Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Similar presentations


Presentation on theme: "CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos"— Presentation transcript:

1 CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

2 Software Exploitation – High Level CS-457Elias Athanasopoulos2 Vulnerable Software (e.g., web browser) Input (malicious web page) Exploit Code Renders malicious page Exploit Runs Collect Gadgets Build ROP Chain Exec ROP Chain Introduce new control flows HACKED

3 How the ROP chain works? –use esp as the instruction pointer CS-457Elias Athanasopoulos3 ROP Chain TEXT Section (Code) Addr. of G1 Addr. of G2 Addr. of G3 Addr. of GN G1; ret G2; ret G3; ret GN; ret

4 Heap Overflows CS-457Elias Athanasopoulos4 Stack Heap Data Text High AddressLow Address Vulnerability (VTable ptr) Vulnerability (VTable ptr) (*)f() Jump to Gadget G1 …; ret Attacker does NOT control the stack!

5 Stack Pivoting CS-457Elias Athanasopoulos5 Stack Heap Data Text High AddressLow Address Vulnerability (VTable ptr) Vulnerability (VTable ptr) (*)f() Jump to Gadget G1 xchg %eax,%esp; ret Stack Pivoting Force %esp to point to heap Execute the rest of the ROP chain

6 CS-457Elias Athanasopoulos6

7 Randomization  ASLR - Address Space Layout Randomization  Fine-grained Randomization - Smashing the gadgets - Binary Stirring CS-457Elias Athanasopoulos7

8 CS-457Elias Athanasopoulos8

9 Fine-grained Randomization  Shuffle instructions, without changing the semantics CS-457Elias Athanasopoulos9

10 Information Disclosure Bugs  String formatting bugs int main() { char localStr[100]; printf("Username? "); fgets(localStr, sizeof(localStr), stdin); printf(localStr); printf("What is the access code? "); … } CS-457Elias Athanasopoulos10 localStr = "AAAA %08x %08x %08x";

11 Just-in-time ROP CS-457Elias Athanasopoulos11

12 CS-457Elias Athanasopoulos12

13 Ideal CFI CS-457Elias Athanasopoulos13 Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks

14 Coarse-grained (loose) CFI CS-457Elias Athanasopoulos14

15 Gadgets under CFI CS-457Elias Athanasopoulos15

16 Linking Gadgets under CFI CS-457Elias Athanasopoulos16

17 Exploitation under CFI CS-457Elias Athanasopoulos17

18 CS-457Elias Athanasopoulos18

19 kBouncer CS-457Elias Athanasopoulos19

20 kBouncer Checks  call-ret pairing - Coarse-grained CFI  Heuristics - Up to 20 instructions is considered a gadget - 6 gadgets in a row is considered an attack CS-457Elias Athanasopoulos20

21 kBouncer Heuristics CS-457Elias Athanasopoulos21

22 Bypassing kBouncer CS-457Elias Athanasopoulos22

23 kBouncer bypass PoC CS-457Elias Athanasopoulos23


Download ppt "CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos"

Similar presentations


Ads by Google