
Q: Exploit Hardening Made Easy, Edward J. Schwartz, Thanassis Avgerinos, and David Brumley - PowerPoint PPT Presentation



  1. Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1

  2. Downloading Exploits: "I found a control flow hijack exploit online!" (Evil Ed, Windows 7) 8/15/2011 2

  3. 8/15/2011 3

  4. Downloading Exploits: Why didn’t the exploit work? (Evil Ed, Windows 7) 8/15/2011 4

  5. Causes of Broken Exploits: 1. Exploit used OS/binary-specific tricks/features 2. OS Defenses 8/15/2011 5

  6. OS Defenses • Modern OS defenses are designed to make exploiting difficult – ASLR: Address Space Layout Randomization – DEP: Data Execution Prevention – Do not guarantee control flow integrity • How difficult? 8/15/2011 6

  7. Exploit hardening: Modifying exploits to bypass defenses 8/15/2011 7

  8. Overview • Background: Defenses and Return Oriented Programming (ROP) • Q: ROP + Hardening – Automatic ROP – Automatic Hardening • Evaluation • Limitations • Conclusion 8/15/2011 8

  9. Simple Exploit [figure: exploit = Shellcode (the computation) + Padding + Pointer (the control)] 8/15/2011 9

  10. Data Execution Prevention (DEP) [figure: the same Shellcode + Padding + Pointer exploit now ends in a crash, because user input is non-executable] DEP: Buffers cannot be writable and executable 8/15/2011 10

  11. Bypassing DEP • Goal: Specify exploit computation even when DEP is enabled • Return Oriented Programming [S07] – Use existing instructions from program in special order to encode computation 8/15/2011 11

  12. Return Oriented Programming Example: How can we write to memory without shellcode? 8/15/2011 12

  13. Return Oriented Programming [figure: the exploit stack holds, in execution order, addr1, value, addr2, address, addr3, nextaddr; gadgets in the program: addr1: pop %eax; ret, addr2: pop %ebx; ret, addr3: movl %eax, (%ebx); ret] 8/15/2011 13

  14. Address Space Layout Randomization (ASLR) [figure: ASLR disabled: exploit reaches the gadgets; ASLR enabled: exploit crashes] ASLR: Addresses are unpredictable 8/15/2011 14

  15. Return Oriented Programming + ASLR • Bad news: Randomized code can’t be used for ROP • Good news: ASLR implementations leave small amounts of code unrandomized 8/15/2011 15

  16. ASLR in Linux (Example) [figure: Unrandomized: Program Image (the executable); Randomized: Libc, Stack, Heap] 8/15/2011 16

  17. Consequences • Challenge: Program image is often the only unrandomized code – Small – Program-specific • Prior work on ROP assumes unrandomized large code bases; can’t simply reuse • We developed new automated ROP techniques for targeting the program image 8/15/2011 17

  18. Overview • Background: Defenses and Return Oriented Programming (ROP) • Q: ROP + Hardening – Automatic ROP – Automatic Hardening • Evaluation • Limitations • Conclusion 8/15/2011 18

  19. Automatic ROP Overview [figure: Source P -> Instructions from P -> Computation] 8/15/2011 19

  20. ROP Overview [figure: Source P -> Discovery -> Arrangement -> Assignment -> Computation] 8/15/2011 20

  21. Gadget Discovery • Gadget Discovery: Does an instruction sequence do something we can use for our computation? • Fast randomized test for every program location (thousands or millions) Example from source P: sbb %eax, %eax; neg %eax; ret 8/15/2011 21

  22. Randomized Testing Semantic definition for Move: OutReg <- InReg. Candidate: sbb %eax, %eax; neg %eax; ret. Before: EAX 0x0298a7bc, CF 0x1, ESP 0x81e4f104. After: EAX 0x1, EBX 0x0298a7bc, ESP 0x81e4f108. If 10 random runs satisfy a semantic definition, then Q probably found a gadget of that type 8/15/2011 22

  23. Q’s Gadget Types

      Gadget Type       Semantic Definition         Real World Example
      MoveRegG          Out <- In                   xchg %eax, %ebp; ret
      LoadConstG        Out <- Constant             pop %ebp; ret
      ArithmeticG       Out <- In1 + In2            add %edx, %eax; ret
      LoadMemG          Out <- M[Addr + Offset]     movl 0x60(%eax), %eax; ret
      StoreMemG         M[Addr + Offset] <- In      mov %dl, 0x13(%eax); ret
      ArithmeticLoadG   Out +<- M[Addr + Offset]    add 0x1376dbe4(%ebx), %ecx; (…); ret
      ArithmeticStoreG  M[Addr + Offset] +<- In     add %al, 0x5de474c0(%ebp); ret

      8/15/2011 23


  26. Randomized Testing • Randomized testing tells us we likely found a gadget – Fast; filters out many candidates – Enables more expensive second stage • Second stage: SMT-based gadget discovery – Gadget discovery is program verification 8/15/2011 26

  27. SMT-Based Gadget Discovery [figure: sbb %eax, %eax; neg %eax; ret -> Weakest Precondition [D76] -> F: EAX <- CF -> SMT Validity Check -> Valid (Gadget) or Invalid (not Gadget)]

  28. SMT-Based Gadget Discovery • Q is better at finding gadgets than I am! Move %eax to %ebx: imul $1, %eax, %ebx; ret. Store %ebx+%ecx in %eax: lea (%ebx,%ecx,1), %eax; ret. Move carry flag to %eax: sbb %eax, %eax; neg %eax; ret 8/15/2011 28
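An added illustration of the randomized-testing filter from slides 21-22 and the gadgets of slide 28; this is example code, not Q's implementation. The two instruction sequences are modelled by hand as functions on a register/flag dictionary (Q derives semantics from its own IL), the semantic definitions are written as predicates on the before and after states, and the slide 22 concrete run is replayed. EBX is not shown in the slide's before-state, so the value it shows afterwards is assumed as the input.

```python
import random

MASK32 = 0xFFFFFFFF

def sbb_neg_ret(state):
    """Model of 'sbb %eax, %eax; neg %eax; ret' on a register/flag dict."""
    s = dict(state)
    # sbb %eax, %eax computes eax - eax - CF: 0 when CF=0, 0xffffffff when CF=1.
    s["EAX"] = (-s["CF"]) & MASK32
    # neg %eax: two's-complement negate; CF becomes 1 iff the operand was non-zero.
    s["CF"] = 1 if s["EAX"] else 0
    s["EAX"] = (-s["EAX"]) & MASK32
    s["ESP"] = (s["ESP"] + 4) & MASK32        # ret pops the return address
    return s

def imul_one_ret(state):
    """Model of 'imul $1, %eax, %ebx; ret' (slide 28: moves %eax to %ebx)."""
    s = dict(state)
    s["EBX"] = (s["EAX"] * 1) & MASK32        # low 32 bits of the product
    s["ESP"] = (s["ESP"] + 4) & MASK32
    return s

# Semantic definitions in the style of slide 23, as predicates on (before, after).
def moves_cf_to_eax(before, after):           # EAX <- CF
    return after["EAX"] == before["CF"]

def moves_eax_to_ebx(before, after):          # EBX <- EAX
    return after["EBX"] == before["EAX"]

def random_state(rng):
    return {"EAX": rng.getrandbits(32), "EBX": rng.getrandbits(32),
            "CF": rng.getrandbits(1), "ESP": rng.getrandbits(32) & ~3}

def satisfies(candidate, semantic, runs=10, seed=1):
    """Slide 22 filter: True if all `runs` random executions meet the definition.
    Passing is evidence of a gadget, not proof; slide 26 adds the SMT check."""
    rng = random.Random(seed)
    return all(semantic(b, candidate(b)) for b in (random_state(rng) for _ in range(runs)))

def slide22_run():
    """Replay the concrete before-state of slide 22 and return the after-state."""
    before = {"EAX": 0x0298a7bc, "EBX": 0x0298a7bc, "CF": 1, "ESP": 0x81e4f104}
    return sbb_neg_ret(before)
```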

  29. ROP Overview [figure: Source P -> Discovery -> Arrangement -> Assignment -> Computation] 8/15/2011 29

  30. Gadget Arrangement • Gadget Arrangement: How can gadget types be combined to implement a computation? • Alternate view: Compile user computation for gadget type architecture • Example : M[0xcafecafe] := 0xdeadbeef 8/15/2011 30

  31. Arrangement: Storing to Memory [figure: T1 = LoadConst deadbeef (Value); T2 = LoadConst cafecafe (Address); T3 = StoreMem, u32] 8/15/2011 31

  32. Gadget Arrangement How can we write to memory without StoreMem? 8/15/2011 32

  33. Arrangement: Storing to Memory [figure: T1 = LoadConst 0 (Value); T2 = LoadConst cafecafe (Address); T3 = ArithmeticStore, u32, Bitwise And] Writes zero to M[cafecafe] 8/15/2011 33

  34. Arrangement: Storing to Memory [figure: T1 = LoadConst deadbeef (Value); T2 = LoadConst cafecafe (Address); T3 = ArithmeticStore, u32, Plus] Adds deadbeef to M[cafecafe]: 0 + deadbeef = deadbeef 8/15/2011 34

  35. Gadget Arrangement • Gadget types are often unavailable – Synthesize alternatives on the fly • Flexible arrangement rules are necessary for small code bases 8/15/2011 35
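An added example, not Q's code: a toy model of the "gadget type architecture" from slide 23, used to execute the arrangements of slides 31-34 and show that the synthesized Bitwise And + Plus sequence stores the same word as a StoreMem gadget would. Registers and memory are plain dictionaries, temporaries T1/T2 are treated as registers, and the stale value in the target word is constructed to show why the clearing step is needed.

```python
MASK32 = 0xFFFFFFFF

def run_arrangement(arrangement, regs=None, mem=None):
    """Execute gadget-type steps on a model machine using the slide 23 semantics.
    regs: name -> 32-bit value, mem: address -> 32-bit word. Returns (regs, mem)."""
    regs, mem = dict(regs or {}), dict(mem or {})
    for kind, ops in arrangement:
        off = ops.get("offset", 0)
        if kind == "LoadConstG":            # Out <- Constant
            regs[ops["out"]] = ops["const"] & MASK32
        elif kind == "MoveRegG":            # Out <- In
            regs[ops["out"]] = regs[ops["in"]]
        elif kind == "ArithmeticG":         # Out <- In1 op In2
            regs[ops["out"]] = ops["op"](regs[ops["in1"]], regs[ops["in2"]]) & MASK32
        elif kind == "LoadMemG":            # Out <- M[Addr + Offset]
            regs[ops["out"]] = mem.get((regs[ops["addr"]] + off) & MASK32, 0)
        elif kind == "StoreMemG":           # M[Addr + Offset] <- In
            mem[(regs[ops["addr"]] + off) & MASK32] = regs[ops["in"]]
        elif kind == "ArithmeticStoreG":    # M[Addr + Offset] <- M[Addr + Offset] op In
            addr = (regs[ops["addr"]] + off) & MASK32
            mem[addr] = ops["op"](mem.get(addr, 0), regs[ops["in"]]) & MASK32
        else:
            raise ValueError("unknown gadget type: " + kind)
    return regs, mem

TARGET, VALUE = 0xCAFECAFE, 0xDEADBEEF

# Slide 31: the direct arrangement, which needs a StoreMem gadget type.
DIRECT = [("LoadConstG", {"out": "T1", "const": VALUE}),     # Value
          ("LoadConstG", {"out": "T2", "const": TARGET}),    # Address
          ("StoreMemG", {"addr": "T2", "in": "T1"})]

# Slides 33-34: no StoreMem available, so synthesize one from ArithmeticStore:
# AND with 0 clears whatever M[T2] held, then PLUS writes the value in.
SYNTHESIZED = [("LoadConstG", {"out": "T1", "const": 0}),
               ("LoadConstG", {"out": "T2", "const": TARGET}),
               ("ArithmeticStoreG", {"addr": "T2", "in": "T1", "op": lambda m, v: m & v}),
               ("LoadConstG", {"out": "T1", "const": VALUE}),
               ("ArithmeticStoreG", {"addr": "T2", "in": "T1", "op": lambda m, v: m + v})]

# What goes wrong without the clearing step: PLUS alone adds to stale contents.
PLUS_ONLY = SYNTHESIZED[1:2] + SYNTHESIZED[3:]

def stored_word(arrangement, mem_before):
    """Run an arrangement from a given initial memory and return M[TARGET]."""
    return run_arrangement(arrangement, mem=mem_before)[1][TARGET]
```

Running `stored_word(PLUS_ONLY, {TARGET: 0x12345678})` (a constructed stale value) returns the sum rather than deadbeef, which is the arrangement rule slide 33 encodes.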

  36. ROP Overview [figure: Source P -> Discovery -> Arrangement -> Assignment -> Computation] 8/15/2011 36

  37. Assignment • Gadget Assignment: Assign concrete gadgets found in source program to arrangements • Assignments must be compatible 8/15/2011 37

  38. Assignment: Register Mismatch [figure: LoadConst deadbeef -> pop %eax; ret; LoadConst cafecafe -> pop %ebx; ret; StoreMem, u32 -> mov %eax, (%ecx); ret] CONFLICT: %ebx and %ecx mismatch 8/15/2011 38

  39. Gadget Assignment • Need to search over – Gadgets – Schedules • We developed a dynamic programming approach to find assignments • Easy to print payload bytes from an assignment 8/15/2011 39
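An added example of the compatibility check behind slides 37-39, not Q's code: the arrangement from slide 31 names temporaries, each candidate gadget names the concrete registers it reads and writes, and an assignment is compatible only if every temporary is bound to a single register. The candidate set is the one drawn on slide 38; the search here is a brute-force product over candidates with the schedule fixed, not Q's dynamic programming, and the `pop %ecx; ret` candidate is a hypothetical addition to show what the slide 38 set lacks.

```python
from itertools import product

# Slide 38 candidates (constructed): gadget type -> [(instructions, {role: register})].
CANDIDATES = {
    "LoadConstG": [("pop %eax; ret", {"out": "eax"}),
                   ("pop %ebx; ret", {"out": "ebx"})],
    "StoreMemG":  [("mov %eax, (%ecx); ret", {"in": "eax", "addr": "ecx"})],
}

# Slide 31 arrangement: each step names the temporaries (T1 = value, T2 = address)
# that its roles must be bound to.
ARRANGEMENT = [
    ("LoadConstG", {"out": "T1"}),
    ("LoadConstG", {"out": "T2"}),
    ("StoreMemG",  {"in": "T1", "addr": "T2"}),
]

def check_assignment(arrangement, chosen):
    """Bind temporaries to registers step by step.
    Returns (True, binding) if every temporary maps to exactly one register,
    or (False, reason) at the first register mismatch."""
    binding = {}
    for (_, roles), (_, regs) in zip(arrangement, chosen):
        for role, temp in roles.items():
            reg = regs[role]
            if binding.setdefault(temp, reg) != reg:
                return False, f"{temp} conflict: {binding[temp]} vs {reg}"
    return True, binding

def find_assignment(arrangement, candidates):
    """Try one candidate per step (schedule order fixed) and return
    (gadget list, binding) for the first compatible choice, or None."""
    options = [candidates[kind] for kind, _ in arrangement]
    for chosen in product(*options):
        ok, result = check_assignment(arrangement, chosen)
        if ok:
            return [insns for insns, _ in chosen], result
    return None

# Hypothetical extra candidate (not on the slide): a LoadConst into %ecx is exactly
# what the slide 38 set is missing, and with it the arrangement becomes assignable.
WITH_ECX = {**CANDIDATES,
            "LoadConstG": CANDIDATES["LoadConstG"] + [("pop %ecx; ret", {"out": "ecx"})]}
```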

  40. Overview • Background: Defenses and Return Oriented Programming (ROP) • Q: ROP + Hardening – Automatic ROP – Automatic Hardening • Evaluation • Limitations • Conclusion 8/15/2011 40

  41. Exploit Hardening [figure: Old Exploit (stopped by DEP+ASLR) + ROP Payload -> Hardened Exploit (bypasses DEP+ASLR)] 8/15/2011 41

  42. Trace-based Analysis • Record P on the old exploit [figure: Branch 1, Branch 2, Branch 3] • Stop at vulnerability condition 8/15/2011 42

  43. Reasoning about Executions [figure: Symbolic Execution [SAB10] -> Logical Formula for all inputs on path] 8/15/2011 43

  44. Exploit Constraints [figure: Path constraints, Exploit] 8/15/2011 44

  45. Exploit Constraints How do we ensure the ROP payload gets in the exploit? Exploit constraints: M[ESP] = &gadget1, M[ESP+off1] = &gadget2, M[ESP+off2] = &gadget3 [figure: Exploit Path Constraints + Exploit Constraints -> SMT -> Exploit carrying the gadgets] 8/15/2011 45

  46. Demo! 8/15/2011 46

  47. Overview • Background: Defenses and Return Oriented Programming (ROP) • Q: ROP + Hardening – Automatic ROP – Automatic Hardening • Evaluation • Limitations • Conclusion 8/15/2011 47

  48. Evaluation Questions 1. Can Q harden exploits for real binary programs? 2. How much unrandomized code is sufficient to create ROP payloads? 8/15/2011 48

  49. Real Exploits • Q was able to automatically harden nine exploits downloaded from exploit-db.com

      Name                             Total Time   OS
      Free CD to MP3 Converter         130s         Windows 7
      Fatplayer                        133s         Windows 7
      A-PDF Converter                  378s         Windows 7
      A-PDF Converter (SEH exploit)    357s         Windows 7
      MP3 CD Converter Pro             158s         Windows 7
      rsync                            65s          Linux
      opendchub                        225s         Linux
      gv                               237s         Linux
      Proftpd                          44s          Linux

      8/15/2011 49
