an evil copy how the loader betrays you
play

An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3 , Mathias - PowerPoint PPT Presentation

Apr 18, 2023 •380 likes •906 views

An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3 , Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1 Problem: A

  1. An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3 , Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Problem: A Motivating Example // test.c // main.c const int foo = 10; extern const int foo; int main() { *(int *)&foo = 100; return 0; } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. Problem: A Motivating Example // test.c // main.c const int foo = 10; extern const int foo; int main() { *(int *)&foo = 100; return 0; } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  4. Problem: A Motivating Example • 1 Executable ‣ cc main.c test.c • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so ‣ cc [–fPIE] main.c -L. –ltest Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  5. Problem: A Motivating Example • 1 Executable ‣ cc main.c test.c • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so ‣ cc [-fPIE] main.c -L. –ltest Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  6. Problem: A Motivating Example • 1 Executable ‣ cc main.c test.c • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so …Nothing happened? ‣ cc [-fPIE] main.c -L. –ltest Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  7. Problem: A Motivating Example • 1 Executable ‣ cc main.c test.c • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so …Nothing happened? ‣ cc [-fPIE] main.c -L. –ltest • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so ‣ cc –fPIC main.c -L. –ltest Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  8. Problem: A Motivating Example • 1 Executable ‣ cc main.c test.c • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so …Nothing happened? ‣ cc [-fPIE] main.c -L. –ltest • 1 Executable + 1 Library ‣ cc -fPIC –shared test.c –o libtest.so ‣ cc –fPIC main.c -L. –ltest Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  9. What happened so far... non-PIC executable PIC executable local “foo” foreign “foo” …Nothing happened? Obviously, foo is not in read-only memory in the above case, but WHY ? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  10. Building Process compiling linking loading Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  11. Building Process compiling linking loading Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  12. What does “extern” mean // main.c extern const int foo; int main() { *(int *)&foo = 100; return 0; } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  13. What does “extern” mean foo is defined in a different file but // main.c still in the same image ( w/o -fPIC flag ) extern const int foo; int main() { *(int *)&foo = 100; return 0; } foo is defined in a different file and potentially in a different image ( w/ -fPIC flag ) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  14. What does “extern” mean foo is defined in a different file but // main.c still in the same image ( w/o -fPIC flag ) extern const int foo; int main() { *(int *)&foo = 100; return 0; } foo is defined in a different file and potentially in a different image ( w/ -fPIC flag ) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  15. foo is defined in the same image // main.o – assuming same image <main>: push %rbp mov %rsp,%rbp mov $0x64,offset_to_foo(%rip) mov $0x0,%rax pop %rbp ret Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  16. foo is defined in the same image // main.o – assuming same image The compiler assumes <main>: foo’s location can be push %rbp statically determined by mov %rsp,%rbp the linker, and emits a mov $0x64,offset_to_foo(%rip) mov $0x0,%rax single MOV instruction to pop %rbp write to foo. ret Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  17. foo is defined in the same image data foo // main.o – assuming same image The compiler assumes <main>: foo’s location can be push %rbp statically determined by mov %rsp,%rbp GOT the linker, and emits a mov $0x64,offset_to_foo(%rip) mov $0x0,%rax single MOV instruction to pop %rbp write to foo. ret code Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  18. What does “extern” mean foo is defined in a different file but // main.c still in the same image ( w/o -fPIC flag ) extern const int foo; int main() { *(int *)&foo = 100; return 0; } foo is defined in a different file and potentially in a different image ( w/ -fPIC flag ) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  19. foo is defined in a di ff erent image // main.o – assuming same image <main>: push %rbp mov %rsp,%rbp mov offset_to_foo_got(%rip),%rax mov $0x64,(%rax) mov $0x0,%rax pop %rbp ret Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  20. foo is defined in a di ff erent image The compiler assumes // main.o – assuming same image foo’s loca;on cannot be <main>: sta;cally determined push %rbp and emits two MOV mov %rsp,%rbp instruc;ons: one to mov offset_to_foo_got(%rip),%rax retrieve foo’s address mov $0x64,(%rax) mov $0x0,%rax from its GOT slot, and pop %rbp the other to actually ret write to foo. Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  21. foo is defined in a di ff erent image data The compiler assumes // main.o – assuming same image foo’s loca;on cannot be <main>: sta;cally determined push %rbp and emits two MOV mov %rsp,%rbp instruc;ons: one to GOT mov offset_to_foo_got(%rip),%rax retrieve foo’s address mov $0x64,(%rax) foo’s address mov $0x0,%rax from its GOT slot, and pop %rbp the other to write to code ret foo. Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  22. Without –fPIC flag, GCC and Clang on Linux assumes foo is defined in the same image. Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  23. Building Process compiling linking loading Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  24. Copy Relocation data Hi, I am the linker. Oops, foo is actually defined in a different image. How can I resolve the reference to foo? GOT code <main>: ... mov $0x64,offset_to_foo(%rip) ... executable Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  25. Copy Relocation data Let me allocate a local copy of foo and have the dynamic loader to relocate the original variable to this new copy. GOT code <main>: ... mov $0x64,offset_to_foo(%rip) ... executable Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  26. Copy Relocation data Let me allocate a local copy of foo and have the dynamic foo = 0 loader to relocate the original variable to this new copy. GOT code <main>: ... mov $0x64,0x200970(%rip) ... executable Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  27. Building Process compiling linking loading Systems and Internet Infrastructure Security Laboratory (SIIS) Page 12

  28. Copy Relocation data data foo = 0 GOT address of foo GOT rodata foo = 10 code code <main>: ... mov $0x64,0x200970(%rip) ... executable library Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  29. Copy Relocation data data foo = 0 GOT address of foo GOT rodata foo = 10 code code <main>: ... mov $0x64,0x200970(%rip) ... executable library Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  30. Copy Relocation data data foo = 10 GOT address of foo GOT rodata foo = 10 code code <main>: ... mov $0x64,0x200970(%rip) ... executable library Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  31. Copy Relocation data data foo = 10 GOT address of foo GOT rodata foo = 10 code code <main>: ... mov $0x64,0x200970(%rip) ... executable library Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  32. Copy Relocation Violation data data foo = 10 GOT address of foo GOT rodata foo = 10 code code <main>: ... mov $0x64,0x200970(%rip) ... executable library Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  33. Security Concerns • Expose “read-only” data to memory corruption attacks ‣ Making C++ vtables mutable can break existing defenses • VTV, Interleaving, SafeDispatch ‣ Making format string writable can enable printf-oriented programming • Printf-oriented programming requires mutable format string to implement branching ‣ File names ‣ IP addresses ‣ ... Systems and Internet Infrastructure Security Laboratory (SIIS) Page 14

Recommend

T Levels/Skills Plan Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body

T Levels/Skills Plan Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body

HERTFORD REGIONAL COLLEGE HEADER Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body

515 views • 17 slides
Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

The Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history November 2005 its distracting! reuse is overrated! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Shit! eek! appable_plugins desert

972 views • 96 slides
SAS Data Loader for Hadoop Agenda Intro What is Hadoop? What do I get from Hadoop?

SAS Data Loader for Hadoop Agenda Intro What is Hadoop? What do I get from Hadoop?

SAS Data Loader for Hadoop Agenda Intro What is Hadoop? What do I get from Hadoop? Hadoop components Why SAS Data Loader for Hadoop? SAS Data Loader for Hadoop overview Demo Introduction Doug Cutting, creator of Hadoop

285 views • 11 slides
The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

Webinar: Abortion &amp; Conscientious Objection 2 July 2020 (Adv Keith Matthee SC) 1 As a nation we would be well advised to heed the words of Professor Forstchen in his review on the film Downfall, which exposes the evil of Adolf

490 views • 11 slides
Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He even exists. Natural disasters and diseases seem at odds with a good and benevolent God. Try to remember, though, that God created this universe

462 views • 8 slides
THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie

THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie

THEODICY: The Problem of Evil .. Christian : Pastor Nathan Lewis Atheist : Bernie Dehler 4-22-12 What is the problem? (1 of 2) Q: If God is all-loving and all-powerful, why is there so much evil in the world? A: What evil are you

312 views • 15 slides
Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL

Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL

Revelation series nr.10: Unmasking Evil Revelation 13 Speaker: Gilbert van Bueren REVELATION 13 UNMASKING EVIL Series The Future has already Begun #10 IBC Eindhoven, 8 March 2020 UNMASKING THE DRAGON Revelation 12:9 and 20:2 1.

361 views • 14 slides
Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates new process Sets up address space/segments Read executable file, load instructions, init global data 0x7ffff770000 Shared library

844 views • 16 slides
Natural Evil and the Mythology of J.R.R. Tolkien Keith B. Miller Department of Geology Kansas

Natural Evil and the Mythology of J.R.R. Tolkien Keith B. Miller Department of Geology Kansas

Natural Evil and the Mythology of J.R.R. Tolkien Keith B. Miller Department of Geology Kansas State University The Problem of Natural Evil and the Creative Imagination We must seriously engage the challenging theological questions that

756 views • 22 slides
DSCP and the Evil Bit Runa Barik (UiO), Michael Welzl (UiO), Ahmed Elmokashfi (SRL) maprg @96th

DSCP and the Evil Bit Runa Barik (UiO), Michael Welzl (UiO), Ahmed Elmokashfi (SRL) maprg @96th

DSCP and the Evil Bit Runa Barik (UiO), Michael Welzl (UiO), Ahmed Elmokashfi (SRL) maprg @96th IETF Meeting Berlin, Germany 18 th July 2015 IETF96 DSCP and the Evil Bit 1 / 14 Motivation The Internet could ideally use the IP header for

149 views • 14 slides
Content Loader Introduction by G.Paskaleva Institute of Computer Graphics and Algorithms Vienna

Content Loader Introduction by G.Paskaleva Institute of Computer Graphics and Algorithms Vienna

Content Loader Introduction by G.Paskaleva Institute of Computer Graphics and Algorithms Vienna University of Technology Model Formats Quake II / III (md2 / md3, md4) Doom 3 (md5) FBX Ogre XML Collada (dae) Wavefront (obj) Institute

606 views • 56 slides
evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06

evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06

evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06 Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 2 / 51 Agenda

1.31k views • 85 slides
Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web Applications Web Application &lt;SCRIPT&gt;...&lt;/SCRIPT&gt; Attackers evil script executed using victims credentials Omer Tripp Marco

410 views • 6 slides
Wisdom Discerning between Good and Evil Goal scripture: Hebrews 5:11-14 Wisdom Discerning

Wisdom Discerning between Good and Evil Goal scripture: Hebrews 5:11-14 Wisdom Discerning

Wisdom Discerning between Good and Evil Goal scripture: Hebrews 5:11-14 Wisdom Discerning between Good and Evil My Focus Today New Series: Books of Wisdom Talk a little about what wisdom is Job Present Teaching Points Psalms on 2

484 views • 29 slides
Copying Objects: Reference Copy Copies: Reference vs. Shallow vs. Deep Reference Copy c1 := c2

Copying Objects: Reference Copy Copies: Reference vs. Shallow vs. Deep Reference Copy c1 := c2

Copying Objects: Reference Copy Copies: Reference vs. Shallow vs. Deep Reference Copy c1 := c2 Copy the address stored in variable c2 and store it in c1 . Writing Complete Postconditions Both c1 and c2 point to the same object.

115 views • 10 slides
A Poisonous Mouth

A Poisonous Mouth

A Poisonous Mouth Poisonous Mouth Deliver me, O Lord, from evil men; preserve me from violent men, who plan evil things in their heart and stir up wars continually. They

415 views • 15 slides
Booting PROM (BIOS) perform basic self-test (POST) Lecture 13 and access parameters from

Booting PROM (BIOS) perform basic self-test (POST) Lecture 13 and access parameters from

Booting PROM (BIOS) perform basic self-test (POST) Lecture 13 and access parameters from nvram OS Loader locate and run kernel on disk Located in the MBR (first sector of boot device) May call secondary loader on some

468 views • 11 slides
A Flight RTEMS OSAL With Runtime Loader Support and Other Enhancements Kevin Gordon, Allen Brown

A Flight RTEMS OSAL With Runtime Loader Support and Other Enhancements Kevin Gordon, Allen Brown

A Flight RTEMS OSAL With Runtime Loader Support and Other Enhancements Kevin Gordon, Allen Brown Odyssey Space Research, LLC 2017 Workshop on Spacecraft Flight Software Johns Hopkins University Applied Physics Laboratory Laurel, MD This

391 views • 17 slides
A Penrose transform for the double copy Three routes to the double copy: Lie-polynomials,

A Penrose transform for the double copy Three routes to the double copy: Lie-polynomials,

A Penrose transform for the double copy Three routes to the double copy: Lie-polynomials, differential forms, and the worldsheet Lionel Mason The Mathematical Institute, Oxford lmason@maths.ox.ac.uk QCD Meets gravity 13/12/2019 Continuing

673 views • 19 slides
Communication in History: The Key to Understanding Get your digital copy today at

Communication in History: The Key to Understanding Get your digital copy today at

Communication in History: The Key to Understanding Get your digital copy today at nhd.org/rulebook or a hard copy at nhd.org/buyrulebook Get your digital copy today at nhd.org/themebook or purchase a hard copy at nhd.org/buythemebook NARA

659 views • 33 slides
6/24/2014 1 6/24/2014 Theory of Retribution Good will be rewarded and Evil will be punished

6/24/2014 1 6/24/2014 Theory of Retribution Good will be rewarded and Evil will be punished

6/24/2014 1 6/24/2014 Theory of Retribution Good will be rewarded and Evil will be punished Book of Job challenges this theory We are shocked when Good suffer and the Evil are rewarded We want to make God is predicable We know how God will

583 views • 6 slides
Copy #16 BCA Copy #16 BCA Company Overview Grower, trader, exporter, and distributor of fruit

Copy #16 BCA Copy #16 BCA Company Overview Grower, trader, exporter, and distributor of fruit

Copy #16 BCA Copy #16 BCA Company Overview Grower, trader, exporter, and distributor of fruit and vegetables based on human beings through conscious and responsible consumption, sustainable development, fair trade, organic farming, and

639 views • 17 slides
Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by Mirai https://krebsonsecurity.com/wp-content/uploads/2016/10/IoTbadpass-Sheet1.pdf loader/src/headers/includes.h loader/src/headers/binary.h

835 views • 17 slides
Snow and Ice control (SnIc) Plow Truck with Sanders Blade Inventory Loader with Blower 2 Parks

Snow and Ice control (SnIc) Plow Truck with Sanders Blade Inventory Loader with Blower 2 Parks

Snow and Ice control (SnIc) Plow Truck with Sanders Blade Inventory Loader with Blower 2 Parks &amp; Open Space Equipment 3 Sand and Salt Storage SNIC Signs 4 Byla Bylaw Procedu edure re Poli Policy cy 5 6 Snow Storage Facility

511 views • 21 slides

More recommend