The Rise and Fall of The Memory Attack Techniques
05. 26. Ubuntu Fest
Kim Seong Min
Speaker Info
Name : Kim Seong Min
Occupation : University student
Entry year : 16 (young!)
Specialty : President of ARGOS
Hobby : Hacking (cool!)
- Research Areas
System / Network Security
Reverse Engineering Mobile Application
macOS / iOS Kernel Security
- TMI
Favorites : Drinking Alcohol…🤪, Playing Games
My first “hello, world!” : 3 years ago
Wanna be offensive security researcher :D
Contents
Period 1 : What is a memory attack?
Period 2 : Let's hit the stack
Period 3 : The evolution of the spear and the shield
Period 4 : Q&A
What is a memory attack?
- Memory Bugs and Attack
- Segmentation Fault
- Types of Memory Bugs
- Types of Memory Attack
Memory Attack
The flower of system hacking (memory attack ⊂ system hacking)
Attack : trigger a vulnerability (exploit)
To write whatever I want, wherever I want
Memory Bugs and Attack
Memory Bugs (Errors) != Memory Attack
Every vulnerability is a bug, but not every bug is exploitable (maybe…?)
[2014 CodeEngn Conference 10] 심준보 - "급전이 필요합니다" (I need cash urgently)
Memory Bugs
Typically arise from unsafe languages (e.g. C, C++, …), which
- Allow low-level memory access
- Allow weakly enforced typing
- Use explicit memory management
Sometimes they also cause a segmentation fault
Segmentation Fault
Notifies the OS that the software has attempted to access a restricted area of memory
Good news for hackers (or for you): some of these memory errors are exploitable!
Types of Memory Bugs
De-reference a pointer that is out of bounds

Types of Memory Bugs
De-reference a pointer to freed memory (dangling pointer)
[pwnable.kr - Toddler's Bottle] uaf, 8pt
Types of Memory Attack
Code corruption
Control-flow hijack
Data-only
Information leak
"Eternal War in Memory" published in IEEE S&P Symposium, 2013

Types of Memory Attack
Control-flow hijack
[Figure: control-flow hijack diagram from A Barresi, "Fighting the War in Memory", 2014]

Types of Memory Attack
Information leak
- e.g. leaking the canary value (security-critical information)
- the leaked output data has to be interpreted
Let's hit the stack
- Memory Layout Overview
- Stack Memory
- Basic Stack-based Attack
- NX Stack and Canaries
- Return to Oriented Programming
Memory Layout Overview
Memory structure (just the simple version!)
[Figure: process memory layout from low to high address: TEXT (code), DATA (global variables), BSS, HEAP (dynamic allocation), …, STACK (functions, temporary data, etc.)]

Memory Layout Overview
TEXT (CODE) segment
- The program's executable code lives here
- Machine instructions

Memory Layout Overview
DATA & BSS segments
- Global variables, static variables, etc.
- DATA : initialized data
- BSS : uninitialized data

Memory Layout Overview
HEAP segment
- Dynamic allocation area
- malloc

Memory Layout Overview
STACK segment
- Local variables
- Temporary values
- The area we look at from now on
Stack Memory
Standard stack frame of a function
[Figure: stack frame from low to high address: local buffer contents (0x41414141, 0x42424242, 0x43434343, 0x00444444, 0x00000000), then SFP, then RET]

Stack Memory
RETurn address? (RET)
[Figure: main calls func1, func1 calls func2; each ret pops back into its caller; the stack holds the main, func1 and func2 stack frames from high to low address]

Stack Memory
Stack Frame Pointer? (SFP)
[Figure: func's stack frame at 0xFFFFD56C holds the local data (0x41414141, 0x42424242, 0x43434343, 0x00444444, 0x00000000), then SFP (0xFFFFD588) pointing at the main stack frame, then RET; the main stack frame at 0xFFFFD588 has its own SFP and RET]
Basic Stack-based Attack
Buffer Overflow
- Overruns the buffer's boundary
- Overwrites adjacent memory locations
- First described in October 1972 (Computer Security Technology Planning Study)
[Figure: a stack frame after an overflow; the buffer, the SFP and the RET are all overwritten with 0x41414141]

Basic Stack-based Attack
Control-flow hijack with BOF : call an 'evil' function
Trigger the bug : jump to the vuln() function
[Figure: SFP overwritten with 0x41414141, RET overwritten with 0x08048486, the address of the target function]

Basic Stack-based Attack
Control-flow hijack with BOF : execute shellcode
[Figure: RET overwritten with &shellcode; the shellcode (0x41414141 0x6850c031 0x68732F2F …) sits somewhere in memory]
Shellcode : the set of instructions that executes a shell

Basic Stack-based Attack
Morris Worm (1988)
- First computer worm
- Exploited a buffer overflow
NX Stack and Canaries
Non-eXecutable Stack (1997)
- Prevents executing code in specific areas (e.g. stack, heap)
- W^X (on BSD), DEP (on Windows)
- Text (code) segment is non-writable; stack (heap) segment is non-executable
[Figure: RET overwritten to point at shellcode on the stack (0x41414141 0x6850c031 0x68732F2F …); with NX the jump ends in a crash‼]

NX Stack and Canaries
NX in GDB (stack is not executable)
[Figure: GDB screenshot showing that the stack is not executable]
NX Stack and Canaries
Stack Canary (1998)
- Place specific patterns called 'canaries' between stack variables and the return address
- Designed to detect stack BOF
- Cheap and powerful
- Bypassed using an information leak
[Figure: the overflow (0x41414141 …) overwrites the canary on its way to RET; the canary check fails and the program crashes‼]
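As an added example (not from the slides), here is a user-space simulation in C of the frame the canary slide draws: a local buffer, then a canary, then the SFP and RET. The copy without a bounds check is the bug from the buffer-overflow slide, and the epilogue check is what -fstack-protector builds do on return. The frame layout, the canary value 0xDEAD0A00 and the addresses are constructed stand-ins; nothing here touches the real machine stack, so it runs safely anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Simulated frame, lowest address first, laid out as the slides draw it.
 * Constructed simplification: 32-bit slots and no alignment padding. */
struct frame {
    char     buf[BUF_SIZE]; /* local buffer the program writes into     */
    uint32_t canary;        /* guard placed between buf and the SFP/RET */
    uint32_t sfp;           /* saved frame pointer                      */
    uint32_t ret;           /* return address                           */
};

/* Constructed stand-ins for what the compiler and runtime would put here. */
#define CANARY_VALUE 0xDEAD0A00u /* lowest byte 0x00 stops C-string overflows early */
#define SAVED_FP     0xFFFFD588u
#define RET_ADDR     0x08048486u

/* A fresh frame as the function prologue would leave it. */
struct frame frame_new(void) {
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY_VALUE;
    f.sfp = SAVED_FP;
    f.ret = RET_ADDR;
    return f;
}

/* The bug from the slides: copy len bytes into buf with no bounds check, so a
 * long input runs over the canary, then the SFP, then RET. The copy is clamped
 * to the simulated frame so the program never writes outside its own object. */
void unsafe_copy(struct frame *f, const char *src, size_t len) {
    unsigned char *dst = (unsigned char *)f;  /* the frame viewed as raw bytes */
    if (len > sizeof *f) len = sizeof *f;
    memcpy(dst, src, len);
}

/* The fix: reject anything that does not fit. 0 on success, -1 if rejected. */
int safe_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* The epilogue check (what __stack_chk_fail enforces in protected builds):
 * 1 if the canary is intact, 0 if it has been overwritten. */
int canary_intact(const struct frame *f) { return f->canary == CANARY_VALUE; }

/* 1 if RET still points where the caller expects. */
int ret_intact(const struct frame *f) { return f->ret == RET_ADDR; }

/* Feed len bytes of 'A' (0x41, as on the slides) through the buggy copy and
 * report what the epilogue would see: 0 = canary intact, 1 = canary tripped. */
int simulate_overflow(size_t len) {
    char input[sizeof(struct frame)];
    struct frame f = frame_new();
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);
    unsafe_copy(&f, input, len);
    return canary_intact(&f) ? 0 : 1;
}

/* The same input through the bounds-checked copy: 0 accepted, -1 rejected. */
int simulate_safe(size_t len) {
    char input[sizeof(struct frame)];
    struct frame f = frame_new();
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);
    return safe_copy(&f, input, len);
}

int main(void) {
    size_t lens[] = { 8, 16, 17, 20, 28 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct frame f = frame_new();
        char input[sizeof f];
        memset(input, 'A', lens[i]);
        unsafe_copy(&f, input, lens[i]);
        printf("%2zu bytes: canary %-7s ret %-7s safe_copy %s\n", lens[i],
               canary_intact(&f) ? "intact" : "CORRUPT",
               ret_intact(&f) ? "intact" : "CORRUPT",
               simulate_safe(lens[i]) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The 17- and 20-byte cases show why the canary is "cheap and powerful": it trips as soon as one byte past the buffer is touched, before RET is even reached, and the check costs one compare per return. They also show its limit, which the slide names: the check only compares a value, so a separate bug that reads the canary out (an information leak) lets an overflow write the expected value back and pass.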
Return 2 Oriented Programming
ret2libc (1997)
- No code injection needed
- Bypasses the NX protection
[Figure: SFP overwritten with 0x41414141, RET overwritten with &system; execution continues in libc's system instructions]

Return 2 Oriented Programming
ret2plt (2001)
- Call a dynamic library's function via the PLT
- Bypasses the NX protection
[Figure: RET overwritten with &puts@plt, followed by &system@plt; the Procedure Linkage Table entry system@plt forwards to system in libc]

Return 2 Oriented Programming
Krahmer's code snippet reuse (2005)
- Reuse short pieces of code instead of entire libc functions
- Use "gadgets" or "snippets"
- Feels like doing real programming all over again
- "ROP"
[Figure: RET overwritten with &gadget1, then a fake RET, then &gadget2; each gadget is a few instructions ending in ret, so control flows from gadget1 on to gadget2]
The evolution of the spear and the shield
- ASLR : The end of memory war?
- Bypassing ASLR
- And, New Mitigations
- Endgame
ASLR : The end of memory war?
Address Space Layout Randomization
- PaX team's ASLR (2001)
- Randomness in the address space layout of processes
- Strategy? Per process (Linux); system-wide per boot (Windows)
- PIC & PIE required

[Figure: from A Barresi, "Fighting the War in Memory", 2014]
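The NX question from the GDB slide and the "PIC & PIE required" point above can both be answered from a binary's ELF headers without running it, which is what checksec-style tools and GDB do. As an added example (not from the slides, and not checksec's or GDB's own code), here is a small C parser for the two relevant fields: the PF_X flag on the PT_GNU_STACK program header, and whether e_type is ET_DYN. The sample images are constructed in memory, the struct names ehdr_t/phdr_t and the helper names are my own, and the code assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants written out instead of including the Linux-only <elf.h>. */
#define ELFCLASS64   2
#define ELFDATA2LSB  1
#define ET_EXEC      2
#define ET_DYN       3
#define PT_GNU_STACK 0x6474e551u
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

/* Header layouts from the ELF64 specification; both are padding-free. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr_t;                                         /* 64 bytes */

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr_t;                                         /* 56 bytes */

enum { STACK_NX = 0, STACK_EXEC = 1, STACK_NO_HEADER = 2, ELF_INVALID = -1 };

/* Copy the header out of the image (memcpy avoids alignment assumptions) and
 * reject anything that is not a little-endian ELF64 whose program headers lie
 * inside the buffer, so the loops below never read out of bounds. */
static int read_header(const unsigned char *img, size_t len, ehdr_t *eh) {
    if (len < sizeof *eh) return -1;
    memcpy(eh, img, sizeof *eh);
    if (memcmp(eh->e_ident, "\x7f" "ELF", 4) != 0) return -1;
    if (eh->e_ident[4] != ELFCLASS64 || eh->e_ident[5] != ELFDATA2LSB) return -1;
    if (eh->e_phnum > 0 && eh->e_phentsize != sizeof(phdr_t)) return -1;
    if (eh->e_phoff > len ||
        (uint64_t)eh->e_phnum * sizeof(phdr_t) > len - eh->e_phoff) return -1;
    return 0;
}

/* NX check: find PT_GNU_STACK and read its PF_X bit. */
int elf_stack_executable(const unsigned char *img, size_t len) {
    ehdr_t eh;
    if (read_header(img, len, &eh) != 0) return ELF_INVALID;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        phdr_t ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER; /* no marker at all: Linux historically treats this as executable */
}

/* PIE check: only an ET_DYN executable can be loaded at a randomised base. */
int elf_is_pie(const unsigned char *img, size_t len) {
    ehdr_t eh;
    if (read_header(img, len, &eh) != 0) return ELF_INVALID;
    return eh.e_type == ET_DYN ? 1 : 0;
}

/* Constructed sample: a bare ELF64 header plus, optionally, one PT_GNU_STACK
 * entry. It is not loadable; it exists only to exercise the checks offline. */
size_t build_sample_elf(unsigned char *out, size_t cap, int pie, int exec_stack, int with_stack_hdr) {
    ehdr_t eh; phdr_t ph;
    size_t total = sizeof eh + (with_stack_hdr ? sizeof ph : 0);
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS64; eh.e_ident[5] = ELFDATA2LSB; eh.e_ident[6] = 1;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = 62;                            /* EM_X86_64 */
    eh.e_version = 1;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = with_stack_hdr ? 1 : 0;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    ph.p_align = 16;
    memcpy(out, &eh, sizeof eh);
    if (with_stack_hdr) memcpy(out + sizeof eh, &ph, sizeof ph);
    return total;
}

/* Wrappers that build a sample and run one check on it. */
int sample_stack_result(int pie, int exec_stack, int with_stack_hdr) {
    unsigned char img[128];
    size_t n = build_sample_elf(img, sizeof img, pie, exec_stack, with_stack_hdr);
    return elf_stack_executable(img, n);
}
int sample_pie_result(int pie, int exec_stack, int with_stack_hdr) {
    unsigned char img[128];
    size_t n = build_sample_elf(img, sizeof img, pie, exec_stack, with_stack_hdr);
    return elf_is_pie(img, n);
}

int main(void) {
    static const char *stack_names[] = { "NX", "executable", "no PT_GNU_STACK" };
    int cases[][3] = { {1, 0, 1}, {0, 1, 1}, {0, 0, 0} };
    for (int i = 0; i < 3; i++) {
        int s = sample_stack_result(cases[i][0], cases[i][1], cases[i][2]);
        int p = sample_pie_result(cases[i][0], cases[i][1], cases[i][2]);
        printf("sample %d: stack %s, %s\n", i, stack_names[s], p ? "PIE (ET_DYN)" : "not PIE (ET_EXEC)");
    }
    return 0;
}
```

The two answers belong together when auditing a build: NX only denies the jump into injected code, and ASLR only helps if the main executable is ET_DYN, otherwise its code, PLT and data stay at fixed addresses and the ret2plt slide applies unchanged. A missing PT_GNU_STACK is reported separately because it is not the same as NX being on.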
Bypassing ASLR
- Brute-force attack (low entropy) : works pretty well on x32 (32-bit), but is almost impossible on x64
- Information leak : find the base address of a specific segment
And, New Mitigations
Enhanced Mitigation Experience Toolkit (EMET)
- A security toolkit for MS Windows
- Helps enable and configure Windows security features
- User-level (non-kernel) protection for personal PCs
- Protection against ROP techniques
And, New Mitigations
Control Flow Guard (CFG)
- A mitigation supported from Visual Studio 2015
- Adds logic that checks whether the function being called is valid
- If the CFG check fails, the program is forcibly terminated
- Blocks calls to malicious functions or instruction sequences at the source
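As an added example (not from the slides and not Microsoft's implementation), here is a C model of the check described above: an allowlist of valid indirect-call targets and a guarded call that refuses anything else. The handler names, the struct and the "corruption by assignment" are constructed for illustration; real CFG keeps the valid-target set as a bitmap built by the linker and terminates the process on failure rather than returning an error code.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Legitimate indirect-call targets: the functions whose addresses the program
 * actually takes. */
static int handler_double(int x) { return 2 * x; }
static int handler_square(int x) { return x * x; }

/* A function that exists in the binary but is never a valid indirect target;
 * it stands in for the "malicious function or instruction sequence" the slide
 * mentions. */
static int not_a_call_target(int x) { (void)x; return -999; }

/* Model of the guard's valid-target set. Real CFG stores this as a bitmap of
 * address-taken functions computed at link time; an array is enough here. */
static const handler_fn valid_targets[] = { handler_double, handler_square };

/* The check CFG inserts before every indirect call: 1 if the target is valid. */
int cfg_is_valid_target(handler_fn target) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == target) return 1;
    return 0;
}

enum { CALL_OK = 0, CALL_BLOCKED = 1 };

/* Guarded indirect call: CALL_OK with the result stored, or CALL_BLOCKED where
 * real CFG would fast-fail and terminate the process instead of calling. */
int guarded_call(handler_fn target, int arg, int *result) {
    if (!cfg_is_valid_target(target)) {
        fputs("CFG check failed: indirect call target is not in the valid set\n", stderr);
        return CALL_BLOCKED;
    }
    *result = target(arg);
    return CALL_OK;
}

/* An object holding a function pointer, the kind of field a memory bug might
 * overwrite; the "corruption" below is simulated by a plain assignment. */
struct object { handler_fn on_event; };

int dispatch(struct object *obj, int arg, int *result) {
    return guarded_call(obj->on_event, arg, result);
}

/* Scenarios with plain return values: the handler's result, or -1 if blocked. */
int run_intact(int arg) {
    struct object o = { handler_double };
    int r = 0;
    return dispatch(&o, arg, &r) == CALL_OK ? r : -1;
}
int run_corrupted(int arg) {
    struct object o = { handler_double };
    int r = 0;
    o.on_event = not_a_call_target;           /* the overwritten pointer */
    return dispatch(&o, arg, &r) == CALL_OK ? r : -1;
}
/* The known limit of a coarse check: swapping one valid target for another
 * valid target passes, because only set membership is verified. */
int run_swapped_valid(int arg) {
    struct object o = { handler_double };
    int r = 0;
    o.on_event = handler_square;
    return dispatch(&o, arg, &r) == CALL_OK ? r : -1;
}

int main(void) {
    printf("intact pointer                  -> %d\n", run_intact(21));
    printf("corrupted pointer               -> %d (blocked)\n", run_corrupted(21));
    printf("swapped to another valid target -> %d (not caught)\n", run_swapped_valid(21));
    return 0;
}
```

The third scenario is the caveat to keep in mind when reading the slide's "blocks at the source": CFG answers "is this address a function the program may ever call indirectly?", not "is this the function this call site should reach?", so it is most effective alongside the other mitigations rather than instead of them.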
Endgame
But, hackers never die…
- If the stack is off limits, just hit the heap instead, right?
- Or use other kinds of bugs, right?
- Heap Spraying, Heap Feng Shui, Type Confusion, Use-After-Free, and so on…
- There is still plenty left to hit
Endgame
Mitigation is not a "Deus Ex Machina"
- Mitigations only assist
- Everything keeps getting bypassed and patched, over and over
- What matters is the effort not to create bugs in the first place
Talked in class : Kim Seong Min
Period 1 : What is a memory attack?
Period 2 : Let's hit the stack
Period 3 : The evolution of the spear and the shield
Period 4 : Q&A
Q & A
Thank you for listening!
