SlideShare une entreprise Scribd logo

Mr201308 understanding bypassing aslr by a pointer at a fixed address eng

FFRI, Inc.
FFRI, Inc.
Technologie
1  sur  12
Télécharger pour lire hors ligne
FFRI,Inc. 1 Monthly Research Understanding bypassing ASLR by a pointer at a fixed address FFRI,Inc. http://www.ffri.jp Ver 2.00.01
FFRI,Inc. • Security patch published by Microsoft in Aug 2013 • Includes a fix for ALSR bypassing vulnerability(CVE-2013-2556) • This slide is about the detail of the vulnerability and the fix MS13-063 2
FFRI,Inc. • Published in CansecWest2013 – This vulnerability alone does not allow an attacker to exploit an application (need another vulnerability for successful exploit) – This vulnerability allows an attacker to bypass ASLR if another specific kind of vulnerability can be found. A summary of the ASLR bypassing vulnerability(CVE-2013-2556) 3
FFRI,Inc. • This vulnerability was published with a title “DEP/ASLR bypass without ROP/JIT” in CanSecWest2013 by Yang Yu. • Mainly 2 problems – In 32bit Windows, a pointer to KiFastSystemCall is at a fixed address – In a 32bit process on 64bit Windows, a pointer to LdrHotPatchRoutine is at a fixed address Why these pointers at fixed addresses are problem? Can be used to bypass ASLR if there is use-after-free/heap overflow vulnerability which leads overwriting a pointer to a vtable of C++ objects. What is “overwriting a pointer to a vtable” Details of the vulnerability 4
FFRI,Inc. • C++ Object layout in general C++ implementation. • How C++ calls member functions Preliminary knowledge:C++ object layout 5 A pointer to a vtable // Note that member functions are “virtual” class MyClass { public: MyClass(); virtual ~MyClass(); virtual void doWork(); private: int m_myVariable; }; Instantiate m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object // code to call doWork() // ecx has the address of a MyWorker object mov eax,dword ptr [ecx] // eax is the address of the vtable push ecx // argument for the function call(*) call dword ptr [eax+4] // call doWork() (the address is obtained from the vtable) * The first argument for cdecl calling convention is “this” pointer vtable for MyClass class
FFRI,Inc. • What happens if a pointer to a vtable can be rewritten? A problem of rewriting a pointer to a vtable 6 A pointer to a vtable m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object vtable for MyClass class Rewrite here Value in memory 1 Value in memory 2 Somewhere in memory ??? //The exactly same code from the previous slide. //Rewriting a pointer to a vtable results in executing another function mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // argument for the function call call dword ptr [eax+4] // Execute the memory “Value in memory 2” points to
FFRI,Inc. • Rewrite a pointer to a vtable in such a way that KiFastSystemCall is called • KiFastSystemCall is a shared code to call system call in Windows • ASLR is irrelevant in this scenario In case of a pointer to KiFastSystemCall is at a fixed address 7 A pointer to a vtable m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object vtable for MyClass classRewrite with a fixed value by utilizing a vulnerability (use-after-free/heap overflow) Value in memory 1 KiFastSystemCallへのポインタ Fixed address KiFastSystemCall KiFastSystemCall is called. However, calling system call with some arguments as an attacker intends to is difficult. mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // argument for the function call call dword ptr [eax+4] // call KiFastSystemCall
FFRI,Inc. • In 64bit Windows, a pointer KiFastSystemCall does not exist at a fixed address. • But 32bit processes on 64bit Windows have a pointer to LdrHotPatchRoutine at a fixed address. • LdrHotPatchRoutine internally loads a DLL which is specified via its argument. • A pointer to LdrHotPatchRoutine resides in SharedUserData in 32bit processes on 64bit Windows • SharedUserData is at a fixed address(0x7ffe0000) Overwrite C++ object in such a way that the vtable includes a pointer to LdrHotPatchRoutine. DLL can be loaded. Using LdrHotPatchRoutine 8 … … 0x7ffe0000 (fixed address) SharedUserData A pointer to LdrHotPatchRoutine LdrHotPatchRoutine struct HotPatchBuffer{ … USHORT PatcherNameOffset; // An offset to a DLL name to load USHORT PatcherNameLen; // The length of the DLL … }; void LdrHotPatchRoutine( struct *HotPatchBuffer);
FFRI,Inc. • Rewrite a pointer to a vtable in such a way as calling LdrHotPatchRoutine In case of a pointer to LdrHotPatchRoutine is at a fixed address 9 A pointer to a vtable A pointe to ~MyClass() A pointer to doWork() MyClass object mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // pass the object address as an argument call dword ptr [eax+4] // call LdrHotPatchRoutine A vtable for MyClass classRewrite here by utilizing a vulnerability Value in memory 1 A pointer to LdrHotPatchRoutine Fixed address LdrHotPatchRoutine • LdrHotPatchRoutine is called. • Constructing an argument to LdrHotPatchRoutine (with a DLL name such as ¥¥192.168.1.100¥foo.dll) will results in loading a DLL on a server. • Note that the object can be overwritten with arbitrary data when an attacker overwrites a pointer to a vtable Construct here as a HotPatchBuffer structure
FFRI,Inc. • MS13-063 fixes the vulnerability in such a way that a pointer to LdrHotPatchRoutine is not at a fixed address. – Eliminate a function table in SharedUserData – Move the function table to a data section in ntdll.dll and export it as LdrSystemDllInitBlock • ASLR is enabled on ntdll.dll and it makes the address of the function table not fixed. Can not bypass ASLR to load a DLL by utilizing LdrHotPatchRoutine The fix in MS13-063 10 A pointer to LdrHotPatchRoutine Randomized
FFRI,Inc. References • http://technet.microsoft.com/ja-jp/security/bulletin/ms13- 063 • http://cansecwest.com/slides/2013/DEP- ASLR%20bypass%20without%20ROP-JIT.pdf • http://blogs.technet.com/b/srd/archive/2013/08/12/mitigatin g-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13- 063.aspx • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2013-2556 11
FFRI,Inc. Contact Information E-Mail : research-feedback@ffri.jp Twitter: @FFRI_Research 12

Recommandé

Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
Computer Science Homework Help
Computer Science Homework HelpComputer Science Homework Help
Computer Science Homework HelpProgramming Homework Help
 
Computer Science Assignment Help
Computer Science Assignment HelpComputer Science Assignment Help
Computer Science Assignment HelpProgramming Homework Help
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering QuizProgramming Homework Help
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment HelpProgramming Homework Help
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Programming Assignment Help
Programming Assignment HelpProgramming Assignment Help
Programming Assignment HelpProgramming Homework Help
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Shuo Chen
 

Recommandé

Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
Computer Science Homework Help
Computer Science Homework HelpComputer Science Homework Help
Computer Science Homework HelpProgramming Homework Help
 
Computer Science Assignment Help
Computer Science Assignment HelpComputer Science Assignment Help
Computer Science Assignment HelpProgramming Homework Help
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering QuizProgramming Homework Help
 
Operating System Assignment Help
Operating System Assignment HelpOperating System Assignment Help
Operating System Assignment HelpProgramming Homework Help
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Programming Assignment Help
Programming Assignment HelpProgramming Assignment Help
Programming Assignment HelpProgramming Homework Help
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Shuo Chen
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
The Unicorn Getting Interested in KDE
The Unicorn Getting Interested in KDEThe Unicorn Getting Interested in KDE
The Unicorn Getting Interested in KDEAndrey Karpov
 
Coding for multiple cores
Coding for multiple coresCoding for multiple cores
Coding for multiple coresLee Hanxue
 
Interpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratchInterpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratchNational Cheng Kung University
 
Lockless Programming GDC 09
Lockless Programming GDC 09Lockless Programming GDC 09
Lockless Programming GDC 09Lee Hanxue
 
FreeRTOS Course - Queue Management
FreeRTOS Course - Queue ManagementFreeRTOS Course - Queue Management
FreeRTOS Course - Queue ManagementAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
Embedded Rust on IoT devices
Embedded Rust on IoT devicesEmbedded Rust on IoT devices
Embedded Rust on IoT devicesLars Gregori
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
FreeRTOS Xilinx Vivado: Hello World!
FreeRTOS Xilinx Vivado: Hello World!FreeRTOS Xilinx Vivado: Hello World!
FreeRTOS Xilinx Vivado: Hello World!Vincent Claes
 
P threads
P threadsP threads
P threadsDr. C.V. Suresh Babu
 
Embedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesEmbedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesLars Gregori
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
FreeRTOS
FreeRTOSFreeRTOS
FreeRTOSAnkita Tiwari
 
Virtual machine re building
Virtual machine re buildingVirtual machine re building
Virtual machine re buildingMartin Dominguez Alvarez
 
S emb t13-freertos
S emb t13-freertosS emb t13-freertos
S emb t13-freertosJoão Moreira
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsEdgar Barbosa
 
Ricon/West 2013: Adventures with Riak Pipe
Ricon/West 2013: Adventures with Riak PipeRicon/West 2013: Adventures with Riak Pipe
Ricon/West 2013: Adventures with Riak PipeSusan Potter
 
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...Alexey Smirnov
 
Free FreeRTOS Course-Task Management
Free FreeRTOS Course-Task ManagementFree FreeRTOS Course-Task Management
Free FreeRTOS Course-Task ManagementAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017Andrey Karpov
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksVadym Muliavka
 

Contenu connexe

Tendances

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
The Unicorn Getting Interested in KDE
The Unicorn Getting Interested in KDEThe Unicorn Getting Interested in KDE
The Unicorn Getting Interested in KDEAndrey Karpov
 
Coding for multiple cores
Coding for multiple coresCoding for multiple cores
Coding for multiple coresLee Hanxue
 
Lockless Programming GDC 09
Lockless Programming GDC 09Lockless Programming GDC 09
Lockless Programming GDC 09Lee Hanxue
 
Embedded Rust on IoT devices
Embedded Rust on IoT devicesEmbedded Rust on IoT devices
Embedded Rust on IoT devicesLars Gregori
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
FreeRTOS Xilinx Vivado: Hello World!
FreeRTOS Xilinx Vivado: Hello World!FreeRTOS Xilinx Vivado: Hello World!
FreeRTOS Xilinx Vivado: Hello World!Vincent Claes
 
Embedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesEmbedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesLars Gregori
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsEdgar Barbosa
 
Ricon/West 2013: Adventures with Riak Pipe
Ricon/West 2013: Adventures with Riak PipeRicon/West 2013: Adventures with Riak Pipe
Ricon/West 2013: Adventures with Riak PipeSusan Potter
 
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...Alexey Smirnov
 

Tendances (20)

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
 
The Unicorn Getting Interested in KDE
The Unicorn Getting Interested in KDEThe Unicorn Getting Interested in KDE
The Unicorn Getting Interested in KDE
 
Coding for multiple cores
Coding for multiple coresCoding for multiple cores
Coding for multiple cores
 
Interpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratchInterpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratch
 
Lockless Programming GDC 09
Lockless Programming GDC 09Lockless Programming GDC 09
Lockless Programming GDC 09
 
FreeRTOS Course - Queue Management
FreeRTOS Course - Queue ManagementFreeRTOS Course - Queue Management
FreeRTOS Course - Queue Management
 
Embedded Rust on IoT devices
Embedded Rust on IoT devicesEmbedded Rust on IoT devices
Embedded Rust on IoT devices
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
FreeRTOS Xilinx Vivado: Hello World!
FreeRTOS Xilinx Vivado: Hello World!FreeRTOS Xilinx Vivado: Hello World!
FreeRTOS Xilinx Vivado: Hello World!
 
P threads
P threadsP threads
P threads
 
Embedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devicesEmbedded Rust – Rust on IoT devices
Embedded Rust – Rust on IoT devices
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
 
FreeRTOS
FreeRTOSFreeRTOS
FreeRTOS
 
Virtual machine re building
Virtual machine re buildingVirtual machine re building
Virtual machine re building
 
S emb t13-freertos
S emb t13-freertosS emb t13-freertos
S emb t13-freertos
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkits
 
Ricon/West 2013: Adventures with Riak Pipe
Ricon/West 2013: Adventures with Riak PipeRicon/West 2013: Adventures with Riak Pipe
Ricon/West 2013: Adventures with Riak Pipe
 
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
FORECAST: Fast Generation of Accurate Context-Aware Signatures of Control-Hij...
 
Free FreeRTOS Course-Task Management
Free FreeRTOS Course-Task ManagementFree FreeRTOS Course-Task Management
Free FreeRTOS Course-Task Management
 

Similaire à Mr201308 understanding bypassing aslr by a pointer at a fixed address eng

PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017Andrey Karpov
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksVadym Muliavka
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteJeremy Haung
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
 
ESET’s guide to deobfuscating and devirtualizing FinFisher
ESET’s guide to deobfuscating and devirtualizing FinFisherESET’s guide to deobfuscating and devirtualizing FinFisher
ESET’s guide to deobfuscating and devirtualizing FinFisherESET Middle East
 
C++ Interview Question And Answer
C++ Interview Question And AnswerC++ Interview Question And Answer
C++ Interview Question And AnswerJagan Mohan Bishoyi
 
C++ questions And Answer
C++ questions And AnswerC++ questions And Answer
C++ questions And Answerlavparmar007
 
Go Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
Go Reactive: Event-Driven, Scalable, Resilient & Responsive SystemsGo Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
Go Reactive: Event-Driven, Scalable, Resilient & Responsive SystemsJonas Bonér
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
A Collection of Examples of 64-bit Errors in Real Programs
A Collection of Examples of 64-bit Errors in Real ProgramsA Collection of Examples of 64-bit Errors in Real Programs
A Collection of Examples of 64-bit Errors in Real ProgramsAndrey Karpov
 
A fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBoxA fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBoxPVS-Studio
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareCylance
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
1183 c-interview-questions-and-answers
1183 c-interview-questions-and-answers1183 c-interview-questions-and-answers
1183 c-interview-questions-and-answersAkash Gawali
 
DEF CON 23 - Tamas Szakaly - shall we play a game
DEF CON 23 - Tamas Szakaly - shall we play a gameDEF CON 23 - Tamas Szakaly - shall we play a game
DEF CON 23 - Tamas Szakaly - shall we play a gameFelipe Prado
 
Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2ukdpe
 

Similaire à Mr201308 understanding bypassing aslr by a pointer at a fixed address eng (20)

PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
 
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT TalksMykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
 
ESET’s guide to deobfuscating and devirtualizing FinFisher
ESET’s guide to deobfuscating and devirtualizing FinFisherESET’s guide to deobfuscating and devirtualizing FinFisher
ESET’s guide to deobfuscating and devirtualizing FinFisher
 
C++ Interview Question And Answer
C++ Interview Question And AnswerC++ Interview Question And Answer
C++ Interview Question And Answer
 
C++ questions And Answer
C++ questions And AnswerC++ questions And Answer
C++ questions And Answer
 
Go Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
Go Reactive: Event-Driven, Scalable, Resilient & Responsive SystemsGo Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
Go Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
A Collection of Examples of 64-bit Errors in Real Programs
A Collection of Examples of 64-bit Errors in Real ProgramsA Collection of Examples of 64-bit Errors in Real Programs
A Collection of Examples of 64-bit Errors in Real Programs
 
64-bit Loki
64-bit Loki64-bit Loki
64-bit Loki
 
A fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBoxA fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBox
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security Software
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
1183 c-interview-questions-and-answers
1183 c-interview-questions-and-answers1183 c-interview-questions-and-answers
1183 c-interview-questions-and-answers
 
DEF CON 23 - Tamas Szakaly - shall we play a game
DEF CON 23 - Tamas Szakaly - shall we play a gameDEF CON 23 - Tamas Szakaly - shall we play a game
DEF CON 23 - Tamas Szakaly - shall we play a game
 
Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2
 

Plus de FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 

Plus de FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Dernier

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Dernier (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Mr201308 understanding bypassing aslr by a pointer at a fixed address eng

  • 1. FFRI,Inc. 1 Monthly Research Understanding bypassing ASLR by a pointer at a fixed address FFRI,Inc. http://www.ffri.jp Ver 2.00.01
  • 2. FFRI,Inc. • Security patch published by Microsoft in Aug 2013 • Includes a fix for ALSR bypassing vulnerability(CVE-2013-2556) • This slide is about the detail of the vulnerability and the fix MS13-063 2
  • 3. FFRI,Inc. • Published in CansecWest2013 – This vulnerability alone does not allow an attacker to exploit an application (need another vulnerability for successful exploit) – This vulnerability allows an attacker to bypass ASLR if another specific kind of vulnerability can be found. A summary of the ASLR bypassing vulnerability(CVE-2013-2556) 3
  • 4. FFRI,Inc. • This vulnerability was published with a title “DEP/ASLR bypass without ROP/JIT” in CanSecWest2013 by Yang Yu. • Mainly 2 problems – In 32bit Windows, a pointer to KiFastSystemCall is at a fixed address – In a 32bit process on 64bit Windows, a pointer to LdrHotPatchRoutine is at a fixed address Why these pointers at fixed addresses are problem? Can be used to bypass ASLR if there is use-after-free/heap overflow vulnerability which leads overwriting a pointer to a vtable of C++ objects. What is “overwriting a pointer to a vtable” Details of the vulnerability 4
  • 5. FFRI,Inc. • C++ Object layout in general C++ implementation. • How C++ calls member functions Preliminary knowledge:C++ object layout 5 A pointer to a vtable // Note that member functions are “virtual” class MyClass { public: MyClass(); virtual ~MyClass(); virtual void doWork(); private: int m_myVariable; }; Instantiate m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object // code to call doWork() // ecx has the address of a MyWorker object mov eax,dword ptr [ecx] // eax is the address of the vtable push ecx // argument for the function call(*) call dword ptr [eax+4] // call doWork() (the address is obtained from the vtable) * The first argument for cdecl calling convention is “this” pointer vtable for MyClass class
  • 6. FFRI,Inc. • What happens if a pointer to a vtable can be rewritten? A problem of rewriting a pointer to a vtable 6 A pointer to a vtable m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object vtable for MyClass class Rewrite here Value in memory 1 Value in memory 2 Somewhere in memory ??? //The exactly same code from the previous slide. //Rewriting a pointer to a vtable results in executing another function mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // argument for the function call call dword ptr [eax+4] // Execute the memory “Value in memory 2” points to
  • 7. FFRI,Inc. • Rewrite a pointer to a vtable in such a way that KiFastSystemCall is called • KiFastSystemCall is a shared code to call system call in Windows • ASLR is irrelevant in this scenario In case of a pointer to KiFastSystemCall is at a fixed address 7 A pointer to a vtable m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object vtable for MyClass classRewrite with a fixed value by utilizing a vulnerability (use-after-free/heap overflow) Value in memory 1 KiFastSystemCallへのポインタ Fixed address KiFastSystemCall KiFastSystemCall is called. However, calling system call with some arguments as an attacker intends to is difficult. mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // argument for the function call call dword ptr [eax+4] // call KiFastSystemCall
  • 8. FFRI,Inc. • In 64bit Windows, a pointer KiFastSystemCall does not exist at a fixed address. • But 32bit processes on 64bit Windows have a pointer to LdrHotPatchRoutine at a fixed address. • LdrHotPatchRoutine internally loads a DLL which is specified via its argument. • A pointer to LdrHotPatchRoutine resides in SharedUserData in 32bit processes on 64bit Windows • SharedUserData is at a fixed address(0x7ffe0000) Overwrite C++ object in such a way that the vtable includes a pointer to LdrHotPatchRoutine. DLL can be loaded. Using LdrHotPatchRoutine 8 … … 0x7ffe0000 (fixed address) SharedUserData A pointer to LdrHotPatchRoutine LdrHotPatchRoutine struct HotPatchBuffer{ … USHORT PatcherNameOffset; // An offset to a DLL name to load USHORT PatcherNameLen; // The length of the DLL … }; void LdrHotPatchRoutine( struct *HotPatchBuffer);
  • 9. FFRI,Inc. • Rewrite a pointer to a vtable in such a way as calling LdrHotPatchRoutine In case of a pointer to LdrHotPatchRoutine is at a fixed address 9 A pointer to a vtable A pointe to ~MyClass() A pointer to doWork() MyClass object mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // pass the object address as an argument call dword ptr [eax+4] // call LdrHotPatchRoutine A vtable for MyClass classRewrite here by utilizing a vulnerability Value in memory 1 A pointer to LdrHotPatchRoutine Fixed address LdrHotPatchRoutine • LdrHotPatchRoutine is called. • Constructing an argument to LdrHotPatchRoutine (with a DLL name such as ¥¥192.168.1.100¥foo.dll) will results in loading a DLL on a server. • Note that the object can be overwritten with arbitrary data when an attacker overwrites a pointer to a vtable Construct here as a HotPatchBuffer structure
  • 10. FFRI,Inc. • MS13-063 fixes the vulnerability in such a way that a pointer to LdrHotPatchRoutine is not at a fixed address. – Eliminate a function table in SharedUserData – Move the function table to a data section in ntdll.dll and export it as LdrSystemDllInitBlock • ASLR is enabled on ntdll.dll and it makes the address of the function table not fixed. Can not bypass ASLR to load a DLL by utilizing LdrHotPatchRoutine The fix in MS13-063 10 A pointer to LdrHotPatchRoutine Randomized
  • 11. FFRI,Inc. References • http://technet.microsoft.com/ja-jp/security/bulletin/ms13- 063 • http://cansecwest.com/slides/2013/DEP- ASLR%20bypass%20without%20ROP-JIT.pdf • http://blogs.technet.com/b/srd/archive/2013/08/12/mitigatin g-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13- 063.aspx • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2013-2556 11
  • 12. FFRI,Inc. Contact Information E-Mail : research-feedback@ffri.jp Twitter: @FFRI_Research 12