Dobin 0x51_ExploitMitigations.pdf


File details

Flashcards 19
Language English
Category Computer science
Level University
Created / Updated 24.06.2019 / 28.06.2020
Web link
https://card2brain.ch/box/20190624_dobin_0x51exploitmitigations_pdf

What exploit mitigations do you know?

  • (ASCII Armor)
  • Stack Canary
  • ASLR [Address Space Layout Randomization]
    • PIE [Position Independent Executable]
  • DEP [Data Execution Prevention]

What can you do to write secure code?

  • Use secure libraries
  • Perform static analysis of the source code
  • Perform dynamic analysis of the running program
  • Fuzz the input vectors
  • Have a secure development lifecycle (SDL)
  • Do manual source code reviews

What two types of protection can be put in place?

  • Compile-time protection (chosen by whoever builds the program: developer or distribution packager)
  • Runtime protection (enforced by the kernel/loader; configured by the sysadmin)

What is required to create an exploit?

  • Executable shellcode
    • aka "hacker instructions"
  • The distance from the buffer to the SIP (Stored Instruction Pointer)
    • the offset for the overflow, i.e. how many bytes to write before the return address is reached
  • The address of the shellcode
    • in the memory of the target process, to be written over the SIP

Name two compile time mitigations.

 Compile time mitigations:

  • Stack canaries
  • PIE


Name some runtime mitigations.

Runtime mitigations:

  • ASLR
  • DEP
  • ASCII Armor

Where is the stack canary located on the stack?

The stack canary sits between the local variables (buffers) and the control data, i.e. at a lower address than the SFP/SBP (Stored Frame Pointer / Stored Base Pointer) and the SIP (Stored Instruction Pointer). A buffer that overflows upwards towards the SIP therefore has to overwrite the canary first.

What does DEP stand for and what does it do?

DEP (Data Execution Prevention)

DEP makes the stack (and other data regions) non-executable.

What does DEP (Data Execution Prevention) do?

Memory regions 

  • Are mapped with permissions
  • Like files
    • R Read
    • W Write
    • X eXecute

DEP (Data Execution Prevention) removes the X bit from memory regions that do not contain code

  • Stack
  • Heap
  • (Possibly others)

What happens if the EIP/RIP (Instruction Pointer) points into the stack or the heap when DEP (Data Execution Prevention) is active?

When the program tries to fetch instructions from the heap or the stack, the CPU raises a page fault on the non-executable page and the kernel kills the process with a segmentation fault (SIGSEGV).
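The following is an added example, not part of the card deck: it reproduces the card's claim by copying a six-byte stub (assumed x86-64 machine code for `mov eax, 42 ; ret`) into an anonymous page, then jumping to that page once with the X bit removed (DEP on) and once with it kept. A SIGSEGV handler turns the fault into a return value so both outcomes can be observed in one run. The names `run_stub_with_prot`, `dep_blocks_execution` and `no_dep_allows_execution` are this example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed "shellcode": x86-64 machine code for `mov eax, 42 ; ret`.
   It only returns 42 on an x86-64 host; other CPUs decode it as garbage. */
static const unsigned char kStub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

int stub_matches_host(void)
{
#if defined(__x86_64__)
    return 1;
#else
    return 0;
#endif
}

static sigjmp_buf g_fault_env;

/* Any fault raised while executing the page lands here: an NX violation is
   delivered as SIGSEGV (SIGBUS on some platforms); garbage bytes give SIGILL. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(g_fault_env, 1);
}

/* Copy the stub into a fresh anonymous page, set that page to `prot`, then
   jump to it. Returns 42 if the CPU ran the stub, 0 if the jump faulted
   (what DEP/NX does when RIP points into a page without the X bit) and
   -1 if the mapping could not be set up. */
int run_stub_with_prot(int prot)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, kStub, sizeof kStub);          /* the "upload" of the payload */
    if (mprotect(mem, page, prot) != 0) {      /* keep or drop the X bit      */
        munmap(mem, page);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    int result;
    if (sigsetjmp(g_fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)mem;  /* RIP -> data page */
        result = fn();
    } else {
        result = 0;                                        /* fault was caught */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    munmap(mem, page);
    return result;
}

/* The two cases from the card: a writable but non-executable page (DEP on)
   and a page that still carries the X bit. */
int dep_blocks_execution(void)    { return run_stub_with_prot(PROT_READ | PROT_WRITE); }
int no_dep_allows_execution(void) { return run_stub_with_prot(PROT_READ | PROT_WRITE | PROT_EXEC); }

int main(void)
{
    printf("RW  page: %d (0 = fault caught, DEP did its job)\n", dep_blocks_execution());
    printf("RWX page: %d (42 = stub ran)\n", no_dep_allows_execution());
    return 0;
}
```

On a hardened system (SELinux `execmem` denied, W^X-enforcing kernels) the RWX mapping is refused outright and the second call reports -1 rather than 42: the policy prevents the page from ever becoming executable instead of catching the jump.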

What is the stack canary and what are other names for it?

Other names:

  • Stack Protector
  • SSP: Stack Smashing Protector
  • Stack Cookie
  • Stack Canary

The stack canary is a secret value placed in front of the control data (SIP [Stored Instruction Pointer], SFP/SBP [Stored Frame/Base Pointer]).

This value is unknown to the attacker.

It is checked before performing a "ret" (return)

  • i.e. before the SIP (Stored Instruction Pointer) is used; if the value has changed, the program aborts instead of returning
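As an added example (not from the card deck), the frame below models the layout the cards describe, buffer then canary then SFP then SIP, and runs the check that the compiler emits before `ret` against three constructed payloads: one that fits the buffer, one that smashes straight through, and one where the attacker already knows the canary. The struct, the canary value and the saved SFP/SIP values are this example's own assumptions; a real compiler frame may add padding or reorder locals.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one stack frame, lowest address first:
   local buffer -> canary -> saved frame pointer -> saved instruction pointer. */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t sfp;
    uint64_t sip;
};

/* glibc on x86-64 forces the lowest byte of the canary to 0x00, so in memory
   (little-endian) the canary starts with a NUL and strcpy-style overflows
   cannot copy past it intact. The other 56 bits are random. */
uint64_t make_canary(uint64_t random_bits) { return random_bits & ~(uint64_t)0xff; }

/* Hypothetical values, assumed for the demo only. */
#define DEMO_CANARY  make_canary(0x1122334455667788ULL)
#define ORIGINAL_SIP 0x0000000000401136ULL
#define ORIGINAL_SFP 0x00007ffd1234abc0ULL

enum check_result { RET_OK, STACK_SMASHING_DETECTED };

/* Simulates "copy attacker bytes into buf, then run the canary check that
   sits right before `ret`". len is attacker-controlled; it is capped at the
   frame size only so the model itself stays within defined behaviour.
   *sip_out receives the address `ret` would jump to if the check passed. */
enum check_result overflow_then_check(const unsigned char *payload, size_t len,
                                      uint64_t *sip_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = DEMO_CANARY;
    f.sfp    = ORIGINAL_SFP;
    f.sip    = ORIGINAL_SIP;

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, payload, len);        /* the overflow runs buf -> canary -> sfp -> sip */

    if (sip_out)
        *sip_out = f.sip;
    /* this comparison is what __stack_chk_fail() is built around */
    return f.canary == DEMO_CANARY ? RET_OK : STACK_SMASHING_DETECTED;
}

/* Build a payload of `len` 0x41 ('A') bytes. With knows_canary set, the
   attacker (who leaked the value, e.g. through a format-string bug) writes
   the correct canary back into its slot so the check passes. */
enum check_result attack(size_t len, int knows_canary, uint64_t *sip_out)
{
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 0x41, sizeof payload);
    if (knows_canary) {
        uint64_t c = DEMO_CANARY;
        memcpy(payload + offsetof(struct frame, canary), &c, sizeof c);
    }
    return overflow_then_check(payload, len, sip_out);
}
```

The third case is the practical caveat: the canary detects an overwrite, not control of the SIP. Once the value leaks, the same contiguous overflow passes the check and `ret` uses the attacker's 0x4141414141414141.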

Is the stack protector (stack canary) active by default?

The stack protector was first introduced as a

  • GCC patch in 1997 (StackGuard)

The last major improvement came from Google in 2012 (-fstack-protector-strong, shipped with GCC 4.9)

It has been enabled by default for a long time in

  • most distributions
  • most packages

When does the stack protector (stack canary) change?

The stack protector (stack canary) changes:

  • On execve()
    • (replaces the current process image with an ELF file from disk; the new process gets a fresh canary)
  • It does NOT change on fork()
    • (the child is a copy of the current process and keeps the parent's canary)

What does ASLR stand for and what does it do?

ASLR = Address Space Layout Randomization

ASLR introduces randomness into the placement of memory regions.

ASLR randomizes where in memory the stack, the heap and the shared libraries (and, for a PIE binary, the executable itself) are placed.

What are the restrictions of ASLR?

  • Mappings have to be page aligned: 4096 bytes = 12 bits, so the low 12 bits of an address are never randomized
  • Very restricted address space on 32-bit (x86)
    • ~ 8 bits of randomness for the stack (256 possibilities), so brute force is feasible
  • Much more space on x64
    • ~ 22 bits for the stack

When is ASLR (Address Space Layout Randomization) applied?

  • ASLR is only applied on execve() [execve = execute a new program; the kernel builds a fresh address space]
  • Not applied on fork() [fork = copy; the child inherits the parent's layout]
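The two cards above (canary and ASLR are both fixed at execve(), not at fork()) can be checked directly. The program below is an added example, not from the deck: it records a stack address, the address of a function in the binary, a heap chunk, a libc function and the live canary, then fork()s and takes the same snapshot in the child. The child is a copy, so every value matches. Reading the canary from `%fs:0x28` is glibc's x86-64 Linux layout; on other targets this example reports 0 for it. Running the binary twice shows the other half of the claim, since each execve() gets a new layout and a new canary.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct layout {
    uintptr_t stack;   /* a local variable          (stack mapping)        */
    uintptr_t text;    /* this function             (binary, PIE or not)   */
    uintptr_t heap;    /* a malloc'd chunk          (heap mapping)         */
    uintptr_t libc;    /* puts() from the C library (shared library)       */
    uint64_t  canary;  /* the stack-protector value                        */
};

/* glibc on x86-64 Linux keeps the canary in TLS at %fs:0x28.
   Other targets: reported as 0 (this demo's assumption). */
static uint64_t read_canary(void)
{
#if defined(__x86_64__) && defined(__linux__)
    uint64_t v;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(v));
    return v;
#else
    return 0;
#endif
}

/* Call from the same stack depth in parent and child so the stack
   address is comparable. */
static void snapshot(struct layout *l)
{
    volatile int local = 0;
    void *chunk = malloc(64);
    l->stack  = (uintptr_t)&local;
    l->text   = (uintptr_t)&snapshot;
    l->heap   = (uintptr_t)chunk;
    l->libc   = (uintptr_t)&puts;
    l->canary = read_canary();
    free(chunk);
}

/* fork(), snapshot on both sides, and return how many of the five values
   differ. Because ASLR and the canary are only assigned at execve(), the
   child is a byte-for-byte copy and the answer is 0. -1 on system error. */
int values_changed_by_fork(void)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    struct layout parent, child;
    snapshot(&parent);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        snapshot(&child);                               /* same frame depth as above */
        if (write(fd[1], &child, sizeof child) != (ssize_t)sizeof child)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child)
        return -1;

    int changed = 0;
    changed += parent.stack  != child.stack;
    changed += parent.text   != child.text;
    changed += parent.heap   != child.heap;
    changed += parent.libc   != child.libc;
    changed += parent.canary != child.canary;
    return changed;
}

int main(void)
{
    struct layout l;
    snapshot(&l);
    /* run this twice: every line changes between runs (execve), none changes across fork */
    printf("stack %#lx  text %#lx  heap %#lx  libc %#lx  canary %#llx\n",
           (unsigned long)l.stack, (unsigned long)l.text, (unsigned long)l.heap,
           (unsigned long)l.libc, (unsigned long long)l.canary);
    printf("values changed by fork(): %d\n", values_changed_by_fork());
    return 0;
}
```

This is also why forking servers are the weak spot for both mitigations: every worker has the same canary and the same layout, so an attacker who can crash workers can brute-force one byte at a time and the server keeps handing out fresh, identical copies.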

What does ASCII Armor do?

ASCII Armor:

  • Maps the shared libraries to memory addresses that contain a null byte (the lowest 16 MB of the address space, 0x00xxxxxx, so the top byte of every library address is 0x00)

Why null bytes?

  • In C, the null byte is the string terminator
  • strcpy, strcat, strncpy, sprintf all stop copying at the first null byte

This means the addresses of the libraries cannot be placed in the middle of an overflow payload, because they contain a null byte: strcpy and the other string functions stop copying at that byte and nothing after it is delivered.
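The card's claim, demonstrated as an added example that is not part of the deck: a 32-bit model of the stack above a vulnerable buffer, overwritten through strcpy() with a classic ret2libc payload (address of system(), a return address for system(), a pointer to "/bin/sh"). The layout, the marker value and the addresses are this example's assumptions. It also shows the caveat a practitioner should know: strcpy() writes one terminating NUL itself, so a single armored address placed at the very end of the payload still lands; what the armor prevents is anything after it, such as the argument that system() needs.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit model of the stack just above a vulnerable buffer, as a
   classic ret2libc payload wants it:
   buf | SIP -> system() | return address for system() | pointer to "/bin/sh" */
struct target {
    char     buf[16];
    uint32_t sip;          /* overwritten with the address of system() */
    uint32_t ret_after;    /* where system() returns to, e.g. exit()   */
    uint32_t arg;          /* system()'s argument: pointer to "/bin/sh" */
    uint32_t above;        /* whatever lies above; absorbs strcpy's terminator */
};

#define UNTOUCHED 0xdeadbeefu   /* marker: slot not reached by the overflow */

/* Little-endian encode one 32-bit address into a byte buffer. */
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Build the payload the attacker wants to deliver, push it through strcpy()
   into the model frame and count how many of the three control slots end up
   holding the intended value. strcpy stops at the first 0x00 byte, writes
   that NUL itself, and leaves everything behind it untouched. */
int slots_controlled_via_strcpy(uint32_t system_addr, uint32_t ret_after,
                                uint32_t binsh_ptr)
{
    unsigned char wanted[16 + 3 * 4 + 1];
    memset(wanted, 'A', 16);                 /* filler up to the SIP */
    put32(wanted + 16, system_addr);
    put32(wanted + 20, ret_after);
    put32(wanted + 24, binsh_ptr);
    wanted[28] = '\0';

    struct target t;
    memset(t.buf, 0, sizeof t.buf);
    t.sip = t.ret_after = t.arg = t.above = UNTOUCHED;

    /* the bug: unbounded strcpy into the 16-byte buffer (stays inside the
       40-byte struct, so the model itself is well defined) */
    strcpy((char *)&t, (const char *)wanted);

    int controlled = 0;
    controlled += (t.sip       == system_addr);
    controlled += (t.ret_after == ret_after);
    controlled += (t.arg       == binsh_ptr);
    return controlled;
}
```

With libc at a non-armored address such as 0xb7e4f2a0 all three slots arrive and system("/bin/sh") is reachable; with libc armored at 0x00123456 only the SIP is set (the terminator doubles as its top byte) and system() runs with whatever garbage was already in the argument slot.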

In short, what do the stack canary, DEP, ASLR and ASCII Armor do?

Stack canary: detects stack buffer overflows that overwrite the control data, before the corrupted SIP is used

DEP: makes it impossible to execute uploaded code (data pages are not executable)

ASLR: makes it hard to locate code and data, because the attacker no longer knows the addresses in advance

ASCII Armor: makes it impossible to insert certain data (library addresses containing a null byte) via string functions

At what level do ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and the Stack Canary work?

ASLR (Address Space Layout Randomization): system level (kernel/loader, applies to every process)

DEP (Data Execution Prevention): system level (CPU NX bit plus kernel page permissions, applies to every process)

Stack Canary: per program, decided at compile time (a third-party binary only has it if its vendor compiled with the stack protector)