CS457 – Introduction to Information Systems Security – Software 3
Elias Athanasopoulos
Software Exploitation – High Level
CS-457
Vulnerable software (e.g., a web browser) receives input (a malicious web page).
Renders the malicious page -> exploit code runs:
- Collect gadgets
- Build ROP chain
- Execute ROP chain
Introduces new control flows -> HACKED
How does the ROP chain work? – use %esp as the instruction pointer
ROP chain (stack)        TEXT section (code)
Addr. of G1          ->  G1; ret
Addr. of G2          ->  G2; ret
Addr. of G3          ->  G3; ret
...
Addr. of GN          ->  GN; ret
Heap Overflows
Memory layout: Stack | Heap | Data | Text   (high address -> low address)
Vulnerability: corrupted VTable pointer (in the heap)
  -> indirect call (*)f()
  -> jump to gadget G1: "...; ret"
Attacker does NOT control the stack!
Stack Pivoting
Memory layout: Stack | Heap | Data | Text   (high address -> low address)
Vulnerability: corrupted VTable pointer (in the heap)
  -> indirect call (*)f()
  -> jump to gadget G1: "xchg %eax,%esp; ret"
Stack pivoting: force %esp to point to the heap, then execute the rest of the ROP chain
Defending ROP
Randomization
- ASLR – Address Space Layout Randomization
- Fine-grained randomization
  - Smashing the Gadgets
  - Binary Stirring
ASLR (demo)
Fine-grained Randomization
Shuffle instructions, without changing the semantics
Information Disclosure Bugs
String formatting bugs

    #include <stdio.h>

    int main(void)
    {
        char localStr[100];
        printf("Username? ");
        fgets(localStr, sizeof(localStr), stdin);
        printf(localStr);   /* bug: user input is used as the format string */
        printf("What is the access code? ");
        /* … */
        return 0;
    }

Example input: localStr = "AAAA %08x %08x %08x";
Each %08x makes printf read a word it was never given as an argument, so the call discloses memory contents (on 32-bit x86, words from the stack).
Just-in-time ROP
Control-Flow Integrity (CFI)
Ideal CFI
Two problems:
1) CFG discovery (especially in legacy apps)
2) Performance of the checks
Coarse-grained (loose) CFI
Gadgets under CFI
Linking Gadgets under CFI
Exploitation under CFI
Run-time ROP detection (kBouncer)
kBouncer
kBouncer Checks
- Call-ret pairing (coarse-grained CFI)
- Heuristics
  - Up to 20 instructions is considered a gadget
  - 6 gadgets in a row is considered an attack
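A toy model of the two kBouncer checks listed above, added here as an example; it is not code from the slides or from kBouncer itself. It assumes the input is a list of return records of the kind kBouncer inspects at a system call (target address, whether the target is call-preceded, instructions executed since the previous branch); the sample traces and addresses are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
/* Thresholds as stated on the kBouncer Checks slide. */
#define GADGET_MAX_INSNS 20  /* <= 20 instructions ending in a ret is gadget-like */
#define CHAIN_THRESHOLD   6  /* 6 gadget-like rets in a row is treated as an attack */
/* One entry per executed `ret` in the (assumed) branch record inspected at a
 * system call: where it returned to, whether that address directly follows a
 * call instruction, and how many instructions ran since the previous branch. */
struct ret_record { unsigned long target; bool call_preceded; unsigned insns_since_last; };
enum verdict { VERDICT_OK = 0, VERDICT_BAD_RET = 1, VERDICT_GADGET_CHAIN = 2 };

/* Check 1 (coarse-grained CFI): every ret must land on a call-preceded address. */
static bool violates_call_ret_pairing(const struct ret_record *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!r[i].call_preceded) return true;
    return false;
}

/* Check 2 (heuristic): length of the longest run of consecutive gadget-like rets. */
static unsigned longest_gadget_run(const struct ret_record *r, size_t n)
{
    unsigned run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        run = (r[i].insns_since_last <= GADGET_MAX_INSNS) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

enum verdict kbouncer_check(const struct ret_record *r, size_t n)
{
    if (violates_call_ret_pairing(r, n)) return VERDICT_BAD_RET;
    if (longest_gadget_run(r, n) >= CHAIN_THRESHOLD) return VERDICT_GADGET_CHAIN;
    return VERDICT_OK;
}

/* Constructed sample traces; the addresses are placeholders, not from a real binary. */
static const struct ret_record benign_trace[] = {
    {0x401000, true, 150}, {0x402000, true, 40}, {0x403000, true, 12}, {0x404000, true, 230} };
/* ROP chain: every landing site is call-preceded, so pairing passes, but six
 * short gadgets execute back to back, so the length heuristic fires. */
static const struct ret_record rop_trace[] = {
    {0x401003, true, 2}, {0x401010, true, 3}, {0x401020, true, 1},
    {0x401031, true, 4}, {0x401042, true, 2}, {0x401050, true, 3} };
/* A ret into the middle of a function body (target is not call-preceded). */
static const struct ret_record unpaired_trace[] = { {0x401000, true, 150}, {0x40abcd, false, 3} };
enum verdict check_benign(void)   { return kbouncer_check(benign_trace, 4); }
enum verdict check_rop(void)      { return kbouncer_check(rop_trace, 6); }
enum verdict check_unpaired(void) { return kbouncer_check(unpaired_trace, 2); }
```

The ROP trace passes the pairing check and is caught only by the length heuristic, which is why the two checks are complementary.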
kBouncer Heuristics
Bypassing kBouncer
kBouncer bypass PoC