From Assembly to JavaScript and Back
|
|
- Gwenda Holmes
- 5 years ago
- Views:
Transcription
1 From Assembly to JavaScript and Back Robert Gawlik Ruhr-University Bochum August 30th 2018 Singapore
2 About me IT Security since 2010 PostDoc Systems Security Horst Görtz Institute / Ruhr-University Bochum Security Researcher at Blue Frost Security low-level security, binary analysis and exploitation, fuzzing, client-side robert.gawlik@rub.de
3 Agenda JIT-Spray on x86 and ARM and previous work Case study ASM.JS and JIT-Spray 1) CVE ) CVE (bypass of patch for (1)) Arbitrary ASM.JS payload generation Exploitation with ASM.JS JIT-Spray CVE , CVE , CVE
4 JIT Overview
5 JIT Just-In-Time Compilation (JIT) Generate native machine code from higher-level language JavaScript PHP Java ActionScript... x86_32, x86_64, ARM, AArch64
6 JIT Just-In-Time Compilation (JIT) Generate native machine code from higher-level language JavaScript PHP Java ActionScript... x86_32, x86_64, ARM, AArch64 Performance gain compared to interpreted execution
7 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers
8 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers JS: Baseline, IonMonkey ChakraCore (2 Tier JIT) Baseline, DFG, FTL TurboFan
9 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers JS: Baseline, IonMonkey ChakraCore (2 Tier JIT) ActionScript: NanoJIT Baseline, DFG, FTL TurboFan Linux Kernel: ebpf Java: PHP: HotSpot JIT HHVM JIT.Net: RyuJIT
10 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers JS: Baseline, Baseline, IonMonkey Java: DFG, FTL HotSpot JIT ChakraCore More than 13 compilation engines. (2 Tier JIT) could TurboFan What possibly gophp: wrong? HHVM JIT ActionScript: NanoJIT Linux Kernel: ebpf.net: RyuJIT
11 JIT-Spray (x86)
12 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa
13 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa Emitted JIT Code 00: b a8 05: a8 mov eax, 0xa add eax, 0xa
14 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa Emitted JIT Code 00: b a8 05: a8 mov eax, 0xa add eax, 0xa x86 offset 1 01: 02: 03: 04: 06: 07: 08: a nop nop nop test al, 5 nop nop nop
15 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa Emitted JIT Code 00: b a8 05: a8 mov eax, 0xa add eax, 0xa x86 offset 1 01: 02: 03: 04: 06: 07: 08: 90 nop 90 nop 90 nop semantic a805 test nop al, 5 90 nop 90 nop 90 nop
16 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions
17 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa } While (not address_hit){ createfuncandjit() }
18 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa } While (not address_hit){ createfuncandjit() } 0x : 0x : 0x : 0x : 0x : 0x : 0x : a nop nop nop test al, 5 nop nop nop
19 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa } While (not address_hit){ createfuncandjit() } predictable?! 0x : 0x : 0x : 0x : 0x : 0x : 0x : a nop nop nop test al, 5 nop nop nop
20 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa Used to } predictable?! bypass While (not address_hit){ JIT() } 0x : 90 0x : 90 ASLR and DEP 0x : 90 0x : a805 0x : 90 0x : 90 0x : 90 nop nop nop test al, 5 nop nop nop
21 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa Used to } predictable?! 0x : 90 nop 0x : 90 nop bypass ASLR and DEP 0x : 90 nop 0x : a805 test al, 5 No info leak and code reuse necessary 0x : 90 nop While (not address_hit){ 0x : 90 nop JIT() 0x : 90 nop }
22 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa Used to } predictable?! 0x : 90 nop 0x : 90 nop bypass ASLR and DEP 0x : 90 nop 0x : a805 test al, 5 No info leak and code reuse necessary 0x : 90 nop While address_hit){ (not Memory corruptions are easier to exploit 0x : 90 nop JIT() 0x : 90 nop }
23 Prominent JIT-Spray on x86
24 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM)
25 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM) Long XOR sequence gets compiled to XOR instructions
26 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM) Long XOR sequence gets compiled to XOR instructions First of its kind known to public
27 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM) Mitigated by constant folding Long XOR sequence gets compiled to XOR instructions Bypassed with IN operator (VAL0 IN VAL1 ^ VAL2 ^..)...and mitigated with random nop insertion First of its kind known to public
28 JIT-Spray Writing JIT Shellcode (Alexey Sintsov, 2010) Nice methods to ease and automate payload generation:
29 JIT-Spray Writing JIT Shellcode (Alexey Sintsov, 2010) Nice methods to ease and automate payload generation: split long instructions into instructions <= 3 bytes ; 5 bytes mov ebx, 0xb1b2b3b4 mov ebx, 0xb1b2xxxx ; 3 bytes mov bh, 0xb3 ; 2 bytes mov bl, 0xb4 ; 2 bytes
30 JIT-Spray Writing JIT Shellcode (Alexey Sintsov, 2010) Nice methods to ease and automate payload generation: split long instructions into instructions <= 3 bytes ; 5 bytes mov ebx, 0xb1b2b3b4 mov ebx, 0xb1b2xxxx ; 3 bytes mov bh, 0xb3 ; 2 bytes mov bl, 0xb4 ; 2 bytes semantic nops which don t change flags 00: b a 05: a8 mov eax, 0x6a add eax, 0xa : 90 04: 6a05 nop push 5
31 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible:
32 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible: use two of four immediate bytes as payload
33 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible: use two of four immediate bytes as payload connect payload bytes with short jumps (stage0)
34 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible: use two of four immediate bytes as payload connect payload bytes with short jumps (stage0) copy stage1 payload to RWX JIT page and jump to it
35 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010)
36 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines
37 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e., with floating point values)
38 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e., with floating point values) JIT gadget techniques (gajits)
39 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e., with floating point values) JIT gadget techniques (gajits) Comparison of JIT hardening measurements
40 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e. with floating point values) JIT gadget techniques (gajits) Comparison of JIT hardening measurements
41 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion:
42 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS
43 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS trigger UAF bug and call JIT gadget
44 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS trigger UAF bug and call JIT gadget JIT gadget writes return address into heap spray, continue execution in JS
45 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS trigger UAF bug and call JIT gadget JIT gadget writes return address into heap spray, continue execution in JS Mitigated with constant blinding in Flash 11.8
46 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment
47 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment 3 of 4 bytes of one constant usable as payload
48 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment 3 of 4 bytes of one constant usable as payload Spray multiple functions to hit predictable address (32-bit)
49 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment 3 of 4 bytes of one constant usable as payload Spray multiple functions to hit predictable address (32-bit) Jump to it with EIP control
50 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) School book JIT Spray on JRE 7 3 of 4 bytes of one constant usable as payload Spray multiple functions to hit predictable address (32-bit) Jump to it with EIP control
51 JIT-Spray (ARM)
52 JIT-Spray (ARM) Too lejit to Quit (Lian et al., 2015) Target: JSC DFG JIT Thumb-2: mixed 16-bit and 32-bit instructions 16-bit alignment
53 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions
54 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive 16-bit Thumb-2 instructions
55 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive 16-bit Thumb-2 instructions 1st instruction: attacker operation 2nd instruction: PC-relative jump
56 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive 16-bit Thumb-2 instructions 1st instruction: attacker operation 2nd instruction: PC-relative jump self-sustained payload without resynchronization (target: Firefox IonMonkey)
57 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive JIT-Spray on 16-bit Thumb-2 instructions architecture with fixed instruction length and 1st instruction: attacker operation alignment 2nd instruction:instruction PC-relative jump self-sustained payload without resynchronization (target: Firefox IonMonkey)
58 ASM.JS JIT-Spray on OdinMonkey (x86)
59 ASM.JS Strict subset of JS OdinMonkey: Ahead-Of-Time (AOT) Compiler in Firefox Appeared in 2013 in Firefox 22 No need to frequently execute JS as in traditional JITs Generates binary blob with native machine code ASM.JS JIT-Spray possible until Firefox 52 (2017)
60 ASM.JS Simple ASM.JS module
61 ASM.JS Simple ASM.JS module Prolog directive
62 ASM.JS Simple ASM.JS module Prolog directive ASM.JS module body
63 ASM.JS Simple ASM.JS module Prolog directive ASM.JS module body Your calculations
64 ASM.JS Simple ASM.JS module Prolog directive ASM.JS module body Your calculations
65 ASM.JS Inject Code to Predictable Addresses Request ASM.JS module several times
66 ASM.JS Inject Code to Predictable Addresses Request ASM.JS module several times Search for 0xc1c2c3c4 in memory
67 ASM.JS Inject Code to Predictable Addresses Value appears in machine code a d b8c4c3c2c c404 c3 mov xchg add ret eax,0c1c2c3c4h ax,ax esp,4
68 ASM.JS Inject Code to Predictable Addresses Value appears in machine code a d b8c4c3c2c c404 c3 mov xchg add ret eax,0c1c2c3c4h ax,ax esp,4
69 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c c c c c c d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc a a a a a761000
70 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c d8bc many module 0a requests yield many copies c d8bc304 c d8bc304 0a c d8bc304 0a c d8bc304 0a c d8bc304 0a761000
71 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c d8bc many module 0a requests yield many copies c d8bc304 c d8bc304 0a aligned to predictable c d8bc304 0a741000addresses c d8bc304 0a c d8bc304 0a761000
72 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c d8bc many module 0a requests yield many copies c d8bc304 c d8bc304 0a aligned to predictable c d8bc304 0a741000addresses c d8bc304 0a c d8bc304 0a ASM.JS JIT-Spray unlocked
73 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c c c c c c d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc a a a a a761000
74 ASM.JS JIT-Spray CVE Example: nop sled with ASM.JS (Firefox bit)
75 ASM.JS JIT-Spray
76 ASM.JS JIT-Spray No info leak, no code reuse, use your vuln to point EIP to your payload
77 ASM.JS JIT-Spray CVE The flaw (simplified) 1) 2) 3) 4) 5) ASM.JS module is compiled into RW region each module request executes VirtualAlloc many RW regions at 64k granularity predictable compiled module code is copied many times to RW regions RW regions are VirtualProtect ed to RX
78 ASM.JS JIT-Spray CVE The patch 1) Randomize VirtualAlloc allocations randomaddr = ComputeRandomAllocationAddress(); p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,...
79 ASM.JS JIT-Spray CVE The patch 1) Randomize VirtualAlloc allocations randomaddr = ComputeRandomAllocationAddress(); p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,... 2) Limit ASM.JS RX code per process to 160MB maxcodebytesperprocess = 160 * 1024 * 1024;
80 ASM.JS JIT-Spray CVE The patch 1) Randomize VirtualAlloc allocations randomaddr = ComputeRandomAllocationAddress(); p = VirtualAlloc(randomAddr,... Firefox 51 Fixed in if (!p) { Bypass it! // Try again without randomaddr. p = VirtualAlloc(nullPtr,... CVE ) Limit ASM.JS RX code per process to 160MB maxcodebytesperprocess = 160 * 1024 * 1024;
81 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,...
82 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,...
83 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,... occupy as many 64k addresses as possible with Typed Arrays heap spray to decrease entropy
84 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,... occupy as many 64k addresses as possible with Typed Arrays heap spray to decrease entropy randomaddr ASM.JS JIT allocations will fail fallback allocations become predictable again
85 ASM.JS JIT-Spray CVE Bypass patch (2): stay within ASM.JS code limit of 160MB maxcodebytesperprocess = 160 * 1024 * 1024;
86 ASM.JS JIT-Spray CVE Bypass patch (2): stay within ASM.JS code limit of 160MB maxcodebytesperprocess = 160 * 1024 * 1024; spray max allocations allowed, assuming that each module becomes < 64KB (estimation good enough for exploitation)
87 ASM.JS JIT-Spray CVE Bypass patch (2): stay within ASM.JS code limit of 160MB maxcodebytesperprocess = 160 * 1024 * 1024; spray max allocations allowed, assuming that each module becomes < 64KB (estimation good enough for exploitation) Release memory allocated with Typed Array Spray (1)
88 ASM.JS JIT-Spray
89 ASM.JS JIT-Spray CVE The patch major redesign reserve maxcodebytesperprocess range on startup difficult to predict address commit/decommit from this set of pages for ASM.JS/Wasm when requested
90 ASM.JS Payloads
91 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code How to inject arbitrary code?
92 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Arithmetic instructions
93 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Arithmetic instructions 01: 02: 03: 04: 06: 07: 08: a nop nop nop test al, 5 nop nop nop
94 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Arithmetic instructions 01: 02: 03: 04: 06: 07: 08: a nop nop nop test al, 5 nop nop nop problems: - constant folding - test changes flags
95 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements
96 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements 01: 02: 03:.. 11: 12: 13: eb0c nop nop jmp 0x eb0c nop nop jmp 0x21
97 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements 2 payload bytes 01: 02: 03:.. 11: 12: 13: eb0c nop nop jmp 0x eb0c nop nop jmp 0x21
98 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements 2 payload bytes connect with jumps 01: 02: 03:.. 11: 12: 13: eb0c nop nop jmp 0x eb0c nop nop jmp 0x21
99 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface)
100 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) import a JS function into your ASM.JS code
101 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) import a JS function into your ASM.JS code call it with many parameters
102 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) import a JS function into your ASM.JS code call it with many parameters hide payload in parameters
103 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) 00: c a9 mov dword [esp], 0xa : c a9 mov dword [esp + 4], 0xa f: c a9 mov dword [esp + 8], 0xa emitted code
104 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) 03: 04: 05: 06: 0b: 0c: 0d: 0e: a9c a9c nop nop nop test eax,42444c7h nop nop nop test eax,82444c7h
105 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) 03: 04: 05: 06: 0b: 0c: 0d: 0e: 90 nop 90 nop 3 payload 90 nop bytes per instruction a9c test eax,42444c7h 90 nop 90 nop large semantic nops 90 nop a9c test eax,82444c7h
106 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI
107 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI
108 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code
109 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code double constant values are referenced
110 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code double constant values are referenced
111 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code double constant values are referenced
112 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI constants executable! emitted code doubleare constant values are referenced constants are continuous in memory! full constant usable as payload! able to embed continuous code!
113 Automated Payload Generation
114 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Input: x86 assembly shellcode, or loader and payload sc2asmjs.py assembles it, transforms instructions, fixes branch-target distances Output: ASM.JS code containing your payload During exploit/run time: ASM.JS machine code
115 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Problems of automated payload generation: x86 instruction size <= 3 bytes (arithmetics) or <= 2 bytes (parameter passing) branch target distance, loops? side effects of semantic nops?
116 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Some problems solved transform MOVs preserve flags when needed loop and branch adjustments
117 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Some problems solved transform MOVs preserve flags when needed loop and branch adjustments
118 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)
119 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)
120 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)
121 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)
122 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example) Instructions <= 2 bytes stage0 compatible
123 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example) ASM.JS code
124 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)
125 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example) sprayed ASM.JS payload
126 Exploitation
127 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser)
128 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser) Analysis and bug trigger available in Mozilla Bug report
129 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser) Analysis and bug trigger available in Mozilla Bug report Take crashing testcase find a road to EIP to write alternative exploit with ASM.JS JIT-Spray
130 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser) Analysis and bug trigger available in Mozilla Bug report Take crashing testcase find a road to EIP to write alternative exploit with ASM.JS JIT-Spray Much simpler than original exploit no info leak and code reuse
131 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit ( c): Access violation - code c (first chance) mov eax,dword ptr [ecx+0ach] ds:002b:414141ed=???????? 0:000>?eip-xul Evaluate expression: = 007a00dd
132 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit ( c): Access violation - code c (first chance) mov eax,dword ptr [ecx+0ach] ds:002b:414141ed=???????? 0:000>?eip-xul Evaluate expression: = 007a00dd ECX is controlled at xul.dll + 0x7a00dd
133 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138]
134 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138] Exploit: - ASM.JS JIT-Spray to 0x1c1c0054
135 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138] Exploit: - ASM.JS JIT-Spray to 0x1c1c Typed Array spray for controlling memory at ECX and EAX
136 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138] Exploit: - ASM.JS JIT-Spray to 0x1c1c Typed Array spray for controlling memory at ECX and EAX - Trigger the bug
137 ASM.JS JIT-Spray Exploits Exploiting CVE
138 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit HTML5 parser heap-buffer-overflow
139 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit HTML5 parser heap-buffer-overflow Analysis and crashing testcase available in Mozilla Bug report
140 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit HTML5 parser heap-buffer-overflow Analysis and crashing testcase available in Mozilla Bug report Patched at several vulnerable code paths
141 ASM.JS JIT-Spray Exploits Exploiting CVE Crashing testcase targets difficult to exploit code path bruteforce necessary
142 ASM.JS JIT-Spray Exploits Exploiting CVE Crashing testcase targets difficult to exploit code path bruteforce necessary Further analysis based on other patched code paths easier to exploit code path available modification of crashing testcase reaches path
143 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path:
144 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 1) integer underflow 1)
145 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 2) 1) integer underflow 2) control over node object 1)
146 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 3) 2) 1) integer underflow 2) control over node object 3) group is constant no need to bruteforce 1)
147 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 3) 4) 1) 2) 1) integer underflow 2) control over node object 3) group is constant no need to bruteforce 4) pop() calls node release() EIP control
148 ASM.JS JIT-Spray Exploits Exploiting CVE
149 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit Use-after-free in HTML5 string parser
150 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit Use-after-free in HTML5 string parser Analysis and crashing testcase available in Mozilla Bug report
151 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit Use-after-free in HTML5 string parser Analysis and crashing testcase available in Mozilla Bug report Looks suspiciously similar to CVE
152 ASM.JS JIT-Spray Exploits Exploiting CVE While crashing testcase is different from CVE , it exercises same (difficult to exploit) code path public exploit uses bruteforce approach
153 ASM.JS JIT-Spray Exploits Exploiting CVE While crashing testcase is different from CVE , it exercises same (difficult to exploit) code path public exploit uses bruteforce approach Let s try something: modify crashing testcase in same way as for CVE works! EIP control and ASM.JS payload execution
154 Conclusion
155 Conclusion JIT-Spray simplified client-side exploitation ASM.JS in OdinMonkey (x86) was the perfect JIT-Spray target JIT-Spray was possible on x86 and ARM JIT-Spray is infeasible in a large (64-bit) address space, under ASLR and Control-Flow Integrity JIT compilers have a big attack surface and remain prone to vulnerabilities
156 Thank you! Questions?
157 Appendix: Additional and Alternative Slides
158 References
159 References
160 References
161 More Flaws beyond JIT-Spray
162 Beyond JIT-Spray JIT-related flaws More exploit-mitigation bypasses DEP and CFG Bypass (Tencent, 2015)
163 Beyond JIT-Spray JIT-related flaws More exploit-mitigation bypasses DEP and CFG Bypass (Tencent, 2015) Chakra-JIT CFG Bypass (Theori, 2016)
164 Beyond JIT-Spray JIT-related flaws More exploit-mitigation bypasses DEP and CFG Bypass (Tencent, 2015) Chakra-JIT CFG Bypass (Theori, 2016) ACG Bypass (Ivan Fratric, 2018)
165 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0
166 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0 Safari JIT (Pwn2Own 2017, Pwn2Own 2018)
167 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0 Safari JIT (Pwn2Own 2017, Pwn2Own 2018) Chrome 63 (Windows OSR Team)
168 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0 Safari JIT (Pwn2Own 2017, Pwn2Own 2018) Chrome 63 (Windows OSR Team) Chakra JIT (CVE , CVE )
169 JIT-based Code Reuse
170 JIT-Code Reuse Similar to JIT-Spray but requires info leak Abuse JIT to achieve various goals: two payload bytes are enough to create gadgets bypass static ROP protections hide code within direct branch offsets bypass Execute-Only Memory find 4-byte constants missed by constant blinding bypass constant blinding and create gadgets
171 Automated Payload Generation: Preserving Flags
172 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: 3C E CMP AL, 61 JE $+0x10
173 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: - sprayed payload: 3C E 3C 10 A E CMP AL, 61 JE $+0x10 CMP AL, 61 TEST AL, 05 JE $+0x10
174 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: - sprayed payload: 3C E 3C 10 A E CMP AL, 61 JE $+0x10 CMP AL, 61 semantic TEST AL, 05 nop kills flags JE $+0x10
175 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: 3C 10 A E - sprayed payload: - save and restore flags around semantic nop 3C E 3C 10 9C A8 05 9D 74 0E CMP AL, 61 JE $+0x10 CMP AL, 61 semantic TEST AL, 05 nop kills flags JE $+0x10 CMP AL, 61 PUSHFD TEST AL, 05 POPFD JE $+0x10 --> save flags --> kills flags --> restore flags
176 Float Pool Spray: Alternative Slides
177 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values
178 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540:
179 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced
180 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced same executable region
181 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced same executable region continuous in address space
182 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced same executable region continuous in address space gapless, arbitrary shellcode possible
Attacking Client Side JIT Compilers. BlackHat 2011
Attacking Client Side JIT Compilers BlackHat 2011 Introduction Chris Rohlf - Principal Security Consultant @chrisrohlf chris@matasano.com Yan Ivnitskiy - Security Consultant @yan yan@matasano.com http://www.matasano.com/research
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationFlash JIT Spraying info leak gadgets
Flash JIT Spraying info leak gadgets Author: Fermin J. Serna - fjserna@gmail.com - @fjserna URL: http://zhodiac.hispahack.com/my-stuff/security/flash_jit_infoleak_gadgets.pdf PoC: http://zhodiac.hispahack.com/my-stuff/security/flash_jit_infoleak_gadgets/
More informationBypassing Mitigations by Attacking JIT Server in Microsoft Edge
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationAttacking Client Side JIT Compilers. BlackHat 2011
Attacking Client Side JIT Compilers BlackHat 2011 Introduction Chris Rohlf - Principal Security Consultant @chrisrohlf chris@matasano.com Yan Ivnitskiy - Security Consultant @yan yan@matasano.com http://www.matasano.com/research
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian
More informationAttacking Clientside JIT Compilers
Attacking Clientside JIT Compilers Chris Rohlf @chrisrohlf chris@matasano.com Yan Ivnitskiy @yan yan@matasano.com Introduction Targets JIT Design Overview Trace/JaegerMonkey Architecture TraceMonkey LLVM
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationUndermining Information Hiding (And What to do About it)
Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationWhat Cannot be Read, Cannot be Leveraged?
What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany Overview Code Reuse Attacks/Defenses
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationCanSecWest 2011, March Understanding and Exploiting Flash ActionScript Vulnerabilities -- Haifei Li, Sr. Security Researcher
CanSecWest 2011, March 2011 Understanding and Exploiting Flash ActionScript Vulnerabilities -- Haifei Li, Sr. Security Researcher hfli@fortinet.com Why started this research Recent years we have seen an
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationRamblr. Making Reassembly Great Again
Ramblr Making Reassembly Great Again Ruoyu Fish Wang, Yan Shoshitaishvili, Antonio Bianchi, Aravind Machiry, John Grosen, Paul Grosen, Christopher Kruegel, Giovanni Vigna Motivation Available Solutions
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationHeap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks
Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks Yu Ding 1, Tao Wei 1, Tielei Wang 1, Zhenkai Liang 2, Wei Zou 1 1 Peking University, 2 National University of Singapore A
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationModule: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationApplying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying
Acta Polytechnica Hungarica Vol. 12, No. 5, 2015 Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying László Erdődi Óbuda University, Faculty of Applied Informatics
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationWriting your first windows exploit in less than one hour
Writing your first windows exploit in less than one hour Klaus Gebeshuber klaus.gebeshuber@fh-joanneum.at http://www.fh-joanneum.at/ims AGENDA Workshop 10.00 13.00 Memory & stack basics, function calling
More informationReverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationLLV8: Adding LLVM as an extra JIT tier to V8 JavaScript engine
LLV8: Adding LLVM as an extra JIT tier to V8 JavaScript engine Dmitry Melnik dm@ispras.ru September 8, 2016 Challenges of JavaScript JIT compilation Dynamic nature of JavaScript Dynamic types and objects:
More informationAn NCC Group Publication. Exploiting CVE Prepared by: Katy Winterborn. Copyright 2015 NCC Group
An NCC Group Publication Exploiting CVE-2014-0282 Prepared by: Katy Winterborn Contents 1 Introduction... 3 2 Background... 3 2.1 Heap... 3 2.2 Virtual Function Tables... 3 2.3 Use-after-free Vulnerabilities...
More informationSecure Coding Techniques
Secure Coding Techniques "... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc] "Distrust and caution are the parents
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationJust-in-Time Code Reuse
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationINTRODUCTION TO EXPLOIT DEVELOPMENT
INTRODUCTION TO EXPLOIT DEVELOPMENT Nathan Ritchey and Michael Tucker Who Am I (Nathan Ritchey) Have Bachelors in Computer Science Member of CSG Working on Masters with focus on Information Assurance Some
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationA Call to ARMs: Understanding the Costs and Benefits of JIT Spraying Mitigations
A Call to ARMs: Understanding the Costs and Benefits of JIT Spraying Mitigations Wilson Lian UC San Diego wlian@cs.ucsd.edu Hovav Shacham UC San Diego hovav@cs.ucsd.edu Stefan Savage UC San Diego savage@cs.ucsd.edu
More informationThe X86 Assembly Language Instruction Nop Means
The X86 Assembly Language Instruction Nop Means As little as 1 CPU cycle is "wasted" to execute a NOP instruction (the exact and other "assembly tricks", as explained also in this thread on Programmers.
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationSoftware Security Era: Past, Present and Future. Nafiez & Yeh
Software Security Era: Past, Present and Future Nafiez & Yeh Who? Nafiez (@zeifan) - Independent researcher (https://github.com/nafiez) - HITB CTF Crew - Passionate in Vulnerability Research and Reverse
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationSA31675 / CVE
Generated by Secunia 10 September, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Tested Versions 4 Fixed Versions 5 References 5 Generated by Secunia
More informationOpenBSD Remote Exploit
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationRUHR-UNIVERSITÄT BOCHUM. Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs
RUHR-UNIVERSITÄT BOCHUM Horst Görtz Institute for IT Security Technical Report TR-HGI-2014-004 Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs Robert Gawlik and
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationOlder geometric based addressing is called CHS for cylinder-head-sector. This triple value uniquely identifies every sector.
Review: On Disk Structures At the most basic level, a HDD is a collection of individually addressable sectors or blocks that are physically distributed across the surface of the platters. Older geometric
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationBLACKBERRY PWNAGE THE BLUEJAY STRIKES
BLACKBERRY PWNAGE THE BLUEJAY STRIKES Federico Muttis Core Security Technologies Session ID: HTA-T19 Session Classification: Advanced INFO @ THE MEDIA http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationFTL WebKit s LLVM based JIT
FTL WebKit s LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers Meeting 2014 San Jose, CA WebKit JS Execution Tiers OSR Entry LLInt Baseline JIT DFG FTL Interpret bytecode Profiling
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationSneha Rajguru & Prajwal Panchmahalkar
Sneha Rajguru & Prajwal Panchmahalkar Sneha Rajguru Security Consultant, Payatu Technologies Pvt Ltd. @sneharajguru Prajwal Panchmahalkar Red Team Lead Security Engineer, VMware @pr4jwal Introduction to
More informationApology of 0days. Nicolás Waisman
Apology of 0days Nicolás Waisman Who Am I? Senior Security Researcher and Regional Manager at Immunity, Inc. Research and Development of reliable Heap Overflow exploitation for CANVAS attack framework
More informationPatching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps
SESSION ID: EXP-R01 Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps James Lyne Global Head of Security Research Sophos / SANS Institute @jameslyne Stephen Sims Security Researcher
More informationSA33901 / CVE
Released by Secunia 23 February, 2009 6 pages Table of Contents Terms and Conditions 2 Introduction 3 Technical Details 3 Exploitation 5 Characteristics 5 Tested Versions 6 Fixed Versions 6 References
More informationAbysssec Research. 1) Advisory information. 2) Not vulnerable version
Abysssec Research 1) Advisory information Title : Java CMM readmabcurvedata stack overflow Version : Java runtime
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationDigital Forensics Lecture 3 - Reverse Engineering
Digital Forensics Lecture 3 - Reverse Engineering Low-Level Software Akbar S. Namin Texas Tech University Spring 2017 Reverse Engineering High-Level Software Low-level aspects of software are often the
More informationMcSema: Static Translation of X86 Instructions to LLVM
McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM About Us Artem Security Researcher blog.dinaburg.org Andrew PhD Student,
More informationVersion:1.1. Overview of speculation-based cache timing side-channels
Author: Richard Grisenthwaite Date: January 2018 Version 1.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationShellcode Analysis. Chapter 19
Shellcode Analysis Chapter 19 What is Shellcode Shellcode a payload of raw executable code, attackers use this code to obtain interactive shell access. A binary chunk of data Can be generally referred
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationReverse Engineering x86 Processor Microcode
Reverse Engineering x86 Processor Microcode Vancouver, Canada, August 18, 2017 Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar, Thorsten Holz Horst Görtz Institute
More informationNever Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data
Never Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data Ke Sun Ya Ou Yanhui Zhao Xiaomin Song Xiaoning Li wildsator@gmail.com perfectno2015@gmail.com wildyz.yky@gmail.com
More information