Is Exploitation Over? Bypassing Memory Protections in Windows 7

Similar documents
How to Impress Girls with Browser Memory Protection Bypasses

Bypassing Browser Memory Protections

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

SEH overwrite and its exploitability. Shuichiro Suzuki Fourteenforty Research Institute Inc. Research Engineer

CS 161 Computer Security

Smashing the Buffer. Miroslav Štampar

CS 161 Computer Security

Runtime Defenses against Memory Corruption

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Software Security II: Memory Errors - Attacks & Defenses

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Attacks (continued)

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Outline. Memory Exploit

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

How secure am I with EMET?

CS161 Midterm 1 Review

On Compilers, Memory Errors and Control-Flow Integrity

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

Apology of 0days. Nicolás Waisman

CSE 127 Computer Security

CSE 127 Computer Security

Inject malicious code Call any library functions Modify the original code

Lecture 08 Control-flow Hijacking Defenses

Black Hat Webcast Series. C/C++ AppSec in 2014

Writing Exploits. Nethemba s.r.o.

CSE 127 Computer Security

Software Security: Buffer Overflow Attacks

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Digital Forensics Lecture 02 PDF Structure

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

CSE 565 Computer Security Fall 2018

Return-orientated Programming

Università Ca Foscari Venezia

WEB BROWSER SANDBOXING: SECURITY AGAINST WEB ATTACKS

Inline Reference Monitoring Techniques

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Buffer overflow prevention, and other attacks

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Alternative Exploitation Vectors

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Exploit Mitigation - PIE

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Lecture 4 September Required reading materials for this class

Hackveda Training - Ethical Hacking, Networking & Security

What the Stack? On Memory Exploitation and Protection in Resource Constrained Automotive Systems

Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Is stack overflow still a problem?

Stack Overflow COMP620

Abstraction Recovery for Scalable Static Binary Analysis

Secure Coding Techniques

Advanced Buffer Overflow

Introduction to software exploitation ISSISP 2017

Vulnerability Analysis I:

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer Overflow and Protection Technology. Department of Computer Science,

Analysis of MS Multiple Excel Vulnerabilities

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Protection. Thierry Sans

Malware and Vulnerability Check Point. 1. Find Problems 2. Tell Vendors 3. Share with Community

Outline. Format string attack layout. Null pointer dereference

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Title: SEH Overwrites Simplified. Date: October 29 th Author: Aelphaeis Mangarae

Back To The Epilogue

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Advanced Buffer Overflow

TABLE OF CONTENT 1. Abstract: Terminology Introduction Basic Shellcoding Solving The Addressing Problem Hash API

ECS 153 Discussion Section. April 6, 2015

SA28083 / CVE

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Intrusion Detection and Malware Analysis

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Software Security: Buffer Overflow Defenses and Miscellaneous

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

CS 290 Host-based Security and Malware. Christopher Kruegel

Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

Cyber Moving Targets. Yashar Dehkan Asl

Lecture 1: Buffer Overflows

CS 161 Computer Security

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Post exploitation techniques on OSX and Iphone. Vincenzo Iozzo

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Bypassing Windows heap protections

N e xt G e n e ra tio n S e c u rity S o f t w a r e Lt d. Blind Exploitation of Stack Overflow

Transcription:

Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net

About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap manipulation in JavaScript Bypassing browser memory protections on Windows Vista (with Mark Dowd)

difficulty Exploitation is getting harder reliable exploita.on finding vulnerabili.es 2004 200? year

Overview of this talk The evolution of exploit mitigations GS, SafeSEH, DEP, ASLR, SEHOP State of the art in exploitation Windows XP through Windows 7 Windows 7 challenges and directions for future research

Part I The evolution of exploit mitigations

OS evolution

Exploit mitigations Detect memory corruption: GS stack cookies SEH chain validation (SEHOP) Heap corruption detection Stop common exploitation patterns: GS variable reordering SafeSEH DEP ASLR

GS stack cookies saved cookie buffer cookie retaddr buffer overflow

Breaking GS saved cookie buffer pointer var cookie retaddr pointer arg buffer overflow shellcode

GS variable reordering saved cookie copes of arguments non-buffer variables buffer cookie retaddr arguments (unused) buffer overflow pointer arguments are copied before the other variables

Breaking GS, round 2 Some function still use overwritten stack data before the cookie is checked: callee saved registers copy of pointer and string buffer arguments local variables string buffers gs cookie exception handler record saved frame pointer return address arguments stack frame of the caller o v e r f l o w

SafeSEH Validates that each SEH handler is found in the SafeSEH table of the DLL Prevents the exploitation of overwritten SEH records

Breaking SafeSEH Requires that all DLLs in the process are compiled with the new /SafeSEH option A single non-compatible DLL is enough to bypass the protection Control flow modification is still possible

SEH chain validation (SEHOP) Puts a cookie at the end of the SEH chain The exception dispatcher walks the chain and verifies that it ends with a cookie If an SEH record is overwritten, the SEH chain will break and will not end with the cookie No known bypass techniques

Data Execution Prevention Executing data allocated without the PAGE_EXECUTABLE flag raises an access violation exception Stack and heap protected by default Prevents us from jumping to shellcode

Breaking DEP Off by default for compatibility reasons Compatibility problems with plugins: Internet Explorer 8 finally turned on DEP Sun JVM allocated its heap memory RWX, allowing us to write shellcode there Return oriented shellcode (ret2libc) DEP without ASLR is completely useless

ASLR Executables and DLLs loaded at random addresses Randomization of the heap and stack base addresses Prevents us from jumping to existing code

Breaking ASLR Enabled only for binaries compiled with a special flag (for compatibility reasons) Many browser plugins still don t have it Heap spraying still works ASLR without DEP is completely useless

Breaking ASLR Heap spraying defeats ASLR 64KB-aligned allocations allow us to put arbitrary data at an arbitrary address Allocate multiple 1MB strings, repeat a 64KB pattern 64KB 64KB

Part II State of the art in exploitation

Windows pre-xp SP2 Exploitation is trivial Tools can automate the process of analyzing a stack overflow crash and generating an exploit Nobody cares about these old systems

Windows XP SP2 The most widely targeted system in mass exploitation for botnets and keyloggers Attack surface reduction has reduced the number of vulnerabilities in services, but client software is almost completely unprotected Reliable exploitation techniques exist for almost all types of vulnerabilities

Windows Vista Limited deployment, not a target for mass exploitation yet More attack surface reduction in services, but client software still an easy target ASLR and DEP are very effective in theory, but backwards compatibility limitations severely weaken them

Windows 7 No major exploit mitigation changes since Vista, but still much better than XP Wide deployment expected Improved support for DEP and ASLR from Microsoft and third party vendors:.net framework 3.5 SP1 Internet Explorer 8 Adobe Reader 9 Flash 10 QuickTime 7.6

Part III The future of exploitation

Is exploitation over? What if all software used these protections to the fullest extent possible? Assume a Windows 7 system with the latest versions of all common browser plugins and complete DEP and ASLR protection.

Protection dependency graph ASLR GS DEP SEHOP SafeSEH

Partial overwrites Windows binaries are 64KB aligned ASLR only affects the top 16 bits Overwriting the low 16 bits of a pointer will shift it by up to 64KB to a known location inside the same DLL Exploitation is vulnerability specific

Memory disclosure If we can read memory from the process, we can bypass ASLR Even a single return address from the stack is enough to get the base of a DLL DEP can be bypassed with return oriented shellcode

ASLR entropy attacks ASLR on Windows provides only about 8 bits of entropy If we can try an exploit 256 times, we can bypass ASLR by guessing the base address of a DLL DEP can be bypassed with return oriented shellcode

Virtual shellcode We can write our shellcode as a Java applet and use memory corruption to disable the Java bytecode verification No need to worry about DEP at all! Can be achieved by overwriting a single byte in the JVM ASLR makes it harder to find the JVM, but other attacks of this kind might be possible

Corrupting application data We can change the behavior of a program by corrupting its data without modifying the control flow Stack and heap overflows can corrupt data How do we find the right data to overwrite?

Directions for future research 1. Are there new classes of C or C++ vulnerabilities that lead to memory disclosure? Are there more general ways to get memory disclosure from the currently known vulnerability classes?

Directions for future research 2. Can we automate the of the manual analysis work required to exploit data corruption vulnerabilities? How do we find data in memory that is used by an authentication function? How do we track the data in memory and reverse engineer the code that uses it?

Directions for future research 3. Can we use static or dynamic binary analysis to improve our control over the memory layout of a process? How do we ensure a heap block containing such data is allocated next to a heap block I can overflow? How do we get control over the value of an stack or heap variable that is used before initialization?

Part IV Conclusion

Conclusion Windows 7 exploitation is hard, but not impossible Static and dynamic reverse engineering techniques will get even more important If all else fails, web vulnerabilities will always be there!

Questions? alex@sotirov.net

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback