected by checking against a bitmask of valid function entry points in the executable..

Coarse CFI using EndBranch (Intel) and BTI (ARM)

• This method inserts instructions to prevent hijacking indirect jumps to invalid locations or procedures. A C-language compiler checks and ensures target address is valid. A #CP fault occurs if this validation fails.

CFG, EndBranch, BTI: Limitations

• These approaches do not prevent all attacks, as some clever attacker tactics can cause jumps to valid but incorrect functions. Creating static control flow graphs to identify potential targets has limitations.

An Example of Control Flow Hijacking

• Demonstrating the principle of how an attacker could exploit, through buffer overflow, control flow to call an invalid function after the jump.

Cryptographic Control Flow Integrity (CCFI)

• Uses cryptographic hashes for verifying pointers and code flow to protect against attacks.

Back to the Example

• Demonstrating how CCFI would protect against an attempt to change a handler pointer from buffer overflow and the importance of pointer authentication.

Description

This quiz explores control hijacking attacks and their defenses in software design. You will learn about various key attacks, including stack smashing and heap spraying, as well as strategies to prevent such vulnerabilities. Understanding these concepts is crucial for enhancing software security.