SlideShare a Scribd company logo

Scale17x buffer overflows

J
johseg

This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder. We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.

Technology
1 of 99
Download to read offline
Buffer overflows and counter meassures Johannes Segitz SUSE Security Team 2019-03-08 1 of 41
whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) • code review • product pentesting 2 of 41
whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) • code review • product pentesting Joined April 2014, got Heartbleed as signing bonus 2 of 41
Outline Buffer overflows and protections: • Stack canaries • Fortify source • Address space layout randomization • No-execute memory (NX, WˆX) 3 of 41
Outline Buffer overflows and protections: • Stack canaries • Fortify source • Address space layout randomization • No-execute memory (NX, WˆX) Used by SUSE products, there are other protection mechanisms out there 3 of 41
Outline Requires some C and assembler background, but I’ll explain most on the fly 4 of 41
Outline Requires some C and assembler background, but I’ll explain most on the fly Stop me if I’m going to fast with the examples 4 of 41
Outline Requires some C and assembler background, but I’ll explain most on the fly Stop me if I’m going to fast with the examples This is short overview, not something to make you 31337 4axx0rs 4 of 41
Outline Requires some C and assembler background, but I’ll explain most on the fly Stop me if I’m going to fast with the examples This is short overview, not something to make you 31337 4axx0rs Also I will try to keep it at least a bit interactive 4 of 41
General mechanism We’re talking here about stack based buffer overflows and counter meassures 5 of 41
General mechanism We’re talking here about stack based buffer overflows and counter meassures A problem in languages in which you manage your own memory (primary example is C) 5 of 41
General mechanism We’re talking here about stack based buffer overflows and counter meassures A problem in languages in which you manage your own memory (primary example is C) Really simple example: 1 #include <string.h> 2 3 int main(int argc , char ** argv) { 4 char buffer [20]; 5 6 strcpy(buffer , argv [1]); 7 8 return EXIT_SUCCESS ; 9 } 5 of 41
General mechanism The problem is that for a given buffer size too much data is placed in there 6 of 41
General mechanism The problem is that for a given buffer size too much data is placed in there Usually a size check is just missing 6 of 41
General mechanism The problem is that for a given buffer size too much data is placed in there Usually a size check is just missing Sometimes the check is there but faulty or can be circumvented (think integer overflows) 6 of 41
Why is this a problem? Because in data of the application and control information about execution is mixed 7 of 41
Why is this a problem? Part of the control information (saved instruction pointer RIP/EIP) is the address where execution will continue after the current function 8 of 41
Why is this a problem? If a buffer overflow happens this control information can be overwritten 9 of 41
Why is this a problem? If a buffer overflow happens this control information can be overwritten If this is done carefully arbitrary code can be executed 9 of 41
Why is this a problem? 10 of 41
Other overwrites Not only saved RIP/EIP can be highjacked. Think of • Function pointers • Exceptions handlers • Other application specific data (is admin flag ...) 11 of 41
Other overwrites Not only saved RIP/EIP can be highjacked. Think of • Function pointers • Exceptions handlers • Other application specific data (is admin flag ...) So what can be done against these problems? 11 of 41
Other overwrites Not only saved RIP/EIP can be highjacked. Think of • Function pointers • Exceptions handlers • Other application specific data (is admin flag ...) So what can be done against these problems? Just use Java for everything. Done! We’re safe ;) 11 of 41
Simple 32 bit exploitation 1 # include <unistd .h> 2 3 void vulnerable( void ) { 4 char buffer [256]; 5 6 read(0, buffer , 512); 7 8 return; 9 } 10 11 int main(int argc , char ** argv) { 12 vulnerable (); 13 14 return EXIT_SUCCESS ; 15 } 12 of 41
Simple 32 bit exploitation Demo time 13 of 41
Mitigations: Stack canaries 14 of 41
Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame 15 of 41
Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid 15 of 41
Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid Types: • Terminator canaries: NULL, CR, LF, and -1 15 of 41
Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid Types: • Terminator canaries: NULL, CR, LF, and -1 • Random canaries 15 of 41
Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid Types: • Terminator canaries: NULL, CR, LF, and -1 • Random canaries • Random XOR canaries 15 of 41
Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack 16 of 41
Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack • -fstack-protector-strong: ◦ local variable is an array (or union containing an array), regardless of array type or length ◦ uses register local variables ◦ local variable address is used as part of the right hand side of an assignment or function argument 16 of 41
Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack • -fstack-protector-strong: ◦ local variable is an array (or union containing an array), regardless of array type or length ◦ uses register local variables ◦ local variable address is used as part of the right hand side of an assignment or function argument • -fstack-protector-all: extra code for each and every function 16 of 41
Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack • -fstack-protector-strong: ◦ local variable is an array (or union containing an array), regardless of array type or length ◦ uses register local variables ◦ local variable address is used as part of the right hand side of an assignment or function argument • -fstack-protector-all: extra code for each and every function • -fstack-protector-explicit: extra code every function annotated with stack protect 16 of 41
Mitigations: Stack canaries Short reminder of the example code: 1 #include <string.h> 2 3 int main(int argc , char ** argv) 4 { 5 char buffer [20]; 6 7 strcpy(buffer , argv [1]); 8 9 return EXIT_SUCCESS ; 10 } 17 of 41
Mitigations: Stack canaries Original code: 1 00000000000006 b0 <main >: 2 6b0: 55 push rbp 3 6b1: 48 89 e5 mov rbp ,rsp 4 6b4: 48 83 ec 30 sub rsp ,0 x30 5 6b8: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 6bb: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 6bf: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0x30] 8 6c3: 48 83 c0 08 add rax ,0x8 9 6c7: 48 8b 10 mov rdx ,QWORD PTR [rax] 10 6ca: 48 8d 45 e0 lea rax ,[rbp -0 x20] 11 6ce: 48 89 d6 mov rsi ,rdx 12 6d1: 48 89 c7 mov rdi ,rax 13 6d4: e8 87 fe ff ff call 560 <strcpy@plt > 14 6d9: b8 00 00 00 00 mov eax ,0x0 15 6de: c9 leave 16 6df: c3 ret 18 of 41
Mitigations: Stack canaries Protected code: 1 0000000000000720 <main >: 2 720: 55 push rbp 3 721: 48 89 e5 mov rbp ,rsp 4 724: 48 83 ec 30 sub rsp ,0 x30 5 728: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 72b: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 72f: 64 48 8b 04 25 28 00 mov rax ,QWORD PTR fs:0 x28 8 736: 00 00 9 738: 48 89 45 f8 mov QWORD PTR [rbp -0x8],rax 10 73c: 31 c0 xor eax ,eax 11 73e: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0 x30] 12 742: 48 83 c0 08 add rax ,0x8 13 746: 48 8b 10 mov rdx ,QWORD PTR [rax] 14 749: 48 8d 45 e0 lea rax ,[rbp -0 x20] 15 74d: 48 89 d6 mov rsi ,rdx 16 750: 48 89 c7 mov rdi ,rax 17 753: e8 68 fe ff ff call 5c0 <strcpy@plt > 18 758: b8 00 00 00 00 mov eax ,0x0 19 75d: 48 8b 4d f8 mov rcx ,QWORD PTR [rbp -0x8] 20 761: 64 48 33 0c 25 28 00 xor rcx ,QWORD PTR fs:0x28 21 768: 00 00 22 76a: 74 05 je 771 <main +0x51 > 23 76c: e8 5f fe ff ff call 5d0 <__stack_chk_fail@plt > 24 771: c9 leave 25 772: c3 ret 19 of 41
Mitigations: Stack canaries Protected code: 1 0000000000000720 <main >: 2 720: 55 push rbp 3 721: 48 89 e5 mov rbp ,rsp 4 724: 48 83 ec 30 sub rsp ,0 x30 5 728: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 72b: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 72f: 64 48 8b 04 25 28 00 mov rax ,QWORD PTR fs:0 x28 8 736: 00 00 9 738: 48 89 45 f8 mov QWORD PTR [rbp -0x8],rax 10 73c: 31 c0 xor eax ,eax 11 73e: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0 x30] 12 742: 48 83 c0 08 add rax ,0x8 13 746: 48 8b 10 mov rdx ,QWORD PTR [rax] 14 749: 48 8d 45 e0 lea rax ,[rbp -0 x20] 15 74d: 48 89 d6 mov rsi ,rdx 16 750: 48 89 c7 mov rdi ,rax 17 753: e8 68 fe ff ff call 5c0 <strcpy@plt > 18 758: b8 00 00 00 00 mov eax ,0x0 19 75d: 48 8b 4d f8 mov rcx ,QWORD PTR [rbp -0x8] 20 761: 64 48 33 0c 25 28 00 xor rcx ,QWORD PTR fs:0x28 21 768: 00 00 22 76a: 74 05 je 771 <main +0x51 > 23 76c: e8 5f fe ff ff call 5d0 <__stack_chk_fail@plt > 24 771: c9 leave 25 772: c3 ret 19 of 41
Mitigations: Stack canaries Protected code: 1 0000000000000720 <main >: 2 720: 55 push rbp 3 721: 48 89 e5 mov rbp ,rsp 4 724: 48 83 ec 30 sub rsp ,0 x30 5 728: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 72b: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 72f: 64 48 8b 04 25 28 00 mov rax ,QWORD PTR fs:0 x28 8 736: 00 00 9 738: 48 89 45 f8 mov QWORD PTR [rbp -0x8],rax 10 73c: 31 c0 xor eax ,eax 11 73e: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0 x30] 12 742: 48 83 c0 08 add rax ,0x8 13 746: 48 8b 10 mov rdx ,QWORD PTR [rax] 14 749: 48 8d 45 e0 lea rax ,[rbp -0 x20] 15 74d: 48 89 d6 mov rsi ,rdx 16 750: 48 89 c7 mov rdi ,rax 17 753: e8 68 fe ff ff call 5c0 <strcpy@plt > 18 758: b8 00 00 00 00 mov eax ,0x0 19 75d: 48 8b 4d f8 mov rcx ,QWORD PTR [rbp -0x8] 20 761: 64 48 33 0c 25 28 00 xor rcx ,QWORD PTR fs:0x28 21 768: 00 00 22 76a: 74 05 je 771 <main +0x51 > 23 76c: e8 5f fe ff ff call 5d0 <__stack_chk_fail@plt > 24 771: c9 leave 25 772: c3 ret 19 of 41
Mitigations: Stack canaries Demo time 20 of 41
Limitations of stack canaries Limitations: 21 of 41
Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk 21 of 41
Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives 21 of 41
Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers 21 of 41
Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers • Chain buffer overflow with information leak 21 of 41
Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers • Chain buffer overflow with information leak • No protection for inlined functions 21 of 41
Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers • Chain buffer overflow with information leak • No protection for inlined functions • Can be used to cause DoS 21 of 41
Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). 22 of 41
Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). 22 of 41
Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). What is checked: For statically sized buffers the compiler can check calls to certain functions. 22 of 41
Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). What is checked: For statically sized buffers the compiler can check calls to certain functions. Enable it with -DFORTIFY SOURCE=2 (only with optimization). 22 of 41
Mitigations: Fortify source 1 void fun(char *s) { 2 char buf [0 x100 ]; 3 strcpy(buf , s); 4 /* Don ’t allow gcc to optimise away the buf */ 5 asm volatile("" :: "m" (buf)); 6 } 7 8 int main(int argc , char ** argv) 9 { 10 fun( argv [1] ); 11 12 return EXIT_SUCCESS ; 13 } Example based on Matthias’ work 23 of 41
Mitigations: Fortify source 1 00000000000006 b0 <fun >: 2 6b0: 55 push rbp 3 6b1: 48 89 e5 mov rbp ,rsp 4 6b4: 48 81 ec 10 01 00 00 sub rsp ,0 x110 5 6bb: 48 89 bd f8 fe ff ff mov QWORD PTR [rbp -0 x108],rdi 6 6c2: 48 8b 95 f8 fe ff ff mov rdx ,QWORD PTR [rbp -0 x108] 7 6c9: 48 8d 85 00 ff ff ff lea rax ,[rbp -0 x100] 8 6d0: 48 89 d6 mov rsi ,rdx 9 6d3: 48 89 c7 mov rdi ,rax 10 6d6: e8 85 fe ff ff call 560 <strcpy@plt > 11 6db: 90 nop 12 6dc: c9 leave 13 6dd: c3 ret 24 of 41
Mitigations: Fortify source gcc -o fortify -O2 -D FORTIFY SOURCE=2 fortify.c 1 ,0000000000000700 <fun >: 2 , 700: 48 81 ec 08 01 00 00 sub rsp ,0 x108 3 , 707: 48 89 fe mov rsi ,rdi 4 , 70a: ba 00 01 00 00 mov edx ,0 x100 5 , 70f: 48 89 e7 mov rdi ,rsp 6 , 712: e8 69 fe ff ff call 580 <__strcpy_chk@plt > 7 , 717: 48 81 c4 08 01 00 00 add rsp ,0 x108 8 , 71e: c3 ret 9 , 71f: 90 nop 25 of 41
Mitigations: Fortify source gcc -o fortify -O2 -D FORTIFY SOURCE=2 fortify.c 1 ,0000000000000700 <fun >: 2 , 700: 48 81 ec 08 01 00 00 sub rsp ,0 x108 3 , 707: 48 89 fe mov rsi ,rdi 4 , 70a: ba 00 01 00 00 mov edx ,0 x100 5 , 70f: 48 89 e7 mov rdi ,rsp 6 , 712: e8 69 fe ff ff call 580 <__strcpy_chk@plt > 7 , 717: 48 81 c4 08 01 00 00 add rsp ,0 x108 8 , 71e: c3 ret 9 , 71f: 90 nop 25 of 41
Mitigations: Fortify source Demo time 26 of 41
Limitation of fortify source Limitations / problems: 27 of 41
Limitation of fortify source Limitations / problems: • Limited to some functions/situations 27 of 41
Limitation of fortify source Limitations / problems: • Limited to some functions/situations • Can still lead to DoS 27 of 41
Limitation of fortify source Limitations / problems: • Limited to some functions/situations • Can still lead to DoS • Developers might keep using these functions 27 of 41
Limitation of fortify source Limitations / problems: • Limited to some functions/situations • Can still lead to DoS • Developers might keep using these functions But it comes with almost no cost, so enable it 27 of 41
Mitigations: ASLR ASLR: Address space layout randomization 28 of 41
Mitigations: ASLR ASLR: Address space layout randomization Memory segments (stack, heap and code) are loaded at random locations 28 of 41
Mitigations: ASLR ASLR: Address space layout randomization Memory segments (stack, heap and code) are loaded at random locations Atttackers don’t know return addresses into exploit code or C library code reliably any more 28 of 41
Mitigations: ASLR 1 bash -c ’cat /proc/$$/maps ’ 2 56392 d605000 -56392 d60d000 r-xp 00000000 fe:01 12058638 /bin/cat 3 <snip > 4 56392 dd05000 -56392 dd26000 rw -p 00000000 00:00 0 [heap] 5 7fb2bd101000 -7 fb2bd296000 r-xp 00000000 fe:01 4983399 /lib/x86_64 -linux -gnu/libc -2.24. so 6 <snip > 7 7fb2bd6b2000 -7 fb2bd6b3000 r--p 00000000 fe:01 1836878 /usr/lib/locale/en_AG/ LC_MESSAGES/ SYS_LC_MESSAGES 8 <snip > 9 7fffd5c36000 -7 fffd5c57000 rw -p 00000000 00:00 0 [stack] 10 7fffd5ce9000 -7 fffd5ceb000 r--p 00000000 00:00 0 [vvar] 11 7fffd5ceb000 -7 fffd5ced000 r-xp 00000000 00:00 0 [vdso] 12 ffffffffff600000 - ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] 29 of 41
Mitigations: ASLR 1 bash -c ’cat /proc/$$/maps ’ 2 56392 d605000 -56392 d60d000 r-xp 00000000 fe:01 12058638 /bin/cat 3 <snip > 4 56392 dd05000 -56392 dd26000 rw -p 00000000 00:00 0 [heap] 5 7fb2bd101000 -7 fb2bd296000 r-xp 00000000 fe:01 4983399 /lib/x86_64 -linux -gnu/libc -2.24. so 6 <snip > 7 7fb2bd6b2000 -7 fb2bd6b3000 r--p 00000000 fe:01 1836878 /usr/lib/locale/en_AG/ LC_MESSAGES/ SYS_LC_MESSAGES 8 <snip > 9 7fffd5c36000 -7 fffd5c57000 rw -p 00000000 00:00 0 [stack] 10 7fffd5ce9000 -7 fffd5ceb000 r--p 00000000 00:00 0 [vvar] 11 7fffd5ceb000 -7 fffd5ced000 r-xp 00000000 00:00 0 [vdso] 12 ffffffffff600000 - ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] 1 for i in ‘seq 1 5‘; do bash -c ’cat /proc/$$/maps | grep stack ’; done 2 7ffcb8e0f000 -7 ffcb8e30000 rw -p 00000000 00:00 0 [stack] 3 7fff64dc9000 -7 fff64dea000 rw -p 00000000 00:00 0 [stack] 4 7ffc3b408000 -7 ffc3b429000 rw -p 00000000 00:00 0 [stack] 5 7ffcee799000 -7 ffcee7ba000 rw -p 00000000 00:00 0 [stack] 6 7ffd4b904000 -7 ffd4b925000 rw -p 00000000 00:00 0 [stack] 29 of 41
Mitigations: ASLR cat /proc/sys/kernel/randomize va space shows you the current settings for your system. • 0: No randomization • 1: Randomize positions of the stack, VDSO page, and shared memory regions • 2: Randomize positions of the stack, VDSO page, shared memory regions, and the data segment 30 of 41
Mitigations: ASLR cat /proc/sys/kernel/randomize va space shows you the current settings for your system. • 0: No randomization • 1: Randomize positions of the stack, VDSO page, and shared memory regions • 2: Randomize positions of the stack, VDSO page, shared memory regions, and the data segment To get the full benefit you need to compile your binaries with -fPIE 30 of 41
Mitigations: ASLR Limitations: 31 of 41
Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines 31 of 41
Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems 31 of 41
Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. 31 of 41
Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. • Can be circumvented by chaining an information leak into the exploit 31 of 41
Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. • Can be circumvented by chaining an information leak into the exploit • Some exotic software might rely on fixed addresses (think inline assembly) 31 of 41
Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. • Can be circumvented by chaining an information leak into the exploit • Some exotic software might rely on fixed addresses (think inline assembly) • Sometimes you have usable memory locations in registers 31 of 41
Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable 32 of 41
Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX 32 of 41
Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX The most interesting memory regions for this feature to use are the stack and heap memory regions 32 of 41
Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX The most interesting memory regions for this feature to use are the stack and heap memory regions A stack overflow could still take place, but it is not be possible to directly return to a stack address for execution 32 of 41
Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX The most interesting memory regions for this feature to use are the stack and heap memory regions A stack overflow could still take place, but it is not be possible to directly return to a stack address for execution 1 bash -c ’cat /proc/$$/maps | grep stack ’ 2 7ffcb8e0f000 -7 ffcb8e30000 rw -p 00000000 00:00 0 [stack] 32 of 41
Mitigations: NX Limitations 33 of 41
Mitigations: NX Limitations • Use existing code in the exploited program 33 of 41
Mitigations: NX Limitations • Use existing code in the exploited program • Return to libc: Use existing functions 33 of 41
Mitigations: NX Limitations • Use existing code in the exploited program • Return to libc: Use existing functions • ROP (Return Oriented Programming): Structure the data on the stack so that instruction sequences ending in ret can be used 33 of 41
ROP Graphic taken from https://www.cs.columbia.edu/ angelos/Papers/theses/vpappas thesis.pdf 34 of 41
Mitigations: Are we safe? So, with • Stack canaries • ALSR • NX • Fortify source we should be safe?! 35 of 41
Mitigations: Are we safe? So, with • Stack canaries • ALSR • NX • Fortify source we should be safe?! Counter example take from http://www.antoniobarresi.com/ security/exploitdev/2014/05/03/64bitexploitation/ Leaving out fortify source to allow simple creation of buffer overflow 35 of 41
Mitigations: Circumventing them 1 #include <stdio.h> 2 #include <string.h> 3 #include <unistd.h> 4 5 void memLeak( void ) { 6 char buf [512]; 7 scanf("%s", buf); 8 printf(buf); 9 } 10 11 void vulnFunc( void ) { 12 char buf [1024]; 13 read(0, buf , 2048); 14 } 15 16 int main(int argc , char* argv []) { 17 setbuf(stdout , NULL); 18 printf("echo > "); 19 memLeak (); 20 printf("n"); 21 printf("read > "); 22 vulnFunc (); 23 24 printf("ndone .n"); 25 26 return EXIT_SUCCESS ; 27 } 36 of 41
Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); 37 of 41
Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); On x86 64 the first few arguments go into registers → to set registers we need to execute code 37 of 41
Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); On x86 64 the first few arguments go into registers → to set registers we need to execute code But NX blocks us → ROP 37 of 41
Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); On x86 64 the first few arguments go into registers → to set registers we need to execute code But NX blocks us → ROP Finding gadgets: 1 ROPgadget.py --binary /lib64/libc.so.6 | grep ’pop rdi ’ 37 of 41
Mitigations: Circumventing them Demo time 38 of 41
What we didn’t cover A lot. For example: • -fstack-clash-protection • relro 39 of 41
Outlook ROP is used in a lot of modern exploits: • Shadow stacks • (Hardware) control flow integrity (CFI) • Data flow intgerity (DFI) 40 of 41
Outlook ROP is used in a lot of modern exploits: • Shadow stacks • (Hardware) control flow integrity (CFI) • Data flow intgerity (DFI) These mitigations are rather costly, hard to convince users to take the hit 40 of 41
Outlook ROP is used in a lot of modern exploits: • Shadow stacks • (Hardware) control flow integrity (CFI) • Data flow intgerity (DFI) These mitigations are rather costly, hard to convince users to take the hit And they also can be circumvented 40 of 41
Thank you for your attention! Questions? 41 of 41

Recommended

StackOverflow
StackOverflowStackOverflow
StackOverflowSusam Pal
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 

Recommended

StackOverflow
StackOverflowStackOverflow
StackOverflowSusam Pal
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
from Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu Worksfrom Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu WorksZhen Wei
 
Lec05
Lec05Lec05
Lec05siddu kadiwal
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Pixie Labs
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processorsRISC-V International
 
第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料Asuka Nakajima
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community
 
TensorFlow XLA RPC
TensorFlow XLA RPCTensorFlow XLA RPC
TensorFlow XLA RPCMr. Vengineer
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary ExploitationFlorian Müller
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言Simen Li
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using PythonTrue stories on the analysis of network activity using Python
True stories on the analysis of network activity using Pythondelimitry
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Debugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerDebugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerMediehuset Ingeniøren Live
 
The forgotten art of assembly
The forgotten art of assemblyThe forgotten art of assembly
The forgotten art of assemblyMarian Marinov
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

More Related Content

What's hot

Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
from Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu Worksfrom Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu WorksZhen Wei
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Pixie Labs
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processorsRISC-V International
 
第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料Asuka Nakajima
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary ExploitationFlorian Müller
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言Simen Li
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using PythonTrue stories on the analysis of network activity using Python
True stories on the analysis of network activity using Pythondelimitry
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 

What's hot (19)

Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpy
 
from Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu Worksfrom Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu Works
 
Lec05
Lec05Lec05
Lec05
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processors
 
第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
 
TensorFlow XLA RPC
TensorFlow XLA RPCTensorFlow XLA RPC
TensorFlow XLA RPC
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
 
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using PythonTrue stories on the analysis of network activity using Python
True stories on the analysis of network activity using Python
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 

Similar to Scale17x buffer overflows

The forgotten art of assembly
The forgotten art of assemblyThe forgotten art of assembly
The forgotten art of assemblyMarian Marinov
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
HHVM on AArch64 - BUD17-400K1
HHVM on AArch64 - BUD17-400K1HHVM on AArch64 - BUD17-400K1
HHVM on AArch64 - BUD17-400K1Linaro
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanDefconRussia
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Architecture innovations in POWER ISA v3.01 and POWER10
Architecture innovations in POWER ISA v3.01 and POWER10Architecture innovations in POWER ISA v3.01 and POWER10
Architecture innovations in POWER ISA v3.01 and POWER10Ganesan Narayanasamy
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...Positive Hack Days
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFBrendan Gregg
 
C++ and Assembly: Debugging and Reverse Engineering
C++ and Assembly: Debugging and Reverse EngineeringC++ and Assembly: Debugging and Reverse Engineering
C++ and Assembly: Debugging and Reverse Engineeringcorehard_by
 
General Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareGeneral Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareDaniel Blezek
 
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIWLec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIWHsien-Hsin Sean Lee, Ph.D.
 

Similar to Scale17x buffer overflows (20)

Debugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerDebugging 2013- Jesper Brouer
Debugging 2013- Jesper Brouer
 
The forgotten art of assembly
The forgotten art of assemblyThe forgotten art of assembly
The forgotten art of assembly
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 
HHVM on AArch64 - BUD17-400K1
HHVM on AArch64 - BUD17-400K1HHVM on AArch64 - BUD17-400K1
HHVM on AArch64 - BUD17-400K1
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Architecture innovations in POWER ISA v3.01 and POWER10
Architecture innovations in POWER ISA v3.01 and POWER10Architecture innovations in POWER ISA v3.01 and POWER10
Architecture innovations in POWER ISA v3.01 and POWER10
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
Page table manipulation attack
Page table manipulation attackPage table manipulation attack
Page table manipulation attack
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
 
C++ and Assembly: Debugging and Reverse Engineering
C++ and Assembly: Debugging and Reverse EngineeringC++ and Assembly: Debugging and Reverse Engineering
C++ and Assembly: Debugging and Reverse Engineering
 
General Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareGeneral Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics Hardware
 
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIWLec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Scale17x buffer overflows

  • 1. Buffer overflows and counter meassures Johannes Segitz SUSE Security Team 2019-03-08 1 of 41
  • 2. whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) • code review • product pentesting 2 of 41
  • 3. whoami Johannes Segitz, security engineer at SUSE (Nuremberg, Germany) • code review • product pentesting Joined April 2014, got Heartbleed as signing bonus 2 of 41
  • 4. Outline Buffer overflows and protections: • Stack canaries • Fortify source • Address space layout randomization • No-execute memory (NX, WˆX) 3 of 41
  • 5. Outline Buffer overflows and protections: • Stack canaries • Fortify source • Address space layout randomization • No-execute memory (NX, WˆX) Used by SUSE products, there are other protection mechanisms out there 3 of 41
  • 6. Outline Requires some C and assembler background, but I’ll explain most on the fly 4 of 41
  • 7. Outline Requires some C and assembler background, but I’ll explain most on the fly Stop me if I’m going to fast with the examples 4 of 41
  • 8. Outline Requires some C and assembler background, but I’ll explain most on the fly Stop me if I’m going to fast with the examples This is short overview, not something to make you 31337 4axx0rs 4 of 41
  • 9. Outline Requires some C and assembler background, but I’ll explain most on the fly Stop me if I’m going to fast with the examples This is short overview, not something to make you 31337 4axx0rs Also I will try to keep it at least a bit interactive 4 of 41
  • 10. General mechanism We’re talking here about stack based buffer overflows and counter meassures 5 of 41
  • 11. General mechanism We’re talking here about stack based buffer overflows and counter meassures A problem in languages in which you manage your own memory (primary example is C) 5 of 41
  • 12. General mechanism We’re talking here about stack based buffer overflows and counter meassures A problem in languages in which you manage your own memory (primary example is C) Really simple example: 1 #include <string.h> 2 3 int main(int argc , char ** argv) { 4 char buffer [20]; 5 6 strcpy(buffer , argv [1]); 7 8 return EXIT_SUCCESS ; 9 } 5 of 41
  • 13. General mechanism The problem is that for a given buffer size too much data is placed in there 6 of 41
  • 14. General mechanism The problem is that for a given buffer size too much data is placed in there Usually a size check is just missing 6 of 41
  • 15. General mechanism The problem is that for a given buffer size too much data is placed in there Usually a size check is just missing Sometimes the check is there but faulty or can be circumvented (think integer overflows) 6 of 41
  • 16. Why is this a problem? Because in data of the application and control information about execution is mixed 7 of 41
  • 17. Why is this a problem? Part of the control information (saved instruction pointer RIP/EIP) is the address where execution will continue after the current function 8 of 41
  • 18. Why is this a problem? If a buffer overflow happens this control information can be overwritten 9 of 41
  • 19. Why is this a problem? If a buffer overflow happens this control information can be overwritten If this is done carefully arbitrary code can be executed 9 of 41
  • 20. Why is this a problem? 10 of 41
  • 21. Other overwrites Not only saved RIP/EIP can be highjacked. Think of • Function pointers • Exceptions handlers • Other application specific data (is admin flag ...) 11 of 41
  • 22. Other overwrites Not only saved RIP/EIP can be highjacked. Think of • Function pointers • Exceptions handlers • Other application specific data (is admin flag ...) So what can be done against these problems? 11 of 41
  • 23. Other overwrites Not only saved RIP/EIP can be highjacked. Think of • Function pointers • Exceptions handlers • Other application specific data (is admin flag ...) So what can be done against these problems? Just use Java for everything. Done! We’re safe ;) 11 of 41
  • 24. Simple 32 bit exploitation 1 # include <unistd .h> 2 3 void vulnerable( void ) { 4 char buffer [256]; 5 6 read(0, buffer , 512); 7 8 return; 9 } 10 11 int main(int argc , char ** argv) { 12 vulnerable (); 13 14 return EXIT_SUCCESS ; 15 } 12 of 41
  • 25. Simple 32 bit exploitation Demo time 13 of 41
  • 27. Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame 15 of 41
  • 28. Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid 15 of 41
  • 29. Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid Types: • Terminator canaries: NULL, CR, LF, and -1 15 of 41
  • 30. Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid Types: • Terminator canaries: NULL, CR, LF, and -1 • Random canaries 15 of 41
  • 31. Mitigations: Stack canaries General idea: Compiler generates extra code that puts a canary value at predefined locations within a stack frame Before returning check if canary is still valid Types: • Terminator canaries: NULL, CR, LF, and -1 • Random canaries • Random XOR canaries 15 of 41
  • 32. Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack 16 of 41
  • 33. Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack • -fstack-protector-strong: ◦ local variable is an array (or union containing an array), regardless of array type or length ◦ uses register local variables ◦ local variable address is used as part of the right hand side of an assignment or function argument 16 of 41
  • 34. Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack • -fstack-protector-strong: ◦ local variable is an array (or union containing an array), regardless of array type or length ◦ uses register local variables ◦ local variable address is used as part of the right hand side of an assignment or function argument • -fstack-protector-all: extra code for each and every function 16 of 41
  • 35. Mitigations: Stack canaries Four variants in gcc: • -fstack-protector: code only for functions that put ≥ 8 bytes buffers on the stack • -fstack-protector-strong: ◦ local variable is an array (or union containing an array), regardless of array type or length ◦ uses register local variables ◦ local variable address is used as part of the right hand side of an assignment or function argument • -fstack-protector-all: extra code for each and every function • -fstack-protector-explicit: extra code every function annotated with stack protect 16 of 41
  • 36. Mitigations: Stack canaries Short reminder of the example code: 1 #include <string.h> 2 3 int main(int argc , char ** argv) 4 { 5 char buffer [20]; 6 7 strcpy(buffer , argv [1]); 8 9 return EXIT_SUCCESS ; 10 } 17 of 41
  • 37. Mitigations: Stack canaries Original code: 1 00000000000006 b0 <main >: 2 6b0: 55 push rbp 3 6b1: 48 89 e5 mov rbp ,rsp 4 6b4: 48 83 ec 30 sub rsp ,0 x30 5 6b8: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 6bb: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 6bf: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0x30] 8 6c3: 48 83 c0 08 add rax ,0x8 9 6c7: 48 8b 10 mov rdx ,QWORD PTR [rax] 10 6ca: 48 8d 45 e0 lea rax ,[rbp -0 x20] 11 6ce: 48 89 d6 mov rsi ,rdx 12 6d1: 48 89 c7 mov rdi ,rax 13 6d4: e8 87 fe ff ff call 560 <strcpy@plt > 14 6d9: b8 00 00 00 00 mov eax ,0x0 15 6de: c9 leave 16 6df: c3 ret 18 of 41
  • 38. Mitigations: Stack canaries Protected code: 1 0000000000000720 <main >: 2 720: 55 push rbp 3 721: 48 89 e5 mov rbp ,rsp 4 724: 48 83 ec 30 sub rsp ,0 x30 5 728: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 72b: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 72f: 64 48 8b 04 25 28 00 mov rax ,QWORD PTR fs:0 x28 8 736: 00 00 9 738: 48 89 45 f8 mov QWORD PTR [rbp -0x8],rax 10 73c: 31 c0 xor eax ,eax 11 73e: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0 x30] 12 742: 48 83 c0 08 add rax ,0x8 13 746: 48 8b 10 mov rdx ,QWORD PTR [rax] 14 749: 48 8d 45 e0 lea rax ,[rbp -0 x20] 15 74d: 48 89 d6 mov rsi ,rdx 16 750: 48 89 c7 mov rdi ,rax 17 753: e8 68 fe ff ff call 5c0 <strcpy@plt > 18 758: b8 00 00 00 00 mov eax ,0x0 19 75d: 48 8b 4d f8 mov rcx ,QWORD PTR [rbp -0x8] 20 761: 64 48 33 0c 25 28 00 xor rcx ,QWORD PTR fs:0x28 21 768: 00 00 22 76a: 74 05 je 771 <main +0x51 > 23 76c: e8 5f fe ff ff call 5d0 <__stack_chk_fail@plt > 24 771: c9 leave 25 772: c3 ret 19 of 41
  • 39. Mitigations: Stack canaries Protected code: 1 0000000000000720 <main >: 2 720: 55 push rbp 3 721: 48 89 e5 mov rbp ,rsp 4 724: 48 83 ec 30 sub rsp ,0 x30 5 728: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 72b: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 72f: 64 48 8b 04 25 28 00 mov rax ,QWORD PTR fs:0 x28 8 736: 00 00 9 738: 48 89 45 f8 mov QWORD PTR [rbp -0x8],rax 10 73c: 31 c0 xor eax ,eax 11 73e: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0 x30] 12 742: 48 83 c0 08 add rax ,0x8 13 746: 48 8b 10 mov rdx ,QWORD PTR [rax] 14 749: 48 8d 45 e0 lea rax ,[rbp -0 x20] 15 74d: 48 89 d6 mov rsi ,rdx 16 750: 48 89 c7 mov rdi ,rax 17 753: e8 68 fe ff ff call 5c0 <strcpy@plt > 18 758: b8 00 00 00 00 mov eax ,0x0 19 75d: 48 8b 4d f8 mov rcx ,QWORD PTR [rbp -0x8] 20 761: 64 48 33 0c 25 28 00 xor rcx ,QWORD PTR fs:0x28 21 768: 00 00 22 76a: 74 05 je 771 <main +0x51 > 23 76c: e8 5f fe ff ff call 5d0 <__stack_chk_fail@plt > 24 771: c9 leave 25 772: c3 ret 19 of 41
  • 40. Mitigations: Stack canaries Protected code: 1 0000000000000720 <main >: 2 720: 55 push rbp 3 721: 48 89 e5 mov rbp ,rsp 4 724: 48 83 ec 30 sub rsp ,0 x30 5 728: 89 7d dc mov DWORD PTR [rbp -0x24],edi 6 72b: 48 89 75 d0 mov QWORD PTR [rbp -0 x30],rsi 7 72f: 64 48 8b 04 25 28 00 mov rax ,QWORD PTR fs:0 x28 8 736: 00 00 9 738: 48 89 45 f8 mov QWORD PTR [rbp -0x8],rax 10 73c: 31 c0 xor eax ,eax 11 73e: 48 8b 45 d0 mov rax ,QWORD PTR [rbp -0 x30] 12 742: 48 83 c0 08 add rax ,0x8 13 746: 48 8b 10 mov rdx ,QWORD PTR [rax] 14 749: 48 8d 45 e0 lea rax ,[rbp -0 x20] 15 74d: 48 89 d6 mov rsi ,rdx 16 750: 48 89 c7 mov rdi ,rax 17 753: e8 68 fe ff ff call 5c0 <strcpy@plt > 18 758: b8 00 00 00 00 mov eax ,0x0 19 75d: 48 8b 4d f8 mov rcx ,QWORD PTR [rbp -0x8] 20 761: 64 48 33 0c 25 28 00 xor rcx ,QWORD PTR fs:0x28 21 768: 00 00 22 76a: 74 05 je 771 <main +0x51 > 23 76c: e8 5f fe ff ff call 5d0 <__stack_chk_fail@plt > 24 771: c9 leave 25 772: c3 ret 19 of 41
  • 42. Limitations of stack canaries Limitations: 21 of 41
  • 43. Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk 21 of 41
  • 44. Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives 21 of 41
  • 45. Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers 21 of 41
  • 46. Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers • Chain buffer overflow with information leak 21 of 41
  • 47. Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers • Chain buffer overflow with information leak • No protection for inlined functions 21 of 41
  • 48. Limitations of stack canaries Limitations: • Does not protect data before the canary (especially function pointers). Some implementions reorder variables to minimize this risk • Does not protect against generic write primitives • Can be circumvented with exeption handlers • Chain buffer overflow with information leak • No protection for inlined functions • Can be used to cause DoS 21 of 41
  • 49. Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). 22 of 41
  • 50. Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). 22 of 41
  • 51. Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). What is checked: For statically sized buffers the compiler can check calls to certain functions. 22 of 41
  • 52. Mitigations: Fortify source Transparently fix insecure functions to prevent buffer overflows (memcpy, memset, strcpy, . . .). What is checked: For statically sized buffers the compiler can check calls to certain functions. Enable it with -DFORTIFY SOURCE=2 (only with optimization). 22 of 41
  • 53. Mitigations: Fortify source 1 void fun(char *s) { 2 char buf [0 x100 ]; 3 strcpy(buf , s); 4 /* Don ’t allow gcc to optimise away the buf */ 5 asm volatile("" :: "m" (buf)); 6 } 7 8 int main(int argc , char ** argv) 9 { 10 fun( argv [1] ); 11 12 return EXIT_SUCCESS ; 13 } Example based on Matthias’ work 23 of 41
  • 54. Mitigations: Fortify source 1 00000000000006 b0 <fun >: 2 6b0: 55 push rbp 3 6b1: 48 89 e5 mov rbp ,rsp 4 6b4: 48 81 ec 10 01 00 00 sub rsp ,0 x110 5 6bb: 48 89 bd f8 fe ff ff mov QWORD PTR [rbp -0 x108],rdi 6 6c2: 48 8b 95 f8 fe ff ff mov rdx ,QWORD PTR [rbp -0 x108] 7 6c9: 48 8d 85 00 ff ff ff lea rax ,[rbp -0 x100] 8 6d0: 48 89 d6 mov rsi ,rdx 9 6d3: 48 89 c7 mov rdi ,rax 10 6d6: e8 85 fe ff ff call 560 <strcpy@plt > 11 6db: 90 nop 12 6dc: c9 leave 13 6dd: c3 ret 24 of 41
  • 55. Mitigations: Fortify source gcc -o fortify -O2 -D FORTIFY SOURCE=2 fortify.c 1 ,0000000000000700 <fun >: 2 , 700: 48 81 ec 08 01 00 00 sub rsp ,0 x108 3 , 707: 48 89 fe mov rsi ,rdi 4 , 70a: ba 00 01 00 00 mov edx ,0 x100 5 , 70f: 48 89 e7 mov rdi ,rsp 6 , 712: e8 69 fe ff ff call 580 <__strcpy_chk@plt > 7 , 717: 48 81 c4 08 01 00 00 add rsp ,0 x108 8 , 71e: c3 ret 9 , 71f: 90 nop 25 of 41
  • 56. Mitigations: Fortify source gcc -o fortify -O2 -D FORTIFY SOURCE=2 fortify.c 1 ,0000000000000700 <fun >: 2 , 700: 48 81 ec 08 01 00 00 sub rsp ,0 x108 3 , 707: 48 89 fe mov rsi ,rdi 4 , 70a: ba 00 01 00 00 mov edx ,0 x100 5 , 70f: 48 89 e7 mov rdi ,rsp 6 , 712: e8 69 fe ff ff call 580 <__strcpy_chk@plt > 7 , 717: 48 81 c4 08 01 00 00 add rsp ,0 x108 8 , 71e: c3 ret 9 , 71f: 90 nop 25 of 41
  • 58. Limitation of fortify source Limitations / problems: 27 of 41
  • 59. Limitation of fortify source Limitations / problems: • Limited to some functions/situations 27 of 41
  • 60. Limitation of fortify source Limitations / problems: • Limited to some functions/situations • Can still lead to DoS 27 of 41
  • 61. Limitation of fortify source Limitations / problems: • Limited to some functions/situations • Can still lead to DoS • Developers might keep using these functions 27 of 41
  • 62. Limitation of fortify source Limitations / problems: • Limited to some functions/situations • Can still lead to DoS • Developers might keep using these functions But it comes with almost no cost, so enable it 27 of 41
  • 63. Mitigations: ASLR ASLR: Address space layout randomization 28 of 41
  • 64. Mitigations: ASLR ASLR: Address space layout randomization Memory segments (stack, heap and code) are loaded at random locations 28 of 41
  • 65. Mitigations: ASLR ASLR: Address space layout randomization Memory segments (stack, heap and code) are loaded at random locations Atttackers don’t know return addresses into exploit code or C library code reliably any more 28 of 41
  • 66. Mitigations: ASLR 1 bash -c ’cat /proc/$$/maps ’ 2 56392 d605000 -56392 d60d000 r-xp 00000000 fe:01 12058638 /bin/cat 3 <snip > 4 56392 dd05000 -56392 dd26000 rw -p 00000000 00:00 0 [heap] 5 7fb2bd101000 -7 fb2bd296000 r-xp 00000000 fe:01 4983399 /lib/x86_64 -linux -gnu/libc -2.24. so 6 <snip > 7 7fb2bd6b2000 -7 fb2bd6b3000 r--p 00000000 fe:01 1836878 /usr/lib/locale/en_AG/ LC_MESSAGES/ SYS_LC_MESSAGES 8 <snip > 9 7fffd5c36000 -7 fffd5c57000 rw -p 00000000 00:00 0 [stack] 10 7fffd5ce9000 -7 fffd5ceb000 r--p 00000000 00:00 0 [vvar] 11 7fffd5ceb000 -7 fffd5ced000 r-xp 00000000 00:00 0 [vdso] 12 ffffffffff600000 - ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] 29 of 41
  • 67. Mitigations: ASLR 1 bash -c ’cat /proc/$$/maps ’ 2 56392 d605000 -56392 d60d000 r-xp 00000000 fe:01 12058638 /bin/cat 3 <snip > 4 56392 dd05000 -56392 dd26000 rw -p 00000000 00:00 0 [heap] 5 7fb2bd101000 -7 fb2bd296000 r-xp 00000000 fe:01 4983399 /lib/x86_64 -linux -gnu/libc -2.24. so 6 <snip > 7 7fb2bd6b2000 -7 fb2bd6b3000 r--p 00000000 fe:01 1836878 /usr/lib/locale/en_AG/ LC_MESSAGES/ SYS_LC_MESSAGES 8 <snip > 9 7fffd5c36000 -7 fffd5c57000 rw -p 00000000 00:00 0 [stack] 10 7fffd5ce9000 -7 fffd5ceb000 r--p 00000000 00:00 0 [vvar] 11 7fffd5ceb000 -7 fffd5ced000 r-xp 00000000 00:00 0 [vdso] 12 ffffffffff600000 - ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] 1 for i in ‘seq 1 5‘; do bash -c ’cat /proc/$$/maps | grep stack ’; done 2 7ffcb8e0f000 -7 ffcb8e30000 rw -p 00000000 00:00 0 [stack] 3 7fff64dc9000 -7 fff64dea000 rw -p 00000000 00:00 0 [stack] 4 7ffc3b408000 -7 ffc3b429000 rw -p 00000000 00:00 0 [stack] 5 7ffcee799000 -7 ffcee7ba000 rw -p 00000000 00:00 0 [stack] 6 7ffd4b904000 -7 ffd4b925000 rw -p 00000000 00:00 0 [stack] 29 of 41
  • 68. Mitigations: ASLR cat /proc/sys/kernel/randomize va space shows you the current settings for your system. • 0: No randomization • 1: Randomize positions of the stack, VDSO page, and shared memory regions • 2: Randomize positions of the stack, VDSO page, shared memory regions, and the data segment 30 of 41
  • 69. Mitigations: ASLR cat /proc/sys/kernel/randomize va space shows you the current settings for your system. • 0: No randomization • 1: Randomize positions of the stack, VDSO page, and shared memory regions • 2: Randomize positions of the stack, VDSO page, shared memory regions, and the data segment To get the full benefit you need to compile your binaries with -fPIE 30 of 41
  • 71. Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines 31 of 41
  • 72. Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems 31 of 41
  • 73. Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. 31 of 41
  • 74. Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. • Can be circumvented by chaining an information leak into the exploit 31 of 41
  • 75. Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. • Can be circumvented by chaining an information leak into the exploit • Some exotic software might rely on fixed addresses (think inline assembly) 31 of 41
  • 76. Mitigations: ASLR Limitations: • 5 - 10% performance loss on i386 machines • Limited entropy on 32 bit systems • Brute forcing still an issue if restart is not handled properly. • Can be circumvented by chaining an information leak into the exploit • Some exotic software might rely on fixed addresses (think inline assembly) • Sometimes you have usable memory locations in registers 31 of 41
  • 77. Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable 32 of 41
  • 78. Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX 32 of 41
  • 79. Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX The most interesting memory regions for this feature to use are the stack and heap memory regions 32 of 41
  • 80. Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX The most interesting memory regions for this feature to use are the stack and heap memory regions A stack overflow could still take place, but it is not be possible to directly return to a stack address for execution 32 of 41
  • 81. Mitigations: No-execute memory Modern processors support memory to be mapped as non-executable Another term for this feature is NX or WˆX The most interesting memory regions for this feature to use are the stack and heap memory regions A stack overflow could still take place, but it is not be possible to directly return to a stack address for execution 1 bash -c ’cat /proc/$$/maps | grep stack ’ 2 7ffcb8e0f000 -7 ffcb8e30000 rw -p 00000000 00:00 0 [stack] 32 of 41
  • 83. Mitigations: NX Limitations • Use existing code in the exploited program 33 of 41
  • 84. Mitigations: NX Limitations • Use existing code in the exploited program • Return to libc: Use existing functions 33 of 41
  • 85. Mitigations: NX Limitations • Use existing code in the exploited program • Return to libc: Use existing functions • ROP (Return Oriented Programming): Structure the data on the stack so that instruction sequences ending in ret can be used 33 of 41
  • 86. ROP Graphic taken from https://www.cs.columbia.edu/ angelos/Papers/theses/vpappas thesis.pdf 34 of 41
  • 87. Mitigations: Are we safe? So, with • Stack canaries • ALSR • NX • Fortify source we should be safe?! 35 of 41
  • 88. Mitigations: Are we safe? So, with • Stack canaries • ALSR • NX • Fortify source we should be safe?! Counter example take from http://www.antoniobarresi.com/ security/exploitdev/2014/05/03/64bitexploitation/ Leaving out fortify source to allow simple creation of buffer overflow 35 of 41
  • 89. Mitigations: Circumventing them 1 #include <stdio.h> 2 #include <string.h> 3 #include <unistd.h> 4 5 void memLeak( void ) { 6 char buf [512]; 7 scanf("%s", buf); 8 printf(buf); 9 } 10 11 void vulnFunc( void ) { 12 char buf [1024]; 13 read(0, buf , 2048); 14 } 15 16 int main(int argc , char* argv []) { 17 setbuf(stdout , NULL); 18 printf("echo > "); 19 memLeak (); 20 printf("n"); 21 printf("read > "); 22 vulnFunc (); 23 24 printf("ndone .n"); 25 26 return EXIT_SUCCESS ; 27 } 36 of 41
  • 90. Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); 37 of 41
  • 91. Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); On x86 64 the first few arguments go into registers → to set registers we need to execute code 37 of 41
  • 92. Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); On x86 64 the first few arguments go into registers → to set registers we need to execute code But NX blocks us → ROP 37 of 41
  • 93. Mitigations: Circumventing them To be able to use our own shellcode we need to make the stack executable again 1 int mprotect(void *addr , size_t len , int prot); On x86 64 the first few arguments go into registers → to set registers we need to execute code But NX blocks us → ROP Finding gadgets: 1 ROPgadget.py --binary /lib64/libc.so.6 | grep ’pop rdi ’ 37 of 41
  • 95. What we didn’t cover A lot. For example: • -fstack-clash-protection • relro 39 of 41
  • 96. Outlook ROP is used in a lot of modern exploits: • Shadow stacks • (Hardware) control flow integrity (CFI) • Data flow intgerity (DFI) 40 of 41
  • 97. Outlook ROP is used in a lot of modern exploits: • Shadow stacks • (Hardware) control flow integrity (CFI) • Data flow intgerity (DFI) These mitigations are rather costly, hard to convince users to take the hit 40 of 41
  • 98. Outlook ROP is used in a lot of modern exploits: • Shadow stacks • (Hardware) control flow integrity (CFI) • Data flow intgerity (DFI) These mitigations are rather costly, hard to convince users to take the hit And they also can be circumvented 40 of 41
  • 99. Thank you for your attention! Questions? 41 of 41