lecture 14 return oriented programming
play

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin - PowerPoint PPT Presentation

Jun 27, 2023 •816 likes •1.64k views

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements: vulnerability +

  1. Lecture 14 – Return-oriented programming Stephen Checkoway Oberlin College Based on slides by Bailey, Brumley, and Miller

  2. ROP Overview • Idea: We forge shellcode out of existing application logic gadgets • Requirements: vulnerability + gadgets + some unrandomized code • History: • No code randomized: Code injection • DEP enabled by default: ROP attacks using libc gadgets published 2007 • ROP assemblers, compilers, shellcode generators • ASLR library load points: ROP attacks use .text segment gadgets • Today: all major OSes/compilers support position-independent executables 2

  3. 3 Image by Dino Dai Zovi

  4. ROP Programming 1. Disassemble code (library or program) 2. Identify useful code sequences (usually ending in ret) 3. Assemble the useful sequences into reusable gadgets* 4. Assemble gadgets into desired shellcode * Forming gadgets is mostly useful when constructing complicated return-oriented shellcode by hand 4

  5. A note on terminology • When ROP was invented in 2007 • Sequences of code ending in ret were the basic building blocks • Multiple sequences and data are assembled into reusable gadgets • Subsequently • A gadget came to refer to any sequence of code ending in a ret • In 2010 • ROP without returns (e.g., code sequences ending in call or jmp)

  6. There are many semantically equivalent ways to achieve the same net shellcode effect 6

  7. Equivalence ... v 2 Mem[v2] = v1 ... Desired Logic v 1 esp Stack a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 7

  8. Constant store gadget a 5 v 2 Mem[v2] = v1 a 3 Desired Logic Suppose a 5 v 1 and a 3 on esp stack Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; ebx a 4 : ret a 1 eip a 5 : mov [ebx], eax Implementation 2 8

  9. Constant store gadget a 5 v 2 Mem[v2] = v1 a 3 Desired Logic esp v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; ebx a 4 : ret a 1 a 3 eip a 5 : mov [ebx], eax Implementation 2 9

  10. Constant store gadget a 5 v 2 Mem[v2] = v1 esp a 3 Desired Logic v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; v 2 ebx a 4 : ret a 3 eip a 5 : mov [ebx], eax Implementation 2 10

  11. Constant store gadget a 5 esp v 2 Mem[v2] = v1 a 3 Desired Logic v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; v 2 ebx a 4 : ret a 4 a 5 eip a 5 : mov [ebx], eax Implementation 2 11

  12. Constant store gadget esp a 5 v 2 Mem[v2] = v1 a 3 Desired Logic v 1 Stack a 1 : pop eax; a 2 : ret v 1 eax a 3 : pop ebx; v 2 ebx a 4 : ret a 5 eip a 5 : mov [ebx], eax Implementation 2 12

  13. Equivalence a 3 v 2 Mem[v2] = v1 a 2 Desired Logic v 1 semantically esp Stack equivalent a 1 : mov eax, [esp] a 1 : pop eax; ret a 2 : mov ebx, [esp+8] a 2 : pop ebx; ret a 3 : mov [ebx], eax a 3 : mov [ebx], eax Implementation 1 Implementation 2 13

  14. Return-Oriented Programming … argv Mem[v2] = v1 argc Desired Shellcode return addr caller’s ebp %ebp • Find needed instruction gadgets at addresses a 1 , a 2 , and a 3 in existing code • Overwrite stack to execute a 1 , buf a 2 , and then a 3 (64 bytes) argv[1] buf %esp 14

  15. Return-Oriented Programming a 3 … v 2 argv a 2 Mem[v2] = v1 argc v 1 Desired Shellcode return addr a 1 caller’s ebp %ebp a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax buf (64 bytes) Desired store executed! argv[1] buf %esp 15

  16. Arithmetic/logical operations: c = x op y Basic strategy 1. Pop the address of one variable into a register 2. Load the value of the variable into a register 3. Pop the address of another variable into a register 4. Load the value of the variable into a register 5. Perform the operation 6. Pop the address of the destination variable into a register 7. Store the result of the operation at that address Must be mindful of register interactions

  17. Arithmetic Stack contains Addresses of code • snippets ending in • Addition: c = x + y ret Data (here, the • • popl %eax addresses of our &c ret variables) • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret esp

  18. Arithmetic Register Value eax 105 ebx 3852 • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret esp

  19. Arithmetic Register Value eax 105 ebx 3852 • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) esp ret

  20. Arithmetic Register Value eax &y ebx 3852 • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret esp &y • movl %ebx, (%eax) ret

  21. Arithmetic Register Value eax &y ebx 3852 • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx esp ret &y • movl %ebx, (%eax) ret

  22. Arithmetic Register Value eax &y ebx y • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx esp ret &y • movl %ebx, (%eax) ret

  23. Arithmetic Register Value eax &y ebx y • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x esp • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  24. Arithmetic Register Value eax &x ebx y • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx esp ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  25. Arithmetic Register Value eax &x ebx y • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret esp • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  26. Arithmetic Register Value eax x ebx y • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax ret esp • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  27. Arithmetic Register Value eax x ebx y • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax esp ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  28. Arithmetic Register Value eax x ebx y + x • Addition: c = x + y • popl %eax &c ret • movl (%eax), %eax esp ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  29. Arithmetic Register Value eax x ebx y + x • Addition: c = x + y • popl %eax &c ret esp • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  30. Arithmetic Register Value eax &c ebx y + x • Addition: c = x + y • popl %eax esp &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  31. Arithmetic Register Value eax &c ebx y + x • Addition: c = x + y esp • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  32. Arithmetic Register Value eax &c ebx y + x • Addition: c = x + y esp • popl %eax &c ret • movl (%eax), %eax ret • movl (%eax), %ebx ret &x • addl %eax, %ebx ret &y • movl %ebx, (%eax) ret

  33. What else can we do? • Depends on the code we have access to • Usually: Arbitrary Turing-complete behavior • Arithmetic • Logic • Conditionals and loops • Subroutines • Calling existing functions • System calls • Sometimes: More limited behavior • Often enough for straight-line code and system calls

  34. Comparing ROP to normal programming Normal programming ROP Instruction pointer eip esp No-op nop ret Unconditional jump jmp address set esp to address of gadget Conditional jump jnz address set esp to address of gadget if some condition is met Variables memory and registers mostly memory Inter-instruction (inter-gadget) minimal, mostly explicit; e.g., can be complex; e.g., adding two register and memory interaction adding two registers only affects registers may involve modifying the destination register many registers which impacts other gadgets

  35. Return-oriented conditionals • Processors support instructions that conditionally change the PC • On x86 • Jcc family: jz, jnz, jl, jle, etc. 33 in total • loop, loope, loopne • Based on condition codes mostly; and on ecx for some • On MIPS • beq, bne, blez, etc. • Based on comparison of registers • Processors generally don’t support for conditionally changing the stack pointer (with some exceptions)

  36. We want conditional jumps • Unconditional jump addr • popl %eax ret • movl %eax, %esp ret

  37. We want conditional jumps ... • Unconditional jump addr &next gadget • popl %eax ret • movl %eax, %esp ret addr esp

  38. We want conditional jump ... • Unconditional jump addr &next gadget • popl %eax ret • movl %eax, %esp ret addr esp

  39. We want conditional jump ... • Unconditional jump addr &next gadget eax • popl %eax ret • movl %eax, %esp ret esp addr

Recommend

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago

Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements:

790 views • 63 slides
ROP A&ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING PRESENTED BY AHMAD MOGHIMI What is ROP A&ack? q Return Oriented Programming a0ack is a technic to

656 views • 46 slides
61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method for organizing programs Data abstraction John's Apply for Account Bundling together information and related behavior a loan! A metaphor

207 views • 18 slides
! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy Dresden, 2010-10-20 Fundamental

792 views • 31 slides
Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure

Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure

Outline W X (DEP) CSci 4271W Return-oriented programming (ROP) Development of Secure Software Systems Day 6: Memory safety defenses and counter-attacks Announcements break Stephen McCamant University of Minnesota, Computer Science &

394 views • 4 slides
Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern exploit techniques Introduction to Computer Security Announcements intermission Day 7: Defensive programming and design, part 1 Saltzer &

579 views • 15 slides
Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The primary characteristics associated with object-oriented programming are inheritance; encapsulation; and polymorphism Inheritance class Shape: class

252 views • 9 slides
ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen (schen@wcupa.edu) Compile the code gcc -m32 fno-stack-protector z execstack o ./overflow2 ./overflow2.c Page 2 No eXecute (NX) -z

636 views • 37 slides
Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4

Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4

1 Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Please submit both 'working exploit' and write-up on time; otherwise, no score. Due: Lab07 is out and its due on Oct 19

799 views • 37 slides
Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit

Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit

1 Lec07: Return-oriented programming Taesoo Kim 2 Scoreboard 3 Administrivia Please submit both working exploit and write-up on time! Due: Lab04 is due on Oct 11 Due: Lab05 is out and its due on Oct 18 (two weeks)!

558 views • 43 slides
Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage Stephen Checkoway, * Ariel J. Feldman, Brian Kantor, * J. Alex Halderman, Edward W. Felten, Hovav Shacham * * UCSD, Princeton,

641 views • 40 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security BCECHO Day 6: Low-level defenses and counterattacks, part 2 Stephen McCamant Control-flow integrity (CFI) University of Minnesota, Computer

907 views • 6 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security Day 6: Low-level defenses and BCECHO counterattacks, part 2 Control-flow integrity (CFI) Stephen McCamant University of Minnesota, Computer

348 views • 8 slides
61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4 Object-Oriented Programming A method for organizing programs 4 Object-Oriented Programming A method for organizing programs Data abstraction 4

1.46k views • 142 slides
CSEP505: Programming Languages Lecture 8: Types Wrap-Up; Object-Oriented Programming Dan

CSEP505: Programming Languages Lecture 8: Types Wrap-Up; Object-Oriented Programming Dan

CSEP505: Programming Languages Lecture 8: Types Wrap-Up; Object-Oriented Programming Dan Grossman Spring 2006 Todays plan Three last things about types 1. Type inference (ML-style) 2. Bounded polymorphism (subtyping & forall) 3.

864 views • 69 slides
CSCI 1112: Lecture 3 Mona Diab RoadMap High level view of Object Oriented Programming

CSCI 1112: Lecture 3 Mona Diab RoadMap High level view of Object Oriented Programming

CSCI 1112: Lecture 3 Mona Diab RoadMap High level view of Object Oriented Programming (Classes) In class exercise Arrays Object Oriented Programming OOP is an approach to programming which supports the creation of new data

491 views • 48 slides
Concepts in Object-Oriented Programming Languages Object-oriented design Primary

Concepts in Object-Oriented Programming Languages Object-oriented design Primary

CS 242 Outline of lecture Concepts in Object-Oriented Programming Languages Object-oriented design Primary object-oriented language concepts dynamic lookup encapsulation John Mitchell inheritance subtyping Program

479 views • 8 slides
Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer Security W X (DEP) Low-level defenses and counterattacks Announcements (combined lecture) Return-oriented programming (ROP) Stephen McCamant

699 views • 12 slides
Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer,

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer,

Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad code versus bad behavior Bad Bad Good

548 views • 53 slides
CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of Computer Science University of Maryland, College Park Object-Oriented Programming (OOP) Approach to improving software View software as a

593 views • 18 slides
Lecture 14 Objects and Classes Object-oriented programming (OOP) Were always looking for

Lecture 14 Objects and Classes Object-oriented programming (OOP) Were always looking for

Lecture 14 Objects and Classes Object-oriented programming (OOP) Were always looking for ways to standardize, organize and simplify our code. Objects can help We use objects to represent things in the real world - like a student, a

296 views • 16 slides
Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been doing this since Day 1: Python is a deeply object oriented language Most of the data types we were using (strings, list, dictionaries) were

463 views • 21 slides
From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

Introduction OOP OOP2MAOP MAOP Conclusion From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier ISCOD/Henri Fayol Institute & LSTI ENS Mines Saint-Etienne - France boissier@emse.fr MATES,

1.22k views • 73 slides

More recommend