Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Similar documents
Return-orientated Programming

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

The Geometry of Innocent Flesh on the Bone

Practical Malware Analysis

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Program Exploitation Intro

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

Assembly Language: Function Calls" Goals of this Lecture"

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

CPS104 Recitation: Assembly Programming

Assembly Language: Function Calls

Lab 3. The Art of Assembly Language (II)

Assembly Language: Function Calls" Goals of this Lecture"

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

An Introduction to x86 ASM

16.317: Microprocessor Systems Design I Fall 2014

Advanced Buffer Overflow

Q: Exploit Hardening Made Easy

Abstraction Recovery for Scalable Static Binary Analysis

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

mith College Computer Science CSC231 Assembly Week #10 Fall 2017 Dominique Thiébaut

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018

CS61 Section Solutions 3

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Buffer Overflow

Second Part of the Course

Lecture 08 Control-flow Hijacking Defenses

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Università Ca Foscari Venezia

Process Layout and Function Calls

Architecture-level Security Vulnerabilities

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Instruction Set Architecture

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Instruction Set Architecture

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

18-600: Recitation #4 Exploits

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CS429: Computer Organization and Architecture

Topic 6: Code Generation

Outline. Memory Exploit

mith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut

Architecture-level Security Vulnerabilities. Julian Stecklina

Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

Assembly Language: IA-32 Instructions

Lab 10: Introduction to x86 Assembly

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Computer Systems C S Cynthia Lee

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

Instruction Set Architecture

CISC 360 Instruction Set Architecture

W4118: PC Hardware and x86. Junfeng Yang

Y86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

Is stack overflow still a problem?

Assembly Language: Overview!

Writing Exploits. Nethemba s.r.o.

complement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]

x86 architecture et similia

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

Chapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary

How Software Executes

Branching and Looping

Machine Programming 2: Control flow

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Instruction Set Architecture

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

Compiler Construction D7011E

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

18-600: Recitation #4 Exploits (Attack Lab)

SOEN228, Winter Revision 1.2 Date: October 25,

CSC 8400: Computer Systems. Machine-Level Representation of Programs

CSE P 501 Compilers. x86 Lite for Compiler Writers Hal Perkins Autumn /25/ Hal Perkins & UW CSE J-1

Buffer Overflow Attack

Winter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:

CPEG421/621 Tutorial

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

System calls and assembler

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Control flow. Condition codes Conditional and unconditional jumps Loops Switch statements

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Module 3 Instruction Set Architecture (ISA)

The x86 Architecture

CSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

String Oriented Programming Exploring Format String Attacks. Mathias Payer

mith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut

x86 Assembly Crash Course Don Porter

Machine-Level Programming II: Control and Arithmetic

Transcription:

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements: vulnerability + gadgets + some unrandomized code History: No code randomized: Code injection DEP enabled by default: ROP attacks using libc gadgets published 2007 ROP assemblers, compilers, shellcode generators ASLR library load points: ROP attacks use.text segment gadgets Today: all major OSes/compilers support position-independent executables 2

Image by Dino Dai Zovi 3

ROP Programming 1. Disassemble code (library or program) 2. Identify useful code sequences (usually ending in ) 3. Assemble the useful sequences into reusable gadgets* 4. Assemble gadgets into desired shellcode * Forming gadgets is mostly useful when constructing complicated urn-oriented shellcode by hand 4

A note on terminology When ROP was invented in 2007 Sequences of code ending in were the basic building blocks Multiple sequences and data are assembled into reusable gadgets Subsequently A gadget came to refer to any sequence of code ending in a In 2010 ROP without urns (e.g., code sequences ending in call or jmp)

There are many semantically equivalent ways to achieve the same net shellcode effect 6

Equivalence Mem[v2] = v1 Desired Logic v 2 v 1 Stack a 1 : mov eax, [] a 2 : mov ebx, [+8] a 3 : mov [ebx], eax Implementation 1 7

Constant store gadget Mem[v2] = v1 Desired Logic Suppose a 5 and a 3 on stack a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 a 1 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 8

Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 a 13 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 9

Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 v 2 a 3 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 10

Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 v 2 a 45 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 11

Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 v 2 a 5 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 12

Equivalence Mem[v2] = v1 Desired Logic semantically equivalent a 3 v 2 a 2 v 1 Stack a 1 : mov eax, [] a 2 : mov ebx, [+8] a 3 : mov [ebx], eax Implementation 1 a 1 : pop eax; a 2 : pop ebx; a 3 : mov [ebx], eax Implementation 2 13

Return-Oriented Programming Mem[v2] = v1 Desired Shellcode Find needed instruction gadgets at esses a 1, a 2, and a 3 in existing code Overwrite stack to execute a 1, a 2, and then a 3 argv argc urn caller s ebp buf (64 bytes) argv[1] buf %ebp % 14

Return-Oriented Programming a 3 v 2 Mem[v2] = v1 Desired Shellcode argv a 2 argc v 1 urn a 1 caller s ebp %ebp a 1 : pop eax; a 2 : pop ebx; a 3 : mov [ebx], eax Desired store executed! buf (64 bytes) argv[1] buf % 15

What else can we do? Depends on the code we have access to Usually: Arbitrary Turing-complete behavior Arithmetic Logic Conditionals and loops Subroutines Calling existing functions System calls Sometimes: More limited behavior Often enough for straight-line code and system calls

Comparing ROP to normal programming Normal programming Instruction pointer eip No-op nop Unconditional jump jmp ess set to ess of gadget Conditional jump jnz ess set to ess of gadget if some condition is met Variables memory and registers mostly memory Inter-instruction (inter-gadget) register and memory interaction minimal, mostly explicit; e.g., adding two registers only affects the destination register ROP can be complex; e.g., adding two registers may involve modifying many registers which impacts other gadgets

Return-oriented conditionals Processors support instructions that conditionally change the PC On x86 Jcc family: jz, jnz, jl, jle, etc. 33 in total loop, loope, loopne Based on condition codes mostly; and on ecx for some On MIPS beq, bne, blez, etc. Based on comparison of registers Processors generally don t support for conditionally changing the stack pointer (with some exceptions)

We want conditional jumps Unconditional jump movl %eax, %

We want conditional jumps Unconditional jump movl %eax, %

We want conditional jump Unconditional jump movl %eax, %

We want conditional jump Unconditional jump movl %eax, % eax

We want conditional jumps Unconditional jump movl %eax, % eax

We want conditional jumps Unconditional jump movl %eax, % eax,

We want conditional jumps Unconditional jump movl %eax, % eax

We want conditional jumps Unconditional jump movl %eax, % Conditional jump, one way Conditionally set a register to 0 or 0xffffffff Perform a logical AND with the register and an Add the result to

Conditionally set a register to 0 or 0xffffffff Compare registers eax and ebx and set ecx to 0xffffffff if eax < ebx 0 if eax >= ebx Ideally we would find a sequence like set carry flag cf according to eax - ebx ecx ecx - ecx - cf; or ecx -cf Unlikely to find this; instead look for cmp; and sbb; sequences

Performing a logical AND with a constant Pop the constant into a register using pop; Use an and; sequence

Updating the stack pointer Use an add ; sequence

Putting it together Useful instruction sequences movl %eax, % Conditional jump gadget Load constant in edx gadget Unconditional jump gadget addl %eax, %

Putting it together eax 10 ecx 108 edx 17 movl %eax, % addl %eax, %

Putting it together eax 10 ecx 108 edx 17 movl %eax, % addl %eax, %

Putting it together movl %eax, % eax 10 ecx 108 edx 17 cf = 1 addl %eax, %

Putting it together movl %eax, % eax 10 ecx 108 edx 17 cf = 1 addl %eax, %

Putting it together movl %eax, % eax 10 ecx 0xffffffff edx 17 cf = 1 addl %eax, %

Putting it together movl %eax, % eax 10 ecx 0xffffffff edx 17 addl %eax, %

Putting it together eax 20 = ecx 0xffffffff edx 17 movl %eax, % addl %eax, %

Putting it together movl %eax, % eax 20 = ecx 0xffffffff edx 17 addl %eax, %

Putting it together movl %eax, % eax 20 = ecx 0xffffffff edx 17 addl %eax, %

Putting it together movl %eax, % eax 20 = ecx 0xffffffff edx 17 addl %eax, %

Putting it together eax 20 = ecx 0xffffffff edx 17 movl %eax, % addl %eax, %

Putting it together eax 20 = ecx 0xffffffff edx 17 movl %eax, % addl %eax, %

Putting it together eax 20 = ecx 0xffffffff edx movl %eax, % addl %eax, %

Putting it together eax 20 = ecx 0xffffffff edx movl %eax, % addl %eax, %

And again! eax 500 ecx 108 edx 17 movl %eax, % addl %eax, %

And again! eax 500 ecx 108 edx 17 movl %eax, % addl %eax, %

And again! eax 500 ecx 108 edx 17 cf = 0 movl %eax, % addl %eax, %

And again! eax 500 ecx 108 edx 17 cf = 0 movl %eax, % addl %eax, %

And again! eax 500 ecx 0 edx 17 movl %eax, % addl %eax, %

And again! movl %eax, % eax 500 ecx 0 edx 17 addl %eax, %

And again! eax 20 = ecx 0 edx 17 movl %eax, % addl %eax, %

And again! movl %eax, % eax 20 = ecx 0 edx 17 addl %eax, %

And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %

And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %

And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %

And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %

And again! movl %eax, % eax 0 ecx 0 edx addl %eax, %

And again! movl %eax, % eax 0 ecx 0 edx addl %eax, %

And again! eax ecx 0 edx movl %eax, % addl %eax, %

And again! eax ecx 0 edx movl %eax, % addl %eax, %

And again! movl %eax, % eax ecx 0 edx addl %eax, %

And again! movl %eax, % eax ecx 0 edx addl %eax, %

Compare eax 10 ecx 108 edx 17 eax 20 ecx 0xffffffff edx if (eax < ebx) edx = ; else edx = ; eax 500 ecx 108 edx 17 eax ecx 0 edx

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback