weird machines on little robots
play

Weird Machines on Little Robots Intro to binary exploitation on - PowerPoint PPT Presentation

Feb 26, 2023 •368 likes •899 views

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki 2013-06-06 Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques

  1. Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki 2013-06-06

  2. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 2 / 41

  3. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 3 / 41

  4. Introduction � Smartphones are a Big Market � Not as well researched as security on x86(_64) � New challenges on Android? � Rooting is popular � Increasing use of native components � e.g. game engines, audio/video codec stuff 4 / 41

  5. Introduction � Smartphones are a Big Market � Not as well researched as security on x86(_64) � New challenges on Android? � Rooting is popular � Increasing use of native components � e.g. game engines, audio/video codec stuff But Daddy, all the cool kids are exploiting ARM devices!!!!!! 4 / 41

  6. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 5 / 41

  7. ARM? Embedded stuff. . . I think. . . � Mostly sold CPU architecture � It’s basically everywhere � ARM Architecture is licenced to manufacturers � e.g. Samsung, Qualcomm, Texas Instruments, . . . � They buy the “source code”/“blueprints” for the CPU cores � . . . and build System-on-a-Chip (SoC) 6 / 41

  8. ARM Facts � BuzzWord Bingo: 7 / 41

  9. ARM Facts � BuzzWord Bingo: Bi-endian 32-Bit Load/Store RISC architecture 7 / 41

  10. ARM Facts � BuzzWord Bingo: Bi-endian 32-Bit Load/Store RISC architecture � 64-Bit on the way (AArch64) � ARMv5 to ARMv8 are common � (Relatively) simple architecture, no microcode � Many extensions (like in x86 world) � Different instruction sets � Fixed width instructions (32 bit or 16 bit) � ARM, Thumb(-2), Jazelle � Floating Point, SIMD instructions � Still R(educed)ISC? � Power efficient 7 / 41

  11. ARM Architecture and Instruction � Registers from r0 to r15 � r15 is Program Counter (PC) � r14 is Link Register � r13 is Stack Pointer (SP) � Fancy features � conditional execution of all instructions � Bit-Shifting included (before/after instructions) � Several addressing modes � ARM ABIs and ARM Procedure Call Standard (APCS) � Different ABI versions and sub-versions � ARM Embedded ABI → Android-EABI (quite similar to GNU-EABI) 8 / 41

  12. Procedure Calls � ARM has no call / ret instructions � Direct manipulation of PC � ldr , pop (also: dm, ldmda, ldmdb and ldmib ) � Example Function Prologue/Epilogue otherfunction : blx function function: push {fp , lr} ; init stack , save registers ; function code pop {fp , pc} � Arguments are passed in r0 to r4 (depending on ABI) � Callee must preserve r4 to r8, r10, r11 and sp � Stack might be pretty crowded ;) 9 / 41

  13. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 10 / 41

  14. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 11 / 41

  15. Exploitation 101: Science!!! � Programs are “abstract machines” with states � Programs transist between those states 12 / 41

  16. Exploitation 101: Science!!! � Programs are “abstract machines” with states � Programs transist between those states � Weird Machines � Program transists into undefined “weird” state � Through a vulnerability � Anything can happen (e.g. code execution) � State transitions still happen. . . 12 / 41

  17. Exploitation 101: Science!!! � Programs are “abstract machines” with states � Programs transist between those states � Weird Machines � Program transists into undefined “weird” state � Through a vulnerability � Anything can happen (e.g. code execution) � State transitions still happen. . . � . . . and the machine gets weirder! � Exploitation is the art of programming of weird machines 12 / 41

  18. Exploitation 101: Science!!! � Programs are “abstract machines” with states � Programs transist between those states � Weird Machines � Program transists into undefined “weird” state � Through a vulnerability � Anything can happen (e.g. code execution) � State transitions still happen. . . � . . . and the machine gets weirder! � Exploitation is the art of programming of weird machines � Underlying problem: no distinction between code and data (von-Neumann architecture) 12 / 41

  19. Exploitation is hard � Finding vulnerabilities is hard � Writing reliable exploits is harder � Lot’s of constraints � Extremely architecture dependent � Sometimes the best solution is brute-force 13 / 41

  20. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 14 / 41

  21. Vulnerabilities I Attack types � Inject and execute new code (Shellcode) � Execute existing code out of intended order (ROP) � Data-only attacks Buffer Overflows The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. � Stack-based, Heap-based, in Data segment 15 / 41

  22. Vulnerabilities II Format String � User controlled format string � Variable arguments implementation problem � Read arbitrary data from stack � Write anywhere primitive using %n � Not in android libc/bionic! Integer Overflows � Integer values wrap around on INT_MAX � Get program to increment over INT_MAX � Problems with signedness ( − 1 = 0xFFFFFFFF ) � Usually in combination with other bugs 16 / 41

  23. Vulnerabilities III And many more. . . 17 / 41

  24. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 18 / 41

  25. Code Execution � Introduce your payload (shellcode or ROP “code”) into address space � Overwrite pointer to code to your payload � Return address, function pointer, PLT/GOT etc. � Abuse linked data structures to achieve write-anywhere primitive (traditional example: heap metadata) � Wait for usage of overwritten code pointer � ??? � PROFIT!!! 19 / 41

  26. Shellcode � use PC-relative addressing to mix data/code � See Phrack66/12 [1] for alphanumeric shellcodes � Metasploit includes some Linux shellcode generators � Use your favorite Asssembler (e.g. gcc, radare2/rasm2 [4]) � NOP-slides � Jump into NOP-slide � Reduce risk of jumping to wrong address � NOP is mov r0, r0 (0xe1a00000) � Or use something other useless instead: e.g. mov r1, r1 (0xe1a01001) 20 / 41

  27. Return-to-lib(c) Idea: ret2lib(c) Prepare stack so that it looks like function call into a library on return. (e.g. system function in libc) 21 / 41

  28. Return-to-lib(c) Idea: ret2lib(c) Prepare stack so that it looks like function call into a library on return. (e.g. system function in libc) BUT WAIT! 21 / 41

  29. Return-to-lib(c) Idea: ret2lib(c) Prepare stack so that it looks like function call into a library on return. (e.g. system function in libc) BUT WAIT! � Remember: First arguments are passed in registers � Oh noes: ret2lib(c) does not work on ARM � We have the same Problem on x86_64 21 / 41

  30. Return Oriented Programming (ROP) Idea: ROP Search for reusable code snippets that end with ret instruction, called gadgets. Chain together gadgets to achieve turing completeness. 22 / 41

  31. Return Oriented Programming (ROP) Idea: ROP Search for reusable code snippets that end with ret instruction, called gadgets. Chain together gadgets to achieve turing completeness. � Oh noes we have no ret instruction. � Use any branching instruction! � Check out existing work ([5], [6]) � Lot’s of research in this area � Though tool quality could be better 22 / 41

  32. Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques Compiler/Linker Defenses Kernel Defenses Exploitation Strategies Conclusion References 23 / 41

  33. The Android Environment � Android is compiled with reasonably new GCC toolchain � Experimental support for LLVM/clang � Userland libraries are Android specific � bionic as libc � custom linker (called “linker”) � Many features are inherited by GNU/Linux 24 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx SHAPIRO DARTMOUTH COLLEGE TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY

566 views • 13 slides
Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina Dartmouth T rust Lab Outline Code re-use: unexpected computation, programming models Containing computation: Coarse intent-based ABI-level

487 views • 27 slides
Artificial Intelligence (AI) Intelligent computers / robots / other machines Not today, but

Artificial Intelligence (AI) Intelligent computers / robots / other machines Not today, but

Artificial Intelligence (AI) Intelligent computers / robots / other machines Not today, but perhaps in 20-30 years. Will they have free will? Will they become conscious? Will they have rights? They may be very different

483 views • 17 slides
Building Personable Machines (Lessons from Infusing Affect in Physical Robots) Star Simpson Bot

Building Personable Machines (Lessons from Infusing Affect in Physical Robots) Star Simpson Bot

Building Personable Machines (Lessons from Infusing Affect in Physical Robots) Star Simpson Bot Summit 2016 Victoria & Albert Museum @starsandrobots http://robotic.media.mit.edu/portfolio/tikl/

355 views • 17 slides
Brain-Based Robots A Means to Creating More Intelligent Machines Jeff Krichmar Cognitive

Brain-Based Robots A Means to Creating More Intelligent Machines Jeff Krichmar Cognitive

Brain-Based Robots A Means to Creating More Intelligent Machines Jeff Krichmar Cognitive Anteater Robotics Laboratory (CARL) Department of Cognitive Sciences Department of Computer Science 1 3 Who is Better at Recognizing Objects? 4 Who

455 views • 42 slides
Robots are becoming an essential part in the human evolution. Robots or machines can

Robots are becoming an essential part in the human evolution. Robots or machines can

Running head: Robotics 1 (Intelligent) Robotics Omar Alenezi Montana Tech at University of Montana Running head: Robotics 2 Abstract This paper covers robotic history and their advancement and contribute in various of fields. Then talked about

336 views • 15 slides
! Collabora(ve!Proposal:!! Printable!Robots:!An!Expedi(on!in!Compu(ng!for!

! Collabora(ve!Proposal:!! Printable!Robots:!An!Expedi(on!in!Compu(ng!for!

! Collabora(ve!Proposal:!! Printable!Robots:!An!Expedi(on!in!Compu(ng!for! Compiling!Func(onal!Physical!Machines! Daniela!Rus,!Andre!DeHon ,!Mar(n!Demaine,!Sanjeev!Khanna ,!Sangbae!Kim ,! Vijay!Kumar

687 views • 40 slides
The Imitation Game: The New Frontline of Security Fighting Robots Weve been warned for a

The Imitation Game: The New Frontline of Security Fighting Robots Weve been warned for a

The Imitation Game: The New Frontline of Security Fighting Robots Weve been warned for a long time Many robots are good Some robots are creepy but still good Some robots replicate rapidly Robots can overwhelm our best defenses Robots can

723 views • 56 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
ROBOTS AND HEALTHCARE PAST, PRESENT, AND FUTURE COMPILED BY HOWIE BAUM What do you think of when

ROBOTS AND HEALTHCARE PAST, PRESENT, AND FUTURE COMPILED BY HOWIE BAUM What do you think of when

ROBOTS AND HEALTHCARE PAST, PRESENT, AND FUTURE COMPILED BY HOWIE BAUM What do you think of when you hear the word robot? 2 Why Robotics? Areas that robots are used: Industrial robots Military, government and space robots

1.36k views • 89 slides
Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting) Dr Mark Ellio+ Reader in Public Law, University of Cambridge Fellow & Director of

426 views • 14 slides
Human robot interaction www.biorobotics.ttu.ee Social robots Traditional robots Tools

Human robot interaction www.biorobotics.ttu.ee Social robots Traditional robots Tools

Human robot interaction www.biorobotics.ttu.ee Social robots Traditional robots Tools to perform difficult, hazardous, tedious tasks Social robots Companions and partners www.biorobotics.ttu.ee Social robots Are

1.45k views • 20 slides
UNIVERSAL ROBOTS RUC 2018 Universal Robots - Evolving the future UNIVERSAL ROBOTS SET THE

UNIVERSAL ROBOTS RUC 2018 Universal Robots - Evolving the future UNIVERSAL ROBOTS SET THE

UNIVERSAL ROBOTS RUC 2018 Universal Robots - Evolving the future UNIVERSAL ROBOTS SET THE STANDARD Fast Set-up Flexible Deployment Easy Programming Safe UNIVERSAL ROBOTS SET THE STANDARD Fast setup Fast Set-up Flexible

585 views • 24 slides
Robots Playing Catch Brandon Tolsch Brandon Tolsch Robots Playing Catch Two robots throwing

Robots Playing Catch Brandon Tolsch Brandon Tolsch Robots Playing Catch Two robots throwing

Robots Playing Catch Brandon Tolsch Brandon Tolsch Robots Playing Catch Two robots throwing a ball through the air Free to move around on the ground Pass back and forth forever Never drop the ball 2/9 Brandon Tolsch Robots

636 views • 9 slides
Computations by Luminous Robots Giuseppe Prencipe Universit di Pisa Swarms of robots Many

Computations by Luminous Robots Giuseppe Prencipe Universit di Pisa Swarms of robots Many

Computations by Luminous Robots Giuseppe Prencipe Universit di Pisa Swarms of robots Many Very Simple Generic Identical Autonomous Silent 21st Oct, 2015 MAC 2015 Swarms of robots A robot - alone - is computationally weak

794 views • 68 slides
Self-Reconfigurable Robots for Space Exploration Effect of compliance in modular robots

Self-Reconfigurable Robots for Space Exploration Effect of compliance in modular robots

Self-Reconfigurable Robots for Space Exploration Effect of compliance in modular robots structures on the locomotion Adi Vardi Prof. Auke Jan Ijspeert Stphane Bonardi, Simon Hauser, Mehmet Mutlu, Massimo Vespignani 1 Motivation

416 views • 27 slides
Software Engineering Case Studies Bob Monroe Software Engineering Reading Group March 31, 1997

Software Engineering Case Studies Bob Monroe Software Engineering Reading Group March 31, 1997

Software Engineering Case Studies Bob Monroe Software Engineering Reading Group March 31, 1997 Overview Case study paper (Kitchenham et al) Overview of case study methodology Good case studies are powerful. They are also rare

561 views • 15 slides
Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr

Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr

RUHR-UNIVERSITT BOCHUM Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 1 RUHR-UNIVERSITT

686 views • 47 slides
Todays Objec3ves TCP Wrap Up Services: Buzzword Bingo Threads and Synchroniza3on

Todays Objec3ves TCP Wrap Up Services: Buzzword Bingo Threads and Synchroniza3on

9/22/17 Todays Objec3ves TCP Wrap Up Services: Buzzword Bingo Threads and Synchroniza3on Sept 22, 2017 Sprenkle - CSCI325 1 Review What layer is TCP? What does it add that the lower level does not have? How does it add

362 views • 11 slides
Overview Introduction Design Processes Jrg Cassens Linear Models Iterative Models SoSe

Overview Introduction Design Processes Jrg Cassens Linear Models Iterative Models SoSe

Required Reading Overview Introduction Design Processes Jrg Cassens Linear Models Iterative Models SoSe 2019 References Contextual Design of Interactive Systems SoSe 2019 Jrg Cassens Overview 1 / 81 Foreword Required

1.21k views • 99 slides
SCALE APPLICATIONS FLEXIBLY WITH MICROPROFILE Ondrej Mihlyi @omihalyi SCALABLE APPLICATIONS

SCALE APPLICATIONS FLEXIBLY WITH MICROPROFILE Ondrej Mihlyi @omihalyi SCALABLE APPLICATIONS

SCALE APPLICATIONS FLEXIBLY WITH MICROPROFILE Ondrej Mihlyi @omihalyi SCALABLE APPLICATIONS What it means? Another buzzword? @OMihalyi HIGHLY SCALABLE APPLICATIONS !? Just great. Buzzword Bingo time! @OMihalyi SERIOUSLY, WHAT ARE WE

515 views • 29 slides
An Intuitive Guide to Combining Free Monad and Free Applicative Who Am I? I'm Cameron

An Intuitive Guide to Combining Free Monad and Free Applicative Who Am I? I'm Cameron

An Intuitive Guide to Combining Free Monad and Free Applicative Who Am I? I'm Cameron Linkedin - https://www.linkedin.com/in/cameron-joannidis/ Twitter - @CamJo89 Consult across a range of areas and have built many big data

1.13k views • 78 slides
Some Notes on BLAS, SIMD, MIC and GPGPU (for Octave and Matlab) Christian Himpe (

Some Notes on BLAS, SIMD, MIC and GPGPU (for Octave and Matlab) Christian Himpe (

Some Notes on BLAS, SIMD, MIC and GPGPU (for Octave and Matlab) Christian Himpe ( christian.himpe@uni-muenster.de ) WWU Mnster Institute for Computational and Applied Mathematics Software-Tools fr die Numerische Mathematik 15.10.2014 About

452 views • 21 slides
Writing Concurrent Applications in Python Bastian Venthur Berlin Institute of Technology

Writing Concurrent Applications in Python Bastian Venthur Berlin Institute of Technology

Writing Concurrent Applications in Python Bastian Venthur Berlin Institute of Technology 2011-09-14 Outline Introduction to Concurrency Starting and Joining Tasks Processes and Threads Concurrency Paradigms Pythons threading Module

1.07k views • 60 slides

More recommend