Upload File

exploits & mitigations - memory corruption techniques

  • Home
  • Software
  • Exploits & Mitigations - Memory Corruption Techniques
16
Exploits and Mitigations Memory Corruption Techniques Sameer Patil CysInfo

Upload: cysinfo-cyber-security-community

Post on 15-Jan-2017

146 views

Category:

Software


0 download

Report

TRANSCRIPT

Page 1: Exploits & Mitigations - Memory Corruption Techniques

Exploits and MitigationsMemory Corruption Techniques

Sameer PatilCysInfo

Page 2: Exploits & Mitigations - Memory Corruption Techniques

Topics to cover

• Stack bof, DEP• ROP attacks and Mitigations• Heap Spray• Abusing vptrs• Use After Free• Flash exploitations• Heap Memory Management• Mitigations

Page 3: Exploits & Mitigations - Memory Corruption Techniques

Virtual Memory Mapping

Page 4: Exploits & Mitigations - Memory Corruption Techniques

Stack BOF

• EIP overwrite• Mitigation-> DEP

Page 5: Exploits & Mitigations - Memory Corruption Techniques

ROP Attack

• Defeat DEP• Shifting the stack location• Chain of small gadgets

Original

Stack

Attacker

Controlled

area

Stack Pivot

Page 6: Exploits & Mitigations - Memory Corruption Techniques

ROP Attack

CODE

0x02010000:pop eaxret...

0x02010020:pop ebxret...

0x02010030:add eax, ebxret...

ACTION

eax = 1

ebx = 2

eax = eax + ebx

Page 7: Exploits & Mitigations - Memory Corruption Techniques

ROP Mitigations

• ASLR• Stack limit check during API call (caller check)• API call using retn instruction• SimExecFlow

Page 8: Exploits & Mitigations - Memory Corruption Techniques

Heap Spray

• Introduced by skylined• Overwrite EIP• Payload-> NOP + shellcode

Page 9: Exploits & Mitigations - Memory Corruption Techniques

Virtual Functions and vptrs

Page 10: Exploits & Mitigations - Memory Corruption Techniques

Abusing vptrs

Page 11: Exploits & Mitigations - Memory Corruption Techniques

Use after Free

• Dangling pointer• Addref() to keep count of direct references• Vulnerability- Replace object with another

object

Page 12: Exploits & Mitigations - Memory Corruption Techniques

Flash Exploitation (CVE-2014-1776)

ROP chain

Page 13: Exploits & Mitigations - Memory Corruption Techniques

Heap Memory Management

• Front-End Allocators– LookAside Lists– Low Fragmentation Heap

• Back End Allocator– FreeLists

Page 14: Exploits & Mitigations - Memory Corruption Techniques

Mitigations

• Isolated Heap• MemoryProtect• Vector and bytearray objects hardening• ROP mitigations

Page 15: Exploits & Mitigations - Memory Corruption Techniques

References

• Mechanism behind IE CVE-2014-1776• Heap Feng Shui in JavaScript• UBIQUITOUS FLASH, UBIQUITOUS EXPLOITS• kBouncer: Efficient and Transparent ROP

Mitigation• Bypassing EMET 4.1

https://community.hpe.com/t5/Security-Research/The-mechanism-behind-Internet-Explorer-CVE-2014-1776-exploits/ba-p/6476220#.V9v7XK3JKZC
https://www.blackhat.com/presentations/bh-usa-07/.../bh-usa-07-sotirov-WP.pdf
https://www.blackhat.com/presentations/bh-usa-07/.../bh-usa-07-sotirov-WP.pdf
https://www.blackhat.com/presentations/bh-usa-07/.../bh-usa-07-sotirov-WP.pdf
https://www.blackhat.com/presentations/bh-usa-07/.../bh-usa-07-sotirov-WP.pdf
https://www.blackhat.com/presentations/bh-usa-07/.../bh-usa-07-sotirov-WP.pdf
https://www.blackhat.com/presentations/bh-usa-07/.../bh-usa-07-sotirov-WP.pdf
https://www.virusbulletin.com/uploads/pdf/conference/.../VB2014-FengFlorio.pdf
https://www.virusbulletin.com/uploads/pdf/conference/.../VB2014-FengFlorio.pdf
https://www.virusbulletin.com/uploads/pdf/conference/.../VB2014-FengFlorio.pdf
http://www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf
http://www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf
https://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
Page 16: Exploits & Mitigations - Memory Corruption Techniques

Thank You!


The Exploit Intelligence Project - NCC Group · 52 Intelligence-Driven Mitigations Easy mitigations (22 out of 27 exploits) DEP on IE, Firefox, and Reader No Java in the Internet

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]

TLP:WHITE - WaterISACU... · EMET employs several mitigations techniques to combat memory corruption techniques. It is recommended all hosts and servers on the network implement mitigation

Les exploits

SECURE PROGRAMMING Chapter 1. Overview What is the problem Cost? Threat? Software Security Concepts Policy Flaws Vulnerabilities Exploits Mitigations

Bypassing Mitigations by Attacking JIT Server in Microsoft ......Memory corruption in the JIT Process. Exploiting process permissions Exploiting memory management Exploiting an ACG

0days, Exploits and Bug bounties - Pwn2Own · Aug 2014 –Sept 2015, chasing the bounties •Getting ready for big bounties •Dealing with last minute mitigations •Why you do absolutely

Debt Settlement LOSS MITIGATIONS LLC. Loss Mitigations LLC Debt Settlement Program Overview 01

Windows Exploit Mitigations - exploit.courses Exploit Mitigations Some statements:

I. Introduction · using standard techniques known to real attackers. ... allowing trivial memory corruption. This is an ... develop reliable exploits for what might otherwise have

Speculative Execution Side Channel Mitigations

Slide 1 Vitaly Shmatikov CS 380S Memory Corruption Exploits Slides on return-oriented programming courtesy of Hovav Shacham

us-16-Silvanovich-The-Year-In-Flash.pdf - Black Hat | … · The year in Flash New bugs and bug classes 0-days, 1-days and other exploits Mitigations The future? ... Display UaFs

Software Exploits

Linux Exploit Mitigation 1 - Compass Security · To understand exploit mitigations Need to understand exploit techniques I’ll lead ... Memory Corruption Types Memory Corruptions

Memory Corruption Exploits - University of Texas at Austinshmat/courses/cs380s_fall09/02memattacks.pdf · Memory Corruption Exploits. Slides on return-oriented programming. courtesy

12. environmental issues, impacts, mitigations

BABAR Risks and Mitigations

Slide Griffin - Practical Attacks and Mitigations

HACKING TECHNIQUES and Mitigations Brady Bloxham

The year in Flash bugs, exploits and mitigations The Secret … Secret Life of... ·  · 2017-08-09How does X impact exploitability Work on mitigations ... MP4 and RegEx bugs Browser

Calculating Cybersecurity Risk and Selecting Mitigations

Defeat Exploit Mitigations - PIE

Threats and their mitigations

TCP Exploits

Anonymity in MANETs Threats and Mitigations

Environmental Impacts (and Mitigations)

Abusing Silent Mitigations - Black Hat | Home · Abusing Silent Mitigations ... two new exploit mitigations into their browser with the ... or it might be a stale pointer that is

Refinery Power Outage Mitigations - 2014 · Refinery Power Outage Mitigations - 2014 Hydrocarbon Publishing Company

Attacks and their mitigations

Memory Corruption Mitigations and Their Implementation ... · corruption attacks still hold the lion’s share among all exploitation techniques used against software systems. The

The Evolution of Microsoft’s Exploitation Mitigations

Next Level Cheating and Leveling-Up Mitigations - Black … · Next Level Cheating and Leveling Up Mitigations ... •World of Warcraft ... Next Level Cheating and Leveling-Up Mitigations

Welfare Reform Mitigations Working Group Report: Next ... · The Welfare Reform Mitigations Working Group Report (the “Evason report”) proposes mitigations that will make a significant

BALANCING MITIGATIONS - California Preservation