Memory Attack - The Memory Attack Techniques
1 like386 views
The document is a presentation on memory attack techniques given by Kim Seong Min. It covers 4 topics: 1. What are memory attacks and types of memory bugs and attacks. 2. Attacking the stack, including buffer overflows, control-flow hijacking, and mitigations like NX stacks and canaries. 3. The evolution of defenses like ASLR and techniques like return-oriented programming to bypass them. 4. Q&A portion to discuss the ongoing "eternal war in memory" between attackers and defenders.
![7
Memory Bugs and Attack
Memory Bugs (Errors) != Memory Attack
Every vulnerabilities are bugs,
but not every bugs are exploitable (maybe…?)
[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다](https://image.slidesharecdn.com/2-190527102200/85/Memory-Attack-The-Memory-Attack-Techniques-7-320.jpg)
![11
Types of Memory Bugs
De-reference pointer to the freed memory
[pwnable.kr - Toddler’s Bottle] uaf, 8pt
Dangling pointer](https://image.slidesharecdn.com/2-190527102200/85/Memory-Attack-The-Memory-Attack-Techniques-11-320.jpg)
Memory Attack - The Memory Attack Techniques
- 1. The Rise and Fall of The Memory Attack Techniques 05. 26. Ubuntu Fest Kim Seong Min
- 2. Speaker Info 이름 : 김성민 직업 : 대학생 학번 : 16 (젊다!) 특기 : ARGOS 회장 취미 : 해킹 (멋있다!) 2
- 3. - Research Areas System / Network Security Reverse Engineering Mobile Application macOS / iOS Kernel Security - TMI Favorites : Drinking Alcohol…🤪, Playing Games My first “hello, world!” : 3 years ago Wanna be offensive security researcher :D 3
- 4. 목 차 1교시 메모리 공격이란? 2교시 스택을 때리자 3교시 창과 방패의 발전 4교시 질의응답
- 5. 메모리 공격이란? - Memory Bugs and Attack - Segmentation Fault - Types of Memory Bugs - Types of Memory Attack
- 6. 6 Memory Attack 시스템 해킹의 꽃 (메모리 공격 ⊂ 시스템 해킹) Attack : Trigger a vulnerability (Exploit) To write whatever I want in anywhere I want
- 7. 7 Memory Bugs and Attack Memory Bugs (Errors) != Memory Attack Every vulnerabilities are bugs, but not every bugs are exploitable (maybe…?) [2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다
- 8. 8 Memory Bugs Typically, could be occurred because of unsafe languages (e.g. C, C++, …) Also cause segmentation fault sometimes Allow low-level memory access Allow weakly enforced typing Explicit memory management
- 9. 9 Segmentation Fault Notify an OS the software has attempted to access a restricted area of memory Good news for hackers or, you There are some memory errors that would be exploitable!
- 10. 10 Types of Memory Bugs De-reference pointer that is out of bounds
- 11. 11 Types of Memory Bugs De-reference pointer to the freed memory [pwnable.kr - Toddler’s Bottle] uaf, 8pt Dangling pointer
- 12. 12 Types of Memory Attack Code corruption Control-flow hijack Data-only Information leak “Eternal War in Memory” published in IEEE S&P Symposium, 2013
- 13. 13 Types of Memory Attack A Barresi, “Fighting the War in Memory”, 2014 Control-flow hijack
- 14. 14 Types of Memory Attack Information leak canary value (important information for security) output data should be interpreted
- 15. 스택을 때리자 - Memory Layout Overview - Stack Memory - Basic Stack-based Attack - NX Stack and Canaries - Return to Oriented Programming
- 16. 16 Memory Layout Overview 메모리 구조 (간단하게만!) TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 low high
- 17. 17 Memory Layout Overview TEXT (CODE) 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 프로그램 실행 코드가 여기 있음 - 기계어 들이 있음 low high
- 18. 18 Memory Layout Overview DATA & BSS 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 전역 변수, 정적 변수 등 - DATA : 초기화 된 데이터 - BSS : 초기화 되지 않은 데이터 low high
- 19. 19 Memory Layout Overview HEAP 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 동적 할당 영역 - malloc low high
- 20. 20 Memory Layout Overview STACK 영역 TEXT DATA BSS HEAP … STACK 코드 전역변수 동적 할당 함수, 임시 데이터 등 - 지역 변수 - 임시 값 - 이제부터 볼 영역 low high
- 21. 21 Stack Memory Standard Stack Frame of function 0x41414141 0x42424242 0x43434343 0x00444444 0x00000000 SFP RET low high
- 22. 22 Stack Memory RETurn address? (RET) func2 func1 main call func1 call func2 ret ret func2 Stack Frame func1 Stack Frame main Stack Frame low high
- 23. 23 Stack Memory Stack Frame Pointer? (SFP) func’s stack frame 0xFFFFD588 0xFFFFD56C 0x41414141 0x42424242 0x43434343 0x00444444 0x00000000 SFP (0xFFFFD588) RET SFP RET func’s stack frame main stack frame low high
- 24. 24 Basic Stack-based Attack Buffer Overflow - Overruns the buffer’s boundary - Overwrites adjacent memory locations - First described in October, 1972 (Computer Security Technology Planning Study) 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 SFP 0x41414141 RET 0x41414141
- 25. 25 Basic Stack-based Attack Control-flow hijack with BOF : Call ‘evil’ function Trigger bug : jump to vuln() function 0x41414141 0x41414141 SFP 0x41414141 RET 0x08048486
- 26. 26 Basic Stack-based Attack Control-flow hijack with BOF : Execute shellcode 0x41414141 0x41414141 SFP 0x41414141 RET &shellcode 0x41414141 0x6850c031 0x68732F2F … on somewhere in memory The set of instructions that executes shell
- 27. 27 Basic Stack-based Attack Morris Worm (1988) - First computer worm - Exploiting buffer overflow
- 28. 28 NX Stack and Canaries Non eXecutable Stack (1997) - Prevent executing code in specific areas (e.g. stack, heap) - W^X (on BSD) DEP (on Windows) - Text (Code) segment is non-writable Stack (Heap) segment is non-executable 0x41414141 0x41414141 0x41414141 RET 0x41414141 0x6850c031 0x68732F2F … crash‼
- 29. 29 NX Stack and Canaries NX in GDB (Stack is not executable)
- 30. 30 NX Stack and Canaries Stack Canary (1998) - Place specific patterns called ‘canaries’ between stack variables and return address - Design to detect stack BOF - Cheap and powerful - Bypass using information leak 0x41414141 canary 0x41414141 0x41414141 RET 0x41414141 0x6850c031 0x68732F2F … crash‼
- 31. 31 Return 2 Oriented Programming ret2libc (1997) - No code injection needed - Bypassing the NX protection 0x41414141 0x41414141 SFP 0x41414141 RET &system instructions… … system
- 32. 32 Return 2 Oriented Programming ret2plt (2001) - Call dynamic lib’s function via PLT - Bypassing the NX protection 0x41414141 0x41414141 SFP 0x41414141 RET &puts@plt &system@plt … system@plt … instructions… … Procedure Linkage Table system
- 33. 33 Return 2 Oriented Programming Krahmer’s code snippet reuse (2005) - Code reuse instead of entire libc functions - Use “gadgets” or “snippets” - 진짜 프로그래밍을 다시 하는 느낌 - “ROP” 0x41414141 0x41414141 SFP 0x41414141 RET &gadget1 Fake RET &gadget2 instructions… instructions… instruction (ret) instructions… instruction (ret) gadget1 gadget2
- 34. 창과 방패의 발전 - ASLR : The end of memory war? - Bypassing ASLR - And, New Mitigations - Endgame
- 35. 35 ASLR : The end of memory war? Address Space Layout Randomization - PAX team’s ASLR (2001) - Randomness in the address space layout of processes - 전략? Per process (Linux) System-wide per boot (Windows) - PIC & PIE required
- 36. 36 A Barresi, “Fighting the War in Memory”, 2014
- 37. 37 Bypassing ASLR - Brute-force Attack (Low entropy) it’s pretty good in x32, but almost impossible in x64 - Information Leak Find base address of specific segment
- 38. 38 And, New Mitigations Enhanced Mitigation Experience Toolkit (EMET) - MS Windows를 위한 보안 툴킷 - Windows 보안 기능 활성화 및 설정을 도움 - 개인 PC 사용자 레벨(Non-kernel) 보안 - ROP 기법에 대한 보호
- 39. 39 And, New Mitigations Control Flow Guard (CFG) - Visual Studio 2015에서 지원하는 mitigation - 호출하는 함수가 유효한지 확인하는 로직을 추가함 - CFG 검사 실패 시, 프로그램을 강제로 종료시킴 - 악의적인 함수 또는 명령어 세트 호출을 원천 봉쇄
- 40. 40 Endgame
- 41. 41 Endgame But, hackers never die… - 스택이 안되면 힙을 때리면 되잖아? - 아니면 다른 버그들을 이용해도 되잖아? - Heap Spraying, Heap Feng Shui, Type Confusing, Use-After-Free, so on… - 때릴건 아직도 많이 남아 있다
- 42. 42 Endgame Mitigation is not “Deus Ex Machina” - 미티케이션은 거들 뿐 - 다 뚫리고 막고를 반복하고 있다 - 버그를 만들지 않으려는 노력이 중요하다
- 43. 떠든애 김성민 1교시 메모리 공격이란? 2교시 스택을 때리자 3교시 창과 방패의 발전 4교시 질의응답 Q & A Thank you for listening!