lec06 dep and aslr
play

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker - PowerPoint PPT Presentation

Apr 17, 2023 •684 likes •1.13k views

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Congrats!! We've completed the half of labs! Due: Lab06 is out and its due on Oct 5 at midnight NSA Codebreaker Challenge Due:

  1. 1 Lec06: DEP and ASLR Taesoo Kim

  2. 2 Scoreboard

  3. 3 NSA Codebreaker Challenges

  4. 4 Administrivia • Congrats!! We've completed the half of labs! • Due: Lab06 is out and its due on Oct 5 at midnight • NSA Codebreaker Challenge → Due: Nov 30 • We'll release new lab every Thursday at 8pm • If you are working on Thursday, please connect to " -p 2024" • If you haven't read yet, please check some time saving tips on Piazza.

  5. 5 Lab05: Stack Protection

  6. 6 Best Write-ups for Lab05 • xor: shudak3, carterchen • stackshield: spark720, shudak3 • weak-random: markwis, spark720 • gs-random: carterchen, shudak3 • terminator: spark720, brian_edmonds • assassination: carterchen, dhaval • mini-heartbleed: rpgiri, brian_edmonds • pltgot: carterchen, N/A • ssp: shudak3, carterchen • fd: luoyinfeng, spark720

  7. 7 Discussion: Lab05 • What's the most "annoying" bug or challenge? • What's the most "interesting" bug or challenge? • So, should we use canary or not? • So, which one would you like to use?

  8. 8 Take-outs from Stack Canary? • Stack Canary indirectly protects the "integrity" of RA, funcptr, etc • (e.g., exploitation mitigation → NX, canary) • We better prevent buffer overflows at the first place • (e.g., code analysis, better APIs)

  9. 9 Subtle Design Choices for the Stack Canary • Where to put? (e.g., right above ra? fp? local vars?) • Which value should I use? (e.g., secrete? random? per exec? per func?) • How to check its integrity? (e.g., xor? cmp?) • What to do after you find corrupted? (e.g., crash? report?)

  10. 10 Discussion: xor • How xor canary works? • What happens if RA is overwritten (or leaked)?

  11. 11 Discussion: xor

  12. 12 Discussion: stackshield • How stackshield works? (can you overwrite ra/fp?) • Compared to xor, what's better? • Then, could you control its control flow?

  13. 13 Discussion: weak-random • How weak-random is implemented? • How did you exploit? • What if we use a perfect random value (e.g., /dev/random)?

  14. 14 Discussion: gs-random • Near perfect (Microsoft CL): • strong randomness: /dev/random • protect fp/ra

  15. 15 Discussion: gs-random void echo(char *msg) { char buf[80]; strcpy(buf, msg); capitalize(buf); strcpy(msg, buf); ... }

  16. 16 Discussion: gs-random (arbitrary overwrite) void echo(char *msg) { char buf[80]; /* buf = [val] ... [addr] */ /* *addr = val */ strcpy(buf, msg); /* overwrite msg (addr) */ capitalize(buf); strcpy(msg, buf); /* overwrite addr with buf */ ... }

  17. 17 Discussion: gs-random

  18. 18 Discussion: terminator • How is the terminator canary implemented?

  19. 19 Discussion: terminator • What's the vulnerability?

  20. 20 Discussion: terminator (off-by-one)

  21. 21 Discussion: terminator • How to prevent this vulnerability?

  22. 22 Discussion: assassination • Near perfect (GCC) • random canary • protect fp, ra • What's the bug? • How to prevent?

  23. 23 Discussion: mini-heartbleed

  24. 24 Discussion: ssp • What happens if you cause a crash?

  25. 25 Discussion: ssp

  26. 26 Discussion: ssp

  27. 27 Discussion: pltgot • What was the vulnerability? • Where to overwrite? • How to prevent?

  28. 28 Discussion: fd

  29. 29 Discussion: fd • Why need vtable?

  30. 30 Discussion: fd

  31. 31 Discussion: fd • How to prevent this vulnerability?

  32. 32 Discussion: How to make exploitation difficult?

  33. 33 Discussion: How to make exploitation difficult? • What if the stack address (or code/heap) is random? • How could you exploit any challenge in the last week? • What if the stack/heap memory is not executable? • Then, where to put your shellcode?

  34. 34 Today's Tutorial • In-class tutorial: • About: format string vulnerability • Format string to arbitrary read • Format string to arbitrary write • (optional) Format string to arbitrary execution

  35. 35 Format string: *printf 1) printf("hello: %d", 10); 2) printf("hello: %d/%d", 10, 20); 3) printf("hello: %d/%d/%d", 10, 20);

  36. 36 Format string: *printf printf("%d/%d/%d", a1, a2 ...) +----(n)----+ | v [ra][fmt][a1][a2][a3][..] (1) (2) (3) ....

  37. 37 Format string specifiers printf(fmt); %p: pointer %s: string %d: int %x: hex %[nth]$p (e.g., %1$p = first argument)

  38. 38 Arbitrary Read printf("\xaa\xbb\xcc\xdd%3$s") +---(3rd)---+ | v [ra][fmt][a1][a2][\xaa\xbb\xcc\xdd%3$s] (1) (2) (3) .... -> "\xaa\xbb\xcc\xdd[value]"

  39. 39 More Format Specifiers printf("1234%n", &len) -> len=4 %n: write #bytes %hn (short), %hhn (byte) NOTE. %10d: print an int on 10-space word (e.g., " 10")

  40. 40 Write (sth) to an Arbitrary Location printf("\xaa\xbb\xcc\xdd%3$n") +---(3rd)---+ | v [ra][fmt][a1][a2][\xaa\xbb\xcc\xdd%3$n] (1) (2) (3) .... -> "\xaa\xbb\xcc\xdd" = 4

  41. 41 Arbitrary Write printf("\xaa\xbb\xcc\xdd%6c%3$n") +---(3rd)---+ | v [ra][fmt][a1][a2][\xaa\xbb\xcc\xdd%6c%3$n] (1) (2) (3) .... -> *(int *)(0xddccbbaa) = strlen("\xaa\xbb\xcc\xdd......") = 10

  42. 42 In-class Tutorial • Step1: Format string to arbitrary read • Step2: Format string to arbitrary write • Step3: (optional) Format string to arbitrary execution $ ssh YOURID@cyclonus.gtisc.gatech.edu -p 2023 $ ssh YOURID@cyclonus.gtisc.gatech.edu -p 2022 $ ssh YOURID@computron.gtisc.gatech.edu -p 2023 $ ssh YOURID@computron.gtisc.gatech.edu -p 2022 $ cd tut/lab06 $ cat README

  43. 43 References • Bypassing ASLR • Advanced return-into-lib(c) exploits • Format string vulnerability

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for one week! Due: Lab05 is out and its due on Oct 5 at midnight Lab10: NSA Codebreaker Challenge Due: Nov 29 Offline CTF (Nov

880 views • 19 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec)

1.05k views • 62 slides
ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec Erik Bosman @brainsmoke Kaveh Razavi @gober Ben Gras @bjg Stephan van Schaik ASLR Address Space Layout Randomiza on Widely deployed

1.75k views • 137 slides
On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android Byoungyoung Lee Long Lu Tielei Wang Taesoo Kim Wenke Lee Georgia Tech,

635 views • 30 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse A9acks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, Wenke Lee

605 views • 45 slides
How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

833 views • 44 slides
String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to

640 views • 26 slides
Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei Wang Chengyu Song Long Lu Taesoo Kim Wenke Lee Georgia Tech Information Security Center (Rough) System Attack Trends Executing existing code

661 views • 50 slides
Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester Rebeiro Indian Institute of Technology Madras Parts of Malware Two parts Subvert execution: change the normal execution behavior of the program

1.25k views • 102 slides
Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer Security W X (DEP) Low-level defenses and counterattacks Announcements (combined lecture) Return-oriented programming (ROP) Stephen McCamant

699 views • 12 slides
ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR aim to complicate various steps in a standard attack But they still may not stop it Idea: observe the programs behavior is it doing

314 views • 17 slides
I/O I/O: Connecting to Outside World So far, weve learned how to: compute with values in

I/O I/O: Connecting to Outside World So far, weve learned how to: compute with values in

Chapter 8 I/O I/O: Connecting to Outside World So far, weve learned how to: compute with values in registers load data from memory to registers store data from registers to memory But where does data in memory come from? And how

529 views • 41 slides
NSF Future of High Performance Computing Bill Kramer NSF Workshop on the Future of High

NSF Future of High Performance Computing Bill Kramer NSF Workshop on the Future of High

NSF Future of High Performance Computing Bill Kramer NSF Workshop on the Future of High Performance Computing Washington DC December 4, 2009 Why Sustained Performance is the Critical Focus Rela#onship between Peak,

251 views • 9 slides
Welcome What Employers Need To Know to todays webinar Paul Byrne Rachel Hynes Managing

Welcome What Employers Need To Know to todays webinar Paul Byrne Rachel Hynes Managing

COVID-19 & Payroll: What you need to know 7th April 2020 COVID-19 & Payroll: Welcome What Employers Need To Know to todays webinar Paul Byrne Rachel Hynes Managing Director Marketing Executive - BrightPay Laura Murphy HR

291 views • 13 slides
What is good, better, and the best audio? For WinHEC Cortana Workshop, Shenzhen, 11 August 2015

What is good, better, and the best audio? For WinHEC Cortana Workshop, Shenzhen, 11 August 2015

What is good, better, and the best audio? For WinHEC Cortana Workshop, Shenzhen, 11 August 2015 2.0 Laptop as a Speakerphone Enterprise Class Full Duplex Speakerphone Experience Optimized for MS Lync/Skype CONEXANT AudioSmart TM Software

330 views • 15 slides
Solving Random Subset Sum Problem by l p -norm SVP Oracle Gengran Hu joint work with Yanbin Pan,

Solving Random Subset Sum Problem by l p -norm SVP Oracle Gengran Hu joint work with Yanbin Pan,

Lattices and SVP Random Subset Sum Problem Solving RSSP by l p -norm SVP Oracle Solving Random Subset Sum Problem by l p -norm SVP Oracle Gengran Hu joint work with Yanbin Pan, Feng Zhang Key Laboratory of Mathematics Mechanization, NCMIS,

700 views • 35 slides
Design of optimal Runge-Kutta methods David I. Ketcheson King Abdullah University of Science

Design of optimal Runge-Kutta methods David I. Ketcheson King Abdullah University of Science

Design of optimal Runge-Kutta methods David I. Ketcheson King Abdullah University of Science & Technology (KAUST) D. Ketcheson (KAUST) 1 / 36 Acknowledgments Some parts of this are joint work with: Aron Ahmadia Matteo Parsani D.

598 views • 58 slides
csci 210: Data Structures Stacks and Queues 1 Summary Topics Stacks and Queues as

csci 210: Data Structures Stacks and Queues 1 Summary Topics Stacks and Queues as

csci 210: Data Structures Stacks and Queues 1 Summary Topics Stacks and Queues as abstract data types (ADT) Implementations arrays linked lists Analysis and comparison Applications: searching with

345 views • 21 slides
csci 210: Data Structures Stacks and Queues Summary Topics stacks and queues as

csci 210: Data Structures Stacks and Queues Summary Topics stacks and queues as

csci 210: Data Structures Stacks and Queues Summary Topics stacks and queues as abstract data types implementations arrays linked lists analysis and comparison application: searching with stacks and

284 views • 16 slides

More recommend