Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
|
|
- Dale Nigel Burke
- 6 years ago
- Views:
Transcription
1 Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University
2 Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh
3 Crash or no Crash? Enough to build exploit GET /blabla HTTP/1.0 HTTP/ Not Found GET /AAAAAAAAAAAAAAAA connection closed
4 Don t even need to know what application is running! Exploit scenarios: 1. Open source 2. Open binary 3. Closed-binary (and source)????
5 Attack effectiveness Works on 64-bit Linux with ASLR, NX and canaries Server Requests Time (mins) nginx 2,401 1 MySQL 3, Toy proprietary service (unknown binary and source) 1,950 5
6 Attack requirements 1. Stack vulnerability, and knowledge of how to trigger it. 2. Server process that respawns after crash E.g., nginx, MySQL, Apache, OpenSSH, Samba.
7 Background Outline Stack Vulnerabilities No-eXecute memory (NX) Return-Oriented Programming (ROP) Address Space Layout Randomization (ASLR)
8 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address 0x urn; } handle_client() buf[1024]
9 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA handle_client() AAAAAAAAA AAAAAAAAA
10 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA?? AAAAAAAAA AAAAAAAAA
11 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA
12 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x x
13 Exploit protections void process_packet(int s) { char buf[1024]; 1. Make stack non-executable int len; (NX) read(s, &len, sizeof(len)); read(s, 2. buf, Randomize len); memory addresses (ASLR) Stack: urn address 0x } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x
14 Non-eXecutable (NX) memory stack Read stack Write Read heap Execute heap Write.text Read.text Read (code) Execute (code) Execute
15 Non-eXecutable (NX) memory stack Read stack Write Read heap Execute heap Write.text Read.text Read (code) Execute (code) Execute
16 Return-Oriented Programming (ROP).text: Stack: code fragment 0x dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0);...
17 Return-Oriented Programming (ROP).text: Stack: code dup2(sock, 0); 0x fragment urn; 0x dup2(sock, 1); 0x x urn; execve( /bin/sh, 0, 0); urn; 0x x ROP gadget
18 Address Space Layout Randomization (ASLR).text: 0x code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x x x800000
19 Address Space Layout Randomization (ASLR).text: 0x ?? code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x ?? 0x ?? 0x ??
20 Exploit requirements today 1. Break ASLR. 2. Copy of binary (find ROP gadgets / break NX). Is it even possible to hack unknown applications?
21 Blind Return-Oriented Programming (BROP) 1. Break ASLR. 2. Leak binary: Remotely find enough gadgets to call write(). write() binary from memory to network to disassemble and find more gadgets to finish off exploit.
22 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address buf[1024] 0x401183
23 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x401183
24 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)
25 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)
26 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)
27 How to find gadgets?.text: 0x code fragment 0x x x x x401130?????????? Stack: urn address 0x buf[1024]
28 How to find gadgets?.text: 0x code 0x x x x x fragment crash???????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA
29 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash?????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA
30 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash???? Connection hangs Stack: urn address 0x AAAAAAAAA AAAAAAAAA
31 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash crash crash Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA
32 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn
33 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn
34 Finding useful gadgets 0x Stack: Crash!! dup2(sock, 0); urn; other urn address 0x x buf[1024] sleep(10); urn;
35 Finding useful gadgets 0x Stack: dup2(sock, 0); urn; 0x x sleep(10); urn; No crash urn address 0x buf[1024]
36 How to find gadgets?.text: 0x code fragment 0x x x x x crash crash stop gadget crash crash Stack: other urn address 0x buf[1024]
37 How to find gadgets?.text: 0x code fragment Connection hangs 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA
38 How to find gadgets?.text: 0x code fragment Connection closes 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA
39 What are we looking for? write(int sock, void *buf, int len)
40 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write
41 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write AAAAA buf[1024] 0x addr sock rdi 0x buf rsi 0x len rdx 0x700000
42 Pieces of the puzzle stop gadget [call sleep] pop rsi pop rdi pop rdx call write
43 Pieces of the puzzle stop gadget [call sleep] pop rsi pop rdi call strcmp call write
44 Pieces of the puzzle stop gadget pop rsi [call sleep] call strcmp pop rdi call write
45 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop rsi pop r15 pop rdi pop r12 pop r13 pop r14 pop r15 stop gadget [call sleep] call strcmp call write
46 Pieces of the puzzle The BROP gadget pop rbx pop rsi pop r15 pop rdi pop rbp pop r12 pop r13 pop r14 pop r15 PLT stop gadget [call sleep] call strcmp call write
47 Finding the BROP gadget Stack: Connection hangs stop gadget urn address 0x buf[1024]
48 Finding the BROP gadget Stack: stop gadget crash gadget Connection closes urn address 0x buf[1024]
49 Finding the BROP gadget Stack: stop gadget crash gadget pop rbx Connection hangs urn address 0x buf[1024]
50 Stack: Finding the BROP gadget stop gadget crash gadget crash gadget pop rbx pop rbp Connection hangs urn address 0x buf[1024]
51 Stack: Finding the BROP gadget stop gadget crash gadget crash gadget crash gadget crash gadget crash gadget crash gadget urn address 0x pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 BROP gadget Connection hangs buf[1024]
52 Attack so far Can control first two arguments to calls (using BROP gadget). Need to control third argument (using call strcmp). Need to find call write Procedure Linking Table (PLT)
53 Procedure Linking Table (PLT) Origin: 0x PLT.text
54 Procedure Linking Table (PLT) Origin: 0x [GOT dereference].text call write.text... call write... call strcmp PLT PLT jmp [sleep] push 0 jmp dlresolve jmp [write] push 1 jmp dlresolve jmp [strcmp] push 2 jmp dlresolve libc sleep() {... } write() {... } strcmp() {... }
55 Finding the PLT Toward beginning of.text Each entry is 0x10 bytes apart, 0x10 aligned Most don t crash: syscalls - urn EFAULT on bad args. Can check if entry + 6 succeeds too (dlresolve slow path)
56 Fingerprinting strcmp arg1 arg2 result readable 0x0 crash 0x0 readable crash readable readable nocrash Use urn address (.text) as readable Can now control three arguments: strcmp sets RDX to length of string
57 Finding write strcmp(origin, origin) // sets RDX / write length to 7 - ELF header. set rdi to socket number, rsi to origin/addr try calling candidate PLT function. check if data received on socket. chain writes with different FD numbers to find socket. Use multiple connections.
58 Launching a shell 1. dump binary to network - not blind anymore! 2. dump symbol table to find PLT calls. 3. redirect stdin/out to socket: dup2(fd, 0); close(0); fcntl(sock, F_DUPFD, 0); 4. read() /bin/sh from socket to writable writable can be environ (from symbol table) 5. execve( /bin/sh, 0, 0)
59 Braille Fully automated: from crash to shell. 2,000 lines of Ruby. Needs function that will trigger overflow: nginx: 68 lines. mysql: 121 lines. proprietary service: 35 lines. try_exp(data) true crash false no crash
60 Attack complexity dump bin 222 find write 101 find strcmp 61 stack reading 846 find BROP gadget 469 find PLT 702 # of requests for nginx
61 BROP conclusions It s scary what a motivated attacker can do: e.g., hack unknown binaries. Hackers can get past point solutions - need principled solutions: OS: rerandomize ASLR & canaries per-fork Compiler: Encrypt or MAC pointers? Application: Dune (privilege separation)?
Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationHacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University Abstract We show that it is possible to write remote stack buffer overflow exploits without possessing
More informationInformation Leaks. Kyriakos Kyriakou
Information Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Just-in-time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More information6.858 Lecture 3. char *p = malloc(256); char *q = p + 256; char ch = *q; //Does this raise an exception? //Hint: How big is the baggy bound for p?
Baggy bounds continued: Example code (assume that slot_size=16) 6.858 Lecture 3 char *p = malloc(44); //Note that the nearest power of 2 (i.e., //64 bytes) are allocated. So, there are //64/(slot_size)
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationExploit Mitigation - PIE
Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationReturn Oriented Programming
ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationNew York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam
New York University CSCI-UA.480-008: Advanced Computer Systems: Spring 2016 Midterm Exam This exam is 75 minutes. Stop writing when time is called. You must turn in your exam; we will not collect it. Do
More informationCMPSC 497: Midterm Review
CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Midterm Format True/False
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationVulnerability Analysis I:
Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationOS Security. Memory. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Memory Radboud University Nijmegen, The Netherlands Winter 2014/2015 A short recap Central task of OS is to manage access of subjects (processes) to objects (files) Access to resources only
More informationCSc 466/566. Computer Security. 20 : Operating Systems Application Security
1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationEthical Hacking: Preventing & Writing Buffer Overflow Exploits
Ethical Hacking: Preventing & Writing Buffer Overflow Exploits Rochester Security Summit 2014 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Ralph Durkee Background Founder
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More informationCSC 405 Computer Security Shellcode
CSC 405 Computer Security Shellcode Alexandros Kapravelos akaprav@ncsu.edu Attack plan Attack code Vulnerable code xor ebx, ebx xor eax, eax mov ebx,edi mov eax,edx sub eax,0x388 Vulnerable code xor ebx,
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationWriting your first windows exploit in less than one hour
Writing your first windows exploit in less than one hour Klaus Gebeshuber klaus.gebeshuber@fh-joanneum.at http://www.fh-joanneum.at/ims AGENDA Workshop 10.00 13.00 Memory & stack basics, function calling
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationBuffer Overflows Many of the following slides are based on those from Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron
More informationSecurity and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald
Security and Exploit Mitigation CMSC 421 - Spring 2016 Lawrence Sebald Security is of Supreme Importance in Systems As we have seen in the past two classes, even with sophisticated security systems, small
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationHands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits
Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits OWASP AppSec 2013 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Hands-on Ethical Hacking: Preventing
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationLec06: DEP and ASLR. Taesoo Kim
1 Lec06: DEP and ASLR Taesoo Kim Scoreboard 2 NSA Codebreaker Challenges 3 4 Administrivia Congrats!! We've completed the half of labs! Due: Lab06 is out and its due on Oct 5 at midnight NSA Codebreaker
More informationSoftware Security: Buffer Overflow Defenses and Miscellaneous
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses and Miscellaneous Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationPractical and Efficient Exploit Mitigation for Embedded Devices
Practical and Efficient Exploit Mitigation for Embedded Devices Matthias Neugschwandtner IBM Research, Zurich Collin Mulliner Northeastern University, Boston Qualcomm Mobile Security Summit 2015 1 Embedded
More information