Just-in-Time Code Reuse
|
|
- Chrystal Payne
- 5 years ago
- Views:
Transcription
1 Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University of North Carolina at Chapel Hill 2 CASED/Technische Universität Darmstadt, Germany 1
2 The Big Picture 2 2
3 The Big Picture 2 2
4 The Big Picture Scrip&ng facilitates a0acks 2 2
5 The Big Picture Scrip&ng facilitates a0acks Large a0ack surface 2 2
6 The Big Picture Scrip&ng facilitates a0acks Exploit packs automate increasingly complex a0acks Adversary must apply a code- reuse strategy Large a0ack surface 2 2
7 The Big Picture 3 3
8 The Big Picture 3 3
9 The Big Picture Re t u r n o r ien ted Pro g ra mm ing 3 3
10 Basic ROP Attack Technique 4
11 Basic ROP Attack Technique Adversary 4
12 Basic ROP Attack Technique Adversary Stack Heap Code 4
13 Basic ROP Attack Technique Adversary Stack Heap Stack Pivot LOAD Gadget ADD Gadget Code 4
14 Basic ROP Attack Technique Adversary Stack Stack Var 1 Stack Var 2 Heap Stack Pivot LOAD Gadget ADD Gadget Code 4
15 Basic ROP Attack Technique Adversary SP Stack Stack Var 1 Stack Var 2 Heap Stack Pivot LOAD Gadget ADD Gadget Code 4
16 Basic ROP Attack Technique Adversary SP Stack Stack Var 1 Stack Var 2 Heap Inject ROP Payload Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
17 Basic ROP Attack Technique Adversary Inject ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
18 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
19 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
20 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
21 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability SP Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
22 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability SP Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
23 Basic ROP Attack Technique Adversary Exploit Vulnerability to Launch ROP Payload SP Stack Stack Var 1 Stack Var 2 Heap Heap Vulnerability Address 3 Address 2 Address 1 Stack Pivot LOAD Gadget ADD Gadget Code 4
24 Code Reuse Attacks History selected not exhaustive
25 Code Reuse Attacks History selected not exhaustive 1997 ret2libc Solar Designer
26 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal
27 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer
28 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS)
29 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA)
30 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 ROP Rootkits Hund et al (USENIX) ROP on PowerPC FX Lindner (BlackHat USA) ROP on ARM/iOS Miller et al (BlackHat USA)
31 Code Reuse Attacks History selected not exhaustive ret2libc Solar Designer Advanced ret2libc Nergal Borrowed Code Chunks Exploitation Krahmer 2007 ROP Shacham (CCS) 2008 ROP on SPARC Buchanan et al (CCS) ROP on Atmel Francillon et al (CCS) ROP Shacham (BlackHat USA) 2009 ROP Rootkits Hund et al (USENIX) ROP on PowerPC FX Lindner (BlackHat USA) ROP on ARM/iOS Miller et al (BlackHat USA) 2010 Roppery Iozzo et al (BlackHat USA) Payload already inside Long Le (BlackHat USA) ROP without Returns Checkoway et al (CCS) Pwn2Own iphone Weinmann & Iozzo Pwn2Own IE Nils Practical ROP Zovi (RSA Conference) 5
32 ASLR Address Space Layout Randomiza6on 6
33 Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 7 7
34 Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Application Run 2 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 7 7
35 Basics of ASLR ASLR randomizes the base address of code/data segments Application Run 1 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) Application Run 2 Stack Heap Executable Library (e.g., user32.dll) Program Memory (abstract) 3. Adjust instruction sequence pointers Disclosure Attack e.g., [Sotirov et al., Blackhat 2008] 2. Leak function pointer 1. Exploit disclosure vulnerability 7 7
36 Example Memory Disclosure Stack Executable Heap Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8
37 Example Memory Disclosure Stack Executable Vulnerable Object array vuln[10] JavaScript String size Heap string data funcpointer Object funcpointer Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8
38 Example Memory Disclosure Stack Executable Vulnerable Object AAAAAAAAAAAAAAAAA array vuln[10] JavaScript String MAX_SIZE size Heap string data funcpointer Object funcpointer Library (e.g., user32.dll) Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8
39 Example Memory Disclosure Stack Executable Vulnerable Object AAAAAAAAAAAAAAAAA array vuln[10] JavaScript String MAX_SIZE size Heap string data Object funcpointer funcpointer Library (e.g., user32.dll) Memory Readable as String Data Program Memory (abstract) See [Serna, Blackhat USA 2012] for more memory disclosure tac&cs. 8 8
40 Tackling the Problems of ASLR via Fine- Grained ASLR 9
41 Basics of Fine-grained ASLR Application Run 1 Library (e.g., user32.dll) Instruction Sequence 1 Instruction Sequence 2 Instruction Sequence
42 Basics of Fine-grained ASLR Application Run 1 Library (e.g., user32.dll) Instruction Sequence 1 Instruction Sequence 2 Instruction Sequence 3 Application Run 2 Library (e.g., user32.dll) Instruction Sequence 3 Instruction Sequence 1 Instruction Sequence 2 Different fine- grained ASLR approaches have been proposed recently ORP [Pappas et al., IEEE Security & Privacy 2012] ILR [Hiser et al., IEEE Security & Privacy 2012] STIR [Wartell et al., ACM CCS 2012] XIFER [Davi et al., ASIACCS 2013] All mi&gate single memory disclosure a0acks 10 10
43 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized 11
44 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr 11
45 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original Randomized MOV EBX, $0 11
46 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX 11
47 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX Register Re-Allocation (in case another register is free to use) Original MOV EAX, &ptr CALL *EAX Randomized 11
48 Inner Basic Block Randomization Instruction Reordering [Pappas et al., IEEE S&P 2012] Original MOV EBX, &ptr MOV EAX, &string Randomized MOV EAX, &string MOV EBX, &ptr Instruction Substitution Original MOV EBX, $0 Randomized XOR EBX,EBX Register Re-Allocation (in case another register is free to use) Original MOV EAX, &ptr CALL *EAX Randomized MOV EBX, &ptr CALL *EBX 11
49 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original 12
50 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 BBL_2 BBL_3 12
51 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12
52 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12
53 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 MOV EBX, EAX CALL 0x10FF BBL_2 MOV (ESP), EAX 0x10FF: BBL_3 ADD EAX, ECX 12
54 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original BBL_1 MOV EBX, EAX CALL 0x10FF 0x1000: Randomized BBL_2 BBL_2 MOV (ESP), EAX 0x10A0: BBL_3 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 12
55 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: BBL_3 BBL_1 0x10FF: ADD EAX, ECX 0x10FF: MOV EBX, EAX CALL 0x10A0 12
56 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX BBL_3 BBL_1 0x10FF: ADD EAX, ECX 0x10FF: MOV EBX, EAX CALL 0x10A0 12
57 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 MOV EBX, EAX CALL 0x10A0 JMP 0x
58 Basic Block Randomization [Wartell et al., ACM CCS 2012; Davi et al. AsiaCCS 2013] Original Randomized BBL_1 BBL_2 MOV EBX, EAX CALL 0x10FF 0x1000: MOV (ESP), EAX BBL_2 BBL_3 MOV (ESP), EAX 0x10A0: ADD EAX, ECX 0x10FF: BBL_3 ADD EAX, ECX 0x10FF: BBL_1 MOV EBX, EAX CALL 0x10A0 JMP 0x
59 Instruction Location Randomization Original MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX [Hiser et al., IEEE S&P 2012] 0x10FF: ADD EAX, ECX 13
60 Instruction Location Randomization [Hiser et al., IEEE S&P 2012] Original Randomized MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX 0x1000: 0x12A0: MOV (ESP), EAX 0x1F00: 0x10FF: ADD EAX, ECX 0x2000: CALL 0x3000 0x2500: MOV EBX, EAX 0x3000: ADD EAX, ECX 13
61 Instruction Location Randomization [Hiser et al., IEEE S&P 2012] Original Randomized MOV EBX, EAX CALL 0x10FF MOV (ESP), EAX 0x1000: 0x12A0: MOV (ESP), EAX 0x1F00: 0x10FF: ADD EAX, ECX 0x2000: CALL 0x3000 0x2500: MOV EBX, EAX 0x2500 -> 0x2000 0x2000 -> 0x1000 0x1000 -> 0x12A0 0x3000 -> 0x1F00 Execution is driven by a fall-through map and a binary translation framework (Strata) 0x3000: ADD EAX, ECX 13
62 Does Fine- Grained ASLR Provide a Viable Defense in the Long Run? 14
63 Contributions 15 15
64 Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 15 15
65 Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 2 We show that memory disclosures are far more damaging than previously believed 15 15
66 Contributions 1 A novel attack class that undermines fine-grained ASLR, dubbed just-in-time code reuse 2 We show that memory disclosures are far more damaging than previously believed 3 A prototype exploit framework that demonstrates one instantiation of our idea, called JIT-ROP 15 15
67 Assumptions Adversary Defender 16 16
68 Assumptions Adversary Defender Non-Executable Stack and Heap 16 16
69 Assumptions Adversary Defender Fine-Grained ASLR Non-Executable Stack and Heap 16 16
70 Assumptions Adversary Memory Disclosure Vulnerability Defender Fine-Grained ASLR Non-Executable Stack and Heap 16 16
71 Assumptions Adversary Control-Flow Vulnerability Memory Disclosure Vulnerability Fine-Grained ASLR Defender Non-Executable Stack and Heap 16 16
72 Workflow of Just-In-Time Code Reuse Adversary 17 17
73 Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer 17 17
74 Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer Exploit Description (High-Level Language) 17 17
75 Workflow of Just-In-Time Code Reuse Adversary Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application 17 17
76 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Map Memory Description (High-Level Language) Vulnerable Application 17 17
77 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Map Memory Find ROP Sequences (Gadgets) Vulnerable Application 17 17
78 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Find ROP Sequences (Gadgets) Find API Functions 17 17
79 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Compile ROP Program Find ROP Sequences (Gadgets) Find API Functions 17 17
80 Workflow of Just-In-Time Code Reuse Adversary JIT-ROP Framework Leak Code Pointer Exploit Description (High-Level Language) Vulnerable Application Map Memory Compile ROP Program Find ROP Sequences (Gadgets) Find API Functions 17 17
81 Challenges 18 18
82 Challenges Map memory without crashing 18 18
83 Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime 18 18
84 Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime Fully automated 18 18
85 Challenges Map memory without crashing Find gadgets, APIs, and compile payload dynamically at runtime Fully automated Demonstrate efficient, practical exploit 18 18
86 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present 19 19
87 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present f295afcad42b43 638b2bbf6381ff 72efc88bda4cc0 0732bba1575ccb eb7c025e6b8ad3 0c283baa9f03e4 7464fc814176cd 546bcee28e4232 initial code page 19 19
88 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page 19 19
89 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page 19 19
90 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile observation: single leaked function pointer an entire code page is present push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx initial code page push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx 19 19
91 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile 20 20
92 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); 20 20
93 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); 20 20
94 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program Vulnerable Application Code Page Previously Found Sleep() FindWindow() GetActiveWindow() 20 20
95 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program dynamic library and func&on loading is common solu&on: scan for LoadLibrary and GetProcAddress references instead Vulnerable Application Code Page Previously Found LoadLibrary( library.dll ); LoadLibrary( library.dll ); Sleep() LoadLibrary( library.dll ); GetProcAddress( func1 ) GetProcAddress( func1 ) FindWindow() GetProcAddress( func1 ) GetProcAddress( func2 ) GetProcAddress( func2 ) GetActiveWindow() GetProcAddress( func2 ) 20 20
96 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile Desired Payload URLDownloadToFile( bot.exe ); WinExec( bot.exe ); ExitProcess(1); needed APIs o\en not referenced by program dynamic library and func&on loading is common solu&on: scan for LoadLibrary and GetProcAddress references instead With Vulnerable Dynamic Application Loading LoadLibrary( urlmon.dll ); Code Page Previously Found URLDownloadToFile bot.exe ); LoadLibrary( kernel32.dll ); WinExec bot.exe ); LoadLibrary( library.dll ); LoadLibrary( library.dll ); Sleep() LoadLibrary( library.dll ); GetProcAddress( func1 ) GetProcAddress( func1 ) FindWindow() GetProcAddress( func1 ) GetProcAddress( func2 ) GetProcAddress( func2 ) GetActiveWindow() GetProcAddress( func2 ) 20 20
97 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile 21 21
98 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx gadgets found 21 21
99 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret gadgets found 21 21
100 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21
101 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx mov eax, 0x14 ret ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21
102 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found 21 21
103 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov [ecx], eax mov ebx, edx ret ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found MovRegG 21 21
104 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov ebx, edx ret ret MovRegG JumpG ArithmeticG LoadRegG gadgets found MovRegG 21 21
105 Our Approach Map Memory Find API Calls Find Gadgets JIT Compile code pages code sequences gadget types push 0x1 call push 0x1 [-0xFEED] call mov [-0xFEED] ebx, eax mov ebx, jmp eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp push 0x1 call [-0xFEED] mov ebx, eax jmp +0xBEEF dec ecx xor ebx, ebx pop eax Galileo Algorithm [Schacham, ACM CCS 2007] mov ebx, eax mov ebx, edx ret ret MovRegG JumpG ArithmeticG LoadRegG LoadRegG gadgets found MovRegG 21 21
106 Compiling the ROP program 22 22
107 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& 22 22
108 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 generate possible gadget arrangements 22 22
109 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22
110 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22
111 Compiling the ROP program our high-level language gadgets available LoadLibrary( kernel32 ); WinExec calc, SW_SHOWNORMAL); LoadLibrary( kernel32 ); ExitProcess LoadRegG& MovRegG& JumpG& Gadget 1 Gadget 2 Gadget 3 Gadget 4 Gadget 5 Gadget 6 fullfill with available gadgets generate possible gadget arrangements Serialize Reimplementation of Q gadget compiler algorithms [Schwartz et al., USENIX 2011] extended for multiple program statements and function parameters 22 22
112 Take it to the Next Level JIT-ROP is only our initial prototype of just-in-time code reuse. Potential Improvements: Map Memory Find API Calls Find Gadgets Compile Run Time Improve ability to discern code from embedded data. Explore direct use of system calls. Lower conservativeness at expense of complexity. Define more composite gadgets implementing an operation. Optimize code throughout. Bigger changes: apply JIT code reuse to jump-oriented programming, return-less ROP, or ret-to-libc styles of code reuse
113 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? 24 24
114 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) 24 24
115 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) Are code pages interconnected enough? 24 24
116 Page Mapping Considerations All other steps depend on the ability to map code pages well. Are there enough function pointers on the heap? Assume only one code pointer initially accessible. (e.g. from a virtual table entry, callback, or event handler) Tested on 7 Applications: Are code pages interconnected enough? 24 24
117 Experiment Design For each application: Open Application with Blank Document Save Save Snapshot Save Snapshot Save of Snapshot Save of Snapshot Program Save Program Memory of Snapshot Save Program Memory of Program Memory of Snapshots Program Memory of Program Memory of Program Memory Memory Use only one initial code pointer to kick-off memory mapping, repeat for all possible initializations Build Native x86 Version of JIT-ROP Map Memory Find API Calls Find Gadgets Compile 25 25
118 Experimental Results Map Memory On average, 300 pages of code harvested. Find API Calls 500 Pages harvested from a single initial code pointer upper quartile 300 Find Gadgets median Run Time 100 lower quartile 26 26
119 Experimental Results Map Memory Find API Calls Using the LoadLibrary() and GetProcAddress() APIs, the generated ROP payload can lookup any other APIs needed. Find 9 to 12 on average, but only one needed. Find Gadgets upper quartile median 5 Run Time GetProcAddress() ASCII UNICODE LoadLibrary() similar results for all applications 27 27
120 Experimental Results Map Memory We only consider xchg eax,esp for a stack pivot, this could be improved. upper quartile median Find API Calls Find Gadgets Run Time 50 jump pivot mvreg arith load store arithld arithsto lower quartile Usually find one or more of each gadget type. Also tested against gadget elimination, e.g. ORP [Pappas et al., IEEE S&P 2012], which had little benefit. Some gadgets vanished, while new gadgets appeared. again, similar results for all applications 28 28
121 Seconds to Exploit Experimental Results Map Memory 22.5 End-to-end live exploitation experiments with different environments and vulnerabilities. Find API Calls CVE string size overwrite string size overwrite format string disclosure Find Gadgets V Run Time Varies, but viable for real-world exploitation
122 Live Demo CVE on 8 10 Credits Vulnerability Discovery: Metasploit Module for Win7/IE8: Nicolas Joly Juan Vazquez 30
123 Conclusion 31 31
124 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure 31 31
125 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical 31 31
126 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical Towards More Comprehensive Mitigations control-flow integrity [Abadi et al., CCS 2005] 31 31
127 Conclusion Fine-grained ASLR not sufficient against adversary with ability to bypass standard ASLR via memory disclosure Quick Fix? re-randomize periodically [Giuffrida et al., USENIX 2012] performance trade-off is impractical Towards More Comprehensive Mitigations Need for Practical Solutions control-flow integrity [Abadi et al., CCS 2005] work towards efficient fine-grained CFI/DFI 31 31
Selected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationStephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA
Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy ACM CCS 2010, Chicago, USA Ad hoc defense against code injection: W X DEP Code injection unnecessary
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationRuntime Code Reuse Attacks: A Dynamic Framework Bypassing Fine-Grained Address Space Layout Randomization
Runtime Code Reuse Attacks: A Dynamic Framework Bypassing Fine-Grained Address Space Layout Randomization Yi Zhuang 1, Tao Zheng 12, Zhitian Lin 1 Software Institute 1. National Key Laboratory for Novel
More informationInformation Leaks. Kyriakos Kyriakou
Information Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Just-in-time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationCVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK
CVE-2017-11882 EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK First words of thank to Embedy Company to discover the initial exploit and POC of 44 bytes máximum, Ridter
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationApplying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying
Acta Polytechnica Hungarica Vol. 12, No. 5, 2015 Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying László Erdődi Óbuda University, Faculty of Applied Informatics
More informationControl-Flow Attacks and Defenses
Lecture Embedded System Security Summer Term 2016 Control-Flow Attacks and Defenses Prof. Dr.-Ing. Ahmad-Reza Sadeghi Dr.-Ing. Lucas Davi CRISP, Technische Universität Darmstadt Intel Collaborative Research
More informationCheck my profile: Leveraging static analysis for fast and accurate detection of ROP gadgets
Check my profile: Leveraging static analysis for fast and accurate detection of ROP gadgets Blaine Stancill 1, Kevin Z. Snow 1, Nathan Otterness 1, Fabian Monrose 1, Lucas Davi 2, and Ahmad-Reza Sadeghi
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationJust-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization
Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z. Snow, Fabian Monrose Department of Computer Science University of North Carolina at Chapel Hill,
More informationReturn-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim Page 1 Motivation (1) Operating systems separate system
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationMemory corruption vulnerability exposure can be mitigated through memory hardening practices
Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory
More informationDefending against Return-Oriented Programming. Vasileios Pappas
Defending against Return-Oriented Programming Vasileios Pappas Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationStitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. Accepted at USENIX Security 2014
Technical Report Nr. TUD-CS-2014-0800 May 8, 2014 Latest Revision: August 26, 2014 Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Accepted at USENIX Security
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationModule: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationRuntime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include
2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationThree Decades of Runtime Attacks
instead of Motivation Three Decades of Runtime Attacks Morris Worm 1988 return-intolibc Solar Designer 1997 Return-oriented programming Shacham CCS 2007 Continuing Arms Race Code Injection AlephOne 1996
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationWhat Cannot be Read, Cannot be Leveraged?
What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany Overview Code Reuse Attacks/Defenses
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationLucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher
17 th May 2017, ICRI-SC Retreat, Darmstadt, Germany Can Systems ever be Protected against Run-time Attacks? Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher Motivation Motivation
More informationVulnerability Analysis I:
Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationHideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities
HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities Jason Gionta, William Enck, Peng Ning 1 JIT-ROP 2 Two Attack Categories Injection Attacks Code Integrity Data
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationSmashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization
2012 IEEE Symposium on Security and Privacy Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis
More informationBit Flips in Memory Rowhammer Attacks and Defenses
Bit Flips in Memory Rowhammer Attacks and Defenses Memory Corruption Attacks Software code injection return-oriented programming Data Code Hardware Memory Corruption Attacks Software code injection return-oriented
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationDefending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 4: Exploit Defenses Stuart Staniford Adjunct Professor of Computer Science Logis;cs Course is now official Expect an email from Stephanie Meik with your PIN Need to
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationFrom Assembly to JavaScript and Back
From Assembly to JavaScript and Back Robert Gawlik Ruhr-University Bochum August 30th 2018 Singapore About me IT Security since 2010 PostDoc Systems Security Group @ Horst Görtz Institute / Ruhr-University
More informationHAFIX: Hardware-Assisted Flow Integrity Extension
HAFIX: Hardware-Assisted Flow Integrity Extension Lucas Davi, Matthias Hanreich, Debayan Paul, Ahmad-Reza Sadeghi Technische Universität Darmstadt, Germany Patrick Koeberl Intel Labs Dean Sullivan, Orlando
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More informationThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian
More informationPhysical Unclonable Functions-based Linear Encryption against Code Reuse Attacks
Physical Unclonable Functions-based Linear Encryption against Code Reuse Attacks Pengfei Qiu, Yongqiang Lyu Research Institute of Information Technology & TNList Tsinghua University Beijing, China {qpf15;luyq}@mails.tsinghua.edu.cn
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More information16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationReverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher
Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1
More information16.317: Microprocessor Systems Design I Fall 2015
16.317: Microprocessor Systems Design I Fall 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks
ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy ABSTRACT System Security Lab Technische Universität Darmstadt Darmstadt,
More informationFull control of EIP no longer yields immediate arbitrary code execution
Context Full control of EIP no longer yields immediate arbitrary code execution Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR Attackers must identify
More informationSyscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.
Syscall Proxying Maximiliano Cáceres maximiliano.caceres@corest.com Caesars Palace, Las Vegas, NV, USA July 31st, 2002 Agenda General Concepts Syscall Proxying A first implementation Optimizing for size
More informationROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion
University of Piraeus Department of Digital Systems ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion G. Poulios, C. Ntantogian, C. Xenakis {gpoulios, dadoyan, xenakis}@unipi.gr
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationAdvanced Systems Security: Control-Flow Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationMicrogadgets: Size Does Matter In Turing-complete Return-oriented Programming
Microgadgets: Size Does Matter In Turing-complete Return-oriented Programming Andrei Homescu Michael Stewart Per Larsen Stefan Brunthaler Michael Franz Department of Computer Science University of California,
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationChronomorphic Programs: Using Runtime Diversity to Prevent Code Reuse Attacks
Chronomorphic Programs: Using Runtime Diversity to Prevent Code Reuse Attacks Scott E. Friedman, David J. Musliner, and Peter K. Keller Smart Information Flow Technologies (SIFT) Minneapolis, USA email:
More informationDefense against Code-injection, and Code-reuse Attack
Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,
More information16.317: Microprocessor Systems Design I Spring 2015
16.317: Microprocessor Systems Design I Spring 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by
More informationTABLE OF CONTENT 1. Abstract: Terminology Introduction Basic Shellcoding Solving The Addressing Problem Hash API
SECURITY PAPER Preparation Date: 11 Dec 2016 Art of Anti Detection 3 Shellcode Alchemy Prepared by: Ege BALCI Penetration Tester ege.balciinvictuseurope.com TABLE OF CONTENT 1. Abstract:...3 2. Terminology...
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1
More informationWriting your first windows exploit in less than one hour
Writing your first windows exploit in less than one hour Klaus Gebeshuber klaus.gebeshuber@fh-joanneum.at http://www.fh-joanneum.at/ims AGENDA Workshop 10.00 13.00 Memory & stack basics, function calling
More informationLaunching Return-Oriented Programming Attacks against Randomized Relocatable Executables
2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11 Launching Return-Oriented Programming Attacks against Randomized Relocatable Executables Limin Liu Jin Han Debin Gao Jiwu Jing
More informationSecuring Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future?
Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? Ahmad-Reza Sadeghi, Lucas Davi Technische Universität Darmstadt, Germany and Intel Collaborative Research
More informationPacked, Printable, and Polymorphic Return-Oriented Programming
Packed, Printable, and Polymorphic Return-Oriented Programming Kangjie Lu 1,2, Dabi Zou 1, Weiping Wen 2, Debin Gao 1 1 School of Information Systems, Singapore Management University, Singapore {kjlu,
More information