Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Published byChloe Salazar Modified over 10 years ago

Similar presentations

Presentation on theme: "CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos"— Presentation transcript:

1 CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos elathan@ics.forth.gr

2 Software Exploitation – High Level CS-457Elias Athanasopoulos2 Vulnerable Software (e.g., web browser) Input (malicious web page) Exploit Code Renders malicious page Exploit Runs Collect Gadgets Build ROP Chain Exec ROP Chain Introduce new control flows HACKED

3 How the ROP chain works? –use esp as the instruction pointer CS-457Elias Athanasopoulos3 ROP Chain TEXT Section (Code) Addr. of G1 Addr. of G2 Addr. of G3 Addr. of GN G1; ret G2; ret G3; ret GN; ret

4 Heap Overflows CS-457Elias Athanasopoulos4 Stack Heap Data Text High AddressLow Address Vulnerability (VTable ptr) Vulnerability (VTable ptr) (*)f() Jump to Gadget G1 …; ret Attacker does NOT control the stack!

5 Stack Pivoting CS-457Elias Athanasopoulos5 Stack Heap Data Text High AddressLow Address Vulnerability (VTable ptr) Vulnerability (VTable ptr) (*)f() Jump to Gadget G1 xchg %eax,%esp; ret Stack Pivoting Force %esp to point to heap Execute the rest of the ROP chain

6 CS-457Elias Athanasopoulos6

7 Randomization  ASLR - Address Space Layout Randomization  Fine-grained Randomization - Smashing the gadgets - Binary Stirring CS-457Elias Athanasopoulos7

8 CS-457Elias Athanasopoulos8

9 Fine-grained Randomization  Shuffle instructions, without changing the semantics CS-457Elias Athanasopoulos9

10 Information Disclosure Bugs  String formatting bugs int main() { char localStr[100]; printf("Username? "); fgets(localStr, sizeof(localStr), stdin); printf(localStr); printf("What is the access code? "); … } CS-457Elias Athanasopoulos10 localStr = "AAAA %08x %08x %08x";

11 Just-in-time ROP CS-457Elias Athanasopoulos11

12 CS-457Elias Athanasopoulos12

13 Ideal CFI CS-457Elias Athanasopoulos13 Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks

14 Coarse-grained (loose) CFI CS-457Elias Athanasopoulos14

15 Gadgets under CFI CS-457Elias Athanasopoulos15

16 Linking Gadgets under CFI CS-457Elias Athanasopoulos16

17 Exploitation under CFI CS-457Elias Athanasopoulos17

18 CS-457Elias Athanasopoulos18

19 kBouncer CS-457Elias Athanasopoulos19

20 kBouncer Checks  call-ret pairing - Coarse-grained CFI  Heuristics - Up to 20 instructions is considered a gadget - 6 gadgets in a row is considered an attack CS-457Elias Athanasopoulos20

21 kBouncer Heuristics CS-457Elias Athanasopoulos21

22 Bypassing kBouncer CS-457Elias Athanasopoulos22

23 kBouncer bypass PoC CS-457Elias Athanasopoulos23

Download ppt "CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
The OWASP Top 10 and Buffer Overflow Attacks

The OWASP Top 10 and Buffer Overflow Attacks
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google