The Adversary - PowerPoint PPT Presentation


  1. Outline
     1 The Adversary
     2 A Cracking Example!
     The Adversary 1/44

  2. Who's our adversary?
     - What does a typical program look like?
     - What valuables does the program contain?
     - What is the adversary's motivation for attacking your program?
     - What information does he start out with as he attacks your program?
     - What is his overall strategy for reaching his goals?
     - What tools does he have at his disposal?
     - What specific techniques does he use to attack the program?

  9. Example Program
     [Figure: block diagram of the player. Inputs: user key, encrypted media. Components: decrypt, decode, analogue audio output, player key, activation code, license-check, tamper-detect, violation-response, fingerprint.]

  10. Example Program (the listing is spread over slides 10 to 13 of the deck)

```c
#include <stdio.h>
#include <time.h>

typedef unsigned int uint;
typedef uint *waddr_t;
uint player_key = 0xbabeca75;
uint the_key;
uint *key = &the_key;
FILE *audio;
int activation_code = 42;

/* FIRST_FUN and LAST_FUN bracket the code region that is checksummed. */
void FIRST_FUN() {}
uint hash(waddr_t addr, waddr_t last) {
    uint h = *addr;
    for (; addr <= last; addr++) h ^= *addr;
    return h;
}
void die(char *msg) {
    fprintf(stderr, "%s!\n", msg);
    /* the slide ends here; the remaining lines of die() are not shown */
}

uint play(uint user_key,
          uint encrypted_media[],
          int media_len) {
    int code;
    printf("Please enter activation code: ");
    scanf("%i", &code);
    if (code != activation_code) die("wrong code");

    *key = user_key ^ player_key;
    int i;
    for (i = 0; i < media_len; i++) {
        uint decrypted = *key ^ encrypted_media[i];
        asm volatile (                     /* embedded fingerprint */
            "jmp L1 \n\t"
            ".align 4 \n\t"
            ".long 0xb0b5b0b5 \n\t"
            "L1: \n\t"
        );
        if (time(0) > 1221011472) die("expired");   /* use-before check */
        float decoded = (float)decrypted;
        fprintf(audio, "%f\n", decoded); fflush(audio);
    }
}

void LAST_FUN() {}
uint player_main(uint argc, char *argv[]) {
    uint user_key = ...
    uint encrypted_media[100] = ...
    uint media_len = ...
    /* tamper-detect: checksum the code between FIRST_FUN and LAST_FUN */
    uint hashVal = hash((waddr_t)FIRST_FUN, (waddr_t)LAST_FUN);
    if (hashVal != HASH) die("tampered");
    play(user_key, encrypted_media, media_len);
}
```
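The tamper-detect in player_main compares hash() over the words between FIRST_FUN and LAST_FUN with a build-time constant HASH. The C program below is an added example, not code from the slides or from the book's player; it runs the slide's hash() over a constructed stand-in for that code region (original_code, arbitrary words, not machine code) and next to it a hypothetical FNV-1a replacement (fnv1a_hash, chosen here, not on the slides). It shows two properties a defender should know before relying on this check: the loop starts with h = *addr and then XORs *addr again, so the first word of the region never affects the result, and a plain XOR sum is linear, so two words changed by the same amount cancel out. The helpers expected_digest and detects_patch are this example's own names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int uint;
typedef uint *waddr_t;

/* The slide's tamper-detect checksum: XOR of the 32-bit words in [addr, last].
   h starts as *addr and the first loop iteration XORs *addr again, so the
   first word of the region cancels out and never affects the result. */
uint hash(waddr_t addr, waddr_t last) {
    uint h = *addr;
    for (; addr <= last; addr++) h ^= *addr;
    return h;
}

/* Hypothetical replacement (not from the slides): FNV-1a over the same word
   range. Every word, including the first, feeds a multiply, so independent
   edits do not cancel each other. */
uint fnv1a_hash(waddr_t addr, waddr_t last) {
    uint h = 2166136261u;
    for (; addr <= last; addr++) {
        h ^= *addr;
        h *= 16777619u;
    }
    return h;
}

#define CODE_WORDS 8

/* Constructed stand-in for the words between FIRST_FUN and LAST_FUN.
   The values are arbitrary test data, not real machine code. */
static const uint original_code[CODE_WORDS] = {
    0x48c7c0ff, 0xffffffff, 0x4883ec08, 0xe8000000,
    0x0f1f4000, 0x31c05b5d, 0xc3cccccc, 0x0f1f4400
};

typedef uint (*hash_fn)(waddr_t, waddr_t);

/* Plays the role of HASH on the slide: the checksum computed at build time. */
uint expected_digest(hash_fn fn) {
    waddr_t first = (waddr_t)original_code;
    return fn(first, first + CODE_WORDS - 1);
}

/* Simulates the check in player_main on a modified copy of the region:
   word idx_a (and, if different, word idx_b) is XORed with delta.
   Returns 1 when fn reports "tampered", 0 when the edit goes unnoticed. */
int detects_patch(hash_fn fn, size_t idx_a, size_t idx_b, uint delta) {
    uint copy[CODE_WORDS];
    memcpy(copy, original_code, sizeof copy);
    copy[idx_a] ^= delta;
    if (idx_b != idx_a) copy[idx_b] ^= delta;
    return fn(copy, copy + CODE_WORDS - 1) != expected_digest(fn);
}

int main(void) {
    const uint delta = 0x0000ff00;
    printf("xor  : change at word 3 detected:         %d\n", detects_patch(hash, 3, 3, delta));
    printf("xor  : change at word 0 detected:         %d\n", detects_patch(hash, 0, 0, delta));
    printf("xor  : same delta at words 2, 5 detected: %d\n", detects_patch(hash, 2, 5, delta));
    printf("fnv1a: change at word 0 detected:         %d\n", detects_patch(fnv1a_hash, 0, 0, delta));
    printf("fnv1a: same delta at words 2, 5 detected: %d\n", detects_patch(fnv1a_hash, 2, 5, delta));
    return 0;
}
```

The takeaway for the protection side is that the checksum primitive matters as much as where the check is placed: a word-wise XOR gives a cheap check with blind spots, while a non-linear digest over the same range costs a few more instructions per word and reports every single-word change.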

  14. What's the Adversary's Motivation?
     The adversary wants to:
     - remove the protection semantics
     - add his own attack semantics (ability to save game-state, print, ...)
     - ensure that the core semantics remain unchanged
     [Figure: the original program P consists of core semantics plus protection semantics; the attacked program consists of the same core semantics plus the adversary's attack semantics.]

  17. What does he want to do to our Player program?
     - get decrypted digital media
     - extract the player key
     - use the program after the expiration date: remove the use-before check
     - remove the activation code
     - distribute the program to other users: remove the fingerprint 0xb0b5b0b5
     - reverse engineer the algorithms in the player

  22. What are the methods of attack?
     1 the black box phase: feed the program inputs, record its outputs, draw conclusions about its behavior.
     2 the dynamic analysis phase: execute the program, record which parts get executed for different inputs.
     3 the static analysis phase: examine the executable code directly, using a disassembler, decompiler, ...
     4 the editing phase: use the understanding of the internals of the program to modify the executable, e.g. disable license checks.
     5 the automation phase: encapsulate the knowledge of the attack in an automated script for use in future attacks.

  27. Outline
     1 The Adversary
     2 A Cracking Example!

  28. Let's crack!
     - Let's get a feel for the types of techniques attackers typically use.
     - Our example cracking target will be the DRM player.
     - Our chief cracking tool will be the gdb debugger.

  29. Step 1: Learn about the executable file

```
> file player
player: ELF 64-bit LSB executable, dynamically linked
> objdump -T player
DYNAMIC SYMBOL TABLE:
0xa4 scanf
0x90 fprintf
0x12 time
> objdump -x player | egrep 'rodata|text|Name'
Name      Size    VMA        LMA        File off
.text     0x4f8   0x4006a0   0x4006a0   0x6a0
.rodata   0x84    0x400ba8   0x400ba8   0xba8
> objdump -f player | grep start
start address 0x4006a0
```

  30. Step 2: Breaking on library functions
     Treat the program as a black box: feed it inputs to see how it behaves.

```
> player 0xca7ca115 1 2 3 4
Please enter activation code: 42
expired!
Segmentation fault
```

     Find the assembly code equivalent of if (time(0) > some_value) ... and replace it with if (time(0) <= some_value) ...

  31. Example Program (the play loop from slide 12, shown again)

```c
    int i;
    for (i = 0; i < media_len; i++) {
        uint decrypted = *key ^ encrypted_media[i];
        asm volatile (
            "jmp L1 \n\t"
            ".align 4 \n\t"
            ".long 0xb0b5b0b5 \n\t"
            "L1: \n\t"
        );
        if (time(0) > 1221011472) die("expired");
        float decoded = (float)decrypted;
        fprintf(audio, "%f\n", decoded); fflush(audio);
    }
}
```
