bypassing different defense schemes via crash resistant
play

Bypassing Different Defense Schemes via Crash-Resistant Probing of - PowerPoint PPT Presentation

Oct 10, 2022 •270 likes •1.13k views

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec since 2010 Currently in academia

  1. Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Görtz Institute for IT-Security Bochum, Germany

  2. About me • Playing with InfoSec since 2010 • Currently in academia at Systems Security Group @ Horst Görtz Institute / Ruhr University Bochum • Focusing on binary analysis / attacks / defenses / static and dynamic analysis • Little time for bug hunting and exploiting • Fun fact: Recently discovered favorite toy: DynamoRIO CanSecWest 2016

  3. Agenda • Crash-Resistance • Crash-Resistance in IE 32-bit (CVE 2015-6161) • Memory Scanning : Bypass ASLR • Export Resolving : Bypass EMET's EAF+ • Function Chaining : Bypass Control Flow Guard & EMET's UNC library path restriction • Crash-Tolerant Function Dispatching : Fun ! • Mitigations/Fixes CanSecWest 2016

  4. Crash-Resistance

  5. Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  6. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  7. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  8. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  9. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Program should int main(){ MSG msg; terminate abnormally SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  10. Crash-Resistance CanSecWest 2016

  11. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Instead: int main(){ MSG msg; Program runs endlessly SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  12. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  13. Crash-Resistance 0:000:x86> g (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000001=?? 0:000:x86> gn (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000002=?? 0:000:x86> !exchain [...] 0057f800: USER32!_except_handler4+0 CRT scope 0, filter: USER32!DispatchMessageWorker+36882 func: USER32!DispatchMessageWorker+36895 CanSecWest 2016

  14. Crash-Resistance 0:000:x86> g (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000001=?? pass exception unhandled 0:000:x86> gn (370.e4): Access violation - code c0000005 (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b:00000002=?? 0:000:x86> !exchain [...] 0057f800: USER32!_except_handler4+0 CRT scope 0, filter: USER32!DispatchMessageWorker+36882 func: USER32!DispatchMessageWorker+36895 CanSecWest 2016

  15. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); access violation } printf("read done"); __except( filter ) } filter returns 1 { int main(){ execute handler MSG msg; } SetTimer(0, 0, 1, crash); continue execution while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  16. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); } printf("read done"); __except( filter ) } { int main(){ MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } CanSecWest 2016

  17. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); Program continues while (1){ running despite GetMessage(&msg, NULL, 0, 0); producing faults DispatchMessage(&msg); } } CanSecWest 2016

  18. Crash-Resistance Behind the Scenes (Simplified) char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); Program continues while (1){ running despite GetMessage(&msg, NULL, 0, 0); producing faults DispatchMessage(&msg); } } CanSecWest 2016

  19. Crash-Resistance DEMO 1 CanSecWest 2016

  20. Crash-Resistance • Similar issues: - ”Why it's not crashing ?” [1] - ANI Vulnerability (CVE 2007-0038) [2] - ”Escaping VMware Workstation through COM1” (JPEG2000 parsing) [3] - ”The Art of Leaks” (exploit reliability) [4] CanSecWest 2016

  21. Crash-Resistance in Internet Explorer 11

  22. Crash-Resistance in IE 11 JS callback() set with setInterval() or setTimeout() in web worker is crash-resistant: • Start worker • Launch timed callback() with setInterval() • callback() function may produce access violations without forcing IE into termination (a) : if an AV is triggered in callback() , then callback() stops running and is executed anew (b) : if callback() produces no fault, it is executed completely and then started anew → usable as side channel CanSecWest 2016

  23. Crashless Memory Scanning in Internet Explorer 11

  24. Memory Scanning The Plan: • Spray the heap • Use vulnerabilty to change a byte → Create a type confusion and craft fake JS objects • Utilize fake objects in web worker with setInterval() to scan memory in a crash-resistant way → Discover Thread Environment Block (TEB) → Discover DLL Base Addresses • Don't control EIP yet – instead: use only JS → bypass ASLR CanSecWest 2016

  25. Memory Scanning Spray the heap • Alternate between Object Arrays and Integer Arrays • Object Arrays become aligned to 0xYYYY0000 • Integer Arrays become aligned to +f000 +f400 +f800 +fc00 → Object Array: ObjArr[0] = new String() // saved as reference; bit 0 never set ObjArr[1] = 4 // integer saved as 9 = 4 << 1 | 1 → Integer Array: IntArr[0] = 4 // saved as 4 CanSecWest 2016

  26. Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 | 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd 10110000 L0x0c 0:036> dd 10110000 L0x0c 10110000 00000000 0000eff0 00000000 00000000 10110000 00000000 0000eff0 00000000 00000000 10110010 00000000 000000fc 00003bf8 00000000 10110010 00000000 000000fc 00003bf8 00000000 10110020 1011f101 100ff1b0 80000002 80000002 10110020 1011f101 100ff1b0 80000002 80000002 0:036> dds 100ff1b0 L1 0:036> dds 100ff1b0 L1 100ff1b0 7193803c jscript9!Js::TypedArray<unsigned int,0>::`vftable' 100ff1b0 7193803c jscript9!Js::TypedArray<unsigned int,0>::`vftable' CanSecWest 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology Lab/Security # /usr/bin/whoami Itzhak (Zuk) Avraham Researcher at Samsung Electronics Partner at PIA Follow me on twitter under

473 views • 31 slides
Checkmate? Review of the Epidemiology and our Last Line of Defense for Carbapenem-Resistant

Checkmate? Review of the Epidemiology and our Last Line of Defense for Carbapenem-Resistant

Checkmate? Review of the Epidemiology and our Last Line of Defense for Carbapenem-Resistant Enterobacteriaceae Kieran Shah, Clinical Pharmacy Specialist Critical Care, Surrey Memorial Hospital Presenter disclosure I have no current or past

744 views • 50 slides
Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David

Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison David Malone and Josh Tobin. 2008-12-11 1 Hash Table Lookup scheme to avoid cost of searching full list. carrot zuchinni . . . . . . apricot apple

406 views • 16 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project

Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project

Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project 1 Outline Crash course on Tor Goals for blocking resistance Assumptions (threat model) What Tor offers now Current proxy

1.07k views • 70 slides
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo, Amira Barki, Solenn Brunet and Jacques Traor 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING16 February 26th, 2016

532 views • 23 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture &amp; Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen &amp; Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017 Introduction Merge-and-Shrink Evaluation of Merge Strategies Implementation Conclusion Motivation An important factor for the performance of

489 views • 22 slides
An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

Background Evaluation An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle Malte Helmert University of Basel Switzerland June 15, 2016 Background Evaluation Outline Background 1 Evaluation 2

413 views • 23 slides
Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat lnergie Atomique et aux nergies alternatives Direction des Applications Militaires 17 novembre 2017 Guidelines :

672 views • 49 slides
Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International Conference on Audio for Virtual and Augmented Reality September 30th, 2016 Joseph G. Tylka (presenter) Edgar Y. Choueiri 3D Audio and Applied

441 views • 22 slides
Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick Richardson, Brian Nemsick and Douglas Reynolds Odyssey 2016 June 22, 2016 This work was sponsored by the Department of Defense under Air Force

413 views • 18 slides
Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows the recording of audio and video ( via webcam ) and slides together which can be shared with students. Its not a live broadcast and can be used

404 views • 11 slides
MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology

MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology

MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology 1 Tests Description Use trigger hammer to capture physical taps trigger DAQ by completing a circuit on contact Tap ~5 times on each

390 views • 11 slides

More recommend