CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos

More Jargon
- Vulnerability type: stack overflow, heap overflow, integer overflow, use-after-free, format string bug
- Vulnerability scope: kernel/user, local/remote
- Exploit type (what the attacker gains): code execution, privilege escalation, denial of service (DoS)

Stack Buffer Overflow
[Diagram: two stack layouts. Left, the normal frame: return address, local variables, vulnerable buffer. Right, after the overflow: the attacker's input fills the buffer with a NOP sled followed by shellcode and overwrites the saved return address with NEW RET, pointing into the injected sled/shellcode.]

Defense 1
[Diagram: the same frame (return address, local variables, vulnerable buffer) with a canary, a random value, inserted between the locals and the return address, so a linear overflow must corrupt the canary before it can reach the return address.]

Canary Values (stack canaries)
- Produced by the compiler (e.g. GCC/Clang -fstack-protector), which places the random value below the saved return address
- Checked at run-time, in the function epilogue just before ret; a mismatch aborts the process
- Can be disclosed, e.g. through a memory-disclosure or format string bug, and then written back in place by the attacker
- Can be brute-forced, e.g. byte by byte against a forking server, where every child inherits the same canary
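Worked example for slides 3 to 5 (added here, not part of the original slides): the stack frame is modelled as a flat 40-byte region holding a 16-byte vulnerable buffer, the canary, the saved frame pointer and the return address, in that order from low to high address. The canary value, the legitimate return address and the saved rbp are constructed constants; an unchecked copy (strcpy()-style) smashes the frame, and the epilogue check either catches it or, when the attacker already knows the canary, does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * One x86-64 stack frame as a flat byte region, lowest address first:
 * [0..15] local buffer, [16..23] canary, [24..31] saved rbp, [32..39] RET.
 * Working on raw bytes keeps the demo well-defined C; on a real stack the
 * same slots are simply adjacent memory.
 */
enum { BUF_SZ = 16, OFF_CANARY = 16, OFF_RBP = 24, OFF_RET = 32, FRAME_SZ = 40 };

/* Hypothetical canary. glibc's is random per process and keeps a zero
 * low byte so string functions stop at it. */
#define CANARY 0x7a3f9c01d5e2ab00ULL

static uint64_t rd64(const unsigned char *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void     wr64(unsigned char *p, uint64_t v) { memcpy(p, &v, 8); }

/* Vulnerable copy: trusts the attacker's length, like strcpy()/gets(). */
static void copy_unchecked(unsigned char *buf, const unsigned char *src, size_t n) {
    memcpy(buf, src, n);
}

/* Fixed copy: never writes past the buffer. */
static void copy_bounded(unsigned char *buf, size_t bufsz, const unsigned char *src, size_t n) {
    memcpy(buf, src, n < bufsz ? n : bufsz);
}

/* The check the compiler emits before `ret` (calls __stack_chk_fail on mismatch). */
static int canary_intact(const unsigned char *frame) {
    return rd64(frame + OFF_CANARY) == CANARY;
}

/* Attacker payload: 'A' padding up to RET, then NEW RET. If the canary was
 * disclosed beforehand, it is written back into its slot so the check passes. */
static size_t build_payload(unsigned char *out, uint64_t new_ret, const uint64_t *leaked_canary) {
    memset(out, 'A', FRAME_SZ);
    if (leaked_canary) wr64(out + OFF_CANARY, *leaked_canary);
    wr64(out + OFF_RET, new_ret);
    return FRAME_SZ;
}

struct outcome { int canary_ok; uint64_t ret; };

/* One run: fresh frame, attacker input, then the epilogue's canary check.
 * canary_ok == 1 means the function would actually return to `ret`. */
struct outcome attack_run(int bounded_copy, int canary_known) {
    unsigned char frame[FRAME_SZ] = {0};
    wr64(frame + OFF_CANARY, CANARY);
    wr64(frame + OFF_RBP, 0x7ffd1f2e0a40ULL);   /* constructed saved rbp */
    wr64(frame + OFF_RET,  0x401136ULL);        /* constructed legitimate RET */

    unsigned char payload[FRAME_SZ];
    uint64_t leaked = CANARY;                   /* what a disclosure bug would give */
    size_t n = build_payload(payload, 0x4141414141414141ULL, canary_known ? &leaked : NULL);

    if (bounded_copy) copy_bounded(frame, BUF_SZ, payload, n);
    else              copy_unchecked(frame, payload, n);

    struct outcome o = { canary_intact(frame), rd64(frame + OFF_RET) };
    return o;
}
```

attack_run(0, 0) shows the canary doing its job: RET is overwritten but the check fails, so the process aborts before ret. attack_run(0, 1) is the disclosure case from the slide: RET is hijacked and the check still passes. attack_run(1, 0) is the real fix, bounds checking, after which neither the canary nor RET is touched.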

Defense 2
[Diagram: the overflowed frame (return address, local variables, vulnerable buffer) beside the process memory layout from low to high address: Text, Data, Heap, Stack. Text is executable; the question raised is whether the stack needs to be executable at all.]

NX-bit
- Non-Executable bit on a page-table entry; marketed as Data Execution Prevention (DEP) on Windows
- W xor X (W^X): a page can be writable or executable, but not both, so data injected into the stack or heap cannot be run as code
- Enforced by the MMU on every instruction fetch; most modern CPUs support it (Intel/AMD NX/XD bit, ARM XN bit)

Limitations of NX-bit
- JIT compilers and other dynamically generated code, e.g. the JavaScript engines in web browsers, must write code into memory and then execute it. Such pages are either mapped RWX, which defeats the protection, or flipped from writable to executable after the code has been emitted, and that transition has to be handled carefully.
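Worked example (added here, not part of the original slides): the write-then-execute dance a JIT has to perform under W^X, with a small policy wrapper that refuses any RWX mapping. wx_allowed() and wx_mprotect() are hypothetical helper names; the emitted code is the x86 sequence `mov $42, %eax ; ret`, so the function returns 42 on x86/x86-64 hosts and -1 where the host is another ISA or the kernel refuses the executable mapping (e.g. under an execmem restriction).

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20          /* Linux value; only needed under strict -std flags */
#endif

/* W^X as a userland policy: a mapping may be writable or executable, never both. */
int wx_allowed(int prot) {
    return !((prot & PROT_WRITE) && (prot & PROT_EXEC));
}

/* mprotect() wrapper that rejects RWX before asking the kernel. Returns 0 on success. */
int wx_mprotect(void *addr, size_t len, int prot) {
    if (!wx_allowed(prot)) return -1;
    return mprotect(addr, len, prot);
}

/*
 * What a JIT must do when it cannot have RWX pages:
 *   1. map a page RW and write the generated code into it,
 *   2. flip the page to RX (the write permission is dropped),
 *   3. only then call into it.
 * Emits `mov $42, %eax ; ret` and returns its result; -1 on failure/other ISA.
 */
int jit_emit_and_run(void) {
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return -1;

    void *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;

    memcpy(page, code, sizeof code);                         /* 1. write while RW  */

    if (wx_mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)pagesz);                        /* 2. RX flip refused */
        return -1;
    }

    int (*fn)(void);
    memcpy(&fn, &page, sizeof fn);                           /* data ptr -> code ptr */
    int result = fn();                                       /* 3. execute          */
    munmap(page, (size_t)pagesz);
    return result;
#else
    return -1;                                               /* not an x86 host     */
#endif
}
```

The interesting window is between steps 1 and 2: while the page is still writable, any memory-corruption bug that can reach it gives the attacker a way to plant code that will shortly become executable. That is why hardened JITs keep that window short, or map the same physical pages twice (one RW view for the emitter, one RX view for execution) so no single address is ever both.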

Return to libc
[Diagram: with a non-executable stack the overflow still overwrites the saved return address, but instead of pointing it at injected code the attacker points it at an existing function, drawn as (*f)(), inside libc, e.g. execve("/bin/sh", ...). The libc code is already executable, so NX does not stop it.]

Return Oriented Programming (ROP)
[Slide shows three columns of x86-64 disassembly taken from main() of a real binary (addresses around 41c0c2..41c523, with a call to sh_xfree), once plain and once with symbolic <main+0x...> annotations. Three short instruction sequences ending in ret are highlighted as Gadget 1, Gadget 2 and Gadget 3. The ret-terminated sequences visible in the dump are:
  mov 0x2cda8d(%rip),%rax ; ret
  mov $0x63b,%edx ; mov $0x4ab01d,%esi ; callq 46cab0 <sh_xfree> ; ret
  mov (%rsp),%rdx ; movslq %r15d,%rax ; mov (%rdx,%rax,8),%r14 ; ret
  movslq %ebp,%rax ; ret
Any such sequence, taken from code that is already executable, can serve as a gadget.]

ROP in action
[Diagram: the same non-executable stack as in the return-to-libc slide; the overflow now writes a ROP chain, a sequence of gadget addresses, in place of the return address and the stack words above it. The overwritten region acts as a "virtual stack" that drives execution through (*f)() after (*f)().]

How does the ROP chain work? The stack pointer (esp on x86, rsp on x86-64) takes over the role of the instruction pointer.
[Diagram: the ROP chain on the stack holds Addr. of G1, Addr. of G2, Addr. of G3, ..., Addr. of GN. Each address points into the TEXT section (code) at a gadget of the form G1; ret, G2; ret, G3; ret, ..., GN; ret. Every ret pops the next address off the stack, so control flows G1 -> G2 -> G3 -> ... -> GN without a single byte of injected code being executed.]
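Worked example for the return-to-libc and ROP slides (added here, not part of the original slides): a toy machine with a few registers and a word-addressed stack, in which a ROP chain built from two `pop reg ; ret` gadgets hands attacker-chosen arguments to libc's execve(). All addresses (gadgets, execve, the "/bin/sh" string, the stack base) are made up for the example, and the gadgets are modelled symbolically rather than by decoding real machine code; what the model reproduces faithfully is the control flow: each ret pops the next word, so rsp drives execution.

```c
#include <stdint.h>
#include <string.h>

/*
 * Toy model of control flow after a stack overflow with a non-executable
 * stack: the saved RET and the words above it have been replaced by a ROP
 * chain, and every `ret` pops the next gadget address. Addresses are fake.
 */
#define STACK_BASE  0x7ffd1f2e0000ULL        /* address of stack[0]            */
#define STACK_WORDS 16

#define G_POP_RDI   0x0000000000401a3bULL    /* gadget: pop %rdi ; ret          */
#define G_POP_RSI   0x0000000000401c11ULL    /* gadget: pop %rsi ; ret          */
#define LIBC_EXECVE 0x00007f2e9d0ce290ULL    /* execve() in libc (ret2libc)     */
#define ADDR_BINSH  0x00007f2e9d1bc5aaULL    /* "/bin/sh" string inside libc    */

typedef struct {
    uint64_t rsp, rip, rdi, rsi, rdx;
    uint64_t stack[STACK_WORDS];   /* stack[0] is the lowest address          */
    uint64_t trace[8];             /* gadget addresses in execution order      */
    int      ntrace;
    int      exec_called;
    char     exec_path[16];        /* what the modelled execve() was asked to run */
} machine;

/* Pop one 8-byte word: the heart of both `ret` and `pop reg`. */
static uint64_t pop64(machine *m) {
    uint64_t v = m->stack[(m->rsp - STACK_BASE) / 8];
    m->rsp += 8;
    return v;
}

/* Read-only "memory": the only mapped string is "/bin/sh" in libc. */
static const char *read_cstr(uint64_t addr) {
    return addr == ADDR_BINSH ? "/bin/sh" : "";
}

/* Run from the vulnerable function's `ret` until the chain ends or faults. */
static int run_chain(machine *m) {
    for (;;) {
        m->rip = pop64(m);                          /* ret: rsp decides rip     */
        if (m->ntrace < 8) m->trace[m->ntrace++] = m->rip;
        switch (m->rip) {
        case G_POP_RDI:  m->rdi = pop64(m); break;  /* pop %rdi ; ret           */
        case G_POP_RSI:  m->rsi = pop64(m); break;  /* pop %rsi ; ret           */
        case LIBC_EXECVE:                           /* execve(rdi, rsi, rdx)    */
            m->exec_called = 1;
            strncpy(m->exec_path, read_cstr(m->rdi), sizeof m->exec_path - 1);
            return 0;                               /* never returns for real   */
        default:
            return -1;                              /* unmapped address: crash  */
        }
        /* each gadget ends in ret: loop back and pop the next address */
    }
}

/* Attacker's view: the overflow wrote these words starting at the saved-RET
 * slot (stack[4], i.e. just past 32 bytes of local buffer). */
machine *rop_demo(void) {
    static machine m;
    memset(&m, 0, sizeof m);
    const uint64_t chain[] = {
        G_POP_RDI, ADDR_BINSH,   /* rdi = "/bin/sh"                    */
        G_POP_RSI, 0,            /* rsi = NULL (argv)                  */
        LIBC_EXECVE,             /* execve(rdi, rsi, rdx=0 as envp)    */
    };
    size_t ret_slot = 4;
    memcpy(&m.stack[ret_slot], chain, sizeof chain);
    m.rsp = STACK_BASE + ret_slot * 8;   /* rsp when the victim executes ret */
    run_chain(&m);
    return &m;
}
```

Reading m->trace after rop_demo() shows the sequence the slides describe: G_POP_RDI, then G_POP_RSI, then the libc target, with no code ever executed from the stack itself. The chain only needs the two pop gadgets because x86-64 passes the first arguments in rdi and rsi; on 32-bit x86 a plain return-to-libc call would take its arguments straight from the stack instead.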