English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.
Buffer Overflow. Process Memory Organization.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Lecture 16 Buffer Overflow
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
1 Lab Session-III CSIT-120 Fall 2000 Revising Previous session Data input and output While loop Exercise Limits and Bounds Session III-B (starts on slide.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Computer Security and Penetration Testing
Lec 3: Data Representation Computer Organization & Assembly Language Programming.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks
Chapter 9 1 Chapter 9 – Part 1 l Overview of Streams and File I/O l Text File I/O l Binary File I/O l File Objects and File Names Streams and File I/O.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Introduction to Unix (CA263) File Editing By Tariq Ibn Aziz.
Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
EC week Review. Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of.
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
Introduction to Information Security ROP – Recitation 5.
Digital Computer Concept and Practice Copyright ©2012 by Jaejin Lee Control Unit.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
Chapter 9: Completing the Basics. In this chapter, you will learn about: – Exception handling – Exceptions and file checking – The string class – Character.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
8086/8088 Instruction Set, Machine Codes and Addressing Modes.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
Introduction to Information Security
Shellcode COSC 480 Presentation Alison Buben.
Mitigation against Buffer Overflow Attacks
Lec 3: Data Representation
Introduction to Information Security
CSC 495/583 Topics of Software Security Stack Overflows (2)
CSC 495/583 Topics of Software Security Return-oriented programming
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Software Security Lesson Introduction
Smashing the Stack for Fun and Profit
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
Week 2: Buffer Overflow Part 2.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
System and Cyber Security
Exploitation Part 1.
Return-to-libc Attacks
Presentation transcript:

English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary

0x01. Introduction  “code injection attack”  Manipulate Program counter (EIP in x86) : to disrupt the intended behavior (ex: return-to-libc attack)  Run the code delivered by attacker : SHELLCODE EE515/IS523: Security101: Think Like an Adversary Return-to-libc attack ‘libc’ is a shared library in Linux system. It contains useful functions such as system( ). By overwriting return address, attacker can disrupt code execution flow to functions in libc instead of making shellcodes.

0x01. Introduction (cont’d)  Shellcode: directly executable machine code  Detect its presence  Prevent its execution EE515/IS523: Security101: Think Like an Adversary Shellcode A machine code to launch a command shell(ex. /bin/sh) It should be executed independently, so it use Linux system call to start a new command shell

0x01. Introduction (cont’d)  Standard attack template of traditional buffer overflow attacks (in code injection attack)  NOPsled + shellcode + address of shellcode EE515/IS523: Security101: Think Like an Adversary Fill buffer to overflow Overwritten return address NOPsled Slammer worm Payload with exploit

0x01. Introduction (cont’d)  Polymorphic Shellcode  ‘decoder’ – to enable the encoded portion of payload to be executable form →NATIVELY EXECUTABLE  How to prevent getting shellcode as a input?  Shellcode has a ‘strange’ letters (non-ascii letters) EE515/IS523: Security101: Think Like an Adversary

0x02. Arms races  limit the range of accepted byte-values by alphanumeric or just certain character sets ex. isalnum, strspn  Limit the set of operations available in an attack  Solution: use encodings to convert original shellcode  Alphanumeric shellcode  Convert payloads to be consists of only letters and digits  Can be stored as unsuspected contexts  Smaller than other character sets like Unicode, UTF-8  Need an alphanumeric decoder EE515/IS523: Security101: Think Like an Adversary

0x02. Arms races (cont’d)  Detect the attack using the shellcode structure  Fail to ban the attack which is not constrained to the layout  contemporary researches are based on the idea ‘Shellcode is fundamentally different in structure than non-executable payload data’ EE515/IS523: Security101: Think Like an Adversary

0x03. English shellcode  Machine instruction seemed like ASCII character EE515/IS523: Security101: Think Like an Adversary

0x03. English shellcode - generation EE515/IS523: Security101: Think Like an Adversary  Make a list to categorize English- compatible instructions by behavior  Write a decoder which can make exploit using only instructions from the list  Three general types of instructions for multiple variants of English shellcode from the same payload  NOPs  Operation that affect generally but no interfere with decoder  Affect both machine state and decoder but no net effect

0x03. English shellcode - generation  With n-gram model, generate and train it with large set of English text EE515/IS523: Security101: Think Like an Adversary 123 4

0x03. English shellcode - generation  Use numerical values to indicate the strength of each candidates (Viterbi search)  Traverse the language model to find strings of word that score the highest possible value EE515/IS523: Security101: Think Like an Adversary 123 4

0x03. English shellcode - generation EE515/IS523: Security101: Think Like an Adversary

0x03. English shellcode - generation  To encode the original payload, continue to sample strings and get functionally equivalent encoded string from the original shellcode. EE515/IS523: Security101: Think Like an Adversary 123 4

0x03. English shellcode – auto generate  Monitoring with ptrace API of Linux EE515/IS523: Security101: Think Like an Adversary

0x03. English shellcode – optimize  Monitoring with ptrace API of Linux  Too arduous task to check every expand  Monitored direct execution  No need to ptrace  Two sets of machine state and switch  No single-step execution in every instruction → investigate only when flags are changed or memory beyond the current point is changed EE515/IS523: Security101: Think Like an Adversary

0x04. Evaluation  Exit(0) EE515/IS523: Security101: Think Like an Adversary

0x04. Evaluation (cont’d)  ‘Shellcode need not to be different in structure than non-executable payload data’ EE515/IS523: Security101: Think Like an Adversary

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.