English for Computer Science II
Software (Runtime) Attacks
Amir Neziri & Jurlind Budurushi
Source: [6]
Where are Software Attacks relevant? (1)
5/12/2011 | Department 20 | B. IT Nieh | Software(Runtime) Attacks | A. Neziri & J. Budurushi 2
Internet (confidentiality, anonymity, authentication)
Overview - Software Attacks
OWASP Top 10 for 2010 [1]
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Where are Software Attacks relevant? (2)
e-voting
Where are Software Attacks relevant? (3)
Bank Card payment
Where are Software Attacks relevant? (4)
TV decoder
Overview of Software(Runtime) Attacks
Buffer Overflows (BO): Stack Smashing, Heap Overflow, Integer Overflow, Format String
Return-into-Libc
Return-Oriented Programming (ROP)
Return-Oriented Programming without Returns
Content
Buffer Overflows (BO): Stack Smashing
Return-Oriented Programming (ROP)
Live Demo Buffer Overflow
We present…
Buffer Overflow Attack
BO Vulnerabilities: Statistics
Buffer overflows are still a major threat (e.g. in Internet Explorer or Acrobat Reader)
Source: [6]
The Stack Frame
Source: [6]
The Stack Frame (cntd.)
The stack is a last in, first out (LIFO) memory region
The Stack Pointer (SP) points to the top word on the stack
The stack is accessed by two basic operations: push and pop elements onto/off the stack (on x86 the stack grows towards lower addresses, so SP is decremented on push and incremented on pop)
A stack frame is divided into the following segments: function arguments, return address, saved base pointer, local variables
Vulnerable program
A simple echo program suffering from a stack-based buffer overflow vulnerability
Source: [6]
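Added example, not taken from the slides or from the cited lecture notes [6]: the echo program of this slide written out in C, with the unbounded copy next to a bounded replacement. The 16-byte buffer size, the function names and the sample inputs are assumptions made for the example; strcpy() stands in for gets(), which current C standards no longer provide.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed size of echo()'s local buffer */

/* Vulnerable echo: copies the caller's input into a 16-byte stack buffer
 * without any length check, the same defect as gets(buffer) on the slide
 * (strcpy stands in for gets(), which current C standards have removed).
 * Any input of 16 bytes or more writes past 'buffer' into the saved base
 * pointer and the return address of this frame. Only ever call it with
 * input shorter than BUF_SIZE. */
void echo_vulnerable(const char *input)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, input);   /* unbounded copy: this is the overflow */
    puts(buffer);
}

/* Hardened echo: never writes more than BUF_SIZE - 1 bytes plus the
 * terminator, and reports truncation instead of hiding it. The equivalent
 * fix for the stdin version is fgets(buffer, sizeof buffer, stdin) in place
 * of gets(buffer). Returns 1 if the whole input fit, 0 if it was cut. */
int echo_safe(const char *input)
{
    char buffer[BUF_SIZE];
    size_t n = strlen(input);
    int fit = n < BUF_SIZE;

    if (!fit)
        n = BUF_SIZE - 1;    /* keep room for the NUL terminator */
    memcpy(buffer, input, n);
    buffer[n] = '\0';
    puts(buffer);
    return fit;
}

/* Tells whether 'input' would smash the frame of echo_vulnerable():
 * strcpy writes strlen(input) + 1 bytes, so 16 input bytes already
 * overwrite one byte past the buffer. */
int input_overflows(const char *input)
{
    return strlen(input) + 1 > BUF_SIZE;
}

int main(void)
{
    const char *ok = "hello";                                   /* constructed input */
    const char *long_input = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"; /* 32 x 'A' */

    echo_vulnerable(ok);                 /* fits, no overflow */
    printf("32-byte input overflows the vulnerable echo: %d\n", input_overflows(long_input));
    printf("echo_safe kept the whole input: %d\n", echo_safe(long_input)); /* truncated to 15 'A' */
    return 0;
}
```

The boundary is the usual off-by-one trap: a 15-character line is the longest input the vulnerable version survives, because strcpy also writes the terminating NUL.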
Buffer Overflow
Attack Example
(1) Program starts
Source: [6]
(2) The echo() function is called
Source: [6]
(3) Call instruction pushes return address onto the stack
Source: [6]
(4) Allocation of saved base pointer and buffer
Source: [6]
(5) echo() calls gets(buffer) function
Source: [6]
(6) Adversary transmits malicious code
Source: [6]
(7) Malicious code contains shellcode, pattern bytes, . . .
Source: [6]
(8) . . . , and a new return address
Source: [6]
(9) Before echo() returns to main, SP is updated
Source: [6]
(10) echo() issues return resulting in execution of shellcode
Source: [6]
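Added example, not part of the original slides: steps (5) to (10) above modelled in C, so the payload layout and the resulting overwrite of the return address can be checked deterministically. The frame layout (16-byte buffer, then saved base pointer, then return address), the 0xdeadbeef target, the placeholder 0xcc bytes standing in for real shellcode and the function names are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The echo() frame as drawn on the slides, lowest address first: the local
 * buffer, then the saved base pointer, then the return address pushed by
 * the call instruction. Sizes are assumptions made for the example. */
struct frame {
    char      buffer[16];
    uintptr_t saved_bp;
    uintptr_t ret_addr;
};

/* Steps (6)-(8): lay out the attacker's input as
 *   [shellcode][pattern bytes][new return address]
 * so that it fills the buffer and the saved-base-pointer slot and ends exactly
 * on the return-address slot. Returns the payload length, or 0 if the
 * shellcode does not fit in the buffer or 'out' is too small. */
size_t build_payload(const uint8_t *shellcode, size_t sc_len, uintptr_t new_ret,
                     uint8_t *out, size_t out_size)
{
    const size_t ret_off = offsetof(struct frame, ret_addr);
    const size_t total   = ret_off + sizeof(uintptr_t);

    if (sc_len > sizeof(((struct frame *)0)->buffer) || out_size < total)
        return 0;
    memcpy(out, shellcode, sc_len);
    memset(out + sc_len, 0x90, ret_off - sc_len);     /* pattern bytes (NOPs here) */
    memcpy(out + ret_off, &new_ret, sizeof new_ret);  /* native byte order, as the stack stores it */
    return total;
}

/* Steps (5) and (10): the unbounded copy lands the whole payload on the frame;
 * whatever now sits in the return-address slot is where 'ret' will jump.
 * Copying into the struct as a whole keeps this simulation well-defined C. */
uintptr_t simulate_overflow(const uint8_t *payload, size_t len)
{
    struct frame f;

    memset(&f, 0, sizeof f);
    f.saved_bp = (uintptr_t)0x1000;       /* constructed: caller's base pointer */
    f.ret_addr = (uintptr_t)0x08048500;   /* constructed: legitimate return into main() */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, payload, len);
    return f.ret_addr;
}

/* End to end: returns the address 'ret' transfers control to after the
 * overflow. 0xdeadbeef stands for the address of the buffer itself, i.e.
 * the start of the shellcode. */
uintptr_t demo_overwrite(void)
{
    static const uint8_t shellcode[4] = { 0xcc, 0xcc, 0xcc, 0xcc };  /* constructed stand-in, not real shellcode */
    uint8_t payload[sizeof(struct frame)];
    size_t n = build_payload(shellcode, sizeof shellcode, (uintptr_t)0xdeadbeef,
                             payload, sizeof payload);

    if (n == 0)
        return 0;
    return simulate_overflow(payload, n);
}

int main(void)
{
    printf("payload length needed: %zu bytes\n", sizeof(struct frame));
    printf("return address after overflow: 0x%lx\n", (unsigned long)demo_overwrite());
    return 0;
}
```

The offset that matters is offsetof(struct frame, ret_addr): everything before it is filler, everything from it on is the new control-flow target. On a real target the distance is found by debugging or by sending a recognisable pattern and reading the crash address.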
BO - Countermeasures
W xor X (memory pages are either writable or executable, never both)
ASLR – Address Space Layout Randomization [4]
Compiler extensions (e.g. stack canaries)
Shadow stacks
Run up-to-date software
Use security software (firewall, anti-virus, anti-spyware, ...)
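Added example, not from the slides: how a compiler-inserted stack canary catches the overflow of the previous section, and the caveat that it only helps while the canary value stays unknown to the attacker. The frame layout, the fixed canary constant, the addresses and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame as laid out by a canary-inserting compiler (e.g. GCC
 * -fstack-protector): the canary sits between the local buffer and the
 * control data, so a linear overflow cannot reach the saved base pointer or
 * the return address without first rewriting the canary. */
struct protected_frame {
    char      buffer[16];
    uintptr_t canary;
    uintptr_t saved_bp;
    uintptr_t ret_addr;
};

/* Real implementations choose a random canary per process at startup; this
 * constructed constant keeps the example deterministic. Its lowest byte is
 * 0x00 on purpose: string functions such as strcpy or gets stop at the
 * first NUL, so they cannot reproduce the canary while overflowing. */
#define CANARY ((uintptr_t)0xdeadbe00u)

/* Simulates the prologue (store canary), an unbounded copy of 'input' into
 * the buffer, and the epilogue check. Returns 1 if the check would fire
 * (__stack_chk_fail, process aborted before 'ret'), 0 if the function
 * would return normally. The resulting return address is stored in
 * *ret_out when it is not NULL. */
int run_with_canary(const uint8_t *input, size_t len, uintptr_t *ret_out)
{
    struct protected_frame f;

    memset(&f, 0, sizeof f);
    f.canary   = CANARY;
    f.saved_bp = (uintptr_t)0x1000;        /* constructed values, as on the slides */
    f.ret_addr = (uintptr_t)0x08048500;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);                 /* the overflow */
    if (ret_out)
        *ret_out = f.ret_addr;
    return f.canary != CANARY;              /* epilogue: compare before ret */
}

/* Limitation: an attacker who already knows the canary (from an information
 * leak) can write it back in place and still hijack the return address.
 * Returns the hijacked return address, or 0 if the check fired. Because the
 * canary contains a NUL byte this input needs a raw-length copy such as
 * memcpy()/read(); it cannot be delivered through strcpy() or gets(). */
uintptr_t demo_forged_canary_ret(void)
{
    uint8_t in[sizeof(struct protected_frame)];
    uintptr_t canary  = CANARY;
    uintptr_t new_ret = (uintptr_t)0xdeadbeef;   /* constructed target */
    uintptr_t ret     = 0;

    memset(in, 0x41, sizeof in);
    memcpy(in + offsetof(struct protected_frame, canary),   &canary,  sizeof canary);
    memcpy(in + offsetof(struct protected_frame, ret_addr), &new_ret, sizeof new_ret);
    if (run_with_canary(in, sizeof in, &ret))
        return 0;
    return ret;
}

int main(void)
{
    uint8_t smash[48];

    memset(smash, 0x41, sizeof smash);       /* 48 x 'A': the classic overflow input */
    printf("short input detected: %d\n", run_with_canary((const uint8_t *)"hello", 5, NULL));
    printf("48-byte smash detected: %d\n", run_with_canary(smash, sizeof smash, NULL));
    printf("ret with forged canary: 0x%lx\n", (unsigned long)demo_forged_canary_ret());
    return 0;
}
```

The canary stops the blind "AAAA..." smash but not an attacker who can read the stack first, which is why it is deployed together with W xor X and ASLR rather than on its own.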
ROP – The Big Picture
Source: [6]
ROP – Architectures
ROP attacks are applicable on a broad range of architectures:
Intel x86 [5]
The SPARC machine
Atmel AVR
Z80 (AVC Advantage voting machine) [2]
PowerPC
ARM
ROP – General idea
Use small instruction sequences instead of whole functions
Instruction sequences are typically 2 to 5 instructions long
All sequences end with a "ret" instruction
Instruction sequences are chained together into a gadget
A gadget performs a particular task (e.g. load/store, xor, ...)
Combine several gadgets to obtain the desired actions
ROP
Attack Example
ROP – Waiting for input from user
Source: [6]
ROP – Attacker overflows the buffer
Source: [6]
ROP – Input contains ret-addresses and one argument
Source: [6]
ROP – 1st sequence is executed
Source: [6]
ROP – "ret" instruction transfers control
Source: [6]
ROP – Transfers control from 2nd to 3rd instruction
Source: [6]
ROP – POP argument from stack
Source: [6]
ROP – "ret" has been reached
Source: [6]
ROP – Transfers control from 3rd to 4th instruction
Source: [6]
ROP – Transfers control from 1st gadget to the 2nd
Source: [6]
ROP – Transfers control from 1st sequence to the 2nd
Source: [6]
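Added example, not from the slides or from [6]: the chain walked through in the steps above, executed on a toy machine in C so that each "ret transfers control" and "pop argument from stack" step can be followed in code. The gadget addresses, the single register, the exit gadget and the function names are constructed for the example; a real chain uses the addresses of sequences found in the victim's own code or libraries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy machine with one register, a word stack and a stack pointer. Code is
 * not modelled as bytes: each "address" below names a short instruction
 * sequence that ends in ret, the unit the slides chain together.
 * The addresses are constructed for the example. */
#define STACK_WORDS 32
#define MAX_STEPS   64

enum gadget_addr {
    G_POP_EAX_RET = 0x0804a010,   /* pop eax ; ret   (consumes one stack word as its argument) */
    G_INC_EAX_RET = 0x0804a020,   /* inc eax ; ret                                             */
    G_XOR_EAX_RET = 0x0804a030,   /* xor eax, 0xff ; ret                                       */
    G_EXIT        = 0x0804a040    /* exit: the chain's final destination                       */
};

struct cpu {
    uintptr_t eax;
    uintptr_t stack[STACK_WORDS];
    size_t    sp;      /* index of the word the next 'ret' will pop */
};

/* Runs one ROP chain. 'chain' is the attacker's input after the overflow:
 * word 0 sits in the overwritten return-address slot, so the victim
 * function's own 'ret' starts the chain ("1st sequence is executed").
 * Each sequence's final 'ret' pops the next word and transfers control
 * there. Returns eax at G_EXIT, or -1 if control lands on a non-gadget
 * address, the stack is exhausted, or the chain never terminates. */
long run_chain(const uintptr_t *chain, size_t n)
{
    struct cpu c = { 0, {0}, 0 };
    size_t i;
    int steps;

    if (n > STACK_WORDS)
        return -1;
    for (i = 0; i < n; i++)
        c.stack[i] = chain[i];

    for (steps = 0; steps < MAX_STEPS; steps++) {
        uintptr_t pc;
        if (c.sp >= n)
            return -1;                  /* ret with nothing left to pop */
        pc = c.stack[c.sp++];           /* ret: pop the next sequence address */
        switch (pc) {
        case G_POP_EAX_RET:
            if (c.sp >= n)
                return -1;              /* argument missing from the chain */
            c.eax = c.stack[c.sp++];    /* pop argument from stack */
            break;
        case G_INC_EAX_RET:
            c.eax += 1;
            break;
        case G_XOR_EAX_RET:
            c.eax ^= 0xff;
            break;
        case G_EXIT:
            return (long)c.eax;
        default:
            return -1;                  /* not a gadget: a real CPU would fault or run junk */
        }
    }
    return -1;
}

/* A chain with the shape from the slides: return addresses plus one
 * argument. Leaves eax == 42 (41 popped from the stack, then incremented). */
long demo_rop(void)
{
    const uintptr_t chain[] = {
        G_POP_EAX_RET, 41,          /* sequence 1 and its argument */
        G_INC_EAX_RET,              /* sequence 2 */
        G_EXIT                      /* end of chain */
    };
    return run_chain(chain, sizeof chain / sizeof chain[0]);
}

int main(void)
{
    printf("eax after chain: %ld\n", demo_rop());
    return 0;
}
```

Note that no instruction in the chain is injected: the attacker supplies only data (addresses and an argument) and the existing 'ret' instructions do the rest, which is why W xor X alone does not stop ROP.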
ROP - Countermeasures
Compiler-based solutions: canary before the return address, shadow stack
Problem: not able to detect unintended instruction sequences
Hardware-based solutions: hardware enforces return-address protection
Problem: requires new/specific hardware
Dynamic binary instrumentation based on a JIT compiler: allows detection of unintended instruction sequences
Problem: high performance overhead
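Added example, not the slides' own material, for the "unintended instruction sequences" problem above and for how the 2-to-5-instruction sequences ending in "ret" from the general-idea section are located: a minimal ret scanner over a constructed byte string. The code bytes, the decoder's opcode subset and the table of intended instruction boundaries are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A candidate gadget: start offset in the code bytes and number of
 * instructions up to and including the final ret. */
struct gadget {
    size_t start;
    int    ninsns;
};

static const char *REGS[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decodes one byte as a single-byte 32-bit x86 instruction from the small
 * set that shows up in gadgets. Writes the mnemonic to 'out' and returns 1,
 * or returns 0 if the byte is not one of these opcodes (anything with
 * operands or prefixes is deliberately outside this toy decoder). */
static int decode1(uint8_t b, char *out, size_t n)
{
    if (b == 0xc3) { snprintf(out, n, "ret"); return 1; }
    if (b == 0x90) { snprintf(out, n, "nop"); return 1; }
    if (b >= 0x50 && b <= 0x57) { snprintf(out, n, "push %s", REGS[b - 0x50]); return 1; }
    if (b >= 0x58 && b <= 0x5f) { snprintf(out, n, "pop %s",  REGS[b - 0x58]); return 1; }
    if (b >= 0x40 && b <= 0x47) { snprintf(out, n, "inc %s",  REGS[b - 0x40]); return 1; }
    if (b >= 0x48 && b <= 0x4f) { snprintf(out, n, "dec %s",  REGS[b - 0x48]); return 1; }
    if (b >= 0x91 && b <= 0x97) { snprintf(out, n, "xchg eax, %s", REGS[b - 0x90]); return 1; }
    return 0;
}

/* Finds every 0xC3 (ret) in 'code' and, walking backwards up to 'max_back'
 * bytes from each, keeps each start offset from which the bytes decode
 * cleanly into a sequence ending at that ret. x86 instructions are
 * variable-length and execution may start at any byte, so the scan ignores
 * the compiler's intended instruction boundaries on purpose. Returns the
 * total count; at most 'cap' entries are stored in 'out'. */
size_t find_gadgets(const uint8_t *code, size_t len, size_t max_back,
                    struct gadget *out, size_t cap)
{
    size_t count = 0, r, back;
    char tmp[24];

    for (r = 0; r < len; r++) {
        if (code[r] != 0xc3)
            continue;
        for (back = 0; back <= max_back && back <= r; back++) {
            size_t start = r - back, k;
            int clean = 1;
            for (k = start; k < r; k++)             /* every byte before the ret must decode */
                if (code[k] == 0xc3 || !decode1(code[k], tmp, sizeof tmp)) { clean = 0; break; }
            if (!clean)
                break;                              /* going further back cannot help */
            if (count < cap) { out[count].start = start; out[count].ninsns = (int)back + 1; }
            count++;
        }
    }
    return count;
}

/* Constructed code fragment. The compiler emitted four instructions:
 *   0: b8 5b c3 00 00   mov eax, 0xc35b
 *   5: 90               nop
 *   6: 5d               pop ebp
 *   7: c3               ret
 * The immediate of the mov contains the bytes 5b c3: read from offset 1 they
 * are "pop ebx ; ret", from offset 2 a bare "ret". Neither was emitted by the
 * compiler, so checks it inserts around its own ret instructions never see them. */
static const uint8_t CODE[] = { 0xb8, 0x5b, 0xc3, 0x00, 0x00, 0x90, 0x5d, 0xc3 };
static const size_t INTENDED_STARTS[] = { 0, 5, 6, 7 };

int is_intended_start(size_t off)
{
    size_t i;
    for (i = 0; i < sizeof INTENDED_STARTS / sizeof INTENDED_STARTS[0]; i++)
        if (INTENDED_STARTS[i] == off) return 1;
    return 0;
}

/* Scans CODE with max_back = 2 and returns how many of the found gadgets
 * start inside an intended instruction, i.e. the unintended sequences. */
size_t demo_unintended_count(void)
{
    struct gadget g[16];
    size_t n = find_gadgets(CODE, sizeof CODE, 2, g, 16), i, bad = 0;
    for (i = 0; i < n && i < 16; i++)
        if (!is_intended_start(g[i].start)) bad++;
    return bad;
}

int main(void)
{
    struct gadget g[16];
    size_t n = find_gadgets(CODE, sizeof CODE, 2, g, 16), i, k;
    char m[24];

    for (i = 0; i < n && i < 16; i++) {
        printf("offset %zu%s:", g[i].start, is_intended_start(g[i].start) ? "" : " (unintended)");
        for (k = g[i].start; k < g[i].start + (size_t)g[i].ninsns; k++) {
            decode1(CODE[k], m, sizeof m);
            printf(" %s ;", m);
        }
        printf("\n");
    }
    return 0;
}
```

Of the five sequences the scanner reports on this fragment, two start inside the mov instruction's immediate. A shadow stack or canary emitted by the compiler guards the ret at offset 7, but nothing the compiler emitted runs before the ret at offset 2, which is the gap the slide's "Problem" line refers to; a JIT-based instrumentation layer sees every executed instruction and therefore can, at a cost.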
Live Demo & Discussion
Buffer Overflow Attack
Questions?
References
[1] OWASP Top Ten Project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
[2] Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC Advantage. In Proceedings of EVT/WOTE 2009, 2009. http://www.youtube.com/watch?v=lsfG3KPrD1I
[3] Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), 1996.
[4] PaX Team. PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt
[5] Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 552-561. ACM, 2007.
[6] Lecture slides "Chapter02 - RuntimeAttacks", TRUST group, TU Darmstadt. http://www.trust.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/LectureSlides/Chapter02%20-%20RuntimeAttacks.pdf