cs457 – introduction to information systems security software 3 elias athanasopoulos...

CS457 – Introduction to Information Systems Security

Software 3

Elias Athanasopouloselathan@ics.forth.gr

Elias Athanasopoulos 2

Software Exploitation – High Level

CS-457

Vulnerable Software (e.g., web browser)

Input (malicious web page)

Exploit Code

Renders malicious page

Exploit Runs Collect Gadgets

Build ROP Chain

Exec ROP Chain

Introduce new control

How the ROP chain works? –use esp as the instruction pointer

CS-457

ROP Chain TEXT Section (Code)

Addr. of G1

Addr. of G2

Addr. of G3

Addr. of GN

G1; ret

G2; ret

G3; ret

GN; ret

Heap Overflows

CS-457

Stack Heap Data Text

High Address Low Address

Vulnerability(VTable ptr)

(*)f()

Jump to Gadget

…; ret

Attacker does NOT control the stack!

Stack Pivoting

CS-457

Stack Heap Data Text

High Address Low Address

Vulnerability(VTable ptr)

(*)f()

Jump to Gadget

xchg %eax,%esp; ret

Stack Pivoting

Force %esp to point to

Execute the rest of the ROP chain

Defending ROP

CS-457

Randomization

ASLR- Address Space Layout Randomization

Fine-grained Randomization- Smashing the gadgets- Binary Stirring

CS-457

ASLR (demo)

CS-457

Fine-grained Randomization

Shuffle instructions, without changing the semantics

CS-457

Information Disclosure Bugs

String formatting bugsint main(){ char localStr[100]; printf("Username? "); fgets(localStr, sizeof(localStr), stdin); printf(localStr); printf("What is the access code? "); …}

CS-457

localStr = "AAAA %08x %08x %08x";

Just-in-time ROP

CS-457

Control-Flow Integrity (CFI)

CS-457

Ideal CFI

CS-457

Two problems:1) CFG discovery (especially in legacy apps)2) Performance in checks

Coarse-grained (loose) CFI

CS-457

Gadgets under CFI

CS-457

Linking Gadgets under CFI

CS-457

Exploitation under CFI

CS-457

Run-time ROP detection (kBouncer)

CS-457

kBouncer

CS-457

kBouncer Checks

call-ret pairing- Coarse-grained CFI

Heuristics- Up to 20 instructions is considered a gadget- 6 gadgets in a row is considered an attack

CS-457

kBouncer Heuristics

CS-457

Bypassing kBouncer

CS-457

kBouncer bypass PoC

CS-457

cs457 – introduction to information systems security software 3 elias athanasopoulos...

elias athanasopoulos22

elias athanasopoulos9

elias athanasopoulos8

elias athanasopoulos21

elias athanasopoulos14

elias athanasopoulos20

elias athanasopoulos6

elias athanasopoulos16

Documents

sockets programming in c using...

evolution management for preservation prelida consolidation...

real-time transport protocol matt boutell cs457: computer...

security michael foukarakis...

cs457 fall 2011 david kauchak

mind the (intelligibility) gap yannis tzitzikas, giorgos...

network layer -...

ΦΑΚΕΛΟΥ ΥΓΕΙΑΣ - ics.forth.gr · των...

prof. maria papadopouli university of crete ics-forth...

cs457/546a 1 chapter 7 roadmap

maximum entropy david kauchak cs457, spring 2011 some...

packet switching - colorado state...

cs457 – introduction to information systems security...

arc: protecting against http parameter pollution attacks...

quete: ontology-based query system for distributed sources...

http://. language modeling david kauchak cs457 – fall 2011...

final - ics.forth.gr · title: final.pdf author: alexis...

cs457 – introduction to information systems security...

function interoperability george athanasopoulos, ed fox,...

cs457 object-oriented databases chapters 21-22 as reference