Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dissecting complex code-reuse attacks with ROPMEMU

Published byJocelyn Montgomery Modified over 7 years ago

Similar presentations

Presentation on theme: "Dissecting complex code-reuse attacks with ROPMEMU"— Presentation transcript:

1 Dissecting complex code-reuse attacks with ROPMEMU
Mariano Graziano Cisco Talos

2 whoami Security researcher at Cisco Talos
Ph.D. from Telecom ParisTech/Eurecom Hackademic Malware analysis / Memory forensics / Mitigations

3 CODE INJECTION ATTACKS

4 CODE INJECTION ATTACKS

5 CODE INJECTION ATTACKS
Attackers inject or load malicious code (or modify the existing one)

6 CODE-REUSE ATTACKS - ROP

7 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

8 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

9 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

10 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

11 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

12 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

13 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

14 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30)

15 CODE-REUSE ATTACKS - ROP
SP = 0xFFFF88001B800000 0x00) 0x30) ?!?

16 HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption

17 HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption Persistent ROP rootkit – Vogl et al. [NDSS 14] ROP as an obfuscation technique (malware in the wild) All existing tools cope with injected code No tools to dissect ROP payloads

18 ROP ROOTKITS

19 CHUCK - CHALLENGES Memory region for the persistent control structure
Overwrites protection: Interrupts Self-overwriting Resume original/normal control flow Activate the persistent component

20 CHUCK - CHALLENGES Memory region for the persistent memory region
Overwrites protection: Interrupts Self-overwriting Resume original/normal control flow Activate the persistent component

21 CHUCK - PERSISTENCE CVE-2013-2094 sysenter IA32_SYSENTER_ESP (0x175)
IA32_SYSENTER_EIP (0x176)

22 CHUCK - PERSISTENCE CVE-2013-2094 sysenter
IA32_SYSENTER_ESP (0x175) – Copy chain IA32_SYSENTER_EIP (0x176) - ret

23 1 https://www.sec.in.tum.de/persistent-data-only-malware/
CHUCK PoC1: LPE: CVE OS: Ubuntu Server 3.8 with secure boot Hooks: sys_read sys_getdents Chains: Copy chain (persistent) Dispatcher chain Payload chain 1

24 CHALLENGES

25 CHALLENGES [C1] Verbosity

26 CHALLENGES [C1] Verbosity [C2] Lack of immediate values

27 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining

28 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches

29 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions

30 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains

31 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition

32 CHALLENGES [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition

33 CHALLENGES - Lu et al. – ACSAC12 - Yadegari et al. – S&P15 - Stancill et al. – RAID13 - Lu et al. – ACSAC12 [C1] Verbosity [C2] Lack of immediate values [C3] Stack based instruction chaining [C4] Conditional branches [C5] Return to functions [C6] Dynamically generated chains [C7] Stop condition

34 APPROACH ROPMEMU framework adopts many techniques: Memory forensics
Code emulation Multi-path exploration CFG recovery Compiler transformations

35 IMPLEMENTATION Standalone scripts (bash and python):
Volatility plugins (ropemu and unchain) depend on: Capstone Unicorn nasm Standalone scripts (bash and python): GDB python pygraphviz

36 ROPMEMU

37 ROPMEMU

38 DEMO 0x01 DEMO 0x01

39 ROPMEMU

40 DEMO 0x02 DEMO 0x02

41 ROPMEMU

42 DEMO 0x03 DEMO 0x03

43 ROPMEMU

44 ROPMEMU

45 EXPERIMENT CHAINS INSTRUCTIONS GADGETS BLOCKS BRANCHES FUNCTIONS CALLS
COPY 414275 184126 1 - DISPATCHER 63515 18874 7 3 5 PAYLOAD 6320 2913 34 26 9 17

46 RESULTS - CFG

47 RESULTS - CFG

48 RESULTS - IDA

49 DEMO 0x04 DEMO 0x04

50 LIMITATIONS Prone to anti-acquisition Prone to anti-emulation
Lack of completeness on arbitrary inputs

51 CONCLUSIONS Source code: https://github.com/vrtadmin/ROPMEMU
First public tool to analyze code-reuse payloads Tested on the most complex public threat

52 QUESTIONS? Mariano Graziano @emd3l

Download ppt "Dissecting complex code-reuse attacks with ROPMEMU"

Similar presentations

A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

A Comprehensive Study for RFID Malwares on Mobile Devices TBD.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Saumya Debray The University of Arizona Tucson, AZ 85721.

Saumya Debray The University of Arizona Tucson, AZ
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
PERSISTENT DATA-ONLY MALWARE: Function Hooks without Code Presented by Ben Summers for CSCI 780.

PERSISTENT DATA-ONLY MALWARE: Function Hooks without Code Presented by Ben Summers for CSCI 780.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
On-Chip Control Flow Integrity Check for Real Time Embedded Systems Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui.

On-Chip Control Flow Integrity Check for Real Time Embedded Systems Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google