Advanced Mitigations Flashcards
Targets for CFH attacks
- Function returns (return instruction pointer on the stack)
- Function pointers (code pointer anywhere)
- Virtual dispatch (code pointer in an object)
- Switch statement (calculated indirect jump target)
Shadow Stack
- Second stack for each thread that keeps track of control data
- Data on the shadow stack is integrity protected implicitly: shadow stack contains only (pointer type) control data, buffer overflows are impossible
- Values from normal and shadow stack are compared to detect attacks
- Limitation: Data corruption is uncaught
- shadow stack stores Caller stack pointer and Return addresses
Safe Stack
- Core idea: For each variable in the stack decide if its safe (variables are safe if they are only used in a safe context, i.e., they don’t escape the current function and are only used with bounded pointer arithmetic)
- Allocate safe variables on safe stack, unsafe variables on unsafe stack
- Performance benefit: An unsafe stack frame is only allocated if any unsafe variable remains
- Limitation: Unsafe data corruption remains uncaught
Control Flow Integrity
- Goal: Restrict the dynamic control flow of the application to the control-flow graph of the application
- Requires two steps:
-> Construct the target sets (based on a static analysis)
-> Enforce the set checks at runtime
CFI: Target Set Construction
- Static analysis can recover an approximation of the control-flow graph
-> Valid functions (highly compatible with other software, but can be imprecise due to large amount of functions)
-> Arity (number of arguments)
-> Function prototypes
-> Class hierarchy analysis (results in small sets but may be incompatible with other source code and some programmer patterns)
CFI: Limitations
- Allows the underlying bug to fire and the memory corruption can be controlled by the attacker (defense only detects the deviation after the fact)
- Over-approximation in the static analysis reduces security
- Is stateless, each state is verified without context
Code-Pointer Integrity
- Goal: enforce integrity of a subset of data
- Sensitive pointers are code pointers plus pointers that access sensitive pointers
Sandboxing
- Different levels of granularity:
-> Kernel isolates process memory (processes cannot access privileged instructions)
-> Containers isolate processes from each other
-> Seccomp restricts processes from interacting with the kernel (restricts available system calls)
-> Software-based fault isolation isolates components in a process (untrusted code may only read/write the untrusted data segment)
What is a stack pivot?
A stack pivot is a technique used in various exploitation scenarios, particularly in Return-Oriented Programming attacks, to redirect the stack pointer (esp on x86 architecture) to a different memory location. This technique is employed to control the flow of execution by manipulating the stack pointer, allowing attackers to execute arbitrary code or bypass security mechanisms.
How do you protect against a stack pivot?
Stack Integrity Protections: Techniques like stack cookies, stack canaries, and stack bounds checks help detect and prevent stack-based exploitation techniques.
Code Signing and Execution Permissions: Limiting code execution permissions and enforcing code signing can prevent attackers from executing arbitrary code even if they manage to control the stack.
Address Space Layout Randomization (ASLR): ASLR randomizes the memory layout of a process, making it harder for attackers to predict the location of gadgets and controlled memory areas.
How does CFI analysis
work through:
- Function Prototype
- Function Arity
-Valid Functions
Function prototype: This is the most precise among the three. It ensures that calls only target functions with a specific signature, including the return type and parameter types. This level of precision significantly narrows down the set of valid targets since both the function’s parameters and its return type must match exactly.
Function Arity: ensures that calls only target functions with a specific number of arguments
Valid functions: This is the least precise among the three. It merely ensures that calls target any valid function, without considering the number of arguments or their types
What is the difference between forward-edge CFI and backward edge CFI?
Forward-edge CFI focuses on ensuring the integrity of control flow transfers that move “forward” in the control flow graph, such as function calls and indirect jumps.
Backward-edge CFI focuses on ensuring the integrity of control flow transfers that move “backward” in the control flow graph, such as function returns.
Shadow stack implementation in software versus hardware
- software: In software implementations, the shadow stack is managed entirely by the compiler and runtime system. software implementation gives Platform Independence and flexibility but performance and memory overhead is higher.
Hardware: the shadow stack is supported directly by the processor, which includes specific instructions and mechanisms for managing the shadow stack. Gives lower performance overhead and stronger security guarantees (isolated in hardware). Downsides : hardware dependency and cost ($)
instrumentation at compile time versus at run-time
Compile-time:
- Enables static boundary checks, catching obvious violations early.
- Reduces runtime overhead by optimizing checks during compilation.
Run-time:
- Handles dynamic behaviors and runtime memory allocations.
- Complements compile-time checks to catch violations that are not predictable statically.
