security & exploitation - science at...

Security & Exploitation

Operating Systems Spring 2015

RPISEC - 05/11/2015 OS Security 1

whoami


• Markus Gaasedelen – B.S. Computer Science ’15

• Security Enthusiast

– I like to hack things

• President of RPISEC

– http://rpis.ec

What is RPISEC? • The Computer Security Club @ RPI

– http://rpis.ec

• The leading authority on campus for any and all things computer security related

• We compete in hacking competitions known as CTFs (Capture The Flag) and we’re very good at them


CSAW 2014 Finals


CSAW 2014 Awards


What is RPISEC? • The Computer Security Club @ RPI

– http://rpis.ec

• The leading authority on campus for any and all things computer security related

• We compete in hacking competitions known as CTFs (Capture The Flag) and we’re very good at them

• We teach cool and applicable security skills at our weekly meetings – 5-7pm Fridays, DCC 324


Weekly Meetings


WHAT IS SECURITY? let’s get rolling…


What is Security? • Security == Hacking

– ‘politically correct’ – Cyber is the buzzword

• Very technical and

rewarding challenges

• Rarely touched upon in academia

• Many different categories of security


Categories of Security • Cryptography • Web Security • Vulnerability Research • Binary Exploitation • Reverse Engineering • Malware Analysis • Systems Security • Embedded Hardware Hacking • Network Security • Digital Forensics • Physical Security • Pentesting • …


Categories of Security • Cryptography • Web Security • Vulnerability Research • Binary Exploitation • Reverse Engineering • Malware Analysis • Systems Security • Embedded Hardware Hacking • Network Security • Digital Forensics • Physical Security • Pentesting • …


The kind of stuff I’ll talk about today

MEMORY CORRUPTION & BINARY EXPLOITATION


Defining Binary Exploitation

• Binary Exploitation – Carefully leveraging bugs in an application to

cause extreme but controlled failure


Binary Exploitation

‘extreme but controlled failure’


Binary Exploitation



Binary Exploitation

But what does that even mean?



Visualizing Exploitation




wat

Super Mario World Sillyness


https://youtu.be/jnZ2NNYySuE?t=38

https://youtu.be/jnZ2NNYySuE?t=38

Defining Binary Exploitation

• Binary Exploitation – Carefully leveraging bugs in an application to

cause extreme but controlled failure

• Exploitation requires intimate knowledge of

the language, compiler, and the machine


Language Pyramid


The Unexciting Languages

• Binary exploitation isn’t really a thing for managed or scripting languages – C#, .NET, JavaScript, Lua, Python, etc



• Binary exploitation isn’t really a thing for managed or scripting languages – C#, .NET, JavaScript, Lua, Python, etc

• Slower, automates a lot of stuff for you

– Driving an automatic


The C Language

• C is a ‘low level’ language


The C Language

• C is a ‘low level’ language – Compiles straight to machine code

• Very fast


The C Language


The C Language


• Very fast

– Very fine control over the machine and memory • It’s like driving a manual!


The C Language


• Very fast

– Very fine control over the machine and memory • It’s like driving a manual!

– Easy to do stupid things


Going Deeper


Pulling Back the Curtain


“… there's way too much information to decode the Matrix. You get used to it, though. Your brain does the translating. I don't even see the code. All I see is blonde, brunette, redhead.” -Cypher, The Matrix

WELCOME TO THE WARZONE let’s dive right in and try breaking some stuff


warzone.rpis.ec ssh username/password

lab2C / …


Getting Started / Tips

• cd /levels/lab2 • ./lab2C AAAA… • python –c ‘print “A”*20’ • gdb ./lab2C

– run

• In GDB: – Info functions – Info registers

• i r

– disassemble <function> • disas main

– breakpoint <function> • b main

– breakpoint * <address> • b * 0x08048455


Stack Overview • The stack is a region of

memory for a program to maintain function variables, arguments, and control flow metadata during execution


Understanding the Stack


Corrupting the Stack


PWNING the Stack


Endianess

• Endianess – How data is stored in memory

• Modern computers are generally little endian – ‘little end in’

• Endianess can be confusing, and I don’t want to get

into the details – 0x41424344 stored as 0x44, 0x43, 0x42, 0x41 – 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde


lab2C Exploit

./lab2C $(python -c 'print "A"*15 + "\xef\xbe\xad\xde"')


UNDERSTANDING CONTROL FLOW Bend it like Beckham


Example ELF / EXE in Memory


Runtime Memory

Stack

ELF Executable

.text segment

.data segment

Heap

0x00000000 – Start of memory

0xFFFFFFFF – End of memory

0x08048000 – Start of .text Segment

0xbfff0000 – Top of stack

Libraries (libc)

.text segment



Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

.text segment



Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

.text segment



Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment EIP

.text segment



Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

.text segment



Runtime Memory

Stack

Heap

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

.text segment



Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

.text segment



Runtime Memory

Stack

Heap

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

How Calling Works


EIP

How Calling Works


EIP

…

How Calling Works


EIP …

Returning


…

EIP

OWNING CONTROL FLOW Now that you know how it works …


Stack Smashing


… EIP

Stack Smashing


…

EIP

Returning


…

EIP

Returning home


…

EIP SEGFAULT 0x41414141

“If your program simply segfaulted, consider yourself lucky.”

-Chuck Stewart


Redirecting Control Flow


…

EIP

Overwrite with a code address

warzone.rpis.ec SSH in as lab2B

use the password you got from solving lab2C


lab2B Exploit

./lab2B $(python -c 'print "A"*27 + "\x7d\x84\x04\x08" + "B"*4 + "\xa0\x85\x04\x08"')


Modern Protections

• Data Execution Prevention (DEP) • Address Space Layout Randomization (ASLR) • Stack Cookies (Canaries) • Read Only Relocation (RELRO) • FORTIFY_SOURCE • … • These only make things harder, not impossible


BREAKING SOMETHING MODERN Those were more academic challenges


CSAW 2014 LINKS.EXE Exploitation on Windows 8.1 (x64)


links.exe

• Challenge from the CSAW 2014 CTF Finals • 64bit exploitation on Windows 8.1

– Basically all protections are on by default

• No source code, lots of x64 reversing – Doubly linked circular list implementation

• pushfront, pushback, delete, copy, print, sort …


reversing is tedious


CSAW 2014 LINKS.EXE - DEMO Windows 8.1 Exploitation (x64)


CSAW 2014 Finals


Wrapping up Binary Exploitation • You might consider yourself a *rockstar* programmer, but

you probably know little to nothing about secure coding practices or the implications of your mistakes

• Compilers go out of their way to prevent your bugs from causing catastrophic failure

• Because your program doesn’t appear to segfault or crash, doesn’t mean it is bug free or without vulnerabilities

• Binary exploitation is nothing like standard software development - I truly think of it as an art


JOB OPPORTUNITIES welcome to the real world


…so…many…jobs…

• Typical titles / positions – Information Security Analyst / Engineer – Security Software Engineer – Vulnerability Research Engineer – Web Application Security Engineer – Computer Network Operations – Threat & Incident Response Engineer – Product Security Reverse Engineer – Malware Analyst / Reverse Engineer – …


Entering the Job Market

• There is a major shortage of qualified security individuals in industry

• Skilled in security & have a B.S. in CS? – Government, Contractors, FFRDCs

• $70k – $100k – Private / Commercial

• $100k – ??

• Anything less and you’re missing out


One Great Adventure


SECURITY @ RPI


Security @ RPI

• Malware Analysis – Fall 2015 – Coming soon!

• Modern Binary Exploitation – Spring 2015 – http://rpis.ec/binexp/

• Hardware Reverse Engineering – Spring 2014 – http://security.cs.rpi.edu/courses/hwre-spring2014/

• Malware Analysis – Spring 2013 – http://security.cs.rpi.edu/courses/malware-spring2013/

• Secure Software Principles – Spring 2010 – http://cs.rpi.edu/academics/courses/spring10/csci4971/


Questions?

• gaasem [at] rpi.edu • security.cs.rpi.edu/~gaasem • @gaasedelen • irc.rpis.ec 6667


security & exploitation - science at...

Documents