security in mobile devices
play

Security in Mobile Devices Hacking Mobiles for Fun and Profit - PowerPoint PPT Presentation

Intro Hardware Security Platform Security Hacking Q&A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at Hamburg & Dublin City University 2010-12-16 1 / 54 Intro Hardware Security


  1. Intro Hardware Security Platform Security Hacking Q&A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit¨ at Hamburg & Dublin City University 2010-12-16 1 / 54

  2. Intro Hardware Security Platform Security Hacking Q&A 1 Hardware Security 2 Platform Security 3 Hacking 4 Q&A 2 / 54

  3. Intro Hardware Security About me Platform Security Motivation Hacking Q&A About me Contact Jabber muelli@jabber.ccc.de ACF0 F5EC E9DC 1BDC F09D B992 4147 7261 7CB6 4CEF Mail muelli@cryptobitch.de CF3E D935 AE6B DE0A D508 AF86 3EE0 57FF AA20 8D9E Talk ∼ 40 mins Ask immediately Q&A afterwards 3 / 54

  4. Intro Hardware Security About me Platform Security Motivation Hacking Q&A Motivation Why the heck? Show underlying Technology Show Security Frameworks Show Exploits in the Wild Maybe get you started hacking Making you feel responsible No Policies Not showing anything very new No cr4ckz for ur appz Explore not exploit 4 / 54

  5. Intro Hardware Security About me Platform Security Motivation Hacking Q&A Why mobile? Interfaces WiFi Bluetooth Email Web Video (Podcasts?) GSM (Calls, Texts) 5 / 54

  6. Intro Hardware Security About me Platform Security Motivation Hacking Q&A Why mobile? (cont.) More than a PC Personal Data GPS Cellular Financial Gain/Loss Always on Infection Not Obvious pwn 1 pwn many (cloud syndrome) 6 / 54

  7. Intro Hardware Security About me Platform Security Motivation Hacking Q&A Why mobile? (cont.) However... few publicly known vulnerabilities just PoCs, nobody really exploiting... orly? 7 / 54

  8. In the news

  9. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A Outline 1 Hardware Security Complexity Buffer Overflow Function Calls Overwrite Ret Addr Shellcode Protection 2 Platform Security 3 Hacking 4 Q&A 9 / 54

  10. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A x86 vs. ARM What’s different then? Classic Vulnerabilites/Architecture revisited: Opcodes Buffer Overflows Endianness Format Strings 10 / 54

  11. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A Complexity ARM is much less complex Opcodes Usage: N900: Cortex A8, N800: ARM 9E ARM, MIPS, SPARC: 4 bytes, “NOP”: 4 bytes (ARM with THUMBS: 2 bytes) x86: omgwtf NOP: 1 byte 11 / 54

  12. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A Complexity (cont.) Remember f0 0f c7 c8 ? Admittedly, it’s old: 1997, but still interesting lock cmpxchg8b eax Using the LOCK prefix on this form of CMPXCHG8B is illegal in and of itself. LOCK prefixes are only allowed on memory-based read-modify-write instructions. Hence a LOCK prefix on the register-based CMPXCHG8B EAX instruction should also generate an invalid opcode exception. 12 / 54

  13. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . ← %ebp label: . . . push %ebp . . . ← %esp mov %esp, %ebp return address %ebp sub $0x08,%esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  14. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . ← %ebp label: . . . push %ebp . . . mov %esp, %ebp return address ← %esp %ebp sub $0x08,%esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  15. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . ← %ebp label: . . . push %ebp . . . mov %esp, %ebp return address %ebp ← %esp sub $0x08,%esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  16. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . label: . . . push %ebp . . . mov %esp, %ebp return address %ebp ← %ebp %esp sub $0x08,%esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  17. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . label: . . . push %ebp . . . mov %esp, %ebp return address %ebp ← %ebp sub $0x08,%esp bytebuffer ← %esp do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  18. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . label: . . . push %ebp . . . mov %esp, %ebp return address %ebp ← %ebp sub $0x08,%esp bytebuffer ← %esp do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  19. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . label: . . . push %ebp . . . mov %esp, %ebp return address %ebp sub $0x08,%esp ← %ebp ← %esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  20. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . ← %ebp label: . . . push %ebp . . . mov %esp, %ebp return address ← %esp %ebp sub $0x08,%esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  21. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . ← %ebp label: . . . push %ebp . . . ← %esp mov %esp, %ebp return address sub $0x08,%esp %ebp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret = pop %eip 13 / 54

  22. Intro Complexity Hardware Security Buffer Overflow Platform Security Shellcode Hacking Protection Q&A function calls call label next instruction the stack . . . ↓ 0xFF . . . ← %ebp label: . . . push %ebp . . . ← %esp mov %esp, %ebp return address %ebp sub $0x08,%esp bytebuffer do something interesting mov %ebp, %esp ↑ 0x00 pop %ebp ret 13 / 54

  23. Example: vulnerable.c #include < s t d i o . h > #include < s t r i n g . h > void v u l n e r a b l e ( char ∗ source ) { char d e s t i n a t i o n [ 8 0 ] ; s t r c p y ( d e s t i n a t i o n , source ) ; } void main ( int argc , char ∗∗ argv ) { v u l n e r a b l e ( argv [ 1 ] ) ; }

  24. Overwrite Return Address “push *source” #1st arg the stack call vulnerableFunction next instruction ↓ 0xFF . . . . . . *source vulnerableFunction: pushl %ebp movl %esp, %ebp subl $80, %esp leal -80(%ebp), %eax pushl 8(%ebp) # source pushl %eax call strcpy mov %ebp, %esp pop %ebp ↑ 0x00 . . . ret

  25. Overwrite Return Address “push *source” #1st arg the stack call vulnerableFunction next instruction ↓ 0xFF . . . . . . *source vulnerableFunction: pushl %ebp return address movl %esp, %ebp subl $80, %esp leal -80(%ebp), %eax pushl 8(%ebp) # source pushl %eax call strcpy mov %ebp, %esp pop %ebp ↑ 0x00 . . . ret

  26. Overwrite Return Address “push *source” #1st arg the stack call vulnerableFunction next instruction ↓ 0xFF . . . . . . *source vulnerableFunction: pushl %ebp return address movl %esp, %ebp %ebp subl $80, %esp leal -80(%ebp), %eax pushl 8(%ebp) # source pushl %eax call strcpy mov %ebp, %esp pop %ebp ↑ 0x00 . . . ret

  27. Overwrite Return Address “push *source” #1st arg the stack call vulnerableFunction next instruction ↓ 0xFF . . . . . . *source vulnerableFunction: pushl %ebp return address movl %esp, %ebp %ebp subl $80, %esp leal -80(%ebp), %eax pushl 8(%ebp) # source pushl %eax call strcpy mov %ebp, %esp pop %ebp ↑ 0x00 . . . ret

  28. Overwrite Return Address “push *source” #1st arg the stack call vulnerableFunction next instruction ↓ 0xFF . . . . . . *source vulnerableFunction: pushl %ebp return address movl %esp, %ebp %ebp subl $80, %esp buffer[76-79] leal -80(%ebp), %eax . . . pushl 8(%ebp) # source buffer[0-3] pushl %eax call strcpy mov %ebp, %esp pop %ebp ↑ 0x00 . . . ret

  29. Overwrite Return Address “push *source” #1st arg the stack call vulnerableFunction next instruction ↓ 0xFF . . . . . . *source vulnerableFunction: pushl %ebp return address movl %esp, %ebp %ebp subl $80, %esp buffer[76-79] leal -80(%ebp), %eax . . . pushl 8(%ebp) # source buffer[0-3] pushl %eax call strcpy mov %ebp, %esp pop %ebp ↑ 0x00 . . . ret

Recommend


More recommend