More content

This commit is contained in:
Valentin Brandl 2019-12-11 20:21:10 +01:00
parent e53c639bb1
commit 5bd8c61a69
No known key found for this signature in database
GPG Key ID: 30D341DD34118D7D
3 changed files with 46 additions and 13 deletions

Binary file not shown.

View File

@ -1,6 +1,7 @@
\documentclass[conference]{IEEEtran} \documentclass[conference]{IEEEtran}
\IEEEoverridecommandlockouts{} \IEEEoverridecommandlockouts{}
% The preceding line is only needed to identify funding in the first footnote. If that is unneeded, please comment it out. % The preceding line is only needed to identify funding in the first footnote.
% If that is unneeded, please comment it out.
\usepackage{csquotes} \usepackage{csquotes}
\usepackage[style=ieee,backend=biber]{biblatex} \usepackage[style=ieee,backend=biber]{biblatex}
@ -30,7 +31,8 @@
%%fuer abkuerzungen begin %%fuer abkuerzungen begin
\usepackage[acronym,hyperfirst = false]{glossaries} \usepackage[acronym,hyperfirst = false]{glossaries}
\glsdisablehyper{} \glsdisablehyper{}
%\usepackage[acronym,acronymlists={main, abbreviationlist},shortcuts,toc,description,footnote]{glossaries} %\usepackage[acronym,acronymlists={main,
%abbreviationlist},shortcuts,toc,description,footnote]{glossaries}
\newglossary[clg]{abbreviationlist}{cyi}{cyg}{List of Abbreviations} \newglossary[clg]{abbreviationlist}{cyi}{cyg}{List of Abbreviations}
\newglossary[slg]{symbolslist}{syi}{syg}{Symbols} \newglossary[slg]{symbolslist}{syi}{syg}{Symbols}
\renewcommand{\firstacronymfont}[1]{\emph{#1}} \renewcommand{\firstacronymfont}[1]{\emph{#1}}
@ -149,9 +151,18 @@ attacker controlled code.
This is only one of several types and exploitation techniques but the general This is only one of several types and exploitation techniques but the general
idea stays the same: ovewrite the return address or some kind of function idea stays the same: ovewrite the return address or some kind of function
pointer (e.g. in vtables or the \ac{plt}) and once that function is called, the pointer (e.g.\ in vtables or the \ac{plt}) and once that function is called, the
execution flow is hijacked and the attacker can execute arbitiary code. execution flow is hijacked and the attacker can execute arbitiary code.
The most trivial kinds of exploits is known as a \mintinline{ASM}{NOP} sled.
Here the attacker appends as many \mintinline{ASM}{NOP} instructions before any
shellcode (e.g.\ to invoke \mintinline{shell}{/bin/sh}) and points the
overwritten \ac{ip} somewhere inside the \mintinline{ASM}{NOP}s. The execution
\enquote{slides} through the \mintinline{ASM}{NOP}s until it reaches the
shellcode. Most of the migration techniques described in this paper protect
against this kind of exploit but there are different and more complex ways of
exploiting \acp{bof} that are not that easily migrated.
\subsection{Implications} \subsection{Implications}
\section{Concept and Methods}\label{ref:concept} \section{Concept and Methods}\label{ref:concept}
@ -171,7 +182,9 @@ The easiest and maybe single most effective method to prevent \acp{bof} is to
check, if a write or read operation is out of bounds. This requires storing the check, if a write or read operation is out of bounds. This requires storing the
size of a buffer together with the pointer to the buffer and check for each read size of a buffer together with the pointer to the buffer and check for each read
or write in the buffer, if it is in bounds at runtime. Still almost any language or write in the buffer, if it is in bounds at runtime. Still almost any language
that comes with a runtime, uses runtime checking. that comes with a runtime, uses runtime checking. For this technique to be
effective effective in general, writes to a raw pointer must be disallowed.
Otherwise the security checks can be circumvented.
\subsection{Prevent/Detect Overriding Return Address} \subsection{Prevent/Detect Overriding Return Address}
@ -224,11 +237,16 @@ exploiting technique uses existing calls to the libc with attacker controlled
parameters, e.g.\ if the programm uses the \mintinline{shell}{system} command, parameters, e.g.\ if the programm uses the \mintinline{shell}{system} command,
the attacker can plant \mintinline{shell}{/bin/sh} as parameter on the stack, the attacker can plant \mintinline{shell}{/bin/sh} as parameter on the stack,
followed by the address of \mintinline{shell}{system} and get a shell on the followed by the address of \mintinline{shell}{system} and get a shell on the
system. \ac{rop} (a superset of ret-to-libc exploits) uses so called ROP system. \ac{rop} (a superset of ret-to-libc exploits) uses so called \ac{rop}
gadgets, combinations of memory modifying instructions followed by the ret gadgets, combinations of memory modifying instructions followed by the
instruction to build instruction chains, that execute the desired shellcode. \mintinline{ASM}{RET} instruction to build instruction chains, that execute the
This is done by placing the desired return addresses in the right order on the desired shellcode. This is done by placing the desired return addresses in the
stack and reuses the existing code to circumvent the w\^{}x protection. right order on the stack and reuses the existing code to circumvent the w\^{}x
protection. These combinations of memory modification followed by
\mintinline{ASM}{RET} instructions are called \ac{rop} chains and are turing
complete~\cite{Rop2007}, so in theory it is possible to implement any imaginable
payload, as long as the exploited program contains enough gadgets and the
overflowing buffer has enough space.
\section{Discussion}\label{ref:discussion} \section{Discussion}\label{ref:discussion}
@ -238,10 +256,11 @@ stack and reuses the existing code to circumvent the w\^{}x protection.
\subsubsection{\ac{aslr}} \subsubsection{\ac{aslr}}
\Ac{aslr} has been really effective and wildly used in production. It is \Ac{aslr} has been really effective and wildly used in production. It is
included in most major operating systems~\cite{FBSDaslr}. Some included in most major operating systems~\cite{FBSDaslr}. Some even use kernel
even use kernel \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at %TODO \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at runtime, it does
runtime, it does not require any changes in the code itself, the programm only not require any changes in the code itself, the programm only has to be compiled
has to be compiled as a \ac{pie}. as a \ac{pie}. On 32-bit CPUs, only 16-bit of the address are randomized. These
16-bit can be brute forced in a few minutes or seconds~\cite{AslrEffective2004}.
\subsubsection{w\^{}x} \subsubsection{w\^{}x}

View File

@ -8,6 +8,13 @@ own:
year = {2002} year = {2002}
} }
@inproceedings{Rop2007,
author = {{Shacham, Hovav}},
booktitle = {{Proceedings of the 14th ACM conference on Computer and communications security (CCS)}},
title = {{The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)}},
year = {2007}
}
@inproceedings{Detection2018, @inproceedings{Detection2018,
author = {{Chaim, Marcos and Santos, Daniel and Cruzes, Daniela}}, author = {{Chaim, Marcos and Santos, Daniel and Cruzes, Daniela}},
booktitle = {{International Journal of Systems and Software Security and Protection (IJSSSP)}}, booktitle = {{International Journal of Systems and Software Security and Protection (IJSSSP)}},
@ -46,6 +53,13 @@ year = {2001}
year = {1998} year = {1998}
} }
@inproceedings{AslrEffective2004,
year = {2004},
booktitle = {{11\textsuperscript{th} ACM conference on Computer and communications security (CCS)}},
title = {{On the Effectiveness of Address-Space Randomization}},
author = {{Shacham, Hovav and Page, Matthew and Pfaff, Ben and Goh, Eu-Jin and Modadugu, Nagendra and Boneh, Dan}}
}
@ARTICLE{Smashing2004, @ARTICLE{Smashing2004,
author={J. {Pincus} and B. {Baker}}, author={J. {Pincus} and B. {Baker}},
journal={{IEEE Security \& Privacy}}, journal={{IEEE Security \& Privacy}},