OS Security
Security & Exploitation
Operating Systems, Fall 2014
RPISEC - 12/01/2014
whoami
• Markus Gaasedelen
  – B.S. Computer Science ’15
• Security Enthusiast
  – I like to hack things
• President of RPISEC
  – http://rpis.ec
RPISEC
• The Computer Security Club @ RPI
  – http://rpis.ec
• The leading authority on campus for any and all things computer security related
• We compete in hacking competitions known as CTFs (Capture The Flag) and we’re very good at them
• We teach cool and applicable security skills at our weekly meetings
  – 5-7pm Fridays, DCC 318
CSAW 2014 Finals
CSAW 2014 Awards
WHAT IS SECURITY?
let’s get rolling…
What is Security?
• Security == Hacking
  – ‘politically correct’
  – Cyber is the buzzword
• Very technical and rewarding challenges
• Rarely taught or talked about in school ):
• Many different categories of security
Categories of Security
• Cryptography
• Web Security
• Vulnerability Research
• Binary Exploitation
• Reverse Engineering
• Malware Analysis
• Systems Security
• Embedded Hardware Hacking
• Network Security
• Digital Forensics
• Physical Security
• Pentesting
• …
The kind of stuff I’ll talk about today (:
MEMORY CORRUPTION & BINARY EXPLOITATION
Binary Exploitation
• The simplest definition:
  – Leveraging bugs in an executable to cause unintended, controlled actions by an attacker
• Requires intimate knowledge of the language, compiler, and the machine
Bugs Are Everywhere
• C is a ‘low level’ language
  – Compiles straight to machine code (x86, ARM, etc)
    • Very fast
  – Very fine control over the machine and memory
    • It’s like driving a manual!
  – Easy to do stupid things
The Unexciting Languages
• Binary exploitation isn’t really a thing for managed or scripting languages
  – C#, .NET, JavaScript, Lua, Python, etc
• Slower, automate lots of stuff for you
  – Driving an automatic
WELCOME TO THE WARZONE
let’s dive right in and try breaking some stuff
warzone.rpis.ec
ssh username/password
intro01:intro01
Getting Started / Tips
• cd /levels
• ./intro01
  – AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
• python -c 'print "A"*20'
• gdb ./intro01
  – run
• In GDB:
  – info functions
  – info registers
    • i r
  – disassemble <function>
    • disas main
  – breakpoint <function>
    • b main
  – breakpoint * <address>
    • b * 0x08048455
Stack Overview
• The stack is a region of memory for a program to maintain function variables and stuff during execution
• This is main()’s stack (shown in the slide diagram)
[Diagram slides: Understanding the Stack / Corrupting the Stack / PWNING the Stack]
Endianness
• Endianness – How data is stored in memory
• Modern computers are generally little endian
  – ‘little end in’: the least significant byte sits at the lowest address
• Endianness can be confusing, and I don’t want to get into the details
  – 0x41424344 stored as 0x44, 0x43, 0x42, 0x41
  – 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde
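Here is an added example in C (not from the slides) that makes the two byte orders concrete: it serializes a 32-bit value both ways, reads back the raw bytes the running machine actually stores (what gdb's x/4xb would show), and detects the host's byte order from that. The function names are chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serialize a 32-bit value as little endian ("little end in"):
 * the least significant byte goes to the lowest address. */
void to_le_bytes(uint32_t v, uint8_t out[4]) {
    out[0] = (uint8_t)(v & 0xff);
    out[1] = (uint8_t)((v >> 8) & 0xff);
    out[2] = (uint8_t)((v >> 16) & 0xff);
    out[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Big endian: most significant byte first, the order you read the hex in. */
void to_be_bytes(uint32_t v, uint8_t out[4]) {
    out[0] = (uint8_t)((v >> 24) & 0xff);
    out[1] = (uint8_t)((v >> 16) & 0xff);
    out[2] = (uint8_t)((v >> 8) & 0xff);
    out[3] = (uint8_t)(v & 0xff);
}

/* Parse little-endian bytes back into a value (inverse of to_le_bytes). */
uint32_t from_le_bytes(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Copy the raw in-memory representation of v. Unlike the two functions
 * above, the result depends on the machine this runs on. */
void native_bytes(uint32_t v, uint8_t out[4]) {
    memcpy(out, &v, 4);
}

/* 1 if this machine stores the low byte first (x86 does). */
int host_is_little_endian(void) {
    uint8_t raw[4];
    native_bytes(0x01020304u, raw);
    return raw[0] == 0x04;
}

/* Hex dump helper for the demo below. */
static void dump(const char *label, const uint8_t b[4]) {
    printf("%-30s %02x %02x %02x %02x\n", label, b[0], b[1], b[2], b[3]);
}

int main(void) {
    uint8_t le[4], be[4], raw[4];
    to_le_bytes(0x41424344u, le);
    to_be_bytes(0x41424344u, be);
    native_bytes(0x41424344u, raw);
    dump("0x41424344 little endian:", le);      /* 44 43 42 41 */
    dump("0x41424344 big endian:", be);         /* 41 42 43 44 */
    dump("0x41424344 as stored here:", raw);    /* machine dependent */
    to_le_bytes(0xdeadbeefu, le);
    dump("0xdeadbeef little endian:", le);      /* ef be ad de */
    printf("this host is %s endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

The point for exploit writing and for reading crash dumps is the same: an address you type as 0xdeadbeef has to go into memory as ef be ad de, which is why the intro01 payload on the next slide spells it backwards.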
Intro01 Exploit
(python -c 'print "A"*64 + "\xef\xbe\xad\xde"'; cat) | ./intro01
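The payload above works because the program copies attacker-controlled input into a fixed-size stack buffer without checking its length. The following C program is an added example, not intro01's source (the slides do not show it) and not RPISEC's code: it puts a constructed unsafe strcpy() pattern next to a bounded copy that refuses input which does not fit, which is the fix a developer would apply. NAME_LEN, greet_unsafe, copy_bounded, greet_safe and max_accepted_len are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

/* VULNERABLE: the pattern behind a classic stack smash. strcpy() stops at
 * the NUL terminator of src, not at the end of dst, so any input of
 * NAME_LEN or more bytes runs past name[] into whatever the compiler laid
 * out above it (saved registers and the return address). Kept here only
 * for comparison; it is never called in this program. */
void greet_unsafe(const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);            /* no length check at all */
    printf("hello, %s\n", name);
}

/* HARDENED: copy only what fits, and tell the caller when the input was
 * too long instead of silently truncating or overflowing.
 * Returns 0 on success, -1 if src does not fit (dst is left empty). */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) return -1;
    if (n >= dst_len) {           /* need room for the terminator too */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the NUL */
    return 0;
}

/* Same behaviour as greet_unsafe on good input, an error on bad input. */
int greet_safe(const char *src) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, src) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

/* Probe: the longest run of 'A's copy_bounded accepts into a NAME_LEN
 * buffer. Expected NAME_LEN - 1 = 63, the 64th byte being the NUL. */
size_t max_accepted_len(void) {
    char probe[NAME_LEN + 8], dst[NAME_LEN];
    size_t len;
    for (len = 0; len + 1 < sizeof probe; len++) {
        memset(probe, 'A', len);
        probe[len] = '\0';
        if (copy_bounded(dst, sizeof dst, probe) != 0)
            return len - 1;       /* last length that was accepted */
    }
    return len;
}

int main(void) {
    char line[256];
    if (!fgets(line, sizeof line, stdin))   /* fgets is itself bounded */
        return 1;
    line[strcspn(line, "\n")] = '\0';       /* drop the trailing newline */
    printf("longest accepted name: %zu bytes\n", max_accepted_len());
    return greet_safe(line) == 0 ? 0 : 1;
}
```

Note that the hardened version does not rely on the compiler's stack cookies or on a crash to notice the problem: it rejects the oversized input before any copy happens, so there is nothing for a stack smash to corrupt.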
UNDERSTANDING CONTROL FLOW
Bend it like Beckham
Example ELF / EXE in Memory
[Diagram slides: the 32-bit process address space from 0x00000000 (start of memory) to 0xFFFFFFFF (end of memory). From low to high addresses: the ELF executable (.text segment = executable code, starting at 0x08048000; .data segment), the heap, libraries (libc), and the stack, whose top is at 0xbfff0000. The slides then step EIP through the executable code in the .text segment.]
How Calling Works
[Diagram slides: EIP stepping into a called function]
Returning
[Diagram slides: EIP stepping back to the caller when the function returns]
OWNING CONTROL FLOW
Now that you know how it works …
Stack Smashing
[Diagram slides: the overflowing buffer overwrites the stack frame above it]
Returning
Returning home
[Diagram: EIP → SEGFAULT at 0x41414141]
“If your program simply segfaulted, consider yourself lucky.”
-Chuck Stewart
Redirecting Control Flow
[Diagram: EIP ← overwrite with a code address]
warzone.rpis.ec
SSH in as intro02
use the password you got from solving intro01
Modern Protections
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Stack Cookies (Canaries)
• Stack Rearrangement
• Read Only Relocation (RELRO)
• FORTIFY_SOURCE
• These only make things harder, not impossible
  – Take MBE if you want to know more about these
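To show what one of these protections, the stack cookie, actually does, here is an added model in C. It is not compiler or glibc code; struct frame, init_cookie, prologue, vulnerable_copy, epilogue_check, run_with_input and stack_protector_on are names made up for the demo, and 0x08048455 is reused from the gdb example earlier as a stand-in return address. The frame is modelled as a struct so that the overrun stays inside one object and the program is well-defined; a real smash is undefined behaviour. The model also covers the "no cookies" case mentioned for the ChatServer demo, where an overrun that reaches the saved return address goes unnoticed until ret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a frame compiled with -fstack-protector: the buffer sits
 * lowest, the cookie right above it, the saved return address above that.
 * A copy that runs off the end of buf must trample the cookie before it
 * can reach saved_ret. sizeof(struct frame) is 24 with no padding. */
struct frame {
    char     buf[16];
    uint32_t cookie;      /* the stack canary */
    uint32_t saved_ret;   /* stands in for the real return address */
};

enum outcome { RET_OK = 0, RET_ABORTED = 1, RET_HIJACKED = 2 };

static uint32_t cookie_value;   /* process-wide secret, set once at start */
int stack_protector_on = 1;     /* 0 models a binary built without cookies */

/* Choose the cookie. glibc takes it from the kernel's random bytes; the
 * demo derives it from a seed so runs are reproducible. The low byte is
 * zeroed, as glibc does, so str* copies stop at it. */
void init_cookie(uint32_t seed) {
    cookie_value = (seed * 2654435761u) & 0xffffff00u;
}

/* Function prologue: stash the cookie in the frame. */
void prologue(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = cookie_value;
    f->saved_ret = 0x08048455u;   /* placeholder "return address" */
}

/* The bug: an unchecked copy of len bytes into buf. Clamped to the struct
 * only so the model itself stays well-defined. */
void vulnerable_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);          /* may overrun buf into cookie and saved_ret */
}

/* Function epilogue: the comparison done before ret. 1 = intact. */
int epilogue_check(const struct frame *f) {
    return f->cookie == cookie_value;
}

/* Run the model once and report what would happen at the function's end. */
int run_with_input(const char *src, size_t len) {
    struct frame f;
    prologue(&f);
    vulnerable_copy(&f, src, len);
    if (stack_protector_on && !epilogue_check(&f))
        return RET_ABORTED;       /* __stack_chk_fail(): abort, no ret */
    if (f.saved_ret != 0x08048455u)
        return RET_HIJACKED;      /* ret would jump to 0x41414141 */
    return RET_OK;                /* no corruption reached the return address */
}

int main(void) {
    char payload[sizeof(struct frame)];        /* constructed input: all 'A' */
    size_t lens[] = { 15, 17, 24 };
    const char *names[] = { "returns normally",
                            "abort: stack smashing detected",
                            "returns into 0x41414141" };
    memset(payload, 'A', sizeof payload);
    init_cookie(0x1234u);
    for (int pass = 0; pass < 2; pass++) {
        stack_protector_on = (pass == 0);
        printf("stack protector %s\n", stack_protector_on ? "on" : "off");
        for (size_t i = 0; i < 3; i++)
            printf("  %2zu bytes copied: %s\n", lens[i],
                   names[run_with_input(payload, lens[i])]);
    }
    return 0;
}
```

Two things to take from the output: with the cookie in place a 17-byte copy is already caught before the function returns, and with the cookie absent a 20-byte copy that stops short of the return address is not caught by anything at all, which is the "consider yourself lucky" case from the quote above.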
LET’S TRY SOMETHING REAL(ER)
Those were only educational challenges
CHATSERVER V3
Courtesy of Goldschmidt
ChatServer V3
• From NetProg (CSCI-4220)
• 32bit Linux Exploitation
• Vulnerable to a stack smash
  – Compiler’s stack cookies save the day
• I’ll be demoing without cookies, not exploitable otherwise ):
CHATSERVER V3 – DEMO
Courtesy of Goldschmidt
CSAW 2014 LINKS.EXE
Windows 8.1 Exploitation (x64)
links.exe
• Challenge from the CSAW 2014 CTF Finals
• 64bit Exploitation on Windows 8.1
• Basically all protections are on by default
• No source, lots of reversing :0
reversing is tedious
CSAW 2014 LINKS.EXE - DEMO
Windows 8.1 Exploitation (x64)
CSAW 2014 Finals
Wrapping up Binary Exploitation
• You might consider yourself a rockstar programmer, but you probably know nothing about secure coding practices or the implications of your mistakes
• Compilers go out of their way to prevent your bugs from causing catastrophic failure
• Just because your program doesn’t appear to segfault or crash doesn’t mean it is bug free or without vulnerabilities
• Binary exploitation is nothing like standard software development - I truly think of it as an art
JOB OPPORTUNITIES
welcome to the real world
…so…many…jobs…
• Typical titles / positions
  – Information Security Analyst / Engineer
  – Security Software Engineer
  – Vulnerability Research Engineer
  – Web Application Security Engineer
  – Computer Network Operations
  – Threat & Incident Response Engineer
  – Product Security Reverse Engineer
  – Malware Analyst / Reverse Engineer
  – …
Entering the Job Market
• There are so few qualified security individuals, companies are totally starved ):
• Skilled in security & have a B.S. in CS?
  – Government, Contractors, FFRDCs
    • $70k – $90k+
  – Private / Commercial
    • $100k – ??
• Anything less and you’re missing out
MODERN BINARY EXPLOITATION
Coming Soon - Spring 2015
Modern Binary Exploitation
• An official class developed by RPISEC
• http://rpis.ec/binexp
• Class cap is raised to 50!
  – Thank Goldschmidt & Stewart for getting us an awesome room that seats 50+, Walker 5113
  – General registration re-opens December 8th
• Tuesday/Friday 2-4pm, Spring 2015
• DON’T MISS THIS!
  – ZERO guarantee it’ll ever be offered again
Questions?
• [email protected]
• security.cs.rpi.edu/~gaasem
• @gaasedelen
• irc.rpis.ec 6667