lecture 09 code reuse attacks
play

Lecture 09 Code reuse attacks Stephen Checkoway University of - PowerPoint PPT Presentation

Oct 14, 2022 •315 likes •750 views

Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable - An exception to this

  1. Lecture 09 – Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 — Fall 2017

  2. Last time • No good reason for stack/heap/static data to be executable • No good reason for code to be writable - An exception to this would be a JIT • Data Execution Prevention (DEP) or W ^ X gives us exactly that - A page of memory can be writable - A page of memory can be executable - No page can ever be both - (Pages can be neither writable nor executable, of course)

  3. Think like an attacker shellcode (aka payload) padding &buf computation + control • We (as attackers) are now prevented from executing any injected code • We still want to perform our computation • We talked about how to bypass stack canaries last time, so let’s ignore them for now and focus on bypassing DEP • If we can’t execute injected code, what code should we execute?

  4. Existing code in binaries • Program code itself • Dynamic libraries - Google Chrome 61.0.3163.91 links to 99 dynamic libraries! - libc is linked into (almost) every program • libc contains useful functions - system — Run a shell command - mprotect — Change the memory protection on a region of code

  5. 
 Return to libc (ret2libc) • Rather than returning to our shellcode, let’s return to a standard library function like system • We need to set the stack up precisely how system expects 
 int system(const char *command);

  6. Simple example … • Consider evil void foo(char *evil) { saved eip saved ebp char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system 
 evil &buf esp � …

  7. Simple example … • Consider evil void foo(char *evil) { &system char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system 
 evil &buf esp � …

  8. Simple example … • Consider evil void foo(char *evil) { &system char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system • system takes one argument, a evil &buf esp � pointer to the command string; where … does it go?

  9. Back to basics … • Imagine we called system directly via 
 command system(command); saved eip esp � • Look at the stack layout before the first instruction in system • As usual, the first argument is at 
 esp + 4 …

  10. Simple example … • Consider evil void foo(char *evil) { &system char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system • system takes one argument, a evil &buf esp � pointer to the command string; where … does it go? esp + 4 after the ret

  11. Simple example … • ret pops the address of system o ff evil the stack and into eip leaving the esp � &system stack pointer pointing at the first evil • 4 bytes above that should be our pointer to the command string buf evil &buf …

  12. Simple example … • ret pops the address of system o ff &cmd string ??? the stack and into eip leaving the esp � &system stack pointer pointing at the first evil • 4 bytes above that should be our pointer to the command string buf • Where should we put the command string "sh" itself? - In buf? evil - Above the pointer to the command &buf string? …

  13. Simple example … "sh" • ret pops the address of system o ff &cmd string ??? the stack and into eip leaving the esp � &system stack pointer pointing at the first evil • 4 bytes above that should be our pointer to the command string buf • Where should we put the command string "sh" itself? - In buf? evil - Above the pointer to the command &buf string? …

  14. Simple example … "sh" • When system returns, it'll return to &cmd string ??? the address on the stack at esp esp � &system (the ???) • This will likely crash unless we pick a good value to put there buf evil &buf …

  15. Simple example … "sh" • When system returns, it'll return to &cmd string &exit the address on the stack at esp esp � &system (the ???) • This will likely crash unless we pick a good value to put there • The address of exit is a good choice buf • Now when system returns, the program will exit evil &buf …

  16. 
 Injecting code … • We cannot run injected code directly, but code we can first make it executable by calling mprotect 
 RWX code_len &code int mprotect(void *addr, 
 &code size_t len, 
 &mprotect esp � int prot); • This can be tricky since there are likely to be zero bytes - Use memcpy instead of strcpy … - Use return-oriented programming (next class)

  17. Injecting code … • Return to mprotect code RWX code_len &code &code &mprotect esp � …

  18. Injecting code … • Return to mprotect code - Increments esp by 4 - Runs mprotect making the injected RWX code executable code_len - Modifies the stack below esp &code &code esp � …

  19. Injecting code … • Return to mprotect code - Increments esp by 4 - Runs mprotect making the injected RWX code executable code_len - Modifies the stack below esp &code &code esp � • Return from mprotect to code …

  20. Injecting code … • Return to mprotect code - Increments esp by 4 eip � - Runs mprotect making the injected RWX code executable code_len - Modifies the stack below esp &code esp � &code • Return from mprotect to code - Increments esp by 4 - Runs code …

  21. Chaining functions • We can chain two functions together if - the first has one argument and the g argn ... second any number of arguments g arg2 g arg1 f arg1 &g &f esp �

  22. Chaining functions • We can chain two functions together if - the first has one argument and the f argn second any number of arguments; or ... - the first has any number of arguments f arg2 and the second has none f arg1 &g &f esp �

  23. Chaining functions • We can chain two functions together if - the first has one argument and the g argn f argn ... second any number of arguments; or ... g arg2 - the first has any number of arguments f arg2 g arg1 and the second has none f arg1 f arg1 &g &g • We can start with any number of zero &f &f argument functions for either case &funm &funm ... ... &fun2 &fun2 &fun1 &fun1 esp �

  24. Cleaning up between z • What if we want to chain the four function &fun4 calls fun1(t), fun2(u,v), fun3(w,x,y), fun4(z)? y • Identify pieces of code that clean up the x w stack and return to those between function addl $16, %esp calls ret &fun3 v • Examples: u - popl %ebp; ret popl %ebx popl %ebp - popl %ebx; popl %ebp; ret &fun2 ret t - addl $16, %esp; ret popl %ebp ret &fun1 esp �

  25. Running z 1. Return to fun1 &fun4 y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 ret t popl %ebp esp � ret &fun1

  26. Running z 1. Return to fun1 which runs, modifies stack &fun4 y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 ret t popl %ebp esp � ret

  27. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 ret t esp � ← eip popl %ebp ret

  28. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 esp � ret t popl %ebp ← eip ret

  29. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 w addl $16, %esp ret &fun3 v u popl %ebx esp � popl %ebp &fun2 ret t popl %ebp ret

  30. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp ret &fun3 v u popl %ebx esp � popl %ebp ret popl %ebp ret

  31. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp 4. Return to pop; pop; ret ret &fun3 v u esp � ← eip popl %ebx popl %ebp ret popl %ebp ret

  32. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp 4. Return to pop; pop; ret ret &fun3 v esp � u popl %ebx ← eip popl %ebp ret popl %ebp ret

  33. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp 4. Return to pop; pop; ret ret &fun3 esp � v u popl %ebx popl %ebp ← eip ret popl %ebp ret

  34. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp esp � 4. Return to pop; pop; ret ret &fun3 v 5. Return to fun3 u popl %ebx popl %ebp ret popl %ebp ret

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina Dartmouth T rust Lab Outline Code re-use: unexpected computation, programming models Containing computation: Coarse intent-based ABI-level

487 views • 27 slides
A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Gkta (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos,

587 views • 26 slides
Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes Gkta - Elias Athanasopoulos - Michalis Polychronakis Herbert Bos - Georgios Portokalidis presented by: Flora Karniavoura Katerina Karagiannaki

376 views • 23 slides
How to Write Fast Numerical Code Spring 2011 Lecture 7 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 7 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 7 Instructor: Markus Pschel TA: Georg Ofenbeck Last Time: Locality Temporal and Spatial memory memory Last Time: Reuse FFT: O(log(n)) reuse MMM: O(n) reuse Discrete Fourier

278 views • 25 slides
How to Write Fast Numerical Code Spring 2011 Lecture 8 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 8 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 8 Instructor: Markus Pschel TA: Georg Ofenbeck Reuse (Inherent Temporal Locality) Reuse of an algorithm: Number of operations Minimal number of Size of input + size of output data

465 views • 18 slides
How to Write Fast Numerical Code Spring 2011 Lecture 15 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 15 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 15 Instructor: Markus Pschel TA: Georg Ofenbeck Reuse Again Reuse of an algorithm: Number of operations Minimal number of Size of input + size of output data Memory accesses

271 views • 26 slides
Just-In-Time Code Reuse: On the Effec7veness of

Just-In-Time Code Reuse: On the Effec7veness of

Just-In-Time Code Reuse: On the Effec7veness of Fine-Grained Address Space Layout Randomiza7on Kevin Z. Snow, Fabian Monrose Lucas Davi,

819 views • 23 slides
Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane,

Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane,

Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi,Thorsten Holz, Bjorn De Sutter, Michael Franz

772 views • 62 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg Schwenk 1 , Adam Czubak 2 , Marcin Szymanek 2 1 : Ruhr University Bochum, Germany 2 : University of Opole, Poland 27 TH USENIX SECURITY SYMPOSIUM

476 views • 25 slides
1 Infrastructure Requirements Limit Reuse Planned Indirect Potable Reuse (Purple pipe may be a

1 Infrastructure Requirements Limit Reuse Planned Indirect Potable Reuse (Purple pipe may be a

Overview of Presentation DIRECT POTABLE REUSE: A PATH FORWARD: Take Home Message Reuse Opportunities De Facto and Planned Indirect Potable Reuse 2012 WATER REUSE CONFERENCE Proposed Direct Potable Reuse Strategies Boise, ID

599 views • 8 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020 Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on

869 views • 76 slides
D: Centralization, 51% Attacks Developer centralization Transf ansformati ormation on Code

D: Centralization, 51% Attacks Developer centralization Transf ansformati ormation on Code

D: Centralization, 51% Attacks Developer centralization Transf ansformati ormation on Code you write Code you Library use is depend on growing at a staggering rate Qu Ques estio tion Who controls the code you depend on? How

911 views • 55 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
PoP - - An Automated An Automated PoP Policy Replacement Policy Replacement Architecture for

PoP - - An Automated An Automated PoP Policy Replacement Policy Replacement Architecture for

PoP - - An Automated An Automated PoP Policy Replacement Policy Replacement Architecture for PBNM Architecture for PBNM Lisandro Zambenedetti Granville Granville Lisandro Zambenedetti Gustavo Augusto Faraco Augusto Faraco de de S

186 views • 16 slides
Big Idea #7 Useful assessment findings pop. Averages have little meaning. Look at

Big Idea #7 Useful assessment findings pop. Averages have little meaning. Look at

Big Idea #7 Useful assessment findings pop. Averages have little meaning. Look at percentages. Thesis 2.5 Organization 2.7 Intro/conclusion 2.7 Body paragraphs 2.6 Mechanics 3.0 Source material 2.5 Averages have little meaning.

243 views • 10 slides
CMSC201 Computer Science I for Majors Lecture 19 Recursion Prof. Jeremy Dixon Based on

CMSC201 Computer Science I for Majors Lecture 19 Recursion Prof. Jeremy Dixon Based on

CMSC201 Computer Science I for Majors Lecture 19 Recursion Prof. Jeremy Dixon Based on slides from the book author, and previous iterations of the course www.umbc.edu Last Class We Covered Project 1 Details Classes Inheritance

531 views • 34 slides
75% People homeless at Viral suppression among HIV diagnosis PLWH who are housed had 27-fold

75% People homeless at Viral suppression among HIV diagnosis PLWH who are housed had 27-fold

2/13/2020 Background 75% People homeless at Viral suppression among HIV diagnosis PLWH who are housed had 27-fold higher odds of 33% POP-UP Clinic, Ward 86 death Viral suppression among compared with PLWH who experience those with

292 views • 5 slides
and nd Pr Prod oduct ctivity EU H2020 Center r of of Excellence (CoE)

and nd Pr Prod oduct ctivity EU H2020 Center r of of Excellence (CoE)

Perf erfor ormance e Opti Optimization on and nd Pr Prod oduct ctivity EU H2020 Center r of of Excellence (CoE) 1 Oc Octobe ber 2015 31 March h 2018

604 views • 10 slides
CECP Accelerate Community: Systemic Investments in Equity, Talent, and Tech K AMAU B OBB I MARA C

CECP Accelerate Community: Systemic Investments in Equity, Talent, and Tech K AMAU B OBB I MARA C

CECP Accelerate Community: Systemic Investments in Equity, Talent, and Tech K AMAU B OBB I MARA C ONSULTING 2 O CTOBER 2018 THE CEO FORCE FOR GOOD Operationalizing Equity in STEM people institutions structures students k-12 schools high

286 views • 5 slides
Closed Loop Neural-Symbolic Learning via Integrating Neural Perception, Grammar Parsing, and

Closed Loop Neural-Symbolic Learning via Integrating Neural Perception, Grammar Parsing, and

Closed Loop Neural-Symbolic Learning via Integrating Neural Perception, Grammar Parsing, and Symbolic Reasoning Motivation NS-RL Neural Symbolic Input Prediction Error Network Reasoning Ground Truth Forward pass

1.13k views • 27 slides
ATS 2017 Call for Late-Breaking Abstracts Instructions for Title, Category and Presentation

ATS 2017 Call for Late-Breaking Abstracts Instructions for Title, Category and Presentation

ATS 2017 Call for Late-Breaking Abstracts Instructions for Title, Category and Presentation Preference Add Title Although there are limitations to the text formatting of the abstract title, submitters can still include the following by using

454 views • 18 slides

More recommend