dangling pointer dangling pointer
play

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat - PowerPoint PPT Presentation

Oct 27, 2023 •247 likes •543 views

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&A 2 What is a

  1. Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1

  2. Table of Contents � What is a Dangling Pointer? � Code Injection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 2

  3. What is a Dangling Pointer? Invalid Pointer: � Dangerous Dangling Dangling Pointer Pointer � Easy to Exploit Pointer Pointer Pointer Pointer Pointer Pointer � Common Deleted Deleted Object Object New Data Object New Data Object Object Object Object Object 3

  4. What is a Dangling Pointer? – An Example � Results: Crash 4

  5. What is a Dangling Pointer? – An Example � Debugger View 5

  6. Where are We � What is a Dangling Pointer? � Code I njection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 6

  7. Code I njection – The Layout of an Object � Class_A: class Class_A Instance_A memory Class_A VFTable vfunc_A1 Code class Class_A Instance_A memory Class_A VFTable vfunc_A1 Code VFTABLE Pointer vfunc_A1 address { VFTABLE Pointer vfunc_A1 address { Assembly code Assembly code member_of_A int member_of_A; vfunc_A2 address member_of_A int member_of_A; vfunc_A2 address public: public: vfunc_A2 Code virtual long vfunc_A1(); vfunc_A2 Code virtual long vfunc_A1(); { { … virtual long vfunc_A2(); … virtual long vfunc_A2(); ... ... Assembly code Assembly code MOVE EAX, [ECX] MOVE EAX, [ECX] static void sfunc_A(); static void sfunc_A(); this.vfunc_A2(); this.vfunc_A2(); CALL [EAX + 4] CALL [EAX + 4] ... ... void funcA(); void funcA(); … } … } }; }; 7

  8. Code I njection – The Double Reference Exploit Exploit Overview: – Free the Object – Override the Object – covered later – Execute a Virtual Function 8

  9. Code I njection – The Double Reference Exploit � Injecting Code � Continue – Free the Object – Automation – Shellcode – Call/Jmp ECX ECX – Original – Finding a “VFTABLE” ECX – Original Object Object – Interpreted as Code VFTABLE Pointer VFTABLE VFTABLE Pointer VFTABLE VFTABLE + 4 VFTABLE + 4 Original Object Freed Space Original Object Freed Space VFTABLE + 8 Pointer VFTABLE + 8 Pointer SHELLCODE SHELLCODE VFTABLE + C VFTABLE + C VFTABLE + 10 CALL/JMP ECX VFTABLE + 10 CALL/JMP ECX 9 9

  10. Code I njection – Double I nheritance Class_A::vfunc_A1 Class_A::vfunc_A1 � Multiple Inheritance Assembly code Assembly code Inherited::Class_A Inherited::Class_A Object’s memory Object’s memory VFTable VFTable class Inherited: public Class_A, public Class_B Inherited::vfunc_A2 class Inherited: public Class_A, public Class_B Inherited::vfunc_A2 A VFTABLE Pointer vfunc_A1 address A VFTABLE Pointer vfunc_A1 address { { Class A member_of_A vfunc_A2 address member_of_A vfunc_A2 address Assembly code public: Assembly code public: � We can now override the second VFTABLE!!! B VFTABLE Pointer B VFTABLE Pointer virtual int vfunc_A2(); virtual int vfunc_A2(); Inherited::Class_B Inherited::Class_B member1_of_B VFTable Class B member1_of_B VFTable virtual int vfunc_B2(); Class_B::vfunc_B1 virtual int vfunc_B2(); Class_B::vfunc_B1 vfunc_B1 address vfunc_B1 address Member2_of_B }; Member2_of_B }; vfunc_B2 address vfunc_B2 address Assembly code Assembly code Inherited::vfunc_B2 Inherited::vfunc_B2 Assembly code Assembly code 10 10

  11. Where are We � What is a Dangling Pointer? � Code Injection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 11

  12. Object Overriding � Allocation Implementation – Numerous heaps • Two Default heaps • Different API • C-Runtime functions – Malloc – Free – New – Delete – Etc. 12 12

  13. Object Overriding � Allocation implementation details – Lookaside List • A list for each size (8-1024) (8) and for each heap • First Allocation Priority • Merges A De-Allocated Buffer Another De-Allocated A De-Allocated Buffer Another De-Allocated Buffer Buffer Next Buffer Pointer NULL Next Buffer Pointer NULL 40 40 40 40 Bytes Bytes Bytes Bytes Lookaside Lookaside list base list base pointer pointer 13 13

  14. Object Overriding � And Finally – Overriding – Search for Allocations • Static Analysis – Method: Disassembly – Restriction: Static Size – Validation: Controllable Content – Usage: Causing the Allocation • Dynamic analysis – Method: API Breakpoints – Restriction: Static/Dynamic Size – Validation: Controllable Content 14 14

  15. Object Overriding – The VFTABLE Exploit � Exploitation: � Continue: – Empty the Lookaside List – Free the Object – Allocate a Buffer – Execute a VFunc – Insert Content – Free the Buffer VFTABLE VFTABLE VFTABLE Pointer VFTABLE Pointer NULL SHELLCODE New Buffer SHELLCODE New Buffer Original Object Original Object VFTABLE + 8 Pointer Rest of Rest of CALL/JMP EAX CALL/JMP EAX SHELLCODE SHELLCODE 15

  16. Object Overriding – The Lookaside Exploit � Empty the Lookaside � Free One Buffer � Allocate Two Buffers � Free The Other � Insert Shellcode � Free The Object � Execute the Destructor The De-Allocated The De-Allocated The Shellcode The De-Allocated The De-Allocated The Shellcode Object Buffer Buffer Object Buffer Buffer A VFTABLE A Function NULL A VFTABLE A Function NULL Pointer Pointer GAME OVER!!! Pointer Pointer Shellcode … … Shellcode … … 16 16

  17. Object Overriding – The Lookaside Exploit � Executing NULL – NO Problem 17 17

  18. Summary � Summary – Double Reference • Controllable First DWORD • Static Address – VFTABLE Exploit • Controllable Allocations • No First DWORD • Static Address – Lookaside Exploit • Controllable Allocations • No First DWORD • No Static Address • Destructor Execution 18

  19. Where are We � What is a Dangling Pointer? � Code Injection � Object Overriding � Demonstrations � Remediation � Summary � Q&A 19

  20. Demonstrations – Configuration I tem � Allocating the Object � De-Allocation the Object 20

  21. Demonstrations – Configuration I tem � Allocating User Data 21

  22. Demonstrations – Configuration I tem � Executing a VFunc 22

  23. Demonstrations – Configuration I tem � Putting it Together – De-Allocate – Re-Allocate – Execute 23

  24. Demonstrations – Remote Exploit � Another Exploit on IIS, but this time – a remote one 24

  25. Where are We � What is a Dangling Pointer � Code Injection � Object Overriding � Demonstrations � Remediation? � Summary � Q&A 25

  26. Remediation � Known Protection Mechanisms – NX Bit – ASLR � VFTABLE Sanitation � Safe Programming 26

  27. Summary � Technical Background – Memory Allocations – Objects Implementation � Exploits – Double Reference Exploit – VFTABLE Exploit – Lookaside Exploit � Demonstrations – Configuration Item – Remote Exploit � Dangling Pointer – Only Object Oriented Objects 27

  28. Questions � Ask Away… 28

Recommend

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June 30, 2011 Dangling nodes on the web Dangling nodes denote the nodes without outgoing links Some web pages do not contain any valid hyperlinks

467 views • 20 slides
Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and included in the result. A tuple is dangling if it do esn't join with an y other tuple. = R A B 1 2 3 4 = S B C 2 5 2

185 views • 18 slides
Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an integer as long as result is still within the bounds of the array Can subtract a pointer from another pointer iff both point to

140 views • 9 slides
Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer is a variable that stores a memory address. Pointers are used to store the addresses of other variables or memory items. Pointers are very

742 views • 23 slides
Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer Interpretation: declare x as a variable on the stack that holds the numeric address of the location in memory at which are 32 bits that we intend

359 views • 15 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

The 5 th ATS at Fukuoka HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University Hospital. 2 HD-SCR: High Definition Streaming Combined Remote conference system Concepts of New system Hi quality HD image

108 views • 7 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

Medical WG Technology session APAN 32 nd meeting at New Delhi HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National Taiwan University Torata N and Cao Duc Minh, Kyushu University Hospital. 1 HD-SCR:

347 views • 10 slides
A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs Mentors: Artem Dergachev Etvs Lornd University, Budapest, Hungary Gbor Horvth rekanikolett@gmail.com Real-world example return

257 views • 9 slides
Pointers and Memory 1 Pointer values Pointer values are memory addresses

Pointers and Memory 1 Pointer values Pointer values are memory addresses

Pointers and Memory 1 Pointer values Pointer values are memory addresses Think of them as a kind of integer values The first byte of memory is 0, the next 1, and so on A pointer p can hold the address of a memory

1.01k views • 31 slides
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song,

Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song,

Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free

923 views • 43 slides
FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically metadata contains the base and bounds of the pointer which is essentially the valid accessible memory region by the pointer if(

511 views • 49 slides
Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer Arithmetic When you add to or subtract from a pointer, the amount by which you do that is multiplied by the size of the type the pointer points

689 views • 33 slides
Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal

Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal

Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal Motivation 222748: Canonicalize store (cast V), P -> store V, (cast P) 220138: Canonicalize cast (load P) -> load (cast P)

649 views • 25 slides
A few more pointer points A few more pointer points Beware null & wayward pointers! (Learn

A few more pointer points A few more pointer points Beware null & wayward pointers! (Learn

A few more pointer points A few more pointer points Beware null & wayward pointers! (Learn from Binky) Command line arguments int main(int argc, char *argv[]) {} Equivalent argv declaration: char **argv Either way,

403 views • 14 slides
Pointers and memory Ch 9, 11.4, 13.1 & Appendix F Highlights - dynamic arrays Pointer to

Pointers and memory Ch 9, 11.4, 13.1 & Appendix F Highlights - dynamic arrays Pointer to

Pointers and memory Ch 9, 11.4, 13.1 & Appendix F Highlights - dynamic arrays Pointer to pointer You can have multiple stars next to types: Each star indicates how many arrows you need to follow before you find the variable int*** int**

605 views • 15 slides
Pointer Variables Chapter 4: (Pointers and) Linked Lists Declaring a variable creates space

Pointer Variables Chapter 4: (Pointers and) Linked Lists Declaring a variable creates space

Pointer Variables Chapter 4: (Pointers and) Linked Lists Declaring a variable creates space for it Pointer variables in a region of process memory called stack Operations on pointer variables each memory cell has an address

512 views • 11 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach Model

371 views • 34 slides
Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders

Scalability-First Pointer Analysis with Self-Tuning Context Sensitivity Yue Li, Tian Tan, Anders Mller and Yannis Smaragdakis 1 Pointer Analysis Concept Which objects a variable may point to? Importance Fundamental for virtually

769 views • 54 slides
CS 103 Unit 11 Linked Lists Mark Redekopp 2 NULL Pointer Just like there was a null

CS 103 Unit 11 Linked Lists Mark Redekopp 2 NULL Pointer Just like there was a null

1 CS 103 Unit 11 Linked Lists Mark Redekopp 2 NULL Pointer Just like there was a null character in ASCII = '\0' whose value was 0 there is a NULL pointer whose value is 0 Used to represent a pointer to "nothing" NULL is

698 views • 28 slides
CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we

CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we

CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we do if a function needs to change one of the pointer parameters passed to it? Assume we have struct Node* root that points to a tree. We could

431 views • 10 slides
Objects and nesting and pointers, oh my! If we have a pointer variable ptr , we access the

Objects and nesting and pointers, oh my! If we have a pointer variable ptr , we access the

Objects and nesting and pointers, oh my! If we have a pointer variable ptr , we access the thing that a pointer points to with the syntax *ptr To access a field or method of a class through an object variable, use the syntax

282 views • 13 slides

More recommend