Failure Of DEP And ASLR


Talk on the recent IE8 exploit for pwn2own 2010

Published in: Technology

Failure Of DEP And ASLR

  2. DEP – Data Execution Prevention
  3. DEP
     - DEP – Data Execution Prevention: a protection mechanism that prevents execution of code from memory pages marked non-executable.
     - This prevents an attacker from running shellcode on the stack, on the heap or in data segments.
     - Hardware now supports the NX bit – NX for No-eXecute.
     - Two types of DEP – software and hardware protection.
  5. DEP @ RUNTIME
     - The KPROCESS structure contains the DEP information.
     - The DEP flag is set or queried with:
       Query – NtQueryInformationProcess
       Set – NtSetInformationProcess
     - The flag is contained in ProcessExecuteFlags.
     - Example (kernel debugger, calc.exe):

         0: kd> !process 0 0 calc.exe
         PROCESS 849f3a90  SessionId: 1  Cid: 1474    Peb: 7ffdd000  ParentCid: 077c
             DirBase: 7dc5c820  ObjectTable: a694ce68  HandleCount:  52.
             Image: calc.exe

         0: kd> dt nt!_KPROCESS 849f3a90 -r
            +0x06b Flags : _KEXECUTE_OPTIONS
               +0x000 ExecuteDisable : 0y1
               +0x000 ExecuteEnable : 0y0
               +0x000 DisableThunkEmulation : 0y1
               +0x000 Permanent : 0y1
               +0x000 ExecuteDispatchEnable : 0y0
               +0x000 ImageDispatchEnable : 0y0
               +0x000 DisableExceptionChainValidation : 0y1
               +0x000 Spare : 0y0

     - ExecuteDisable – “Disable execution from non-executable memory”
  6. CHEAT BY DEP – DisableThunkEmulation
     - The ATL library relies on some code being executed from writable memory, so the application has to be allowed to run code from the heap.
     - When a program attempts to execute code on a non-executable page, the kernel calls KiEmulateAtlThunk to check for ATL thunk sequences.
     - If an ATL sequence is found, the kernel emulates the thunk and continues as if nothing had happened.
  7. NOW THE FUN PART – WEAKNESS
     - Incompatible applications – remember the OptIn policy.
     - R+W+X mappings – the JVM and programs running on Java have such mappings.
     - *Return-2-libc attacks: find the page mapping and protection functions and change the default permissions on the page; create a process from the dump that is produced in memory.
     - Just-In-Time compilers are making the situation worse.
     - *Return Oriented Programming – the modern ret2libc.
     - Runtime disabling of DEP: find the position of NtSetInformationProcess and change the permission at runtime. This technique only works under the OptIn / OptOut policies.
     - * Explanation on board
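A defender-side check for the state discussed on slides 5 to 7, added here as an example and not code from the talk: it maps the results of the documented kernel32 GetProcessDEPPolicy / GetSystemDEPPolicy calls onto the _KEXECUTE_OPTIONS names shown in the debugger output (calc.exe above decodes as flags 0x3, Permanent 1) and encodes the talk's condition for when DEP could still be switched off at runtime. The pid argument and the PROCESS_QUERY_INFORMATION access right are assumptions about how it is invoked.

```python
import ctypes
import sys

# Flag bits returned by kernel32!GetProcessDEPPolicy (public API over the KPROCESS bits on the slide)
PROCESS_DEP_ENABLE = 0x1
PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = 0x2
# DEP_SYSTEM_POLICY_TYPE values returned by kernel32!GetSystemDEPPolicy
SYSTEM_POLICY = {0: "AlwaysOff", 1: "AlwaysOn", 2: "OptIn", 3: "OptOut"}


def decode_process_dep(flags, permanent):
    """Map GetProcessDEPPolicy output onto the _KEXECUTE_OPTIONS names from the slide."""
    return {
        "ExecuteDisable": bool(flags & PROCESS_DEP_ENABLE),
        "DisableThunkEmulation": bool(flags & PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION),
        "Permanent": bool(permanent),
    }


def runtime_disable_possible(system_policy, process_state):
    """The talk's condition: DEP can be switched off at runtime only under the
    OptIn/OptOut system policies, and only while the process flag is not Permanent."""
    policy = SYSTEM_POLICY.get(system_policy, "Unknown")
    return policy in ("OptIn", "OptOut") and not process_state["Permanent"]


def query_process_dep(pid):
    """Windows only: read the DEP state of a running process (documented for 32-bit processes).
    Assumes the caller may open the target with PROCESS_QUERY_INFORMATION (assumption)."""
    if sys.platform != "win32":
        raise OSError("GetProcessDEPPolicy exists only on Windows")
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.GetProcessDEPPolicy.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    PROCESS_QUERY_INFORMATION = 0x0400
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        flags, permanent = ctypes.c_ulong(), ctypes.c_int()
        if not k32.GetProcessDEPPolicy(handle, ctypes.byref(flags), ctypes.byref(permanent)):
            raise ctypes.WinError()
    finally:
        k32.CloseHandle(handle)
    state = decode_process_dep(flags.value, permanent.value)
    policy = k32.GetSystemDEPPolicy()
    state["SystemPolicy"] = SYSTEM_POLICY.get(policy, "Unknown")
    state["RuntimeDisablePossible"] = runtime_disable_possible(policy, state)
    return state


if __name__ == "__main__":
    print(query_process_dep(int(sys.argv[1])))  # usage: python dep_check.py <pid>
```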
  8. ASLR – Address Space Layout Randomization
  9. ASLR
     - ASLR – Address Space Layout Randomization: randomizes the addresses at which objects are placed in the virtual address space of a given process.
     - ASLR randomizes the location of PE/MZ files that are mapped into virtual memory, as well as heaps, stacks, the PEB and the TEB.
     - It provides random stack and heap allocations and image load addresses every time a process starts.
     - Thus even if the process is compromised, the attacker cannot reliably execute shellcode; the best chance is 1/254 or 2/255.
  10. ASLR – Image Randomization
     - Designed to randomly position both executables and DLLs.
     - This randomization is system wide and cannot be switched off at runtime.
     - A registry entry controls how ASLR is applied to images:
       Respect the base address in the PE header
       Randomize all, even those which are incompatible
       Randomize only those which are compatible – default
  11. ASLR – DLL Randomization
     - A DLL must be loaded at the same address in each process that uses it, to allow the physical memory used by the DLL to be shared.
     - When the same DLL is loaded again, its section object – a section object represents a section of memory that can be shared – is reused and it is mapped at the same virtual addresses, e.g.:
       50960000 50960000 50A28000 50A8C000 50AF0000 50B54000 50BB8000
     - _MiImageBitMap – a bitmap of size 0x2800 that records every 64KB-aligned position.
     - Loading of DLLs into a process is also randomized, by SmpRandomizeDllList.
  12. ASLR – Stack Randomization – 2-fold randomization
     - The base of the stack is chosen randomly. This is implemented by searching for holes in the virtual memory of the process; holes are regions where a series of pages is not mapped into memory.
     - The choice of hole is randomized by a 5-bit random function.
     - Then a 9-bit random value y is derived from the time stamp, and Offset = y * 4 – for 32-bit alignment of the stack.
  13. THE FUN PART
     - Incompatible DLLs – statically positioned DLLs and executables. These can be brought in by initializing 3rd-party ActiveX components or plugins in your browser:
       A specially crafted data packet that results in the loading of the DLL used for parsing the “special” data
       Embedded media of various types that require loading a specific library to parse the data, e.g. image, video or Flash content
     - *Partially static objects – this concept is basically the mother of all spraying techniques used in bypassing ASLR. For example, a heap allocation is randomized within 2 MB, but what happens when we allocate data of a much greater size, e.g. 500 MB or similar?
     - * Explanation on board
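Slide 10 says the default image policy randomizes only compatible images, and slide 13 points at statically positioned third-party DLLs and plugins as the weak spot; the way a defender finds those modules is to read the opt-in bits from each PE header. The following is an added example (not code from the talk) that parses the DllCharacteristics field of a PE32 or PE32+ optional header for the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits; the minimal header built by build_test_image is constructed for testing and is not a real binary.

```python
import struct
import sys

# DllCharacteristics bits in the PE optional header (same offset in PE32 and PE32+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opted in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opted in to DEP


def pe_mitigation_flags(data):
    """Return whether a PE image (bytes) opts in to ASLR and DEP."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics field
    return {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_test_image(dll_chars):
    """Constructed minimal PE32 header (not a real binary) carrying the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Audit the files given on the command line: a module lacking either bit is one of the
    # statically positioned / DEP-incompatible images the slides describe.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            flags = pe_mitigation_flags(f.read())
        print("%-40s ASLR=%-5s DEP=%s" % (path, flags["dynamic_base"], flags["nx_compat"]))
```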
  14. THE FUN PART
     - *Partial overwrites – as demonstrated earlier, the low 2 bytes of an address are not randomized, so we can do a partial overwrite of either 1 or 2 bytes of an address on the stack. That is enough to jump to any location relative to the original position within a maximum of 0xffff bytes.
     - *Memory information leakage – I discussed it in the null IRC channel this week. Implications include obtaining a module base address, the stack base address, the heap base address, or TEB and PEB leakages.
     - * Explanation on board
  15. Research