Asia-24-Ye-One-Flip-Is-All.pdf

PDF, 37 pages, 4.49 MB

Black Hat Asia 2024 (#BHASIA, Black Hat Events)

One Flip is All It Takes: Identifying Syscall-Guard Variables for Data-Only Attacks

Speaker: Hengkai Ye, The Pennsylvania State University
Other contributors: Hong Hu, Song Liu, Zhechang Zhang

Slide 2: Team
- Hengkai Ye, Ph.D. student, Penn State University
- Song Liu, Ph.D. student, Penn State University
- Zhechang Zhang, Ph.D. student, Penn State University
- Hong Hu, Assistant Professor, Penn State University

Slides 3-5: Current exploit method: control-flow hijacking
- Memory-access primitives (arbitrary read, arbitrary write) corrupt control data (return address, function pointer) to hijack control flow (code injection, code reuse).
- Defenses: Code-Pointer Integrity, Control-Flow Integrity.
- Next-gen exploit method: data-only attack. The same primitives corrupt non-control data instead (Data-Oriented Programming, Block-Oriented Programming), which Code-Pointer Integrity and Control-Flow Integrity do not cover.

Slides 7-8: Data-only attack (Chen, Shuo, et al. "Non-control-data attacks are realistic threats." USENIX Security Symposium, Vol. 5, 2005)
- The CGI-BIN configuration string in Null httpd: the server loads the CGI-BIN configuration /usr/local/httpd/cgi-bin.
- A client sends POST /cgi-bin/calculator: /cgi-bin/ marks a CGI request and calculator is the executable name. The server searches for calculator in /usr/local/httpd/cgi-bin and runs it if found.
- What if the configuration string /usr/local/httpd/cgi-bin gets corrupted? A heap corruption overwrites CGI-BIN to /bin; the request POST /cgi-bin/sh with "rm /tmp/root-private-file" makes the server search for sh in /bin, run /bin/sh, and remove /tmp/root-private-file.

Slide 9: Data-only attacks in prior work
- Shuo Chen et al., USENIX Security '05: root privilege in the WU-FTPD server; critical data: seteuid(pw->pw_uid)
- Yang Yu, Black Hat USA '14: code execution in the IE browser; critical data: if (safemode & 0xB == 0) Turn_on_God_Mode()
- Bing Sun et al., Black Hat Asia '17: bypass Control Flow Guard in Windows; critical data: gIsCFGEnabled
- Moritz Jodeit et al., HITB GSEC '16: bypass EMET in Windows; critical data: EnableProtectionPtr

Slides 10-11: (exploit-method diagram repeated) Data-only attack? Control-Flow Integrity? The open question: how to automatically identify security-critical non-control data (critical data).

Slide 12: Spotting critical data is challenging
- Previous work:
  - Manual inspection: tedious human effort, not scalable
  - FlowStitch (USENIX Security '15): relies on explicit sources/sinks, e.g., the argument of setuid
  - KENALI (NDSS '16): relies on error codes in the Linux kernel
- Critical data has no common low-level properties (e.g., data type, memory location), and its high-level semantics are difficult to infer.

Slide 13: Our contribution
- Automatic identification of syscall-guard variables: branch force and corruptibility assessment
- A framework: VIPER
- 34 unknown syscall-guard variables from 13 programs
- 4 new data-only attacks on SQLite and V8
- Project URL: https:/ (truncated)

Slides 14-15: Motivating example (Chen, Shuo, et al., USENIX Security Symposium, Vol. 5, 2005)
- How to identify "authenticated"?
- Most data-only attacks rely on security-related syscalls.
- Security-related syscalls are often guarded by security checks.
- Syscall-guard branch: a security check implemented as a conditional branch.
- Syscall-guard variable: a variable used in a syscall-guard branch.
- VIPER: identify syscall-guard variables.

Slide 16: Does the syscall-guard variable matter?
- A = syscall arguments, C = syscall-guard variables
- 11 syscall arguments, 6 syscall-guard variables

Slide 17: Challenges
- Identify the sole contribution of each variable: symbolic execution can identify a complete path, but cannot tell which variables are more critical.
- Efficient and scalable analysis: static analysis has limitations (indirect calls, inter-procedural analysis, etc.).

Slide 18: Branch force: identify syscall-guard branches
- Flip every branch during execution.
- Hook syscalls to find newly invoked ones.
- If there are any, the flipped branch is a syscall-guard branch.
- (Diagram: input I, the original syscall set S, and the syscall sets S1, S2, ..., Sn observed after each flip.)

Slide 19: Corruptibility assessment
- Backward data-flow analysis: generate the data flow of the syscall-guard variables.
- Assessment, for each memory node in the data flow:
  - Metric 1: memory location (global, heap, stack)
  - Metric 2: number of memory-write instructions
- Assumption: every memory write could be abused.
- Components: BranchForcer, VariableRator

Slide 20: Workflow of VIPER
- Program -> LLVM IR.
- Record pass -> record binary. Record executes the program on the input and collects the original syscalls and branches (the execution trace).
- Flip pass -> flip binary. Flip executes and collects the new syscalls; branch, syscall and input are compared.
- Unique branch flipping: a forkserver saves the unique flipped branches.
- The execution trace is recorded at the LLVM IR level and execution is simulated from the recorded trace.
- Backward data-flow analysis yields the memory location and the number of memory-write instructions.
- Output: syscall-guard variable, with its branch, syscall, input and corruptibility.

Slide 21: Evaluation (setting)
- 20 programs: 9 with known data-only attacks (e.g., OpenSSH), 7 from FuzzBench (e.g., SQLite), 4 other well-tested programs (e.g., V8)
- Corpus: test cases in the source code repository, online corpus (e.g., the FuzzBench dataset), fuzzing with AFL++

Slide 22: Evaluation (identified syscall-guard variables)
- 36 syscall-guard variables from 14 programs (chart values 36 and 16; labels not recoverable)

Slide 23: Evaluation (exploitability investigation)
- Exploit construction: 4; CVE investigation; GDB emulation (chart; remaining values not recoverable)

Slide 24: Evaluation (time costs)
- We can combine VIPER with other tools for automatic exploit generation.

Slide 25: Case study: attacks on SQLite
- SQLite: the most widely deployed database engine; used in Android, iOS, Chrome, Safari, Opera
- VIPER result: 7 syscall-guard variables; 3 new data-only attacks on the top 3 syscall-guard variables:
  - p->doXdgOpen: arbitrary command execution (demo 1)
  - p->zTempFile: arbitrary file deletion (demo 2)
  - isDelete: arbitrary file deletion

Slide 26: Case study 1: command execution on SQLite
- How SQLite handles query results: print on stdout; save to a file (.output filename); edit before saving (.once -e / .once -x)
- How VIPER identified p->doXdgOpen: BranchForce flips if (p->doXdgOpen) and catches execve; VariableRator generates the data-flow graph for p->doXdgOpen and p->zTempFile

Slides 27-28: Case study 1: data-flow graphs of p->doXdgOpen and p->zTempFile (figures)

Slide 29: Case study 1: one memory bug to corrupt p->doXdgOpen and p->zTempFile
- CVE-2017-6983 (Kun Yang at Black Hat USA '17)
- Arbitrary write primitive; bypassing ASLR is feasible

Slide 30: Demo 1

Slide 31: Case study 2: file deletion on SQLite
- zTempFile is also used in other places.
- Flip if (p->zTempFile == 0) and catch unlink.
- Both the syscall-guard variable and the syscall argument are zTempFile: a one-shot exploit.

Slide 32: Demo 2

Slide 33: Case study 3: new attack on V8
- V8: the Chromium JavaScript engine; used in Google Chrome, Microsoft Edge, Opera, Node.js; 3,586 KLoC in the latest version
- VIPER result: 2 potential syscall-guard variables; 1 highly corruptible variable (location: global variable; memory-write instructions: 93,512,607)

Slide 34: Case study 3: our attack (CVE-2021-30632)
- Arbitrary read privilege; bypass ASLR; arbitrary write privilege; set options.enable_os_system to 1

Slide 35: Demo

Slide 36: Conclusion
- VIPER: automatically spotting syscall-guard variables for data-only attacks
- Design: branch force and corruptibility assessment
- Found 34 previously unknown syscall-guard variables
- Built 4 new data-only attacks on SQLite and V8
- Open source VIPER: https:/ (truncated)

Thank you. Questions? hengkai@psu.edu
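The branch-force and corruptibility-assessment steps above are easiest to understand on a program small enough to trace by hand. The following Python script is an added example written for this page; it is not VIPER's code (VIPER instruments LLVM IR of real binaries). It simulates the two stages on a constructed toy IR program, a login handler in the spirit of the WU-FTPD and Null httpd cases: every executed branch is flipped in its own run, syscalls are hooked by recording them, and a branch whose flip makes a new syscall appear is reported as a syscall-guard branch. The variable each such branch reads is then scored by the two slide metrics (memory region and number of memory-write instructions); the region weights, the sample program and the input are assumptions made here, not values from the talk.

```python
"""Toy simulation of VIPER's two stages on a tiny interpreted program:
branch force (flip each executed branch, hook syscalls, diff the syscall set)
and corruptibility assessment (memory region and memory-write count of each
syscall-guard variable).  Constructed example; not VIPER's own code."""

from dataclasses import dataclass, field

# Toy IR, one tuple per instruction:
#   ("store", region, var, value)      value: literal or ("input", key)
#   ("br", var, pc_if_true, pc_if_false)
#   ("syscall", name, arg_var_or_None)
#   ("exit",)
# Constructed login handler: only the `authenticated` check guards the
# privileged syscalls; the `verbose` branch only adds another write().
PROGRAM = [
    ("store", "global", "authenticated", 0),                   # 0
    ("store", "stack", "pw_uid", ("input", "uid")),            # 1
    ("store", "heap", "cgi_dir", "/usr/local/httpd/cgi-bin"),  # 2
    ("store", "stack", "pass_ok", ("input", "password_ok")),   # 3
    ("store", "stack", "verbose", ("input", "verbose")),       # 4
    ("br", "verbose", 6, 7),                                   # 5
    ("syscall", "write", None),                                # 6  banner
    ("br", "pass_ok", 8, 10),                                  # 7  password check
    ("store", "global", "authenticated", 1),                   # 8
    ("syscall", "write", None),                                # 9  "login ok"
    ("br", "authenticated", 11, 13),                           # 10 privilege gate
    ("syscall", "seteuid", "pw_uid"),                          # 11
    ("syscall", "execve", "cgi_dir"),                          # 12
    ("syscall", "write", None),                                # 13 "bye"
    ("exit",),                                                 # 14
]

# Constructed input: a failed login with the banner switched off.
SAMPLE_INPUT = {"uid": 1000, "password_ok": False, "verbose": False}


@dataclass
class Trace:
    syscalls: list = field(default_factory=list)  # (name, argument) in order
    branches: list = field(default_factory=list)  # pc of every executed br

    def syscall_names(self):
        return {name for name, _ in self.syscalls}


def execute(program, inputs, flip_pc=None, max_steps=1000):
    """Run the toy IR.  With flip_pc set, every execution of the branch at that
    pc takes the opposite direction (the 'flip pass').  Syscalls are hooked:
    they are recorded, never performed."""
    mem, trace, pc = {}, Trace(), 0
    for _ in range(max_steps):
        ins = program[pc]
        if ins[0] == "store":
            _, _region, var, val = ins
            mem[var] = inputs[val[1]] if isinstance(val, tuple) else val
            pc += 1
        elif ins[0] == "br":
            _, var, t_true, t_false = ins
            taken = bool(mem[var]) ^ (pc == flip_pc)
            trace.branches.append(pc)
            pc = t_true if taken else t_false
        elif ins[0] == "syscall":
            _, name, arg = ins
            trace.syscalls.append((name, mem[arg] if arg else None))
            pc += 1
        elif ins[0] == "exit":
            return trace
        else:
            raise ValueError(f"unknown op {ins[0]!r} at pc {pc}")
    raise RuntimeError("step limit exceeded")


def branch_force(program, inputs):
    """Record pass, then one flip pass per unique executed branch.  A branch is
    a syscall-guard branch when flipping it makes the program invoke a syscall
    the original run never invoked.  Returns {pc: (guard_var, new_syscalls)}."""
    base = execute(program, inputs)
    baseline = base.syscall_names()
    guards = {}
    for pc in sorted(set(base.branches)):        # unique branch flipping
        new = execute(program, inputs, flip_pc=pc).syscall_names() - baseline
        if new:
            guards[pc] = (program[pc][1], new)
    return guards


# Constructed weights for metric 1 (memory location): a global is reachable
# from more write primitives than a heap object, which beats a stack slot.
REGION_WEIGHT = {"global": 3, "heap": 2, "stack": 1}


def corruptibility(program, var):
    """Stand-in for VIPER's backward data-flow analysis: collect every
    memory-write instruction whose destination is `var` (the toy IR has no
    aliasing, so this is exact) and combine region weight with write count."""
    writes = [pc for pc, ins in enumerate(program)
              if ins[0] == "store" and ins[2] == var]
    region = max({program[pc][1] for pc in writes}, key=REGION_WEIGHT.get)
    return {"var": var, "region": region, "writes": len(writes),
            "score": REGION_WEIGHT[region] * len(writes)}


def rank_guard_variables(program, inputs):
    """Whole pipeline: branch force, then corruptibility, highest score first."""
    found = {var: corruptibility(program, var)
             for var, _ in branch_force(program, inputs).values()}
    return sorted(found.values(), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in rank_guard_variables(PROGRAM, SAMPLE_INPUT):
        print(row)
```

On the sample input the record pass sees only write(); flipping the `verbose` branch adds nothing new, while flipping either the password check or the `authenticated` gate makes seteuid() and execve() appear, so both `pass_ok` and `authenticated` are syscall-guard variables. The global `authenticated`, written by two instructions, ranks above the single-write stack slot `pass_ok`, which is the kind of ordering a defender would use to decide which variable deserves hardening first (for example, isolation or integrity checks on that global).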
