Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Operating Systems Lesson 0x12h: Return to User.

Published byRylee Dunston Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Operating Systems Lesson 0x12h: Return to User."— Presentation transcript:

1 Secure Operating Systems Lesson 0x12h: Return to User

2 Where are we?  Done! Yay! Code Complete!  But there’s always more  So, let’s look at a new trend in OS exploitation: ret2usr

3 Exploiting the Kernel  When we exploit the kernel, it can be hard to actually gain control  In particular, NULL pointer dereference has often been thought of as unexploitable… Fortunately (?) that’s not true: return to user!!!

4 Underlying Vuln  Think about memory layout for a little bit…  Right… the kernel can still write to user space (any part of user space)  This means that ‘nuisance’ attacks like NULL pointer dereference can be deadly in Kernel space (i.e. deadly == not just a DoS attack)

5 What happens…  Imagine we can get a struct inside the kernel to be dereferenced, and this struct contains a function pointer which the kernel will use…  Boom! The pointer is now in memory which is valid in user mode (somewhere around – x000000nn, typically)  Aside: this is really confused deputy all over again

6 Example Exploit  Let’s look at the step-by-step vuln in the paper…  Discussion: turtles all the way down?

7 SMEP  Supervisor Mode Execution Prevention Prevent code execution of user-mode code page in CPL=0 Note: does not prevent modification (read and write) Does not raise a #GP but a #PF Can use kernel mode ROP to avoid this…

8 Questions & Comments  What do you want to know?

Download ppt "Secure Operating Systems Lesson 0x12h: Return to User."

Similar presentations

Secure Operating Systems Lesson 9: Multics. Where are we?  We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very.

Secure Operating Systems Lesson 9: Multics. Where are we?  We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very.
Secure Operating Systems Lesson 10: SCOMP. Where are we?  Multics is busy being explored, which is kind of cool…  But Multics wasn’t the end of custom.

Secure Operating Systems Lesson 10: SCOMP. Where are we?  Multics is busy being explored, which is kind of cool…  But Multics wasn’t the end of custom.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
1 A Real Problem  What if you wanted to run a program that needs more memory than you have?

1 A Real Problem  What if you wanted to run a program that needs more memory than you have?
January 2010 Boston Area Windows Server User Group Tim Mangan Kahuna, TMurgent Technologies.

January 2010 Boston Area Windows Server User Group Tim Mangan Kahuna, TMurgent Technologies.
Software-based Code Attestation for Wireless Sensors.

Software-based Code Attestation for Wireless Sensors.
1 Pointers A pointer variable holds an address We may add or subtract an integer to get a different address. Adding an integer k to a pointer p with base.

1 Pointers A pointer variable holds an address We may add or subtract an integer to get a different address. Adding an integer k to a pointer p with base.
CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.

CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.
Starting Out with C++: Early Objects 5/e © 2006 Pearson Education. All Rights Reserved Starting Out with C++: Early Objects 5 th Edition Chapter 5 Looping.

Starting Out with C++: Early Objects 5/e © 2006 Pearson Education. All Rights Reserved Starting Out with C++: Early Objects 5 th Edition Chapter 5 Looping.
Pointers “Absolute C++” Section 10.1

Pointers “Absolute C++” Section 10.1
CE6105 Linux 作業系統 Linux Operating System 許 富 皓. Chapter 2 Memory Addressing.

CE6105 Linux 作業系統 Linux Operating System 許 富 皓. Chapter 2 Memory Addressing.
CS 140 Lecture Notes: Virtual MemorySlide 1 Load-Time Relocation Process 1 0 ∞ Process 3 Operating System Process 6.

CS 140 Lecture Notes: Virtual MemorySlide 1 Load-Time Relocation Process 1 0 ∞ Process 3 Operating System Process 6.
Process Description and Control A process is sometimes called a task, it is a program in execution.

Process Description and Control A process is sometimes called a task, it is a program in execution.
OS Organization. OS Requirements Provide resource abstractions –Process abstraction of CPU/memory use Address space Concurrency Thread abstraction of.

OS Organization. OS Requirements Provide resource abstractions –Process abstraction of CPU/memory use Address space Concurrency Thread abstraction of.
CH12 CPU Structure and Function

CH12 CPU Structure and Function
Factorial Calculator and Debug Mode Slides: tures/Eclipse.pdf

Factorial Calculator and Debug Mode Slides: tures/Eclipse.pdf
Host and Application Security Lesson 4: The Win32 Boot Process.

Host and Application Security Lesson 4: The Win32 Boot Process.
Secure Operating Systems Lesson B: Let’s go break something.

Secure Operating Systems Lesson B: Let’s go break something.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

Similar presentations

Ads by Google