overflowing attack potential, scoring defence in-depth
DESCRIPTION
This presentation relates the Common Criteria attack potential calculation to the defence-in-depth techniques used to hinder the exploitation of buffer overflows.
TRANSCRIPT
![Page 1: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/1.jpg)
Overflowing Attack Potential
Scoring Defence-in-Depth
Javier Tallón Guerri
11ICCC - Turkey
![Page 2: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/2.jpg)
![Page 3: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/3.jpg)
![Page 4: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/4.jpg)
![Page 5: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/5.jpg)
1. Buffer overflows, a bit of background
2. Reviewing and bypassing defence-in-depth techniques
3. Impact in the CC
4. What to do?
![Page 6: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/6.jpg)
1. Buffer overflows, a bit of background
2. Reviewing and bypassing defence-in-depth techniques
3. Impact in the CC
4. What to do?
![Page 7: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/7.jpg)
1. Buffer overflows, a bit of background
• You know... the classic stack overflow:

```c
#include <string.h>

void foo(char *bar) {
    char c[12];
    strcpy(c, bar); /* no bounds checking: anything longer than 11 bytes plus NUL overflows c */
}

int main(int argc, char **argv) {
    if (argc > 1)
        foo(argv[1]);
    return 0;
}
```
![Page 8: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/8.jpg)
1. Buffer overflows, a bit of background
![Page 9: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/9.jpg)
1. Buffer overflows, a bit of background
![Page 10: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/10.jpg)
1. Buffer overflows, a bit of background
![Page 11: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/11.jpg)
1. Buffer overflows, a bit of background
• There are also heap and integer overflows…
![Page 12: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/12.jpg)
1. Buffer overflows, a bit of background
• Could lead to arbitrary code execution
![Page 13: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/13.jpg)
1. Buffer overflows, a bit of background
• Those were the old days…
• Very few problems for the attacker:
  • Null bytes
  • Shellcode size and other constraints
  • Shellcode development
![Page 14: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/14.jpg)
1. Buffer overflows, a bit of background
2. Reviewing defence-in-depth techniques
3. Impact in the CC
4. What to do?
![Page 15: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/15.jpg)
2. Reviewing defence-in-depth techniques
• Stack canaries approach:
  • The compiler places a value (the canary) between the local buffers and the saved return address when a function is called, and checks that the value has not changed when the function returns. A linear overflow that reaches the return address has to pass through the canary, so the corruption is detected before the overwritten address is used.
![Page 16: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/16.jpg)
2. Reviewing defence-in-depth techniques
• Bypassing stack canaries:
  • The implementation can be incorrect
  • It can be a statistical problem: if the canary value can be guessed or brute-forced (for instance when it is reused across forked children), the attacker overwrites it with itself
![Page 17: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/17.jpg)
2. Reviewing defence-in-depth techniques
• Bypassing stack canaries:
  • Windows: SEH overwriting (the exception handler record on the stack is corrupted and invoked before the function's canary check runs)
    • Protected by SafeSEH and so on…
  • Unix: other (more complex) techniques…
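The canary mechanism and the two bypass conditions above (a flawed implementation, or a value the attacker can guess), as an added example that is not part of the presentation: a C model of the compiler's check running over a byte array that stands in for the frame of foo() from section 1. The canary values, the return addresses and the frame layout are assumptions made for the example; the one real detail is that glibc's stack protector keeps the lowest canary byte at zero, which is what makes the strcpy-based rewrite fail even when the attacker knows the canary.

```c
/* Added example (not from the slides): a model of the check that the compiler's
 * stack protector inserts, run over a byte array standing in for a stack frame.
 * Frame layout, lowest address first (downward-growing stack, little-endian):
 *   [0..12)  char c[12]            the overflowed buffer
 *   [12..20) canary                placed by the compiler (values below are hypothetical)
 *   [20..28) saved return address  what the attacker wants to control
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    12
#define CANARY_OFF BUF_LEN
#define RET_OFF    (BUF_LEN + 8)
#define FRAME_LEN  (RET_OFF + 8)
#define GOOD_RET   0x401136u   /* hypothetical legitimate return address */
#define EVIL_RET   0x4011d0u   /* hypothetical attacker-chosen return address */

/* Hypothetical canary values. glibc keeps the lowest canary byte zero, so on
 * little-endian the first canary byte in memory is 0x00 (CANARY_WITH_NULL). */
const uint8_t CANARY_NO_NULL[8]   = {0x9d, 0x41, 0x7c, 0x33, 0xe2, 0x0b, 0x58, 0xa7};
const uint8_t CANARY_WITH_NULL[8] = {0x00, 0x41, 0x7c, 0x33, 0xe2, 0x0b, 0x58, 0xa7};

enum { FRAME_OK = 0, FRAME_CANARY_SMASHED = 1, FRAME_RET_OVERWRITTEN = 2 };

/* Prologue: zero the buffer, store the canary and a legitimate return address. */
static void frame_init(uint8_t *frame, const uint8_t canary[8]) {
    uint64_t ret = GOOD_RET;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, canary, 8);
    memcpy(frame + RET_OFF, &ret, 8);
}

/* Epilogue: the canary check; then, for the model, did the return address survive? */
static int frame_outcome(const uint8_t *frame, const uint8_t canary[8]) {
    uint64_t ret;
    if (memcmp(frame + CANARY_OFF, canary, 8) != 0) return FRAME_CANARY_SMASHED;
    memcpy(&ret, frame + RET_OFF, 8);
    return ret == GOOD_RET ? FRAME_OK : FRAME_RET_OVERWRITTEN;
}

/* The bug from foo(): strcpy semantics, copies up to and including the first NUL.
 * The copy is clamped to the model frame so the example itself stays in bounds. */
static void vuln_strcpy(uint8_t *frame, const char *bar) {
    size_t n = strlen(bar);
    if (n > FRAME_LEN - 1) n = FRAME_LEN - 1;
    memcpy(frame, bar, n);
    frame[n] = 0;
}

/* The same bug with a length-driven copy (memcpy/read-style): NUL bytes go through. */
static void vuln_memcpy(uint8_t *frame, const uint8_t *data, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, data, n);
}

/* Scenario 1: a blind overflow with 'A's. The canary is destroyed and the check fires. */
int scenario_blind_overflow(void) {
    uint8_t frame[FRAME_LEN];
    frame_init(frame, CANARY_NO_NULL);
    vuln_strcpy(frame, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return frame_outcome(frame, CANARY_NO_NULL);
}

/* Scenario 2: the attacker knows the canary (leak or brute force) and rewrites it
 * with itself, then the low bytes of EVIL_RET. Through strcpy this only works when
 * the canary contains no NUL: a leading 0x00 terminates the copy at the canary. */
int scenario_known_canary_strcpy(const uint8_t canary[8]) {
    uint8_t frame[FRAME_LEN];
    char payload[FRAME_LEN];
    const uint8_t evil_low[3] = {0xd0, 0x11, 0x40};  /* EVIL_RET little-endian; high bytes are already 0 */
    frame_init(frame, canary);
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + CANARY_OFF, canary, 8);
    memcpy(payload + RET_OFF, evil_low, 3);
    payload[RET_OFF + 3] = '\0';
    vuln_strcpy(frame, payload);
    return frame_outcome(frame, canary);
}

/* Scenario 3: same knowledge, but a length-driven copy. The NUL byte no longer helps. */
int scenario_known_canary_memcpy(const uint8_t canary[8]) {
    uint8_t frame[FRAME_LEN], payload[FRAME_LEN];
    uint64_t evil = EVIL_RET;
    frame_init(frame, canary);
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + CANARY_OFF, canary, 8);
    memcpy(payload + RET_OFF, &evil, 8);
    vuln_memcpy(frame, payload, FRAME_LEN);
    return frame_outcome(frame, canary);
}

int main(void) {
    static const char *names[] = {"ok", "canary smashed", "return address overwritten"};
    printf("blind overflow:               %s\n", names[scenario_blind_overflow()]);
    printf("known canary, strcpy, no NUL: %s\n", names[scenario_known_canary_strcpy(CANARY_NO_NULL)]);
    printf("known canary, strcpy, NUL:    %s\n", names[scenario_known_canary_strcpy(CANARY_WITH_NULL)]);
    printf("known canary, memcpy, NUL:    %s\n", names[scenario_known_canary_memcpy(CANARY_WITH_NULL)]);
    return 0;
}
```

Scenario 2 is the practical side of the "null bytes" constraint from section 1: a bug that copies a NUL-terminated string cannot reproduce a canary containing 0x00, whereas a length-driven copy (scenario 3) can, so the canary alone does not protect that code path and the other layers have to carry the weight.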
![Page 18: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/18.jpg)
2. Reviewing defence-in-depth techniques
• Non-eXecutable Stack approach:
  • Code is code and data is data: stack pages are mapped without execute permission, so shellcode injected on the stack cannot run
  • Widely deployed (hardware support, the NX/XD bit on x86, has been available since 2003-2004 and every mainstream operating system uses it)
![Page 19: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/19.jpg)
2. Reviewing defence-in-depth techniques
• Bypassing Non-eXecutable Stack:
  • Save the payload in the heap (or any other executable mapping)
  • Return into libc attacks: the return address is pointed at existing code such as system(), with the arguments laid out on the stack
![Page 20: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/20.jpg)
2. Reviewing defence-in-depth techniques
• 64-bit hardware resolves the problem:
  • On 64-bit machines (the x86-64 calling conventions) the first arguments are passed in registers, not on the stack
  • The classic return-into-libc attack, which supplies the arguments on the stack, is therefore not directly possible
![Page 21: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/21.jpg)
2. Reviewing defence-in-depth techniques
• 64-bit hardware resolves the problem? Not quite:
  • Borrowed Code Chunks or Return Oriented Programming: the attacker chains short existing instruction sequences ending in ret (for example one that pops a value into the argument register), so the arguments are loaded from attacker-controlled stack data after all
![Page 22: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/22.jpg)
2. Reviewing defence-in-depth techniques
![Page 23: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/23.jpg)
2. Reviewing defence-in-depth techniques
• ASLR (Address Space Layout Randomization) approach:
  • The code (and the stack, heap and libraries) is loaded at different memory addresses each time the program runs, so the attacker does not know where to return to
![Page 24: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/24.jpg)
2. Reviewing defence-in-depth techniques
• Bypassing ASLR:
  • It can be a statistical question: with few bits of entropy (typical on 32-bit systems) the right address can be brute-forced
![Page 25: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/25.jpg)
2. Reviewing defence-in-depth techniques
• Bypassing ASLR:
  • Maybe not all the libraries (or the main executable) are randomly loaded; a single non-randomized module is enough to return into
![Page 26: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/26.jpg)
2. Reviewing defence-in-depth techniques
• Mixed approach:
  • Standalone use of these techniques is not very useful
  • Technique A + Technique B → Better results
![Page 27: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/27.jpg)
2. Reviewing defence-in-depth techniques
• Non-eXecutable Stack + ASLR:
  • Make the return attacks very difficult: the attacker can neither run injected code nor reliably know the address of existing code
![Page 28: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/28.jpg)
2. Reviewing defence-in-depth techniques
• ASLR, NX Stack, Stack Canaries: each technique makes successful exploitation more difficult
![Page 29: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/29.jpg)
2. Reviewing defence-in-depth techniques
• There are more defence-in-depth techniques
• Attackers always develop techniques to bypass the new countermeasures
![Page 30: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/30.jpg)
2. Reviewing defence-in-depth techniques
![Page 31: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/31.jpg)
2. Reviewing defence-in-depth techniques
![Page 32: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/32.jpg)
1. Buffer overflows, a bit of background
2. Reviewing defence-in-depth techniques
3. Impact in the CC
4. What to do?
![Page 33: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/33.jpg)
3. Impact in the CC
• Overflow detected!
  • Unique characteristics
  • Unique exploit path
  • Base attack potential
![Page 34: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/34.jpg)
3. Impact in the CC
Buffer overflow detected → Base attack potential
Base attack potential × Defence-in-depth modifiers = Real attack potential
![Page 35: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/35.jpg)
3. Impact in the CC

| Defence-in-depth technique | Attack potential factor |
|---|---|
| Stack Canaries (Windows) | × 1.2 |
| Stack Canaries + SafeSEH (Windows) | × 1.3 |
| Non-eXecutable Stack | × 1.35 |
| ASLR | × 1.50 |
| Stack Canaries (Unix) | × 1.52 |
| NX Stack + ASLR | × 1.54 |
| NX Stack + ASLR + Stack Canaries (Windows) | × 1.62 |
| NX Stack + ASLR + Stack Canaries + SafeSEH (Windows) | × 1.66 |
| NX Stack + ASLR + Stack Canaries (Unix) | × 1.68 |
| … | … |
![Page 36: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/36.jpg)
1. Buffer overflows, a bit of background
2. Reviewing defence-in-depth techniques
3. Impact in the CC
4. What to do?
![Page 37: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/37.jpg)
4. What to do?
![Page 38: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/38.jpg)
4. What to do?
![Page 39: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/39.jpg)
4. What to do?
![Page 40: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/40.jpg)
4. What to do?
• Enable the defence-in-depth techniques whenever it is possible
  • Through the compiler
  • Through the Operating System
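An added example (not from the presentation) of checking, after the fact, that the compiler and the loader really applied the mitigations: a small C checker that reads the ELF64 headers of a binary and reports NX stack, PIE (a prerequisite for ASLR of the main executable) and the stack protector. With GCC the corresponding switches are -fstack-protector-strong, -fPIE -pie, and the non-executable stack that the linker marks by default unless -z execstack is requested. The constructed sample images below are header-only and not loadable; they exist only so the checker can be exercised offline. The stack-protector test is the same heuristic checksec-style tools use, looking for the __stack_chk_fail symbol name, so a stripped static binary can give a false negative.

```c
/* Added example (not from the slides): verify that a binary actually received the
 * mitigations the deck discusses by reading its ELF64 headers directly. Reports:
 *   nx_stack         PT_GNU_STACK present and without PF_X
 *   pie              e_type == ET_DYN (needed for ASLR of the main image)
 *   stack_protector  heuristic: the string "__stack_chk_fail" occurs in the file
 * Little-endian ELF64 only; field offsets are those of the ELF64 specification. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_GNU_STACK_T 0x6474e551u
#define PF_X_FLAG      0x1u
#define ET_EXEC_T      2
#define ET_DYN_T       3

struct mitigations { int nx_stack; int pie; int stack_protector; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns 0 and fills *out, or -1 if img is not a parsable little-endian ELF64 image. */
int elf64_mitigations(const uint8_t *img, size_t len, struct mitigations *out) {
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1) return -1;
    uint16_t e_type = rd16(img + 16);
    uint64_t e_phoff = rd64(img + 32);
    uint16_t e_phentsize = rd16(img + 54), e_phnum = rd16(img + 56);
    if (e_phentsize < 56) return -1;
    out->pie = (e_type == ET_DYN_T);
    /* No PT_GNU_STACK entry: the stack is not provably non-executable (older kernels
     * then default to an executable stack), so report 0 unless an entry says otherwise. */
    out->nx_stack = 0;
    for (uint16_t i = 0; i < e_phnum; i++) {
        uint64_t off = e_phoff + (uint64_t)i * e_phentsize;
        if (off + 8 > len) return -1;
        if (rd32(img + off) == PT_GNU_STACK_T)
            out->nx_stack = !(rd32(img + off + 4) & PF_X_FLAG);
    }
    out->stack_protector = contains(img, len, "__stack_chk_fail");
    return 0;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Constructed sample input: a header-only ELF64 image (not loadable) with a single
 * PT_GNU_STACK program header, so the checker can be exercised offline. */
size_t build_sample(uint8_t *buf, size_t cap, int exec_stack, int pie, int with_protector) {
    static const char sym[] = "__stack_chk_fail";
    size_t len = 64 + 56 + (with_protector ? sizeof sym : 0);
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;                  /* ELFCLASS64, little-endian, EV_CURRENT */
    wr16(buf + 16, pie ? ET_DYN_T : ET_EXEC_T);
    wr16(buf + 18, 62);                                  /* EM_X86_64 */
    wr64(buf + 32, 64);                                  /* program headers right after the header */
    wr16(buf + 52, 64); wr16(buf + 54, 56); wr16(buf + 56, 1);
    wr32(buf + 64, PT_GNU_STACK_T);
    wr32(buf + 68, 0x6u | (exec_stack ? PF_X_FLAG : 0)); /* PF_R|PF_W, plus PF_X if executable */
    if (with_protector) memcpy(buf + 120, sym, sizeof sym);
    return len;
}

/* Runs the checker on a constructed sample; returns nx | pie<<1 | protector<<2, or -1. */
int check_sample(int exec_stack, int pie, int with_protector) {
    uint8_t buf[256];
    struct mitigations m;
    size_t n = build_sample(buf, sizeof buf, exec_stack, pie, with_protector);
    if (n == 0 || elf64_mitigations(buf, n, &m) != 0) return -1;
    return m.nx_stack | (m.pie << 1) | (m.stack_protector << 2);
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <elf64-binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    uint8_t *img = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { fprintf(stderr, "cannot read %s\n", argv[1]); return 2; }
    fclose(f);
    struct mitigations m;
    if (elf64_mitigations(img, (size_t)sz, &m) != 0) { fprintf(stderr, "not a little-endian ELF64 image\n"); return 1; }
    printf("NX stack: %s\nPIE: %s\nStack protector: %s\n",
           m.nx_stack ? "yes" : "NO", m.pie ? "yes" : "NO", m.stack_protector ? "yes" : "NO");
    free(img);
    return 0;
}
```

Run it against the product binaries delivered for evaluation: the presentation's multipliers only apply when the corresponding technique is actually present in the shipped build, and a binary linked with -z execstack or built without -fPIE silently loses the NX or ASLR factor.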
![Page 41: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/41.jpg)
4. What to do?
![Page 42: Overflowing attack potential, scoring defence in-depth](https://reader033.vdocuments.us/reader033/viewer/2022052903/55758a14d8b42ae7708b4976/html5/thumbnails/42.jpg)
Thanks for your attention!
Javier Tallón
Epoche & Espri, S.L. Avda. de la Vega, 1, 28108 Alcobendas, Madrid, Spain.