a single gadget weird machine
play

a single gadget weird machine Highlights of Dutch Cyber Security - PowerPoint PPT Presentation

Feb 12, 2023 •252 likes •879 views

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos memory corruption, the problem that just won't go away 25+ years after the morris worm and

  1. a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos

  2. memory corruption, the problem that just won't go away 25+ years after the morris worm and still going strong 1

  3. stack buffer overflow stack return addr buffer sp 2

  4. stack buffer overflow stack return addr buffer sp 2

  5. stack buffer overflow stack return addr buffer sp 2

  6. stack buffer overflow stack sp return addr buffer 2

  7. stack buffer overflow stack sp return addr buffer 2

  8. stack buffer overflow stack sp return addr buffer 2

  9. stack sp return addr buffer 3

  10. stack sp return addr buffer code 3

  11. return oriented programming stack return addr buffer gadgets code 3

  12. return addr return addr return addr buffer gadgets code 3

  13. Return Oriented Programming - dependent on available gadgets - non-trivial to program - chains may differ greatly between different binaries - Turing complete 4

  14. Sigreturn Oriented Programming - minimal number of gadgets - constructing shellcode by chaining system calls - easy to change functionality of shellcode - shellcode portable (gadgets are always present) - Turing complete 5

  15. unix signals stack sp 6

  16. unix signals stack sp 6

  17. unix signals stack ucontext siginfo sp 6

  18. unix signals stack ucontext siginfo sp sigreturn 6

  19. unix signals stack good: kernel agnostic about signal handlers ucontext siginfo sp sigreturn 6

  20. unix signals stack bad: kernel agnostic about signal handlers ucontext (we can fake 'em) siginfo sp sigreturn 6

  21. two gadgets - call to sigreturn - syscall & return 7

  22. forged signal frame sigreturn 8

  23. program counter forged signal frame sigreturn 8

  24. program counter stack pointer forged signal frame sigreturn 8

  25. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn 8

  26. program counter stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 8

  27. syscall & return stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 8

  28. syscall & return next sigframe syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 8

  29. next syscall(...) 9

  30. socket() bind() listen() accept() execve() 10

  31. SROP exploit on x86-64 An exploit which does not make use of any gadgets in the target program - control over the stack - a known writable memory location (*any* location, and we don't need to write there beforehand) 11

  32. two gadgets - call to sigreturn - syscall & return 12

  33. two gadgets - call to sigreturn: RAX = 15 + syscall - syscall & return 12

  34. one gadget - RAX = 15 - syscall & return 12

  35. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 0f05 syscall c3 return 13

  36. socket() bind() listen() accept() execve() 14

  37. socket() bind() listen() accept() execve() 14

  38. x64 syscall ABI RAX RDI RSI RDX read(fd, buffer, 1024) 15

  39. x64 syscall ABI RAX RDI RSI RDX read(fd, buffer, 1024) = 1024 15

  40. x64 syscall ABI RAX RDI RSI RDX read(fd, buffer, 1024) = 1024 RAX 15

  41. read() = 306 (syncfs) fsyncfs() = 0 (read) read() = 15 (sigreturn) sigreturn() execve() 16

  42. CVE-2012-5976 (asterisk) 17

  43. On some systems SROP gadgets are randomised, on others, they are not Operating system Gadget Memory map Linux i386 sigreturn [vdso] Linux < 3.11 ARM sigreturn [vectors] 0x ffff 0000 Linux < 3.3 x86-64 syscall & return [vsyscall] 0x ffffffffff 600000 Linux ≥ 3.3 x86-64 syscall & return Libc Linux x86-64 sigreturn Libc FreeBSD 9.2 x86-64 sigreturn 0x7 ffffffff 000 Mac OSX x86-64 sigreturn Libc iOS ARM sigreturn Libsystem iOS ARM syscall & return Libsystem 18

  44. On some systems SROP gadgets are randomised, on others, they are not android non-ASLR :-( Operating system Gadget Memory map Linux i386 sigreturn [vdso] Linux < 3.11 ARM sigreturn [vectors] 0x ffff 0000 Linux < 3.3 x86-64 syscall & return [vsyscall] 0x ffffffffff 600000 Linux ≥ 3.3 x86-64 syscall & return Libc Linux x86-64 sigreturn Libc FreeBSD 9.2 x86-64 sigreturn 0x7 ffffffff 000 Mac OSX x86-64 sigreturn Libc iOS ARM sigreturn Libsystem iOS ARM syscall & return Libsystem 18

  45. questions? 19

  46. questions? 27

  47. mitigation: It may be useful to disable vsyscall vsyscall=emulate (default from Linux 3.3 onward) or vsyscall=none

  48. mitigation: - Signal frame canaries

  49. stack canary stack return addr buffer sp

  50. stack canary stack return addr buffer sp

  51. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn

  52. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn

  53. mitigation: - Signal frame canaries

  54. mitigation: - Signal frame canaries - Counting signals in progress

  55. CVE-2012-5976 (asterisk) stack sp stack sp

  56. CVE-2012-5976 (asterisk) stack alloca stack sp sp

  57. CVE-2012-5976 (asterisk) stack alloca stack sp sp

  58. dispatch load CODE dispatch jmp exit cond jump jump P = P + c *P = *P + c *P=getchar() putchar(*P) store

  59. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR);

  60. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR); instruction dispatch: read(code, &ucontext.sp, sizeof(long));

  61. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR); instruction dispatch: read(code, &ucontext.sp, sizeof(long)); pointer ops: p++ -> lseek(p, 1, SEEK_CUR);

  62. code = open("/proc/self/mem",O_RDWR); p = open("/proc/self/mem",O_RDWR); a = open("/proc/self/mem",O_RDWR); instruction dispatch: read(code, &ucontext.sp, sizeof(long)); pointer ops: p++ -> lseek(p, 1, SEEK_CUR); addition: lseek(a, &identity_table_x2, SEEK_SET); lseek(a, val1, SEEK_SET); lseek(a, val2, SEEK_SET); read(a, dest, 1);

Recommend

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

1.65k views • 89 slides
Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB Linux USB Terminology Brief history of USB gadget subsystem Other filesystem-based gadget interfaces Using USB gadget configfs

439 views • 21 slides
Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

DM204 , 2010 SCHEDULING, TIMETABLING AND ROUTING Lecture 18 Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Single Machine

439 views • 43 slides
Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as: All instructions take the same time (CPI = 1), but some instructions are shorter than others: ADD uses Instruction Memory, Register File, ALU,

95 views • 5 slides
Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020 https://tinyurl.com/fosdem-gadget Hi, Im Alban Alban Crequy CTO, Kinvolk Github: alban Twitter: albcr Email: alban@kinvolk.io Kinvolk Driving

426 views • 30 slides
Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows Christopher Olston and Benjamin Reed Yahoo! Research Web Scale problems Lots of servers, users, and data Fun to have power at your fingertip

505 views • 33 slides
Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Dispatching Rules Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules Lecture 10 Single Machine Models 2. Single Machine Models Marco Chiarandini 2 Dispatching Rules Dispatching Rules Outline

417 views • 7 slides
Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting) Dr Mark Ellio+ Reader in Public Law, University of Cambridge Fellow &amp; Director of

426 views • 14 slides
Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of single queue systems includes an ATM machine ATM machine. A single line of people waiting to get money forms in front of the machine. in front of

401 views • 21 slides
Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine Scheduling to Minimize w j C j Given: n jobs j = 1 , . . . , n , processing times p j &gt; 0, weights w j &gt; 0 Task: schedule jobs on a single

393 views • 20 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides
Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

2/9/2019 Talk Outline Fostering Self-Directed Learning in MOOCs: 1. MOOC Weird Stuff One Modest Little Study to 2. MOOC Systematic Literature Review Help Save the Planet 3. MOOC ID Considerations and Challenges 4. MOOC ID for Self-directed

386 views • 16 slides
T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr. Yuan, Co-Director of MIST Daniel Gibney CpE research center at UCF. Leaphar Castro EE Motivation With the ever expanding use of IoT sensor

740 views • 46 slides
On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H ohn Technische Universit at Berlin Tobias Jacobs NEC Laboratories Europe 18th Combinatorial Optimization Workshop Aussois 2014 Generalized

1.06k views • 89 slides
From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning with Maggy Moritz Meister, @morimeister Software Engineer, Logical Clocks Jim Dowling, @jim_dowling Associate Professor, KTH Royal Institute of

505 views • 33 slides
Batch Processing Natacha Crooks - CS 6453 Data (usually) doesnt fit on a single machine

Batch Processing Natacha Crooks - CS 6453 Data (usually) doesnt fit on a single machine

Batch Processing Natacha Crooks - CS 6453 Data (usually) doesnt fit on a single machine CoinGraph (900GB) LiveJournal (1.1GB) Orkut (1.4GB) Twitter (between 5 and 20GB) Netflix Recommendation (2.5BGB) Sources: Musketer (Eurosys15),

1k views • 32 slides
MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND

MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND

MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND SCALE-IN ROGER JOHANSSON Who am I? Roger Johansson Actor Model, Scalability, Distributed Systems, C#, Senior Solution Architect Starcounter Go,

683 views • 37 slides
Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes Gkta - Elias Athanasopoulos - Michalis Polychronakis Herbert Bos - Georgios Portokalidis presented by: Flora Karniavoura Katerina Karagiannaki

376 views • 23 slides
Portability Problems Modularity Stick as much machine dependent code into a single module. When

Portability Problems Modularity Stick as much machine dependent code into a single module. When

Chapter - &lt;added&gt; Portability Problems Modularity Stick as much machine dependent code into a single module. When you change machines replace the module. Word Size The following works on 32-bit UNIX but fails on MS-DOS: int zip; zip

1.15k views • 11 slides
Cray XMT Scalable, multithreaded, shared memory machine Designed for single word

Cray XMT Scalable, multithreaded, shared memory machine Designed for single word

Cray XMT Scalable, multithreaded, shared memory machine Designed for single word random global access patterns Very good at large graph problems Next Generation Cray XMT Goals Memory System Improvements Improve

336 views • 31 slides
Desktop on the Linux (and *BSD of course) . . . youre doing it confused? weird? strange? wrong?

Desktop on the Linux (and *BSD of course) . . . youre doing it confused? weird? strange? wrong?

Desktop on the Linux (and *BSD of course) . . . youre doing it confused? weird? strange? wrong? Who? Wolfgang datenwolf Draxinger When? 27c3, 2010-12-27 DISCLAIMER This talk is: highly opinionated biased born out of frustration .

1.85k views • 169 slides
Constricting the Web Offensive Python for Web Hackers Yes, We are Weird Marcin Wielgoszewski

Constricting the Web Offensive Python for Web Hackers Yes, We are Weird Marcin Wielgoszewski

Constricting the Web Offensive Python for Web Hackers Yes, We are Weird Marcin Wielgoszewski Security Engineer Nathan Hamiel Principal Consultant Associate Professor at UAT This is Important Reliance on

683 views • 67 slides
R's weirdnesses are fun &amp; useful richfitz Rich FitzJohn R is a really weird language

R's weirdnesses are fun &amp; useful richfitz Rich FitzJohn R is a really weird language

R's weirdnesses are fun &amp; useful richfitz Rich FitzJohn R is a really weird language There are people who think of it as a statistical package - a free version of stata perhaps. Like stata, R includes lots of useful things Statistics

1.15k views • 95 slides

More recommend