Robust Shell Code Return Oriented Programming and HeapSpray
Recommend Documents
Apr 16, 2012 - Simple add into %eax ... The shellcode invokes the execve system call to run a shell. Steps in creating R
Applying Return Oriented and Jump Oriented. Programming Exploitation Techniques with. Heap Spraying. László ErdÅdi. Ãbuda University, Faculty of Applied ...
almost all favourable characteristics of the combined techniques together such as .... jump oriented programming attacks using the heap spray payload delivery. It is ..... https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-.
Jun 26, 2017 - 49-58. DOI=10.1145/1920261.1920269 -http://doi.acm.org/10.1145/1920261.1920269. [2] Kali Linux - https://www.kali.org/. [3] Dhaval. Kapil.
systems, has negative implications for an entire class of security mechanisms: those that seek to prevent malicious ...
We introduce return-oriented programming, a technique by which an attacker can
induce ... Return-oriented programming defeats the W+X protections recently ...
Mar 5, 2014 - gramming [3, 4, 17, 19, 12] could be a good way to close this gap. .... iOS, where self-generating code is not allowed. Document, image, audio ...
Smashing the Gadgets: Hindering Return-Oriented. Programming Using In-Place
Code Randomization. Vasilis Pappas. Columbia University.
Comparing Paradigm Characteristics by Example Implementations. Nicolás Cardozoââ ... Email: {nicolas.cardozo,kim.mens}@uclouvain.be. â Software ...
Any Unix command can go in a shell script. – Commands are executed in order
or in the flow determined by control statements. ◇ Different shells have different ...
Shell Programming and Unix Utilities. ○ Creating Shell Scripts. ○ Variables,
Arguments, and Expressions. ○ Shell I/O and Debugging. ○ Testing Conditions
...
injecting shellcodes to well-known executable files including acrobat reader, firefox, Java, etc. Quantitative ..... 1489 Version 10.1.12 of Adobe Acrobat Reader X.
pop %ebp; or $0xF3, %al; jmp â(%edx) pop %esi; or $0xF3, %al; jmp â(%edx) pop %edi; cmp %bl, %dl; jmp â(%edx) pop %esp; or %edi, %esi; jmp â(%eax).
of all instructions are randomized. In this paper ... Keywords-return-oriented programming; address space ran- ... memory), we will know the addresses of all the instructions .... braries such as PHP (CVE-2010-2094, CVE-2007-0909), etc. All ...
The Shell Programming course provides students with the skills to read, write, and debug UNIX shell ... Create scripts t
HP Education Services course data sheet. POSIX shell programming. H4322S.
Course Overview. This course covers advanced POSIX shell programming for ...
May 19, 2000 ... UNIX 3. Shell. Programming. May 2000. Document Number: 2630 .... and so any
shell constructs can be used within the backquotes.
Students learn to read, write, and debug shell scripts, thus increasing productivity
by taking ... Audience: UNIX users, programmers, and system administrators.
programming we have created AML, a system for sparse matrix computation .... library writer rather than the application programmer who writes the code for.
of an ITS can suit the tutoring process for each individual user. Traditional ITSs are concentrated on the fields (domains) they are supposed to present, hence ...
object-oriented programming languages such as C++ and Java owe much of their .... problem-solving methods to build modern knowledge-based systems ...
Object Oriented Programming and Perl. Prog for Biol 2011. Simon Prochnik. 1.
Sunday, October 23, 2011. Why do we teach you about objects? • Objects allow ...
books, including Ubuntu Unleashed, The Official Ubuntu Book, and VMware ... and Shell Programming (4th Edition) PDF free
Mar 27, 2009 ... points are the outstanding use of examples, and the Command Refer- .... The first
three commands display the contents of three files: stationery ...
Robust Shell Code Return Oriented Programming and HeapSpray
Apr 16, 2012 - arbitrary code execution. Targeted at browsers, document viewers, etc. Current attacks include IE, Adobe
Background
Return Oriented Programming
Heap Spray
CS 6V81-05: System Security and Malicious Code Analysis
Robust Shell Code Return Oriented Programming and HeapSpray
Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16th , 2012
Summary
Background
Return Oriented Programming
Outline
1
Background
2
Return Oriented Programming
3
Heap Spray
4
Summary
Heap Spray
Summary
Outline
1
Background
2
Return Oriented Programming
3
Heap Spray
4
Summary
Background
Return Oriented Programming
Heap Spray
Memory Exploit
For a successful memory exploits, it usually involves: 1
2
Put malicious code at a predictable location in memory, usually masquerading as > shellcode = unescape("%u4343%u4343%...''); 1
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Revealing Heap Spraying (2)
Drive-By Heap Spraying (2)
Program Heap ok bad
PC
Creates the malicious object
ok
2
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Revealing Heap Spraying (2)
Drive-By Heap Spraying (2)
Program Heap ok bad
PC
Creates the malicious object
ok
Triggers the jump
3
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Revealing Heap Spraying (2)
Drive-By Heap Spraying (2)
ASLR prevents the attack Program Heap ok bad
PC
Creates the malicious object
ok
Triggers the jump
4
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Revealing Heap Spraying (2)
Drive-By Heap Spraying (2)
ASLR prevents the attack Program Heap ok
PC
bad
Creates the malicious object
ok
Triggers the jump
5
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Revealing Heap Spraying (3)
Program Heap ok
ok 39
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Revealing Heap Spraying (3)
Program Heap bad
ok
bad
bad
bad ok
bad
bad
40
In courtesy of Ratanaworabhan et al [Nozzle] for this example
Summary
Background
Return Oriented Programming
Heap Spray
Heap-spraying Attacks
How? 1
Attacker must have existing vulnerability (i.e., overwrite a function pointer)
2
Attacker allocates many copies of malicious code as JavaScript strings
3
When attacker subverts control flow, jump is likely to land in malicious code
Summary
Outline
1
Background
2
Return Oriented Programming
3
Heap Spray
4
Summary
Background
Return Oriented Programming
Heap Spray
Summary
Summary
Code injection is not necessary for arbitrary exploitation. Defenses that distinguish “good code” from “bad code” are hard and also useless. Return-oriented programming (ROP) likely possible on every architecture, not just x86. ROP shell code can be automatically generated (Q [USENIX Security 2011]) from application binary code There are many ways to write robust shell code besides ROP
Background
Return Oriented Programming
Heap Spray
Summary
References
[CCS07]H. Shacham “The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)” [CCS08] Buchanan et al.:“ When good instructions go bad: Generalizing return-oriented programming to RISC” [USENIX Securiy09] Hund et al.“Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms” [ACSAC09] “Surgically Returning to Randomized Lib(c)” [USENIX Securiy11] “Q: Exploit Hardening Made Easy” [USENIX Securiy09] “Nozzle: A Defense Against Heap-spraying Code Injection Attacks”
