Return Oriented Programming (ROP)

Questions and Answers

Return-oriented programming (ROP) is primarily used as an attack response to what?

• Implementing Address Space Layout Randomization (ASLR).
• Making the stack and heap non-executable.
• Hiding the address of desired libc code.
• Avoiding the use of libc code entirely. (correct)

Which of the following best describes the core idea behind Return-Oriented Programming (ROP)?

• Injecting new code into a running process.
• Stringing together pieces of existing code (gadgets) to perform desired actions. (correct)
• Overwriting return addresses on the stack with arbitrary values.
• Executing a single libc function to run shellcode.

In Return-Oriented Programming (ROP), what is the primary role of the stack?

• Serving as the code to be executed by the CPU. (correct)
• Holding the return addresses of function calls.
• Managing the program's heap allocations.
• Storing the program's data and variables.

What is the primary function of 'gadgets' in Return-Oriented Programming (ROP)?

To perform small, specific operations when chained together. (D)

When searching for gadgets to use in Return-Oriented Programming (ROP), what specific instruction is typically targeted?

ret (A)

In the context of Return-Oriented Programming (ROP), what does it mean for gadgets to be 'Turing complete'?

Gadgets can perform any computation, given enough of them. (C)

Which of the following is a primary defense against Return-Oriented Programming (ROP) attacks?

Randomizing the location of code with position-independent compilation on a 64-bit machine. (C)

What is the primary goal of 'Blind ROP' as an attack strategy?

To discover and exploit gadgets without prior knowledge of the binary. (B)

Why is memory safety considered a crucial defense against attacks like Blind ROP?

It eliminates vulnerabilities that allow attackers to manipulate program control flow. (A)

Which of the following best describes the purpose of Control Flow Integrity (CFI)?

To ensure that a program's execution follows a pre-defined control flow graph. (C)

Stack canaries, non-executable data, and ASLR are security measures designed to:

Complicate exploitation attempts. (B)

What is the primary idea behind behavior-based detection methods in computer security?

Observing the program's actions to identify deviations from expected behavior. (C)

In Control Flow Integrity (CFI), what is the role of the 'control flow graph' (CFG)?

To define the allowed execution paths within the program. (A)

What is the purpose of an 'in-line reference monitor' (IRM) in the context of Control Flow Integrity (CFI)?

To enforce the control flow graph by checking the validity of indirect branches. (D)

How does Control Flow Integrity (CFI) typically handle direct calls?

Direct calls are generally not monitored because their target is known and immutable. (D)

In Control Flow Integrity (CFI), what type of calls are primarily monitored?

Indirect calls. (D)

What is the purpose of inserting a 'label' before the target address of an indirect transfer in the context of implementing an in-line monitor for Control Flow Integrity (CFI)?

To provide a marker that can be checked to ensure control flow integrity. (B)

When implementing the simplest form of labeling for Control Flow Integrity (CFI), what is a potential drawback?

It can block legitimate returns. (D)

In more detailed labeling schemes for CFI, what constraint might be applied to return sites from calls to a specific function?

They must share a label. (B)

Control Flow Integrity (CFI) is designed to defeat which type of attacks?

Control flow-modifying attacks. (A)

While Control Flow Integrity (CFI) can prevent control flow-modifying attacks, what is one limitation regarding the manipulation of control flow?

It cannot prevent manipulation of control-flow that is allowed by the labels/graph. (C)

What is the main idea behind using 'secure coding' practices?

To write code that minimizes vulnerabilities and enhances security. (C)

What is a 'principle' in the context of secure coding practices?

A design goal with multiple possible manifestations. (C)

What is a 'rule' in the context of secure coding practices?

A specific practice that aligns with sound design principles. (D)

What does it mean to "enforce input compliance" in secure coding?

Validating and sanitizing all external input to ensure it meets expected criteria. (D)

In secure coding, why is it important to avoid 'unfounded trust' in received input?

Unfounded trust is a common source of vulnerabilities. (D)

What is the primary idea behind 'robust coding'?

Writing code that is resilient to unexpected conditions and input. (B)

Why is it important to use safe string functions instead of traditional string library routines?

Traditional string routines can lead to buffer overflows if the target buffer is too small. (A)

Which of the following is a potential consequence of forgetting the NUL terminator in a C string?

Functions reading the string may read beyond the intended boundary. (A)

What is a key consideration when performing pointer arithmetic in C?

Pointer arithmetic multiplies by the size of the pointed-to type. (C)

What is a 'dangling pointer'?

A pointer that points to memory that has been freed. (B)

What is a good practice to defend against 'dangling pointers' after freeing memory in C?

Setting the pointer to NULL. (D)

In memory management, what is the purpose of using 'goto chains'?

To avoid duplicated or missed code when cleaning up resources. (B)

What is the primary advantage of using a safe string library?

They ensure strings are used safely, preventing common vulnerabilities. (D)

What is the general principle behind favoring 'safe libraries' in secure coding?

They encapsulate well-thought-out designs and prevent common errors. (D)

What is a primary benefit of using a 'safe allocator'?

It can challenge heap-based overflows. (D)

What security concern does Address Space Layout Randomization (ASLR) address?

Predictable memory addresses. (A)

Flashcards

Return-Oriented Programming

Return-oriented programming (ROP) is a technique where an attacker uses existing code in the program or libraries to execute malicious commands. Instead of injecting new code, the attacker strings together short sequences of existing code, called "gadgets," to achieve their goal.

Gadgets in ROP

Gadgets are instruction sequences within existing program code that end with a return instruction. These gadgets are chained together in ROP attacks to perform desired actions.

Defense Mechanisms

Stack canaries, marking stack/heap memory as non-executable, and Address Space Layout Randomization (ASLR).

Control Flow Integrity (CFI)

Control Flow Integrity (CFI) is a security mechanism that ensures the program's control flow follows a predetermined path. This is achieved by monitoring indirect calls and jumps, ensuring they only go to valid target addresses.

Control Flow Graph (CFG)

A directed graph representing the allowed execution paths in a program.

In-line Reference Monitor (IRM)

In-line Reference Monitor (IRM) is a mechanism used in CFI to check the validity of code execution paths at runtime. It inserts checks to ensure that indirect calls and jumps go to expected target addresses.

Defense: Code Randomization

This defense randomizes the location of code to make attacks difficult, on a 64-bit machine.

Enforce Input Compliance

Input compliance refers to the practice of validating and sanitizing input data to ensure it conforms to expected formats and values, preventing vulnerabilities like buffer overflows and format string exploits.

Robust Coding

A coding style where each module pessimistically validates the assumptions and input. It helps prevent unexpected behavior by immediately checking preconditions.

Use Safe String Functions

It involves using string manipulation functions that prevent buffer overflows by checking destination buffer sizes before writing data.

Don't Forget NUL Terminator

Always terminate strings with a null character ('\0') to prevent buffer overflows and ensure correct string handling by functions that rely on null termination.

Use a safe allocator

Safe allocators are used to mitigate heap-based overflows. These allocators return unpredictable addresses.

Use NULL after free

Once you are done with allocated memory, use NULL for the pointer after freeing it. This helps you avoid the bad dereference.

Use goto chains

Use goto chains to avoid duplicated or missed code. This acts as try/finally.

Use safe string library

Use a safer string library that ensures security. Safety comes first, even if there is some performance loss.

Favor safe libraries

Favor libraries that are safe and well-designed. They encapsulate well-thought-out designs.

Pointer Arithmetic

Understanding pointer arithmetic is very important, especially when using sizeof().

Study Notes

• Return oriented programming (ROP) involves constructing needed functionality using existing code within a program's text.

Cat and Mouse

• Defenses against code injection include making the stack/heap non-executable, or hiding libc code addresses using ASLR.
• Attack responses involve jumping/returning to libc, brute force searches or information leaks.
• Another defense is avoiding libc code entirely by using code within the program text.
• Attack response to this is constructing needed functionality using return oriented programming (ROP).

Return-oriented Programming

• Hovav Shacham introduced return-oriented programming in 2007.
• ROP involves stringing together pieces of existing code, called gadgets, instead of using a single library function to run shellcode.
• Challenges include finding gadgets and stringing them together.

Approach

• Gadgets are instruction groups that end with ret.
• The stack serves as the code.
• %esp equals the program counter.
• Gadgets are invoked via ret instruction.
• Gadgets obtain arguments via pop, etc., also on the stack.

Simple example

• A gadget contains assembly instructions such as pop %edx and ret.
• The stack will contain an address to the gadget, as well as the arguments to the gadget.
• The stack pointer (%esp) points to the next gadget in the chain.

Code Sequence

• Assembly code will contain instructions at an address, and use registers as reference.

Equivalent ROP Sequence

• ROP sequences involve invoking chains of gadgets, using stack to supply arguments and addresses.

Whence the gadgets?

• Gadgets can be found to construct an exploit by automating a search of the target binary.
• The search would look for ret instructions and work backwards.
• Shacham found that gadgets in significant codebases are Turing complete.
• Schwartz et al have automated gadget shellcode creation, though not needing Turing completeness.

Blind ROP

• Randomizing the location of the code by compiling for position independence on a 64-bit machine makes attacks difficult.
• Published attacks are often for 32-bit versions of executables.
• Blind ROP involves reading the stack to leak canaries and a return address if a server restarts on a crash but does not re-randomize.
• Next step involves finding gadgets at run-time to effect call to write.
• Final step is to dump the binary to find gadgets for shellcode.

Defeat!

• The blind ROP team developed a remote code exploit for nginx automatically and only through remote interactions.
• The exploit was carried out on a 64-bit executable with full stack canaries and randomization.

Control Flow Integrity

• Stack canaries, non-executable data, and ASLR complicate steps in a standard attack, but don't always stop it.
• The idea is to observe the program's behavior — is it doing what one expect it to?
• If not, code might be compromised.
• Challenges include defining "expected behavior," detecting deviations efficiently, and avoiding compromise of the detector.

Control-Flow Integrity (CFI)

• Expected behavior is defined by Control Flow Graph (CFG).
• Deviations are detected efficiently through In-line Reference Monitor (IRM).
• Compromise is avoided through sufficient randomness and immutability.

Efficient?

• Classic CFI (2005) imposes 16% overhead on average, 45% in the worst case.
• It works on arbitrary executables but is not modular (no dynamically linked libraries).
• Modular CFI (2014) imposes 5% overhead on average, 12% in the worst case.
• It is C only, a part of LLVM, and modular with separate compilation.

Secure?

• MCFI eliminates 95.75% of ROP gadgets on x86-64 versions of SPEC2006 benchmark suite by ruling their use non-compliant with the CFG.
• Average Indirect-target Reduction (AIR) is > 99%.
• AIR is the percentage of possible targets of indirect jumps that CFI rules out.

Call Graph

• A call graph shows the relationships between functions, which functions call which other functions.

Control Flow Graph

• Control flow graph breaks call graph into basic blocks
• Can distinguish calls from returns

CFI: Compliance with CFG

• The call/return CFG is computed in advance during compilation or from the binary.
• Program has to follow the paths allowed by the CFG.
• Direct calls need not be monitored, assuming code is immutable.
• Only indirect calls, like jmp, call, ret with non-constant targets, need monitoring.

In-line Monitor

• The monitor is implemented in-line, as a program transformation.
• A label is inserted just before the target address of an indirect transfer.
• Code is inserted to check the label of the target at each indirect transfer.
• The check should abort if the label does not match.
• The labels are determined by the CFG.

Simplest labeling

• Simplest control flow labeling uses same label at all possible targets of indirect calls

Detailed Labeling

• More detailed control flow labeling uses varying labels for varying call sites
• Return sites from calls to sort must share a label, call targets gt and It must share a label.

Classic CFI Instrumentation

• Instrumentation added to assembly code is to check target label before call happens

Can we defeat CFI?

• There is no way to defeat CFI
• CFI assumes that code is non-executable data
• CFI assumes that code is immutable
• CFI assumes adversary cannot change registers

CFI Assurances

• CFI defeats control flow-modifying attacks such as remote code injection and ROP/return-to-libc.
• CFI doesn't prevent the manipulation of control-flow if is allowed by the labels/graph.
• These are called mimicry attacks, a simple, single-label CFG is susceptible to these.
• CFI has no effect on data leaks or corruptions.

Secure Coding

• Secure coding in C requires developers to maintain discipline, as the language provides few guarantees.
• A good reference is the CERT C Coding Standard.

Design vs Implementation

• Implement coding rules for memory safety errors in the future
• Principles are broader goals, rules are specific practices.

Rule: Enforce input compliance

• Enforcing input compliance sanitizes input

Rule: Enforce input compliance

• Ensure that input is valid
• Not doing so can lead to overflow

General principle: Robust coding

• Robust coding is like defensive driving.
• Each module pessimistically checks its assumed preconditions on outside callers.
• Throw an exception (or even exit) rather than run malicious code, even if clients "know" they won't send a suspicious requests.

Rule: Use safe string functions

• Use string functions that perform length checking and avoid overflows.

Replacements

• Replacements for string oriented functions are as follows:
  • strcat should be replaced with strlcat
  • strcpy should be replaced with strlcpy
  • strncpy should be replaced with strlcpy
  • sprintf should be replaced with snprintf
  • vsprintf should be replaced with vsnprintf
  • gets should be replaced with fgets
• Microsoft versions follow the same pattern but append the _s suffix to the standard function.

Rule: Don't forget NUL terminator

• Strings require one additional character to store the NUL terminator.

Rule: Understand pointer arithmetic

• sizeof() returns number of bytes, but pointer arithmetic multiplies by the sizeof the type.

Defend dangling pointers

• Dangling pointers must be accounted for to prevent crashing

Rule: Use NULL after free

• After freeing a malloced variable, set the pointer to NULL

Manage memory properly

• Use goto chains to avoid duplicated or missed code.
• Coding that encodes try/finally from other languages
• Confirm logic with Gotofail bug

Rule: Use safe string library

• To ensure strings used safely, utilize safey first
• Ex: Very Secure FTP (vsftp) string library

Rule: Favor safe libraries

• Use of libraries that encapsulate well-thought-out design
• Use smart pointers that have only safe operations
• Network with Google protocol buffers, Apache Thrift, with ensure input validation

Rule: Use a safe allocator

• Address Space Layout Randomization (ASLR) affects libraries to make base addresses unpredictable
• Challenge heap-based overflows by making the address returned by malloc unpredictable