SCRAP: Architecture for Signature-based CRA Protection
Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael Abu-Ghazaleh
Subhankar Pal
Harsha Valsaraju
4/3/2016

Code-Reuse Attacks
• Security exploits that allow attackers to execute arbitrary code on a compromised machine.
• Main idea: Reuse fragments of the existing code
• Approaches:
  • Return-Oriented Programming (ROP)
    • Protections in place - DROP, CFI
  • Jump-Oriented Programming (JOP)
[Figure label: Gadget!]

Jump-Oriented Programming
• A gadget ends with a jmp (indirect jump) statement to transfer control to the next gadget.
• A dispatcher gadget is used to orchestrate the attack.
• Does not rely on return instructions.
• More gadgets required for the attack.

Vulnerability
• All ISAs are vulnerable to JOP attacks.
• Easier to find gadgets for variable-size instruction ISAs.
• Attackers can find gadgets that are unintended by the programmer.

Existing Defenses
• Control Flow Integrity (CFI) checking
  • Involves substantial overhead to track the program’s control flow.
• Code diversification techniques
  • Each time the program is compiled, a different binary is generated.
• Binary rewriting to remove unintended branches.
  • Increases code footprint by 25%.
• Address Space Layout Randomization (ASLR)
  • Exploits are known. For example, format string attacks.

Proposed Solution? SCRAP
• Based on dynamic detection of attack signatures.
  • Indirect jumps are used as gadget boundaries.
• Implementing the signature-based checking logic in hardware saves performance
  • SCRAP incorporates this in the commit stage.
  • Does not significantly affect performance as it is away from the critical path of the processor.
• Accommodates delaying gadgets in the attack signature.
  • For example, function calls consisting of a large number of instructions used to fool detectors.

Exploiting JOP Signatures
• Signature-based defense mechanisms exploit thresholds on
  • Maximum number of instructions per gadget (x)
  • Number of consecutive gadgets (y)
• A SCRAP detector is represented by Gx,y.

Exploiting JOP Signatures
• Observations:
  • There are no gadgets of length >= 8 instructions that are usable.
• Bottom line: usable gadgets are short.

Threat Model for SCRAP
• System has W⊕X support for writable memory to prevent code injection attacks.
• Attacker has access to memory.
  • For example, buffer overflow attacks, string formatting attacks.
• The sequence used to initiate the attack does not lead to a privilege escalation.

SCRAP State Machine
SCRAP detector G4,3 (max # of insns before jmp = t1 = 4; min # of gadgets = 3)
Input sequence: awaxaayaazazaxaw
q3 = Attack detected!
[Animation frames: the number row shown on each slide, followed by the (State, counter value) entries listed for the secure stack]
Frame 1: 0 0 0 0 0 1
Frame 2: 0 0 0 0 0 0
Frame 3: 0 0 0 0 0 1
Frame 4: 0 0 0 0 0 0; (q1, 1)
Frame 5: 0 0 0 0 0 2; (q1, 1)
Frame 6: 0 0 0 0 0 2; (q2, 2), (q1, 1)
Frame 7: 0 0 0 0 0 4; (q2, 2), (q1, 1)
Frame 8: 0 0 0 0 0 2; (q1, 1)
Frame 9: 0 0 0 0 0 3; (q1, 1)
Frame 10: 0 0 0 0 0 1
Frame 11: 0 0 0 0 0 2
Frame 12: 0 0 0 0 0 0; (q1, 2)
Frame 13: 0 0 0 0 0 1; (q1, 2)
Frame 14: 0 0 0 0 0 1; (q1, 2)

SCRAP Microarchitecture
• 3-bit wide field added to each ROB entry to classify instructions.
• SCRAP FSM and counter reside in the commit stage.
• Counter updated when instructions are committing.
• For superscalar machines, how do we schedule counter increment logic?
• What happens if there is more than one jmp ready to retire?
• Simplification: commit throttling
  • Allow only one of the following to commit per cycle:
    • CALL, indirect CALL, indirect jump or RET.

Performance Evaluation
• Simulator used: PTLsim. Hardware: 4-wide superscalar OoO core.
• Benchmarks: 18 C and C++ SPEC CPU2006 benchmarks compiled using gcc on x86.
• Performance drops only due to Commit Throttling and Secure Stack overflow overhead.

False Positive Rate
• The authors observed zero false positives for G7,3.
  • At most 7 instructions in each gadget
  • 3 consecutive gadgets
… except for Firefox
False positive rates rise with increasing # of insns per gadget
False positive rates plummet with increasing # of consecutive gadgets

Software Configurability
• Solution for application variability? Software configurability.
• Configuration can be changed from G7,3 to Gi,j by:
  • Changing t1 threshold register to a value of i.
  • Marking jth state in the FSM to be the “threat detected” state.
• Catch: requires a big enough FSM to accommodate j + large enough counter size for i

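Added example (not from the slides or from the SCRAP authors): a simplified Python model of a Gx,y detector, showing how the two thresholds, the indirect-jump gadget boundary and the secure stack interact, and how changing i and j reconfigures it. The instruction classes, the save/reset on call and restore on return, the handling of an unmatched return, and all traces are assumptions made for illustration; indirect calls and secure stack overflow are not modelled.

```python
from dataclasses import dataclass, field

OP, IJMP, CALL, RET = "op", "ijmp", "call", "ret"  # assumed instruction classes

@dataclass
class Detector:
    """Behavioural model of a G(x, y) detector (simplified, assumed semantics)."""
    x: int                       # t1: max instructions before an indirect jump
    y: int                       # consecutive short gadgets that raise the alarm
    secure_stack_enabled: bool = True
    state: int = 0               # index of q0..qy: short gadgets seen in a row
    counter: int = 0             # instructions committed since the last boundary
    stack: list = field(default_factory=list)  # saved (state, counter) pairs

    def commit(self, kind):
        """Consume one committed instruction; True once state q_y is reached."""
        if kind == IJMP:
            # Gadget boundary: a short run extends the chain, a long one breaks it.
            self.state = self.state + 1 if self.counter <= self.x else 0
            self.counter = 0
        elif kind == CALL and self.secure_stack_enabled:
            self.stack.append((self.state, self.counter))
            self.state, self.counter = 0, 0
        elif kind == RET and self.secure_stack_enabled:
            # Restore the caller's context; an unmatched return starts from q0.
            self.state, self.counter = self.stack.pop() if self.stack else (0, 0)
        elif kind in (OP, CALL, RET):
            self.counter += 1
        else:
            raise ValueError(f"unknown instruction class: {kind!r}")
        return self.state >= self.y

def first_alarm(trace, x, y, secure_stack_enabled=True):
    """Index of the instruction that triggers the alarm, or None."""
    det = Detector(x, y, secure_stack_enabled)
    for i, kind in enumerate(trace):
        if det.commit(kind):
            return i
    return None

# Constructed traces (not from the slides).
SHORT_CHAIN = [OP, OP, IJMP, OP, IJMP, OP, OP, OP, IJMP]
BENIGN = [OP] * 6 + [IJMP] + [OP] * 2 + [IJMP] + [OP] * 9 + [IJMP, OP, IJMP]
DELAYED = [OP, IJMP, OP, IJMP, OP, CALL] + [OP] * 20 + [RET, OP, IJMP]
SIX_LONG = ([OP] * 6 + [IJMP]) * 3

if __name__ == "__main__":
    for name, t in [("short", SHORT_CHAIN), ("benign", BENIGN), ("delayed", DELAYED)]:
        print(name, first_alarm(t, 4, 3), first_alarm(t, 4, 3, False))
```

In this model the DELAYED trace, whose third gadget calls a 20-instruction function, is flagged by G4,3 only when the secure stack is enabled, and the SIX_LONG trace is missed by G4,3 but flagged once the configuration is changed to G7,3.
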
Detection Accuracy
• The libraries used in the experiments had gadgets with < 7 instructions.
• SCRAP detector G7,3 detected 100% of attacks across those libraries.
• The authors claim that every published CRA attack and automation tool used gadgets of size <= 5.

Summary
• SCRAP!
• Incurs minimal performance cost of < 2%.
• Simple hardware implementation.
• Practically no impact on cycle time.
• Does not require compiler or ISA support and thus can be used to protect legacy binaries.
• Causes no false alarms across regular code base.

Discussion
• Is the false positive rate really zero?
• For a new application, how do you determine the thresholds (x and y in Gx,y)?
• What happens when an attack is detected?