current state of exploitation return oriented
play

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac - PowerPoint PPT Presentation

Oct 11, 2022 •200 likes •1.02k views

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

  2. ! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion

  4. ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX ! Payload issued execve(“/bin/sh”, 0, 0) system call directly ! Thomas Lopatic publishes remote stack buffer overflow exploit against NCSA HTTPD for HP-PA (February 1995) ! “Smashing the Stack for Fun and Profit” by Aleph One published in Phrack 49 (August 1996) ! Researchers find stack buffer overflows all over the universe ! Many believe that only stack corruption is exploitable…

  5. ! “JPEG COM Marker Processing Vulnerability in Netscape Browsers” by Solar Designer (July 2000) ! Demonstrates exploitation of heap buffer overflows by overwriting heap free block next/previous linked list pointers ! Apache/IIS Chunked-Encoding Vulnerabilities demonstrate exploitation of integer overflow vulnerabilities ! Integer overflow => stack or heap memory corruption

  6. ! In early 2000’s, worm authors took published exploits and unleashed worms that caused widespread damage ! Exploited stack buffer overflow vulnerabilities in Microsoft operating systems ! Results in Bill Gates’ “Trustworthy Computing” memo ! Microsoft’s Secure Development Lifecycle (SDL) combines secure coding, auditing, and exploit mitigation

  7. ! Patching every security vulnerability and writing 100% bug- free code is impossible ! Exploit mitigations acknowledge this and attempt to make exploitation of remaining vulnerabilities impossible or at least more difficult ! Windows XP SP2 was the first commercial operating system to incorporate exploit mitigations ! Protected stack metadata (Visual Studio compiler /GS flag) ! Protected heap metadata (Heap Safe Unlinking) ! SafeSEH (compile-time exception handler registration) ! Software and hardware-enforced Data Execution Prevention (DEP) ! Mac OS X is still catching up to Windows and Linux mitigations

  8. ASLR Difficulty DEP/NX Exploit Heap Protection Stack Protection Mitigations

  9. Stack return address overwrite Heap free block metadata overwrite Direct jump/return to shellcode App-specific data overwrite ???

  11. ! Direct jump or “register spring” (jmp/call <reg>) into injected code is not always possible ! ASLR and Library Randomization make code and data locations unpredictable ! EIP pointing to attacker-controlled data does not yield arbitrary code execution ! DEP/NX makes data pages non-executable ! On platforms with separate data and instruction caches (PowerPC, ARM), the CPU may fetch old data from memory, not your shellcode from data cache

  12. ! It now requires extra effort to go from full control of EIP to arbitrary code execution ! We use control of EIP to point ESP to attacker- controlled data ! “Stack Pivot” ! We use control of the stack to direct execution by simulating subroutine returns into existing code ! Reuse existing subroutines and instruction sequences until we can transition to full arbitrary code execution ! “Return-oriented exploitation”

  13. ! Return-to-libc (ret2libc) ! An attack against non- Arg 2 executable memory segments (DEP, W^X, etc) Stack Growth Arg 1 ! Instead of overwriting return address to return into shellcode, return Next into a loaded library to function simulate a function call ! Data from attacker’s controlled buffer on Function stack are used as the function’s arguments ! i.e. call system( cmd ) “Getting around non-executable stack (and fix)”, Solar Designer (BUGTRAQ, August 1997)

  14. Argument 2 ! Stack unwinds upward Argument 1 ! Can be used to call &(pop-pop-ret) multiple functions in Stack Growth Function 2 succession Argument 2 ! First function must Argument 1 return into code to &(pop-pop-ret) advance stack pointer Function 1 over function arguments ! i.e. pop-pop-ret ! Assuming cdecl and 2 arguments

  15. Argument 2 0043a82f: Argument 1 ret &(pop-pop-ret) Stack Growth Function 2 … Argument 2 Argument 1 &(pop-pop-ret) 0x780da4dc

  16. Argument 2 780da4dc: Argument 1 push ebp &(pop-pop-ret) Stack Growth mov ebp, esp Function 2 Argument 2 sub esp, 0x100 Argument 1 … &(pop-pop-ret) mov eax, [ebp+8] saved ebp … leave ret

  17. Argument 2 780da4dc: Argument 1 push ebp &(pop-pop-ret) Stack Growth mov ebp, esp Function 2 Argument 2 sub esp, 0x100 Argument 1 … &(pop-pop-ret) mov eax, [ebp+8] ebp … leave ret

  18. Argument 2 780da4dc: Argument 1 push ebp &(pop-pop-ret) Stack Growth mov ebp, esp Function 2 Argument 2 sub esp, 0x100 Argument 1 … &(pop-pop-ret) mov eax, [ebp+8] ebp … leave ret

  19. Argument 2 780da4dc: Argument 1 push ebp &(pop-pop-ret) Stack Growth mov ebp, esp Function 2 Argument 2 sub esp, 0x100 Argument 1 … &(pop-pop-ret) mov eax, [ebp+8] ebp … leave ret

  20. Argument 2 6842e84f: Argument 1 pop edi &(pop-pop-ret) Stack Growth Function 2 pop ebp Argument 2 ret Argument 1 &(pop-pop-ret) ebp

  21. Argument 2 6842e84f: Argument 1 pop edi &(pop-pop-ret) Stack Growth Function 2 pop ebp Argument 2 ret Argument 1 &(pop-pop-ret) ebp

  22. mov eax, 0xc3084189 ! Instead of returning to functions, return to instruction sequences followed by a return B8 89 41 08 C3 instruction ! Can return into middle of existing instructions to simulate different instructions mov [ecx+8], eax ret ! All we need are useable byte sequences anywhere in executable memory pages “The Geometry of Innocent Flesh on the Bone: Return-Into-Libc without Function Calls (on the x86)”, Hovav Shacham (ACM CCS 2007)

  23. Credit: Dr. Raid’s Girlfriend

  24. ! Various instruction sequences can be combined pop eax to form gadgets mov ret [eax],ecx ! Gadgets perform higher- ret level actions add eax,ecx ! Write specific 32-bit ret value to specific memory location ! Add/sub/and/or/xor value at memory location with immediate value Gadgets ! Call function in shared library

  25. mov STORE pop eax pop ecx [ecx],eax IMMEDIATE ret ret VALUE ret

  26. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  27. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  28. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  29. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  30. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  31. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  32. 0x684a123a � 684a0f4e: 0xfeedface � pop eax 0x684a2367 � Stack Growth ret 0xdeadbeef � 0x684a0f4e � 684a2367: pop ecx ret 684a123a: mov [ecx], eax ret

  33. ! Scan executable memory regions of common shared libraries for useful instructions followed by return instructions ! Chain returns to identified sequences to form all of the desired gadgets from a Turing-complete gadget catalog ! The gadgets can be used as a backend to a C compiler ! “Preventing the introduction of malicious code is not enough to prevent the execution of malicious computations” ! “The Geometry of Innocent Flesh on the Bone: Return-Into- Libc without Function Calls (on the x86)”, Hovav Shacham (ACM CCS 2007)

  34. Borrowed Instructions Synthetic Computation

  35. ! BISC is a ruby library for demonstrating how to build borrowed-instruction 1 programs ! Design principles: ! Keep It Simple, Stupid (KISS) ! Analogous to a traditional assembler ! Minimize behind the scenes “magic” ! Let user write simple “macros” 1. Sebastian Krahmer, “x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique”. http://www.suse.de/~krahmer/no-nx.pdf

  36. Return-Oriented BISC Programming ! Reuses single instructions ! Reuses single instructions followed by a return followed by a return Composes reused Programs are written ! ! instruction sequences into using the mnemonics of gadgets the borrowed instructions ! Requires a Turing- ! Opportunistic based on complete gadget catalog instructions available with conditionals and Rarely Turing-complete ! flow control ! Supports user-written ! May be compiled from a macros to abstract high-level language common operations

  37. ! We don’t need a full compiler, just an assembler ! Writing x86 assembly is not scary ! Only needs to support a minimal subset of x86 ! Our assembler will let us write borrowed-instruction programs using familiar x86 assembly syntax ! Source instructions are replaced with an address corresponding to that borrowed instruction ! Assembler will scan a given set of PE files for borrowable instructions ! No support for conditionals or loops

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer,

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer,

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad code versus bad behavior Bad Bad Good

548 views • 53 slides
ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING PRESENTED BY AHMAD MOGHIMI What is ROP A&amp;ack? q Return Oriented Programming a0ack is a technic to

656 views • 46 slides
Moving Beyond Return of Research Results To Return of Consuelo H. Wilkins, MD, MSCI Vice

Moving Beyond Return of Research Results To Return of Consuelo H. Wilkins, MD, MSCI Vice

Moving Beyond Return of Research Results To Return of Consuelo H. Wilkins, MD, MSCI Vice President and Associate Dean for Health Equity Vanderbilt University Medical Center @DrCHWilkins Overview Current state of return of research

743 views • 38 slides
Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester Rebeiro Indian Institute of Technology Madras Parts of Malware Two parts Subvert execution: change the normal execution behavior of the program

1.25k views • 102 slides
CS 335 Software Development Introduction/Review of Object-Oriented Concepts Feb 5, 2014

CS 335 Software Development Introduction/Review of Object-Oriented Concepts Feb 5, 2014

CS 335 Software Development Introduction/Review of Object-Oriented Concepts Feb 5, 2014 Objects return Jan 12, 2009; + dateProduced(): long + color(): Color return WHITE; + calories(): int return 300; Objects dont need classes

209 views • 17 slides
Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy Dresden, 2010-10-20 Fundamental

792 views • 31 slides
Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure

Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure

Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure Software Systems Day 6: Memory safety defenses and counter-attacks Announcements break Stephen McCamant University of Minnesota, Computer Science &amp;

394 views • 4 slides
ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen (schen@wcupa.edu) Compile the code gcc -m32 fno-stack-protector z execstack o ./overflow2 ./overflow2.c Page 2 No eXecute (NX) -z

636 views • 37 slides
Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4

Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4

1 Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Please submit both 'working exploit' and write-up on time; otherwise, no score. Due: Lab07 is out and its due on Oct 19

799 views • 37 slides
Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit

Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit

1 Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit both working exploit and write-up on time! Due: Lab04 is due on Oct 11 Due: Lab05 is out and its due on Oct 18 (two weeks)!

558 views • 43 slides
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements:

789 views • 63 slides
Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage Stephen Checkoway, * Ariel J. Feldman, Brian Kantor, * J. Alex Halderman, Edward W. Felten, Hovav Shacham * * UCSD, Princeton,

641 views • 40 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security Day 6: Low-level defenses and BCECHO counterattacks, part 2 Control-flow integrity (CFI) Stephen McCamant University of Minnesota, Computer

348 views • 8 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security BCECHO Day 6: Low-level defenses and counterattacks, part 2 Stephen McCamant Control-flow integrity (CFI) University of Minnesota, Computer

907 views • 6 slides
Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements: vulnerability +

1.64k views • 80 slides
CS 331: Artificial Intelligence function MAX-VALUE( state , , ) returns a utility value

CS 331: Artificial Intelligence function MAX-VALUE( state , , ) returns a utility value

4/19/2019 ALPHA-BETA Pseudocode function ALPHA-BETA-SEARCH( state ) returns an action inputs : state , current state in game v MAX -VALUE( state , - , +) return the action in SUCCESSORS( state ) with value v CS 331: Artificial

236 views • 4 slides
EM-MAC: A Dynamic Multichannel Energy-Efficient MAC Protocol for Wireless Sensor Networks Lei

EM-MAC: A Dynamic Multichannel Energy-Efficient MAC Protocol for Wireless Sensor Networks Lei

EM-MAC: A Dynamic Multichannel Energy-Efficient MAC Protocol for Wireless Sensor Networks Lei Tang, Yanjun Sun, Omer Gurewitz, and David B. Johnson Presentation at ACM MobiHoc 2011, May 2011 The Objectives of EM-MAC Spread traffic to

614 views • 24 slides
Mac OS X : System Integrity Protection Nicolas RUFF - nruff(at)google(dot)com Proprietary

Mac OS X : System Integrity Protection Nicolas RUFF - nruff(at)google(dot)com Proprietary

Mac OS X : System Integrity Protection Nicolas RUFF - nruff(at)google(dot)com Proprietary Proprietary Introduction Proprietary Proprietary What is SIP? SIP: &quot;System Integrity Protection&quot;, a.k.a. &quot;rootless&quot;. SIP restricts

370 views • 15 slides
Multi-agent learning Multi-a rmed bandit algo rithms Gerard Vreeswijk , Intelligent Software

Multi-agent learning Multi-a rmed bandit algo rithms Gerard Vreeswijk , Intelligent Software

Multi-agent learning Multi-a rmed bandit algo rithms Gerard Vreeswijk , Intelligent Software Systems, Computer Science Department, Faculty of Sciences, Utrecht University, The Netherlands. Thursday 30 th April, 2020 Contents Author: Gerard

2k views • 173 slides
Adaptive Quiz Generation Using Thompson Sampling Fuhua (Oscar) Lin, PhD Athabasca University,

Adaptive Quiz Generation Using Thompson Sampling Fuhua (Oscar) Lin, PhD Athabasca University,

Adaptive Quiz Generation Using Thompson Sampling Fuhua (Oscar) Lin, PhD Athabasca University, Canada Third Workshop eliciting Adaptive Sequences for Learning ( WASL 2020 ) Cyberspace, 6 July, 2020 Co-located with the AIED 2020 Outline

352 views • 21 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
The Finite Element Method in Scientific Computing MATH 9830 Timo Heister (heister@clemson.edu)

The Finite Element Method in Scientific Computing MATH 9830 Timo Heister (heister@clemson.edu)

The Finite Element Method in Scientific Computing MATH 9830 Timo Heister (heister@clemson.edu) http://www.math.clemson.edu/~heister/math983-spring2014/ Goals of this course Learn about the software library deal.II understand practical

372 views • 34 slides
Porting an existing Qt-based Windows only application to Mac OS X Overview Introduction

Porting an existing Qt-based Windows only application to Mac OS X Overview Introduction

Porting an existing Qt-based Windows only application to Mac OS X Overview Introduction Where we started Apple Mac an unknown country With a little help from a friend Communication Version Control System

563 views • 22 slides
Session 18 Session 18 Tool Time Tuesday Tool Time Tuesday Zoom Tips Zoom Tips Hello! Hello!

Session 18 Session 18 Tool Time Tuesday Tool Time Tuesday Zoom Tips Zoom Tips Hello! Hello!

Session 18 Session 18 Tool Time Tuesday Tool Time Tuesday Zoom Tips Zoom Tips Hello! Hello! Laurissa Gann, MSLS, AHIP Lesli Moore, MLS Research Medical Library Research Medical Library www.mdanderson.org/library/ RML-Help@mdanderson.org

213 views • 19 slides

More recommend