Failure Of DEP And ASLR
2 likes1,308 views
DEP and ASLR are security mechanisms to prevent code execution from non-executable memory regions and randomize memory locations of processes. DEP can be disabled at runtime by finding functions like NtSetInformationProcess. ASLR weaknesses include incompatible applications and DLLs that are statically positioned. Attackers can also bypass ASLR by partially overwriting memory or leveraging memory information leaks.
Failure Of DEP And ASLR
- 1. FAILURE OF DEP AND ASLR VISHWAS SHARMA
- 3. DEP DEP – Data execution prevention A Protection mechanism that prevents the execution of code in the memory non-executable. This protect the attacker from running shellcode on stack, heap or in data segments Now hardware support NX but – NX for No-eXecute Two types of DEP – software and hardware protection
- 4. DEP POLICIES
- 5. DEP @ RUNTIME KPROCESS Structure contains DEP information DEP Flag is set or queried with Query - NtQueryInformationProcess Set – NtSetInformationProcess Flag is contained in ProcessExecuteFlags Example: 0: kd> dt nt!_KPROCESS 849f3a90 –r 0: kd> !process 0 0 calc.exe +0x06b Flags : _KEXECUTE_OPTIONS PROCESS 849f3a90 SessionId: 1 Cid: 1474 Peb: 7ffdd000 ParentCid: 077c +0x000 ExecuteDisable : 0y1 DirBase: 7dc5c820 ObjectTable: a694ce68 HandleCount: 52. +0x000 ExecuteEnable : 0y0 Image: calc.exe +0x000 DisableThunkEmulation : 0y1 +0x000 Permanent : 0y1 +0x000 ExecuteDispatchEnable : 0y0 +0x000 ImageDispatchEnable : 0y0 +0x000 DisableExceptionChainValidation : 0y1 +0x000 Spare : 0y0 ExecuteDisable - “Disable execution from non-executable memory”
- 6. CHEAT BY DEP DisableThunkEmulation ATL library rely on some code to be executed from the writable memory. So permission to run code form heap should be given to application When Program Attempts to execute code on a non- executable page, the kernel calls KiEmulateAtlTrunk to check ATL sequences IF found any ATL sequence – then continue emulate the trunk and as if nothing has happened
- 7. NOW THE FUN PART - WEAKNESS Incompatible Application – Remember OptIn Policy R+W+X mappings – JVM and programming running on java has this mapping *Return-2-libc Attacks Find page mapping and protection functions and change default permissions on the page Create a process from the dump that is produced in the memory Just-In-Time compilers are making situation worse *Return Oriented Programming – Modern ret2libc Runtime Disable DEP Finding position of NtSetInformationProcess and changing the permission in runtime – This technique would only work with OptIn – OptOut policy * Explanation on board
- 8. ASLR Address Space Layout Randomization
- 9. ASLR ASLR – Address space Layout Randomization Randomize the address where objects are placed in virtual space of a given process ASLR randomizes the location PE/MZ files that are mapped on the virtual memory, Heaps, stacks and PEB and TEB It provides random stack and heap allocations and page load every time a process starts. Thus even if process is being hacked it cannot execute shellcode with a best chance of 1/254 or 2/255
- 10. ASLR Image Randomization Designed for a capability to randomly position both executable and DLLs This randomization is system wide and could not switched off at runtime A Registry entry control the implementation of ASLR Respect the base address in PE header Randomize all, even those which are incompatible Randomize only those which are compatible - Default
- 11. ASLR DLL Randomization DLL must be loaded in each process that uses it to allow the physical memory used by the DLL to be shared When the same DLL is loaded its section object - A section object represents a section of memory that can be shared – is reused and it is mapped at the same virtual addresses 50960000 50960000 50A28000 50A8C000 50AF0000 50B54000 50BB8000 _MiImageBitMap – A bitmap of size 0x2800 contains all position of 64KB aligned address Loading DLL into process is also randomized by SmpRandomizeDllList
- 12. ASLR Stack Randomization – 2 fold randomization The base of the stack is choose randomly This is implemented by searching holes into Virtual Memory of the process. Holes are regions where series of pages are not mapped into memory. Choosing hole is randomized by 5 bits random function Again a 9 bit random value is derived from time stamp – y Offset = y*4 --- For 32 bit alignment of stack
- 13. THE FUN PART Incompatible DLL – Statically positioned DLLs and Executable This can be initializing 3rd party ActiveX components, plugins in you browser Specially crafted data packet that could result in loading of DLL based for parsing the “special” data Embedded Media of various types that require loading of specific library to parse the data like image, video or flash content *Partially static object This concept is basically the mother of all spraying techniques that are used in bypassing ASLR For example a heap allocation is randomized by 2 MB but what would happen when we allocate data of much greater size eg. 500MB or similar * Explanation on board
- 14. THE FUN PART *Partial overwrites As demonstrated earlier that last 2 bytes of address space are not randomized we can have a partial overwrite or either 1 or 2 bytes of data on the stack It would be enough to jump to any offset location which would be relative that position by a maximum of 0xffff bytes *Memory information Leakage I have discussed it in null IRC channel this week Implications could be getting information of either module base address or stack base address, heap base address or TEB and PEB leakages * Explanation on board
- 15. Research