
Q: Exploit Hardening Made Easy (Edward J. Schwartz, Thanassis Avgerinos, David Brumley) - PowerPoint PPT Presentation



  1. Q: Exploit Hardening Made Easy. Edward J. Schwartz, Thanassis Avgerinos, and David Brumley, Carnegie Mellon University. 8/15/2011

  2. Downloading Exploits. Evil Ed: "I found a control flow hijack exploit online!" (target: Windows 7)

  3. (image-only slide)

  4. Downloading Exploits. Evil Ed: "Why didn't the exploit work?" (Windows 7)

  5. Causes of Broken Exploits
     1. The exploit used OS/binary-specific tricks or features
     2. OS defenses

  6. OS Defenses
     • Modern OS defenses are designed to make exploiting difficult
       – ASLR: Address Space Layout Randomization
       – DEP: Data Execution Prevention
       – They do not guarantee control flow integrity
     • How difficult?

  7. Exploit hardening: modifying exploits to bypass defenses

  8. Overview
     • Background: Defenses and Return Oriented Programming (ROP)
     • Q: ROP + Hardening
       – Automatic ROP
       – Automatic Hardening
     • Evaluation
     • Limitations
     • Conclusion

  9. Simple Exploit. Layout: Shellcode | Padding | Pointer. The overwritten pointer gives control; the shellcode supplies the computation.

  10. Data Execution Prevention (DEP). Layout: Shellcode | Padding | Pointer → Crash. DEP: buffers cannot be both writable and executable, so user input is non-executable.

  11. Bypassing DEP
     • Goal: specify the exploit computation even when DEP is enabled
     • Return Oriented Programming [S07]
       – Use existing instructions from the program, in a special order, to encode the computation

  12. Return Oriented Programming. Example: how can we write to memory without shellcode?

  13. Return Oriented Programming
     Gadgets (in the program image):
       addr1: pop %eax; ret
       addr2: pop %ebx; ret
       addr3: movl %eax, (%ebx); ret
     Exploit (the stack, from the hijacked return address upward):
       addr1 | value | addr2 | address | addr3 | nextaddr
     Effect: eax <- value, ebx <- address, M[address] <- value, then control continues at nextaddr.

  14. Address Space Layout Randomization (ASLR). ASLR disabled: Exploit → Gadgets. ASLR enabled: Exploit → Crash. ASLR: addresses are unpredictable.

  15. Return Oriented Programming + ASLR
     • Bad news: randomized code can't be used for ROP
     • Good news: ASLR implementations leave small amounts of code unrandomized

  16. ASLR in Linux (example). Unrandomized: the program image (the executable itself; on Linux this holds only while the binary is not position-independent). Randomized: libc, stack, heap.

  17. Consequences
     • Challenge: the program image is often the only unrandomized code
       – Small
       – Program-specific
     • Prior work on ROP assumes large unrandomized code bases; it can't simply be reused
     • We developed new automated ROP techniques for targeting the program image

  18. Overview (agenda repeated; next section: Automatic ROP)

  19. Automatic ROP Overview. Source program P → instructions from P → computation

  20. ROP Overview. Source P → Gadget Discovery → Gadget Arrangement → Gadget Assignment → Computation

  21. Gadget Discovery
     • Gadget Discovery: does an instruction sequence do something we can use for our computation?
     • Fast randomized test for every program location (thousands or millions of them)
     • Example candidate from source P: sbb %eax, %eax; neg %eax; ret

  22. Randomized Testing. Semantic definition for Move: OutReg <- InReg. Candidate: sbb %eax, %eax; neg %eax; ret
     Before: EAX 0x0298a7bc, CF 0x1, ESP 0x81e4f104
     After:  EAX 0x1, EBX 0x0298a7bc, ESP 0x81e4f108
     If 10 random runs satisfy a semantic definition, then Q probably found a gadget of that type.

  23. Q’s Gadget Types
     Gadget Type      | Semantic Definition       | Real World Example
     MoveRegG         | Out <- In                 | xchg %eax, %ebp; ret
     LoadConstG       | Out <- Constant           | pop %ebp; ret
     ArithmeticG      | Out <- In1 + In2          | add %edx, %eax; ret
     LoadMemG         | Out <- M[Addr + Offset]   | movl 0x60(%eax), %eax; ret
     StoreMemG        | M[Addr + Offset] <- In    | mov %dl, 0x13(%eax); ret
     ArithmeticLoadG  | Out +<- M[Addr + Offset]  | add 0x1376dbe4(%ebx), %ecx; (…); ret
     ArithmeticStoreG | M[Addr + Offset] +<- In   | add %al, 0x5de474c0(%ebp); ret

  24.–25. (same table as slide 23; animation builds)

  26. Randomized Testing
     • Randomized testing tells us we likely found a gadget
       – Fast; filters out many candidates
       – Enables a more expensive second stage
     • Second stage: SMT-based gadget discovery
       – Gadget discovery is program verification

  27. SMT-Based Gadget Discovery. Candidate: sbb %eax, %eax; neg %eax; ret. Compute the weakest precondition [D76] of the postcondition F: EAX <- CF over the sequence, then run an SMT validity check on it: valid → gadget; invalid → not a gadget.

  28. SMT-Based Gadget Discovery. Q is better at finding gadgets than I am!
     • Move %eax to %ebx: imul $1, %eax, %ebx; ret
     • Store %ebx + %ecx in %eax: lea (%ebx, %ecx, 1), %eax; ret
     • Move carry flag to %eax: sbb %eax, %eax; neg %eax; ret
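The randomized test of slides 21, 22 and 26 to 28, as an added example that is not code from the Q paper or its slides. It interprets a handful of hand-encoded gadgets (the instruction encoding, register set, xorshift PRNG and candidate table are this example's assumptions; memory and ESP are not modelled, and nothing decodes real x86 bytes), runs each from ten random machine states, and reports whether it kept satisfying a Q-style semantic definition:

```c
/* Added example, not code from the Q paper or its slides: the randomized
 * testing filter of slides 21-22 and 26-28 over a tiny interpreter that models
 * only the instruction forms those slides use. The encoding, register set,
 * PRNG and candidate table are this example's own; memory and ESP are not
 * modelled, and nothing here decodes real x86 bytes. */
#include <stdint.h>
#include <stdio.h>

enum reg { EAX, EBX, ECX, EDX, EBP, NREGS };
struct state { uint32_t r[NREGS]; uint32_t cf; };   /* registers plus carry flag */

/* Instruction forms in AT&T operand order (sources first, destination last);
 * every gadget ends in an implicit ret that this model does not need. */
enum op { SBB_RR, NEG_R, XCHG_RR, IMUL1_RR, LEA_ADD, ADD_RR };
struct insn { enum op op; enum reg src, src2, dst; };
struct gadget { const char *text; int n; struct insn code[3]; };

static void step(struct state *s, const struct insn *i)
{
    uint32_t src = s->r[i->src], dst = s->r[i->dst];
    switch (i->op) {
    case SBB_RR:   /* dst = dst - src - CF; CF = borrow out */
        s->r[i->dst] = dst - src - s->cf;
        s->cf = (uint64_t)src + s->cf > dst;
        break;
    case NEG_R:    /* CF = (dst != 0); dst = -dst */
        s->cf = dst != 0;
        s->r[i->dst] = 0u - dst;
        break;
    case XCHG_RR:  /* swap the two registers; flags untouched */
        s->r[i->src] = dst; s->r[i->dst] = src;
        break;
    case IMUL1_RR: /* imul $1, %src, %dst: dst = src * 1 */
        s->r[i->dst] = src * 1u;
        break;
    case LEA_ADD:  /* lea (%src,%src2,1), %dst: dst = src + src2, no flags */
        s->r[i->dst] = src + s->r[i->src2];
        break;
    case ADD_RR:   /* dst = dst + src; CF = carry out */
        s->r[i->dst] = dst + src; s->cf = s->r[i->dst] < dst;
        break;
    }
}

/* Semantic definitions in the style of the slide-23 gadget-type table. */
enum kind { MOVE_REG, MOVE_CF, ARITH_ADD };
struct semdef { enum kind kind; enum reg out, in1, in2; const char *text; };

static int satisfies(const struct semdef *d, const struct state *b, const struct state *a)
{
    switch (d->kind) {
    case MOVE_REG:  return a->r[d->out] == b->r[d->in1];
    case MOVE_CF:   return a->r[d->out] == b->cf;
    case ARITH_ADD: return a->r[d->out] == b->r[d->in1] + b->r[d->in2];
    }
    return 0;
}

/* xorshift32 with a fixed seed keeps every classification run repeatable. */
static uint32_t xorshift32(uint32_t *st)
{
    uint32_t x = *st; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *st = x;
}

/* Slide 22: run the candidate from `runs` random initial states; it "probably"
 * implements the definition if every run satisfies it. Passing is evidence,
 * not proof: Q confirms survivors with the SMT weakest-precondition check. */
static int random_test(const struct gadget *g, const struct semdef *d, uint32_t seed, int runs)
{
    if (seed == 0) seed = 1;                    /* xorshift must not start at 0 */
    for (int k = 0; k < runs; k++) {
        struct state before, after;
        for (int i = 0; i < NREGS; i++) before.r[i] = xorshift32(&seed);
        before.cf = xorshift32(&seed) & 1u;
        after = before;
        for (int i = 0; i < g->n; i++) step(&after, &g->code[i]);
        if (!satisfies(d, &before, &after)) return 0;
    }
    return 1;
}

/* Candidates from slides 21 and 28 (each followed by ret). */
static const struct gadget g_sbb_neg = { "sbb %eax,%eax; neg %eax; ret", 2,
    { { SBB_RR, EAX, EAX, EAX }, { NEG_R, EAX, EAX, EAX } } };
static const struct gadget g_xchg  = { "xchg %eax,%ebp; ret", 1, { { XCHG_RR, EAX, EAX, EBP } } };
static const struct gadget g_imul1 = { "imul $1,%eax,%ebx; ret", 1, { { IMUL1_RR, EAX, EAX, EBX } } };
static const struct gadget g_lea   = { "lea (%ebx,%ecx,1),%eax; ret", 1, { { LEA_ADD, EBX, ECX, EAX } } };
static const struct gadget g_add   = { "add %edx,%eax; ret", 1, { { ADD_RR, EDX, EDX, EAX } } };

static const struct semdef d_eax_cf  = { MOVE_CF,   EAX, EAX, EAX, "MoveReg eax <- CF" };
static const struct semdef d_ebp_eax = { MOVE_REG,  EBP, EAX, EAX, "MoveReg ebp <- eax" };
static const struct semdef d_ebx_eax = { MOVE_REG,  EBX, EAX, EAX, "MoveReg ebx <- eax" };
static const struct semdef d_eax_sum = { ARITH_ADD, EAX, EBX, ECX, "Arith   eax <- ebx + ecx" };
static const struct semdef d_eax_acc = { ARITH_ADD, EAX, EAX, EDX, "Arith   eax <- eax + edx" };
static const struct semdef d_eax_edx = { MOVE_REG,  EAX, EDX, EDX, "MoveReg eax <- edx" };

int main(void)
{
    const struct gadget *gs[] = { &g_sbb_neg, &g_xchg, &g_imul1, &g_lea, &g_add, &g_add };
    const struct semdef *ds[] = { &d_eax_cf, &d_ebp_eax, &d_ebx_eax, &d_eax_sum, &d_eax_acc, &d_eax_edx };
    for (int i = 0; i < 6; i++)
        printf("%-30s %-26s %s\n", gs[i]->text, ds[i]->text,
               random_test(gs[i], ds[i], 0x9e3779b9u, 10) ? "candidate" : "rejected");
    return 0;
}
```

A pass here is evidence, not proof: a candidate that misbehaves only on inputs the random draw is unlikely to hit (a specific register value, a rare flag combination) survives this filter, which is why Q follows it with the weakest-precondition and SMT check of slide 27. A real discovery stage also has to record how far each gadget moves the stack pointer and which registers it clobbers, since the assignment stage needs both.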

  29. ROP Overview (repeated; now: Gadget Arrangement). Source P → Discovery → Arrangement → Assignment → Computation

  30. Gadget Arrangement
     • Gadget Arrangement: how can gadget types be combined to implement a computation?
     • Alternate view: compile the user's computation for the "gadget type architecture"
     • Example: M[0xcafecafe] := 0xdeadbeef

  31. Arrangement: Storing to Memory
     T1: LoadConst 0xdeadbeef → Value
     T2: LoadConst 0xcafecafe → Address
     T3: StoreMem, u32 (Address, Value)

  32. Gadget Arrangement. How can we write to memory without StoreMem?

  33. Arrangement: Storing to Memory
     T1: LoadConst 0 → Value
     T2: LoadConst 0xcafecafe → Address
     T3: ArithmeticStore, u32, Bitwise And (Address, Value): writes zero to M[0xcafecafe]

  34. Arrangement: Storing to Memory
     T1: LoadConst 0xdeadbeef → Value
     T2: LoadConst 0xcafecafe → Address
     T3: ArithmeticStore, u32, Plus (Address, Value): adds 0xdeadbeef to M[0xcafecafe]; 0 + 0xdeadbeef = 0xdeadbeef

  35. Gadget Arrangement
     • Gadget types are often unavailable
       – Synthesize alternatives on the fly
     • Flexible arrangement rules are necessary for small code bases

  36. ROP Overview (repeated; now: Gadget Assignment). Source P → Discovery → Arrangement → Assignment → Computation

  37. Assignment
     • Gadget Assignment: assign concrete gadgets found in the source program to arrangements
     • Assignments must be compatible

  38. Assignment: Register Mismatch
     LoadConst 0xdeadbeef → pop %eax; ret
     LoadConst 0xcafecafe → pop %ebx; ret
     StoreMem, u32 → mov %eax, (%ecx); ret
     CONFLICT: %ebx and %ecx mismatch (the address was loaded into %ebx, but the store reads it from %ecx)

  39. Gadget Assignment
     • Need to search over
       – Gadgets
       – Schedules
     • We developed a dynamic programming approach to find an assignment
     • Easy to print payload bytes from an assignment
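Arrangement, assignment and payload emission for M[0xcafecafe] := 0xdeadbeef, as an added example that is not code from Q. The gadget table and its addresses, the simulated 4 KiB page and the exhaustive search are this example's assumptions (Q's assignment is the dynamic-programming search of slide 39 over a far richer gadget model). The table has no LoadConst into %ecx, so the direct StoreMem tree of slide 31 hits the slide-38 register mismatch and the builder falls back to the And/Plus arrangement of slides 33 and 34; it then runs the emitted chain, laid out as on slide 13, on the simulated machine to check the write:

```c
/* Added example, not code from the Q paper or its slides: gadget arrangement
 * (slides 30-35), assignment with register checks (slides 37-39) and payload
 * emission in the slide-13 layout, for M[0xcafecafe] := 0xdeadbeef. The gadget
 * table, addresses, simulated page and search strategy are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum reg { EAX, EBX, ECX, NREGS };
enum gtype { LOADCONST, STOREMEM, ARITHSTORE_AND, ARITHSTORE_PLUS };
struct gadget { uint32_t addr; enum gtype type; enum reg out, in, base; int32_t off; };

/* Constructed table, made-up addresses: LoadConst pops into `out`; store types
 * write `in` through `base` + `off`. Nothing pops into %ecx, so StoreMem can
 * never be handed its address: the slide-38 mismatch, by design. */
static const struct gadget table[] = {
    { 0x08048123, LOADCONST,       EAX, EAX, EAX, 0 },    /* pop %eax; ret */
    { 0x08048456, LOADCONST,       EBX, EBX, EBX, 0 },    /* pop %ebx; ret */
    { 0x080487ab, STOREMEM,        EAX, EAX, ECX, 0 },    /* mov %eax, (%ecx); ret */
    { 0x08048a10, ARITHSTORE_AND,  EAX, EAX, EBX, 0x13 }, /* and %eax, 0x13(%ebx); ret */
    { 0x08048b77, ARITHSTORE_PLUS, EAX, EAX, EBX, 0x13 }, /* add %eax, 0x13(%ebx); ret */
};
#define NTABLE (sizeof table / sizeof table[0])

static const struct gadget *loadconst_into(enum reg out)
{
    for (size_t i = 0; i < NTABLE; i++)
        if (table[i].type == LOADCONST && table[i].out == out) return &table[i];
    return NULL;
}
/* One arrangement tree (slides 31, 33, 34) and its concrete gadget picks. */
struct step { enum gtype type; uint32_t address, value; };
struct assigned { const struct gadget *lv, *la, *store; };

/* Slides 37-38: the store gadget fixes which registers the slots must land in;
 * a LoadConst into any other register is a mismatch, so try the next store. */
static int assign_step(const struct step *st, struct assigned *a)
{
    for (size_t i = 0; i < NTABLE; i++) {
        if (table[i].type != st->type) continue;
        a->lv = loadconst_into(table[i].in); a->la = loadconst_into(table[i].base);
        if (a->lv && a->la && a->lv != a->la) { a->store = &table[i]; return 1; }
    }
    return 0;
}

/* Slides 13 and 39: five stack words per tree, in the order the hijacked ret
 * consumes them: &pop_value, value, &pop_address, address - off, &store. */
static int emit_step(const struct step *st, const struct assigned *a, uint32_t *w)
{
    w[0] = a->lv->addr; w[1] = st->value;
    w[2] = a->la->addr; w[3] = st->address - (uint32_t)a->store->off;
    w[4] = a->store->addr;
    return 5;
}

/* Slides 31-35: plan 0 is the direct StoreMem tree; when it has no compatible
 * assignment, plan 1 synthesizes ArithmeticStore(And, 0) then (Plus, value).
 * Returns the payload length in words, or 0 when neither plan is assignable. */
static int build_payload(uint32_t address, uint32_t value, uint32_t *w)
{
    const struct step plan[2][2] = { { { STOREMEM, address, value } },
        { { ARITHSTORE_AND, address, 0 }, { ARITHSTORE_PLUS, address, value } } };
    for (int p = 0; p < 2; p++) {
        struct assigned a; int n = 0, i, trees = p + 1;
        for (i = 0; i < trees && assign_step(&plan[p][i], &a); i++) n += emit_step(&plan[p][i], &a, w + n);
        if (i == trees) return n;
    }
    return 0;
}

/* Minimal executor: ESP walks the words and each gadget acts by type; memory is
 * one constructed 4 KiB page at PAGE_BASE, and any fault returns 0. */
#define PAGE_BASE 0xcafec000u
struct machine { uint32_t r[NREGS]; uint8_t mem[0x1000]; };
static int run_chain(struct machine *m, const uint32_t *w, int n)
{
    for (int esp = 0; esp < n; esp++) {
        const struct gadget *g = NULL;
        for (size_t i = 0; i < NTABLE; i++) if (table[i].addr == w[esp]) g = &table[i];
        if (!g) return 0;                                   /* ret into a non-gadget */
        if (g->type == LOADCONST) { if (++esp >= n) return 0; m->r[g->out] = w[esp]; continue; }
        uint32_t o = m->r[g->base] + (uint32_t)g->off - PAGE_BASE, cur = m->r[g->in], old;
        if (o > sizeof m->mem - 4) return 0;                /* store outside the page */
        memcpy(&old, m->mem + o, 4);
        if (g->type == ARITHSTORE_AND) cur &= old; else if (g->type == ARITHSTORE_PLUS) cur += old;
        memcpy(m->mem + o, &cur, 4);
    }
    return 1;
}

int main(void)
{
    uint32_t w[16], prior = 0x41414141u, got = 0;           /* prior: garbage already at the target */
    struct machine m; memset(&m, 0, sizeof m);
    int n = build_payload(0xcafecafeu, 0xdeadbeefu, w);
    memcpy(m.mem + (0xcafecafeu - PAGE_BASE), &prior, 4);
    for (int i = 0; i < n; i++) printf("%08x%c", w[i], (i + 1) % 5 ? ' ' : '\n');
    if (run_chain(&m, w, n)) memcpy(&got, m.mem + (0xcafecafeu - PAGE_BASE), 4);
    printf("M[cafecafe] = %08x after %d payload words\n", got, n);
    return 0;
}
```

The emitted words follow the slide-13 layout: each gadget address is followed by whatever that gadget pops. Because the ArithmeticStore gadgets use a displacement of 0x13, the address slot must hold 0xcafecaeb rather than the target itself; forgetting that adjustment is a common source of chains that run but write to the wrong place. The 0x41414141 pre-filled at the target is what makes the And step necessary: the Plus tree alone would add to whatever is already there.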

  40. Overview (agenda repeated; next section: Automatic Hardening)

  41. Exploit Hardening. Old exploit (stopped by DEP+ASLR) → Hardened exploit (bypasses DEP+ASLR): the hardened exploit carries a ROP payload in place of the shellcode

  42. Trace-based Analysis
     • Record P running on the old exploit (Branch 1, Branch 2, Branch 3, …)
     • Stop at the vulnerability condition

  43. Reasoning about Executions. Symbolic execution [SAB10] turns the recorded path into a logical formula that holds for all inputs that follow that path.

  44. Exploit Constraints. Two parts: the path constraints (from the recorded path) and the exploit constraints (what the exploit must place in memory).

  45. Exploit Constraints. How do we ensure the ROP payload gets into the exploit?
     Exploit constraints (gadget addresses at the right stack slots):
       M[ESP] = &gadget1
       M[ESP+off1] = &gadget2
       M[ESP+off2] = &gadget3
     Path constraints ∧ exploit constraints → SMT solver → hardened exploit

  46. Demo!

  47. Overview (agenda repeated; next section: Evaluation)

  48. Evaluation Questions
     1. Can Q harden exploits for real binary programs?
     2. How much unrandomized code is sufficient to create ROP payloads?

  49. Real Exploits
     • Q was able to automatically harden nine exploits downloaded from exploit-db.com
     Name                          | Total Time | OS
     Free CD to MP3 Converter      | 130s       | Windows 7
     Fatplayer                     | 133s       | Windows 7
     A-PDF Converter               | 378s       | Windows 7
     A-PDF Converter (SEH exploit) | 357s       | Windows 7
     MP3 CD Converter Pro          | 158s       | Windows 7
     rsync                         | 65s        | Linux
     opendchub                     | 225s       | Linux
     gv                            | 237s       | Linux
     Proftpd                       | 44s        | Linux
