English for Computer Science II Software(Runtime) Attacks Amir Neziri & Jurlind Budurushi Source: [6]
Speaker notes (2/3/2011)

  • Hello to everyone and welcome to our presentation. The topic of our presentation is "Software Attacks".
  • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • Stealing Votes with ROP: http://www.youtube.com/watch?v=lsfG3KPrD1I
  • How many people have pay TV?
  • Push elements onto the stack (SP is decremented). Pop elements off the stack (SP is incremented).
  • Can you see the problem?

Slides
Slide 2: Where do we use Software Attacks? (1)
  - Internet (confidentiality, anonymity, authentication)
5/12/2011 | Department 20 | B. IT Nieh | Software(Runtime) Attacks | A. Neziri & J. Budurushi

Slide 3: Overview - Software Attacks
  - OWASP Top 10 for 2010
    - A1: Injection
    - A2: Cross-Site Scripting (XSS)
    - A3: Broken Authentication and Session Management
    - A4: Insecure Direct Object References
    - A5: Cross-Site Request Forgery (CSRF)
    - A6: Security Misconfiguration
    - A7: Insecure Cryptographic Storage
    - A8: Failure to Restrict URL Access
    - A9: Insufficient Transport Layer Protection
    - A10: Unvalidated Redirects and Forwards

Slide 4: Where do we use Software Attacks? (2)
  - e-voting

Slide 5: Where do we use Software Attacks? (3)
  - Bank Card payment

Slide 6: Where do we use Software Attacks? (4)
  - TV decoder

Slide 7: Overview of Software(Runtime) Attacks
  - Buffer Overflows (BO)
    - Stack Smashing, Heap Overflow, Integer Overflow, Format String
  - Return-into-Libc
  - Return-Oriented Programming (ROP)
  - Return-Oriented Programming without Returns

Slide 8: Content
  - Buffer Overflows (BO)
    - Stack Smashing
  - Return-Oriented Programming (ROP)
  - Live Demo Buffer Overflow

Slide 9: We present…
  - Buffer Overflow Attack

Slide 10: BO Vulnerabilities: Statistics
  - Still a major threat (e.g. in Internet Explorer or Acrobat Reader, etc.)
Source: [6]

Slide 11: The Stack Frame
Source: [6]

Slide 12: The Stack Frame (cntd.)
  - The stack is a last in, first out (LIFO) memory
    - The Stack Pointer (SP) points to the top word on the stack
  - The stack can be accessed by two basic operations
    - Push and pop elements onto/off the stack (SP is decremented/incremented)
  - The stack is divided into the following segments:
    - Function arguments
    - Return address
    - Saved Base Pointer
    - Local variables

Slide 13: Vulnerable program
  - Simple echo program suffering from a stack overflow vulnerability
Source: [6]
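The slides show the echo program only as a figure, so here is an added example (not code from the slides or from source [6]) of the same program with the defect removed: the unbounded gets(buffer) is replaced by a reader that never writes more than the buffer size, always NUL-terminates, and reports when part of a line had to be discarded. The function names, the deliberately small 8-byte buffer and the constructed test inputs are assumptions for illustration; the tmpfile()-based helpers exist only so the reader can be exercised without typing input.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 8   /* deliberately small so an overlong line is easy to construct */

/* Vulnerable shape from slide 13, kept as a comment: gets() takes no length
 * argument, so a line longer than BUF_SZ-1 characters is written past the
 * buffer and over the saved base pointer and return address above it.
 *     char buffer[BUF_SZ];
 *     gets(buffer);
 */

/* Hardened echo reader: writes at most n bytes into buf, always leaves a
 * NUL-terminated string there, strips the trailing newline and sets
 * *truncated when input had to be thrown away. Returns bytes kept. */
size_t read_line_bounded(FILE *in, char *buf, size_t n, int *truncated)
{
    *truncated = 0;
    if (n == 0) return 0;
    if (fgets(buf, (int)n, in) == NULL) {   /* EOF or error: empty line */
        buf[0] = '\0';
        return 0;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {  /* whole line fit in the buffer */
        buf[--len] = '\0';
        return len;
    }
    /* No newline in the buffer: the line was longer than n-1 bytes or ended
     * at EOF. Drain to end of line so the next read starts on a fresh line,
     * and flag truncation only if real characters were discarded. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;
    return len;
}

/* Test helpers: feed a constructed input string through the reader using an
 * 8-byte buffer. tmpfile() is ISO C, so this stays portable. */
static size_t kept_from(const char *input, int *truncated)
{
    char buf[BUF_SZ];
    FILE *in = tmpfile();
    if (in == NULL) { *truncated = 0; return 0; }
    fputs(input, in);
    rewind(in);
    size_t kept = read_line_bounded(in, buf, sizeof buf, truncated);
    fclose(in);
    return kept;
}
int kept_bytes(const char *input)    { int t; return (int)kept_from(input, &t); }
int was_truncated(const char *input) { int t; kept_from(input, &t); return t; }

int main(void)
{
    char buf[BUF_SZ];
    int truncated;
    /* Echo loop with the same behaviour as the slide's program, minus the overflow. */
    for (;;) {
        size_t kept = read_line_bounded(stdin, buf, sizeof buf, &truncated);
        if (kept == 0 && feof(stdin)) break;
        printf("%s%s\n", buf, truncated ? " [line truncated]" : "");
    }
    return 0;
}
```

With the 8-byte buffer, "hello" is echoed unchanged, a 16-character line is cut to 7 characters and flagged, and a line of exactly 7 characters is kept whole without a truncation flag. The return address is never reachable because fgets() stops at n-1 bytes regardless of the input length; the truncation flag matters for detection, since an application that logs it can tell when it is receiving overlong input.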
Slide 14: Buffer Overflow
  - Attack Example

Slides 15-24: Buffer overflow step by step (figures from source [6])
  (1) Program starts
  (2) The echo() function is called
  (3) The call instruction pushes the return address onto the stack
  (4) Allocation of the saved base pointer and the buffer
  (5) echo() calls the gets(buffer) function
  (6) The adversary transmits malicious code
  (7) The malicious code contains shellcode, pattern bytes, ...
  (8) ..., and a new return address
  (9) Before echo() returns to main, SP is updated
  (10) echo() issues return, resulting in execution of the shellcode

Slide 25: BO - Countermeasures
  - W xor X
  - ASLR – Address Space Layout Randomization
  - Compiler Extensions
  - Stack shadowing
  - Run up-to-date software
  - Use security software (Firewall, Anti-Virus, Anti-spyware…)
Slides 26-28: ROP – The Big Picture
Source: [6]

Slide 29: ROP – Architectures
  - ROP attacks are applicable on a broad range of architectures:
    - Intel x86
    - The SPARC Machine
    - Atmel AVR
    - Z80 Voting Machines
    - PowerPC
    - ARM

Slide 30: ROP – General idea
  - Use small instruction sequences instead of using whole functions
  - Instruction sequences range from 2 to 5 instructions
  - All sequences end with a "ret" instruction
  - Instruction sequences are chained together into a gadget
  - A gadget performs a particular task (e.g. load/store, xor, ...)
  - Combine more gadgets for the desired actions

Slide 31: ROP
  - Attack Example

Slides 32-42: ROP step by step (figures from source [6])
  - Waiting for input from user
  - Attacker overflows the buffer
  - Input contains ret-addresses and one argument
  - 1st sequence is executed
  - "ret" instruction transfers control
  - Transfers control from 2nd to 3rd instruction
  - POP argument from stack
  - "ret" has been reached
  - Transfers control from 3rd to 4th instruction
  - Transfers control from 1st gadget to the 2nd
  - Transfers control from 1st sequence to the 2nd

Slide 43: ROP - Countermeasures
  - Compiler based solutions
    - Canary before the ret-address, shadow stack
    - Problem: not able to detect unintended instruction sequences
  - Hardware based solutions
    - HW to enforce ret-address protection
    - Problem: requires new/specific hardware
  - Dynamic Binary Instrumentation based on a JIT compiler
    - Allows detection of unintended instruction sequences
    - Problem: high performance overhead
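Slide 25 lists compiler extensions and stack shadowing, and slide 43 names the concrete mechanisms: a canary placed before the return address and a shadow stack. The following added example (not code from the slides or from source [6]) simulates both checks on a hand-built 32-byte frame laid out as on slide 12, so the detection logic can be run without touching the real machine stack. The canary constant, the frame offsets, the saved base pointer and return address values and the overlong inputs are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated frame (low to high addresses), as on slide 12 with a canary
 * inserted between the local buffer and the saved base pointer:
 *   [ buffer 8 bytes ][ canary ][ saved BP ][ return address ]          */
enum { BUF_SZ = 8, OFF_CANARY = 8, OFF_BP = 16, OFF_RET = 24, FRAME_SZ = 32 };

/* Constructed canary. A real implementation draws it from a random source
 * at process start; the leading zero byte makes C-string copies stop early. */
static const uint64_t CANARY = 0x00c0ffee5ca1ab1eULL;

/* Shadow stack: a separate copy of every pushed return address, compared
 * against the frame on every return. */
enum { SHADOW_MAX = 16 };
static uint64_t shadow[SHADOW_MAX];
static size_t   shadow_top;

static uint64_t load64(const unsigned char *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void     store64(unsigned char *p, uint64_t v) { memcpy(p, &v, 8); }

/* Steps (3)/(4) of the slides: the call pushes the return address, the
 * prologue saves BP and reserves the buffer; an instrumented prologue also
 * plants the canary and records the return address on the shadow stack. */
void sim_call(unsigned char *frame, uint64_t ret_addr)
{
    memset(frame, 0, FRAME_SZ);
    store64(frame + OFF_RET, ret_addr);
    store64(frame + OFF_BP, 0x7ffd0000ULL);       /* constructed saved BP */
    store64(frame + OFF_CANARY, CANARY);
    if (shadow_top < SHADOW_MAX) shadow[shadow_top++] = ret_addr;
}

/* Steps (5)/(6): the unbounded copy that gets(buffer) performs. It is
 * confined to our own 32-byte frame array so the simulation stays defined,
 * but it deliberately does not check against BUF_SZ. */
void sim_gets(unsigned char *frame, const char *input, size_t len)
{
    if (len > FRAME_SZ) len = FRAME_SZ;
    memcpy(frame, input, len);
}

/* Compiler-based check: the canary is verified before the epilogue runs. */
int canary_intact(const unsigned char *frame)
{
    return load64(frame + OFF_CANARY) == CANARY;
}

/* Shadow-stack check: pop the recorded return address and compare it with
 * the one the frame is about to return to. */
int shadow_matches(const unsigned char *frame)
{
    uint64_t expected = shadow_top ? shadow[--shadow_top] : 0;
    return load64(frame + OFF_RET) == expected;
}

/* One call / copy / return cycle. Returns a bitmask: bit 0 set when the
 * canary check passes, bit 1 set when the shadow stack check passes, so
 * 3 means a clean return and 0 means both checks detected corruption. */
int run_scenario(const char *input, size_t len)
{
    unsigned char frame[FRAME_SZ];
    sim_call(frame, 0x401136ULL);                 /* constructed return address */
    sim_gets(frame, input, len);
    int result = 0;
    if (canary_intact(frame)) result |= 1;
    if (shadow_matches(frame)) result |= 2;
    return result;
}

int main(void)
{
    /* Constructed inputs: a short line, a 12-byte overrun that clips the
     * canary, and a 32-byte overrun that reaches the return address. */
    printf("short line : %d\n", run_scenario("hello", 5));
    printf("12-byte run: %d\n", run_scenario("AAAAAAAA" "AAAA", 12));
    printf("32-byte run: %d\n", run_scenario("AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA", 32));
    return 0;
}
```

The short line leaves both checks green (3). The 12-byte overrun stops inside the canary, so the return address is still correct and only the canary check fires (2); the 32-byte overrun overwrites the return address, so both the canary and the shadow stack report corruption (0). This is why slide 43 lists the two mechanisms together: the canary is checked first and catches any contiguous overwrite that crosses it, while the shadow stack compares the return address itself and does not depend on the canary value staying secret.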
Slide 44: Live Demo & Discussion
  - Buffer Overflow Attack

Slide 45: Questions???

Slide 47: References
  [1] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  [2] Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC Advantage. In Proceedings of EVT/WOTE 2009, 2009. http://www.youtube.com/watch?v=lsfG3KPrD1I
  [3] Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), 1996.
  [4] PaX Team. PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt
  [5] Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 552-561. ACM, 2007.
  [6] http://www.trust.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/LectureSlides/Chapter02%20-%20RuntimeAttacks.pdf