1 / 23

CS457 – Introduction to Information Systems Security Software 3

CS457 – Introduction to Information Systems Security Software 3. Elias Athanasopoulos elathan@ics.forth.gr. Software Exploitation – High Level. Exploit Code. HACKED. Vulnerable Software (e.g., web browser). Input (malicious web page). Renders malicious page. Introduce new control flows.

laura-solomon
Télécharger la présentation

CS457 – Introduction to Information Systems Security Software 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS457 – Introduction to Information Systems SecuritySoftware 3 Elias Athanasopoulos elathan@ics.forth.gr

  2. Software Exploitation – High Level Exploit Code HACKED Vulnerable Software (e.g., web browser) Input (malicious web page) Renders malicious page Introduce new control flows Exploit Runs Collect Gadgets Build ROP Chain Exec ROP Chain Elias Athanasopoulos

  3. How the ROP chain works? –use esp as the instruction pointer TEXT Section (Code) ROP Chain Addr. of G1 G2; ret Addr. of G2 GN; ret Addr. of G3 G1; ret Addr. of GN G3; ret Elias Athanasopoulos

  4. Heap Overflows Attacker does NOT control the stack! Jump to Gadget Vulnerability (VTableptr) …; ret Stack Heap Data Text (*)f() G1 High Address Low Address Elias Athanasopoulos

  5. Stack Pivoting Execute the rest of the ROP chain Force %esp to point to heap Jump to Gadget Stack Pivoting Vulnerability (VTableptr) xchg %eax,%esp; ret Stack Heap Data Text (*)f() G1 High Address Low Address Elias Athanasopoulos

  6. Defending ROP Elias Athanasopoulos

  7. Randomization • ASLR • Address Space Layout Randomization • Fine-grained Randomization • Smashing the gadgets • Binary Stirring Elias Athanasopoulos

  8. ASLR (demo) Elias Athanasopoulos

  9. Fine-grained Randomization • Shuffle instructions, without changing the semantics Elias Athanasopoulos

  10. Information Disclosure Bugs • String formatting bugs intmain() { charlocalStr[100]; printf("Username? "); fgets(localStr, sizeof(localStr), stdin); printf(localStr); printf("What is the access code? "); … } localStr= "AAAA %08x %08x %08x"; Elias Athanasopoulos

  11. Just-in-time ROP Elias Athanasopoulos

  12. Control-Flow Integrity (CFI) Elias Athanasopoulos

  13. Ideal CFI Two problems: CFG discovery (especially in legacy apps) Performance in checks Elias Athanasopoulos

  14. Coarse-grained (loose) CFI Elias Athanasopoulos

  15. Gadgets under CFI Elias Athanasopoulos

  16. Linking Gadgets under CFI Elias Athanasopoulos

  17. Exploitation under CFI Elias Athanasopoulos

  18. Run-time ROP detection (kBouncer) Elias Athanasopoulos

  19. kBouncer Elias Athanasopoulos

  20. kBouncer Checks • call-ret pairing • Coarse-grained CFI • Heuristics • Up to 20 instructions is considered a gadget • 6 gadgets in a row is considered an attack Elias Athanasopoulos

  21. kBouncer Heuristics Elias Athanasopoulos

  22. Bypassing kBouncer Elias Athanasopoulos

  23. kBouncer bypass PoC Elias Athanasopoulos

More Related