Data-Oriented Programming
Size: px
Start display at page:

Download "Data-Oriented Programming"

Transcription

1 Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang Department of Computer Science National University of Singapore

2 Control Attacks are Getting Harder 2

3 Control Attacks are Getting Harder CFG Memory space Data Code 3

4 Control Attacks are Getting Harder Code injection CFG Memory space Data Code 4

5 Control Attacks are Getting Harder Code injection Data Execution Prevention CFG Memory space Data Data w/ DEP Code 5

6 Control Attacks are Getting Harder Code injection Data Execution Prevention Code reuse return-to-libc return-oriented programming (ROP) CFG Memory space Data Data w/ DEP Code 6

7 Control Attacks are Getting Harder Code injection Data Execution Prevention Code reuse Control Flow Integrity return-to-libc return-oriented programming (ROP) CFG w/ CFI Memory space Data Data w/ DEP Code 7

8 A New Attack Class Assume: conform to CFI & DEP CFG w/ CFI Memory space Data w/ DEP Code 8

9 A New Attack Class Assume: conform to CFI & DEP Attackers capability on arbitrary vul. programs? Nothing Specific computation Turing-complete CFG w/ CFI Memory space Data w/ DEP Code 9

10 Non-Control Data Attacks Corrupt/leak several bytes of security-critical data 10

11 Non-Control Data Attacks Corrupt/leak several bytes of security-critical data //set root privilege * seteuid(0);... //set normal user privilege seteuid(pw->pw_uid); //execute user s command //offset depends on IE version + safemode = *(DWORD *) (jsobj + offset); if(safemode & 0xB == 0) { Turn_on_God_Mode(); } * Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA 2014

12 Non-Control Data Attacks Corrupt/leak several bytes of security-critical data //set root privilege * seteuid(0);... //set normal user privilege seteuid(pw->pw_uid); //execute user s command //offset depends on IE version + safemode = *(DWORD *) (jsobj + offset); if(safemode & 0xB == 0) { Turn_on_God_Mode(); } Special cases relying on particular data/functions user id, safemode, private key, etc interpreter printf() (with %n ), etc Nothing Specific computation Turing-complete * Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX Yang Yu. Write Once, Pwn Anywhere. In Black Hat USA

13 Contributions Non-control data attacks can be Turing-complete 13

14 Contributions Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of any specific data / functions 14

15 Contributions Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of any specific data / functions DOP builds attacks on real-world programs bypass ASLR w/o address leakage simulate a network bot enable code injection 15

16 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 16

17 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 17

18 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 18

19 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program 1 struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 19

20 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program CFG w/ CFI struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 20

21 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program CFG w/ CFI struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 21

22 Motivating Example 1 struct server{int *cur_max, total, typ;} *srv; 2 int quota = MAXCONN; int *size, *type; 3 char buf[maxlen]; 4 size = &buf[8]; type = &buf[12] while (quota--) { 7 readdata(sockfd, buf); // stack bof 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(following code skipped) } Vulnerable Program CFG w/ CFI struct Obj {struct Obj *next; int prop;} 2 3 void updatelist(struct Obj *list, int addend){ 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; 6 } Malicious Computation 22

23 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? 23

24 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack cur_ max total typ 24

25 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 25

26 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 26

27 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 27

28 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 28

29 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 29

30 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 30

31 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type list size cur_ max addend quota total srv typ cur_ max stack total typ heap next prop next prop 31

32 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 32

33 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack heap list addend cur_ max total typ cur_ max total next prop next prop typ 33

34 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack heap list addend cur_ max total typ cur_ max total next prop next prop typ 34

35 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack list addend cur_ max total typ heap next prop next prop 35

36 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 36

37 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 37

38 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 38

39 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM heap list cur_ max addend total typ cur_ max total next prop next prop typ 39

40 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate? Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 40

41 Motivating Example (cont.) 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } 15 } vulnerable program 4 for(; list!= NULL; list = list->next) 5 list->prop += addend; malicious computation simulate Memory space buf[] type size quota srv stack STREAM list addend cur_ max total typ heap next prop next prop 41

42 Data-Oriented Programming A Generic Technique 42

43 Data-Oriented Programming (DOP) General construction w/o dependency on specific data / functions 43

44 Data-Oriented Programming (DOP) General construction w/o dependency on specific data / functions Expressive attacks towards Turing-complete computation 44

45 Data-Oriented Programming (DOP) General construction w/o dependency on specific data / functions Expressive attacks towards Turing-complete computation Elements data-oriented gadgets gadget dispatchers 45

46 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) CFG

47 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 47

48 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 48

49 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Memory space 49

50 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Memory space Load: *size = *(srv ->cur_max); 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 mov 0xb(%ebx), %eax //load 4 mov %eax, (%edx) //store micro-op 50

51 Data-Oriented Gadgets x86 instruction sequence show in normal execution (CFI) save results in memory load micro-op --> semantics micro-op --> store micro-op CFG Addition: srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Memory space Load: *size = *(srv ->cur_max); 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 mov 0xb(%ebx), %eax //load 4 mov %eax, (%edx) //store micro-op 51

52 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn 52

53 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 53

54 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 54

55 Gadget Dispatcher corruptible by mem-err round1 loop selector round2 round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 55

56 Gadget Dispatcher corruptible by mem-err round1 loop selector round round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 56

57 Gadget Dispatcher corruptible by mem-err round1 loop selector round round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 57

58 Gadget Dispatcher corruptible by mem-err round1 loop selector round round3 roundn Chain data-oriented gadgets legitimately loop ---> repeatedly invoke gadgets selector ---> selectively activate gadgets 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; // loop // selector 9 if(*type == STREAM) *size = *(srv->cur_max); 10 else{ srv->typ = *type; srv->total += *size; } 14 } 58

59 Turing-completeness DOP emulates a minimal language MINDOP MINDOP is Turing-complete Semantics Statements In C Data-Oriented Gadgets in DOP arithmetic / logical a op b *p op *q assignment a = b *p = *q load a = *b *p = **q store *a = b **p = *q jump goto L vpc = &input conditional jump if (a) goto L vpc = &input if *p p &a; q &b; op any arithmetic / logical operation 59

60 Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } 60

61 Gadget identification Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } statically identify load-semantics-store chain from LLVM IR 61

62 Gadget identification Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } statically identify load-semantics-store chain from LLVM IR Dispatcher identification static identify loops with gadgets from LLVM IR 62

63 Gadget identification Attack Construction 6 while (quota--) { 7 readdata(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped) } statically identify load-semantics-store chain from LLVM IR Dispatcher identification static identify loops with gadgets from LLVM IR Gadget stitching select gadgets and dispatchers (manual) check stitchability (manual) 63

64 Evaluation 64

65 Evaluation Feasibility 9 x86 programs with 9 vulnerabilities Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, Wireshark, sudo, musl libc, mcrypt 65

66 Evaluation Feasibility 9 x86 programs with 9 vulnerabilities Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, Wireshark, sudo, musl libc, mcrypt x86 Gadgets 7518 in total, 1273 reachable via selected CVEs 8 programs can simulate all MINDOP operations x86 Dispatchers 1443 in total, 110 reachable from selected CVEs 66

67 Evaluation Feasibility 9 x86 programs with 9 vulnerabilities Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, Wireshark, sudo, musl libc, mcrypt x86 Gadgets 7518 in total, 1273 reachable via selected CVEs 8 programs can simulate all MINDOP operations x86 Dispatchers 1443 in total, 110 reachable from selected CVEs 2 programs can build Turing-complete attack 3 end-to-end attacks 67

68 Case Study: Bypassing Randomization Previous methods information leakage to network Defeat ASLR w/o address leakage to network? 68

69 Case Study: Bypassing Randomization Previous methods information leakage to network Defeat ASLR w/o address leakage to network? Vulnerable ProFTPD use OpenSSL for authentication a dereference chain to the private key 69

70 Case Study: Bypassing Randomization Previous methods information leakage to network Defeat ASLR w/o address leakage to network? Vulnerable ProFTPD use OpenSSL for authentication a dereference chain to the private SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 70

71 Case Study: Bypassing Randomization Gadgets MOV ADD LOAD *p = *q *X = *X + offset *Z = SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 71

72 Case Study: Bypassing Randomization Gadgets Dispatcher MOV ADD LOAD while (1) { user_request = get_user_request(); dispatch(user_request); } *p = *q *X = *X + offset *Z = **Y func1() { memory_error; MOV;} func2() { ADD; } func3() { LOAD; SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 72

73 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 73

74 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z ssl_ctx SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 74

75 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 75

76 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z d2 buf write(outsock, buf, SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 76

77 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z d2 buf write(outsock, buf, SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 77

78 Case Study: Bypassing Randomization MOV ADD MOV LOAD MOV *X = *0x080dbc28 (ssl_ctx) *X = *X + offset1 *Y = *X *Z = **Y *0x080dbc28 = *Z d2 buf write(outsock, buf, strlen(buf)); leak private key to SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 struct cert_st * cert Private Key struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 78

79 dlopen() Dynamic Linking Interface Load the dynamic library into memory space resolve symbols based on binary metadata patch program due to relocation like LoadLibrary() on Windows 79

80 dlopen() Dynamic Linking Interface Load the dynamic library into memory space resolve symbols based on binary metadata patch program due to relocation like LoadLibrary() on Windows Dynamic loader can do arbitrary computation * exec() RTLD start() sysexec ld.so bin START() bin ld.so libc.so file access before run * R. Shapiro, S. Bratus, and S. W. Smith, Weird Machines in ELF: A Spotlight on the Underappreciated Metadata, in WOOT

81 dlopen() Dynamic Linking Interface Load the dynamic library into memory space resolve symbols based on binary metadata patch program due to relocation like LoadLibrary() on Windows Dynamic loader can do arbitrary computation * exec() RTLD start() sysexec ld.so bin START() bin ld.so libc.so file access before run The same to dlopen() * R. Shapiro, S. Bratus, and S. W. Smith, Weird Machines in ELF: A Spotlight on the Underappreciated Metadata, in WOOT

82 Case Study: Simulating A Network Bot Attacks with dlopen dlopen() { head } dynamic library list link_map 82

83 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 83

84 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload corrupt link list & call dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 84

85 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload invalid input corrupt link list & call dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 85

86 Case Study: Simulating A Network Bot Attacks with dlopen send malicious payload invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 86

87 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send malicious payload invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload 87

88 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload (1) Payload prepare MOV MOV 88

89 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input corrupt link list & call dlopen no call to dlopen dlopen() { head } dynamic library list link_map ProFTPD s memory Malicious payload (1) Payload prepare MOV MOV 89

90 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input force corrupt call link to dlopen list & call dlopen no call to dlopen if (flag) { dlopen() { head } } dynamic library list link_map ProFTPD s memory Malicious payload (1) Payload prepare MOV MOV 90

91 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input force corrupt call link to dlopen list & call dlopen no call to dlopen if (flag) { dlopen() { head } } ProFTPD s memory Malicious payload dynamic library list link_map (2) Trigger MOV STORE (1) Payload prepare MOV MOV 91

92 Case Study: Simulating A Network Bot dlopen DOP attack allows addresses arbitrary the computation problems send construct malicious payload payload in memory invalid input force corrupt call link to dlopen list & call dlopen no call to dlopen if (flag) { dlopen() { head } } ProFTPD s memory Malicious payload dynamic library list link_map (2) Trigger MOV STORE (1) Payload prepare MOV MOV > 700 requests 92

93 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags 93

94 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags dlopen(): relocation change any page permission to writable update page content change the permission back 94

95 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags dlopen(): relocation change any page permission to writable update page content change the permission back DOP attacks dlopen(code_addr, shellcode) 95

96 Case Study: Altering Memory Permissions Defenses based on memory permissions DEP: non-writable code CFI: non-writable jump tags dlopen(): relocation change any page permission to writable update page content change the permission back DOP attacks dlopen(code_addr, shellcode) Code injection is back! 96

97 Related Work Techniques Non-control Data Attacks (Chen et al. 2005) Turing Complete? Preserve CFI? Independent of specific data / funcs? COOP (Schuster et al. 2015) FlowStitch (Hu et al. 2015) Printf-Oriented Programming (Carlini et al. 2015) Control Jujustu (Evans et al. 2015) Data-Oriented Programming 97

98 Potential Defenses Memory Safety e.g., Cyclone (Jim et al. 2002), CCured (Necula et al. 2002), SoftBounds+CETS (Nagarakatte et al. 2009, 2010) high performance overhead (> 100%) Data-flow Integrity e.g, DFI (Castro et al. 2006), kernel DFI (Song et al. 2016) Fined-grained randomization in data space e.g., DSR (Bhatkar et al. 2008) Hardware & software fault isolation e.g., HDFI (Song et al. 2016), MPX 98

99 Potential Defenses Memory Safety e.g., Cyclone (Jim et al. 2002), CCured (Necula et al. 2002), SoftBounds+CETS (Nagarakatte et al. 2009, 2010) high performance overhead (> 100%) Data-flow Integrity e.g, DFI (Castro et al. 2006), kernel DFI (Song et al. 2016) Fined-grained randomization in data space e.g., DSR (Bhatkar et al. 2008) Hardware & software fault isolation e.g., HDFI (Song et al. 2016), MPX No practical defenses yet! 99

100 Conclusion Non-control data attacks can be Turing-complete 100

101 Conclusion Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of specific data / functions 101

102 Conclusion Non-control data attacks can be Turing-complete Data-Oriented Programming (DOP) build expressive non-control data attacks independent of specific data / functions In real-world programs, DOP can build attacks bypass ASLR w/o address leakage simulate a network bot enable code injection 102

103 Thanks! Hong Hu Non-control data attacks are available

Similar documents

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge

More information

Automatic Generation of Data-Oriented Exploits

Automatic Generation of Data-Oriented Exploits Automatic Generation of Data-Oriented Exploits Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, and Zhenkai Liang, National University of Singapore https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/hu

More information

in memory: an evolution of attacks Mathias Payer Purdue University

in memory: an evolution of attacks Mathias Payer Purdue University in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory

More information

CMPSC 497: Midterm Review

CMPSC 497: Midterm Review CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Midterm Format True/False

More information

Software Security II: Memory Errors - Attacks & Defenses

Software Security II: Memory Errors - Attacks & Defenses 1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow

More information

VERIFYING DATA-ORIENTED GADGETS IN BINARY PROGRAMS TO BUILD DATA-ONLY EXPLOITS

VERIFYING DATA-ORIENTED GADGETS IN BINARY PROGRAMS TO BUILD DATA-ONLY EXPLOITS VERIFYING DATA-ORIENTED GADGETS IN BINARY PROGRAMS TO BUILD DATA-ONLY EXPLOITS A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science By ZACHARY DAVID SISCO B.S.,

More information

String Oriented Programming Exploring Format String Attacks. Mathias Payer

String Oriented Programming Exploring Format String Attacks. Mathias Payer String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:

More information

Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

Control-Flow Bending: On the Effectiveness of Control-Flow Integrity Control-Flow Bending: On the Effectiveness of Control-Flow Integrity Nicolas Carlini UC Berkeley Antonio Barresi ETH Zurich Thomas R. Gross ETH Zurich Mathias Payer Purdue University David Wagner UC Berkeley

More information

Protecting Against Unexpected System Calls

Protecting Against Unexpected System Calls Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman Department of Computer Science University of Arizona Presented By: Mohamed Hassan

More information

Q: Exploit Hardening Made Easy

Q: Exploit Hardening Made Easy Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario

More information

On Compilers, Memory Errors and Control-Flow Integrity

On Compilers, Memory Errors and Control-Flow Integrity On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView

More information

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application

More information

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker

More information

Return-orientated Programming

Return-orientated Programming Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming

More information

STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming

STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming Jannik Pewny Ruhr-Universität Bochum, Germany jannik.pewny@rub.de Philipp Koppe Ruhr-Universität Bochum, Germany philipp.koppe@rub.de

More information

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014) Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science

More information

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011

Mitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Mitigating Code-Reuse Attacks with Control-Flow Locking Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Introduction Computer systems run complicated software, which is vulnerable We keep finding

More information

Abstraction Recovery for Scalable Static Binary Analysis

Abstraction Recovery for Scalable Static Binary Analysis Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov

More information

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,

More information

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess

More information

Shuffler: Fast and Deployable Continuous Code Re-Randomization

Shuffler: Fast and Deployable Continuous Code Re-Randomization Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis,

More information

The Geometry of Innocent Flesh on the Bone

The Geometry of Innocent Flesh on the Bone The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop

More information

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow

More information

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems

More information

Defeating Return-Oriented Rootkits with Return-less Kernels

Defeating Return-Oriented Rootkits with Return-less Kernels 5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Remix: On-demand Live Randomization

Remix: On-demand Live Randomization Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow

More information

Exploits and gdb. Tutorial 5

Exploits and gdb. Tutorial 5 Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or

More information

Lecture 08 Control-flow Hijacking Defenses

Lecture 08 Control-flow Hijacking Defenses Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation

More information

Outline. Memory Exploit

Outline. Memory Exploit Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April

More information

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten

More information

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow

More information

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation

More information

Memory corruption: Why we can t have nice things. Mathias Payer

Memory corruption: Why we can t have nice things. Mathias Payer Memory corruption: Why we can t have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance

More information

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,

More information

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for

More information

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing

More information

HDFI: Hardware-Assisted Data-flow Isolation

HDFI: Hardware-Assisted Data-flow Isolation HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia

More information

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam New York University CSCI-UA.480-008: Advanced Computer Systems: Spring 2016 Midterm Exam This exam is 75 minutes. Stop writing when time is called. You must turn in your exam; we will not collect it. Do

More information

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned

More information

Vulnerability Analysis I:

Vulnerability Analysis I: Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit

More information

Inline Reference Monitoring Techniques

Inline Reference Monitoring Techniques Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code

More information

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD

More information

Advanced Systems Security: Control-Flow Integrity

Advanced Systems Security: Control-Flow Integrity Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption

More information

CSE 509: Computer Security

CSE 509: Computer Security CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger

More information

Securing Untrusted Code

Securing Untrusted Code Securing Untrusted Code Untrusted Code May be untrustworthy Intended to be benign, but may be full of vulnerabilities These vulnerabilities may be exploited by attackers (or other malicious processes)

More information

CMPSC 497 Buffer Overflow Vulnerabilities

CMPSC 497 Buffer Overflow Vulnerabilities Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow

More information

Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization

Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization 2012 IEEE Symposium on Security and Privacy Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis

More information

Jump-Oriented Programming: A New Class of Code-Reuse Attack

Jump-Oriented Programming: A New Class of Code-Reuse Attack Jump-Oriented Programming: A New Class of Code-Reuse Attack Tyler Bletsch, Xuxian Jiang, Vince Freeh Department of Computer Science North Carolina State University {tkbletsc, xuxian jiang, vwfreeh}@ncsu.edu

More information

Lecture 10 Code Reuse

Lecture 10 Code Reuse Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis

More information

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 5 Low Level Software Security III: Integers, ROP, & CFI Integer Arithmetic in C Quiz time! What does this code produce? 100 200 300 100 200

More information

Architecture-level Security Vulnerabilities

Architecture-level Security Vulnerabilities Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:

More information

Pangu 9 Internals. Tielei Wang and Hao Xu

Pangu 9 Internals. Tielei Wang and Hao Xu Pangu 9 Internals Tielei Wang and Hao Xu Team Pangu Agenda ios Security Overview Pangu 9 Overview Userland Exploits Kernel Patching in Kernel Patch Protections Persistent Code Signing Bypass Conclusion

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes

More information

Università Ca Foscari Venezia

Università Ca Foscari Venezia Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

On the Effectiveness of Type-based Control Flow Integrity

On the Effectiveness of Type-based Control Flow Integrity On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public

More information

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization 04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization

More information

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil Bypassing SEHOP Stéfan Le Berre s.leberre@sysdream.com Damien Cauquil d.cauquil@sysdream.com Table of contents 0. Introduction...3 1. SEHOP specifications (short version)...3 2. Dealing with SEHOP when

More information

A survey of Hardware-based Control Flow Integrity (CFI)

A survey of Hardware-based Control Flow Integrity (CFI) A survey of Hardware-based Control Flow Integrity (CFI) RUAN DE CLERCQ and INGRID VERBAUWHEDE, KU Leuven Control Flow Integrity (CFI) is a computer security technique that detects runtime attacks by monitoring

More information

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor

More information

Biography. Background

Biography. Background From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com

More information

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

ISA564 SECURITY LAB. Code Injection Attacks

ISA564 SECURITY LAB. Code Injection Attacks ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized

More information

20: Exploits and Containment

20: Exploits and Containment 20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability

More information

Practical and Efficient Exploit Mitigation for Embedded Devices

Practical and Efficient Exploit Mitigation for Embedded Devices Practical and Efficient Exploit Mitigation for Embedded Devices Matthias Neugschwandtner IBM Research, Zurich Collin Mulliner Northeastern University, Boston Qualcomm Mobile Security Summit 2015 1 Embedded

More information

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code

More information

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable

More information

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40 Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing

More information

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

Memory corruption vulnerability exposure can be mitigated through memory hardening practices Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory

More information

(Early) Memory Corruption Attacks

(Early) Memory Corruption Attacks (Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer

More information

Infecting the Embedded Supply Chain

Infecting the Embedded Supply Chain SESSION ID: PDAC-F01 Infecting the Embedded Supply Chain Zach Miller Security Researcher in8 Solutions (Formerly Somerset Recon) @bit_twidd1er Inspiration Inspiration Countless embedded devices exist Each

More information

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/

More information

Stack Bounds Protection with Low Fat Pointers

Stack Bounds Protection with Low Fat Pointers Stack Bounds Protection with Low Fat Pointers Gregory J. Duck, Roland H.C. Yap, and Lorenzo Cavallaro NDSS 2017 Overview Heap Bounds Protection with Low Fat Pointers, CC 2016 Stack New method for detecting

More information

Defense against Code-injection, and Code-reuse Attack

Defense against Code-injection, and Code-reuse Attack Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,

More information

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Attacks (continued) CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018 143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a

More information

Memory Error Exploits and Defenses

Memory Error Exploits and Defenses Memory Error Exploits and Defenses 1 Process Memory Layout argv, env stack heap bss data text high mem Argv/Env: CLI args and environment Stack: generally grows downwards Heap: generally grows upwards

More information

Playing God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016

Playing God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016 Playing God With Format String Attacks Bsides Jax 2016 Travis Phillips 10/22/2016 So Why This Talk? Been experimenting with them over the last year Found them simple in theory; difficult in practice. Found

More information

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units

More information

Exploit Mitigation - PIE

Exploit Mitigation - PIE Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local

More information

Architecture-level Security Vulnerabilities. Julian Stecklina

Architecture-level Security Vulnerabilities. Julian Stecklina Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The

More information

Fast Byte-Granularity Software Fault Isolation

Fast Byte-Granularity Software Fault Isolation Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint work with: Miguel Castro, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul

More information

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the

More information

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer Science State University of New York at Binghamton

More information

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of

More information

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian

More information

Non-Control-Data Attacks Are Realistic Threats

Non-Control-Data Attacks Are Realistic Threats Non-Control-Data Attacks Are Realistic Threats Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Center for Reliable and High Performance Computing, Department of Computer Science

More information

OpenBSD Remote Exploit

OpenBSD Remote Exploit OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback