Imagine driving to a new place: you look up the address, type it into your GPS and follow the directions to get there. But what if it didn't give you any directions? And the layout of the roads changed every time you drove there? You'd have to rely on an outdated roadmap, landmarks, geographic markings and the location of the sun or moon to reach your destination.
While this scenario is unrealistic for modern travelers, it's actually pretty common in the cybersecurity world. A skilled hacker can reach a target destination within a software program with equally primitive methods—even when current security methods change the layout of that information—gaining easy access to anyone's private data.
Stevens Institute of Technology's Georgios Portokalidis is trying to stop them.
"Software programs have access to all types of user information," says assistant professor Portokalidis, "and hackers exploit software bugs to gain control of these programs and access that information with sophisticated, low-level cyberattacks."
Portokalidis explains how in a paper just published at the 2018 IEEE European Symposium on Security and Privacy (Euro S&P) in London, one of the most prestigious conferences in the cybersecurity field.
Practice-attacking software to keep data safe
While most people believe that hackers are innately harmful, "hacker" is a general term. A hacker is an expert on the inner workings of software and hardware who is able to alter them without system permissions for malicious—or altruistic—purposes.
Portokalidis and his students in the Department of Computer Science are altruistic "white hat" hackers. His research involves developing novel methods of practice-attacking software to keep malicious "black hat" hackers on their toes and shift the balance of power back to the white hat hackers in the cybersecurity world.
In his Euro S&P paper, Portokalidis developed a proof-of-concept attack against telecom server Asterisk and internet browser Mozilla Firefox to demonstrate one of these techniques. He revealed that mounting low-level attacks on software programs is easier than previously believed. In order to mount these kinds of attacks, cybersecurity experts thought hackers needed to find an information-disclosure vulnerability to leak the layout of a program in memory. One well-known and highly respected defense against these kind of attacks in called an address space layout randomization (ASLR), and it randomizes the layout of a program’s information every time it runs—or, per the opening example, changing the layout of the roads.
But Portokalidis’ research demonstrates for the first time that certain kinds of cyberattacks can actually bypass ASLR, as well as more advanced defenses based on randomization, including information-leaking attacks that don’t reveal process layout.
A cut-and-paste attack on code
The attack in question is a code-reuse attack, which triggers existing bugs in programs to take control off them and execute arbitrary instructions by combining existing code in creative ways. According to the paper: "Code-reuse attacks chain existing code together by positioning the addresses of carefully selected code fragments in memory." From there, a hijacked code pointer redirects execution to the first fragment, which uses one of the false addresses to execute the attack.
Basically, it pieces together bits of pieces of code that’s similar enough for the program to read the message, like "a ransom note where letters from existing pages are clipped and glued together," according to Portokalidis.
One of the most popular instances of code-reuse attacks employ a technique called return-oriented programming (ROP), which uses function returns to chain code segments together. Portokalidis and his co-authors developed a new multi-step version of that technique called "Position-Independent Return-Oriented Programming" (PIROP). It works like this:
- Have a program generate a blueprint of a payload in its memory by providing appropriate input
- Trigger bugs in that program that enable illegally overwriting program memory relative to critical program structures to customize the payload for the given program
- Trigger the bug one last time to activate the payload
This PIROP tactic was able to successfully bypass existing security measures for both Asterisk and Firefox, as the paper summarizes: "[this technique] bypasses all defenses against information disclosure… requires no disclosure [on behalf of the program] and no attacker-provided pointers [it can create its own]... never reads the code [so] destructive code reads are powerless… and is generally resistant to traditional code re-randomization."
All of those tactics are typical cybersecurity measures for major pieces of software. Discovering a way that consistently discloses their weakness is a really good way to create a solution.
That’s why Portokalidis plans to continue developing novel offensive techniques—and other methods and tools to improve the resiliency of software against attacks.
"Designing and carrying out attacks at this level is highly complex, and requires detailed knowledge of how computer systems operate," Portokalidis adds. "These attacks are challenging to counter, but it is our hope to stop these and all future cyberattacks so we can secure sensitive, private data."