A survey of buffer overflow exploitation on HTC Touch mobile phone
Advanced Defense Lab, CSIE, NCU
Chih-Wen Ou

Abstract
Buffer overflow issues on ARM-based handheld devices (HTC Touch mobile phone)
Theoretical analysis and practical test programming

Acknowledgement
怡群
Collin Mulliner – Exploiting PocketPC, What the Hack!, July
Collin Mulliner – BlackHat Japan, October 2008
Everybody and my advisor

Outline
Introduction
Background
Programming
Evaluation and Discussion
Future work
Conclusion

Introduction
ARM-based handheld devices
– Most widely used processor in PDAs and GPS devices
– Mobile phone devices: Symbian, WinCE, iPhone
Our test platform: HTC Touch, ARM processor, Windows Mobile 6.0 (WinCE 5)

Introduction
Buffer overflow issues
– Without social engineering
– Computer compromised
– String data manipulation without proper bound check
– Memory corruption and possible malicious redirection of the execution flow
Shellcode programming on ARM-based WinCE
– ARM assembler and disassembler: Visual Studio with Windows Mobile 6.0 SDK
– ARM instruction set reference
– C. Mulliner's work since 2003

Background
ARM
– RISC instruction set architecture
  32-bit word (4 bytes long)
  Separate instruction and data caches
– Register organization (user32/system mode)
  r0–r12 are general purpose registers
  r13 is the stack pointer (SP)
  r14 is the subroutine link register (LR)
  r15 is the program counter (PC)

Background
WinCE
– Slot-based virtual memory design
  32-bit addressing, 4 GB address space
  Divided into 32 MB slots
  Slot 0 is mapped to the "currently executing" process
  33 slots used for user processes (including slot 0)
  1 slot for DLLs
  Other slots used for the kernel
– Memory protection exists (claimed by C. Mulliner)

Background
WinCE
– Processes
  Basically no thread limit (by C. Mulliner)
  All processes share the same 4 GB virtual address space
  Only a few slots can be accessed by a given process
– XIP DLLs (eXecute In Place DLLs, in ROM)
  Function addresses are always the same (by C. Mulliner)

Background
C programming on WinCE
– Dangerous string manipulation functions: strcpy, strcat, sscanf, etc.
– Execution flow control variable in the stack
  LR is designed for resuming execution at the return address when a subroutine call finishes (mov pc, lr)
  – Hard to change the execution flow
  Actually, in our test program, saving the return address on the stack is still used on WinCE: when a further subroutine call is issued, the current LR needs to be saved on the stack
  The saved return address is then loaded directly into PC (ldr pc, [sp], #4)
  – Buffer overflow vulnerabilities may exist!

Programming
Memory analysis program
– Show the address of global variables: 0x000140dc (slot 0)
– Show the address of local variables in the stack: 0x??07fe7c (device), 0x1807fe7c (emulator); a different slot
– Show the start address of function exectest(): 0x (slot 0)
– Show the address of function MessageBoxW: 0x03f7f720 (fixed in slot 1)

Programming
Execution flow redirection testing
– By directly rewriting the guessed memory address of the first local variable plus offsets
– The new redirected address points to a statically linked target procedure in the code segment, because information is still missing about:
  Execution in the stack
  Execution in global data
  Execution among an unknown memory layout

Programming
Code and result

Programming
Simple MessageBox pop-up shellcode
– Call MessageBoxW(0,0,0,0) by directly issuing a function pointer call to 0x03f7f720:
  ((int(*)(DWORD, DWORD, DWORD, DWORD))(0x3f7f720))(0,0,0,0);
  (thanks to 怡群)
– 32 bytes, 8 instructions:
  "\x00\x30\xa0\xe3"  mov r3, #0
  "\x00\x20\xa0\xe3"  mov r2, #0
  "\x00\x10\xa0\xe3"  mov r1, #0
  "\x00\x00\xa0\xe3"  mov r0, #0
  "\xfe\x47\xa0\xe3"  mov r4, #0xFE, 14       ; r4 = 0x03F80000
  "\x8e\x4e\x44\xe2"  sub r4, r4, #0x8E, 28   ; r4 = 0x03F7F720 (MessageBoxW)
  "\x0f\xe0\xa0\xe1"  mov lr, pc
  "\x04\xf0\xa0\xe1"  mov pc, r4
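The two-instruction construction of the MessageBoxW address above (a rotated 8-bit immediate, then a subtraction) is easy to verify by decoding the bytes. The C program below is an added example, not code from the slides: it embeds the slide's 32 shellcode bytes, decodes the ARM rotated-immediate form, and steps through the eight instructions with a toy interpreter (an assumption of this example, supporting only the MOV/SUB forms the shellcode uses) to confirm that r0..r3 are zero, that r4 and then PC become 0x03F7F720, and that LR ends up pointing just past the shellcode, which is where MessageBoxW returns. The load address 0x00014000 is a constructed value, not one measured on the device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* The eight ARM instruction words of the slide's MessageBox shellcode,
   in little-endian byte order exactly as listed on the slide. */
static const unsigned char shellcode[32] = {
    0x00, 0x30, 0xa0, 0xe3,   /* mov r3, #0 */
    0x00, 0x20, 0xa0, 0xe3,   /* mov r2, #0 */
    0x00, 0x10, 0xa0, 0xe3,   /* mov r1, #0 */
    0x00, 0x00, 0xa0, 0xe3,   /* mov r0, #0 */
    0xfe, 0x47, 0xa0, 0xe3,   /* mov r4, #0xFE ror 14    -> 0x03F80000 */
    0x8e, 0x4e, 0x44, 0xe2,   /* sub r4, r4, #0x8E ror 28 -> 0x03F7F720 */
    0x0f, 0xe0, 0xa0, 0xe1,   /* mov lr, pc */
    0x04, 0xf0, 0xa0, 0xe1    /* mov pc, r4 */
};

typedef struct {
    uint32_t r[16];           /* r13 = SP, r14 = LR, r15 = PC */
} arm_regs;

/* Read one little-endian 32-bit instruction word at byte offset off. */
uint32_t arm_word(const unsigned char *p, size_t off)
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* Decode an ARM data-processing immediate: an 8-bit value rotated right by
   twice the 4-bit rotate field. This is why a full 32-bit address such as
   0x03F7F720 needs two instructions (mov, then sub) to build. */
uint32_t arm_imm(uint32_t insn)
{
    uint32_t imm8 = insn & 0xffu;
    uint32_t rot = ((insn >> 8) & 0xfu) * 2;
    return rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
}

/* Toy interpreter (an assumption of this example, not a real ARM model): handles
   only unconditional MOV/SUB with an immediate or unshifted register operand,
   which is all the shellcode uses. Returns 1 if executed, 0 if unsupported. */
int arm_step(arm_regs *st, uint32_t insn)
{
    if ((insn >> 28) != 0xeu) return 0;              /* condition must be AL */
    if (((insn >> 26) & 3u) != 0) return 0;          /* data-processing class only */
    uint32_t opcode = (insn >> 21) & 0xfu;
    uint32_t rn = (insn >> 16) & 0xfu;
    uint32_t rd = (insn >> 12) & 0xfu;
    uint32_t op2;
    if (insn & (1u << 25)) {
        op2 = arm_imm(insn);                         /* immediate operand */
    } else {
        if ((insn >> 4) & 0xffu) return 0;           /* shifted registers not handled */
        uint32_t rm = insn & 0xfu;
        /* Reading PC as an operand yields the current instruction address + 8. */
        op2 = (rm == 15) ? st->r[15] + 8 : st->r[rm];
    }
    uint32_t result;
    if (opcode == 0xdu)      result = op2;               /* MOV */
    else if (opcode == 0x2u) result = st->r[rn] - op2;   /* SUB */
    else return 0;
    st->r[rd] = result;
    if (rd != 15) st->r[15] += 4;                        /* writing PC is a branch */
    return 1;
}

/* Run the shellcode as if loaded at base until PC leaves the 32-byte region.
   Returns the number of instructions executed, or -1 on an unsupported one. */
int run_shellcode(arm_regs *st, uint32_t base)
{
    int n = 0;
    for (int i = 0; i < 16; i++) st->r[i] = 0;
    st->r[15] = base;
    while (st->r[15] >= base && st->r[15] < base + sizeof shellcode) {
        if (!arm_step(st, arm_word(shellcode, st->r[15] - base))) return -1;
        n++;
    }
    return n;
}

/* Where control goes when the shellcode finishes (the called function). */
uint32_t shellcode_branch_target(uint32_t base)
{
    arm_regs st;
    run_shellcode(&st, base);
    return st.r[15];
}

/* Where the called function will return to (LR set by "mov lr, pc"). */
uint32_t shellcode_return_address(uint32_t base)
{
    arm_regs st;
    run_shellcode(&st, base);
    return st.r[14];
}

int main(void)
{
    arm_regs st;
    uint32_t base = 0x00014000u;   /* constructed load address, not from the slides */
    int n = run_shellcode(&st, base);
    printf("executed %d instructions\n", n);
    printf("r0..r3 = %" PRIu32 " %" PRIu32 " %" PRIu32 " %" PRIu32 " (MessageBoxW arguments)\n",
           st.r[0], st.r[1], st.r[2], st.r[3]);
    printf("branch target (pc) = 0x%08" PRIx32 "\n", st.r[15]);
    printf("return address (lr) = 0x%08" PRIx32 " (base + 32, just after the shellcode)\n", st.r[14]);
    return 0;
}
```

Compile with `cc -std=c99 decode.c`. The interesting line is the LR value: because reading PC returns the address of the current instruction plus 8, `mov lr, pc` executed at offset 24 stores base + 32, so the `mov pc, r4` that follows behaves like a call whose return lands immediately after the 32-byte block. An analyst triaging a captured buffer can use the same decoder to recover the intended call target from the immediate pair without running anything on a device.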

Programming
According to the results of the analysis so far and the finished shellcode, we can write a test program on our HTC Touch phone:
– To test executing shellcode in the global data area
– To test executing shellcode in the stack
Both executions are launched by rewriting the return address in the stack.

Programming
Code: execution in global data area

Programming
Code: execution in stack

Evaluation and Discussion
Injected instructions in the stack
– Success (emulator)
– Failed (device)
Injected instructions in global data
– Success

Evaluation and Discussion
Executing in the stack failed
– Instruction cache?
  Global data is much closer to the code segment (which consists of instructions) than local variables in the stack are
  Therefore, global data may be cached in the instruction cache along with other instructions (just guessing...)
– Address range? Any execution limitation on the program counter?
– Other possible execution limitations that cause such a failure
Found GS function on WinCE
– __security_check_cookie
– I will test it in the future

Evaluation and Discussion
Programs on the ARM-based WinCE platform
– Extremely similar layout between the emulator and the HTC device
– No variation of the layout when re-executing the program
– Easy to determine the addresses of functions within XIP DLLs, which do not change (ROM)
– By default, the GS function always protects our execution flow: the control variable in the stack cannot be changed by a maliciously crafted attack string
  Good for security
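The Background slide explains that the saved LR sits in the stack frame and is reloaded by `ldr pc, [sp], #4`, and the slide above adds that the GS cookie checked by __security_check_cookie stops a crafted string from changing it. The C program below is an added example, not code from the presentation or from Microsoft's CRT: it models the frame as a byte array (local buffer, then cookie, then saved LR, an assumed ordering) and runs an unbounded strcpy-style copy beside a bounded one, with and without the cookie check, so the three outcomes described on the slides can be compared directly: silent return-address overwrite, overwrite caught by the cookie before the return, and no overwrite at all. The cookie value, the saved return address and the input strings are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Byte model of a callee frame as the slides describe it: a local char buffer at
   the lowest address, then (with /GS) the security cookie, then the saved LR that
   "ldr pc, [sp], #4" reloads into PC at return. The ordering is an assumption for
   this example; real layouts depend on the compiler. */
#define BUF_SIZE   16
#define COOKIE_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (BUF_SIZE + 8)

static const uint32_t SECURITY_COOKIE = 0xBB40E64Eu; /* constructed; real cookies are per process */
static const uint32_t ORIG_RETURN     = 0x00011234u; /* constructed saved LR value */

typedef struct {
    int      cookie_ok;   /* 1 if __security_check_cookie would pass */
    uint32_t ret;         /* value the epilogue would load into PC */
    int      truncated;   /* 1 if the bounded copy had to cut the input */
} frame_result;

static void store_le(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static uint32_t load_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Prologue: zero the buffer, place the cookie, save the return address. */
static void init_frame(unsigned char *frame)
{
    memset(frame, 0, FRAME_SIZE);
    store_le(frame + COOKIE_OFF, SECURITY_COOKIE);
    store_le(frame + RET_OFF, ORIG_RETURN);
}

/* strcpy-style copy with no bound check on the buffer: it keeps writing past
   BUF_SIZE into the cookie and saved-LR slots. (Capped at the model frame only
   so that the simulation itself stays well defined.) */
static void unbounded_copy(unsigned char *frame, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && i < FRAME_SIZE) { frame[i] = (unsigned char)src[i]; i++; }
    if (i < FRAME_SIZE) frame[i] = '\0';
}

/* Bounded replacement: never writes beyond the buffer and always terminates. */
static int bounded_copy(unsigned char *frame, const char *src)
{
    size_t n = strlen(src);
    int truncated = n >= BUF_SIZE;
    if (truncated) n = BUF_SIZE - 1;
    memcpy(frame, src, n);
    frame[n] = '\0';
    return truncated;
}

/* Simulate one call of the vulnerable function on `input`, then its epilogue:
   the cookie check (if GS is on) followed by the load of the saved return address. */
frame_result simulate_call(const char *input, int gs_enabled, int use_bounded_copy)
{
    unsigned char frame[FRAME_SIZE];
    frame_result r = { 1, 0, 0 };
    init_frame(frame);
    if (use_bounded_copy) r.truncated = bounded_copy(frame, input);
    else                  unbounded_copy(frame, input);
    if (gs_enabled)
        r.cookie_ok = (load_le(frame + COOKIE_OFF) == SECURITY_COOKIE);
    r.ret = load_le(frame + RET_OFF);
    return r;
}

/* 1 if the value that would reach PC differs from the saved LR. */
int return_address_hijacked(frame_result r)
{
    return r.ret != ORIG_RETURN;
}

int main(void)
{
    /* Constructed inputs: one that fits, one 24 bytes long (16 + 4 + 4). */
    const char *ok_input  = "hello";
    const char *bad_input = "AAAAAAAAAAAAAAAABBBBCCCC";
    frame_result a = simulate_call(ok_input,  1, 0);
    frame_result b = simulate_call(bad_input, 0, 0);
    frame_result c = simulate_call(bad_input, 1, 0);
    frame_result d = simulate_call(bad_input, 1, 1);
    printf("short input, GS on      : cookie_ok=%d ret=0x%08" PRIx32 " hijacked=%d\n",
           a.cookie_ok, a.ret, return_address_hijacked(a));
    printf("long input, no GS       : cookie_ok=%d ret=0x%08" PRIx32 " hijacked=%d\n",
           b.cookie_ok, b.ret, return_address_hijacked(b));
    printf("long input, GS on       : cookie_ok=%d ret=0x%08" PRIx32 " hijacked=%d (caught before return)\n",
           c.cookie_ok, c.ret, return_address_hijacked(c));
    printf("long input, bounded copy: cookie_ok=%d ret=0x%08" PRIx32 " truncated=%d\n",
           d.cookie_ok, d.ret, d.truncated);
    return 0;
}
```

The "long input, no GS" line is the case the slides call dangerous: the saved LR slot now holds 0x43434343 and the epilogue would load it straight into PC. With GS on, the cookie slot reads 0x42424242 instead of the expected value, so __security_check_cookie fails before the return is ever taken; the overwrite still happened, it just cannot be used. Only the bounded copy leaves both the cookie and the return address untouched, which is why fixing the copy (not relying on the cookie alone) is the durable mitigation.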

Evaluation and Discussion
Programs on the ARM-based WinCE platform
– Once programs are compiled without GS on,
– Once execution control variables can be changed through buffer overflow vulnerabilities,
– Once there is at least one large enough writable global data space, especially a string (because of XIP DLLs, this may not even be necessary),
– We infer that such a program on a device is in danger of being compromised

Future work
Vulnerable program threat analysis
– How likely it is that an attacker can change the value of the control variable in the stack
– GS function
Working attack execution
– Execution in global data
– Execution by repeated calls within XIP DLLs
Complete proof of concept
– A vulnerable program: a buffer overflow vulnerable program on the HTC Touch phone
– A classic attack string: a maliciously crafted attack string
– A practical compromise: download and execution, etc.

Conclusion
Introduction of ARM register usage and its operation during subroutine calls
WinCE memory layout analysis on the emulator and the HTC Touch
Practical shellcode programming on ARM
Practical shellcode execution on the HTC Touch
GS function found