SlideShare une entreprise Scribd logo

Software Vulnerability Detection and Prevention

F
fg.informatik Universität Basel

This document discusses software vulnerabilities and exploits. It begins with an introduction to remote code execution and provides legal aspects of data interception for Germany and Switzerland. It then discusses the goals of preventing teaching how to write malware or hack systems illegally. The document covers basics of function calls, stack smashing vulnerabilities, and how to redirect program flow to injected shellcode through buffer overflows. It provides examples of finding vulnerabilities using debuggers and generating exploits in Python to execute shellcode by overwriting return addresses. Methods discussed include placing shellcode in registers or on the stack and dealing with gaps between the stack pointer and shellcode.

IngénierieTechnologie
1  sur  52
Télécharger pour lire hors ligne
Software Vulnerability INTRODUCTION IN SOFTWARE EXPLOITING
What does Remote code executing mean?
Legal Aspects (for Germany) • § 202b Abfangen von Daten • Wer unbefugt sich oder einem anderen unter Anwendung von technischen Mitteln nicht für ihn bestimmte Daten (§ 202a Abs. 2) aus einer nichtöffentlichen Datenübermittlung oder aus der elektromagnetischen Abstrahlung einer Datenverarbeitungsanlage verschafft, wird mit Freiheitsstrafe bis zu zwei Jahren oder mit Geldstrafe bestraft, wenn die Tat nicht in anderen Vorschriften mit schwererer Strafe bedroht ist. • § 202c Vorbereiten des Ausspähens und Abfangens von Daten • Wer eine Straftat nach § 202a oder § 202b vorbereitet, indem er • Passwörter oder sonstige Sicherungscodes, die den Zugang zu Daten (§ 202a Abs. 2) ermöglichen, oder • Computerprogramme, deren Zweck die Begehung einer solchen Tat ist, • herstellt, sich oder einem anderen verschafft, verkauft, einem anderen überlässt, verbreitet oder sonst zugänglich macht, wird mit Freiheitsstrafe bis zu einem Jahr oder mit Geldstrafe bestraft.
Legal Aspects (for Switzerland) • Art. 144 Datenbeschädigung • Wer unbefugt elektronisch oder in vergleichbarer Weise gespeicherte oder übermittelte Daten verändert, löscht oder unbrauchbar macht, wird, auf Antrag, mit Freiheitsstrafe bis zu drei Jahren oder Geldstrafe bestraft • Hat der Täter einen grossen Schaden verursacht, so kann auf Freiheitsstrafe von einem Jahr bis zu fünf Jahren erkannt werden. Die Tat wird von Amtes wegen verfolgt. • Wer Programme, von denen er weiss oder annehmen muss, dass sie zu den in Ziffer 1 genannten Zwecken verwendet werden sollen, herstellt, einführt, in Verkehr bringt, anpreist, anbietet oder sonst wie zugänglich macht oder zu ihrer Herstellung Anleitung gibt, wird mit Freiheitsstrafe bis zu drei Jahren oder Geldstrafe bestraft. • Handelt der Täter gewerbsmässig, so kann auf Freiheitsstrafe von einem Jahr bis zu fünf Jahren erkannt werden.
What are NOT the goals of this workshop • Teaching how to write malware • Hacking course • Reverse engineering • Cracking Software • Motivate you to break the law • But: to secure software it is important to understand how it will be attacked
What are the goals of this workshop • Sensitize for commonest mistakes • It’s easy to redirect the program flow if a programmer do not care • If a programmer care it may be harder to exploit • Software won’t be perfect secured • Keep at least script kiddies out • Explain principles of • Finding software exploits • Using software exploits • Present existing counter mechanisms • Small project
Essentials • Goal: redirect original program flow to shell code • Shell code: compiled code sequence • = series of opcodes (e.g. 0xEB 0x06 0x90 0x90) • In this case: malicious code to be executed • How comes the shell code into the program? • How to jump to the shell code?
Windows Process and Memory management 0x00000000 0x7FFFFFFF 0x00400000 stack heap Push: decrement stack pointer Grows to higher addresses Program image: PE header .text (code) .data (data), etc. Additional Heap space Space for DLLs DLLs have header, .text, .data, etc PEB Shared user page No Access 0x7FFDF000 PED: Process Execution Block: location of main executable dll addresses, heap infos
Basic: Function Calls • Each function has its own stack frame (space for local variables) • Stack pointer: points on the top of the stack frame. • Frame/Base pointer: points on the button of the stack frame. • Instruction Pointer: points on the next instruction to be executed. • Before entering a function: • Push function parameter on the stack • Push current Instruction pointer to the stack • Used to return the program flow • Push Base Pointer to the stack • After entering a function: • MOV EBP, ESP (current stack pointer becomes new base pointer)
Basic: Function Calls Main stackframe void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 1. after program initialization Stack ESP EBP
Basic: Function Calls Main stackframe void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 2. push function parameter Stack ptr to argv[1] ESP EBP
Basic: Function Calls Main stackframe void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 3. Push instruction pointer Stack ptr to argv[1] EIP ESP EBP
Basic: Function Calls void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 4. push base pointer Main stackframe Stack ptr to argv[1] EIP EBP ESP EBP
Basic: Function Calls void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 5. new stack frame: MOV EBP, ESP Main stackframe Stack ptr to argv[1] EIP EBP ESPEBP
Basic: Stack space allocation • Local variables of a function are stored on the current stack frame • decrement stack pointer to store a new variable on top of the stack • How to allocate arrays? • SUB ESP, <arraysize> • decrement stack pointer with array size • How to store data in a array? • Array begin + position • Find “array begin” with fixed offset or LEA (load effective address) instruction • Remember: a[4] == *(a+4)
Basic: Allocate Stack Array void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 6. Allocate array: SUB ESP, 0x80 Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array
Basic: Write to Stack Array void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 7. Allocate array: MOV ESP, ECX INC ECX Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array
Basic: Return from a function: LEAVE void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 8. Return: LEAVE Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Leave Step 1: MOV ESP, EBP
Basic: Return from a function: LEAVE void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 9. Return: LEAVE Main stackframe Stack ptr to argv[1] EIP EBP EBP Array Leave Step 2: POP EBP ESP
Basic: Return from a function: RET void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 10. Return: RETN Main stackframe Stack ptr to argv[1] EIP EBP EBP Array Restore the instruction pointer ESP
Stack smashing • What can possibly go wrong? void do_sth(char *buf){ char var[128]; strcpy(var, buffer); } int main(int argc, char** argv){ do_sth(argv[1]) }
Stack smashing • What can possible go wrong? • strcpy terminates when a ‘0’ character is reached • What happens if argv[1] is larger than 128 characters? void do_sth(char *buf){ char var[128]; strcpy(var, buffer); } int main(int argc, char** argv){ do_sth(argv[1]) }
Stack smashing • What can possible go wrong? • strcpy terminates when a ‘0’ character is reached! • What happens if argv[1] is larger than 128 characters? •  EBP and EIP are overwritten, and possible other stack frames  program will crash void do_sth(char *buf){ char var[128]; strcpy(var, buffer); } int main(int argc, char** argv){ do_sth(argv[1]) } Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array
From stack smashing to exploiting • Used to redirect the program flow • Overwrite the return address of a function call with address of injected shellcode • Program flow is changed •  Execute Shell code • Software Exploit: • An advanced version of stack smashing • Use an buffer overflow attack • Overwrite the stored EIP with a meaningful address
Shell code • How to inject shell code in the programs memory? • Use program IO similar as for overwriting EIP • write OP_CODES into input array behind EIP Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode
Shell code • How to start the shell code? • Jump to address where shell code is stored • BUT: when executing on different machines the address may be different! • Additional: 0x00 in the address breaks the exploit •  you cannot overwrite EIP with hardcoded address Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode
Shell code • How to start the shell code? • Idea: After executing “ret” ESP points below the stored EIP •  search an address which contains jmp esp • In a application dll (address is constant there) • In a system dll (may differ in differentOS versions) • Overwrite EIP with this address • When ret is executed the program will jmp to address  jmp esp is executed  shellcode is executed Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode
Reliable jmp to Shell code • Search for an address in the .text where JMP ESP is executed • Overwrite EIP with this address. • This is reliable, since the address of a program code is constant • Search in shared libraries / DLLs for OP_CODES to jmp to the shell code • Not necessary JMP ESP • CALL ESP effects the same • use another register if it points on your shellcode • May use multiple instructions like: POP; JMP ESP etc. • depends on position of your shell code
Shell code development Write shellcode: • There is a metasploit compiler to create shellcode • gcc –c filename and objdump –d • Write own opcodes: • Look in disassembly • Search in opcode table Find opcodes to jump to shell code • Search in disassembly, • or use debugger for op-code search • First search in program, then in system libraries
Windbg/GNU GDB to find vulnerability Windgb GNU GDB breakpoint bp label address break file:line Memory dump d address (e.g. “d esp”) • dump (binary/memory) start_adr end_adr • x function • x $esp x/x, x/d, x/u to dump hex, signed, unsigned dump 4 words as hex: x/4xw $sp disassemble u/uf address/function_name disassemble address/function_name search in binary s start_addr end_addr pattern find start_addr end_addr pattern show library addresses shown by default on the top of the output info sharedlibrary Windbg can be installed as crash debugger using: „windbg –I“
Example void readfile(char *filename){ char file[10]; memset(file, 0, sizeof(file)); FILE *f = fopen(filename,"r"); if (!f) { printf("FILE NOT FOUNDn"); return; } fseek(f, 0L, SEEK_END); int size = ftell(f); rewind(f); printf("Size: %dn", size); fread(file, size, 1, f); printf("%s", file); }
Example int main(int argc, char** argv){ char *filename = "C:/foo.txt"; printf("Open file: %sn", filename); readfile(filename); }
Example • Start application with large file will crash it! (char file[10])  overflow) • e.g. use a file with many ‘A‘ • Debugger shows an Access violation
Example • Dump stack • Wingdb: “d esp“ • Stack contains many ‘A‘  Base and stored Instruction Pointer are overwritten  when returning Instruction Pointer is set to AAAA or 41414141  behind the stack pointer there are many ‘A’  place shellcode here
Example • Dump the base pointer: • Wingdb: “d ebp“ • EBP contains now the address 41414141 • ‘A‘ is 0x41 in ASCI • Same for the instruction pointer
Example • How to find the address of the instruction pointer? • Use meaningful content for the exploit and dump eip: • ABCDEFGHIJKLMNOPQUVWXYZabcdefghijklmnopquvwxyz • The instruction pointer now contains: 63646566 • (intel is little endian) •  EIP is where cdef is (look in ASCII table)
Example • How to place shell code? • Place shellcode behind the instruction pointer on the stack • dump ESP • ESP is where the ’f’ is • Simple shellcode: 9090eef4 •  twice NOP and jump back to esp • eef4 is the opcode for “jmp esp” • 0x90 is opcode for NOP
Example • What address to use to overwrite the EIP? • ffe4 is the opcode for “jmp esp” • Search this opcode in ddl and the binary • Kernel32.dll is loaded in address space 7c800000 to 7c906000 • It contains ffe4 at 0x7c803234 •  replace cdef with 3432807c to execute jmp esp •  Program hang in a loop
Entire Exploit generation (Python) f = open('C:/foo.txt', 'w') offset1 = „ABCEDEFHIJKLMNOPQRSTUVWXYZab" eip = chr (0x34) + chr (0x32) + chr (0x80) + chr(0x7c) #jmp esp is on this address in dll opcode = chr(0x90) + chr(0x90) +chr(0xff) + chr(0xe4) # NOP, NOP, jmp esp for i in offset1: f.write(i) for i in eip: f.write(i) for i in opcode: f.write(i) f.close()
Jumping • For some reason you cannot place your shellcode in ESP • Search the shellcode in other registers: • jmp EAX or jmp EBX • Search the shellcode on the stack • Search the address of the shellcode on the stack • What if only a few bytes are usable for the shellcode • What if
Gap between ESP and shellcode • Sometimes it is not possible to write the shellcode directly to ESP • May overwritten by other data or • OS counter mechanism. • Assume you have 8 byte gap  overwrite EIP with an address that contains “pop pop ret”  first bytes of the shellcode are address of “jmp esp” • Pop takes 4 byte from stack (32bit) • ret loads the first stack value in EIP • goto “jmp esp” address and execute shellcode • popad removes 32bytes from stack if pop is not enough Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode gap
Search the address of the shellcode on the stack • Sometimes the shellcode address is not in any register • but it can be found on the stack • POP until you reached shellcode address • execute ret to load the address to EIP • if the gap is 8 bytes again overwrite EIP with an address that points on a “pop pop ret” Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode address gap Shellcode
What if only a few bytes are usable for the shellcode • Sometimes only a few bytes are usable for shellcode behind EIP • but you can place more shellcode above • use the few bytes to jmp the the shellcode above: • Small shellcode can be: sub esp, 80 jmp esp • Start shellcode with NOPs • no exact jmp required Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode Shellcode
Counter Mechanisms • GS • Reorder variables on the stack. Put arrays to higher addresses • Other variables cannot be overwritten, but still EIP • DEP • Stack is not executable. • Enforced by hardware. • OS can disable it (required for JIT programs) • You can ret to the lib function that disable DEP • Stack Cookie
SEH (Structured Exception Handler) exploits • a try-catch block runs in its own stack frame • Information about the EH are pushed on the stack • 8bytes: • pointer to the next exception handler (for the case the current exception handler cannot handle the exception) • pointer to the actual exception handler •  Chain of exception handlers • FFFFFFFF marks the end of the chain  OS exception handler kicks in Main stackframe Stack EH ptr to argv[1] EIP Array EBP
SEH (Structured Exception Handler) exploits • Cause an exception to kick EH in • Overwrite the pointer to the next EH record with some jmpcode (to jmp to shellcode) e.g. eb069090 = jmp +06 NOP NOP • Overwrite the EH with a pointer to an instruction that will bring you back to next EH and execute the jmpcode (e.g. pop pop ret) • The shellcode can be directly after the overwritten EH. next EH next EH FFFFFFFF EH1 EH2 EH3
Stack Cookies • Compiler flag (only for string buffer) • Random value is computed when application starts (stack cookie) • Stored in .data section on the program • After saving EBP and EIP push stack cookie on the stack • To overwrite EIP you have to overwrite the Stack Cookie • Before ret the stack cookie will be checked. • So do not return, overwrite SEH to exploit • Sometimes you can compute the value or it is constant • Overwrite stack cookie in .data Main stackframe Stack EH EIP Stack Cookie Array ptr to argv[1] ESP
Final words • Check array bounds • ensure nobody can overwrite • Be carefully with pointer arithmetic • Use secure programming languages (C#, Java, Haskell, Ada) • but down forget: • it runs on a unsecure basis • JAVA programs cannot be exploited with buffer overruns - theoretically • JVM is written without focus on security  there are many issues! • SoftBound +CETS: Complete andCompatible Full Memory Safety for C • proven approach to eliminate all possible bufferoverflows! • Most of this problem are not caused by OS or software, but by unsafe CPU-architectures. • Possible futureCPU-architectures are less vulnerable (MILLCPU) • on this architecture concept call stack cannot be overwritten to redirect program flow • many popular exploiting technics become harder or impossible • not classic buffer overruns, but there are other technics e.g. dangling pointers
Preventing Buffer Overflows • ALWAY check array boundaries • Do NOT forget to check for index overflows: 0 1 2 3 4 5 6 7 8 9 10 11 12 base bound int array[4]: ptr: array • Iterate through the array: ++array; • Boundary check: array > base && array+elementsize < bound
Preventing Buffer Overflows • ALWAY check array boundaries • Do NOT forget to check for index overflows: 0 1 2 3 4 5 6 7 8 9 10 11 12 boundbase int array[4]: ptr: array • Boundary check: array > base && array+elementsize < bound • Point with long long *ptr2 on element 12: • ptr2 > base: 12 > 9 • ptr2 + 1 < bound: 1 < 12  Access to element 0! ptr2
Preventing Buffer Overflows • ALWAY check array boundaries • Do NOT forget to check for index overflows: 0 1 2 3 4 5 6 7 8 9 10 11 12 boundbase int array[4]: ptr: array ptr2 • Boundary check correct: array > base && array+elementsize < bound && base < array+elementsize • ptr2 > base: 12 > 9 • ptr2 + 1 < bound: 0 < 12 • ptr2 + 1 > base: 0 > 9 X
Any Questions?

Recommandé

08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)Pipat Methavanitpong
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Ida python intro
Ida python introIda python intro
Ida python intro小静 安
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Exploiting stack overflow 101
Exploiting stack overflow 101Exploiting stack overflow 101
Exploiting stack overflow 101n|u - The Open Security Community
 

Recommandé

08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)Pipat Methavanitpong
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Ida python intro
Ida python introIda python intro
Ida python intro小静 安
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Exploiting stack overflow 101
Exploiting stack overflow 101Exploiting stack overflow 101
Exploiting stack overflow 101n|u - The Open Security Community
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida pythongeeksec80
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdfTECHNOLOGY CONTROL CO.
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Intro To Spring Python
Intro To Spring PythonIntro To Spring Python
Intro To Spring Pythongturnquist
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testersChristian Martorella
 
Pycon Sec
Pycon SecPycon Sec
Pycon Secguesta762e4
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigationYaniv Shani
 
Basics of ANT
Basics of ANTBasics of ANT
Basics of ANTPuneet Sharma - Steepgraph Systems
 
x86
x86x86
x86Wei-Bo Chen
 
Python - An Introduction
Python - An IntroductionPython - An Introduction
Python - An IntroductionEueung Mulyana
 
Penetration testing using python
Penetration testing using pythonPenetration testing using python
Penetration testing using pythonPurna Chander K
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash CourseUTD Computer Security Group
 
System Programming and Administration
System Programming and AdministrationSystem Programming and Administration
System Programming and AdministrationKrasimir Berov (Красимир Беров)
 
Gift-VT Tools Development Overview
Gift-VT Tools Development OverviewGift-VT Tools Development Overview
Gift-VT Tools Development Overviewstn_tkiller
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Looking out on the Horizon
Looking out on the Horizon Looking out on the Horizon
Looking out on the Horizon 192TIS
 
Manfaat sarapan & makan teratur
Manfaat sarapan & makan teraturManfaat sarapan & makan teratur
Manfaat sarapan & makan teraturMade Sumiarta
 

Contenu connexe

Tendances

Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida pythongeeksec80
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Intro To Spring Python
Intro To Spring PythonIntro To Spring Python
Intro To Spring Pythongturnquist
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigationYaniv Shani
 
Python - An Introduction
Python - An IntroductionPython - An Introduction
Python - An IntroductionEueung Mulyana
 
Penetration testing using python
Penetration testing using pythonPenetration testing using python
Penetration testing using pythonPurna Chander K
 
Gift-VT Tools Development Overview
Gift-VT Tools Development OverviewGift-VT Tools Development Overview
Gift-VT Tools Development Overviewstn_tkiller
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 

Tendances (20)

Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
 
Intro To Spring Python
Intro To Spring PythonIntro To Spring Python
Intro To Spring Python
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
Pycon Sec
Pycon SecPycon Sec
Pycon Sec
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigation
 
Basics of ANT
Basics of ANTBasics of ANT
Basics of ANT
 
x86
x86x86
x86
 
Python - An Introduction
Python - An IntroductionPython - An Introduction
Python - An Introduction
 
Penetration testing using python
Penetration testing using pythonPenetration testing using python
Penetration testing using python
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
System Programming and Administration
System Programming and AdministrationSystem Programming and Administration
System Programming and Administration
 
Gift-VT Tools Development Overview
Gift-VT Tools Development OverviewGift-VT Tools Development Overview
Gift-VT Tools Development Overview
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 

En vedette

Looking out on the Horizon
Looking out on the Horizon Looking out on the Horizon
Looking out on the Horizon 192TIS
 
Manfaat sarapan & makan teratur
Manfaat sarapan & makan teraturManfaat sarapan & makan teratur
Manfaat sarapan & makan teraturMade Sumiarta
 
smart ms voip for lte networks
smart ms voip for lte networkssmart ms voip for lte networks
smart ms voip for lte networksStreamWIDE
 
VAT Jewellery ERP Software in Dubai
VAT Jewellery ERP Software in DubaiVAT Jewellery ERP Software in Dubai
VAT Jewellery ERP Software in DubaiWinGold Next
 
nota lukisan persembahan senibina
nota lukisan persembahan senibinanota lukisan persembahan senibina
nota lukisan persembahan senibinaAishah Liman
 
Lukisan senibina
Lukisan senibinaLukisan senibina
Lukisan senibinastekkkt
 
Prinsip rekaan premis makanan
Prinsip rekaan premis makananPrinsip rekaan premis makanan
Prinsip rekaan premis makananAsif Yahya
 
Nike Final's ERP Implementation
Nike Final's ERP ImplementationNike Final's ERP Implementation
Nike Final's ERP Implementationsoumya.parhi
 
Architectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 Introduction
Architectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 IntroductionArchitectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 Introduction
Architectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 IntroductionGalala University
 
Architectural Professional Practice - Design
Architectural Professional Practice - DesignArchitectural Professional Practice - Design
Architectural Professional Practice - DesignGalala University
 
¿Qué aprendemos en clase de música?
¿Qué aprendemos en clase de música?¿Qué aprendemos en clase de música?
¿Qué aprendemos en clase de música?mariajesusmusica
 
Enterprise Resource Planning- BEST PPT
Enterprise Resource Planning- BEST PPTEnterprise Resource Planning- BEST PPT
Enterprise Resource Planning- BEST PPTSiddharth Modi
 

En vedette (17)

Looking out on the Horizon
Looking out on the Horizon Looking out on the Horizon
Looking out on the Horizon
 
Manfaat sarapan & makan teratur
Manfaat sarapan & makan teraturManfaat sarapan & makan teratur
Manfaat sarapan & makan teratur
 
smart ms voip for lte networks
smart ms voip for lte networkssmart ms voip for lte networks
smart ms voip for lte networks
 
VAT Jewellery ERP Software in Dubai
VAT Jewellery ERP Software in DubaiVAT Jewellery ERP Software in Dubai
VAT Jewellery ERP Software in Dubai
 
ERP Software
ERP SoftwareERP Software
ERP Software
 
ERP Software For Textile Industry
ERP Software For Textile Industry ERP Software For Textile Industry
ERP Software For Textile Industry
 
nota lukisan persembahan senibina
nota lukisan persembahan senibinanota lukisan persembahan senibina
nota lukisan persembahan senibina
 
01 intro(prehistoric)
01 intro(prehistoric)01 intro(prehistoric)
01 intro(prehistoric)
 
Lukisan senibina
Lukisan senibinaLukisan senibina
Lukisan senibina
 
The Architecture Profession
The Architecture ProfessionThe Architecture Profession
The Architecture Profession
 
Prinsip rekaan premis makanan
Prinsip rekaan premis makananPrinsip rekaan premis makanan
Prinsip rekaan premis makanan
 
Nike Final's ERP Implementation
Nike Final's ERP ImplementationNike Final's ERP Implementation
Nike Final's ERP Implementation
 
Architectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 Introduction
Architectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 IntroductionArchitectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 Introduction
Architectural Design 1 Lectures by Dr. Yasser Mahgoub - Lecture 1 Introduction
 
Architectural Professional Practice - Design
Architectural Professional Practice - DesignArchitectural Professional Practice - Design
Architectural Professional Practice - Design
 
Green building
Green buildingGreen building
Green building
 
¿Qué aprendemos en clase de música?
¿Qué aprendemos en clase de música?¿Qué aprendemos en clase de música?
¿Qué aprendemos en clase de música?
 
Enterprise Resource Planning- BEST PPT
Enterprise Resource Planning- BEST PPTEnterprise Resource Planning- BEST PPT
Enterprise Resource Planning- BEST PPT
 

Similaire à Software Vulnerability Detection and Prevention

Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdfTesterteste3
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthDEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthFelipe Prado
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeFelipe Prado
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 

Similaire à Software Vulnerability Detection and Prevention (20)

Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Process management
Process managementProcess management
Process management
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdf
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depthDEF CON 27 - JEFF DILEO - evil e bpf in depth
DEF CON 27 - JEFF DILEO - evil e bpf in depth
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 

Plus de fg.informatik Universität Basel

JavaScript packt aus: "Alle haben mich falsch verstanden!"
JavaScript packt aus: "Alle haben mich falsch verstanden!"JavaScript packt aus: "Alle haben mich falsch verstanden!"
JavaScript packt aus: "Alle haben mich falsch verstanden!"fg.informatik Universität Basel
 

Plus de fg.informatik Universität Basel (17)

fg.workshop: Opensource licenses
fg.workshop: Opensource licensesfg.workshop: Opensource licenses
fg.workshop: Opensource licenses
 
Version management mit Git und Github
Version management mit Git und Github Version management mit Git und Github
Version management mit Git und Github
 
Drahtlose Kommunikation und SDR
Drahtlose Kommunikation und SDR Drahtlose Kommunikation und SDR
Drahtlose Kommunikation und SDR
 
OpenCL Grundlagen
OpenCL GrundlagenOpenCL Grundlagen
OpenCL Grundlagen
 
Website-Security
Website-SecurityWebsite-Security
Website-Security
 
Hardware-Basteleien für Informatiker
Hardware-Basteleien für InformatikerHardware-Basteleien für Informatiker
Hardware-Basteleien für Informatiker
 
Emergent gameplay
Emergent gameplayEmergent gameplay
Emergent gameplay
 
JavaScript packt aus: "Alle haben mich falsch verstanden!"
JavaScript packt aus: "Alle haben mich falsch verstanden!"JavaScript packt aus: "Alle haben mich falsch verstanden!"
JavaScript packt aus: "Alle haben mich falsch verstanden!"
 
Game Design Dokumentation und Projekt Management
Game Design Dokumentation und Projekt Management Game Design Dokumentation und Projekt Management
Game Design Dokumentation und Projekt Management
 
Hydraulische Erosion und Terraingeneration (GPGPU)
Hydraulische Erosion und Terraingeneration (GPGPU)Hydraulische Erosion und Terraingeneration (GPGPU)
Hydraulische Erosion und Terraingeneration (GPGPU)
 
Ruby, Ruby, Ruby!
Ruby, Ruby, Ruby!Ruby, Ruby, Ruby!
Ruby, Ruby, Ruby!
 
CS108 Bootcamp Eyeballs
CS108 Bootcamp EyeballsCS108 Bootcamp Eyeballs
CS108 Bootcamp Eyeballs
 
CS108 Bootcamp Einführung YASY
CS108 Bootcamp Einführung YASYCS108 Bootcamp Einführung YASY
CS108 Bootcamp Einführung YASY
 
CS108 Bootcamp 2011 Intro - Jarwars
CS108 Bootcamp 2011 Intro - JarwarsCS108 Bootcamp 2011 Intro - Jarwars
CS108 Bootcamp 2011 Intro - Jarwars
 
NumericOS - How to build your own Operatingsystem
NumericOS - How to build your own OperatingsystemNumericOS - How to build your own Operatingsystem
NumericOS - How to build your own Operatingsystem
 
DLL-Injection
DLL-InjectionDLL-Injection
DLL-Injection
 
Open source hardware
Open source hardwareOpen source hardware
Open source hardware
 

Dernier

Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
lifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxlifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxsomshekarkn64
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction managementMariconPadriquez1
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - GuideGOPINATHS437943
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913
 

Dernier (20)

Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
lifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxlifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptx
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction management
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - Guide
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
 

Software Vulnerability Detection and Prevention

  • 2. What does Remote code executing mean?
  • 3. Legal Aspects (for Germany) • § 202b Abfangen von Daten • Wer unbefugt sich oder einem anderen unter Anwendung von technischen Mitteln nicht für ihn bestimmte Daten (§ 202a Abs. 2) aus einer nichtöffentlichen Datenübermittlung oder aus der elektromagnetischen Abstrahlung einer Datenverarbeitungsanlage verschafft, wird mit Freiheitsstrafe bis zu zwei Jahren oder mit Geldstrafe bestraft, wenn die Tat nicht in anderen Vorschriften mit schwererer Strafe bedroht ist. • § 202c Vorbereiten des Ausspähens und Abfangens von Daten • Wer eine Straftat nach § 202a oder § 202b vorbereitet, indem er • Passwörter oder sonstige Sicherungscodes, die den Zugang zu Daten (§ 202a Abs. 2) ermöglichen, oder • Computerprogramme, deren Zweck die Begehung einer solchen Tat ist, • herstellt, sich oder einem anderen verschafft, verkauft, einem anderen überlässt, verbreitet oder sonst zugänglich macht, wird mit Freiheitsstrafe bis zu einem Jahr oder mit Geldstrafe bestraft.
  • 4. Legal Aspects (for Switzerland) • Art. 144 Datenbeschädigung • Wer unbefugt elektronisch oder in vergleichbarer Weise gespeicherte oder übermittelte Daten verändert, löscht oder unbrauchbar macht, wird, auf Antrag, mit Freiheitsstrafe bis zu drei Jahren oder Geldstrafe bestraft • Hat der Täter einen grossen Schaden verursacht, so kann auf Freiheitsstrafe von einem Jahr bis zu fünf Jahren erkannt werden. Die Tat wird von Amtes wegen verfolgt. • Wer Programme, von denen er weiss oder annehmen muss, dass sie zu den in Ziffer 1 genannten Zwecken verwendet werden sollen, herstellt, einführt, in Verkehr bringt, anpreist, anbietet oder sonst wie zugänglich macht oder zu ihrer Herstellung Anleitung gibt, wird mit Freiheitsstrafe bis zu drei Jahren oder Geldstrafe bestraft. • Handelt der Täter gewerbsmässig, so kann auf Freiheitsstrafe von einem Jahr bis zu fünf Jahren erkannt werden.
  • 5. What are NOT the goals of this workshop • Teaching how to write malware • Hacking course • Reverse engineering • Cracking Software • Motivate you to break the law • But: to secure software it is important to understand how it will be attacked
  • 6. What are the goals of this workshop • Sensitize for commonest mistakes • It’s easy to redirect the program flow if a programmer do not care • If a programmer care it may be harder to exploit • Software won’t be perfect secured • Keep at least script kiddies out • Explain principles of • Finding software exploits • Using software exploits • Present existing counter mechanisms • Small project
  • 7. Essentials • Goal: redirect original program flow to shell code • Shell code: compiled code sequence • = series of opcodes (e.g. 0xEB 0x06 0x90 0x90) • In this case: malicious code to be executed • How comes the shell code into the program? • How to jump to the shell code?
  • 8. Windows Process and Memory management 0x00000000 0x7FFFFFFF 0x00400000 stack heap Push: decrement stack pointer Grows to higher addresses Program image: PE header .text (code) .data (data), etc. Additional Heap space Space for DLLs DLLs have header, .text, .data, etc PEB Shared user page No Access 0x7FFDF000 PED: Process Execution Block: location of main executable dll addresses, heap infos
  • 9. Basic: Function Calls • Each function has its own stack frame (space for local variables) • Stack pointer: points on the top of the stack frame. • Frame/Base pointer: points on the button of the stack frame. • Instruction Pointer: points on the next instruction to be executed. • Before entering a function: • Push function parameter on the stack • Push current Instruction pointer to the stack • Used to return the program flow • Push Base Pointer to the stack • After entering a function: • MOV EBP, ESP (current stack pointer becomes new base pointer)
  • 10. Basic: Function Calls Main stackframe void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 1. after program initialization Stack ESP EBP
  • 11. Basic: Function Calls Main stackframe void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 2. push function parameter Stack ptr to argv[1] ESP EBP
  • 12. Basic: Function Calls Main stackframe void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 3. Push instruction pointer Stack ptr to argv[1] EIP ESP EBP
  • 13. Basic: Function Calls void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 4. push base pointer Main stackframe Stack ptr to argv[1] EIP EBP ESP EBP
  • 14. Basic: Function Calls void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 5. new stack frame: MOV EBP, ESP Main stackframe Stack ptr to argv[1] EIP EBP ESPEBP
  • 15. Basic: Stack space allocation • Local variables of a function are stored on the current stack frame • decrement stack pointer to store a new variable on top of the stack • How to allocate arrays? • SUB ESP, <arraysize> • decrement stack pointer with array size • How to store data in a array? • Array begin + position • Find “array begin” with fixed offset or LEA (load effective address) instruction • Remember: a[4] == *(a+4)
  • 16. Basic: Allocate Stack Array void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 6. Allocate array: SUB ESP, 0x80 Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array
  • 17. Basic: Write to Stack Array void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 7. Allocate array: MOV ESP, ECX INC ECX Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array
  • 18. Basic: Return from a function: LEAVE void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 8. Return: LEAVE Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Leave Step 1: MOV ESP, EBP
  • 19. Basic: Return from a function: LEAVE void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 9. Return: LEAVE Main stackframe Stack ptr to argv[1] EIP EBP EBP Array Leave Step 2: POP EBP ESP
  • 20. Basic: Return from a function: RET void do_sth(char *buf){ char var[128]; … } int main(int argc, char** argv){ do_sth(argv[1]) } 10. Return: RETN Main stackframe Stack ptr to argv[1] EIP EBP EBP Array Restore the instruction pointer ESP
  • 21. Stack smashing • What can possibly go wrong? void do_sth(char *buf){ char var[128]; strcpy(var, buffer); } int main(int argc, char** argv){ do_sth(argv[1]) }
  • 22. Stack smashing • What can possible go wrong? • strcpy terminates when a ‘0’ character is reached • What happens if argv[1] is larger than 128 characters? void do_sth(char *buf){ char var[128]; strcpy(var, buffer); } int main(int argc, char** argv){ do_sth(argv[1]) }
  • 23. Stack smashing • What can possible go wrong? • strcpy terminates when a ‘0’ character is reached! • What happens if argv[1] is larger than 128 characters? •  EBP and EIP are overwritten, and possible other stack frames  program will crash void do_sth(char *buf){ char var[128]; strcpy(var, buffer); } int main(int argc, char** argv){ do_sth(argv[1]) } Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array
  • 24. From stack smashing to exploiting • Used to redirect the program flow • Overwrite the return address of a function call with address of injected shellcode • Program flow is changed •  Execute Shell code • Software Exploit: • An advanced version of stack smashing • Use an buffer overflow attack • Overwrite the stored EIP with a meaningful address
  • 25. Shell code • How to inject shell code in the programs memory? • Use program IO similar as for overwriting EIP • write OP_CODES into input array behind EIP Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode
  • 26. Shell code • How to start the shell code? • Jump to address where shell code is stored • BUT: when executing on different machines the address may be different! • Additional: 0x00 in the address breaks the exploit •  you cannot overwrite EIP with hardcoded address Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode
  • 27. Shell code • How to start the shell code? • Idea: After executing “ret” ESP points below the stored EIP •  search an address which contains jmp esp • In a application dll (address is constant there) • In a system dll (may differ in differentOS versions) • Overwrite EIP with this address • When ret is executed the program will jmp to address  jmp esp is executed  shellcode is executed Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode
  • 28. Reliable jmp to Shell code • Search for an address in the .text where JMP ESP is executed • Overwrite EIP with this address. • This is reliable, since the address of a program code is constant • Search in shared libraries / DLLs for OP_CODES to jmp to the shell code • Not necessary JMP ESP • CALL ESP effects the same • use another register if it points on your shellcode • May use multiple instructions like: POP; JMP ESP etc. • depends on position of your shell code
  • 29. Shell code development Write shellcode: • There is a metasploit compiler to create shellcode • gcc –c filename and objdump –d • Write own opcodes: • Look in disassembly • Search in opcode table Find opcodes to jump to shell code • Search in disassembly, • or use debugger for op-code search • First search in program, then in system libraries
  • 30. Windbg/GNU GDB to find vulnerability Windgb GNU GDB breakpoint bp label address break file:line Memory dump d address (e.g. “d esp”) • dump (binary/memory) start_adr end_adr • x function • x $esp x/x, x/d, x/u to dump hex, signed, unsigned dump 4 words as hex: x/4xw $sp disassemble u/uf address/function_name disassemble address/function_name search in binary s start_addr end_addr pattern find start_addr end_addr pattern show library addresses shown by default on the top of the output info sharedlibrary Windbg can be installed as crash debugger using: „windbg –I“
  • 31. Example void readfile(char *filename){ char file[10]; memset(file, 0, sizeof(file)); FILE *f = fopen(filename,"r"); if (!f) { printf("FILE NOT FOUNDn"); return; } fseek(f, 0L, SEEK_END); int size = ftell(f); rewind(f); printf("Size: %dn", size); fread(file, size, 1, f); printf("%s", file); }
  • 32. Example int main(int argc, char** argv){ char *filename = "C:/foo.txt"; printf("Open file: %sn", filename); readfile(filename); }
  • 33. Example • Start application with large file will crash it! (char file[10])  overflow) • e.g. use a file with many ‘A‘ • Debugger shows an Access violation
  • 34. Example • Dump stack • Wingdb: “d esp“ • Stack contains many ‘A‘  Base and stored Instruction Pointer are overwritten  when returning Instruction Pointer is set to AAAA or 41414141  behind the stack pointer there are many ‘A’  place shellcode here
  • 35. Example • Dump the base pointer: • Wingdb: “d ebp“ • EBP contains now the address 41414141 • ‘A‘ is 0x41 in ASCI • Same for the instruction pointer
  • 36. Example • How to find the address of the instruction pointer? • Use meaningful content for the exploit and dump eip: • ABCDEFGHIJKLMNOPQUVWXYZabcdefghijklmnopquvwxyz • The instruction pointer now contains: 63646566 • (intel is little endian) •  EIP is where cdef is (look in ASCII table)
  • 37. Example • How to place shell code? • Place shellcode behind the instruction pointer on the stack • dump ESP • ESP is where the ’f’ is • Simple shellcode: 9090eef4 •  twice NOP and jump back to esp • eef4 is the opcode for “jmp esp” • 0x90 is opcode for NOP
  • 38. Example • What address to use to overwrite the EIP? • ffe4 is the opcode for “jmp esp” • Search this opcode in ddl and the binary • Kernel32.dll is loaded in address space 7c800000 to 7c906000 • It contains ffe4 at 0x7c803234 •  replace cdef with 3432807c to execute jmp esp •  Program hang in a loop
  • 39. Entire Exploit generation (Python) f = open('C:/foo.txt', 'w') offset1 = „ABCEDEFHIJKLMNOPQRSTUVWXYZab" eip = chr (0x34) + chr (0x32) + chr (0x80) + chr(0x7c) #jmp esp is on this address in dll opcode = chr(0x90) + chr(0x90) +chr(0xff) + chr(0xe4) # NOP, NOP, jmp esp for i in offset1: f.write(i) for i in eip: f.write(i) for i in opcode: f.write(i) f.close()
  • 40. Jumping • For some reason you cannot place your shellcode in ESP • Search the shellcode in other registers: • jmp EAX or jmp EBX • Search the shellcode on the stack • Search the address of the shellcode on the stack • What if only a few bytes are usable for the shellcode • What if
  • 41. Gap between ESP and shellcode • Sometimes it is not possible to write the shellcode directly to ESP • May overwritten by other data or • OS counter mechanism. • Assume you have 8 byte gap  overwrite EIP with an address that contains “pop pop ret”  first bytes of the shellcode are address of “jmp esp” • Pop takes 4 byte from stack (32bit) • ret loads the first stack value in EIP • goto “jmp esp” address and execute shellcode • popad removes 32bytes from stack if pop is not enough Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode gap
  • 42. Search the address of the shellcode on the stack • Sometimes the shellcode address is not in any register • but it can be found on the stack • POP until you reached shellcode address • execute ret to load the address to EIP • if the gap is 8 bytes again overwrite EIP with an address that points on a “pop pop ret” Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode address gap Shellcode
  • 43. What if only a few bytes are usable for the shellcode • Sometimes only a few bytes are usable for shellcode behind EIP • but you can place more shellcode above • use the few bytes to jmp the the shellcode above: • Small shellcode can be: sub esp, 80 jmp esp • Start shellcode with NOPs • no exact jmp required Main stackframe Stack ptr to argv[1] EIP EBP EBP ESP Array Shellcode Shellcode
  • 44. Counter Mechanisms • GS • Reorder variables on the stack. Put arrays to higher addresses • Other variables cannot be overwritten, but still EIP • DEP • Stack is not executable. • Enforced by hardware. • OS can disable it (required for JIT programs) • You can ret to the lib function that disable DEP • Stack Cookie
  • 45. SEH (Structured Exception Handler) exploits • a try-catch block runs in its own stack frame • Information about the EH are pushed on the stack • 8bytes: • pointer to the next exception handler (for the case the current exception handler cannot handle the exception) • pointer to the actual exception handler •  Chain of exception handlers • FFFFFFFF marks the end of the chain  OS exception handler kicks in Main stackframe Stack EH ptr to argv[1] EIP Array EBP
  • 46. SEH (Structured Exception Handler) exploits • Cause an exception to kick EH in • Overwrite the pointer to the next EH record with some jmpcode (to jmp to shellcode) e.g. eb069090 = jmp +06 NOP NOP • Overwrite the EH with a pointer to an instruction that will bring you back to next EH and execute the jmpcode (e.g. pop pop ret) • The shellcode can be directly after the overwritten EH. next EH next EH FFFFFFFF EH1 EH2 EH3
  • 47. Stack Cookies • Compiler flag (only for string buffer) • Random value is computed when application starts (stack cookie) • Stored in .data section on the program • After saving EBP and EIP push stack cookie on the stack • To overwrite EIP you have to overwrite the Stack Cookie • Before ret the stack cookie will be checked. • So do not return, overwrite SEH to exploit • Sometimes you can compute the value or it is constant • Overwrite stack cookie in .data Main stackframe Stack EH EIP Stack Cookie Array ptr to argv[1] ESP
  • 48. Final words • Check array bounds • ensure nobody can overwrite • Be carefully with pointer arithmetic • Use secure programming languages (C#, Java, Haskell, Ada) • but down forget: • it runs on a unsecure basis • JAVA programs cannot be exploited with buffer overruns - theoretically • JVM is written without focus on security  there are many issues! • SoftBound +CETS: Complete andCompatible Full Memory Safety for C • proven approach to eliminate all possible bufferoverflows! • Most of this problem are not caused by OS or software, but by unsafe CPU-architectures. • Possible futureCPU-architectures are less vulnerable (MILLCPU) • on this architecture concept call stack cannot be overwritten to redirect program flow • many popular exploiting technics become harder or impossible • not classic buffer overruns, but there are other technics e.g. dangling pointers
  • 49. Preventing Buffer Overflows • ALWAY check array boundaries • Do NOT forget to check for index overflows: 0 1 2 3 4 5 6 7 8 9 10 11 12 base bound int array[4]: ptr: array • Iterate through the array: ++array; • Boundary check: array > base && array+elementsize < bound
  • 50. Preventing Buffer Overflows • ALWAY check array boundaries • Do NOT forget to check for index overflows: 0 1 2 3 4 5 6 7 8 9 10 11 12 boundbase int array[4]: ptr: array • Boundary check: array > base && array+elementsize < bound • Point with long long *ptr2 on element 12: • ptr2 > base: 12 > 9 • ptr2 + 1 < bound: 1 < 12  Access to element 0! ptr2
  • 51. Preventing Buffer Overflows • ALWAY check array boundaries • Do NOT forget to check for index overflows: 0 1 2 3 4 5 6 7 8 9 10 11 12 boundbase int array[4]: ptr: array ptr2 • Boundary check correct: array > base && array+elementsize < bound && base < array+elementsize • ptr2 > base: 12 > 9 • ptr2 + 1 < bound: 0 < 12 • ptr2 + 1 > base: 0 > 9 X