
Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 - PowerPoint PPT Presentation



  1. Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 (Bomb) Due 1:15pm Tomorrow Lab 4 (Attack) Starts Tomorrow — New Partner! Take-Home Midterm available by 5pm Tomorrow Afternoon (75-minute exam due 5pm next Friday)

  2. Security: The Story So Far

  3. Observation

      unix> ./bufdemo-nsp
      Type a string:0123456789012345678901234
      Segmentation Fault

     [Figure: rest of the stack frame for call_echo. The return address slot now holds the bytes 00 00 00 00 00 40 00 34; below it, buf holds the ASCII digits written by gets() (39 38 37 36 35 34 33 32 31 30 ...), with buf[3], buf[2], buf[1], buf[0] at the bottom.]

     The program crashed because the code "returned" (jumped) to address 0x400034, which didn't contain valid machine code. And by typing in a carefully-chosen 32-character string, we can make echo() "return" (jump) to any address we want!

  4. Code Injection Attacks
     • Input string includes bytes encoding machine code
     • Overwrite return address A with address of that code!

     [Figure: stack before the call to gets() (P's stack frame, return address A, Q's stack frame containing buf) and stack after the call to gets() (buf now holds the exploit code plus padding, and the return address slot holds B, the address of buf).]

         void P() {
             Q();
             ...          /* return address A points here */
         }

         int Q() {
             char buf[64];
             gets(buf);
             ...
             return ...;
         }

     What happens when Q returns?

  5. 2. System-Level Protections can help
     • Non-executable code segments
     • In previous x86, could mark region of memory as either "read-only" or "writeable"... could execute anything readable
     • X86-64 added explicit "execute" permission
     • Stack marked as non-executable

     [Figure: stack after the call to gets(): P's stack frame, return address B, then the data written by gets() (padding and exploit code) inside Q's stack frame.]

     Any attempt to execute this code will fail

  6. Are We Still in Danger? If the stack is marked "don't execute"
     • we can't write machine code into the buffer and jump to it.
     • but we can still overwrite the return address
     • we can force a "return" (jump!) anywhere in the code that is running.
     Is that really so bad? Yes!

  7. Question 1
     There are lots of instructions in a typical program. Suppose that at address 0x410000 there are two consecutive instructions:

         410000:  inc %ebp
                  ret

     Suppose we overwrite the return address with 0x410000.

     [Figure: stack after the call to gets(): P's stack frame, return address slot holding 0x410000, then the data written by gets() (padding and buf) in Q's stack frame.]

     What happens when function Q returns?

  8. Question 2
     There are lots of instructions in a typical program. Suppose that at address 0x410000 there are two consecutive instructions:

         410000:  incl %ebp
                  retq

     Suppose we overwrite the return address with three copies of 0x410000.

     [Figure: stack after the call to gets(): P's stack frame, then three consecutive words each holding 0x410000 where the return address was, then the data written by gets() (padding and buf) in Q's stack frame.]

     What happens when function Q returns?

  9. Return-Oriented Programming (ROP)
     Idea:
     • Find existing machine code instructions followed by retq (these are called gadgets)
     • Put a sequence of gadget addresses on the stack (where the sequence of gadgets does our evil work)
     The computer returns (jumps) from each gadget to the next!
     • It reads addresses from the stack, but executes code in the text segment.
     But most of our retq instructions immediately follow addq $..., %rsp.
     • Can attacker find enough gadgets to do evil? Yes!
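To make Questions 1 and 2 and the mechanism on this slide concrete, here is an added toy simulator (not from the lecture) of what a retq does with an overwritten return-address slot: it pops addresses from a modelled stack but can only execute instruction sequences that live in the modelled text segment, so injected code on a non-executable stack faults, an address with no code (like 0x400034 on slide 3) faults, and three copies of the inc %ebp; ret gadget address increment %ebp three times. The memory ranges, the gadget table and the address 0x400700 (a stand-in for the instruction in P after its call to Q) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed memory layout: the text segment is executable, the stack is not.
TEXT = range(0x400000, 0x500000)
STACK = range(0x7FFF0000, 0x80000000)

# Instruction sequences that exist in the text segment (constructed table).
# 0x410000 is the "inc %ebp ; ret" gadget from Questions 1 and 2; 0x400700 is
# a stand-in for the instruction in P right after its call to Q.
CODE = {
    0x410000: [("inc", "ebp"), ("ret",)],
    0x400700: [("halt",)],
}

@dataclass
class Result:
    regs: dict
    trace: list = field(default_factory=list)  # (address, instruction) executed
    fault: Optional[str] = None                # why execution stopped, if it crashed

def run_from_return(stack_words, regs=None, max_steps=50):
    """Simulate Q's retq with stack_words sitting where its return address was
    (lowest address first). Every retq pops the next word and jumps there."""
    stack = list(stack_words)
    res = Result(regs=dict(regs or {"ebp": 0x1000}))
    addr = stack.pop(0)                        # Q's retq reads the overwritten slot
    for _ in range(max_steps):
        if addr in STACK:                      # NX: stack bytes are data, never code
            res.fault = f"0x{addr:x}: attempt to execute non-executable stack"
            return res
        if addr not in TEXT or addr not in CODE:   # like 0x400034 on slide 3
            res.fault = f"0x{addr:x}: no valid machine code here"
            return res
        for insn in CODE[addr]:
            res.trace.append((addr, insn))
            if insn[0] == "inc":
                res.regs[insn[1]] += 1
            elif insn[0] == "halt":            # back in P: the chain is finished
                return res
            elif insn[0] == "ret":
                if not stack:
                    res.fault = "ret with nothing left on the stack"
                    return res
                addr = stack.pop(0)            # the gadget "returns" to the NEXT word
                break
    res.fault = "chain did not terminate"
    return res

if __name__ == "__main__":
    q2 = run_from_return([0x410000] * 3 + [0x400700])
    print(hex(q2.regs["ebp"]), q2.fault)       # %ebp incremented three times, no fault
    print(run_from_return([0x7FFF0100]).fault) # injected code on an NX stack faults
```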

  10. We don't need retq; we need 0xc3!
      Unintended instructions in ecb_crypt() (example from Shacham, https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf). Decoding the same bytes starting one byte earlier than the compiler intended gives a different instruction stream that happens to end in ret:

          Intended instructions                         Unintended instructions
          c7 45 d4 01 00 00 00  movl $0x00000001, -44(%ebp)
                                                        00 f7              add %dh, %bh
          f7 c7 07 00 00 00     test $0x00000007, %edi
                                                        c7 07 00 00 00 0f  movl $0x0F000000, (%edi)
          0f 95 45 c3           setnzb -61(%ebp)
                                                        95                 xchg %ebp, %eax
                                                        45                 inc %ebp
                                                        c3                 ret

  11. Have Fun with Lab 4!

  12. Review Topics
      • Bits
        • And/Or/Not/Xor
        • Arithmetic & logical shifts
      • Integers
        • Unsigned ints
        • 2's complement
        • Max/min values
        • Negating a signed int
        • Signed/unsigned compare
        • Zero- vs. sign-extension
        • Casting
        • Overflow
      • Mult/Div vs. Shifting
      • IEEE float & double
        • Normal, special, and denormal fp numbers
      • Memory vs. registers
      • Arrays, Structs, Unions
        • Padding/alignment
      • Machine code vs. assembly
      • x86 assembly
        • arithmetic
        • movq vs. leaq
        • comparisons
        • condition codes
        • conditional jumps
        • conditional moves
      • Implementing if, do, while loops using jumps & labels
      • Stack frames & %rsp
        • Return address
      • Buffer overflows
        • Identifying
        • Security implications
        • Prevention techniques

