lec06 dep and aslr
play

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker - PowerPoint PPT Presentation

Apr 17, 2023 •684 likes •1.13k views

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Congrats!! We've completed the half of labs! Due: Lab06 is out and its due on Oct 5 at midnight NSA Codebreaker Challenge Due:

  1. 1 Lec06: DEP and ASLR Taesoo Kim

  2. 2 Scoreboard

  3. 3 NSA Codebreaker Challenges

  4. 4 Administrivia • Congrats!! We've completed the half of labs! • Due: Lab06 is out and its due on Oct 5 at midnight • NSA Codebreaker Challenge → Due: Nov 30 • We'll release new lab every Thursday at 8pm • If you are working on Thursday, please connect to " -p 2024" • If you haven't read yet, please check some time saving tips on Piazza.

  5. 5 Lab05: Stack Protection

  6. 6 Best Write-ups for Lab05 • xor: shudak3, carterchen • stackshield: spark720, shudak3 • weak-random: markwis, spark720 • gs-random: carterchen, shudak3 • terminator: spark720, brian_edmonds • assassination: carterchen, dhaval • mini-heartbleed: rpgiri, brian_edmonds • pltgot: carterchen, N/A • ssp: shudak3, carterchen • fd: luoyinfeng, spark720

  7. 7 Discussion: Lab05 • What's the most "annoying" bug or challenge? • What's the most "interesting" bug or challenge? • So, should we use canary or not? • So, which one would you like to use?

  8. 8 Take-outs from Stack Canary? • Stack Canary indirectly protects the "integrity" of RA, funcptr, etc • (e.g., exploitation mitigation → NX, canary) • We better prevent buffer overflows at the first place • (e.g., code analysis, better APIs)

  9. 9 Subtle Design Choices for the Stack Canary • Where to put? (e.g., right above ra? fp? local vars?) • Which value should I use? (e.g., secrete? random? per exec? per func?) • How to check its integrity? (e.g., xor? cmp?) • What to do after you find corrupted? (e.g., crash? report?)

  10. 10 Discussion: xor • How xor canary works? • What happens if RA is overwritten (or leaked)?

  11. 11 Discussion: xor

  12. 12 Discussion: stackshield • How stackshield works? (can you overwrite ra/fp?) • Compared to xor, what's better? • Then, could you control its control flow?

  13. 13 Discussion: weak-random • How weak-random is implemented? • How did you exploit? • What if we use a perfect random value (e.g., /dev/random)?

  14. 14 Discussion: gs-random • Near perfect (Microsoft CL): • strong randomness: /dev/random • protect fp/ra

  15. 15 Discussion: gs-random void echo(char *msg) { char buf[80]; strcpy(buf, msg); capitalize(buf); strcpy(msg, buf); ... }

  16. 16 Discussion: gs-random (arbitrary overwrite) void echo(char *msg) { char buf[80]; /* buf = [val] ... [addr] */ /* *addr = val */ strcpy(buf, msg); /* overwrite msg (addr) */ capitalize(buf); strcpy(msg, buf); /* overwrite addr with buf */ ... }

  17. 17 Discussion: gs-random

  18. 18 Discussion: terminator • How is the terminator canary implemented?

  19. 19 Discussion: terminator • What's the vulnerability?

  20. 20 Discussion: terminator (off-by-one)

  21. 21 Discussion: terminator • How to prevent this vulnerability?

  22. 22 Discussion: assassination • Near perfect (GCC) • random canary • protect fp, ra • What's the bug? • How to prevent?

  23. 23 Discussion: mini-heartbleed

  24. 24 Discussion: ssp • What happens if you cause a crash?

  25. 25 Discussion: ssp

  26. 26 Discussion: ssp

  27. 27 Discussion: pltgot • What was the vulnerability? • Where to overwrite? • How to prevent?

  28. 28 Discussion: fd

  29. 29 Discussion: fd • Why need vtable?

  30. 30 Discussion: fd

  31. 31 Discussion: fd • How to prevent this vulnerability?

  32. 32 Discussion: How to make exploitation difficult?

  33. 33 Discussion: How to make exploitation difficult? • What if the stack address (or code/heap) is random? • How could you exploit any challenge in the last week? • What if the stack/heap memory is not executable? • Then, where to put your shellcode?

  34. 34 Today's Tutorial • In-class tutorial: • About: format string vulnerability • Format string to arbitrary read • Format string to arbitrary write • (optional) Format string to arbitrary execution

  35. 35 Format string: *printf 1) printf("hello: %d", 10); 2) printf("hello: %d/%d", 10, 20); 3) printf("hello: %d/%d/%d", 10, 20);

  36. 36 Format string: *printf printf("%d/%d/%d", a1, a2 ...) +----(n)----+ | v [ra][fmt][a1][a2][a3][..] (1) (2) (3) ....

  37. 37 Format string specifiers printf(fmt); %p: pointer %s: string %d: int %x: hex %[nth]$p (e.g., %1$p = first argument)

  38. 38 Arbitrary Read printf("\xaa\xbb\xcc\xdd%3$s") +---(3rd)---+ | v [ra][fmt][a1][a2][\xaa\xbb\xcc\xdd%3$s] (1) (2) (3) .... -> "\xaa\xbb\xcc\xdd[value]"

  39. 39 More Format Specifiers printf("1234%n", &len) -> len=4 %n: write #bytes %hn (short), %hhn (byte) NOTE. %10d: print an int on 10-space word (e.g., " 10")

  40. 40 Write (sth) to an Arbitrary Location printf("\xaa\xbb\xcc\xdd%3$n") +---(3rd)---+ | v [ra][fmt][a1][a2][\xaa\xbb\xcc\xdd%3$n] (1) (2) (3) .... -> "\xaa\xbb\xcc\xdd" = 4

  41. 41 Arbitrary Write printf("\xaa\xbb\xcc\xdd%6c%3$n") +---(3rd)---+ | v [ra][fmt][a1][a2][\xaa\xbb\xcc\xdd%6c%3$n] (1) (2) (3) .... -> *(int *)(0xddccbbaa) = strlen("\xaa\xbb\xcc\xdd......") = 10

  42. 42 In-class Tutorial • Step1: Format string to arbitrary read • Step2: Format string to arbitrary write • Step3: (optional) Format string to arbitrary execution $ ssh YOURID@cyclonus.gtisc.gatech.edu -p 2023 $ ssh YOURID@cyclonus.gtisc.gatech.edu -p 2022 $ ssh YOURID@computron.gtisc.gatech.edu -p 2023 $ ssh YOURID@computron.gtisc.gatech.edu -p 2022 $ cd tut/lab06 $ cat README

  43. 43 References • Bypassing ASLR • Advanced return-into-lib(c) exploits • Format string vulnerability

Recommend

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for

1 Lec06: DEP and ASLR Taesoo Kim 2 Scoreboard 3 Administrivia Due: Lab04 is extended for one week! Due: Lab05 is out and its due on Oct 5 at midnight Lab10: NSA Codebreaker Challenge Due: Nov 29 Offline CTF (Nov

880 views • 19 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit`

On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco On the effectiveness of Full-ASLR on 64-bit Linux Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) In-Depth Security Conference (DeepSec)

1.05k views • 62 slides
ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec

ASLR on the Line Ben Gras, Kaveh Razavi, Erik Bosman , Herbert Bos, Cris ano Giu ff rida VUSec Erik Bosman @brainsmoke Kaveh Razavi @gober Ben Gras @bjg Stephan van Schaik ASLR Address Space Layout Randomiza on Widely deployed

1.75k views • 137 slides
On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android

From Zygote to Morula: For0fying Weakened ASLR on Android Byoungyoung Lee Long Lu Tielei Wang Taesoo Kim Wenke Lee Georgia Tech,

635 views • 30 slides
String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross

String Oriented Programming: When ASLR is not enough Mathias Payer* and Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland * now at UC Berkeley Current protection is not complete http://creoflick.net 2 Motivation:

639 views • 33 slides
ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse A9acks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, Wenke Lee

605 views • 45 slides
How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

833 views • 44 slides
String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich

String Oriented Programming Circumventing ASLR, DEP, and other Guards Mathias Payer, ETH Zrich Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback: hard to

640 views • 26 slides
Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei

Abusing Performance Optimization Weaknesses to Bypass ASLR Byoungyoung Lee Yeongjin Jang Tielei Wang Chengyu Song Long Lu Taesoo Kim Wenke Lee Georgia Tech Information Security Center (Rough) System Attack Trends Executing existing code

661 views • 50 slides
Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester

Binary Exploitation 1 Buffer Overflows (return-to-libc, ROP, Canaries, W^X, ASLR) Chester Rebeiro Indian Institute of Technology Madras Parts of Malware Two parts Subvert execution: change the normal execution behavior of the program

1.25k views • 102 slides
Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer Security W X (DEP) Low-level defenses and counterattacks Announcements (combined lecture) Return-oriented programming (ROP) Stephen McCamant

699 views • 12 slides
ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR aim to complicate various steps in a standard attack But they still may not stop it Idea: observe the programs behavior is it doing

314 views • 17 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Last Words on Buffer Overflows 10/12/17 CSE 484 / CSE M 584 - Fall 2017 2 ASLR Issues

Last Words on Buffer Overflows 10/12/17 CSE 484 / CSE M 584 - Fall 2017 2 ASLR Issues

CSE 484 / CSE M 584: Computer Security and Privacy Software Security (Misc) Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John

596 views • 26 slides
Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from

Preview question Which of these defense techniques would completely prevent a ROP attack from returning from an intended CSci 5271 return instruction to an unintended gadget? Introduction to Computer Security A. ASLR Day 6: Low-level defenses

125 views • 9 slides
Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary code execution y Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR Attackers must identify

1.05k views • 91 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Last Class 1. Defenses a. Address Space Layout Randomization (ASLR)

872 views • 19 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security! Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript

891 views • 59 slides

More recommend