SlideShare ist ein Scribd-Unternehmen logo

AllBits presentation - Lower Level SW Security

AllBits BVBA (freelancer)
AllBits BVBA (freelancer)

Introduction in Security given by Bart Van Bos at Nalys. Topics: - Buffer overflows in C - Counter measures - Life demo of 2 attacks - Shellcode generation

Software
1 von 35
29-01-2015 by Bart Van Bos - AllBits29-01-2015 by Bart Van Bos - AllBits Low Level Software SecurityLow Level Software Security The never ending arms race
Presentation Overview ● Introduction – Buffer overflows – Memory management – Process memory layout – Function call stack frames ● Example attacks ● Defenses ● Conclusion
Vulnerability Landscape https://courses.cs.washington.edu/courses/cse484/14au/reading/25-years-vulnerabilities.pdf
Popular Vulnerabilities At The Vulnerability Oscars – NIST Common Vulnerabilities and Exposures DB (CVE) – Common Vulnerability Scoring System (CVSS) data from 1988 to 2012 (53.221 vulnerabilities) – Famous examples (all stack-based buffer overflows) ● Sasser worm: shut down X-ray machines at a Swedish hospital and caused Delta airlines to cancel several transatlantic flights ● Heartbleed: in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. ● Stuxnet: targeted Iran’s nuclear program and is believed to have caused it delays/damage Vulnerability All High Critical Buffer Overflow 7809 5528 1391 Cross-Site scripting (XSS) 7006 141 0
Hot off the press ● [27-01-2015] GHOST – glibc gethostbyname buffer overflow (CVE-2015-0235) – During a code audit, a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc) was discovered. This bug is reachable both locally and remotely via the gethostbyname*() functions. They named this vulnerability GHOST – Arbitrary code execution can be achieved. As a proof of concept, a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines, is developed. The exploit will be published as a Metasploit module in the near future. – Vulnerability glibc <= 2.17 ● Debian 6-LTS and Debian 7 ● Ubuntu <= 13.10 ● RedHat Enterprise Linux 5, 6 and 7 ● CentOS 5, 6 and 7 http://www.openwall.com/lists/oss-security/2015/01/27/9
Memory corruption vulnerability ● Memory corruption vulnerabilities are a class of vulnerabilities for unsafe languages, like C, C++ and Objective C – Languages tat do not check whether programs access memory in a correct way – Hence bugs might get introduce that mess up part of memory at run-time ● In this presentation, the focus is on memory corruption in C programs. – An attacker will be allowed to do anything he wants on the machine...
Memory management in C ● Memory can be allocated in many ways – Automatic (local variables in functions) – Static (global variables) – Dynamic (malloc and new) ● Programmer is responsible for – Appropriate use of allocated memory: ● bounds checks, type checks, ... – Correct allocation and de-allocation in the case of dynamic memory (free)
Process memory layout Program Code RO [.init .text .rodata] Static & Global Data R/W [.data .bss] Run-time HEAP (created runtime - malloc) Unused and memory mapped region for shared libs User STACK (created at runtime) Program args + ENV vars High Addresses Low Addresses Stack grows down Heap grows up Grows & shrinks dynamically
Common memory bugs in C ● Memory management is very error prone ● Typical bugs – Buffer overflow: writing past the bounds of an array – Dangling pointers: pointers to deallocated memory – Double frees: deallocating memory twice – Memory leaks: never deallocating memory ● For efficiency reasons, C-like compilers don’t detect these bugs at run-time – C standard states behavior of such programs is undefined
Function call & stack frame ● Per call, an activation record or stack frame is pushed on the stack, containing – Actual parameters, return address, automatically allocated local variables, … – RBP and RSP (x86-64) ● register base pointer (ebp) ● register stack pointer (esp) long my_function(long a, long b, long c, long d, long e, long f, long g, long h) { long xx = a * b * c * d * e * f * g * h; long yy = a + b + c + d + e + f + g + h; long zz = util_function(xx, yy, xx % yy); return zz + 20; } h g return address saved RBP xx yy zz … ... high address low address RBP RBP-8 RBP-16 RBP-24 RBP+8 RBP+16 RBP+24 “red zone” 128 bytes a b c d f e RDI RSI RDX RCX R8 R9 x86-64 registers RSP RBP http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64
Processor endianness ● Endianness refers to the convention used to interpret the bytes making up a data word when those bytes are stored in computer memory. When reading or writing a data word consisting of multiple bytes, the order of the bytes stored in memory determines the interpretation of the data word – Intel processors are little-endian (i386 i486 i586 i686 x86-64) LITTLE ENDIAN x41 x42 x43 x44 x44 x43 x42 x41 ... ... memory register a a+1 a+2 a+3 x41 x42 x43 x44 register x41 x42 x43 x44 ... ... memory a a+1 a+2 a+3 BIG ENDIAN
Presentation Overview ● Introduction ● Example attacks – Data-only attacks (by example) – Stack-based buffer overflow (by example) – Indirect pointer overwriting – Heap-based buffer overflow – Return-to-libc attacks ● Defenses ● Conclusion
Data only attack ● Change the outcome of a program by overwriting a variable you are not supposed to be able to access ● Make the following program print “you win!” return address saved RIP x6Cx6Bx6Ax69 x64x63x62x61 x68x67x66x65 x70x6Fx6Ex6D xF7xA3x5ExC5 x00x00x7FxFF x00x00x00x00 x00x00x00x00 LOW HIGH
Stack based overflow ● Overflow a variable in order to change the return address (RIP) and redirect it to injected shellcode – Shellcode is assembly code which performs some kind of attack – Shellcode can be easily generated using Metasploit framework – Should not contain 0x00, since this stops exploit execution – Often contains a NOP slide (0x90) when address uncertain [SECTION .text] global _start _start: int 0x80 ; OS syscall (SW interrupt) L: jmp L ; very short, direct infinite loop 00000000 CD 80 int 0x80 00000002 EB FE jmp short 0x2 unsigned char shellcode[] = { 0xcd, 0x80, 0xeb, 0xfe };
Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP Stack
Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 return address F1 saved frame pointer F1 buffer Stack
Stack based overflow Stack F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 overwrite return address injected shellcode
Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP SP saved frame pointer F0 local variables F0 injected shellcode Stack
Indirect Pointer Overwriting ● Overwrite a target memory location by overwriting a data pointer – An attackers makes the data pointer point to the target location – When the pointer is dereferenced for writing, the target location is overwritten – If the attacker can specify the value of to write, he can overwrite arbitrary memory locations with arbitrary values
Indirect pointer overwriting F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 return address F1 saved frame pointer F1 data pointer Stack data buffer
Indirect pointer overwriting ● Make the data pointer refer to the address where the return address is stored F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 return address F1 saved frame pointer F1 overwrite data pointer Stack data injected shell code
Indirect pointer overwriting ● Change the memory at the address in ptr to be value F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 modified return address saved frame pointer F1 overwrite data pointer Stack data injected shell code
Indirect pointer overwriting F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 IP FP SP saved frame pointer F0 local variables F0 Stack data injected shell code
Presentation Overview ● Introduction ● Example attacks ● Defenses – Stack canaries – None executable data – Layout randomization (ASLR) – Fortify source macro ● Conclusion
Stack canaries ● Basic idea – Insert a random number right in a stack frame right before the stored base pointer/return address – Verify on return from a function that this value was not modified – If changed, an overflow has occurred, terminate the program ● The inserted value is called a canary, after the coal mine canaries CFLAGS: -fstack-protector NOTE: In Ubuntu 6.10 and later versions this option is enabled by default for C, C++, ObjC, ObjC++, if -fno-stack-protector is not found.
Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 canary arguments F1 return address F1 saved frame pointer F1 canary Stack buffer
Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 canary arguments F1 overwrite return address canary Stack
None executable data ● Direct code injection attacks at some point execute data, since most programs never need to do this ● Hence, a simple countermeasure is to mark data memory (stack, heap, ...) as non-executable ● This counters direct code injection, but not return-into-libc or data-only attacks ● In addition, this countermeasure may break certain legacy applications LDFLAGS = -z noexecstack # execstack --set-execstack <program> tool to set, clear, or query executable stack flag of ELF binaries and shared libraries
Layout randomization ● Most attacks rely on precise knowledge of run time memory addresses ● Introducing artificial variation in these addresses significantly raises the bar for attackers ● Such address space layout randomization (ASLR) is a cheap and effective countermeasure ● Managed by the Linux Kernel # echo /proc/sys/kernel/randomize_va_space 2 Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. This is the default setting.
Defense effectiveness Data only Stack return address Heap function* corruption Jump to libc Stack Canary (D1) Partial defense Partial defense Partial defense NX Data (D2) Partial defense Partial defense Partial defense ASLR (D3) Partial defense Partial defense Partial defense Partial defense ➢ There is no on defense that covers all attacks 100% ➢ More protection at the source level (compile-time)
Fortify source macro ● Lightweight checks to detect buffer overflow at both compile and run time ● Functions covered – memcpy, mempcpy, memmove, memset, stpcpy, strcpy, strncpy, strcat, strncat, sprintf, snprintf, vsprintf, vsnprintf, and gets. ● Since glibc 2.3.4 & gcc v4.0 CFLAGS = -D_FORTIFY_SOURCE=2 In Ubuntu 8.10 and later versions, -D_FORTIFY_SOURCE=2 is set by default. This enables additional compile-time and run-time checks for several libc functions.
Presentation Overview ● Introduction ● Example attacks ● Defenses ● Conclusion
Conclusion ● The design of attacks and countermeasures has led to an arms race between attackers and defenders ● While significant hardening of the execution of C-like languages is possible, the use of safe languages like Java / C# is from the point of view of security preferable ● Testing tools: blind/directed fuzzing ● Analysis tools ● Code review
References ● Smashing the Stack for Fun and Profit (Aleph One) – http://insecure.org/stf/smashstack.html ● Low level Software Security by Example (Erlingsson, Younan & Piessens) – https://courses.cs.washington.edu/courses/cse484/14au/reading/ low-level-security-by-example.pdf ● Insecure Programming by example – http://community.coresecurity.com/~gera/InsecureProgramming ● Code samples available on GitHub – https://github.com/boeboe/low-level-security
Q&A ● Thanks for your attention Email: bartvanbos@allbits.eu LinkedIn: http://lnkd.in/Kre-kR

Empfohlen

Embedded C - Lecture 4
Embedded C - Lecture 4Embedded C - Lecture 4
Embedded C - Lecture 4Mohamed Abdallah
 
Embedded c programming
Embedded c programmingEmbedded c programming
Embedded c programmingPriyaDYP
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Hsien-Hsin Sean Lee, Ph.D.
 
Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...
Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...
Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...Hsien-Hsin Sean Lee, Ph.D.
 
Assembler
AssemblerAssembler
AssemblerJad Matta
 
Programming ATmega microcontroller using Embedded C
Programming ATmega microcontroller using Embedded CProgramming ATmega microcontroller using Embedded C
Programming ATmega microcontroller using Embedded CVarun A M
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly LanguageMotaz Saad
 

Empfohlen

Embedded C - Lecture 4
Embedded C - Lecture 4Embedded C - Lecture 4
Embedded C - Lecture 4Mohamed Abdallah
 
Embedded c programming
Embedded c programmingEmbedded c programming
Embedded c programmingPriyaDYP
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Hsien-Hsin Sean Lee, Ph.D.
 
Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...
Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...
Lec19 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Pr...Hsien-Hsin Sean Lee, Ph.D.
 
Assembler
AssemblerAssembler
AssemblerJad Matta
 
Programming ATmega microcontroller using Embedded C
Programming ATmega microcontroller using Embedded CProgramming ATmega microcontroller using Embedded C
Programming ATmega microcontroller using Embedded CVarun A M
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly LanguageMotaz Saad
 
Code GPU with CUDA - SIMT
Code GPU with CUDA - SIMTCode GPU with CUDA - SIMT
Code GPU with CUDA - SIMTMarina Kolpakova
 
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesMarina Kolpakova
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationNational Cheng Kung University
 
Code GPU with CUDA - Memory Subsystem
Code GPU with CUDA - Memory SubsystemCode GPU with CUDA - Memory Subsystem
Code GPU with CUDA - Memory SubsystemMarina Kolpakova
 
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- PipeliningLec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- PipeliningHsien-Hsin Sean Lee, Ph.D.
 
Compiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementCompiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementEelco Visser
 
First session quiz
First session quizFirst session quiz
First session quizKeroles karam khalil
 
Code GPU with CUDA - Optimizing memory and control flow
Code GPU with CUDA - Optimizing memory and control flowCode GPU with CUDA - Optimizing memory and control flow
Code GPU with CUDA - Optimizing memory and control flowMarina Kolpakova
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
 
Hardware interfacing basics using AVR
Hardware interfacing basics using AVRHardware interfacing basics using AVR
Hardware interfacing basics using AVRMohamed Abdallah
 
Assembly Language Lecture 1
Assembly Language Lecture 1Assembly Language Lecture 1
Assembly Language Lecture 1Motaz Saad
 
Assembly 8086
Assembly 8086Assembly 8086
Assembly 8086Mustafa Salah
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureNetronome
 
ROP
ROPROP
ROPJian-Yu Li
 
Demystify eBPF JIT Compiler
Demystify eBPF JIT CompilerDemystify eBPF JIT Compiler
Demystify eBPF JIT CompilerNetronome
 
4Developers 2018: The turbulent road to byte-addressable storage support at t...
4Developers 2018: The turbulent road to byte-addressable storage support at t...4Developers 2018: The turbulent road to byte-addressable storage support at t...
4Developers 2018: The turbulent road to byte-addressable storage support at t...PROIDEA
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 
Pragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
Pragmatic Optimization in Modern Programming - Mastering Compiler OptimizationsPragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
Pragmatic Optimization in Modern Programming - Mastering Compiler OptimizationsMarina Kolpakova
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersMarina Kolpakova
 
test
testtest
testaaro11
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdfKhaledIbrahim10923
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesMarina Kolpakova
 
Code GPU with CUDA - Memory Subsystem
Code GPU with CUDA - Memory SubsystemCode GPU with CUDA - Memory Subsystem
Code GPU with CUDA - Memory SubsystemMarina Kolpakova
 
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- PipeliningLec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- PipeliningHsien-Hsin Sean Lee, Ph.D.
 
Compiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementCompiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementEelco Visser
 
Code GPU with CUDA - Optimizing memory and control flow
Code GPU with CUDA - Optimizing memory and control flowCode GPU with CUDA - Optimizing memory and control flow
Code GPU with CUDA - Optimizing memory and control flowMarina Kolpakova
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
 
Hardware interfacing basics using AVR
Hardware interfacing basics using AVRHardware interfacing basics using AVR
Hardware interfacing basics using AVRMohamed Abdallah
 
Assembly Language Lecture 1
Assembly Language Lecture 1Assembly Language Lecture 1
Assembly Language Lecture 1Motaz Saad
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureNetronome
 
Demystify eBPF JIT Compiler
Demystify eBPF JIT CompilerDemystify eBPF JIT Compiler
Demystify eBPF JIT CompilerNetronome
 
4Developers 2018: The turbulent road to byte-addressable storage support at t...
4Developers 2018: The turbulent road to byte-addressable storage support at t...4Developers 2018: The turbulent road to byte-addressable storage support at t...
4Developers 2018: The turbulent road to byte-addressable storage support at t...PROIDEA
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 
Pragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
Pragmatic Optimization in Modern Programming - Mastering Compiler OptimizationsPragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
Pragmatic Optimization in Modern Programming - Mastering Compiler OptimizationsMarina Kolpakova
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersMarina Kolpakova
 

Was ist angesagt? (20)

Code GPU with CUDA - SIMT
Code GPU with CUDA - SIMTCode GPU with CUDA - SIMT
Code GPU with CUDA - SIMT
 
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization ApproachesPragmatic Optimization in Modern Programming - Ordering Optimization Approaches
Pragmatic Optimization in Modern Programming - Ordering Optimization Approaches
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Code GPU with CUDA - Memory Subsystem
Code GPU with CUDA - Memory SubsystemCode GPU with CUDA - Memory Subsystem
Code GPU with CUDA - Memory Subsystem
 
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- PipeliningLec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
Lec1 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Pipelining
 
Compiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory ManagementCompiler Construction | Lecture 15 | Memory Management
Compiler Construction | Lecture 15 | Memory Management
 
First session quiz
First session quizFirst session quiz
First session quiz
 
Code GPU with CUDA - Optimizing memory and control flow
Code GPU with CUDA - Optimizing memory and control flowCode GPU with CUDA - Optimizing memory and control flow
Code GPU with CUDA - Optimizing memory and control flow
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
 
Hardware interfacing basics using AVR
Hardware interfacing basics using AVRHardware interfacing basics using AVR
Hardware interfacing basics using AVR
 
Assembly Language Lecture 1
Assembly Language Lecture 1Assembly Language Lecture 1
Assembly Language Lecture 1
 
Assembly 8086
Assembly 8086Assembly 8086
Assembly 8086
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic Linking
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging Infrastructure
 
ROP
ROPROP
ROP
 
Demystify eBPF JIT Compiler
Demystify eBPF JIT CompilerDemystify eBPF JIT Compiler
Demystify eBPF JIT Compiler
 
4Developers 2018: The turbulent road to byte-addressable storage support at t...
4Developers 2018: The turbulent road to byte-addressable storage support at t...4Developers 2018: The turbulent road to byte-addressable storage support at t...
4Developers 2018: The turbulent road to byte-addressable storage support at t...
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDB
 
Pragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
Pragmatic Optimization in Modern Programming - Mastering Compiler OptimizationsPragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
Pragmatic Optimization in Modern Programming - Mastering Compiler Optimizations
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limiters
 

Ähnlich wie AllBits presentation - Lower Level SW Security

0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdfKhaledIbrahim10923
 
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIWLec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIWHsien-Hsin Sean Lee, Ph.D.
 
(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memoryNico Ludwig
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuEstelaJeffery653
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilationAdam Husár
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary ExploitationFlorian Müller
 
2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdf2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdfcifoxo
 
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptxCA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptxtrupeace
 
Ds8000 Practical Performance Analysis P04 20060718
Ds8000 Practical Performance Analysis P04 20060718Ds8000 Practical Performance Analysis P04 20060718
Ds8000 Practical Performance Analysis P04 20060718brettallison
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 

Ähnlich wie AllBits presentation - Lower Level SW Security (20)

test
testtest
test
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf
 
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIWLec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
Lec15 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- EPIC VLIW
 
(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory(8) cpp stack automatic_memory_and_static_memory
(8) cpp stack automatic_memory_and_static_memory
 
C programming session10
C programming session10C programming session10
C programming session10
 
Embedded C programming session10
Embedded C programming session10Embedded C programming session10
Embedded C programming session10
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structu
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation07 140430-ipp-languages used in llvm during compilation
07 140430-ipp-languages used in llvm during compilation
 
Lec05
Lec05Lec05
Lec05
 
Quiz 9
Quiz 9Quiz 9
Quiz 9
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation
 
2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdf2023-02-22_Tiberti_CyberX.pdf
2023-02-22_Tiberti_CyberX.pdf
 
Software Security
Software SecuritySoftware Security
Software Security
 
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptxCA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
 
Ds8000 Practical Performance Analysis P04 20060718
Ds8000 Practical Performance Analysis P04 20060718Ds8000 Practical Performance Analysis P04 20060718
Ds8000 Practical Performance Analysis P04 20060718
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
x86_1.ppt
x86_1.pptx86_1.ppt
x86_1.ppt
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 

Kürzlich hochgeladen

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 

Kürzlich hochgeladen (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 

AllBits presentation - Lower Level SW Security

  • 1. 29-01-2015 by Bart Van Bos - AllBits29-01-2015 by Bart Van Bos - AllBits Low Level Software SecurityLow Level Software Security The never ending arms race
  • 2. Presentation Overview ● Introduction – Buffer overflows – Memory management – Process memory layout – Function call stack frames ● Example attacks ● Defenses ● Conclusion
  • 4. Popular Vulnerabilities At The Vulnerability Oscars – NIST Common Vulnerabilities and Exposures DB (CVE) – Common Vulnerability Scoring System (CVSS) data from 1988 to 2012 (53.221 vulnerabilities) – Famous examples (all stack-based buffer overflows) ● Sasser worm: shut down X-ray machines at a Swedish hospital and caused Delta airlines to cancel several transatlantic flights ● Heartbleed: in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. ● Stuxnet: targeted Iran’s nuclear program and is believed to have caused it delays/damage Vulnerability All High Critical Buffer Overflow 7809 5528 1391 Cross-Site scripting (XSS) 7006 141 0
  • 5. Hot off the press ● [27-01-2015] GHOST – glibc gethostbyname buffer overflow (CVE-2015-0235) – During a code audit, a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc) was discovered. This bug is reachable both locally and remotely via the gethostbyname*() functions. They named this vulnerability GHOST – Arbitrary code execution can be achieved. As a proof of concept, a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines, is developed. The exploit will be published as a Metasploit module in the near future. – Vulnerability glibc <= 2.17 ● Debian 6-LTS and Debian 7 ● Ubuntu <= 13.10 ● RedHat Enterprise Linux 5, 6 and 7 ● CentOS 5, 6 and 7 http://www.openwall.com/lists/oss-security/2015/01/27/9
  • 6. Memory corruption vulnerability ● Memory corruption vulnerabilities are a class of vulnerabilities for unsafe languages, like C, C++ and Objective C – Languages tat do not check whether programs access memory in a correct way – Hence bugs might get introduce that mess up part of memory at run-time ● In this presentation, the focus is on memory corruption in C programs. – An attacker will be allowed to do anything he wants on the machine...
  • 7. Memory management in C ● Memory can be allocated in many ways – Automatic (local variables in functions) – Static (global variables) – Dynamic (malloc and new) ● Programmer is responsible for – Appropriate use of allocated memory: ● bounds checks, type checks, ... – Correct allocation and de-allocation in the case of dynamic memory (free)
  • 8. Process memory layout Program Code RO [.init .text .rodata] Static & Global Data R/W [.data .bss] Run-time HEAP (created runtime - malloc) Unused and memory mapped region for shared libs User STACK (created at runtime) Program args + ENV vars High Addresses Low Addresses Stack grows down Heap grows up Grows & shrinks dynamically
  • 9. Common memory bugs in C ● Memory management is very error prone ● Typical bugs – Buffer overflow: writing past the bounds of an array – Dangling pointers: pointers to deallocated memory – Double frees: deallocating memory twice – Memory leaks: never deallocating memory ● For efficiency reasons, C-like compilers don’t detect these bugs at run-time – C standard states behavior of such programs is undefined
  • 10. Function call & stack frame ● Per call, an activation record or stack frame is pushed on the stack, containing – Actual parameters, return address, automatically allocated local variables, … – RBP and RSP (x86-64) ● register base pointer (ebp) ● register stack pointer (esp) long my_function(long a, long b, long c, long d, long e, long f, long g, long h) { long xx = a * b * c * d * e * f * g * h; long yy = a + b + c + d + e + f + g + h; long zz = util_function(xx, yy, xx % yy); return zz + 20; } h g return address saved RBP xx yy zz … ... high address low address RBP RBP-8 RBP-16 RBP-24 RBP+8 RBP+16 RBP+24 “red zone” 128 bytes a b c d f e RDI RSI RDX RCX R8 R9 x86-64 registers RSP RBP http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64
  • 11. Processor endianness ● Endianness refers to the convention used to interpret the bytes making up a data word when those bytes are stored in computer memory. When reading or writing a data word consisting of multiple bytes, the order of the bytes stored in memory determines the interpretation of the data word – Intel processors are little-endian (i386 i486 i586 i686 x86-64) LITTLE ENDIAN x41 x42 x43 x44 x44 x43 x42 x41 ... ... memory register a a+1 a+2 a+3 x41 x42 x43 x44 register x41 x42 x43 x44 ... ... memory a a+1 a+2 a+3 BIG ENDIAN
  • 12. Presentation Overview ● Introduction ● Example attacks – Data-only attacks (by example) – Stack-based buffer overflow (by example) – Indirect pointer overwriting – Heap-based buffer overflow – Return-to-libc attacks ● Defenses ● Conclusion
  • 13. Data only attack ● Change the outcome of a program by overwriting a variable you are not supposed to be able to access ● Make the following program print “you win!” return address saved RIP x6Cx6Bx6Ax69 x64x63x62x61 x68x67x66x65 x70x6Fx6Ex6D xF7xA3x5ExC5 x00x00x7FxFF x00x00x00x00 x00x00x00x00 LOW HIGH
  • 14. Stack based overflow ● Overflow a variable in order to change the return address (RIP) and redirect it to injected shellcode – Shellcode is assembly code which performs some kind of attack – Shellcode can be easily generated using Metasploit framework – Should not contain 0x00, since this stops exploit execution – Often contains a NOP slide (0x90) when address uncertain [SECTION .text] global _start _start: int 0x80 ; OS syscall (SW interrupt) L: jmp L ; very short, direct infinite loop 00000000 CD 80 int 0x80 00000002 EB FE jmp short 0x2 unsigned char shellcode[] = { 0xcd, 0x80, 0xeb, 0xfe };
  • 15. Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP Stack
  • 16. Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 return address F1 saved frame pointer F1 buffer Stack
  • 17. Stack based overflow Stack F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 overwrite return address injected shellcode
  • 18. Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP SP saved frame pointer F0 local variables F0 injected shellcode Stack
  • 19. Indirect Pointer Overwriting ● Overwrite a target memory location by overwriting a data pointer – An attackers makes the data pointer point to the target location – When the pointer is dereferenced for writing, the target location is overwritten – If the attacker can specify the value of to write, he can overwrite arbitrary memory locations with arbitrary values
  • 20. Indirect pointer overwriting F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 return address F1 saved frame pointer F1 data pointer Stack data buffer
  • 21. Indirect pointer overwriting ● Make the data pointer refer to the address where the return address is stored F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 return address F1 saved frame pointer F1 overwrite data pointer Stack data injected shell code
  • 22. Indirect pointer overwriting ● Change the memory at the address in ptr to be value F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 local variables F0 arguments F1 modified return address saved frame pointer F1 overwrite data pointer Stack data injected shell code
  • 23. Indirect pointer overwriting F0: … call F1 ... F1: ptr = &data buffer[] overflow() *ptr = value ... other stack frames return address F0 saved frame pointer F0 local variables F0 IP FP SP saved frame pointer F0 local variables F0 Stack data injected shell code
  • 24. Presentation Overview ● Introduction ● Example attacks ● Defenses – Stack canaries – None executable data – Layout randomization (ASLR) – Fortify source macro ● Conclusion
  • 25. Stack canaries ● Basic idea – Insert a random number right in a stack frame right before the stored base pointer/return address – Verify on return from a function that this value was not modified – If changed, an overflow has occurred, terminate the program ● The inserted value is called a canary, after the coal mine canaries CFLAGS: -fstack-protector NOTE: In Ubuntu 6.10 and later versions this option is enabled by default for C, C++, ObjC, ObjC++, if -fno-stack-protector is not found.
  • 26. Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 canary arguments F1 return address F1 saved frame pointer F1 canary Stack buffer
  • 27. Stack based overflow F0: … call F1 ... F1: buffer[] overflow() ... other stack frames return address F0 saved frame pointer F0 local variables F0 arguments F1 IP FP SP saved frame pointer F0 canary arguments F1 overwrite return address canary Stack
  • 28. None executable data ● Direct code injection attacks at some point execute data, since most programs never need to do this ● Hence, a simple countermeasure is to mark data memory (stack, heap, ...) as non-executable ● This counters direct code injection, but not return-into-libc or data-only attacks ● In addition, this countermeasure may break certain legacy applications LDFLAGS = -z noexecstack # execstack --set-execstack <program> tool to set, clear, or query executable stack flag of ELF binaries and shared libraries
  • 29. Layout randomization ● Most attacks rely on precise knowledge of run time memory addresses ● Introducing artificial variation in these addresses significantly raises the bar for attackers ● Such address space layout randomization (ASLR) is a cheap and effective countermeasure ● Managed by the Linux Kernel # echo /proc/sys/kernel/randomize_va_space 2 Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. This is the default setting.
  • 30. Defense effectiveness Data only Stack return address Heap function* corruption Jump to libc Stack Canary (D1) Partial defense Partial defense Partial defense NX Data (D2) Partial defense Partial defense Partial defense ASLR (D3) Partial defense Partial defense Partial defense Partial defense ➢ There is no on defense that covers all attacks 100% ➢ More protection at the source level (compile-time)
  • 31. Fortify source macro ● Lightweight checks to detect buffer overflow at both compile and run time ● Functions covered – memcpy, mempcpy, memmove, memset, stpcpy, strcpy, strncpy, strcat, strncat, sprintf, snprintf, vsprintf, vsnprintf, and gets. ● Since glibc 2.3.4 & gcc v4.0 CFLAGS = -D_FORTIFY_SOURCE=2 In Ubuntu 8.10 and later versions, -D_FORTIFY_SOURCE=2 is set by default. This enables additional compile-time and run-time checks for several libc functions.
  • 32. Presentation Overview ● Introduction ● Example attacks ● Defenses ● Conclusion
  • 33. Conclusion ● The design of attacks and countermeasures has led to an arms race between attackers and defenders ● While significant hardening of the execution of C-like languages is possible, the use of safe languages like Java / C# is from the point of view of security preferable ● Testing tools: blind/directed fuzzing ● Analysis tools ● Code review
  • 34. References ● Smashing the Stack for Fun and Profit (Aleph One) – http://insecure.org/stf/smashstack.html ● Low level Software Security by Example (Erlingsson, Younan & Piessens) – https://courses.cs.washington.edu/courses/cse484/14au/reading/ low-level-security-by-example.pdf ● Insecure Programming by example – http://community.coresecurity.com/~gera/InsecureProgramming ● Code samples available on GitHub – https://github.com/boeboe/low-level-security
  • 35. Q&A ● Thanks for your attention Email: bartvanbos@allbits.eu LinkedIn: http://lnkd.in/Kre-kR

Hinweis der Redaktion

  1. Red zone – a 128-byte area beyond the location pointed to by %rsp is considered to be reserved and shall not be modified by signal or interrupt handlers. Therefore, functions may use this area for temporary data that is not needed across function calls. In particular, leaf functions may use this area for their entire stack frame, rather than adjusting the stack pointer in the prologue and epilogue.