string oriented programming exploring format string
play

String Oriented Programming Exploring Format String Attacks Mathias - PowerPoint PPT Presentation

Mar 09, 2024 •614 likes •850 views

String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to construct (new

  1. String Oriented Programming Exploring Format String Attacks Mathias Payer

  2. Motivation ● Additional protection mechanisms prevent many existing attack vectors ● Format string exploits are often overlooked – Drawback: hard to construct (new protection mechanisms) – Define a way to deterministically exploit format string bugs

  3. Attack model ● Attacker with restricted privileges forces escalation ● Attacker knows source code and binary ● Successful attacks – Redirect control flow to alternate location – Injected code is executed or alternate data is used for existing code

  4. Outline ● Motivation ● Attack model ● Attack vectors and protection mechanisms ● String Oriented Programming ● Conclusion

  5. Code injection* ● Injects additional code into the runtime image – Buffer overflow used to inject code as data void foo(char *usr) { char tmp[len]; strcpy (tmp, usr); } 0xfge0 0xfge0 length of user input tmp nop slide & exploit code tmp 0xfgf0 0xfgf0 saved base pointer saved base pointer don't care return address return address return address 1 st argument: usr* 1 st argument: usr* next stack frame next stack frame 0xfgfg 0xfgfg * Aleph1, Phrack #49

  6. Code injection* ● Injects additional code into the runtime image – Buffer overflow used to inject code as data void foo(char *usr) { char tmp[len]; strcpy (tmp, usr); } ● Modern hardware and operating systems separate data and code – Code injection is no longer feasible due to W ⊕ X – If the attacked program uses a JIT then WX pages might be available * Aleph1, Phrack #49

  7. Protection mechanisms ● Data Execution Prevention (DEP / ExecShield) – Enforces the executable bit ( W ⊕ X) on page granularity – Changes: HW, kernel, loader ● Address Space Layout Randomization (ASLR) – All memory addresses (heap / stack / libraries) are dynamic – Application itself is static – Changes: loader ● ProPolice (in gcc) – Uses canaries on the stack to protect from stack-based overflows – Changes: compiler

  8. Return Oriented Programming (ROP)* ● ROP prepares several stack invocation frames – Executes arbitrary code – Stack-based buffer overflow as initial attack vector 0xfge0 0xfge0 length of user input Gadget catalog (at static addrs) insns … … ret tmp (don't care) insns … … ret 0xfgf0 0xfgf0 insns … … ret saved base pointer (don't care) insns … … ret return address return address 1 st argument: usr* (data) return address next stack frame (data) 0xfgfg return address (data) 0xfgfg * Shacham, CCS'07

  9. Return Oriented Programming (ROP)* ● ROP prepares several stack invocation frames – Executes arbitrary code – Stack-based buffer overflow as initial attack vector ● Executes alternate data with existing code – Circumvents W ⊕ X – Hard to get around ASLR, ProPolice * Shacham, CCS'07

  10. Jump Oriented Programming (JOP)* ● Uses dispatchers and indirect control flow transfers – JOP extends and generalizes ROP – Any data region can be used as scratch space Scratch space (at static addrs) Gadget catalog (at static addrs) gadget address insns … … jmp * (data) insns … … jmp * gadget address insns … … jmp * (data) gadget address insns … … jmp * (data) Dispatcher, e.g., add %edx, 4; jmp *(%edx) * Bletsch et al., ASIACCS'11

  11. Jump Oriented Programming (JOP)* ● Uses dispatchers and indirect control flow transfers – JOP extends and generalizes ROP – Any data region can be used as scratch space ● Executes alternate data with existing code – Circumvents W ⊕ X – Hard to get around ASLR, ProPolice (if stack data used) * Bletsch et al., ASIACCS'11

  12. Format string attack* ● Attacker controlled format results in random writes – Format strings consume parameters on the stack – %n token inverses order of input, results in indirect memory write – Often string is on stack and can be used to store pointers printf ( "AAAACAAA" /* encode 2 halfword pointers */ ● Write 0xdeadbeef to 0x41414141: "%1$49387c" /* write 0xc0f3 – 8 bytes */ "%6$hn" /* store at second HW */ – printf("AAAACAAA%1$56997c%7$hn%1$57410c "%1$61204c%5$hn" /* repeat with 0xb007 */ %6$hn"); ); ● Random writes are used to: – Redirect control flow – Prepare/inject malicious data * many, e.g., Haas, Defcon 18

  13. Outline ● Motivation ● Attack model ● Attack vectors and protection mechanisms ● String Oriented Programming ● Conclusion

  14. String Oriented Programming (SOP) ● SOP executes arbitrary code (through data) – Needed: format string bug, attacker-controlled buffer on stack – Not needed: buffer overflow, executable memory regions ● Executing code – SOP builds on ROP/JOP – Overwrites static instruction pointers (to initial ROP/JOP gadgets)

  15. String Oriented Programming ● SOP patches and resolves addresses – Application is static (this includes .plt and .got) – Static program locations used to resolve relative addresses ● Resolving hidden functions – ASLR randomizes ~10bit for libraries – Modify parts of static .got pointers – Hidden functions can be called without loader support

  16. Running example void foo(char *arg) { char text[1024] ; // buffer on stack if ( strlen(arg) >= 1024 ) // length check return; strcpy(text, arg); printf(text); // vulnerable printf } … foo( user_str ); // unchecked user data …

  17. SOP: No Protection ● All addresses are known, no execution protection, no stack protection – Redirects control flow to code in the format string printf data printf data printf frame saved ebp ( 0xFFE4 ) saved ebp ( 0xFFE4 ) RIP to foo RIP to 0xFBD4 RIP to foo ptr to 0xFBD4 ptr to 0xFBD4 copy of &arg copy of &arg 0xFBD4 0xFBD4 … random write & 1024b buffer exploit code ... foo frame 0xFFD4 0xFFD4 ... ... 12b unused 12b unused ... ... saved ebp saved ebp eip to caller eip to caller &arg &arg main frame 0xFFF0 0xFFF0 … ? ... … ? ...

  18. SOP: Only DEP ● DEP prevents code injection, rely on ROP/JOP instead ● GNU C compiler adds frame_lift gadget printf data printf data printf frame saved ebp ( 0xFFE4 ) saved ebp ( 0xFFE4 ) RIP to foo RIP to frame_lift RIP to foo ptr to 0xFBD4 ptr to 0xFBD4 copy of &arg copy of &arg add $0x1c,%esp pop %ebx 0xFBD4 0xFBD4 pop %esi … random write & 1024b buffer pop %edi stack invocation frames ... pop %ebp foo frame ret 0xFFD4 0xFFD4 ... ... 12b unused 12b unused ... ... saved ebp saved ebp eip to caller eip to caller &arg &arg main frame 0xFFF0 0xFFF0 … ? ... … ? ...

  19. SOP: DEP & ProPolice ● ProPolice uses/enforces stack canaries – Reuse attack mechanism, keep canaries intact printf data printf data printf frame saved ebp ( 0xFFE4 ) saved ebp ( 0xFFE4 ) RIP to foo RIP to frame_lift RIP to foo ptr to 0xFBD8 ptr to 0xFBD8 copy of canary &arg copy of canary &arg add $0x1c,%esp 16b unused 16b unused pop %ebx pop %esi copy of canary &arg copy of canary &arg pop %edi 12b unused 12b unused pop %ebp 0xFBD8 0xFBD8 ret … foo frame random write & 1024b buffer stack invocation frames ... 0xFFD8 0xFFD8 stack canary stack canary 8b unused 8b unused saved ebp saved ebp eip to caller eip to caller &arg &arg main frame 0xFFF0 0xFFF0 … ? ... … ? ...

  20. SOP: ASLR, DEP, ProPolice ● Combined defenses force SOP to reuse existing code – Static code sequences in the application object – Imported functions in the application ( .plt and .got ) ● Use random byte-writes to adjust .got entries void foo(char *prn){ char text[1000]; – Enable other functions / gadgets that are not // protected on stack strcpy(text, prn); imported printf(text); // vulnerable printf puts ("logged in\n"); // 'some' function – Combine stack invocation frames and indirect } jump/call gadgets

  21. SOP: ASLR, DEP, ProPolice Application (static) Libraries, heap, stack(s) (dynamic) RX printf data .init printf frame .plt libc saved ebp ( 0xFFE4 ) (text, data, got) system@plt RIP to foo puts@plt ptr to 0xFBD8 .text copy of canary &arg lift_esp_gadget 16b unused .fini copy of canary &arg 12b unused heap RW 0xFBD8 .got: foo frame … 3 random writes & string array stack invocation frames .got.plt: … 0xFFD8 stack canary printf "/bin/sh\0" __stack_chk_fail 8b unused puts puts saved ebp eip to caller Place data in RW section ● &arg main frame 0xFFF0 Redirect imported function (JOP) … ? ... ● Use ROP for fun & profit ●

  22. Outline ● Motivation ● Attack model ● Attack vectors and protection mechanisms ● String Oriented Programming ● Conclusion

  23. Conclusion ● String Oriented Programming (SOP) – Relies on format string exploit – Extends data oriented programming (ROP / JOP) – Naturally circumvents DEP and ProPolice – Reconstructs pointers and circumvents ASLR ● Format string bugs result in complete compromise of the application and full control for the attacker – Protection against SOP needs more work (virtualization?) – Look at the complete toolchain

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to

640 views • 26 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
Format String Vulnerabilities Most slides courtesy Wenliang Du @ Syracuse Univ. (with

Format String Vulnerabilities Most slides courtesy Wenliang Du @ Syracuse Univ. (with

Format String Vulnerabilities Most slides courtesy Wenliang Du @ Syracuse Univ. (with modifications) Outline Format String Access optional arguments How printf() works Format string attack How to exploit the

798 views • 35 slides
Objects & Object Oriented Programming Weiss ch. 3 String Like any object, but: has

Objects & Object Oriented Programming Weiss ch. 3 String Like any object, but: has

Objects & Object Oriented Programming Weiss ch. 3 String Like any object, but: has a special way of creating new ones: abc creates a new String, returns reference to it has a special operator for

328 views • 22 slides
Format-String Vulnerability Instructor: Fengwei Zhang SUSTech CS 315 Computer Security 1

Format-String Vulnerability Instructor: Fengwei Zhang SUSTech CS 315 Computer Security 1

Format-String Vulnerability Instructor: Fengwei Zhang SUSTech CS 315 Computer Security 1 Outline Format String Access optional arguments How printf() works Format string attack How to exploit the vulnerability

617 views • 36 slides
CS 335 Software Development Object-Oriented Versus Functional Programming; The Visitor

CS 335 Software Development Object-Oriented Versus Functional Programming; The Visitor

CS 335 Software Development Object-Oriented Versus Functional Programming; The Visitor Pattern April 1416, 2014 Functional vs OO interface Animal { String happyNoise(); String excitedNoise(); } class Dog implements Animal { String

571 views • 17 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
String Matching String matching problem: string T (text) and string P (pattern) over an

String Matching String matching problem: string T (text) and string P (pattern) over an

String Matching String matching problem: string T (text) and string P (pattern) over an alphabet . String Matching |T| = n, |P| = m. Report all starting positions of occurrences of P in T. Inge Li Grtz P = a b a b a c a T

468 views • 9 slides
Character String 1 What we should learn about strings Representation in C String Literals

Character String 1 What we should learn about strings Representation in C String Literals

10-02-2016 Character String 1 What we should learn about strings Representation in C String Literals String Variables String Input/Output printf, scanf, gets, fgets, puts, fputs String Functions strlen, strcpy,

663 views • 18 slides
String Matching Inge Li Grtz CLRS 32 String Matching String matching problem: string

String Matching Inge Li Grtz CLRS 32 String Matching String matching problem: string

String Matching Inge Li Grtz CLRS 32 String Matching String matching problem: string T (text) and string P (pattern) over an alphabet . |T| = n, |P| = m. Report all starting positions of occurrences of P in T. P = a b a b

903 views • 43 slides
String: a Programming Example Bjrn Lisper School of Innovation, Design, and Engineering

String: a Programming Example Bjrn Lisper School of Innovation, Design, and Engineering

String: a Programming Example Bjrn Lisper School of Innovation, Design, and Engineering Mlardalen University bjorn.lisper@mdh.se http://www.idt.mdh.se/blr/ Strings: a Programming Example (revised 2013-11-21) String Processing String

570 views • 27 slides
CS 10: Problem solving via Object Oriented Programming String Finding Agenda 1. Boyer-Moore

CS 10: Problem solving via Object Oriented Programming String Finding Agenda 1. Boyer-Moore

CS 10: Problem solving via Object Oriented Programming String Finding Agenda 1. Boyer-Moore algorithm 2. Tries 2 Matching/recognizing patterns in sequences is a common CS problem Example: Find pattern in DNA data Task Find a substring

616 views • 26 slides
String Matching: Boyer-Moore Algorithm Greg Plaxton Theory in Programming Practice, Fall 2005

String Matching: Boyer-Moore Algorithm Greg Plaxton Theory in Programming Practice, Fall 2005

String Matching: Boyer-Moore Algorithm Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The (Exact) String Matching Problem Given a text string t and a pattern string p ,

407 views • 19 slides
String Objectives Discuss string handling System.String class

String Objectives Discuss string handling System.String class

String Objectives Discuss string handling System.String class System.Text.StringBuilder class 2 String class Framework Class Library provides System.String class represents immutable sequence of characters namespace

206 views • 20 slides
String matching Announcements Programming assignment 1 posted - need to submit a .sh file The

String matching Announcements Programming assignment 1 posted - need to submit a .sh file The

String matching Announcements Programming assignment 1 posted - need to submit a .sh file The .sh file should just contain what you need to type to compile and run your program from the terminal String matching Some pattern/string P occurs

818 views • 28 slides
The String Class Trace Code Constructing a String String s = "Java"; String

The String Class Trace Code Constructing a String String s = "Java"; String

The String Class Trace Code Constructing a String String s = "Java"; String message2 = new String("Welcome to Java); s = "HTML"; String s1 = new String(); Since strings are used frequently, Java provides a

225 views • 8 slides
On truncated discrete moment problems Tobias Kuna University of Reading, UK (Joint work with

On truncated discrete moment problems Tobias Kuna University of Reading, UK (Joint work with

On truncated discrete moment problems Tobias Kuna University of Reading, UK (Joint work with Maria Infusino, Joel Lebowitz, Eugene Speer) IWOTA 2019 Lisbon 26th July T. Kuna On truncated discrete moment problems Discrete truncated moment

299 views • 19 slides
recursion 2: power, binary search Oct. 4/5, 2017 1 Recall: Converting to binary (iterative)

recursion 2: power, binary search Oct. 4/5, 2017 1 Recall: Converting to binary (iterative)

COMP 250 Lecture 12 recursion 2: power, binary search Oct. 4/5, 2017 1 Recall: Converting to binary (iterative) k = 0 while n > 0 { b[ k ] = n % 2 n = n / 2 k++ } Recall that in binary needs approximately bits.

663 views • 29 slides
ALLOCATION IN C CSSE 120 Rose Hulman Institute of Technology Final Exam Facts Date:

ALLOCATION IN C CSSE 120 Rose Hulman Institute of Technology Final Exam Facts Date:

FILES & DYNAMIC MEMORY ALLOCATION IN C CSSE 120 Rose Hulman Institute of Technology Final Exam Facts Date: Wednesday, Feb 25, 2009 Time: 8:00AM to 12:00 PM Venue: O267, O269, O231, O233 Chapters: Zelle chapters 1 to 12.1,

480 views • 16 slides
Macros and Metaprogramming Dr. Mattox Beckman University of Illinois at Urbana-Champaign

Macros and Metaprogramming Dr. Mattox Beckman University of Illinois at Urbana-Champaign

Introduction Macro systems Variable Capture Macros and Metaprogramming Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Introduction Macro systems Variable Capture Objectives You should be able

551 views • 15 slides
Anne Bracy CS 3410 Computer Science Cornell University The slides are the product of many

Anne Bracy CS 3410 Computer Science Cornell University The slides are the product of many

Anne Bracy CS 3410 Computer Science Cornell University The slides are the product of many rounds of teaching CS 3410 by Professors Weatherspoon, Bala, Bracy, McKee, and Sirer. See P&H 2.8 and 2.12, and A.5-6 compute jump/branch targets

787 views • 44 slides
Processes, I/O Multiplexing David Hovemeyer 20 November 2019 David Hovemeyer Computer Systems

Processes, I/O Multiplexing David Hovemeyer 20 November 2019 David Hovemeyer Computer Systems

Processes, I/O Multiplexing David Hovemeyer 20 November 2019 David Hovemeyer Computer Systems Fundamentals: Processes, I/O Multiplexing 20 November 2019 Web server 1 Main web server loop: while (1) { int clientfd = Accept(serverfd, NULL,

547 views • 37 slides
An Introduction to Template Metaprogramming Barney Dellar Software Team Lead Toshiba Medical

An Introduction to Template Metaprogramming Barney Dellar Software Team Lead Toshiba Medical

An Introduction to Template Metaprogramming Barney Dellar Software Team Lead Toshiba Medical Visualisation Systems Caveat I decided to do this talk after getting thoroughly lost on the recent talk on SFINAE. I am not an expert on this

757 views • 50 slides
Gordon Stewart (Princeton), Mahanth Gowda (UIUC), Geoff Mainland (Drexel), Cristina Luengo (UPC),

Gordon Stewart (Princeton), Mahanth Gowda (UIUC), Geoff Mainland (Drexel), Cristina Luengo (UPC),

Gordon Stewart (Princeton), Mahanth Gowda (UIUC), Geoff Mainland (Drexel), Cristina Luengo (UPC), Anton Ekblad (Chalmers), Bozidar Radunovic (MSR), Dimitrios Vytiniotis (MSR) What is ZIRIA* A programming language for bit stream and packet

536 views • 50 slides

More recommend