SlideShare uma empresa Scribd logo
1 de 42
Baixar para ler offline
COREBack to the
PoC
• ACE
• Target for ACE
• KernelIo
• Target for kernelIo
• Overflows & techs
• KASLR,
PoolSpary,
Info Leaks
• MMU
• Conclusions
ROP
- Historical issue
- First ROP appear in
MSDOS
- Widely used as
bypass for DEP
- Using gadgets
- ROP compilers /
finders
- Depends on prepared
stack layout
http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.htmlhttps://www.auscert.org.au/render.html?it=13408
Solving old problem
ROP
• offset to code
gadgets - relative
• Reuse of existing
code
• Jumps from one
gadget to another
• Based on gadgets
• Depends heavily on
stack layout
anti-ROP
• Randomization of
function position
• Randomization of
instructions (pos)
• Symbolic execution
at selected points
• CFG
• X
https://ropguard.googlecode.com/svn-
history/r2/trunk/doc/ropguard.pdf
www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf www.vdalabs.com/tools/
DeMott_BlueHat_Submission.pdfhttp://www.microsoft.com/en-us/download/details.aspx?id=41138
CFG
- Protect virtual calls
- In kernel mode not so
widely used anyway,
unfortunately …
- Per process bitmap
- Per process registered
functions
- Fast lookup!
- Only approximation of
problem
- Handle only old known
ROP way of thinking
- But finally there! Good
job!!
- Not handle stack
hooking / pivoting
- Not handle integrity
problems
- Not handle ROP in
general
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/
http://www.powerofcommunity.net/poc2014/mj0011.pdf http://www.alex-ionescu.com/?p=246
CF Hijack
continue!
- Do not use ROP for
everything!
- ROP are old & obsolete
- Use functions in smart
way!
- Check args, checks
output, match your
goal!
- Mix ROP and functions
- Misuse functions as
your payload!
- Use stack hooking if
you *really* need ACE
on your code
- Find similar, but
CFG-approved functions!
- 一步一步 (step-by-step)
http://blogs.msdn.com/b/vcblog/archive/2014/12/08/visual-studio-2015-preview-work-in-progress-security-feature.aspx
http://research.microsoft.com/pubs/101332/BGI-SOSP.pdfhttp://research.microsoft.com/pubs/69217/ccs05-cfi.pdf
TO THE ROOTS OF
PROBLEM!
Integrity guards
fast, reliable, no easy targets anymore!
Integrity guards
• No PLAIN function pointers anymore!
– Target reduction
– More info leaks needed!
• Protect integrity per object level
– Results in UAF mitigation
• Easy implementation
– Objective-C manually ( PROTECTED_ASIGN )
– C++ => compiler can hide this logic
• Protect only virtual calls
• Fast : only few instructions added
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1332.pdf
Control Flow Stack
Separated stack, only CF instructions can write
to this stack
idea comes to me from this creative guy : https://sk.linkedin.com/pub/ladislav-nevery/26/a87/498
Control flow stack
• Two stacks
– args & vars
– return pointers
• ROP is not applicable anymore
• Stack hooking and pivoting are offline
as well!
• Special register for cf-stack
– cpl0 & cpl3, maintained by context switch
– No direct write, as (e/r)ip at x86
– Write onto cf-stack only by cf-instructions
• call, jmp, jx, ret, privileged switch
– Processor solution needed …
Safe
Memory
- Code-Pointer
Integrity
- Kuznetsov at OSDI
- Separate memory for
‘sensitive’ pointers
- Isolation on
instruction level by
using segments fs
(gs)
- Impressive output –
performance & results
- No need for addition
instructions / regs
http://www.cs.berkeley.edu/~dawnsong/papers/
osdi14-paper-kuznetsov.pdf
https://www.usenix.org/sites/default/files/conference/
protected-files/osdi14_slides_kuznetsov.pdf
KERNEL IO – SMEP / SMAP
windows memory layout
On linux caches, on windows pools
http://www.alex-ionescu.com/?p=231 http://www.alex-ionescu.com/?p=246
Cool objects everywhere
• Kernel objects in plain state
– function pointers
– object pointers (buffers, other objs)
– object members (size,count,refcount..)
• In modules RW states – plain
– freelists
– ‘vtables’
– locks
• Target pool & find your object
– nt!_eprocess (->VadRoot)
– win32k!tagWND
– page tables (cr3)
– ...
OVERFLOWS
protections
• SMAP
• SMEP
• KASLR
• Pool hardening
response
• Your data is in kernel
already!
• Turn your bug to
boosted kernel io
• ExAllocatePool or
Pagetables
• You pwn pool object -
be relative!
• Try - big allocs ...
POC : http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
details soon!
Kernel
Pool
- About BIG allocs :
- Deterministic
- especial windows
- Linux SLUB +1
- User controllable
- alloc
- free
- data control!
- FULL == epic!
- Predictable :
- Pointers
{base + align}
- size
- properties
- Layout-able!
- Targeted overflow
TBD : http://confidence.org.pl/en/agenda/lecture/when-something-overflowing/
X64 vs overflows!
• Fact : Overflows are (relatively) easy to
exploit even on x64
– Although it should be mitigated on secure oriented
architecture (/OS) by design
• virt addr space > phys addr space
– gaps => page_noaccess
• Randomized bases of pools
• Hunting for buffer overflows :
– boost pageheap
– Use virt-phys gap more!
– Use page guards more!
– Randomize more!
https://msdn.microsoft.com/en-us/library/windows/hardware/ff549561%28v=vs.85%29.aspx
reserve, randomize, guard!
Overflow results in trap, no stable UAF,
sometimes wasting address space can secure it
whole! – see cfg ..
Hunting pool overflows
try {
• Over/under flow to
another object
• Try to use UAF
• Performance
• Waste of space
• Small allocs
ex(p/c)ect }
• Results in trap –
page_noaccess
• Reused pool but object at
different address
• Page tables & Vad
– coalescing :/
– classic pageheap problems
• X64 finally, use it!
• Target only big allocs,
and (+inner)arrays
(compile time)
KASLR & MMU
KASLR – user calling!
• _sidt / _sgdt
– Instruction :/
– basically leaks
&ntoskrnl
(use kernelio)
• user32!gSharedInfo
– Bad joke of security
– Leaks session pool
– leaks nt!_eprocess
pointers!
(use kernelio)
http://www.mista.nu/research/mandt-win32k-slides.pdf
KASLR – user calling!
• SESSION_POOL - Problem bro ?
• X64 large address space
• but leaks session pool
• On session pool mighty objects!
win32k!_bitmap
• arbitrary write to boost size, or other
property
• Pool layout & align *NO PROBLEM*
• PWN DONE!
KASLR – timer is calling!
Guess where is pool for nt!_ethread
Timing
attacks
- Doable
- Simple
- Ping kernel by time
- Spray kernel pool
- Ping kernel again
- Measure difference
- Got kernel pool base!
- MMU mechanism was
build:
- To be fast not ‘too
secure’!
- TSX is to be disabled
by microcode update
- But other research &
approaches well known!
http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
http://felinemenace.org/~nem
o/docs/TR-HGI-2013-001.pdf
MMU continue!
concept, multiple layers of PXN in real
http://www.cs.ucla.edu/classes/spring14/cs111/scribe/14b/
Basic
idea
1. Per page privilages
2. Supervisor vs User
priv
3. Make mmap /
VirtualAlloc
4. memcpy data
5. Flag you page as
Supervisor
6. Trigger ACE or Data
access
7. Bypass SMEP
8. Bypass SMAP
http://viralpatel.net/taj/tutorial/paging.php
POC – by MWR labs
1.choose address with isolated page tables
1.To be sure write-where does not hit other used
memory
2.0x100804020001
1.far enough in memory
2.Kinda magic address, explain later
3.mmap 0x100804020001
4.memcpy
5.Patch S/U bits (write-where)
6.S/U bits need to patch per PXE !
7.pwn
https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/
MMU logic
• Unmapped memory
cause PageFault
• Bad access cause
PageFault
• PageFault handler do
lookups
• VAD / vm_area
• On behalf of lookup
will continue
• Create / Read Page
Tables
VAD /
VM_AREA
 malloc is lazy
 Reserve memory in
memory struct (AVL
tree)
 Do not create Page
Table entries!
 PTE are created on
first access in
PageFault handler!
 NULLPTR deref killed
by checking here
http://www.codemachine.com/article_protopte.html
MMU
PWNED!
1. write-where
2. nt!_eprocess->VadRoot
(task_struct->mm)
3. Substitue with own
simple member
4. Fake member covers
whole memory range
5. Trigger PageFault
(f.e. nullptr deref ;)
6. PageFault handler
find it in Vad / mm
7. MMU will create page
tables
8. FirstPrototypePte
is physical address,
you choose!
9. Leads to read / write
arbitrary memory!
10.nullptr revival!
Virtual address == SYMBOLIC
Not checked if it is *really* cpl0 or cpl3 page!
KERNEL - FAIL – SAFE – CHECKS
copy_to/from_user
ProbeForRead/Write
The ProbeForRead routine checks that a
user-mode buffer actually resides in the
user portion of the address space, and is
correctly aligned.
Think deeper!
Make user mode alias translated to target, and
then use rw to kernel mode target!
Self -
REF
• write-where to patch
• but where to write ?
• x64 => 4lvl of PXE
• PML4, PDP, PT, PTE
• c3 holds the PML4
base
• others PXE are need
to be readed!
• … unless self
referencing comes in
place!
• bonus cr3 : physical
addresses not so
well randomized ;)
!pte 0x100804020001
How magic is it, self-ref tricking…
Exploring
Potential
 in every PXE is
physical addresses!
 We point to PM4,
after last
translation
 Byte Offset points
to PHYSICAL address
to be read / write /
exec
 Virtual addresses
are just symbolic
links to physical
ones
 RWE to all physical
memory
 Equivalent to broke
KASLR, SMEP, SMAP,
W^X, NonPagePoolNx
 Windows playing with MMU pagetables,
self-ref at INFILTRATE by Alex!
http://infiltratecon.com/speakers.html#alex
Page fault on write
Confused state => COW
Framework
1. Provide page dir
addr
2. Provide write-where
vuln
1. will be used
once in current
state of OS
2. more generic,
write more times
3. Use as KernelIo
4. Snapshot for arm
Conclusions
• Kernel was build meant to be faster than
secure
• Security is (/can be) boosted by hardware
features, incredibly!
• Compiler can secure a lot, especially for
C++
• Patching to add security != security based
model
• Redesigning from scratch is not undoable,
and maybe not bad idea ..
• But I do not expect many core changes, or
changes at all, so facts remains :
– Changes are hard & slow process
– Attack surface is large
• We are hiring!
 Kernel & app sec
 A *LOT* of research
 mobile, pc
 M$, android, OSX ..
Thank You!
Q & A
@K33nTeam
@zer0mem
peter (at) keencloudtech.com

Mais conteúdo relacionado

Mais procurados

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitJiahong Fang
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)Tim Bunce
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Introduction to .NET Performance Measurement
Introduction to .NET Performance MeasurementIntroduction to .NET Performance Measurement
Introduction to .NET Performance MeasurementSasha Goldshtein
 

Mais procurados (20)

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Packers
PackersPackers
Packers
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
Devel::NYTProf v3 - 200908 (OUTDATED, see 201008)
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
 
Introduction to .NET Performance Measurement
Introduction to .NET Performance MeasurementIntroduction to .NET Performance Measurement
Introduction to .NET Performance Measurement
 

Destaque

Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk   potentially malicious ur ls(130216) #fitalk   potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Ricardo L0gan
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...frank2
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
 
Generic attack detection engine
Generic attack detection engineGeneric attack detection engine
Generic attack detection engineVikrant Kansal
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlJosé Castro
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Vijay Amarnath - Updated
Vijay Amarnath - UpdatedVijay Amarnath - Updated
Vijay Amarnath - UpdatedVijay Amarnath
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernelSeguridad Apple
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security EvasionInvincea, Inc.
 

Destaque (20)

Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk   potentially malicious ur ls(130216) #fitalk   potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Generic attack detection engine
Generic attack detection engineGeneric attack detection engine
Generic attack detection engine
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in Perl
 
EvasionTechniques
EvasionTechniquesEvasionTechniques
EvasionTechniques
 
CSIRT_16_Jun
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
 
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Vijay Amarnath - Updated
Vijay Amarnath - UpdatedVijay Amarnath - Updated
Vijay Amarnath - Updated
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
 

Semelhante a Back to the CORE

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
OSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data centerOSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data centerNETWAYS
 
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner FischerOSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner FischerNETWAYS
 
OSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner FischerOSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner FischerNETWAYS
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injectionDhaval Kapil
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance毅 吕
 
Caching with Memcached and APC
Caching with Memcached and APCCaching with Memcached and APC
Caching with Memcached and APCBen Ramsey
 
Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…
Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…
Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…Atwix
 
php & performance
 php & performance php & performance
php & performancesimon8410
 
Preparing OpenSHMEM for Exascale
Preparing OpenSHMEM for ExascalePreparing OpenSHMEM for Exascale
Preparing OpenSHMEM for Exascaleinside-BigData.com
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringScyllaDB
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Hsien-Hsin Sean Lee, Ph.D.
 
Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...
Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...
Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...Spark Summit
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
Spark Summit EU talk by Luca Canali
Spark Summit EU talk by Luca CanaliSpark Summit EU talk by Luca Canali
Spark Summit EU talk by Luca CanaliSpark Summit
 

Semelhante a Back to the CORE (20)

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Esctp snir
Esctp snirEsctp snir
Esctp snir
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Scalable Web Apps
Scalable Web AppsScalable Web Apps
Scalable Web Apps
 
OSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data centerOSDC 2017 - Werner Fischer - Open power for the data center
OSDC 2017 - Werner Fischer - Open power for the data center
 
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner FischerOSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
 
OSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner FischerOSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner Fischer
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injection
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance
 
Caching with Memcached and APC
Caching with Memcached and APCCaching with Memcached and APC
Caching with Memcached and APC
 
CPU Caches
CPU CachesCPU Caches
CPU Caches
 
Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…
Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…
Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…
 
php & performance
 php & performance php & performance
php & performance
 
Preparing OpenSHMEM for Exascale
Preparing OpenSHMEM for ExascalePreparing OpenSHMEM for Exascale
Preparing OpenSHMEM for Exascale
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
 
Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...
Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...
Fault Tolerance in Spark: Lessons Learned from Production: Spark Summit East ...
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Spark Summit EU talk by Luca Canali
Spark Summit EU talk by Luca CanaliSpark Summit EU talk by Luca Canali
Spark Summit EU talk by Luca Canali
 

Último

Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...Splashtop Inc
 
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityLarge Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityRandy Shoup
 
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
BusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptxBusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptx
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptxAGATSoftware
 
8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.Ritesh Kanjee
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfICS
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsconfluent
 
8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdf8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdfOffsiteNOC
 
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurMinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurPriyadarshini T
 
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevLeveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevpmgdscunsri
 
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...MyFAA
 
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...jackiepotts6
 
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...Maxim Salnikov
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houstonjennysmithusa549
 
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdfFlutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdfMind IT Systems
 
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxCYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxBarakaMuyengi
 
Technical improvements. Reasons. Methods. Estimations. CJ
Technical improvements.  Reasons. Methods. Estimations. CJTechnical improvements.  Reasons. Methods. Estimations. CJ
Technical improvements. Reasons. Methods. Estimations. CJpolinaucc
 
Steps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic DevelopersSteps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic Developersmichealwillson701
 
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsMUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsUniversity of Antwerp
 

Último (20)

Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
 
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityLarge Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
 
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
BusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptxBusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptx
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
 
8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insights
 
8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdf8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdf
 
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurMinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
 
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevLeveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
 
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
 
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
 
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houston
 
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdfFlutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
 
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxCYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
 
Technical improvements. Reasons. Methods. Estimations. CJ
Technical improvements.  Reasons. Methods. Estimations. CJTechnical improvements.  Reasons. Methods. Estimations. CJ
Technical improvements. Reasons. Methods. Estimations. CJ
 
Steps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic DevelopersSteps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic Developers
 
20140812 - OBD2 Solution
20140812 - OBD2 Solution20140812 - OBD2 Solution
20140812 - OBD2 Solution
 
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsMUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
 

Back to the CORE

  • 2. PoC • ACE • Target for ACE • KernelIo • Target for kernelIo • Overflows & techs • KASLR, PoolSpary, Info Leaks • MMU • Conclusions
  • 3. ROP - Historical issue - First ROP appear in MSDOS - Widely used as bypass for DEP - Using gadgets - ROP compilers / finders - Depends on prepared stack layout http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.htmlhttps://www.auscert.org.au/render.html?it=13408
  • 4. Solving old problem ROP • offset to code gadgets - relative • Reuse of existing code • Jumps from one gadget to another • Based on gadgets • Depends heavily on stack layout anti-ROP • Randomization of function position • Randomization of instructions (pos) • Symbolic execution at selected points • CFG • X https://ropguard.googlecode.com/svn- history/r2/trunk/doc/ropguard.pdf www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf www.vdalabs.com/tools/ DeMott_BlueHat_Submission.pdfhttp://www.microsoft.com/en-us/download/details.aspx?id=41138
  • 5. CFG - Protect virtual calls - In kernel mode not so widely used anyway, unfortunately … - Per process bitmap - Per process registered functions - Fast lookup! - Only approximation of problem - Handle only old known ROP way of thinking - But finally there! Good job!! - Not handle stack hooking / pivoting - Not handle integrity problems - Not handle ROP in general http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/ http://www.powerofcommunity.net/poc2014/mj0011.pdf http://www.alex-ionescu.com/?p=246
  • 6. CF Hijack continue! - Do not use ROP for everything! - ROP are old & obsolete - Use functions in smart way! - Check args, checks output, match your goal! - Mix ROP and functions - Misuse functions as your payload! - Use stack hooking if you *really* need ACE on your code - Find similar, but CFG-approved functions! - 一步一步 (step-by-step) http://blogs.msdn.com/b/vcblog/archive/2014/12/08/visual-studio-2015-preview-work-in-progress-security-feature.aspx http://research.microsoft.com/pubs/101332/BGI-SOSP.pdfhttp://research.microsoft.com/pubs/69217/ccs05-cfi.pdf
  • 7. TO THE ROOTS OF PROBLEM!
  • 8. Integrity guards fast, reliable, no easy targets anymore!
  • 9. Integrity guards • No PLAIN function pointers anymore! – Target reduction – More info leaks needed! • Protect integrity per object level – Results in UAF mitigation • Easy implementation – Objective-C manually ( PROTECTED_ASIGN ) – C++ => compiler can hide this logic • Protect only virtual calls • Fast : only few instructions added http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1332.pdf
  • 10. Control Flow Stack Separated stack, only CF instructions can write to this stack idea comes to me from this creative guy : https://sk.linkedin.com/pub/ladislav-nevery/26/a87/498
  • 11. Control flow stack • Two stacks – args & vars – return pointers • ROP is not applicable anymore • Stack hooking and pivoting are offline as well! • Special register for cf-stack – cpl0 & cpl3, maintained by context switch – No direct write, as (e/r)ip at x86 – Write onto cf-stack only by cf-instructions • call, jmp, jx, ret, privileged switch – Processor solution needed …
  • 12. Safe Memory - Code-Pointer Integrity - Kuznetsov at OSDI - Separate memory for ‘sensitive’ pointers - Isolation on instruction level by using segments fs (gs) - Impressive output – performance & results - No need for addition instructions / regs http://www.cs.berkeley.edu/~dawnsong/papers/ osdi14-paper-kuznetsov.pdf https://www.usenix.org/sites/default/files/conference/ protected-files/osdi14_slides_kuznetsov.pdf
  • 13. KERNEL IO – SMEP / SMAP
  • 14. windows memory layout On linux caches, on windows pools http://www.alex-ionescu.com/?p=231 http://www.alex-ionescu.com/?p=246
  • 15. Cool objects everywhere • Kernel objects in plain state – function pointers – object pointers (buffers, other objs) – object members (size,count,refcount..) • In modules RW states – plain – freelists – ‘vtables’ – locks • Target pool & find your object – nt!_eprocess (->VadRoot) – win32k!tagWND – page tables (cr3) – ...
  • 16. OVERFLOWS protections • SMAP • SMEP • KASLR • Pool hardening response • Your data is in kernel already! • Turn your bug to boosted kernel io • ExAllocatePool or Pagetables • You pwn pool object - be relative! • Try - big allocs ... POC : http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204 details soon!
  • 17. Kernel Pool - About BIG allocs : - Deterministic - especial windows - Linux SLUB +1 - User controllable - alloc - free - data control! - FULL == epic! - Predictable : - Pointers {base + align} - size - properties - Layout-able! - Targeted overflow TBD : http://confidence.org.pl/en/agenda/lecture/when-something-overflowing/
  • 18. X64 vs overflows! • Fact : Overflows are (relatively) easy to exploit even on x64 – Although it should be mitigated on secure oriented architecture (/OS) by design • virt addr space > phys addr space – gaps => page_noaccess • Randomized bases of pools • Hunting for buffer overflows : – boost pageheap – Use virt-phys gap more! – Use page guards more! – Randomize more! https://msdn.microsoft.com/en-us/library/windows/hardware/ff549561%28v=vs.85%29.aspx
  • 19. reserve, randomize, guard! Overflow results in trap, no stable UAF, sometimes wasting address space can secure it whole! – see cfg ..
  • 20. Hunting pool overflows try { • Over/under flow to another object • Try to use UAF • Performance • Waste of space • Small allocs ex(p/c)ect } • Results in trap – page_noaccess • Reused pool but object at different address • Page tables & Vad – coalescing :/ – classic pageheap problems • X64 finally, use it! • Target only big allocs, and (+inner)arrays (compile time)
  • 22. KASLR – user calling! • _sidt / _sgdt – Instruction :/ – basically leaks &ntoskrnl (use kernelio) • user32!gSharedInfo – Bad joke of security – Leaks session pool – leaks nt!_eprocess pointers! (use kernelio) http://www.mista.nu/research/mandt-win32k-slides.pdf
  • 23. KASLR – user calling! • SESSION_POOL - Problem bro ? • X64 large address space • but leaks session pool • On session pool mighty objects! win32k!_bitmap • arbitrary write to boost size, or other property • Pool layout & align *NO PROBLEM* • PWN DONE!
  • 24. KASLR – timer is calling! Guess where is pool for nt!_ethread
  • 25. Timing attacks - Doable - Simple - Ping kernel by time - Spray kernel pool - Ping kernel again - Measure difference - Got kernel pool base! - MMU mechanism was build: - To be fast not ‘too secure’! - TSX is to be disabled by microcode update - But other research & approaches well known! http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/ http://felinemenace.org/~nem o/docs/TR-HGI-2013-001.pdf
  • 26. MMU continue! concept, multiple layers of PXN in real http://www.cs.ucla.edu/classes/spring14/cs111/scribe/14b/
  • 27. Basic idea 1. Per page privilages 2. Supervisor vs User priv 3. Make mmap / VirtualAlloc 4. memcpy data 5. Flag you page as Supervisor 6. Trigger ACE or Data access 7. Bypass SMEP 8. Bypass SMAP http://viralpatel.net/taj/tutorial/paging.php
  • 28. POC – by MWR labs 1.choose address with isolated page tables 1.To be sure write-where does not hit other used memory 2.0x100804020001 1.far enough in memory 2.Kinda magic address, explain later 3.mmap 0x100804020001 4.memcpy 5.Patch S/U bits (write-where) 6.S/U bits need to patch per PXE ! 7.pwn https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/
  • 29. MMU logic • Unmapped memory cause PageFault • Bad access cause PageFault • PageFault handler do lookups • VAD / vm_area • On behalf of lookup will continue • Create / Read Page Tables
  • 30. VAD / VM_AREA  malloc is lazy  Reserve memory in memory struct (AVL tree)  Do not create Page Table entries!  PTE are created on first access in PageFault handler!  NULLPTR deref killed by checking here http://www.codemachine.com/article_protopte.html
  • 31. MMU PWNED! 1. write-where 2. nt!_eprocess->VadRoot (task_struct->mm) 3. Substitue with own simple member 4. Fake member covers whole memory range 5. Trigger PageFault (f.e. nullptr deref ;) 6. PageFault handler find it in Vad / mm 7. MMU will create page tables 8. FirstPrototypePte is physical address, you choose! 9. Leads to read / write arbitrary memory! 10.nullptr revival!
  • 32. Virtual address == SYMBOLIC Not checked if it is *really* cpl0 or cpl3 page!
  • 33. KERNEL - FAIL – SAFE – CHECKS copy_to/from_user ProbeForRead/Write The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned.
  • 34. Think deeper! Make user mode alias translated to target, and then use rw to kernel mode target!
  • 35. Self - REF • write-where to patch • but where to write ? • x64 => 4lvl of PXE • PML4, PDP, PT, PTE • c3 holds the PML4 base • others PXE are need to be readed! • … unless self referencing comes in place! • bonus cr3 : physical addresses not so well randomized ;)
  • 36. !pte 0x100804020001 How magic is it, self-ref tricking…
  • 37. Exploring Potential  in every PXE is physical addresses!  We point to PM4, after last translation  Byte Offset points to PHYSICAL address to be read / write / exec  Virtual addresses are just symbolic links to physical ones  RWE to all physical memory  Equivalent to broke KASLR, SMEP, SMAP, W^X, NonPagePoolNx  Windows playing with MMU pagetables, self-ref at INFILTRATE by Alex! http://infiltratecon.com/speakers.html#alex
  • 38. Page fault on write
  • 40. Framework 1. Provide page dir addr 2. Provide write-where vuln 1. will be used once in current state of OS 2. more generic, write more times 3. Use as KernelIo 4. Snapshot for arm
  • 41. Conclusions • Kernel was build meant to be faster than secure • Security is (/can be) boosted by hardware features, incredibly! • Compiler can secure a lot, especially for C++ • Patching to add security != security based model • Redesigning from scratch is not undoable, and maybe not bad idea .. • But I do not expect many core changes, or changes at all, so facts remains : – Changes are hard & slow process – Attack surface is large
  • 42. • We are hiring!  Kernel & app sec  A *LOT* of research  mobile, pc  M$, android, OSX .. Thank You! Q & A @K33nTeam @zer0mem peter (at) keencloudtech.com

Notas do Editor

  1. To view this presentation, first, turn up your volume and second, launch the self-running slide show.