Download presentation: Nicolas T Courtois — University College London

43f66094651b462bbca35a7ae866849a.ppt

  • Number of slides: 65

Nicolas T. Courtois - University College London

Reading (slide 2). Nicolas T. Courtois, January 2009


Goals of Attackers

Comp. Sec COMPGA 01 (slide 5). Nicolas T. Courtois, December 2009
• Stage 1: Get to run some code (even without privileges).
• Stage 2: Gain admin access, usually by calling other local programs and exploiting their vulnerabilities.


Comp. Sec COMPGA 01 (slide 7)
• crash software (can be DoS)
• crash hardware (e.g. hard drive)
• get some data or side channels
• inject arbitrary code

What’s Wrong?


Vectors of Attack - Inputs


Buffer Overflow


Comp. Sec COMPGA 01 (slide 22)
• C and C++ are particularly dangerous:
  – Fast, therefore used in servers and all critical code (fast data manipulation, crypto and security functions)
  – Allows arbitrary manipulation of pointers (but not outside the virtual 2 Gbyte space allocated by the OS)


Comp. Sec COMPGA 01 (slide 24)
Dangling pointers = pointers that do not point to a valid object in the program. For example, in C you use malloc, realloc and free; after free the pointer is not automatically reset to NULL. Good practice is to reset it manually, every time.
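The slide's advice in working C, as an added example that is not from the lecture deck. The `SAFE_FREE` macro, the `grow_buffer` helper and the `dangling_pointer_demo` function are names chosen for this example; the point is that a freed pointer is reset to NULL immediately, and that `realloc` is called through a temporary so a failed call does not leave the variable pointing at freed or lost memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper for this example: free and reset in one step, so the
   variable never keeps a dangling address. The do/while wrapper makes it
   safe to use as a single statement after if/else. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

/* Grow a heap buffer. Returns 1 on success, 0 on failure.
   Writing `buf = realloc(buf, n)` directly would overwrite buf with NULL on
   failure and lose the original block; a temporary avoids that. */
static int grow_buffer(char **buf, size_t new_size)
{
    char *tmp = realloc(*buf, new_size);
    if (tmp == NULL) {
        return 0;            /* *buf is still valid and still owned by the caller */
    }
    *buf = tmp;              /* the old address may now be stale; only tmp is valid */
    return 1;
}

/* Walks through the allocate / grow / free life cycle and checks that every
   invariant the slide calls for holds. Returns 1 if all checks pass. */
int dangling_pointer_demo(void)
{
    char *buf = malloc(16);
    if (buf == NULL) {
        return 0;
    }
    strcpy(buf, "hello");    /* constructed sample content */

    /* realloc may move the block; after grow_buffer only buf is valid. */
    if (!grow_buffer(&buf, 64) || strcmp(buf, "hello") != 0) {
        SAFE_FREE(buf);
        return 0;
    }

    SAFE_FREE(buf);
    if (buf != NULL) {       /* the pointer must not survive the free */
        return 0;
    }

    /* A second free is now a no-op: free(NULL) is defined to do nothing,
       whereas free() on a stale address would be a double free. */
    SAFE_FREE(buf);

    /* A later "use" is a NULL check, not a read of freed memory. */
    return buf == NULL ? 1 : 0;
}

int main(void)
{
    printf("dangling pointer demo: %s\n", dangling_pointer_demo() ? "ok" : "FAILED");
    return 0;
}
```

Resetting to NULL does not make a program correct, but it turns a silent use-after-free (reading whatever now occupies the old block) into a deterministic NULL dereference that crashes immediately and is easy to find in a debugger or crash report.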


Comp. Sec COMPGA 01 (slide 30), figure: process memory layout. Text segment at 0x08048000; Heap above it, grows toward high memory; Stack grows toward low memory, placed below 0xC0000000; 0x40000000 marked between heap and stack.
• Text: loaded from executable code and read-only data; size fixed at compilation
• Heap: runtime-allocated objects, large (2 GB)
• Stack: LIFO, holds function arguments and local variables, small size (256 KB)

Comp. Sec COMPGA 01, slides 31 to 36 (figures): stack diagrams showing the stack built in this order, increasing addresses, shell code placed on the stack, and a NOP slide.

Comp. Sec COMPGA 01 (slide 37): up to very high, up to 100% (there are stable exploits that never fail and produce consistent results).

What Do Hackers Do?


Can We Fix It?


Comp. Sec COMPGA 01, slides 48 and 49 (figures): stack diagrams with shell code.


END

Comp. Sec COMPGA 01 (slide 57): repeats the process memory layout figure and bullets of slide 30 (Text at 0x08048000; Heap grows toward high memory; Stack grows toward low memory below 0xC0000000).

Comp. Sec COMPGA 01 (slide 58), figure: Text, Heap and Stack; the heap can take most of the 2-4 Gbyte space and grows toward high memory.


Comp. Sec COMPGA 01, slides 61 to 65 (figures): shell code diagrams.