Practical taint analysis for protecting buggy binaries
|
|
- Marjory Welch
- 8 years ago
- Views:
Transcription
1 Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org>
2 Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2
3 Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2 SHELLCODE!@#$%^&*()_&buf
4 Address Space Layout Randomisation (ASLR) buf[16] GET / HTTP/1.100baseretnarg1arg2 SHELLCODE!@#$%^&*()_????
5 Stack Canaries buf[16] GET / HTTP/1.100 baseretnarg1
6 Stack Canaries buf[16] GET / HTTP/1.100 baseretnarg1 SHELLCODE!@#$%^&*()_!@#%&buf
7 buf[16] Non-executable data (DEP / NX) GET / HTTP/1.100baseretnarg1arg2 SHELLCODE!@#$%^&*()_&buf
8 Fortify Source char buf[16]; memcpy(buf, r->buf, r->len); GET / HTTP/1.100baseretnarg1arg2 sh;stacksmasheraaaaaaaaaaaaaaaaa
9 Fortify Source char buf[16]; memcpy(buf, r->buf, r->len); GET / HTTP/1.100baseretnarg1arg2 char buf[16]; memcpy_chk(buf, r->buf, r->len, 16); sh;stacksmasheraaaaaaaaaaaaaaaaa
10 *** buffer overflow detected ***: /my/fortified/binary terminated ======= Backtrace: ========= /lib/i386-linux-gnu/i686/cmov/libc.so.6( fortify_fail+0x50)[0xb774a4d0] /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xe040a)[0xb774940a] /my/fortified/binary[0x ] /lib/i386-linux-gnu/i686/cmov/libc.so.6( libc_start_main+0xe6)[0xb767fe46] /my/fortified/binary[0x ] ======= Memory map: ======== r-xp fe: /my/fortified/binary a000 rw-p fe: /my/fortified/binary rw-p :00 0 [heap] b764b000-b r-xp fe: /lib/i386-linux-gnu/libgcc_s.so.1 b b rw-p 0001b000 fe: /lib/i386-linux-gnu/libgcc_s.so.1 b b rw-p : Aborted
11
12 buf[16] Return Oriented Programming (ROP) GET / HTTP/1.100baseretnarg1arg2 sh;stacksmasher...rop1rop2var1 pointer to useful code
13 Some exploits still work with all these defense measures. Example: nginx buffer underrun (CVE )
14 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->uri_start
15 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->uri_start r->ctx[33] r->uri.data / u
16 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->ctx[33] r->uri.data /?.. u
17 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->ctx[33] r->uri.data xyz/ ctxp0000/?.. u
18 CVE /%3F/../abcd0000BADP0000BAD_CTX0 r->ctx[33] r->uri.data xyz/ badp0000bad_ctx0
19 typedef struct { ngx_buf_t ngx_chain_t ngx_chain_t ngx_chain_t unsigned unsigned unsigned ngx_pool_t ngx_int_t ngx_bufs_t ngx_buf_tag_t ngx_output_chain_filter_pt void } ngx_output_chain_ctx_t; *buf; *in; *free; *busy; sendfile; need_in_memory; need_in_temp; *pool; allocated; bufs; tag; output_filter; *filter_ctx;
20 typedef struct { ngx_buf_t ngx_chain_t ngx_chain_t ngx_chain_t unsigned unsigned unsigned ngx_pool_t ngx_int_t ngx_bufs_t ngx_buf_tag_t ngx_output_chain_filter_pt void } ngx_output_chain_ctx_t; *buf; *in; *free; *busy; sendfile; need_in_memory; need_in_temp; *pool; allocated; bufs; tag; output_filter; *filter_ctx; function pointer
21
22 805ba93: mov (%ecx),%ebx ; copy filename movl $0x3,0x10(%ecx) mov %ecx,(%esp) call *0x2c(%ecx)
23 805ba93: mov (%ecx),%ebx ; copy filename movl $0x3,0x10(%ecx) mov %ecx,(%esp) call : mov *0x2c(%ecx) %eax,0x4(%esp) ; push argv mov %ebx,(%esp) ; push filename call *0x14(%ebx)
24 805ba93: mov (%ecx),%ebx ; copy filename movl $0x3,0x10(%ecx) mov %ecx,(%esp) call : mov *0x2c(%ecx) %eax,0x4(%esp) ; push argv mov %ebx,(%esp) ; push filename call *0x14(%ebx) 804b274: <execve@plt> ; get shell
25 - defeats address randomisation (through info leak)
26 - defeats address randomisation (through info leak) - defeats non-executable data protection
27 - defeats address randomisation (through info leak) - defeats non-executable data protection - not a standard copy function (no fortify protections)
28 - defeats address randomisation (through info leak) - defeats non-executable data protection - not a standard copy function (no fortify protections) - not return oriented, so stack smash protection does not matter
29 But the situation is even worse
30 But the situation is even worse - needs to be enabled at compile time, and there is a lot of old code out there
31 But the situation is even worse - needs to be enabled at compile time, and there is a lot of old code out there - many packages do not apply these defence mechanisms even today
32 But the situation is even worse - needs to be enabled at compile time, and there is a lot of old code out there - many packages do not apply these defence mechanisms even today - implementation flaws
33 Can we do more?
34 Can we do more? >> DEP prevents untrusted data from being run as code
35 Can we do more? >> DEP prevents untrusted data from being run as code << ROP replaces untrusted code with pointers to original code.
36 Can we do more? >> DEP prevents untrusted data from being run as code << ROP replaces untrusted code with pointers to original code. >> Can we prevent untrusted pointers from being used as jump addresses?
37 Taint analysis 0805be be be d8 4b a0 2e K be90 94 be a ef be ad de a4 be x bea0 ac be f e 2f a4 be /bin/sh beb d e SAMETHINGWED 0805bec0 4f e e 4b 59 OEVERYNIGHTPINKY 0805bed e be ef 1f NARF bee0 ff fa ff f & bef bf
38 Taint tracking (1/2): - remember whether data is trusted or not - untrusted data is 'tainted' - when data is copied, its taint is copied along - taint is ORed for arithmetic operations
39 Taint tracking (2/2): When the code jumps to an address in memory, the source of this address is checked for taint. eg.: - RET - CALL *%eax - JMP *0x1c(%ebx)
40
41 Taint tracking photo: useful, but slow as hell
42 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint
43 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint
44 Emulator process-level emulator
45 Emulator process-level emulator fast x86 -> x86 jit compiler
46 Emulator process-level emulator fast x86 -> x86 jit compiler keeps register state the same
47 Emulator t_eax = t_eax t_ecx eax = eax + ecx eax = eax + ebx original code jit code
48 Emulator process-level emulator fast x86 -> x86 jit compiler keeps register state the same translates big chunks of code all at once
49 Emulator compile jit code
50 Emulator run jit code compile jit code
51 Emulator indirect jump run jit code find jump address compile jit code
52 Emulator indirect jump lookup miss run jit code find jump address compile jit code
53 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint
54 Linux stack heap/libs User executable
55 Memory layout (linux) linux kernel USER
56 Memory layout (minemu) linux kernel USER minemu TAINT
57 Memory layout (minemu) linux kernel USER minemu TAINT
58 Memory layout (minemu) linux kernel USER write to x minemu TAINT
59 Memory layout (minemu) linux kernel USER write to x minemu TAINT x+const
60 Memory layout (minemu) linux kernel USER taint data to user memory minemu TAINT user data to taint memory
61 Memory layout (minemu) linux kernel USER taint data to user memory minemu TAINT user data to taint memory
62 Addressing shadow memory mov EAX, (EDX)
63 Addressing shadow memory mov EAX, (EDX) address: EDX
64 Addressing shadow memory mov EAX, (EDX) address: EDX taint: EDX+const
65 Addressing shadow memory mov EAX, (EDX+EBX*4)
66 Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4
67 Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 taint: EDX+EBX*4+const
68 Addressing shadow memory push ESI
69 Addressing shadow memory push ESI address: ESP
70 Addressing shadow memory push ESI address: ESP taint: ESP+const
71 Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint
72 Taint propagation in SSE registers xmm5 xmm6 xmm7 scratch register T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) 128-bit
73 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 scratch register T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) 128-bit
74 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 scratch register T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi)
75 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 T(x) T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) vector insert
76 Taint propagation in SSE registers add EDX, x xmm5 xmm6 xmm7 T(x) T(eax) T(ecx) T(edx) T(ebx) T(esp) T(ebp) T(esi) T(edi) or
77 Effectiveness Application Type of vulnerability Security advisory Snort Stack overflow CVE Cyrus imapd Stack overflow CVE Samba Heap overflow CVE Memcached Heap overflow CVE Nginx Buffer underrun CVE Proftpd 1.3.3a Stack overflow CVE Samba Heap overflow CVE Telnetd 1.6 Heap overflow CVE Ncompress Stack overflow CVE Iwconfig V.26 Stack overflow CVE Aspell Stack overflow CVE Htget 0.93 Stack overflow CVE Socat 1.4 Format string CVE Aeon 0.2a Stack overflow CVE Exim 4.41 Stack overflow EDB-ID#796 Htget 0.93 Stack overflow Tipxd Format string OSVDB-ID#12346
78 Performance HTTP HTTPS
79 Performance SPECINT h264ref 462.libquantum 458.sjeng 456.hmmer 445.gobmk 429.mcf 403.gcc 401.bzip2 400.perlbench 2.4x overall overall 483.xalancbmk 473.astar 471.omnetpp gzip OpenSSH (scp+sshd) PostgreSQL (pgbench) MediaWiki (HTTPS)
80 Limitations
81 Limitations Doesn't prevent memory corruption, only acts when the untrusted data is used for arbitrary code execution.
82 Limitations Tainted pointer dereferences tainted_pointer->some_field = useful_untainted_value;
83 Limitations Tainted pointer dereferences tainted_pointer->some_field = useful_untainted_value; propagation can lead to false positives: dispatch_table[ checked_input]();
84 Limitations Taint whitewashing out = latin1_to_ascii[ in];
85 Limitations Format string attacks: printf( "%65534s %123$hn"); // Propagates taint in glibc printf( "FillerFiller...%123$hn"); // Does not :-(
86 Limitations Does not protect against non-control-flow exploits
87 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }
88 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }
89 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }
90 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }
91 Limitations Does not protect against non-control-flow exploits void try_system( char *username, char *cmd) { int user_rights = get_credentials(username); char buf[16] ; strcpy(buf, username); if (user_rights & ALLOW_SYSTEM ) system(cmd); else log_error( "user %s attempted login", buf); }
92 PROBLEM.php?-s
93 in some cases we can add validation hooks. mysql_query() can be hooked to check for taint outside of literals in SQL queries.
94 in some cases we can add validation hooks. mysql_query() can be hooked to check for taint outside of literals in SQL queries. _IO_vfprintf() in glibc can be hooked to check format strings for taint.
95 Demo bash
96 Minemu git clone
97 Minemu git clone any questions?
98
99 Memory layout (64 bit) USER USER TAINT USER TAINT TAINT USER TAINT
100 Memory layout (64 bit) alternative TAINT gs segment USER data/code/stack segment
Minemu: The World s Fastest Taint Tracker
Minemu: The World s Fastest Taint Tracker Erik Bosman, Asia Slowinska, and Herbert Bos Vrije Universiteit Amsterdam Abstract. Dynamic taint analysis is a powerful technique to detect memory corruption
More informationSoftware Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
More informationtelnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012
telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed
More informationFor a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation
More informationReturn-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy
More informationExploiting nginx chunked overflow bug, the undisclosed attack vector
Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More informationPerformance Characterization of SPEC CPU2006 Integer Benchmarks on x86-64 64 Architecture
Performance Characterization of SPEC CPU2006 Integer Benchmarks on x86-64 64 Architecture Dong Ye David Kaeli Northeastern University Joydeep Ray Christophe Harle AMD Inc. IISWC 2006 1 Outline Motivation
More informationSoftware security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title Version Discovery Vendor Impact Contact Twitter CVE : Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability : QuickTime player 7.6.5
More informationBuffer Overflows. Security 2011
Buffer Overflows Security 2011 Memory Organiza;on Topics Kernel organizes memory in pages Typically 4k bytes Processes operate in a Virtual Memory Space Mapped to real 4k pages Could live in RAM or be
More informationStack Overflows. Mitchell Adair
Stack Overflows Mitchell Adair Outline Why? What? There once was a VM Virtual Memory Registers Stack stack1, stack2, stack3 Resources Why? Real problem Real money Real recognition Still prevalent Very
More informationMSc Computer Science Dissertation
University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel
More informationBypassing Browser Memory Protections in Windows Vista
Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction
More informationUnix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make
More informationHotpatching and the Rise of Third-Party Patches
Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments
More informationSecure Cloud Computing: The Monitoring Perspective
Secure Cloud Computing: The Monitoring Perspective Peng Liu Penn State University 1 Cloud Computing is Less about Computer Design More about Use of Computing (UoC) CPU, OS, VMM, PL, Parallel computing
More informationFormat string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com
Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic
More informationModern Binary Exploitation Course Syllabus
Modern Binary Exploitation Course Syllabus Course Information Course Title: Modern Binary Exploitation Course Number: CSCI 4968 Credit Hours: 4 Semester / Year: Spring 2015 Meeting Days: Tuesday/Friday
More informationAssembly Language: Function Calls" Jennifer Rexford!
Assembly Language: Function Calls" Jennifer Rexford! 1 Goals of this Lecture" Function call problems:! Calling and returning! Passing parameters! Storing local variables! Handling registers without interference!
More informationBypassing Memory Protections: The Future of Exploitation
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Program Security: Buffer Overflow 1 Buffer Overflow BO Basics Stack smashing Other buffer overflow
More informationCS3235 - Computer Security Thirteenth topic: System attacks. defenses
Overflows... Security case studies CS3235 - Computer Security Thirteenth topic: System attacks and defenses Hugh Anderson National University of Singapore School of Computing March/April, 2016 Hugh Anderson
More informationAttacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com
Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration
More informationCS61: Systems Programing and Machine Organization
CS61: Systems Programing and Machine Organization Fall 2009 Section Notes for Week 2 (September 14 th - 18 th ) Topics to be covered: I. Binary Basics II. Signed Numbers III. Architecture Overview IV.
More informationHeap-based Buffer Overflow Vulnerability in Adobe Flash Player
Analysis of Zero-Day Exploit_Issue 03 Heap-based Buffer Overflow Vulnerability in Adobe Flash Player CVE-2014-0556 20 December 2014 Table of Content Overview... 3 1. CVE-2014-0556 Vulnerability... 3 2.
More informationDefense in Depth: Protecting Against Zero-Day Attacks
Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth
More informationSECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith
SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in
More informationHacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali
More informationAttacking x86 Windows Binaries by Jump Oriented Programming
Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary erdodi.laszlo@nik.uni-obuda.hu Abstract Jump oriented programming
More informationTransparent ROP Detection using CPU Performance Counters. 他 山 之 石, 可 以 攻 玉 Stones from other hills may serve to polish jade
Transparent ROP Detection using CPU Performance Counters 他 山 之 石, 可 以 攻 玉 Stones from other hills may serve to polish jade Xiaoning Li Michael Crouse Intel Labs Harvard University THREADS Conference 2014
More information64-Bit NASM Notes. Invoking 64-Bit NASM
64-Bit NASM Notes The transition from 32- to 64-bit architectures is no joke, as anyone who has wrestled with 32/64 bit incompatibilities will attest We note here some key differences between 32- and 64-bit
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More informationCompiler-Assisted Binary Parsing
Compiler-Assisted Binary Parsing Tugrul Ince tugrul@cs.umd.edu PD Week 2012 26 27 March 2012 Parsing Binary Files Binary analysis is common for o Performance modeling o Computer security o Maintenance
More informationIntroduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code
Introduction Application Security Tom Chothia Computer Security, Lecture 16 Compiled code is really just data which can be edit and inspected. By examining low level code protections can be removed and
More informationIntroduction to Information Security
Introduction to Information Security 0368-3065, Spring 2015 Lecture 1: Introduction, Control Hijacking (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University 1 Administration Lecturer: Eran
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 20: Stack Frames 7 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Where We Are Source code if (b == 0) a = b; Low-level IR code
More informationStitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection
USENIX Security Symposium 2014, San Diego, CA, USA Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Lucas Davi Intel Collaborative Research Institute for
More informationGadge Me If You Can Secure and Efficient Ad-hoc Instruction-Level Randomization for x86 and ARM
Gadge Me If You Can Secure and Efficient Ad-hoc Instruction-Level Randomization for x86 and ARM Lucas Davi 1,2, Alexandra Dmitrienko 3, Stefan Nürnberger 2, Ahmad-Reza Sadeghi 1,2,3 1 2 3 Intel Collaborative
More informationhttp://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
More informationBuffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015
CSCD27 Computer and Network Security Code Security: Buffer Overflows 13 Buffer Overflow CSCD27 Computer and Network Security 1 Buffer Overflows Extremely common bug. First major exploit: 1988 Internet
More informationThe Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014
Intelligent Things, Vehicles and Factories: Intel Workshop on Cyberphysical and Mobile Security 2014, Darmstadt, June 11 The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation
More informationesrever gnireenigne tfosorcim seiranib
esrever gnireenigne tfosorcim seiranib Alexander Sotirov asotirov@determina.com CanSecWest / core06 Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com CanSecWest / core06 Overview
More informationDynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software James Newsome jnewsome@ece.cmu.edu Carnegie Mellon University Abstract Software vulnerabilities
More informationEU FP6 LOBSTER. personal view on the future of ero-day Worm Containment. European Infrastructure for accurate network monitoring
EU FP6 LOBSTER European Infrastructure for accurate network monitoring personal view on the future of ero-day Worm Containment Herbert Bos Vrije Universiteit Amsterdam herbertb _AT_ cs.vu.nl 1 What is
More informationSecure Program Execution via Dynamic Information Flow Tracking
Secure Program Execution via Dynamic Information Flow Tracking G. Edward Suh, Jae W. Lee, David Zhang, Srinivas Devadas Computer Science and Artificial Intelligence Laboratory (CSAIL) Massachusetts Institute
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security Homework 1 Due: Friday, February 15, at 10PM Instructions. You must submit this homework electronically. To submit, put a single solution file hw1.pdf in a directory
More informationData Structure Reverse Engineering
Data Structure Reverse Engineering Digging for Data Structures Polymorphic Software with DSLR Scott Hand October 28 th, 2011 Outline 1 Digging for Data Structures Motivations Introduction Laika Details
More informationWLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (www.argeniss.com)
WLSI Windows Local Shellcode Injection Cesar Cerrudo Argeniss (www.argeniss.com) Overview _ Introduction _ Establishing a LPC connection _ Creating a shared section _ The technique _ Building an exploit
More informationThere s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research
1 There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research That s unavoidable, but the linux kernel developers don t do very much to make the situation
More informationLecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com
CSCI-UA.0201-003 Computer Systems Organization Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified)
More informationFine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich
Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application access
More informationReverse Engineering and Computer Security
Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and
More informationsecubt : Hacking the Hackers with User-Space Virtualization
secubt : Hacking the Hackers with User-Space Virtualization Mathias Payer Department of Computer Science ETH Zurich Abstract In the age of coordinated malware distribution and zero-day exploits security
More informationG-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries Kaan Onarlioglu Bilkent University, Ankara onarliog@cs.bilkent.edu.tr Davide Balzarotti Eurecom, Sophia Antipolis balzarotti@eurecom.fr
More informationApplying Clang Static Analyzer to Linux Kernel
Applying Clang Static Analyzer to Linux Kernel 2012/6/7 FUJITSU COMPUTER TECHNOLOGIES LIMITED Hiroo MATSUMOTO 管 理 番 号 1154ka1 Copyright 2012 FUJITSU COMPUTER TECHNOLOGIES LIMITED Abstract Now there are
More informationDesign of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks
Stware Security Holes and Defenses Design a secure system Follows a ring design. Every object has an associated security attribute. Every subject has a security clearance. Least secure Highest security
More informationGSM. Global System for Mobile Communications, 1992. Security in mobile phones. System used all over the world. Sikkerhed04, Aften Trusler
GSM Global System for Mobile Communications, 1992 Security in mobile phones System used all over the world 1 GSM: Threat Model What Cloning Eavesdropping Tracking Who Criminals Secret Services Why Break
More informationExploiting Trustzone on Android
1 Introduction Exploiting Trustzone on Android Di Shen(@returnsme) retme7@gmail.com This paper tells a real story about exploiting TrustZone step by step. I target an implementation of Trusted Execution
More informationControl Flow Obfuscation with Information Flow Tracking
Control Flow Obfuscation with Information Flow Tracking Haibo Chen, Liwei Yuan, Xi Wu, Binyu Zang Parallel Processing Institute Fudan University {hbchen, yuanliwei, wuxi, byzang}@fudan.edu.cn Bo Huang
More informationReturn-oriented Programming: Exploitation without Code Injection
Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad Bad behavior
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant adapted by Jason Fritts http://csapp.cs.cmu.edu CS:APP2e Hardware Architecture - using Y86 ISA For learning aspects
More informationHacking. The Edge Pieces. Ken Gottry May2002. 2002 Ken Gottry
Hacking The Edge Pieces Ken Gottry May2002 Objective - Edge Pieces When you start a jigsaw puzzle, you pick out the edge pieces, the ones with the flat sides. You can do this without knowing what the picture
More informationLinux exploit development part 2 (rev 2) - Real app demo (part 2)
Linux exploit development part 2 (rev 2) - Real app demo (part 2) This will be a short tutorial demonstrating a "buffer overflow" exploit on a real application which is freely available using the techniques
More information1. General function and functionality of the malware
1. General function and functionality of the malware The malware executes in a command shell, it begins by checking to see if the executing file contains the MZP file extension, and then continues to access
More informationViolating Database - Enforced Security Mechanisms
Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [chris@ngssoftware.com] 18/06/2002 An NGSSoftware Insight Security Research (NISR)
More informationSecuring software by enforcing data-flow integrity
Securing software by enforcing data-flow integrity Miguel Castro Microsoft Research Manuel Costa Microsoft Research University of Cambridge Tim Harris Microsoft Research Abstract Software attacks often
More informationCruiser: Concurrent Heap Buffer Overflow Monitoring Using Lock-free Data Structures
Cruiser: Concurrent Heap Buffer Overflow Monitoring Using Lock-free Data Structures Qiang Zeng Department of Computer Science & Engineering, Pennsylvania State University, University Park, PA 16802 quz105@cse.psu.edu
More informationReview and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU
Review and Exploit Neglected Attack Surface in ios 8 Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU BlackHat 2015 Agenda ios Security Background Review of Attack Surfaces Fuzz More IOKit and MIG System
More informationA Security Assessment of the Minos Architecture
A Security Assessment of the Minos Architecture Jedidiah R. Crandall and Frederic T. Chong University of California at Davis Computer Science Department crandall, chong @cs.ucdavis.edu Abstract Minos is
More informationCSC 405 Introduction to Computer Security
CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part II CSC 405 Dr. Peng Ning 1 Targeted Malicious Code General purpose malicious code Affect users and machines indiscriminately
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Stony Brook University University of California, Berkeley Peking University Abstract Memory corruption bugs in software written
More informationKernel Intrusion Detection System
Kernel Intrusion Detection System Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org Monica's Team!! Brazilian famous H.Q. story Amazon Forest Yeah, Brazilian country! Soccer Brazilian
More informationReducing Dynamic Compilation Latency
LLVM 12 - European Conference, London Reducing Dynamic Compilation Latency Igor Böhm Processor Automated Synthesis by iterative Analysis The University of Edinburgh LLVM 12 - European Conference, London
More informationCORE SECURITY. Exploiting Adobe Flash Player in the era of Control Flow Guard. Francisco Falcon (@fdfalcon) Black Hat Europe 2015 November 12-13, 2015
CORE SECURITY Exploiting Adobe Flash Player in the era of Control Flow Guard Francisco Falcon (@fdfalcon) Black Hat Europe 2015 November 12-13, 2015 About me 2 About me Exploit Writer for Core Security.
More informationCarlos Villavieja, Nacho Navarro {cvillavi,nacho}@ac.upc.edu. Arati Baliga, Liviu Iftode {aratib,liviu}@cs.rutgers.edu
Continuous Monitoring using MultiCores Carlos Villavieja, Nacho Navarro {cvillavi,nacho}@ac.upc.edu Arati Baliga, Liviu Iftode {aratib,liviu}@cs.rutgers.edu Motivation Intrusion detection Intruder gets
More informationDefending Computer Networks Lecture 3: More On Vulnerabili3es. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 3: More On Vulnerabili3es Stuart Staniford Adjunct Professor of Computer Science Enrollment Logis;cs Send request to cs- course- enroll@cornell.edu Cc me (sgs235@cornell.edu)
More informationBetriebssysteme KU Security
Betriebssysteme KU Security IAIK Graz University of Technology 1 1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 2 1. Drivers 2. Security - The simple stuff
More informationFrom SQL Injection to MIPS Overflows
From SQL Injection to MIPS Overflows Rooting SOHO Routers Zachary Cutlip Black Hat USA 2012 Acknowledgements Tactical Network Solutions Craig Heffner What I m going to talk about Novel uses of SQL injection
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 2/8/06 Blackhat Federal 2006 1 Big
More informationSecurity types to the rescue
Security types to the rescue p. 1 Security types to the rescue David Wagner and Rob Johnson {daw,rtjohnso}@cs.berkeley.edu University of California, Berkeley Security types to the rescue p. 2 Problem statement
More informationAn introduction to the Return Oriented Programming. Why and How
An introduction to the Return Oriented Programming Why and How Course lecture at the Bordeaux university for the CSI Master Jonathan Salwan Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets'
More informationCVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis
Your texte here. CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis October 11 th, 2012 Brian MARIANI & Frédéric BOURLA A FEW WORDS ABOUT FLASH PLAYER Your Adobe texte Flash here
More informationSECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION DINO DAI ZOVI THESIS. Submitted in Partial Fulfillment of the Requirements for the Degree of
SECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION by DINO DAI ZOVI THESIS Submitted in Partial Fulfillment of the Requirements for the Degree of Bachelor of Science Computer Science The University of
More informationSecure Program Execution via Dynamic Information Flow Tracking
Secure Program Execution via Dynamic Information Flow Tracking G. Edward Suh, Jaewook Lee, Srinivas Devadas Computer Science and Artificial Intelligence Laboratory (CSAIL) Massachusetts Institute of Technology
More informationSome Anti-Worm Efforts at Microsoft. Acknowledgements
Some Anti-Worm Efforts at Microsoft Helen J. Wang System and Networking Research Group Microsoft Research Oct 29, 2004 1 Acknowledgements Matt Braverman, Opher Dubrovsky, John Dunagan, Louis Lafreniere,
More informationASL IT SECURITY XTREME XPLOIT DEVELOPMENT
ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits
More informationVirtualization Technologies
12 January 2010 Virtualization Technologies Alex Landau (lalex@il.ibm.com) IBM Haifa Research Lab What is virtualization? Virtualization is way to run multiple operating systems and user applications on
More informationTitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com
TitanMist: Your First Step to Reversing Nirvana TitanMist mist.reversinglabs.com Contents Introduction to TitanEngine.. 3 Introduction to TitanMist 4 Creating an unpacker for TitanMist.. 5 References and
More informationAutomating Mimicry Attacks Using Static Binary Analysis
Automating Mimicry Attacks Using Static Binary Analysis Christopher Kruegel and Engin Kirda Technical University Vienna chris@auto.tuwien.ac.at, engin@infosys.tuwien.ac.at Darren Mutz, William Robertson,
More informationDatabase's Security Paradise. Joxean Koret
Database's Security Paradise Joxean Koret Security in Databases Many people still believe databases are hard to audit/hack. Name it as you prefer... Many people consider database software as too big products
More information風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program
More informationApplication-Specific Attacks: Leveraging the ActionScript Virtual Machine
IBM Global Technology Services April 2008 Application-Specific Attacks: Leveraging the ActionScript Virtual Machine By Mark Dowd X-Force Researcher IBM Internet Security Systems (markdowd@au1.ibm.com)
More informationCataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems
Abstract: Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems *P.VADIVELMURUGAN #K.ALAGARSAMY *Research Scholar, Department of Computer Center, Madurai Kamaraj University,
More informationSyscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES
Syscall Proxying - Simulating remote execution Maximiliano Caceres Copyright 2002 CORE SECURITY TECHNOLOGIES Table of Contents Abstract.........................................................................................
More informationAndreas Herrmann. AMD Operating System Research Center
Myth and facts about 64-bit Linux Andreas Herrmann André Przywara AMD Operating System Research Center March 2nd, 2008 Myths... You don't need 64-bit software with less than 3 GB RAM. There are less drivers
More informationW4118 Operating Systems. Junfeng Yang
W4118 Operating Systems Junfeng Yang Outline Linux overview Interrupt in Linux System call in Linux What is Linux A modern, open-source OS, based on UNIX standards 1991, 0.1 MLOC, single developer Linus
More informationRed Hat. www.redhat.com. By Karl Wirth
Red Hat Enterprise Linux 5 Security By Karl Wirth Abstract Red Hat Enterprise Linux has been designed by, and for, the most security-conscious organizations in the world. Accordingly, security has always
More information