Native Language Exploitation
|
|
- Tabitha King
- 6 years ago
- Views:
Transcription
1 Native Language Exploitation András Gazdag CrySyS Lab, BME CrySyS Lab
2 Memory errors and corruption Memory error vulnerabilities are created by programmers and exploited by attackers Attackers can read or write arbitrary memory locations in the program Implementing safe software in C/C++ is almost impossible C and C++ are memory unsafe C and C++ standard: Memory errors are undefined behaviors Programmers are responsible for the entire memory management and bound checking of a program Thus, a huge amount of unsafe code exists worldwide Native codes are still appealing due to performance issues E.g., Google Chrome was written in C++ Memory Corruption 2
3 Exploiting memory errors corruption 1. Make a pointer invalid Go out of the bounds of the pointed object» Incrementing an array pointer à buffer overflow» Indexing bugs à integer overflow» Utilizing allocation failure à a null pointer can be created When the pointed object gets deallocated» Dangling pointer: Points to a deleted object 2. Dereference that pointer à trigger the error Spatial error: dereferencing an out-of-the-bound pointer Temporal error: dereferencing a dangling pointer à use-after-free vulnerability Read from or write to the address pointed by the invalid pointer» Examples: format string vulnerability, buffer overflows printf (user_input); // if user_input is %2$x, the 2nd integer on the stack is printed Memory Corruption 3
4 Exploiting memory errors - attacks 1. Information leak Leak information to trigger exploitation Real-world exploits bypass ASLR by using leaked addresses 2. Data-only attack The goal is to gain more control E.g., variable overwrite via buffer overflow Neither code nor code pointers are modified bool is_root = false; if (is_root) { /* privileged functionality */ Data Integrity policy can prevent the integrity of variables Data Space Randomization brings entropy into all the data representation Memory Corruption 4
5 Exploiting memory errors - attacks 3. Control-flow hijack attack Code pointer (e.g., function pointer) is overwritten to divert control-flow» The attacker needs to know the address of his payload» Address Space Layout Randomization (ASLR) can prevent it Or, the attacker can only indirectly control the instruction pointer» Indirect function call, indirect jump or return instruction» Control-flow Integrity (CFI) policy can detect it Shellcode injection and execution is diverted» Non-executable Data policy disables code execution on data memory pages» Combination of Code Integrity and Non-executable Data is the Write XOR Execute policy à JIT or self-modifying code evades it Or, code reuse attacks» Return-to-LibC, Return-oriented Programming, Jump-oriented Programming 4. Code corruption attack Overwrite a program code in memory Code integrity policies cannot be enforced entirely» E.g., Just-in-Time compilers for JavaScript or Flash create writable pages Memory Corruption 5
6 x86 Machine code, Memory layout, Stack operations
7 Intel x86 main registers Register: 32-bit storage inside the microprocessor General registers: eax, ebx, ecx, edx, esi, edi Special purpose registers esp stack pointer ebp stack frame (base) pointer function context eip instruction pointer, stores the address of the next instruction to process Data Addressing modes Direct specifying a value directly, e.g. eax or 0x07B3 Indirect specifying the address that stores the value, e.g. [ecx] or [0x0012FE10] or even [ebp+12] Memory Corruption 7
8 Intel x86 instructions Name MOV <dest>, <src> ADD <op1>, <op2> SUB <op1>, <op2> CMP <op1>, <op2> AND <op1>, <op2> OR <op1>, <op2> XOR <op1>, <op2> Description Moves data from <src> to <dest> <dest> := <src> Adds two integers <op1> := <op1> + <op2> Subtracts an integer from another <op1> := <op1> - <op2> Compares two integers and sets the flags, just like SUB <op1>, <op2> Bitwise AND of two integers <op1> := <op1> AND <op2> Bitwise OR of two integers <op1> := <op1> OR <op2> Exclusive OR of two integers <op1> := <op1> XOR <op2> Memory Corruption 8
9 Intel x86 flags Stored in the status register, called FLAGS (F) Name ZF zero flag CF carry flag SF sign flag OF overflow flag PF parity flag Description Set to 1 if the result of the last arithmetic operation was zero Set to 1 if the last arithmetic operation caused carry or borrow in the most significant bit Set to 1 if the result of the last arithmetic operation was a negative value Set to 1 if the last arithmetic operation caused overflow Set to 1 if the least significant byte of the result of the last arithmetic operation contains an even number of 1 bits Memory Corruption 9
10 Intel x86 control instructions Name JMP <addr> or JMP <offs> J<cond> <offs> Description Jump, i.e. continues the code execution from a new address (absolute or relative) eip:=<addr> or eip:=eip + <offs> Jumps if condition is true (otherwise continues with next instr.) if (cond) then eip:=eip + <offs> Some possible conditions: Z / NZ zero / non-zero, example: JZ <offs> / JNZ <offs> E / NE equals (ZF=1) / not equals (ZF=0) C / NC carry / no carry S / NS sign, i.e. negative / no sign, i.e. zero or positive O / NO overflow / no overflow P / NP parity / no parity A, NBE (unsigned) above, not below or equal (CF=0 and ZF=0) BE, NA (unsigned) below or equal, not above (CF=1 or ZF=1) L, NGE (signed) less, not greater than or equal (SF<>OF) GE, NL (signed) greater than or equal, not less (SF=OF) Memory Corruption 10
11 Intel x86 stack handling and flow control Name PUSH <value> POP <dest> LEAVE CALL <addr> CALL <offs> RET Description Places <value> on top of stack [esp] esp := esp 4 [esp] := <value> Loads a value from the top of stack to <dest> <dest> := [esp] esp := esp + 4 Used at the end of functions, shortcut for MOV esp, ebp POP ebp Stores the return address on the stack and calls (relative or absolute jump) a function PUSH eip JMP <add> / JMP <offs> Loads the top of the stack into the eip instruction pointer (and so jumps back / to the return address) POP eip Memory Corruption 11
12 The memory address layout Typical placement of various data and variables: int a= ; int b; char *c="hello World!"; int function(int input) { int d; int e= ; char f[]="local string"; static long g; char *h=(char*)malloc(100); // return e; 0x xFFFFFFFF Code Data Heap Stack Memory Corruption 12
13 Memory segmentation (ELF binaries) 0xFFFFFFFF Kernel Environment variables Stack Data segment (heap) Data segment (.bss) Data segment (.data) Code segment (.text) Stack segment includes Local variables Values required for procedure call Data segment heap: dynamically allocated memory. bss: Uninitialized global & static variables.data: Initialized global & static variables Code Segment: Executable instructions Typically read-only Shared libraries 0x Memory Corruption 13
14 Stack Stack is built up from several stack frames belonging to functions. Each stack frame comprises: Function parameters Return address Saved Frame Pointer (Saved EBP, =Frame pointer of the preceding frame) Local variables Previous frame Higher memory addresses Function parameters Return address Saved EBP (SFP) Local variables Free memory ß EBP ß ESP Memory Corruption 14
15 The local variables and the stack frame Information stored in the stack for a function Parameters (arguments) Return address Saved base pointer (EBP) Local variables Stack frame 0xFFFFFFFF Mem.addr. 0x EBP register is used to point to the actual stack frame But not to the top of the stack (that's ESP) EBP points to where the caller's EBP is saved Local variables are at EBP-x (from ESP to EBP-4) Return address is at EBP+4 Parameters are at EBP+8, EBP+12, Memory Corruption 15
16 Stack frame example The stack in calling and returning from function addnum LIFO principles Grows towards lower memory addresses ß ESP ESP: stack pointer, points to the top of the stack STACK 0x Memory Corruption 16
17 Stack frame example mov dword ptr [b],3 ; Moving 3 to the address pointed by variable b mov eax,dword ptr [b] ; Storing that value in register eax push eax ; Pushing b to stack and decreasing ESP by addressing size 3 (b) ß ESP int main(void){ int a, b, c; a=7; b=3; c = addnum(a,b); printf("result is: %d", a+b); STACK 0x Memory Corruption 17
18 Stack frame example mov dword ptr [a],7 ; Moving 7 to the address pointed by variable a mov ecx,dword ptr [a] ; Storing that value in register ecx push ecx ; Pushing a to stack and decreasing ESP by addressing size 3 (b) 7 (a) ß ESP int main(void){ int a, b, c; a=7; b=3; c = addnum(a,b); printf("result is: %d", a+b); STACK 0x Memory Corruption 18
19 Stack frame example call addnum ; Pushing the address of the next instruction (return addr.) ; (0x ) to the stack and calling function addnum & ; decreasing ESP 3 (b) 7 (a) 0x (ret addr.) ß ESP int main(void){ int a, b, c; a=7; b=3; c = addnum(a,b); printf("result is: %d", a+b); STACK 0x Memory Corruption 19
20 Stack frame example Every function starts with function prologue: à push ebp ; Saves the previous frame pointer (EBP also called Saved FP) mov ebp,esp ; Currently the EBP points to SFP sub esp, 0x10 ; Saving space for the local variables of the function 3 (b) 7 (a) 0x (ret addr.) Saved EBP (SFP) ß ESP int addnum(int a, int b){ int c = 4; c = a + b; return c; STACK 0x Memory Corruption 20
21 Stack frame example Every function starts with function prologue: push ebp ; Saves the previous frame pointer (EBP also called Saved FP) à mov ebp,esp ; Currently the EBP points to SFP sub esp, 0x10 ; Saving space for the local variables of the function 3 (b) 7 (a) 0x (ret addr.) Saved EBP (SFP) ß ESP,EBP int addnum(int a, int b){ int c = 4; c = a + b; return c; STACK 0x Memory Corruption 21
22 Stack frame example Every function starts with function prologue: push ebp ; Saves the previous frame pointer (EBP also called Saved FP) mov ebp,esp ; Currently the EBP points to SFP à sub esp, 0x10 ; Saving space for the local variables of the function 3 (b) 7 (a) 0x (ret addr.) Saved EBP (SFP) Space for local variables STACK ß EBP ß ESP int addnum(int a, int b){ int c = 4; c = a + b; return c; 0x Memory Corruption 22
23 Stack frame example Every function ends with function epilogue. à mov esp,ebp ; Restoringthe stack pointer to SFP, unallocating space for locals pop ebp ; Restoring the value of EBP to point to the SFP of preceding frame ret ; Popping return address and returning to that, increasing ESP 3 (b) 7 (a) 0x (ret addr.) Saved EBP (SFP) ß EBP, ESP int addnum(int a, int b){ int c = 4; c = a + b; return c; STACK 0x Memory Corruption 23
24 Stack frame example Every function ends with function epilogue. mov esp,ebp ; Restoringthe stack pointer to SFP, unallocating space for locals à pop ebp ; Restoring the value of EBP to point to the SFP of preceding frame ret ; Popping return address and returning to that, increasing ESP 3 (b) 7 (a) 0x (ret addr.) ß ESP int addnum(int a, int b){ int c = 4; c = a + b; return c; STACK 0x Memory Corruption 24
25 Stack frame example Every function ends with function epilogue. mov esp,ebp ; Restoringthe stack pointer to SFP, unallocating space for locals pop ebp ; Restoring the value of EBP to point to the SFP of preceding frame à ret ; Popping return address and returning to that, increasing ESP 3 (b) 7 (a) ß ESP int addnum(int a, int b){ int c = 4; c = a + b; return c; STACK 0x Memory Corruption 25
26 Stack frame example add esp,8 ; Decreasing the stack after the RET instruction of addnum 3 (b) 7 (a) ß ESP int main(void){ int a, b, c; a=7; b=3; c = addnum(a,b); printf("result is: %d", a+b); STACK 0x Memory Corruption 26
27 Calling conventions Various calling conventions exist for x86 cdecl: the above described, caller cleans up the arguments, arguments are placed from right to left pascal: the called function cleans up arguments, arguments are placed from left to right stdcall: similar to pascal, but arguments are put right-to-left (used by Win32 APIs or Open Watcom C++) fastcall: similar to stdcall, but some arguments (typically first two) are passed in registers (MS VC and GCC) thiscall: used in C++, this pointer is passed on automatically (through stack by GCC or by using registers in MS VC) And there are many more conventions for x64 and other platforms (ARM, PowerPC, SPARC ) Memory Corruption 27
28 BUFFER OVERFLOW
29 Buffer overflow Occurs when the boundary of a buffer is exceeded by data which overwrites adjacent memory locations Stack overflow / Heap overflow Typically causing the program to halt with exception Segmentation fault (Linux) Access violation at 0x (Windows) Can be exploited by overwriting interesting variables, memory locations (return address, pointers, file names, etc.) Forcing the program to change its control flow by injecting malicious code Most preferred targets: Setuid/setgid programs Network servers: remote access Memory Corruption 29
30 Goals in this course Crash the application (DOS attack) Data based attack Unauthorized use of functions Memory Corruption 30
31 STACK OVERFLOW
32 Stack overflow Stack overflow occurs when a procedure copies user-controlled data to a local buffer on the stack without verifying its size. Dangerous functions strcpy, sprintf, strcat, gets, fgets, memcpy, Local data overwrites other values on the stack up to return address When the procedure returns, EIP is set to the address residing at the location of the return address à control flow can be changed Insert code to that modified address à will be executed Memory Corruption 32
33 Stack overflow #include <stdio.h> #include <string.h> 0x esp void function(char *input) { int i = 1; int j = 2; char buffer[8]; The buffer can strcpy(buffer,input); overflow printf( %x %x %s\n", i, j, buffer); ebp buffer[8] (=?) j (=2) i (=1) ebp (=main() s ebp) Return address input (=argv[1]) Stack frame of function() int main(int argc, char* argv[]) { int k=3; function(argv[1]); return 0; k (=3) ebp (=prev. stack fr.) Return address argc (=1) argv (=cmd line args) 0xFFFFFFFF Stack frame of main() Memory Corruption 33
34 Overwriting the return address No boundary check A long input causes strcpy to write over the boundaries of the local buffer: abcdefghijklmnopqrstuvwx The return address can be overwritten This is exploitable [ ] BOFIntro[29676]: segfault at ip sp bffff280 error 4 [ ] grsec: Segmentation fault occurred at in /home/ex/c++/bofintro/bofintro[bofintro:29676] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28763] uid/euid:0/0 gid/egid:0/0 esp ebp 0x buffer[8] (= abcdefgh ) j (=0x6c6b6a69, ijkl ) i (=0x706f6e6d, mnop ) ebp (=0x , M qrst ) ret (=0x , uvwx ) input (=argv[1]) k (=3) ebp (=prev. stack fr.) Return address argc (=1) argv (=cmd line args) 0xFFFFFFFF L L Stack frame of function() Stack frame of main() Memory Corruption 34
35 Data based attack #include <stdio.h> #include <string.h> int authorize(char *password) { return!strcmp( SecretKeyword, password); int main(int argc, char* argv[]) { char username[10]; int authorized = 0; authorized = authorize(argv[1]); printf( Enter your username: ); gets(username); if (authorized) { priviledged_function(username); 0x username[10] authorized (=0) EBP RET argc (=1) argv (=cmd line args) 0xFFFFFFFF Stack frame of main() return 0; Memory Corruption 35
36 Data based attack #include <stdio.h> #include <string.h> int authorize(char *password) { return!strcmp( SecretKeyword, password); int main(int argc, char* argv[]) { char username[10]; int authorized = 0; authorized = authorize(argv[1]); printf( Enter your username: ); gets(username); if (authorized) { priviledged_function(username); 0x BBBBBBBBBB 1 EBP RET argc (=1) argv (=cmd line args)... 0xFFFFFFFF Stack frame of main() return 0; Memory Corruption 36
37 Control flow attack #include <stdio.h> #include <string.h> int authorize(char *password) { char buffer[8]; strcpy(buffer, password); return!strcmp( SecretKeyword, buffer); void privileged_function (char *username) {... int main(int argc, char* argv[]) { char username[10]; int authorized = 0; authorized = authorize(argv[1]); printf( Enter your username: ); gets(username); if (authorized) { priviledged_function(username); return 0; 0x buffer[8] EBP RET &password username[10] authorized (=0) EBP RET argc (=1) argv (=cmd line args)... 0xFFFFFFFF Stack frame of authorize() Stack frame of main() Memory Corruption 37
38 Control flow attack #include <stdio.h> #include <string.h> int authorize(char *password) { char buffer[8]; strcpy(buffer, password); return!strcmp( SecretKeyword, buffer); void privileged_function (char *username) {... int main(int argc, char* argv[]) { char username[10]; int authorized = 0; authorized = authorize(argv[1]); printf( Enter your username: ); gets(username); if (authorized) { priviledged_function(username); return 0; 0x AAAAAAAA BBBB &privileged_function &password username[10] authorized (=0) EBP RET argc (=1) argv (=cmd line args)... 0xFFFFFFFF Stack frame of authorize() Stack frame of main() Memory Corruption 38
39 Stack overflow custom shellcode int main(int argc, char* argv[] ) { dangereous(argv[1]); printf( Is everything all right? ); 0xFFFFFFFF Previous frame Higher memory addresses void dangerous(char * buf){ char buffer[100]; strcpy(buffer, buf); Previous frame Function parameters Function parameters Return address buffer address Saved EBP (frame pointer) ß EBP SHELLCODE 0x buffer[100] Free memory ß ESP 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Free 0x90 memory 0x90 0x90 NOP sled Memory Corruption 39
40 Stack overflow NOP sled: Put in front of the shellcode and jump into that area Instructions should always reach the beginning of the shellcode The simplest version is a sequence of 0x90 (no operations - nop) Reason to apply: Bigger chance to find our shellcode On local systems the position of return address can be calculated (no ASLR) Remote addresses are unknown Where to put the shellcode? Into the local buffer with a proceeding nop sled» Remote attacks possible, but the memory page the buffer residing at must be executable. The location of the buffer must be known. Into environment variables» Easy to implement. Good for tiny buffers, however, only for local attacks. Stack must be executable Address of a function inside the program» Remote attacks are possible with non-executable stack. More frames to put on stack. Memory Corruption 40
41 BUFFER OVERFLOW MITIGATION
42 Buffer overflow mitigation Hardware Operating system Programming language Compiler options Source code Application Preventive Detective Anti-exploit Safe libraries Safe operations Detection and prevention of dangerous operations Development rules, source code review White-box / blackbox testing Virtual memory management (VMM) Antivirus, IDS Strict type and boundary checks Detection of common mistakes, Stack Smashing Protection Strict input validation Black-box testing Input filtering NX (Never Execute) memory protection ASLR randomization Application-level access control Generating more secure binary code Software ASLR Patching Memory Corruption 42
43 ASLR
44 Control-flow hijacking prevention OS-level ASLR Randomly arranging the position of specific data memory regions Base address of executables Position of libraries Stack Heap Supported by MS Windows from Vista, PaX kernel patch for Linux, FreeBSD, etc.. Disadvantage ASLR is effective only on 64-bit platforms On 32-bit systems one can easily brute force the right addresses à Only upper 16 bits are randomized à Executables and modules are aligned on 64k boundaries ASLR does not protect against data corruption Applications should be compiled properly (PIE) Memory Corruption 44
45 Control-flow hijacking prevention Software ASLR (Address Space Layout/Load Randomization) Stack Heap ß RND ß RND void alt_main(int argc, char* argv[]){.. void spamstack(int i, int ac, char* av[] ){ if (! i) alt_main(ac, av); spamstack(--i); int main(int argc, char* argv[]){ srand ( time(null) ); malloc(rand() % ); // rnd heap spamstack(rand() % , argc, argv); 0x Memory Corruption 45
46 Further reading V Van Der Veen, L Cavallaro, H Bos: Memory errors: The Past, the Present, and the Future, Research in Attacks, Intrusions, and Defenses, L Szekeres, M Payer, Wei Tao, D Song : SoK Eternal War in Memory, IEEE Security and Privacy, 2013 Aleph One: Smashing the Stack for Fun and Profit, Phrack, Nergal: The advanced return-into-lib(c) exploits, Phrack, Klog: The Frame Pointer Overwrite, Phrack, MaXX: Vudo malloc tricks, Phrack, anonymous: Once upon a free(), Phrack, H. Shacham: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), ACM CCS, 2007 Memory Corruption 46
CNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationBuffer Overflow and Protection Technology. Department of Computer Science,
Buffer Overflow and Protection Technology Department of Computer Science, Lorenzo Cavallaro Andrea Lanzi Table of Contents Introduction
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationSample slides and handout
www.securecodingacademy.com Join the Secure Coding Academy group on LinkedIn and stay informed about our courses! [FOOTER] Sample slides and handout 2016 SCADEMY Secure Coding Academy Confidential. These
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationReverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher
Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1
More informationCSE509 System Security
CSE509 System Security Software Security Nick Nikiforakis nick@cs.stonybrook.edu Things we are going to discuss Basic x86 assembly instructions Stack workings GDB syntax Overflows Stack Heap Shellcode
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationTopics in Software Security Vulnerability
Topics in Software Security Vulnerability Software vulnerability What are software vulnerabilities? Types of vulnerabilities E.g., Buffer Overflows How to find these vulnerabilities and prevent them? Classes
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability Simple
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationcomplement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]
The following pages contain references for use during the exam: tables containing the x86 instruction set (covered so far) and condition codes. You do not need to submit these pages when you finish your
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationBasic exploitation techniques
Basic exploitation techniques 20180118 Outline A primer on x86 assembly Memory segments Stack-based buffer overflows Heap-based overflow Format strings 1 A primer on x86 assembly Introduction Verily, when
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability. Simple
More informationCSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationLecture 4 CIS 341: COMPILERS
Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic
More informationVulnerabilities in C/C++ programs Part I
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationDefense against Code-injection, and Code-reuse Attack
Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,
More informationBuffer Overflow Vulnerability
Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationBuffer Overflow Attack
Chapter 4 This is a sample chapter in the book titled "Computer Security: A Hands-on Approach" authored by Wenliang Du. Buffer Overflow Attack From Morris worm in 1988, Code Red worm in 2001, SQL Slammer
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability Simple
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86
More informationMemory corruption countermeasures
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 30th January 2014 Outline Announcement Recap Containment and curtailment Stack tamper detection
More information