lecture 10 return oriented programming
play

Lecture 10 Return-oriented programming Stephen Checkoway - PowerPoint PPT Presentation

Jan 12, 2024 •146 likes •790 views

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements:

  1. Lecture 10 – Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

  2. ROP Overview • Idea: We forge shellcode out of existing application logic gadgets • Requirements: vulnerability + gadgets + some unrandomized code • History: • No code randomized: Code injection • DEP enabled by default: ROP attacks using libc gadgets published 2007 • ROP assemblers, compilers, shellcode generators • ASLR library load points: ROP attacks use .text segment gadgets • Today: all major OSes/compilers support position-independent executables 2

  3. 3 Image by Dino Dai Zovi

  4. ROP Programming 1. Disassemble code (library or program) 2. Identify useful code sequences (usually ending in ret) 3. Assemble the useful sequences into reusable gadgets* 4. Assemble gadgets into desired shellcode * Forming gadgets is mostly useful when constructing complicated return-oriented shellcode by hand 4

  5. A note on terminology • When ROP was invented in 2007 • Sequences of code ending in ret were the basic building blocks • Multiple sequences and data are assembled into reusable gadgets • Subsequently • A gadget came to refer to any sequence of code ending in a ret • In 2010 • ROP without returns (e.g., code sequences ending in call or jmp)

  6. There are many semantically equivalent ways to achieve the same net shellcode effect 6

  7. Equivalence ... v 2 Mem[v2] = v1 ... Desired Logic v 1 esp Stack a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 7

  8. Constant store gadget a 5 v 2 Mem[v2] = v1 a 3 Desired Logic Suppose a 5 v 1 and a 3 on esp stack Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; ebx a 4 : ret a 1 eip a 5 : mov [ebx], eax Implementation 2 8

  9. Constant store gadget a 5 v 2 Mem[v2] = v1 a 3 Desired Logic esp v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; ebx a 4 : ret a 1 a 3 eip a 5 : mov [ebx], eax Implementation 2 9

  10. Constant store gadget a 5 v 2 Mem[v2] = v1 esp a 3 Desired Logic v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; v 2 ebx a 4 : ret a 3 eip a 5 : mov [ebx], eax Implementation 2 10

  11. Constant store gadget a 5 esp v 2 Mem[v2] = v1 a 3 Desired Logic v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; v 2 ebx a 4 : ret a 4 a 5 eip a 5 : mov [ebx], eax Implementation 2 11

  12. Constant store gadget esp a 5 v 2 Mem[v2] = v1 a 3 Desired Logic v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; v 2 ebx a 4 : ret a 5 eip a 5 : mov [ebx], eax Implementation 2 12

  13. Equivalence a 3 v 2 Mem[v2] = v1 a 2 Desired Logic v 1 semantically esp Stack equivalent a 1 : mov eax, [esp] a 1 : pop eax; ret a 2 : mov ebx, [esp+8] a 2 : pop ebx; ret a 3 : mov [ebx], eax a 3 : mov [ebx], eax Implementation 1 Implementation 2 13

  14. Return-Oriented Programming … argv Mem[v2] = v1 argc Desired Shellcode return addr caller’s ebp %ebp • Find needed instruction gadgets at addresses a 1 , a 2 , and a 3 in existing code • Overwrite stack to execute a 1 , buf a 2 , and then a 3 (64 bytes) argv[1] buf %esp 14

  15. Return-Oriented Programming a 3 … v 2 argv a 2 Mem[v2] = v1 argc v 1 Desired Shellcode return addr a 1 caller’s ebp %ebp a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax buf (64 bytes) argv[1] Desired store executed! buf %esp 15

  16. What else can we do? • Depends on the code we have access to • Usually: Arbitrary Turing-complete behavior • Arithmetic • Logic • Conditionals and loops • Subroutines • Calling existing functions • System calls • Sometimes: More limited behavior • Often enough for straight-line code and system calls

  17. Comparing ROP to normal programming Normal programming ROP Instruction pointer eip esp No-op nop ret Unconditional jump jmp address set esp to address of gadget Conditional jump jnz address set esp to address of gadget if some condition is met Variables memory and registers mostly memory Inter-instruction (inter-gadget) minimal, mostly explicit; e.g., can be complex; e.g., adding two register and memory interaction adding two registers only affects registers may involve modifying the destination register many registers which impacts other gadgets

  18. Return-oriented conditionals • Processors support instructions that conditionally change the PC • On x86 • Jcc family: jz, jnz, jl, jle, etc. 33 in total • loop, loope, loopne • Based on condition codes mostly; and on ecx for some • On MIPS • beq, bne, blez, etc. • Based on comparison of registers • Processors generally don’t support for conditionally changing the stack pointer (with some exceptions)

  19. We want conditional jumps • Unconditional jump addr • popl %eax ret • movl %eax, %esp ret

  20. We want conditional jumps ... • Unconditional jump addr &next gadget • popl %eax ret • movl %eax, %esp ret addr esp

  21. We want conditional jump ... • Unconditional jump addr &next gadget • popl %eax ret • movl %eax, %esp ret addr esp

  22. We want conditional jump ... • Unconditional jump addr &next gadget eax • popl %eax ret • movl %eax, %esp ret esp addr

  23. We want conditional jumps ... • Unconditional jump addr &next gadget eax • popl %eax ret • movl %eax, %esp esp ret addr

  24. We want conditional jumps ... • Unconditional jump addr &next gadget eax, esp • popl %eax ret • movl %eax, %esp ret addr

  25. We want conditional jumps ... esp • Unconditional jump addr &next gadget eax • popl %eax ret • movl %eax, %esp ret addr

  26. We want conditional jumps • Unconditional jump addr • popl %eax ret • movl %eax, %esp ret • Conditional jump addr, one way • Conditionally set a register to 0 or 0xffffffff • Perform a logical AND with the register and an offset • Add the result to esp

  27. Conditionally set a register to 0 or 0xffffffff • Compare registers eax and ebx and set ecx to • 0xffffffff if eax < ebx • 0 if eax >= ebx • Ideally we would find a sequence like cmpl %ebx, %eax set carry flag cf according to eax - ebx sbbl %ecx, %ecx ecx ← ecx - ecx - cf; or ecx ← -cf ret • Unlikely to find this; instead look for cmp; ret and sbb; ret sequences

  28. Performing a logical AND with a constant • Pop the constant into a register using pop; ret • Use an and; ret sequence

  29. Updating the stack pointer • Use an add esp; ret sequence

  30. Putting it together Useful instruction sequences ... &next gadget movl %eax, %esp 37 ret popl %edx ret Conditional jump gadget addr Load constant in edx gadget addl %eax, %esp ret Unconditional jump gadget 42 andl %ecx, %eax ret popl %eax ret offset sbbl %ecx, %ecx ret cmpl %ebx, %eax ret

  31. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 10 andl %ecx, %eax ebx 20 ret ecx 108 popl %eax edx 17 ret offset sbbl %ecx, %ecx ret cmpl %ebx, %eax esp ret

  32. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 10 andl %ecx, %eax ebx 20 ret ecx 108 popl %eax edx 17 ret offset sbbl %ecx, %ecx ret esp cmpl %ebx, %eax ret

  33. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 10 andl %ecx, %eax ebx 20 ret ecx 108 popl %eax edx 17 ret offset cf = 1 sbbl %ecx, %ecx ret esp cmpl %ebx, %eax ret

  34. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 10 andl %ecx, %eax ebx 20 ret ecx 108 popl %eax edx 17 ret offset cf = 1 sbbl %ecx, %ecx esp ret cmpl %ebx, %eax ret

  35. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 10 andl %ecx, %eax ebx 20 ret ecx 0xffffffff popl %eax edx 17 ret offset cf = 1 sbbl %ecx, %ecx esp ret cmpl %ebx, %eax ret

  36. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 10 andl %ecx, %eax ebx 20 ret ecx 0xffffffff popl %eax edx 17 ret offset esp sbbl %ecx, %ecx ret cmpl %ebx, %eax ret

  37. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 20 = offset andl %ecx, %eax ebx 20 ret ecx 0xffffffff popl %eax esp edx 17 ret offset sbbl %ecx, %ecx ret cmpl %ebx, %eax ret

  38. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 20 = offset andl %ecx, %eax ebx 20 ret esp ecx 0xffffffff popl %eax edx 17 ret offset sbbl %ecx, %ecx ret cmpl %ebx, %eax ret

  39. Putting it together ... &next gadget movl %eax, %esp 37 ret popl %edx ret addr addl %eax, %esp Register Value ret 42 eax 20 = offset andl %ecx, %eax ebx 20 ret esp ecx 0xffffffff popl %eax edx 17 ret offset sbbl %ecx, %ecx ret cmpl %ebx, %eax ret

Recommend

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements: vulnerability +

1.64k views • 80 slides
ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING PRESENTED BY AHMAD MOGHIMI What is ROP A&amp;ack? q Return Oriented Programming a0ack is a technic to

656 views • 46 slides
61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method for organizing programs Data abstraction John's Apply for Account Bundling together information and related behavior a loan! A metaphor

207 views • 18 slides
! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy Dresden, 2010-10-20 Fundamental

792 views • 31 slides
Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure

Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure

Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure Software Systems Day 6: Memory safety defenses and counter-attacks Announcements break Stephen McCamant University of Minnesota, Computer Science &amp;

394 views • 4 slides
Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern exploit techniques Introduction to Computer Security Announcements intermission Day 7: Defensive programming and design, part 1 Saltzer &amp;

579 views • 15 slides
Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The primary characteristics associated with object-oriented programming are inheritance; encapsulation; and polymorphism Inheritance class Shape: class

252 views • 9 slides
ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen (schen@wcupa.edu) Compile the code gcc -m32 fno-stack-protector z execstack o ./overflow2 ./overflow2.c Page 2 No eXecute (NX) -z

636 views • 37 slides
Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4

Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4

1 Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Please submit both 'working exploit' and write-up on time; otherwise, no score. Due: Lab07 is out and its due on Oct 19

799 views • 37 slides
Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit

Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit

1 Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit both working exploit and write-up on time! Due: Lab04 is due on Oct 11 Due: Lab05 is out and its due on Oct 18 (two weeks)!

558 views • 43 slides
Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage Stephen Checkoway, * Ariel J. Feldman, Brian Kantor, * J. Alex Halderman, Edward W. Felten, Hovav Shacham * * UCSD, Princeton,

641 views • 40 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security BCECHO Day 6: Low-level defenses and counterattacks, part 2 Stephen McCamant Control-flow integrity (CFI) University of Minnesota, Computer

907 views • 6 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security Day 6: Low-level defenses and BCECHO counterattacks, part 2 Control-flow integrity (CFI) Stephen McCamant University of Minnesota, Computer

348 views • 8 slides
61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4 Object-Oriented Programming A method for organizing programs 4 Object-Oriented Programming A method for organizing programs Data abstraction 4

1.46k views • 142 slides
CSEP505: Programming Languages Lecture 8: Types Wrap-Up; Object-Oriented Programming Dan

CSEP505: Programming Languages Lecture 8: Types Wrap-Up; Object-Oriented Programming Dan

CSEP505: Programming Languages Lecture 8: Types Wrap-Up; Object-Oriented Programming Dan Grossman Spring 2006 Todays plan Three last things about types 1. Type inference (ML-style) 2. Bounded polymorphism (subtyping &amp; forall) 3.

864 views • 69 slides
CSCI 1112: Lecture 3 Mona Diab RoadMap High level view of Object Oriented Programming

CSCI 1112: Lecture 3 Mona Diab RoadMap High level view of Object Oriented Programming

CSCI 1112: Lecture 3 Mona Diab RoadMap High level view of Object Oriented Programming (Classes) In class exercise Arrays Object Oriented Programming OOP is an approach to programming which supports the creation of new data

491 views • 48 slides
Concepts in Object-Oriented Programming Languages Object-oriented design Primary

Concepts in Object-Oriented Programming Languages Object-oriented design Primary

CS 242 Outline of lecture Concepts in Object-Oriented Programming Languages Object-oriented design Primary object-oriented language concepts dynamic lookup encapsulation John Mitchell inheritance subtyping Program

479 views • 8 slides
Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer Security W X (DEP) Low-level defenses and counterattacks Announcements (combined lecture) Return-oriented programming (ROP) Stephen McCamant

699 views • 12 slides
Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer,

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer,

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad code versus bad behavior Bad Bad Good

548 views • 53 slides
CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of Computer Science University of Maryland, College Park Object-Oriented Programming (OOP) Approach to improving software View software as a

593 views • 18 slides
Lecture 14 Objects and Classes Object-oriented programming (OOP) Were always looking for

Lecture 14 Objects and Classes Object-oriented programming (OOP) Were always looking for

Lecture 14 Objects and Classes Object-oriented programming (OOP) Were always looking for ways to standardize, organize and simplify our code. Objects can help We use objects to represent things in the real world - like a student, a

296 views • 16 slides
Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been doing this since Day 1: Python is a deeply object oriented language Most of the data types we were using (strings, list, dictionaries) were

463 views • 21 slides
From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

Introduction OOP OOP2MAOP MAOP Conclusion From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier ISCOD/Henri Fayol Institute &amp; LSTI ENS Mines Saint-Etienne - France boissier@emse.fr MATES,

1.22k views • 73 slides

More recommend