Date post: 23-Jul-2015
Upload: nu-the-open-security-community

FAILURE OF DEP AND ASLR VISHWAS SHARMA

DEP Data Execution Prevention

DEP – Data Execution Prevention

A protection mechanism that prevents the execution of code from memory marked non-executable. This stops an attacker from running shellcode on the stack, on the heap or in data segments.
Hardware now supports NX (No-eXecute).
Two types of DEP: software and hardware protection.

DEP POLICIES

DEP @ RUNTIME

The KPROCESS structure contains the DEP information. The DEP flag is set or queried with:
Query - NtQueryInformationProcess
Set – NtSetInformationProcess
The flag is contained in ProcessExecuteFlags.

Example:
0: kd> !process 0 0 calc.exe
PROCESS 849f3a90  SessionId: 1  Cid: 1474    Peb: 7ffdd000  ParentCid: 077c
    DirBase: 7dc5c820  ObjectTable: a694ce68  HandleCount:  52.
    Image: calc.exe

0: kd> dt nt!_KPROCESS 849f3a90 -r
   +0x06b Flags : _KEXECUTE_OPTIONS
      +0x000 ExecuteDisable : 0y1
      +0x000 ExecuteEnable : 0y0
      +0x000 DisableThunkEmulation : 0y1
      +0x000 Permanent : 0y1
      +0x000 ExecuteDispatchEnable : 0y0
      +0x000 ImageDispatchEnable : 0y0
      +0x000 DisableExceptionChainValidation : 0y1
      +0x000 Spare : 0y0

ExecuteDisable - “Disable execution from non-executable memory”

CHEAT BY DEP
DisableThunkEmulation

The ATL library relies on some code being executed from writable memory, so the application must be allowed to run code from the heap. When a program attempts to execute code on a non-executable page, the kernel calls KiEmulateAtlThunk to check for known ATL thunk sequences. If an ATL sequence is found, the kernel emulates the thunk and continues as if nothing had happened.

NOW THE FUN PART - WEAKNESS

Incompatible applications – remember the OptIn policy
R+W+X mappings – the JVM and programs running on Java have this mapping
*Return-2-libc attacks
    Find the page mapping and protection functions and change the default permissions on the page
    Create a process from the dump that is produced in memory
    Just-In-Time compilers are making the situation worse
*Return Oriented Programming – modern ret2libc
Runtime Disable DEP
    Find the position of NtSetInformationProcess and change the permission at runtime – this technique only works with the OptIn or OptOut policy

* Explanation on board
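The two DEP slides above (DEP @ RUNTIME and Runtime Disable DEP) say that the per-process DEP state lives in the _KEXECUTE_OPTIONS byte of KPROCESS, and that the runtime-disable trick works only when the policy lets NtSetInformationProcess change that byte. As an added example (not part of the original slides), the following Python rebuilds that byte from pasted `dt ... -r` output and reports whether DEP is on, whether it is Permanent, and whether ATL thunk emulation is still active. The bit order (bit 0 = ExecuteDisable, up to bit 7 = Spare, following the order the dt listing prints them) is an assumption of this example; the sample output is the calc.exe listing from the slides, re-laid one field per line.

```python
import re

# Bit layout of nt!_KEXECUTE_OPTIONS, assumed to follow the order printed by
# `dt nt!_KPROCESS ... -r` (bit 0 listed first). Assumption, not from the slides.
KEXECUTE_OPTIONS_BITS = (
    (0, "ExecuteDisable"),
    (1, "ExecuteEnable"),
    (2, "DisableThunkEmulation"),
    (3, "Permanent"),
    (4, "ExecuteDispatchEnable"),
    (5, "ImageDispatchEnable"),
    (6, "DisableExceptionChainValidation"),
    (7, "Spare"),
)
_NAME_TO_BIT = {name: bit for bit, name in KEXECUTE_OPTIONS_BITS}

# One windbg line inside the Flags sub-structure, e.g. "+0x000 Permanent : 0y1"
_DT_LINE = re.compile(r"^\s*\+0x000\s+(\w+)\s*:\s*0y([01])\s*$")


def parse_dt_execute_options(dt_output: str) -> int:
    """Rebuild the raw _KEXECUTE_OPTIONS byte from pasted `dt ... -r` text."""
    flags = 0
    seen = set()
    for line in dt_output.splitlines():
        m = _DT_LINE.match(line)
        if not m:
            continue  # prompt line, "+0x06b Flags : ..." header, etc.
        name, value = m.group(1), m.group(2)
        if name not in _NAME_TO_BIT:
            raise ValueError(f"unknown _KEXECUTE_OPTIONS field: {name}")
        seen.add(name)
        if value == "1":
            flags |= 1 << _NAME_TO_BIT[name]
    missing = set(_NAME_TO_BIT) - seen
    if missing:
        raise ValueError(f"incomplete dt output, missing: {sorted(missing)}")
    return flags


def decode_execute_options(flags: int) -> dict:
    """Map a raw flags byte to {field_name: bool}."""
    return {name: bool((flags >> bit) & 1) for bit, name in KEXECUTE_OPTIONS_BITS}


def assess_dep(flags: int) -> dict:
    """Summarise what the flags mean for DEP on this process."""
    f = decode_execute_options(flags)
    dep_enabled = f["ExecuteDisable"] and not f["ExecuteEnable"]
    return {
        "dep_enabled": dep_enabled,
        # Permanent=1 means a later NtSetInformationProcess(ProcessExecuteFlags)
        # cannot turn DEP off again, which closes the runtime-disable trick.
        "permanent": f["Permanent"],
        "runtime_disable_possible": dep_enabled and not f["Permanent"],
        # ATL thunk emulation is the exception the "CHEAT BY DEP" slide describes.
        "atl_thunk_emulation": not f["DisableThunkEmulation"],
    }


# Constructed sample: the calc.exe output from the slides, one field per line.
SAMPLE_DT_OUTPUT = """\
0: kd> dt nt!_KPROCESS 849f3a90 -r
   +0x06b Flags : _KEXECUTE_OPTIONS
      +0x000 ExecuteDisable : 0y1
      +0x000 ExecuteEnable : 0y0
      +0x000 DisableThunkEmulation : 0y1
      +0x000 Permanent : 0y1
      +0x000 ExecuteDispatchEnable : 0y0
      +0x000 ImageDispatchEnable : 0y0
      +0x000 DisableExceptionChainValidation : 0y1
      +0x000 Spare : 0y0
"""

if __name__ == "__main__":
    raw = parse_dt_execute_options(SAMPLE_DT_OUTPUT)
    print(f"raw _KEXECUTE_OPTIONS byte: 0x{raw:02x}")
    for key, value in assess_dep(raw).items():
        print(f"  {key}: {value}")
```

For the calc.exe sample the byte comes out as 0x4d: DEP is enabled and Permanent, so the runtime-disable path described on the slide is closed for that process, and ATL thunk emulation is off. A process showing ExecuteDisable=1 with Permanent=0 is the case the slides call OptIn/OptOut-dependent.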

ASLR Address Space Layout Randomization

ASLR – Address Space Layout Randomization

Randomizes the addresses at which objects are placed in the virtual address space of a given process. ASLR randomizes the location of PE/MZ files mapped into virtual memory, as well as the heaps, the stacks, and the PEB and TEB. It provides random stack and heap allocations and image load addresses every time a process starts. Thus even if a process is compromised, the attacker cannot execute shellcode with better than a 1/254 or 2/255 chance of guessing the address.

ASLR
Image Randomization

Designed to randomly position both executables and DLLs. This randomization is system wide and cannot be switched off at runtime. A registry entry controls the implementation of ASLR, with three settings:
Respect the base address in the PE header
Randomize all, even those which are incompatible
Randomize only those which are compatible - Default

ASLR
DLL Randomization

A DLL must be loaded at the same address in each process that uses it, to allow the physical memory used by the DLL to be shared. When the same DLL is loaded again, its section object (a section object represents a section of memory that can be shared) is reused and it is mapped at the same virtual addresses.

50960000 50960000 50A28000 50A8C000 50AF0000 50B54000 50BB8000

_MiImageBitMap – a bitmap of size 0x2800 that records all positions of 64KB-aligned addresses

The order in which DLLs are loaded into a process is also randomized, by SmpRandomizeDllList

ASLR
Stack Randomization – 2-fold randomization

The base of the stack is chosen randomly. This is implemented by searching for holes in the virtual memory of the process; holes are regions where a series of pages is not mapped into memory. The choice of hole is randomized by a 5-bit random value. Then a 9-bit random value y is derived from the time stamp, and Offset = y*4, for 32-bit alignment of the stack.

THE FUN PART
Incompatible DLL – Statically positioned DLLs and executables

This can be the initialization of 3rd-party ActiveX components or plugins in your browser
A specially crafted data packet that results in the loading of a DLL for parsing the "special" data
Embedded media of various types that require a specific library to be loaded to parse the data, such as image, video or Flash content
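The Image Randomization slide says the system-wide policy defaults to randomizing only compatible images, and the slide above says the statically positioned modules a browser pulls in (ActiveX controls, media parsers) are what undoes ASLR for that process. Whether an image is "compatible" is recorded in the DllCharacteristics field of its PE optional header. As an added example (not code from the original slides), the following Python reads ImageBase and DllCharacteristics from PE headers, applies the three policy settings named on the Image Randomization slide, and lists the modules that will load at their fixed preferred base, which is the audit a defender runs over a browser's plugin directory. The IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and NX_COMPAT (0x0100) values come from winnt.h; the policy constant names, the `build_minimal_pe` fixture and the sample module names are constructed for this example, and the registry value named in the comment is given as an assumption.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header (winnt.h).
DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE: may be relocated by ASLR
NX_COMPAT = 0x0100      # linked with /NXCOMPAT: declares itself DEP-compatible

# The three system-wide image-randomization settings named on the Image
# Randomization slide, as constants for this example. The slides do not name the
# registry value; to my knowledge it is MoveImages under Session Manager\Memory
# Management (treat that as an assumption).
POLICY_RESPECT_PE_BASE = "respect_pe_base"            # never relocate
POLICY_RANDOMIZE_ALL = "randomize_all"                # relocate even incompatible images
POLICY_RANDOMIZE_COMPATIBLE = "randomize_compatible"  # default: only DYNAMIC_BASE images


def parse_pe_mitigations(data: bytes) -> dict:
    """Read ImageBase and DllCharacteristics from a PE file's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    return {
        "image_base": image_base,
        "aslr_compatible": bool(dll_chars & DYNAMIC_BASE),
        "dep_compatible": bool(dll_chars & NX_COMPAT),
    }


def will_be_randomized(mitigations: dict, policy: str = POLICY_RANDOMIZE_COMPATIBLE) -> bool:
    """Apply the Image Randomization slide's three settings to one module."""
    if policy == POLICY_RESPECT_PE_BASE:
        return False
    if policy == POLICY_RANDOMIZE_ALL:
        return True
    if policy == POLICY_RANDOMIZE_COMPATIBLE:
        return mitigations["aslr_compatible"]
    raise ValueError(f"unknown policy {policy!r}")


def find_static_modules(modules: dict, policy: str = POLICY_RANDOMIZE_COMPATIBLE) -> dict:
    """Return {name: preferred ImageBase} for modules that will load at a fixed address."""
    result = {}
    for name, data in modules.items():
        m = parse_pe_mitigations(data)
        if not will_be_randomized(m, policy):
            result[name] = m["image_base"]
    return result


def build_minimal_pe(dll_characteristics: int, image_base: int = 0x10000000) -> bytes:
    """Constructed fixture: a header-only PE32 with just the fields this parser reads."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, 0 sections, no symbols, 224-byte optional header, DLL image
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample modules standing in for a browser's loaded plugins.
SAMPLE_MODULES = {
    "modern_plugin.dll": build_minimal_pe(DYNAMIC_BASE | NX_COMPAT, 0x10000000),
    "legacy_activex.ocx": build_minimal_pe(0, 0x62000000),
}

if __name__ == "__main__":
    for name, base in find_static_modules(SAMPLE_MODULES).items():
        print(f"{name}: not ASLR-compatible, will load at 0x{base:08x}")
```

Under the default policy only the module without DYNAMIC_BASE is reported; switching the policy to "randomize all" empties the list, and "respect PE base" reports every module, which is the trade-off the Image Randomization slide lists. On a real system the same parser runs over the files in a plugin directory or over the module list from a process dump.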

*Partially static objects
This concept is basically the mother of all the spraying techniques used to bypass ASLR.

For example, a heap allocation is randomized by 2 MB, but what would happen when we allocate data of much greater size, e.g. 500MB or similar?

* Explanation on board

THE FUN PART
*Partial overwrites

As demonstrated earlier, the last 2 bytes of an address are not randomized, so we can do a partial overwrite of either 1 or 2 bytes of data on the stack. That is enough to jump to any location at an offset relative to that position of at most 0xffff bytes.

*Memory information leakage
I have discussed it in the null IRC channel this week. Implications could be obtaining either a module base address, a stack base address, a heap base address, or TEB and PEB leakages.

* Explanation on board

Research

