The document discusses various code vulnerabilities related to TOCTOU (time-of-check to time-of-use) injections and their implications in security. It covers real-world cases, injection techniques, buffer overflows, return-oriented programming (ROP), and various mitigations against these attacks, including safe functions, ASLR, and control flow integrity. The document also addresses definitions and classifications of these vulnerabilities to provide a comprehensive understanding of the security challenges they pose.

1. TOCTOU Injection Conclusion
Code Vulnerabilities & Attacks
Marcus Botacin
Code Vulnerabilities & Attacks

2. TOCTOU Injection Conclusion
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

3. TOCTOU Injection Conclusion
Back to O.S.
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

4. TOCTOU Injection Conclusion
Back to O.S.
Producer-Consumer Problem
Definition
Circular Buffer
How to guarantee order ?
Code
producer ()
while (1)
i f b u f f e r s i z e == FULL
s l e e p
consumer ()
while (1)
i f b u f f e r s i z e == EMPTY
s l e e p
Code Vulnerabilities & Attacks

5. TOCTOU Injection Conclusion
Back to O.S.
Race Condition
Definition
“Condic¸˜ao em que o resultado do processo ´e dependente da
sequˆencia ou sincronia de outros eventos”.
Problem
Leva a resultados incorretos.
Code Vulnerabilities & Attacks

6. TOCTOU Injection Conclusion
The security Problem
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

7. TOCTOU Injection Conclusion
The security Problem
Password Check
Code
Checker ()
i f allowed
g r a n t a c c e s s
Creator ()
c r e a t e u s e r
allowed=True
Code Vulnerabilities & Attacks

8. TOCTOU Injection Conclusion
The security Problem
TOCTOU
Definition
“Um bug causado por uma race condition”.
Severity
“De computac¸˜oes incorretas a acessos indevidos”.
Code Vulnerabilities & Attacks

9. TOCTOU Injection Conclusion
A real world case
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

10. TOCTOU Injection Conclusion
A real world case
Background
Memory Management
Page faults retries
Dirty bits
Copy-on-write
Linux
PTRACE POKE DATAa
mdavise syscallb
a
man ptrace
b
man madvise
Code Vulnerabilities & Attacks

11. TOCTOU Injection Conclusion
A real world case
Dirty Cow
Part I - Page Fault
h a n d l e p t e f a u l t
d o f a u l t <− pte i s not present
do cow fault <− FAULT FLAG WRITE
Part II - Write Fault
do wp page
PageAnon () <− t h i s i s CoWed page a l r e a d y
reuse swap page <− page i s e x c l u s i v e l y ours
wp page reuse
maybe mkwrite <− d i r t y but RO again
0
https://dirtycow.ninja/
Code Vulnerabilities & Attacks

12. TOCTOU Injection Conclusion
A real world case
Dirty Cow
Part III - Read Fault
cond resched −> d i f f e r e n t thread w i l l now
unmap v i a madvise
follow page mask ! p t e p r e s e n t && pte none
f a u l t i n p a g e
handle mm fault
handle mm fault
h a n d l e p t e f a u l t
d o f a u l t <− pte i s not present
d o r e a d f a u l t <− t h i s i s a read
f a u l t and we w i l l get pagecache
Code Vulnerabilities & Attacks

13. TOCTOU Injection Conclusion
Back to O.S. (again)
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

14. TOCTOU Injection Conclusion
Back to O.S. (again)
ABIs and Calling conventions
How parameters are passed.
The order they are passed.
Where they are passed.
Code Vulnerabilities & Attacks

15. TOCTOU Injection Conclusion
Back to O.S. (again)
Calling conventions
cstd: Arguments on the stack, on the reverse order.
x64: Arguments on registers.
syscalls: Syscall number on eax.
Code Vulnerabilities & Attacks

16. TOCTOU Injection Conclusion
Back to O.S. (again)
Concept Definitions
ABI
“Uma definic¸˜ao da interface entre m´odulos de software, tais como
entre c´odigos e o sistema operacional. Uma ABI especifica uma
calling convention.”
Calling Convention
“Uma definic¸˜ao de como trechos de c´odigo s˜ao chamados,
incluindo a ordem, localizac¸˜ao, e a restaurac¸˜ao dos parˆametros.”
Code Vulnerabilities & Attacks

17. TOCTOU Injection Conclusion
Back to O.S. (again)
Stack frame
Figure: Stack Frame
0
https://tinyurl.com/hhq934r
Code Vulnerabilities & Attacks

18. TOCTOU Injection Conclusion
Back to O.S. (again)
Stack Frame
Definition
“Uma definic¸˜ao de contexto de func¸˜ao de forma tempor´aria.”
Code Vulnerabilities & Attacks

19. TOCTOU Injection Conclusion
Buffer Overflow
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

20. TOCTOU Injection Conclusion
Buffer Overflow
For fun and for profit
Figure: Aleph One’s article.
0
http://phrack.org/issues/49/14.html
Code Vulnerabilities & Attacks

21. TOCTOU Injection Conclusion
Buffer Overflow
A typical payload
Figure: Buffer overflow payload structure
0
https://tinyurl.com/y9dornpu
Code Vulnerabilities & Attacks

22. TOCTOU Injection Conclusion
Buffer Overflow
Vulnerable code
Listing 1: Vulnerable code
i n t main ( i n t argc , char ∗ argv [ ] )
{
char s t r [ 3 2 ] ;
s t r c p y ( str , argv [ 1 ] ) ;
r e t u r n 0;
}
Code Vulnerabilities & Attacks

23. TOCTOU Injection Conclusion
Buffer Overflow
Shellcodes
Figure: Shellcode Repository.
0
http://shell-storm.org/shellcode/
Code Vulnerabilities & Attacks

24. TOCTOU Injection Conclusion
Buffer Overflow
No Executable pages
Figure: Page protection bits
0
https://tinyurl.com/y8wodhn2
Code Vulnerabilities & Attacks

25. TOCTOU Injection Conclusion
Buffer Overflow
Still overflowing
Listing 2: variable overflow
i n t main ( i n t argc , char ∗ argv [ ] )
{
i n t a = 10;
char s t r [ 3 2 ] ;
scanf (”%s ” , s t r ) :
p r i n t f (”%dn ” , a ) ;
r e t u r n 0;
}
Code Vulnerabilities & Attacks

26. TOCTOU Injection Conclusion
Buffer Overflow
Concept Definitions
Buffer
“Regi˜ao cont´ıgua de mem´oria, de tamanho limitado, utilizada
para armazenamento tempor´ario.”
Buffer Overflow
“Exceder a capacidade de armazenamento de um buffer.”
Buffer Overflow Attack
“Utilizar-se de um buffer overflow para alterar intencionalmente
o estado de um programa.”
Code Vulnerabilities & Attacks

27. TOCTOU Injection Conclusion
Buffer Overflow
Concept Definitions
Program Hijacking
Variable Hijacking: “Alterar uma vari´avel que controla um
estado”.
Instruction Hijacking: “Inserc¸˜ao de instruc¸˜oes para alterar o
estado”.
Control Flow Hijacking: ”Uso das t´ecnicas anteriores para
alterar o estado”.
Code Vulnerabilities & Attacks

28. TOCTOU Injection Conclusion
Buffer Overflow
Concept Definitions
Payload
“Conte´udo de preenchimento do buffer em um ataque do tipo
overflow”
Shellcode
“Conjunto de instruc¸˜oes que comp˜oem um payload”
NOP
“Uma operac¸˜ao que n˜ao altera estados”
NOP Sled
“Sequˆencia de NOPs que comp˜oem um payload”
Code Vulnerabilities & Attacks

29. TOCTOU Injection Conclusion
Buffer Overflow
Buffer Overflow Classification
Types
Stack-based.
Heap-based.
Code Vulnerabilities & Attacks

30. TOCTOU Injection Conclusion
Return to libc
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

31. TOCTOU Injection Conclusion
Return to libc
Back to O.S (again!!)
Libs and permissions
Figure: Memory mapping and protection
Code Vulnerabilities & Attacks

32. TOCTOU Injection Conclusion
Return to libc
The attack
Figure: Return to libc
0
https://tinyurl.com/yd8r36q4
Code Vulnerabilities & Attacks

33. TOCTOU Injection Conclusion
Return to libc
Payload building
Finding strings
objdump -s ret2libc
(gdb) find 0x400000, 0x401000, ”/bin”
Finding gadgets
ropper –file ret2libc –search ”% ?di”
Code Vulnerabilities & Attacks

34. TOCTOU Injection Conclusion
Return to libc
Ret2LibC Concepts
Definition
“Ataque de Control Flow Hijacking atrav´es da explorac¸˜ao de um
buffer overflow tendo o enderec¸o de func¸˜oes e argumentos da libc
como payload”
Code Vulnerabilities & Attacks

35. TOCTOU Injection Conclusion
Return Oriented Programming (ROP)
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

36. TOCTOU Injection Conclusion
Return Oriented Programming (ROP)
The attack
Figure: ROP gadget chaining
0
https://tinyurl.com/y7p3hrkk
Code Vulnerabilities & Attacks

37. TOCTOU Injection Conclusion
Return Oriented Programming (ROP)
Questions
What is the relation between ROP attacks and the x64 calling
convention ?
How to find gadgets ?
Code Vulnerabilities & Attacks

38. TOCTOU Injection Conclusion
Return Oriented Programming (ROP)
More background
Figure: Binary disassembly
Code Vulnerabilities & Attacks

39. TOCTOU Injection Conclusion
Return Oriented Programming (ROP)
Unaligned Instructions
Listing 3: Static disassembly of the MSVCR71.dll library.
c08 : f2 0 f 58 c3 addsd %xmm3,%xmm0
c0c : 66 0 f 13 44 24 04 movlpd %xmm0,0 x4(%esp )
Listing 4: ROP Gadget.
c0a : 58 pop rax
c0b : c3 r e t
Code Vulnerabilities & Attacks

40. TOCTOU Injection Conclusion
Return Oriented Programming (ROP)
ROP Concepts
Gadgets
“Sequˆencia independente de instruc¸˜oes terminadas por RET”
Gadget Chain
“Encadeamento de gadgets com o objetivo de realizar uma
computac¸˜ao.”
ROP Attack
“Ataque de control flow hijacking atrav´es da explorac¸˜ao de um
buffer overlow tendo um gadget chain como parte do payload.”
Code Vulnerabilities & Attacks

41. TOCTOU Injection Conclusion
Mitigations
Topics
1 TOCTOU
Back to O.S.
The security Problem
A real world case
2 Injection
Back to O.S. (again)
Buffer Overflow
Return to libc
Return Oriented Programming (ROP)
Mitigations
3 Conclusion
Code Vulnerabilities & Attacks

42. TOCTOU Injection Conclusion
Mitigations
Safe functions/languages
Listing 5: Popular strcpy prototype
char ∗ s t r c p y ( char ∗ dst , char ∗ s r c ) ;
Listing 6: Not so popular strncpy prototype
char ∗ strncpy ( char ∗ det , char ∗ src , s i z e t num ) ;
Code Vulnerabilities & Attacks

43. TOCTOU Injection Conclusion
Mitigations
Safe functions/languages
Listing 7: String definition example
typedef s t r u c t s t r {
char s t r [MAX] ;
u i n t s i z e ;
u i n t max=MAX;
} s t r i n g ;
Listing 8: Concat implementation example
concat ( str1 , s t r 2 )
i f str1 −>s i z e + str2 −>s i z e < str1 −>max
Code Vulnerabilities & Attacks

44. TOCTOU Injection Conclusion
Mitigations
Safe String Functions
Definition
“Func¸˜ao que verifica os tamanhos dos buffers a fim de evitar um
overflow.”
Code Vulnerabilities & Attacks

45. TOCTOU Injection Conclusion
Mitigations
Stack Canaries
Figure: Stack canary
0
https://tinyurl.com/yd9947ol
0
Disable with: gcc -fno-stack-protector
Code Vulnerabilities & Attacks

46. TOCTOU Injection Conclusion
Mitigations
Stack Canaries
Definition
“Marcador da continˆencia de um buffer.”
Code Vulnerabilities & Attacks

47. TOCTOU Injection Conclusion
Mitigations
Question
Compile-time solutions
Advantages ?
Disadvantages ?
Code Vulnerabilities & Attacks

48. TOCTOU Injection Conclusion
Mitigations
ASLR
Figure: Address Space Layout Randomization
0
https://tinyurl.com/ycg2dlvoCode Vulnerabilities & Attacks

49. TOCTOU Injection Conclusion
Mitigations
ASLR
Table: aslr - library placement after two consecutive reboots.
library ntdll kernel32 kernelbase
address 1 0xbaf80000 0xb9610000 0xb8190000
address 2 0x987b0000 0x98670000 0x958c0000
Code Vulnerabilities & Attacks

50. TOCTOU Injection Conclusion
Mitigations
ASLR
Definition
“Aleatorizac¸˜ao do posicionamento de conte´udos de mem´oria a fim
de evitar ataques de offset fixo.”
Code Vulnerabilities & Attacks

51. TOCTOU Injection Conclusion
Mitigations
ASLR
Position Independent Code
GCC -fpic
Jump Tables
Figure: Jump Table
Code Vulnerabilities & Attacks

52. TOCTOU Injection Conclusion
Mitigations
ASLR - Solution ?
Figure: Breaking ASLR 1
Figure: Breaking ASLR 2
Code Vulnerabilities & Attacks

53. TOCTOU Injection Conclusion
Mitigations
Write XOR Execute Policy
Write Xor Execute
How to implement ?
Listing 9: /proc/cpuinfo
f l a g s : fpu vme de pse t s c msr pae mce apic nx
Code Vulnerabilities & Attacks

54. TOCTOU Injection Conclusion
Mitigations
Write XOR Execute Policy
Definition
“Pol´ıtica que assegura que p´aginas de mem´oria execut´aveis n˜ao
podem ser escritas.”
Code Vulnerabilities & Attacks

55. TOCTOU Injection Conclusion
Mitigations
Control Flow Integrity
Figure: CALL-RET policy
Code Vulnerabilities & Attacks

56. TOCTOU Injection Conclusion
Mitigations
Shadow Stacks
Figure: Branch Stack
0
Code Vulnerabilities & Attacks

57. TOCTOU Injection Conclusion
Mitigations
CFI - solution ?
Figure: CFI Bypass.
Code Vulnerabilities & Attacks

58. TOCTOU Injection Conclusion
Mitigations
CFI
CFI Definition
“Imposic¸˜ao de que o fluxo de execuc¸˜ao siga uma determinada
pol´ıtica.”
CALL-RET Definition
“Pol´ıtica que exige que todas as instruc¸˜oes RET sejam precedidas
por um CALL.”
Code Vulnerabilities & Attacks

59. TOCTOU Injection Conclusion
Mitigations
Heuristics
Questions
What gadget feature ?
Limitations ?
Code Vulnerabilities & Attacks

60. TOCTOU Injection Conclusion
Mitigations
Gadget Size Heuristic - solution ?
Figure: Heuristic Bypass.
Code Vulnerabilities & Attacks

61. TOCTOU Injection Conclusion
Conclusion
Questions ?
Code Vulnerabilities & Attacks