Dr. Hector Marco-Gisbert & Dr. Ismael Ripoll presented new techniques for exploiting the Linux, using its weaknesses.
http://www.ehacking.net/2016/06/exploiting-linux-on-32-bit-and-64-bit.html
The lecture by Bjoern Doebel for Summer Systems School'12.
IPC mechanisms and memory management in Fiasco.OC and L4Re
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
The lecture by Bjoern Doebel for Summer Systems School'12.
L4Linux, DDEkit, POSIX compatabls
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
The lecture by Bjoern Doebel for Summer Systems School'12.
Brief introduction to microkernels illustrated by examples (Fiasco.OC and L4Re).
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisPietro De Nicolao
Presentation of paper "LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis" for the course of Advanced Topics in Computer Security of prof. Stefano Zanero.
Source and further information: https://github.com/pietrodn/lo-phi
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
Intel handles SYSRET instructions weirdly and might throw around exceptions while still being in ring0. When the kernel is not being extra careful when returning to userland after being signaled with a syscall bad things can happen. Like root shells.
How to Make People Click on a Dangerous Link Despite their Security Awareness mark-smith
It is possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find the message plausible because they know the sender, or because it fits their expectations (context).
The lecture by Bjoern Doebel for Summer Systems School'12.
IPC mechanisms and memory management in Fiasco.OC and L4Re
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
The lecture by Bjoern Doebel for Summer Systems School'12.
L4Linux, DDEkit, POSIX compatabls
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
The lecture by Bjoern Doebel for Summer Systems School'12.
Brief introduction to microkernels illustrated by examples (Fiasco.OC and L4Re).
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
1. http://ksyslabs.org/
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisPietro De Nicolao
Presentation of paper "LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis" for the course of Advanced Topics in Computer Security of prof. Stefano Zanero.
Source and further information: https://github.com/pietrodn/lo-phi
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
Intel handles SYSRET instructions weirdly and might throw around exceptions while still being in ring0. When the kernel is not being extra careful when returning to userland after being signaled with a syscall bad things can happen. Like root shells.
How to Make People Click on a Dangerous Link Despite their Security Awareness mark-smith
It is possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find the message plausible because they know the sender, or because it fits their expectations (context).
Demonstrates remote code execution in the presence of modern OS security features. Stresses the importance of secure programming. Explains the binary reverse engineering process.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
امروزه مجازیسازی یکی از روشهای پرطرفدار برای پیادهسازی کارگزاران وب است. این فناوری موجب کاهش هزینههای تجارتهای کوچک میشود. مجازیسازی یکی از جنبههای مهم ارائه خدمات ابری است که حتی برای تجارتهای بزرگ نیز از جذابیت زیادی برخوردار است.
در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخههای جدیدتر هسته سیستم عامل لینوکس پیادهسازی شده است میپردازیم. هرچند این امکانات مجازیسازی کامل را به ارمغان نمیآورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم میکنند. راه حلهایی همچون LXC و Docker بر اساس این امکانات توانستهاند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
The Raspberry Pi is a series of credit card–sized single-board computers developed in the UK by the Raspberry Pi Foundation with the intention of promoting the teaching of basic computer science in schools.
The original Raspberry Pi and Raspberry Pi 2 are manufactured in several board configurations through licensed manufacturing agreements with Newark element14 (Premier Farnell), RS Components and Egoman. These companies sell the Raspberry Pi online. Egoman produces a version for distribution solely in China and Taiwan, which can be distinguished from other Pis by their red colouring and lack of FCC/CE marks. The hardware is the same across all manufacturers.
The original Raspberry Pi is based on the Broadcom BCM2835 system on a chip (SoC), which includes an ARM1176JZF-S 700 MHz processor, VideoCore IV GPU, and was originally shipped with 256 megabytes of RAM, later upgraded (models B and B+) to 512 MB. The system has Secure Digital (SD) (models A and B) or MicroSD (models A+ and B+) sockets for boot media and persistent storage.
If the four 32-bit constants of SHA-1 can be modified, then exploitable collisions can be constructed. No need to panic, this doesn’t affect the original SHA-1. However, vendors and customers of products with custom cryptography will be interested.
for more info, check http://malicioussha1.github.io/
packageFor certain workloads and environments: Consolidation on large virtualized servers raises utilization, reduces core requirements, and lowers cost per workload
Apache Spark on Supercomputers: A Tale of the Storage Hierarchy with Costin I...Databricks
In this session, the speakers will discuss their experiences porting Apache Spark to the Cray XC family of supercomputers. One scalability bottleneck is in handling the global file system present in all large-scale HPC installations. Using two techniques (file open pooling, and mounting the Spark file hierarchy in a specific manner), they were able to improve scalability from O(100) cores to O(10,000) cores. This is the first result at such a large scale on HPC systems, and it had a transformative impact on research, enabling their colleagues to run on 50,000 cores.
With this baseline performance fixed, they will then discuss the impact of the storage hierarchy and of the network on Spark performance. They will contrast a Cray system with two levels of storage with a “data intensive” system with fast local SSDs. The Cray contains a back-end global file system and a mid-tier fast SSD storage. One conclusion is that local SSDs are not needed for good performance on a very broad workload, including spark-perf, TeraSort, genomics, etc.
They will also provide a detailed analysis of the impact of latency of file and network I/O operations on Spark scalability. This analysis is very useful to both system procurements and Spark core developers. By examining the mean/median value in conjunction with variability, one can infer the expected scalability on a given system. For example, the Cray mid-tier storage has been marketed as the magic bullet for data intensive applications. Initially, it did improve scalability and end-to-end performance. After understanding and eliminating variability in I/O operations, they were able to outperform any configurations involving mid-tier storage by using the back-end file system directly. They will also discuss the impact of network performance and contrast results on the Cray Aries HPC network with results on InfiniBand.
Apache Spark on Supercomputers: A Tale of the Storage Hierarchy with Costin I...Databricks
In this session, the speakers will discuss their experiences porting Apache Spark to the Cray XC family of supercomputers. One scalability bottleneck is in handling the global file system present in all large-scale HPC installations. Using two techniques (file open pooling, and mounting the Spark file hierarchy in a specific manner), they were able to improve scalability from O(100) cores to O(10,000) cores. This is the first result at such a large scale on HPC systems, and it had a transformative impact on research, enabling their colleagues to run on 50,000 cores.
With this baseline performance fixed, they will then discuss the impact of the storage hierarchy and of the network on Spark performance. They will contrast a Cray system with two levels of storage with a “data intensive” system with fast local SSDs. The Cray contains a back-end global file system and a mid-tier fast SSD storage. One conclusion is that local SSDs are not needed for good performance on a very broad workload, including spark-perf, TeraSort, genomics, etc.
They will also provide a detailed analysis of the impact of latency of file and network I/O operations on Spark scalability. This analysis is very useful to both system procurements and Spark core developers. By examining the mean/median value in conjunction with variability, one can infer the expected scalability on a given system. For example, the Cray mid-tier storage has been marketed as the magic bullet for data intensive applications. Initially, it did improve scalability and end-to-end performance. After understanding and eliminating variability in I/O operations, they were able to outperform any configurations involving mid-tier storage by using the back-end file system directly. They will also discuss the impact of network performance and contrast results on the Cray Aries HPC network with results on InfiniBand.
The Performance of μ-Kernel-Based Systems from Mach to L4. Analysing evolution in kernel structures, ipc - message based communication in monolithic linux kernel and microkernel
A talk I gave about Meltdown and Specter to the Papers We Love SG meetup.
https://engineers.sg/v/2302
Meltdown Paper: https://meltdownattack.com/meltdown.pdf
Spectre Paper: https://spectreattack.com/spectre.pdf
The economics is the best way to view attacker and defender strategies. The traditional approach to defense is to raise the cost for your attackers by making attacks as difficult as possible. This, unfortunately, has a tendency to raise costs for the defender and their users too and does not scale well.
More Related Content
Similar to Exploiting Linux On 32-bit and 64-bit Systems
Demonstrates remote code execution in the presence of modern OS security features. Stresses the importance of secure programming. Explains the binary reverse engineering process.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
امروزه مجازیسازی یکی از روشهای پرطرفدار برای پیادهسازی کارگزاران وب است. این فناوری موجب کاهش هزینههای تجارتهای کوچک میشود. مجازیسازی یکی از جنبههای مهم ارائه خدمات ابری است که حتی برای تجارتهای بزرگ نیز از جذابیت زیادی برخوردار است.
در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخههای جدیدتر هسته سیستم عامل لینوکس پیادهسازی شده است میپردازیم. هرچند این امکانات مجازیسازی کامل را به ارمغان نمیآورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم میکنند. راه حلهایی همچون LXC و Docker بر اساس این امکانات توانستهاند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
The Raspberry Pi is a series of credit card–sized single-board computers developed in the UK by the Raspberry Pi Foundation with the intention of promoting the teaching of basic computer science in schools.
The original Raspberry Pi and Raspberry Pi 2 are manufactured in several board configurations through licensed manufacturing agreements with Newark element14 (Premier Farnell), RS Components and Egoman. These companies sell the Raspberry Pi online. Egoman produces a version for distribution solely in China and Taiwan, which can be distinguished from other Pis by their red colouring and lack of FCC/CE marks. The hardware is the same across all manufacturers.
The original Raspberry Pi is based on the Broadcom BCM2835 system on a chip (SoC), which includes an ARM1176JZF-S 700 MHz processor, VideoCore IV GPU, and was originally shipped with 256 megabytes of RAM, later upgraded (models B and B+) to 512 MB. The system has Secure Digital (SD) (models A and B) or MicroSD (models A+ and B+) sockets for boot media and persistent storage.
If the four 32-bit constants of SHA-1 can be modified, then exploitable collisions can be constructed. No need to panic, this doesn’t affect the original SHA-1. However, vendors and customers of products with custom cryptography will be interested.
for more info, check http://malicioussha1.github.io/
packageFor certain workloads and environments: Consolidation on large virtualized servers raises utilization, reduces core requirements, and lowers cost per workload
Apache Spark on Supercomputers: A Tale of the Storage Hierarchy with Costin I...Databricks
In this session, the speakers will discuss their experiences porting Apache Spark to the Cray XC family of supercomputers. One scalability bottleneck is in handling the global file system present in all large-scale HPC installations. Using two techniques (file open pooling, and mounting the Spark file hierarchy in a specific manner), they were able to improve scalability from O(100) cores to O(10,000) cores. This is the first result at such a large scale on HPC systems, and it had a transformative impact on research, enabling their colleagues to run on 50,000 cores.
With this baseline performance fixed, they will then discuss the impact of the storage hierarchy and of the network on Spark performance. They will contrast a Cray system with two levels of storage with a “data intensive” system with fast local SSDs. The Cray contains a back-end global file system and a mid-tier fast SSD storage. One conclusion is that local SSDs are not needed for good performance on a very broad workload, including spark-perf, TeraSort, genomics, etc.
They will also provide a detailed analysis of the impact of latency of file and network I/O operations on Spark scalability. This analysis is very useful to both system procurements and Spark core developers. By examining the mean/median value in conjunction with variability, one can infer the expected scalability on a given system. For example, the Cray mid-tier storage has been marketed as the magic bullet for data intensive applications. Initially, it did improve scalability and end-to-end performance. After understanding and eliminating variability in I/O operations, they were able to outperform any configurations involving mid-tier storage by using the back-end file system directly. They will also discuss the impact of network performance and contrast results on the Cray Aries HPC network with results on InfiniBand.
Apache Spark on Supercomputers: A Tale of the Storage Hierarchy with Costin I...Databricks
In this session, the speakers will discuss their experiences porting Apache Spark to the Cray XC family of supercomputers. One scalability bottleneck is in handling the global file system present in all large-scale HPC installations. Using two techniques (file open pooling, and mounting the Spark file hierarchy in a specific manner), they were able to improve scalability from O(100) cores to O(10,000) cores. This is the first result at such a large scale on HPC systems, and it had a transformative impact on research, enabling their colleagues to run on 50,000 cores.
With this baseline performance fixed, they will then discuss the impact of the storage hierarchy and of the network on Spark performance. They will contrast a Cray system with two levels of storage with a “data intensive” system with fast local SSDs. The Cray contains a back-end global file system and a mid-tier fast SSD storage. One conclusion is that local SSDs are not needed for good performance on a very broad workload, including spark-perf, TeraSort, genomics, etc.
They will also provide a detailed analysis of the impact of latency of file and network I/O operations on Spark scalability. This analysis is very useful to both system procurements and Spark core developers. By examining the mean/median value in conjunction with variability, one can infer the expected scalability on a given system. For example, the Cray mid-tier storage has been marketed as the magic bullet for data intensive applications. Initially, it did improve scalability and end-to-end performance. After understanding and eliminating variability in I/O operations, they were able to outperform any configurations involving mid-tier storage by using the back-end file system directly. They will also discuss the impact of network performance and contrast results on the Cray Aries HPC network with results on InfiniBand.
The Performance of μ-Kernel-Based Systems from Mach to L4. Analysing evolution in kernel structures, ipc - message based communication in monolithic linux kernel and microkernel
A talk I gave about Meltdown and Specter to the Papers We Love SG meetup.
https://engineers.sg/v/2302
Meltdown Paper: https://meltdownattack.com/meltdown.pdf
Spectre Paper: https://spectreattack.com/spectre.pdf
Similar to Exploiting Linux On 32-bit and 64-bit Systems (20)
The economics is the best way to view attacker and defender strategies. The traditional approach to defense is to raise the cost for your attackers by making attacks as difficult as possible. This, unfortunately, has a tendency to raise costs for the defender and their users too and does not scale well.
High Definition Fuzzing; Exploring HDMI vulnerabilitiesE Hacking
Most modern Android-based phones and tablets have a Slimport(r) connection that supports HDMI-CEC like Samsung and HTC among mobile devices, and many JVC, Kenwood, Panasonic, and Sony car stereos and other 750 million devices in the world so far.
The most important steps to become a hacker have been revealed. Learn the steps that are highly required to become a information security professional.
http://academy.ehacking.net/blog/125408/tips-to-become-a-hacker
Penetrating the Perimeter - Tales from the BattlefieldE Hacking
Presentation and demonstration by Phil Grimes at Central Ohio Infosec Summit 2016.
Read more about it:
http://www.ehacking.net/2016/05/penetrating-perimeter-tales-from.html
Finding ways to fingerprint the websites on tor project. Read more and see the video: http://www.ehacking.net/2016/02/website-fingerprinting-on-tor-attacks.html
The tool has been developed to be used inside a Linux environment. At the host system level, the only prerequisites are support for Python 2,7 or higher and the Android SDK.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
Shodan is basically a search engine which helps to find (routers, switches, Scada etc.) mainly vulnerable systems on the internet .It is widely known as Google for hackers
It was launched in 2009 by computer programmer John Matherly. It is mainly a search engine of service banners in which metadata (data about data) is sent from the server to client. Shodan currently probes for 50+ ports.
Your machine (mobile phone, bluetooth device, router etc etc) may betrayed you and can be used to detect your position or even invade your privacy. They are watching you, stay alert.
Bluetooth is watching you, bluetooth is everywhere and they are tracking your every move. Learn how to detect the surveillance system. For hacking, for fun and for privacy.
Unmasking is the process to remove mask from the face and to reveal the real identity; at defcon17, Robert “RSnake” Hansen & Joshua “Jabra” Abraham have discussed the concept with demonstration
Sir I want to hack whatsapp chat ? Please give me a tutorial link. This question made me to write this simple POC tutorial to hack/steal whatsapp chats
http://www.ehacking.net/2014/09/poc-tutorial-of-stealing-whatsapp-chat.html
Presented by JP Dunning “.ronin” BlackHat Asia 2014; Demonstration of how to build a hardware based trojan at home. Create your own hardware of Trojan Virus. http://www.ehacking.net/2014/09/building-trojan-hardware-at-home.html
Social Media Monitoring tools as an OSINT platform for intelligenceE Hacking
This whitepaper discusses how social media monitoring tools can be applied as powerful and cost effective Open Source Intelligence (OSINT) platforms; and how they can support collection and analysis of relevant and targeted information relating to counter-terrorism, criminal and political open sources.
LDAP Services are a key component
in companies. The information stored in them
is used for corporate applications. If one of these
applications accepts input from a client and
execute it without first validating it, attackers h
ave the potential to execute their own
queries and thereby extract sensitive information f
rom the LDAP directory. In this paper a
deep analysis of the LDAP injection techniques is p
resented including Blind attacks
The objective of this course material is to demonstrate reverse engineering and malware analysis, malware analysis is very helpful in penetration testing and vulnerability assessment.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting Linux and PaX ASLR’s weaknesses
on 32- and 64-bit systems
Hector Marco-Gisbert, Ismael Ripoll
Universitat Polit`ecnica de Val`encia (Spain)
http://cybersecurity.upv.es
Black Hat Asia
March 29 - April 1, 2016
1 / 42
2. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Table of contents
1 ASLR overview & background
2 Linux and PaX ASLR weaknesses
Too low entropy
Non-uniform distribution
Correlation between objects
Inheritance
3 Exploiting the Correlation weakness: offset2lib
Example: Offset2lib in stack buffer overflows
Demo: Root shell in < 1 sec.
Mitigations
4 ASLR-NG: ASLR Next Generation
New randomisation forms
ASLRA: ASLR Analyzer
Linux vs PaX vs ASLR-NG
5 Conclusions
2 / 42
3. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
What have we done ?
We have deeply analyzed the ASLR of Linux and PaX and:
Found some weaknesses and limitations on the current implementations:
1 Too low entropy
2 Non-uniform distribution
3 Correlation between objects
4 Inheritance
Built attacks which exploit these weaknesses:
Offset2lib: bypasses the NX, SSP and ASLR in in < 1 sec.
Also, other attack vectors (exploiting other weaknesses)
We have contributed to Linux kernel by:
Fixing the Offset2lib weakness.
Sketches a working in progress version of the ASLR → ASLR-NG.
Also some mitigation techniques will be presented (RenewSSP)
We present ASLRA, a suit tool to analyze the entropy of Linux ASLR
implementations.
3 / 42
4. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
ASLR Background
ASLR does not remove vulnerabilities but make more difficult to
exploit them.
ASLR deters exploits which relays on knowing the memory map.
ASLR is effective when all memory areas are randomise. Otherwise,
the attacker can use these non-random areas.
Full ASLR is achieved when:
Applications are compiled with PIE (-fpie -pie).
The kernel is configured with randomize va space = 2
(stack, VDSO, shared memory, data segment)
4 / 42
5. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
What is ASLR ?
ASLR is a protection provided by the kernel
to applications which:
It loads the stack, executable, libraries
and heap at random locations.
It tries to deter attacks that rely on
knowing the location of the target data
or code.
It makes vulnerabilities more difficult to
exploit.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
5 / 42
6. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
How the ASLR works: A simple example
The attacker redirects the execution to the
exec() library function (lib1):
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
6 / 42
7. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
How the ASLR works: A simple example
The attacker redirects the execution to the
exec() library function (lib1):
Trivial if ASLR is off.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
6 / 42
8. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
How the ASLR works: A simple example
The attacker redirects the execution to the
exec() library function (lib1):
Trivial if ASLR is off.
But it fails when the ASLR is on.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
6 / 42
9. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR overview & background
How the ASLR works: A simple example
The attacker redirects the execution to the
exec() library function (lib1):
Trivial if ASLR is off.
But it fails when the ASLR is on.
Not only the libraries but all other memory
areas are randomized:
→ How difficult is to predict the target ?
• Depends on the entropy.
→ Are there other attack vectors ?
• Yes, We have found new weaknesses.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
6 / 42
10. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Linux and PaX ASLR weaknesses
Current ASLR was designed considering that
some zones are growable but:
Cannot be used safely because collisions
with other allocations cannot be avoided.
Currently, only used in the Stack and the
Heap.
Growable objects impose strong limitations
on ASLR design:
Linux places each object as separately as
possible (Stack and Heap)
Unfortunately, this introduce weaknesses.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
7 / 42
11. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Weakness 1) Too low entropy
Brute force attacks to bypass ASLR:
x86 Entropy 100% Mean
Linux
32-bit 28
(256) < 1 sec < 1 sec
64-bit 228
(260M.) 74 Hours 37 Hours
ASLR entropy and cost time (1000 trials/sec).
→ ASLR in 32-bit is almost useless (very low entropy).
→ In 64-bit the attack is feasible in some scenarios.
→ The weakness is present since the first Linux ASLR.
Flowredirect
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
?
8 / 42
12. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Weakness 2) Non-uniform distribution
0
0.002
0.004
0.006
0.008
0.01
0.012
0.014
0.016
0.018
0.02
0 20 40 60 80 100
Probability
Bins
Expected
i386
PaX Libraries distribution in i386
0
0.005
0.01
0.015
0.02
0 20 40 60 80 100
Probability
Bins
Expected
x86_64
PaX Libraries distribution in x86 64
Libraries are not uniformly distributed:
Faster attacks by focusing on the most frequent (likely) addresses.
Other objects are also affected.
9 / 42
13. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Weakness 3) Correlation between objects
Instead of de-randomizing the target object, first de-randomize an
intermediate object and then use it to de-randomize the target
→ We made the first demonstration [Offset2lib]
The Offset2lib attack vector:
It bypass the full Linux ASLR on any architecture in < 1 sec.
It does not use the GOT or PLT.
It works even with NX and SSP enabled.
It exploits a stack buffer overflow.
10 / 42
14. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Weakness 3) Correlation between objects
We have developed a PoC to exploit the
Offset2lib weakness:
1 De-randomize the executable exploiting a
stack buffer overflow.
2 Calculate (offline) the constant distance to
the target libraries.
3 The libraries are now de-randomized.
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
FlowredirectConstant !
11 / 42
15. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Weakness 3) Correlation between objects
Memory map of an application PIE compiled.
The ld is loaded consecutively to the app.: 0x7f36c6feb000
12 / 42
16. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Linux and PaX ASLR weaknesses
Weakness 4) Inheritance
Again, all child processes share the same
memory layout !
New allocations belonging only to a
child can be predicted by its parent and
siblings !
Example: Child 1 can easily guess where
the private file 2 has been
mapped.
stack
lib1
lib2
private file 1
heap
exec
LOW
HIGH
VM space
Flowredirect
Child 1
stack
lib1
lib2
private file 2
heap
exec
LOW
HIGH
VM space
Flowredirect
Child n
13 / 42
17. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Loading shared objects
The problem appears when the application is compiled with PIE because the
GNU/Linux algorithm for loading shared objects works as follows:
The first shared object is loaded at a random position.
The next object is located right below (lower addresses) the last object.
...
libc-2.19.so
ld-2.19.so
server 64 PIE
...
Stack
...
All libraries are located ”side by side” at a single random place.
0x000000000000
0x7FFFFFFFFFFF
mmap base
Executable Base
Dynamic Linker Base
Libc Base
14 / 42
18. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Offset2lib
$ cat /proc/<pid>/server 64 PIE
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
15 / 42
19. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Offset2lib
$ cat /proc/<pid>/server 64 PIE
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
0x5eb000
15 / 42
20. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Offset2lib
$ cat /proc/<pid>/server 64 PIE
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
0x5eb000
0x225000
15 / 42
21. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Offset2lib
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
offset2lib
offset2lib
We named this invariant distance offset2lib which:
It is a constant distance between two shared objects even in different
executions of the application.
16 / 42
22. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Offset2lib
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server_64_PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server_64_PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
offset2lib
offset2lib
We named this invariant distance offset2lib which:
It is a constant distance between two shared objects even in different
executions of the application.
Any address of the app. → de-randomize all mmapped areas !!!
16 / 42
23. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Why the Offset2lib is dangerous ?
Offset2lib scope:
Realistic; applications are more prone than libraries to errors.
Makes some vulnerabilities faster, easier and more reliable to
exploit them.
It is not a self-exploitable vulnerability but an ASLR-design weakness
exploitable.
It opens new (and old) attack vectors.
17 / 42
24. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Why the Offset2lib is dangerous ?
Offset2lib scope:
Realistic; applications are more prone than libraries to errors.
Makes some vulnerabilities faster, easier and more reliable to
exploit them.
It is not a self-exploitable vulnerability but an ASLR-design weakness
exploitable.
It opens new (and old) attack vectors.
Next example:
Offset2lib on a standard stack buffer overflow.
17 / 42
25. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Building the attack
The steps to build the attack are:
1 Extracting static information
2 Brute force part of saved-IP
3 Calculate base app. address
4 Calculate library offsets
5 Obtain mmapped areas
18 / 42
26. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
→ Our goal is to obtain an address belonging to the application.
→ We are going to obtain the saved-IP of vulnerable function caller.
Offset2lib with saved-IP ⇒ all mmapped areas.
STACK
0000000000001063 <attend_client>:
1063: 55 push %rbp
1064: 48 89 e5 mov %rsp,%rbp
1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp
106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1075: 00 00
..... ..... .....
12d7: 48 89 c7 mov %rax,%rdi
12da: e8 1c fc ff ff callq efb <vuln func>
12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax
12e6: 48 89 c7 mov %rax,%rdi
..... ..... .....
...
BUFFER
RBP
0x???????????????
...
Stackgrowsdown
19 / 42
27. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
→ Our goal is to obtain an address belonging to the application.
→ We are going to obtain the saved-IP of vulnerable function caller.
Offset2lib with saved-IP ⇒ all mmapped areas.
STACK
0000000000001063 <attend_client>:
1063: 55 push %rbp
1064: 48 89 e5 mov %rsp,%rbp
1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp
106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1075: 00 00
..... ..... .....
12d7: 48 89 c7 mov %rax,%rdi
12da: e8 1c fc ff ff callq efb <vuln func>
12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax
12e6: 48 89 c7 mov %rax,%rdi
..... ..... .....
...
BUFFER
RBP
0x???????????????
...
Stackgrowsdown
19 / 42
28. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
→ Our goal is to obtain an address belonging to the application.
→ We are going to obtain the saved-IP of vulnerable function caller.
Offset2lib with saved-IP ⇒ all mmapped areas.
STACK
0000000000001063 <attend_client>:
1063: 55 push %rbp
1064: 48 89 e5 mov %rsp,%rbp
1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp
106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1075: 00 00
..... ..... .....
12d7: 48 89 c7 mov %rax,%rdi
12da: e8 1c fc ff ff callq efb <vuln func>
12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax
12e6: 48 89 c7 mov %rax,%rdi
..... ..... .....
...
BUFFER
RBP
0x???????????????
...
Stackgrowsdown
Next IP
19 / 42
29. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
→ Our goal is to obtain an address belonging to the application.
→ We are going to obtain the saved-IP of vulnerable function caller.
Offset2lib with saved-IP ⇒ all mmapped areas.
STACK
0000000000001063 <attend_client>:
1063: 55 push %rbp
1064: 48 89 e5 mov %rsp,%rbp
1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp
106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1075: 00 00
..... ..... .....
12d7: 48 89 c7 mov %rax,%rdi
12da: e8 1c fc ff ff callq efb <vuln func>
12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax
12e6: 48 89 c7 mov %rax,%rdi
..... ..... .....
...
BUFFER
RBP
0x???????????????
...
Stackgrowsdown
Next IP
Address point to
19 / 42
30. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
Memory map STACK
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server 64 PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server 64 PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
...
BUFFER
RBP
0x????????????????
...
Stackgrowsdown
This value (0x00007F) can be obtained:
1 Running the application and showing the memory map.
2 Checking the source code if set any limit to stack.
20 / 42
31. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
Memory map STACK
7fd1b414f000-7fd1b430a000 r-xp /lib/.../libc-2.19.so
7fd1b430a000-7fd1b450a000 ---p /lib/.../libc-2.19.so
7fd1b450a000-7fd1b450e000 r--p /lib/.../libc-2.19.so
7fd1b450e000-7fd1b4510000 rw-p /lib/.../libc-2.19.so
7fd1b4510000-7fd1b4515000 rw-p
7fd1b4515000-7fd1b4538000 r-xp /lib/.../ld-2.19.so
7fd1b4718000-7fd1b471b000 rw-p
7fd1b4734000-7fd1b4737000 rw-p
7fd1b4737000-7fd1b4738000 r--p /lib/.../ld-2.19.so
7fd1b4738000-7fd1b4739000 rw-p /lib/.../ld-2.19.so
7fd1b4739000-7fd1b473a000 rw-p
7fd1b473a000-7fd1b473c000 r-xp /root/server 64 PIE
7fd1b493b000-7fd1b493c000 r--p /root/server 64 PIE
7fd1b493c000-7fd1b493d000 rw-p /root/server 64 PIE
7fff981fa000-7fff9821b000 rw-p [stack]
7fff983fe000-7fff98400000 r-xp [vdso]
...
BUFFER
RBP
0x00007F??????????
...
Stackgrowsdown
Highest 24 bits
This value (0x00007F) can be obtained:
1 Running the application and showing the memory map.
2 Checking the source code if set any limit to stack.
20 / 42
32. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
Since the executable has to be PAGE SIZE aligned, the 12 lower bits will
not change when the executable is randomly loaded.
ASM Code STACK
0000000000001063 <attend_client>:
1063: 55 push %rbp
1064: 48 89 e5 mov %rsp,%rbp
1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp
106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1075: 00 00
1077: 48 89 45 f8 mov %rax,-0x8(%rbp)
107b: 31 c0 xor %eax,%eax
..... ..... .....
12d7: 48 89 c7 mov %rax,%rdi
12da: e8 1c fc ff ff callq efb <vuln_func>
12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax
12e6: 48 89 c7 mov %rax,%rdi
..... ..... [From the ELF] .....
...
BUFFER
RBP
0x0007F??????????
...
Stackgrowsdown
21 / 42
33. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
1) Extracting static information
Since the executable has to be PAGE SIZE aligned, the 12 lower bits will
not change when the executable is randomly loaded.
ASM Code STACK
0000000000001063 <attend_client>:
1063: 55 push %rbp
1064: 48 89 e5 mov %rsp,%rbp
1067: 48 81 ec 60 04 00 00 sub $0x460,%rsp
106e: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1075: 00 00
1077: 48 89 45 f8 mov %rax,-0x8(%rbp)
107b: 31 c0 xor %eax,%eax
..... ..... .....
12d7: 48 89 c7 mov %rax,%rdi
12da: e8 1c fc ff ff callq efb <vuln_func>
12df: 48 8d 85 c0 fb ff ff lea -0x440(%rbp),%rax
12e6: 48 89 c7 mov %rax,%rdi
..... ..... [From the ELF] .....
...
BUFFER
RBP
0x0007F???????2DF
...
Lower 12 bits
Stackgrowsdown
21 / 42
34. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
2) Brute forcing Saved-IP address
STACKvoid vuln_func(char *str, int lstr){
char buff[48];
int i = 0;
...
for (i = 0; i < lstr; i++) {
if (str[i] != ’n’)
buff[lbuff++] = str[i];
...
}
The unknown 28 random bits: “byte-for-byte” attack.
The first byte is “special”, we know the lowest 4 bits:
0x?216 → ??102 → 24 = 16 attempts
{0x02, 0x12, 0x22 ... 0xC2, 0xD2, 0xE2, 0xF2}
...
BUFFER
RBP
0x0007F???????2DF
...
Stackgrowsdown
22 / 42
35. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
2) Brute forcing Saved-IP address
STACKvoid vuln_func(char *str, int lstr){
char buff[48];
int i = 0;
...
for (i = 0; i < lstr; i++) {
if (str[i] != ’n’)
buff[lbuff++] = str[i];
...
}
The unknown 28 random bits: “byte-for-byte” attack.
The first byte is “special”, we know the lowest 4 bits:
0x?216 → ??102 → 24 = 16 attempts
{0x02, 0x12, 0x22 ... 0xC2, 0xD2, 0xE2, 0xF2}
...
BUFFER
RBP
0x0007F??????C2DF
...
Stackgrowsdown
half-byte
22 / 42
36. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
2) Brute forcing Saved-IP address
STACKvoid vuln_func(char *str, int lstr){
char buff[48];
int i = 0;
...
for (i = 0; i < lstr; i++) {
if (str[i] != ’n’)
buff[lbuff++] = str[i];
...
}
The unknown 28 random bits: “byte-for-byte” attack.
The first byte is “special”, we know the lowest 4 bits:
0x?216 → ??102 → 24 = 16 attempts
{0x02, 0x12, 0x22 ... 0xC2, 0xD2, 0xE2, 0xF2}
The remaining 3 bytes → standard “byte-for-byte” attack
3x28 = 768 attempts.
After execute the byte-for-byte we obtained 0x36C6FE
...
BUFFER
RBP
0x0007F??????C2DF
...
Stackgrowsdown
22 / 42
37. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
2) Brute forcing Saved-IP address
STACKvoid vuln_func(char *str, int lstr){
char buff[48];
int i = 0;
...
for (i = 0; i < lstr; i++) {
if (str[i] != ’n’)
buff[lbuff++] = str[i];
...
}
The unknown 28 random bits: “byte-for-byte” attack.
The first byte is “special”, we know the lowest 4 bits:
0x?216 → ??102 → 24 = 16 attempts
{0x02, 0x12, 0x22 ... 0xC2, 0xD2, 0xE2, 0xF2}
The remaining 3 bytes → standard “byte-for-byte” attack
3x28 = 768 attempts.
After execute the byte-for-byte we obtained 0x36C6FE
...
BUFFER
RBP
0x0007F36C6FEC2DF
...
Stackgrowsdown
Brute
forced
bytes
22 / 42
38. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
2) Brute forcing Saved-IP address
STACKvoid vuln_func(char *str, int lstr){
char buff[48];
int i = 0;
...
for (i = 0; i < lstr; i++) {
if (str[i] != ’n’)
buff[lbuff++] = str[i];
...
}
The unknown 28 random bits: “byte-for-byte” attack.
The first byte is “special”, we know the lowest 4 bits:
0x?216 → ??102 → 24 = 16 attempts
{0x02, 0x12, 0x22 ... 0xC2, 0xD2, 0xE2, 0xF2}
The remaining 3 bytes → standard “byte-for-byte” attack
3x28 = 768 attempts.
After execute the byte-for-byte we obtained 0x36C6FE
We need to perform 24
+3∗28
2
= 392 attempts on average.
...
BUFFER
RBP
0x0007F36C6FEC2DF
...
Stackgrowsdown
22 / 42
44. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
5) Getting app. process mapping
Obtaining library base addresses:
Application Base = 0x7FD1B473A000
Offset2lib (libc) = 0x5eb000
Offset2lib (ld) = 0x225000
...
libc-2.19.so
ld-2.19.so
server 64 PIE
...
0x000000000000
0x7FFFFFFFFFFF
mmap base
Libc Base
ld Base
Application Base
25 / 42
45. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
5) Getting app. process mapping
Obtaining library base addresses:
Application Base = 0x7FD1B473A000
Offset2lib (libc) = 0x5eb000
Offset2lib (ld) = 0x225000
...
libc-2.19.so
ld-2.19.so
server 64 PIE
...
Libc Base = 0x7FD1B473A000 - 0x5eb000 = 0x7FD1B414F000
0x5eb000
0x000000000000
0x7FFFFFFFFFFF
mmap base
Libc Base
ld Base
Application Base
25 / 42
46. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
5) Getting app. process mapping
Obtaining library base addresses:
Application Base = 0x7FD1B473A000
Offset2lib (libc) = 0x5eb000
Offset2lib (ld) = 0x225000
...
libc-2.19.so
ld-2.19.so
server 64 PIE
...
Libc Base = 0x7FD1B473A000 - 0x5eb000 = 0x7FD1B414F000
0x5eb000
ld Base = 0x7FD1B473A000 - 0x225000 = 0x7fd1b4515000
0x2225000
0x000000000000
0x7FFFFFFFFFFF
mmap base
Libc Base
ld Base
Application Base
25 / 42
47. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
The vulnerable server
To show a more realistic PoC:
Bypass NX, SSP, ASLR, FORTIFY or RELRO.
We do not use GOT neither PLT.
Valid for any application (Gadgets only from libraries)
We use a fully updated Linux.
Parameter Comment Configuration
App. relocatable Yes -fpie -pie
Lib. relocatable Yes -Fpic
ASLR config. Enabled randomize va space = 2
SSP Enabled -fstack-protector-all
Arch. 64 bits x86 64 GNU/Linux
NX Enabled PAE or x64
RELRO Full -wl,-z,-relro,-z,now
FORTIFY Yes -D FORTIFY SOURCE=2
Optimisation Yes -O2
26 / 42
48. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Bypassing NX, SSP and ASLR on 64-bit Linux
Demo: Bypass NX, SSP and ASLR in < 1 sec.
27 / 42
49. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
How to prevent exploitation
There are many vectors to exploit this weakness: Imagination is the
limit. Basically, an attacker needs:
1 The knowledge (information leak).
2 A way to use it.
There are many solutions to address this weakness:
Avoid information leaks at once:
Don’t design weak applications/protocols.
Don’t write code with errors.
. . .
Make the leaked information useless:
PaX patch
Linux Kenrel >= 4.1
RenewSSP: Improve stack-smashing-protector.
28 / 42
50. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
Solutions overview
PaX
The Offset2lib weakness
Solved with
RenewSSP
ASLR patch :
Linux >= 4.1
Solved with
The Offset2lib attack
All weaknesses are only solved by the ASLR-NG
29 / 42
52. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Exploiting the Correlation weakness: offset2lib
With Linux Kernel >= 4.1
# hello_world_dynamic_pie
54859ccd6000-54859ccd7000 r-xp 00000000 00:02 4896 /bin/hello world dynamic pie
54859ced6000-54859ced7000 r--p 00000000 00:02 4896 /bin/hello world dynamic pie
54859ced7000-54859ced8000 rw-p 00001000 00:02 4896 /bin/hello world dynamic pie
7f75be764000-7f75be91f000 r-xp 00000000 00:02 5192 /lib/x86_64-linux-gnu/libc.so.6
7f75be91f000-7f75beb1f000 ---p 001bb000 00:02 5192 /lib/x86_64-linux-gnu/libc.so.6
7f75beb1f000-7f75beb23000 r--p 001bb000 00:02 5192 /lib/x86_64-linux-gnu/libc.so.6
7f75beb23000-7f75beb25000 rw-p 001bf000 00:02 5192 /lib/x86_64-linux-gnu/libc.so.6
7f75beb25000-7f75beb2a000 rw-p 00000000 00:00 0
7f75beb2a000-7f75beb4d000 r-xp 00000000 00:02 4917 /lib64/ld-linux-x86-64.so.2
7f75bed45000-7f75bed46000 rw-p 00000000 00:00 0
7f75bed46000-7f75bed47000 r-xp 00000000 00:00 0
7f75bed47000-7f75bed4c000 rw-p 00000000 00:00 0
7f75bed4c000-7f75bed4d000 r--p 00022000 00:02 4917 /lib64/ld-linux-x86-64.so.2
7f75bed4d000-7f75bed4e000 rw-p 00023000 00:02 4917 /lib64/ld-linux-x86-64.so.2
7f75bed4e000-7f75bed4f000 rw-p 00000000 00:00 0
7fffb3741000-7fffb3762000 rw-p 00000000 00:00 0 [stack]
7fffb377b000-7fffb377d000 r--p 00000000 00:00 0 [vvar]
7fffb377d000-7fffb377f000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
31 / 42
53. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
Addressing the ASLR weaknesses
ASLR-NG addresses all these weaknesses but because of the urgency to
fix the Offset2lib weakness, it was fixed in current Linux.
It can be seen as a minor part of the ASLR-NG.
It does not remove the correlation problem between all objects.
How we addressed the Offset2lib weakness ?
32 / 42
54. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
The particular Offset2lib fix
Offset2lib fix:
We have removed the correlation between
the executable ↔ libraries
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
FlowredirectConstant !
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
Flowredirect
Random !
33 / 42
55. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
The particular Offset2lib fix
Offset2lib fix:
We have removed the correlation between
the executable ↔ libraries
Attack rewarded by Packet Storm Security:
Offset2lib was classified as 1-day vulnerability
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
FlowredirectConstant !
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
Flowredirect
Random !
33 / 42
56. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
The particular Offset2lib fix
Offset2lib fix:
We have removed the correlation between
the executable ↔ libraries
Attack rewarded by Packet Storm Security:
Offset2lib was classified as 1-day vulnerability
Linux Kernel 4.1 patch:
We have created and sent a patch to Linux,
which was considered urgent.
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
FlowredirectConstant !
stack
lib1
lib2
exec
heap
LOW
HIGH
VM space
Flowredirect
Random !
33 / 42
57. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: Address Space Layout
Randomization Next Generation
34 / 42
58. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: The core ideas
A deep analysis of growable objects shows
that they (stack and heap) can be bounded.
This key idea allowed me to load objects:
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR-NG
35 / 42
59. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: The core ideas
A deep analysis of growable objects shows
that they (stack and heap) can be bounded.
This key idea allowed me to load objects:
Freely along the VM:
→ Huge increment of entropy.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR-NG
35 / 42
60. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: The core ideas
A deep analysis of growable objects shows
that they (stack and heap) can be bounded.
This key idea allowed me to load objects:
Freely along the VM:
→ Huge increment of entropy.
Uniformly distributed:
→ No more likely addresses.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR-NG
35 / 42
61. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: The core ideas
A deep analysis of growable objects shows
that they (stack and heap) can be bounded.
This key idea allowed me to load objects:
Freely along the VM:
→ Huge increment of entropy.
Uniformly distributed:
→ No more likely addresses.
Uncorrelated:
→ No more correlated attacks.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR-NG
35 / 42
62. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: The core ideas
A deep analysis of growable objects shows
that they (stack and heap) can be bounded.
This key idea allowed me to load objects:
Freely along the VM:
→ Huge increment of entropy.
Uniformly distributed:
→ No more likely addresses.
Uncorrelated:
→ No more correlated attacks.
Have different VM layout:
→ Forking model more secure.
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR
stack
lib1
lib2
mmap files
heap
exec
LOW
HIGH
VM space
Flowredirect
Linux ASLR-NG
35 / 42
63. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: New randomisation forms
We have categorized and designed new randomization forms:
Feature Description
When
Per-boot Every time the system is booted.
Per-exec Every time a new image is executed.
Per-fork Every time a new process is spawned. new!
Per-object Every time a new object is created. new!
What
Stack Stack of the main process.
LD Dynamic linker/loader.
Executable Loadable segments (text, data, bss, ...).
Heap Old-fashioned dynamic memory of the process: brk(). improved !
vDSO/VVAR Objects exported by the kernel to the user space.
Mmaps/libs Objects allocated calling mmap(). improved !
How
Partial VM A sub-range of the VM space is used to map the object.
Full VM The full VM space is used to map the object. new!
Isolated-object The object is randomised independently from any other. new!
Sub-page Page offset bits are randomised. new!
Bit-slicing Different slices of the address are randomised at different times. Google!
Direction Topdown/downtop search side used on a first-fit allocation strategy. new!
Specific-zone A base address and a direction where objects are allocated together. new!
36 / 42
64. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: Profile modes
stack thread3
stack thread3
stack thread3
stack thread1
Libc.so
mmap file a
Executable
stack
Heap (brk)
ld.so
vDSO
stack thread2
VM space
mmap_base
stack thread1
Libc.so
mmap file a
Executable
stack
Heap (brk)
ld.so
vDSO
stack thread2
VM space
stack thread1
Libc.so
mmap file a
Executable
stack
Heap (brk)
ld.so
vDSO
stack thread2
VM space
stack thread1
Libc.so
mmap file a
Executable
stack
Heap (brk)
ld.so
vDSO
stack thread2
VM space
(a) Concentrated (b) Conservative (c) Extended (d) Paranoid
LOW_ADDR
HIGH_ADDR
ASLR-NG: Profile mode examples. 37 / 42
65. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: Evaluation
We have developed ASLRA, a test suit to analyze the entropy of objects.
ASLRA is composed of three tools:
1 Simulator:
→ Simulates several ASLRs, including the proposed ASLR-NG.
2 Sampler:
→ An application which generate million of samples (address of
mapped objects) and saves the raw data.
3 Analyzer:
→ Performs the statistical analysis.
→ Individual byte, Shannon entropy, flipping bits, etc.
38 / 42
66. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: Evaluation
We have developed ASLRA, a test suit to analyze the entropy of objects.
ASLRA is composed of three tools:
1 Simulator:
→ Simulates several ASLRs, including the proposed ASLR-NG.
2 Sampler:
→ An application which generate million of samples (address of
mapped objects) and saves the raw data.
3 Analyzer:
→ Performs the statistical analysis.
→ Individual byte, Shannon entropy, flipping bits, etc.
↓
H(X) = −
x∈X
p(x) log2 p(x)
The most interesting!
38 / 42
67. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
ASLR-NG: ASLR analyzer tool
ASLR analyser: Screenshot of a Heap (brk)
39 / 42
68. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
ASLR-NG: ASLR Next Generation
Linux vs PaX vs ASLR-NG
32-bits 64-bits
Object Linux PaX ASLR-NG Linux PaX ASLR-NG
ARGV 11 27 31.5 22 39 47
Main stack 19 23 27.5 30 35 43
Heap (brk) 13 23.3 27.5 28 35 43
Heap (mmap) 8 15.7 27.5 28 28.5 43
Thread stacks 8 15.7 27.5 28 28.5 43
Sub-page object - - 27.5 - - 43
Regular mmaps 8 15.7 19.5 28 28.5 35
Libraries 8 15.7 19.5 28 28.5 35
vDSO 8 15.7 19.5 21.4 28.5 35
Executable 8 15 19.5 28 27 35
Huge pages 0 5.7 9.5 19 19.5 26
Comparative summary of bits of entropy.
40 / 42
69. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Conclusions
ASLR-NG: Benefits
The main features of ASLR-NG are:
Uses full memory space to randomise objects, which in turn provides
maximum entropy.
A novel solution for reducing fragmentation, without reducing entropy.
Objects containing sensitive information are automatically isolated.
Sequentially loaded libraries are randomised.
It provides a strong protection against absolute and correlation attacks.
Effectively removes the four weaknesses previously identified.
During the design of the ASLR-NG we have fixed three vulnerabilities in the
Linux ASLR that were rewarded by Google.
The Offset2lib attack was rewarded by Packet Storm Security classified as a
1-day vulnerability.
41 / 42
70. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems Hector Marco
Questions ?
* Hector Marco-Gisbert http://hmarco.org
* Ismael Ripoll Ripoll http://personales.upv.es/iripoll
* Cyber-security research group at http://cybersecurity.upv.es
42 / 42