string oriented programming
play

String Oriented Programming Circumventing ASLR, DEP, and other - PowerPoint PPT Presentation

May 19, 2023 •362 likes •640 views

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to

  1. String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zürich

  2. Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked ● Drawback: hard to construct (new protection mechanisms) ● Define a way to deterministically exploit format string bugs 2011-12-27 Mathias Payer, ETH Zürich 2

  3. Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked ● Drawback: hard to construct (new protection mechanisms) ● Define a way to deterministically exploit format string bugs 2011-12-27 Mathias Payer, ETH Zürich 3

  4. Attack model Attacker with restricted privileges forces escalation Attacker knows source code and binary Successful attacks ● Redirect control flow to alternate location ● Injected code is executed or alternate data is used for existing code 2011-12-27 Mathias Payer, ETH Zürich 4

  5. Outline Motivation Attack model Attack vectors and protection mechanisms String Oriented Programming Conclusion 2011-12-27 Mathias Payer, ETH Zürich 5

  6. Code injection* Injects additional code into the runtime image ● Buffer overflow used to inject code as data void foo(char *usr) { char tmp[len]; strcpy (tmp, usr); } 0xffe0 0xffe0 length of user input tmp nop slide & exploit code tmp 0xfff0 0xfff0 saved base pointer saved base pointer don't care return address return address return address 1 st argument: usr* 1 st argument: usr* next stack frame next stack frame 0xffff 0xffff * Aleph1, Phrack #49 2011-12-27 Mathias Payer, ETH Zürich 6

  7. Code injection* Injects additional code into the runtime image ● Buffer overflow used to inject code as data void foo(char *usr) { char tmp[len]; strcpy (tmp, usr); } Modern hardware and operating systems separate data and code ● Code injection is no longer feasible due to W ⊕ X ● If the attacked program uses a JIT then WX pages might be available * Aleph1, Phrack #49 2011-12-27 Mathias Payer, ETH Zürich 7

  8. Protection mechanisms Data Execution Prevention (DEP / ExecShield) ● Enforces the executable bit ( W ⊕ X) on page granularity ● Changes: HW, kernel, loader Address Space Layout Randomization (ASLR) ● All memory addresses (heap / stack / libraries) are dynamic ● Application itself is static ● Changes: loader ProPolice (in gcc) ● Uses canaries on the stack to protect from stack-based overflows ● Changes: compiler 2011-12-27 Mathias Payer, ETH Zürich 8

  9. Return Oriented Programming (ROP)* ROP prepares several stack invocation frames ● Executes arbitrary code ● Stack-based buffer overflow as initial attack vector 0xffe0 0xffe0 length of user input Gadget catalog (at static addrs) insns … … ret tmp (don't care) insns … … ret 0xfff0 0xfff0 insns … … ret saved base pointer (don't care) insns … … ret return address return address 1 st argument: usr* (data) return address next stack frame (data) 0xffff return address (data) 0xffff * Shacham, CCS'07 2011-12-27 Mathias Payer, ETH Zürich 9

  10. Return Oriented Programming (ROP)* ROP prepares several stack invocation frames ● Executes arbitrary code ● Stack-based buffer overflow as initial attack vector Executes alternate data with existing code ● Circumvents W ⊕ X ● Hard to get around ASLR, ProPolice * Shacham, CCS'07 2011-12-27 Mathias Payer, ETH Zürich 10

  11. Jump Oriented Programming (JOP)* Uses dispatchers and indirect control flow transfers ● JOP extends and generalizes ROP ● Any data region can be used as scratch space Scratch space (at static addrs) Gadget catalog (at static addrs) gadget address insns … … jmp * (data) insns … … jmp * gadget address insns … … jmp * (data) gadget address insns … … jmp * (data) Dispatcher, e.g., add %edx, 4; jmp *(%edx) * Bletsch et al., ASIACCS'11 2011-12-27 Mathias Payer, ETH Zürich 11

  12. Jump Oriented Programming (JOP)* Uses dispatchers and indirect control flow transfers ● JOP extends and generalizes ROP ● Any data region can be used as scratch space Executes alternate data with existing code ● Circumvents W ⊕ X ● Hard to get around ASLR, ProPolice (if stack data used) * Bletsch et al., ASIACCS'11 2011-12-27 Mathias Payer, ETH Zürich 12

  13. Format string attack* Attacker controlled format results in random writes ● Format strings consume parameters on the stack ● %n token inverses order of input, results in indirect memory write ● Often string is on stack and can be used to store pointers Write 0xc0f3babe to 0x41414141: ● printf("AAAACAAA%1$49387c%6$hn%1$63947c%5$hn"); printf ( "AAAACAAA" /* encode 2 halfword pointers */ Random writes are used to: "%1$49387c" /* write 0xc0f3 – 8 bytes */ "%6$hn" /* store at second HW */ ● Redirect control flow "%1$63947c%5$hn" /* repeat with 0xbabe */ ); ● Prepare/inject malicious data * many, e.g., Haas, Defcon 18 2011-12-27 Mathias Payer, ETH Zürich 13

  14. Format string attack* Attacker controlled format results in random writes ● Format strings consume parameters on the stack ● %n token inverses order of input, results in indirect memory write ● Often string is on stack and can be used to store pointers Write 0xc0f3babe to 0x41414141: ● printf("AAAACAAA%1$49387c%6$hn%1$63947c%5$hn"); Random writes are used to: ● Redirect control flow ● Prepare/inject malicious data * many, e.g., Haas, Defcon 18 2011-12-27 Mathias Payer, ETH Zürich 14

  15. Outline Motivation Attack model Attack vectors and protection mechanisms String Oriented Programming Conclusion 2011-12-27 Mathias Payer, ETH Zürich 15

  16. String Oriented Programming (SOP) SOP executes arbitrary code (through data) ● Needed: format string bug, attacker-controlled buffer on stack ● Not needed: buffer overflow, executable memory regions Executing code ● SOP builds on ROP/JOP ● Overwrites static instruction pointers (to initial ROP/JOP gadgets) 2011-12-27 Mathias Payer, ETH Zürich 16

  17. String Oriented Programming SOP patches and resolves addresses ● Application is static (this includes application's .plt and .got) ● Static program locations used to resolve relative addresses Resolving hidden functions ● ASLR randomizes ~10bit for libraries ● Modify parts of static .got pointers ● Hidden functions can be called without loader support 2011-12-27 Mathias Payer, ETH Zürich 17

  18. Running example void foo(char *arg) { char text[1024] ; // buffer on stack if ( strlen(arg) >= 1024 ) // length check return; strcpy(text, arg); printf(text); // vulnerable printf } … foo( user_str ); // unchecked user data … 2011-12-27 Mathias Payer, ETH Zürich 18

  19. SOP: No Protection All addresses are known, no execution protection, no stack protection ● Redirects control flow to code in the format string itself printf data printf data printf frame saved ebp ( 0xFFE4 ) saved ebp ( 0xFFE4 ) RIP to foo RIP to 0xFBD4 RIP to foo ptr to 0xFBD4 ptr to 0xFBD4 copy of &arg copy of &arg 0xFBD4 0xFBD4 … random write & 1024b buffer exploit code ... foo frame 0xFFD4 0xFFD4 ... ... 12b unused 12b unused ... ... saved ebp saved ebp eip to caller eip to caller &arg &arg main frame 0xFFF0 0xFFF0 … ? ... … ? ... 2011-12-27 Mathias Payer, ETH Zürich 19

  20. SOP: Only DEP DEP prevents code injection, rely on ROP/JOP instead GNU C compiler adds frame_lift gadget printf data printf data printf frame saved ebp ( 0xFFE4 ) saved ebp ( 0xFFE4 ) RIP to foo RIP to frame_lift RIP to foo ptr to 0xFBD4 ptr to 0xFBD4 copy of &arg copy of &arg add $0x1c,%esp pop %ebx 0xFBD4 0xFBD4 pop %esi … random write & 1024b buffer pop %edi stack invocation frames ... pop %ebp foo frame ret 0xFFD4 0xFFD4 ... ... 12b unused 12b unused ... ... saved ebp saved ebp eip to caller eip to caller &arg &arg main frame 0xFFF0 0xFFF0 … ? ... … ? ... 2011-12-27 Mathias Payer, ETH Zürich 20

  21. SOP: DEP & ProPolice ProPolice uses/enforces stack canaries ● Reuse attack mechanism, keep canaries intact printf data printf data printf frame saved ebp ( 0xFFE4 ) saved ebp ( 0xFFE4 ) RIP to foo RIP to frame_lift RIP to foo ptr to 0xFBD8 ptr to 0xFBD8 copy of canary &arg copy of canary &arg add $0x1c,%esp 16b unused 16b unused pop %ebx pop %esi copy of canary &arg copy of canary &arg pop %edi 12b unused 12b unused pop %ebp 0xFBD8 0xFBD8 ret … foo frame random write & 1024b buffer stack invocation frames ... 0xFFD8 0xFFD8 stack canary stack canary 8b unused 8b unused saved ebp saved ebp eip to caller eip to caller &arg &arg main frame 0xFFF0 0xFFF0 … ? ... … ? ... 2011-12-27 Mathias Payer, ETH Zürich 21

  22. SOP: ASLR, DEP, ProPolice Combined defenses force SOP to reuse existing code ● Static code sequences in the application object ● Imported functions in the application ( .plt and .got ) Use random byte-writes to adjust .got entries ● Enable other functions / gadgets that are not imported ● Combine stack invocation frames and indirect jump/call gadgets void foo(char *prn) { char text[1000]; // protected on stack strcpy(text, prn); printf(text); // vulnerable printf puts ("logged in\n"); // 'some' function } 2011-12-27 Mathias Payer, ETH Zürich 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation

String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation

String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to construct (new

850 views • 23 slides
Objects & Object Oriented Programming Weiss ch. 3 String Like any object, but: has

Objects & Object Oriented Programming Weiss ch. 3 String Like any object, but: has

Objects & Object Oriented Programming Weiss ch. 3 String Like any object, but: has a special way of creating new ones: abc creates a new String, returns reference to it has a special operator for

328 views • 22 slides
CS 335 Software Development Object-Oriented Versus Functional Programming; The Visitor

CS 335 Software Development Object-Oriented Versus Functional Programming; The Visitor

CS 335 Software Development Object-Oriented Versus Functional Programming; The Visitor Pattern April 1416, 2014 Functional vs OO interface Animal { String happyNoise(); String excitedNoise(); } class Dog implements Animal { String

571 views • 17 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
CS 10: Problem solving via Object Oriented Programming String Finding Agenda 1. Boyer-Moore

CS 10: Problem solving via Object Oriented Programming String Finding Agenda 1. Boyer-Moore

CS 10: Problem solving via Object Oriented Programming String Finding Agenda 1. Boyer-Moore algorithm 2. Tries 2 Matching/recognizing patterns in sequences is a common CS problem Example: Find pattern in DNA data Task Find a substring

616 views • 26 slides
CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of Computer Science University of Maryland, College Park Object-Oriented Programming (OOP) Approach to improving software View software as a

593 views • 18 slides
Classes and Objects Object Oriented Programming Genome 559: Introduction to Statistical and

Classes and Objects Object Oriented Programming Genome 559: Introduction to Statistical and

Classes and Objects Object Oriented Programming Genome 559: Introduction to Statistical and Computational Genomics Elhanan Borenstein A quick review String manipulation is doable but tedious Regular expressions (RE): A tiny

483 views • 25 slides
61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method for organizing programs Data abstraction John's Apply for Account Bundling together information and related behavior a loan! A metaphor

207 views • 18 slides
Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been doing this since Day 1: Python is a deeply object oriented language Most of the data types we were using (strings, list, dictionaries) were

463 views • 21 slides
From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

Introduction OOP OOP2MAOP MAOP Conclusion From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier ISCOD/Henri Fayol Institute & LSTI ENS Mines Saint-Etienne - France boissier@emse.fr MATES,

1.22k views • 73 slides
Introduction to Object-Oriented Programming Review 2: Object-Oriented Programming Christopher

Introduction to Object-Oriented Programming Review 2: Object-Oriented Programming Christopher

Introduction to Object-Oriented Programming Review 2: Object-Oriented Programming Christopher Simpkins chris.simpkins@gatech.edu CS 1331 (Georgia Tech) Review 2: Object-Oriented Programming 1 / 14 Topics in the OOP Block Inheritance

612 views • 14 slides
String: a Programming Example Bjrn Lisper School of Innovation, Design, and Engineering

String: a Programming Example Bjrn Lisper School of Innovation, Design, and Engineering

String: a Programming Example Bjrn Lisper School of Innovation, Design, and Engineering Mlardalen University bjorn.lisper@mdh.se http://www.idt.mdh.se/blr/ Strings: a Programming Example (revised 2013-11-21) String Processing String

570 views • 27 slides
Python: Object Oriented Programming - 1 Objects Python supports different type of data

Python: Object Oriented Programming - 1 Objects Python supports different type of data

Python: Object Oriented Programming - 1 Objects Python supports different type of data 125 (int), 24.04 (float), Hello (string) [3,7,8,10] (list) {India:New Delhi, Japan:Tokyo} Each of above is an

229 views • 20 slides
Chapter 3 Objects and Classes Object Oriented Object Oriented Programming Programming OOP

Chapter 3 Objects and Classes Object Oriented Object Oriented Programming Programming OOP

Chapter 3 Objects and Classes Object Oriented Object Oriented Programming Programming OOP is a relatively new approach to programming which supports the creation of new data types and operations to manipulate those types. 2 What is

563 views • 15 slides
Polymorphism 1 / 19 Introduction to Object-Oriented Programming Today well learn how to

Polymorphism 1 / 19 Introduction to Object-Oriented Programming Today well learn how to

Polymorphism 1 / 19 Introduction to Object-Oriented Programming Today well learn how to combine all the elements of object-oriented programming in the design of a program that handles a company payroll. Object-oriented programming requires

437 views • 19 slides
Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The primary characteristics associated with object-oriented programming are inheritance; encapsulation; and polymorphism Inheritance class Shape: class

252 views • 9 slides
Marta Zubieta Analysing Practice MA GRAPHIC ARTS 18/19 Ideas from the book: A field guide to

Marta Zubieta Analysing Practice MA GRAPHIC ARTS 18/19 Ideas from the book: A field guide to

Marta Zubieta Analysing Practice MA GRAPHIC ARTS 18/19 Ideas from the book: A field guide to getting lost disolution of identity In a society overcontrolled Ideas/Simils with my voice the most valuable thing is to subjects/ points to

2.24k views • 9 slides
A Pilot Project on Community Health Clubs and Rural Sanitation Marketing An Overview of the

A Pilot Project on Community Health Clubs and Rural Sanitation Marketing An Overview of the

A Pilot Project on Community Health Clubs and Rural Sanitation Marketing An Overview of the Approach, Initial Findings & Next Steps GOAL Sierra Leone September 2015 Background & Community Approaches Many initiatives at community

407 views • 18 slides
Fisc Fiscal al 2015 2015 Second Second Quarter Quarter Ea Earning rnings Call Call Pre

Fisc Fiscal al 2015 2015 Second Second Quarter Quarter Ea Earning rnings Call Call Pre

Fisc Fiscal al 2015 2015 Second Second Quarter Quarter Ea Earning rnings Call Call Pre Presen sentation tation | Fiscal 2015 Second Quarter Earnings Call Presentation | 1 harris.com Forward Forward-looking looking statemen

322 views • 9 slides
Zalando Press Call February 27, 2020 February 27, 2020 Zalando Press Call 1 Building the

Zalando Press Call February 27, 2020 February 27, 2020 Zalando Press Call 1 Building the

Customers declutter their wardrobe Zalando Press Call February 27, 2020 February 27, 2020 Zalando Press Call 1 Building the Starting Point for Fashion Rubin Ritter, Co-CEO 2 February 27, 2020 Zalando Press Call Our vision: To become

734 views • 36 slides
DAY 1 Arrival. Introduction. The Uruguayan Estancia (Ranch).

DAY 1 Arrival. Introduction. The Uruguayan Estancia (Ranch).

We are delighted to invite you to experience our unparalleled collection of contemporary Uruguayan art at Estancia Vik Jose Ignacio and Playa Vik Jose Ignacio. The retreats are a labor

171 views • 13 slides
Knot DNS CZ.NIC, z.s.p.o. Ondej Sur ondrej.sury@nic.cz 25. 6. 2012 ICANN 44 Tech Day 1

Knot DNS CZ.NIC, z.s.p.o. Ondej Sur ondrej.sury@nic.cz 25. 6. 2012 ICANN 44 Tech Day 1

Knot DNS CZ.NIC, z.s.p.o. Ondej Sur ondrej.sury@nic.cz 25. 6. 2012 ICANN 44 Tech Day 1 Design goals Open-source authoritative-only DNS server Developed in an open way (including our mistakes) Usable for root, TLDs and

458 views • 16 slides
DONKEY SKIN A project by Emilio CALCAGNO Taken from Perrault and the Brothers Grimms fairy

DONKEY SKIN A project by Emilio CALCAGNO Taken from Perrault and the Brothers Grimms fairy

DONKEY SKIN A project by Emilio CALCAGNO Taken from Perrault and the Brothers Grimms fairy tales Production Thtre National de Chaillot November 2012 www.compagnie-eco.com Choreographer Donkey Skin has always fascinated me. The most

539 views • 8 slides
Business Acceleration for Independents Serving Filmmakers and Artists Around the World

Business Acceleration for Independents Serving Filmmakers and Artists Around the World

Business Acceleration for Independents Serving Filmmakers and Artists Around the World www.soundviewmediapartners.com Consulting and Representation Services Soundview Media Partners specializes in business and product line development, the

681 views • 10 slides

More recommend