The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights 2014 13th of November 2014.


Agenda Introduction The past The present The (nearest) future Q&A

Introduction This talk is a very high-level overview of past and present software exploitation techniques (and their first appearances) Mostly about memory corruptions and "binary" vulnerabilities The (nearest) future section is just the speaker's own thoughts

The past

Kick-off!!! 2 November 1988 Morris Worm fingerd sendmail Password bruting via rsh

fingerd stack-based buffer overflow (picture)
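The fingerd bug is the archetype of the stack-based overflow: a fixed-size line buffer on the stack filled by gets(), which stops only at a newline or NUL, so a long line runs over the saved return address. The following is an added example, not code from the talk or from the original fingerd: it models one frame as a byte array (a 16-byte buffer followed by a 32-bit tag standing in for the saved return address) so the overwrite is deterministic and portable. The buffer size, the tag value and the model's stop at the end of the frame are assumptions of this demo; the real gets() keeps writing past the frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fingerd-style frame: BUF_SIZE bytes of input buffer
 * immediately followed by the saved return address (a 32-bit tag here). */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))
#define SAVED_RET  0xCAFEBABEu   /* pretend return address */

struct frame {
    unsigned char bytes[FRAME_SIZE];
};

static void frame_init(struct frame *f) {
    uint32_t ret = SAVED_RET;
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + BUF_SIZE, &ret, sizeof ret);
}

static uint32_t frame_ret(const struct frame *f) {
    uint32_t ret;
    memcpy(&ret, f->bytes + BUF_SIZE, sizeof ret);
    return ret;
}

/* Vulnerable: copies like gets(), stopping only at NUL or newline, never at
 * BUF_SIZE. The stop at FRAME_SIZE exists only to keep this model memory-safe.
 * Returns whatever now sits where the return address was. */
uint32_t read_line_gets(const char *input) {
    struct frame f;
    size_t i = 0;
    frame_init(&f);
    while (input[i] != '\0' && input[i] != '\n' && i < FRAME_SIZE) {
        f.bytes[i] = (unsigned char)input[i];
        i++;
    }
    return frame_ret(&f);
}

/* Hardened: copies like fgets(buf, BUF_SIZE, stream): at most BUF_SIZE-1
 * bytes plus a terminator, so the return address is never reachable. */
uint32_t read_line_fgets(const char *input) {
    struct frame f;
    size_t i = 0;
    frame_init(&f);
    while (input[i] != '\0' && input[i] != '\n' && i < BUF_SIZE - 1) {
        f.bytes[i] = (unsigned char)input[i];
        i++;
    }
    f.bytes[i] = '\0';
    return frame_ret(&f);
}

int main(void) {
    const char *line = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 28 bytes, > BUF_SIZE */
    printf("gets-style : ret = 0x%08x\n", read_line_gets(line));
    printf("fgets-style: ret = 0x%08x\n", read_line_fgets(line));
    return 0;
}
```

With a line longer than the buffer the gets-style copy replaces the saved return address with 0x41414141 ("AAAA"), which is exactly the control-flow hijack the worm exploited; the fgets-style copy leaves it untouched.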

November 08, 1996 (Phrack 49) Smashing The Stack For Fun And Profit

Bypassing the non-exec Stack (ret-2-libc) - 8/10/ Solar Designer

Bypassing the non-exec Stack (ret-2-libc)

1/31/ w00w00 on Heap Overflows

9/20/ Format String bug in proftpd

7/25/ JPEG Com Marker vulnerability in Netscape

9/9/ Format String Attacks

6/18/ IIS.ida ISAPI filter Vulnerability Remove this slide?

7/13/ Code Red Worm in the Wild Remove this slide?

11/8/2001 VUDO malloc tricks

11/8/2001 Once upon a free

2/7/ Third Generation Exploits flake/bh-europe-01-halvarflake-1.ppt

7/28/ Advances in Format String Exploitation

7/10/ "Variations in Exploit methods between Linux and Windows" litchfield-paper.pdf

8/2/ “Win32 device drivers communication vulnerabilities” Arbitrary memory overwrite via ioctl METHOD_NEITHER

9/8/ "Defeating the Stack Based Buffer Overflow Prevention Mechanism of MS Windows 2003 Server" litchfield.pdf

9/30/ /SAFESEH introduced into Visual Studio Remove this slide?

4/21/2004 “Reliable Windows Heap Exploits”

7/28/2004 “Windows Heap Overflows” litchfield/bh-win-04-litchfield.ppt

10/25/ “On the effectiveness of ASLR”

"Heap Spraying" against Internet Explorer is demonstrated - 11/2/2004

1/21/ "Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass" protection.pdf

2/17/ “Remote Windows Kernel Exploitation” Jack_White_Paper.pdf

7/20/ "Windows Kernel Pool Overflow Exploitation" BeIt.pdf

8/31/ “Critical Section Heap Exploit Technique” windows-heap-protections

10/5/ Technique published to bypass hardware DEP: Uninformed Journal 2, Matt Miller (skape) and Ken Johnson (skywing): NtProtectVirtualMemory, NtSetInformationProcess

11/30/ Microsoft ships Visual Studio 2005 with GS v2 Remove this slide?

12/7/ Technique published to exploit Freelist[0] on XP-SP2 oiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

10/31/ "Memory Retrieval Vulnerabilities" Oct2006.pdf

1/19/ "Double Free Vulnerabilities" vulnerabilities-part-1

3/1/ "GS and ASLR in Windows Vista"

3/27/ "Heap Feng Shui in JavaScript" 07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

7/6/ "Understanding and Bypassing Windows Heap Protection" 7.pdf

4/14/ "Application-Specific Attacks - Leveraging the ActionScript Virtual Machine" si/compsec_assign/Dowd2008.pdf

7/1/2008 "Real World Kernel Pool Exploitation"

7/29/2008 .Net controls used to exploit IE 08/Sotirov_Dowd/bh08-sotirov-dowd.pdf

8/8/2008 "Attacking the Vista Heap" 08/Hawkes/BH_US_08_Hawkes_Attacking_Vista_Heap.ppt

2/3/ Pointer Inference and JIT Spray Paper.pdf

The present

Drive-by-download attacks: heap manipulation; turning memory corruption into information leakage (ASLR bypass); ROP
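The middle step of that chain, turning a corruption into a leak, is the one that defeats ASLR: the attacker first arranges the heap so that an object they can overflow sits right before an object whose inline length field the runtime trusts, then overflows into that length field and reads "through" the second object out to a neighbouring code pointer. The following is an added example, not code from the talk: it models three adjacent allocations in a fixed byte arena (two string objects with an inline length, then an object holding a pretend vtable pointer) so the whole chain runs deterministically. The object layout, the offsets, the planted pointer value and the setter/getter functions are all assumptions of this model; only the trust-the-length-field pattern is the real-world point.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for a heap region the attacker has shaped
 * (heap feng shui) so that A, B and C are adjacent and in this order. */
#define HEAP_SIZE 64
#define NAME_CAP  16
#define OBJ_A 0            /* string object A: len @0,  data @4..19  */
#define OBJ_B 20           /* string object B: len @20, data @24..39 */
#define OBJ_C 40           /* code object C: 8-byte "vtable" @40..47 */
#define PLANTED_VTABLE 0x00007fff12345678ull   /* pretend randomized address */

static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

static void heap_init(unsigned char *heap) {
    uint64_t vt = PLANTED_VTABLE;
    memset(heap, 0, HEAP_SIZE);
    wr32(heap + OBJ_A, NAME_CAP);
    wr32(heap + OBJ_B, NAME_CAP);
    memcpy(heap + OBJ_B + 4, "victim-string", 13);
    memcpy(heap + OBJ_C, &vt, sizeof vt);
}

/* Vulnerable setter: trusts the caller's byte count instead of the object's
 * own capacity. The clamp to the arena end is a model bound only. */
static void str_set_unchecked(unsigned char *heap, size_t obj,
                              const unsigned char *src, size_t n) {
    if (obj + 4 + n > HEAP_SIZE) n = HEAP_SIZE - obj - 4;
    memcpy(heap + obj + 4, src, n);
}

/* Hardened setter: refuses anything larger than the object's own length. */
static int str_set_checked(unsigned char *heap, size_t obj,
                           const unsigned char *src, size_t n) {
    if (n > rd32(heap + obj)) return -1;
    memcpy(heap + obj + 4, src, n);
    return 0;
}

/* Read primitive: the runtime believes the inline length field. */
static size_t str_get(const unsigned char *heap, size_t obj,
                      unsigned char *out, size_t cap) {
    size_t n = rd32(heap + obj);
    if (n > HEAP_SIZE - obj - 4) n = HEAP_SIZE - obj - 4;   /* arena end */
    if (n > cap) n = cap;
    memcpy(out, heap + obj + 4, n);
    return n;
}

/* Payload: exactly fill A's data, then 4 bytes that land on B's len field. */
static void build_payload(unsigned char p[NAME_CAP + 4]) {
    memset(p, 'A', NAME_CAP);
    wr32(p + NAME_CAP, 0xffffffffu);
}

/* Pull the 8 bytes of C's "vtable" out of a read through B, or 0 if the read
 * did not reach that far (i.e. B's length was not corrupted). */
static uint64_t extract_vtable(const unsigned char *out, size_t n) {
    const size_t off = OBJ_C - OBJ_B - 4;   /* C relative to B's data */
    uint64_t vt;
    if (n < off + sizeof vt) return 0;
    memcpy(&vt, out + off, sizeof vt);
    return vt;
}

/* Full chain with the unchecked setter: returns the leaked pointer. */
uint64_t leak_via_overflow(void) {
    unsigned char heap[HEAP_SIZE], out[HEAP_SIZE], payload[NAME_CAP + 4];
    heap_init(heap);
    build_payload(payload);
    str_set_unchecked(heap, OBJ_A, payload, sizeof payload);
    return extract_vtable(out, str_get(heap, OBJ_B, out, sizeof out));
}

/* Same chain against the checked setter: the overflow is refused, B's length
 * stays NAME_CAP, and the read never reaches C. */
uint64_t leak_with_check(void) {
    unsigned char heap[HEAP_SIZE], out[HEAP_SIZE], payload[NAME_CAP + 4];
    heap_init(heap);
    build_payload(payload);
    (void)str_set_checked(heap, OBJ_A, payload, sizeof payload);
    return extract_vtable(out, str_get(heap, OBJ_B, out, sizeof out));
}

int main(void) {
    printf("unchecked: leaked 0x%016" PRIx64 "\n", leak_via_overflow());
    printf("checked  : leaked 0x%016" PRIx64 "\n", leak_with_check());
    return 0;
}
```

Once the pointer into a code module is known, its base (and therefore gadget addresses for the ROP stage) follows from a fixed offset, which is why the leak, not the overflow itself, is what makes the exploit reliable under ASLR.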

Privilege escalation attacks: arbitrary memory overwrites; simple jump to shellcode located in the ring 3 (user-mode) address space; ROP (rarely seen)

The future: more chained exploits; more "inter-ring" exploits; firmware/hardware bugs

Thank you for listening! Any questions?