macOS and ROP attacks

Postby jihlau » Sun Oct 01, 2017 10:33 am

Hello,

I'm curious about the state of defences the current macOS has in respect of ROP attacks. I understand that the idea is difficult to defend against (bypassing DEP, ASLR et al.) but am curious whether Apple has managed to implement innovative or other defences of any particular strength, say compared to other operating systems.

I found a small project that disables SIP using an attack on 10.11.x (but it no longer seems to work on 10.12): https://github.com/jndok/stfusip
I've also read about this protection model: https://people.csail.mit.edu/hes/ROP/Re ... G-Free.pdf

thanks

j.

Re: macOS and ROP attacks

Postby littlelailo » Sun Oct 01, 2017 3:46 pm

There is the idea of control-flow integrity.
The basic concept behind this is that if you use ROP gadgets you only use parts of a function (jump into the middle of them etc.).
So control-flow integrity will always check (on indirect calls and return statements) if the address the program will jump to is the beginning of a function.
If this is not the case, CFI will kill the binary.
As far as I'm aware, Apple hasn't any implementation of this. If you want to look at it anyway, Microsoft Edge has some sort of protection mechanism built into it which will check for those things.

But there is a problem with this technique: you trade security for performance (some code has to perform the checks) and memory usage (the code needs information on whether an address is a function head or not).
This is why the recent implementations will only check if the new address is a function and not if the new address is a function which the caller is allowed to call.
And we can abuse this using a new technique called LOP (loop-oriented programming; you won't find much about it online).
For LOP you first need a function gadget which performs indirect calls on an array of functions. The attacker needs control over this array, in the sense that he can swap out function pointers or even pass a completely arbitrarily chosen pointer to an array of functions. Then you need functions which will modify registers and functions which can call interrupts based on registers or change the layout of the stack.
Now an attacker creates an array of functions which will slowly set up registers and in the end call an interrupt or some "magic" function like libc's system.
This will bypass all recent CFI implementations, but because there are not many it is not needed yet, and because of that there are only a few papers online.
Most times it is even simpler... for example, when you attack a browser you can just use JIT, but Apple and other vendors try to invent other mitigations against those kinds of attacks.

If you know ROP well and think about LOP for some time you will come up with a problem: how to stack-pivot. But there are already methods for it:
you can use a function which will clean up the arguments of the callee and call it with a function which will clean up the arguments by itself (there are special terms for those two types of functions).
This will move the stack up a bit, which is oftentimes enough to get it into areas with attacker-controlled data.
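To make the distinction in the reply above concrete, here is a small C model of a coarse-grained forward-edge CFI check (any known function head is accepted) beside a per-call-site check that also asks whether this caller may reach that head. It is an added illustration, not code from this thread or from Apple's or any vendor's implementation; the function names, the call site and the four-byte mid-function offset are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of forward-edge CFI checks, not Apple's or any vendor's code. */
typedef int (*handler_t)(int);
static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Every function entry point ("head") reachable through an indirect call. */
static const handler_t function_heads[] = { double_it, negate };
#define N_HEADS (sizeof function_heads / sizeof function_heads[0])

/* Coarse-grained CFI: the target must be some known function head. */
int cfi_coarse_allows(handler_t target) {
    for (size_t i = 0; i < N_HEADS; i++)
        if (function_heads[i] == target) return 1;
    return 0;
}

/* Fine-grained CFI: the target must be a head this call site may reach. */
int cfi_fine_allows(const handler_t *allowed, size_t n, handler_t target) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == target) return 1;
    return 0;
}

/* A call site whose only legitimate callee is double_it. Returns 1 if the
 * chosen policy permits the call, 0 where CFI would abort the process. */
int site_allows(handler_t target, int fine_grained) {
    static const handler_t allowed_here[] = { double_it };
    return fine_grained ? cfi_fine_allows(allowed_here, 1, target)
                        : cfi_coarse_allows(target);
}

/* Guarded indirect call at that site: check first, then call. */
int dispatch_double(handler_t target, int arg, int fine_grained, int *out) {
    if (!site_allows(target, fine_grained)) return 0;
    *out = target(arg);
    return 1;
}

/* Address a few bytes inside double_it (a mid-function target); only compared, never called. */
handler_t mid_function_target(void) { return (handler_t)((uintptr_t)double_it + 4); }

int main(void) {
    int out = 0;
    printf("mid-function target, coarse: %d\n", site_allows(mid_function_target(), 0)); /* 0 */
    printf("negate at double_it site, coarse: %d\n", site_allows(negate, 0));          /* 1 */
    printf("negate at double_it site, fine: %d\n", site_allows(negate, 1));            /* 0 */
    printf("double_it, fine: %d -> %d\n", dispatch_double(double_it, 3, 1, &out), out); /* 1 -> 6 */
    return 0;
}
```

The second line of output is the gap the reply describes: the coarse policy rejects a mid-function address but accepts any function head, even one this call site was never meant to reach, while the per-site policy rejects it.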

Re: macOS and ROP attacks

Postby Siguza » Sat Oct 07, 2017 8:13 pm

jihlau wrote:
I'm curious about the state of defences the current macOS has in respect of ROP attacks. I understand that the idea is difficult to defend against (bypassing DEP, ASLR et al.) but am curious whether Apple has managed to implement innovative or other defences of any particular strength, say compared to other operating systems.

macOS has DEP, (K)ASLR, SMEP and on some newer hardware, SMAP. Those are all that I'm aware of, and my ROP chain is purring like a kitten on High Sierra 10.13.0. ¯\_(ツ)_/¯