CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Software Exploitation – High Level (slide 2)
Vulnerable Software (e.g., web browser) + Input (malicious web page) -> Exploit Code
Renders malicious page -> Exploit runs -> Collect gadgets -> Build ROP chain -> Exec ROP chain -> Introduce new control flows -> HACKED

How the ROP chain works? (slide 3)
– use esp as the instruction pointer
The ROP chain (on the stack) holds Addr. of G1, Addr. of G2, Addr. of G3, ..., Addr. of GN. Each address points into the TEXT section (code) at a gadget ending in ret: G1; ret, G2; ret, G3; ret, ..., GN; ret.

Heap Overflows (slide 4)
Memory layout from high address to low address: Stack, Heap, Data, Text.
Vulnerability (VTable ptr): the corrupted function pointer (*)f() makes the program jump to gadget G1 (…; ret).
Attacker does NOT control the stack!

Stack Pivoting (slide 5)
Same memory layout (Stack, Heap, Data, Text). Vulnerability (VTable ptr): the corrupted (*)f() jumps to gadget G1: xchg %eax,%esp; ret.
Stack pivoting: force %esp to point to the heap, then execute the rest of the ROP chain.


Randomization (slide 7)
 ASLR - Address Space Layout Randomization
 Fine-grained Randomization - Smashing the gadgets - Binary Stirring


Fine-grained Randomization (slide 9)
 Shuffle instructions, without changing the semantics

Information Disclosure Bugs (slide 10)
 String formatting bugs

    #include <stdio.h>

    int main() {
        char localStr[100];
        printf("Username? ");
        fgets(localStr, sizeof(localStr), stdin);
        printf(localStr);   /* BUG: user input used as the format string */
        printf("What is the access code? ");
        …
    }

Example input: localStr = "AAAA %08x %08x %08x"; (each %08x prints a word from the stack, disclosing memory contents)
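The hardened form of the slide's prompt beside a directive-counting check on the untrusted input, added here as example code (not from the slides); the function names and the flag/modifier character set are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the slide's prompt: the format string is a literal and
 * the user text is only an argument, so '%' sequences in it are printed
 * verbatim instead of being interpreted. Replaces printf(localStr). */
static int render_safely(const char *localStr, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", localStr);
}

/* Defensive check for text that must never reach a format argument:
 * counts conversion directives and, via *writes, the %n directives that
 * turn a read-only leak into a memory write. "%%" is a literal percent.
 * The set of flag/width/length characters skipped below is an assumption. */
static int scan_directives(const char *s, int *writes)
{
    int count = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a directive */
            s++;
            continue;
        }
        /* skip flags, width, precision, positional '$', length modifiers */
        while (s[1] && strchr("-+ #*0123456789.$hlLqjzt", s[1]))
            s++;
        if (!s[1])
            break;              /* lone '%' at end of input */
        s++;                    /* now at the conversion character */
        count++;
        if (*s == 'n')
            (*writes)++;
    }
    return count;
}
```

With the slide's input, render_safely() emits the 19-character string unchanged, while scan_directives() reports three directives, which is enough to log the request as a probe.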

Just-in-time ROP (slide 11)


Ideal CFI (slide 13)
Two problems:
1) CFG discovery (especially in legacy apps)
2) Performance in checks

Coarse-grained (loose) CFI (slide 14)

Gadgets under CFI (slide 15)

Linking Gadgets under CFI (slide 16)

Exploitation under CFI (slide 17)


kBouncer (slide 19)

kBouncer Checks (slide 20)
 call-ret pairing - Coarse-grained CFI
 Heuristics - Up to 20 instructions is considered a gadget - 6 gadgets in a row is considered an attack
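The two checks above as a small simulator over a constructed branch trace, added as an example here and not code from the slides or from kBouncer itself; the record layout, the way the 20-instruction and 6-gadget thresholds are applied, and the sample trace values are all assumptions:

```c
#include <stddef.h>

/* Constructed LBR-style record of one recent indirect branch. Real LBRs
 * hold addresses; call_preceded stands in for the disassembly check
 * kBouncer does at each return target. */
typedef enum { BR_RET, BR_CALL, BR_JMP } branch_kind;
typedef struct {
    branch_kind kind;
    int call_preceded;   /* 1 if the target directly follows a call */
    int insns_before;    /* instructions run since the previous branch */
} branch_rec;
#define MAX_GADGET_INSNS 20  /* slide: up to 20 instructions is a gadget */
#define CHAIN_THRESHOLD   6  /* slide: 6 gadgets in a row is an attack */

/* Check 1, call-ret pairing: every ret must land at a call-preceded site.
 * Returns the index of the first violating ret, or -1 if all pair up. */
static int find_unpaired_ret(const branch_rec *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].kind == BR_RET && !t[i].call_preceded)
            return (int)i;
    return -1;
}

/* Check 2, gadget-chain heuristic: longest run of consecutive indirect
 * branches each reached after at most MAX_GADGET_INSNS instructions. */
static int longest_gadget_chain(const branch_rec *t, size_t n)
{
    int run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        run = t[i].insns_before <= MAX_GADGET_INSNS ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Verdict taken when a sensitive API is entered: 1 = block, 0 = allow. */
static int kbouncer_verdict(const branch_rec *t, size_t n)
{
    return find_unpaired_ret(t, n) >= 0 ||
           longest_gadget_chain(t, n) >= CHAIN_THRESHOLD;
}

/* Constructed traces: normal returns after long function bodies versus a
 * run of short, non-call-preceded returns as a ROP chain would leave. */
static const branch_rec benign_trace[] = {
    {BR_CALL, 0, 35}, {BR_RET, 1, 120}, {BR_JMP, 0, 8}, {BR_RET, 1, 64},
};
static const branch_rec rop_trace[] = {
    {BR_RET, 0, 3}, {BR_RET, 0, 2}, {BR_RET, 0, 5}, {BR_RET, 0, 1},
    {BR_RET, 0, 4}, {BR_RET, 0, 2}, {BR_RET, 0, 3},
};
```

The benign trace passes both checks; the constructed chain fails both, the first unpaired ret being at index 0 and the run length being 7. A chain whose gadgets are all call-preceded and longer than 20 instructions would pass, which is the weakness the following slides on bypassing kBouncer discuss.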

kBouncer Heuristics (slide 21)

Bypassing kBouncer (slide 22)

kBouncer bypass PoC (slide 23)