fit5124 advanced topics in security hacking techniques
play

FIT5124 Advanced Topics in Security Hacking Techniques III Web - PowerPoint PPT Presentation

Jun 20, 2023 •2.36k likes •2.56k views

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

  1. FIT5124 Advanced Topics in Security Hacking Techniques III – Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 1/16

  2. Hacking Techniques III Web Browser Exploitation: Web browsers are most often used application today – attractive target for hackers. Today: A look at some known browser exploitation techniques. Plan for this lecture: Exploitation techniques, examples, and defenses for: Heap Overflow Exploit techniques: ‘Heap Spray’ technique ‘Heap Engineering’ technique ‘Use After Free’ technique Example defenses Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 2/16

  3. Heap Overflow Exploits Recall: Heap is a segment in machine memory space Used to store dynamically allocated variables Managed by an OS heap allocation manager (called by the Browser via malloc system calls). Heap space allocated by OS to browser managed by a browser heap manager (e.g. storage of current web page HTML objects). Observations about heap: Browser’s Javascript engine creates objects on heap for Javascript program objects, e.g. Javascript string objects, Javascript ‘ActiveX’ objects Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 3/16

  4. Heap Overflow Exploits Observations about heap (cont.): Objects (e.g. ‘ActiveX’ objects) often include virtual functions. Virtual functions – implementation can be overwritten by a subclass inheriting from parent class Hence, address of virtual function implmentation not known at compile time Implemented as a vtable: virtual function = ptr to address of implementation (ptr set at compile time). Example: Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 4/16

  5. Heap Overflow Exploits Suppose: browser heap manager contains vulnerability e.g. buffer overflow into ActiveX object’s virtual function vtable Possible Exploit: Attacker’s Javascript can write strings containing malicious code into heap. Attacker uses overflow vulnerability to overwrite vtable pointer to point to malicious code. Figure : Before Overflow Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 5/16

  6. Heap Overflow Exploits Suppose: browser heap manager contains vulnerability e.g. buffer overflow into ActiveX object’s virtual function vtable Possible Exploit: Attacker’s Javascript can write strings containing malicious code into heap. Attacker uses overflow vulnerability to overwrite vtable pointer to point to malicious code. Figure : After Overflow Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 5/16

  7. Heap Overflow Exploits But... malicious code strings could be allocated anywhere in heap (attacker doesn’t know where!). Q: Where should attacker point his overflow vtable pointer? Attacker unlikely to guess correctly location of string S.... Possible A: ‘Heap Spray’ technique! Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 6/16

  8. Heap Overflow Exploits: Heap Spray Technique Idea: Fill large fraction of heap with NOP sleds leading to malicious code. Set overflowed vtable ptr anywhere in heap Goal: High probability that vtable ptr points somewhere in (one of) NOP sleds! Hence: much higher probability of attack success! Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 7/16

  9. Heap Overflow Exploits: Heap Spray Technique Possible Heap Spray Implementation in Javascript [HFS07]: Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 8/16

  10. Heap Overflow Exploits: Heap Engineering Q: How does attacker place overflowed buffer object next to target object Obj?: Possible A: Heap Engineering [HPS07,DHM08] Defragment the heap (‘plug’ the ‘holes’) with overflowing (vulnerable) objects. Create regular holes between overflowing objects. Insert target object into regular holes. Hence, target object will likely be next to an overflowing object! Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 9/16

  11. Heap Overflow Exploits: Heap Engineering Heap Eng. Implementation in Javascript [DHM08]: Step 1: Defragmenting the heap Step 2: Create regular holes between overflowing objects. Step 3: Insert target object into regular holes. Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 10/16

  12. Heap Overflow Exploits: Heap Engineering Heap Eng. Implementation in Javascript [DHM08] (cont): After step 3, have the following situation: Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 11/16

  13. Heap Overflow Exploits: Heap Engineering Heap Eng. Implementation in Javascript [DHM08] (cont): Then heap is sprayed and overflow is triggered, and we get: Practical Difficulty: overflow into vtable ptr, not vtable itself! Double indirection - execution jumps to *(* psled)!! Q: How to spray? Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 12/16

  14. Heap Overflow Exploits: Heap Engineering Heap Eng. Implementation in Javascript [DHM08] (cont): Possible A: Spray heap with ‘NOP sled’ dword value 0x52780278 How does it work? First indirection: (* psled) points to ‘magic NOP sled’ with high probability (spray trick). Points to address 0x52780278 - hope that this falls in spray area too (self-referential). Second indirection: *(* psled) points back into to ‘magic NOP sled’ with high probability. Opcode meaning of dword 0x52780278: Whether first condition is true or false, will always jump to next dword (+2 words)! Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 13/16

  15. Heap Overflow Exploits: Use After Free (UAF) Vulnerabilities In 2012-2014, several heap vulnerabilities were discovered and exploited in the field in Microsoft IE [Yas13,Yas14]. They fall into the class of ‘Use After Free’ (UAF) vulnerabilities UAF Vulnerability: Browser code frees heap allocation for object, but later dereference the freed object! Exploit: Attacker trigger the free, then reallocates the freed memory to object containing attacker malicious code! Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 14/16

  16. Heap Overflow Exploits: Defenses Several proposed (partially effective) countermeasures: Browser heap isolation (e.g. Microsoft’s 2014 ‘Isolated Heap’). Use a separate heap for string objects as for other (e.g. ActiveX) objects (heap eng. technique with strings not possible, some UAF exploits prevented). Randomized heap allocation (against heap eng.) Heap overflow protection using non-writable pages between writable ones (e.g. FreeBSD) Nozzle (Microsoft) [RLZ09]: Detect a lot of code in the heap (detect spraying). Counter-countermeasures by hackers are being devised, e.g. UAF exploit against IE’s ‘Isolated Heap’ [D15] Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 15/16

  17. References referred to in the Slides DHM08 M. Daniel, J. Honorrof, C. Miller, Engineering Heap Overflow Exploits with Javascript, In Proceedings of Usenix WOOT 2008. HFS07 A. Sotirov, Heap Feng Shui in Javascript, In Proceedings of Blackhat Europe 2007. RLZ09 P. Ratanaworabhan and B. Livshits and B. Zorn, Nozzle: A defense against Heap-Spraying Code Injection Attacks, In Proceedings of Usenix Security 2009. Yas13 M. Yason, Use-after-frees: That pointer may be pointing to something bad, Security Intelligence, April 2013. Available at http://securityintelligence.com/use-after-frees-that-pointer-may-be-pointing-to-something-bad Yas14 M. Yason, Understanding IEs New Exploit Mitigations: The Memory Protector and the Isolated Heap, Security Intelligence, August 2014. http://securityintelligence.com/understanding-ies-new-exploit- mitigations-the-memory-protector-and-the-isolated-heap D15 J. DeMott, Use-after-Free: New Protections, and how to Defeat them, Bromium Labs Call of the Wild Blog, Jan. 2015. http://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them/ Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III – Web Browser Exploitation Mar 2014 16/16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware

450 views • 29 slides
FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton School of IT Monash University March 2016 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 4: Lattice-Based Crypto. IV Mar 2014 1/33 Plan

932 views • 39 slides
FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

Introduction FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton School of IT Monash University March 2016 Acknowledgements: Some figures sourced from Oded Regevs Lecture Notes on Lattices in

460 views • 30 slides
Advanced Animation [Boukhayma 2015] Topics 1. Advanced & non-rigid capture techniques 2.

Advanced Animation [Boukhayma 2015] Topics 1. Advanced & non-rigid capture techniques 2.

Advanced Animation [Boukhayma 2015] Topics 1. Advanced & non-rigid capture techniques 2. Data driven content reanimation 3. Layered animation models for complex scenes 2 Advanced & non-rigid capture techniques 3 Remember: Motion

637 views • 42 slides
Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

ISA 330 Introduction to Proactive System Security Week #1 Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program University of Hawai'i West Oahu 1 Ethical Hacking Topics Introductions Syllabus

1.17k views • 88 slides
Advanced Topics in Alternative Asset Management: Strategies, Structures and Techniques Giovanni

Advanced Topics in Alternative Asset Management: Strategies, Structures and Techniques Giovanni

Advanced Topics in Alternative Asset Management: Strategies, Structures and Techniques Giovanni Beliossi University of Essex, 30/1/2015 Overview Advanced topics in investment management and trading Practical Relevant to todays

397 views • 25 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

920 views • 62 slides
How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria Author Lead researcher at Possible Security, Latvia Hacking and

700 views • 29 slides
hacking in physically addressable memory a proof of concept David Rasmus Piegdon Supervisor:

hacking in physically addressable memory a proof of concept David Rasmus Piegdon Supervisor:

Introduction Accessing memory Virtual address spaces Gathering information Injecting code Prospects, Conclusion Seminar of Advanced Exploitation Techniques, WS 2006/2007 hacking in physically addressable memory a proof of concept David

1.51k views • 75 slides
Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Intro Hardware Security Platform Security Hacking Q&A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at Hamburg & Dublin City University 2010-12-16 1 / 54 Intro Hardware Security

974 views • 79 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos

Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos

Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos SoK: Research perspective and challenges for Bitcoin and cryptocurrency Joseph Bonneau , Andrew Miller , Jeremy Clark, Arvind Narayanan

794 views • 43 slides
Building a Browser for Automotive: Alternatives, Challenges and Recommendations Juan J. Snchez

Building a Browser for Automotive: Alternatives, Challenges and Recommendations Juan J. Snchez

Building a Browser for Automotive: Alternatives, Challenges and Recommendations Juan J. Snchez Automotive Linux Summit 2015, Tokyo Myself, Igalia and Webkit/Chromium Co-founder of Igalia Open source consultancy founded in 2001 Igalia is

950 views • 51 slides
to WebKit for Wayland G_MAXUINT64 /* default value */, G_PARAM_READABLE | G_PARAM_WRITABLE |

to WebKit for Wayland G_MAXUINT64 /* default value */, G_PARAM_READABLE | G_PARAM_WRITABLE |

static void _f_do_barnacle_install_properties(GObjectClass *gobject_class) { Browsers for the GParamSpec *pspec; /* Party code attribute */ pspec = g_param_spec_uint64 automotive: an introduction (F_DO_BARNACLE_CODE, "Barnacle

1.01k views • 26 slides
and Privacy Protection Xianyi Gao*, Yulong Yang*, Huiqing Fu*, Janne Lindqvist*, Yang Wang+

and Privacy Protection Xianyi Gao*, Yulong Yang*, Huiqing Fu*, Janne Lindqvist*, Yang Wang+

Private Browsing: an Inquiry on Usability and Privacy Protection Xianyi Gao*, Yulong Yang*, Huiqing Fu*, Janne Lindqvist*, Yang Wang+ *Rutgers University +Syracuse University Published in WPES 2014 What is private browsing? Introduced in

632 views • 21 slides
EPUB in the Browser Ben Walters Principle Software Engineering Lead at Microsoft

EPUB in the Browser Ben Walters Principle Software Engineering Lead at Microsoft

EPUB in the Browser Ben Walters Principle Software Engineering Lead at Microsoft ben.walters@microsoft.com Warm up: how many people Warm up: how many people Build EPUB Reading Systems? Warm up: how many people Build

883 views • 23 slides
Beaker Browser and the peer-to-peer Web: Why? How? And whats next? Tara Vancil 2018-10-20

Beaker Browser and the peer-to-peer Web: Why? How? And whats next? Tara Vancil 2018-10-20

Beaker Browser and the peer-to-peer Web: Why? How? And whats next? Tara Vancil 2018-10-20 NodeConf Argentina Tara Vancil The Web, nail art, Beyonc - taravancil.com - beakerbrowser.com @taravancil / taravancil.com Beaker is an

674 views • 36 slides
An Analysis of Private Browsing Modes in Modern Browsers

An Analysis of Private Browsing Modes in Modern Browsers

Stanford Computer Security Lab An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix

653 views • 40 slides
Browser Development Tools by Rusty Keele Altair 8800 (1975)

Browser Development Tools by Rusty Keele Altair 8800 (1975)

Browser Development Tools by Rusty Keele Altair 8800 (1975) https://www.flickr.com/photos/mratzloff/9169309781/ Who This Presentation Is For Anyone who wants to learn about browser developer tools Basic knowledge of HTML, CSS and

871 views • 24 slides
TrustJS: Trusted Client-side Execution of JavaScript David Goltzsche 1 , Colin Wulf 1 , Divya

TrustJS: Trusted Client-side Execution of JavaScript David Goltzsche 1 , Colin Wulf 1 , Divya

Motivation Approach of TrustJS Evaluation Conclusion TrustJS: Trusted Client-side Execution of JavaScript David Goltzsche 1 , Colin Wulf 1 , Divya Muthukumaran 2 , Konrad Rieck 1 , Peter Pietzuch 2 and R udiger Kapitza 1 1 TU Braunschweig,

1k views • 23 slides

More recommend