1 / 23

Framing Signals— A Return to Portable Shellcode

Best Student Paper Award. Framing Signals— A Return to Portable Shellcode. Erik Bosman and Herbert Bos Vrije Universiteit , Amsterdam 35 th Security and Privacy (May, 2014). Outline. Introduction Signal Delivery on UNIX Systems SROP Turing-Complete Interpreter Mitigation.

nida
Download Presentation

Framing Signals— A Return to Portable Shellcode

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Best Student Paper Award Framing Signals—A Return to Portable Shellcode Erik Bosman and Herbert Bos VrijeUniversiteit, Amsterdam 35th Security and Privacy (May, 2014)

  2. Outline • Introduction • Signal Delivery on UNIX Systems • SROP • Turing-Complete Interpreter • Mitigation A Seminar at Advanced Defense Lab

  3. Introduction User Space Kernel Space System Kernel Application System Call, Interrupt Signal A Seminar at Advanced Defense Lab

  4. In This Paper… • While each flavor handles signals in slightly differentways, the different implementationsare all very similar. • We show that the implementation can be used as an attack method in exploits and backdoors. A Seminar at Advanced Defense Lab

  5. Stack Smashing Attacks Stack • But… • W^X (OpenBSD) • Exec Shield (Linux) • DEP (Windows) Return Address Buffer Shellcode A Seminar at Advanced Defense Lab

  6. Code Reuse Attacks Code Stack Return Address Return Address Return Address Buffer A Seminar at Advanced Defense Lab

  7. Ret-to-libc vs. ROP A Seminar at Advanced Defense Lab

  8. Signal Delivery on Early UNIX Systems Code Stack ip sp User Context User Code Signal Handler Signal Frame Signal Parameters Kernel Code Return Address Signal Dispatcher A Seminar at Advanced Defense Lab

  9. UNIX V6 Interrupt Routine A Seminar at Advanced Defense Lab

  10. sigreturn System call (4.3BSD) Code Stack ip sp User Context User Code Signal Handler Invoke sigreturn Signal Parameters Kernel Code Return Address Signal Dispatcher A Seminar at Advanced Defense Lab

  11. A Signal Frame in Linux x86-64 A Seminar at Advanced Defense Lab

  12. SROP Code Stack ip sp User Context User Code Signal Handler Invoke sigreturn Signal Parameters Kernel Code Return Address Signal Dispatcher A Seminar at Advanced Defense Lab

  13. A Seminar at Advanced Defense Lab

  14. A example of sigreturn chain in SROP Stack Code rip: syscall ip ip ip movsigreturn, %rax syscall ret rax: sys_yyynum sp sp sp sp sp Other register: Syscall arguments Ret: sigreturn rip: syscall rax: sys_xxxnum rax Other register: Syscall arguments sigreturn sys_xxx sys_yyy Ret: sigreturn A Seminar at Advanced Defense Lab

  15. SROP Pre-conditions • The attacker should have control over the instruction pointer. • The stack pointer should be located on attacker controlled data and NULL bytes must be allowed. • The attacker knows the address of a piece of data controlled by the attacker. • The attacker knows the location of code calling sigreturn, or syscall. A Seminar at Advanced Defense Lab

  16. Finding a sigreturn Gadget A Seminar at Advanced Defense Lab

  17. Linux x86-64 vsyscall page A Seminar at Advanced Defense Lab

  18. A Linux x86-64 SROP Exploit A Seminar at Advanced Defense Lab

  19. SROP as a Backdoor A Seminar at Advanced Defense Lab

  20. A SROP syscall proxy on iOS A Seminar at Advanced Defense Lab

  21. Turing-Complete Interpreter A Seminar at Advanced Defense Lab

  22. Mitigation • Signal Frame Canaries A Seminar at Advanced Defense Lab

  23. Q & A A Seminar at Advanced Defense Lab

More Related