Introduction to software exploitation ISSISP 2017

Similar documents
Lecture Notes: Unleashing MAYHEM on Binary Code

Buffer Overflow Defenses

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Buffer overflow background

Software Security II: Memory Errors - Attacks & Defenses

CS161 Midterm 1 Review

Buffer overflow prevention, and other attacks

Lecture 08 Control-flow Hijacking Defenses

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Using static analysis to detect use-after-free on binary code

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Black Hat Webcast Series. C/C++ AppSec in 2014

CSE 565 Computer Security Fall 2018

Protection and Mitigation of Software Bug Exploitation

Runtime Defenses against Memory Corruption

CS 161 Computer Security

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

Secure Programming I. Steven M. Bellovin September 28,

Memory Safety (cont d) Software Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

From Over ow to Shell

Secure Software Development: Theory and Practice

18-600: Recitation #4 Exploits

SoK: Eternal War in Memory

Memory corruption countermeasures

Biography. Background

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Lecture 4 September Required reading materials for this class

Project 4: Application Security

UMSSIA LECTURE I: SOFTWARE SECURITY

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Lab 2: Buffer Overflows

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

20: Exploits and Containment

CS 161 Computer Security

CSE 565 Computer Security Fall 2018

Outline. Format string attack layout. Null pointer dereference

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Project 4: Application Security

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Software Security: Buffer Overflow Defenses

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

C and C++ Secure Coding 4-day course. Syllabus

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

in memory: an evolution of attacks Mathias Payer Purdue University

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Code Injection Attacks Buffer Overflows

Buffer Overflows Defending against arbitrary code insertion and execution

18-600: Recitation #4 Exploits (Attack Lab)

Basic Buffer Overflows

Inject malicious code Call any library functions Modify the original code

Computer Security Course. Midterm Review

Advanced Buffer Overflow

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Hackveda Training - Ethical Hacking, Networking & Security

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

ECE 471 Embedded Systems Lecture 22

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CMSC 414 Computer and Network Security

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Buffer Overflow Attack (AskCypert CLaaS)

Software Security: Buffer Overflow Attacks

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Exploit Mitigation - PIE

Shellbased Wargaming

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Malware

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Baggy bounds with LLVM

ECS 153 Discussion Section. April 6, 2015

Lec06: DEP and ASLR. Taesoo Kim

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Practical Techniques for Regeneration and Immunization of COTS Applications

Program Security and Vulnerabilities Class 2

Advanced Buffer Overflow

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Transcription:

Introduction to software exploitation ISSISP 2017 1

VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2

Who are we Josselin Feist, josselin@trailofbits.com Mark Mossberg, mark@trailofbits.com Trail of Bits: trailofbits.com Help to build safer software R&D focused: use of the latest program analysis techniques 3

Plan for Today Basic concepts of software exploitation What is a buffer overflow How to exploit it Two hands-on: Simple buffer overflow to exploit, using debugger More complex example, using symbolic execution 4

Program Vulnerabilities Programs contain tons of bugs Some are benign Some impact the security of the system: vulnerabilities How to find them: Manual inspecting Fuzzing Use of a vuln to corrupt the system = exploitation 5

Software Exploitation Why does it matter? Attack: obvious reasons Defense: Knowing if a vulnerability is exploitable -> prioritization Help to convince developers to fix the vulnerability Other reasons: CTF, interesting low-level manipulation,... 6

Recall X64 7

Source Code Versus Assembly Code Programs usually written in high-level languages C/C++, java, python,.. Compilation: Source code binary High-level code assembly code Variables memory locations 8

Source Code Versus Assembly Code 9

Program Variables Variables are split in sections: Local variable: stack Dynamic variable (malloc): heap Others (constant, static,..) : data, rodata,... 10

Program Variables Each function possesses its own stack frame Stack is organized as LIFO It grows toward lower addresses (first element = highest address) 11

Stack Frame Example Before f2() call During f2() 12

Stack Frame Example Two specific registers: RSP and RBP 13

Stack Frame Example Array elements grow toward higher values (@buf[0] < @buf[1]) 14

Stack Frame: Other usages The stack is used to store other elements Function parameters Saving registers during call: RBP and RIP Special register: RIP RIP points to the code that will be executed When a function returns, RIP needs to know where to return -> The stack stores data used for the control flow execution 15

Stack Frame Example When f2() is called During f2() 16

Buffer Overflow 17

Stack-Based Buffer overflow If we write more than 8 elements in buf, we overwrite the stack, and thus the stored values When it happens: Call to unsafe functions: strcpy, Call safer functions with a wrong size Wrong number of loop iterations... 18

Buffer Overflow Example Input = AAAAAAAAAAA...AAA\0 19

Control-Flow Hijacking The overflow rewrites the stored value of RIP You control RIP when the program returns Redirect the program execution flow wherever you want: Usually, use of shellcode = small assembly code executing specific action (reading/writing file, ) Goal for today: execute a specific function 20

Your goal Exploit the binary: /home/issisp/desktop/exo1/bof The subject: /home/issisp/desktop/exo1/subject.pdf Goal: execute the function print_secret 21

Modern Exploitation Lots of protections against vulnerabilities: Canary: a random value is put between stack frames, check if it is changed during execution DEP: the stack is no longer executable (harder to use shellcode) ASLR: sections are randomized In modern OS, you find even more complicated protections (EMET,...) 22

Second binary 23

Second binary $ cat crash.txt 1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $./vuln input.txt Segmentation fault (core dumped) $ gdb./vuln run input.txt => 0x400bfe: call rdx RDX: 0x4582c3004582c300 24

Crash Analysis Not a crash on the return of a function call rdx, with rdx = strange value Direct link between the value of rdx and the input not explicit Not trivial to know the root cause Call to a direct user-controlled value? Buffer overflow leading to rewriting function pointer? Other vulnerability? (Use-after-free,..) 25

Crash Analysis One common solution: reverse-engineer the binary to understand the relation between the input and rdx The solution presented here: using dynamic symbolic execution to build the exploit 26

Dynamic Symbolic Execution 27

Dynamic Symbolic Execution (DSE) DSE: an automated input generation technique. Key idea: execute the program, but consider some variables as symbolic 28

DSE Example 29

DSE Example a is symbolic, called a0 30

DSE Example a is symbolic, called a0 a1 := a0 + 1 31

DSE Example a is symbolic, called a0 a1 := a0 + 1 Two possibilities: - a1 == 0x42 - a1!= 0x42 32

DSE Example a is symbolic, called a0 a1 := a0 + 1 Two possibilities: - a1 == 0x42 - a1!= 0x42 Two paths, represented as so-called path predicates: - a1 := a0 +1 ^ a1 == 0x42 - a1 := a0 +1 ^ a1!= 0x42 33

Path Predicate Once you represent a path as a path predicate: Ask a solver to give a valuation of symbolic inputs Generating the inputs of the path Proof that the path is not feasible Add new constraints on the path predicate Invert a condition Force specific value (e.g. buf[i], i can be > size of buf[]?) 34

DSE Large recent interest in security Academic & industrial interest Angr, Binsec, KLEE, Mayhem, SAGE, Triton, etc. Today: Manticore Young topic, still a lot of limitations Different use: Path exploration Crash analysis Deobfuscation... 35

Manticore Dynamic Binary Analysis Tool Symbolic Execution Taint Analysis Program Instrumentation CLI Tool/Python API Generate inputs Query satisfiability Script custom analyses x86/64, ARMv7 github.com/trailofbits/manticore $ pip install manticore 36

Second binary (cont.) 37

Your goal Use Manticore to know if you can exploit the crash to call the function print_secret You need an input leading to rdx == @print_secret 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback