CO CO 447 | LEC3 SECU CURE DE DESIGN PRINCI CIPLES JAVA SECU - PowerPoint PPT Presentation

CO CO 447 | LEC3 SECU CURE DE DESIGN PRINCI CIPLES JAVA SECU CURITY ROP AND D ADVANCE CED D EX EXPL PLOITS Dr. Ben Livshits

Java and Native Interactions 2 ¨ Possible to compile bytecode class file to native code class PlatformInvokeTest { [DllImport("msvcrt.dll")] ¨ JITs are used for public static extern int puts(string c); [DllImport("msvcrt.dll")] performance internal static extern int _flushall(); ¨ Java programs can call public static void Main() native methods, t ypically { puts("Test"); functions written in C _flushall(); } ¨ C# and .NET take C/C++ } interop very seriously

Java Security Mechanisms ¨ Sandboxing ¨ Class loader ¤ Run program in restricted ¤ Separate namespaces for separate class loaders environment ¤ Associates protection domain with each class ¤ Analogy: child’s sandbox with only safe toys ¨ Verifier and JVM run-time tests ¤ This term refers to features of ¤ NO unchecked casts or other type errors loader, verifier, interpreter that ¤ NO buffer/array overflows restrict program ¤ Preserves private, protected visibility levels ¨ Code signing ¨ Security Manager ¤ Use cryptography to establish ¤ Called by library functions to decide if request is origin of class file allowed ¤ This info can be used by security ¤ Uses protection domain associated with code, user manager policy ¤ Coming up in a few slides: stack inspection

Security Manager ¨ Java library functions call Security Manager ¨ Security manager object answers at run time ¤ Decide if calling code is allowed to do operation ¤ Examine protection domain of calling class n Signer: organization that signed code before loading n Location: URL where the Java classes came from ¤ Uses the system policy to decide access permission

Sample Security Manager Methods checkExec Checks if the system commands can be executed. checkRead Checks if a file can be read from. checkWrite Checks if a file can be written to. checkListen Checks if a certain network port can be listened to for connections. checkConnect Checks if a network connection can be created. checkCreate Check to prevent the installation of additional ClassLoader ClassLoaders.

Stack Inspection ¨ Permission depends on ¤ Permission of calling method f method method g ¤ Permission of all methods above it on method h stack ¤ Up to method that is java.io.FileInputStream trusted and asserts this trust

Java: Things Didn’t Quite Go According to Plan 7

An Analyzing Ja Java Explo loit its 8 https://www.abartel.net/static/p/ccs2016-10yearsJavaExploits.pdf

Ba Back to o Na Native Cod Code… 9 ¨ Buffer overruns: Stack, Heap

DE DEP 10 10 ¨ Hardware-enforced execution prevention technique ¨ Breaks the basics of memory exploitation ¨ Specifically, stacks and heaps become non-executable or NX ¨ So, can’t lo load your shellcode there existing (shell-) ¨ But… can jump to ex code

EI EIP Limitations 11 11 ¨ Return-to-libc Program image ¨ Pioneered in 1997 ¨ EIP returns to an Heap existing function ¨ Need control of the Stack stack to place parameters there DLL ¨ Typically, the stack is writeable DLL

DEP and ASLR DE 12 12 Address space layout randomization ( ASLR ) is a memory- protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory. https://www.zdnet.com/article/microsoft-says-aslr-behavior-in-windows-10-is-a-feature-not-a-bug/

Re Return-to to-lib libc fo for system 13 13 It's possible to ¨ invoke an arbitrary function simply by placing a fake frame in stack memory It’s possible to ¨ retain EIP control after the function return Ret2LibC forms ¨ the basis of return-oriented- programming https://www.slideshare.net/saumilshah/dive-into-rop

Func Function n Calls 14 14 void add(int x, int y){ frame for add() int sum; sum = x+y; ESP return address from add() printf(“%d\n”, sum); } 3 int main(){ 4 add(3,4); }

Ov Overflow the Buffer and Call add() 15 15 void overflow(char* s){ char buffer[128]; strcpy(buffer, s); buffer } int main(){ return address from overflow overflow(argv[1]); } parameter s

Ca Calls and Returns 16 16 Call ¨ Function return ¤ Leave ¨ push return address on the stack n Restore EBP=POP EBP n MOV EBP to ESP ¨ set up the stack ¤ ret – return control ¤ move ESP ahead back to the calling ¤ push EBP function ¤ mov ESP to EBP n Return address stored earlier on the stack n POP EIP

Be Befor ore the RE RET Instruction on 17 17 AAAAA AAAAA buffer buffer AAAAA AAAAA AAAAA AAAAA AAAAA AAAA ESP AAAA AAAAA AAAAA AAAAA AAAA AAAA

Af After the RET Instruction 18 18 ¨ To return to add() EIP=0x41414141 ¤ Insert a fake frame in the buffer buffer ¤ Make overflow() return to add(01010101, 02020202) ESP AAAA ¤ What is the stack layout? AAAA

Calling add() Throu Ca ough overflow() 19 19 AAAAA ¨ By carefully crafting a frame AAAAA AAAAA ¨ We can have a program buffer AAAAA return to our fu functi tion of f AAAAA cho choice ce address of add() ¨ We control the pa parame meter ers ¨ We also control where to return address from add() jump af after the return 01010101 02020202

Be Before/after RET in overflow() Called 20 20 AAAAA AAAAA AAAAA AAAAA AAAAA AAAAA buffer buffer AAAAA AAAAA AAAAA AAAAA EIP address of add() address of add() ESP return address from add() ESP return address from add() 01010101 01010101 02020202 02020202

Chaining Multiple Function Ch on Ca Calls 21 21 AAAAAAAAAA Return from overflow() AAAAAAAAAA AAAAAAAAAA address of add() return to add() return to POP/POP/RET address of POP/POP/RET 01010101 POP 02020202 POP return to add() address of add() 42424242 EIP = 0x42424242 ESP 03030303 04050404

RO ROP Design Principles 22 22 ¨ Piece together pieces of code ¨ Gadgets – primitive operations ¨ These are found in existing binaries to dodge DEP ¨ Can be the primary binary or the associated shared libraries ¨ Every gadget must end with RET (takes us to the next chained gadget) ¨ We find gadgets in function epilogues

EI EIP vs. ESP in ROP 23 23 Classic EIP code Cl RO ROP code ¨ N ops=N instructions ¨ N ops=N frames ¨ EIP increments ¨ ESP increments ¨ ESP fluctuates ¨ EIP fluctuates ¨ The CPU increments EIP ¨ We control ESP via ret automatically instructions

Ga Gadgets Gl Glued Tog ogether 24 24 https://www.slideshare.net/saumilshah/dive-into-rop

Ga Gadget Di Diction onary 25 25

Ho How w to o Find Gadgets? 26 26 ¨ Shacham et al. manually ¨ Disassemble code (binary + DLLs) identified which ¨ Identify useful code sequences ending in ret sequences ending in ret as in libc were useful potential gadgets gadgets ¨ Assemble gadgets into ¨ Common shellcode was desired shellcode created with these ¨ Return-Oriented gadgets. Programming: Systems, Languages, and Applications ¨ Everyone used libc, so by Ryan Roemer, Erik gadgets and shellcode Buchanan, Hovav Shacham universal and Stefan Savage

Pu Putting This All Together 27 27 ¨ Several gadget compilers exist ¨ one example is ROPgadget on GitHub

Ge Generating ROP Ch Chains 28 28

Ro Ropgadet dem demo 29 29 ¨ https://youtu.be/MSy0rdi1vbo

Qu Quiz 30 30 ¨ https://piazza.com/class/k0r3cj25uu0137

Malware 31 31

Malware: Different Types 32 Spyware is software that aids in gathering Sp A virus is a computer program that is ¨ ¨ information about a person or organization making copies of itself capable of ma without their knowledge and that may send and inserting those copies into other such information to another entity programs. A Tr Trojan often acts as a backdoor, contacting ¨ a controller which can then have unauthorized access to the affected A worm is a virus that uses a ¨ computer. network to copy itself onto other ne nload attack is a malware A dr drive-by by-do downl computers. ¨ delivery technique triggered when the user visits a website.

Wa Wait, There’s Mo More 33

Ma Malware Volume 34 The AV-TEST Institute registers over 450,000 new malicious programs every day http://www.av-test.org/en/statistics/malware/

A A Lot of Commercial Ac Activity 35 Cyber Security Market worth $155.74 Billion by 2019 http://www.marketsandmarkets.com/PressReleases/cyber-security.asp

What is a Virus? a program that can in infect other programs by modifying them to include a, possibly ev evolved , version of itself Fred Cohen, 1983

Br Brief Histor ory of of Malware 37 Mac users can often be heard to say “I don’t need antivirus software, I have an Apple”. Unfortunately, this is a misguided conclusion. Whilst the dangers are certainly much less than with Windows computers, they do exist nonetheless. Mac users who think they do not need to concern themselves have created an illusion. The claim that Apple users are less threatened than Windows users is currently still correct, but could change rapidly. It was the low market share of Macs that limited the attentions of online criminals; now that Macs are becoming more popular, this state of affairs is changing. http://www.itsecuritywatch.com/