The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
1 The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), Hovav Shacham; presented by Fabian Fäßler
2 return-oriented programming
3 ROP
4 What to take away from this
  Programming languages exist where you don't expect them (weird machine).
  There is additional code in every binary, but nobody put it there intentionally.
  A creative way to bypass a security mechanism.
5 Overview: Buffer Overflow + Shellcode; DEP / W⊕X; return2libc; return-oriented programming; additional information
6 Buffer Overflow + Shellcode (source: exploit-exercises.com)
  0x080483c4 <main+0>:   push   ebp
  0x080483c5 <main+1>:   mov    ebp,esp
  0x080483c7 <main+3>:   and    esp,0xfffffff0
  0x080483ca <main+6>:   sub    esp,0x50
  0x080483cd <main+9>:   lea    eax,[esp+0x10]
  0x080483d1 <main+13>:  mov    DWORD PTR [esp],eax
  0x080483d4 <main+16>:  call   0x80482e8 <gets@plt>
  0x080483d9 <main+21>:  leave
  0x080483da <main+22>:  ret
  main() sets up a 0x50-byte frame and hands gets() a pointer to the buffer at esp+0x10; gets() copies input into it with no length limit.
7 Stopped at the call to gets (eip 0x080483d4 <main+16>). Registers: eax 0xbffffc60 (the buffer address just computed by lea), ecx 0xbbb5764b, ebx 0xb7fd7ff4, esp 0xbffffc50, ebp 0xbffffca8; the edx, esi and edi values are truncated in the transcript. Stack from esp upwards: 0xbffffc60 (the argument) 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 [truncated] 0xbffffc78 0x080482c4 0xb7ff1040 [truncated].
8 Inside gets: eip 0xb7ef3e40 <_IO_gets+0> (push ebp ...), esp 0xbffffc4c. The call pushed the return address 0x080483d9 <main+21>, which now sits at the top of the stack, directly below the argument 0xbffffc60 and the rest of main's frame. _IO_gets ends with 0xb7ef3f2c <_IO_gets+236>: pop ebp and 0xb7ef3f2d <_IO_gets+237>: ret.
9 At 0xb7ef3f2d <_IO_gets+237> (ret): eax 0xbffffc60 (gets returns the buffer pointer), ecx 0xbffffc60, edx 0xb7fd9334, ebx 0xb7fd7ff4, esp 0xbffffc4c, ebp 0xbffffca8. ret pops 0x080483d9 into eip and main continues...
10 ...unless the input was longer than the buffer. gets() then kept writing past the end of the frame, and the words at the top of the stack, including the saved return address that ret is about to pop, are now whatever the attacker sent ("?").
11 The stack after a classic payload: 0x31c… [truncated] 0x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 [truncated] 0xbffffc78 0x080482c4 [truncated]. The first words are execve("/bin/sh") shellcode shown in memory byte order (2f 2f 73 68 is "//sh", 2f 62 69 6e is "/bin", 89 e3 is mov ebx,esp, 50 is push eax), and 0xbffffc30 points back into the stack where those bytes sit, so the corrupted return address sends execution into the injected code.
12 Buffer Overflow + Shellcode. Shellcode restrictions: the attacker has to write it somewhere, and the write destination has to be executable.
13 DEP / W⊕X
  Shellcode restrictions: the attacker has to write it somewhere, and the write destination has to be executable!
  Countermeasures: Data Execution Prevention (DEP), W⊕X (Write XOR Execute): a memory protection policy under which no page is both writable and executable, so the injected bytes on the stack can be stored but never run.
14 ret2libc? The stack is the one from slide 7: 0xb7eada75 0xb7fd7ff4 [truncated] 0xbffffc78 0x080482c4 [truncated]. If the saved return address can be pointed at code that already exists in the process, nothing has to be injected at all.
15 ret2libc
  (gdb) x system
  0xb7ecffb0 <__libc_system>: 0x890cec83
  (gdb) disassemble system
  Dump of assembler code for function __libc_system:
  0xb7ecffb0 <__libc_system+0>:  sub    esp,0xc
  0xb7ecffb3 <__libc_system+3>:  mov    DWORD PTR [esp+0x4],esi
  0xb7ecffb7 <__libc_system+7>:  mov    esi,DWORD PTR [esp+0x10]
  Overwrite the saved return address with 0xb7ecffb0 and main's ret lands in system() without one line of injected code. But what about parameters? We want to call system("/bin/sh"). On 32-bit Linux system() is a cdecl function: it takes its argument from the stack, at [esp+4] on entry, which is exactly what the third instruction above reads ([esp+0x10] after the sub esp,0xc). The classic ret2libc frame is therefore the address of system, a fake return address and the address of "/bin/sh", all written by the same overflow. Loading a register first, which the next slides do with eax, is what you need when the code you return into takes its arguments in registers, for instance the execve system call via int 0x80 (eax = 0xb, ebx = path, ecx = argv, edx = envp).
16-19 ret2libc
  (gdb) disassemble mcount
  Dump of assembler code for function mcount:
  0xb7f65fb0 <mcount+0>:   push   eax
  0xb7f65fb1 <mcount+1>:   push   ecx
  0xb7f65fb2 <mcount+2>:   push   edx
  0xb7f65fb3 <mcount+3>:   mov    edx,DWORD PTR [esp+0xc]
  0xb7f65fb7 <mcount+7>:   mov    eax,DWORD PTR [ebp+0x4]
  0xb7f65fba <mcount+10>:  call   0xb7f654c0 <__mcount_internal>
  0xb7f65fbf <mcount+15>:  pop    edx
  0xb7f65fc0 <mcount+16>:  pop    ecx
  0xb7f65fc1 <mcount+17>:  pop    eax
  0xb7f65fc2 <mcount+18>:  ret
  Returning into 0xb7f65fc1 <mcount+17> executes pop eax ; ret: the next word on the stack is popped into eax and the word after it becomes the new eip. Returning into 0xb7f65fbf <mcount+15> executes pop edx ; pop ecx ; pop eax ; ret, loading three registers from three attacker-supplied stack words before returning to a fourth. Stack as shown on the slides: 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 [truncated] 0xbffffc78 0x080482c4 [truncated]. Such a short instruction sequence ending in ret is a gadget.
20-21 ret2libc - recap
  Old-school shellcode requires write AND execute rights on the same memory.
  ret2libc can be used to call critical functions such as system, execve, etc. without injecting any code.
  You can load parameters and chain functions!
  ROP is the evolution of ret2libc.
22-23 ROP - step 1/2: 1. Find gadgets
  asm                                  bytes
  0xb7f65fbf <mcount+15>:  pop edx     0x5a
  0xb7f65fc0 <mcount+16>:  pop ecx     0x59
  0xb7f65fc1 <mcount+17>:  pop eax     0x58
  0xb7f65fc2 <mcount+18>:  ret         0xc3
  0xb7f0bc0d <stpcpy+61>:  inc eax
  0xb7f0bc0e <stpcpy+62>:  inc eax
  0xb7f0bc0f <stpcpy+63>:  inc eax
  0xb7f0bc10 <stpcpy+64>:  ret
  0xb7f29fc7 <dirfd+7>:    mov eax,DWORD PTR [eax]
  0xb7f29fc9 <dirfd+9>:    ret
24-27 ROP - step 1/2: 1. Find gadgets - advanced
  …b2 : ror byte ptr [edi], -0x7c
  …b5 : ret
  (the leading address digits were lost in the transcript). Nobody wrote this ror: it is what the bytes decode to when reading starts in the middle of an intended instruction, an unintended instruction sequence in the sense of [0].
  algorithm: search for 0xc3 (ret), and look backwards whether the preceding bytes form valid instructions.
28 ROP - step 1/2: 1. Find gadgets - advanced
  $ python ROPgadget.py --binary ~/libc.so.6
  0x00138c14 : xor al, -0x20 ; add byte ptr [eax], al ; sbb ah, cl ; cli ; call edi
  0x00128f04 : xor al, -0x58 ; add byte ptr [eax], al ; cld ; ret -0xa
  0x0012ab71 : sub esi, edi ; jmp esp
  0x… : sub esi, esi ; call dword ptr [eax]
  0x… : sub esp, 0x10 ; call 0x16ad8
  0x0003d595 : rol byte ptr [ecx], -0x7d ; ret 0x390c
  0x…a : rep push eax ; jnp 0x1287a8 ; add byte ptr [esp + edi*8 + 0xfffffff3], bl ; call dword ptr [eax]
  0x00072d09 : or dword ptr [ebx + 0x960ff07d], ecx ; ret 0x5589
  0x000a4079 : movzx eax, al ; sub eax, 1 ; pop ebp ; ret
  0x00097c4a : mov eax, 0x39 ; int 0x80
  0x0011b958 : jo 0x11b901 ; hlt ; call ebx
  0x…c : jge 0x6557f ; mov esp, ebp ; pop ebp ; ret
  0x… : add eax, dword ptr [eax] ; add byte ptr [ebx + 0xfffe548d], cl ; jmp dword ptr [ebx]
  ...
  (addresses shown as 0x… were lost in the transcript). Most of what a gadget finder prints is unusable; the sequences ending in ret (or in int 0x80 for system calls) with a controllable side effect are the ones the next step builds on.
29-31 geometry
  Intel assembler is very dense and doesn't enforce alignment, meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0].
  ARM has 32-bit and 16-bit (Thumb) wide instructions; forcing Thumb mode could be used as well.
  MIPS enforces 32-bit instructions and alignment, so there are no unintended instruction sequences; gadgets must then be intended sequences ending in a return, which makes the search harder but does not rule out return-oriented programming.
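An added example, not code from the slides or from the paper: the gadget-search algorithm of slides 24-28 and the "geometry" observation of slides 29-31 in C. It decodes only a handful of x86-32 opcodes (enough for the gadgets printed on the slides), scans a constructed byte buffer for 0xc3, walks backwards from each ret, and reports every start offset from which decoding lands exactly on that ret. The sample bytes, the load address 0xb7f00000 and the 8-byte look-back limit are assumptions chosen for the demonstration; a real tool such as ROPgadget uses a full disassembler and scans whole executable sections.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOOKBACK 8   /* bytes before a ret we try as a gadget start (assumed limit) */
#define MAX_GADGETS  64

typedef struct { uint32_t addr; char text[96]; } gadget_t;

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode one instruction from a tiny x86-32 subset: ret, inc r32, pop r32,
 * mov r32,imm32, mov r32,[r32], int imm8.  Returns the length in bytes, or 0
 * if the byte is not in the subset; *is_ret flags the 0xc3 ret. */
static size_t decode_one(const uint8_t *p, size_t n, char *out, size_t outsz, int *is_ret)
{
    *is_ret = 0;
    if (n == 0) return 0;
    uint8_t op = p[0];
    if (op == 0xc3) { snprintf(out, outsz, "ret"); *is_ret = 1; return 1; }
    if (op >= 0x40 && op <= 0x47) { snprintf(out, outsz, "inc %s", reg32[op - 0x40]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outsz, "pop %s", reg32[op - 0x58]); return 1; }
    if (op >= 0xb8 && op <= 0xbf && n >= 5) {                 /* mov r32, imm32 */
        uint32_t imm = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        snprintf(out, outsz, "mov %s,0x%x", reg32[op - 0xb8], imm);
        return 5;
    }
    if (op == 0x8b && n >= 2 && (p[1] >> 6) == 0 && (p[1] & 7) != 4 && (p[1] & 7) != 5) {
        /* mov r32, DWORD PTR [r32]: ModRM mod=00 with neither SIB nor disp32 */
        snprintf(out, outsz, "mov %s,[%s]", reg32[(p[1] >> 3) & 7], reg32[p[1] & 7]);
        return 2;
    }
    if (op == 0xcd && n >= 2) { snprintf(out, outsz, "int 0x%x", p[1]); return 2; }
    return 0;
}

/* Append insn to text with " ; " separators; clamps on overflow. */
static size_t append(char *text, size_t textsz, size_t used, const char *insn)
{
    int k = snprintf(text + used, textsz - used, "%s%s", used ? " ; " : "", insn);
    used += (size_t)(k > 0 ? k : 0);
    return used < textsz ? used : textsz - 1;
}

/* Does decoding from offset s land exactly on the ret at ret_off without
 * crossing another ret or an undecodable byte?  If so, text holds the gadget. */
static int try_gadget(const uint8_t *buf, size_t n, size_t s, size_t ret_off, char *text, size_t textsz)
{
    size_t pos = s, used = 0;
    text[0] = '\0';
    while (pos <= ret_off) {
        char insn[40];
        int is_ret;
        size_t len = decode_one(buf + pos, n - pos, insn, sizeof insn, &is_ret);
        if (len == 0) return 0;                 /* not an instruction we know */
        if (is_ret && pos != ret_off) return 0; /* a ret in the middle ends the sequence early */
        used = append(text, textsz, used, insn);
        if (is_ret) return 1;
        pos += len;
    }
    return 0;   /* an earlier instruction swallowed the ret byte, e.g. inside an imm32 */
}

/* The slides' algorithm: for every 0xc3 in the code, walk backwards and report
 * each start offset that decodes into a sequence ending in that ret.  Starts
 * that fall inside an intended instruction yield unintended gadgets. */
size_t find_gadgets(const uint8_t *buf, size_t n, uint32_t base, gadget_t *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        if (buf[i] != 0xc3) continue;
        size_t lo = i >= MAX_LOOKBACK ? i - MAX_LOOKBACK : 0;
        for (size_t s = i + 1; s-- > lo && count < max; ) {
            if (try_gadget(buf, n, s, i, out[count].text, sizeof out[count].text)) {
                out[count].addr = base + (uint32_t)s;
                count++;
            }
        }
    }
    return count;
}

/* Linear disassembly from start, the way the compiler meant the bytes to be
 * read.  Returns the number of instructions decoded. */
size_t decode_stream(const uint8_t *buf, size_t n, size_t start, char *out, size_t outsz)
{
    size_t pos = start, used = 0, count = 0;
    out[0] = '\0';
    while (pos < n) {
        char insn[40];
        int is_ret;
        size_t len = decode_one(buf + pos, n - pos, insn, sizeof insn, &is_ret);
        if (len == 0) break;
        used = append(out, outsz, used, insn);
        pos += len;
        count++;
    }
    return count;
}

/* Constructed code bytes (not from a real libc): a mov eax,imm32 whose
 * immediate happens to be 5a 59 58 c3, followed by the stpcpy+61 and dirfd+7
 * gadget bytes from the slides.  SAMPLE_BASE is a made-up load address. */
static const uint8_t sample_code[] = {
    0xb8, 0x5a, 0x59, 0x58, 0xc3,   /* mov eax,0xc358595a                */
    0x40, 0x40, 0x40, 0xc3,         /* inc eax ; inc eax ; inc eax ; ret */
    0x8b, 0x00, 0xc3,               /* mov eax,[eax] ; ret               */
};
#define SAMPLE_BASE 0xb7f00000u

int main(void)
{
    char line[256];
    gadget_t g[MAX_GADGETS];
    decode_stream(sample_code, sizeof sample_code, 0, line, sizeof line);
    printf("intended: %s\n", line);
    size_t n = find_gadgets(sample_code, sizeof sample_code, SAMPLE_BASE, g, MAX_GADGETS);
    for (size_t i = 0; i < n; i++)
        printf("0x%08x : %s\n", g[i].addr, g[i].text);
    return 0;
}
```

Reading the sample from offset 0 gives mov eax,0xc358595a ; inc eax ; inc eax ; inc eax ; ret ; mov eax,[eax] ; ret, which is what was "written". Reading the same bytes from offset 1 gives pop edx ; pop ecx ; pop eax ; ret, which no compiler emitted: that is the unintended instruction sequence the paper's title alludes to. Because a ret byte can also sit inside an immediate, the walk has to re-decode from every candidate start rather than splice already-decoded instructions together.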
32-33 ROP - step 2/2: 2. The weird machine - building an instruction set.
  0xb7f65fbf <mcount+15>:  pop edx
  0xb7f65fc0 <mcount+16>:  pop ecx
  0xb7f65fc1 <mcount+17>:  pop eax
  0xb7f65fc2 <mcount+18>:  ret                      -> load values into registers
  0xb7f0bc0d <stpcpy+61>:  inc eax
  0xb7f0bc0e <stpcpy+62>:  inc eax
  0xb7f0bc0f <stpcpy+63>:  inc eax
  0xb7f0bc10 <stpcpy+64>:  ret                      -> increment registers
  0xb7f29fc7 <dirfd+7>:    mov eax,DWORD PTR [eax]
  0xb7f29fc9 <dirfd+9>:    ret                      -> load from an address
34-36 ROP - step 2/2: 2. The weird machine - building an instruction set. add: (figure from [0], not reproduced in the transcript)
37 ROP - step 2/2: 2. The weird machine - building an instruction set. Gadget classes in the instruction set:
  Loading Constant
  Loading from Memory
  Storing to Memory
  Add
  XOR
  And/Or/Not
  Shift and Rotate
  Unconditional Jumps
  Conditional Jumps
  System Calls
  Function Calls (ret2libc)
  Write any code you like <3
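An added example, again not code from the slides or the paper: the instruction set of slides 33-37 and the ret2libc call of slides 15-21 as a small simulator in C. The gadget addresses are the ones printed on the slides, but here they serve only as labels the simulator dispatches on; the stack address 0xbffffc00, the in-stack offsets and the sentinel 0xdeadbeef are assumptions. The chain first calls system() the cdecl way (callee, return address, argument), uses the pop ebp ; ret at _IO_gets+236 as the fake return address so that the argument slot is consumed and the chain continues, and then loads constants, loads from memory and adds with the three gadgets from slide 33.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget and function addresses as printed on the slides; in this simulator
 * they are only labels to dispatch on (assumption), nothing is executed. */
#define G_POP3   0xb7f65fbfu   /* mcount+15:     pop edx ; pop ecx ; pop eax ; ret */
#define G_INC3   0xb7f0bc0du   /* stpcpy+61:     inc eax ; inc eax ; inc eax ; ret */
#define G_LOAD   0xb7f29fc7u   /* dirfd+7:       mov eax,[eax] ; ret               */
#define G_POP1   0xb7ef3f2cu   /* _IO_gets+236:  pop ebp ; ret                     */
#define G_SYSTEM 0xb7ecffb0u   /* __libc_system: cdecl, argument at [esp+4]        */
#define G_EXIT   0xdeadbeefu   /* made-up sentinel that ends the simulation        */

#define STACK_BASE 0xbffffc00u  /* hypothetical address of the simulated stack */
#define MEM_SIZE   256

typedef struct { uint32_t eax, ecx, edx, ebp, esp; char call[32]; } cpu_t;

static uint32_t rd32(const uint8_t *m, uint32_t a)
{
    a -= STACK_BASE;
    if (a + 4 > MEM_SIZE) return 0;
    return m[a] | (uint32_t)m[a + 1] << 8 | (uint32_t)m[a + 2] << 16 | (uint32_t)m[a + 3] << 24;
}

static void wr32(uint8_t *m, uint32_t a, uint32_t v)
{
    a -= STACK_BASE;
    if (a + 4 > MEM_SIZE) return;
    m[a] = v; m[a + 1] = v >> 8; m[a + 2] = v >> 16; m[a + 3] = v >> 24;
}

static uint32_t pop(cpu_t *c, const uint8_t *mem)
{
    uint32_t v = rd32(mem, c->esp);
    c->esp += 4;
    return v;
}

/* Write the attacker-controlled stack image: a data word, the "/bin/sh"
 * string, and the chain itself starting at the saved-return-address slot.
 * Returns that slot's address.  The offsets are assumptions, not from the slides. */
uint32_t build_chain(uint8_t *mem)
{
    uint32_t data  = STACK_BASE + 0x10;   /* word we will read with mov eax,[eax] */
    uint32_t binsh = STACK_BASE + 0x20;   /* string inside the overflowed buffer  */
    uint32_t chain = STACK_BASE + 0x40;   /* where the saved eip used to be       */
    memset(mem, 0, MEM_SIZE);
    wr32(mem, data, 5);
    memcpy(mem + (binsh - STACK_BASE), "/bin/sh", 8);
    uint32_t w[] = {
        G_SYSTEM, G_POP1, binsh,   /* system("/bin/sh"): callee, return address, argument.
                                      pop ebp ; ret as the return address eats the argument
                                      slot so the chain can continue (function chaining). */
        G_POP3, 0, 0, data,        /* edx = 0, ecx = 0, eax = &data   (load constants)   */
        G_LOAD,                    /* eax = [eax] = 5                 (load from memory) */
        G_INC3,                    /* eax = 8                         (add)              */
        G_EXIT,
    };
    for (size_t i = 0; i < sizeof w / sizeof w[0]; i++)
        wr32(mem, chain + 4 * (uint32_t)i, w[i]);
    return chain;
}

/* Run the chain.  esp is the program counter: every gadget ends in ret, which
 * pops the next gadget address into eip.  Returns the number of gadgets run,
 * or -1 if control reached an address the simulator does not model. */
int run_chain(cpu_t *c, uint8_t *mem, uint32_t esp)
{
    int n = 0;
    c->esp = esp;
    for (;;) {
        uint32_t eip = pop(c, mem);   /* the ret that ended the previous gadget */
        n++;
        switch (eip) {
        case G_POP3: c->edx = pop(c, mem); c->ecx = pop(c, mem); c->eax = pop(c, mem); break;
        case G_INC3: c->eax += 3; break;
        case G_LOAD: c->eax = rd32(mem, c->eax); break;
        case G_POP1: c->ebp = pop(c, mem); break;
        case G_SYSTEM: {
            /* cdecl on entry: [esp] is the return address, [esp+4] the first argument */
            uint32_t arg = rd32(mem, c->esp + 4);
            const char *s = (arg - STACK_BASE) < MEM_SIZE ? (const char *)mem + (arg - STACK_BASE) : "?";
            snprintf(c->call, sizeof c->call, "system(\"%s\")", s);
            break;                    /* system's own ret pops the fake return address */
        }
        case G_EXIT: return n;
        default: return -1;
        }
    }
}

int main(void)
{
    uint8_t mem[MEM_SIZE];
    cpu_t cpu = {0};
    uint32_t start = build_chain(mem);
    int n = run_chain(&cpu, mem, start);
    printf("%d gadgets: %s, eax=%u ebp=0x%08x esp=0x%08x\n", n, cpu.call, cpu.eax, cpu.ebp, cpu.esp);
    return 0;
}
```

esp is the only program counter here: each gadget ends in ret, which pops the next address. Note what happens after system() returns: its argument is still on the stack, so the next gadget has to pop it away before the chain can go on. That pop ; ret trick is the whole difference between calling one libc function and chaining several, which slide 20 summarises as "load parameters and chain functions".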
38 a weird machine is born (source: The Science of Insecurity, 28c3, Sassaman, Patterson, Bratus)
39-41 What to take away from this
  Programming languages exist where you don't expect them (weird machine).
  There is additional code in every binary, but nobody put it there intentionally.
  A creative way to bypass a security mechanism.
42 Discussion: What is the obvious mitigation for this?
43-45 The ASLR Lie (source: )
46 Discussion: What do you think about ROP, geometry, ASLR, W⊕X?
47 References
  [0] Hovav Shacham, The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), CCS 2007 (direct quote from page 4; Figure 5 and Figure 7)
  exploit-exercises.com (the gets() example and stack dumps)
  The Science of Insecurity, 28c3, Sassaman, Patterson, Bratus
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationPayload Already Inside: Data re-use for ROP Exploits
Payload Already Inside: Data re-use for ROP Exploits Long Le longld at vnsecurity.net Thanh Nguyen rd at vnsecurity.net 1 HITB2010KUL DEEPSEC Agenda Introduction Recap on stack overflow & mitigations Multistage
More informationUMBC. A register, an immediate or a memory address holding the values on. Stores a symbolic name for the memory location that it represents.
Intel Assembly Format of an assembly instruction: LABEL OPCODE OPERANDS COMMENT DATA1 db 00001000b ;Define DATA1 as decimal 8 START: mov eax, ebx ;Copy ebx to eax LABEL: Stores a symbolic name for the
More informationSecurity-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat
Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued
More information«Defeating DEP through a mapped file»
«Defeating DEP through a mapped file» by Homeostasie (Nicolas.D) 08/08/2011 (trashomeo [at] gmail [dot] com) Contents 1. Introduction...3 2. Description of the attack scenario...4 3. Building a ROP exploit...7
More informationMACHINE-LEVEL PROGRAMMING I: BASICS
MACHINE-LEVEL PROGRAMMING I: BASICS CS 429H: SYSTEMS I Instructor: Emmett Witchel Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics:
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationSystems I. Machine-Level Programming I: Introduction
Systems I Machine-Level Programming I: Introduction Topics Assembly Programmerʼs Execution Model Accessing Information Registers IA32 Processors Totally Dominate General Purpose CPU Market Evolutionary
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationBypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.
Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.be (May 2010) Introduction : For this first tutorial,
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationY86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View
Computer Architecture I Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, movl, andl, How instructions are encoded as bytes Layer of Abstraction
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant Carnegie Mellon University http://csapp.cs.cmu.edu CS:APP Instruction Set Architecture Assembly Language View! Processor
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant Carnegie Mellon University http://csapp.cs.cmu.edu CS:APP Instruction Set Architecture Assembly Language View Processor
More informationChapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary
Chapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary 1 Outline Introduction to assembly programing Introduction to Y86 Y86 instructions,
More informationApplying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying
Acta Polytechnica Hungarica Vol. 12, No. 5, 2015 Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying László Erdődi Óbuda University, Faculty of Applied Informatics
More informationToday: Machine Programming I: Basics
Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics: Registers, operands, move Intro to x86-64 1 Intel x86 Processors Totally dominate
More informationIntroduction to IA-32. Jo, Heeseung
Introduction to IA-32 Jo, Heeseung IA-32 Processors Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
More information