% ----------------------------
\subsubsection{Exploits}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Exploit Types}
\begin{itemize}
\item Application Level Exploits
\begin{itemize}
\item SQL Injection
\item Cross-site scripting
\item Backdoors
\item Protocol implementation flaws
\item \dots
\end{itemize}
\item Low-Level Exploits
\begin{itemize}
\item Stack
\item Heap
\item Syscall
\item Race conditions
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Stack: Code Example I}
\begin{beamerboxesrounded}[shadow=true]{Bad copy to stack local buffer}
\begin{tiny}
\begin{verbatim}
#include <string.h>

void foo (char *p)
{
    char buf[16];
    strcpy(buf, p);
}

int main (int argc, char **argv)
{
    foo(argv[1]);
}
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
{\footnotesize \texttt{strcpy} copies up to the terminating NUL with no length bound: an
\texttt{argv[1]} longer than 15 bytes runs past \texttt{buf} into the rest of the
frame, including the saved return address. Fix: bounded copy (\texttt{strncpy}/\texttt{snprintf})
or check \texttt{strlen(p) < sizeof buf} first.}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Stack: Code Example II}
\begin{beamerboxesrounded}[shadow=true]{Manipulation of return address}
\begin{tiny}
\begin{verbatim}
#include <stdio.h>
#include <string.h>

void function(int a, int b, int c)
{
    char buffer1[8];
    char buffer2[16];
    char *ret;

    ret = (char *)(buffer1 + 0x18);
    (*ret) += 0x7;
}

void main(void)
{
    int x;

    x = 0;
    function(1,2,3);
    x = 1;
    printf("%d\n",x);
}
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
{\footnotesize The offset \texttt{0x18} (distance from \texttt{buffer1} to the saved return
address) and the skip of \texttt{0x7} bytes (length of \texttt{x = 1}) depend on compiler,
optimization level and ABI; to reproduce, build with \texttt{-O0 -fno-stack-protector}
and expect to re-derive both constants from the disassembly.}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Stack: Layout I}
\begin{figure}
\centering
\includegraphics[width=8cm]{images/em_stack_layout1.png}
\end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Stack}
\begin{itemize}
\item Overwrite return address
\item change stack-local variables
\item inject malicious code
\begin{itemize}
\item shell code
\item backdoors
\item thread hijacking
\end{itemize}
\item reuse existing code instead (return-to-libc, ROP) once the stack is non-executable (see NX below)
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Mitigation}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Address Space Layout}
\begin{itemize}
\item Fixed layout of segment start
addresses
\item Easy to exploit: every address an attacker needs (return target, shellcode, libc) is known in advance
\item Address Space Layout Randomization
\begin{itemize}
\item basic implementation (Linux v2.6.12)
\item full implementation (Linux v3.19)
\end{itemize}
\item Configuration: \texttt{/proc/sys/kernel/randomize\_va\_space}
\begin{itemize}
\item 0: Disabled
\item 1: randomize stack, mmap base (shared libraries) and VDSO
\item 2: additionally randomize the heap (\texttt{brk})
\end{itemize}
\item The main executable is only randomized if it is built position-independent
(\texttt{-fPIE -pie}); a non-PIE binary keeps its fixed text/data addresses even at level 2
\item Process maps: \texttt{/proc/\textless pid\textgreater/maps}
\end{itemize}
\end{frame}

\begin{frame}[fragile]
\frametitle{Process Memory Map}
\begin{beamerboxesrounded}[shadow=true]{\texttt{/proc/\textless pid\textgreater/maps}}
\begin{tiny}
\begin{verbatim}
$ cat /proc/self/maps
00400000-0040c000 r-xp 00000000 fe:00 23360017 /bin/cat
0060b000-0060c000 r--p 0000b000 fe:00 23360017 /bin/cat
0060c000-0060d000 rw-p 0000c000 fe:00 23360017 /bin/cat
0060d000-0062e000 rw-p 00000000 00:00 0 [heap]
7ffff7a31000-7ffff7bd3000 r-xp 00000000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bd3000-7ffff7dd2000 ---p 001a2000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd2000-7ffff7dd6000 r--p 001a1000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd6000-7ffff7dd8000 rw-p 001a5000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd8000-7ffff7ddc000 rw-p 00000000 00:00 0
7ffff7ddc000-7ffff7dfc000 r-xp 00000000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7e09000-7ffff7fce000 r--p 00000000 fe:00 3932237 /usr/lib/locale/locale-archive
7ffff7fce000-7ffff7fd1000 rw-p 00000000 00:00 0
7ffff7fd4000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffa000-7ffff7ffc000 r--p 00000000 00:00 0 [vvar]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00021000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
{\tiny Two things to read off this listing: \texttt{/bin/cat} sits at the fixed
\texttt{0x400000} load address, i.e.\ it is not a PIE and its text/data are not randomized;
and the \texttt{0x7ffff7\dots} library and \texttt{0x7ffffffde000} stack addresses are the
canonical \emph{unrandomized} x86-64 layout, so this snapshot was taken with ASLR off
(e.g.\ under \texttt{gdb}, which disables it by default). With
\texttt{randomize\_va\_space=2} those addresses differ on every run; \texttt{[vsyscall]} is
the one mapping that stays fixed.}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Stack Protect}
\begin{itemize}
\item Canaries
\begin{itemize}
\item Compiler Support (gcc)
\begin{itemize}
\item -fno-stack-protector
\item -fstack-protector (only functions with char arrays $\ge$ 8 bytes)
\item -fstack-protector-all
\item -fstack-protector-strong (since gcc v4.9; any function with a local array or address-taken local)
\end{itemize}
\end{itemize}
\begin{itemize}
\item Kernel Configuration
\begin{itemize}
\item CONFIG\_CC\_STACKPROTECTOR\_NONE
\item CONFIG\_CC\_STACKPROTECTOR\_REGULAR \\ (coverage: 2.81 \%, code size: +0.33 \% )
\item CONFIG\_CC\_STACKPROTECTOR\_STRONG \\ (coverage: 20.5 \%, code size: +2.4 \% )
\item (renamed to CONFIG\_STACKPROTECTOR / CONFIG\_STACKPROTECTOR\_STRONG in Linux v4.18)
\end{itemize}
\end{itemize}
\begin{itemize}
\item Limits: the check runs only at function return, so it catches a linear overflow that
crosses the canary but not an overwrite of locals or function pointers below it, and a
leaked canary value (e.g.\ via a format-string or read overflow) defeats it entirely
\end{itemize}
\item Stack order randomization
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Stack Canaries: Stack layout}
\begin{figure}
\centering
\includegraphics[width=6cm]{images/em_stack_layout2.png}
\end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Hardware-based}
\begin{itemize}
\item NX (no execute flag for pages)
\begin{itemize}
\item No Execute Flag for pages (PTE); Intel calls it XD, ARM calls it XN
\item Architectures: x86 (64-bit, or 32-bit only with PAE page tables), PPC, S390, ARM (some)
\item Stops execution of injected code; does not stop code reuse (return-to-libc, ROP)
\end{itemize}
\item MPX (Boundary Protection)
\begin{itemize}
\item Architecture: x86
\item high performance impact
\item test only
\item deprecated by Intel; support removed from GCC 9 and Linux v5.6
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{grsecurity}
\begin{itemize}
\item Security enhancement
\item Kernel patches (PaX)
\item Role-based access control
\item Thread isolation
\item Container isolation
\item BPF JIT enhancements
\item Return Address Protection (RAP, GCC plugin)
\end{itemize}
\end{frame}