L’approche Lazart
/* Remaining failed PIN attempts (starts at 3). verify() decrements it on a
 * mismatching byte and resets it to MAX_TRIES on a full match; MAX_TRIES is
 * not defined in this listing. NOTE(review): verify() refuses to compare only
 * once this counter is negative, so an initial value of 3 actually admits
 * four failed attempts (3 -> 2 -> 1 -> 0 -> -1) before the PIN is blocked. */
int triesLeft = 3;

/*
 * Compare `len` bytes of `buffer`, starting at offset `ofs`, with the global
 * `pin`. Reads/writes the globals triesLeft and authenticated; `pin`,
 * `authenticated` and MAX_TRIES are declared outside this listing.
 *
 * Returns EXIT_SUCCESS on a full match (authenticated = 1, triesLeft reset to
 * MAX_TRIES) and EXIT_FAILURE either when the PIN is already blocked or on
 * the first mismatching byte (authenticated = 0, triesLeft decremented).
 * The //bbN labels name the basic blocks of the CFG printed next to the code.
 *
 * NOTE(review): this is the fault-injection target studied in the deck, so
 * its weaknesses are deliberately left in place. A production implementation
 * should (1) consume the attempt *before* comparing, so that a fault skipping
 * the decrement or the return does not grant a free try, (2) compare every
 * byte in constant time instead of returning at the first mismatch, and
 * (3) bound `ofs`/`len` against the sizes of `buffer` and `pin`, which are
 * not checked here.
 */
int verify(char buffer[], int ofs, int len) {

    int i;

    /* No comparison if PIN is blocked */
    /* The guard fires only once the counter is negative: starting from 3 and
     * decrementing once per mismatch, four failed attempts are accepted before
     * this return is taken. A NOP on this return lets a blocked PIN reach the
     * comparison loop below (the next listing shows it as `null;`). */
    if (triesLeft < 0)
        return EXIT_FAILURE;
    //bb1
    /* Main Comparison */
    for (i = 0; i < len; i++) { //bb5
        /* Early exit on the first mismatching byte: the number of bytes
         * compared depends on the guess, and the decrement is only reached
         * after the mismatch has been detected. */
        if(buffer[ofs + i] != pin[i]) { //bb2
            triesLeft--;
            authenticated = 0;
            return EXIT_FAILURE;
        }
    }

    /* Comparison is successful */
    triesLeft = MAX_TRIES;
    authenticated = 1;
    return EXIT_SUCCESS;
}
CFG for 'verify' function
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return
bb2:
T F
SUCCESS
FAILURE bb4:
L’approche Lazart
/* Remaining failed PIN attempts (starts at 3). verify() decrements it on a
 * mismatching byte and resets it to MAX_TRIES (defined elsewhere) on a full
 * match. NOTE(review): the guard in verify() blocks only when this is
 * negative, so four failed attempts are admitted before blocking. */
int triesLeft = 3;

/*
 * Same verify() as on the previous slide, with one difference: the
 * `return EXIT_FAILURE;` of the blocked-PIN guard is shown as `null;`.
 * This is presumably the source-level view of that return being replaced by
 * a NOP (the attack the deck studies) rather than compilable C: `null` is not
 * declared, and as written the `if` now guards an empty statement, so a
 * blocked PIN (triesLeft < 0) falls straight through to the comparison loop
 * and can still be authenticated.
 *
 * Globals: triesLeft and authenticated are written; `pin`, `authenticated`
 * and MAX_TRIES are declared outside this listing.
 */
int verify(char buffer[], int ofs, int len) {

    int i;

    /* No comparison if PIN is blocked */
    /* NOTE(review): the guard no longer exits - compare with the `return
     * EXIT_FAILURE;` of the unfaulted listing. */
    if (triesLeft < 0)
        null;

    /* Main Comparison */
    for (i = 0; i < len; i++) {
        /* Early exit on the first mismatching byte; the counter is only
         * decremented after the mismatch has been detected. */
        if(buffer[ofs + i] != pin[i]) {
            triesLeft--;
            authenticated = 0;
            return EXIT_FAILURE;
        }
    }

    /* Comparison is successful */
    triesLeft = MAX_TRIES;
    authenticated = 1;
    return EXIT_SUCCESS;
}
CFG for 'verify' function
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return:
bb2:
T F
SUCCESS
FAILURE bb4:
Plan
1 Principe d’une attaque
2 L’approche Lazart
3 Modèle d’attaque
4 Les attaques de type JUMP ← NOP
5 Noppy
6 Exemple : verify
Modèle d’attaque
On considère l’attaquant capable :
d’injecter l’opcode NOP de l’architecture cible (0x00 sur 8051, ARM et MIPS, mais 0x90 sur x86 — voir le tableau ci-dessous)
sur plusieurs octets consécutifs
de façon exacte (à l’octet près)
de réaliser plusieurs injections durant la même exécution
CPU Architecture OPCODE SIZE (Byte)
Intel x86 0x90 1
Intel 8051 0x00 1
ARM 0x00000000 4
MIPS 0x00000000 4
PIC 0b000000000000 1,5
Plan
1 Principe d’une attaque
2 L’approche Lazart
3 Modèle d’attaque
4 Les attaques de type JUMP ← NOP
5 Noppy
6 Exemple : verify
Structures algorithmiques concernées
if|elsif|else
while - for
return
call
switch
Conséquences d’un NOP sur le CFG
; Reference code generated for an if|else (the CFG beside it has the entry,
; if, else and endif nodes). Its two jumps - the conditional JNE and the
; unconditional BRA - are the instructions the NOP injections of the next two
; slides replace.
if:
    CMP i, $0        ; condition test
    JNE else         ; i != 0: skip the if body
    [...]            ; if-body instructions
    BRA endif        ; skip the else body
else:
    [...]            ; else-body instructions
endif:
    [...]
CFG d'une structure if|else
entry
T F
if else
endif
return
Conséquences d’un NOP sur le CFG
; Same if|else with the conditional jump (JNE else) replaced by a NOP: the
; comparison result is no longer consulted, the if body always executes, and
; BRA endif then skips the else body, which becomes unreachable. The CFG edge
; entry -> else is effectively removed.
if:
    CMP i, $0        ; condition test (result now unused)
    NOP              ; NOP INJECTED HERE (was: JNE else)
    [...]            ; if-body instructions, now executed unconditionally
    BRA endif        ; still skips the else body
else:
    [...]            ; else-body instructions: dead code after the injection
endif:
    [...]
CFG d'une structure if|else
entry
T F
if else
endif
return
Conséquences d’un NOP sur le CFG
; Same if|else with the unconditional jump (BRA endif) replaced by a NOP:
; when the condition holds, execution runs the if body and then falls through
; into the else body, so both branches execute in a single pass. This adds an
; if -> else edge to the CFG - the fall-through edge Noppy inserts.
if:
    CMP i, $0        ; condition test
    JNE else         ; i != 0: skip the if body
    [...]            ; if-body instructions
    NOP              ; NOP INJECTED HERE (was: BRA endif) - falls through
else:
    [...]            ; else-body instructions, now also reached from the if body
endif:
    [...]
CFG d'une structure if|else
entry
T F
if else
endif
return
Plan
1 Principe d’une attaque
2 L’approche Lazart
3 Modèle d’attaque
4 Les attaques de type JUMP ← NOP
5 Noppy
6 Exemple : verify
Noppy - algorithme
/* Noppy: for every branching node of the flow graph, add the fall-through
 * edge that a NOP on the jump separating two consecutive successor blocks
 * would create (end of the first block -> start of the second block).
 * Original French identifiers and keywords are kept. */
G = (V,E): graphe de flot

Pour tout N in V tel que N a au moins deux fils faire:
    /* Handle each pair of consecutive successors */
    Pour i allant de 1 a (N.nombreDeFils() - 1) faire :
        /* Find the junction (meeting) point of the two successors */
        PointDeRencontre = TrouverPointdeRencontre(N.fils[i], N.fils[i+1]);
        si (PointDeRencontre == N) :
            /* If the meeting point is the fork point itself,
               we are on a loop structure */
            N1 = NoeudPere(N.fils[i], N);
            N2 = N.fils[i+1];
        /* NOTE(review): the two assignments above are overwritten below before
           being used; the non-loop branch (`sinon`) of the test seems to be
           missing, so the two cases were probably merged by the extraction. */
        /* Take the last node of the first block */
        N1 = PointDeRencontre.pereGauche();
        /* The first node of the second block */
        N2 = N.fils[i+1];
        /* And link them */
        E.ajouterArc(N1,N2);
    fin faire
fin faire
Plan
1 Principe d’une attaque
2 L’approche Lazart
3 Modèle d’attaque
4 Les attaques de type JUMP ← NOP
5 Noppy
6 Exemple : verify
verify - Code et CFG
/* Remaining failed PIN attempts (starts at 3). verify() decrements it on a
 * mismatching byte and resets it to MAX_TRIES (defined elsewhere) on a full
 * match. NOTE(review): the guard in verify() blocks only when this is
 * negative, so four failed attempts are admitted before blocking. */
int triesLeft = 3;

/*
 * Compare `len` bytes of `buffer`, starting at offset `ofs`, with the global
 * `pin`. Reads/writes the globals triesLeft and authenticated; `pin`,
 * `authenticated` and MAX_TRIES are declared outside this listing.
 *
 * Returns EXIT_SUCCESS on a full match (authenticated = 1, triesLeft reset to
 * MAX_TRIES) and EXIT_FAILURE either when the PIN is already blocked or on
 * the first mismatching byte (authenticated = 0, triesLeft decremented).
 *
 * NOTE(review): this is the fault-injection target analysed by Noppy, so its
 * weaknesses are deliberately left in place: the attempt is consumed only
 * after the mismatch is detected (a fault skipping the decrement or the
 * return grants a free try), the comparison stops at the first wrong byte
 * (not constant time), and `ofs`/`len` are never bounded against the sizes
 * of `buffer` and `pin`.
 */
int verify(char buffer[], int ofs, int len) {

    int i;

    /* No comparison if PIN is blocked */
    /* Fires only once the counter is negative: from an initial 3, four
     * failed attempts are accepted before this return is taken. */
    if (triesLeft < 0)
        return EXIT_FAILURE;

    /* Main Comparison */
    for (i = 0; i < len; i++) {
        /* Early exit on the first mismatching byte; the decrement below is
         * reached only after the mismatch has been detected. */
        if(buffer[ofs + i] != pin[i]) {
            triesLeft--;
            authenticated = 0;
            return EXIT_FAILURE;
        }
    }

    /* Comparison is successful */
    triesLeft = MAX_TRIES;
    authenticated = 1;
    return EXIT_SUCCESS;
}
CFG for 'verify' function
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return
bb2:
T F
SUCCESS
FAILURE bb4:
verify - Code et CFG
/* Remaining failed PIN attempts (starts at 3). verify() decrements it on a
 * mismatching byte and resets it to MAX_TRIES (defined elsewhere) on a full
 * match. NOTE(review): the guard in verify() blocks only when this is
 * negative, so four failed attempts are admitted before blocking. */
int triesLeft = 3;

/*
 * Compare `len` bytes of `buffer`, starting at offset `ofs`, with the global
 * `pin`. Reads/writes the globals triesLeft and authenticated; `pin`,
 * `authenticated` and MAX_TRIES are declared outside this listing.
 *
 * Returns EXIT_SUCCESS on a full match (authenticated = 1, triesLeft reset to
 * MAX_TRIES) and EXIT_FAILURE either when the PIN is already blocked or on
 * the first mismatching byte (authenticated = 0, triesLeft decremented).
 *
 * The CFG printed beside this listing is the one *after* Noppy, i.e. with
 * the fall-through edges a NOP on each jump would add. Each of this
 * function's early returns is such a jump: NOP-ing the blocked-PIN return
 * lets a blocked PIN reach the comparison, NOP-ing the mismatch return
 * reaches the success block with a wrong PIN.
 *
 * NOTE(review): weaknesses left in place on purpose (attack target): the
 * attempt is consumed only after the mismatch is detected, the comparison
 * stops at the first wrong byte, and `ofs`/`len` are unbounded.
 */
int verify(char buffer[], int ofs, int len) {

    int i;

    /* No comparison if PIN is blocked */
    /* Fires only once the counter is negative: from an initial 3, four
     * failed attempts are accepted before this return is taken. */
    if (triesLeft < 0)
        return EXIT_FAILURE;

    /* Main Comparison */
    for (i = 0; i < len; i++) {
        /* Early exit on the first mismatching byte; the decrement below is
         * reached only after the mismatch has been detected. */
        if(buffer[ofs + i] != pin[i]) {
            triesLeft--;
            authenticated = 0;
            return EXIT_FAILURE;
        }
    }

    /* Comparison is successful */
    triesLeft = MAX_TRIES;
    authenticated = 1;
    return EXIT_SUCCESS;
}
CFG for 'verify' function after Noppy
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return
bb2:
T F
SUCCESS
FAILURE bb4:
verify
/* Remaining failed PIN attempts (starts at 3). verify() decrements it on a
 * mismatching byte and resets it to MAX_TRIES (defined elsewhere) on a full
 * match. NOTE(review): the guard in verify() blocks only when this is
 * negative, so four failed attempts are admitted before blocking. */
int triesLeft = 3;

/*
 * Compare `len` bytes of `buffer`, starting at offset `ofs`, with the global
 * `pin`. Reads/writes the globals triesLeft and authenticated; `pin`,
 * `authenticated` and MAX_TRIES are declared outside this listing.
 *
 * Returns EXIT_SUCCESS on a full match (authenticated = 1, triesLeft reset to
 * MAX_TRIES) and EXIT_FAILURE either when the PIN is already blocked or on
 * the first mismatching byte (authenticated = 0, triesLeft decremented).
 *
 * NOTE(review): this is the fault-injection target whose post-Noppy CFG is
 * shown beside the code, so its weaknesses are deliberately left in place.
 * A hardened version would consume the attempt before comparing, compare all
 * bytes in constant time, and bound `ofs`/`len` against the sizes of
 * `buffer` and `pin`.
 */
int verify(char buffer[], int ofs, int len) {

    int i;

    /* No comparison if PIN is blocked */
    /* Fires only once the counter is negative: from an initial 3, four
     * failed attempts are accepted before this return is taken. */
    if (triesLeft < 0)
        return EXIT_FAILURE;

    /* Main Comparison */
    for (i = 0; i < len; i++) {
        /* Early exit on the first mismatching byte; the decrement below is
         * reached only after the mismatch has been detected. */
        if(buffer[ofs + i] != pin[i]) {
            triesLeft--;
            authenticated = 0;
            return EXIT_FAILURE;
        }
    }

    /* Comparison is successful */
    triesLeft = MAX_TRIES;
    authenticated = 1;
    return EXIT_SUCCESS;
}
CFG for 'verify' function after Noppy
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return:
bb2:
T F
SUCCESS
FAILURE bb4:
verify
CFG for 'verify' function
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return:
bb2:
T F
SUCCESS
FAILURE bb4:
CFG for 'verify' function after Noppy
entry:
triesLeft < 0?
T F
FAILURE
bb1
bb7
bb5:
T F
return:
bb2:
T F
SUCCESS
FAILURE bb4:
Conclusion
Travail réalisé :
Étude théorique sur les NOP
Noppy
Perspectives :
Compléter Noppy
Prendre en compte différents schémas de compilation
Ce que j’ai appris :
llvm, Klee, dot, ...
Travail de recherche