Julian Cohen, HockeyInJune@isis.poly.edu, THOTCON 0x2… (slide transcript)
Capture The Flag competition
Application Security
Worldwide
http://csawctf.poly.edu/
http://www.poly.edu/csaw
Insecure platform
Too much attack surface
Outdated software
We don't want to get owned!
Linux
Bugs exist in code
Anything that has attack surface is vulnerable
Exploitation cost can be manipulated
Make it really fucking hard to land an exploit
Memory Corruption
Integer Manipulation
Uncontrolled Format String
Memory Mismanagement
Race Condition
Smashing the Stack
Return To Library
Return Oriented Programming
Global Offset Table Overwrite
Use After Free
-D_FORTIFY_SOURCE=2
Bounds checking on dangerous function calls
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
http://isisblogs.poly.edu/?p=205
-Wformat -Wformat-security -Werror=format-security
Uncontrolled format string detection
http://gcc.gnu.org/onlinedocs/gcc-4.6.0/gcc/Warning-Options.html
Stack canaries
-fstack-protector-all
Push word onto stack before return address
http://gcc.gnu.org/onlinedocs/gcc-4.6.0/gcc/Optimize-Options.html
No eXecute bit
Prevents data from being treated as code
Requires hardware and kernel support
http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield
http://pax.grsecurity.net/
Shared libraries are compiled PIC
-fpic -fPIC -shared
http://gcc.gnu.org/onlinedocs/gcc-4.6.0/gcc/Code-Gen-Options.html#Code-Gen-Options
http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
http://www.gentoo.org/proj/en/hardened/pic-internals.xml
http://www.gentoo.org/proj/en/hardened/pic-guide.xml
Address Space Layout Randomization
Stack, heap and libraries are loaded at random addresses at runtime
kernel.randomize_va_space = 2
http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield
http://pax.grsecurity.net/
Binaries can be compiled PIE
-pie -fpie
http://gcc.gnu.org/onlinedocs/gcc-4.6.0/gcc/Code-Gen-Options.html#Code-Gen-Options
http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
Global Offset Table Overwrite
.got is always mapped at the same memory location
The GOT is dynamically updated during runtime
An attacker can overwrite GOT entries
RELocation Read-Only
-Wl,-z,relro,-z,now
Internal sections (.got, .dtors, .dynamic) are mapped before other sections and mapped read-only
The dynamic linker resolves all symbols at start
Colloquially known as RELRO
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html
grsecurity kernel patch
PaX
http://grsecurity.net/
http://pax.grsecurity.net/
checksec.sh
paxtest
http://www.trapkit.de/tools/checksec.html
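A minimal checksec-style check, added here as an example and not part of the talk or of checksec.sh: it reads the ELF64 program headers to report NX, PIE and RELRO, three of the protections the slides cover. `parse_elf64`, `checksec`, `build_elf64` and the `HARDENED`/`LEGACY` fixtures are constructed for this example; canaries, FORTIFY and full RELRO need the symbol table and dynamic section and are not checked.

```python
import struct
import sys

# ELF64 constants from the ELF specification / Linux ABI
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474e551, 0x6474e552
PF_X = 0x1

def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = [struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    return e_type, phdrs

def checksec(data):
    """Report NX, PIE and RELRO the way checksec.sh's columns do."""
    e_type, phdrs = parse_elf64(data)
    flags_by_type = dict(phdrs)
    # NX: the kernel honours PT_GNU_STACK; a missing header or PF_X means an executable stack
    nx = PT_GNU_STACK in flags_by_type and not flags_by_type[PT_GNU_STACK] & PF_X
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,                 # also true for shared libraries (-fPIC -shared)
        "RELRO": PT_GNU_RELRO in flags_by_type,  # partial RELRO; full RELRO also needs DT_BIND_NOW
    }

def build_elf64(e_type, phdrs):
    """Constructed minimal ELF64 image (header + program headers, no code) for offline testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, EV_CURRENT, SYSV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body

# Constructed fixtures: a PIE linked with -z relro vs. a legacy executable with an executable stack
HARDENED = build_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])  # PF_R|PF_W, PF_R
LEGACY = build_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])                      # PF_R|PF_W|PF_X

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(checksec(f.read()))
```

Run it on a real binary (`python3 elfcheck.py /path/to/binary`) to compare against `checksec.sh`; the fixtures only exercise the header logic.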
Memory Disclosure
Locations of randomized sections are secret
If an attacker can obtain a piece of memory, an attacker can calculate the random offset
| Exploitation technique | Protection | Bypass |
|---|---|---|
| Stack Smashing | Stack Canary | Stack Canary Bypass, Heap Exploitation |
| Heap Exploitation | No eXecute Bit | Return To Library |
| Return To Library | Position Independent Code / Address Space Layout Randomization | Global Offset Table Overwrite |
| Global Offset Table Overwrite | RELocation Read-Only | Return Oriented Programming |
| Return Oriented Programming | Position Independent Executable | Memory Disclosure |
Actually, no. Our protections are based on exploits that leverage known memory locations.
But we achieved something: a weaponized vulnerability for a release version of software we used would not land.
Make it really fucking hard to land an exploit
Protected from Jon Oberheide
Make it really fucking hard to land an exploit
Protected from @SecureTips
Thanks Jon Oberheide Dan Guido Brandon Edwards Dino Dai Zovi
Alex Sotirov Erik Cabetas Paolo Soto Stephen Ridley
Mike Zusman Kelly Lum Marcin W. Aaron Portnoy
Amber Baldet Shyama Rose Mark Dowd Peter Silberman
Chris Wysopal Zane Lackey Brian Holyfield Joe Hemler
Boris Kochergin Luis Garcia Efstratios Gavas Michael Aiello
Jon Tomek Ben Nell Zack Fasel M. Jakubowski
Beckie Mossman Apneet Jolly Leigh Hollowell Phil Da Silva
Jeff Jarmoc Mario Heiderich Kevin Nassery Justin Clarke
Nicholas Percoco Dug Song Dave Goldsmith Matthieu Suiche
Zach Lanier Spencer Pratt Colin Ames Raphael Mudge
Hugo Fortier Leigh Honeywell Dean De Beer Chris Valasek
Shawn Moyer Barnaby Jack Ron Gutierrez Rafal Los
NECCDC Red Team Dr. Raid Dual Core Tamari Kirtadze
SophSec PainSec MOBiLEDiSCO busticati.org