SLIDE 1
Memory Corruption
The (almost) Complete History...
haroon meer - 2010 @haroonmeer | haroon@thinkst.com
Who ?
haroon meer thinkst ? some papers, some books, some talks academic wannabe
Memory Corruption The (almost) Complete History... haroon meer - - - PowerPoint PPT Presentation
Memory Corruption The (almost) Complete History... haroon meer - - - PowerPoint PPT Presentation
Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe Why? Why? Why? Why? Why? twitter made me do it!
SLIDE 2
SLIDE 3
Why?
SLIDE 4
Why?
SLIDE 5
Why?
SLIDE 6
Why?
SLIDE 7
Why? twitter made me do it!
SLIDE 8
Why?
de-mystify some of the otherwise mystical convince you that Solar Designer was skynet
SLIDE 9
Why?
(Some silly Stats) Stack : 140 Heap : 74
!" #" $!" $#" %!" %#" &!" &#" '!" $(((" %!!!" %!!$" %!!%" %!!&" %!!'" %!!#" %!!)" %!!*" %!!+" %!!(" !" #" $!" $#" %!" %#" &!" $'''" %!!!" %!!$" %!!%" %!!&" %!!(" %!!#" %!!)" %!!*" %!!+" %!!'"
SLIDE 10
Why?
(Some silly Stats) Stack : 140 Heap : 74
!" #" $!" $#" %!" %#" &!" &#" '!" $(((" %!!!" %!!$" %!!%" %!!&" %!!'" %!!#" %!!)" %!!*" %!!+" %!!(" !" #" $!" $#" %!" %#" &!" $'''" %!!!" %!!$" %!!%" %!!&" %!!(" %!!#" %!!)" %!!*" %!!+" %!!'"
SLIDE 11
Caveats - Limits
SLIDE 12
Caveats - Limits
SLIDE 13
Caveats - Myopia
SLIDE 14
Caveats - Myopia
SLIDE 15
332880 : 1
Caveats -Compression Ratio
SLIDE 16
Disclosure, Bugs and Counts
VS.
SLIDE 17
Disclosed Bugs
SLIDE 18
Our Approach
Clearly naive initially
SLIDE 19
http://ilm.thinkst.com/folklore/
SLIDE 20
http://ilm.thinkst.com/folklore/
SLIDE 21
http://ilm.thinkst.com/folklore/
SLIDE 22
the paper
(read it)
SLIDE 23
So at the end of this..
You wont be able to suddenly use free() to obtain a 4-byte write anything anywhere primitive. You will understand what that means. You will be able to see: When that was first used; What prevents it’s use/abuse today;
SLIDE 24
Where did it start?
SLIDE 25
SLIDE 26
Memory Basics
SLIDE 27
Memory Basics
SLIDE 28
0x00000000
Memory Basics
User
PageTable
{
4 gig
Kernel
SLIDE 29
0x00000000
Memory Basics
User
PageTable
{
4 gig
Kernel
SLIDE 30
0x00000000 User Kernel
{
3 gig
0x00000000 User Kernel 0x00000000 User Kernel
Multiple Processes
SLIDE 31
0x00000000 User Kernel
{
3 gig
0x00000000 User Kernel 0x00000000 User Kernel
Multiple Processes
Kernel
SLIDE 32
0x00000000 User
PageTable
{
4 gig
Kernel
Segments
SLIDE 33
0x00000000 User
{
4 gig
Kernel
Segments
SLIDE 34
0x00000000 User
{
4 gig
Kernel
0x00000000
Segments
SLIDE 35
0x00000000 User
{
4 gig
Kernel
0x00000000 Text
Segments
SLIDE 36
0x00000000 User
{
4 gig
Kernel
0x00000000 Text Data
Segments
SLIDE 37
0x00000000 User
{
4 gig
Kernel
0x00000000 Text Data ...
Segments
SLIDE 38
0x00000000 User
{
4 gig
Kernel
0x00000000 Text Data ... Heap Grows Upwards
Segments
SLIDE 39
0x00000000 User
{
4 gig
Kernel
0x00000000 Text Data ... Heap Grows Upwards mmap (Shared Memory)
Segments
SLIDE 40
0x00000000 User
{
4 gig
Kernel
0x00000000 Text Data ... Heap Grows Upwards mmap (Shared Memory) Stack Grows Downwards
Segments
SLIDE 41
So what is code?
SLIDE 42
So what is code?
SLIDE 43
So what is code?
SLIDE 44
So what is code?
SLIDE 45
Is this code?
SLIDE 46
Is this code?
SLIDE 47
Is this code?
SLIDE 48
Is this code?
SLIDE 49
Is this code?
SLIDE 50
SLIDE 51
0x00000000 User
{
4 gig
Kernel
0x00000000 Text Data ... Heap Grows Upwards mmap (Shared Memory) Stack Grows Downwards
SLIDE 52
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Upwards Grows Downwards 0x00000000 Stack mmap (Shared Memory) Heap Text Data ...
Stack Basics
SLIDE 53
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Upwards Grows Downwards 0x00000000 Stack mmap (Shared Memory) Heap Text Data ...
Stack Basics
SLIDE 54
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int argc char **envp char **argv
Stack Basics
SLIDE 55
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 56
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 57
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 58
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 59
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 60
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 61
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 62
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 63
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP int j Saved EIP Saved EBP int argc char **envp char **argv
Stack Basics
SLIDE 64
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Stack Basics
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP Saved EIP Saved EBP int argc char **envp char **argv
SLIDE 65
int function_1(int a, int b) { int j; // do stuff return j; } int main(int argc, char **argv, char **envp) { int i; i = function_1(1,2); printf(“answer is %d”, i) return i; }
Stack Basics
Grows Downwards 0x00000000 int i Saved EIP function_1 argument_2 (b) function_1 argument_1 (a) Saved EBP int argc char **envp char **argv
SLIDE 66
Classic Overflow
Stack Grows Downwards Saved EIP function_1 argument_1 (a) Saved EBP int j Saved EIP Saved EBP int argc char **envp char **argv buff
Overflow Direction
Where to go
SLIDE 67
non-terminated strings
strcpy(buf1, buf2);
SLIDE 68
non-terminated strings
strcpy(buf1, buf2);
SLIDE 69
non-terminated strings
strcpy(buf1, buf2); char buf1[4]; strncpy(buf1, buf2, 4);
SLIDE 70
non-terminated strings
strcpy(buf1, buf2); char buf1[4]; strncpy(buf1, buf2, 4);
SLIDE 71
non-terminated strings
strcpy(buf1, buf2); char buf1[4]; strncpy(buf1, buf2, 4);
T E S T I N G \0
char buf1[4] char buf2[] = “TESTING”
SLIDE 72
non-terminated strings
strcpy(buf1, buf2); char buf1[4]; strncpy(buf1, buf2, 4);
T E S T I N G \0
char buf1[4] char buf2[] = “TESTING”
T E S T
SLIDE 73
non-terminated strings
strcpy(buf1, buf2); char buf1[4]; strncpy(buf1, buf2, 4);
T E S T I N G \0
char buf1[4] char buf2[] = “TESTING”
T E S T
printf(“buf1 is [%s]\n”,buf1);
SLIDE 74
non-terminated strings
strcpy(buf1, buf2); char buf1[4]; strncpy(buf1, buf2, 4);
T E S T I N G \0
char buf1[4] char buf2[] = “TESTING”
T E S T
printf(“buf1 is [%s]\n”,buf1); $ buf1 is [TESTTESTING]
SLIDE 75
heap-unlink()
bk fd bk fd bk fd 7 8 9
SLIDE 76
heap-unlink()
bk fd bk fd bk fd 7 8 9 [x] [8] [7] [9] [8] [x] 7 8 9 back forward back forward
SLIDE 77
heap-unlink()
[x] [8] [7] [9] [8] [x] 7 8 9 back forward back forward
SLIDE 78
heap-unlink()
[x] [8] [7] [9] [8] [x] 7 8 9 back forward back forward [x] [8] [7] [9] [8] [x] 7 8 9 back forward back forward
SLIDE 79
heap-unlink()
[x] [9] [7] [9] [8] [x] 7 8 9 back forward back
SLIDE 80
heap-unlink()
[x] [9] [7] [9] [7] [x] 7 8 9 forward back
SLIDE 81
heap-unlink()
[x] [9] [7] [9] [7] [x] 7 8 9 forward back WHERE WHAT
SLIDE 82
slapper
* Peter Szor - analysis of the slapper worm
SLIDE 83
gs vs params
Stack Growth Saved EBP int j Saved EIP buff
Overflow Direction
Pointers Arguments
int func(char *a, char *b) { char buf[12]; strcpy(buf, a); strcpy(b, buf); return 1; }
SLIDE 84
gs vs params
Stack Growth Saved EBP int j Saved EIP buff
Overflow Direction
Pointers Arguments
int func(char *a, char *b) { char buf[12]; strcpy(buf, a); strcpy(b, buf); return 1; }
Stack Growth Saved EBP int j Saved EIP buff
Overflow Direction
Pointers Arguments (shadow copy) Arguments
SLIDE 85
so..
Everything executable --> DEP DEP vs ret-2-libc (ROP)
SLIDE 86
so..
ASLR to beat ret-2-libc / ROP Single leaked / static address beats ASLR Partial Overwrites App specific..
SLIDE 87
so..
ASLR to beat ret-2-libc / ROP Single leaked / static address beats ASLR Partial Overwrites App specific..
Stack Growth int x int j function pointer b buff LSB's MSB's function pointer a
Overflow Direction
SLIDE 88
SLIDE 89
So..
DEP without ASLR ASLR without DEP without
SLIDE 90
Conclusions?
What the ASLR/DEP taketh.. The rich client side applications giveth back.
- Info. leakage attacks are an area of
much research http://ilm.thinkst.com/folklore/
SLIDE 91
Thanks!
- Marco Slaviero
- Brad Spengler (spender)
- PaX Team
- Halvar Flake
- icesurfer
- Nate Lawson
- Chris Wysopal
- Saumil Shah
- Matt Miller
- Ollie Whitehouse
- Dennis Groves
- Ivan Arce
- Mario Vilas
- Tyler Shields
- Dion Blazakis
- georgie
- Ben Nagy
- the Grugq.
- Bradley Cowie
- Barry Irwin
SLIDE 92
Questions ?
http://ilm.thinkst.com/folklore
@haroonmeer haroon@thinkst.com http://blog.thinkst.com