Data-Oriented Programming
|
|
- Baldwin Garrison
- 6 years ago
- Views:
Transcription
1 Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang Department of Computer Science National University of Singapore
2 Control Attacks are Getting Harder 2
3 Control Attacks are Getting Harder CFG Memory space Data Code 3
4 Control Attacks are Getting Harder Code injection CFG Memory space Data Code 4
5 Control Attacks are Getting Harder Code injection Data Execution Prevention CFG Memory space Data Data w/ DEP Code 5
6 Control Attacks are Getting Harder Code injection Data Execution Prevention Code reuse return-to-libc return-oriented programming (ROP) CFG Memory space Data Data w/ DEP Code 6
7 Control Attacks are Getting Harder Code injection Data Execution Prevention Code reuse Control Flow Integrity return-to-libc return-oriented programming (ROP) CFG w/ CFI Memory space Data Data w/ DEP Code 7
8 A New Attack Class Assume: conform to CFI & DEP CFG w/ CFI Memory space Data w/ DEP Code 8
9 A New Attack Class Assume: conform to CFI & DEP Attackers capability on arbitrary vul. programs? Nothing Specific computation Turing-complete CFG w/ CFI Memory space Data w/ DEP Code 9
10 Non-Control Data Attacks Corrupt/leak several bytes of security-critical data 10
11 Non-Control Data Attacks Corrupt/leak several bytes of security-critical data //set root privilege * seteuid(0);... //set normal user privilege seteuid(pw->pw_uid); //execute user s command //offset depends on IE version + safemode = *(DWORD *) (jsobj + offset); if(safemode & 0xB == 0) { Turn_on_God_Mode(); } * Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA 2014
12 Non-Control Data Attacks Corrupt/leak several bytes of security-critical data //set root privilege * seteuid(0);... //set normal user privilege seteuid(pw->pw_uid); //execute user s command //offset depends on IE version + safemode = *(DWORD *) (jsobj + offset); if(safemode & 0xB == 0) { Turn_on_God_Mode(); } Special cases relying on particular data/functions user id, safemode, private key, etc interpreter printf() (with %n ), etc Nothing Specific computation Turing-complete * Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA
13 Contributions Non-control data attacks can be Turing-complete 13
14 Contributions Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of any specific data / functions 14
15 Contributions Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of any specific data / functions DOP builds attacks on real-world programs bypass ASLR w/o address leakage simulate a network bot enable code injection 15
16 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 16
17 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 17
18 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 18
19 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 1 struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 19
20 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program CFG w/ CFI struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 20
21 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program CFG w/ CFI struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 21
22 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program CFG w/ CFI struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 22
23 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? 23
24 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack cur_ max total typ 24
25 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 25
26 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 26
27 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 27
28 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 28
29 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 29
30 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 30
31 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type list size cur_ max addend quota total srv typ cur_ max stack total typ heap next prop next prop 31
32 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 32
33 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack heap list addend cur_ max total typ cur_ max total next prop next prop typ 33
34 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack heap list addend cur_ max total typ cur_ max total next prop next prop typ 34
35 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 35
36 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 36
37 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 37
38 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 38
39 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM heap list cur_ max addend total typ cur_ max total next prop next prop typ 39
40 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 40
41 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 41
42 Data-Oriented Programming A Generic Technique 42
43 Data-Oriented Programming (DOP) General construction w/o dependency on specific data / functions 43
44 Data-Oriented Programming (DOP) General construction w/o dependency on specific data / functions Expressive attacks towards Turing-complete computation 44
45 Data-Oriented Programming (DOP) General construction w/o dependency on specific data / functions Expressive attacks towards Turing-complete computation Elements data-oriented gadgets gadget dispatchers 45
46 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) CFG
47 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 47
48 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 48
49 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Memory space 49
50 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Memory space Load: *size = *(srv ->cur_max); 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 mov 0xb(%ebx), %eax //load 4 mov %eax, (%edx) //store micro-op 50
51 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Memory space Load: *size = *(srv ->cur_max); 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 mov 0xb(%ebx), %eax //load 4 mov %eax, (%edx) //store micro-op 51
52 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn 52
53 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 53
54 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 54
55 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 55
56 Gadget Dispatcher corruptible by mem-err round1 loop selector round round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 56
57 Gadget Dispatcher corruptible by mem-err round1 loop selector round round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 57
58 Gadget Dispatcher corruptible by mem-err round1 loop selector round round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; // loop // selector 9 if(*type == STREAM) *size = *(srv->cur_max); 10 else{ srv->typ = *type; srv->total += *size; } 14 } 58
59 Turing-completeness DOP emulates a minimal language MINDOP MINDOP is Turing-complete Semantics Statements In C Data-Oriented Gadgets in DOP arithmetic / logical a op b *p op *q assignment a = b *p = *q load a = *b *p = **q store *a = b **p = *q jump goto L vpc = &input conditional jump if (a) goto L vpc = &input if *p p &a; q &b; op any arithmetic / logical operation 59
60 Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } 60
61 Gadget identification Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } statically identify load-semantics-store chain from LLVM IR 61
62 Gadget identification Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } statically identify load-semantics-store chain from LLVM IR Dispatcher identification static identify loops with gadgets from LLVM IR 62
63 Gadget identification Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } statically identify load-semantics-store chain from LLVM IR Dispatcher identification static identify loops with gadgets from LLVM IR Gadget stitching select gadgets and dispatchers (manual) check stitchability (manual) 63
64 Evaluation 64
65 Evaluation Feasibility 9 x86 programs with 9 vulnerabilities Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, Wireshark, sudo, musl libc, mcrypt 65
66 Evaluation Feasibility 9 x86 programs with 9 vulnerabilities Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, Wireshark, sudo, musl libc, mcrypt x86 Gadgets 7518 in total, 1273 reachable via selected CVEs 8 programs can simulate all MINDOP operations x86 Dispatchers 1443 in total, 110 reachable from selected CVEs 66
67 Evaluation Feasibility 9 x86 programs with 9 vulnerabilities Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, Wireshark, sudo, musl libc, mcrypt x86 Gadgets 7518 in total, 1273 reachable via selected CVEs 8 programs can simulate all MINDOP operations x86 Dispatchers 1443 in total, 110 reachable from selected CVEs 2 programs can build Turing-complete attack 3 end-to-end attacks 67
68 Case Study: Bypassing Randomization Previous methods information leakage to network Defeat ASLR w/o address leakage to network? 68
69 Case Study: Bypassing Randomization Previous methods information leakage to network Defeat ASLR w/o address leakage to network? Vulnerable ProFTPD use OpenSSL for authentication a dereference chain to the private key 69
70 Case Study: Bypassing Randomization Previous methods information leakage to network Defeat ASLR w/o address leakage to network? Vulnerable ProFTPD use OpenSSL for authentication a dereference chain to the private SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 70
71 Case Study: Bypassing Randomization Gadgets MOV ADD LOAD *p = *q *X = *X + offset *Z = SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 71
72 Case Study: Bypassing Randomization Gadgets Dispatcher MOV ADD LOAD while (1) { user_request = get_user_request(); dispatch(user_request); } *p = *q *X = *X + offset *Z = **Y func1() { memory_error; MOV;} func2() { ADD; } func3() { LOAD; SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 72
73 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 73
74 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z ssl_ctx SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 74
75 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 75
76 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z d2 buf write(outsock, buf, SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 76
77 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z d2 buf write(outsock, buf, SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 77
78 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z d2 buf write(outsock, buf, strlen(buf)); leak private key to SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 78
79 dlopen() Dynamic Linking Interface Load the dynamic library into memory space resolve symbols based on binary metadata patch program due to relocation like LoadLibrary() on Windows 79
80 dlopen() Dynamic Linking Interface Load the dynamic library into memory space resolve symbols based on binary metadata patch program due to relocation like LoadLibrary() on Windows Dynamic loader can do arbitrary computation * exec() RTLD start() sysexec ld.so bin START() bin ld.so libc.so file access before run * R. Shapiro, S. Bratus, and S. W. Smith, Weird Machines in ELF: A Spotlight on the Underappreciated Metadata, in WOOT
81 dlopen() Dynamic Linking Interface Load the dynamic library into memory space resolve symbols based on binary metadata patch program due to relocation like LoadLibrary() on Windows Dynamic loader can do arbitrary computation * exec() RTLD start() sysexec ld.so bin START() bin ld.so libc.so file access before run The same to dlopen() * R. Shapiro, S. Bratus, and S. W. Smith, Weird Machines in ELF: A Spotlight on the Underappreciated Metadata, in WOOT
82 Case Study: Simulating A Network Bot Attacks with dlopen dlopen() { head } dynamic library list link_map 82
83 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 83
84 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload corrupt link list & call dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 84
85 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload invalid input corrupt link list & call dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 85
86 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 86
87 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send malicious payload invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 87
88 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload (1) Payload prepare MOV MOV 88
89 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload (1) Payload prepare MOV MOV 89
90 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input force corrupt call link to dlopen list & call dlopen no call to dlopen if (flag) { dlopen() { head } } dynamic library list link_map ProFTPD s memory Malicious payload (1) Payload prepare MOV MOV 90
91 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input force corrupt call link to dlopen list & call dlopen no call to dlopen if (flag) { dlopen() { head } } ProFTPD s memory Malicious payload dynamic library list link_map (2) Trigger MOV STORE (1) Payload prepare MOV MOV 91
92 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input force corrupt call link to dlopen list & call dlopen no call to dlopen if (flag) { dlopen() { head } } ProFTPD s memory Malicious payload dynamic library list link_map (2) Trigger MOV STORE (1) Payload prepare MOV MOV > 700 requests 92
93 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags 93
94 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags dlopen(): relocation change any page permission to writable update page content change the permission back 94
95 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags dlopen(): relocation change any page permission to writable update page content change the permission back DOP attacks dlopen(code_addr, shellcode) 95
96 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags dlopen(): relocation change any page permission to writable update page content change the permission back DOP attacks dlopen(code_addr, shellcode) Code injection is back! 96
97 Related Work Techniques Non-control Data Attacks (Chen et al. 2005) Turing Complete? Preserve CFI? Independent of specific data / funcs? COOP (Schuster et al. 2015) FlowStitch (Hu et al. 2015) Printf-Oriented Programming (Carlini et al. 2015) Control Jujustu (Evans et al. 2015) Data-Oriented Programming 97
98 Potential Defenses Memory Safety e.g., Cyclone (Jim et al. 2002), CCured (Necula et al. 2002), SoftBounds+CETS (Nagarakatte et al. 2009, 2010) high performance overhead (> 100%) Data-flow Integrity e.g, DFI (Castro et al. 2006), kernel DFI (Song et al. 2016) Fined-grained randomization in data space e.g., DSR (Bhatkar et al. 2008) Hardware & software fault isolation e.g., HDFI (Song et al. 2016), MPX 98
99 Potential Defenses Memory Safety e.g., Cyclone (Jim et al. 2002), CCured (Necula et al. 2002), SoftBounds+CETS (Nagarakatte et al. 2009, 2010) high performance overhead (> 100%) Data-flow Integrity e.g, DFI (Castro et al. 2006), kernel DFI (Song et al. 2016) Fined-grained randomization in data space e.g., DSR (Bhatkar et al. 2008) Hardware & software fault isolation e.g., HDFI (Song et al. 2016), MPX No practical defenses yet! 99
100 Conclusion Non-control data attacks can be Turing-complete 100
101 Conclusion Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of specific data / functions 101
102 Conclusion Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of specific data / functions In real-world programs, DOP can build attacks bypass ASLR w/o address leakage simulate a network bot enable code injection 102
103 Thanks! Hong Hu Non-control data attacks are available
SoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationAutomatic Generation of Data-Oriented Exploits
Automatic Generation of Data-Oriented Exploits Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, and Zhenkai Liang, National University of Singapore https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/hu
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationCMPSC 497: Midterm Review
CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Midterm Format True/False
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationVERIFYING DATA-ORIENTED GADGETS IN BINARY PROGRAMS TO BUILD DATA-ONLY EXPLOITS
VERIFYING DATA-ORIENTED GADGETS IN BINARY PROGRAMS TO BUILD DATA-ONLY EXPLOITS A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science By ZACHARY DAVID SISCO B.S.,
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationControl-Flow Bending: On the Effectiveness of Control-Flow Integrity
Control-Flow Bending: On the Effectiveness of Control-Flow Integrity Nicolas Carlini UC Berkeley Antonio Barresi ETH Zurich Thomas R. Gross ETH Zurich Mathias Payer Purdue University David Wagner UC Berkeley
More informationProtecting Against Unexpected System Calls
Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman Department of Computer Science University of Arizona Presented By: Mohamed Hassan
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationSTEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming
STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming Jannik Pewny Ruhr-Universität Bochum, Germany jannik.pewny@rub.de Philipp Koppe Ruhr-Universität Bochum, Germany philipp.koppe@rub.de
More informationDefeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)
Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science
More informationMitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011
Mitigating Code-Reuse Attacks with Control-Flow Locking Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Introduction Computer systems run complicated software, which is vulnerable We keep finding
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationShuffler: Fast and Deployable Continuous Code Re-Randomization
Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis,
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationIt s a TRaP: Table Randomization and Protection against Function-Reuse Attacks
It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationModule: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation
More informationMemory corruption: Why we can t have nice things. Mathias Payer
Memory corruption: Why we can t have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationMemory Corruption: Why Protection is Hard. Mathias Payer, Purdue University
Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationHDFI: Hardware-Assisted Data-flow Isolation
HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia
More informationNew York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam
New York University CSCI-UA.480-008: Advanced Computer Systems: Spring 2016 Midterm Exam This exam is 75 minutes. Stop writing when time is called. You must turn in your exam; we will not collect it. Do
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationVulnerability Analysis I:
Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationAdvanced Systems Security: Control-Flow Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationSecuring Untrusted Code
Securing Untrusted Code Untrusted Code May be untrustworthy Intended to be benign, but may be full of vulnerabilities These vulnerabilities may be exploited by attackers (or other malicious processes)
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationSmashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization
2012 IEEE Symposium on Security and Privacy Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis
More informationJump-Oriented Programming: A New Class of Code-Reuse Attack
Jump-Oriented Programming: A New Class of Code-Reuse Attack Tyler Bletsch, Xuxian Jiang, Vince Freeh Department of Computer Science North Carolina State University {tkbletsc, xuxian jiang, vwfreeh}@ncsu.edu
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 5 Low Level Software Security III: Integers, ROP, & CFI Integer Arithmetic in C Quiz time! What does this code produce? 100 200 300 100 200
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationPangu 9 Internals. Tielei Wang and Hao Xu
Pangu 9 Internals Tielei Wang and Hao Xu Team Pangu Agenda ios Security Overview Pangu 9 Overview Userland Exploits Kernel Patching in Kernel Patch Protections Persistent Code Signing Bypass Conclusion
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationSoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14
SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationIt s a TRaP: Table Randomization and Protection against Function-Reuse Attacks
It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationBypassing SEHOP. Stéfan Le Berre Damien Cauquil
Bypassing SEHOP Stéfan Le Berre s.leberre@sysdream.com Damien Cauquil d.cauquil@sysdream.com Table of contents 0. Introduction...3 1. SEHOP specifications (short version)...3 2. Dealing with SEHOP when
More informationA survey of Hardware-based Control Flow Integrity (CFI)
A survey of Hardware-based Control Flow Integrity (CFI) RUAN DE CLERCQ and INGRID VERBAUWHEDE, KU Leuven Control Flow Integrity (CFI) is a computer security technique that detects runtime attacks by monitoring
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationPractical and Efficient Exploit Mitigation for Embedded Devices
Practical and Efficient Exploit Mitigation for Embedded Devices Matthias Neugschwandtner IBM Research, Zurich Collin Mulliner Northeastern University, Boston Qualcomm Mobile Security Summit 2015 1 Embedded
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationMemory corruption vulnerability exposure can be mitigated through memory hardening practices
Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory
More information(Early) Memory Corruption Attacks
(Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer
More informationInfecting the Embedded Supply Chain
SESSION ID: PDAC-F01 Infecting the Embedded Supply Chain Zach Miller Security Researcher in8 Solutions (Formerly Somerset Recon) @bit_twidd1er Inspiration Inspiration Countless embedded devices exist Each
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationUniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/
More informationStack Bounds Protection with Low Fat Pointers
Stack Bounds Protection with Low Fat Pointers Gregory J. Duck, Roland H.C. Yap, and Lorenzo Cavallaro NDSS 2017 Overview Heap Bounds Protection with Low Fat Pointers, CC 2016 Stack New method for detecting
More informationDefense against Code-injection, and Code-reuse Attack
Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More information143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018
143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a
More informationMemory Error Exploits and Defenses
Memory Error Exploits and Defenses 1 Process Memory Layout argv, env stack heap bss data text high mem Argv/Env: CLI args and environment Stack: generally grows downwards Heap: generally grows upwards
More informationPlaying God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016
Playing God With Format String Attacks Bsides Jax 2016 Travis Phillips 10/22/2016 So Why This Talk? Been experimenting with them over the last year Found them simple in theory; difficult in practice. Found
More informationShreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S
Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units
More informationExploit Mitigation - PIE
Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationFast Byte-Granularity Software Fault Isolation
Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint work with: Miguel Castro, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationBranch Regulation: Low-Overhead Protection from Code Reuse Attacks
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer Science State University of New York at Binghamton
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian
More informationNon-Control-Data Attacks Are Realistic Threats
Non-Control-Data Attacks Are Realistic Threats Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Center for Reliable and High Performance Computing, Department of Computer Science
More informationOpenBSD Remote Exploit
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability
More information