cse 610 special topics system security attack and defense
play

CSE 610 Special Topics: System Security - Attack and Defense for - PowerPoint PPT Presentation

Aug 19, 2023 •663 likes •872 views

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Address Space Layout Randomization (ASLR)

  1. CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM

  2. Last Class 1. Defenses a. Address Space Layout Randomization (ASLR) Seccomp

  3. NDSS 2016

  4. Announcement Midterm next week. 2hrs. 1. UB Learns (Blackboard) 2. Multiple choice 3. Binary hacking

  5. Today’s Agenda 1. Developing shellcode a. Non-zero shellcode b. Non-printable, non-alphanumeric shellcode c. English shellcode

  6. code/tester.c #include <stdio.h> #include <stdlib.h> #include <sys/mman.h> #include <unistd.h> int main() { void * page = 0; page = mmap(0, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 0, 0); if (!page) { puts("Fail to mmap.\n"); exit(0); } read(0, page, 0x1000); ((void(*)())page)(); }

  7. x86 invoke system call https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md ● Set %eax as target system call number Set arguments ● 1st arg : %ebx ○ ○ 2nd arg: %ecx ○ 3rd arg: %edx 4th arg: %esi ○ 5th arg: %edi ○ ● Run int $0x80 ○ ● Return value will be stored in %eax

  8. x86 calling execve() execve(char* filepath, char** argv, char** envp) execve(“/bin/sh”, NULL, NULL); %eax = $SYS_execve %ebx = address of “/bin/sh” %ecx = 0 %edx = 0

  9. x86 how to create a string? %ebx = address of “/bin/sh” Use Stack Push $0 ● push $0x67832f6e // “n/sh” ● push $0x69622f2f // “//bi” ● mov %esp, %ebx ●

  10. Let us code shellcode32zero.s gcc -m32 -nostdlib -static shellcode32zero.s -o shellcode32zero objcopy --dump-section .text=shellcode32zero-raw shellcode32zero

  11. amd64 invoke system call https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md ● Set %rax as target system call number Set arguments ● 1st arg : %rid ○ ○ 2nd arg: %rsi ○ 3rd arg: %rdx 4th arg: %r10 ○ 5th arg: %r8 ○ ● Run syscall ○ ● Return value will be stored in %rax

  12. amd64 how to create a string? Rip-based addressing lea binsh(%rip), %rdi mov $0, %rsi mov $0, %rdx syscall binsh: .string "/bin/sh"

  13. Let us code shellcode64zero.s gcc -nostdlib -static shellcode64zero.s -o shellcode64zero objcopy --dump-section .text=shellcode64zero-raw shellcode64zero

  14. code/testernozero char buf[0x1000] = {0}; int main() { void * page = 0; page = mmap(0, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 0, 0); if (!page) { puts("Fail to mmap.\n"); exit(0); } read(0, buf, 0x1000); strcpy(page, buf); ((void(*)())page)(); }

  15. Non-shell shellcode Finish another task but do not return a shell. Print out the secret file in the folder

  16. code/testerascii char *asciicpy(char *dest, const char *src) { unsigned i; for (i = 0; src[i] > 0 && src[i] < 127; ++i) dest[i] = src[i]; return dest;} int main() { void * page = 0; page = mmap(0, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, 0, 0); if (!page) { puts("Fail to mmap.\n"); exit(0); } read(0, buf, 0x1000); asciicpy(page, buf); ((void(*)())page)();}

  17. English Shellcode CCS 2009

  18. English Shellcode

  19. How breakpoints work? int $3 Set breakpoint by yourself.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Direct defense b. Stack Cookie; Canary -

713 views • 26 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM First off, Logistics! Turn on camera if possible Classes are recorded and released

1.42k views • 116 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Announcements 1. Final Exam : 12/14 2020 7:15PM-10:15PM. Same format as

483 views • 15 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Stack-based buffer overflow-1 a. Brief history of buffer overflow b.

873 views • 73 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack &amp; GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Serverless security: attack &amp; defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack &amp; defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack &amp; defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK &amp; &amp; ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from returning from an intended CSci 5271 return instruction to an unintended gadget? Introduction to Computer Security A. ASLR Day 6: Low-level defenses

125 views • 9 slides
Exploit Development 101 ATTACK &amp; DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi

Exploit Development 101 ATTACK &amp; DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi

Exploit Development 101 ATTACK &amp; DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi chiwp@tw.ibm.com 2020/08/11 About Me IBM CDL Software Engineer Columbia Univ. Master of Science Computer Security Track OSCP / OSCE / eWPT /

1.11k views • 22 slides
Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA 1 Outline Background and Motivation Project-based Defense Mechanism

760 views • 72 slides
Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and defense at host machines Applications written in C and C++ Violations of memory safety Web security now Attacking web services

830 views • 37 slides
CMPSC 497 Special Topics: Software Security Trent Jaeger Systems and Internet

CMPSC 497 Special Topics: Software Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Special Topics: Software Security Trent Jaeger

745 views • 27 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
COMP364: Regular expression in Python Jrme Waldisphl, McGill

COMP364: Regular expression in Python Jrme Waldisphl, McGill

COMP364: Regular expression in Python Jrme Waldisphl, McGill University DefiniHon A regular expression (a.k.a. Regexp) is a specific paNern that provides

155 views • 11 slides
Todays topics Java Syntax of Computer Language Upcoming More Java Reading Great Ideas ,

Todays topics Java Syntax of Computer Language Upcoming More Java Reading Great Ideas ,

Todays topics Java Syntax of Computer Language Upcoming More Java Reading Great Ideas , Chapter 2 Grammar English and other natural languages have structure &lt;S&gt; =&gt; &lt;NOUN-PHRASE&gt; &lt;VERB-PHRASE&gt; &lt;NOUN-PHRASE&gt;

321 views • 8 slides
Normal form of the metric for a class of Riemannian manifolds with ends Jean-Marc Bouclet April

Normal form of the metric for a class of Riemannian manifolds with ends Jean-Marc Bouclet April

Normal form of the metric for a class of Riemannian manifolds with ends Jean-Marc Bouclet April 22, 2013 Abstract In many problems of PDE involving the Laplace-Beltrami operator on manifolds with ends, it is often useful to introduce radial or

180 views • 17 slides
EFFECTIVE DYNAMICS OF AN ELECTRON COUPLED TO AN EXTERNAL POTENTIAL IN NON-RELATIVISTIC QED VOLKER

EFFECTIVE DYNAMICS OF AN ELECTRON COUPLED TO AN EXTERNAL POTENTIAL IN NON-RELATIVISTIC QED VOLKER

EFFECTIVE DYNAMICS OF AN ELECTRON COUPLED TO AN EXTERNAL POTENTIAL IN NON-RELATIVISTIC QED VOLKER BACH, THOMAS CHEN, J ER EMY FAUPIN, J URG FR OHLICH, AND ISRAEL MICHAEL SIGAL Abstract. In the framework of non-relativistic QED, we show

591 views • 22 slides
Introduction to Open API Specification Lorna Mitchell, Nexmo Describing APIs Describe

Introduction to Open API Specification Lorna Mitchell, Nexmo Describing APIs Describe

Introduction to Open API Specification Lorna Mitchell, Nexmo Describing APIs Describe RESTful HTTP APIs in a machine-readable way API description is independent of outputs such as documentation Enable things that are not

823 views • 31 slides
Mr. Data Converter Sets up classes Formatted Caveat: it requires that there be a

Mr. Data Converter Sets up classes Formatted Caveat: it requires that there be a

Mr. Data Converter Sets up classes Formatted Caveat: it requires that there be a value in the upper left cell Find/Replace is your friend Resources page on website Regular Expressions Komodo Primer Python (what

346 views • 5 slides
Intro to bash scripting Here were talking about storing bash code in a file (script) to be

Intro to bash scripting Here were talking about storing bash code in a file (script) to be

Intro to bash scripting Here were talking about storing bash code in a file (script) to be run when desired you can also use this bash syntax typed directly on command line too At start of bash scripts, need to include a line

334 views • 7 slides
MATLAB Seminar CS Grad Seminars Outline 1. MATLAB Basics 2. Matrix Manipulations 3. Using .m

MATLAB Seminar CS Grad Seminars Outline 1. MATLAB Basics 2. Matrix Manipulations 3. Using .m

MATLAB Seminar CS Grad Seminars Outline 1. MATLAB Basics 2. Matrix Manipulations 3. Using .m Files 4. Plotting Graphs 5. Creating Functions MATLAB Basics Arithmetic Stuff Constants pi i (or j) Inf, NaN MATLAB Basics

538 views • 11 slides

More recommend