Outline Threat modeling, cont’d Shellcode techniques CSci 4271W Development of Secure Software Systems Binary-level GDB commands and demo Day 5: Memory safety attacks In-person lab logistics reminders Stephen McCamant Project 1 bcimgview intro and demo University of Minnesota, Computer Science & Engineering Exploiting other vulnerabilities Trust boundaries example Attacks come with data flows Principle: attacks propagate along data flows Therefore, enumerate flows to enumerate attacks A more specific prompt, but does not eliminate the need for imagination Other half is types of attacks, see next slide STRIDE threat taxonomy What to do about threats Spoofing (vs authentication) Mitigate: add a defense, which may not be complete Tampering (vs integrity) Eliminate: such as by removing functionality Repudiation (vs. non-repdiation) Transfer functionality: let someone else handle it Information disclosure (vs. confidentiality) Transfer risk: convince another to bear the cost Denial of service (vs. availability) Accept risk: decide that the risk (probability ✁ loss) is sufficiently low Elevation of privilege (vs. authortization) Spoofing threat examples Tampering threat examples Using someone else’s account Modifying an important file Making a program use the wrong file Rearranging directory structure False address on network traffic Changing contents of network packets
Repudiation threat examples Info. disclosure threat examples Performing an important action without logging Eavesdropping on network traffic Destroying existing logs Reading sensitive files Add fake events to make real events hard to find or Learning sensitive information from meta-data not credible DoS threat examples Elevation of privilege threat examples Flood network link with bogus traffic Cause data to be interpreted as code Make a server use up available memory Change process to run as root/administrator Make many well-formed but non-productive Convince privileged process to run attacker’s code interactions Outline Basic definition Threat modeling, cont’d Shellcode: attacker supplied instructions Shellcode techniques implementing malicious functionality Binary-level GDB commands and demo Name comes from example of starting a shell In-person lab logistics reminders Often requires attention to machine-language Project 1 bcimgview intro and demo encoding Exploiting other vulnerabilities Classic execve ✴❜✐♥✴s❤ Avoiding zero bytes ❡①❡❝✈❡✭❢♥❛♠❡✱ ❛r❣✈✱ ❡♥✈♣✮ system call Common requirement for shellcode in C string Specialized syscall calling conventions Analogy: broken 0 key on keyboard Omit unneeded arguments May occur in other parts of encoding as well Doable in under 25 bytes for Linux/x86
More restrictions Transformations No newlines Fold case, escapes, Latin1 to Unicode, etc. Only printable characters Invariant: unchanged by transformation Only alphanumeric characters Pre-image: becomes shellcode only after “English Shellcode” (CCS’09) transformation Multi-stage approach NOP sleds Initially executable portion unpacks rest from Goal: make the shellcode an easier target to hit another format Long sequence of no-op instructions, real shellcode Improves efficiency in restricted environments at the end x86: 0x90 0x90 0x90 0x90 0x90 . . . shellcode But self-modifying code has pitfalls Where to put shellcode? Where to put shellcode? Environment variables In overflowed buffer, if big enough Anywhere else you can get it Nice to have: predictable location Convenient choice of Unix local exploits: Code reuse Outline Threat modeling, cont’d Shellcode techniques If can’t get your own shellcode, use existing code Classic example: s②st❡♠ implementation in C library Binary-level GDB commands and demo “Return to libc” attack In-person lab logistics reminders More variations on this later Project 1 bcimgview intro and demo Exploiting other vulnerabilities
GDB commands Outline Threat modeling, cont’d Shellcode techniques Binary-level GDB commands and demo (See separate slides) In-person lab logistics reminders Project 1 bcimgview intro and demo Exploiting other vulnerabilities In-person and online labs this week Electronic collaboration in-person Because of social distancing, in-person labs still Starting tomorrow, in-person labs will be available need screen sharing Zoom room posted for staff interaction In 1-250 Keller, same time as online labs Any groups you want, in one area of the lab Online labs also still available, no name split But still not too close together Collaboration may use t♠❛t❡ , Zoom, anything else Labs safety reminders Outline Threat modeling, cont’d Mask or other face covering is required Shellcode techniques Stay 6 feet apart, don’t come if you’re sick Binary-level GDB commands and demo Self-service disinfecting wipes In-person lab logistics reminders You might also consider gloves Safety rules are a compromise, no pressure to Project 1 bcimgview intro and demo attend if it’s not worth it Exploiting other vulnerabilities Project 1 aspects Project 1 scenario Threat modeling (from now) Benign but buggy image viewer Code auditing Key threat class: opening untrusted images Attack creation Imagine web or email downloads Security report Similar to many historical problems Revision and fixes (second submission)
Project 1 logistics ❜❝✐♠❣✈✐❡✇ demo Individual project Simple image viewer functionality Submission deadlines finalized with code release Planned for Thursday Outline Non-control data overwrite Threat modeling, cont’d Shellcode techniques Overwrite other security-sensitive data Binary-level GDB commands and demo No change to program control flow In-person lab logistics reminders Set user ID to 0, set permissions to all, etc. Project 1 bcimgview intro and demo Exploiting other vulnerabilities Heap meta-data Heap meta-data Boundary tags similar to doubly-linked list Overwritten on heap overflow Arbitrary write triggered on ❢r❡❡ Simple version stopped by sanity checks Use after free Integer overflows Easiest to use: overflow in small (8-, 16-bit) value, or Write to new object overwrites old, or vice-versa only overflowed value used 2GB write in 100 byte buffer Key issue is what heap object is reused for Find some other way to make it stop Influence by controlling other heap operations Arbitrary single overwrite Use math to figure out overflowing value
Null pointer dereference Format string attack Add offset to make a predictable pointer Attacker-controlled format: little interpreter On Windows, interesting address start low Allocate data on the zero page Step one: add extra integer specifiers, dump stack Already useful for information disclosure Most common in user-space to kernel attacks Read more dangerous than a write Format string attack layout Format string attack layout Format string attack: overwrite ✪♥ specifier: store number of chars written so far to pointer arg Advance format arg pointer to other attacker-controlled data Control number of chars written with padding On x86, can use unaligned stores to create pointer
Recommend
More recommend