CS3235 - Computer Security. Thirteenth topic: System attacks and defenses


Overflows... Security case studies. CS3235 - Computer Security, Thirteenth topic: System attacks and defenses. Hugh Anderson, National University of Singapore, School of Computing. March/April, 2016

System attacks

Outline
1 Overflows...
    Buffer overflow attacks
    Heartbleed (April 2014)
2 Security case studies
    DVD security


Windows (32-bit) memory allocation

Several space options. With the 2G option the user area is 0x00000000-0x7fffffff and the kernel area 0x80000000-0xffffffff; with the 3G option (the /3GB boot switch) the user area grows to 0x00000000-0xbfffffff and the kernel area shrinks to 0xc0000000-0xffffffff. The kernel area of memory has the HAL, drivers, page tables... The user area contains your exe code, DLLs, stacks...

Linux (32-bit) memory allocation

The default split is 3G/1G: the user area is 0x00000000-0xbfffffff and the kernel area 0xc0000000-0xffffffff. (A 4G/4G layout, in which user space gets the whole 4G and the kernel lives in a separate address space, paying an extra TLB flush on every system call and interrupt, existed as an out-of-tree patch that some 2.6-era distribution kernels shipped; it was never the mainline default, so "3G before v2.6, 4G afterwards" overstates the change.) The kernel area of memory has drivers, system stacks, page tables... The user area contains executable code, libraries, stacks...

Windows process memory allocation, for the 2G model

Windows user memory runs from 0x00000000 to 0x7fffffff. The bottom 64K (0x00000000-0x0000ffff) is a guard region, and so is the top 64K (0x7fff0000-0x7fffffff); just below the top guard, ending at 0x7ffeffff, sit the TEB and PEB (thread and process environment blocks). The 64K guard blocks are sacrificial: a bad pointer reference (a NULL pointer plus a small offset, say) faults in the guard instead of quietly corrupting data.

Linux ELF format user segments: program, shared libraries, stack...

Linux/ELF user memory, from low addresses to high: a guard region at 0x00000000-0x0000ffff; the program (code, data, bss); the malloc'ed memory above the program; the C libraries (code, data, bss) around 0x40000000; the stack, with its top at 0xbfffffff, below a further guard. The malloc'ed memory is above the program. As always, the stack grows downwards.

Memory attack 1: simple program (CS2107)

Normal operation: the stack holds a function's arguments, its return address, and then its local variables, which include a buffer (512 bytes in the CS2107 example). The stack grows down, so the variables sit at lower addresses than the return address, and the end of the buffer lies right next to it.

The attack: overwrite the end of the array with an "EGG". A write that runs off the end of the 512-byte buffer continues upwards through the rest of the frame and over the return address.

Smashing the stack - the payload! (CS2107)

Contents of the payload, from low addresses to high: multiple no-op machine code instructions (a NOP sled), the machine code for the exploit, and multiple copies of the malicious return address. The repeated copies overwrite the saved return address whatever the exact distance to it; the address only has to land somewhere in the sled, from where execution slides into the exploit code.

Payload code for an exploit

A C program which calls a shell:

    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        char *nm[2];
        nm[0] = "/bin/sh";
        nm[1] = NULL;
        execve(nm[0], nm, NULL);
        return 0;
    }

The same thing as i386 assembler, with the extra OS nonsense removed:

    movl  string, string_addr   # nm[0] = pointer to "/bin/sh"
    movb  $0x0, null_byte       # terminate the string
    movl  $0x0, null_addr       # nm[1] = NULL
    movl  $0xb, %eax            # system call number 11 = execve
    movl  string, %ebx          # first argument: the path
    leal  string, %ecx          # second argument: the argument array
    leal  null_string, %edx     # third argument: the environment
    int   $0x80                 # OS call
    /bin/sh string goes here.

Above we see some C source code for running the program /bin/sh, and below it the assembler code. Note that the binary code for this program has zeroes in it (the 32-bit immediates of movl $0x0,... and movl $0xb,%eax each encode as four bytes, mostly 0x00), and these will have to be removed if strcpy is to copy the program onto the stack, because strcpy stops at the first zero byte. We can use translations like:

    movb  $0x0, null_byte    ->    xorl  %eax, %eax
                                   movb  %al, null_byte
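An added worked example (not from the slides): the zero-byte problem just described, in C. It encodes the same "eax = 11, then trap" fragment two ways, reports which one strcpy() would truncate, and lays out the egg exactly as the next slide draws it: NOP sled, exploit code, then the return address repeated to the end of the buffer. The opcode fragments, the return address 0xbffff5a0 and the buffer size are constructed for the demonstration; they are not a complete or live shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Two i386 encodings of "eax = 11 (execve), then trap into the kernel".
 * Constructed fragments for the NUL-byte check, not a complete shellcode. */
static const uint8_t naive_code[] = {
    0xb8, 0x0b, 0x00, 0x00, 0x00,   /* movl $0xb,%eax : 32-bit immediate, three NULs */
    0xcd, 0x80                      /* int  $0x80                                     */
};
static const uint8_t nulfree_code[] = {
    0x31, 0xc0,                     /* xorl %eax,%eax : eax = 0 without a NUL byte    */
    0xb0, 0x0b,                     /* movb $0xb,%al  : 8-bit immediate, no NUL        */
    0xcd, 0x80                      /* int  $0x80                                     */
};

/* Index of the first NUL byte in code[0..n), or -1 if there is none.
 * strcpy() stops at the first NUL, so anything after it never reaches the stack. */
long first_nul(const uint8_t *code, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (code[i] == 0)
            return (long)i;
    return -1;
}

/* Lay out the egg: [NOP sled][exploit code][return address, repeated to the end].
 * ret_addr is the guess at where the sled will land on the victim's stack.
 * Returns the number of bytes written, or 0 if the egg could not survive strcpy(). */
size_t build_egg(uint8_t *egg, size_t cap,
                 const uint8_t *code, size_t code_len,
                 uint32_t ret_addr, size_t sled_len)
{
    uint8_t ra[4] = {                       /* little-endian, as it sits in memory on i386 */
        (uint8_t)(ret_addr & 0xff), (uint8_t)(ret_addr >> 8),
        (uint8_t)(ret_addr >> 16),  (uint8_t)(ret_addr >> 24)
    };
    size_t n;

    if (first_nul(code, code_len) >= 0)     /* the code would be truncated    */
        return 0;
    if (first_nul(ra, sizeof ra) >= 0)      /* the address would be truncated */
        return 0;
    if (sled_len + code_len + sizeof ra > cap)
        return 0;

    memset(egg, 0x90, sled_len);            /* 0x90 = nop */
    n = sled_len;
    memcpy(egg + n, code, code_len);
    n += code_len;
    while (n + sizeof ra <= cap) {          /* fill to the end with the address */
        memcpy(egg + n, ra, sizeof ra);
        n += sizeof ra;
    }
    return n;
}

/* Drivers so the two encodings can be compared; egg_buf is the constructed 64-byte target. */
static uint8_t egg_buf[64];
long   naive_first_nul(void)      { return first_nul(naive_code, sizeof naive_code); }
long   nulfree_first_nul(void)    { return first_nul(nulfree_code, sizeof nulfree_code); }
size_t demo_naive_egg(void)       { return build_egg(egg_buf, sizeof egg_buf, naive_code, sizeof naive_code, 0xbffff5a0u, 32); }
size_t demo_nulfree_egg(void)     { return build_egg(egg_buf, sizeof egg_buf, nulfree_code, sizeof nulfree_code, 0xbffff5a0u, 32); }
size_t demo_bad_address_egg(void) { return build_egg(egg_buf, sizeof egg_buf, nulfree_code, sizeof nulfree_code, 0xbffff500u, 32); }
int    egg_byte(size_t i)         { return i < sizeof egg_buf ? egg_buf[i] : -1; }
```

Note that the return address is checked too: 0xbffff500 contains a zero byte and would cut the egg short just as the naive code does, which is one reason attackers pick an address inside the sled rather than its exact start.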

Using the buffer overflow attack

Three examples of situations in which we can use it:
1 A server (say a web server) that expects a query, and returns a response. The demo buffer overflow attack done in CS2107 was one of these.
2 A CGI/ASP or Perl script inside a web server.
3 A SUID root program on a UNIX system.

Example attack: find a program that has a buffer, and that does not check its bounds. Then deliver an EGG to it to overflow the buffer, overwriting the stack return address with the address of OUR code. When the function returns, the program runs OUR code.

Many attacks on Microsoft systems are based on various buffer overflow problems. CA-2003-20 W32/Blaster worm: "The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution..."

Memory attack 2: heap overflow (CS2107)

The normal free() and merge. The heap manager keeps free chunks on a doubly linked list. If p[1] points at a free chunk, then m[p[1]] is that chunk, m[p[1]][0] is its forward pointer and m[p[1]][1] is its backward pointer. The picture has three steps:

1 A chunk in use sits next to free chunks. free() is called on it ("return this one").
2 The freed chunk is merged with its free neighbours into one bigger free chunk.
3 The links are repaired, so the list skips the chunks that no longer exist separately.

Note that merging involves setting m[p[1]][0] to have the value in p[0]: the heap management software (the C library's allocator, which the slides call the OS garbage collector) automatically rewrites the forward and backward links, using the values found in the neighbouring chunks' links. That rewrite is the step the attacker abuses.

Memory attack 2: heap overflow (CS2107)

Consider the scenario where the attacker changes the pointers. By overflowing a heap buffer, the attacker overwrites the forward and backward links of the neighbouring free chunk with two values of their choosing: the address of the return vector (a location holding a return address) and the address of the bad code. The links are all messed up now. When the chunk is freed and merged, the heap manager rewrites the links exactly as before, but now the "neighbour" it writes into is the return vector, and the value it writes there is the address of the bad code. Later the return instruction is done (same as in the buffer overflow), and the system starts executing the bad code. The attacker uses the allocator's own link-merging code to write the address of malicious code into a return-address location, as for the buffer overflow.
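An added worked example (not from the slides) of the two heap slides above, in C. It models a free chunk with the fd/bk pair (the slide's m[p[1]][0] and m[p[1]][1]), performs the classic unchecked unlink that merging used to do, and shows that attacker-chosen links turn that unlink into a write of the "bad code" address into a "return vector". It then applies the later glibc "corrupted double-linked list" check, which refuses the same chunk. The chunk layout, the return-vector variable and the bad-code buffer are constructed stand-ins; a real allocator carries more header state than shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A free-chunk header in the style of the classic dlmalloc/glibc allocator. The slide's
 * m[p[1]][0] is fd and m[p[1]][1] is bk. (Assumption: the real header carries more state;
 * only the link pair matters for the unlink trick.) */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;           /* forward pointer in the free list  */
    struct chunk *bk;           /* backward pointer in the free list */
};

/* The old unchecked unlink done while merging: take p out of the list by making its
 * neighbours point at each other. Two memory writes, both addressed through p's links. */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;                /* write 1: *(p->fd + offsetof bk) = p->bk */
    bk->fd = fd;                /* write 2: *(p->bk + offsetof fd) = p->fd */
}

/* The later glibc "corrupted double-linked list" check: refuse unless both neighbours
 * really point back at p. Returns 0 on success, -1 if the links are inconsistent. */
static int unlink_checked(struct chunk *p)
{
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;
    unlink_unchecked(p);
    return 0;
}

/* Stand-ins for the slide's "return vector" and "bad code" (constructed for the demo).
 * bad_code is a union so that write 2, which lands inside it, hits aligned writable
 * memory; a real exploit jumps over the clobbered bytes. */
static struct chunk *saved_return;
static union { unsigned char bytes[64]; struct chunk hdr; } bad_code;

const void *bad_code_address(void) { return &bad_code; }

/* Healthy case: a <-> victim <-> b; after unlinking victim, a and b link to each other. */
int demo_healthy_unlink(void)
{
    struct chunk a = {0}, victim = {0}, b = {0};
    a.fd = &victim;  victim.bk = &a;
    victim.fd = &b;  b.bk = &victim;
    if (unlink_checked(&victim) != 0)
        return 0;
    return a.fd == &b && b.bk == &a;
}

/* Attack case: the overflow has set victim.fd so that fd->bk aliases saved_return,
 * and victim.bk to the bad code. */
static void corrupt_links(struct chunk *victim)
{
    victim->fd = (struct chunk *)((char *)&saved_return - offsetof(struct chunk, bk));
    victim->bk = &bad_code.hdr;
}

/* Returns what saved_return holds after the unchecked merge. */
const void *demo_corrupted_unlink_unchecked(void)
{
    struct chunk victim = {0};
    saved_return = NULL;
    corrupt_links(&victim);
    unlink_unchecked(&victim);  /* write 1 now stores &bad_code into saved_return */
    return saved_return;
}

/* Same corrupted chunk through the checked path: saved_return (NULL) != victim, refused. */
int demo_corrupted_unlink_checked(void)
{
    struct chunk victim = {0};
    saved_return = NULL;
    corrupt_links(&victim);
    return unlink_checked(&victim);
}
```

The point of the check is that a legitimate list is self-consistent: each neighbour's link points back at the chunk being removed. An attacker who controls only the victim's two pointers cannot make an arbitrary target location satisfy that, which is why this one comparison closes the classic unlink write.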

Stack, heap protection

Three methods to make buffer overflow attacks harder:
1 Do not allow execution of code in the stack segment (as in Mac OS X/OpenBSD): the EGG can still overwrite the return address, but jumping into it faults.
2 Randomly move the starting stack for processes, so the attacker's guessed return address (the copies at the end of the EGG) no longer lands in the sled.
3 Put a value just below the return address, between it and the buffer (a canary), and check it before doing a return from subroutine. It is hard to overwrite the return address without overwriting the canary.

The Memory/Mitigations paper from CS2107 is relevant here - I will bring a copy of it to class.

Windows 7 includes a wide range of protection against stack/heap overflows: removal of commonly targeted data structures, heap entry metadata randomization, a more complex chunk header, randomized heap base addresses, encoded function pointers, as well as the normal DEP and ASLR.
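An added worked example (not from the slides) covering both the "find a program that does not check its bounds" step from the attack description and the canary from item 3 above, in C. A struct stands in for the stack frame drawn earlier (buffer, then canary, then saved return address, at rising addresses) so the overflow stays inside defined memory; the buggy copy, the bounds-checked replacement and the epilogue's canary test are shown side by side. The canary value and the legitimate return address are constructed constants; a real implementation picks the canary at random per process.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated stack frame, laid out as in the slide's picture: the buffer, then the
 * canary, then the saved return address at the highest address. (Assumption: a struct
 * standing in for the real frame so the overflow never leaves defined memory.) */
struct frame {
    char     buf[16];
    uint32_t canary;
    uint32_t ret;
};

#define CANARY_VALUE 0xdeadc0deu      /* constructed; a real runtime picks this per process */
#define LEGIT_RETURN 0x08048400u      /* constructed stand-in for the caller's address      */

/* The buggy copy: like strcpy() into buf, with no check against sizeof buf. The copy
 * starts at buf (offset 0) and is capped at the frame size only so the demo stays in it. */
size_t frame_copy_unchecked(struct frame *f, const char *input, size_t len)
{
    f->canary = CANARY_VALUE;
    f->ret    = LEGIT_RETURN;
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, input, len);    /* runs over canary and ret when len > 16 */
    return len;
}

/* The fixed copy: refuse input that does not fit, leaving canary and ret untouched. */
int frame_copy_checked(struct frame *f, const char *input, size_t len)
{
    f->canary = CANARY_VALUE;
    f->ret    = LEGIT_RETURN;
    if (len >= sizeof f->buf)
        return -1;
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

/* The function epilogue's test, done before f->ret is used: 1 = safe to return. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Drivers: each returns what the epilogue would see. The 24-byte input is 16 'A'
 * (fills buf), 4 'B' (lands on the canary) and 4 'C' (lands on the return address). */
static struct frame g;
static const char *overflow = "AAAAAAAAAAAAAAAABBBBCCCC";

int      demo_short_input(void)       { frame_copy_unchecked(&g, "hello", 5); return canary_intact(&g); }
int      demo_overflow_detected(void) { frame_copy_unchecked(&g, overflow, 24); return canary_intact(&g); }
uint32_t demo_overflow_ret(void)      { frame_copy_unchecked(&g, overflow, 24); return g.ret; }
int      demo_checked_rejects(void)   { return frame_copy_checked(&g, overflow, 24); }
int      demo_checked_intact(void)    { frame_copy_checked(&g, "hello", 5); return canary_intact(&g); }
```

With the unchecked copy the return address ends up as 0x43434343 ("CCCC"), but the canary has become "BBBB" on the way, so the epilogue check fires before that address is ever used. The checked copy never gets that far: it rejects the input outright.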


OpenSSL Heartbeat

What is a heartbeat in OpenSSL? A heartbeat is a recent (February 2012) extension to TLS, to allow a client to check if a TLS server is still alive (rather than tearing down a connection and renegotiating). It is described in https://tools.ietf.org/html/rfc6520. The general idea is that clients can request a heartbeat, sending a heartbeat_request message with this structure:

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[payload_length];
        ...
    } HeartbeatMessage;

The server will send back the payload in a matching heartbeat_response.

What is the issue? What if the client lied about the payload_length?

OpenSSL Heartbeat, Hearts bleed

(Figure: request and response differ. The request claims a payload_length longer than the payload it actually carries, and the response comes back with that many bytes, the extra ones being whatever the server had in memory after the request.)

OpenSSL Heartbeat

Original openssl-1.0.1f/ssl/d1_both.c:

    ...
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;
    ...

The original source gets the type from the record that p points to, and puts it into hbtype. It then reads the next two bytes (big-endian) into the variable payload and advances p past them. This is the length of the payload, and it is taken from the wire without checking. The variable pl is the actual payload, which is later echoed back, using the length value without any more checking: the copy that builds the response reads payload bytes from wherever pl points, whether or not the record received was that long.

Fixed openssl-1.0.1g/ssl/d1_both.c:

    ...
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    pl = p;
    ...

(There is a little more, but that is the general idea: the claimed payload length, plus the type byte, the two length bytes and the minimum 16 bytes of padding, must fit inside the length of the record that actually arrived.)
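An added worked example (not OpenSSL's code) that runs the 1.0.1f logic and the 1.0.1g check side by side over a constructed heartbeat record. The record is built into a small array whose bytes beyond rrec.length are filled with 'S' to stand in for whatever else was adjacent in the process; the response buffer and its size limit are also constructed for the demo, so the only out-of-bounds read is the simulated one. Everything else, the type and length parsing, the 16 bytes of padding and the two length checks, follows the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING      16

/* Simulated process memory: the received record sits at the front and everything after
 * rrec.length stands in for whatever else happened to be adjacent ('S' for "secret").
 * Constructed for the demo. */
static uint8_t memory[256];
static uint8_t response[256];

/* Build a HeartbeatRequest whose header claims claimed_len payload bytes but actually
 * carries real_payload. Returns rrec.length, the number of bytes that really arrived. */
size_t build_record(uint16_t claimed_len, const char *real_payload)
{
    size_t real = strlen(real_payload);
    memset(memory, 'S', sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);          /* payload_length, big-endian */
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 3, real_payload, real);
    memset(memory + 3 + real, 0, HB_PADDING);         /* the minimum 16 bytes of padding */
    return 1 + 2 + real + HB_PADDING;
}

/* Shared echo: build the response from the parsed fields as both versions do. */
static size_t echo(const uint8_t *pl, uint16_t payload)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > sizeof response)                   /* demo bound only; 1.0.1f had none */
        return 0;
    response[0] = TLS1_HB_RESPONSE;
    response[1] = (uint8_t)(payload >> 8);
    response[2] = (uint8_t)(payload & 0xff);
    memcpy(response + 3, pl, payload);                /* reads past the record when payload lies */
    memset(response + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* openssl-1.0.1f logic: trust payload_length from the wire. Returns the response length. */
size_t heartbeat_vulnerable(const uint8_t *p, size_t rrec_length)
{
    uint8_t hbtype;
    uint16_t payload;
    const uint8_t *pl;
    (void)rrec_length;                                /* never consulted: that is the bug */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);         /* n2s(p, payload) */
    p += 2;
    pl = p;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return echo(pl, payload);
}

/* openssl-1.0.1g logic: check the claimed length against what was actually received. */
size_t heartbeat_fixed(const uint8_t *p, size_t rrec_length)
{
    uint8_t hbtype;
    uint16_t payload;
    const uint8_t *pl;
    if (1 + 2 + HB_PADDING > rrec_length)
        return 0;                                     /* silently discard */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rrec_length)
        return 0;                                     /* silently discard */
    pl = p;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return echo(pl, payload);
}

/* How many out-of-record ('S') bytes ended up in the payload of the last response of length n. */
size_t leaked_bytes(size_t n)
{
    size_t count = 0;
    for (size_t i = 3; i + HB_PADDING < n; i++)
        if (response[i] == 'S')
            count++;
    return count;
}
```

A request claiming 200 bytes while sending "hello" gets a 219-byte response from the vulnerable path, 179 bytes of which came from beyond the record; the fixed path discards the same request and answers only the honest one.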


DVD security

What is the point of DVD regions? The DVD CSS (Content Scrambling System) is a data encryption scheme, developed by commercial interests to stop copying... but it is easy to copy a DVD bit for bit: CSS only prevents decrypting, changing and re-recording. The CSS algorithm details are a trade secret. Every DVD carries its disk key encrypted under each of a master set of around 400 licensed player keys, and a DVD player uses its own player key to recover the key needed to decrypt data from the disc.

Linux and the CSS: Linux users were excluded from access to CSS licenses because of the open-source nature of Linux. The source code for decoding DVDs is available on a T-shirt, because in October 1999, hobbyists/hackers in Europe cracked the CSS algorithm. Since then DVD industry players have been trying to prevent distribution of any software

DVD security

What do we learn? The lesson to learn from this is that security-through-obscurity is a very poor strategy. The source code and detailed descriptions for a CSS descrambler are available at: http://www-2.cs.cmu.edu/~dst/decss/gallery/

Description of the key/descrambling process: first one must have a master key, which is unique to the DVD player manufacturer. It is also known as a player key. The player reads an encrypted disk key from the DVD, and uses its player key to decrypt the disk key. Then the player reads the encrypted title key for the file to be played. (The DVD will likely contain multiple files, typically 4 to 8, each with its own title key.) It uses the decrypted disk key (DK) to decrypt the title key. Finally, the decrypted title key, TK, is used to descramble the actual content.

DVD security

Confusion and diffusion... The descrambler itself, in deliberately obfuscated C: it reads a 5-byte title key from standard input, then 2048-byte sectors, descrambles those flagged as scrambled, and writes each sector out (the spacing garbled by extraction and the missing include are restored; the obfuscation is the original's):

    #include <unistd.h>
    #define m(i)(x[i]^s[i+84])<<
    unsigned char x[5],y,s[2048];int main(int n){for(read(0,x,5);read(0,s,n=2048);
    write(1,s,n))if(s[y=s[13]%8+20]/16%4==1){int i=m(1)17^256+m(0)8,k=m(2)
    0,j=m(4)17^m(3)9^k*2-k%8^8,a=0,c=26;for(s[y]-=16;--c;j*=2)
    a=a*2^i&1,i=i/2^j&1<<24;for(j=127;++j<n;c=c>y)c+=y=i^i/8^i>>4^
    i>>12,i=i>>8^y<<17,a^=a>>14,y=a^a*8^a<<6,a=a>>8^y<<9,k=s
    [j],k="7Wo~'G_\216"[k&7]+2^"cr3sfw6v;*k+>/n."[k>>4]*2^k*257/8,s[j]=k^(k&k
    *2&34)*6^c+~y;}}