<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>SecDocs Feed for author Mathias Payer</title>
    <link>http://secdocs.lonerunners.net</link>
    <atom:link type="application/rss+xml" href="http://secdocs.lonerunners.net/rss/author/718-mathias-payer" rel="self"/>
    <description>Latest security documents RSS feed for author Mathias Payer</description>
    <language>en-us</language>
    <item>
      <title>[Video] I Control Your Code</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects against the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in the runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed.
We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. &lt;br/&gt;&lt;b&gt;Observable Attack Vectors&lt;/b&gt;&lt;br/&gt;&lt;b&gt;Stack Overflow&lt;/b&gt;: A limited buffer is overflowed with user data and overwrites data on the stack (e.g., the return instruction pointer). &lt;br/&gt;&lt;b&gt;Format String Attack&lt;/b&gt;: An attacker can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. &lt;br/&gt;&lt;b&gt;Return to libc Attack&lt;/b&gt;: This attack prepares multiple stack frames that execute code sequences in libraries. The stack frames can be constructed so that (almost) arbitrary code is executed. &lt;br/&gt;&lt;b&gt;Race Attacks / TOCTTOU&lt;/b&gt;: Time-of-check-to-time-of-use race conditions exploit the fact that an attacker can change values on the stack after they are checked but before they are used in the program or kernel. &lt;br/&gt;&lt;b&gt;Integer Overflow&lt;/b&gt;: Overflows can be triggered by using a negative integer value where an unsigned value is expected. &lt;br/&gt;&lt;b&gt;Heap Overflow&lt;/b&gt;: A heap buffer overflow is used to overwrite function pointers or memory allocator management data to trigger execution of arbitrary code. &lt;br/&gt;&lt;b&gt;Code Anomalies&lt;/b&gt;: x86_64 code is backward compatible with ia32, and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sandboxes that are not aware of all possible combinations of system calls. &lt;br/&gt;The exploits are generally detected whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. &lt;br/&gt;&lt;b&gt;Conclusion&lt;/b&gt;: Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits.
The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. &lt;br/&gt;&lt;b&gt;Related Work&lt;/b&gt;: A detailed discussion of related work is in the paper. The references here are for informational purposes only (to show how this talk was inspired) and are not complete.</description>
      <pubDate>Tue, 24 Apr 2012 06:51:17 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5231-i-control-your-code</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5231-i-control-your-code</guid>
    </item>
    <item>
      <title>[Audio] I Control Your Code</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects against the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in the runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed.
We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. &lt;br/&gt;&lt;b&gt;Observable Attack Vectors&lt;/b&gt;&lt;br/&gt;&lt;b&gt;Stack Overflow&lt;/b&gt;: A limited buffer is overflowed with user data and overwrites data on the stack (e.g., the return instruction pointer). &lt;br/&gt;&lt;b&gt;Format String Attack&lt;/b&gt;: An attacker can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. &lt;br/&gt;&lt;b&gt;Return to libc Attack&lt;/b&gt;: This attack prepares multiple stack frames that execute code sequences in libraries. The stack frames can be constructed so that (almost) arbitrary code is executed. &lt;br/&gt;&lt;b&gt;Race Attacks / TOCTTOU&lt;/b&gt;: Time-of-check-to-time-of-use race conditions exploit the fact that an attacker can change values on the stack after they are checked but before they are used in the program or kernel. &lt;br/&gt;&lt;b&gt;Integer Overflow&lt;/b&gt;: Overflows can be triggered by using a negative integer value where an unsigned value is expected. &lt;br/&gt;&lt;b&gt;Heap Overflow&lt;/b&gt;: A heap buffer overflow is used to overwrite function pointers or memory allocator management data to trigger execution of arbitrary code. &lt;br/&gt;&lt;b&gt;Code Anomalies&lt;/b&gt;: x86_64 code is backward compatible with ia32, and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sandboxes that are not aware of all possible combinations of system calls. &lt;br/&gt;The exploits are generally detected whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. &lt;br/&gt;&lt;b&gt;Conclusion&lt;/b&gt;: Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits.
The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. &lt;br/&gt;&lt;b&gt;Related Work&lt;/b&gt;: A detailed discussion of related work is in the paper. The references here are for informational purposes only (to show how this talk was inspired) and are not complete.</description>
      <pubDate>Mon, 23 Apr 2012 06:50:48 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5225-i-control-your-code</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5225-i-control-your-code</guid>
    </item>
    <item>
      <title>[Paper] I Control Your Code</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects against the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in the runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed.
We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. &lt;br/&gt;&lt;b&gt;Observable Attack Vectors&lt;/b&gt;&lt;br/&gt;&lt;b&gt;Stack Overflow&lt;/b&gt;: A limited buffer is overflowed with user data and overwrites data on the stack (e.g., the return instruction pointer). &lt;br/&gt;&lt;b&gt;Format String Attack&lt;/b&gt;: An attacker can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. &lt;br/&gt;&lt;b&gt;Return to libc Attack&lt;/b&gt;: This attack prepares multiple stack frames that execute code sequences in libraries. The stack frames can be constructed so that (almost) arbitrary code is executed. &lt;br/&gt;&lt;b&gt;Race Attacks / TOCTTOU&lt;/b&gt;: Time-of-check-to-time-of-use race conditions exploit the fact that an attacker can change values on the stack after they are checked but before they are used in the program or kernel. &lt;br/&gt;&lt;b&gt;Integer Overflow&lt;/b&gt;: Overflows can be triggered by using a negative integer value where an unsigned value is expected. &lt;br/&gt;&lt;b&gt;Heap Overflow&lt;/b&gt;: A heap buffer overflow is used to overwrite function pointers or memory allocator management data to trigger execution of arbitrary code. &lt;br/&gt;&lt;b&gt;Code Anomalies&lt;/b&gt;: x86_64 code is backward compatible with ia32, and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sandboxes that are not aware of all possible combinations of system calls. &lt;br/&gt;The exploits are generally detected whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. &lt;br/&gt;&lt;b&gt;Conclusion&lt;/b&gt;: Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits.
The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. &lt;br/&gt;&lt;b&gt;Related Work&lt;/b&gt;: A detailed discussion of related work is in the paper. The references here are for informational purposes only (to show how this talk was inspired) and are not complete.</description>
      <pubDate>Mon, 23 Apr 2012 06:50:48 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5226-i-control-your-code</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5226-i-control-your-code</guid>
    </item>
    <item>
      <title>[Slides] I Control Your Code</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/104-chaos-communication-congress-27th-27c3-2010"&gt;Chaos Communication Congress 27th (27C3) 2010&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects against the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in the runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed.
We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. &lt;br/&gt;&lt;b&gt;Observable Attack Vectors&lt;/b&gt;&lt;br/&gt;&lt;b&gt;Stack Overflow&lt;/b&gt;: A limited buffer is overflowed with user data and overwrites data on the stack (e.g., the return instruction pointer). &lt;br/&gt;&lt;b&gt;Format String Attack&lt;/b&gt;: An attacker can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. &lt;br/&gt;&lt;b&gt;Return to libc Attack&lt;/b&gt;: This attack prepares multiple stack frames that execute code sequences in libraries. The stack frames can be constructed so that (almost) arbitrary code is executed. &lt;br/&gt;&lt;b&gt;Race Attacks / TOCTTOU&lt;/b&gt;: Time-of-check-to-time-of-use race conditions exploit the fact that an attacker can change values on the stack after they are checked but before they are used in the program or kernel. &lt;br/&gt;&lt;b&gt;Integer Overflow&lt;/b&gt;: Overflows can be triggered by using a negative integer value where an unsigned value is expected. &lt;br/&gt;&lt;b&gt;Heap Overflow&lt;/b&gt;: A heap buffer overflow is used to overwrite function pointers or memory allocator management data to trigger execution of arbitrary code. &lt;br/&gt;&lt;b&gt;Code Anomalies&lt;/b&gt;: x86_64 code is backward compatible with ia32, and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sandboxes that are not aware of all possible combinations of system calls. &lt;br/&gt;The exploits are generally detected whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. &lt;br/&gt;&lt;b&gt;Conclusion&lt;/b&gt;: Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits.
The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. &lt;br/&gt;&lt;b&gt;Related Work&lt;/b&gt;: A detailed discussion of related work is in the paper. The references here are for informational purposes only (to show how this talk was inspired) and are not complete.</description>
      <pubDate>Mon, 23 Apr 2012 06:50:48 +0200</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5227-i-control-your-code</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5227-i-control-your-code</guid>
    </item>
    <item>
      <title>[Paper] String Oriented Programming</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/103-chaos-communication-congress-28th-28c3-2011"&gt;Chaos Communication Congress 28th (28C3) 2011&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application containing a format string vulnerability as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.</description>
      <pubDate>Sun, 11 Mar 2012 06:34:46 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5013-string-oriented-programming</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5013-string-oriented-programming</guid>
    </item>
    <item>
      <title>[Slides] String Oriented Programming</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/103-chaos-communication-congress-28th-28c3-2011"&gt;Chaos Communication Congress 28th (28C3) 2011&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application containing a format string vulnerability as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.</description>
      <pubDate>Sun, 11 Mar 2012 06:34:46 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5014-string-oriented-programming</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5014-string-oriented-programming</guid>
    </item>
    <item>
      <title>[Video] String Oriented Programming</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/103-chaos-communication-congress-28th-28c3-2011"&gt;Chaos Communication Congress 28th (28C3) 2011&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application containing a format string vulnerability as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.</description>
      <pubDate>Sun, 11 Mar 2012 06:34:46 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5016-string-oriented-programming</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5016-string-oriented-programming</guid>
    </item>
    <item>
      <title>[Audio] String Oriented Programming</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/83-exploiting"&gt;exploiting&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/103-chaos-communication-congress-28th-28c3-2011"&gt;Chaos Communication Congress 28th (28C3) 2011&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application containing a format string vulnerability as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.</description>
      <pubDate>Sat, 10 Mar 2012 06:47:05 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/5012-string-oriented-programming</link>
      <guid>http://secdocs.lonerunners.net/documents/details/5012-string-oriented-programming</guid>
    </item>
    <item>
      <title>[Video] secuBT</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/1-virtualization"&gt;virtualization&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/5-security"&gt;security&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/86-debugging"&gt;debugging&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/195-malware-analysis"&gt;malware analysis&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/36-chaos-communication-congress-26th-26c3-2009"&gt;Chaos Communication Congress 26th (26C3) 2009&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: In the age of coordinated malware distribution and zero-day exploits, security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator. secuBT implements user-space virtualization using dynamic binary translation and adds a system call interposition framework to limit and guard the interoperability of binary code with the kernel. Fast binary translation is a key component of user-space virtualization. secuBT uses and extends fastBT, a generator for low-overhead, table-based dynamic (just-in-time) binary translators. We discuss the most challenging sources of overhead and propose optimizations to further reduce these penalties. We argue for hardening techniques to ensure that the translated program cannot escape out of the user-space virtualization.
An important feature of secuBT is that only translated code is executed. This ensures code validity and makes it possible to rewrite individual instructions. The system call interposition framework validates every system call and offers the choice to (i) allow it, (ii) abort the program, or (iii) redirect it to a user-space emulation.</description>
      <pubDate>Wed, 10 Feb 2010 06:12:19 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/2023-secubt</link>
      <guid>http://secdocs.lonerunners.net/documents/details/2023-secubt</guid>
    </item>
    <item>
      <title>[Slides] secuBT</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/1-virtualization"&gt;virtualization&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/5-security"&gt;security&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/86-debugging"&gt;debugging&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/195-malware-analysis"&gt;malware analysis&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/36-chaos-communication-congress-26th-26c3-2009"&gt;Chaos Communication Congress 26th (26C3) 2009&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: In the age of coordinated malware distribution and zero-day exploits, security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator. secuBT implements user-space virtualization using dynamic binary translation and adds a system call interposition framework to limit and guard the interoperability of binary code with the kernel. Fast binary translation is a key component of user-space virtualization. secuBT uses and extends fastBT, a generator for low-overhead, table-based dynamic (just-in-time) binary translators. We discuss the most challenging sources of overhead and propose optimizations to further reduce these penalties. We argue for hardening techniques to ensure that the translated program cannot escape out of the user-space virtualization.
An important feature of secuBT is that only translated code is executed. This ensures code validity and makes it possible to rewrite individual instructions. The system call interposition framework validates every system call and offers the choice to (i) allow it, (ii) abort the program, or (iii) redirect it to a user-space emulation.</description>
      <pubDate>Wed, 10 Feb 2010 06:12:17 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/2022-secubt</link>
      <guid>http://secdocs.lonerunners.net/documents/details/2022-secubt</guid>
    </item>
    <item>
      <title>[Paper] secuBT</title>
      <description>&lt;b&gt;Authors&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/authors/details/718-mathias-payer"&gt;Mathias Payer&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Tags&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/tags/details/1-virtualization"&gt;virtualization&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/5-security"&gt;security&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/86-debugging"&gt;debugging&lt;/a&gt; &lt;a href="http://secdocs.lonerunners.net/tags/details/195-malware-analysis"&gt;malware analysis&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Event&lt;/b&gt;: &lt;a href="http://secdocs.lonerunners.net/events/details/36-chaos-communication-congress-26th-26c3-2009"&gt;Chaos Communication Congress 26th (26C3) 2009&lt;/a&gt; &lt;br/&gt;&lt;b&gt;Abstract&lt;/b&gt;: In the age of coordinated malware distribution and zero-day exploits, security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator. secuBT implements user-space virtualization using dynamic binary translation and adds a system call interposition framework to limit and guard the interoperability of binary code with the kernel. Fast binary translation is a key component of user-space virtualization. secuBT uses and extends fastBT, a generator for low-overhead, table-based dynamic (just-in-time) binary translators. We discuss the most challenging sources of overhead and propose optimizations to further reduce these penalties. We argue for hardening techniques to ensure that the translated program cannot escape out of the user-space virtualization.
An important feature of secuBT is that only translated code is executed. This ensures code validity and makes it possible to rewrite individual instructions. The system call interposition framework validates every system call and offers the choice to (i) allow it, (ii) abort the program, or (iii) redirect it to a user-space emulation.</description>
      <pubDate>Wed, 10 Feb 2010 06:12:16 +0100</pubDate>
      <link>http://secdocs.lonerunners.net/documents/details/2021-secubt</link>
      <guid>http://secdocs.lonerunners.net/documents/details/2021-secubt</guid>
    </item>
  </channel>
</rss>

