CS457 – Introduction to Information Systems Security: Software 3 (lecture slides)
Elias Athanasopoulos, CS-457

Software Exploitation – High Level
Vulnerable software (e.g., a web browser)
  <- Input: a malicious web page
  -> Renders the malicious page, which carries the exploit code
  -> Exploit runs: collect gadgets -> build ROP chain -> execute ROP chain
  -> Introduces new control flows that the program never had
  -> HACKED

How does the ROP chain work? Use %esp as the instruction pointer

  ROP chain (attacker data, on the stack)     TEXT section (code)
  Addr. of G1  --------------------------->   G1; ret
  Addr. of G2  --------------------------->   G2; ret
  Addr. of G3  --------------------------->   G3; ret
  ...
  Addr. of GN  --------------------------->   GN; ret

Each gadget ends in ret, which pops the next address off the stack and jumps to it, so %esp advances through the chain the way %eip advances through ordinary code: the attacker's sequence of addresses becomes the program.

Heap Overflows

Memory layout (high address -> low address): Stack | Heap | Data | Text

Vulnerability: a heap overflow corrupts an object's VTable pointer.
  (*)f()  -- the next virtual call goes through the corrupted pointer
  -> Jump to gadget G1: "...; ret"

Attacker does NOT control the stack! When G1's ret executes, %esp still points at the legitimate stack, so it pops whatever is there rather than the address of G2, and the chain stops after the first gadget.

Stack Pivoting

Memory layout (high address -> low address): Stack | Heap | Data | Text

Vulnerability: corrupted VTable pointer, as before.
  (*)f()
  -> Jump to gadget G1: "xchg %eax,%esp; ret"

Stack pivoting: G1 swaps %eax and %esp, forcing %esp to point to the heap, i.e. to the attacker-controlled buffer whose address is in %eax. The ret then pops the first chain entry from the heap, and the rest of the ROP chain executes exactly as it would on the stack.
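The three slides above (chain on the stack, heap-only control, pivot) as one runnable program. This is an added example, not code from the slides: the "gadgets" are whole C functions that end in ret rather than instruction tails found in existing code, the pivot gadget is the slide's xchg %eax,%esp; ret written for 64-bit registers, and the chain is placed in a malloc'd buffer and entered through a hijacked indirect call. It assumes x86-64 Linux with GCC or Clang; all function and variable names, and the demo-only "pivot back" gadget that hands the real stack back so the program can exit cleanly, are inventions of this example.

```c
/* Added example, not code from the slides: a ROP chain placed on the heap and
 * started through a hijacked indirect call plus the slide's stack-pivot gadget.
 * Requires x86-64 Linux with GCC or Clang; the slides use 32-bit %eax/%esp,
 * this demo uses %rax/%rsp. Gadget names and the trace buffer are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) && defined(__linux__)

/* The gadgets append to this so we can observe the order the chain imposed. */
static char   rop_trace[32];
static size_t rop_trace_len;

/* Three ordinary functions stand in for "G1; ret", "G2; ret", "G3; ret".
 * Once %rsp points into the attacker's buffer, each ret pops the NEXT chain
 * entry instead of a genuine return address. */
__attribute__((used, noinline)) void gadget_g1(void) { rop_trace[rop_trace_len++] = '1'; }
__attribute__((used, noinline)) void gadget_g2(void) { rop_trace[rop_trace_len++] = '2'; }
__attribute__((used, noinline)) void gadget_g3(void) { rop_trace[rop_trace_len++] = '3'; }

/* Legitimate stack pointer at hijack time; demo-only, so the chain can hand
 * control back instead of crashing when it runs out of entries. */
uintptr_t rop_saved_rsp;

/* gadget_pivot is the slide's "xchg %eax,%esp; ret" in 64-bit form.
 * gadget_pivot_back is demo-only glue (a real chain would end in a call to
 * system() or mprotect()+shellcode, not in a polite return). */
__asm__(".pushsection .text\n"
        ".globl gadget_pivot\n"
        "gadget_pivot:\n"
        "    xchg %rax, %rsp\n"
        "    ret\n"
        ".globl gadget_pivot_back\n"
        "gadget_pivot_back:\n"
        "    mov rop_saved_rsp(%rip), %rsp\n"
        "    ret\n"
        ".popsection\n");
void gadget_pivot(void);
void gadget_pivot_back(void);

/* Models the vulnerable virtual call "(*)f()" after the vtable pointer has been
 * corrupted: %rax holds an attacker-chosen pointer (the heap buffer) and the
 * call target has been replaced by the pivot gadget. */
static void hijacked_virtual_call(void (*target)(void), uintptr_t *fake_stack)
{
    __asm__ volatile(
        "sub   $128, %%rsp\n\t"       /* stay below the red zone */
        "lea   -8(%%rsp), %%rax\n\t"  /* where 'call' will push its return address */
        "mov   %%rax, %[saved]\n\t"
        "mov   %[chain], %%rax\n\t"   /* attacker-controlled register (%eax on the slides) */
        "call  *%[target]\n\t"        /* lands on xchg %rax,%rsp; ret: the chain takes over */
        "add   $128, %%rsp\n\t"       /* gadget_pivot_back returns here */
        : [saved] "=m"(rop_saved_rsp)
        : [chain] "r"(fake_stack), [target] "r"(target)
        : "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11", "memory", "cc");
}

/* Builds the heap-resident chain, runs it, and returns the order in which the
 * gadgets ran. Returns NULL where the demo cannot run. */
const char *run_heap_rop_demo(void)
{
    enum { SLACK = 32, CHAIN_LEN = 8 };
    /* Attacker-controlled heap object. Gadget frames (push %rbp, locals) grow
     * downward from the chain, so leave scratch space below it. */
    uintptr_t *heap = calloc(SLACK + CHAIN_LEN, sizeof *heap);
    if (!heap) return NULL;
    uintptr_t *chain = heap + SLACK;
    size_t i = 0;
    chain[i++] = (uintptr_t)gadget_g1;         /* Addr. of G1 */
    chain[i++] = (uintptr_t)gadget_g2;         /* Addr. of G2 */
    chain[i++] = (uintptr_t)gadget_g3;         /* Addr. of G3 */
    chain[i++] = (uintptr_t)gadget_g2;         /* gadgets may repeat in any order */
    chain[i++] = (uintptr_t)gadget_pivot_back; /* demo-only: give the real stack back */

    rop_trace_len = 0;
    memset(rop_trace, 0, sizeof rop_trace);
    hijacked_virtual_call(gadget_pivot, chain);
    free(heap);
    return rop_trace;
}

#else
/* The pivot needs x86-64 inline assembly; elsewhere report "unsupported". */
const char *run_heap_rop_demo(void) { return NULL; }
#endif

int main(void)
{
    const char *order = run_heap_rop_demo();
    printf("gadgets ran in order: %s\n", order ? order : "(unsupported platform)");
    return 0;
}
```

Build with `cc -O0 rop_pivot.c -o rop_pivot` (or -O2; the gadgets work either way because entering a function through ret leaves %rsp inside the attacker's buffer). Note the scratch space below the chain: a gadget's own push %rbp lands just below the entry that was just consumed, which is why a real pivot target needs writable memory beneath the chain, not only the chain itself.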

Defending ROP

Randomization

- ASLR (Address Space Layout Randomization): randomize the base address of each module, of the stack and of the heap, so the gadget addresses in a pre-built chain are wrong.
- Fine-grained randomization: "Smashing the Gadgets" (Pappas et al., 2012) and "Binary Stirring" (Wartell et al., 2012) also randomize the code layout inside each module, so knowing one module base is not enough.

ASLR (demo)

Fine-grained Randomization

Shuffle instructions without changing the program's semantics: the code still computes the same thing, but the byte sequences an attacker found by scanning an offline copy of the binary are no longer at the expected addresses, or no longer form the same gadgets.

Information Disclosure Bugs

String formatting bugs:

    #include <stdio.h>

    int main(void)
    {
        char localStr[100];
        printf("Username? ");
        fgets(localStr, sizeof(localStr), stdin);
        printf(localStr);              /* BUG: user input is used as the format string */
        printf("What is the access code? ");
        …
    }

With input such as

    localStr = "AAAA %08x %08x %08x";

printf looks for three arguments that were never passed and prints the next three words of the stack instead: a memory disclosure that gives the attacker addresses to work with.
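To see exactly why that input leaks three words, here is a small scanner for printf-style format strings, added as an example (it is not code from the slides): it reports how many variadic arguments a format would consume and whether it contains %n, which turns the read into a write. The slide's bug and its one-line fix are included beside it; all function names are invented.

```c
/* Added example, not code from the slides: a scanner for printf-style format
 * strings that reports how many variadic arguments a format would consume and
 * whether it contains %n. "AAAA %08x %08x %08x" asks printf for three
 * arguments that were never passed, so printf reads the next three stack
 * words instead. Function names are invented. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fmt_report {
    int  max_arg;    /* highest argument position the format would read */
    bool has_n;      /* %n present: printf would write to memory, not just read it */
    bool malformed;  /* dangling '%' or unknown conversion */
};

static void note_arg(struct fmt_report *r, int idx)
{
    if (idx > r->max_arg) r->max_arg = idx;
}

/* Walks every conversion: %%, positional "%7$", flags, '*' width and precision
 * (each '*' consumes an extra argument), length modifiers, then the conversion. */
struct fmt_report scan_format(const char *fmt)
{
    struct fmt_report r = { 0, false, false };
    int next_seq = 0;                       /* next sequential argument index */
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }   /* literal percent */
        int pos = 0;
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (q != p && *q == '$') { pos = atoi(p); p = q + 1; }   /* positional argument */
        while (*p && strchr("-+ #0'", *p)) p++;                  /* flags */
        if (*p == '*') { p++; note_arg(&r, ++next_seq); }         /* width taken from an argument */
        else while (isdigit((unsigned char)*p)) p++;
        if (*p == '.') {
            p++;
            if (*p == '*') { p++; note_arg(&r, ++next_seq); }     /* precision taken from an argument */
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlqjzLt", *p)) p++;                 /* length modifiers */
        if (!*p) { r.malformed = true; break; }
        char conv = *p++;
        if (!strchr("diouxXeEfFgGaAcspn", conv)) { r.malformed = true; continue; }
        if (conv == 'n') r.has_n = true;
        note_arg(&r, pos ? pos : ++next_seq);
    }
    return r;
}

/* Gate for a format that genuinely has to come from outside (a config file or
 * message catalogue): reject anything that reads past the arguments actually
 * passed, or that can write through %n. */
bool format_is_safe(const char *fmt, int args_supplied)
{
    struct fmt_report r = scan_format(fmt);
    return !r.malformed && !r.has_n && r.max_arg <= args_supplied;
}

/* The slide's bug and its fix, side by side. */
void echo_vulnerable(const char *localStr) { printf(localStr); }        /* input IS the format */
void echo_fixed(const char *localStr)      { printf("%s", localStr); }  /* input is only an argument */

int main(void)
{
    const char *localStr = "AAAA %08x %08x %08x";   /* the slide's input */
    struct fmt_report r = scan_format(localStr);
    printf("\"%s\" reads %d stack word(s) it was never given; %%n present: %s\n",
           localStr, r.max_arg, r.has_n ? "yes" : "no");
    echo_fixed(localStr);    /* prints the string itself, leaks nothing */
    putchar('\n');
    return 0;
}
```

The scanner also handles the forms exploit writers actually use: "%7$p" reads the seventh argument directly without printing the first six, and "%*d" silently consumes two arguments. Compilers flag the vulnerable call with -Wformat-security (or -Wformat-nonliteral); the fix is always to pass user data as an argument, never as the format.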

Just-in-time ROP

With a memory disclosure bug the attacker no longer needs to know the code layout in advance: the exploit reads the (randomized) code pages at run time, finds gadgets in them, and assembles the ROP chain on the fly, which defeats fine-grained randomization as well as ASLR.

Control-Flow Integrity (CFI)

Ideal CFI

Every indirect control transfer (indirect call, indirect jump, return) is checked at run time against the program's control-flow graph (CFG); a transfer to a target the CFG does not allow is aborted.

Two problems:
1) CFG discovery (especially in legacy applications, where there is no source code to derive a precise CFG from)
2) Performance of the checks

Coarse-grained (loose) CFI

Instead of the exact CFG, enforce a few cheap rules that need no precise graph, e.g. a return may only go to an address immediately following a call, and an indirect call may only go to a function entry point.

Gadgets under CFI

Linking Gadgets under CFI

Exploitation under CFI

Run-time ROP detection (kBouncer)

kBouncer

kBouncer Checks

- Call-ret pairing (coarse-grained CFI): every return recorded in the CPU's last-branch record must target a call-preceded address, i.e. the instruction right after a call.
- Heuristics: a run of up to 20 instructions ending in an indirect branch is considered a gadget; 6 gadgets in a row is considered an attack.
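The two checks above, and the coarse-grained CFI rule from the "Coarse-grained (loose) CFI" slide, written out as code and run over a constructed branch record. This is an added example, not code from the slides or from kBouncer itself: the addresses, the code map (what a disassembler would report about each branch target) and the four traces are invented, and the thresholds are the slide's (a gadget is at most 20 instructions, 6 gadgets in a row is an attack). The last trace shows the shape that the later "Bypassing kBouncer" slides are about: call-preceded gadgets only, with a long gadget inserted after every five short ones.

```c
/* Added example, not code from the slides or from kBouncer: the call-ret
 * pairing check (coarse-grained CFI) and the gadget-chain heuristic, run over
 * a constructed last-branch record. All addresses, the code map and the traces
 * are invented; the thresholds are the slide's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GADGET_MAX_INSNS 20   /* up to 20 instructions is considered a gadget */
#define GADGET_CHAIN_LEN  6   /* 6 gadgets in a row is considered an attack */
#define LBR_DEPTH        16   /* entries in the CPU's last-branch record */

/* What the check needs to know about a branch target; kBouncer obtains it by
 * disassembling the bytes around the address. */
struct site {
    uintptr_t addr;
    bool call_preceded;           /* the bytes just before addr decode as a call */
    int  insns_to_next_indirect;  /* straight-line instructions from addr to the next indirect branch */
};

/* One LBR entry: an indirect branch that executed and where it went. */
struct branch { uintptr_t from, to; bool is_ret; };

enum verdict { KB_OK, KB_RET_NOT_CALL_PRECEDED, KB_GADGET_CHAIN, KB_UNKNOWN_TARGET };

static const struct site *lookup(const struct site *map, size_t n, uintptr_t a)
{
    for (size_t i = 0; i < n; i++) if (map[i].addr == a) return &map[i];
    return NULL;
}

/* Inspect the last LBR_DEPTH branches, as kBouncer does when the program
 * enters the kernel. */
enum verdict kbouncer_check(const struct branch *lbr, size_t n,
                            const struct site *map, size_t nmap)
{
    int run = 0;   /* consecutive targets that look like gadgets */
    for (size_t i = n > LBR_DEPTH ? n - LBR_DEPTH : 0; i < n; i++) {
        const struct site *t = lookup(map, nmap, lbr[i].to);
        if (!t) return KB_UNKNOWN_TARGET;
        /* Check 1, call-ret pairing: a ret may only land right after a call. */
        if (lbr[i].is_ret && !t->call_preceded) return KB_RET_NOT_CALL_PRECEDED;
        /* Check 2, heuristic: too many short runs ending in indirect branches. */
        if (t->insns_to_next_indirect <= GADGET_MAX_INSNS) {
            if (++run >= GADGET_CHAIN_LEN) return KB_GADGET_CHAIN;
        } else {
            run = 0;   /* a long run resets the counter */
        }
    }
    return KB_OK;
}

/* Constructed code map (all addresses invented). */
static const struct site MAP[] = {
    { 0x401010, true,  120 },  /* normal return site inside a long function */
    { 0x401200, true,   90 },  /* another normal return site */
    { 0x402000, false,   3 },  /* classic gadget, mid-function: pop %rdi; ret */
    { 0x402010, false,   2 },  /* classic gadget: pop %rsi; ret */
    { 0x403000, true,    4 },  /* call-preceded gadget: short run right after a call */
    { 0x403020, true,    5 },  /* another call-preceded gadget */
    { 0x404000, true,   35 },  /* long call-preceded gadget, more than 20 instructions */
};
#define NMAP (sizeof MAP / sizeof MAP[0])
#define LEN(t) (sizeof (t) / sizeof (t)[0])

/* Ordinary execution: returns land after calls, long runs in between. */
enum verdict scenario_benign(void)
{
    const struct branch t[] = { {0x4010f0, 0x401010, true}, {0x4012c0, 0x401200, true},
                                {0x4010f0, 0x401010, true}, {0x4012c0, 0x401200, true} };
    return kbouncer_check(t, LEN(t), MAP, NMAP);
}

/* Classic ROP: rets into the middle of functions. Check 1 fires on the first entry. */
enum verdict scenario_plain_rop(void)
{
    const struct branch t[] = { {0x402002, 0x402000, true}, {0x402002, 0x402010, true},
                                {0x402012, 0x402000, true}, {0x402002, 0x402010, true} };
    return kbouncer_check(t, LEN(t), MAP, NMAP);
}

/* Only call-preceded gadgets: check 1 passes, but six short runs trip check 2. */
enum verdict scenario_call_preceded_rop(void)
{
    const struct branch t[] = { {0x403004, 0x403000, true}, {0x403025, 0x403020, true},
                                {0x403004, 0x403000, true}, {0x403025, 0x403020, true},
                                {0x403004, 0x403000, true}, {0x403025, 0x403020, true} };
    return kbouncer_check(t, LEN(t), MAP, NMAP);
}

/* Call-preceded gadgets with a long gadget after every five short ones: both
 * checks pass, which is the shape of the published bypasses. */
enum verdict scenario_padded_rop(void)
{
    const struct branch t[] = { {0x403004, 0x403000, true}, {0x403025, 0x403020, true},
                                {0x403004, 0x403000, true}, {0x403025, 0x403020, true},
                                {0x403004, 0x403000, true}, {0x404023, 0x404000, true},
                                {0x403004, 0x403000, true}, {0x403025, 0x403020, true},
                                {0x403004, 0x403000, true}, {0x403025, 0x403020, true},
                                {0x403004, 0x403000, true}, {0x404023, 0x404000, true} };
    return kbouncer_check(t, LEN(t), MAP, NMAP);
}

int main(void)
{
    static const char *names[] = { "ok", "ret not call-preceded", "gadget chain", "unknown target" };
    printf("benign: %s\nplain ROP: %s\ncall-preceded ROP: %s\npadded ROP: %s\n",
           names[scenario_benign()], names[scenario_plain_rop()],
           names[scenario_call_preceded_rop()], names[scenario_padded_rop()]);
    return 0;
}
```

The two limits this exposes are the ones the bypass work exploits: check 1 only knows "after a call", not "after the call that started this frame", and check 2 only counts lengths, so one gadget of 21 or more instructions between every five short ones keeps the counter below the threshold.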

kBouncer Heuristics

Bypassing kBouncer

kBouncer bypass PoC