SlideShare ist ein Scribd-Unternehmen logo

Overflowing attack potential, scoring defence in-depth

Javier Tallón
Javier Tallón

This presentation relates the Common Criteria attack potential calculation with the defence-in-depth technique used to avoid buffer overflows.

TechnologieBusiness
1 von 42
Downloaden Sie, um offline zu lesen
Overflowing Attack Potential Scoring Defence-in-Depth Defence-in- Javier Tallón Guerri 11ICCC - Turkey
2
3
4
1.Buffer overflows, a bit of background 2.Reviewing and bypassing defence-in- depth techniques 3.Impact in the CC 4.What to do? 5
1.Buffer overflows, a bit of background 2.Reviewing and bypassing defence-in- depth techniques 3.Impact in the CC 4.What to do? 6
1. Buffer overflows, a bit of background You know... The classic stack overflow…. #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); } 7
1. Buffer overflows, a bit of background 8
1. Buffer overflows, a bit of background 9
1. Buffer overflows, a bit of background 10
1. Buffer overflows, a bit of background There are also heap and integer overflows…. 11
1. Buffer overflows, a bit of background Could lead to arbitrary code execution 12
1. Buffer overflows, a bit of background Those were the old days… Very few problems for the attacker: Null bytes Shellcode size and other constraints Shellcode development 13
1.Buffer overflows, a bit of background 2.Reviewing defence-in-depth techniques 3.Impact in the CC 4.What to do? 14
2. Reviewing defence-in-depth techniques Stack canaries approach: The compiler place a value before the return address when a function is called and check that the value has not changed when the function finalize. 15
2. Reviewing defence-in-depth techniques Bypassing stack canaries: Implementation can be not correct It can be a statistical problem 16
2. Reviewing defence-in-depth techniques Bypassing stack canaries: Windows: SEH overwriting Protected by SafeSEH and so on… Unix: Other (more complex) techniques… 17
2. Reviewing defence-in-depth techniques Non-eXecutable Stack approach: Code is code and data is data Widely deployed (every computer since 2001 allows this) 18
2. Reviewing defence-in-depth techniques Bypassing Non-eXecutable Stack: Save the payload in the heap Return into libc attacks 19
2. Reviewing defence-in-depth techniques 64bits hardware resolves the problem: In 64 bits computers, arguments are loaded from registers, not from the stack. Return into libc attack is not possible 20
2. Reviewing defence-in-depth techniques 64bits hardware resolves the problem: Borrowed Code Chunks or Return Oriented Programming 21
2. Reviewing defence-in-depth techniques 22
2. Reviewing defence-in-depth techniques ASLR (Address Space Layout Randomization) approach: The code is loaded in different memory regions each time 23
2. Reviewing defence-in-depth techniques Bypassing ASLR: It could be an statistical question 24
2. Reviewing defence-in-depth techniques Bypassing ASLR: Maybe not all the libraries are randomly loaded 25
2. Reviewing defence-in-depth techniques Mixed approach: Standalone use of these techniques is not very useful Technique Technique Better A B results 26
2. Reviewing defence-in-depth techniques Non-eXecutable Stack + ASLR: Make very difficult the return attacks. 27
2. Reviewing defence-in-depth techniques NX Stack ASLR Stack Canaries Each technique makes successful exploitation more difficult 28
2. Reviewing defence-in-depth techniques There are more defence-in-depth techniques Attackers always develop techniques to bypass the new countermeasures 29
2. Reviewing defence-in-depth techniques 30
2. Reviewing defence-in-depth techniques 31
1.Buffer overflows, a bit of background 2.Reviewing defence-in-depth techniques 3.Impact in the CC 4.What to do? 32
3. Impact in the CC Overflow detected! Unique characteristics Unique exploit path Base attack potential 33
3. Impact in the CC Buffer Base Defence in Overflow Attack Depth Detected Potential Modifiers Base Attack Potential Real Attack Potential Defence in Depth Modifiers 34
3. Impact in the CC Defence in depth technique Attack potential factor Stack Canaries (Windows) x 1.2 Stack Canaries + SafeSEH (Windows) x 1.3 Non-eXecutable Stack x 1.35 ASLR x 1.50 Stack Canaries (Unix) x 1.52 NX Stack + ASLR x 1.54 NX Stack + ASLR + Stack Canaries (Windows) x 1.62 NX Stack + ASLR + Stack Canaries + SafeSEH (Windows) x 1.66 NX Stack + ASLR + Stack Canaries (Unix) x 1.68 … … 35
1.Buffer overflows, a bit of background 2.Reviewing defence-in-depth techniques 3.Impact in the CC 4.What to do? 36
4. What to do? 37
4. What to do? 38
4. What to do? 39
4. What to do? Whenever it is possible Through compiler Through Operating System 40
4. What to do? 41
Thanks for your attention! attention! Javier Tallón Epoche & Espri, S.L. Avda. de la Vega, 1 28108, Alcobendas, Madrid, Spain. eval@epoche.es 42

Empfohlen

15.Security
15.Security15.Security
15.SecuritySenthil Kanth
 
Iss lecture 2
Iss lecture 2Iss lecture 2
Iss lecture 2Ali Habeeb
 
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniBSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniShellmates
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information SecurityDr Naim R Kidwai
 
Kleptography
KleptographyKleptography
KleptographyErfan Mallick
 
Network security
Network securityNetwork security
Network securityRamasubbu .P
 
Overview on Cryptography and Network Security
Overview on Cryptography and Network SecurityOverview on Cryptography and Network Security
Overview on Cryptography and Network SecurityDr. Rupa Ch
 
Cryptography cse,ru
Cryptography cse,ruCryptography cse,ru
Cryptography cse,ruHossain Md Shakhawat
 

Empfohlen

15.Security
15.Security15.Security
15.SecuritySenthil Kanth
 
Iss lecture 2
Iss lecture 2Iss lecture 2
Iss lecture 2Ali Habeeb
 
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniBSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal HarouniShellmates
 
Cryptography and Information Security
Cryptography and Information SecurityCryptography and Information Security
Cryptography and Information SecurityDr Naim R Kidwai
 
Kleptography
KleptographyKleptography
KleptographyErfan Mallick
 
Network security
Network securityNetwork security
Network securityRamasubbu .P
 
Overview on Cryptography and Network Security
Overview on Cryptography and Network SecurityOverview on Cryptography and Network Security
Overview on Cryptography and Network SecurityDr. Rupa Ch
 
Cryptography cse,ru
Cryptography cse,ruCryptography cse,ru
Cryptography cse,ruHossain Md Shakhawat
 
Dt32742746
Dt32742746Dt32742746
Dt32742746IJERA Editor
 
07security
07security07security
07securitydouglaslyon
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyBharat Kumar Katur
 
Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Aaron Zauner
 
Pki Training V1.5
Pki Training V1.5Pki Training V1.5
Pki Training V1.5Sylvain Maret
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemoSamia Elsayed
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryptionphanleson
 
Cryptography
CryptographyCryptography
CryptographySuhepi Saputri
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptographyHossain Md Shakhawat
 
OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)Tech4 Helper
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
Security challenges in Ethereum smart contract programming (ver. 2)
Security challenges in Ethereum smart contract programming (ver. 2)Security challenges in Ethereum smart contract programming (ver. 2)
Security challenges in Ethereum smart contract programming (ver. 2)Sergei Tikhomirov
 
basic encryption and decryption
basic encryption and decryption basic encryption and decryption
basic encryption and decryptionRashmi Burugupalli
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 
Cryptography
CryptographyCryptography
CryptographyDeepak Kumar
 
El modelo de seguridad de iOS
El modelo de seguridad de iOSEl modelo de seguridad de iOS
El modelo de seguridad de iOSJavier Tallón
 
ISO 15408 Common Criteria
ISO 15408 Common CriteriaISO 15408 Common Criteria
ISO 15408 Common CriteriaJulio Santy Gómez Torres
 
Introducción a la certificación Common Criteria
Introducción a la certificación Common CriteriaIntroducción a la certificación Common Criteria
Introducción a la certificación Common CriteriaJavier Tallón
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbasEmilio Casbas
 
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way Javier Tallón
 
Sistema Opreativo IOS
Sistema Opreativo IOSSistema Opreativo IOS
Sistema Opreativo IOSAntonioBarraganCasas
 
iOS
iOSiOS
iOSDaniel Martínez
 

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Aaron Zauner
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryptionphanleson
 
OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)Tech4 Helper
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
Security challenges in Ethereum smart contract programming (ver. 2)
Security challenges in Ethereum smart contract programming (ver. 2)Security challenges in Ethereum smart contract programming (ver. 2)
Security challenges in Ethereum smart contract programming (ver. 2)Sergei Tikhomirov
 
basic encryption and decryption
basic encryption and decryption basic encryption and decryption
basic encryption and decryptionRashmi Burugupalli
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 

Was ist angesagt? (15)

Dt32742746
Dt32742746Dt32742746
Dt32742746
 
07security
07security07security
07security
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)
 
Pki Training V1.5
Pki Training V1.5Pki Training V1.5
Pki Training V1.5
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemo
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryption
 
Cryptography
CryptographyCryptography
Cryptography
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)OpenCard hack (projekt chameleon)
OpenCard hack (projekt chameleon)
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®
 
Security challenges in Ethereum smart contract programming (ver. 2)
Security challenges in Ethereum smart contract programming (ver. 2)Security challenges in Ethereum smart contract programming (ver. 2)
Security challenges in Ethereum smart contract programming (ver. 2)
 
basic encryption and decryption
basic encryption and decryption basic encryption and decryption
basic encryption and decryption
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 

Andere mochten auch

El modelo de seguridad de iOS
El modelo de seguridad de iOSEl modelo de seguridad de iOS
El modelo de seguridad de iOSJavier Tallón
 
Introducción a la certificación Common Criteria
Introducción a la certificación Common CriteriaIntroducción a la certificación Common Criteria
Introducción a la certificación Common CriteriaJavier Tallón
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbasEmilio Casbas
 
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way Javier Tallón
 
iOS d'estar per casa - Jornades Apple 2011 Ulldecona
iOS d'estar per casa - Jornades Apple 2011 UlldeconaiOS d'estar per casa - Jornades Apple 2011 Ulldecona
iOS d'estar per casa - Jornades Apple 2011 UlldeconaRaimon Lapuente
 
Seguridad Dispositivos móviles Extened Edition
Seguridad Dispositivos móviles Extened EditionSeguridad Dispositivos móviles Extened Edition
Seguridad Dispositivos móviles Extened EditionJose Manuel Ortega Candel
 
Introducción Curso iOS
Introducción Curso iOSIntroducción Curso iOS
Introducción Curso iOSbrainybogota
 
Seminario iOS SIETCG (feb 2014)
Seminario iOS SIETCG (feb 2014)Seminario iOS SIETCG (feb 2014)
Seminario iOS SIETCG (feb 2014)Albert Marques
 
Presentacion segi seminario_yisell
Presentacion segi seminario_yisellPresentacion segi seminario_yisell
Presentacion segi seminario_yisellYiz Puentes Cubides
 
Mobile Day - Desarrollo Apple Watch con Xamarin
Mobile Day - Desarrollo Apple Watch con XamarinMobile Day - Desarrollo Apple Watch con Xamarin
Mobile Day - Desarrollo Apple Watch con XamarinSoftware Guru
 

Andere mochten auch (20)

El modelo de seguridad de iOS
El modelo de seguridad de iOSEl modelo de seguridad de iOS
El modelo de seguridad de iOS
 
ISO 15408 Common Criteria
ISO 15408 Common CriteriaISO 15408 Common Criteria
ISO 15408 Common Criteria
 
Introducción a la certificación Common Criteria
Introducción a la certificación Common CriteriaIntroducción a la certificación Common Criteria
Introducción a la certificación Common Criteria
 
Hack miami emiliocasbas
Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbas
 
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way
 
Sistema Opreativo IOS
Sistema Opreativo IOSSistema Opreativo IOS
Sistema Opreativo IOS
 
iOS
iOSiOS
iOS
 
LINE. Android e iOS - Presentación Ciberseg15
LINE. Android e iOS - Presentación Ciberseg15LINE. Android e iOS - Presentación Ciberseg15
LINE. Android e iOS - Presentación Ciberseg15
 
iOS d'estar per casa - Jornades Apple 2011 Ulldecona
iOS d'estar per casa - Jornades Apple 2011 UlldeconaiOS d'estar per casa - Jornades Apple 2011 Ulldecona
iOS d'estar per casa - Jornades Apple 2011 Ulldecona
 
Facebook to whatsapp
Facebook to whatsappFacebook to whatsapp
Facebook to whatsapp
 
Seguridad Dispositivos móviles Extened Edition
Seguridad Dispositivos móviles Extened EditionSeguridad Dispositivos móviles Extened Edition
Seguridad Dispositivos móviles Extened Edition
 
iOS
iOSiOS
iOS
 
Training apple
Training appleTraining apple
Training apple
 
Introducción Curso iOS
Introducción Curso iOSIntroducción Curso iOS
Introducción Curso iOS
 
Seminario iOS SIETCG (feb 2014)
Seminario iOS SIETCG (feb 2014)Seminario iOS SIETCG (feb 2014)
Seminario iOS SIETCG (feb 2014)
 
Presentación ios
Presentación iosPresentación ios
Presentación ios
 
Presentacion segi seminario_yisell
Presentacion segi seminario_yisellPresentacion segi seminario_yisell
Presentacion segi seminario_yisell
 
Hardening murcia lan party 2013
Hardening murcia lan party 2013Hardening murcia lan party 2013
Hardening murcia lan party 2013
 
iOS
iOSiOS
iOS
 
Mobile Day - Desarrollo Apple Watch con Xamarin
Mobile Day - Desarrollo Apple Watch con XamarinMobile Day - Desarrollo Apple Watch con Xamarin
Mobile Day - Desarrollo Apple Watch con Xamarin
 

Ähnlich wie Overflowing attack potential, scoring defence in-depth

Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelJinbumPark
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
Grow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM StackGrow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM StackKeitaSugiyama1
 
Meltdown & Spectre attacks
Meltdown & Spectre attacksMeltdown & Spectre attacks
Meltdown & Spectre attacksMarian Marinov
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)Alexandre Borges
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
Containers Sandboxing (KubeCon 2018)
Containers Sandboxing (KubeCon 2018)Containers Sandboxing (KubeCon 2018)
Containers Sandboxing (KubeCon 2018)Ariel Shuper
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorSeunghun han
 
Linux Security Status on 2017
Linux Security Status on 2017Linux Security Status on 2017
Linux Security Status on 2017Kazuki Omo
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blindNikitaAndhale
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 

Ähnlich wie Overflowing attack potential, scoring defence in-depth (20)

SnakeGX (full version)
SnakeGX (full version) SnakeGX (full version)
SnakeGX (full version)
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
 
System Integrity
System IntegritySystem Integrity
System Integrity
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
 
Grow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM StackGrow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM Stack
 
Meltdown & Spectre attacks
Meltdown & Spectre attacksMeltdown & Spectre attacks
Meltdown & Spectre attacks
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
 
VMs, Interpreters, JIT
VMs, Interpreters, JITVMs, Interpreters, JIT
VMs, Interpreters, JIT
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
Containers Sandboxing (KubeCon 2018)
Containers Sandboxing (KubeCon 2018)Containers Sandboxing (KubeCon 2018)
Containers Sandboxing (KubeCon 2018)
 
SnakeGX (short version)
SnakeGX (short version)SnakeGX (short version)
SnakeGX (short version)
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel ProtectorBlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
 
Linux Security Status on 2017
Linux Security Status on 2017Linux Security Status on 2017
Linux Security Status on 2017
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 

Mehr von Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and productsJavier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfJavier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaJavier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...Javier Tallón
 

Mehr von Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 

Kürzlich hochgeladen

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Overflowing attack potential, scoring defence in-depth

  • 1. Overflowing Attack Potential Scoring Defence-in-Depth Defence-in- Javier Tallón Guerri 11ICCC - Turkey
  • 2. 2
  • 3. 3
  • 4. 4
  • 5. 1.Buffer overflows, a bit of background 2.Reviewing and bypassing defence-in- depth techniques 3.Impact in the CC 4.What to do? 5
  • 6. 1.Buffer overflows, a bit of background 2.Reviewing and bypassing defence-in- depth techniques 3.Impact in the CC 4.What to do? 6
  • 7. 1. Buffer overflows, a bit of background You know... The classic stack overflow…. #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); } 7
  • 8. 1. Buffer overflows, a bit of background 8
  • 9. 1. Buffer overflows, a bit of background 9
  • 10. 1. Buffer overflows, a bit of background 10
  • 11. 1. Buffer overflows, a bit of background There are also heap and integer overflows…. 11
  • 12. 1. Buffer overflows, a bit of background Could lead to arbitrary code execution 12
  • 13. 1. Buffer overflows, a bit of background Those were the old days… Very few problems for the attacker: Null bytes Shellcode size and other constraints Shellcode development 13
  • 14. 1.Buffer overflows, a bit of background 2.Reviewing defence-in-depth techniques 3.Impact in the CC 4.What to do? 14
  • 15. 2. Reviewing defence-in-depth techniques Stack canaries approach: The compiler place a value before the return address when a function is called and check that the value has not changed when the function finalize. 15
  • 16. 2. Reviewing defence-in-depth techniques Bypassing stack canaries: Implementation can be not correct It can be a statistical problem 16
  • 17. 2. Reviewing defence-in-depth techniques Bypassing stack canaries: Windows: SEH overwriting Protected by SafeSEH and so on… Unix: Other (more complex) techniques… 17
  • 18. 2. Reviewing defence-in-depth techniques Non-eXecutable Stack approach: Code is code and data is data Widely deployed (every computer since 2001 allows this) 18
  • 19. 2. Reviewing defence-in-depth techniques Bypassing Non-eXecutable Stack: Save the payload in the heap Return into libc attacks 19
  • 20. 2. Reviewing defence-in-depth techniques 64bits hardware resolves the problem: In 64 bits computers, arguments are loaded from registers, not from the stack. Return into libc attack is not possible 20
  • 21. 2. Reviewing defence-in-depth techniques 64bits hardware resolves the problem: Borrowed Code Chunks or Return Oriented Programming 21
  • 23. 2. Reviewing defence-in-depth techniques ASLR (Address Space Layout Randomization) approach: The code is loaded in different memory regions each time 23
  • 24. 2. Reviewing defence-in-depth techniques Bypassing ASLR: It could be an statistical question 24
  • 25. 2. Reviewing defence-in-depth techniques Bypassing ASLR: Maybe not all the libraries are randomly loaded 25
  • 26. 2. Reviewing defence-in-depth techniques Mixed approach: Standalone use of these techniques is not very useful Technique Technique Better A B results 26
  • 27. 2. Reviewing defence-in-depth techniques Non-eXecutable Stack + ASLR: Make very difficult the return attacks. 27
  • 28. 2. Reviewing defence-in-depth techniques NX Stack ASLR Stack Canaries Each technique makes successful exploitation more difficult 28
  • 29. 2. Reviewing defence-in-depth techniques There are more defence-in-depth techniques Attackers always develop techniques to bypass the new countermeasures 29
  • 32. 1.Buffer overflows, a bit of background 2.Reviewing defence-in-depth techniques 3.Impact in the CC 4.What to do? 32
  • 33. 3. Impact in the CC Overflow detected! Unique characteristics Unique exploit path Base attack potential 33
  • 34. 3. Impact in the CC Buffer Base Defence in Overflow Attack Depth Detected Potential Modifiers Base Attack Potential Real Attack Potential Defence in Depth Modifiers 34
  • 35. 3. Impact in the CC Defence in depth technique Attack potential factor Stack Canaries (Windows) x 1.2 Stack Canaries + SafeSEH (Windows) x 1.3 Non-eXecutable Stack x 1.35 ASLR x 1.50 Stack Canaries (Unix) x 1.52 NX Stack + ASLR x 1.54 NX Stack + ASLR + Stack Canaries (Windows) x 1.62 NX Stack + ASLR + Stack Canaries + SafeSEH (Windows) x 1.66 NX Stack + ASLR + Stack Canaries (Unix) x 1.68 … … 35
  • 36. 1.Buffer overflows, a bit of background 2.Reviewing defence-in-depth techniques 3.Impact in the CC 4.What to do? 36
  • 37. 4. What to do? 37
  • 38. 4. What to do? 38
  • 39. 4. What to do? 39
  • 40. 4. What to do? Whenever it is possible Through compiler Through Operating System 40
  • 41. 4. What to do? 41
  • 42. Thanks for your attention! attention! Javier Tallón Epoche & Espri, S.L. Avda. de la Vega, 1 28108, Alcobendas, Madrid, Spain. eval@epoche.es 42