on the effectiveness of nx ssp renewssp and aslr against
play

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack - PowerPoint PPT Presentation

Feb 26, 2024 •168 likes •528 views

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

  1. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) 2014 IEEE 13th International Symposium on Network Computing and Applications August 21-23, 2014

  2. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Table of contents Motivation 1 Introduction 2 Stack buffer overflow vulnerabilities Type of severs Protection techniques Threats 3 Bypassing NX, SSP, RenewSSP and ASLR Analysis of the protection techniques 4 Single process Inetd server Forking server Results and conclusions 5

  3. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Motivation Motivation Buffer overflows are still a major software threat. [Top 25] The NX, SSP, RenewSSP and ASLR protection techniques: Try to defeat/mitigate stack buffer overflows. Used on modern operating systems like Windows, Linux, Android etc,. New attack vectors , not considered when these techniques were developed, makes necessary to reassess their effectiveness to avoid a false sense of security. We reassess the NX, SSP, RenewSSP and ASLR exploiting a stack buffer overflow on: Single process, Inted and Forking servers.

  4. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Stack buffer overflow vulnerabilities The study has been focused on the stack buffer overflow vulnerabilities, considering multiple attack vectors. void func2( char *str, int lstr){ void func1( char *src, int lsrc) char buff[48]; { int i = 0; char buff[48]; ... int i = 0; for (i = 0; i < lstr; i++) { ... if (str[i] != ’\n’) memcpy(buff, src, lsrc); buff[lbuff++] = str[i]; ... ... } } Listing 1: memcpy example. Listing 2: loop example. Exploit successfully these vulnerabilities depends on the kind of server. It is more reliable to exploit these vulnerabilities on forking servers.

  5. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Example 1/3 %gs:0x14 reference canary Higher arg 3 addresses arg 2 arg 1 return address saved frame ptr function1() frame canary stack frame buffers saved reg 1 saved reg 2 arg 1 return address function2() saved frame ptr stack frame frame canary saved reg 1 Lower addresses Stack growth

  6. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Example 2/3 %gs:0x14 reference canary Higher arg 3 addresses arg 2 arg 1 return address saved frame ptr function1() frame canary stack frame buffers saved reg 1 saved reg 2 arg 1 return address function2() saved frame ptr stack frame frame canary saved reg 1 Lower addresses Stack growth

  7. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Example 3/3 %gs:0x14 reference canary Higher arg 3 addresses arg 2 arg 1 return address saved frame ptr function1() frame canary stack frame buffers = NO! saved reg 1 saved reg 2 arg 1 return address function2() saved frame ptr stack frame frame canary saved reg 1 Lower addresses Stack growth

  8. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Type of servers Single server: An incorrect attempt attack → crash → service stopped. Little chances to break into the server but easy to do a DoS. No real servers use this model.

  9. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Type of servers Single server: An incorrect attempt attack → crash → service stopped. Little chances to break into the server but easy to do a DoS. No real servers use this model. Inted server: An incorrect attempt attack → crash → relaunch the service. Every attempt → renew all secrets. ( fork()+exec() → attend() ) Paranoid servers (SSH suit) or services through the Inted (ftpd) .

  10. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Type of servers Single server: An incorrect attempt attack → crash → service stopped. Little chances to break into the server but easy to do a DoS. No real servers use this model. Inted server: An incorrect attempt attack → crash → relaunch the service. Every attempt → renew all secrets. ( fork()+exec() → attend() ) Paranoid servers (SSH suit) or services through the Inted (ftpd) . Forking server: An incorrect attempt attack → crash → use a new child. Every attempt → not renew all secrets. ( fork() → attend() ) . Most servers use it. Examples: Apache, lighttpd, etc.

  11. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Protection techniques NX or DEP: Executable pages are not writable. Prevent the execution of the injected code.

  12. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Protection techniques NX or DEP: Executable pages are not writable. Prevent the execution of the injected code. SSP: Random value placed on the stack initially to protect the return address. Detects stack buffer overflows and aborts the execution.

  13. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Protection techniques NX or DEP: Executable pages are not writable. Prevent the execution of the injected code. SSP: Random value placed on the stack initially to protect the return address. Detects stack buffer overflows and aborts the execution. ASLR: New process are loaded randomly in the main memory. Prevents attacks relying on the knowing absolute addresses.

  14. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Introduction Protection techniques NX or DEP: Executable pages are not writable. Prevent the execution of the injected code. SSP: Random value placed on the stack initially to protect the return address. Detects stack buffer overflows and aborts the execution. ASLR: New process are loaded randomly in the main memory. Prevents attacks relying on the knowing absolute addresses. RenewSSP: A recent modification of the SSP. Prevents SSP brute force attacks on forking servers.

  15. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Threats Bypassing NX, SSP, RenewSSP and ASLR 1/3 NX/DEP: Using attacks that do not require to execute the injected code. Modern attacks do not inject code but use ROP, JOP etc.

  16. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Threats Bypassing NX, SSP, RenewSSP and ASLR 1/3 NX/DEP: Using attacks that do not require to execute the injected code. Modern attacks do not inject code but use ROP, JOP etc. SSP-tat (SSP trial-and-test): The canary value is replaced after each trial. (sampling with replacement) The attacker can try at will but can not discard already tested values.

  17. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Threats Bypassing NX, SSP, RenewSSP and ASLR 1/3 NX/DEP: Using attacks that do not require to execute the injected code. Modern attacks do not inject code but use ROP, JOP etc. SSP-tat (SSP trial-and-test): The canary value is replaced after each trial. (sampling with replacement) The attacker can try at will but can not discard already tested values. SSP-bff (SSP brute-force-full): The canary value is the same in every trial. (sampling without replacement) The attacker can build a brute force attack to obtain the canary.

  18. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Threats Bypassing NX, SSP, RenewSSP and ASLR 2/3 SSP-bfb (SSP byte-for-byte): The canary value is the same in every trial. (sampling without replacement) The attacker can build a brute force attack but trying all possible values of each byte sequentially.

  19. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Threats Bypassing NX, SSP, RenewSSP and ASLR 2/3 SSP-bfb (SSP byte-for-byte): The canary value is the same in every trial. (sampling without replacement) The attacker can build a brute force attack but trying all possible values of each byte sequentially. RenewSSP-tat (RenewSSP trial-and-test): The canary value is replaced after each trial. (sampling with replacement) Only trial-and-test is possible independently of type of server (single, inted or forking)

  20. On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco Threats Bypassing NX, SSP, RenewSSP and ASLR 2/3 SSP-bfb (SSP byte-for-byte): The canary value is the same in every trial. (sampling without replacement) The attacker can build a brute force attack but trying all possible values of each byte sequentially. RenewSSP-tat (RenewSSP trial-and-test): The canary value is replaced after each trial. (sampling with replacement) Only trial-and-test is possible independently of type of server (single, inted or forking) ASLR-bff (ASLR brute force full): The memory map is the same in all trials. (sampling without replacement) The attacker can build a brute force attack trying all possible addresses.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec)

1.05k views • 62 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec Erik Bosman @brainsmoke Kaveh Razavi @gober Ben Gras @bjg Stephan van Schaik ASLR Address Space Layout Randomiza on Widely deployed

1.75k views • 137 slides
From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android Byoungyoung Lee Long Lu Tielei Wang Taesoo Kim Wenke Lee Georgia Tech,

635 views • 30 slides
Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for one week! Due: Lab05 is out and its due on Oct 5 at midnight Lab10: NSA Codebreaker Challenge Due: Nov 29 Offline CTF (Nov

880 views • 19 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse A9acks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, Wenke Lee

605 views • 45 slides
Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Congrats!! We've completed the half of labs! Due: Lab06 is out and its due on Oct 5 at midnight NSA Codebreaker Challenge Due:

1.13k views • 43 slides
How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

833 views • 44 slides
String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to

640 views • 26 slides
Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei Wang Chengyu Song Long Lu Taesoo Kim Wenke Lee Georgia Tech Information Security Center (Rough) System Attack Trends Executing existing code

661 views • 50 slides
Determining the Determining the Effectiveness &amp; ROI Effectiveness &amp; ROI of Your GRC

Determining the Determining the Effectiveness &amp; ROI Effectiveness &amp; ROI of Your GRC

6/18/2012 Effectiveness &amp; ROI of GRC June 22, 2012 1 Determining the Determining the Effectiveness &amp; ROI Effectiveness &amp; ROI of Your GRC Program of Your GRC Program Bob Conlin, Chief Products Officer SCCE Regional Conference June

503 views • 9 slides
Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester Rebeiro Indian Institute of Technology Madras Parts of Malware Two parts Subvert execution: change the normal execution behavior of the program

1.25k views • 102 slides
Contextual factors of the external effectiveness of the university effectiveness of the

Contextual factors of the external effectiveness of the university effectiveness of the

19th International Conference on Computational Statistics Paris - France, August 22-27 Contextual factors of the external effectiveness of the university effectiveness of the university education: a multilevel approach Matilde Bini European

823 views • 14 slides
Educator Effectiveness Grant New Teacher S upport and Development Educator Effectiveness Grant

Educator Effectiveness Grant New Teacher S upport and Development Educator Effectiveness Grant

Educator Effectiveness Grant New Teacher S upport and Development Educator Effectiveness Grant In June 2015, Governor Jerry Brown and the state Legislature allocated $500 million dollars to support educator effectiveness, primarily for our

562 views • 17 slides
Linking integrals in three-dimensional geometries D. DeTurck University of Pennsylvania March 7,

Linking integrals in three-dimensional geometries D. DeTurck University of Pennsylvania March 7,

Linking integrals in three-dimensional geometries D. DeTurck University of Pennsylvania March 7, 2014 D. DeTurck Tetrahedral Geometry/Topology Seminar 1 / 32 Gauss linking integral Carl Friedrich Gauss, in a half-page paper dated January 22,

342 views • 33 slides
Near Atomic Resolution cryoEM: How Far Can We Go? Melody Campbell &amp; David Veesler Automated

Near Atomic Resolution cryoEM: How Far Can We Go? Melody Campbell &amp; David Veesler Automated

Near Atomic Resolution cryoEM: How Far Can We Go? Melody Campbell &amp; David Veesler Automated Molecular Imaging National Resource for automated Molecular Microscopy The Scripps Research Institute The revolution 2013 2012 2008

531 views • 40 slides
The Molecular Basis of N End Rule Recognition Kevin H. Wang, Giselle Roman Hernandez,

The Molecular Basis of N End Rule Recognition Kevin H. Wang, Giselle Roman Hernandez,

The Molecular Basis of N End Rule Recognition Kevin H. Wang, Giselle Roman Hernandez, Robert A. Grant, Robert T S T. Sauer, and Tania A. Baker d T i A B k Molecular Cell 32 , 406 414, 2008 Speaker: Ching-Han Shen Advisor: Chii-Shen

407 views • 22 slides
Exploiting State Information to Support QoS in Software-Defined WSNs Paolo Di Dio ,

Exploiting State Information to Support QoS in Software-Defined WSNs Paolo Di Dio ,

Exploiting State Information to Support QoS in Software-Defined WSNs Paolo Di Dio , Salvatore Faraci , Laura Galluccio, Sebastiano Milardo , Giacomo Morabito, Sergio Palazzo, and Patrizia Livreri CNIT Research Unit

902 views • 36 slides
Outline Background information Motivation Two-level control signal Controller design

Outline Background information Motivation Two-level control signal Controller design

T WO - LEVEL C ONTROL OF Processes with Dead Time and Input Constraints Qing-Chang Zhong and Chang-Chieh Hang zhongqc@ieee.org, enghcc@nus.edu.sg School of Electronics University of Glamorgan United Kingdom Dept. of Elec.

459 views • 25 slides
Applied Nonparametric Bayes Michael I. Jordan Department of Electrical Engineering and Computer

Applied Nonparametric Bayes Michael I. Jordan Department of Electrical Engineering and Computer

Applied Nonparametric Bayes Michael I. Jordan Department of Electrical Engineering and Computer Science Department of Statistics University of California, Berkeley http://www.cs.berkeley.edu/ jordan Acknowledgments : Yee Whye Teh, Romain

925 views • 54 slides
IceCube Search for Galactic Neutrino Sources based on HAWC Observations of the Milky Way Ali

IceCube Search for Galactic Neutrino Sources based on HAWC Observations of the Milky Way Ali

IceCube Search for Galactic Neutrino Sources based on HAWC Observations of the Milky Way Ali Kheirandish TAUP 2019, Toyama, Japan Galactic Cosmic Ray Accelerators The search for Galactic cosmic neutrino sources concentrates on the search for

621 views • 22 slides
in NHL Constantine Tam St Vincents Hospital Peter MacCallum Cancer Center University of

in NHL Constantine Tam St Vincents Hospital Peter MacCallum Cancer Center University of

Zanubrutinib (BGB-3111) in NHL Constantine Tam St Vincents Hospital Peter MacCallum Cancer Center University of Melbourne BTKi in Waldenstrom Macroglobulinemia First-generation BTK inhibitor Ibrutinib has shown activity in WM and

482 views • 23 slides

More recommend