More content
This commit is contained in:
parent
e53c639bb1
commit
5bd8c61a69
BIN
work/01paper.pdf
Binary file not shown.
@ -1,6 +1,7 @@
|
|||||||
\documentclass[conference]{IEEEtran}
|
\documentclass[conference]{IEEEtran}
|
||||||
\IEEEoverridecommandlockouts{}
|
\IEEEoverridecommandlockouts{}
|
||||||
% The preceding line is only needed to identify funding in the first footnote. If that is unneeded, please comment it out.
|
% The preceding line is only needed to identify funding in the first footnote.
|
||||||
|
% If that is unneeded, please comment it out.
|
||||||
\usepackage{csquotes}
|
\usepackage{csquotes}
|
||||||
\usepackage[style=ieee,backend=biber]{biblatex}
|
\usepackage[style=ieee,backend=biber]{biblatex}
|
||||||
|
|
||||||
@ -30,7 +31,8 @@
|
|||||||
%%fuer abkuerzungen begin
|
%%fuer abkuerzungen begin
|
||||||
\usepackage[acronym,hyperfirst = false]{glossaries}
|
\usepackage[acronym,hyperfirst = false]{glossaries}
|
||||||
\glsdisablehyper{}
|
\glsdisablehyper{}
|
||||||
%\usepackage[acronym,acronymlists={main, abbreviationlist},shortcuts,toc,description,footnote]{glossaries}
|
%\usepackage[acronym,acronymlists={main,
|
||||||
|
%abbreviationlist},shortcuts,toc,description,footnote]{glossaries}
|
||||||
\newglossary[clg]{abbreviationlist}{cyi}{cyg}{List of Abbreviations}
|
\newglossary[clg]{abbreviationlist}{cyi}{cyg}{List of Abbreviations}
|
||||||
\newglossary[slg]{symbolslist}{syi}{syg}{Symbols}
|
\newglossary[slg]{symbolslist}{syi}{syg}{Symbols}
|
||||||
\renewcommand{\firstacronymfont}[1]{\emph{#1}}
|
\renewcommand{\firstacronymfont}[1]{\emph{#1}}
|
||||||
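Review bot: splitting the commented-out `\usepackage[acronym,acronymlists={main, abbreviationlist},...]{glossaries}` line into two `%` lines (`%\usepackage[acronym,acronymlists={main,` / `%abbreviationlist},shortcuts,toc,description,footnote]{glossaries}`) turns a one-line switch into dead text that reads like two unrelated comments and can no longer be re-enabled by deleting a single `%`. Either remove it (the active `\usepackage[acronym,hyperfirst = false]{glossaries}` two lines above already loads the package, and loading it a second time with different options would raise an option clash) or keep it on one line. While touching this block, note that `abbreviationlist` is still declared with `\newglossary[clg]{abbreviationlist}...` but the active options no longer pass `acronymlists`, so `\newacronym` entries go to the default acronym glossary and that list stays empty unless entries set its type explicitly; check that this is intended.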
@ -149,9 +151,18 @@ attacker controlled code.
|
|||||||
|
|
||||||
This is only one of several types and exploitation techniques but the general
|
This is only one of several types and exploitation techniques but the general
|
||||||
idea stays the same: ovewrite the return address or some kind of function
|
idea stays the same: ovewrite the return address or some kind of function
|
||||||
pointer (e.g. in vtables or the \ac{plt}) and once that function is called, the
|
pointer (e.g.\ in vtables or the \ac{plt}) and once that function is called, the
|
||||||
execution flow is hijacked and the attacker can execute arbitiary code.
|
execution flow is hijacked and the attacker can execute arbitiary code.
|
||||||
|
|
||||||
|
The most trivial kinds of exploits is known as a \mintinline{ASM}{NOP} sled.
|
||||||
|
Here the attacker appends as many \mintinline{ASM}{NOP} instructions before any
|
||||||
|
shellcode (e.g.\ to invoke \mintinline{shell}{/bin/sh}) and points the
|
||||||
|
overwritten \ac{ip} somewhere inside the \mintinline{ASM}{NOP}s. The execution
|
||||||
|
\enquote{slides} through the \mintinline{ASM}{NOP}s until it reaches the
|
||||||
|
shellcode. Most of the migration techniques described in this paper protect
|
||||||
|
against this kind of exploit but there are different and more complex ways of
|
||||||
|
exploiting \acp{bof} that are not that easily migrated.
|
||||||
|
|
||||||
\subsection{Implications}
|
\subsection{Implications}
|
||||||
|
|
||||||
\section{Concept and Methods}\label{ref:concept}
|
\section{Concept and Methods}\label{ref:concept}
|
||||||
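Review bot: the new paragraph writes "migration techniques" and "not that easily migrated" where "mitigation techniques" and "mitigated" are meant; since the whole following section is about mitigations this typo changes the meaning. In the same paragraph, "The most trivial kinds of exploits is known as" has a number disagreement ("kind ... is"), a NOP sled is placed in front of the shellcode rather than "appended ... before", and what the attacker overwrites is the return address, from which the \ac{ip} is loaded on \mintinline{ASM}{RET}. Suggested wording: "The most trivial kind of exploit is known as a \mintinline{ASM}{NOP} sled: the attacker places a long run of \mintinline{ASM}{NOP} instructions before the shellcode and points the overwritten return address somewhere into that run, so execution \enquote{slides} through the \mintinline{ASM}{NOP}s until it reaches the shellcode." The unchanged context lines still carry "ovewrite" and "arbitiary"; since the paragraph is being edited anyway, fix them in the same commit.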
@ -171,7 +182,9 @@ The easiest and maybe single most effective method to prevent \acp{bof} is to
|
|||||||
check, if a write or read operation is out of bounds. This requires storing the
|
check, if a write or read operation is out of bounds. This requires storing the
|
||||||
size of a buffer together with the pointer to the buffer and check for each read
|
size of a buffer together with the pointer to the buffer and check for each read
|
||||||
or write in the buffer, if it is in bounds at runtime. Still almost any language
|
or write in the buffer, if it is in bounds at runtime. Still almost any language
|
||||||
that comes with a runtime, uses runtime checking.
|
that comes with a runtime, uses runtime checking. For this technique to be
|
||||||
|
effective effective in general, writes to a raw pointer must be disallowed.
|
||||||
|
Otherwise the security checks can be circumvented.
|
||||||
|
|
||||||
\subsection{Prevent/Detect Overriding Return Address}
|
\subsection{Prevent/Detect Overriding Return Address}
|
||||||
|
|
||||||
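Review bot: "effective effective" in the added sentence is a doubled word. The claim itself is also narrower than it needs to be: bounds checking is only sound when every access goes through the checked path, so what has to be ruled out is not just "writes to a raw pointer" but any unchecked access through raw pointers, including pointer arithmetic and reads (an out-of-bounds read discloses memory just as an out-of-bounds write corrupts it, and the paragraph above explicitly names "read operation" as in scope). Suggest: "For this technique to be effective in general, unchecked accesses through raw pointers must be disallowed; otherwise the checks can be bypassed." The stray comma in the context line "Still almost any language that comes with a runtime, uses runtime checking" should go as well.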
@ -224,11 +237,16 @@ exploiting technique uses existing calls to the libc with attacker controlled
|
|||||||
parameters, e.g.\ if the programm uses the \mintinline{shell}{system} command,
|
parameters, e.g.\ if the programm uses the \mintinline{shell}{system} command,
|
||||||
the attacker can plant \mintinline{shell}{/bin/sh} as parameter on the stack,
|
the attacker can plant \mintinline{shell}{/bin/sh} as parameter on the stack,
|
||||||
followed by the address of \mintinline{shell}{system} and get a shell on the
|
followed by the address of \mintinline{shell}{system} and get a shell on the
|
||||||
system. \ac{rop} (a superset of ret-to-libc exploits) uses so called ROP
|
system. \ac{rop} (a superset of ret-to-libc exploits) uses so called \ac{rop}
|
||||||
gadgets, combinations of memory modifying instructions followed by the ret
|
gadgets, combinations of memory modifying instructions followed by the
|
||||||
instruction to build instruction chains, that execute the desired shellcode.
|
\mintinline{ASM}{RET} instruction to build instruction chains, that execute the
|
||||||
This is done by placing the desired return addresses in the right order on the
|
desired shellcode. This is done by placing the desired return addresses in the
|
||||||
stack and reuses the existing code to circumvent the w\^{}x protection.
|
right order on the stack and reuses the existing code to circumvent the w\^{}x
|
||||||
|
protection. These combinations of memory modification followed by
|
||||||
|
\mintinline{ASM}{RET} instructions are called \ac{rop} chains and are turing
|
||||||
|
complete~\cite{Rop2007}, so in theory it is possible to implement any imaginable
|
||||||
|
payload, as long as the exploited program contains enough gadgets and the
|
||||||
|
overflowing buffer has enough space.
|
||||||
|
|
||||||
|
|
||||||
\section{Discussion}\label{ref:discussion}
|
\section{Discussion}\label{ref:discussion}
|
||||||
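Review bot: the added sentences conflate gadgets with chains and overstate what is Turing complete. A gadget is a short instruction sequence ending in \mintinline{ASM}{RET} (it need not be "memory modifying"); a \ac{rop} chain is the sequence of gadget addresses the attacker lays out on the stack; and the result in~\cite{Rop2007} is that the gadgets found in a given libc form a Turing-complete set, not that "chains" are Turing complete in general. The context line "build instruction chains, that execute the desired shellcode" is also wrong for \ac{rop}: the point of the technique is that no injected shellcode runs at all, the attacker's logic is executed out of existing code, which is exactly why it circumvents w\^{}x. Suggested rewording of the new text: "A gadget is a short sequence of instructions ending in \mintinline{ASM}{RET}. By placing gadget addresses in the right order on the stack, the attacker builds a \ac{rop} chain that executes the desired computation using only existing code, circumventing w\^{}x. Shacham showed that the gadgets present in a standard libc form a Turing-complete set~\cite{Rop2007}, so in theory any payload can be expressed, as long as the exploited program contains enough gadgets and the overflowing buffer has enough space." Minor: "turing" should be "Turing" and "so called" should be hyphenated ("so-called").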
@ -238,10 +256,11 @@ stack and reuses the existing code to circumvent the w\^{}x protection.
|
|||||||
\subsubsection{\ac{aslr}}
|
\subsubsection{\ac{aslr}}
|
||||||
|
|
||||||
\Ac{aslr} has been really effective and wildly used in production. It is
|
\Ac{aslr} has been really effective and wildly used in production. It is
|
||||||
included in most major operating systems~\cite{FBSDaslr}. Some
|
included in most major operating systems~\cite{FBSDaslr}. Some even use kernel
|
||||||
even use kernel \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at %TODO
|
\ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at runtime, it does
|
||||||
runtime, it does not require any changes in the code itself, the programm only
|
not require any changes in the code itself, the programm only has to be compiled
|
||||||
has to be compiled as a \ac{pie}.
|
as a \ac{pie}. On 32-bit CPUs, only 16-bit of the address are randomized. These
|
||||||
|
16-bit can be brute forced in a few minutes or seconds~\cite{AslrEffective2004}.
|
||||||
|
|
||||||
\subsubsection{w\^{}x}
|
\subsubsection{w\^{}x}
|
||||||
|
|
||||||
|
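Review bot: "only 16-bit of the address are randomized" should read "16 bits", and the claim needs its scope stated: \cite{AslrEffective2004} measures 16 bits of entropy for the mmap base of the PaX implementation on 32-bit x86, not for 32-bit CPUs in general, and other implementations use different amounts of randomness. "in a few minutes or seconds" is also loose; the paper's measured figure is on the order of minutes. Suggest: "On 32-bit x86, the PaX implementation studied in~\cite{AslrEffective2004} randomizes the mmap base with only 16 bits of entropy, which can be brute forced in minutes." Two further points in this hunk: "wildly used" in the context line should be "widely used", and removing the `%TODO` marker does not resolve what it probably flagged, namely that "included in most major operating systems" is supported only by \cite{FBSDaslr}, whose key suggests it covers FreeBSD alone.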
@ -8,6 +8,13 @@ own:
|
|||||||
year = {2002}
|
year = {2002}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@inproceedings{Rop2007,
|
||||||
|
author = {{Shacham, Hovav}},
|
||||||
|
booktitle = {{Proceedings of the 14th ACM conference on Computer and communications security (CCS)}},
|
||||||
|
title = {{The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)}},
|
||||||
|
year = {2007}
|
||||||
|
}
|
||||||
|
|
||||||
@inproceedings{Detection2018,
|
@inproceedings{Detection2018,
|
||||||
author = {{Chaim, Marcos and Santos, Daniel and Cruzes, Daniela}},
|
author = {{Chaim, Marcos and Santos, Daniel and Cruzes, Daniela}},
|
||||||
booktitle = {{International Journal of Systems and Software Security and Protection (IJSSSP)}},
|
booktitle = {{International Journal of Systems and Software Security and Protection (IJSSSP)}},
|
||||||
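Review bot: the new entry wraps the author in double braces, `author = {{Shacham, Hovav}}`, which makes BibTeX/biber treat the whole field as one literal name, so it is not split into last and first name, prints verbatim, and sorts and abbreviates wrongly under `style=ieee`; use `author = {Shacham, Hovav}`. The entry also has no `pages`, `publisher` or `doi`, which the IEEE style prints when present. The same double-brace pattern is in the existing `Detection2018` entry directly below, which is additionally typed `@inproceedings` although its `booktitle` is a journal (`International Journal of Systems and Software Security and Protection`); that one should be `@article` with a `journal` field.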
@ -46,6 +53,13 @@ year = {2001}
|
|||||||
year = {1998}
|
year = {1998}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@inproceedings{AslrEffective2004,
|
||||||
|
year = {2004},
|
||||||
|
booktitle = {{11\textsuperscript{th} ACM conference on Computer and communications security (CCS)}},
|
||||||
|
title = {{On the Effectiveness of Address-Space Randomization}},
|
||||||
|
author = {{Shacham, Hovav and Page, Matthew and Pfaff, Ben and Goh, Eu-Jin and Modadugu, Nagendra and Boneh, Dan}}
|
||||||
|
}
|
||||||
|
|
||||||
@ARTICLE{Smashing2004,
|
@ARTICLE{Smashing2004,
|
||||||
author={J. {Pincus} and B. {Baker}},
|
author={J. {Pincus} and B. {Baker}},
|
||||||
journal={{IEEE Security \& Privacy}},
|
journal={{IEEE Security \& Privacy}},
|
||||||
|
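Review bot: `11\textsuperscript{th}` in the booktitle is inconsistent with `14th` in the Rop2007 entry added in the same commit and puts TeX markup into a data field; write `11th` and let the style format it. The author field has the same double-brace problem as Rop2007, and here it is worse: `author = {{Shacham, Hovav and Page, Matthew and ...}}` is parsed as a single name, so the `and` separators are ignored and the six authors collapse into one. The field order (year first, then booktitle, title, author) also differs from every other entry in the file; use the author/title/booktitle/year order used elsewhere and add `pages` and `doi` so both new entries render consistently.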