Exploitation possibilities of memory related vulnerabilities

Exploitation possibilities of memory related vulnerabilities László ERDŐDI, PhD, CEH, SSCP Óbuda University, John von Neumann Faculty of Informatics, Department of Software Technology

Memory corruption vulnerabilities since 2002 (chart: number of vulnerabilities per year, axis 100 to 400, years 2002 to 2011; examples marked on the chart: CVE-2013-4974, CVE-2013-4206, CVE-2013-3348)

Virtual address space
Each process sees its own virtual memory, which is mapped onto physical memory. Regions shown in the slide:
- Stack: local variables, method parameters, exception handling data, return addresses
- Dynamically linked shared libraries (libc)
- Heap: dynamic variables
- Global variables
- Compiled code

Main causes and exploitation methods
- Lack of input validation in unbounded copy functions (strcpy, gets, etc.): stack-based overflow, exploited by placing harmful code on the stack or, where the stack is not executable, by ROP or JOP
- Dynamic memory allocation problems (use after free, double free vulnerabilities) and heap overflow: function pointer overwrite combined with heap spraying
- Exception handling errors: SEH (Structured Exception Handler) overwrite
- Others

Classic example of buffer overflow
Method2 calls Method1(a). Method1 holds d, a fixed-size array on the stack, and copies a into d without checking the length of a:

Method1(a) {
    d: fixed size array
    copy a to d
}
Method2() {
    Method1(a);
}

If a is longer than d, the copy runs past the end of d into the rest of the stack frame, including the saved return address, so Method1 returns to an attacker-chosen location (the slide's diagram shows d on the stack and the code segment holding the methods).
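Added illustration of the slide above, not code from the presentation: a C simulation of Method1's stack frame, showing the unchecked copy clobbering the saved return address that sits directly after the fixed-size array, beside a checked copy that refuses oversized input. The 16-byte buffer, the return address 0x4011aa and the input string are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame Method1() in the slide pushes on the stack: the fixed-size
 * local buffer d[] followed directly by the saved return address. Sizes and the
 * return address 0x4011aa are constructed for this example. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))
#define SAVED_RET  0x4011aaULL

/* Constructed input: 16 bytes fill d[] exactly; the seven 'B's and the
 * terminator land on the saved return address. */
const char kOverflowInput[] = "AAAAAAAAAAAAAAAABBBBBBB";

/* "copy a to d" with no length check, as the slide's Method1 does. The frame is
 * one byte array so the copy stays within defined behaviour; the only bound is
 * the frame itself, which a real strcpy would also run past. Returns the
 * return-address slot as it reads after the copy. */
uint64_t method1_unchecked(const char *a) {
    unsigned char frame[FRAME_SIZE];
    uint64_t ret = SAVED_RET;
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &ret, sizeof ret);   /* saved return address above d[] */

    size_t n = strlen(a) + 1;                       /* strcpy copies the NUL as well */
    if (n > FRAME_SIZE) n = FRAME_SIZE;             /* simulation bound only */
    memcpy(frame, a, n);                            /* n is never compared with BUF_SIZE */

    memcpy(&ret, frame + BUF_SIZE, sizeof ret);
    return ret;   /* on a little-endian machine kOverflowInput yields 0x0042424242424242 */
}

/* Did the copy change where Method1 will return to? */
int return_address_corrupted(const char *a) {
    return method1_unchecked(a) != SAVED_RET;
}

/* Hardened Method1: refuse input that does not fit d[] together with its terminator. */
int method1_checked(const char *a, char d[BUF_SIZE]) {
    size_t len = strlen(a);
    if (len >= BUF_SIZE) return -1;                 /* would overflow d[] */
    memcpy(d, a, len + 1);
    return 0;
}

/* Convenience: run the checked copy into a scratch buffer and return its verdict. */
int method1_checked_verdict(const char *a) {
    char d[BUF_SIZE];
    return method1_checked(a, d);
}

int main(void) {
    printf("short input: ret=0x%llx corrupted=%d checked=%d\n",
           (unsigned long long)method1_unchecked("hello"),
           return_address_corrupted("hello"), method1_checked_verdict("hello"));
    printf("long input:  ret=0x%llx corrupted=%d checked=%d\n",
           (unsigned long long)method1_unchecked(kOverflowInput),
           return_address_corrupted(kOverflowInput), method1_checked_verdict(kOverflowInput));
    return 0;
}
```

The check in method1_checked is the whole fix: the copy size must be compared with the destination size, terminator included, before any byte is written. Note that an input of exactly 16 characters also corrupts the frame, because the terminator alone overwrites the low byte of the return address.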

Bypassing memory execution protection (DEP/NX): return to libc. Instead of injecting code, the overwritten return address points at an existing library function (for example in libc), with the function's arguments supplied by the attacker on the stack.

Avoiding DEP: Return oriented programming (ROP), Shacham 2007
No executable code is placed on the stack; the stack holds only a series of memory addresses (of short instruction sequences ending in ret, the gadgets) and their parameters. Each ret pops the next gadget address, so control flows through the whole chain.
Stack layout in the slide: Memory addr 1, Memory addr 2, Parameter 1, Parameter 2, Memory addr 3, Parameter 4
Gadgets: Instruction 1; ret / Instruction 2; ret / Instruction 3; ret

Jump oriented programming (JOP), Bletsch, Jiang, Freeh 2011
Attack execution without using the stack: not affected by stack cookies or a returnless kernel, and usable on register machines. A dispatcher gadget increments an index pointer and jumps to the address it currently selects; every functional gadget ends with a jmp back to the dispatcher instead of a ret.
Dispatcher table in the slide: Memory addr 1, Memory addr 2, Parameter 1, Parameter 2, Memory addr 3, Parameter 4
Gadgets: Instruction 1; jmp / Instruction 2; jmp / Instruction 3; jmp

Protection against memory corruption (slide matrix of defenses against attack classes)
Attack classes: stack overflow, return to libc, ROP, JOP, heap overflow (double free, use after free), unhandled exceptions
Defenses considered: SEH chain rewrite protection, return address checking, control flow integrity; the slide marks each defense as covering some classes (+) and as an open question (?) for others

Jump Oriented Programming – dispatcher gadgets in shared libraries (Erdődi, 2013)

Jump Oriented Programming – WinExec example for Win32 X86

Return and Jump Oriented Programming: requirements of Turing-completeness (Kornau: ARM, 2009; Buchanan, Roemer: RISC, 2008)
- Arbitrary code execution
- Loading variables from memory
- Writing variables to memory
- Branches
- Cycles (loops)
- Method calls

Example: How to carry out conditional statements with return-oriented programming?
Method 1: write the addresses of the false branch and the true branch into writable memory and load esp from the one selected by indirect addressing: 31 gadgets
Method 2: load the distance between the false branch and the true branch into a register and add it to esp if the condition is true: 17 gadgets
Method 3: use a gadget that evaluates the condition and performs the jump in the same sequence: 5 gadgets
(Gadgets in the slide's diagram: Instruction 1; ret / Instruction 2; ret / Instruction 3; ret)
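Added example, not part of the presentation: a small C simulation of how the chains on the ROP and JOP slides execute, and of Method 2 above for a conditional. Gadgets are C functions whose addresses fill a simulated stack (ROP: each gadget ends in ret, which pops the next address) or a dispatcher table (JOP: each gadget jumps back to a dispatcher that advances an index register). The register names, the write4 gadget set (pop reg1; pop reg2; mov [reg1], reg2) taken from the description-language slides, and the memory and stack sizes are assumptions of the simulation, not the slides' real x86 gadgets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy register machine for stepping through ROP and JOP chains. Gadgets are C
 * functions, a gadget's "address" is its function pointer stored as a machine
 * word, and mem[] stands in for writable memory (its index for an address, so
 * addresses must be below 8). A simulation written for this page, not real gadgets. */
typedef struct machine machine_t;
typedef void (*gadget_fn)(machine_t *);
struct machine {
    uintptr_t reg1, reg2;        /* general-purpose registers */
    uintptr_t sp;                /* esp, as an index into stack[] */
    uintptr_t stack[32];         /* attacker-controlled stack (the ROP payload) */
    uintptr_t idx;               /* JOP index register */
    const uintptr_t *table;      /* JOP dispatcher table */
    uintptr_t mem[8];            /* simulated writable data memory */
    gadget_fn next;              /* eip: the gadget control transfers to next */
};

static void run(machine_t *m)  { while (m->next) m->next(m); }
static void stop(machine_t *m) { m->next = NULL; }       /* terminates a chain */

/* ---- ROP: every gadget ends in ret, which pops the next gadget address ---- */
static void gadget_ret(machine_t *m)     { m->next = (gadget_fn)m->stack[m->sp++]; }
static void rop_pop_reg1(machine_t *m)   { m->reg1 = m->stack[m->sp++]; gadget_ret(m); }
static void rop_pop_reg2(machine_t *m)   { m->reg2 = m->stack[m->sp++]; gadget_ret(m); }
static void rop_mov_mem(machine_t *m)    { m->mem[m->reg1] = m->reg2;   gadget_ret(m); }
/* Conditional gadget of Method 2: if reg1 != 0, add reg2 (a distance in stack
 * words) to esp, so the following ret lands past the false branch. */
static void rop_add_esp_if(machine_t *m) { if (m->reg1) m->sp += m->reg2; gadget_ret(m); }

/* write4 as a ROP chain: pop reg1 | addr | pop reg2 | value | mov [reg1],reg2 */
uintptr_t rop_write4(uintptr_t addr, uintptr_t value) {
    machine_t m; memset(&m, 0, sizeof m);
    uintptr_t chain[] = { (uintptr_t)rop_pop_reg1, addr,
                          (uintptr_t)rop_pop_reg2, value,
                          (uintptr_t)rop_mov_mem,  (uintptr_t)stop };
    memcpy(m.stack, chain, sizeof chain);
    gadget_ret(&m);     /* the overwritten return address "returns" into gadget 1 */
    run(&m);
    return m.mem[addr];
}

/* if (cond) mem[0] = 1; else mem[0] = 2;  as a ROP chain (Method 2).
 * Layout: [load cond][load distance][add esp if][false branch][true branch] */
uintptr_t rop_conditional(uintptr_t cond) {
    machine_t m; memset(&m, 0, sizeof m);
    const uintptr_t false_words = 6;     /* words occupied by the false branch */
    uintptr_t chain[] = {
        (uintptr_t)rop_pop_reg1, cond,
        (uintptr_t)rop_pop_reg2, false_words,
        (uintptr_t)rop_add_esp_if,
        (uintptr_t)rop_pop_reg1, 0, (uintptr_t)rop_pop_reg2, 2, (uintptr_t)rop_mov_mem, (uintptr_t)stop, /* false */
        (uintptr_t)rop_pop_reg1, 0, (uintptr_t)rop_pop_reg2, 1, (uintptr_t)rop_mov_mem, (uintptr_t)stop, /* true */
    };
    memcpy(m.stack, chain, sizeof chain);
    gadget_ret(&m);
    run(&m);
    return m.mem[0];
}

/* ---- JOP: gadgets end in jmp to the dispatcher; the dispatcher walks a table ---- */
/* Dispatcher gadget: advance the index register, jump to the entry it now selects. */
static void jop_dispatch(machine_t *m)  { m->next = (gadget_fn)m->table[m->idx++]; }
static void jop_load_reg1(machine_t *m) { m->reg1 = m->table[m->idx++]; m->next = jop_dispatch; }
static void jop_load_reg2(machine_t *m) { m->reg2 = m->table[m->idx++]; m->next = jop_dispatch; }
static void jop_mov_mem(machine_t *m)   { m->mem[m->reg1] = m->reg2;    m->next = jop_dispatch; }

/* write4 driven from a dispatcher table instead of the stack. *stack_words_used
 * reports how many stack words the chain consumed: none, which is why a stack
 * cookie or a returnless kernel never sees it. */
uintptr_t jop_write4(uintptr_t addr, uintptr_t value, uintptr_t *stack_words_used) {
    machine_t m; memset(&m, 0, sizeof m);
    uintptr_t table[] = { (uintptr_t)jop_load_reg1, addr,
                          (uintptr_t)jop_load_reg2, value,
                          (uintptr_t)jop_mov_mem,   (uintptr_t)stop };
    m.table = table;
    m.next = jop_dispatch;      /* e.g. a hijacked function pointer reaches the dispatcher */
    run(&m);
    if (stack_words_used) *stack_words_used = m.sp;
    return m.mem[addr];
}

/* Stack words consumed by a JOP write: expected to be 0. */
uintptr_t jop_stack_words_used(void) { uintptr_t used = 0; jop_write4(1, 7, &used); return used; }

int main(void) {
    uintptr_t used = 0;
    printf("ROP write4: mem[3] = 0x%lx\n", (unsigned long)rop_write4(3, 0x41424344));
    printf("ROP if: cond=1 -> %lu, cond=0 -> %lu\n",
           (unsigned long)rop_conditional(1), (unsigned long)rop_conditional(0));
    printf("JOP write4: mem[5] = 0x%lx, stack words used = %lu\n",
           (unsigned long)jop_write4(5, 0xdeadbeef, &used), (unsigned long)used);
    return 0;
}
```

The two chains perform the same write, but only the ROP one advances sp; a defense that checks the stack (cookies, return address checking) has nothing to inspect in the JOP case, which is the point of the JOP slide. In rop_conditional the skipped region is the false branch, so the distance loaded into reg2 is simply its length in words.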

Description language for return- and jump-oriented programming
write: e.g. placing "net user add user passw" into the data segment.
Gadget sequence for write4:address:value, variant 1:
gadget1: pop reg1
gadget2: pop reg2
gadget3: mov [reg1], reg2
Variant 2 (address and value each assembled as the sum of two popped words):
gadget1: pop reg1
gadget2: pop reg2
gadget3: add reg1, reg2
gadget4: pop reg3
gadget5: pop reg4
gadget6: add reg3, reg4
gadget7: mov [reg1], reg3
Expansion of write:00400000:net user add user passw into 4-byte stores:
write4:00400000:net
write4:00400004:user
write4:00400008: add
write4:0040000c: use
write4:00400010:r pa
write3:00400014:ssw

Description language for return- and jump-oriented programming: statement forms
write:address:value
call:address:param1:param2: ... :paramn (e.g. call:fopen_address:filename_string:filemode)
if:condition:address_true:address_false

Description language for return- and jump-oriented programming: sample program (symbolic form, then the concrete form with addresses)
1: write:dataseg_addr1:filename_string            write:00400000:try.txt
2: call:fopen_address:dataseg_addr1:filemode      call:7c560122:00400000:0
3: if:address_of_gadget "cmp eax,0":6:4           if:77c7d230:6:4
4: write:dataseg_addr2:name_of_executable         write:00400010:cmd.exe
5: call:winexec_addr:dataseg_addr2                call:7d77501c:0400010
6: call:exitprocess_addr                          call:7c210254
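Added example, not code from the presentation: a parser for the description language of the slides above, plus the expansion of a write statement into the write4/write3 stores the slide lists for "net user add user passw". The six sample lines are copied from the slide; the field layout (hexadecimal addresses and parameters, statement numbers as the two targets of if) is read off the examples and is an assumption of this parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Statements of the slide's description language:
 *   write:address:value      call:address:param1:...:paramn
 *   if:condition_gadget:line_true:line_false
 * Addresses and parameters are hexadecimal, as in the slide's listing. */
typedef enum { ST_BAD = 0, ST_WRITE, ST_CALL, ST_IF } stmt_kind;
typedef struct {
    stmt_kind kind;
    uint32_t addr;               /* write target, callee, or condition gadget */
    char value[64];              /* write: string to place in memory */
    uint32_t params[8];          /* call: parameters */
    int nparams;
    int line_true, line_false;   /* if: statement numbers to continue at */
} stmt_t;

/* One write4/write3 store: up to 4 bytes at a target address. */
typedef struct { uint32_t addr; int len; char bytes[4]; } chunk_t;

/* The slide's six-line sample program, constructed input for this example. */
const char *kSampleProgram[6] = {
    "write:00400000:try.txt", "call:7c560122:00400000:0", "if:77c7d230:6:4",
    "write:00400010:cmd.exe", "call:7d77501c:0400010",    "call:7c210254",
};

/* Parse "kind:field:field...". Returns 0 on success, -1 on a malformed line. */
int parse_stmt(const char *line, stmt_t *out) {
    char buf[128]; char *f[12]; int n = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    for (char *p = strtok(buf, ":"); p && n < 12; p = strtok(NULL, ":")) f[n++] = p;
    memset(out, 0, sizeof *out);
    if (n < 2) return -1;
    out->addr = (uint32_t)strtoul(f[1], NULL, 16);
    if (strcmp(f[0], "write") == 0 && n == 3) {
        out->kind = ST_WRITE;
        snprintf(out->value, sizeof out->value, "%s", f[2]);
    } else if (strcmp(f[0], "call") == 0) {
        out->kind = ST_CALL;
        for (int i = 2; i < n && out->nparams < 8; i++)
            out->params[out->nparams++] = (uint32_t)strtoul(f[i], NULL, 16);
    } else if (strcmp(f[0], "if") == 0 && n == 4) {
        out->kind = ST_IF;
        out->line_true = atoi(f[2]);
        out->line_false = atoi(f[3]);
    } else {
        return -1;
    }
    return 0;
}

/* Split a write into 4-byte stores plus a shorter tail, the way the slide turns
 * "net user add user passw" at 00400000 into five write4 and one write3. */
int expand_write(const stmt_t *s, chunk_t *out, int max) {
    size_t len = strlen(s->value); int n = 0;
    for (size_t off = 0; off < len && n < max; off += 4, n++) {
        size_t take = len - off < 4 ? len - off : 4;
        out[n].addr = s->addr + (uint32_t)off;
        out[n].len = (int)take;
        memset(out[n].bytes, 0, sizeof out[n].bytes);
        memcpy(out[n].bytes, s->value + off, take);
    }
    return n;
}

/* Render a chunk in the slide's notation, e.g. "write4:00400000:net ". */
void format_chunk(const chunk_t *c, char *out, size_t outsz) {
    snprintf(out, outsz, "write%d:%08x:%.*s", c->len, c->addr, c->len, c->bytes);
}

/* Helpers returning the checkable pieces of a parsed line. */
int stmt_kind_of(const char *line)      { stmt_t s; return parse_stmt(line, &s) == 0 ? (int)s.kind : -1; }
uint32_t stmt_addr_of(const char *line) { stmt_t s; return parse_stmt(line, &s) == 0 ? s.addr : 0; }
int stmt_nparams_of(const char *line)   { stmt_t s; return parse_stmt(line, &s) == 0 ? s.nparams : -1; }

/* Expand one write line and return its i-th chunk in slide notation (static buffer). */
const char *write_chunk_text(const char *line, int i, int *count) {
    static char text[32]; stmt_t s; chunk_t ch[16];
    if (parse_stmt(line, &s) != 0 || s.kind != ST_WRITE) { if (count) *count = 0; return ""; }
    int n = expand_write(&s, ch, 16);
    if (count) *count = n;
    if (i < 0 || i >= n) return "";
    format_chunk(&ch[i], text, sizeof text);
    return text;
}

int main(void) {
    for (int i = 0; i < 6; i++) {
        stmt_t s;
        if (parse_stmt(kSampleProgram[i], &s) != 0) { printf("%d: bad line\n", i + 1); continue; }
        printf("%d: kind=%d addr=%08x nparams=%d\n", i + 1, (int)s.kind, s.addr, s.nparams);
    }
    int n; const char *big = "write:00400000:net user add user passw";
    write_chunk_text(big, 0, &n);
    for (int i = 0; i < n; i++) printf("  %s\n", write_chunk_text(big, i, NULL));
    return 0;
}
```

Each expanded chunk maps onto the write4 gadget sequence of the earlier slide (pop reg1 with the chunk address, pop reg2 with the four bytes, mov [reg1], reg2); the 3-byte tail is why the slide needs a separate write3 primitive rather than a fourth full-word store, which would overwrite the byte after the string.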

Summary
Memory related vulnerabilities are extremely dangerous and evolving quickly. The tendency is towards reusing legitimate code for attacks (ROP, JOP). Several open questions remain to be solved.