lecture 09 code reuse attacks
play

Lecture 09 Code reuse attacks Stephen Checkoway University of - PowerPoint PPT Presentation

Oct 14, 2022 •315 likes •751 views

Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable - An exception to this

  1. Lecture 09 – Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 — Fall 2017

  2. Last time • No good reason for stack/heap/static data to be executable • No good reason for code to be writable - An exception to this would be a JIT • Data Execution Prevention (DEP) or W ^ X gives us exactly that - A page of memory can be writable - A page of memory can be executable - No page can ever be both - (Pages can be neither writable nor executable, of course)

  3. Think like an attacker shellcode (aka payload) padding &buf computation + control • We (as attackers) are now prevented from executing any injected code • We still want to perform our computation • We talked about how to bypass stack canaries last time, so let’s ignore them for now and focus on bypassing DEP • If we can’t execute injected code, what code should we execute?

  4. Existing code in binaries • Program code itself • Dynamic libraries - Google Chrome 61.0.3163.91 links to 99 dynamic libraries! - libc is linked into (almost) every program • libc contains useful functions - system — Run a shell command - mprotect — Change the memory protection on a region of code

  5. 
 Return to libc (ret2libc) • Rather than returning to our shellcode, let’s return to a standard library function like system • We need to set the stack up precisely how system expects 
 int system(const char *command);

  6. Simple example … • Consider evil void foo(char *evil) { saved eip saved ebp char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system 
 evil &buf esp � …

  7. Simple example … • Consider evil void foo(char *evil) { &system char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system 
 evil &buf esp � …

  8. Simple example … • Consider evil void foo(char *evil) { &system char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system • system takes one argument, a evil &buf esp � pointer to the command string; where … does it go?

  9. Back to basics … • Imagine we called system directly via 
 command system(command); saved eip esp � • Look at the stack layout before the first instruction in system • As usual, the first argument is at 
 esp + 4 …

  10. Simple example … • Consider evil void foo(char *evil) { &system char buf[32]; strcpy(buf, evil); } buf • Let’s overwrite the saved eip with the address of system • system takes one argument, a evil &buf esp � pointer to the command string; where … does it go? esp + 4 after the ret

  11. Simple example … • ret pops the address of system o ff evil the stack and into eip leaving the esp � &system stack pointer pointing at the first evil • 4 bytes above that should be our pointer to the command string buf evil &buf …

  12. Simple example … • ret pops the address of system o ff &cmd string ??? the stack and into eip leaving the esp � &system stack pointer pointing at the first evil • 4 bytes above that should be our pointer to the command string buf • Where should we put the command string "sh" itself? - In buf? evil - Above the pointer to the command &buf string? …

  13. Simple example … "sh" • ret pops the address of system o ff &cmd string ??? the stack and into eip leaving the esp � &system stack pointer pointing at the first evil • 4 bytes above that should be our pointer to the command string buf • Where should we put the command string "sh" itself? - In buf? evil - Above the pointer to the command &buf string? …

  14. Simple example … "sh" • When system returns, it'll return to &cmd string ??? the address on the stack at esp esp � &system (the ???) • This will likely crash unless we pick a good value to put there buf evil &buf …

  15. Simple example … "sh" • When system returns, it'll return to &cmd string &exit the address on the stack at esp esp � &system (the ???) • This will likely crash unless we pick a good value to put there • The address of exit is a good choice buf • Now when system returns, the program will exit evil &buf …

  16. 
 Injecting code … • We cannot run injected code directly, but code we can first make it executable by calling mprotect 
 RWX code_len &code int mprotect(void *addr, 
 &code size_t len, 
 &mprotect esp � int prot); • This can be tricky since there are likely to be zero bytes - Use memcpy instead of strcpy … - Use return-oriented programming (next class)

  17. Injecting code … • Return to mprotect code RWX code_len &code &code &mprotect esp � …

  18. Injecting code … • Return to mprotect code - Increments esp by 4 - Runs mprotect making the injected RWX code executable code_len - Modifies the stack below esp &code &code esp � …

  19. Injecting code … • Return to mprotect code - Increments esp by 4 - Runs mprotect making the injected RWX code executable code_len - Modifies the stack below esp &code &code esp � • Return from mprotect to code …

  20. Injecting code … • Return to mprotect code - Increments esp by 4 eip � - Runs mprotect making the injected RWX code executable code_len - Modifies the stack below esp &code esp � &code • Return from mprotect to code - Increments esp by 4 - Runs code …

  21. Chaining functions • We can chain two functions together if - the first has one argument and the g argn ... second any number of arguments g arg2 g arg1 f arg1 &g &f esp �

  22. Chaining functions • We can chain two functions together if - the first has one argument and the f argn second any number of arguments; or ... - the first has any number of arguments f arg2 and the second has none f arg1 &g &f esp �

  23. Chaining functions • We can chain two functions together if - the first has one argument and the g argn f argn ... second any number of arguments; or ... g arg2 - the first has any number of arguments f arg2 g arg1 and the second has none f arg1 f arg1 &g &g • We can start with any number of zero &f &f argument functions for either case &funm &funm ... ... &fun2 &fun2 &fun1 &fun1 esp �

  24. Cleaning up between z • What if we want to chain the four function &fun4 calls fun1(t), fun2(u,v), fun3(w,x,y), fun4(z)? y • Identify pieces of code that clean up the x w stack and return to those between function addl $16, %esp calls ret &fun3 v • Examples: u - popl %ebp; ret popl %ebx popl %ebp - popl %ebx; popl %ebp; ret &fun2 ret t - addl $16, %esp; ret popl %ebp ret &fun1 esp �

  25. Running z 1. Return to fun1 &fun4 y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 ret t popl %ebp esp � ret &fun1

  26. Running z 1. Return to fun1 which runs, modifies stack &fun4 y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 ret t popl %ebp esp � ret

  27. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 ret t esp � ← eip popl %ebp ret

  28. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x w addl $16, %esp ret &fun3 v u popl %ebx popl %ebp &fun2 esp � ret t popl %ebp ← eip ret

  29. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 w addl $16, %esp ret &fun3 v u popl %ebx esp � popl %ebp &fun2 ret t popl %ebp ret

  30. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp ret &fun3 v u popl %ebx esp � popl %ebp ret popl %ebp ret

  31. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp 4. Return to pop; pop; ret ret &fun3 v u esp � ← eip popl %ebx popl %ebp ret popl %ebp ret

  32. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp 4. Return to pop; pop; ret ret &fun3 v esp � u popl %ebx ← eip popl %ebp ret popl %ebp ret

  33. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp 4. Return to pop; pop; ret ret &fun3 esp � v u popl %ebx popl %ebp ← eip ret popl %ebp ret

  34. Running z 1. Return to fun1 which runs, modifies stack &fun4 2. Return to pop; ret y x 3. Return to fun2 which runs, modifies stack w addl $16, %esp esp � 4. Return to pop; pop; ret ret &fun3 v 5. Return to fun3 u popl %ebx popl %ebp ret popl %ebp ret

Recommend

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina Dartmouth T rust Lab Outline Code re-use: unexpected computation, programming models Containing computation: Coarse intent-based ABI-level

487 views • 27 slides
A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Gkta (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos,

587 views • 26 slides
Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes Gkta - Elias Athanasopoulos - Michalis Polychronakis Herbert Bos - Georgios Portokalidis presented by: Flora Karniavoura Katerina Karagiannaki

376 views • 23 slides
How to Write Fast Numerical Code Spring 2011 Lecture 7 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 7 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 7 Instructor: Markus Pschel TA: Georg Ofenbeck Last Time: Locality Temporal and Spatial memory memory Last Time: Reuse FFT: O(log(n)) reuse MMM: O(n) reuse Discrete Fourier

278 views • 25 slides
How to Write Fast Numerical Code Spring 2011 Lecture 8 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 8 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 8 Instructor: Markus Pschel TA: Georg Ofenbeck Reuse (Inherent Temporal Locality) Reuse of an algorithm: Number of operations Minimal number of Size of input + size of output data

465 views • 18 slides
How to Write Fast Numerical Code Spring 2011 Lecture 15 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 15 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 15 Instructor: Markus Pschel TA: Georg Ofenbeck Reuse Again Reuse of an algorithm: Number of operations Minimal number of Size of input + size of output data Memory accesses

272 views • 26 slides
Just-In-Time Code Reuse: On the Effec7veness of

Just-In-Time Code Reuse: On the Effec7veness of

Just-In-Time Code Reuse: On the Effec7veness of Fine-Grained Address Space Layout Randomiza7on Kevin Z. Snow, Fabian Monrose Lucas Davi,

819 views • 23 slides
Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane,

Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane,

Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi,Thorsten Holz, Bjorn De Sutter, Michael Franz

772 views • 62 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg Schwenk 1 , Adam Czubak 2 , Marcin Szymanek 2 1 : Ruhr University Bochum, Germany 2 : University of Opole, Poland 27 TH USENIX SECURITY SYMPOSIUM

476 views • 25 slides
1 Infrastructure Requirements Limit Reuse Planned Indirect Potable Reuse (Purple pipe may be a

1 Infrastructure Requirements Limit Reuse Planned Indirect Potable Reuse (Purple pipe may be a

Overview of Presentation DIRECT POTABLE REUSE: A PATH FORWARD: Take Home Message Reuse Opportunities De Facto and Planned Indirect Potable Reuse 2012 WATER REUSE CONFERENCE Proposed Direct Potable Reuse Strategies Boise, ID

599 views • 8 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020 Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on

869 views • 76 slides
D: Centralization, 51% Attacks Developer centralization Transf ansformati ormation on Code

D: Centralization, 51% Attacks Developer centralization Transf ansformati ormation on Code

D: Centralization, 51% Attacks Developer centralization Transf ansformati ormation on Code you write Code you Library use is depend on growing at a staggering rate Qu Ques estio tion Who controls the code you depend on? How

911 views • 55 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
Aspects of Inheritance Inheritance Readings: OOSCS2 Chapters 14 16 Code Reuse

Aspects of Inheritance Inheritance Readings: OOSCS2 Chapters 14 16 Code Reuse

Aspects of Inheritance Inheritance Readings: OOSCS2 Chapters 14 16 Code Reuse Substitutability Polymorphism and Dynamic Binding [ compile-time type checks ] EECS3311 A & E: Software Design Sub-contracting Fall 2020 [

226 views • 6 slides
Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on

Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on joint work

819 views • 57 slides
ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse

ASLR-Guard: Stopping Address Space Leakage for Code Reuse A9acks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, Wenke Lee

605 views • 45 slides
kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

1.18k views • 66 slides
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca

Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca

Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & C. Liebchen 2 A. Dmitrienko 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science 2 CASED/Technische Universitt University

1.42k views • 127 slides
Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1 Lecture Overview 1. Advanced MATE attacks models tools & techniques 2. Protected code comprehension processes 3. Advanced MATE defenses 4.

1.79k views • 114 slides
Object-Oriented Programming Exercises 13.1 Using Java as an example: Code reuse: inhertiance,

Object-Oriented Programming Exercises 13.1 Using Java as an example: Code reuse: inhertiance,

13 Object-Oriented Programming Exercises 13.1 Using Java as an example: Code reuse: inhertiance, interfaces. In the case of an interface, any class implementing the Comparable interface can be sorted or stored in an ordered colection.

425 views • 6 slides
CS 241: Systems Programming Lecture 29. Static Libraries Fall 2019 Prof. Stephen Checkoway 1

CS 241: Systems Programming Lecture 29. Static Libraries Fall 2019 Prof. Stephen Checkoway 1

CS 241: Systems Programming Lecture 29. Static Libraries Fall 2019 Prof. Stephen Checkoway 1 Announcement Homework 5 Regular Expressions is now available Due Sunday 2019-11-24 at 23:59 2 Code reuse is good! Why? 3 Multiple forms of code

348 views • 19 slides

More recommend