This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Hi there,

We want to report a vulnerability that is common in binaries on most Linux distributions, where binaries with PIE break common security assumptions (like read-only format strings or immutable vtables).

When a program is not compiled as PIC, the compiler assumes addresses of global variables are known at link time statically. However, this assumption is not upheld when the program accesses a global variable defined in a dynamic library. The ELF specification uses copy relocations to allow programs that are not compiled as PIC to access library variables without having to patch the read-only code segment at runtime. Specifically, a copy relocation instructs the dynamic loader to copy each referenced library global variable to a program-specified location and discard the one in the original library. Unfortunately, such a copy does not preserve the original memory protection, i.e., a read-only library variable in the .rodata section is copied to the writable .bss section in the executable.

Our study shows that such dangerous behavior is prevalent in current software and that certain types of library variables (e.g., C++ vtables, format strings, or code pointers) have security implications. For mitigation, we suggest recompiling programs with the -fPIC flag so that the resultant programs use the Global Offset Table to access library variables instead of relying on copy relocations. This ensures that permissions specified at the language source level remain at runtime.

We have studied all Ubuntu 16.04 LTS packages and found that, out of 54,045 packages, 4,570 packages have unexpected copy relocations that change read-only permissions to read-write, presenting new avenues for attack. The attack surface is broad, with 29,817 libraries exporting relocatable read-only variables. The set of 6,399 programs with actual copy relocation violations includes FTP servers, apt-get, and gettext. We have contacted the Debian and Ubuntu security teams.
This is a problem prevalent in ELF (and in how ELF handles relocations). While current systems mostly don't enforce integrity of code pointers, many upcoming defenses like CFI assume that locations that are "read only" will remain read only at runtime. If not addressed, such relocations allow adversaries to modify read-only data such as format strings or vtables to bypass deployed defenses.

The mitigation is to (a) recompile packages with -fPIC instead of -fPIE or to (b) update the ELF format/loader/linker toolchain so that permissions of individual symbols can be tracked throughout the lifetime of code.

The paper will be published at NDSS on Feb 16. A preprint of the paper is available at: https://nebelwelt.net/publications/files/17NDSS.pdf In the paper, we include a discussion of how MacOS and Windows handle similar issues and discuss possible mitigations in more detail.

We would like your help in addressing this problem, potentially recompiling affected binaries/packages, updating the linker/loader, and assigning a CVE number or numbers if warranted. When addressing/working on this issue, we'd love it if you could reference our research and NDSS paper. We are happy to provide further details.

Thanks,
Mathias, Xinyang, and Trent
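As an added example (not part of the mail above, and not glibc code), a small audit script that flags the copy relocations described in the report by parsing `readelf -rW` output, so a packager can check which library symbols a given executable copies into its writable data segment. The embedded readelf output is constructed for the example, `_ZTV7MyClass` is a placeholder C++ vtable symbol, and `audit_binary` assumes binutils' `readelf` is installed.

```python
"""Report copy relocations (R_*_COPY) in an ELF executable.

A copy relocation moves a library-defined variable into the executable's
writable .bss, so any read-only protection it had in the library is lost.
This script parses `readelf -rW` text and lists every such symbol.
"""
import re
import subprocess

# Relocation type names readelf prints for copy relocations on common targets.
COPY_RELOC_TYPES = {"R_X86_64_COPY", "R_386_COPY", "R_AARCH64_COPY", "R_ARM_COPY"}

# One readelf -rW entry: offset, info, type, then optionally "symvalue symname + addend".
_LINE_RE = re.compile(
    r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(R_\w+)(?:\s+([0-9a-fA-F]+)\s+(\S+))?"
)


def find_copy_relocations(readelf_output):
    """Return a list of (offset, symbol) for each copy relocation in readelf -rW text."""
    found = []
    for line in readelf_output.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group(3) not in COPY_RELOC_TYPES:
            continue  # header, section banner, or a non-copy relocation
        offset = int(m.group(1), 16)
        # Drop the "@VERSION" suffix so callers see the bare symbol name.
        symbol = (m.group(5) or "?").split("@", 1)[0]
        found.append((offset, symbol))
    return found


def audit_binary(path):
    """Run readelf (binutils, assumed installed) on a file and audit its relocations."""
    out = subprocess.run(["readelf", "-rW", path], capture_output=True, text=True, check=True)
    return find_copy_relocations(out.stdout)


# Constructed sample output for a non-PIC executable that copies two library symbols.
SAMPLE_READELF = """\
Relocation section '.rela.dyn' at offset 0x4d8 contains 3 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000403ff0  0000000100000006 R_X86_64_GLOB_DAT      0000000000000000 __libc_start_main@GLIBC_2.34 + 0
0000000000404040  0000000500000005 R_X86_64_COPY          0000000000404040 stdout@GLIBC_2.2.5 + 0
0000000000404060  0000000600000005 R_X86_64_COPY          0000000000404060 _ZTV7MyClass + 0
"""

if __name__ == "__main__":
    for off, sym in find_copy_relocations(SAMPLE_READELF):
        print(f"copy relocation at 0x{off:x}: {sym} now lives in writable .bss")
```

A vtable or format string showing up in this list is the case the report describes; rebuilding the program with -fPIC makes it reference the symbol through the GOT instead, and the entry disappears.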