Memory Attack - The Memory Attack Techniques

1. The Rise and Fall of   The Memory Attack Techniques 05. 26. Ubuntu Fest Kim Seong Min

2. Speaker Info 이름 : 김성민 직업 : 대학생 학번 : 16 (젊다!) 특기 : ARGOS 회장 취미 : 해킹 (멋있다!) 2

3. - Research Areas System / Network Security Reverse Engineering Mobile Application macOS / iOS Kernel Security - TMI Favorites : Drinking Alcohol…🤪, Playing Games My first “hello, world!” : 3 years ago Wanna be offensive security researcher :D 3

4. 목 차 1교시 메모리 공격이란? 2교시 스택을 때리자 3교시 창과 방패의 발전 4교시 질의응답

5. 메모리 공격이란? - Memory Bugs and Attack - Segmentation Fault - Types of Memory Bugs - Types of Memory Attack

6. 6 Memory Attack 시스템 해킹의 꽃 (메모리 공격 ⊂ 시스템 해킹) Attack : Trigger a vulnerability (Exploit) To write whatever I want in anywhere I want

7. 7 Memory Bugs and Attack Memory Bugs (Errors) != Memory Attack Every vulnerabilities are bugs,   but not every bugs are exploitable (maybe…?) [2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다

8. 8 Memory Bugs Typically, could be occurred because of unsafe languages (e.g. C, C++, …) Also cause segmentation fault sometimes Allow low-level memory access Allow weakly enforced typing Explicit memory management

9. 9 Segmentation Fault Notify an OS the software has attempted to access a restricted area of memory Good news for hackers or, you There are some memory errors that would be exploitable!

10. 10 Types of Memory Bugs De-reference pointer that is out of bounds

11. 11 Types of Memory Bugs De-reference pointer to the freed memory [pwnable.kr - Toddler’s Bottle] uaf, 8pt Dangling pointer

12. 12 Types of Memory Attack Code corruption Control-flow hijack Data-only Information leak “Eternal War in Memory” published in IEEE S&P Symposium, 2013

13. 13 Types of Memory Attack A Barresi, “Fighting the War in Memory”, 2014 Control-flow hijack

14. 14 Types of Memory Attack Information leak canary value (important information for security) output data should be interpreted

15. 스택을 때리자 - Memory Layout Overview - Stack Memory - Basic Stack-based Attack - NX Stack and Canaries - Return to Oriented Programming

16. 16 Memory Layout Overview 메모리 구조 (간단하게만!) TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 low high

17. 17 Memory Layout Overview TEXT (CODE) 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 프로그램 실행 코드가 여기 있음 - 기계어 들이 있음 low high

18. 18 Memory Layout Overview DATA & BSS 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 전역 변수, 정적 변수 등 - DATA : 초기화 된 데이터 - BSS : 초기화 되지 않은 데이터 low high

19. 19 Memory Layout Overview HEAP 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 동적 할당 영역 - malloc low high

20. 20 Memory Layout Overview STACK 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 지역 변수 - 임시 값 - 이제부터 볼 영역 low high

21. 21 Stack Memory Standard Stack Frame of function 0x41414141 0x42424242 0x43434343 0x00444444 0x00000000 SFP RET low high

22. 22 Stack Memory RETurn address? (RET) func2 func1 main call func1 call func2 ret ret func2 Stack Frame func1 Stack Frame main Stack Frame low high

23. 23 Stack Memory Stack Frame Pointer? (SFP) func’s stack frame 0xFFFFD588 0xFFFFD56C 0x41414141 0x42424242 0x43434343 0x00444444 0x00000000 SFP (0xFFFFD588) RET SFP RET func’s stack frame main stack frame low high

24. 24 Basic Stack-based Attack Buffer Overflow - Overruns the buffer’s boundary - Overwrites adjacent memory locations - First described in October, 1972  (Computer Security Technology Planning Study) 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 SFP  0x41414141 RET  0x41414141

25. 25 Basic Stack-based Attack Control-flow hijack with BOF : Call ‘evil’ function Trigger bug : jump to vuln() function 0x41414141 0x41414141 SFP  0x41414141 RET  0x08048486

26. 26 Basic Stack-based Attack Control-flow hijack with BOF : Execute shellcode 0x41414141 0x41414141 SFP  0x41414141 RET  &shellcode 0x41414141 0x6850c031 0x68732F2F … on somewhere in memory The set of instructions that executes shell

27. 27 Basic Stack-based Attack Morris Worm (1988) - First computer worm - Exploiting buffer overflow

28. 28 NX Stack and Canaries Non eXecutable Stack (1997) - Prevent executing code  in specific areas (e.g. stack, heap) - W^X (on BSD)  DEP (on Windows) - Text (Code) segment is non-writable  Stack (Heap) segment is non-executable 0x41414141 0x41414141 0x41414141 RET 0x41414141 0x6850c031 0x68732F2F … crash‼

29. 29 NX Stack and Canaries NX in GDB (Stack is not executable)

30. 30 NX Stack and Canaries Stack Canary (1998) - Place specific patterns called ‘canaries’ between stack variables and return address - Design to detect stack BOF - Cheap and powerful - Bypass using information leak 0x41414141 canary  0x41414141 0x41414141 RET 0x41414141 0x6850c031 0x68732F2F … crash‼

31. 31 Return 2 Oriented Programming ret2libc (1997) - No code injection needed - Bypassing the NX protection 0x41414141 0x41414141 SFP  0x41414141 RET  &system instructions… … system

32. 32 Return 2 Oriented Programming ret2plt (2001) - Call dynamic lib’s function via PLT - Bypassing the NX protection 0x41414141 0x41414141 SFP  0x41414141 RET  &puts@plt  &system@plt … system@plt … instructions… … Procedure Linkage Table system

33. 33 Return 2 Oriented Programming Krahmer’s code snippet reuse (2005) - Code reuse instead of entire  libc functions - Use “gadgets” or “snippets” - 진짜 프로그래밍을 다시 하는 느낌 - “ROP” 0x41414141 0x41414141 SFP  0x41414141 RET  &gadget1 Fake RET  &gadget2 instructions… instructions… instruction (ret) instructions… instruction (ret) gadget1 gadget2

34. 창과 방패의 발전 - ASLR : The end of memory war? - Bypassing ASLR - And, New Mitigations - Endgame

35. 35 ASLR : The end of memory war? Address Space Layout Randomization - PAX team’s ASLR (2001) - Randomness in the address space layout of processes - 전략?  Per process (Linux)  System-wide per boot (Windows) - PIC & PIE required

36. 36 A Barresi, “Fighting the War in Memory”, 2014

37. 37 Bypassing ASLR - Brute-force Attack (Low entropy)  it’s pretty good in x32, but almost impossible in x64 - Information Leak  Find base address of specific segment

38. 38 And, New Mitigations Enhanced Mitigation Experience Toolkit (EMET) - MS Windows를 위한 보안 툴킷 - Windows 보안 기능 활성화 및 설정을 도움 - 개인 PC 사용자 레벨(Non-kernel) 보안 - ROP 기법에 대한 보호

39. 39 And, New Mitigations Control Flow Guard (CFG) - Visual Studio 2015에서 지원하는 mitigation - 호출하는 함수가 유효한지 확인하는 로직을 추가함 - CFG 검사 실패 시, 프로그램을 강제로 종료시킴 - 악의적인 함수 또는 명령어 세트 호출을 원천 봉쇄

40. 40 Endgame

41. 41 Endgame But, hackers never die… - 스택이 안되면 힙을 때리면 되잖아? - 아니면 다른 버그들을 이용해도 되잖아? - Heap Spraying, Heap Feng Shui, Type Confusing,   Use-After-Free, so on… - 때릴건 아직도 많이 남아 있다

42. 42 Endgame Mitigation is not “Deus Ex Machina” - 미티케이션은 거들 뿐 - 다 뚫리고 막고를 반복하고 있다 - 버그를 만들지 않으려는 노력이 중요하다

43. 떠든애 김성민 1교시 메모리 공격이란? 2교시 스택을 때리자 3교시 창과 방패의 발전 4교시 질의응답 Q & A Thank you for listening!

Memory Attack - The Memory Attack Techniques

You are reading a preview.

Check these out next

Memory Attack - The Memory Attack Techniques

More Related Content

Similar to Memory Attack - The Memory Attack Techniques (20)

More from Ubuntu Korea Community (20)

Recently uploaded (20)