CS457 – Introduction to Information Systems Security
Software 3
Elias Athanasopoulos
Software Exploitation – High Level
Vulnerable software (e.g., a web browser) receives input (a malicious web page) that carries the exploit code:
Renders malicious page -> Exploit runs -> Collect gadgets -> Build ROP chain -> Exec ROP chain -> Introduce new control flows -> HACKED
(CS-457, Elias Athanasopoulos, slide 2)
How does the ROP chain work? – use %esp as the instruction pointer
ROP chain (on the stack)      TEXT section (code)
  Addr. of G1            ->   G1; ret
  Addr. of G2            ->   G2; ret
  Addr. of G3            ->   G3; ret
  ...
  Addr. of GN            ->   GN; ret
Each ret pops the next gadget address off the stack, so the stack pointer effectively plays the role of the instruction pointer.
Heap Overflows
Memory layout (high address -> low address): Stack, Heap, Data, Text
Vulnerability: corrupted VTable pointer in the heap -> (*)f() -> jump to gadget G1: ...; ret
Attacker does NOT control the stack!
Stack Pivoting
Memory layout (high address -> low address): Stack, Heap, Data, Text
Vulnerability: corrupted VTable pointer in the heap -> (*)f() -> jump to gadget G1: xchg %eax,%esp; ret
Stack pivoting: force %esp to point into the heap, then execute the rest of the ROP chain from there
Randomization
- ASLR - Address Space Layout Randomization
- Fine-grained randomization
  - Smashing the Gadgets
  - Binary Stirring
Fine-grained Randomization
Shuffle instructions without changing the semantics
Information Disclosure Bugs
String formatting bugs: passing user-controlled data as the format string lets the user read values off the stack.

    #include <stdio.h>

    int main() {
        char localStr[100];
        printf("Username? ");
        fgets(localStr, sizeof(localStr), stdin);
        printf(localStr);   /* format-string bug: user input is used as the format string */
        printf("What is the access code? ");
        /* … */
    }

Example input: localStr = "AAAA %08x %08x %08x" prints AAAA followed by three words read from the stack.
Just-in-time ROP
Ideal CFI
Two problems:
1) CFG discovery (especially in legacy apps)
2) Performance of the checks
Coarse-grained (loose) CFI
Gadgets under CFI
Linking Gadgets under CFI
Exploitation under CFI
kBouncer
kBouncer
- Checks call-ret pairing (coarse-grained CFI): every ret must land at a call-preceded address
- Heuristics:
  - Up to 20 instructions is considered a gadget
  - 6 gadgets in a row is considered an attack
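To make the two kBouncer checks concrete, here is an added example (not kBouncer's own code, which is a Windows kernel component reading the CPU's Last Branch Record): it applies the call-preceded return check and the 20-instruction / 6-gadget heuristics to a constructed branch record with hypothetical addresses, as kBouncer does when a system call is made.

```python
from dataclasses import dataclass

GADGET_MAX_INSNS = 20   # target with <= 20 instructions before the next indirect branch looks like a gadget
CHAIN_THRESHOLD = 6     # this many gadget-like targets in a row is treated as an attack

@dataclass(frozen=True)
class Branch:
    src: int
    dst: int
    kind: str   # "call", "ret" or "jmp"

# Constructed model of the protected program (hypothetical addresses, not a real
# binary): for each branch target, instructions executed before the next indirect branch.
CODE_LEN = {
    0x401000: 45, 0x401200: 80, 0x401500: 120,    # ordinary function entry points
    0x401041: 60, 0x401237: 35, 0x401530: 40,     # return sites inside their callers
    0x402000: 2, 0x402010: 3, 0x402020: 1,        # short sequences ending in ret
    0x402030: 4, 0x402040: 2, 0x402050: 3,        # (gadgets)
}
CALL_PRECEDED = {0x401041, 0x401237, 0x401530}   # the instruction just before each is a call

def is_gadget(dst: int) -> bool:
    return CODE_LEN.get(dst, GADGET_MAX_INSNS + 1) <= GADGET_MAX_INSNS

def illegal_returns(trace):
    """Call-ret pairing: a ret must land right after a call instruction."""
    return [b for b in trace if b.kind == "ret" and b.dst not in CALL_PRECEDED]

def longest_gadget_chain(trace) -> int:
    """Longest run of consecutive branches whose targets look like gadgets."""
    best = run = 0
    for b in trace:
        run = run + 1 if is_gadget(b.dst) else 0
        best = max(best, run)
    return best

def inspect_at_syscall(trace) -> dict:
    """Apply both checks to the branch record captured when a syscall is made."""
    bad = illegal_returns(trace)
    chain = longest_gadget_chain(trace)
    return {"illegal_returns": len(bad), "gadget_chain": chain,
            "attack": bool(bad) or chain >= CHAIN_THRESHOLD}

# Constructed traces: normal call/return activity, and a ROP chain of six gadgets
# entered through returns that do not follow a call.
BENIGN = [Branch(0x401040, 0x401000, "call"), Branch(0x40102d, 0x401041, "ret"),
          Branch(0x401236, 0x401200, "call"), Branch(0x40124f, 0x401237, "ret"),
          Branch(0x40152f, 0x401500, "call"), Branch(0x401577, 0x401530, "ret")]
ROP = [Branch(0x401580, 0x402000, "ret"), Branch(0x402002, 0x402010, "ret"),
       Branch(0x402013, 0x402020, "ret"), Branch(0x402021, 0x402030, "ret"),
       Branch(0x402034, 0x402040, "ret"), Branch(0x402042, 0x402050, "ret")]
```

`inspect_at_syscall(BENIGN)` reports no violations, while `inspect_at_syscall(ROP)` is flagged by both the pairing check and the gadget-chain heuristic.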
kBouncer Heuristics
Bypassing kBouncer
kBouncer bypass PoC