on the effectiveness of full aslr on 64 bit linux
play

On the effectiveness of Full-ASLR on 64-bit Linux Hector - PowerPoint PPT Presentation

Feb 10, 2023 •422 likes •1.05k views

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec)

  1. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec) November 18-21, 2014 1 / 37

  2. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Table of contents Overview 1 Linux ASLR weakness: offset2lib 2 Example: Offset2lib in stack buffer overflows 3 Demo: Root shell in < 1 sec. 4 Mitigation 5 ASLR 6 PaX Patch randomize va space=3 ASLR redesign Stack Smashing Protector ++ 7 Conclusions 8 2 / 37

  3. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Overview What have we done ? We have deeply analyzed the effectiveness of the GNU/Linux ASLR and: Found a weakness on the current GNU/Linux ASLR implementation, named offset2lib . Built an attack which bypasses the NX, SSP and ASLR on a 64 bit system in < 1 sec. Sent a small patch “ASLRv3” (randomize va space = 3) to Linux developers, but no response . Some mitigation techniques against the offset2lib attack are presented. 3 / 37

  4. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Overview ASLR Background ASLR does not remove vulnerabilities but make more difficult to exploit them. ASLR deters exploits which relays on knowing the memory map. ASLR is effective when all memory areas are randomise. Otherwise, the attacker can use these non-random areas. Full ASLR is achieved when: Applications are compiled with PIE (-fpie -pie). The kernel is configured with randomize va space = 2 (stack, VDSO, shared memory, data segment) 4 / 37

  5. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Loading shared objects The problem appears when the application is compiled with PIE because the GNU/Linux algorithm for loading shared objects works as follows: The first shared object is loaded at a random position . The next object is located right below (lower addresses) the last object. 0x000000000000 ... Libc Base libc-2.19.so Dynamic Linker Base ld-2.19.so Executable Base server 64 PIE mmap base ... Stack ... 0x7FFFFFFFFFFF All libraries are located ”side by side” at a single random place . 5 / 37

  6. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Offset2lib $ cat /proc/ < pid > /server 64 PIE 7fd1b414f000 -7fd1b430a000 r-xp /lib/.../ libc-2.19.so 7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so 7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so 7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so 7fd1b4510000-7fd1b4515000 rw-p 7fd1b4515000 -7fd1b4538000 r-xp /lib/.../ ld-2.19.so 7fd1b4718000-7fd1b471b000 rw-p 7fd1b4734000-7fd1b4737000 rw-p 7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so 7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so 7fd1b4739000-7fd1b473a000 rw-p 7fd1b473a000 -7fd1b473c000 r-xp /root/ server 64 PIE 7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE 7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE 7fff981fa000-7fff9821b000 rw-p [stack] 7fff983fe000-7fff98400000 r-xp [vdso] 6 / 37

  7. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Offset2lib $ cat /proc/ < pid > /server 64 PIE 7fd1b414f000 -7fd1b430a000 r-xp /lib/.../ libc-2.19.so 7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so 7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so 7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so 7fd1b4510000-7fd1b4515000 rw-p 0x5eb000 7fd1b4515000 -7fd1b4538000 r-xp /lib/.../ ld-2.19.so 7fd1b4718000-7fd1b471b000 rw-p 7fd1b4734000-7fd1b4737000 rw-p 7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so 7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so 7fd1b4739000-7fd1b473a000 rw-p 7fd1b473a000 -7fd1b473c000 r-xp /root/ server 64 PIE 7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE 7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE 7fff981fa000-7fff9821b000 rw-p [stack] 7fff983fe000-7fff98400000 r-xp [vdso] 6 / 37

  8. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Offset2lib $ cat /proc/ < pid > /server 64 PIE 7fd1b414f000 -7fd1b430a000 r-xp /lib/.../ libc-2.19.so 7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so 7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so 7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so 7fd1b4510000-7fd1b4515000 rw-p 0x5eb000 7fd1b4515000 -7fd1b4538000 r-xp /lib/.../ ld-2.19.so 7fd1b4718000-7fd1b471b000 rw-p 0x225000 7fd1b4734000-7fd1b4737000 rw-p 7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so 7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so 7fd1b4739000-7fd1b473a000 rw-p 7fd1b473a000 -7fd1b473c000 r-xp /root/ server 64 PIE 7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE 7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE 7fff981fa000-7fff9821b000 rw-p [stack] 7fff983fe000-7fff98400000 r-xp [vdso] 6 / 37

  9. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Offset2lib 7fd1b414f000 -7fd1b430a000 r-xp /lib/.../ libc-2.19.so 7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so 7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so 7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so offset2lib 7fd1b4510000-7fd1b4515000 rw-p 7fd1b4515000 -7fd1b4538000 r-xp /lib/.../ ld-2.19.so offset2lib 7fd1b4718000-7fd1b471b000 rw-p 7fd1b4734000-7fd1b4737000 rw-p 7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so 7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so 7fd1b4739000-7fd1b473a000 rw-p 7fd1b473a000 -7fd1b473c000 r-xp /root/ server 64 PIE 7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE 7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE 7fff981fa000-7fff9821b000 rw-p [stack] 7fff983fe000-7fff98400000 r-xp [vdso] We named this invariant distance offset2lib which: It is a constant distance between two shared objects even in different executions of the application. 7 / 37

  10. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Offset2lib 7fd1b414f000 -7fd1b430a000 r-xp /lib/.../ libc-2.19.so 7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so 7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so 7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so offset2lib 7fd1b4510000-7fd1b4515000 rw-p 7fd1b4515000 -7fd1b4538000 r-xp /lib/.../ ld-2.19.so offset2lib 7fd1b4718000-7fd1b471b000 rw-p 7fd1b4734000-7fd1b4737000 rw-p 7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so 7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so 7fd1b4739000-7fd1b473a000 rw-p 7fd1b473a000 -7fd1b473c000 r-xp /root/ server 64 PIE 7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE 7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE 7fff981fa000-7fff9821b000 rw-p [stack] 7fff983fe000-7fff98400000 r-xp [vdso] We named this invariant distance offset2lib which: It is a constant distance between two shared objects even in different executions of the application. Any address of the app. → de-randomize all mmapped areas !!! 7 / 37

  11. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Why the Offset2lib is dangerous ? Offset2lib scope: Realistic ; applications are more prone than libraries to errors. Makes some vulnerabilities faster , easier and more reliable to exploit them. It is not a self-exploitable vulnerability but an ASLR-design weakness exploitable. It opens new (and old) attack vectors. 8 / 37

  12. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Linux ASLR weakness: offset2lib Why the Offset2lib is dangerous ? Offset2lib scope: Realistic ; applications are more prone than libraries to errors. Makes some vulnerabilities faster , easier and more reliable to exploit them. It is not a self-exploitable vulnerability but an ASLR-design weakness exploitable. It opens new (and old) attack vectors. Next example: Offset2lib on a standard stack buffer overflow. 8 / 37

  13. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Example: Offset2lib in stack buffer overflows Building the attack The steps to build the attack are: 1 Extracting static information 2 Brute force part of saved-IP 3 Calculate base app. address 4 Calculate library offsets 5 Obtain mmapped areas 9 / 37

  14. On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco Example: Offset2lib in stack buffer overflows 1) Extracting static information Our goal is to obtain an address belonging to the application. We are going to obtain the saved-IP of vulnerable function caller. Offset2lib with saved-IP ⇒ all mmapped areas. STACK 0000000000001063 <attend_client>: 1063: 55 push %rbp ... Stack grows down 1064: 48 89 e5 mov %rsp,%rbp 1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp 106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax BUFFER 1075: 00 00 ..... ..... ..... 12d7: 48 89 c7 mov %rax,%rdi RBP 12da: e8 1c fc ff ff callq efb <vuln func> 0x??????????????? 12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax 12e6: 48 89 c7 mov %rax,%rdi ... ..... ..... ..... 10 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary code execution y Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR Attackers must identify

1.05k views • 91 slides
ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec Erik Bosman @brainsmoke Kaveh Razavi @gober Ben Gras @bjg Stephan van Schaik ASLR Address Space Layout Randomiza on Widely deployed

1.75k views • 137 slides
From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android Byoungyoung Lee Long Lu Tielei Wang Taesoo Kim Wenke Lee Georgia Tech,

635 views • 30 slides
Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for one week! Due: Lab05 is out and its due on Oct 5 at midnight Lab10: NSA Codebreaker Challenge Due: Nov 29 Offline CTF (Nov

880 views • 19 slides
Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range of systems ! CC BY-SA 2.0 FHKE, Flickr 2 Whats the difference between Linux on a big thing and Linux on a little thing? ! 3 ! Whats the

900 views • 52 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse A9acks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, Wenke Lee

605 views • 45 slides
Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

The State of Desktop Linux: Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig www.mylinuxrig.com @steven_ovadia *** Associate Professor/Web Services Librarian LaGuardia Community College About My Linux

458 views • 27 slides
Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux History Linux Architecture Logging in to Linux Command Format Linux Filesystem Directory and File Commands Wildcard Characters

686 views • 19 slides
Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Congrats!! We've completed the half of labs! Due: Lab06 is out and its due on Oct 5 at midnight NSA Codebreaker Challenge Due:

1.13k views • 43 slides
Traffic management An Engineering Approach to Computer Networking An Engineering Approach to

Traffic management An Engineering Approach to Computer Networking An Engineering Approach to

Traffic management An Engineering Approach to Computer Networking An Engineering Approach to Computer Networking An example Executive participating in a worldwide videoconference Proceedings are videotaped and stored in an archive

1.04k views • 91 slides
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto . Penguin books. 2001. A

ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto . Penguin books. 2001. A

ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto . Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall Symmetric Cryptography Before

1.93k views • 145 slides
Traffic management An Engineering Approach to Computer Networking An Engineering Approach to

Traffic management An Engineering Approach to Computer Networking An Engineering Approach to

Traffic management An Engineering Approach to Computer Networking An Engineering Approach to Computer Networking An example Executive participating in a worldwide videoconference Proceedings are videotaped and stored in an archive

1.15k views • 90 slides
MATRICES 1. Rectangular array of numbers 3 5 7 8 7 A 2 4 1 2 3 Symbol -

MATRICES 1. Rectangular array of numbers 3 5 7 8 7 A 2 4 1 2 3 Symbol -

*** St 512 *** 1 MATRICES 1. Rectangular array of numbers 3 5 7 8 7 A 2 4 1 2 3 Symbol - cap letter , A B C , 2. Vectors 3. Elements a ij 4. Operations (a) Addition or subtraction Element by element (b)

1.68k views • 139 slides
Working on Krita:Fun&amp;Profit Luk Tvrd 02.07.2010 | T ampere, Finland | Akademy 2010

Working on Krita:Fun&amp;Profit Luk Tvrd 02.07.2010 | T ampere, Finland | Akademy 2010

Working on Krita:Fun&amp;Profit Luk Tvrd 02.07.2010 | T ampere, Finland | Akademy 2010 Luk Tvrd Who I am Alumnus of VB-TU Ostrava, Czech Republic How did I get involved in Krita GSoC 2008: Sumi-e brush engine

669 views • 22 slides
Variable Long-Term Trends in 100+ Mineral Prices John T. Cuddington William J. Coulter Professor

Variable Long-Term Trends in 100+ Mineral Prices John T. Cuddington William J. Coulter Professor

Variable Long-Term Trends in 100+ Mineral Prices John T. Cuddington William J. Coulter Professor of Mineral Economics Colorado School of Mines August 16-17, 2012 Rio de Janeiro, Brazil Conference on The Economics and Econometrics of

333 views • 30 slides
Succinct Data Structures for NLP-at-Scale Matthias Petri Trevor Cohn Computing and Information

Succinct Data Structures for NLP-at-Scale Matthias Petri Trevor Cohn Computing and Information

Succinct Data Structures for NLP-at-Scale Matthias Petri Trevor Cohn Computing and Information Systems The University of Melbourne, Australia first.last@unimelb.edu.au November 20, 2016 Who are we? Trevor Cohn, University of Melbourne

2.2k views • 176 slides
Current numbers of Spain Cases in Spain Confirmed cases Deaths Recovered COVID-19 Cases by age

Current numbers of Spain Cases in Spain Confirmed cases Deaths Recovered COVID-19 Cases by age

Javier Benito Director Pediatric Emergency Department Cruces University Hospital Bilbao Basque Country - Spain Chairman Spanish Society of PEM Current numbers of Spain Cases in Spain Confirmed cases Deaths Recovered COVID-19 Cases

749 views • 20 slides

More recommend