context context context context
play

Context Context Context Context Full control of EIP no longer - PowerPoint PPT Presentation

May 01, 2023 •135 likes •1.05k views

Context Context Context Context Full control of EIP no longer yields immediate arbitrary code execution y Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR Attackers must identify

  2. Context Context Context Context � Full control of EIP no longer yields immediate arbitrary code execution y � Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR � Attackers must identify other supplementary vulnerabilities to enable exploitation of memory corruption issues corruption issues � Memory address/layout disclosure vulnerabilities � Availability of known executable code at static, y , predictable, or chosen locations � i.e. non-ASLR DLLs, JIT sprays, IE .NET user controls

  3. Agenda Agenda Agenda Agenda � Current State of Exploitation � Return-Oriented Exploitation � Borrowed Instructions Synthetic Computer � Borrowed Instructions Synthetic Computer � Or, ROP in Evenings and Weekends � Return-Oriented Exploitation Strategies R t O i t d E l it ti St t i � Exploiting Aurora on Windows 7 � Conclusion

  4. Current State of Current State of Current State of Current State of Exploitation Exploitation p

  5. A Brief History of Memory A Brief History of Memory C C Corruption Corruption ti ti � Morris Worm (November 1988) � Exploited a stack buffer overflow in BSD in.fingerd on VAX � Payload issued execve(“/bin/sh”, 0, 0) system call directly � Thomas Lopatic publishes remote stack buffer overflow exploit against NCSA HTTPD for HP-PA (February 1995) � “Smashing the Stack for Fun and Profit” by Aleph One published in Phrack 49 (August 1996) published in Phrack 49 (August 1996) � Researchers find stack buffer overflows all over the universe � Many believe that only stack corruption is exploitable…

  6. A Brief History of Memory A Brief History of Memory C C Corruption Corruption ti ti � “JPEG COM Marker Processing Vulnerability in Netscape Browsers” by Solar Designer (July 2000) p y g ( y ) � Demonstrates exploitation of heap buffer overflows by overwriting heap free block next/previous linked list pointers t/ i li k d li t i t � Apache/IIS Chunked-Encoding Vulnerabilities d demonstrate exploitation of integer overflow t t l it ti f i t fl vulnerabilities � Integer overflow => stack or heap memory � Integer overflow stack or heap memory corruption

  7. A Brief History of Memory A Brief History of Memory C C Corruption Corruption ti ti � In early 2000’s, worm authors took published exploits and unleashed worms that caused p widespread damage � Exploited stack buffer overflow vulnerabilities in Microsoft operating systems Microsoft operating systems � Results in Bill Gates’ “Trustworthy Computing” memo � Microsoft’s Secure Development Lifecycle (SDL) Mi ft’ S D l t Lif l (SDL) combines secure coding, auditing, and exploit mitigation

  8. Exploit Mitigation Exploit Mitigation Exploit Mitigation Exploit Mitigation � Patching every security vulnerability and writing 100% bug-free code is impossible � � Exploit mitigations acknowledge this and attempt to make Exploit mitigations acknowledge this and attempt to make exploitation of remaining vulnerabilities impossible or at least more difficult � Windows XP SP2 was the first commercial operating � Windows XP SP2 was the first commercial operating system to incorporate exploit mitigations � Protected stack metadata (Visual Studio compiler /GS flag) � � Protected heap metadata (Heap Safe Unlinking) Protected heap metadata (Heap Safe Unlinking) � SafeSEH (compile-time exception handler registration) � Software and hardware-enforced Data Execution Prevention (DEP) ( ) � Windows Vista and 7 include Address Space Layout Randomization (ASLR) and other mitigations

  9. Mitigations Make Exploitation Mitigations Make Exploitation H H Harder Harder d d ASLR ASLR DEP/NX iculty ploit SafeSEH Exp Diffi Heap Metadata Protection Stack Cookies Mitigations

  10. Exploitation Techniques Exploitation Techniques R Rendered Ineffective Rendered Ineffective R d d d I d I ff ff ti ti Stack return address overwrite Stack return address overwrite Stack return address overwrite Stack return address overwrite Heap free block metadata overwrite Heap free block metadata overwrite SEH Frame Overwrite SEH Frame Overwrite Direct jump/return to Direct jump/return to shellcode shellcode App-specific App specific App-specific App specific data overwrite data overwrite ??? ??? ??? ???

  11. Mitigations requires OS, Compiler, and Mitigations requires OS, Compiler, and Application Participation and are additive Application Participation and are additive Application Participation and are additive Application Participation and are additive Heap protections, SEH Chain Validation OS run-time OS run-time mitigations Stack DEP, cookies, ASLR SafeSEH Compiler- Compiler Application Application based opt-in mitigations mitigations

  12. What mitigations are active in What mitigations are active in my app? my app? ? � It is difficult for even a knowledgeable user to determine which mitigations are present in their applications � Is the application compiled with stack protection? � Is the application compiled with SafeSEH? � � Do all executable modules opt in to DEP (NXCOMPAT) Do all executable modules opt-in to DEP (NXCOMPAT) and ASLR (DYNAMICBASE)? � Is the process running with DEP and/or Permanent DEP? � Internet Explorer 8 on Windows 7 is 100% safe, right? � IE8 on Windows 7 uses the complete suite of exploit mitigations mitigations � … as long as you don’t install any 3 rd -party plugins or ActiveX controls

  13. Return Return-Oriented Return Return Oriented Oriented Oriented Exploitation Exploitation p

  14. EIP != Arbitrary Code EIP != Arbitrary Code E E Execution Execution ti ti � Direct jump or “register spring” (jmp/call <reg>) into injected code is not always possible j y p � ASLR and Library Randomization make code and data locations unpredictable � EIP pointing to attacker-controlled data does not yield arbitrary code execution � DEP/NX makes data pages non-executable DEP/NX k d t t bl � On platforms with separate data and instruction caches (PowerPC, ARM), the CPU may fetch old data from memory, not your shellcode from data cache

  15. EIP => Arbitrary Code EIP => Arbitrary Code E E Execution Execution ti ti � It now requires extra effort to go from full control of EIP to arbitrary code execution y � We use control of EIP to point ESP to attacker- controlled data � “Stack Pivot” � We use control of the stack to direct execution by � We use control of the stack to direct execution by simulating subroutine returns into existing code � Reuse existing subroutines and instruction � Reuse existing subroutines and instruction sequences until we can transition to full arbitrary code execution

  16. Stack Pivot Stack Pivot Stack Pivot Stack Pivot � First, attacker must cause stack pointer to point into attacker- controlled data � � This comes for free in a stack buffer overflow This comes for free in a stack buffer overflow � Exploiting other vulnerabilities (i.e. heap overflows) requires using a stack pivot sequence to point ESP into attacker data � mov esp, eax ret t � xchg eax, esp ret � add esp, <some amount> ret t � Attacker-controlled data contains a return-oriented exploit payload � These payloads may be 100% return-oriented or simply act as a temporary payload stage that enables subsequent execution of a traditional machine-code payload 16

  17. Return Return Return to Return-to to-libc to libc libc libc � Return-to-libc (ret2libc) � An attack against non- Arg 2 Arg 2 executable memory executable memory segments (DEP, W^X, etc) Stack Stack Arg 1 Arg 1 � Instead of overwriting return address to return return address to return Growth Growth into shellcode, return Next Next into a loaded library to function function simulate a function call � � Data from attacker’s Data from attacker s controlled buffer on Function Function stack are used as the function’s arguments � � i e call system( cmd ) i.e. call system( cmd ) “Getting around non-executable stack (and fix)”, Solar Designer (BUGTRAQ, August 1997

  18. Return Chaining Return Chaining Return Chaining Return Chaining Argument 2 Argument 2 � Stack unwinds upward Argument 1 Argument 1 � Can be used to call C b d t ll &(pop-pop-ret) &(pop-pop-ret) multiple functions in Stack G Stack G Function 2 Function 2 succession Argument 2 Argument 2 Argument 2 Argument 2 Growth Growth � First function must Argument 1 Argument 1 return into code to &(pop-pop-ret) &(pop-pop-ret) advance stack pointer d t k i t Function 1 Function 1 over function arguments � i.e. pop-pop-ret � Assuming cdecl and 2 arguments

  19. Return Chaining Return Chaining Return Chaining Return Chaining Argument 2 Argument 2 0043a82f: Argument 1 Argument 1 ret ret &(pop-pop-ret) &(pop-pop-ret) Stack G Stack G Function 2 Function 2 … Argument 2 Argument 2 Argument 2 Argument 2 Growth Growth Argument 1 Argument 1 &(pop-pop-ret) &(pop-pop-ret) 0x780da4dc 0x780da4dc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need

Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need

Growing Population Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need 72,530 ne w housing units b y 2030 demographic shifts Visibly C ommunity S uggestions transforming M i s s i o n B a y , C a n d l

469 views • 27 slides
Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitive Grammars Context Sensitive Grammars Context in Programming Languages Context in Programming Languages Context in Natural Languages Context in Natural Languages 1 Context Sensitive Grammars Chomsky Hierarchy Context

160 views • 5 slides
Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

June 17, 2014 Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach to transportation facility design and engineering that involves all stakeholders in the process of developing a solution that is

193 views • 3 slides
Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture

Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture

Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture (CCC 115-119) Literal What the author intended to say Allegorical Points to Christ Moral Points to living Christian life

960 views • 26 slides
Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave

Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave

Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave Hillside Dr. Context Broadview Ave Charles Sauriol Parkette / pastoral green space Hillside Dr. Context Gamble Ave. Hillside Dr.

788 views • 20 slides
Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power

Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power

God Speaks in Solitude: Moses (part 7) Exodus 1-4 Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power and decided to control population by murdering Hebrew baby boys at birth. Timeline and

352 views • 34 slides
Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano

Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano

Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano Italy fricci@unibz.it Content p What is context? p Types of context p Context impact on recommendations and ratings p Context modelling

938 views • 74 slides
ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness

ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness

ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness Context-Awareness Context the set of possibly interrelated conditions in which an entity exists. Context-Aware Application Context Application

1.17k views • 92 slides
Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5

Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5

Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5 million 1,750 million NYC Population Annual subway ridership 665 million Annual bus ridership 1994 1996 1998 2000 2002 2004 2006 2008 2010

441 views • 25 slides
Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed application - a software system in which components communicate over the network and coordinate their actions in order to achieve a common goal.

1.01k views • 33 slides
San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up

San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up

San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up Embracing Public Life What is a Better Bikeway? Protected Calm All Ages and Abilities Why Better Bikeways? Policy Background Support

494 views • 33 slides
Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is

Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is

Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is fundamentally about a commitment to equity Needs of vulnerable road user Context is important Project Development Achieving network of

751 views • 64 slides
WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING BOTTOM UNITED ALL OF US ON THE SAME PURPOSE @ R u t a _ N CITIZENS MEDELLNS SCIENCE, TECHNOLOGY AND INNOVATION PLAN M E D E L L N 2 0 1 1

400 views • 12 slides
Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of developing large , distributed applications. What components should contain the code that fulfills the purpose of the application: where should we write

779 views • 43 slides
Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and

Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and

Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and Design -Product -Evaluation Context context Cooking with children Adequate tasks Confmict Context To provide an autonomous and playful activity

886 views • 36 slides
Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P Presented by Mary Salinas t d b M S li What problem are they trying to solve? l ? Context-aware applications are great for Context aware

164 views • 13 slides
Novinky ve starm dobrm SQL svt Overview PRESENTED BY: Honza Hork Co ns ek

Novinky ve starm dobrm SQL svt Overview PRESENTED BY: Honza Hork Co ns ek

Novinky ve starm dobrm SQL svt Overview PRESENTED BY: Honza Hork Co ns ek Obecn pohled na data ve svt Staronov lenov SQL klubu MySQL MariaDB Galera PostgreSQL Mal odboka... Buzzword

625 views • 29 slides
Business Process Education - Quantum PCard July 9, 2019 Disclaimer This is not meant to be

Business Process Education - Quantum PCard July 9, 2019 Disclaimer This is not meant to be

A leap forward. Transforming systems. Empowering People! Business Process Education - Quantum PCard July 9, 2019 Disclaimer This is not meant to be TRAINING training will be offered closer to Go-Live some will be required to get

479 views • 27 slides
Data Mining 2018 Mining (Social) Network Data Ad Feelders Universiteit Utrecht Ad Feelders (

Data Mining 2018 Mining (Social) Network Data Ad Feelders Universiteit Utrecht Ad Feelders (

Data Mining 2018 Mining (Social) Network Data Ad Feelders Universiteit Utrecht Ad Feelders ( Universiteit Utrecht ) Data Mining 1 / 39 Example: Predicting Romantic Relationships The latest offering from Facebooks data-science team teases

686 views • 39 slides
Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws

Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws

Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws Charters Writs Annals Anglo-Norman Bureaucracy Laws Charters Writs (Chancery) Annals Balance sheets Figure 1: Domesday

601 views • 31 slides
Database Stalls, From the Ordinary to the Obscure Preetam Jinka (@PreetamJinka) Software

Database Stalls, From the Ordinary to the Obscure Preetam Jinka (@PreetamJinka) Software

Database Stalls, From the Ordinary to the Obscure Preetam Jinka (@PreetamJinka) Software Engineer Percona Live 2017 VividCortexs database monitoring application is the best way to improve your database performance, efficiency, and uptime.

573 views • 36 slides
Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin

Estimating size requirements for pairings: Simulating the Tower-NFS algorithm in GF( p n ) Quentin Deschamps, Aurore Guillevic , Shashank Singh ENS Lyon, Inria Nancy, Loria, CNRS, Universit de Lorraine November 15, 1027 Elliptic Curve

753 views • 43 slides
or the keys to open the door of the BSM world Aurore Savoy-Navarro, LPNHE, Universit Pierre et

or the keys to open the door of the BSM world Aurore Savoy-Navarro, LPNHE, Universit Pierre et

or the keys to open the door of the BSM world Aurore Savoy-Navarro, LPNHE, Universit Pierre et Marie Curie/CNRS-IN2P3, Paris, France HADRON COLLIDER PHYSICS HADRON COLLIDER PHYSICS Summer school 2008 Summer school 2008 FNAL WINE &amp; CHEESE

903 views • 64 slides
Modelling the gravitational radiation emitted by merging black holes Harald Pfeiffer CITA,

Modelling the gravitational radiation emitted by merging black holes Harald Pfeiffer CITA,

Modelling the gravitational radiation emitted by merging black holes Harald Pfeiffer CITA, University of Toronto AEI, Potsdam Stephen Hawking 75th Birthday Conference July 4, 2017 LIGO-G1701238 Waveform-knowledge essential to GW astronomy

884 views • 72 slides

More recommend