Overview Firefox exploit Instrumentation: Finding values

Presentation on theme: "Overview Firefox exploit Instrumentation: Finding values"— Presentation transcript:

1 Overview
Firefox exploit
  Code injection using a buggy JavaScript interpreter
  JavaScript code exploiting the bug
  The bug in C++
  The bug in assembly code
Instrumentation: Finding values
Daikon: Finding invariants
LiveShield: Enforcing invariants
April 10, 2007 DARPA AC MIT Site Visit

2 Remote Code Execution Exploit
[Diagram] html → Load JavaScript
From:

3 JavaScript Exploit Code
// spray payload
memory = new Array();
for (i=0;i<heapBlocks;i++)
  // Insert x86 instructions for calling shell code.
  memory[i]= …;
// Invoke injected code
InstallTrigger.install.call(0x , "a", "a");
Spend more time to talk about it.

4 JavaScript Interpreter (C++ code)
// getting C++ object from JavaScript object
nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)JS_GetPrivate(cx, obj);
// bug: doesn't check the type of nativeThis
nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled); // exploit point

5 Disassembled Code
nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled); // exploit point
push ecx
push 1
push dword ptr [ebp-10h]
push ebx
call dword ptr [eax+0Ch]   // ptr[eax+0Ch] is the method address
All variables, but few constraints.
The call target is a computed value which is not in the source code.

6 Overview
Firefox exploit
Instrumentation: Finding values
  Register and memory values, jumps, calls, and returns
Daikon: Finding invariants
LiveShield: Enforcing invariants

7 Instrumentation
Goal: find invariants without access to source code or debug symbols
Captures important values
Finding exploit root causes is challenging
Locations for instrumentation are currently selected manually
Determina's memory firewall may help to locate them

8 Binary Variable Examples
Binary variable: a variable in machine (binary) code
Name: instruction address and register name
Value: value of register or reference
mov dword ptr [ebp-34h],esi
mov eax,dword ptr [ebx]
push ecx

10 x86 Instrumentation Output
mov dword ptr [ebp-34h],esi
mov eax,dword ptr [ebx]
push ecx
instrumentation →
xpinstal.dll:0xa111 BV esi 0x
xpinstal.dll:0xa114 BV ebx 0x01f13bcc
xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
xpinstal.dll:0xa116 BV ecx 0x0012ecf4

11 Output for Firefox Normal Runs
call dword ptr [eax+0Ch]
xpinstal.dll:0xa11d BV [eax+0Ch] 0x d
[…]
// eax is the v-table

12 Normal VS Exploit Runs
Normal run:
xpinstal.dll:0xa11d BV [eax+0Ch] 0x d
Exploit run:
xpinstal.dll:0xa11d BV [eax+0Ch] 0x c

13 Overview
Firefox exploit
Instrumentation: Finding values
Daikon: Finding invariants
  Grouping values into basic blocks
  Grouping basic blocks into program points
  Finding invariants among variables in a program point
LiveShield: Enforcing invariants

14 Grouping values into basic blocks
Thread  Address (dll+offset)  opcode (BV=Binary Variable)
...
1588 xpinstal.dll:0x5ebe BV esp 0x0012df20
1588 xpinstal.dll:0x5ebe ICALL ret xpinstal.dll:0x5ec1
xpinstal.dll:0x5ecf BV esp 0x0012df1c
1588 xpinstal.dll:0x5ecf BV [4+esp] 0x1e78e98
1588 xpinstal.dll:0x5ed9 BV [0+esp] 0x60045ec1
xpinstal.dll:0x5ed9 RET to xpinstal.dll:0x5ec1
xpinstal.dll:0x5ec1 BV eax 0x
Basic Block

15 Grouping basic blocks into program points
You might need variables from previous basic blocks to find the right invariant.
For example, the right invariant might be that the size of the buffer is less than 256:
char* p = …;
while (*p) { … }
Some.dll:0x1bb1d mov eax, …
Some.dll:0x1bccc mov …, [eax]
for (char* p = …; *p; p++) …
- < 256

16 Algorithm to create Daikon input
Partition the basic blocks into functions
Build a control-flow graph for each function
Calculate dominators
The program point of each basic block includes the binary variables in its dominators
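The program-point construction from slide 16 worked through in Python, as an added example that is not part of the presentation or of Determina's or Daikon's tooling. The block names, CFG edges and per-block binary variables form a constructed toy function; the dominator computation is the standard iterative dataflow algorithm.

```python
# Constructed toy function: basic blocks (named by offset) -> successor blocks.
# Block 0x5ee0 loops back to 0x5ec1, so the CFG is not a straight line.
CFG = {
    "0x5ebe": ["0x5ec1"],
    "0x5ec1": ["0x5ecf", "0x5ee0"],
    "0x5ecf": ["0x5ee0"],
    "0x5ee0": ["0x5ec1", "0x5ef0"],   # back edge to 0x5ec1
    "0x5ef0": [],
}
# Binary variables recorded by the instrumentation in each block (constructed).
BLOCK_VARS = {
    "0x5ebe": ["esp"],
    "0x5ec1": ["eax"],
    "0x5ecf": ["[4+esp]"],
    "0x5ee0": ["ecx"],
    "0x5ef0": ["[eax+0Ch]"],
}

def predecessors(cfg):
    preds = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            preds[s].append(b)
    return preds

def dominators(cfg, entry):
    """Iterative dataflow: Dom(n) = {n} | intersection of Dom(p) over preds p."""
    preds = predecessors(cfg)
    dom = {b: set(cfg) for b in cfg}   # optimistic start: every block dominates
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in cfg:
            if b == entry:
                continue
            pred_doms = [dom[p] for p in preds[b]]
            new = {b} | (set.intersection(*pred_doms) if pred_doms else set())
            if new != dom[b]:
                dom[b] = new
                changed = True
    return dom

def program_points(cfg, block_vars, entry):
    """Program point of a block = its own binary variables plus those of
    every block that dominates it, which is what slide 16 feeds to Daikon."""
    dom = dominators(cfg, entry)
    return {b: sorted(v for d in dom[b] for v in block_vars[d]) for b in cfg}
```

Block 0x5ecf does not dominate 0x5ee0 (the loop can skip it), so `[4+esp]` is excluded from 0x5ee0's program point even though 0x5ecf can execute before it.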

17 Invariant for Firefox Exploit
Buggy Code:
xpinstal.dll:0xa11d call [eax+0Ch]
xpinstal.dll:0xa120 cmp …
Invariant: [eax+0Ch] == 0x d
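An added example, not from the presentation, of the normal-run versus exploit-run comparison on slides 10 to 12 and 17: Daikon-style constant invariants ("variable == c") inferred from instrumentation output lines and then checked against an exploit-run sample. The trace lines are constructed; apart from 0x6005c6d8 from slide 10, all hex values are made up because the slides' values were partly lost in extraction.

```python
import re
from collections import defaultdict

# Instrumentation line format from slide 10:  <module>:<offset> BV <variable> <hex>
# Two normal runs (constructed). ebx differs between runs; [ebx] and the
# v-table slot [eax+0Ch] at the call site do not.
NORMAL_RUNS = """\
xpinstal.dll:0xa114 BV ebx 0x01f13bcc
xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004a3d0
xpinstal.dll:0xa114 BV ebx 0x01f24f10
xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004a3d0
"""
# Exploit run (constructed): the JS object's private pointer now points into
# sprayed memory, so the "v-table" entry is attacker data.
EXPLOIT_RUN = """\
xpinstal.dll:0xa114 BV ebx 0x0c0c0c0c
xpinstal.dll:0xa114 BV [ebx] 0x0c0c0c0c
xpinstal.dll:0xa11d BV [eax+0Ch] 0x0c0c0c0c
"""

LINE_RE = re.compile(r"^(\S+:0x[0-9a-fA-F]+) BV (\S+) (0x[0-9a-fA-F]+)$")

def parse_trace(text):
    """Yield (program point, binary variable name, integer value) triples."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3), 16)

def infer_constant_invariants(trace_text):
    """Daikon-style 'x == c': keep variables that took exactly one value
    across every normal-run sample. Variables that varied get no invariant."""
    seen = defaultdict(set)
    for ppt, var, val in parse_trace(trace_text):
        seen[(ppt, var)].add(val)
    return {key: next(iter(vals)) for key, vals in seen.items() if len(vals) == 1}

def check_run(invariants, trace_text):
    """Return (program point, variable, observed, expected) for every sample
    that violates an inferred invariant; an empty list means a normal run."""
    return [(ppt, var, val, invariants[(ppt, var)])
            for ppt, var, val in parse_trace(trace_text)
            if (ppt, var) in invariants and invariants[(ppt, var)] != val]
```

The violation at xpinstal.dll:0xa11d is exactly the check the slide-19 detector performs in C at run time; the varying ebx produces no invariant and therefore no false positive.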

18 Overview
Firefox exploit
Instrumentation: Finding values
Daikon: Finding invariants
LiveShield: Enforcing invariants
  Code in C that is woven into the application when loaded into the code cache
  Determina's product
  Distributed and managed in the central controller

19 LiveShield for Firefox Exploit
LiveShield definition:
<file name="xpinstal.dll"/>
<patch offset="0xa116">
  <function type="detector" name="ff_detector"/>
  <function type="protector" name="ff_protector" return="0xa120"/>
</patch>

LiveShield detector (checks the v-table slot before the call at 0xa11d):
hotp_exec_status_t ff_detector(const hotp_context_t *hotp_context)
{
    if (POI(EAX+0xC) != 0x d)
        return HOTP_EXEC_EXPLOIT_DETECTED | HOTP_EXEC_LOG_EVENT;
    return HOTP_EXEC_EXPLOIT_NOT_DETECTED;
}

LiveShield protector (skips the call by returning to 0xa120):
hotp_exec_status_t ff_protector(hotp_context_t *hotp_context)
{
    UNREFERENCED_PARAMETER(hotp_context);
    return HOTP_EXEC_CHANGE_CONTROL_FLOW | HOTP_EXEC_LOG_EVENT;
}

Manual today; will be automatic. Managed in the central server.

20 Demo
Run the Firefox exploit
Turn on a previously generated LiveShield
Run the Firefox exploit again on a different community workstation

21 Firefox Exploits
Columns: Name | Type | Invariant exists? | Repairable?
Install object injection (javascript) | Function | Y
CompareTo object injection (javascript)
GIF image stack attack | Buffer
Custom cursor image
Save as Wallpaper Exploit | ?
Unauthorized file upload
Wrong index in crypto.signText()
(Manual application of our technique)

22 IE Exploits
Columns: Name | Type | Invariant exists? | Repairable?
ms ie-setslice | Integer | N (?)
ms keyframe Y
ms ie-onload | Function
ms ie-object | Buffer
msie-iscomponentinstalled
ms ie-vml
ms eventhandlers
(Manual application of our technique)

23 IE exploit – Illegal function call
<body onLoad="window();">
jscript.dll:75c5f429 call [ecx+0x8]
Exactly like the Firefox exploit
Same fix: skip the call

24 IE exploit – buffer overflow
<object type="////…/////AAAAAAAAAAAAAAAA"/>
761240CE lea eax, [ebp+0x104]
...
761240E1 mov [eax], 5Fh
761240E4 inc eax
...
The string is checked for proper buffer size, then each '/' is changed into '_/_', which grows it past the checked length.
Invariant: eax<=(ebp+0x104)+242
Fix: if (eax>(ebp+0x104)+242) eax = (ebp+0x104)+242

25 Current Protection Process
For example: Vista bug ms06-17
Dec 20: Microsoft informed
Mar 27: attack in the wild (exploit deployed by blackhats)
Apr 3: Microsoft develops a patch
Patch is deployed in the community
Determina creates a LiveShield: knowledge and labor intensive, tedious
Avg life time before protection (saman)

26 Application Community Protection Process
Application Community learns
Exploit deployed by blackhats
Exploit automatically recognized
Patch automatically generated
0-day exploit → 0-day patch

27 Summary
Instrumentation: Finding values
  Register and memory values, jumps, calls, and returns
Daikon: Finding invariants
  Grouping values into program points
LiveShield: Enforcing invariants
  Code in C that is woven into the application
Real exploits: 4 in Firefox, 5 in IE

28 End
Any questions?

29 Eventhandlers – buffer overflow
<foo onclick=foo onclick=foo … >
748D94CF mov ecx, [eax+45Ch]
Invariant: eax+0x45C<=93
Fix: if (eax+0x45C>93) eax = 93

30 isComponentInstalled – buffer overflow
obj.isComponentInstalled("…")
lstrcatA(&subkey_buf, clsid);
Invariant: strlen(clsid)<=93
Fix: if (eax+0x45C>93) eax = 93

31 IE VML – buffer overflow
<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<title>IE VML crash</title>
<style> v\:* { behavior: url(#default#VML); } </style>
</head>
<body>
<v:rect style="width:20pt;height:20pt" fillcolor="red">
<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>
</v:rect>
</body>
</html>

32 Strechbelt – Denial of Service
<img src="1000x1000.png" width=" " height=" ">
if (width > MAX_WIDTH) width = MAX_WIDTH;
if (height > MAX_HEIGHT) height = MAX_HEIGHT;

33 2218 false positives, out of 41360, which is 5.36%
BB-xpinstal.dll_0xbe86-InFunction-xpinstal.dll_0x19818:::
xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86
xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 < xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87
xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87
xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86 < xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87
xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86 - xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe == 0
xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87

At ppt BB-xpinstal.dll_0xa10b-InFunction-xpinstal.dll_0x1b9f6:::, Invariant 'xpinstal.dll_0xa10b__12_eax__xpinstal.dll_0xa11d one of { , }' invalidated by sample xpinstal.dll_0xa10b__12_eax__xpinstal.dll_0xa11d= : at line in file ff_exploit.dtrace.gz

34 Application Communities
MIT CSAIL, Determina
