aslr nx bounds checking
play

ASLR / NX / Bounds Checking 1 last time stack canaries - PowerPoint PPT Presentation

Nov 12, 2023 •358 likes •1.1k views

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

  1. ASLR / NX / Bounds Checking 1

  2. last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO — protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses ideally attacker never learns addresses except overfmows can leak them 2

  3. logistical note: FORMAT deadline Saturday since executable was not linked correctly on time format string exploit sufficient to overwrite defaultLetterGrade variable 3

  4. Linux stack randomization (x86-64) 1. choose random number between 0 and 0x3F FFFF 0x1000 16 GB range! 6 2. stack starts at 0x7FFF FFFF FFFF - random number × randomization disabled? random number = 0

  5. Linux stack randomization (x86-64) 1. choose random number between 0 and 0x3F FFFF 0x1000 16 GB range! 6 2. stack starts at 0x7FFF FFFF FFFF - random number × randomization disabled? random number = 0

  6. program memory (x86-64 Linux; ASLR) Used by OS why are these addresses fjxed? Code + Constants Writable data Heap (brk/sbrk) Dynamic/Libraries (mmap) Stack 0x0000 0000 0040 0000 0xFFFF FFFF FFFF FFFF (constants + 2MB alignment) 0x0000 0000 0060 0000* (fjlled from top with ASLR) 0xFFFF 8000 0000 0000 7 ± 0x004 0000 0000 ± 0x100 0000 0000 ± 0x200 0000

  7. program memory (x86-32 Linux; ASLR) 0xFFFF FFFF 0xC000 0000 0x0804 8000 Used by OS Stack Dynamic/Libraries (mmap) Heap (brk/sbrk) Writable data Code + Constants 8 ± 0x080 0000 (default) ± 0x008 0000 (default) ± 0x200 0000

  8. how much guessing? gaps change by multiples of page (4K) 64-bit: huge ranges — need millions of guesses only about 8 randomized bits in addresses why? only 4 GB to work with! can be confjgured higher — but larger gaps 9 lower 12 bits are fjxed about 30 randomized bits in addresses 32-bit: smaller ranges — hundreds of guesses

  9. danger of leaking pointers any stack pointer? know everything on the stack! any pointer to a particular library? know everything in library! library loaded as one big chunk contains many ofgsets in instructions — can’t split easily 10

  10. program memory (x86-64 Linux; ASLR) Used by OS why are these addresses fjxed? Code + Constants Writable data Heap (brk/sbrk) Dynamic/Libraries (mmap) Stack 0x0000 0000 0040 0000 0xFFFF FFFF FFFF FFFF (constants + 2MB alignment) 0x0000 0000 0060 0000* (fjlled from top with ASLR) 0xFFFF 8000 0000 0000 11 ± 0x004 0000 0000 ± 0x100 0000 0000 ± 0x200 0000

  11. program memory (x86-64 Linux; ASLR) Used by OS why are these addresses fjxed? Code + Constants Writable data Heap (brk/sbrk) Dynamic/Libraries (mmap) Stack 0x0000 0000 0040 0000 0xFFFF FFFF FFFF FFFF (constants + 2MB alignment) 0x0000 0000 0060 0000* (fjlled from top with ASLR) 0xFFFF 8000 0000 0000 11 ± 0x004 0000 0000 ± 0x100 0000 0000 ± 0x200 0000

  12. fjxed addresses machine code contains hard-coded addresses and is supposed to be loaded without changes only small global ofgset table, etc. changed 12

  13. one possibility — not fjxed could just edit fjxed addresses at load time usual dynamic linking strategy avoids this typical dynamic linkers support it, but unused by compilers, etc. a lot slower than writing small table of addresses a lot more “metadata” for linker harder to share memory between programs 13

  14. relocating: Windows Windows will edit code to relocate typically one fjxed location per program/library per boot same address used across all instances of program/library still allows sharing memory fjxup once per program/library per boot before ASLR: code could be pre-relocated Windows + Visual Studio had ‘full’ ASLR by default since 2010 14 programs/libraries usually include relocation table

  15. recall: relocation 48 c7 c7 00 00 00 00 .data : address to insert R_X86_64_32S : 32-bit signed integer 3: location in machine code relocation record says how to fjx 0x0 in mov 3: R_X86_64_32S .data $0x0,%rdi mov 0: .data generates: ( objdump --disassemble --reloc ) movq $string, %rdi /* NOT PC/RIP-relative mov */ main: .text World!" string: .asciz "Hello, 15 ␣

  16. relocating and stubs: Windows What about the “stubs” and lookup tables? Windows GOT equivalent is IAT (Import Address Table) Can’t Windows avoid them by editing code? Probably, but…it doesn’t Why? 16

  17. Windows ASLR limitation same address in all programs — not very useful against local exploits 17

  18. PIC: Linux, OS X position independent code instead of fjxed-up hard-coded addresses Linux, OS X don’t fjxup code at runtime previously a challenge for ASLR libraries on these systems previously had no fjxed address …but executables had a bunch 18

  19. hard-coded addresses? (64-bit) .quad *lookupTable(,%rdi,8) /* code for defaultCase, returnOne, returnTwo */ ... .section .rodata .quad returnOne returnTwo int foo( long n) { .quad returnOne .quad returnTwo .quad returnOne .quad returnOne jmp defaultCase ja return 2; switch (n) { case 0: case 2: case 4: case 5: return 1; case 1: case 3: default : $5, %rdi return 3; } } foo: movl $3, %eax cmpq 19 lookupTable: /* read-only pointers: */

  20. hard-coded addresses? (64-bit) *0x400618(,%rdi,8) 77 12 ja 0x40058d /* lookup table jump: */ ff 24 fd 18 06 40 00 jmpq ... $0x5,%rdi /* lookupTable @ 0x400618 */ @ 400618: 0x400588 /* returnOne */ @ 400620: 0x400582 /* returnTwo */ @ 400628: 0x400588 @ 400630: 0x400582 /* jump to defaultCase: */ cmp int foo( long n) { case 3: switch (n) { case 0: case 2: case 4: case 5: return 1; case 1: return 2; 48 83 ff 05 default : return 3; } } 400570 <foo> : b8 03 00 00 00 mov $0x3,%eax 20

  21. hard-coded addresses? (64-bit) *0x400618(,%rdi,8) 77 12 ja 0x40058d /* lookup table jump: */ ff 24 fd 18 06 40 00 jmpq ... $0x5,%rdi /* lookupTable @ 0x400618 */ @ 400618: 0x400588 /* returnOne */ @ 400620: 0x400582 /* returnTwo */ @ 400628: 0x400588 @ 400630: 0x400582 /* jump to defaultCase: */ cmp int foo( long n) { case 3: switch (n) { case 0: case 2: case 4: case 5: return 1; case 1: return 2; 48 83 ff 05 default : return 3; } } 400570 <foo> : b8 03 00 00 00 mov $0x3,%eax 20

  22. hard-coded addresses? (64-bit) *0x400618(,%rdi,8) 77 12 ja 0x40058d /* lookup table jump: */ ff 24 fd 18 06 40 00 jmpq ... $0x5,%rdi /* lookupTable @ 0x400618 */ @ 400618: 0x400588 /* returnOne */ @ 400620: 0x400582 /* returnTwo */ @ 400628: 0x400588 @ 400630: 0x400582 /* jump to defaultCase: */ cmp int foo( long n) { case 3: switch (n) { case 0: case 2: case 4: case 5: return 1; case 1: return 2; 48 83 ff 05 default : return 3; } } 400570 <foo> : b8 03 00 00 00 mov $0x3,%eax 20

  23. exercise: avoiding absolute addresses movl but fast exercise: rewrite this without absolute addresses .quad returnOne .quad returnOne .quad returnTwo .quad returnOne .quad returnTwo .quad returnOne lookupTable: ret defaultCase: $2, %eax returnTwo: foo: ret $1, %eax movl returnOne: *lookupTable(,%rdi,8) jmp defaultCase ja $5, %rdi cmpq $3, %eax movl 21

  24. hard-coded addresses 0x0000000000000238 vaddr 0x0000000000400238 filesz 0x0000000000000228 memsz 0x0000000000000230 flags rw paddr 0x0000000000600e10 align 2**21 0x0000000000000e10 vaddr 0x0000000000600e10 LOAD off filesz 0x000000000000078c memsz 0x000000000000078c flags r x paddr 0x0000000000400000 align 2**21 LOAD off filesz 0x000000000000001c memsz 0x000000000000001c flags r paddr 0x0000000000400238 align 2**0 INTERP off filesz 0x00000000000001f8 memsz 0x00000000000001f8 flags r x paddr 0x0000000000400040 align 2**3 PHDR off Program Header: start address 0x0000000000400450 EXEC_P, HAS_SYMS, D_PAGED 22 test − 64 − nopie.exe: file format elf64 − x86 − 64 test − 64 − nopie.exe architecture: i386:x86 − 64, flags 0x00000112: 0x0000000000000040 vaddr 0x0000000000400040 0x0000000000000000 vaddr 0x0000000000400000

  25. relocation? one solution: be willing change addresses at load time Windows does this Linux’s dynamic linker is not willing to 23 requires: table of relocations in executable code

  26. PIE position-independent executables (PIE) no hardcoded addresses Windows solution GCC: -pie -fPIE -pie is linking option -fPIE is compilation option related option: -fPIC (position independent code) used to compile runtime-loaded libraries 24 alternative: edit code (not global ofgset table) at load time

  27. PIE jump-table returnTwo: jumpTable: .rodata .section ret defaultCase: $1, %eax movl returnOne: ret foo: movl $2, %eax *%rax ja movl $3, %eax jmp $5, %rdi cmpq retDefault leaq jumpTable(%rip), %rax movslq (%rax,%rdi,4), %rdx addq %rdx, %rax 25 .long returnOne − jumpTable .long returnTwo − jumpTable .long returnOne − jumpTable .long returnTwo − jumpTable .long returnOne − jumpTable .long returnOne − jumpTable

  28. PIE jump-table returnTwo: jumpTable: .rodata .section ret defaultCase: $1, %eax movl returnOne: ret foo: movl $2, %eax *%rax ja movl $3, %eax jmp $5, %rdi cmpq retDefault leaq jumpTable(%rip), %rax addq %rdx, %rax 25 .long returnOne − jumpTable .long returnTwo − jumpTable .long returnOne − jumpTable .long returnTwo − jumpTable movslq (%rax,%rdi,4), %rdx .long returnOne − jumpTable .long returnOne − jumpTable

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj &gt; type == OBJ

863 views • 29 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology July 8th, 2013 Algorithmic Meta-Theorems Positive results Negative results Problem X is tractable. Problem X is hard. Model Checking Lower

912 views • 62 slides
ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as objects Arrays of objects Command-line arguments Variable-length parameter lists Multidimensional arrays Java Foundations, 3rd Edition,

628 views • 59 slides
Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj &gt; type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen

Process-wide type and bounds checking (via an alliance of many language implementations) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Join me, and together we can rule all the languages

849 views • 70 slides
On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec)

1.05k views • 62 slides
ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec Erik Bosman @brainsmoke Kaveh Razavi @gober Ben Gras @bjg Stephan van Schaik ASLR Address Space Layout Randomiza on Widely deployed

1.75k views • 137 slides
On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android Byoungyoung Lee Long Lu Tielei Wang Taesoo Kim Wenke Lee Georgia Tech,

635 views • 30 slides
Security aid in producing vulnerability free code (bounds primary topic of the paper for today

Security aid in producing vulnerability free code (bounds primary topic of the paper for today

Security aid in producing vulnerability free code (bounds primary topic of the paper for today protect code from people with access to hardware checking, no-execute bit) aid in producing vulnerability free code (bounds secondary topic of the

193 views • 18 slides
3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

Fachgebiet RechnerSysteme Technische Universitt Verification Technology Darmstadt 3. Satisfiability Checking Computer Systems Lab 1 3. Satisfiability Checking 3 3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification

278 views • 11 slides
Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for one week! Due: Lab05 is out and its due on Oct 5 at midnight Lab10: NSA Codebreaker Challenge Due: Nov 29 Offline CTF (Nov

880 views • 19 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations Multivariate quadratic equations Olivier Billet, Thomas Peyrin, and Matt Robshaw Hash functions and multivariate quadratic equations Orange Labs

299 views • 3 slides
Topic 25 Clicker 1 Tries (Edward) Fredkin recommended A. that BBN (Bolt, Beranek and Newman,

Topic 25 Clicker 1 Tries (Edward) Fredkin recommended A. that BBN (Bolt, Beranek and Newman,

Topic 25 Clicker 1 Tries (Edward) Fredkin recommended A. that BBN (Bolt, Beranek and Newman, now B. ee BBN Technologies) purchase the very first PDP-1 to support research projects at C. BBN. The PDP-1 came with no software D. whatsoever.

197 views • 7 slides
Serval: An End-Host Stack for Service-Centric Networking Erik Nordstr om, David Shue, Prem

Serval: An End-Host Stack for Service-Centric Networking Erik Nordstr om, David Shue, Prem

Appeared in 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12) Serval: An End-Host Stack for Service-Centric Networking Erik Nordstr om, David Shue, Prem Gopalan, Robert Kiefer Matvey Arye, Steven Y. Ko, Jennifer

291 views • 14 slides
The Intrepidus Group Proxy setups for apps Who are we? Wh ? P t f Throwaway tools

The Intrepidus Group Proxy setups for apps Who are we? Wh ? P t f Throwaway tools

The Intrepidus Group Proxy setups for apps Who are we? Wh ? P t f Throwaway tools that Jeremy Allen are all similar are all similar Rajendra Umadas R j d U d Scratching the g What do we do? What do we do?

715 views • 37 slides
Using SCHISM Joseph Zhang 2 Primer Online manual and wiki resource: www.schism.wiki o There

Using SCHISM Joseph Zhang 2 Primer Online manual and wiki resource: www.schism.wiki o There

1 Using SCHISM Joseph Zhang 2 Primer Online manual and wiki resource: www.schism.wiki o There are beta_notes, sample files etc in each source code bundle It helps if you know a few programming/scripting languages: python, matlab,

804 views • 68 slides
Jack Dongarra University of Tennessee Oak Ridge National Laboratory University of Manchester

Jack Dongarra University of Tennessee Oak Ridge National Laboratory University of Manchester

Jack Dongarra University of Tennessee Oak Ridge National Laboratory University of Manchester 9/14/09 1 TPP performance Rate Size 2 100 Pflop/s 10000000 22.9 PFlop/s 10 Pflop/s 10000000 1.1 PFlop/s 1 Pflop/s 1000000

864 views • 84 slides
TreeJuxtaposer: Scalable Tree Comparison using Focus+Context with Guaranteed Visibility Tamara

TreeJuxtaposer: Scalable Tree Comparison using Focus+Context with Guaranteed Visibility Tamara

TreeJuxtaposer: Scalable Tree Comparison using Focus+Context with Guaranteed Visibility Tamara Munzner Franois Guimbretire Univ. British Columbia Univ. Maryland College Park Serdar Ta iran Li Zhang, Yunhong Zhou Ko University

742 views • 53 slides
CMU-Q 15-381 Lecture 4: Path Planning Teacher: Gianni A. Di Caro A PPLICATION : M OTION P

CMU-Q 15-381 Lecture 4: Path Planning Teacher: Gianni A. Di Caro A PPLICATION : M OTION P

CMU-Q 15-381 Lecture 4: Path Planning Teacher: Gianni A. Di Caro A PPLICATION : M OTION P LANNING Path planning: computing a continuous sequence (a path) of configurations (states) between an initial configuration (start) and a final

367 views • 32 slides

More recommend