a single gadget weird machine
play

a single gadget weird machine Highlights of Dutch Cyber Security - PowerPoint PPT Presentation

Feb 12, 2023 •252 likes •879 views

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos memory corruption, the problem that just won't go away 25+ years after the morris worm and

  1. a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos

  2. memory corruption, the problem that just won't go away 25+ years after the morris worm and still going strong 1

  3. stack buffer overflow stack return addr buffer sp 2

  4. stack buffer overflow stack return addr buffer sp 2

  5. stack buffer overflow stack return addr buffer sp 2

  6. stack buffer overflow stack sp return addr buffer 2

  7. stack buffer overflow stack sp return addr buffer 2

  8. stack buffer overflow stack sp return addr buffer 2

  9. stack sp return addr buffer 3

  10. stack sp return addr buffer code 3

  11. return oriented programming stack return addr buffer gadgets code 3

  12. return addr return addr return addr buffer gadgets code 3

  13. Return Oriented Programming - dependent on available gadgets - non-trivial to program - chains may differ greatly between different binaries - Turing complete 4

  14. Sigreturn Oriented Programming - minimal number of gadgets - constructing shellcode by chaining system calls - easy to change functionality of shellcode - shellcode portable (gadgets are always present) - Turing complete 5

  15. unix signals stack sp 6

  16. unix signals stack sp 6

  17. unix signals stack ucontext siginfo sp 6

  18. unix signals stack ucontext siginfo sp sigreturn 6

  19. unix signals stack good: kernel agnostic about signal handlers ucontext siginfo sp sigreturn 6

  20. unix signals stack bad: kernel agnostic about signal handlers ucontext (we can fake 'em) siginfo sp sigreturn 6

  21. two gadgets - call to sigreturn - syscall & return 7

  22. forged signal frame sigreturn 8

  23. program counter forged signal frame sigreturn 8

  24. program counter stack pointer forged signal frame sigreturn 8

  25. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn 8

  26. program counter stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 8

  27. syscall & return stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 8

  28. syscall & return next sigframe syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 8

  29. next syscall(...) 9

  30. socket() bind() listen() accept() execve() 10

  31. SROP exploit on x86-64 An exploit which does not make use of any gadgets in the target program - control over the stack - a known writable memory location (*any* location, and we don't need to write there beforehand) 11

  32. two gadgets - call to sigreturn - syscall & return 12

  33. two gadgets - call to sigreturn: RAX = 15 + syscall - syscall & return 12

  34. one gadget - RAX = 15 - syscall & return 12

  35. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 0f05 syscall c3 return 13

  36. socket() bind() listen() accept() execve() 14

  37. socket() bind() listen() accept() execve() 14

  38. x64 syscall ABI RAX RDI RSI RDX read(fd, buffer, 1024) 15

  39. x64 syscall ABI RAX RDI RSI RDX read(fd, buffer, 1024) = 1024 15

  40. x64 syscall ABI RAX RDI RSI RDX read(fd, buffer, 1024) = 1024 RAX 15

  41. read() = 306 (syncfs) fsyncfs() = 0 (read) read() = 15 (sigreturn) sigreturn() execve() 16

  42. CVE-2012-5976 (asterisk) 17

  43. On some systems SROP gadgets are randomised, on others, they are not Operating system Gadget Memory map Linux i386 sigreturn [vdso] Linux < 3.11 ARM sigreturn [vectors] 0x ffff 0000 Linux < 3.3 x86-64 syscall & return [vsyscall] 0x ffffffffff 600000 Linux ≥ 3.3 x86-64 syscall & return Libc Linux x86-64 sigreturn Libc FreeBSD 9.2 x86-64 sigreturn 0x7 ffffffff 000 Mac OSX x86-64 sigreturn Libc iOS ARM sigreturn Libsystem iOS ARM syscall & return Libsystem 18

  44. On some systems SROP gadgets are randomised, on others, they are not android non-ASLR :-( Operating system Gadget Memory map Linux i386 sigreturn [vdso] Linux < 3.11 ARM sigreturn [vectors] 0x ffff 0000 Linux < 3.3 x86-64 syscall & return [vsyscall] 0x ffffffffff 600000 Linux ≥ 3.3 x86-64 syscall & return Libc Linux x86-64 sigreturn Libc FreeBSD 9.2 x86-64 sigreturn 0x7 ffffffff 000 Mac OSX x86-64 sigreturn Libc iOS ARM sigreturn Libsystem iOS ARM syscall & return Libsystem 18

  45. questions? 19

  46. questions? 27

  47. mitigation: It may be useful to disable vsyscall vsyscall=emulate (default from Linux 3.3 onward) or vsyscall=none

  48. mitigation: - Signal frame canaries

  49. stack canary stack return addr buffer sp

  50. stack canary stack return addr buffer sp

  51. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn

  52. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn

  53. mitigation: - Signal frame canaries

  54. mitigation: - Signal frame canaries - Counting signals in progress

  55. CVE-2012-5976 (asterisk) stack sp stack sp

  56. CVE-2012-5976 (asterisk) stack alloca stack sp sp

  57. CVE-2012-5976 (asterisk) stack alloca stack sp sp

  58. dispatch load CODE dispatch jmp exit cond jump jump P = P + c *P = *P + c *P=getchar() putchar(*P) store

  59. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR);

  60. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR); instruction dispatch: read(code, &ucontext.sp, sizeof(long));

  61. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR); instruction dispatch: read(code, &ucontext.sp, sizeof(long)); pointer ops: p++ -> lseek(p, 1, SEEK_CUR);

  62. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR); instruction dispatch: read(code, &ucontext.sp, sizeof(long)); pointer ops: p++ -> lseek(p, 1, SEEK_CUR); addition: lseek(a, &identity_table_x2, SEEK_SET); lseek(a, val1, SEEK_SET); lseek(a, val2, SEEK_SET); read(a, dest, 1);

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

1.65k views • 89 slides
Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB Linux USB Terminology Brief history of USB gadget subsystem Other filesystem-based gadget interfaces Using USB gadget configfs

439 views • 21 slides
Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

DM204 , 2010 SCHEDULING, TIMETABLING AND ROUTING Lecture 18 Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Single Machine

439 views • 43 slides
Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as: All instructions take the same time (CPI = 1), but some instructions are shorter than others: ADD uses Instruction Memory, Register File, ALU,

95 views • 5 slides
Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020 https://tinyurl.com/fosdem-gadget Hi, Im Alban Alban Crequy CTO, Kinvolk Github: alban Twitter: albcr Email: alban@kinvolk.io Kinvolk Driving

426 views • 30 slides
Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows Christopher Olston and Benjamin Reed Yahoo! Research Web Scale problems Lots of servers, users, and data Fun to have power at your fingertip

505 views • 33 slides
Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Dispatching Rules Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules Lecture 10 Single Machine Models 2. Single Machine Models Marco Chiarandini 2 Dispatching Rules Dispatching Rules Outline

417 views • 7 slides
Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting) Dr Mark Ellio+ Reader in Public Law, University of Cambridge Fellow &amp; Director of

426 views • 14 slides
Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of single queue systems includes an ATM machine ATM machine. A single line of people waiting to get money forms in front of the machine. in front of

401 views • 21 slides
Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine Scheduling to Minimize w j C j Given: n jobs j = 1 , . . . , n , processing times p j &gt; 0, weights w j &gt; 0 Task: schedule jobs on a single

393 views • 20 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides
Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

2/9/2019 Talk Outline Fostering Self-Directed Learning in MOOCs: 1. MOOC Weird Stuff One Modest Little Study to 2. MOOC Systematic Literature Review Help Save the Planet 3. MOOC ID Considerations and Challenges 4. MOOC ID for Self-directed

386 views • 16 slides
T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr. Yuan, Co-Director of MIST Daniel Gibney CpE research center at UCF. Leaphar Castro EE Motivation With the ever expanding use of IoT sensor

740 views • 46 slides
On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H ohn Technische Universit at Berlin Tobias Jacobs NEC Laboratories Europe 18th Combinatorial Optimization Workshop Aussois 2014 Generalized

1.06k views • 89 slides
From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning with Maggy Moritz Meister, @morimeister Software Engineer, Logical Clocks Jim Dowling, @jim_dowling Associate Professor, KTH Royal Institute of

505 views • 33 slides
Years Guri Sohi University of Wisconsin-Madison Outline Speculation infancy performance

Years Guri Sohi University of Wisconsin-Madison Outline Speculation infancy performance

Still Speculating After All These Years Guri Sohi University of Wisconsin-Madison Outline Speculation infancy performance Speculation adolescence energy Speculation maturity security 2 Speculation Infancy

1.02k views • 23 slides
Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

703 views • 27 slides
FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de

FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de

FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de http://www.coli.uni-saarland.de/courses/FLST/2014/ FLST: Linguistics Foundation Morphology ! The study of the internal structure of words, and of the rules by which

1.78k views • 55 slides
Computational Morphology FOU17 Harald Hammarstr om Uppsala University

Computational Morphology FOU17 Harald Hammarstr om Uppsala University

Computational Morphology FOU17 Harald Hammarstr om Uppsala University harald.hammarstrom@lingfil.uu.se 30 Aug 2017 Uppsala Hammarstrom Computational Morphology 2017 Uppsala 1 / 11 Computational Morphology Break words into meaningful

1.23k views • 14 slides
TO SEE OR BECOME AWARE OF SOMETHING THAT HAS NOT YET HAPPENED TRAINING THE CRISIS IN CRISIS

TO SEE OR BECOME AWARE OF SOMETHING THAT HAS NOT YET HAPPENED TRAINING THE CRISIS IN CRISIS

TO SEE OR BECOME AWARE OF SOMETHING THAT HAS NOT YET HAPPENED TRAINING THE CRISIS IN CRISIS MANAGEMENT Klas Lindstrm Managing Director 4C Strategies Understand what you need to do to achieve your desired end state Understand Build your

521 views • 30 slides
Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in northern

Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in northern

Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in northern New Ireland, Papua New Guinea 1 / 15 00001 - 00:00:01 Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in

366 views • 15 slides
THE RACE CARD PROJECT BY MICHELE NORRIS Race. Your Thoughts. Six Words. Please Send. The Wall,

THE RACE CARD PROJECT BY MICHELE NORRIS Race. Your Thoughts. Six Words. Please Send. The Wall,

Eavesdropping on Americas Conversation about Race THE RACE CARD PROJECT BY MICHELE NORRIS Race. Your Thoughts. Six Words. Please Send. The Wall, Early Stages University of Michigan THE INBOX My Ancestors Bones Not For Museum Sonya

621 views • 30 slides
Finances 2018/19 Dawn Scrafield, Director of Finance, ESNEFT Delivered in 2018/19 Subject here

Finances 2018/19 Dawn Scrafield, Director of Finance, ESNEFT Delivered in 2018/19 Subject here

Annual Subject members here meeting Finances 2018/19 Dawn Scrafield, Director of Finance, ESNEFT Delivered in 2018/19 Subject here A significant year regarding the scale of the Trusts accountability for NHS resources. The

235 views • 9 slides

More recommend