
CS457 – Introduction to Information Systems Security Software 2



  1. CS457 – Introduction to Information Systems Security: Software 2
     Elias Athanasopoulos, elathan@ics.forth.gr

  2. More Jargon
     • Vulnerability type: stack overflow, heap overflow, integer overflow, use-after-free, format-string bug
     • Vulnerability scope: kernel/user, local/remote
     • Exploit type: code execution, privilege escalation, DoS

  3. Buffer Overflow
     (Diagram: three stack frames. First, the normal frame: return address, local variables, vulnerable buffer. Second, after the overflow: the buffer is filled with shellcode and the return address is overwritten with a NEW RET that points into it. Third, the same with a NOP sled in front of the shellcode, so the NEW RET only needs to land somewhere inside the sled.)

  4. Defense 1
     (Diagram: the same frame with a canary, a random value, placed between the local variables/vulnerable buffer and the return address; an overflow that reaches the return address has to overwrite the canary first.)

  5. Canary Values (stack canaries)
     • Produced by the compiler (e.g., GCC's -fstack-protector stores the value in the prologue and compares it in the epilogue)
     • Checked at run-time, before the function returns
     • Can be disclosed (an information leak such as a format-string bug reveals the value)
     • Can be brute-forced (when the same value survives across attempts, e.g., in a forking server)
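The following is an added example, not code from the lecture: it models the frame of slides 3 to 5 as a C struct (vulnerable buffer, canary, saved return address), shows the unbounded copy that smashes the canary beside a bounded copy that cannot, and then carries out the byte-at-a-time brute force that slide 5 warns about. The canary value, the return address and the frame layout are assumptions of the model; nothing here corrupts the real process stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE      16
#define CANARY_VALUE  0x1b3d5f7991a3c5e7ULL   /* assumed fixed value; real ones are random
                                                 and glibc forces the lowest byte to 0 */

/* Model of the frame a stack-protected function sets up: the buffer sits
   below the canary, the canary below the saved return address.  An overflow
   of buf must therefore cross the canary before it can reach ret. */
struct frame {
    char      buf[BUF_SIZE];
    uint64_t  canary;
    uintptr_t ret;
};

enum { RET_OK = 0, RET_SMASHED = 1 };

/* Vulnerable copy: no length check, the strcpy(buf, input) pattern.  The copy
   is stopped at the end of the model frame only so the example stays defined
   C; the real bug has no such stop. */
static void vuln_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);        /* buf is the first member: offset 0 */
}

/* Hardened copy: never writes past buf and keeps a terminator. */
static void safe_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE - 1) len = BUF_SIZE - 1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
}

/* What the compiler-generated prologue/epilogue does around either copy:
   plant the canary, run the body, compare before the ret.  On mismatch glibc
   calls __stack_chk_fail() and aborts; the model returns RET_SMASHED instead. */
static int run_protected(const unsigned char *in, size_t len, int use_safe_copy) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.ret    = 0x401234;                        /* assumed legitimate return address */
    if (use_safe_copy) safe_copy(&f, in, len); else vuln_copy(&f, in, len);
    return f.canary == CANARY_VALUE ? RET_OK : RET_SMASHED;
}

/* Byte-at-a-time brute force.  Models a forking server: every child inherits
   the parent's canary and a wrong guess crashes only the child, so the
   attacker overwrites one canary byte past the bytes already known and
   retries.  Cost is at most 8 * 256 probes instead of 2^64. */
static uint64_t brute_force_canary(long *probes) {
    unsigned char probe[BUF_SIZE + sizeof(uint64_t)];
    uint64_t recovered;
    memset(probe, 'A', BUF_SIZE);               /* fill the buffer exactly */
    *probes = 0;
    for (size_t i = 0; i < sizeof(uint64_t); i++) {
        int found = 0;
        for (int b = 0; b < 256 && !found; b++) {
            probe[BUF_SIZE + i] = (unsigned char)b;
            (*probes)++;
            found = run_protected(probe, BUF_SIZE + i + 1, 0) == RET_OK;
        }
        if (!found) return 0;                   /* cannot happen in this model */
    }
    memcpy(&recovered, probe + BUF_SIZE, sizeof recovered);
    return recovered;
}

int main(void) {
    unsigned char benign[] = "hello";
    unsigned char evil[BUF_SIZE + 16];
    long probes;
    memset(evil, 'A', sizeof evil);
    printf("benign input, vulnerable copy : %s\n",
           run_protected(benign, sizeof benign, 0) == RET_OK ? "ok" : "SMASHED");
    printf("32-byte input, vulnerable copy: %s\n",
           run_protected(evil, sizeof evil, 0) == RET_OK ? "ok" : "SMASHED");
    printf("32-byte input, bounded copy   : %s\n",
           run_protected(evil, sizeof evil, 1) == RET_OK ? "ok" : "SMASHED");
    printf("brute-forced canary 0x%016llx in %ld probes\n",
           (unsigned long long)brute_force_canary(&probes), probes);
    return 0;
}
```

The brute force only works because the oracle keeps the same canary between probes; a process that re-randomises on every start (or a server that re-executes rather than forks) takes the attacker back to guessing 64 bits at once.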

  6. Defense 2
     (Diagram: the frame as before, with the question "Executable?" asked of the stack; then the process memory layout from low to high address: Text, Data, Heap, Stack, each marked "Executable?". Only Text needs to be executable; the stack that holds the injected shellcode does not.)

  7. NX-bit
     • Non-Executable bit
     • Data Execution Prevention (DEP)
     • W xor X: a page can be either writable or executable, not both
     • Enforced in the MMU (a per-page permission bit in the page tables)
     • Most modern CPUs support this (Intel, ARM, etc.)

  8. Limitations of NX-bit
     • JIT and dynamic code: code generated at run-time has to be written and then executed, so some page must be writable and executable at some point
     • Web browsers (JavaScript JIT engines)
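An added example (not part of the slides) of slides 7 and 8 on Linux: the same handful of machine-code bytes run when placed in a page mapped read-execute and fault when the page is only read-write, and a JIT honours W xor X by writing into an RW page and flipping it to RX with mprotect() before the first call, never holding an RWX mapping. The machine-code encodings for x86-64 and AArch64 are the example's own; the SIGSEGV handler exists only so the fault can be reported instead of killing the process.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A tiny function written directly as machine code: return 42. */
#if defined(__x86_64__)
static const unsigned char CODE[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov $42,%eax */
                                      0xc3 };                         /* ret          */
#elif defined(__aarch64__)
static const unsigned char CODE[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0,#42   */
                                      0xc0, 0x03, 0x5f, 0xd6 };       /* ret          */
#else
#error "this example carries machine code for x86-64 and AArch64 only"
#endif

typedef int (*fn_t)(void);

/* Data pointer to function pointer without a compiler warning: the bytes at
   that address are what the CPU will fetch. */
static fn_t as_function(void *p) { fn_t f; memcpy(&f, &p, sizeof f); return f; }

/* A JIT under W^X: write the code into an RW page, then drop W and add X
   before the first call.  Never RWX.  Returns 42, or -1 if mmap/mprotect fail. */
static int jit_w_xor_x(void) {
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, CODE, sizeof CODE);                                  /* W phase */
    if (mprotect(page, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {     /* flip to X */
        munmap(page, (size_t)pg);
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + sizeof CODE); /* I-cache, needed on ARM */
    int r = as_function(page)();                                      /* X phase */
    munmap(page, (size_t)pg);
    return r;
}

static sigjmp_buf g_recover;
static void on_segv(int sig) { (void)sig; siglongjmp(g_recover, 1); }

/* The NX bit at work: identical bytes in a page that is only RW.  The
   instruction fetch faults (SIGSEGV) and the handler jumps back here.
   Returns 1 if execution was blocked, 0 if the CPU ran it (no NX), -1 on error. */
static int exec_from_data_page_blocked(void) {
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, CODE, sizeof CODE);

    struct sigaction sa, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags   = SA_NODEFER;              /* a later SIGSEGV can be caught again */
    sigaction(SIGSEGV, &sa, &old_segv);

    int blocked;
    if (sigsetjmp(g_recover, 1) == 0) {
        (void)as_function(page)();           /* faults here on an NX-capable machine */
        blocked = 0;
    } else {
        blocked = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap(page, (size_t)pg);
    return blocked;
}

int main(void) {
    printf("W^X JIT returned %d\n", jit_w_xor_x());
    printf("execution from RW-only page blocked: %d\n", exec_from_data_page_blocked());
    return 0;
}
```

The two mprotect() states are exactly the window slide 8 is about: between the write and the flip, a JIT's code buffer is data; after the flip it is code, and an attacker who can write into it while it is still writable and then trigger the flip gets the shellcode execution that NX was meant to deny.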

  9. Bypassing NX-bit

  10. Return to libc
     (Diagram: the stack is non-executable, so the overflow injects no shellcode. Instead the saved RET is overwritten with the address of an existing function (*f)() in libc, e.g., execve("/bin/sh", …), with the arguments the attacker wants it to receive arranged in the overflowed data.)

  11. Return Oriented Programming (ROP)
     (Disassembly of a program's main(), in which three short instruction sequences ending in ret are highlighted as Gadget 1, Gadget 2 and Gadget 3.)

        mov    (%rcx),%rbx
        test   %rbx,%rbx
        je     41c523 <main+0x803>
        mov    %rbx,%rdi
        callq  42ab00
        mov    %rax,0x2cda9d(%rip)
        cmpb   $0x2d,(%rbx)
        je     41c4ac <main+0x78c>
        mov    0x2cda8d(%rip),%rax
        ret
        test   %rbx,%rbx
        mov    $0x4ab054,%eax
        cmove  %rax,%rbx
        mov    %rbx,0x2cda6a(%rip)
        test   %rdi,%rdi
        je     41c0c2 <main+0x3a2>
        mov    $0x63b,%edx
        mov    $0x4ab01d,%esi
        callq  46cab0 <sh_xfree>
        ret
        mov    %rax,0x2d2945(%rip)
        mov    0x2cda16(%rip),%rax
        test   %rax,%rax
        je     41c112 <main+0x3f2>
        movzbl (%rax),%edx
        callq  41b640 <time@plt>
        mov    0xb8(%rsp),%r15d
        cmp    0xc(%rsp),%r15d
        mov    %rax,0x2d2670(%rip)
        je     41c214 <main+0x4f4>
        xchg   %ax,%ax
        mov    (%rsp),%rdx
        movslq %r15d,%rax
        mov    (%rdx,%rax,8),%r14
        ret
        je     41c214 <main+0x4f4>
        cmpb   $0x2d,(%r14)
        jne    41c214 <main+0x4f4>
        movzbl 0x1(%r14),%r12d
        movl   $0x0,0x18(%rsp)
        je     41c440 <main+0x720>
        xor    %ebp,%ebp
        mov    $0x4c223a,%ebx
        add    $0x1,%r14
        jmp    41c1a3 <main+0x483>
        cmp    (%rbx),%r12b
        mov    %ebp,%r13d
        jne    41c188 <main+0x468>
        mov    %rbx,%rsi
        test   %eax,%eax
        xchg   %ax,%ax
        jne    41c188 <main+0x468>
        movslq %ebp,%rax
        ret
        cmpl   $0x1,0x4ab3c8(%rax)
        je     41c461 <main+0x741>
        mov    (%rsp),%rcx
        add    $0x1,%r15d
        movslq %r15d,%rdx
        mov    (%rcx,%rdx,8),%rdx

  12. ROP in action
     (Diagram: the stack is non-executable; the saved RET is overwritten with the address of the first gadget, and the bytes beyond it hold the ROP chain, a sequence of gadget addresses and data that serves as a virtual stack for the gadgets.)

  13. How does the ROP chain work? Use esp as the instruction pointer.
     (Diagram: the stack holds Addr. of G1, Addr. of G2, Addr. of G3, …, Addr. of GN; the text section holds the gadgets G1; ret, G2; ret, G3; ret, …, GN; ret. The victim function's ret pops Addr. of G1; G1 runs and its own ret pops Addr. of G2, and so on, so the stack pointer walks the chain the way the instruction pointer walks ordinary code.)
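As an added example (not the lecture's code) covering slides 10 to 13, here is a small software model of the mechanism: a fake CPU whose stack memory starts at the smashed RET slot, a handful of emulated gadgets at made-up text-section addresses, and an emulated libc execve() as the final ret2libc target. The chain writes "/bin/sh" into a writable data page, points %rdi at it, NULLs argv and returns into execve(); every ret pops the next word, so %rsp is the program counter. All addresses, the gadget set and the data page are assumptions; no real machine code runs and no real process is attacked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { STACK_WORDS = 32, DATA_SIZE = 64 };

/* Assumed addresses: gadgets in the text section, execve() in libc, a writable page. */
#define G_POP_RDI_RET      0x0000000000401a3cULL  /* pop %rdi ; ret          */
#define G_POP_RSI_RET      0x0000000000401c11ULL  /* pop %rsi ; ret          */
#define G_MOV_RDI_RSI_RET  0x00000000004027e8ULL  /* mov %rsi,(%rdi) ; ret   */
#define LIBC_EXECVE        0x00007ffff7e5c0f0ULL  /* execve() in libc        */
#define DATA_BASE          0x00000000006b2000ULL  /* writable .bss page      */

struct cpu {
    uint64_t rdi, rsi, rdx, rip;
    uint64_t stack[STACK_WORDS];     /* stack memory starting at the smashed RET slot */
    size_t   rsp;                    /* index of the next word to pop */
    unsigned char data[DATA_SIZE];   /* memory backing DATA_BASE */
    char     execve_path[DATA_SIZE]; /* what the emulated execve() received */
    int      halted, fault;
};

static uint64_t pop64(struct cpu *c) {
    if (c->rsp >= STACK_WORDS) { c->fault = 1; return 0; }
    return c->stack[c->rsp++];
}

static unsigned char *mem(struct cpu *c, uint64_t addr, size_t len) {
    if (addr < DATA_BASE || addr + len > DATA_BASE + DATA_SIZE) { c->fault = 1; return NULL; }
    return c->data + (addr - DATA_BASE);
}

/* One gadget: a few instructions, then ret.  The ret is what drives the chain:
   it pops the next gadget address into %rip, so %rsp acts as the program counter. */
static void step(struct cpu *c) {
    unsigned char *p;
    switch (c->rip) {
    case G_POP_RDI_RET:     c->rdi = pop64(c); break;
    case G_POP_RSI_RET:     c->rsi = pop64(c); break;
    case G_MOV_RDI_RSI_RET:
        if ((p = mem(c, c->rdi, 8)) != NULL) memcpy(p, &c->rsi, 8);
        break;
    case LIBC_EXECVE:                            /* execve(%rdi, %rsi, %rdx) */
        for (size_t i = 0; i + 1 < DATA_SIZE; i++) {
            if ((p = mem(c, c->rdi + i, 1)) == NULL) break;
            c->execve_path[i] = (char)*p;
            if (*p == '\0') break;
        }
        c->halted = 1;                           /* control never comes back */
        return;
    default:
        c->fault = 1;                            /* %rip is not a gadget: crash */
        return;
    }
    c->rip = pop64(c);                           /* ret */
}

/* The victim's own ret pops the overwritten slot, then the chain runs itself. */
static int run_chain(struct cpu *c) {
    c->rip = pop64(c);
    while (!c->halted && !c->fault) step(c);
    return c->halted && !c->fault;
}

/* Payload laid out from the RET slot upward: every word is either a gadget
   address or data that the preceding pop gadget consumes. */
static size_t build_chain(uint64_t *out) {
    uint64_t binsh;
    size_t n = 0;
    memcpy(&binsh, "/bin/sh", 8);                      /* 7 chars + NUL = one word */
    out[n++] = G_POP_RDI_RET;  out[n++] = DATA_BASE;   /* rdi = &data            */
    out[n++] = G_POP_RSI_RET;  out[n++] = binsh;       /* rsi = "/bin/sh\0"      */
    out[n++] = G_MOV_RDI_RSI_RET;                      /* *rdi = rsi             */
    out[n++] = G_POP_RSI_RET;  out[n++] = 0;           /* argv = NULL            */
    out[n++] = LIBC_EXECVE;                            /* ret2libc: execve()     */
    return n;
}

/* Returns 1 if the chain reached execve("/bin/sh", NULL, ...); copies the path out. */
static int rop_demo(char *path_out, size_t path_len) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    build_chain(c.stack);
    int ok = run_chain(&c);
    snprintf(path_out, path_len, "%s", c.execve_path);
    return ok && strcmp(c.execve_path, "/bin/sh") == 0;
}

/* Same chain with one gadget address off by 8 bytes (what ASLR or a wrong
   offset does to the attacker): %rip lands on no gadget and the chain dies. */
static int rop_demo_wrong_address(void) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    build_chain(c.stack);
    c.stack[4] = G_MOV_RDI_RSI_RET + 8;
    return run_chain(&c);
}

int main(void) {
    char path[DATA_SIZE];
    printf("chain reached execve: %d, path = \"%s\"\n", rop_demo(path, sizeof path), path);
    printf("chain with a wrong gadget address succeeded: %d\n", rop_demo_wrong_address());
    return 0;
}
```

The off-by-eight variant is why NX alone is not enough and why the next layer of defence targets the addresses: with a non-executable stack the attacker needs nothing but known addresses, and randomising them (ASLR) or refusing to return to arbitrary places (shadow stacks, CFI) is what breaks the chain.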
