SlideShare une entreprise Scribd logo

Can We Prevent Use-after-free Attacks?

I
inaz2

2017/06/04 ssmjp Special

Technologie
1  sur  44
Télécharger pour lire hors ligne
Can We Prevent Use-after-free Attacks? 2017/06/04 ssmjp Special inaz2
About me • @inaz2 – https://twitter.com/inaz2 • Python programmer & Security engineer • Blog: ももいろテクノロジー – http://inaz2.hatenablog.com/ 2
Questions • Are you a programmer? • Can you do basic C++ programming? • Do you know what use-after-free attack is? • Do you know how to prevent the attack when you write your codes? 3
Important warning • The purpose of this talk is to tell you how computers work, what the problem is and my current thoughts to prevent it • NEVER ABUSE THE KNOWLEDGE YOU GET – Comply strictly with the law. Think about ethics. Never harm others definitely • Some of Japanese laws about computer security – 不正アクセス行為の禁止等に関する法律(不正アクセス禁止法) – 刑法第168条の2及び3 不正指令電磁的記録に関する罪(ウイルス作 成罪) – 刑法第234条の2 電子計算機損壊等業務妨害罪 4
Dynamic memory allocation and heap 5
Dynamic memory allocation • C: malloc() / free() • C++: new / delete • Win32API: HeapAlloc() / HeapFree() 6
Heap • First allocate a pool of memory • malloc(): Use some of the pool as a chunk • free(): Give it back • Freed chunks are generally reused for efficiency 7https://commons.wikimedia.org/wiki/File:Tannin_heap.jpeg
Use-after-free attacks 8
Allocate a chunk 9 heap chunkptr = 0x100000
Free the chunk (or trigger garbage collection) 10 heap chunk (freed) ptr = 0x100000 Now this points invalid address: dangling pointer
Reallocate the freed chunk with crafted data 11 heap chunk (crafted) ptr = 0x100000
Access freed memory via dangling pointer 12 heap chunk (crafted) ptr = 0x100000 Arbitrary read/write through pointer in chunk 0x41414141
Virtual function table 13
Virtual function • Handle derived classes as their base class and call functions of the former in the same manner – This characteristics is called “Polymorphism” 14
15
16
Virtual function table (vtable) 17 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable * gray indicates read only
Virtual function table (vtable) 18 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable &boom boom Crafted buffer * gray indicates read only Hijacking EIP
On Linux … • Test program on glibc’s ptmalloc – https://gist.github.com/inaz2/f24f6d09cbf406d344debc649106fd 89 19
Even on Windows 10 … • Test program (unprotected) on low fragmentation heap – https://gist.github.com/inaz2/0c6edd5f485b95a114104fd48a533 750 20
When will it be a problem? • When user can call functions in arbitrary order – Parser / command interpreter – Script engine (especially JavaScript) – OS kernel / drivers • Security Vulnerabilities Related To CWE-416 - CVE Details – http://www.cvedetails.com/vulnerability-list/cweid- 416/vulnerabilities.html • Published Advisories 2017 - Zero Day Initiative – http://www.zerodayinitiative.com/advisories/published/2017/ 21
Zero-day vulnerabilities • CVE-2014-1776 (Remote code execution) – Use-after-free vulnerability in MSHTML!CMarkup::IsConnectedToPrimaryMarkup() in Microsoft Internet Explorer 6 through 11 – https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day- exploit-targeting-internet-explorer-versions-9-through-11-identified-in- targeted-attacks.html • CVE-2017-0263 (Local privilege escalation) – Use-after-free vulnerability in win32k!xxxDestroyWindow() in Microsoft Windows 7, 8.1, 10 and Windows Server 2008, 2012, 2016 – https://www.fireeye.com/blog/threat-research/2017/05/eps- processing-zero-days.html 22
Preventing use-after-free attacks 23
C++11: Using smart pointers and references • Smart Pointers (Modern C++) – https://msdn.microsoft.com/en-us/library/hh279674.aspx • #include <memory> • unique_ptr<T> (pointer with ownership) – when the object is pointed by only one pointer • shared_ptr<T> (pointer with reference count) – when the object is pointed by more than one pointers – To avoid circular reference, weak_ptr<T> is used together 24
The unique pointer across functions 25
Bidirectional linked list by using shared_ptr 26
Assigning NULL immediately after free • MEM01-CPP. Store a valid value in pointers immediately after deallocation - SEI CERT C++ Coding Standard [outdated] – https://www.securecoding.cert.org/confluence/display/cplusplus/MEM01- CPP.+Store+a+valid+value+in+pointers+immediately+after+deallocation 27
28
Microsoft Visual C++: enable SDL checks • /sdl (Enable Additional Security Checks) – https://msdn.microsoft.com/en-us/library/jj161081.aspx 29
Microsoft Visual C++: enable SDL checks • Enabled by default in Visual Studio 2015 “New Win32 Project” 30
31
Magic address ds:002b:00008123 • Guarding against re-use of stale object references | Microsoft Secure Blog – https://blogs.microsoft.com/microsoftsecure/2012/04/24/guarding- against-re-use-of-stale-object-references/ 32
But copied pointers remain dangling • If more than one pointer pointing to the same address exist, others are not nullified – Need tracking copies to prevent completely • FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers [NDSS 2015] – https://www.internetsociety.org/doc/freesentry-protecting-against-use- after-free-vulnerabilities-due-dangling-pointers • Preventing Use-after-free with Dangling Pointers Nullification (DangNull) [NDSS 2015] – https://sslab.gtisc.gatech.edu/2015/dang-null.html • DangSan: Scalable Use-after-free Detection [EUROSYS 2017] – http://www.cs.vu.nl/~giuffrida/papers/dangsan_eurosys17.pdf 33
GCC / Clang: AddressSanitizer • -fsanitize=address – https://github.com/google/sanitizers/wiki/AddressSanitizer – Runtime memory error detection 34
Eliminating all dangling pointers is hard … 35
Windows 8.1+: Control Flow Guard • /guard:cf (Enable Control Flow Guard) – https://msdn.microsoft.com/en- us/library/windows/desktop/mt637065(v=vs.85).aspx – Add check if the target of indirect call is the beginning of function 36
Windows 8.1+: Control Flow Guard • Not enabled by default in Visual Studio 2015 “New Win32 Project” • Incompatible with /ZI (Edit and Continue debug information) 37
Linux grsecurity: RAP • https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf • Indirect Control Transfer Protection – Prepend type signature before each function and verify it before indirect call 38
Windows 10: VTGuard (IE & Edge) • Append canary to vtable and verify it before call • Understanding the Attack Surface and Attack Resilience of Project Spartans New EdgeHTML Rendering Engine [Black Hat USA 2015] – https://www.blackhat.com/docs/us-15/materials/us-15-Yason- Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project- Spartans-New-EdgeHTML-Rendering-Engine.pdf 39 vptr char name [0x20] &Dog::cry() Animal instance Dog::cry() Dog vtable _vtguard
Windows 10: MemGC (IE & Edge) • Managed heap and garbage collector which don’t free if there are dangling pointers – Enabled by default • MemGC: Use-After-Free Exploit Mitigation in Edge and IE on Windows 10 – https://securityintelligence.com/memgc-use-after-free-exploit- mitigation-in-edge-and-ie-on-windows-10/ • You can read it on GitHub!!1 – https://github.com/Microsoft/ChakraCore/blob/master/lib/Common /Memory/Recycler.cpp 40
Comprehensive mitigations • Mandatory access control – Mandatory Integrity Control (Windows Vista+) / SELinux (Linux) – Enforce the access policy between processes and resources (files etc.) • Isolation – AppContainer (Windows 8+) / Namespaces (Linux) – Execute in separated context • Endpoint security solution – Provided by many security venders including Microsoft – Monitoring host activities and detect critical accesses • Patch update 41
Recap • Use-after-free attacks are caused by dangling pointers to freed memory area – Recent vulnerabilities are not only buffer overflow • There are ways to mitigate it – Safer language features, carefully programming, compiler’s security option, smart GC, comprehensive mitigations – Enable /guard:cf in Release build of your new MSVC projects • Think about what our problem is 42
References • use-after-freeによるC++ vtable overwriteをやってみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2014/06/18/220735 • ROP検知手法RAPについてまとめてみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2015/10/30/024234 • Beyond Zero-day Attacks(4):Use After Freeとヒープスプレー - @IT – http://www.atmarkit.co.jp/ait/articles/1409/22/news010.html • Use After Free 脆弱性攻撃を試す – https://www.slideshare.net/monochrojazz/use-after-free • Understanding the Low Fragmentation Heap (Black Hat USA 2010) – http://illmatics.com/Understanding_the_LFH_Slides.pdf • Getting back determinism in the Low Fragmentation Heap - LSE Blog – https://blog.lse.epita.fr/articles/74-getting-back-determinism-in-the-lfh.html • saaramar/Deterministic_LFH: Have fun with the LowFragmentationHeap – https://github.com/saaramar/Deterministic_LFH • katagaitai CTF勉強会 #8 pwnables編 – https://speakerdeck.com/bata_24/katagaitai-ctf-number-8 43
Thank You! @inaz2 44

Recommandé

Race condition
Race conditionRace condition
Race conditionМихаил Фирстов
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxAnne Nicolas
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framworkDeepanshu Gajbhiye
 
Metasploit
MetasploitMetasploit
MetasploitInstitute of Information Security (IIS)
 
I pv6 addressing-rg-animated
I pv6 addressing-rg-animatedI pv6 addressing-rg-animated
I pv6 addressing-rg-animatedmasbangkit
 
Network scanner
Network scannerNetwork scanner
Network scannerShrikrishna Parab
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 

Recommandé

Race condition
Race conditionRace condition
Race conditionМихаил Фирстов
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxAnne Nicolas
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framworkDeepanshu Gajbhiye
 
Metasploit
MetasploitMetasploit
MetasploitInstitute of Information Security (IIS)
 
I pv6 addressing-rg-animated
I pv6 addressing-rg-animatedI pv6 addressing-rg-animated
I pv6 addressing-rg-animatedmasbangkit
 
Network scanner
Network scannerNetwork scanner
Network scannerShrikrishna Parab
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Cisco Security
 
Introduction to Makefile
Introduction to MakefileIntroduction to Makefile
Introduction to MakefileTusharadri Sarkar
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Metaploit
MetaploitMetaploit
MetaploitAjinkya Pathak
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseHarris Andrea
 
Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
OWASP-VulnerableFlaskApp
OWASP-VulnerableFlaskAppOWASP-VulnerableFlaskApp
OWASP-VulnerableFlaskAppanilyelken
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP SnoopingNetProtocol Xpert
 
BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2
BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2
BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Aruba OS 6.3 Command Line Interface Reference Guide
Aruba OS 6.3 Command Line Interface Reference GuideAruba OS 6.3 Command Line Interface Reference Guide
Aruba OS 6.3 Command Line Interface Reference GuideAruba, a Hewlett Packard Enterprise company
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassGeorgia Weidman
 
Siber Güvenlik ve Etik Hacking Sunu - 13
Siber Güvenlik ve Etik Hacking Sunu - 13Siber Güvenlik ve Etik Hacking Sunu - 13
Siber Güvenlik ve Etik Hacking Sunu - 13Murat KARA
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
Wireless penetration testing
Wireless penetration testingWireless penetration testing
Wireless penetration testingKamlesh Dhanwani
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI BGA Cyber Security
 
MSSQL Hacking ve Post Exploitation Yontemleri
MSSQL Hacking ve Post Exploitation YontemleriMSSQL Hacking ve Post Exploitation Yontemleri
MSSQL Hacking ve Post Exploitation YontemleriEyüp ÇELİK
 
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomugMasahiro NAKAYAMA
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門shiracamus
 

Contenu connexe

Tendances

Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Cisco Security
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseHarris Andrea
 
Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
OWASP-VulnerableFlaskApp
OWASP-VulnerableFlaskAppOWASP-VulnerableFlaskApp
OWASP-VulnerableFlaskAppanilyelken
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassGeorgia Weidman
 
Siber Güvenlik ve Etik Hacking Sunu - 13
Siber Güvenlik ve Etik Hacking Sunu - 13Siber Güvenlik ve Etik Hacking Sunu - 13
Siber Güvenlik ve Etik Hacking Sunu - 13Murat KARA
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
Wireless penetration testing
Wireless penetration testingWireless penetration testing
Wireless penetration testingKamlesh Dhanwani
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)NetProtocol Xpert
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI BGA Cyber Security
 
MSSQL Hacking ve Post Exploitation Yontemleri
MSSQL Hacking ve Post Exploitation YontemleriMSSQL Hacking ve Post Exploitation Yontemleri
MSSQL Hacking ve Post Exploitation YontemleriEyüp ÇELİK
 

Tendances (20)

Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)
 
Introduction to Makefile
Introduction to MakefileIntroduction to Makefile
Introduction to Makefile
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
 
Metaploit
MetaploitMetaploit
Metaploit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
OWASP-VulnerableFlaskApp
OWASP-VulnerableFlaskAppOWASP-VulnerableFlaskApp
OWASP-VulnerableFlaskApp
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2
BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2
BTRisk X86 Tersine Mühendislik Eğitim Sunumu - Bölüm-2
 
Aruba OS 6.3 Command Line Interface Reference Guide
Aruba OS 6.3 Command Line Interface Reference GuideAruba OS 6.3 Command Line Interface Reference Guide
Aruba OS 6.3 Command Line Interface Reference Guide
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
 
Siber Güvenlik ve Etik Hacking Sunu - 13
Siber Güvenlik ve Etik Hacking Sunu - 13Siber Güvenlik ve Etik Hacking Sunu - 13
Siber Güvenlik ve Etik Hacking Sunu - 13
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
Wireless penetration testing
Wireless penetration testingWireless penetration testing
Wireless penetration testing
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1
 
PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI PORT TARAMA ve KEŞİF ÇALIŞMALARI
PORT TARAMA ve KEŞİF ÇALIŞMALARI
 
MSSQL Hacking ve Post Exploitation Yontemleri
MSSQL Hacking ve Post Exploitation YontemleriMSSQL Hacking ve Post Exploitation Yontemleri
MSSQL Hacking ve Post Exploitation Yontemleri
 

En vedette

細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomugMasahiro NAKAYAMA
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門shiracamus
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?inaz2
 
Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編なべ
 
CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)kikuchan98
 
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjpAWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjpMasahiro NAKAYAMA
 
Edomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみようEdomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみようSatoshi Mimura
 
Esoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in RubyEsoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in Rubymametter
 

En vedette (8)

細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?
 
Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編
 
CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)
 
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjpAWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
 
Edomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみようEdomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみよう
 
Esoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in RubyEsoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in Ruby
 

Similaire à Can We Prevent Use-after-free Attacks?

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014Bryce Kunz
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Secure Coding Practices for Middleware
Secure Coding Practices for MiddlewareSecure Coding Practices for Middleware
Secure Coding Practices for MiddlewareManuel Brugnoli
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinDigicomp Academy AG
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
44 con slides
44 con slides44 con slides
44 con slidesgeeksec80
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)geeksec80
 
Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)ITCamp
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
 

Similaire à Can We Prevent Use-after-free Attacks? (20)

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Secure Coding Practices for Middleware
Secure Coding Practices for MiddlewareSecure Coding Practices for Middleware
Secure Coding Practices for Middleware
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
44 con slides
44 con slides44 con slides
44 con slides
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)
 
Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 

Plus de inaz2

HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)inaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)inaz2
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primerinaz2
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)inaz2
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksinaz2
 
CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!inaz2
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profitinaz2
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~inaz2
 

Plus de inaz2 (12)

HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwords
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primer
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needles
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocks
 
CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profit
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
 

Dernier

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Dernier (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Can We Prevent Use-after-free Attacks?

  • 1. Can We Prevent Use-after-free Attacks? 2017/06/04 ssmjp Special inaz2
  • 2. About me • @inaz2 – https://twitter.com/inaz2 • Python programmer & Security engineer • Blog: ももいろテクノロジー – http://inaz2.hatenablog.com/ 2
  • 3. Questions • Are you a programmer? • Can you do basic C++ programming? • Do you know what use-after-free attack is? • Do you know how to prevent the attack when you write your codes? 3
  • 4. Important warning • The purpose of this talk is to tell you how computers work, what the problem is and my current thoughts to prevent it • NEVER ABUSE THE KNOWLEDGE YOU GET – Comply strictly with the law. Think about ethics. Never harm others definitely • Some of Japanese laws about computer security – 不正アクセス行為の禁止等に関する法律(不正アクセス禁止法) – 刑法第168条の2及び3 不正指令電磁的記録に関する罪(ウイルス作 成罪) – 刑法第234条の2 電子計算機損壊等業務妨害罪 4
  • 6. Dynamic memory allocation • C: malloc() / free() • C++: new / delete • Win32API: HeapAlloc() / HeapFree() 6
  • 7. Heap • First allocate a pool of memory • malloc(): Use some of the pool as a chunk • free(): Give it back • Freed chunks are generally reused for efficiency 7https://commons.wikimedia.org/wiki/File:Tannin_heap.jpeg
  • 10. Free the chunk (or trigger garbage collection) 10 heap chunk (freed) ptr = 0x100000 Now this points invalid address: dangling pointer
  • 11. Reallocate the freed chunk with crafted data 11 heap chunk (crafted) ptr = 0x100000
  • 12. Access freed memory via dangling pointer 12 heap chunk (crafted) ptr = 0x100000 Arbitrary read/write through pointer in chunk 0x41414141
  • 14. Virtual function • Handle derived classes as their base class and call functions of the former in the same manner – This characteristics is called “Polymorphism” 14
  • 15. 15
  • 16. 16
  • 17. Virtual function table (vtable) 17 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable * gray indicates read only
  • 18. Virtual function table (vtable) 18 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable &boom boom Crafted buffer * gray indicates read only Hijacking EIP
  • 19. On Linux … • Test program on glibc’s ptmalloc – https://gist.github.com/inaz2/f24f6d09cbf406d344debc649106fd 89 19
  • 20. Even on Windows 10 … • Test program (unprotected) on low fragmentation heap – https://gist.github.com/inaz2/0c6edd5f485b95a114104fd48a533 750 20
  • 21. When will it be a problem? • When user can call functions in arbitrary order – Parser / command interpreter – Script engine (especially JavaScript) – OS kernel / drivers • Security Vulnerabilities Related To CWE-416 - CVE Details – http://www.cvedetails.com/vulnerability-list/cweid- 416/vulnerabilities.html • Published Advisories 2017 - Zero Day Initiative – http://www.zerodayinitiative.com/advisories/published/2017/ 21
  • 22. Zero-day vulnerabilities • CVE-2014-1776 (Remote code execution) – Use-after-free vulnerability in MSHTML!CMarkup::IsConnectedToPrimaryMarkup() in Microsoft Internet Explorer 6 through 11 – https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day- exploit-targeting-internet-explorer-versions-9-through-11-identified-in- targeted-attacks.html • CVE-2017-0263 (Local privilege escalation) – Use-after-free vulnerability in win32k!xxxDestroyWindow() in Microsoft Windows 7, 8.1, 10 and Windows Server 2008, 2012, 2016 – https://www.fireeye.com/blog/threat-research/2017/05/eps- processing-zero-days.html 22
  • 24. C++11: Using smart pointers and references • Smart Pointers (Modern C++) – https://msdn.microsoft.com/en-us/library/hh279674.aspx • #include <memory> • unique_ptr<T> (pointer with ownership) – when the object is pointed by only one pointer • shared_ptr<T> (pointer with reference count) – when the object is pointed by more than one pointers – To avoid circular reference, weak_ptr<T> is used together 24
  • 25. The unique pointer across functions 25
  • 26. Bidirectional linked list by using shared_ptr 26
  • 27. Assigning NULL immediately after free • MEM01-CPP. Store a valid value in pointers immediately after deallocation - SEI CERT C++ Coding Standard [outdated] – https://www.securecoding.cert.org/confluence/display/cplusplus/MEM01- CPP.+Store+a+valid+value+in+pointers+immediately+after+deallocation 27
  • 28. 28
  • 29. Microsoft Visual C++: enable SDL checks • /sdl (Enable Additional Security Checks) – https://msdn.microsoft.com/en-us/library/jj161081.aspx 29
  • 30. Microsoft Visual C++: enable SDL checks • Enabled by default in Visual Studio 2015 “New Win32 Project” 30
  • 31. 31
  • 32. Magic address ds:002b:00008123 • Guarding against re-use of stale object references | Microsoft Secure Blog – https://blogs.microsoft.com/microsoftsecure/2012/04/24/guarding- against-re-use-of-stale-object-references/ 32
  • 33. But copied pointers remain dangling • If more than one pointer pointing to the same address exist, others are not nullified – Need tracking copies to prevent completely • FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers [NDSS 2015] – https://www.internetsociety.org/doc/freesentry-protecting-against-use- after-free-vulnerabilities-due-dangling-pointers • Preventing Use-after-free with Dangling Pointers Nullification (DangNull) [NDSS 2015] – https://sslab.gtisc.gatech.edu/2015/dang-null.html • DangSan: Scalable Use-after-free Detection [EUROSYS 2017] – http://www.cs.vu.nl/~giuffrida/papers/dangsan_eurosys17.pdf 33
  • 34. GCC / Clang: AddressSanitizer • -fsanitize=address – https://github.com/google/sanitizers/wiki/AddressSanitizer – Runtime memory error detection 34
  • 35. Eliminating all dangling pointers is hard … 35
  • 36. Windows 8.1+: Control Flow Guard • /guard:cf (Enable Control Flow Guard) – https://msdn.microsoft.com/en- us/library/windows/desktop/mt637065(v=vs.85).aspx – Add check if the target of indirect call is the beginning of function 36
  • 37. Windows 8.1+: Control Flow Guard • Not enabled by default in Visual Studio 2015 “New Win32 Project” • Incompatible with /ZI (Edit and Continue debug information) 37
  • 38. Linux grsecurity: RAP • https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf • Indirect Control Transfer Protection – Prepend type signature before each function and verify it before indirect call 38
  • 39. Windows 10: VTGuard (IE & Edge) • Append canary to vtable and verify it before call • Understanding the Attack Surface and Attack Resilience of Project Spartans New EdgeHTML Rendering Engine [Black Hat USA 2015] – https://www.blackhat.com/docs/us-15/materials/us-15-Yason- Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project- Spartans-New-EdgeHTML-Rendering-Engine.pdf 39 vptr char name [0x20] &Dog::cry() Animal instance Dog::cry() Dog vtable _vtguard
  • 40. Windows 10: MemGC (IE & Edge) • Managed heap and garbage collector which don’t free if there are dangling pointers – Enabled by default • MemGC: Use-After-Free Exploit Mitigation in Edge and IE on Windows 10 – https://securityintelligence.com/memgc-use-after-free-exploit- mitigation-in-edge-and-ie-on-windows-10/ • You can read it on GitHub!!1 – https://github.com/Microsoft/ChakraCore/blob/master/lib/Common /Memory/Recycler.cpp 40
  • 41. Comprehensive mitigations • Mandatory access control – Mandatory Integrity Control (Windows Vista+) / SELinux (Linux) – Enforce the access policy between processes and resources (files etc.) • Isolation – AppContainer (Windows 8+) / Namespaces (Linux) – Execute in separated context • Endpoint security solution – Provided by many security venders including Microsoft – Monitoring host activities and detect critical accesses • Patch update 41
  • 42. Recap • Use-after-free attacks are caused by dangling pointers to freed memory area – Recent vulnerabilities are not only buffer overflow • There are ways to mitigate it – Safer language features, carefully programming, compiler’s security option, smart GC, comprehensive mitigations – Enable /guard:cf in Release build of your new MSVC projects • Think about what our problem is 42
  • 43. References • use-after-freeによるC++ vtable overwriteをやってみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2014/06/18/220735 • ROP検知手法RAPについてまとめてみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2015/10/30/024234 • Beyond Zero-day Attacks(4):Use After Freeとヒープスプレー - @IT – http://www.atmarkit.co.jp/ait/articles/1409/22/news010.html • Use After Free 脆弱性攻撃を試す – https://www.slideshare.net/monochrojazz/use-after-free • Understanding the Low Fragmentation Heap (Black Hat USA 2010) – http://illmatics.com/Understanding_the_LFH_Slides.pdf • Getting back determinism in the Low Fragmentation Heap - LSE Blog – https://blog.lse.epita.fr/articles/74-getting-back-determinism-in-the-lfh.html • saaramar/Deterministic_LFH: Have fun with the LowFragmentationHeap – https://github.com/saaramar/Deterministic_LFH • katagaitai CTF勉強会 #8 pwnables編 – https://speakerdeck.com/bata_24/katagaitai-ctf-number-8 43