Presentation is loading. Please wait.

Presentation is loading. Please wait.

English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.

Published byJocelyn Morton Modified over 9 years ago

Similar presentations

Presentation on theme: "English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary."— Presentation transcript:

1 English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary

2 0x01. Introduction  “code injection attack”  Manipulate Program counter (EIP in x86) : to disrupt the intended behavior (ex: return-to-libc attack)  Run the code delivered by attacker : SHELLCODE EE515/IS523: Security101: Think Like an Adversary Return-to-libc attack ‘libc’ is a shared library in Linux system. It contains useful functions such as system( ). By overwriting return address, attacker can disrupt code execution flow to functions in libc instead of making shellcodes.

3 0x01. Introduction (cont’d)  Shellcode: directly executable machine code  Detect its presence  Prevent its execution EE515/IS523: Security101: Think Like an Adversary Shellcode A machine code to launch a command shell(ex. /bin/sh) It should be executed independently, so it use Linux system call to start a new command shell

4 0x01. Introduction (cont’d)  Standard attack template of traditional buffer overflow attacks (in code injection attack)  NOPsled + shellcode + address of shellcode EE515/IS523: Security101: Think Like an Adversary Fill buffer to overflow Overwritten return address NOPsled Slammer worm Payload with exploit

5 0x01. Introduction (cont’d)  Polymorphic Shellcode  ‘decoder’ – to enable the encoded portion of payload to be executable form →NATIVELY EXECUTABLE  How to prevent getting shellcode as a input?  Shellcode has a ‘strange’ letters (non-ascii letters) EE515/IS523: Security101: Think Like an Adversary

6 0x02. Arms races  limit the range of accepted byte-values by alphanumeric or just certain character sets ex. isalnum, strspn  Limit the set of operations available in an attack  Solution: use encodings to convert original shellcode  Alphanumeric shellcode  Convert payloads to be consists of only letters and digits  Can be stored as unsuspected contexts  Smaller than other character sets like Unicode, UTF-8  Need an alphanumeric decoder EE515/IS523: Security101: Think Like an Adversary

7 0x02. Arms races (cont’d)  Detect the attack using the shellcode structure  Fail to ban the attack which is not constrained to the layout  contemporary researches are based on the idea ‘Shellcode is fundamentally different in structure than non-executable payload data’ EE515/IS523: Security101: Think Like an Adversary

8 0x03. English shellcode  Machine instruction seemed like ASCII character EE515/IS523: Security101: Think Like an Adversary

9 0x03. English shellcode - generation EE515/IS523: Security101: Think Like an Adversary 123 4  Make a list to categorize English- compatible instructions by behavior  Write a decoder which can make exploit using only instructions from the list  Three general types of instructions for multiple variants of English shellcode from the same payload  NOPs  Operation that affect generally but no interfere with decoder  Affect both machine state and decoder but no net effect

10 0x03. English shellcode - generation  With n-gram model, generate and train it with large set of English text EE515/IS523: Security101: Think Like an Adversary 123 4

11 0x03. English shellcode - generation  Use numerical values to indicate the strength of each candidates (Viterbi search)  Traverse the language model to find strings of word that score the highest possible value EE515/IS523: Security101: Think Like an Adversary 123 4

12 0x03. English shellcode - generation EE515/IS523: Security101: Think Like an Adversary

13 0x03. English shellcode - generation  To encode the original payload, continue to sample strings and get functionally equivalent encoded string from the original shellcode. EE515/IS523: Security101: Think Like an Adversary 123 4

14 0x03. English shellcode – auto generate  Monitoring with ptrace API of Linux EE515/IS523: Security101: Think Like an Adversary

15 0x03. English shellcode – optimize  Monitoring with ptrace API of Linux  Too arduous task to check every expand  Monitored direct execution  No need to ptrace  Two sets of machine state and switch  No single-step execution in every instruction → investigate only when flags are changed or memory beyond the current point is changed EE515/IS523: Security101: Think Like an Adversary

16 0x04. Evaluation  Exit(0) EE515/IS523: Security101: Think Like an Adversary

17 0x04. Evaluation (cont’d)  ‘Shellcode need not to be different in structure than non-executable payload data’ EE515/IS523: Security101: Think Like an Adversary

Download ppt "English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.

Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
1 Lab Session-III CSIT-120 Fall 2000 Revising Previous session Data input and output While loop Exercise Limits and Bounds Session III-B (starts on slide.

1 Lab Session-III CSIT-120 Fall 2000 Revising Previous session Data input and output While loop Exercise Limits and Bounds Session III-B (starts on slide.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google