[若渴 Project] 2016.6.21 Related Work: Reuse Code Attacks


Reading-group sharing on Reuse Code Attacks at the 若渴 project


  1. Related Work: Code Reuse Attacks, 2016.6.21, AJMachine <ajblane0612@gmail.com> @若渴
  2. How to Explore Code Reuse to Construct a Turing Machine
  3. The Turing Machine (figure source: https://www.quora.com/What-exactly-is-Turings-Automatic-Computing-Engine)
     • Finite state machine
     • Read head
     • Program
  4. For Example: Return-Oriented Programming
     (Figure: virtual memory from low to high addresses, with code containing an ADD gadget and a LOAD gadget that each end in ret, the heap, and a stack holding the ADD gadget address and the LOAD gadget address, with SP pointing into it.)
     • Finite state machine
     • Read head: SP + ret
     • Program: the gadgets (e.g., LOAD gadget; ret)
  5. For simplicity, the code reuse attack discussed here uses ROP
  6. László Szekeres et al., “Eternal War in Memory”: stack overflow, use-after-free. Not only ROP; SMEP is not drawn in the figure.
  7. Modify a Code Pointer …
     • Code pointer
       – A stack overflow modifies EIP. Once a ret instruction is used, the execution flow is redirected.
       – A heap overflow modifies a function pointer with an address that points to a stack pivot gadget. Once the overwritten function pointer is used by the application, the execution flow is redirected.
       – Enrique Nissim et al., Windows SMEP Bypass U=S (!)
       – …
  8. Just-In-Time ROP: Kevin Z. Snow et al., “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization” (figure: ROP versus ASLR)
  9. (Figure: ROP toolchain. ROP semantics (Load/Store/…), RO programming, automated gadget finding, ROP gadgets, ROP compiler, just-in-time ROP compiler, bypassing ASLR, initial code pointer.)
  10. A stack overflow or similar is still needed to execute the ROP payload.
  11. (Figure: network attacker and victim; initial code pointer.) Supplement by kuku.
  12. Research on Code Reuse Attacks to Break Defenses
     • The different FSMs
     • The different gadgets
  13. Code Reuse Attacks
     • Jump-oriented programming
     • Loop-oriented programming
     • Interrupt-oriented programming
     • Data-oriented programming
     • …
  14. Jump-oriented Programming: Tyler Bletsch et al., “Jump-Oriented Programming: A New Class of Code-Reuse Attack”
     • Bypassing ret integrity
     • Stackless
  15. Loop-oriented (call-ret-pairing) Programming
     • Bypassing CFI and shadow stack
  16. Interrupt-oriented Programming: Samuel Junjie Tan et al., “Interrupt-oriented Bugdoor Programming: A minimalist approach to bugdooring embedded systems firmware”
  17. IOP Setup: timings are precise enough
  18. Data-oriented programming (the table is from László Szekeres et al., “Eternal War in Memory”); assumes the data address is known.
  19–21. Data-oriented Exploit: Hong Hu et al., “Automatic Generation of Data-Oriented Exploits” (three figure slides)
  22. Data-oriented Exploit is Turing-complete: Hong Hu et al., “Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks”
  23. The Concept of Data-oriented Programming
     • The data consumed by the interpreter is inherently under the remote attacker’s control
     • For example, all local variables are under the control of attackers using stack overflow
     (Figure: vulnerable FTP server with data-oriented gadgets.)
  24. Data-oriented Programming: a data-oriented gadget simulates three logical micro-operations
     • the load micro-operation
     • the intended virtual operation’s semantics
     • the store micro-operation
     (Figure: the evil interpreter; the data-oriented gadget of the assignment operation.)
  25. Using DOP to compute 74 + 612
  26. Round 1: *type is corrupted to a value that is neither NONE nor STREAM; assume *type = 74. Assume srv is corrupted so that srv + 0x8 (srv->type) equals size. Then when the assignment gadget executes, *size = 74, while the addition gadget's execution is meaningless. (Figure: the evil interpreter.)
  27. Round 2: *type is corrupted to a value that is neither NONE nor STREAM; assume *type = 612. Assume srv is corrupted to srv – 0x4, so that srv – 0x4 + 0x8 (srv->type) equals srv + 0x4 (srv->total). Then when the assignment gadget executes, srv->total = 612, while the addition gadget's execution is meaningless. (Figure: the evil interpreter.)
  28. Round 3: *type is corrupted to a value that is neither NONE nor STREAM; assume *type = 612. Assume srv is corrupted to (srv – 0x4) + 0x4. Then the assignment gadget's execution is meaningless, while the addition gadget stores 612 + 74 into srv->total. (Figure: the evil interpreter.)
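The three rounds of slides 25 to 28, as an added C model that is not from the slides or from Hu et al.'s code: process memory is emulated as a constructed flat word array so that the corrupted srv pointer can alias *size and srv->total exactly as described, and a second mode adds the kind of pointer-integrity check a defender would place in front of the dispatch, which refuses rounds 1 and 2. The struct layout, field names and loop shape follow the paper's example as the slides present it; the memory indices, the global counter and the check itself are assumptions.

```c
#include <stdint.h>

enum { NONE = 0, STREAM = 1 };

/* Constructed flat memory, one 32-bit word per slot; pointers are word indices:
 *   mem[2..4] = struct server { cur_max @+0x0, total @+0x4, typ @+0x8 }
 *   mem[6]    = the word 'size' points to, mem[7] = the word 'type' points to */
#define SRV_BASE  2
#define SIZE_PTR  6
#define TYPE_PTR  7
#define MEM_WORDS 8

/* What the overflow leaves behind before each iteration: *type and srv. */
struct round { int32_t type_val; int srv; };

int dop_last_rejected;   /* rounds refused by the check in the last dop_total() */

/* One iteration of the interpreter loop from Hu et al. as the slides describe it:
 * assignment gadget (srv->typ = *type) and addition gadget (srv->total += *size).
 * The STREAM branch is not used by the walk-through and is left out.  With
 * 'checked' set, a defender's pointer-integrity test (assumed here) refuses to
 * dispatch unless srv still points at the real server object.
 * Returns 1 if the gadgets ran, 0 if the loop breaks, -1 if refused. */
static int step(int32_t *mem, const struct round *r, int checked) {
    mem[TYPE_PTR] = r->type_val;
    if (mem[TYPE_PTR] == NONE) return 0;
    if (checked && r->srv != SRV_BASE) return -1;   /* srv left its object */
    if (mem[TYPE_PTR] != STREAM) {
        mem[r->srv + 2] = mem[TYPE_PTR];   /* srv->typ   = *type  */
        mem[r->srv + 1] += mem[SIZE_PTR];  /* srv->total += *size */
    }
    return 1;
}

/* Runs the slides' three rounds and returns srv->total.  Unchecked, the
 * corrupted rounds go through and total becomes 612 + 74 = 686; checked,
 * rounds 1 and 2 are refused, *size is never written and total stays 0. */
int dop_total(int checked) {
    int32_t mem[MEM_WORDS] = {0};
    const struct round rounds[3] = {
        { 74,  SRV_BASE + 2 },  /* round 1: srv+0x8 aliases *size     -> *size = 74 */
        { 612, SRV_BASE - 1 },  /* round 2: srv-0x4+0x8 = srv->total -> total = 612 */
        { 612, SRV_BASE     },  /* round 3: srv restored -> total += *size = 686 */
    };
    dop_last_rejected = 0;
    for (int i = 0; i < 3; i++)
        if (step(mem, &rounds[i], checked) < 0) dop_last_rejected++;
    return mem[SRV_BASE + 1];
}
```

The point of the checked mode is that control flow is identical in both runs, so CFI or a shadow stack sees nothing; only a check on the data pointer's integrity distinguishes the corrupted rounds.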
  29. Reference
     • https://www.trust.cased.de/fileadmin/user_upload/Group_TRUST/PubsPDF/blackhat-2013-jitrop.pdf
     • http://www.ieee-security.org/TC/SP2013/papers/4977a574.pdf
     • https://nebelwelt.net/publications/files/14SP.pdf
     • https://www.csc.ncsu.edu/faculty/jiang/pubs/ASIACCS11.pdf
     • http://tcipg.org/sites/default/files/papers/2014_q3_tfs1.pdf
     • https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_hu_0.pdf
     • http://huhong-nus.github.io/advanced-DOP/
     • https://www.ics.uci.edu/~perl/keynote_sadeghi_runtime_exploits.pdf