CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos


1 CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos elathan@ics.forth.gr

2 More Jargon
- Vulnerability type
  - Stack overflow, heap overflow, integer overflow, use-after-free, formatting bug
- Vulnerability scope
  - Kernel/user, local/remote
- Exploit type
  - Code execution, privilege escalation, DoS
CS-457 Elias Athanasopoulos 2

3 Stack Buffer Overflow
[Diagram: a stack frame with Ret Address, Local Var. and Vulnerable Buffer; after the overflow the frame holds NEW RET, Shellcode and a Sled in place of the original values]

4 Defense 1
[Diagram: the same stack frame (Ret Address, Local Var., Vulnerable Buffer) before and after adding a Canary (a random value), placed so that an overflow of the Vulnerable Buffer must overwrite the Canary before it reaches the Ret Address]

5 Canary Values (stack canaries)
- Produced by the compiler
- Checked at run-time
- Can be disclosed
- Can be brute-forced
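As an added example (not from the slides), here is a C model of the compiler-inserted canary from slides 4 and 5: a simulated frame with the guard between the local buffer and the saved return address, a guard derived from constructed seed bytes with its low byte forced to zero, and the epilogue check that detects an overflow of the buffer. The struct layout and the functions make_canary and copy_then_check are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated frame laid out as on the slide: the guard sits between the
   local buffer and the saved return address. Using a struct keeps the
   demonstration free of undefined behaviour. */
struct frame {
    char     buf[16];   /* vulnerable local buffer */
    uint64_t canary;    /* random guard written in the prologue */
    uint64_t ret_addr;  /* saved return address */
};

/* Derive a guard value from seed bytes (constructed here; a real runtime
   takes them from the OS random source). The low byte is forced to zero
   so that a NUL-terminated string copy cannot reproduce the value. */
uint64_t make_canary(const unsigned char seed[8]) {
    uint64_t c = 0;
    for (int i = 0; i < 8; i++)
        c |= (uint64_t)seed[i] << (8 * i);
    return c & ~(uint64_t)0xff;
}

/* Model an unchecked copy of n bytes into buf (the defect), then run the
   epilogue check. Returns 1 if the guard survived, 0 if the overflow
   reached it (a real program would abort here instead of returning). */
int copy_then_check(const unsigned char *input, size_t n, uint64_t canary) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = canary;
    f.ret_addr = 0x401000;           /* constructed placeholder address */
    if (n > sizeof f) n = sizeof f;  /* keep the model inside the frame */
    memcpy(&f, input, n);            /* no bounds check on buf */
    return f.canary == canary;       /* the compiler-inserted check */
}

int main(void) {
    const unsigned char seed[8] = {0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x18, 0x7f};
    uint64_t c = make_canary(seed);
    unsigned char ok[10], bad[24];
    memset(ok, 'A', sizeof ok);      /* fits in buf */
    memset(bad, 'A', sizeof bad);    /* 8 bytes past buf: clobbers the guard */
    printf("short input: canary %s\n", copy_then_check(ok, sizeof ok, c) ? "intact" : "smashed");
    printf("long input:  canary %s\n", copy_then_check(bad, sizeof bad, c) ? "intact" : "smashed");
    return 0;
}
```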

6 Defense 2
[Diagram: the stack frame (Ret Address, Local Var., Vulnerable Buffer) beside the process memory layout from High Address to Low Address: Stack, Heap, Data, Text; the Text segment is marked Executable, and the Stack is marked "Executable?"]

7 NX-bit
- Non-Executable bit
- Data Execution Prevention (DEP)
- W xor X
  - A page can be either Writable or Executable, not both
- Enforced in the MMU
  - Most modern CPUs support this (Intel, ARM, etc.)

8 Limitations of NX-bit
- JIT and dynamic code
  - Web browsers

9 [image-only slide]

10 Return to libc
[Diagram: a non-executable Stack with RET and Vulnerable Buffer; after the overflow, RET points at (*f)() in libc code, e.g. execve("/bin/sh", ...)]

11 Return Oriented Programming (ROP)
[Three disassembly excerpts from main shown on the slide; the labels Gadget 1, Gadget 2 and Gadget 3 mark ret-terminated instruction sequences inside existing code]

mov (%rcx),%rbx
test %rbx,%rbx
je 41c523 <main+0x803>
mov %rbx,%rdi
callq 42ab00
mov %rax,0x2cda9d(%rip)
cmpb $0x2d,(%rbx)
je 41c4ac <main+0x78c>
mov 0x2cda8d(%rip),%rax
ret
test %rbx,%rbx
mov $0x4ab054,%eax
cmove %rax,%rbx
mov %rbx,0x2cda6a(%rip)
test %rdi,%rdi
je 41c0c2 <main+0x3a2>
mov $0x63b,%edx
mov $0x4ab01d,%esi
callq 46cab0 <sh_xfree>
ret

mov %rax,0x2d2945(%rip)
mov 0x2cda16(%rip),%rax
test %rax,%rax
je 41c112 <main+0x3f2>
movzbl (%rax),%edx
callq 41b640 <time@plt>
mov 0xb8(%rsp),%r15d
cmp 0xc(%rsp),%r15d
mov %rax,0x2d2670(%rip)
je 41c214 <main+0x4f4>
xchg %ax,%ax
mov (%rsp),%rdx
movslq %r15d,%rax
mov (%rdx,%rax,8),%r14
ret
je 41c214 <main+0x4f4>
cmpb $0x2d,(%r14)
jne 41c214 <main+0x4f4>
movzbl 0x1(%r14),%r12d
movl $0x0,0x18(%rsp)

je 41c440 <main+0x720>
xor %ebp,%ebp
mov $0x4c223a,%ebx
add $0x1,%r14
jmp 41c1a3 <main+0x483>
cmp (%rbx),%r12b
mov %ebp,%r13d
jne 41c188 <main+0x468>
mov %rbx,%rsi
test %eax,%eax
xchg %ax,%ax
jne 41c188 <main+0x468>
movslq %ebp,%rax
ret
cmpl $0x1,0x4ab3c8(%rax)
je 41c461 <main+0x741>
mov (%rsp),%rcx
add $0x1,%r15d
movslq %r15d,%rdx
mov (%rcx,%rdx,8),%rdx

Gadget 1, Gadget 2, Gadget 3

12 ROP in action
[Diagram: a non-executable Stack with RET, Vulnerable Buffer and (*f)(); after the overflow the buffer holds a ROP Chain in place of (*f)(), and the stack serves as a Virtual Stack]

13 How does the ROP chain work?
- use esp as the instruction pointer
[Diagram: the ROP Chain on the stack (Addr. of G1, Addr. of G2, Addr. of G3, up to Addr. of GN) pointing into the TEXT Section (Code), where each gadget is an instruction sequence ending in ret: G1; ret, G2; ret, G3; ret, up to GN; ret]

