Memory Attack - The Memory Attack Techniques
1. The Rise and Fall of The Memory Attack Techniques
05. 26. Ubuntu Fest
Kim Seong Min
2. Speaker Info
Name : Kim Seong Min
Occupation : University student
Class year : 16 (young!)
Specialty : President of ARGOS
Hobby : Hacking (cool!)
3. - Research Areas
System / Network Security
Reverse Engineering Mobile Applications
macOS / iOS Kernel Security
- TMI
Favorites : Drinking Alcohol…🤪, Playing Games
My first “hello, world!” : 3 years ago
Wanna be an offensive security researcher :D
4. Table of Contents
Period 1 : What is a memory attack?
Period 2 : Let’s hit the stack
Period 3 : The evolution of spear and shield
Period 4 : Q&A
5. What is a memory attack?
- Memory Bugs and Attack
- Segmentation Fault
- Types of Memory Bugs
- Types of Memory Attack
6. Memory Attack
The flower of system hacking (memory attack ⊂ system hacking)
Attack : Trigger a vulnerability (Exploit)
To write whatever I want, anywhere I want
7. Memory Bugs and Attack
Memory Bugs (Errors) != Memory Attack
Every vulnerability is a bug,
but not every bug is exploitable (maybe…?)
[2014 CodeEngn Conference 10] 심준보 - “급전이 필요합니다” (I need money urgently)
8. Memory Bugs
Typically occur because of unsafe languages (e.g. C, C++, …), which
- allow low-level memory access
- allow weakly enforced typing
- use explicit memory management
Also cause a segmentation fault sometimes
9. Segmentation Fault
The OS is notified that the software has attempted to access a restricted area of memory
Good news for hackers (or, you):
some of those memory errors are exploitable!
11. Types of Memory Bugs
Dangling pointer : de-referencing a pointer to freed memory (use-after-free)
[pwnable.kr - Toddler’s Bottle] uaf, 8pt
12. Types of Memory Attack
- Code corruption
- Control-flow hijack
- Data-only
- Information leak
“Eternal War in Memory”, published in the IEEE S&P Symposium, 2013
13. Types of Memory Attack : Control-flow hijack
A. Barresi, “Fighting the War in Memory”, 2014
14. Types of Memory Attack : Information leak
e.g. a leaked canary value (security-critical information)
The leaked output data still has to be interpreted by the reader
17. Memory Layout Overview : TEXT (CODE) segment
Layout, low -> high : TEXT (code) | DATA (global variables) | BSS | HEAP (dynamic allocation) | … | STACK (functions, temporary data, etc.)
- The program’s executable code lives here
- It holds the machine instructions
18. Memory Layout Overview : DATA & BSS segments
Layout, low -> high : TEXT (code) | DATA (global variables) | BSS | HEAP (dynamic allocation) | … | STACK (functions, temporary data, etc.)
- Global variables, static variables, etc.
- DATA : initialized data
- BSS : uninitialized data
20. Memory Layout Overview : STACK segment
Layout, low -> high : TEXT (code) | DATA (global variables) | BSS | HEAP (dynamic allocation) | … | STACK (functions, temporary data, etc.)
- Local variables
- Temporary values
- The segment we will look at from now on
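As an added example (not code from the deck), this C program places one object in each region the layout slides draw and checks that their addresses run low to high in the order TEXT < DATA < BSS < HEAP < STACK; it assumes the usual Linux/ELF process layout with a brk-style heap.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* One object per region from the slide. Assumes the usual Linux/ELF layout:
   TEXT < DATA < BSS < HEAP < STACK when read low -> high. */
int g_initialized = 1;             /* DATA: initialized global */
int g_uninitialized;               /* BSS : zero-initialized global */
static void text_marker(void) {}   /* TEXT: a function's address lies in the code segment */

/* Collect one address from each region; the heap object is freed before
   returning, so only its numeric address is kept. */
static void sample_addresses(uintptr_t a[5]) {
    int stack_local = 0;                            /* STACK: local of this frame */
    int *heap_obj = malloc(sizeof *heap_obj);       /* HEAP : dynamic allocation */
    a[0] = (uintptr_t)(void *)text_marker;
    a[1] = (uintptr_t)&g_initialized;
    a[2] = (uintptr_t)&g_uninitialized;
    a[3] = (uintptr_t)heap_obj;
    a[4] = (uintptr_t)&stack_local;
    free(heap_obj);
}

/* Returns 1 if the five regions sit in the order the slide draws them, else 0. */
int layout_matches_slide(void) {
    uintptr_t a[5];
    sample_addresses(a);
    if (a[3] == 0) return 0;                        /* malloc failed */
    return a[0] < a[1] && a[1] < a[2] && a[2] < a[3] && a[3] < a[4];
}

int main(void) {
    const char *name[5] = { "TEXT", "DATA", "BSS", "HEAP", "STACK" };
    uintptr_t a[5];
    sample_addresses(a);
    for (int i = 0; i < 5; i++)
        printf("%-5s 0x%016" PRIxPTR "\n", name[i], a[i]);
    printf("order matches slide: %s\n", layout_matches_slide() ? "yes" : "no");
    return 0;
}
```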
21. Stack Memory
Standard Stack Frame of a function
Diagram, low -> high : local buffer holding 0x41414141, 0x42424242, 0x43434343, 0x00444444, 0x00000000 | SFP | RET
22. Stack Memory
RETurn address? (RET)
Diagram : main does “call func1”, func1 does “call func2”; each “ret” goes back to the RET saved by the caller
Stack, low -> high : func2 Stack Frame | func1 Stack Frame | main Stack Frame
23. Stack Memory
Stack Frame Pointer? (SFP)
Diagram, low -> high : func’s stack frame (marked 0xFFFFD56C) holding 0x41414141, 0x42424242, 0x43434343, 0x00444444, 0x00000000 | SFP (0xFFFFD588) | RET, followed by main’s stack frame (marked 0xFFFFD588, where func’s SFP points) with its own SFP | RET
24. Basic Stack-based Attack
Buffer Overflow
- Overruns the buffer’s boundary
- Overwrites adjacent memory locations
- First described in October, 1972
(Computer Security Technology Planning Study)
Diagram : every slot of the frame, including SFP and RET, has been overwritten with 0x41414141
25. Basic Stack-based Attack
Control-flow hijack with BOF : Call ‘evil’ function
Trigger bug : jump to vuln() function
Diagram : buffer filled with 0x41414141 | SFP = 0x41414141 | RET = 0x08048486
26. Basic Stack-based Attack
Control-flow hijack with BOF : Execute shellcode
Diagram : buffer filled with 0x41414141 | SFP = 0x41414141 | RET = &shellcode
Shellcode (0x6850c031, 0x68732F2F, …) placed somewhere in memory : the set of instructions that executes a shell
28. NX Stack and Canaries
Non eXecutable Stack (1997)
- Prevent executing code in specific areas (e.g. stack, heap)
- W^X (on BSD), DEP (on Windows)
- Text (Code) segment is non-writable; Stack (Heap) segment is non-executable
Diagram : RET points at the shellcode (0x6850c031, 0x68732F2F, …) on the stack, which is no longer executable : crash‼
29. NX Stack and Canaries
NX in GDB (Stack is not executable)
30. NX Stack and Canaries
Stack Canary (1998)
- Place specific patterns called ‘canaries’ between the stack variables and the return address
- Designed to detect stack BOF
- Cheap and powerful
- Bypass using information leak
Diagram : buffer 0x41414141 | canary | 0x41414141 | 0x41414141 | RET -> shellcode (0x6850c031, 0x68732F2F, …); the overwritten canary is detected : crash‼
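As an added example covering both the buffer overflow slides (24 to 26) and the canary slide, not code from the deck: a struct models the frame as drawn (buffer, canary, SFP, RET), an unchecked copy shows 0x41 bytes walking into the canary and then RET, a bounded copy refuses oversized input, and the canary check plays the role of __stack_chk_fail. The canary constant is constructed; the SFP/RET start values are the ones on the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The frame as the slides draw it, low -> high: buffer, canary, SFP, RET. */
struct frame { char buf[16]; uint32_t canary; uint32_t sfp; uint32_t ret; };

#define CANARY_VALUE 0x5ac3e100u   /* constructed; a real canary is random per process */

/* Unsafe copy: trusts the input length, like strcpy trusting the input string, so
   bytes past buf walk into canary, SFP and RET. The clamp only keeps this model
   inside the struct; a real strcpy has no such limit. */
static void copy_unchecked(struct frame *f, const char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((char *)f, in, n);
}

/* Hardened copy: the bound is the buffer size, not the input. Returns 0 on
   success, -1 when the input would not fit (reject instead of overflowing). */
static int copy_bounded(struct frame *f, const char *in, size_t n) {
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, in, n);
    return 0;
}

/* 1 if the canary still holds its value (the function may return), 0 if it was
   smashed, the point where __stack_chk_fail would abort the process. */
int canary_intact(const struct frame *f) { return f->canary == CANARY_VALUE; }

/* Push input_len bytes of 'A' (0x41, as on the slides) through one copy routine.
   Returns canary_intact(); *ret_out receives the RET slot afterwards so the caller
   can see whether it was reached. Initial SFP/RET are the values from the deck. */
int simulate_write(size_t input_len, int use_bounded, uint32_t *ret_out) {
    struct frame f = { {0}, CANARY_VALUE, 0xffffd588u, 0x08048486u };
    char input[sizeof f];
    memset(input, 'A', sizeof input);
    if (use_bounded) copy_bounded(&f, input, input_len);
    else copy_unchecked(&f, input, input_len);
    if (ret_out) *ret_out = f.ret;
    return canary_intact(&f);
}

int main(void) {
    uint32_t ret;
    for (size_t n = 16; n <= 28; n += 4) {          /* 16: fits, 20: hits canary, 28: reaches RET */
        int ok = simulate_write(n, 0, &ret);
        printf("%2zu bytes unchecked: canary %s, RET=0x%08x\n", n, ok ? "intact" : "SMASHED", ret);
    }
    printf("20 bytes bounded: canary %s\n", simulate_write(20, 1, &ret) ? "intact" : "SMASHED");
    return 0;
}
```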
31. Return 2 Oriented Programming
ret2libc (1997)
- No code injection needed
- Bypassing the NX protection
Diagram : buffer 0x41414141 | SFP = 0x41414141 | RET = &system, so the return lands in the instructions of libc’s system
32. Return 2 Oriented Programming
ret2plt (2001)
- Call dynamic lib’s function via PLT
- Bypassing the NX protection
Diagram : buffer 0x41414141 | SFP = 0x41414141 | RET = &puts@plt, then &system@plt, …; the Procedure Linkage Table entry system@plt forwards to the instructions of system
33. Return 2 Oriented Programming
Krahmer’s code snippet reuse (2005)
- Code reuse instead of entire libc functions
- Use “gadgets” or “snippets”
- Feels like really doing programming all over again
- “ROP”
Diagram : buffer 0x41414141 | SFP = 0x41414141 | RET = &gadget1, Fake RET, &gadget2; each gadget is a few instructions ending in a ret
34. The evolution of spear and shield
- ASLR : The end of memory war?
- Bypassing ASLR
- And, New Mitigations
- Endgame
35. ASLR : The end of memory war?
Address Space Layout Randomization
- PaX team’s ASLR (2001)
- Randomness in the address space layout of processes
- Strategy?
Per process (Linux)
System-wide per boot (Windows)
- PIC & PIE required
37. Bypassing ASLR
- Brute-force Attack (Low entropy)
Works reasonably well on 32-bit, but is almost impossible on 64-bit
- Information Leak
Find the base address of a specific segment
38. And, New Mitigations
Enhanced Mitigation Experience Toolkit (EMET)
- A security toolkit for MS Windows
- Helps enable and configure Windows security features
- User-level (non-kernel) protection for personal PCs
- Protection against ROP techniques
39. And, New Mitigations
Control Flow Guard (CFG)
- A mitigation supported in Visual Studio 2015
- Adds logic that checks whether the function being called is valid
- If the CFG check fails, the program is forcibly terminated
- Blocks calls to malicious functions or instruction sequences at the source
41. Endgame
But, hackers never die…
- If the stack won’t work, just hit the heap instead?
- Or use other kinds of bugs?
- Heap Spraying, Heap Feng Shui, Type Confusion,
Use-After-Free, and so on…
- There is still plenty left to hit