Selected x86 Low-level Attacks and Mitigations
Low-level exploitation is an ongoing security issue. History has shown multiple methods of seizing and controlling the flow of execution, as well as multiple methods and approaches to mitigating the same issue. This thesis focuses on state-of-the-art mitigation techniques and presents attacks against them. Specific issues pertaining to vendor malware are also evaluated. Furthermore, overall trends in low-level exploitation are identified and discussed, and a generic solution that can mitigate low-level exploitation in general is presented. Software-based bounds checking has been employed previously, e.g. through AddressSanitizer, CCured, and others. However, reluctance to accept reduced performance has hindered widespread use. Intel MPX (Memory Protection Extensions) provides hardware-accelerated support through special machine instructions. It is shown that under special circumstances the mitigation mechanism still allows exploitation, and potential attacks are listed. These attacks involve memory management at a level above MPX, e.g. heap managers, and pointer arithmetic or pointers that cannot be followed by the compiler. In particular, examples of vulnerable programs are provided: a program that accepts a pointer from the command line and uses it to write bytes into a buffer, or dereferences it as a function pointer, is not covered by the bounds tracking. It is also shown that certain versions of MPX can lose track of pointers in particular cases due to an invalid BNDLDX. Later versions can have other issues: copying a full pointer, copying a pointer byte for byte, or copying a pointer with an inline assembly routine all result in invalid bounds checking. A working exploit example is given against such an issue. In general, it is asserted that the MPX framework, like any other code, may contain bugs and/or limitations that render it exploitable, leading to typical exploitation.
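The paragraph above describes bounds metadata being lost when a pointer is copied through a path the compiler does not instrument. The following C program is an added illustration, not code from the thesis: it models MPX's bounds table in software (bounds keyed by the address a pointer is stored at, as BNDSTX/BNDLDX do, with the default unbounded range returned when no entry matches) and contrasts an instrumented pointer copy, where an access one past the end of a 16-byte buffer is flagged, with a byte-for-byte copy of the pointer via memcpy, where the lookup finds no bounds and the same access passes. The table, the function names and the 16-byte buffer are this example's own constructions; no real MPX instructions are executed.

```c
/* Added example: a software model of MPX-style bounds tracking, showing why
 * an uninstrumented pointer copy leaves later bounds checks with nothing to
 * check against. Not the thesis's own code; names and sizes are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 16

/* One bounds-table entry: keyed by the address the pointer is stored at, and
 * recording the pointer value so a stale entry can be recognised on load. */
typedef struct {
    void **slot;
    void *value;
    uintptr_t lower;
    uintptr_t upper;   /* inclusive upper bound, as in MPX */
    bool used;
} bounds_entry;

static bounds_entry table[TABLE_SIZE];

static void reset_table(void) { memset(table, 0, sizeof table); }

/* Instrumented store (models BNDSTX): write the pointer and record its bounds. */
static void store_ptr(void **slot, void *p, uintptr_t lower, uintptr_t upper)
{
    *slot = p;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!table[i].used || table[i].slot == slot) {
            table[i] = (bounds_entry){ slot, p, lower, upper, true };
            return;
        }
    }
}

/* Instrumented load (models BNDLDX): look up the bounds for this slot. With no
 * entry, or an entry whose recorded value no longer matches what the slot holds,
 * MPX hands back the default bounds [0, ~0], under which every access passes. */
static void load_bounds(void **slot, uintptr_t *lower, uintptr_t *upper)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (table[i].used && table[i].slot == slot && table[i].value == *slot) {
            *lower = table[i].lower;
            *upper = table[i].upper;
            return;
        }
    }
    *lower = 0;
    *upper = UINTPTR_MAX;
}

/* Models BNDCL/BNDCU: is the range [addr, addr+len) inside [lower, upper]? */
static bool access_ok(uintptr_t lower, uintptr_t upper, const void *addr, size_t len)
{
    uintptr_t a = (uintptr_t)addr;
    return len > 0 && a >= lower && a <= upper && len - 1 <= upper - a;
}

/* Case 1: the pointer is copied by an ordinary assignment, which the compiler
 * instruments, so the bounds travel with it; the last byte is allowed and the
 * access one past the end is caught. */
bool instrumented_copy_detects_overflow(void)
{
    static char buf[16];
    void *src, *dst;
    uintptr_t lo, hi;

    reset_table();
    store_ptr(&src, buf, (uintptr_t)buf, (uintptr_t)buf + sizeof buf - 1);
    load_bounds(&src, &lo, &hi);
    store_ptr(&dst, src, lo, hi);          /* dst = src, with bounds propagated */
    load_bounds(&dst, &lo, &hi);

    bool last_byte_allowed = access_ok(lo, hi, (char *)dst + 15, 1);
    bool overflow_caught   = !access_ok(lo, hi, (char *)dst + 16, 1);
    return last_byte_allowed && overflow_caught;
}

/* Case 2: the pointer value is copied byte for byte (memcpy over the pointer
 * itself), the situation the thesis describes. No store instrumentation runs
 * for the new slot, the lookup finds nothing, and the default bounds let the
 * same one-past-the-end access through. */
bool bytewise_copy_loses_bounds(void)
{
    static char buf[16];
    void *src, *dst;
    uintptr_t lo, hi;

    reset_table();
    store_ptr(&src, buf, (uintptr_t)buf, (uintptr_t)buf + sizeof buf - 1);
    memcpy(&dst, &src, sizeof dst);        /* uninstrumented copy of the pointer bytes */
    load_bounds(&dst, &lo, &hi);

    return access_ok(lo, hi, (char *)dst + 16, 1);   /* true: the check is silently passed */
}

int main(void)
{
    printf("instrumented copy catches the overflow: %s\n",
           instrumented_copy_detects_overflow() ? "yes" : "no");
    printf("bytewise copy lets the overflow through: %s\n",
           bytewise_copy_loses_bounds() ? "yes" : "no");
    return 0;
}
```

The practical lesson for a defender is that out-of-band bounds metadata is only as complete as the compiler's view of pointer flow: any copy the instrumentation does not see (memcpy of a pointer, inline assembly, an allocator's own bookkeeping) yields a pointer that checks as unbounded, so MPX-style tracking should be treated as one layer among several rather than a guarantee.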
XnR (eXecute-no-Read) prevents an attacker from reading executable memory—a response to JIT-ROP (Just-in-Time Return-oriented Programming) style attacks. XnR prevents an attacker, given a read primitive, from reading executable memory and finding gadgets. In this thesis, it is demonstrated that under special circumstances the target program remains vulnerable. In particular, it is shown that a forking server with a stack overflow can be used to completely bypass the combination of stack canaries, the NX bit, variable-strength ASLR/ASLP, and XnR. This is realized through the use of BROP (Blind Return-Oriented Programming), which enables the attacker to scan for and locate the gadgets required to launch a successful exploit. The strength of the overall mitigation is highly dependent on the time required to find the necessary gadgets, which in turn is directly related to the strength of the ASLR implementation. The first known implementation of first-principles BROP is presented, where the issues with implementing it are identified and solved. Moreover, the exploitation technique is improved over standard first-principles BROP to use multithreading and spatial information to speed up the detection of useful gadgets. Multithreading in particular is shown to improve performance greatly. A novel approach to the mitigation of low-level exploitation is suggested, realized with a microservice network. The mitigating mechanism of this solution consists of better isolation, enforced in the strongest case by physical machine barriers. In consequence, the attacker gains less control for the same amount of work. This is demonstrated using an example microservice network of a trivial bank where the attacker’s goal is direct access to the bank database, implemented both as a monolithic system and as a microservice network.
We show that the attacker obtains full access using a single exploit with the monolithic system, whereas on the microservice system the same amount of work only results in control over a single microservice node—hence preventing the attacker from taking control of the asset. We also identify and describe useful design patterns that would benefit a defender.
Has parts
Paper 1. C. Otterstad, On trends in low-level exploitation, NISK 2016. The article is available in the thesis.
Paper 2. C. Otterstad, A brief evaluation of Intel MPX, IEEE SysCon, 13-16 April 2015. The article is available in the thesis. The published version is available at: https://doi.org/10.1109/SYSCON.2015.7116720
Paper 3. C. Otterstad, On the effectiveness of non-readable executable memory against BROP, ATIS 2017, 6-7 June 2017. The article is available in the thesis. The published version is available at: https://doi.org/10.1007/978-981-10-5421-1_18
Paper 4. O. Lysne, K. J. Hole, C. Otterstad, Ø. Ytrehus, R. Aarseth and J. Tellnes, Vendor malware: detection limits and mitigation, in Computer, vol. 49, no. 8, pp. 62-69, Aug. 2016. The article is available in the thesis. The published version is available at: https://doi.org/10.1109/MC.2016.227
Paper 5. C. Otterstad, T. Yarygina, Low-level Exploitation Mitigation by Diverse Microservices, submitted to ESOCC 2017. The article is available in the thesis. The published version is available at: https://doi.org/10.1007/978-3-319-67262-5_4