Automated reduction of attack surface using call graph enumeration
1. Automated reduction of attack surface
using call graph enumeration
Ruo Ando
National Institute of Informatics, Japan
2018 2nd International Conference on
Management Engineering, Software
Engineering and Service Sciences (ICMSS)
Jan 13-15, 2018 in Wuhan, China
SESSION 1: Software Engineering and System Modeling
13:30 – 13:45
2. Attack surface
Vulnerable function
CVE-2013-4371
Use-after-free Xen Hypervisor
under high memory pressure
What is an attack surface ?
The Attack Surface of an application is:
1.the sum of all paths for data/commands
into and out of the application, and
2.the code that protects these paths
(including resource connection and
authentication, authorization, activity
logging, data validation and encoding), and
3.all valuable data used in the application,
including secrets and keys, intellectual
property, critical business data, personal
data and PII, and
4.the code that protects these data
(including encryption and checksums,
access auditing, and data integrity and
operational security controls).
For simplification, in this paper,
we define attack surface as function
call graph from malicious input
to vulnerable function.
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
Malicious input
3. Abstract: Attack surface reduction
In this paper, we propose a method of
attack surface reduction using
enumeration of call graph.
① Proposal system is divided into two
steps: enumerating edge E[Function Fi,
Function Fi+1] and constructing call graph
by recursive search of [E1, E2, En].
② Proposed method enables us to find the
sum of paths of which leaf node is
vulnerable function VF. Also, root node RF
of call graph is part of program which is
open to attacker.
③ Therefore, call graph [VF, RF] can be
eliminated according the situation where
the program is running.
We apply proposal method to the real
programs (Xen) and extracts the attack
surface of CVE-2013-4371.
Malicious input
vulnerability
4. TARGET: Xen Open Source Hypervisor Software
# global -t cmdtable_lookup
cmdtable_lookup tools/libxl/xl_cmdtable.c 390
INPUT
20struct cmd_spec cmd_table[] = {
34 { "list",
35 &main_list,
36 "List information about all/some domains",
37 "[options] [Domain]¥n",
38 "-l, --long Output all VM details¥n"
39 "-v, --verbose Prints out UUIDs",
40 },
134 { "migrate-receive",
135 &main_migrate_receive,
136 "Restore a domain from a saved state",
137 "- for internal use only",
138 },
This attack surface can be eliminated (reduced).
https://www.xenproject.org/
VULNERABLE FUNCTION
libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
5. TARGET: CVE-2013-4371
Use-after-free Xen Hypervisor
402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
388libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
389{
390 libxl_cpupoolinfo *ptr, *tmp;
397 poolid = 0;
398 for (i = 0;; i++) {
399 info = xc_cpupool_getinfo(ctx->xch, poolid);
400 if (info == NULL)
401 break;
402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
403 if (!tmp) {
404 LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
405 free(ptr);
406 xc_cpupool_infofree(ctx->xch, info);
407 return NULL;
408 }
409 ptr = tmp;
410 ptr[i].poolid = info->cpupool_id;
411 ptr[i].sched_id = info->sched_id;
412 ptr[i].n_dom = info->n_dom;
413 if (libxl_cpumap_alloc(ctx, &ptr[i].cpumap)) {
414 xc_cpupool_infofree(ctx->xch, info);
415 break;
416 }
417 memcpy(ptr[i].cpumap.map, info->cpumap, ptr[i].cpumap.size);
418 poolid = info->cpupool_id + 1;
419 xc_cpupool_infofree(ctx->xch, info);
420 }
realloc use-after-free vulnerability
Use-after-free vulnerability in the
libxl¥_list_cpupool function in the libxl
toolstack library in Xen 4.2.x and 4.3.x,
when running "under memory pressure,"
returns the original pointer when the
realloc function fails, which allows local
users to cause a denial of service (heap
corruption and crash) and possibly
execute arbitrary code via unspecified
vectors.
At line 402, Xen uses realloc for reallocating
the memory. Note that the address of
libxl_cpupoolinfo is already assigned outside of
this routine. Under high pressure, realloc can
not extend the memory from the original
pointer which is already obtained. in this case,
realloc newly yielding the address which
remaining the data to be written.
FOR LOOP without boundary
condition is dangerous
*tmp is return value of realloc
6. User-after-free (aka heap spray) : CVE-2013-4371 Xen hypervisor
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-
attacks.html
create()
free()
realloc() use()
Jump to payload
on heap
ROP + Shellcode
int *tmp = (int*)realloc(k,(N+1)*sizeof(int));
if( tmp!=NULL ){
k = tmp;
puts("________realloc(k)_________");
for(i=0; i<N+1; i++){
printf("&k[%d]:%p ,
k[%d]=%d¥n",i,&k[i],i,k[i]);
}
}
realloc() allocates new area if realloc() fails to expand
the pointer of first argument.
Consequently, the string is saved but the address is changed.
If too many realloc() is invoked, DoS is enabled by adversary and an arbitrary
malicious string can be executed.
void* realloc (void* ptr, size_t size);
7. ① enumerating function call graph of routine(R[I], N[J], F[K])
② enumerating invocation list(I[O], M[P], F[Q])
③generating list (R,N) for each F
F[k] {(R[i1], N[j1]), (R[i2], N[j2]) . . }
④ For each invocation list(I[O], M[P], F[K]),
Detecting a position of S[x] of M[P] in list F[k]{R[i]N[j]..} with binary search
⑤ Concatenating (R[I], S[x-1], F[k]) and (I[O],F[Q]) of S[x-1]
⑥ Generating a list of E({(R[i], S[x-1], F[k]), (I[O], M[P], F[K])} ...) by repeating ④ and ⑤.
E is enumerable. That is, ⑥ should be finished in finite steps.
⑦ Enumerating CG (Call Graph) of E({(R[i], S[x-1], F[k]),(I[O], M[P], F[K])} ...) from vulnerable function to malicious input.
Exit Condition 1:node is EMPTY
Exit Condition2:node is MAIN
https://github.com/RuoAndo/Saturator/blob/master/postgres/ex.py
Algorithm of detecting attack surface
10. Conclusion: automated attack surface reduction is possible !
In this paper, we propose a method of
attack surface reduction using
enumeration of call graph.
① Proposal system is divided into two
steps: enumerating edge E[Function Fi,
Function Fi+1] and constructing call graph
by recursive search of [E1, E2, En].
② Proposed method enables us to find the
sum of paths of which leaf node is
vulnerable function VF. Also, root node RF
of call graph is part of program which is
open to attacker.
③ Therefore, call graph [VF, RF] can be
eliminated according the situation where
the program is running.
Malicious input
vulnerability
Proposal method can detect attack surface in major
open source software such as xen CVE-2013-4371 in
feasible computing time (2-7 hours).