Alice in exploitland Attack & defense evolution. Zoltán Balázs Hacktivity 2013
|
|
- Bennett Perry
- 7 years ago
- Views:
Transcription
1 Alice in exploitland Attack & defense evolution Zoltán Balázs Hacktivity 2013
2 About:me OSCP, C HFI, CISSP, CPTS, MCP Senior IT security Deloitte Hungary Proud member of the gula.sh team zbalazs@deloittece.com Twitter zh4ck
3 What s next? Evolution of memory corruption attack & defense Stack based buffer overflows Stack canary Structured Exception Handling DEP ASLR Advanced mitigation
4 Scope of this presentation Focus on memory corruption Not Java vulnerabilities Focus on Windows Last 15 years Windows was the biggest target for memory corruption exploits High level overview only No details like Assembly Mostly stack overflow vulnerability No heap overflow No format string No null pointer dereference No integer overflow (just a little bit) No use after free
5 Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing
6 Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing Your intellectual property will be stolen social engineering software exploits
7 Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing Your intellectual property will be stolen social engineering software exploits You will find your product on the local Chinese market half the price
8 Why you should care about exploits? If you are a military team working for the Chinese (or other) government To steal intellectual property Your C&C server will be hacked through memory corruption vulnerability
9 Why you should care about exploits? If you are a military team working for the Chinese (or other) government To steal intellectual property Your C&C server will be hacked through memory corruption vulnerability Your projects will be revealed by hackers from Luxembourg
10 Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java)
11 Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked
12 Why you should care? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked Identity stolen
13 Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked Identity stolen Facebook wall spammed
14 Function calls void SayHello(char* userinput) { char buffer[100]; } strcpy(buffer, userinput); printf( Hello %s\n", buffer); int main() { SayHello(argv[1]); return 0; }
15 Function calls 0x New stack frame ESP - top of stack... 0xFFFFFFFF ESP - extended stack pointer
16 Function calls 0x ESP - top of stack ptr to argv[1]... 0xFFFFFFFF ESP - extended stack pointer
17 Function calls 0x ESP - top of stack Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer Overwrite this for PROFIT
18 Function calls 0x ESP - top of stack Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
19 Function calls ESP - top of stack 0x Space for buffer EBP - frame pointer Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
20 Function calls ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
21
22 Stack based buffer overflow vulnerability Stack overflow happens when the user can put more data on the allocated stack, than available If more data is put on the stack (stack overflow)... magic will happen Buffer overflow Stack based buffer overflow Heap based buffer overflow
23 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
24 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP AAAA Saved EIP ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
25 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP AAAA Saved EIP AAAA ptr to argv[1]... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
26 Stack overflow ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Saved EBP AAAA Saved EIP AAAA ptr to argv[1] AAAA... 0xFFFFFFFF Strcpy writes this way EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer Overwrite this for PROFIT
27
28 Quiz for Hacker Pschorr Which team created the first Linux kernel patch to protect against stack overflows? ***
29 Quiz for Hacker Pschorr Which team created the first Linux kernel patch to protect against stack overflows? PaX team in 2000
30 Stack overflow history 1972 Computer Security Technology Planning Study 1988 Morris worm 1996 Smashing the Stack for Fun and Profit (Aleph One) 2000 NSA SELinux open sourced 2000 PaX Team 2003 SELinux merged into mainline Linux Kernel 2004 Egghunters - against small buffers
31 Shellcode The attacker code what the attacker wants to execute The instructions given by Alice to the rabbit
32 Mitigation techniques All of the following mitigation techniques are used against every memory corruption vulnerabilities Not just against stack overflow
33 Stack canary/cookie ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Strcpy writes Random cookie 27384AB4CD457 way Saved EBP Saved EIP ptr to argv[1]... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer this Overwrite this for PROFIT
34 Stack canary/cookie ESP - top of stack 0x EBP - frame pointer AAAA AAAA... AAAA Strcpy writes Random cookie 27384AB4CD457 AAAA way Saved EBP AAAA Saved EIP AAAA ptr to argv[1] AAAA... 0xFFFFFFFF EIP - extended instruction pointer ESP - extended stack pointer EBP - extended base pointer this Overwrite this for PROFIT
35
36 Stack canary/cookie history (/GS) Linux (GCC) MS (Visual Studio)
37 Stack canary/cookie bypass Method 1: Replace cookie on stack and in.data temper the sensor in way where water does not trigger an alarm Method 2: Not protected buffer (no string buffer) use a pot which is not equipped with alarm system Method 3: Guess/calculate the cookie Static cookie Method 4: Overwriting stack data in functions up the stack, switch case
38 Structured Exception Handling exploit In reality, traditional stack overflow exploits are sometimes not possible No EIP overwrite No jump Stack cookies way too complicated to trigger
39 Structured Exception Handling exploit In reality, traditional stack overflow exploits are sometimes not possible No EIP overwrite No jump Stack cookies Stack cookie not checked at exception handling way too complicated to trigger
40 SEH exploit three step to profit Step 1. overwriting first element in the exception-handling chain Step 2. because of the overflow, the exception-handling is triggered Step 3. via exception handling, return to the malicious shellcode (PROFIT)
41 SEH exploit metaphor If chaos occurs disaster recovery process to handle the chaos Alice can rewrite the address, where the rabbit can find the disaster recovery process manual
42 SEH exploit mitigation SafeSEH table which specifies for the operating system about valid exception handlers only a limited set of addresses where the disaster recovery manual can be found Alice can not change those SEHop OS performs SEH chain validation breaks SEH overwrite exploitation techniques Stamp from the queen on the addressess where the disaster recovery manual can be found
43 DEP DEP - Data Execution Prevention Windows (OS level) Protection: mark the stack as non executable PageExec, W^X, NX, XD
44
45 PageExec, W^X, NX, XD, DEP NX - Never Execute AMD (CPU level) XD - execution Disabled Intel (CPU level) W^X - Write XOR Execute OpenBSD, OS X (OS level) Non-Executable Memory Linux (OS level) Windows If CPU NX/XD enabled/supported HW DEP == Real DEP If CPU NX/XD disabled/not supported Software DEP == SafeSEH!!! DEP modes Always off OptIn OptOut Always On
46 PageExec, W^X, NX, XD, DEP Openwall Solar designer PaX Team PageExec Exec shield (Ingó Molnár) OpenBSD Linux (Ingó Molnár) Windows XP SP OS X
47 PageExec, W^X, NX, XD, DEP bypass Method 1: Return oriented Programming (ROP) Roots from Solar Designer (return-into-libc)
48 PageExec, W^X, NX, XD, DEP bypass Method 2: Mark the stack part as executable Alice can override the command, that her handwritten orders can not be executed Does not work on protection always on Method 3: Disable the protection for the process Does not work on protection always on Method 4: Copy shellcode to executable area Exeucatable area usually read only Allocate new memory with read write - executable support (virtualalloc) If attacking browser JavaScript heap spraying Other magic here
49 ASLR metaphor ASLR = Address Space Layout Randomization Changing the addressess of the memory layout every time Changing the street names, house numbers every time Alice can only go to a house she won t know what will be the address at the time when the rabbit arrives
50 ASLR Memco PaX Team (RandExec/RandMmap/RandUStack/RandKStack) OpenBSD Linux first implementation weak Windows OS X Android
51 ASLR bypass 2007 MS ANI exploit Alex Sotirov Method 1: overwrite the first two bytes of EIP (low bytes) High bytes are random - we need that info, so won t change it Low bytes are modified to point to piece of code useful for attacker Alice case: we specify return address like 4 house to the left, next to the original Method 2: Low entropy in random brute force Catch all exception block is usually needed You never write try{ code_her } catch (Every exception) { Do nothing } do you? ASLR on 32 bit OS is 14m3 ASLR on 64 bit OS is 1337 (High Entropy ASLR on Win8)
52 ASLR bypass... Method 2: Low entropy in random brute force Alice can give 1000 addresses to the rabbit Rabbit will look for Alice in 1000 house Finally the rabbit can find Alice Alice can give him the malicious instructions PROFIT
53 ASLR bypass Method 3: ASLR not enforced Java 6 (static) used in Adobe Flash exploit Java 7 ASLR There are still some static street names, house numbers in exploitland, that never change Method 4: address space information disclosure Alice can ask an inhabitant in exploitland what the street name and house address will be of the house where Alice is when the rabbit arrives
54 EMET
55 Exploiting stack overflow in 2003 on Windows Collect three gems
56 Exploiting stack overflow in 2013 with ASLR + DEP You have 3 ammo left
57 ASLR + DEP bypass Metasploit windows/browser/ms13_037_svg_dashstyle demo Scenario 1. Disable ASLR, exploit fixed addresses Scenario 2. Enable ASLR, exploit is not working Scenario 3. Java 1.6 ROP with non-aslr module works Scenario 4. ASLR with original information leak exploit Scenario 5. EMET heapspray only blocks exploit
58 What to do if I m a user? Remove Java If you use Windows Upgrade to latest OS Use latest browser (Chrome/IE) If can t upgrade, use EMET If you use Linux Upgrade to latest OS Use latest browser (Chrome) If you use OS X Upgrade to latest OS Use latest browser (Safari/Chrome) Upgrade your software
59 What to do if I m a CISO? Remove Java At least in the browsers used for Internet browsing If you use Windows Upgrade to latest OS If can t upgrade, use EMET from GPO (Group policy) Install Microsoft and 3rd party patches
60 What to do if I m a developer? Remove Java At least in the browsers used for Internet browsing Learn secure application development Use switchers in Visual Studio /GS (VS 2002) /SafeSEH (VS 2003) /DynamicBase (VS 2005) /NXCompat (VS 2005) /HIGHENTROPYVA (VS 2012) #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005) BinScope
61 What to do if I m working for the Chinese government running vulnerable Poison Ivy servers? Develop your own backdoor client/server For details see previous slide Until it is finished use EMET
62 Lessons learned Always use ASLR (Always on, 64 bit) + DEP (Always On) together + EMET for additional protection Number of working IE9 (2011 March) exploits in Metasploit With Java 6 1 Without Java 6 1 Number of working IE10 exploits in Metasploit 0 Number of Java7 (2011 July) exploits in Metasploit 16 Price for zero day memory corruption exploit getting higher and higher
Bypassing Browser Memory Protections in Windows Vista
Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction
More informationBypassing Memory Protections: The Future of Exploitation
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript
More informationSoftware security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which
More informationSoftware Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
More informationDefense in Depth: Protecting Against Zero-Day Attacks
Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth
More informationASL IT SECURITY XTREME XPLOIT DEVELOPMENT
ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits
More informationTurn the Page: Why now is the time to migrate off Windows Server 2003
Turn the Page: Why now is the time to migrate off Windows Server 2003 HP Security Research Contents Introduction... 1 What does End of Support mean?... 1 What End of Support doesn t mean... 1 Why you need
More informationAppSecUSA New York City 2013
AppSecUSA New York City 2013 ME? Simón Roses Femerling Founder & CEO, VULNEX www.vulnex.com Blog: www.simonroses.com Twitter: @simonroses Former Microsoft, PwC, @Stake DARPA Cyber Fast Track award on software
More informationCustom Penetration Testing
Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools
More informationSECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith
SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in
More informationHacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K
Hacking your perimeter. Social-Engineering Not everyone needs to use zero days David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K About the speaker Wrote the Social-Engineer Toolkit (SET),
More informationUnix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make
More information風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program
More informationOWASP Spain Barcelona 2014
OWASP Spain Barcelona 2014 ME & VULNEX Simon Roses Femerling Founder & CEO, VULNEX www.vulnex.com @simonroses @vulnexsl Former Microsoft, PwC, @Stake Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, TECHNET,
More informationModern Binary Exploitation Course Syllabus
Modern Binary Exploitation Course Syllabus Course Information Course Title: Modern Binary Exploitation Course Number: CSCI 4968 Credit Hours: 4 Semester / Year: Spring 2015 Meeting Days: Tuesday/Friday
More informationHacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali
More informationBuffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015
CSCD27 Computer and Network Security Code Security: Buffer Overflows 13 Buffer Overflow CSCD27 Computer and Network Security 1 Buffer Overflows Extremely common bug. First major exploit: 1988 Internet
More informationBetriebssysteme KU Security
Betriebssysteme KU Security IAIK Graz University of Technology 1 1. Drivers 2. Security - The simple stuff 3. Code injection attacks 4. Side-channel attacks 2 1. Drivers 2. Security - The simple stuff
More informationIvan Medvedev Principal Security Development Lead Microsoft Corporation
Ivan Medvedev Principal Security Development Lead Microsoft Corporation Session Objectives and Takeaways Session Objective(s): Give an overview of the Security Development Lifecycle Discuss the externally
More informationEMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21
EMET 4.0 PKI MITIGATION Neil Sikka DefCon 21 ABOUT ME Security Engineer on MSRC (Microsoft Security Response Center) I look at 0Days EMET Developer I enjoy doing security research on my free time too:
More informationtelnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012
telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed
More informationFormat string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com
Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic
More informationSoftware Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation
Software Vulnerability Exploitation Trends Exploring the impact of software mitigations on patterns of vulnerability exploitation Software Vulnerability Exploitation Trends This document is for informational
More informationhttp://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
More informationReturn-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More informationCVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis
Your texte here. CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis October 11 th, 2012 Brian MARIANI & Frédéric BOURLA A FEW WORDS ABOUT FLASH PLAYER Your Adobe texte Flash here
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More informationWhy should I care about PDF application security?
Why should I care about PDF application security? What you need to know to minimize your risk Table of contents 1: Program crashes present an opportunity for attack 2: Look for software that fully uses
More informationPREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES
PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES Ira Winkler Codenomicon Session ID: MBS-W05 Session Classification: Intermediate Zero Day Attacks Zero day attacks are rising in prominence They tend to be
More informationIntroduction to Information Security
Introduction to Information Security 0368-3065, Spring 2015 Lecture 1: Introduction, Control Hijacking (1/2) Eran Tromer Slides credit: Avishai Wool, Tel Aviv University 1 Administration Lecturer: Eran
More informationMSc Computer Science Dissertation
University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
More informationUnix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu>
Unix Security Technologies: Host Security Tools Peter Markowsky Syllabus An Answer to last week s assignment Four tools SSP W^X PaX Systrace Last time You were assigned to get a
More informationExploiting Trustzone on Android
1 Introduction Exploiting Trustzone on Android Di Shen(@returnsme) retme7@gmail.com This paper tells a real story about exploiting TrustZone step by step. I target an implementation of Trusted Execution
More informationBackground. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.
Microsoft s Enhanced Mitigation Experience Toolkit (EMET) is an enhancement to the Windows operating system that stops broad classes of malware from executing. EMET implements a set of anti-exploitation
More informationCS3235 - Computer Security Thirteenth topic: System attacks. defenses
Overflows... Security case studies CS3235 - Computer Security Thirteenth topic: System attacks and defenses Hugh Anderson National University of Singapore School of Computing March/April, 2016 Hugh Anderson
More informationCertified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led
Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led Course Description This class will immerse the student into an interactive environment where they will
More informationExploiting nginx chunked overflow bug, the undisclosed attack vector
Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked
More informationPractical taint analysis for protecting buggy binaries
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2 Traditional
More informationEugene Tsyrklevich. Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military
More informationHotpatching and the Rise of Third-Party Patches
Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments
More informationAdvanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com
Advanced IBM AIX Heap Exploitation Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com Introduction Our society has become dependent on computers and network systems.
More informationUsing a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com
Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement MJ0011 th_decoder@126.com Agenda Background A Patched Vulnerability: CVE-2010-4398 Bypass DSE on Windows7 x64 Windows8
More informationCataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems
Abstract: Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems *P.VADIVELMURUGAN #K.ALAGARSAMY *Research Scholar, Department of Computer Center, Madurai Kamaraj University,
More information0days: How hacking really works. V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com
0days: How hacking really works V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com Who am I? NSA->@stake->Immunity CEO of Immunity, Inc. Consulting (product assessments) Immunity CANVAS Immunity Partner's
More informationVulnerability Assessment and Penetration Testing
Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration
More informationHands-on Hacking Unlimited
About Zone-H Attacks techniques (%) File Inclusion Shares misconfiguration SQL Injection DNS attack through social engineering Web Server external module intrusion Attack against the administrator/user
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationAdobe Flash Player and Adobe AIR security
Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,
More informationStack Overflows. Mitchell Adair
Stack Overflows Mitchell Adair Outline Why? What? There once was a VM Virtual Memory Registers Stack stack1, stack2, stack3 Resources Why? Real problem Real money Real recognition Still prevalent Very
More informationIf you know the enemy and know yourself, you need not fear the result of a hundred battles.
Rui Pereira,B.Sc.(Hons),CIPS ISP/ITCP,CISSP,CISA,CWNA/CWSP,CPTE/CPTC Principal Consultant, WaveFront Consulting Group ruiper@wavefrontcg.com 1 (604) 961-0701 If you know the enemy and know yourself, you
More informationWhen a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.
Ethical Hacking and Countermeasures Course Description: This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems.
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 39 System Security Welcome
More informationSandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
More informationCORE SECURITY. Exploiting Adobe Flash Player in the era of Control Flow Guard. Francisco Falcon (@fdfalcon) Black Hat Europe 2015 November 12-13, 2015
CORE SECURITY Exploiting Adobe Flash Player in the era of Control Flow Guard Francisco Falcon (@fdfalcon) Black Hat Europe 2015 November 12-13, 2015 About me 2 About me Exploit Writer for Core Security.
More informationHeap-based Buffer Overflow Vulnerability in Adobe Flash Player
Analysis of Zero-Day Exploit_Issue 03 Heap-based Buffer Overflow Vulnerability in Adobe Flash Player CVE-2014-0556 20 December 2014 Table of Content Overview... 3 1. CVE-2014-0556 Vulnerability... 3 2.
More informationReturn-oriented Programming: Exploitation without Code Injection
Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad Bad behavior
More informationKernel Intrusion Detection System
Kernel Intrusion Detection System Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org Monica's Team!! Brazilian famous H.Q. story Amazon Forest Yeah, Brazilian country! Soccer Brazilian
More informationSome Anti-Worm Efforts at Microsoft. Acknowledgements
Some Anti-Worm Efforts at Microsoft Helen J. Wang System and Networking Research Group Microsoft Research Oct 29, 2004 1 Acknowledgements Matt Braverman, Opher Dubrovsky, John Dunagan, Louis Lafreniere,
More informationFrom SQL Injection to MIPS Overflows
From SQL Injection to MIPS Overflows Rooting SOHO Routers Zachary Cutlip Black Hat USA 2012 Acknowledgements Tactical Network Solutions Craig Heffner What I m going to talk about Novel uses of SQL injection
More informationCHAPTER 4 System Exploitation
CHAPTER 4 System Exploitation In this chapter, we present the tactics of system exploitation used by attackers in targeted attacks. In the last chapter, we presented a variety of models deployed by attackers
More informationHow To Protect Your Computer From Being Hacked By A Hacker (For A Fee)
Illuminating the Security Issues with Lights-Out Server Management Anthony J. Bonkoski J. Alex Halderman University of Michigan What is IPMI? Need to manage a massive cluster of servers? OS installs, monitoring,
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security
More informationLinux exploit development part 2 (rev 2) - Real app demo (part 2)
Linux exploit development part 2 (rev 2) - Real app demo (part 2) This will be a short tutorial demonstrating a "buffer overflow" exploit on a real application which is freely available using the techniques
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationIPMI: Understanding Your Server s Remote Backdoor
IPMI: Understanding Your Server s Remote Backdoor Anthony J. Bonkoski abonkosk@umich.edu SUMIT 2013 What is IPMI? Need to manage a massive cluster of servers? Operating system installs Monitoring Power
More informationChapter 15 Operating System Security
Operating Systems: Internals and Design Principles Chapter 15 Operating System Security Eighth Edition By William Stallings System Access Threats System access threats fall into two general categories:
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Program Security: Buffer Overflow 1 Buffer Overflow BO Basics Stack smashing Other buffer overflow
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Stony Brook University University of California, Berkeley Peking University Abstract Memory corruption bugs in software written
More informationEnhanced Mitigation Experience Toolkit 5.1
Enhanced Mitigation Experience Toolkit 5.1 User Guide November 2014 www.microsoft.com/emet Table of Contents Introduction... 1 Capabilities... 2 Mitigations... 2 Certificate Trust (configurable certificate
More informationApplication Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il
Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems
More informationExploits: XSS, SQLI, Buffer Overflow
Exploits: XSS, SQLI, Buffer Overflow These vulnerabilities continue to result in many active exploits. XSS Cross Site Scripting, comparable to XSRF, Cross Site Request Forgery. These vulnerabilities are
More informationDesign of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks
Stware Security Holes and Defenses Design a secure system Follows a ring design. Every object has an associated security attribute. Every subject has a security clearance. Least secure Highest security
More informationERNW Newsletter 51 / September 2015
ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING
More informationAttacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com
Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration
More informationEECS 354 Network Security. Introduction
EECS 354 Network Security Introduction Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature
More informationLecture Overview. INF3510 Information Security Spring 2015. Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure
Lecture Overview INF3510 Information Security Spring 2015 Fundamental computer security concepts CPU and OS kernel security mechanisms Virtualization Memory Protection Trusted computing and TPM Lecture
More informationSource Code Security Analysis Tool Functional Specification Version 1.0
Special Publication 500-268 Source Code Security Analysis Tool Functional Specification Version 1.0 Paul E. Black Michael Kass Michael Koo Software Diagnostics and Conformance Testing Division Information
More informationCS161: Operating Systems
CS161: Operating Systems Matt Welsh mdw@eecs.harvard.edu Lecture 2: OS Structure and System Calls February 6, 2007 1 Lecture Overview Protection Boundaries and Privilege Levels What makes the kernel different
More informationAn Analysis of Address Space Layout Randomization on Windows Vista
ADVANCED THREAT RESEARCH 2007 Symantec Corporation 1 An Analysis of Address Space Layout Randomization on Windows Vista Ollie Whitehouse, Architect, Symantec Advanced Threat Research Abstract: Address
More informationDefending Computer Networks Lecture 3: More On Vulnerabili3es. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 3: More On Vulnerabili3es Stuart Staniford Adjunct Professor of Computer Science Enrollment Logis;cs Send request to cs- course- enroll@cornell.edu Cc me (sgs235@cornell.edu)
More informationReview and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU
Review and Exploit Neglected Attack Surface in ios 8 Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU BlackHat 2015 Agenda ios Security Background Review of Attack Surfaces Fuzz More IOKit and MIG System
More informationAnti-exploit tools: The next wave of enterprise security
Anti-exploit tools: The next wave of enterprise security Intro From malware and ransomware to increasingly common state-sponsored attacks, organizations across industries are struggling to stay ahead of
More informationPayment Card Industry (PCI) Terminal Software Security. Best Practices
Payment Card Industry (PCI) Terminal Software Security Best Version 1.0 December 2014 Document Changes Date Version Description June 2014 Draft Initial July 23, 2014 Core Redesign for core and other August
More informationSafety measures in Linux
S a f e t y m e a s u r e s i n L i n u x Safety measures in Linux Krzysztof Lichota lichota@mimuw.edu.pl A g e n d a Standard Unix security measures: permissions, capabilities, ACLs, chroot Linux kernel
More informationA Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge
A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara HITCON Enterprise August 27th, 2015 Agenda Shellphish The
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationCSC 405 Introduction to Computer Security
CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part II CSC 405 Dr. Peng Ning 1 Targeted Malicious Code General purpose malicious code Affect users and machines indiscriminately
More informationMalware and Attacks Further reading:
Malware and Attacks Further reading: Dwan B., The Malapropisms of Malware, Computer Fraud & Security, Volume 2004, Number 3 (2004), pp. 13-16 Bradbury, D., The metamorphosis of malware writers, Computers
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationEffects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication
Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication Kuniyasu Suzaki, Kengo Iijima, Toshiki Yagi, Cyrille Artho Research Institute for Secure Systems EuroSec 2012 at Bern,
More informationSecurity & Exploitation
Security & Exploitation Operating Systems Spring 2015 RPISEC - 05/11/2015 OS Security 1 whoami Markus Gaasedelen B.S. Computer Science 15 Security Enthusiast I like to hack things President of RPISEC http://rpis.ec
More informationTIME TO LIVE ON THE NETWORK
TIME TO LIVE ON THE NETWORK Executive Summary This experiment tests to see how well commonly used computer platforms withstand Internet attacks in the wild. The experiment quantifies the amount of time
More informationVulnerability-Focused Threat Detection: Protect Against the Unknown
Vulnerability-Focused Threat Detection: Protect Against the Unknown Vulnerabilities and threats are being discovered at a pace that traditional exploit-based attack detection technology cannot meet. Vulnerability-focused
More informationBoston University Security Awareness. What you need to know to keep information safe and secure
What you need to know to keep information safe and secure Introduction Welcome to Boston University s Security Awareness training. Depending on your reading speed, this presentation will take approximately
More informationCyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014
Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Introduction: Cyber attack is an unauthorized access to a computer
More information