Introduction to Information Security

Slides:



Advertisements
Similar presentations
Practical Malware Analysis
Advertisements

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Calling sequence ESP.
Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Review: Software Security David Brumley Carnegie Mellon University.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
September 22, 2014 Pengju (Jimmy) Jin Section E
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
Mitigation of Buffer Overflow Attacks
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Exploitation possibilities of memory related vulnerabilities
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
CNIT 127: Exploit Development Ch 1: Before you begin.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
Introduction to Information Security ROP – Recitation 5.
1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.
Introduction to Assembly II Abed Asi Extended System Programming Laboratory (ESPL) CS BGU Fall 2013/2014.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Introduction to Information Security
Shellcode COSC 480 Presentation Alison Buben.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Walk-Through
Return Oriented Programming
Jump-Oriented Programming
Introduction to Information Security
Homework Reading Machine Projects Labs PAL, pp ,
Exploiting & Defense Day 2 Recap
Memory safety, continued again
CSC 495/583 Topics of Software Security Return-oriented programming
Buffer Overflow Walk-Through
CMSC 414 Computer and Network Security Lecture 21
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Stack Frames and Advanced Procedures
Introduction to Intel IA-32 and IA-64 Instruction Set Architectures
Lecture 9: Buffer Overflow*
Machine Level Representation of Programs (IV)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
Week 2: Buffer Overflow Part 1.
Week 2: Buffer Overflow Part 2.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
Several Tips on Project 1
Computer Architecture and System Programming Laboratory
Return-to-libc Attacks
Presentation transcript:

Introduction to Information Security ROP

Return Oriented Programming Return oriented programming is a different way to control the flow of EIP in a program Motivation: Write or Execute: as a result of overflows, the first prevention technique is to make: Executable memory segments read-only Writeable memory segments Non-Executable. Most slides in this presentation were taken as is from: Return-oriented Programming: Exploitation without Code Injection By Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham from the University of California, San Diego http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf

Getting started Need control of memory around %esp Rewrite stack: Buffer overflow on stack Format string vuln to rewrite stack contents Move stack: Overwrite saved frame pointer on stack; on leave/ret, move %esp to area under attacker control Overflow function pointer to a register spring for %esp: set or modify %esp from an attacker-controlled register then return

Schematic: return to libc Control hijacking without executing code stack libc.so args ret-addr exec() sfp printf() NX wasted effort? local buf “/bin/sh”

Principals of ROP Instruction pointer (%eip) determines which instruction to fetch & execute Once processor has executed the instruction, it automatically increments %eip to next instruction Control flow by changing value of %eip

ROP – Machine level Stack pointer (%esp) determines which instruction sequence to fetch & execute Processor doesn’t automatically increment %esp; — but the “ret” at end of each instruction sequence does

No-op equivalent No-op instruction does nothing but advance %eip Return-oriented equivalent: point to return instruction advances %esp Useful in nop sled

Loading Immediates Instructions can encode constants Return-oriented equivalent: Store on the stack; Pop into register to use

Control flow Ordinary programming: Return-oriented equivalent: (Conditionally) set %eip to new value Return-oriented equivalent: (Conditionally) set %esp to new value

Multiple instruction sequence Sometimes more than one instruction sequence needed to encode logical unit Example: load from memory into register: Load address of source word into %eax Load memory at (%eax) into %ebx

Return to code chunk Write complex shellcode by returning to relevant code chunks in memory where code that meets our needs exists. All code must end with ret. (0xc3) We can create loops by finding code that modifies the stack pointer. We don’t have to maintain the original alignment of code

Code chunk example mov eax, 0x5dc3 This is interpreted into: B8 5D C3 POP EBP RETN This is interpreted into: 5D C3 We can use binary search to identify where the shellcode we want exists

Code chunks We can find them in any of the libraries that are loaded in the binary Any memory area that is executable is kosher. We only need to find memory chunks that end in 0xc3 We need to verify that everything is interpretable until the 0xc3 The best way to find them, is to compile the commands we need into binary and search for them.