iTOP: Automating Counterfeit Object-Oriented Programming Attacks

Exploiting a program requires a security analyst to manipulate data in program memory with the goal of obtaining control over the program counter and escalating privileges. However, this is a tedious and lengthy process because: (1) the analyst has to massage program data so that a logical, reliable data-passing chain can be established, and (2) depending on the attacker's goal, certain fine-grained protection mechanisms already in place need to be bypassed. Previous work has proposed various techniques to facilitate exploit development. Unfortunately, none of them can be easily used to address these challenges, because data in memory is difficult for an analyst who does not know the peculiarities of the program to massage, and because the attack specification is usually available only as text and is not automated at all. In this paper, we present indirect transfer oriented programming (iTOP), a framework to automate the construction of control-flow hijacking attacks in the presence of strong protections including control-flow integrity (CFI), data execution prevention, and stack canaries. Given a vulnerable program, iTOP automatically builds an exploit payload consisting of a chain of viable gadgets whose memory constraints are solved with an SMT solver. One salient feature of iTOP is that it contains 13 attack primitives powered by a Turing-complete payload specification language, ESL. It also combines virtual and non-virtual gadgets using COOP-like dispatchers. As such, when searching for gadget chains, iTOP can respect, for example, a previously enforced CFI policy by using only legitimate control-flow transfers. We have evaluated iTOP on a variety of programs and demonstrated that it can successfully generate exploits with the developed attack primitives.
