when rop meets turing automatic generation of rop chains
play

When ROP meets Turing: Automatic Generation of ROP Chains using - PowerPoint PPT Presentation

Oct 23, 2023 •112 likes •697 views

When ROP meets Turing: Automatic Generation of ROP Chains using Turing-Complete Instruction Sets Daniel Uroz, Ricardo J. Rodrguez danieluroz@protonmail.com, rjrodriguez@unizar.es All wrongs reversed E R S I T A R I O D E O U N

  1. When ROP meets Turing: Automatic Generation of ROP Chains using Turing-Complete Instruction Sets Daniel Uroz, Ricardo J. Rodríguez danieluroz@protonmail.com, rjrodriguez@unizar.es � All wrongs reversed E R S I T A R I O D E O U N V I A L D E N T R F N E E C S A D D I I S E N E C O C D N D I S V O N M S I N N V A T I 2 0 0 9 A Z R A O G Z A April 13, 2018 HITB 2018 Amsterdam, Netherlands

  2. $whoami Ph.D. in Comp. Sc. (2013) BSc. in Informatics (2016) Assistant Professor at Centro Junior malware analyst Universitario de la Defensa, Researcher at University of General Military Academy Zaragoza (Zaragoza, Spain) Research interests Security-driven engineering Malware analysis RFID/NFC security Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 2 / 34

  3. Agenda 1 Introduction EasyROP : Description of the tool 2 Executional Adversary Power in Windows OSes 3 Case Study: CVE-2010-3333 4 Conclusions 5 Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 3 / 34

  4. Agenda 1 Introduction 2 EasyROP : Description of the tool 3 Executional Adversary Power in Windows OSes Case Study: CVE-2010-3333 4 Conclusions 5 Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 4 / 34

  5. Introduction Software systems are large and complex Fixed time-to-market urges developers to finish as soon as possible Who cares of software quality? (or other attributes) Consequence: software vulnerabilities on the rise 6 to 16 software bugs per 1,000 lines of code (approximately) Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 5 / 34

  6. Introduction Presence of software memory errors → control-flow hijacking attacks Legitimate control-flow of the program is hijacked Arbitrary code inserted AND executed by the adversary Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 6 / 34

  7. Introduction Presence of software memory errors → control-flow hijacking attacks Legitimate control-flow of the program is hijacked Arbitrary code inserted AND executed by the adversary Different defense approaches Control-flow integrity approaches (e.g., type-safe languages, stack cookies, inline software guards) Isolate malicious code prior execution (e.g., tainting, run-time elimination, W ⊕ X) Further reading: van der Veen, V.; dutt Sharma, N.; Cavallaro, L. & Bos, H. Memory Errors: The Past, the Present, and the Future . Proceedings of the 15th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), Springer Berlin Heidelberg, 2012, 86-106. doi: 10.1007/978-3-642-33338-5_5 Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 6 / 34

  8. Introduction W ⊕ X – Write-xor-Execute memory pages Widely used defense mechanism against control-flow hijacking attacks Almost every current OS incorporates it natively Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 7 / 34

  9. Introduction W ⊕ X – Write-xor-Execute memory pages Widely used defense mechanism against control-flow hijacking attacks Almost every current OS incorporates it natively Concept : memory pages are either writable or executable, but not both An adversary can still inject code, but its execution is prevented Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 7 / 34

  10. Introduction W ⊕ X – Write-xor-Execute memory pages Hardware support NX-bit on AMD Athlon 64 XD-bit on Intel P4 Prescott Software support Linux (via PaX project); OpenBSD Windows (from XP SP2 onward) (aka Data Execution Prevention, DEP) Windows � to rename every f***ing single thing Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 8 / 34

  11. Introduction Defeating W ⊕ X protection Control-flow is redirected to the stack W ⊕ X prevents execution. Roughly speaking, you (as attacker) are fucked Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 9 / 34

  12. Introduction Defeating W ⊕ X protection Control-flow is redirected to the stack W ⊕ X prevents execution. Roughly speaking, you (as attacker) are fucked Wait a minute! Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 9 / 34

  13. Introduction Defeating W ⊕ X protection Control-flow is redirected to the stack W ⊕ X prevents execution. Roughly speaking, you (as attacker) are fucked Wait a minute! IDEA Since we can write the stack... and stack also stores the return addresses of the control-flow when (legitimately) diverted... can we use memory addresses pointing to ALREADY EXISTING code? → Yes! Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 9 / 34

  14. Introduction Defeating W ⊕ X protection Control-flow is redirected to the stack W ⊕ X prevents execution. Roughly speaking, you (as attacker) are fucked Wait a minute! IDEA Since we can write the stack... and stack also stores the return addresses of the control-flow when (legitimately) diverted... can we use memory addresses pointing to ALREADY EXISTING code? → Yes! Return-Oriented Programming (ROP) Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 9 / 34

  15. Introduction Defeating W ⊕ X protection Control-flow is redirected to the stack W ⊕ X prevents execution. Roughly speaking, you (as attacker) are fucked Wait a minute! IDEA Since we can write the stack... and stack also stores the return addresses of the control-flow when (legitimately) diverted... can we use memory addresses pointing to ALREADY EXISTING code? → Yes! Return-Oriented Programming (ROP) In memory pages that already have execution privileges Since these pages can execute, they are not captured by W ⊕ X protection Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 9 / 34

  16. Introduction Defeating W ⊕ X protection Control-flow is redirected to the stack W ⊕ X prevents execution. Roughly speaking, you (as attacker) are fucked Wait a minute! IDEA Since we can write the stack... and stack also stores the return addresses of the control-flow when (legitimately) diverted... can we use memory addresses pointing to ALREADY EXISTING code? → Yes! Return-Oriented Programming (ROP) In memory pages that already have execution privileges Since these pages can execute, they are not captured by W ⊕ X protection ROP enables an adversary to induce arbitrary execution behavior while injecting no code (just pointers to existing code!) Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 9 / 34

  17. Introduction Return-Oriented-Programming attacks ROP attacks Hijack control-flow without executing new code Redirect control-flow to chunks of code already available in the memory space of the process Recall x86 ISA has variable size! ROP gadget: set of instructions that ends with retn Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 10 / 34

  18. Introduction Return-Oriented-Programming attacks ROP attacks Hijack control-flow without executing new code Redirect control-flow to chunks of code already available in the memory space of the process Recall x86 ISA has variable size! ROP gadget: set of instructions that ends with retn b8 89 41 08 c3 mov eax, 0xc3084189 89 41 08 mov [ecx+8], eax c3 ret Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 10 / 34

  19. Introduction Return-Oriented-Programming attacks ROP attacks Hijack control-flow without executing new code Redirect control-flow to chunks of code already available in the memory space of the process Recall x86 ISA has variable size! ROP gadget: set of instructions that ends with retn . . . esp → 0x7c37638d → pop ecx; ret b8 89 41 08 c3 mov eax, 0xc3084189 0xF13C1A02 0x7c341591 → pop edx; ret 0xBAADF00D 89 41 08 mov [ecx+8], eax 0x7c367042 → xor eax, eax; ret c3 ret 0x7c34779f → add eax, ecx; ret 0x7c347f97 → mov ebx, eax; ret . . . Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 10 / 34

  20. Introduction Adversary controls the order of execution of ROP gadgets ROP chain : set of ROP gadgets chained by the adversary Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 11 / 34

  21. Introduction Adversary controls the order of execution of ROP gadgets ROP chain : set of ROP gadgets chained by the adversary How to defeat the W ⊕ X protection? Build a ROP chain to deactivate the protection! First, set CPU registers to specific values. Then, Execute memprot() syscall (in GNU/Linux) Execute SetDEPProcessPolicy() (in Windows) . . . Automatic Generation of ROP Chains using Turing-Complete Instruction Sets (D. Uroz, R.J. Rodríguez) April 13, 2018 11 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Turing meets Synthetic Biology: Self-emerging patterns in an activator inhibitor network Turing

Turing meets Synthetic Biology: Self-emerging patterns in an activator inhibitor network Turing

Turing meets Synthetic Biology: Self-emerging patterns in an activator inhibitor network Turing meets Synthetic Biology: The main goal of the project was to show that Turing patterns could be obtained by the action of an underlying

704 views • 47 slides
Objectives Fault modeling and simulation Test generation

Objectives Fault modeling and simulation Test generation

Objectives Fault modeling and simulation Test generation Automatic-test-pattern-generation Built-in-self-test BIST architecture Scan and boundary scan Scan chains Digital scan standard Digital system

617 views • 37 slides
TURING CATEGORIES TURING CATEGORIES T is a Turing category if It is a cartesian

TURING CATEGORIES TURING CATEGORIES T is a Turing category if It is a cartesian

Turing Categories and Computability 1 Robin Cockett Department of Computer Science University of Calgary Alberta, Canada robin@cpsc.ucalgary.ca Estonia, March 2010 1 Joint work with Pieter Hofstra TURING CATEGORIES TURING

1.44k views • 39 slides
Foundations of Computer Science Lecture 27 Unsolvable Problems No Automatic Program Verifier for

Foundations of Computer Science Lecture 27 Unsolvable Problems No Automatic Program Verifier for

Foundations of Computer Science Lecture 27 Unsolvable Problems No Automatic Program Verifier for Hello-World No Ultimate Debugger or Algorithm for PCP The Complexity Zoo Last Time: Turing Machines Intuitive notion of algorithm Turing Machine

361 views • 13 slides
Foundations of Computer Science Lecture 27 Unsolvable Problems No Automatic Program Verifier for

Foundations of Computer Science Lecture 27 Unsolvable Problems No Automatic Program Verifier for

Foundations of Computer Science Lecture 27 Unsolvable Problems No Automatic Program Verifier for Hello-World No Ultimate Debugger or Algorithm for PCP The Complexity Zoo Last Time: Turing Machines Intuitive notion of algorithm Turing Machine

763 views • 74 slides
Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in

Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in

Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in Next-Generation Portals Fedor Bakalov University of Jena Birgitta Knig-Ries Andreas Nauerz IBM Research and Development Martin Welsch

263 views • 22 slides
Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
Outline Super-Turing I. The Limits of Turing Computation or A. Models & Frames of

Outline Super-Turing I. The Limits of Turing Computation or A. Models & Frames of

Super-Turing or Non-Turing? Outline Super-Turing I. The Limits of Turing Computation or A. Models & Frames of Relevance Non-Turing? B. The Frame of Turing Computability II. New Computational Models Bruce MacLennan A. Natural

209 views • 6 slides
TURING CATEGORIES Turing categories Reducibility Partial combinatory algebras Recursion

TURING CATEGORIES Turing categories Reducibility Partial combinatory algebras Recursion

Turing Categories and Computability 1 Robin Cockett Department of Computer Science University of Calgary Alberta, Canada robin@cpsc.ucalgary.ca Estonia, March 2010 1 Joint work with Pieter Hofstra TURING CATEGORIES Turing categories

853 views • 39 slides
NVIDIA QUADRO RTX NVIDIA TURING GPU Turing SM RT Cores Turing SM RT Cores Up to 10 Giga

NVIDIA QUADRO RTX NVIDIA TURING GPU Turing SM RT Cores Turing SM RT Cores Up to 10 Giga

NVIDIA QUADRO RTX NVIDIA TURING GPU Turing SM RT Cores Turing SM RT Cores Up to 10 Giga Rays/sec Up to 16 TFLOPS + 16 TIPS Ray Triangle Intersection Concurrent FP & INT Execution BVH Traversal Unified L1 Cache Variable Rate Shading

510 views • 29 slides
A Framework for Automatic Generation A Framework for Automatic Generation of Configuration Files

A Framework for Automatic Generation A Framework for Automatic Generation of Configuration Files

A Framework for Automatic Generation A Framework for Automatic Generation of Configuration Files for a Custom of Configuration Files for a Custom Hardware/Software RTOS Hardware/Software RTOS Jaehwan Lee* Lee* Jaehwan Kyeong Keol Keol Ryu

702 views • 29 slides
Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a

Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a

Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a Viktor Pu Hana Kub atov 1 Liberouter CESNET 2 Faculty of Information Technology Czech Technical University in Prague H 2 RC Workshop,

130 views • 12 slides
Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe

Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe

Automatic Synthesizer Preset Generation with PresetGen Kvan Tatar, Matthieu Macret, Philippe Pasquier ENGAGING THE WORLD The preset generation problem Modern synthesizers are very powerful and have many parameters resulting in a vast

543 views • 12 slides
ON THE AUTOMATIC GENERATION OF RECURSIVE ATTITUDE DETERMINATION ALGORITHMS Presented at the AAS

ON THE AUTOMATIC GENERATION OF RECURSIVE ATTITUDE DETERMINATION ALGORITHMS Presented at the AAS

ON THE AUTOMATIC GENERATION OF RECURSIVE ATTITUDE DETERMINATION ALGORITHMS Presented at the AAS GN&C Conference in Breckenridge, CO, on February the 7th, 2017 by Tucker McClure @ An Uncommon Lab WHAT ARE THE GOALS? EXAMINE

775 views • 29 slides
Turing Machines (TM) Deterministic Turing Machine (DTM) Nondeterministic Turing Machine

Turing Machines (TM) Deterministic Turing Machine (DTM) Nondeterministic Turing Machine

Turing Machines (TM) Deterministic Turing Machine (DTM) Nondeterministic Turing Machine (NDTM) 1 Deterministic Turing Machine (DTM) .. .. B B 0 1 1 0 0 B B Finite Control Two-way, infinite tape, broken into

616 views • 14 slides
1 Undecidability; the Church-Turing Thesis The Church-Turing thesis: A Turing machine that halts

1 Undecidability; the Church-Turing Thesis The Church-Turing thesis: A Turing machine that halts

1 Undecidability; the Church-Turing Thesis The Church-Turing thesis: A Turing machine that halts on all inputs is the precise, formal notion corresponding to the intuitive notion of an algorithm. Note that algorithms existed before Turing

388 views • 4 slides
Structure and recognition of graphs with no 6-wheel subdivision Rebecca Robinson Monash

Structure and recognition of graphs with no 6-wheel subdivision Rebecca Robinson Monash

Structure and recognition of graphs with no 6-wheel subdivision Rebecca Robinson Monash University (Clayton Campus) rebeccar@infotech.monash.edu.au (joint work with Graham Farr) Structure and recognition of graphs with no 6-wheel subdivision

536 views • 29 slides
1 2.1 Mobility trees Mobility tree, Men Working status 04 (SHP Data,

1 2.1 Mobility trees Mobility tree, Men Working status 04 (SHP Data,

IPUC, Neuch atel, February 23-24, 2007 1 Aim of the research project Innovative Data Mining based approaches for Just started February 1, 2007 FNS project on life course analysis Mining event histories: Towards new

479 views • 4 slides
Session 20 Session 20 Tool Time Tuesday Tool Time Tuesday Textbooks; Recording Classes; Zoom

Session 20 Session 20 Tool Time Tuesday Tool Time Tuesday Textbooks; Recording Classes; Zoom

Session 20 Session 20 Tool Time Tuesday Tool Time Tuesday Textbooks; Recording Classes; Zoom Registration Textbooks; Recording Classes; Zoom Registration Hello! Hello! Laurissa Gann, MSLS, AHIP Lesli Moore, MLS Research Medical Library

321 views • 21 slides
HHGM Insights LUPA Utilization Chris Attaya VP of Product Strategy, SHP HHFMA Call with the

HHGM Insights LUPA Utilization Chris Attaya VP of Product Strategy, SHP HHFMA Call with the

HHGM Insights LUPA Utilization Chris Attaya VP of Product Strategy, SHP HHFMA Call with the Experts May 16th, 2018 1 HHGM: Low Utilization Payment Adjustments LUPAs will be based on variable thresholds for each of the 144 Payment

186 views • 5 slides
historical map polygon and feature extractor mauricio giraldo arteaga NYPL Labs @mgiraldo

historical map polygon and feature extractor mauricio giraldo arteaga NYPL Labs @mgiraldo

historical map polygon and feature extractor mauricio giraldo arteaga NYPL Labs @mgiraldo NYGeoCon 2013 background ~120k polygons produced in three years by staff and volunteers (NYPL volunteers) building = building = not paper-colored

656 views • 65 slides
SHPE Sacramento State SHPE California State University, Sacramento AGENDA SHPEology

SHPE Sacramento State SHPE California State University, Sacramento AGENDA SHPEology

General Meeting SHPE Sacramento State SHPE California State University, Sacramento AGENDA SHPEology Officer Announcements Changing Lives; Empowering Communities; Impacting the World 2 2 SHPEology History Founded in Los Angeles,

872 views • 43 slides
The optimality of IPG methods for odd degrees of polynomial approximation Oto Havle Vt

The optimality of IPG methods for odd degrees of polynomial approximation Oto Havle Vt

The optimality of IPG methods for odd degrees of polynomial approximation Oto Havle Vt Dolej Charles University Prague Workshop Dresden-Prague on Numerical Analysis 2010 1 / 21 Contents Introduction 1 Main result and numerical

307 views • 27 slides
RENOVATION, MODERNIZATION AND UPRATING OF SMALL HYDRO-POWER STATIONS Dr. H. K. Verma

RENOVATION, MODERNIZATION AND UPRATING OF SMALL HYDRO-POWER STATIONS Dr. H. K. Verma

RENOVATION, MODERNIZATION AND UPRATING OF SMALL HYDRO-POWER STATIONS Dr. H. K. Verma Distinguished Professor (EEE) SHARDA UNIVERSITY Greater Noida, India (Former Professor and Dy. Director Indian Institute of Technology Roorkee) Website:

645 views • 40 slides

More recommend