Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Published byEustace King Modified over 8 years ago

Similar presentations

Presentation on theme: "Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh"— Presentation transcript:

1 Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

2 Buffer Overflows Attacker sends data bigger than the buffer, the excess data overwrites memory beyond the buffer Stack buffer overflows are the easiest attack to succeed with because return addresses are implicitly close in memory Code Injection Attack - the attacker includes malicious code as a part of the payload  then simply sets the return address to the code that was injected as part of the payload Modern OS’s though mark data memory pages as non-executable (NX on X86)

3 Address Space Layout Randomization
Randomizes the location of code and data memory segments in the process address space Makes it hard to predict the location of code or even the stack in advance On 32 bit platforms usually only 16 bits for randomization Easy to Brute force attack it 64-bit systems have too many random bits to effectively brute force

4 Canaries – A secret value is determined in advance and placed before each saved frame pointer and return address When a function is returned the canaries are checked, if it has changed an attacked has been detected and the program terminates Canaries are guessed one byte at a time If canaries rerandom after every crash then ROP attacks are impossible

5

6 Return-Oriented Programming (ROP)
Developed to defeat NX memory Relies on collecting gadgets Gadgets are machine instruction sequences already on the machine Return into Library – A high level library function such as system() is set as the return address 64 bit systems arguments are passed in registers so gadgets are need to populate registers

7

8 To defeat NX the attacker must know of where gadgets reside in the program executable
To defeat ASLR the attacker must derandomize the location at which the executable’s text segment is actually loaded into memory The first requirement generally means you need to have a binary available for 64 bit If Position Independent Executables (PIE) is enabled on a linux device the entire address space is randomized

9

10 Registers rdi and rsi control the first 2 arguments of to systems calls
Register rax controls controls the system call number Registers can be controlled by using pop gadgets and placing the value to load on the stack

11

12 Blind Remote Oriented Programming (BROP)
We assume a stack vulnerability and knowledge of how to trigger it A server application that restarts after a crash Phases of a BROP attack Stack Reading: read the stack to leak canaries and a return address to defeat ASLR Blind ROP: Find enough gadgets to invoke write and control its arguments  you can now transfer the binary Build the exploit: Dump enough of the binary to find enough gadgets to build a shellcode, and launch the exploit

13

14

15 Finding Gadgets Remotely scan the applications text segment bye overwriting the saved return address The program will either crash or continue running, if it continues running you have found a gadget A stop gadget is a gadget which suspends program execution but keeps the connection running – like sleep or an infinite loop Stop gadgets are placed after the adress you are scanning, 2 are needed to keep pop from crashing

16

17 Probe – the address being scanned
Stop – The address of a stop gadget that will not crash Trap – The address of non-executable memory that will cause a crash The idea is to vary the position of stops and traps on the stack to deduce what the gadget being probed is Probe, stop, trap, trap ….. Will find gadgets that do not pop the stack like ret or xor Probe, trap, stop, trap, trap…. Will find gadgets that pop exactly one thing off the stack like pop rax; ret or pop rdi; ret

18

19 Finding the PLT Each entry is 16 bytes apart
Most PLT entries will not cause a crash since they are system calls The PLT is found by scanning from the programs origin The PLT can be verified by setting a prode stop trap and also by using offsets of six bytes to use the PLT slowpath

20

21 To control the third argument one needs to find a call to strcmp which sets rdx to the length of the string compared To identify PLT entries we control the first two arguments using the gadgets we found earlier and we see how the function responds Strcmp(bad, bad): Crash Strcmp(bad, readable): Crash Strcmp(readable, bad): Crash Strcmp(readable, readable): No Crash Now that we can control the first three arguments finding write is trivial because we just scan through the PLT entries and force a write to the socket, if a write occurs the location has been found

22 Summary Find where the executable is loaded. Either 0x for non-PIE executables or stack read a saved return address Find a stop gadget. Like sleep or read. The attacker also finds the PLT at this point Find the BROP gadget. Find strcmp in the PLT. Find write in the PLT. Dump the binary to find more gadgets Build a shell code and exploit the server

23 If there is no BROP gadget or PLT the attack instead goes:
Find all pop x; ret gadgets Find a syscall gadget Identify the pop gadgets

Download ppt "Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh"

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
University of VirginiaDARPA SRS - 27 Jan 20051 Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.

University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Framing Signals— A Return to Portable Shellcode

Framing Signals— A Return to Portable Shellcode
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.

CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Address Space Layout Permutation

Address Space Layout Permutation
On the Effectiveness of Address-Space Randomization CS6V81 - 005 Brian Ricks and Vasundhara Chimmad.

On the Effectiveness of Address-Space Randomization CS6V Brian Ricks and Vasundhara Chimmad.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.

Buffer overflows.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Similar presentations

Ads by Google