Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security

Published byJessie Sutton Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Information Security"— Presentation transcript:

1 Introduction to Information Security
ROP – Recitation 5 nirkrako at post.tau.ac.il infosec15.course at gmail.com

2 Return Oriented Programming
Return oriented programming is a different way to control the flow of EIP in a program Motivation: Write or Execute: as a result of overflows, the first prevention technique is to make: Executable memory segments read-only Writeable memory segments Non-Executable. They become mutually exclusive Most slides in this presentation were taken as is from: Return-oriented Programming: Exploitation without Code Injection By Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham from the University of California, San Diego

3

4 Getting started We need control of memory around %esp
Option #1- Rewrite stack: Buffer overflow on stack Format string vuln to rewrite stack contents Other Option #2 - Move stack: Overwrite saved frame pointer on stack; on leave/ret, move %esp to area under attacker control Overflow (heap) function pointer to a register spring for %esp: set or modify %esp from an attacker-controlled register then return

5 Schematic: return to libc
Control hijacking without executing code stack libc.so args ret-addr exec() sfp printf() local buf “/bin/sh” NX wasted effort?

6 Return to libc Stack progress trace

7 Questions ?

8 Buckle up!

9 Returning to Code Chunks (aka Gadgets)
Instead of working with small “opcodes” and %eip, we now use larger chunks of code and %esp All the “larger chunks” do multiple register manipulations, and we must consider the effect of all of them. Not everything we want is possible directly, so we have to be creative and work around the problem. We are effectively using a new ‘language’ to code. In case you are wondering: Its Turing complete.

10 Chunk guidelines All chunk ends with 0xc3 (opcode byte for RET)
Chunks should be as minimal as possible, containing minimum amount of data Chunks are better if they appear in more “stable” and common libraries such as: libc. (and can then be reused for different binaries). Chunks can not contain Junks. If the CPU can not interpret the junk in the chunk, it will stop the program with illegal instruction exception.

11 ROP – Machine level Stack pointer (%esp) determines which instruction
sequence to fetch & execute Processor doesn’t automatically increment %esp; — but the “ret” at end of each instruction sequence does

12 No-op equivalent No-op instruction does nothing but advance %eip
Return-oriented equivalent: point to return instruction advances %esp Useful in nop sled

13 Loading Immediates Instructions can encode constants
Return-oriented equivalent: Store on the stack; Pop into register to use

14 Control flow Ordinary programming: Return-oriented equivalent:
(Conditionally) set %eip to new value Return-oriented equivalent: (Conditionally) set %esp to new value

15 Multiple instruction sequence
Sometimes more than one instruction sequence needed to encode logical unit Example: load from memory into register: Load address of source word into %eax Load memory at (%eax) into %ebx

16 Conditional Jump #0 Negative causes the carry flag to be turn on.
Carry flag can be used in conjunction with ADC.

17 Conditional Jump #1 ADDR TO: XOR EAX,EAX ; RET ADDR TO: POP ECX ; RET
DWORD 0 ADDR TO: ADC CL, AL ; RET ADDR TO: ROL ECX, 1; RET ADDR TO: XCHG EAX, ECX ; RET ADDR TO: ADD ESP, EAX ; RET. ADDR TO: POP ESP ; RET # Go somewhere else. ADDR TO: EXIT

18 Gadget summary We can write complex shellcode by returning to relevant gadgets. All gadgets end with ret. (0xc3) Gadgets can not contain junk (everything must be interpretable) “JMP” is analogous to finding code that modifies the ESP. We don’t have to maintain the original alignment of code (on x86). Example: MOV EAX, 0x5DC3 This is interpreted into: B8 5D C3 However, POP EBP RETN This is interpreted into: 5D C3 Using rop_ptrace.py we debug the executable and are able to locate relevant gadgets To have we everything flowing correctly and make sure we are aware of where ESP and EIP are pointing to at all times.

19 Infosec ROP Tools ./rop_ptrace.py ./memmap.py ./disas_at_va.py

20 ./rop_ptrace.py ./rop_ptrace.py
Usage: ./rop_ptrace.py [filename] [depth] “OPCODE” rop_ptrace.py helps you by loading the binary into memory, therefore causing the creation of all linked shared objects (SO). The list of libraries can also be shown via shell command ‘ldd filename’. After loading the binary and waiting for the SOs to load it will search for code chunks ending with ROP and then look back until [depth] bytes. rop_ptrace.py then codes and disassembles the chunk rop_ptrace.py uses distorm3 to disassemble and python-ptrace library to debug the executable.

21 ./rop_ptrace.py cont. [rop_ptrace.py example]

22 ./memmap.py Usage: ./memmap.py [filename]
Prints the libraries, memories mapped to, and their permissions. Usage: ./memmap.py [filename] [string] Attempts to locate the string within the mapped memory sections. memmap.py uses python-ptrace

23 ./memmap.py cont. [memmap.py example]

24 ./disas_at_va.py cont. disas_at_va.py [filename] [va] [length]
Disassembles [length] number of bytes at virtual address [va] after loading the binary [filename] to memory. Uses python-ptrace and distorm3.

Download ppt "Introduction to Information Security"

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Exploitation possibilities of memory related vulnerabilities

Exploitation possibilities of memory related vulnerabilities

Similar presentations

Ads by Google