Group of Software Security In Progress

GoSSIP @ LoCCS.Shanghai Jiao Tong University

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code

Paper download

INTRODUCTION

Code diversification: a defense against code-reuse attacks

  • The paper presents side-channel attacks that leak diversified code: three fault analysis attacks and four timing attacks.
  • It evaluates the effectiveness of the different side channels.
  • It demonstrates a side-channel attack against Apache.

RELATED WORK

Code Diversification

ASLR

  • instruction level
  • function or basic blocks level (fine-grained ASLR)

NOP insertion

Attacks on Diversified Code

  • Entropy exhausting attacks
  • BROP attack

Requires repeatedly crashing the process; the program restarts automatically after each crash, and memory is not re-randomized.

Usually requires two vulnerabilities: one to read memory and one to write memory.

  • JIT
  • leveraging cache- and TLB-based side channels
  • garbage collection to leak addresses

Side Channel Attacks on Cryptography Implementations

  • Timing
  • Fault Analysis
  • Caches
  • Physical Access

SIDE CHANNEL ATTACKS ON DIVERSIFIED CODE

Fault Analysis Attacks

The attacker can send a payload, receive the result of its execution, and from that result learn what was executed.

  • Overwrite Data

Learn the location of 0x00 bytes

  • Overwrite Data Pointer

Learn how many array values must be summed to reach 100

  • Overwrite Code Pointer

Guess whether a function address is valid

Timing Attacks

  • Crafted Input

Learn whether the NOP was inserted in block 1 or block 2

  • Overwrite Data

  • Overwrite Data Pointer

Guess the location of the ret instruction (0xc3)

  • Overwrite Code Pointer

func1, func2, func3: t1, t2, t3

SIDE CHANNEL EFFECTIVENESS

Evaluate how useful the leaked code information is, using libc as the target.

Metrics

  • USS (uncertainty set size metric)

The USS of a function is the cardinality of the set of other functions that have the same measurement associated with it (i.e., how many other functions share the same side-channel characteristics).

A function that differs from every other function has a USS of 0.

  • The experiments use function-level randomization.

  • According to the study, the most important property of a gadget set is the ability to invoke system calls.

  • An analysis of the Ubuntu Top 500 packages, covering 3989 distinct libraries, found that apart from libc only three libraries contain system call gadgets: libgomp, libxul, and libjvm.

Byte Sequences

Return Instructions

Output

Timing
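
To make the USS metric defined above concrete, here is an added example (not code from the paper or from GoSSIP) that computes USS over a constructed table of functions for any combination of the four measurement kinds just listed (byte sequence, return instruction position, output, timing). The function names, measurement values and channel keys are all made up for illustration; the point is how USS shrinks as channels are combined and which functions end up uniquely identified.

```python
"""Uncertainty set size (USS) over leaked code measurements.

Added example, not code from the paper or from GoSSIP. The function table
is constructed: the four measurement kinds mirror the ones listed in the
notes (byte sequence, return instruction position, output, timing), but
every value below is made up for illustration.
"""
from collections import Counter

# Constructed sample: function name -> what each side channel would reveal.
FUNCTIONS = {
    "strlen":  {"bytes": "48 85 ff", "ret_off": 0x24, "output": "len", "timing": "fast"},
    "strnlen": {"bytes": "48 85 ff", "ret_off": 0x24, "output": "len", "timing": "fast"},
    "memcpy":  {"bytes": "48 89 f8", "ret_off": 0x41, "output": "ptr", "timing": "fast"},
    "memmove": {"bytes": "48 89 f8", "ret_off": 0x41, "output": "ptr", "timing": "fast"},
    "memset":  {"bytes": "48 89 f8", "ret_off": 0x41, "output": "ptr", "timing": "fast"},
    "system":  {"bytes": "48 83 ec", "ret_off": 0x9c, "output": "int", "timing": "slow"},
    "execve":  {"bytes": "b8 3b 00", "ret_off": 0x10, "output": "int", "timing": "fast"},
}


def uss(functions, channels):
    """Return {name: USS}: for each function, the number of *other* functions
    whose measurements on every chosen channel equal its own."""
    def key(m):
        return tuple(m[c] for c in channels)
    counts = Counter(key(m) for m in functions.values())
    return {name: counts[key(m)] - 1 for name, m in functions.items()}


def identified(functions, channels):
    """Names with USS 0: this channel combination pins them down uniquely."""
    return sorted(n for n, u in uss(functions, channels).items() if u == 0)


def mean_uss(functions, channels):
    """Average USS over all functions; lower means the channels leak more."""
    u = uss(functions, channels)
    return sum(u.values()) / len(u)


if __name__ == "__main__":
    for chans in (["timing"], ["ret_off"], ["bytes", "ret_off", "output", "timing"]):
        print(f"{'+'.join(chans):>28}: mean USS {mean_uss(FUNCTIONS, chans):.2f}, "
              f"uniquely identified {identified(FUNCTIONS, chans)}")
```

Timing alone leaves most of the constructed table in one large uncertainty set, while the return-instruction offset already singles out two functions; combining channels can only lower USS. Given the note above that system-call gadgets live in only a handful of libraries, the practical question for a defender is not the average USS but whether the channels drive the USS of those specific functions to 0.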

MEASUREMENTS AND RESULTS

Attack

  • timing attack against Apache 2.4.7
  • evaluate the accuracy of timing information for two types of networks: a 802.11g wireless network and a wired LAN with two routers.

Under four code diversification defenses:

  • coarse-grained ASLR
  • function permutation (medium-grained ASLR)
  • basic block randomization (fine-grained ASLR)
  • NOP insertion

Setup

  • glibc 2.16
  • Stack overflow vulnerability (CVE-2004-0488)

overwrite fmt->nelts

Slow Timing Attack

Fast Timing Attack

Coarse-Grained ASLR

  • the location of the executable is not randomized
  • fast timing attack
  • 30.58 sec (22 × 1.39 sec)

Medium-Grained ASLR

  • slow timing attack
  • 8.6 hours to complete on the LAN (717 × 43.2 sec)

Fine-Grained ASLR

  • a week to complete on the LAN (13866 × 43.2 sec)

NOP Insertion

  • 2.2 hours to complete on the LAN (190 × 43.2 sec)
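
To make the LAN-versus-wireless accuracy comparison above concrete, here is an added example (not code from the paper or from GoSSIP) that models what an observer of response times can and cannot tell apart. It uses constructed, seeded round-trip samples to estimate how many repeated measurements are needed before two code paths whose server-side cost differs by a small delta become distinguishable under LAN-like versus wireless-like jitter, and it checks a hypothetical mitigation that pads every response to a fixed deadline against the same test. The latency figures, jitter values, sample counts and the deadline are all assumptions, not numbers from the paper.

```python
"""Distinguishing two code paths through network timing noise.

Added example, not code from the paper or from GoSSIP. All round-trip
samples are constructed with a seeded generator; latencies, jitter values
and the fixed-deadline padding are hypothetical and only illustrate why
the network matters and what a constant-response-time mitigation changes.
"""
import math
import random
import statistics


def simulate_rtts(server_ms, jitter_ms, n, seed, deadline_ms=None):
    """Constructed RTT samples: server-side time (optionally padded up to a
    fixed deadline, the hypothetical mitigation) plus Gaussian network jitter."""
    rng = random.Random(seed)
    served = server_ms if deadline_ms is None else max(server_ms, deadline_ms)
    return [served + rng.gauss(0.0, jitter_ms) for _ in range(n)]


def distinguishable(a, b, z=3.0):
    """Two-sample z-test on the means: True when the observed gap exceeds
    z standard errors, i.e. an observer could tell the two paths apart."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    se = math.sqrt(statistics.variance(a) / len(a) + statistics.variance(b) / len(b))
    return abs(ma - mb) > z * se


def samples_needed(delta_ms, jitter_ms, z=3.0):
    """Closed form of the same test: samples per path before a true timing
    difference delta_ms stands out at z sigma against jitter sigma jitter_ms."""
    return math.ceil(2 * (z * jitter_ms / delta_ms) ** 2)


if __name__ == "__main__":
    delta = 0.5  # hypothetical server-side difference between the two paths, ms
    for label, jitter in (("LAN-like", 1.0), ("wireless-like", 10.0)):
        print(f"{label:>14} jitter {jitter:4.1f} ms: "
              f"{samples_needed(delta, jitter)} samples per path")

    # Unpadded: the 0.5 ms difference is visible after 2000 samples per path.
    fast = simulate_rtts(10.0, 1.0, 2000, seed=1)
    slow = simulate_rtts(10.5, 1.0, 2000, seed=2)
    print("unpadded distinguishable:", distinguishable(fast, slow))

    # Padded to a 20 ms deadline: both paths present the same server-side
    # time, so only the noise term is left for the observer.
    fast_p = simulate_rtts(10.0, 1.0, 2000, seed=1, deadline_ms=20.0)
    slow_p = simulate_rtts(10.5, 1.0, 2000, seed=2, deadline_ms=20.0)
    print("padded distinguishable:", distinguishable(fast_p, slow_p))
```

The sample count grows with the square of the jitter-to-delta ratio, which is the whole reason a noisier wireless link raises the cost of a timing attack and why each probe in the results above is a repeated measurement rather than a single round trip. Padding responses to a deadline does not remove the network noise, but it removes the server-side difference the noise was hiding, so more samples no longer help the observer.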