Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security

Published byRachel Shepherd Modified over 5 years ago

Similar presentations

Presentation on theme: "Introduction to Information Security"— Presentation transcript:

1 Introduction to Information Security
ROP

2 Return Oriented Programming
Return oriented programming is a different way to control the flow of EIP in a program Motivation: Write or Execute: as a result of overflows, the first prevention technique is to make: Executable memory segments read-only Writeable memory segments Non-Executable. Most slides in this presentation were taken as is from: Return-oriented Programming: Exploitation without Code Injection By Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham from the University of California, San Diego

3 Getting started Need control of memory around %esp Rewrite stack:
Buffer overflow on stack Format string vuln to rewrite stack contents Move stack: Overwrite saved frame pointer on stack; on leave/ret, move %esp to area under attacker control Overflow function pointer to a register spring for %esp: set or modify %esp from an attacker-controlled register then return

4 Schematic: return to libc
Control hijacking without executing code stack libc.so args ret-addr exec() sfp printf() NX wasted effort? local buf “/bin/sh”

5 Principals of ROP Instruction pointer (%eip) determines which instruction to fetch & execute Once processor has executed the instruction, it automatically increments %eip to next instruction Control flow by changing value of %eip

6 ROP – Machine level Stack pointer (%esp) determines which instruction
sequence to fetch & execute Processor doesn’t automatically increment %esp; — but the “ret” at end of each instruction sequence does

7 No-op equivalent No-op instruction does nothing but advance %eip
Return-oriented equivalent: point to return instruction advances %esp Useful in nop sled

8 Loading Immediates Instructions can encode constants
Return-oriented equivalent: Store on the stack; Pop into register to use

9 Control flow Ordinary programming: Return-oriented equivalent:
(Conditionally) set %eip to new value Return-oriented equivalent: (Conditionally) set %esp to new value

10 Multiple instruction sequence
Sometimes more than one instruction sequence needed to encode logical unit Example: load from memory into register: Load address of source word into %eax Load memory at (%eax) into %ebx

11 Return to code chunk Write complex shellcode by returning to relevant code chunks in memory where code that meets our needs exists. All code must end with ret. (0xc3) We can create loops by finding code that modifies the stack pointer. We don’t have to maintain the original alignment of code

12 Code chunk example mov eax, 0x5dc3 This is interpreted into: B8 5D C3
POP EBP RETN This is interpreted into: 5D C3 We can use binary search to identify where the shellcode we want exists

13 Code chunks We can find them in any of the libraries that are loaded in the binary Any memory area that is executable is kosher. We only need to find memory chunks that end in 0xc3 We need to verify that everything is interpretable until the 0xc3 The best way to find them, is to compile the commands we need into binary and search for them.

Download ppt "Introduction to Information Security"

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Calling sequence ESP.

Calling sequence ESP.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin

Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.

English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.

Similar presentations

Ads by Google