Back to the CORE
PoC
• ACE
• Target for ACE
• KernelIo
• Target for kernelIo
• Overflows & techs
• KASLR, PoolSpray, Info Leaks
• MMU
• Conclusions
ROP
- Historical issue
- First ROP appeared in MSDOS
- Widely used as bypass for DEP
- Using gadgets
- ROP compilers / finders
- Depends on prepared stack layout
http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.html
https://www.auscert.org.au/render.html?it=13408
Solving old problem
ROP
• Offset to code gadgets - relative
• Reuse of existing code
• Jumps from one gadget to another
• Based on gadgets
• Depends heavily on stack layout
anti-ROP
• Randomization of function position
• Randomization of instructions (pos)
• Symbolic execution at selected points
• CFG
• X
https://ropguard.googlecode.com/svn-history/r2/trunk/doc/ropguard.pdf
www.cs.columbia.edu/~vpappas/papers/kbouncer.pdf
www.vdalabs.com/tools/DeMott_BlueHat_Submission.pdf
http://www.microsoft.com/en-us/download/details.aspx?id=41138
CFG
- Protects virtual calls
- In kernel mode not so widely used anyway, unfortunately …
- Per process bitmap
- Per process registered functions
- Fast lookup!
- Only an approximation of the problem
- Handles only the old, known ROP way of thinking
- But finally there! Good job!!
- Does not handle stack hooking / pivoting
- Does not handle integrity problems
- Does not handle ROP in general
http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/
http://www.powerofcommunity.net/poc2014/mj0011.pdf
http://www.alex-ionescu.com/?p=246
CF Hijack continue!
- Do not use ROP for everything!
- ROP is old & obsolete
- Use functions in smart way!
- Check args, check output, match your goal!
- Mix ROP and functions
- Misuse functions as your payload!
- Use stack hooking if you *really* need ACE on your code
- Find similar, but CFG-approved functions!
- 一步一步 (step-by-step)
http://blogs.msdn.com/b/vcblog/archive/2014/12/08/visual-studio-2015-preview-work-in-progress-security-feature.aspx
http://research.microsoft.com/pubs/101332/BGI-SOSP.pdf
http://research.microsoft.com/pubs/69217/ccs05-cfi.pdf
TO THE ROOTS OF PROBLEM!
Integrity guards
fast, reliable, no easy targets anymore!
Integrity guards
• No PLAIN function pointers anymore!
– Target reduction
– More info leaks needed!
• Protect integrity per object level
– Results in UAF mitigation
• Easy implementation
– Objective-C manually ( PROTECTED_ASIGN )
– C++ => compiler can hide this logic
• Protect only virtual calls
• Fast : only few instructions added
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1332.pdf
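
One way the per-object integrity guard above could look in C, as an added sketch that is not code from the talk: a function pointer is stored with a tag bound to a secret and to the address of the slot holding it, so a plain pointer overwrite or a slot copied into another object fails the check. The names (`guarded_fn`, `guard_assign`, `guard_call`, `widget`), the fixed demo key and the mixer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(int);

/* Constructed demo key. A real guard would draw it from a boot-time RNG and
   keep it out of memory an attacker can read. */
static const uint64_t GUARD_KEY = 0x9e3779b97f4a7c15ULL;

/* The pointer never travels alone: its tag binds it to the key AND to the
   address of the slot that holds it (per-object integrity). */
struct guarded_fn {
    handler_fn fn;
    uint64_t   tag;
};

struct widget {                      /* hypothetical kernel-style object */
    char              name[16];
    struct guarded_fn on_event;
};

/* splitmix64 finalizer: a few cheap instructions. Illustrative mixer only,
   not a vetted MAC. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

static uint64_t guard_tag(const struct guarded_fn *slot, handler_fn fn)
{
    uint64_t where = (uint64_t)(uintptr_t)slot;
    uint64_t what  = (uint64_t)(uintptr_t)fn;
    return mix64(mix64(what ^ GUARD_KEY) + where);
}

/* The "protected assign": the only sanctioned way to store the pointer. */
static void guard_assign(struct guarded_fn *slot, handler_fn fn)
{
    slot->fn  = fn;
    slot->tag = guard_tag(slot, fn);
}

/* Returns 0 and stores the result on success, -1 if the slot fails its check
   (a kernel would fail fast here instead of returning). */
static int guard_call(const struct guarded_fn *slot, int arg, int *out)
{
    if (slot->fn == NULL || slot->tag != guard_tag(slot, slot->fn))
        return -1;
    *out = slot->fn(arg);
    return 0;
}

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Legitimate use: assign through the guard, then call. */
int demo_legit(void)
{
    struct widget w = { .name = "w" };
    int out = 0;
    guard_assign(&w.on_event, double_it);
    return guard_call(&w.on_event, 21, &out) == 0 ? out : -1;
}

/* A memory-corruption write that replaces only the plain pointer. */
int demo_plain_overwrite(void)
{
    struct widget w = { .name = "w" };
    int out = 0;
    guard_assign(&w.on_event, double_it);
    w.on_event.fn = negate;          /* tag is now stale */
    return guard_call(&w.on_event, 21, &out);
}

/* A valid (pointer, tag) pair copied into a different object: the tag was
   bound to the first slot's address, so it does not verify at the second. */
int demo_replayed_slot(void)
{
    struct widget a = { .name = "a" }, b = { .name = "b" };
    int out = 0;
    guard_assign(&a.on_event, double_it);
    memcpy(&b.on_event, &a.on_event, sizeof b.on_event);
    return guard_call(&b.on_event, 21, &out);
}

int main(void)
{
    printf("legit call        -> %d\n", demo_legit());
    printf("plain overwrite   -> %d\n", demo_plain_overwrite());
    printf("replayed slot     -> %d\n", demo_replayed_slot());
    return 0;
}
```
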
Control Flow Stack
Separated stack, only CF instructions can write to this stack
idea comes to me from this creative guy : https://sk.linkedin.com/pub/ladislav-nevery/26/a87/498
Control flow stack
• Two stacks
– args & vars
– return pointers
• ROP is not applicable anymore
• Stack hooking and pivoting are offline as well!
• Special register for cf-stack
– cpl0 & cpl3, maintained by context switch
– No direct write, as (e/r)ip at x86
– Write onto cf-stack only by cf-instructions
• call, jmp, jx, ret, privileged switch
– Processor solution needed …
Safe Memory
- Code-Pointer Integrity
- Kuznetsov at OSDI
- Separate memory for ‘sensitive’ pointers
- Isolation on instruction level by using segments fs (gs)
- Impressive output – performance & results
- No need for additional instructions / regs
http://www.cs.berkeley.edu/~dawnsong/papers/osdi14-paper-kuznetsov.pdf
https://www.usenix.org/sites/default/files/conference/protected-files/osdi14_slides_kuznetsov.pdf
KERNEL IO – SMEP / SMAP
windows memory layout
On linux caches, on windows pools
http://www.alex-ionescu.com/?p=231
http://www.alex-ionescu.com/?p=246
Cool objects everywhere
• Kernel objects in plain state
– function pointers
– object pointers (buffers, other objs)
– object members (size,count,refcount..)
• In modules RW states – plain
– freelists
– ‘vtables’
– locks
• Target pool & find your object
– nt!_eprocess (->VadRoot)
– win32k!tagWND
– page tables (cr3)
– ...
OVERFLOWS
protections
• SMAP
• SMEP
• KASLR
• Pool hardening
response
• Your data is in kernel already!
• Turn your bug to boosted kernel io
• ExAllocatePool or Pagetables
• You pwn pool object - be relative!
• Try - big allocs ...
POC : http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
details soon!
Kernel Pool
- About BIG allocs :
- Deterministic
- especially Windows
- Linux SLUB +1
- User controllable
- alloc
- free
- data control!
- FULL == epic!
- Predictable :
- Pointers {base + align}
- size
- properties
- Layout-able!
- Targeted overflow
TBD : http://confidence.org.pl/en/agenda/lecture/when-something-overflowing/
X64 vs overflows!
• Fact : Overflows are (relatively) easy to exploit even on x64
– Although it should be mitigated on security-oriented architecture (/OS) by design
• virt addr space > phys addr space
– gaps => page_noaccess
• Randomized bases of pools
• Hunting for buffer overflows :
– boost pageheap
– Use virt-phys gap more!
– Use page guards more!
– Randomize more!
https://msdn.microsoft.com/en-us/library/windows/hardware/ff549561%28v=vs.85%29.aspx
reserve, randomize, guard!
Overflow results in trap, no stable UAF, sometimes wasting address space can secure it whole! – see cfg ..
Hunting pool overflows
try {
• Over/under flow to another object
• Try to use UAF
• Performance
• Waste of space
• Small allocs
ex(p/c)ect }
• Results in trap – page_noaccess
• Reused pool but object at different address
• Page tables & Vad
– coalescing :/
– classic pageheap problems
• X64 finally, use it!
• Target only big allocs, and (+inner)arrays (compile time)
KASLR & MMU
KASLR – user calling!
• _sidt / _sgdt
– Instruction :/
– basically leaks &ntoskrnl (use kernelio)
• user32!gSharedInfo
– Bad joke of security
– Leaks session pool
– leaks nt!_eprocess pointers! (use kernelio)
http://www.mista.nu/research/mandt-win32k-slides.pdf
KASLR – user calling!
• SESSION_POOL - Problem bro ?
• X64 large address space
• but leaks session pool
• On session pool mighty objects! win32k!_bitmap
• arbitrary write to boost size, or other property
• Pool layout & align *NO PROBLEM*
• PWN DONE!
KASLR – timer is calling!
Guess where is pool for nt!_ethread
Timing attacks
- Doable
- Simple
- Ping kernel by time
- Spray kernel pool
- Ping kernel again
- Measure difference
- Got kernel pool base!
- MMU mechanism was built:
- To be fast not ‘too secure’!
- TSX is to be disabled by microcode update
- But other research & approaches well known!
http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
http://felinemenace.org/~nemo/docs/TR-HGI-2013-001.pdf
MMU continue!
concept, multiple layers of PXN in real
http://www.cs.ucla.edu/classes/spring14/cs111/scribe/14b/
Basic idea
1. Per page privileges
2. Supervisor vs User priv
3. Make mmap / VirtualAlloc
4. memcpy data
5. Flag your page as Supervisor
6. Trigger ACE or Data access
7. Bypass SMEP
8. Bypass SMAP
http://viralpatel.net/taj/tutorial/paging.php
POC – by MWR labs
1. Choose address with isolated page tables
   1. To be sure write-where does not hit other used memory
2. 0x100804020001
   1. far enough in memory
   2. Kinda magic address, explain later
3. mmap 0x100804020001
4. memcpy
5. Patch S/U bits (write-where)
6. S/U bits need to patch per PXE !
7. pwn
https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/
MMU logic
• Unmapped memory causes PageFault
• Bad access causes PageFault
• PageFault handler does lookups
• VAD / vm_area
• On behalf of lookup will continue
• Create / Read Page Tables
VAD / VM_AREA
• malloc is lazy
• Reserve memory in memory struct (AVL tree)
• Do not create Page Table entries!
• PTE are created on first access in PageFault handler!
• NULLPTR deref killed by checking here
http://www.codemachine.com/article_protopte.html
MMU PWNED!
1. write-where
2. nt!_eprocess->VadRoot (task_struct->mm)
3. Substitute with own simple member
4. Fake member covers whole memory range
5. Trigger PageFault (f.e. nullptr deref ;)
6. PageFault handler finds it in Vad / mm
7. MMU will create page tables
8. FirstPrototypePte is physical address, you choose!
9. Leads to read / write arbitrary memory!
10. nullptr revival!
Virtual address == SYMBOLIC
Not checked if it is *really* cpl0 or cpl3 page!
KERNEL - FAIL – SAFE – CHECKS
copy_to/from_user
ProbeForRead/Write
The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned.
Think deeper!
Make user mode alias translated to target, and then use rw to kernel mode target!
Self-REF
• write-where to patch
• but where to write ?
• x64 => 4lvl of PXE
• PML4, PDP, PT, PTE
• cr3 holds the PML4 base
• other PXEs need to be read!
• … unless self referencing comes in place!
• bonus cr3 : physical addresses not so well randomized ;)
!pte 0x100804020001
How magic is it, self-ref tricking…
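
Why the address above looks "magic", as an added example (not code from the talk): it splits 0x100804020001 into its four paging indexes and reproduces the entry addresses that `!pte` reports when the PML4 has a self-referencing slot. The slot value 0x1ED (the fixed slot historically used by x64 Windows) and all function names are assumptions of this example; the slides do not state them.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not on the slides): historical fixed PML4 self-reference slot
   of x64 Windows. The arithmetic below works for any slot value. */
#define SELF_REF_SLOT 0x1EDu

struct va_parts { unsigned pml4, pdpt, pd, pt, offset; };

/* Split a 48-bit x64 virtual address into four 9-bit table indexes and the
   12-bit byte offset. */
struct va_parts split_va(uint64_t va)
{
    struct va_parts p;
    p.pml4   = (unsigned)((va >> 39) & 0x1ff);
    p.pdpt   = (unsigned)((va >> 30) & 0x1ff);
    p.pd     = (unsigned)((va >> 21) & 0x1ff);
    p.pt     = (unsigned)((va >> 12) & 0x1ff);
    p.offset = (unsigned)(va & 0xfff);
    return p;
}

/* Reassemble a canonical address: bit 47 is sign-extended into bits 48..63. */
uint64_t make_va(unsigned i4, unsigned i3, unsigned i2, unsigned i1, unsigned off)
{
    uint64_t va = ((uint64_t)i4 << 39) | ((uint64_t)i3 << 30) |
                  ((uint64_t)i2 << 21) | ((uint64_t)i1 << 12) | off;
    if (va & (1ULL << 47))
        va |= 0xffff000000000000ULL;
    return va;
}

/* Virtual address of the paging entry that maps `va` at a given level when
   PML4[self_slot] points back at the PML4 itself.
   level: 1 = PTE, 2 = PDE, 3 = PDPT entry (PPE), 4 = PML4 entry (PXE).
   Every pass through the self slot consumes one translation step without
   descending, so the walk ends `level` tables early and the last real index
   becomes a byte offset (index * 8) into that table.
   Returns 0 for an invalid level. */
uint64_t entry_va(uint64_t va, int level, unsigned self_slot)
{
    struct va_parts p = split_va(va);
    unsigned seq[8];
    int n = 0;

    if (level < 1 || level > 4)
        return 0;
    for (int i = 0; i < level; i++)
        seq[n++] = self_slot & 0x1ff;
    seq[n++] = p.pml4;
    seq[n++] = p.pdpt;
    seq[n++] = p.pd;
    seq[n++] = p.pt;
    /* First four items are table indexes, the fifth selects the 8-byte entry. */
    return make_va(seq[0], seq[1], seq[2], seq[3], seq[4] * 8);
}

int main(void)
{
    const uint64_t va = 0x100804020001ULL;   /* address from the slide */
    static const char *name[] = { "", "PTE", "PDE", "PPE", "PXE" };
    struct va_parts p = split_va(va);

    printf("indexes: PML4=%#x PDPT=%#x PD=%#x PT=%#x offset=%#x\n",
           p.pml4, p.pdpt, p.pd, p.pt, p.offset);
    for (int level = 4; level >= 1; level--)
        printf("%s at %016llX\n", name[level],
               (unsigned long long)entry_va(va, level, SELF_REF_SLOT));
    return 0;
}
```

Every result is a pure function of the virtual address and the slot number, so a fixed slot makes page-table entry locations predictable without any leak; randomizing the slot removes that property.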
Exploring Potential
• in every PXE is physical addresses!
• We point to PML4, after last translation
• Byte Offset points to PHYSICAL address to be read / write / exec
• Virtual addresses are just symbolic links to physical ones
• RWE to all physical memory
• Equivalent to broken KASLR, SMEP, SMAP, W^X, NonPagePoolNx
• Windows playing with MMU pagetables, self-ref at INFILTRATE by Alex!
http://infiltratecon.com/speakers.html#alex
Page fault on write
Confused state => COW
Framework
1. Provide page dir addr
2. Provide write-where vuln
   1. will be used once in current state of OS
   2. more generic, write more times
3. Use as KernelIo
4. Snapshot for arm
Conclusions
• Kernel was built to be fast rather than secure
• Security is (/can be) boosted by hardware features, incredibly!
• Compiler can secure a lot, especially for C++
• Patching to add security != security based model
• Redesigning from scratch is not undoable, and maybe not a bad idea ..
• But I do not expect many core changes, or changes at all, so facts remain :
– Changes are hard & slow process
– Attack surface is large
• We are hiring!
– Kernel & app sec
– A *LOT* of research
– mobile, pc
– M$, android, OSX ..
Thank You!
Q & A
@K33nTeam
@zer0mem
peter (at) keencloudtech.com
