info formation leaks
play

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy - PowerPoint PPT Presentation

Dec 05, 2023 •23 likes •1.82k views

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Ju Just st-in in-tim time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z.

  1. The solution • The favored method of interacting with the OS is through API calls because of the relative stability across OS revisions. [as in kernel32.dll] (not system calls) • Discover the virtual addresses of API Functions used in the attacker-supplied program (S (Step ep ❸ ) • Proposed code page harvesting gives unfettered access to a large amount of application code. This offers a unique opportunity for automatically discovering a diverse set of API function pointers. (S (Step ep ❷ ) University of Cyprus EPL 682: Advanced Security Topics 43

  2. C. Gadget Discovery JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 44

  3. far we have automatically mapped a Thus fa significant portion of the vulnerable application’s code layout and collected API function pointers required by the exploit writer’s designated program. University of Cyprus EPL 682: Advanced Security Topics 45

  4. Challenge University of Cyprus EPL 682: Advanced Security Topics 46

  5. Lies in accumulating a set of concrete gadgets to use as building blocks for the just-in-time code reuse payload & Fine-grained exploit mitigations may metamorphose instructions on each execution. University of Cyprus EPL 682: Advanced Security Topics 47

  6. The solution • In Step ❹ they efficiently collect sequences of instructions by adapting the Galileo algorithm proposed by Shacham to it iterat ate over the harvested code pages from Step ❷ and populate an ov instruction prefix tree structure. • Using criteria for useful gadgets University of Cyprus EPL 682: Advanced Security Topics 48

  7. Algorithm 2 VerifyGadget Automatically match a sequence of instructions to a gadget’s semantic definition. 49

  8. University of Cyprus EPL 682: Advanced Security Topics 50

  9. D. Just-In-Time Compilation JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 51

  10. Challenge University of Cyprus EPL 682: Advanced Security Topics 52

  11. Lies in using the dynamically discovered API function pointers and collection of concrete gadgets to satisfy the exploit writer’s target program (Step ❶ ), then generate a payload to execute (Step ❻ ) University of Cyprus EPL 682: Advanced Security Topics 53

  12. The solution • A dynamic compilation is required to ensure we can use a plethora of gadget types to build the final payload • The JIT Gadget Compiler proposed is like a traditional compiler, except that compilation is embedded directly within an exploit script with a subset of concrete instructions available for code generation • Next, they perform a lazy search over all possible gadget combinations that implement a program statement, as well as a search over all schedules and register combinations. • The final payload is serialized to a structure accessible from the script, and control is returned to the exploit writer’s code (Step ❻ ) University of Cyprus EPL 682: Advanced Security Topics 54

  13. E. Implementation JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 55

  14. University of Cyprus EPL 682: Advanced Security Topics 56

  15. Evaluation JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 57

  16. A. On Code Page Harvesting JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 58

  17. To perform the evaluation, they used memory snapshots created using a custom library. The snapshots contain all process memory, metadata indicating if a page is marked as executable code, and auxiliary information on which pages belong to the application or a shared library. University of Cyprus EPL 682: Advanced Security Topics 59

  18. University of Cyprus EPL 682: Advanced Security Topics 60

  19. University of Cyprus EPL 682: Advanced Security Topics 61

  20. B. On Gadget Coverage JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 62

  21. They were ab able to to f find al all th the g gad adgets ts required in their proof of concept exploit. They found that we could generate a payload from 78% of the initial code pages, and 67% of the initial starting points additionally yielded a StackPivotG , which is required for many exploits. University of Cyprus EPL 682: Advanced Security Topics 63

  22. University of Cyprus EPL 682: Advanced Security Topics 64

  23. To reinforce the point that gadget discovery is not hindered by fine-grained mitigation techniques, they conducted an experiment using the in-place binary code randomizer. The framework discovers slightly more gadgets in the randomized libraries than the original unmodified DLLs. University of Cyprus EPL 682: Advanced Security Topics 65

  24. C. On API Function Discovery JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 66

  25. By calling VirtualProtect is the most direct way to undermine non-executable memory They found that within the Internet Explorer 8 process memory (including all libraries), there were only 15 15 distinct call sites to VirtualProtect . They found that call sites for LoadLibrary and GetProcAddress functions were readily available within the Internet Explorer memory– 391 391 instances of GetProcAddress and 340 340 instances of LoadLibrary . University of Cyprus EPL 682: Advanced Security Topics 67

  26. D. On Runtime Performance JIT-ROP University of Cyprus EPL 682: Advanced Security Topics 68

  27. JIT-ROP was able to locate a pivot within 10 pages, all required APIs in 19 pages, and the requisite gadgets for a payload within 50 pages—a total running time of 22.5 seconds. University of Cyprus EPL 682: Advanced Security Topics 69

  28. University of Cyprus EPL 682: Advanced Security Topics 70

  29. The proposed framework runs incr credibly fa fast when natively compiled—code pages are traversed, gadgets are collected, APIs are resolved, and a payload is compiled in a fraction of a second. University of Cyprus EPL 682: Advanced Security Topics 71

  30. Potential Mitigations Suggestions University of Cyprus EPL 682: Advanced Security Topics 72

  31. Suggestions that would render this attack ineffective • Re-randomize code pages at a high rate; the disclosed pages might be re-randomized before the just-in-time pay-load executes (randomization costs problem) • Fortify defenses that hinder the first stage (i.e. the entry point) of a runtime attack • Apply an Instruction set randomization (ISR), which mitigates code injection attacks by encrypting the binary’s code pages with a random key and decrypting them on-the-fly. • To prevent control-flow attacks is the enforcement of control- flow integrity (CFI), which mitigates runtime attacks regardless of whether the program suffers from vulnerabilities. University of Cyprus EPL 682: Advanced Security Topics 73

  32. Conclusion University of Cyprus EPL 682: Advanced Security Topics 74

  33. In this paper, they introduce a novel framework that undermines fine-grained randomization techniques by using a just-in-time code reuse strategy. They repeatedly abuse a memory disclosure to map an application’s memory layout on-the-fly. It dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets—all within a script environment at the time an exploit is launched. University of Cyprus EPL 682: Advanced Security Topics 75

  34. Moving on University of Cyprus EPL 682: Advanced Security Topics 76

  35. Ha Hacking ng Blind nd Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh University of Cyprus EPL 682: Advanced Security Topics 77

  36. Abstract University of Cyprus EPL 682: Advanced Security Topics 78

  37. Re Retur urn n Orient nted Prog ogrammi mming ng (RO ROP) The attacker knows the location of useful gadgets, because binary and distribution are available University of Cyprus EPL 682: Advanced Security Topics 79

  38. What if the binary remains unknown to the attacker? University of Cyprus EPL 682: Advanced Security Topics 80

  39. It is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash . University of Cyprus EPL 682: Advanced Security Topics 81

  40. Solu So lutio ion Blind ROP (BROP) attack remotely fi finds enough ROP gadgets to perform a write system call and tr transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. University of Cyprus EPL 682: Advanced Security Topics 82

  41. • The source code is available • Usually proprietary software for everyone that none has access to see the source code • Open Source is most within reach • Hacking this software is also possible, but harder • Attackers can audit the code to find vulnerabilities • Attackers can use fuzz testing and reverse engineering University of Cyprus EPL 682: Advanced Security Topics 83

  42. Si Simples est p possible vu e vulner erability: y: St Stack ck b buffer Overf er Overflows bugs such as these go unnoticed in proprietary software, where the source (and binary) has not been under the heavy scrutiny of the public and security specialists University of Cyprus EPL 682: Advanced Security Topics 84

  43. Challenge University of Cyprus EPL 682: Advanced Security Topics 85

  44. Lies in developing a methodology for exploiting these vulnerabilities when information about the target binary is limited University of Cyprus EPL 682: Advanced Security Topics 86

  45. One advantage attack ckers oft ften have Many servers restart their worker processes after a crash for robustness University of Cyprus EPL 682: Advanced Security Topics 87

  46. They present a new attack, Blind Return Oriented Programming (BROP), that takes advantage of these situations to build exploits for proprietary services for which both the binary and source are unknown. University of Cyprus EPL 682: Advanced Security Topics 88

  47. BROP attack assumptions • A server application with stack vulnerability • One that is restarted after a crash • Runs 64-bit Linux with ASLR, non-executable (NX) memory, and stack canaries enabled University of Cyprus EPL 682: Advanced Security Topics 89

  48. Position Independent Executables ( PIE ) are an output of the hardened package build process. A PIE binary and all of its dependencies are loaded into random locations within virtual memory each time the application is executed. University of Cyprus EPL 682: Advanced Security Topics 90

  49. The attack is enabled by two new techniques 1. Generalized stack reading: this generalizes a known technique, used to leak canaries, to also leak saved return addresses in order to defeat ASLR on 64-bit even when Position Independent Executables (PIE) are used 2. Blind ROP: this technique remotely locates ROP gadgets Both techniques share the idea of using a single stack vulnerability to leak information based on whether a server process crashes or not. The stack reading technique overwrites the stack byte-by-byte with possible guess values, until the correct one is found and the server does not crash. University of Cyprus EPL 682: Advanced Security Topics 91

  50. The Blind ROP attack remotely finds enough gadgets to perform the write system call, after which the server’s binary can be transferred from memory to the attacker’s socket. At this point, canaries, ASLR and NX have been defeated and the exploit can proceed using known techniques. University of Cyprus EPL 682: Advanced Security Topics 92

  51. The BROP attack enables robust, general-purpose exploits for three new scenarios: 1. Hacking proprietary closed-binary services One may notice a crash when using a remote service or discover one through remote fuzz testing. 2. Hacking a vulnerability in an open-source library thought to be used in a proprietary closed-binary service A popular SSL library for example may have a stack vulnerability and one may speculate that it is being used by a proprietary service. 3. Hacking an open-source server for which the binary is unknown This applies to manually compiled installations or source-based distributions such as Gentoo University of Cyprus EPL 682: Advanced Security Topics 93

  52. Br Braille makes BROP attacks highly automated University of Cyprus EPL 682: Advanced Security Topics 94

  53. Their overall contribution 1. A technique to defeat ASLR on servers ( generalized stack reading ). 2. A technique to remotely find ROP gadgets ( BROP ) so that software can be attacked when the binary is unknown. 3. Braille: a tool that automatically constructs an exploit given input on how to trigger a stack overflow on a server 4. The first public exploit for nginx’s recent vulnerability, that is generic, 64-bit, and defeats (full/PIE) ASLR, canaries and NX. University of Cyprus EPL 682: Advanced Security Topics 95

  54. Their overall contribution 5. Suggestions for defending against BROP attacks. In summary, ASLR must be applied to all executable segments (PIE) and re-randomization must occur after each crash (at odds with fork-only servers). Holding the binary from the attacker or purposefully altering it may not be an effective security countermeasure. University of Cyprus EPL 682: Advanced Security Topics 96

  55. Historical Overview University of Cyprus EPL 682: Advanced Security Topics 97

  56. Exploitation defenses practices through time § Shellcode, return address, stack Canary § Structured exception handlers (SEH) NX bit § Redirect execution to existing shared-library functions, chaining together short instruction ASLR sequences ending with ret (gadgets, ROP) § Memory disclosure problem ? University of Cyprus EPL 682: Advanced Security Topics 98

  57. ROP Tutorial University of Cyprus EPL 682: Advanced Security Topics 99

  58. University of Cyprus EPL 682: Advanced Security Topics 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

NSA PRISM Slides - IC OFF THE RECORD 11.06.18 14:18 2013 LEAKS 2014 LEAKS 2015 LEAKS 2016 LEAKS 2017 LEAKS 2018 LEAKS IC OFF THE RECORD: Direct access to leaked information related to the

480 views • 18 slides
Col ollaborative laborative In Info formation mation Seeki king: ng: On tra raca cabi

Col ollaborative laborative In Info formation mation Seeki king: ng: On tra raca cabi

Col ollaborative laborative In Info formation mation Seeki king: ng: On tra raca cabi bilit lity, , sensema nsemaking ing and recommen menda dation ion Andreas Nrnberger, Dominic Stange, Tatiana Gossen, Michael Kotzyba I NFORM

892 views • 55 slides
In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user data passwords stored in readable format 1B 600M 0.5M Data Breaches Cost of a Data Breach Study www.ibm.com/security/data-breach

677 views • 35 slides
Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety Trust Conference New Orleans, LA Leak Detection Best Defense is Preventing Leaks from Occurring in First Place Proactive pipeline integrity

258 views • 7 slides
Dwarf Galaxy Formation with Dwarf Galaxy Formation with H 2 -regulated Star Formation H 2

Dwarf Galaxy Formation with Dwarf Galaxy Formation with H 2 -regulated Star Formation H 2

Dwarf Galaxy Formation with Dwarf Galaxy Formation with H 2 -regulated Star Formation H 2 -regulated Star Formation Michael Kuhlen, UC Berkeley arXiv:1105.2376 w/ M. Krumholz, P. Madau, B. Smith, J. Wise August 9 th 2011 2011 UC Santa Cruz

708 views • 33 slides
AQUAPHONIE TOXIQUE TROTTOIR ABOUT THE SHOW AQUAPHONIE SUITE FOR LEAKS IN GLEE MAJOR! This

AQUAPHONIE TOXIQUE TROTTOIR ABOUT THE SHOW AQUAPHONIE SUITE FOR LEAKS IN GLEE MAJOR! This

SUITE FOR LEAKS IN GLEE MAJOR! AQUAPHONIE TOXIQUE TROTTOIR ABOUT THE SHOW AQUAPHONIE SUITE FOR LEAKS IN GLEE MAJOR! This aquatic celebration for all ages wont leave Acrobatic diving, fishing, swimming, sailboat anyone high and dry! Dive

407 views • 7 slides
Debugging Memory Leaks in .NET CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM

Debugging Memory Leaks in .NET CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM

Debugging Memory Leaks in .NET CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 18.07.2020 DEBUGGING MEMORY LEAKS IN .NET - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases.

779 views • 40 slides
Image formation How are objects in the world captured in Image formation an image? Matlab

Image formation How are objects in the world captured in Image formation an image? Matlab

Image formation How are objects in the world captured in Image formation an image? Matlab tutorial Tuesday, Sept 2 Image formation Physical parameters of image formation object film Geometric Type of projection Camera

190 views • 8 slides
Corrosion Mitigation What is the Problem? Leaks leading to: Wastage Lost

Corrosion Mitigation What is the Problem? Leaks leading to: Wastage Lost

Storage Tank Corrosion Mitigation What is the Problem? Leaks leading to: Wastage Lost resources Environmental damage What is the Problem? Corrosion is the main cause of these leaks. Other causes could be environmental

787 views • 55 slides
Th The New Life Spiritual Formation through the Means of Grace Wh What is Spiritual Formation?

Th The New Life Spiritual Formation through the Means of Grace Wh What is Spiritual Formation?

Th The New Life Spiritual Formation through the Means of Grace Wh What is Spiritual Formation? Wh What is Spiritual Formation? Spiritual Formation is the process of being conformed into the image of our Creator by the power of the Holy

469 views • 23 slides
Planetesimal formation in Planetesimal formation in turbulent protoplanetary discs turbulent

Planetesimal formation in Planetesimal formation in turbulent protoplanetary discs turbulent

Planetesimal formation in Planetesimal formation in turbulent protoplanetary discs turbulent protoplanetary discs Anders Johansen Planet formation Dust in MHD turbulence Planetesimal formation Zonal flows Analytical model Global

732 views • 50 slides
STRUCTURAL GROUTING PERMANENTLY STOPPING LEAKS IN MRT TUNNELS MRT Tunnel Walls & Floors

STRUCTURAL GROUTING PERMANENTLY STOPPING LEAKS IN MRT TUNNELS MRT Tunnel Walls & Floors

SOVEREIGN-JEDA STRUCTURAL GROUTING PERMANENTLY STOPPING LEAKS IN MRT TUNNELS MRT Tunnel Walls & Floors (pressure grout) We permanently MRT Tunnel & Station Interface (pressure grout) seal leaks in Underground basements

571 views • 18 slides
comments on star formation at the peak of the galaxy formation epoch its all different and

comments on star formation at the peak of the galaxy formation epoch its all different and

comments on star formation at the peak of the galaxy formation epoch its all different and still so similar Reinhard Genzel MPE & UCB star formation and feedback at the peak of the galaxy formation epoch continuous LIRGs accretion

349 views • 9 slides
www.leadershipwisdom.info www.realchange.info www www.realchange.info There are universal

www.leadershipwisdom.info www.realchange.info www www.realchange.info There are universal

www www.leadershipwisdom.info www.realchange.info www www.realchange.info There are universal principles of the mind that when INSIGHTFULLY understood create sustainable real change in all walks of life. www Heres some evidence of that

199 views • 18 slides
ray tracing 1 image formation 2 image formation 3 rendering computational simulation of

ray tracing 1 image formation 2 image formation 3 rendering computational simulation of

ray tracing 1 image formation 2 image formation 3 rendering computational simulation of image formation 4 rendering given viewer, geometry, materials, lights determine visibility and compute colors 5 raytracing a specific rendering

1.61k views • 95 slides
SUPPORT SYSTEM FOR THE IDENTIFICATION OF ROOF LEAKS AND CRACKS Dr. A. Paramasivam 1 & Dr. K.

SUPPORT SYSTEM FOR THE IDENTIFICATION OF ROOF LEAKS AND CRACKS Dr. A. Paramasivam 1 & Dr. K.

A THERMAL SENSOR-BASED DECISION SUPPORT SYSTEM FOR THE IDENTIFICATION OF ROOF LEAKS AND CRACKS Dr. A. Paramasivam 1 & Dr. K. Kamalanand 2 1 Department of Electrical and Electronics Engineering, B.S.Abdur Rahman Crescent Institute of Science

483 views • 17 slides
15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!! Carnegie Mellon Agenda Stack review Attack lab overview Phases

882 views • 19 slides
1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few

1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few

1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few more %cs would be needed to skip format string part 1 OVER questions? 2 last time memory management problems two objects end up at same

965 views • 63 slides
CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary Invoking a function ! CALL

CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary Invoking a function ! CALL

CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary Invoking a function ! CALL : call the function ! RET : return from the instruction Stack Frame for a function call includes ! Function arguments ! Return address ! Local

576 views • 15 slides
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming

CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming

613 views • 35 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides

More recommend