• This repository has been archived on 12/May/2018
  • Stars
    star
    152
  • Rank 244,685 (Top 5 %)
  • Language
    C
  • License
    Other
  • Created over 9 years ago
  • Updated over 7 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A proposed hardware-based method for stopping known memory corruption exploitation techniques. #nsacyber

Control Flow Integrity

This project captures research to effectively fix the lack of underlying control flow enforcement that would prevent memory corruption exploitation. This mechanism does not exist today but could be implemented in the future by the IT industry.

Hardware Control Flow Integrity (CFI) for an IT Ecosystem

This paper is a brief introduction to the problem of memory corruption and a description of one way to prevent control flow hijacking. It also includes a discussion on the issues that may be encountered in the IT ecosystem when an architectural change like this is introduced.

Additionally, Intel recently disclosed an x86 instruction specification called Control-flow Enforcement Technology (CET) that closely resembles Landhere.

Questions or comments can be sent to [email protected] or submitted to our GitHub issue tracker.

Code

The code folder has examples of software that would leverage the hardware described in the paper. It is hoped that researchers can learn more about the effect and strength of the proposal by reverse engineering and performing static analysis on them. Perhaps demonstrate a way to bypass the mitigation and report via mechanisms described above. The files are:

  • 2 source files that have a buffer overflow of either a return address or a function pointer (i.e. stack-return.c and stack-functionptr.c).
  • 2 Linux binaries of the overflow source files instrumented with new landing point opcodes (i.e. stack-return and stack-functionptr).
  • 2 instrumented Linux libraries that were linked to the example buffer overflow binaries (ld-linux-x86-64.so.2 and libc.so.6).
  • 1 binary of ls, just as a typical Linux utility that has been instrumented with landing point opcodes.

These simple examples should allow one to explore the impact of the CFI countermeasure in a process address space. The binaries should run on any x86 Linux machine. The opcodes will work as NOP's. The landing point opcodes are as follows:

  • CLP: 0x0f,1f,40,aa
  • JLP: 0x0f,1f,40,bb
  • RLP: 0x0f,1f,40,cc

The binaries contain no fine grained label checks. They only have a corresponding Landing Point instruction to any indirect branch as a label, which is coarse grained. If other binaries are desired, we can produce them, if source is provided.

One can extract the gadgets (as defined on line 271/2 in the paper) from the binaries and attempt to chain them together. Note: RLP gadgets are of no semantic use due to the (imaginary) shadow stack. So gadget chains can only contain CLP and JLP based gadgets. To test validity of a claim, one can use gdb to "run" a gadget chain. First one can manually change the memory as an exploit might do by setting a breakpoint at the appropriate place and performing the overwrite(s). Then continue using single stepping. As a substitute for the HW enforcement, whenever an indirect branch occurs one can visually validate it lands on a landing point. If it reaches the goal (e.g. exec("Your string")) without crashing the application, you win and this form of CFI loses. There is no secret right answer.

We believe it's not possible or extremely unreliable to bypass the minimal CFI design (line 116 in the paper) with these code samples (and others like them). Unfortunately, this is the best dynamic tool we can offer for now to allow independent validation.

Other Research

Galois has taken the time and effort to implement a full Linux build of Landhere+ShadowStack concept. This includes instrumented binaries and a VM to create Landhere binaries on one's own. See http://landhere.galois.com/ for more information. Also at the Galois site is a fully instrumented landing point Linux file system that we have used as an exemplar for gadget analysis.

Gadgets

As a convenience, we have extracted all gadgets from the Galois file system and made them available as an attachment to a release. The resulting gadgets are 50 instructions or less and contain 5 or less pre-conditions (e.g. conditional branches).

A gadget is effectively a trace as it would happen if certain conditions were true. Each gadget is represented as a textual assembly listing. There can be multiple traces from a single landing point. If there's a gadget with an indirect function in the middle, that branch is treated as a stub and the trace falls through to the subsequent instruction, an RLP. Gadgets can have nested function calls/flows.

The tarball contains two main subdirectories, exes and libs which reflect the executables and libraries from the Galois set. Each executable is further broken down into raw and filtered. The files in the raw folder contain all possible gadgets. The files in the filtered folder are de-duped (logical and binary) and are labeled for their chaining purpose (return, link, prestitch, poststitch, dispatch loop, atomic).

Return is a gadget that "returns", typically it's a real function. It's intended to be used with the dispatch loop but can also be substituted for a call*.

Dispatch loop is a quasi gadget that is used to chain multiple return gadgets (i.e. "functions").

Link is a forward flowing gadget that does not return (gadget block exit is either a call* or jmp*).

Pre and post stitch gadgets are a sub-genre of link gadgets that can be combined if the stack pointer change is neutral to the shadow stack.

Atomic is the minimal size gadget for a particular free branch. Namely it is the flow from closest preceding landing point. There may be several Atomic gadgets that flow to the same free branch given any pre-conditions. However, because the maximum size is up to 50 instructions, a gadget might also flow through multiple landing points before encountering a free branch. These nested gadgets are included (but aren’t labeled as atomic) to illustrate side effects that might, or might not, be useful since one is not restricted to branching to the nearest landing point from a free branch. Atomic serves to bound the smallest theoretical flows.

License

See LICENSE.

Disclaimer

See DISCLAIMER.

More Repositories

1

Windows-Secure-Host-Baseline

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
HTML
1,538
star
2

WALKOFF

A flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down. #nsacyber
Python
1,191
star
3

goSecure

An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi. #nsacyber
Python
971
star
4

Mitigating-Web-Shells

Guidance for mitigation web shells. #nsacyber
YARA
951
star
5

GRASSMARLIN

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Java
910
star
6

Event-Forwarding-Guidance

Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber
PowerShell
840
star
7

Hardware-and-Firmware-Security-Guidance

Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance. #nsacyber
C
748
star
8

ELITEWOLF

OT security monitoring #nsacyber
560
star
9

Windows-Event-Log-Messages

Retrieves the definitions of Windows Event Log messages embedded in Windows binaries and provides them in discoverable formats. #nsacyber
C#
392
star
10

Mitigating-Obsolete-TLS

Guidance for mitigating obsolete Transport Layer Security configurations. #nsacyber
PowerShell
269
star
11

nsacyber.github.io

NSA Cybersecurity. Formerly known as NSA Information Assurance and the Information Assurance Directorate
PowerShell
257
star
12

AppLocker-Guidance

Configuration guidance for implementing application whitelisting with AppLocker. #nsacyber
PowerShell
204
star
13

Pass-the-Hash-Guidance

Configuration guidance for implementing Pass-the-Hash mitigations. #nsacyber
PowerShell
196
star
14

HIRS

Trusted Computing based services supporting TPM provisioning and supply chain validation concepts. #nsacyber
Java
171
star
15

simon-speck

The SIMON and SPECK families of lightweight block ciphers. #nsacyber
167
star
16

unfetter

Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework. #nsacyber
163
star
17

BAM

The Binary Analysis Metadata tool gathers information about Windows binaries to aid in their analysis. #nsacyber
Python
146
star
18

WALKOFF-Apps

WALKOFF-enabled applications. #nsacyber
YARA
141
star
19

Maplesyrup

Assesses CPU security of embedded devices. #nsacyber
C
140
star
20

RandPassGenerator

A command-line utility for generating random passwords, passphrases, and raw keys. #nsacyber
Java
118
star
21

BitLocker-Guidance

Configuration guidance for implementing BitLocker. #nsacyber
HTML
113
star
22

Certificate-Authority-Situational-Awareness

Identifies unexpected and prohibited certificate authority certificates on Windows systems. #nsacyber
PowerShell
107
star
23

netfil

A kernel network manager with monitoring and limiting capabilities for macOS. #nsacyber
C
103
star
24

LOCKLEVEL

A prototype that demonstrates a method for scoring how well Windows systems have implemented some of the top 10 Information Assurance mitigation strategies. #nsacyber
JavaScript
99
star
25

HTTP-Connectivity-Tester

Aids in discovering HTTP and HTTPS connectivity issues. #nsacyber
PowerShell
96
star
26

Splunk-Assessment-of-Mitigation-Implementations

Automatically scores how well Windows systems have implemented some of the top 10 Information Assurance mitigation strategies. #nsacyber
Python
72
star
27

netman

A userland network manager with monitoring and limiting capabilities for macOS. #nsacyber
C
71
star
28

serial2pcap

Converts serial IP data, typically collected from Industrial Control System devices, to the more commonly used Packet Capture (PCAP) format. #nsacyber
Python
65
star
29

PRUNE

Logs key Windows process performance metrics. #nsacyber
C#
62
star
30

paccor

The Platform Attribute Certificate Creator can gather component details, create, sign, and validate the TCG-defined Platform Credential. #nsacyber
Java
53
star
31

Blocking-Outdated-Web-Technologies

Guidance for blocking outdated web technologies. #nsacyber
PowerShell
51
star
32

Detect-CVE-2017-15361-TPM

Detects Windows and Linux systems with enabled Trusted Platform Modules (TPM) vulnerable to CVE-2017-15361. #nsacyber
PowerShell
49
star
33

Driver-Collider

Blocks drivers from loading by using a name collision technique. #nsacyber
C
45
star
34

simon-speck-supercop

Fast implementations of the SIMON and SPECK lightweight block ciphers for the SUPERCOP benchmark toolkit. #nsacyber
C
43
star
35

Cyber-Challenge

Supporting files for cyber challenge exercises. #nsacyber
Jupyter Notebook
39
star
36

Chinese-State-Sponsored-Cyber-Operations-Observed-TTPs

Supporting files for the Chinese State-Sponsored Cyber Operations: Observed TTPs Cybersecurity Advisory. #nsacyber
34
star
37

AtomicWatch

Intel Atom C2000 series discovery tool that parses log files and returns results if a positive match is found. #nsacyber
Python
25
star
38

CodeGov

Creates a code.gov code inventory JSON file based on GitHub repository information. #nsacyber
PowerShell
22
star