Security & Exploitation


1 Security & Exploitation
Operating Systems Fall 2014 RPISEC - 12/01/2014 OS Security

2 whoami
Markus Gaasedelen
B.S. Computer Science ’15
Security Enthusiast
I like to hack things
President of RPISEC

3 RPISEC – The Computer Security Club @ RPI
The leading authority on campus for any and all things computer security related
We compete in hacking competitions known as CTFs (Capture The Flag), and we’re very good at them
We teach cool and applicable security skills at our weekly meetings
5-7pm Fridays, DCC 318

4 CSAW 2014 Finals (photo)

5 CSAW 2014 Finals (photo)

6 CSAW 2014 Awards (photo)

7 let’s get rolling… What is security?

9 What is Security?
Security == Hacking (‘politically correct’)
Cyber is the buzzword
Very technical and rewarding challenges
Rarely taught or talked about in school ):
Many different categories of security
such h4ck3r, wow

10 Categories of Security
Cryptography, Web Security, Vulnerability Research, Binary Exploitation, Reverse Engineering, Malware Analysis, Systems Security, Embedded Hardware Hacking, Network Security, Digital Forensics, Physical Security, Pentesting

11 Categories of Security
Same list, with the kind of stuff I’ll talk about today highlighted (:

12 Memory Corruption & Binary Exploitation

13 Binary Exploitation
The simplest definition: leveraging bugs in an executable to cause unintended, controlled actions by an attacker
Requires intimate knowledge of the language, compiler, and the machine

14 Bugs Are Everywhere
C is a ‘low level’ language
Compiles straight to machine code (x86, ARM, etc)
Very fast
Very fine control over the machine and memory
It’s like driving a manual! Easy to do stupid things

16 The Unexciting Languages
Binary exploitation isn’t really a thing for managed or scripting languages
C#, .NET, JavaScript, Lua, Python, etc
Slower, automate lots of stuff for you
Driving an automatic

17 Welcome to the warzone
let’s dive right in and try breaking some stuff

18 warzone.rpis.ec
ssh username/password intro01:intro01

19 Getting Started / Tips
cd /levels
./intro01
python -c 'print "A"*20'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
gdb ./intro01
run
In GDB:
info functions
info registers: i r
disassemble <function>: disas main
breakpoint at <function>: b main
breakpoint at *<address>: b *0x

20 Stack Overview
The stack is a region of memory for a program to maintain function variables and stuff during execution
This is main()’s stack > (diagram)

21 Understanding the Stack (diagram)

22 Understanding the Stack (diagram)

23 Corrupting the Stack (diagram)

24 PWNING the Stack (diagram)

25 Endianness
Endianness – How data is stored in memory
Modern computers are generally little endian (‘little end in’)
Endianness can be confusing, and I don’t want to get into the details
0x stored as 0x44, 0x43, 0x42, 0x41
0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde
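An added example (not from the slides) of what little-endian storage means in practice: the byte order you write an address in is the reverse of how you read it, and the same rule explains why four overflowed 'A' bytes show up as 0x41414141 in EIP. The function names are my own.

```c
/* Added example: byte-level view of little-endian storage of a 32-bit value. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte at memory offset 'index' (0..3) of 'value' stored little endian:
 * the "little end" (least significant byte) goes in first. */
uint8_t le_byte(uint32_t value, int index) {
    return (uint8_t)((value >> (8 * index)) & 0xffu);
}

/* Serialize a 32-bit value in little-endian order, independent of host order. */
void store_le32(uint32_t value, uint8_t out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = le_byte(value, i);
}

/* Inverse: the CPU reads a saved return address off the stack exactly like
 * this, which is why "AAAA" (0x41 0x41 0x41 0x41) becomes EIP = 0x41414141. */
uint32_t le32_from_bytes(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
    return (uint32_t)b0 | ((uint32_t)b1 << 8) |
           ((uint32_t)b2 << 16) | ((uint32_t)b3 << 24);
}

uint32_t load_le32(const uint8_t in[4]) {
    return le32_from_bytes(in[0], in[1], in[2], in[3]);
}

/* Check what the host really does: copy a uint32_t's raw bytes out of memory
 * and see whether the low byte comes first. Returns 1 on x86 (little endian). */
int host_is_little_endian(void) {
    uint32_t probe = 0xdeadbeefu;
    uint8_t raw[4];
    memcpy(raw, &probe, sizeof raw);
    return raw[0] == 0xef && raw[3] == 0xde;
}

int main(void) {
    uint8_t bytes[4];
    store_le32(0xdeadbeefu, bytes);
    printf("0xdeadbeef in memory: %02x %02x %02x %02x\n",
           bytes[0], bytes[1], bytes[2], bytes[3]);
    printf("read back: 0x%08x, host little endian: %d\n",
           load_le32(bytes), host_is_little_endian());
    return 0;
}
```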

26 Intro01 Exploit
(python -c 'print "A"*64 + "\xef\xbe\xad\xde"'; cat) | ./intro01

27 Understanding control flow
Bend it like Beckham

28 Example ELF / EXE in Memory
0x – Start of memory
Runtime Memory: Libraries (libc); ELF Executable (.text segment, .data segment); Heap; Stack
0x – Start of .text Segment
0xbfff0000 – Top of stack
0xFFFFFFFF – End of memory

29–39 Example ELF / EXE in Memory (animated frames of the same diagram: EIP stepping through the executable code in the .text segment – “dat flow doe”)

40–45 How Calling Works (animated frames: EIP on the stack diagram)

46–50 Returning (animated frames: EIP on the stack diagram)

51 Owning control flow
Now that you know how it works …

52–54 Stack Smashing (animated frames: EIP on the stack diagram)

55 Returning (diagram)

56 Returning home
SEGFAULT 0x41414141 … (EIP)

58 “If your program simply segfaulted, consider yourself lucky.”
-Chuck Stewart

59 Redirecting Control Flow
Overwrite with a code address (EIP)

60 warzone.rpis.ec
SSH in as intro02, use the password you got from solving intro01

62 Modern Protections
Address Space Layout Randomization (ASLR)
Data Execution Prevention (DEP)
Stack Cookies (Canaries)
Stack Rearrangement
Read Only Relocation (RELRO)
FORTIFY_SOURCE
These only make things harder, not impossible
Take MBE if you want to know more about these
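An added example, not code from the slides or from the intro01 level: the classic stack smash pattern the earlier slides exploit, next to a bounded version that refuses oversized input, with the gcc flags that turn on the protections listed above noted in the header comment. The buffer size and function names are my own choices.

```c
/* Added example: unbounded copy into a stack buffer vs. a length-checked copy.
 * Build with the slide's protections enabled, e.g.:
 *   gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie \
 *       -Wl,-z,relro,-z,now example.c
 */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64   /* hypothetical buffer size, like the 64 'A's used above */

/* VULNERABLE: strcpy has no idea how big 'name' is. Bytes past NAME_LEN land
 * on the saved frame pointer and saved return address above the buffer. With
 * stack cookies on, the canary in between is clobbered and the runtime aborts
 * ("stack smashing detected") instead of returning into overwritten bytes. */
void greet_vulnerable(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);              /* unbounded copy: the bug */
    printf("hello %s\n", name);
}

/* HARDENED: measure first and reject rather than silently truncate, so an
 * oversized input is an error the caller can log, not a memory corruption.
 * Returns 0 on success, -1 if the input (plus its NUL) does not fit. */
int greet_checked(const char *input) {
    char name[NAME_LEN];
    size_t len = strnlen(input, NAME_LEN);
    if (len >= NAME_LEN)
        return -1;                    /* would overflow: refuse */
    memcpy(name, input, len + 1);     /* bounded copy, NUL included */
    printf("hello %s\n", name);
    return 0;
}

/* Helper for exercising the boundary: feed greet_checked 'count' bytes of 'A'. */
int accepts_length(size_t count) {
    char buf[256];
    if (count >= sizeof buf)
        return -1;
    memset(buf, 'A', count);
    buf[count] = '\0';
    return greet_checked(buf);
}

int main(void) {
    greet_checked("rpisec");                          /* fits: greeting printed */
    if (accepts_length(100) != 0)                     /* 100 'A's: refused */
        puts("rejected oversized input instead of smashing the stack");
    return 0;
}
```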

63 Let’s try something real(er)
Those were only educational challenges

64 Chatserver v3
Courtesy of Goldschmidt

65 ChatServer V3
From NetProg (CSCI-4220)
32bit Linux Exploitation
Vulnerable to a stack smash
Compiler’s stack cookies save the day
I’ll be demoing without cookies, not exploitable otherwise ):

66 Chatserver v3 – Demo
Courtesy of Goldschmidt

67 CSAW 2014 LINKS.exe
Windows 8.1 Exploitation (x64)

68 links.exe
Challenge from the CSAW 2014 CTF Finals
64bit Exploitation on Windows 8.1
Basically all protections are on by default
No source, lots of reversing :0

69 reversing is tedious

70 CSAW 2014 LINKS.exe - DEMO
Windows 8.1 Exploitation (x64)

71 CSAW 2014 Finals (photo)

72 Wrapping up Binary Exploitation
You might consider yourself a rockstar programmer, but you probably know nothing about secure coding practices or the implications of your mistakes
Compilers go out of their way to prevent your bugs from causing catastrophic failure
Just because your program doesn’t appear to segfault or crash doesn’t mean it is bug free or without vulnerabilities
Binary exploitation is nothing like standard software development - I truly think of it as an art

73 Job opportunities
welcome to the real world

74 …so…many…jobs…
Typical titles / positions:
Information Security Analyst / Engineer
Security Software Engineer
Vulnerability Research Engineer
Web Application Security Engineer
Computer Network Operations
Threat & Incident Response Engineer
Product Security
Reverse Engineer
Malware Analyst / Reverse Engineer

75 Entering the Job Market
There are so few qualified security individuals, companies are totally starved ):
Skilled in security & have a B.S. in CS?
Government, Contractors, FFRDCs: $70k – $90k+
Private / Commercial: $100k – ??
Anything less and you’re missing out

76 Modern Binary Exploitation
Coming Soon - Spring 2015

77 Modern Binary Exploitation
An official class developed by RPISEC
Class cap is raised to 50!
Thank Goldschmidt & Stewart for getting us an awesome room that seats 50+, Walker 5113
General registration re-opens December 8th
Tuesday/Friday 2-4pm, Spring 2015
DON’T MISS THIS! ZERO guarantee it’ll ever be offered again

78 Questions?
gaasem@rpi.edu
security.cs.rpi.edu/~gaasem
@gaasedelen
irc.rpis.ec 6667

