Security & Exploitation
Operating Systems, Fall 2014
RPISEC - 12/01/2014 OS Security 1

whoami
• Markus Gaasedelen
  – B.S. Computer Science ’15
• Security Enthusiast
  – I like to hack things
• President of RPISEC
  – http://rpis.ec

RPISEC
• The Computer Security Club @ RPI
  – http://rpis.ec
• The leading authority on campus for any and all things computer security related
• We compete in hacking competitions known as CTFs (Capture The Flag) and we’re very good at them
• We teach cool and applicable security skills at our weekly meetings
  – 5-7pm Fridays, DCC 318

CSAW 2014 Finals (photo slides)
CSAW 2014 Awards (photo slide)

let’s get rolling…
WHAT IS SECURITY?

What is Security?
• Security == Hacking
  – ‘politically correct’
  – Cyber is the buzzword
• Very technical and rewarding challenges
• Rarely taught or talked about in school ):
• Many different categories of security

Categories of Security
• Cryptography
• Web Security
• Vulnerability Research
• Binary Exploitation
• Reverse Engineering
• Malware Analysis
• Systems Security
• Embedded Hardware Hacking
• Network Security
• Digital Forensics
• Physical Security
• Pentesting
• …
(The same list is shown again on the next slide with the note: The kind of stuff I’ll talk about today (:)

MEMORY CORRUPTION & BINARY EXPLOITATION

Binary Exploitation
• The simplest definition:
  – Leveraging bugs in an executable to cause unintended, controlled actions by an attacker
• Requires intimate knowledge of the language, compiler, and the machine

Bugs Are Everywhere
• C is a ‘low level’ language
  – Compiles straight to machine code (x86, ARM, etc)
• Very fast
  – Very fine control over the machine and memory
• It’s like driving a manual!
  – Easy to do stupid things

The Unexciting Languages
• Binary exploitation isn’t really a thing for managed or scripting languages
  – C#, .NET, JavaScript, Lua, Python, etc
• Slower, automate lots of stuff for you
  – Driving an automatic

let’s dive right in and try breaking some stuff
WELCOME TO THE WARZONE

warzone.rpis.ec
ssh username/password intro01:intro01

Getting Started / Tips
• cd /levels
• ./intro01
  – AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (a long run of A’s as input)
• python -c 'print "A"*20'
• gdb ./intro01
  – run
• In GDB:
  – info functions
  – info registers (i r)
  – disassemble <function> (disas main)
  – breakpoint on <function> (b main)
  – breakpoint on <address> (b *0x08048455)

Stack Overview
• The stack is a region of memory for a program to maintain function variables and stuff during execution
• This is main()’s stack (diagram to the right)

Understanding the Stack (diagram, two slides)
Corrupting the Stack (diagram)
PWNING the Stack (diagram)

Endianness
• Endianness
  – How data is stored in memory
• Modern computers are generally little endian
  – ‘little end in’
• Endianness can be confusing, and I don’t want to get into the details
  – 0x41424344 stored as 0x44, 0x43, 0x42, 0x41
  – 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde

Intro01 Exploit
(python -c 'print "A"*64 + "\xef\xbe\xad\xde"'; cat) | ./intro01
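The two things the intro01 slides lean on are little-endian byte order (why the address is written backwards in the input) and an unbounded copy into a fixed-size stack buffer. The following C program is an added example, not code from the slides or from the warzone levels: it packs and unpacks 32-bit values in little-endian order, shows the unbounded-copy bug beside a length-checked replacement, and assumes a 64-byte local buffer only because the slide’s input uses 64 filler bytes; the 68-byte input it constructs is a stand-in, not the level’s real data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian layout of a 32-bit value: least significant byte at the
 * lowest address, so 0xdeadbeef is stored as ef be ad de. */
void pack_le32(uint32_t v, uint8_t out[4]) {
    out[0] = (uint8_t)(v & 0xffu);
    out[1] = (uint8_t)((v >> 8) & 0xffu);
    out[2] = (uint8_t)((v >> 16) & 0xffu);
    out[3] = (uint8_t)((v >> 24) & 0xffu);
}

/* Inverse: rebuild the integer from four little-endian bytes, e.g. the
 * trailing "\xef\xbe\xad\xde" of the intro01 input reads back as 0xdeadbeef. */
uint32_t unpack_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

#define BUF_SIZE 64  /* assumed size of the local buffer (the slide's input uses 64 filler bytes) */

/* The bug class intro01 demonstrates ("before" form): strcpy() stops only
 * at the NUL byte, so an input of BUF_SIZE or more characters writes past
 * buf into whatever the compiler placed above it. Kept for comparison; the
 * demo below only ever calls it with a short input. */
void vulnerable_greet(const char *name) {
    char buf[BUF_SIZE];
    strcpy(buf, name);                 /* unbounded copy: the overflow */
    printf("hello, %s\n", buf);
}

/* Hardened form: compare the length against the destination before
 * copying, refuse what does not fit, and always NUL-terminate.
 * Returns 0 on success, -1 when the input would not fit. */
int safe_greet(const char *name, char *out, size_t out_size) {
    size_t len = strlen(name);
    if (out_size == 0 || len >= out_size) {
        return -1;                     /* would overflow: reject instead of smashing the stack */
    }
    memcpy(out, name, len + 1);        /* bounded copy, terminator included */
    return 0;
}

int main(void) {
    uint8_t bytes[4];
    char out[BUF_SIZE] = {0};
    char long_input[69];               /* constructed: 68 bytes, like 64 filler + a 4-byte address */
    int rc;

    pack_le32(0xdeadbeefu, bytes);
    printf("0xdeadbeef in memory: %02x %02x %02x %02x\n",
           bytes[0], bytes[1], bytes[2], bytes[3]);

    memset(long_input, 'A', 68);
    long_input[68] = '\0';

    vulnerable_greet("intro01");       /* short input: fits, no overflow */

    rc = safe_greet(long_input, out, sizeof out);
    printf("safe_greet(68 bytes) -> %d (rejected)\n", rc);

    rc = safe_greet("intro01", out, sizeof out);
    printf("safe_greet(\"intro01\") -> %d, out=%s\n", rc, out);
    return 0;
}
```

The length check in safe_greet is what a compiler’s stack cookie only detects after the fact; doing it before the copy is the fix, the cookie is the safety net.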
Bend it like Beckham
UNDERSTANDING CONTROL FLOW

Example ELF / EXE in Memory (diagram, stepped over several slides)
Runtime Memory, labels as drawn:
  0x00000000 – Start of memory
  Libraries (libc)
  ELF Executable
    0x08048000 – Start of .text Segment
    .text segment (executable code)
    .data segment
  Heap
  Stack
  0xbfff0000 – Top of stack
  0xFFFFFFFF – End of memory
Successive slides move the EIP marker through the executable code of the .text segment and into the libraries (libc).
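The calling, returning and stack-smashing slides that follow are drawn as pictures of one x86 frame: a local buffer at the bottom, the saved EBP and the return address above it, and (on the Modern Protections slide) a stack cookie in between. The C program below is an added example, not code from the slides: it models that frame as a plain struct so that an over-long write stays defined behaviour, shows the write running up into the return address (the slides’ SEGFAULT 0x41414141), and shows the epilogue check a stack cookie adds. The cookie value and the saved-EBP address are constructed; the return address 0x08048455 is the one the gdb slide uses as a breakpoint.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
#define CANARY   0x1d2c3b4au   /* constructed value; a real cookie is random per process */

/* A 32-bit x86 frame laid out as the calling slides draw it: the local
 * buffer at the lowest address, the saved frame pointer and the return
 * address above it, and the cookie between them. Modelled as a struct so
 * the overwrite below never leaves the object. */
struct frame {
    char     buf[BUF_SIZE];   /* offset 0: local char buffer */
    uint32_t canary;          /* offset 64: stack cookie the compiler inserts */
    uint32_t saved_ebp;       /* offset 68: caller's EBP */
    uint32_t ret_addr;        /* offset 72: where "ret" will jump */
};

/* Prologue: set up a frame called from caller_ebp that should return to return_to. */
void frame_init(struct frame *f, uint32_t caller_ebp, uint32_t return_to) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_ebp = caller_ebp;
    f->ret_addr = return_to;
}

/* An unbounded copy of len bytes into buf: anything beyond BUF_SIZE spills
 * upward into canary, saved_ebp and ret_addr, the way strcpy()/gets() would
 * on a real stack. Capped at sizeof(struct frame) so the model itself never
 * writes out of bounds. Returns the number of bytes written. */
size_t frame_unbounded_write(struct frame *f, const uint8_t *data, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, data, len);
    return len;
}

/* The epilogue check a stack protector emits: if the cookie changed, the
 * write ran past the buffer. Returns 1 when intact, 0 when smashed. */
int frame_canary_intact(const struct frame *f) {
    return f->canary == CANARY;
}

/* Epilogue: the address "ret" would jump to, or 0 standing in for
 * __stack_chk_fail() aborting the process before the corrupted return. */
uint32_t frame_epilogue(const struct frame *f) {
    if (!frame_canary_intact(f)) return 0;
    return f->ret_addr;
}

/* How many bytes an overflow must write before it reaches the return address. */
size_t frame_ret_offset(void) {
    return offsetof(struct frame, ret_addr);
}

int main(void) {
    struct frame f;
    uint8_t input[sizeof f];
    size_t n;

    /* constructed addresses: saved EBP near the slides' top of stack, return into .text */
    frame_init(&f, 0xbffff000u, 0x08048455u);
    printf("return address sits %zu bytes above buf\n", frame_ret_offset());

    memset(input, 'A', sizeof input);

    n = frame_unbounded_write(&f, input, 60);            /* fits: nothing above buf is touched */
    printf("%zu bytes: canary %s, ret=0x%08x\n", n,
           frame_canary_intact(&f) ? "intact" : "SMASHED", f.ret_addr);

    n = frame_unbounded_write(&f, input, sizeof input);  /* overflow: the 'A's reach ret_addr */
    printf("%zu bytes: canary %s, ret=0x%08x, epilogue returns 0x%08x\n", n,
           frame_canary_intact(&f) ? "intact" : "SMASHED", f.ret_addr, frame_epilogue(&f));
    return 0;
}
```

Without the cookie the second write would make "ret" jump to 0x41414141, which is the segfault address on the Returning home slide; with it, the epilogue refuses to return, which is why the ChatServer demo later in the deck only works with cookies turned off.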
Example ELF / EXE in Memory (diagram continued: the EIP marker in the .text segment, then in the libraries)

How Calling Works (diagram, stepped over six slides; EIP moves into the called function, “…” marks frames left out)
Returning (diagram, stepped over five slides; EIP goes back to the caller)

Now that you know how it works …
OWNING CONTROL FLOW

Stack Smashing (diagram, stepped over three slides)
Returning (diagram)
Returning home (diagram): SEGFAULT 0x41414141

“If your program simply segfaulted, consider yourself lucky.”
  -Chuck Stewart

Redirecting Control Flow (diagram)
• Overwrite with a code address

warzone.rpis.ec
SSH in as intro02
use the password you got from solving intro01

Modern Protections
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Stack Cookies (Canaries)
• Stack Rearrangement
• Read Only Relocation (RELRO)
• FORTIFY_SOURCE
• These only make things harder, not impossible
  – Take MBE if you want to know more about these

Those were only educational challenges
LET’S TRY SOMETHING REAL(ER)

Courtesy of Goldschmidt
CHATSERVER V3

ChatServer V3
• From NetProg (CSCI-4220)
• 32bit Linux Exploitation
• Vulnerable to a stack smash
  – Compiler’s stack cookies save the day
• I’ll be demoing without cookies, not exploitable otherwise ):

Courtesy of Goldschmidt
CHATSERVER V3 – DEMO

Windows 8.1 Exploitation (x64)
CSAW 2014 LINKS.EXE

links.exe
• Challenge from the CSAW 2014 CTF Finals
• 64bit Exploitation on Windows 8.1
• Basically all protections are on by default
• No source, lots of reversing :0

reversing is tedious

Windows 8.1 Exploitation (x64)
CSAW 2014 LINKS.EXE - DEMO

CSAW 2014 Finals (photo slide)

Wrapping up Binary Exploitation
• You might consider yourself a rockstar programmer, but you probably know nothing about secure coding practices or the implications of your mistakes
• Compilers go out of their way to prevent your bugs from causing catastrophic failure
• Just because your program doesn’t appear to segfault or crash doesn’t mean it is bug free or without vulnerabilities
• Binary exploitation is nothing like standard software development - I truly think of it as an art

welcome to the real world
JOB OPPORTUNITIES

…so…many…jobs…
• Typical titles / positions
  – Information Security Analyst / Engineer
  – Security Software Engineer
  – Vulnerability Research Engineer
  – Web Application Security Engineer
  – Computer Network Operations
  – Threat & Incident Response Engineer
  – Product Security Reverse Engineer
  – Malware Analyst / Reverse Engineer
  – …

Entering the Job Market
• There are so few qualified security individuals, companies are totally starved ):
• Skilled in security & have a B.S. in CS?
  – Government, Contractors, FFRDCs
    • $70k – $90k+
  – Private / Commercial
    • $100k – ??
• Anything less and you’re missing out

Coming Soon - Spring 2015
MODERN BINARY EXPLOITATION

Modern Binary Exploitation
• An official class developed by RPISEC
• http://rpis.ec/binexp
• Class cap is raised to 50!
  – Thank Goldschmidt & Stewart for getting us an awesome room that seats 50+, Walker 5113
  – General registration re-opens December 8th
• Tuesday/Friday 2-4pm, Spring 2015
• DON’T MISS THIS!
  – ZERO guarantee it’ll ever be offered again

Questions?
• gaasem@rpi.edu
• security.cs.rpi.edu/~gaasem
• @gaasedelen
• irc.rpis.ec 6667