removing rop gadgets from openbsd
play

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer - PowerPoint PPT Presentation

Feb 06, 2023 •982 likes •1.99k views

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview Return Oriented Programming Removing ROP Gadgets Unaligned / Polymorphic Gadget Reduction Aligned Gadget Reduction Results Return

  1. Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org

  2. Overview • Return Oriented Programming • Removing ROP Gadgets • Unaligned / Polymorphic Gadget Reduction • Aligned Gadget Reduction • Results

  3. Return Oriented Programming

  4. Return Oriented Programming • W^X means attackers cannot just upload shellcode anymore • Return Oriented Programming (ROP) is stitching bits of existing binary together in a new way to get the same e ff ect as shellcode • The bits are called Gadgets • The stitching is called a ROP Chain • To execute a ROP attack, the attacker • Loads a ROP chain in memory • Redirects execution to return o ff of the chain

  5. ROP Gadgets • A Gadget is any fragment of code that does something • Move a value to or from memory or a register • Increment a value • Zero a register • Call a function • etc… • ROP gadgets terminate in a return instruction • Can be Aligned or Unaligned return

  6. ROP Gadgets Aligned Gadget Terminates on an intended return instruction Intended Instruction Gadget Instruction 5d popq %rbp 
 5d popq %rbp 
 c3 retq c3 retq Intended Instruction Gadget Instruction 0f b6 c0 movzbl %al,%eax b6 c0 mov $0xc0, %dh 5d pop %rbp 5d pop %rbp c3 retq c3 retq

  7. ROP Gadgets Unaligned / Polymorphic Gadget Terminates on an unintended return instruction Intended Instruction Gadget Instruction 5d popq %rbp 
 8a 5d c3 movb -61(%rbp), %bl c3 retq Intended Instruction Gadget Instruction e8 c8 0a 00 00 callq 0xacd 00 48 ff addb %cl, -1(%rax) 48 ff c3 inc %rbx c3 retq

  8. ROP Chains • Each gadget ends with ‘ ret ’ • ‘ ret ’ pops an address from the stack and jumps to it • A ROP Chain strings many gadget addresses together on the stack • Gadgets are executed sequentially

  9. 
 
 ROP Chain Example • Suppose we want to make our program execute a shell • We would use the execve syscall: 
 execve(char *path, char *argv[], char *envp[]); • Given minimal arguments: 
 execve(“/bin/sh”, NULL, NULL); 
 %rdi, %rsi, %rdx • How do we make the target program do this?

  10. ROP Chain Example • Scan the target binary and identify the following useful gadgets. • 0x00000000000905ee # pop rsi ; ret • 0x000000000003b62e # pop rax ; ret • 0x00000000000004cd # pop rdi ; pop rbp ; ret • 0x0000000000068f03 # pop rdx ; ret • 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret • 0x0000000000000fa0 # xor rax, rax ; ret • 0x00000000000038fe # inc rax ; ret • 0x00000000000009c8 # syscall • We arrange these gadgets into a ROP chain and load it into the stack

  11. Stack Gadget Effect rsp 0x00000000000905ee # pop rsi ; ret 0x00000000002cd000 # @ .data 0x000000000003b62e # pop rax ; ret 0x2f62696e2f2f7368 # ”/bin//sh" 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0x00000000002cd008 # @ .data + 8 0x0000000000000fa0 # xor rax, rax ; ret 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret rax 0x4141414141414141 # padding 0x00000000000004cd # pop rdi ; pop rbp ; ret 0xffffffffffffffff 0x00000000002cd000 # @ .data rdi 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0xffffffffffffffff 0x00000000002cd008 # @ .data + 8 rsi 0x0000000000068f03 # pop rdx ; ret 0x00000000002cd008 # @ .data + 8 0xffffffffffffffff 0x0000000000000fa0 # xor rax, rax ; ret rdx 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret [… keep incrementing rax to 59 : SYS_execve] 0x2cd000 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000009c8 # syscall

  12. Stack Gadget Effect 0x00000000000905ee # pop rsi ; ret 0x00000000002cd000 # @ .data rsp 0x000000000003b62e # pop rax ; ret 0x2f62696e2f2f7368 # ”/bin//sh" 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0x00000000002cd008 # @ .data + 8 0x0000000000000fa0 # xor rax, rax ; ret 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret rax 0x4141414141414141 # padding 0x00000000000004cd # pop rdi ; pop rbp ; ret 0xffffffffffffffff 0x00000000002cd000 # @ .data rdi 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0xffffffffffffffff 0x00000000002cd008 # @ .data + 8 rsi 0x0000000000068f03 # pop rdx ; ret 0x00000000002cd008 # @ .data + 8 0x00000000002cd000 0x0000000000000fa0 # xor rax, rax ; ret rdx 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret [… keep incrementing rax to 59 : SYS_execve] 0x2cd000 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000009c8 # syscall

  13. Stack Gadget Effect 0x00000000000905ee # pop rsi ; ret 0x00000000002cd000 # @ .data 0x000000000003b62e # pop rax ; ret 0x2f62696e2f2f7368 # ”/bin//sh" rsp 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0x00000000002cd008 # @ .data + 8 0x0000000000000fa0 # xor rax, rax ; ret 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret rax 0x4141414141414141 # padding 0x00000000000004cd # pop rdi ; pop rbp ; ret 0x2f62696e2f2f7368 0x00000000002cd000 # @ .data rdi 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0xffffffffffffffff 0x00000000002cd008 # @ .data + 8 rsi 0x0000000000068f03 # pop rdx ; ret 0x00000000002cd008 # @ .data + 8 0x00000000002cd000 0x0000000000000fa0 # xor rax, rax ; ret rdx 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret [… keep incrementing rax to 59 : SYS_execve] 0x2cd000 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000009c8 # syscall

  14. Stack Gadget Effect 0x00000000000905ee # pop rsi ; ret 0x00000000002cd000 # @ .data 0x000000000003b62e # pop rax ; ret 0x2f62696e2f2f7368 # ”/bin//sh" 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret 0x4141414141414141 # padding rsp 0x00000000000905ee # pop rsi ; ret 0x00000000002cd008 # @ .data + 8 0x0000000000000fa0 # xor rax, rax ; ret 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret rax 0x4141414141414141 # padding 0x00000000000004cd # pop rdi ; pop rbp ; ret 0x2f62696e2f2f7368 0x00000000002cd000 # @ .data rdi 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0xffffffffffffffff 0x00000000002cd008 # @ .data + 8 rsi 0x0000000000068f03 # pop rdx ; ret 0x00000000002cd008 # @ .data + 8 0x00000000002cd000 0x0000000000000fa0 # xor rax, rax ; ret rdx 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret [… keep incrementing rax to 59 : SYS_execve] 0x2cd000 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0x2f62696e2f2f7368 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000009c8 # syscall

  15. Stack Gadget Effect 0x00000000000905ee # pop rsi ; ret 0x00000000002cd000 # @ .data 0x000000000003b62e # pop rax ; ret 0x2f62696e2f2f7368 # ”/bin//sh" 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0x00000000002cd008 # @ .data + 8 rsp 0x0000000000000fa0 # xor rax, rax ; ret 0x000000000001f532 # mov qword ptr [rsi], rax ; pop rbp ; ret rax 0x4141414141414141 # padding 0x00000000000004cd # pop rdi ; pop rbp ; ret 0x2f62696e2f2f7368 0x00000000002cd000 # @ .data rdi 0x4141414141414141 # padding 0x00000000000905ee # pop rsi ; ret 0xffffffffffffffff 0x00000000002cd008 # @ .data + 8 rsi 0x0000000000068f03 # pop rdx ; ret 0x00000000002cd008 # @ .data + 8 0x00000000002cd008 0x0000000000000fa0 # xor rax, rax ; ret rdx 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000038fe # inc rax ; ret [… keep incrementing rax to 59 : SYS_execve] 0x2cd000 0x00000000000038fe # inc rax ; ret 0x00000000000038fe # inc rax ; ret 0x2f62696e2f2f7368 0x00000000000038fe # inc rax ; ret 0xffffffffffffffff 0x00000000000009c8 # syscall

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org> OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Gadgets and Anti-Gadgets Leading to a Complexity Dichotomy Tyson Williams University of

Gadgets and Anti-Gadgets Leading to a Complexity Dichotomy Tyson Williams University of

Gadgets and Anti-Gadgets Leading to a Complexity Dichotomy Tyson Williams University of Wisconsin-Madison Joint with: Jin-Yi Cai (University of Wisconsin-Madison) Michael Kowalczyk (Northern Michigan University) Tyson Williams (UW-M) Gadgets

886 views • 69 slides
Gadgets and Anti-Gadgets Leading to a Complexity Dichotomy Tyson Williams University of

Gadgets and Anti-Gadgets Leading to a Complexity Dichotomy Tyson Williams University of

Gadgets and Anti-Gadgets Leading to a Complexity Dichotomy Tyson Williams University of Wisconsin-Madison Joint with: Jin-Yi Cai (University of Wisconsin-Madison) Michael Kowalczyk (Northern Michigan University) To appear at ITCS 2012 Tyson

1.06k views • 67 slides
Gadgets, Gizmos & Apps for your entertainment Fun for all ages, come enjoy the fun. Not

Gadgets, Gizmos & Apps for your entertainment Fun for all ages, come enjoy the fun. Not

Gadgets, Gizmos & Apps for your entertainment Fun for all ages, come enjoy the fun. Not all inclusive - just what I know about Gadgets, Gizmos . . . Some connection basics - wired wi-fi bluetooth Some data

194 views • 7 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe akoshibe@openbsd.org AsiaBSDCon 2018 SDN? Network split into programmable nodes that handle traffic and entities that program them

372 views • 26 slides
LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

OpenBSD rc.d(8) LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1) OpenBSD developer since 2006 ajacoutot@ aka aja@ sysmerge, rc.d, rcctl, libtool, stuff, other stuff >400 ports,

1.19k views • 64 slides
OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to be able to create VM images on OpenBSD for VMM and many other virtualizers. Philipp Bhler <pb@sysfive.com> @pb_double sysfive.com portfolio

510 views • 20 slides
OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org> Fosdem 2020, Brussels Historical setup some OpenBSD mail servers Postfix + Apache SpamAssassin + Amavisd-new + Courier Imap no shared

310 views • 20 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019 What did exist before? How does it work? What are the

491 views • 48 slides
OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

I n t ro d u c i n g OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org) ESDENERA NETWORKS GmbH Why do we need a web server in base? Serve the OpenBSD page. Why do we need a web server

264 views • 22 slides
Game of Trees Stefan Sperling < stsp@openbsd.org > EuroBSDcon 2019 What is Game of Trees?

Game of Trees Stefan Sperling < stsp@openbsd.org > EuroBSDcon 2019 What is Game of Trees?

Game of Trees Stefan Sperling < stsp@openbsd.org > EuroBSDcon 2019 What is Game of Trees? Game of Trees is a work-in-progress version control system which attempts to be appealing to OpenBSD developers. designed and written from scratch

1.08k views • 72 slides
LLVM Backend for HHVM Brett Simmers Maksim Panchenko Facebook HHVM JIT for PHP/Hack

LLVM Backend for HHVM Brett Simmers Maksim Panchenko Facebook HHVM JIT for PHP/Hack

LLVM Backend for HHVM Brett Simmers Maksim Panchenko Facebook HHVM JIT for PHP/Hack Initial work started in early 2010 Running facebook.com since February 2013 Open source! http://hhvm.com/repo wikipedia.org since December 2014

830 views • 35 slides
Binarylevel program analysis: A discussion of x8664 Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: A discussion of x8664 Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: A discussion of x8664 Gang Tan CSE 597 Spring 2019 Penn State University * These slides follow Sec 3.13 of the book CSAPP Computer Systems: A Programmers Perspective; Figures and slides are

496 views • 16 slides
and Threads CS 4411 Spring 2020 Outline for Today Intro to EGOS and GitHub Address Space

and Threads CS 4411 Spring 2020 Outline for Today Intro to EGOS and GitHub Address Space

Project 1, Processes, and Threads CS 4411 Spring 2020 Outline for Today Intro to EGOS and GitHub Address Space Layout Processes vs. Threads Context Switching Kernel vs. User-Level Threads Project 1 Overview EGOS Grass

725 views • 23 slides
Previous Lecture Slides for Lecture 5 ENCM 501: Principles of Computer Architecture Winter 2014

Previous Lecture Slides for Lecture 5 ENCM 501: Principles of Computer Architecture Winter 2014

slide 2/19 ENCM 501 W14 Slides for Lecture 5 Previous Lecture Slides for Lecture 5 ENCM 501: Principles of Computer Architecture Winter 2014 Term a little more about die yield Steve Norman, PhD, PEng measuring and reporting computer

457 views • 4 slides
Valgrind register allocator overhaul Ivo Raisr FOSDEM 2018 Ivo Raisr 39.6 GNU Toolchain

Valgrind register allocator overhaul Ivo Raisr FOSDEM 2018 Ivo Raisr 39.6 GNU Toolchain

Valgrind register allocator overhaul Ivo Raisr FOSDEM 2018 Ivo Raisr 39.6 GNU Toolchain Why? Valgrind master If-Then-Else VEX register support into IR allocator v3 VEX operation ------ IMark(0x4001CA3, 4, 0) ------ movq

573 views • 17 slides
Lecture 2: Processor Design, Single-Processor Performance G63.2011.002/G22.2945.001 September

Lecture 2: Processor Design, Single-Processor Performance G63.2011.002/G22.2945.001 September

Lecture 2: Processor Design, Single-Processor Performance G63.2011.002/G22.2945.001 September 14, 2010 Intro Basics Assembly Memory Pipelines Outline Intro The Basic Subsystems Machine Language The Memory Hierarchy Pipelines Intro

970 views • 72 slides
How Julia Goes Fast Leah Hanson Main Points 1. Design choices make Julia fast. 2. Design and

How Julia Goes Fast Leah Hanson Main Points 1. Design choices make Julia fast. 2. Design and

How Julia Goes Fast Leah Hanson Main Points 1. Design choices make Julia fast. 2. Design and implementation choices work together. 3. You should try using Julia. 1. What problem is Julia solving? 2. What design choices does that lead to? 3.

972 views • 74 slides
STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about

STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about

STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about me What misuse am I talking about? Why is it wrong? What does the standard say? What terms should we use instead? C++ AND ME Work with C++ daily

637 views • 24 slides

More recommend