Fixing/Making Holes in Binaries

Similar documents
Outline. Outline. Common Linux tools to explore object/executable files. Revealing Internals of Loader. Zhiqiang Lin

Runtime Process Insemination

Generic Technical Defences. Shaun Clowes SecureReality

A Security Microcosm Attacking and Defending Shiva

Protecting Against Unexpected System Calls

CS5460/6460: Operating Systems. Lecture 21: Shared libraries. Anton Burtsev March, 2014

Today s Big Adventure

ECE 471 Embedded Systems Lecture 4

Today s Big Adventure

ECE 598 Advanced Operating Systems Lecture 10

(Extract from the slides by Terrance E. Boult

Control Flow Integrity for COTS Binaries Report

Process Address Spaces and Binary Formats

Operating Systems CMPSC 473. Process Management January 29, Lecture 4 Instructor: Trent Jaeger

Lecture 4 Processes. Dynamic Analysis. GDB

Language Translation. Compilation vs. interpretation. Compilation diagram. Step 1: compile. Step 2: run. compiler. Compiled program. program.

July 14, EPITA Systems/Security Laboratory (LSE) Code sandboxing. Alpha Abdoulaye - Pierre Marsais. Introduction. Solutions.

ECE 498 Linux Assembly Language Lecture 1

CSCI341. Lecture 22, MIPS Programming: Directives, Linkers, Loaders, Memory

Exercise Session 7 Computer Architecture and Systems Programming

COS 318: Operating Systems. Overview. Andy Bavier Computer Science Department Princeton University

CIT 595 Spring System Software: Programming Tools. Assembly Process Example: First Pass. Assembly Process Example: Second Pass.

CSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization

CS 61C: Great Ideas in Computer Architecture CALL continued ( Linking and Loading)

CPEG421/621 Tutorial

A Simplistic Program Translation Scheme

Post exploitation techniques on OSX and Iphone. Vincenzo Iozzo

ECE 471 Embedded Systems Lecture 5

Process Environment. Pradipta De

A tale of ELFs and DWARFs

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

COS 318: Operating Systems

My ld.so. Version 1 5 December Epita systems/security laboratory 2018

Incremental Linking with Gold

Linkers and Loaders. CS 167 VI 1 Copyright 2008 Thomas W. Doeppner. All rights reserved.

The Process Model (1)

CS354 gdb Tutorial Written by Chris Feilbach

2012 LLVM Euro - Michael Spencer. lld. Friday, April 13, The LLVM Linker

Process Address Spaces and Binary Formats

CS140 - Summer Handout #8

Lecture 8: linking CS 140. Dawson Engler Stanford CS department

CSE 451: Operating Systems Winter Processes. Gary Kimura

Android Dynamic Linker - Marshmallow

Advances in Linux process forensics with ECFS

Romain Thomas - Static instrumentation based on executable file formats

Dynamic libraries explained

How to Sandbox IIS Automatically without 0 False Positive and Negative

Backdooring ELF Using Unused Code

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Assembly Language Programming Linkers

[07] SEGMENTATION 1. 1

Midterm. Median: 56, Mean: "midterm.data" using 1:2 1 / 37

Operating Systems. 09. Memory Management Part 1. Paul Krzyzanowski. Rutgers University. Spring 2015

ECS 153 Discussion Section. April 6, 2015

Compiler, Assembler, and Linker

Outline. Unresolved references

12: Memory Management

From Code to Program: CALL Con'nued (Linking, and Loading)

CS 33. Libraries. CS33 Intro to Computer Systems XXVIII 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Background. Contiguous Memory Allocation

CSE 509: Computer Security

Secure Software Programming and Vulnerability Analysis

MIPS (SPIM) Assembler Syntax

ECE260: Fundamentals of Computer Engineering

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

Linking. Explain what ELF format is. Explain what an executable is and how it got that way. With huge thanks to Steve Chong for his notes from CS61.

Computer Systems A Programmer s Perspective 1 (Beta Draft)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Outline. Format string attack layout. Null pointer dereference

Main Memory. CISC3595, Spring 2015 X. Zhang Fordham University

Lec 13: Linking and Memory. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements

Generating Programs and Linking. Professor Rick Han Department of Computer Science University of Colorado at Boulder

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Homework 1 CS 642: Information Security

Reverse Engineering Malware Dynamic Analysis of Binary Malware II

CS 33. Libraries. CS33 Intro to Computer Systems XXIX 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

CHAPTER 8: MEMORY MANAGEMENT. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

TMS470 ARM ABI Migration

Executables and Linking. CS449 Fall 2017

Virtual Memory Paging

Chapter 8: Main Memory

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Is stack overflow still a problem?

Smashing the Buffer. Miroslav Štampar

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

Exercise Session 6 Computer Architecture and Systems Programming

Metasm. a ruby (dis)assembler. Yoann Guillot. 20 october 2007

9/19/18. COS 318: Operating Systems. Overview. Important Times. Hardware of A Typical Computer. Today CPU. I/O bus. Network

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Vulnerability Analysis I:

syscall_intercept A user space library for intercepting system calls Author Name, Company Krzysztof Czuryło, Intel

Università Ca Foscari Venezia

Protecting Against Unexpected System Calls

Link 8.A Dynamic Linking

Compiler Drivers = GCC

Shellbased Wargaming

Security Advisory on Updates to Pivotal / VMware vfabric Web Server

Chapter 8: Memory-Management Strategies

CSE 2421: Systems I Low-Level Programming and Computer Organization. Linking. Presentation N. Introduction to Linkers

Transcription:

Fixing/Making Holes in Binaries The Easy, The Hard, The Time Consuming Shaun Clowes Ð shaun@securereality.com.au

What are we doing? Changing the behaviour of programs Directly modifying the program in itõs compiled (binary) form No source code No recompilation

Types of Binary Modification Two types: Static (executable file) modification Runtime (process) modification

Why modify binaries? For the usual reasons for working on software: Fix bugs Add functionality Change behaviour

Why not just use source? No access to it COTS Not readily available Source code on a disk hidden in a cupboard behind mountains of other disks and CDs Running programs 99.999% uptime, no restart

IsnÕt it too hard? Traditionally been in the too hard basket Depends on the objective Normal value proposition It can be easy, it can also be very hard WeÕll cover a variety of techniques All do need some coding skill

HowÕs this related to Security? Two aspects Defender Fix holes in vulnerable software No waiting for vendor patches Attacker Backdoor/Trojan software

Scope Unix systems Solaris Linux ELF binaries Most concepts more generally applicable

Where to from here? All about ELF File patching In memory patching Library interception injectso - Run time library interception

Breakdown of ELF Need understanding of internal structure of executables ELF = Executable and Linkable Format Originally by Unix System Labs (USL) Adopted by Tool Interface Standards committee (TIS) Used in virtually every recent Unix

Breakdown of ELF Three main types of ELF files Relocatable file Ð object file ready to be linked with others Executable Shared Object (Library) Only last two relevant Concentrate on Executables

Static Vs Dynamic Executables Static executables are self contained They do not need any external code Dynamic executables use external data/code at run time Shared libraries Smaller executables Less disk/memory use Much more common

ELF ÔViewsÕ ELF describes two separate ÔviewsÕ of an executable, a linking view and a loading view Linking view is used at static link time to combine relocatable files Loading view is used at run time to load and execute program

ELF ÔViewsÕ Ð Split ELF Header Program Headers Section Headers File Contents

ELF Linking View.interp.dynamic.dynsym.dynstr.rel.plt.text Divides executable into many meaningful ÔSectionsÕ Sections have: A name and type Requested memory location at run time Permissions (writable/executable)

ELF Linking View Ð Important Sections.interp.dynamic.symtab,.strtab,.dynsym.dynstr.plt.rel.<x>.text.data Requested Dynamic linker Dynamic linking information Symbols (static/dynamic) String tables Procedure linkage table Relocations for section x Code Initialized data

ELF Linking View Not all sections needed at run time Information used for linking Debugging information Difference between link time and run time

ELF Loading View INTERP LOAD LOAD DYNAMIC Much simpler view, divides executable into ÔSegmentsÕ Describes Parts of file to be loaded into memory at run time Locations of important data at run time Segments have: A simple type Requested memory location Permissions (R/W/X) Size (in file and in memory)

ELF Loading View Ð Segment Types LOAD INTERP DYNAMI C Portion of file to be loaded into memory Pointer to dynamic linker for this executable (.interp section) Pointer to dynamic linking information (.dynamic section)

ELF ÔViewsÕ - Linking to Loading.interp.dynsym.text...data.dynamic.strtab.symtab INTERP LOAD (RX) LOAD (RW) DYNAMIC X

ELF Loading View Semantics of section table (Linking View) are irrelevant in Loading View Section information can be removed from executable Good way to kill GNU libbfd programs

ELF Loaders Operating system routines to load executable and begin execution ELF is very flexible, Loaders arenõt Bugs and idiosyncrasies ELF files conforming to the specification donõt always run

Loading and Executing an ELF Executable File opened Map LOAD segments into to memory Calls the dynamic linker specified in the INTERP segment, passing information about the executable

Dynamic Linker/Loader Handles all of the dynamic/shared library needs of executable Retrieves information from the DYNAMIC segment Loads all required shared libraries into memory Modifies executable such that it can access needed resources in the libraries

The Dynamic Section/Segment A table with records containing data critical to dynamic loading/linking Allows dynamic linker to quickly find out information about the executable No need for section table etc Each record consists of: A type (tag) Value (or pointer)

Dynamic Segment Record Tags DT_NEEDED DT_REL DT_JMPREL DT_DEBUG Offset to name of a required shared library Address of relocation entries Address of relocation entries associated with the PLT Pointer to debugging information from dynamic linker

Loading and Executing an ELF Executable 1Map in shared libraries corresponding to DT_NEEDED entries 2 Add libraries to link map stored in area referenced by DT_DEBUG entry 3 Perform relocations

Relocations Tell Dynamic Linker to rewrite parts of executable to refer to external resources Link to dynamic symbol table entries Needed to allow program to use code/data in shared libraries Since address decided at run time

The Procedure Linkage Table Stored in the.plt section Allows executables to call functions that arenõt present at compile time Shared library functions (e.g printf()) Set of function stubs Relocations point them to real location of the functions Normally relocated ÔlazilyÕ

The Procedure Linkage Table Program... printf("hello!\n");... PLT printf() stub libc.so.6 printf()

The Global Offset Table Like PLT but for non function symbols ÔstderrÕ, ÔerrnoÕ etc Referenced by PLT on IA32 But NOT Sparc Both PLT and GOT targeted for attack in format string vulnerabilities

DT_DEBUG Record Pointer to a debug structure provided by the Dynamic Linker (at run time) Normally examined by Debuggers Contains pointer to link map which describes memory layout of process Which binary files are loaded Base address at which they are loaded

File Patching Statically modify code in executable file Need to: Insert additional code Link existing code to added code

File Patching Existing Code New Code

File Patching Need to understand existing code Disassembly Reverse Engineering New code Assembly Hybrid C

File Patching Where to put additional code? Overwrite existing unused code Hard to identify Section padding Not much space Need section in executable segment (on non IA32 targets)

File Patching Add a segment ELF Loader bugs and issues Extend an existing segment Add as much space as you need Other methods Unix viruses

File Patching Ð Extending a Segment... section section segment section section...

File Patching Demo

File Patching Features Very powerful, can change almost anything Permanent ButÉ Complex and error prone Program must be restarted CanÕt easily call new library functions

In Core Patching Exactly like file patching but performed on process memory image Modify process memory using ptrace() or procfs

In Core Patching Where to put additional code? Memory space must be mapped executable Except under IA32 Overwrite unused code Hard to identify Use segment padding Segments padded to page boundaries

In Core Patching Ð Segment Alignment Virtual Address 0x8049644 0x8049000 0x8049644 0x8049734 0x8049754 0x804a000 File Size 0x000f0 padding segment nulls padding Memory Size 0x00110 1604 Bytes 240 Bytes 32 Bytes 2220 Bytes

In Core Patching Demo

In Core Patching Features Very powerful, can change almost anything Non permanent Can be performed on running process ButÉ Complex and error prone Can easily kill target Limited space for new code CanÕt easily call new library functions

Library Interception Dynamic loader resolves at run time all external symbols (dynamic relocations) GOT Ð Data relocations PLT Ð Function relocations How?

Library Interception Reads DT_NEEDED entries in PT_DYNAMIC segment Loads files and adds them to link map Then goes on to process relocations

Library Interception Ð Process View Link Map./testprog libc.so libncurses.so libtermcap.so Process Memory./testprog libc.so libncurses.so libtermcap.so

Dynamic Linker - Resolution When processing relocations dynamic linker looks through map and Searches each libraries exported symbols Tries to find matching symbol name Looks for non ÔweakÕ function First match is the winner

Library Function Call Interception Trick is to get your library loaded first It will be the match (winner) for all its exported symbols Can intercept any dynamic function call (libc etc)

Library Interception Ð Getting in First Modify DT_NEEDED records Overwrite other library entry Open it in your library with linker routines Substitute library depends on old library Move DYNAMIC segment and recreate Add entirely new library dependency

Library Interception Ð Getting in First Use Linker environment LD_PRELOAD specifies libraries to be loaded immediately Very common technique

Library Intercpetion Ð Calling Real Function Intercepting function usually needs to call old function Dynamic linker provides interface (through libdl.so): dlopen Ð Open a library dlsym Ð Get address of symbol, RTLD_NEXT flag specifies libraries after current one

Library Interception - Demo Demo

Library Interception Features Easy and simple All interception code can be done in C Safe Can call any library functions easily

Library Interception ButÉ LD_PRELOAD not permanent DT_NEEDED approach library in place at all times Program must be restarted

injectso Ð Runtime Library Interception injectso is like InjLib for Windows Injects a shared library into a running program Much harder on Unix than in Windows Operating system provides minimal support

injectso - Breakdown Opens process (using ptrace() or procfs) Searches link map to find dlopen() equivalent Construct arguments to dlopen() on stack Force process to jump to dlopen() Set return address to be 0x41414140

injectso Ð Breakdown Function ends with SEGFAULT Return to 0x41414140 Intercepted by injectso Can call user function Provide address of DYNAMIC segment Process state restored Syscalls restarted

injectso Ð Intercept.o Utility object, link into inject libraries Redirect dynamic function calls User code provides list of functions to override Finds functions in PLT and patches them to refer to replacement versions Provides pointer to old function

injectso Ð Intercept.o Program... printf("hello!\n");... PLT printf() stub libc.so.6 printf() X Injected Library newprintf()

injectso Demo

injectso Features Simple Flexible No modifications to binary file No disk files Library can be deleted after injection Service does not need to be restarted

injectso Technical Features ÔUnlimitedÕ space for code No trampolines Executable/Writable memory not required Can call any library functions easily Can override any library functions easily ButÉ Not permanent

Thankyou for listening! Questions? Feedback IP - 172.16.0.2 MAC - 00:10:5a:d3:5d:b2 SSL Certificate Fingerprint (SHA1) a0 8f db 28 7a 15 2e 86 76 42 6e 8a b1 27 32 55 4f 31 12 06 Username and Password are printed on the receipt part of your badge

Contact Details SecureReality Web Site: http://www.securereality.com.au Email: shaun@securereality.com.au

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback