memory corruption
play

Memory Corruption The (almost) Complete History... haroon meer - - PowerPoint PPT Presentation

Feb 05, 2024 •39 likes •959 views

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe Why? Why? Why? Why? Why? twitter made me do it!

  1. Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com

  2. Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe

  3. Why?

  4. Why?

  5. Why?

  6. Why?

  7. Why? twitter made me do it!

  8. Why? de-mystify some of the otherwise mystical convince you that Solar Designer was skynet

  9. Why? (Some silly Stats) '!" &!" &#" %#" &!" %!" %#" %!" $#" $#" $!" $!" #" #" !" !" $(((" %!!!" %!!$" %!!%" %!!&" %!!'" %!!#" %!!)" %!!*" %!!+" %!!(" $'''" %!!!" %!!$" %!!%" %!!&" %!!(" %!!#" %!!)" %!!*" %!!+" %!!'" Stack : 140 Heap : 74

  10. Why? (Some silly Stats) '!" &!" &#" %#" &!" %!" %#" %!" $#" $#" $!" $!" #" #" !" !" $(((" %!!!" %!!$" %!!%" %!!&" %!!'" %!!#" %!!)" %!!*" %!!+" %!!(" $'''" %!!!" %!!$" %!!%" %!!&" %!!(" %!!#" %!!)" %!!*" %!!+" %!!'" Stack : 140 Heap : 74

  11. Caveats - Limits

  12. Caveats - Limits

  13. Caveats - Myopia

  14. Caveats - Myopia

  15. Caveats -Compression Ratio 332880 : 1

  16. Disclosure, Bugs and Counts VS.

  17. Disclosed Bugs

  18. Our Approach Clearly naive initially

  19. http://ilm.thinkst.com/folklore/

  20. http://ilm.thinkst.com/folklore/

  21. http://ilm.thinkst.com/folklore/

  22. the paper (read it)

  23. So at the end of this.. You wont be able to suddenly use free() to obtain a 4-byte write anything anywhere primitive. You will understand what that means. You will be able to see: When that was first used; What prevents it’s use/abuse today;

  24. Where did it start?

  26. Memory Basics

  27. Memory Basics

  28. Memory Basics { 0x00000000 User PageTable 4 gig Kernel

  29. Memory Basics { 0x00000000 User PageTable 4 gig Kernel

  30. Multiple Processes { 0x00000000 0x00000000 0x00000000 3 gig User User User Kernel Kernel Kernel

  31. Multiple Processes { 0x00000000 0x00000000 0x00000000 3 gig User User User Kernel Kernel Kernel Kernel

  32. Segments { 0x00000000 PageTable User 4 gig Kernel

  33. Segments { 0x00000000 User 4 gig Kernel

  34. Segments 0x00000000 { 0x00000000 User 4 gig Kernel

  35. Segments 0x00000000 Text { 0x00000000 User 4 gig Kernel

  36. Segments 0x00000000 Text Data { 0x00000000 User 4 gig Kernel

  37. Segments 0x00000000 Text Data ... { 0x00000000 User 4 gig Kernel

  38. Segments 0x00000000 Text Data ... { Grows Upwards Heap 0x00000000 User 4 gig Kernel

  39. Segments 0x00000000 Text Data ... { Grows Upwards Heap 0x00000000 mmap (Shared Memory) User 4 gig Kernel

  40. Segments 0x00000000 Text Data ... { Grows Upwards Heap 0x00000000 mmap (Shared Memory) User 4 gig Grows Stack Downwards Kernel

  41. So what is code?

  42. So what is code?

  43. So what is code?

  44. So what is code?

  45. Is this code?

  46. Is this code?

  47. Is this code?

  48. Is this code?

  49. Is this code?

  51. 0x00000000 Text Data ... { Grows Upwards Heap 0x00000000 mmap (Shared Memory) User 4 gig Grows Stack Downwards Kernel

  52. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 mmap Text Data ... Heap Stack (Shared Memory) Grows Grows Upwards Downwards

  53. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 mmap Text Data ... Heap Stack (Shared Memory) Grows Grows Upwards Downwards

  54. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 int argc char **argv char **envp Grows Downwards

  55. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 Saved Saved int argc char **argv char **envp EBP EIP Grows Downwards

  56. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 Saved Saved int argc char **argv char **envp EBP EIP Grows Downwards

  57. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 Saved Saved int i int argc char **argv char **envp EBP EIP Grows Downwards

  58. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 Saved Saved int i int argc char **argv char **envp EBP EIP Grows Downwards

  59. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved int i int argc char **argv char **envp argument_1 argument_2 EBP EIP (a) (b) Grows Downwards

  60. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved int i int argc char **argv char **envp argument_1 argument_2 EBP EIP (a) (b) Grows Downwards

  61. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved Saved Saved int i int argc char **argv char **envp argument_1 argument_2 EBP EIP EBP EIP (a) (b) Grows Downwards

  62. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved Saved Saved int i int argc char **argv char **envp argument_1 argument_2 EBP EIP EBP EIP (a) (b) Grows Downwards

  63. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved Saved Saved int i int argc char **argv char **envp int j argument_1 argument_2 EBP EIP EBP EIP (a) (b) Grows Downwards

  64. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved Saved Saved int i int argc char **argv char **envp argument_1 argument_2 EBP EIP EBP EIP (a) (b) Grows Downwards

  65. Stack Basics int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; } 0x00000000 function_1 function_1 Saved Saved int i int argc char **argv char **envp argument_1 argument_2 EBP EIP (a) (b) Grows Downwards

  66. Classic Overflow Where to go function_1 Saved Saved Saved Saved buff int j argument_1 int argc char **argv char **envp EBP EIP EBP EIP (a) Overflow Direction Stack Grows Downwards

  67. non-terminated strings strcpy(buf1, buf2);

  68. non-terminated strings strcpy(buf1, buf2);

  69. non-terminated strings char buf1[4]; strcpy(buf1, buf2); strncpy(buf1, buf2, 4);

  70. non-terminated strings char buf1[4]; strcpy(buf1, buf2); strncpy(buf1, buf2, 4);

  71. non-terminated strings char buf1[4]; strcpy(buf1, buf2); strncpy(buf1, buf2, 4); T E S T I N G \0 char buf1[4] char buf2[] = “TESTING”

  72. non-terminated strings char buf1[4]; strcpy(buf1, buf2); strncpy(buf1, buf2, 4); T E S T T E S T I N G \0 char buf1[4] char buf2[] = “TESTING”

Recommend

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and expensive problem Impractical to manually review code for it Corruption can easily be introduced by unwary changes (again with the

702 views • 45 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

340 views • 4 slides
New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption measured Complex issue without an exact answer Perception of corruption vs. corruption What can be done? Policy measures Preventive

702 views • 12 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource Centre Anti-Corruption in development: Evolution of practice 1 st generation: the principal-agent problem Corruption = Monopoly + Discretion

417 views • 7 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &

750 views • 45 slides
COMBATING BRIBERY & CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY & CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY & CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr. T.M.Bhasin Vigilance Commissioner, CVC at National Judicial Academy, Bhopal on 04.09.2016 1 Corruption Definition and Cause World Bank

473 views • 43 slides
Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption Introduction Gender and Corruption Women are often perceived as less susceptable to corruption than men. In Mexico City traffic officers all

768 views • 33 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine

Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine

International Legal Framework Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine Anti-Corruption Workshop for Legal Professionals 19 March, 2015 Kyiv, Ukraine Defining corruption Definition of

407 views • 14 slides
POLI 437: International Relations of Latin America This week Corruption and the Odebrecht

POLI 437: International Relations of Latin America This week Corruption and the Odebrecht

POLI 437: International Relations of Latin America This week Corruption and the Odebrecht Scandal Can transparency reduce corruption? Corruption is an everywhere problem Roasted at Mardi Gras But what is it, exactly? Corruption is

980 views • 68 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
PRESENTATION TO THE 2 ND SESSION OF THE ANTI- CORRUPTION LEARNING NETWORK DETECTING CORRUPTION

PRESENTATION TO THE 2 ND SESSION OF THE ANTI- CORRUPTION LEARNING NETWORK DETECTING CORRUPTION

PRESENTATION TO THE 2 ND SESSION OF THE ANTI- CORRUPTION LEARNING NETWORK DETECTING CORRUPTION THROUGH THE USE OF WHISTLEBLOWING MECHANISMS PRESENTER: MR J. MUDAU DIRECTOR: NACH DATE: 30 JULY 2009 VENUE: SUMMERSTRAND, PORT

231 views • 20 slides
Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Transparency and

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Transparency and

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Transparency and Corruption Introduction Tansparency and corruption In theory, transparency in public spending and bureaucratic activities should reduce corruption:

232 views • 12 slides
Memory corruption public enemy number 1 Erik Poll Digital Security Radboud University Nijmegen

Memory corruption public enemy number 1 Erik Poll Digital Security Radboud University Nijmegen

Software Security Memory corruption public enemy number 1 Erik Poll Digital Security Radboud University Nijmegen 1 Security in the development lifecycle 2.1 week 3: exercise week4: group project Security in the development lifecycle

1.82k views • 146 slides
white elephants and corruption in Durban what were losing what crony fat cats are winning

white elephants and corruption in Durban what were losing what crony fat cats are winning

white elephants and corruption in Durban what were losing what crony fat cats are winning dedicated to the memory of Durban civil society activists who in the last decade died early, including by assassination: Nkululeko Gwala, Sajida

893 views • 60 slides
Political Economy - Economics 410/510 February 14, 2014 1/40 Outline Introduction Corruption

Political Economy - Economics 410/510 February 14, 2014 1/40 Outline Introduction Corruption

Outline Introduction Corruption Efficient Corruption Agency Model The Grabbing Hand Self-Reinforcing Corruption Political Economy - Economics 410/510 February 14, 2014 1/40 Outline Introduction Corruption Efficient Corruption Agency

2.18k views • 192 slides
development in the SADC region: Panel Data Analysis SHEWANGU DZOMIRA INTRODUCTION Jain

development in the SADC region: Panel Data Analysis SHEWANGU DZOMIRA INTRODUCTION Jain

Corruption and economic development in the SADC region: Panel Data Analysis SHEWANGU DZOMIRA INTRODUCTION Jain (2001) identifies three kinds of corruption: grand corruption, bureaucratic corruption, and legislative corruption .

449 views • 17 slides
Corruption Risks in Mergers and American Conference Institute's 4th Russia and CIA Summit on

Corruption Risks in Mergers and American Conference Institute's 4th Russia and CIA Summit on

Corruption Risks in Mergers and Acquisitions Page 1 of 4 search... home Experts Anti-corruption conference - London 2012-06-26 Corruption Risks in Mergers and American Conference Institute's 4th Russia and CIA Summit on Anti-Corruption

340 views • 4 slides
ECON4921 Lecture 13: Corruption Eivind Hammersmark Olsen University of Oslo

ECON4921 Lecture 13: Corruption Eivind Hammersmark Olsen University of Oslo

ECON4921 Lecture 13: Corruption Eivind Hammersmark Olsen University of Oslo e.h.olsen@econ.uio.no November 11, 2015 1 43 Introduction Corruption empirics is lagging behind theory, in part because corruption is hard to measure (and

770 views • 43 slides
Corruption Prevention Department Corruption Prevention Department Corruption in the Corruption

Corruption Prevention Department Corruption Prevention Department Corruption in the Corruption

Joe Lee, Head of Advisory Services Joe Lee, Head of Advisory Services Corruption Prevention Department Corruption Prevention Department Corruption in the Corruption in the Private Sector Private Sector Corruption Prevention Corruption

581 views • 33 slides

More recommend