Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Buffer Overflows Attacker sends data bigger than the buffer, the excess data overwrites memory beyond the buffer Stack buffer overflows are the easiest attack to succeed with because return addresses are implicitly close in memory Code Injection Attack - the attacker includes malicious code as a part of the payload  then simply sets the return address to the code that was injected as part of the payload Modern OS’s though mark data memory pages as non-executable (NX on X86)

Address Space Layout Randomization Randomizes the location of code and data memory segments in the process address space Makes it hard to predict the location of code or even the stack in advance On 32 bit platforms usually only 16 bits for randomization Easy to Brute force attack it 64-bit systems have too many random bits to effectively brute force

Canaries – A secret value is determined in advance and placed before each saved frame pointer and return address When a function is returned the canaries are checked, if it has changed an attacked has been detected and the program terminates Canaries are guessed one byte at a time If canaries rerandom after every crash then ROP attacks are impossible

Return-Oriented Programming (ROP) Developed to defeat NX memory Relies on collecting gadgets Gadgets are machine instruction sequences already on the machine Return into Library – A high level library function such as system() is set as the return address 64 bit systems arguments are passed in registers so gadgets are need to populate registers

To defeat NX the attacker must know of where gadgets reside in the program executable To defeat ASLR the attacker must derandomize the location at which the executable’s text segment is actually loaded into memory The first requirement generally means you need to have a binary available for 64 bit If Position Independent Executables (PIE) is enabled on a linux device the entire address space is randomized

Registers rdi and rsi control the first 2 arguments of to systems calls Register rax controls controls the system call number Registers can be controlled by using pop gadgets and placing the value to load on the stack

Blind Remote Oriented Programming (BROP) We assume a stack vulnerability and knowledge of how to trigger it A server application that restarts after a crash Phases of a BROP attack Stack Reading: read the stack to leak canaries and a return address to defeat ASLR Blind ROP: Find enough gadgets to invoke write and control its arguments  you can now transfer the binary Build the exploit: Dump enough of the binary to find enough gadgets to build a shellcode, and launch the exploit

Finding Gadgets Remotely scan the applications text segment bye overwriting the saved return address The program will either crash or continue running, if it continues running you have found a gadget A stop gadget is a gadget which suspends program execution but keeps the connection running – like sleep or an infinite loop Stop gadgets are placed after the adress you are scanning, 2 are needed to keep pop from crashing

Probe – the address being scanned Stop – The address of a stop gadget that will not crash Trap – The address of non-executable memory that will cause a crash The idea is to vary the position of stops and traps on the stack to deduce what the gadget being probed is Probe, stop, trap, trap ….. Will find gadgets that do not pop the stack like ret or xor Probe, trap, stop, trap, trap…. Will find gadgets that pop exactly one thing off the stack like pop rax; ret or pop rdi; ret

Finding the PLT Each entry is 16 bytes apart Most PLT entries will not cause a crash since they are system calls The PLT is found by scanning from the programs origin The PLT can be verified by setting a prode stop trap and also by using offsets of six bytes to use the PLT slowpath

To control the third argument one needs to find a call to strcmp which sets rdx to the length of the string compared To identify PLT entries we control the first two arguments using the gadgets we found earlier and we see how the function responds Strcmp(bad, bad): Crash Strcmp(bad, readable): Crash Strcmp(readable, bad): Crash Strcmp(readable, readable): No Crash Now that we can control the first three arguments finding write is trivial because we just scan through the PLT entries and force a write to the socket, if a write occurs the location has been found

Summary Find where the executable is loaded. Either 0x400000 for non-PIE executables or stack read a saved return address Find a stop gadget. Like sleep or read. The attacker also finds the PLT at this point Find the BROP gadget. Find strcmp in the PLT. Find write in the PLT. Dump the binary to find more gadgets Build a shell code and exploit the server

If there is no BROP gadget or PLT the attack instead goes: Find all pop x; ret gadgets Find a syscall gadget Identify the pop gadgets