Dissecting complex codereuse attacks with ROPMEMU Mariano Graziano
- Slides: 52
Dissecting complex code-reuse attacks with ROPMEMU Mariano Graziano Cisco Talos
whoami § Security researcher at Cisco Talos § Ph. D. from Telecom Paris. Tech/Eurecom § Hackademic § Malware analysis / Memory forensics / Mitigations
CODE INJECTION ATTACKS
CODE INJECTION ATTACKS
CODE INJECTION ATTACKS Attackers inject or load malicious code (or modify the existing one)
CODE-REUSE ATTACKS - ROP
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30)
CODE-REUSE ATTACKS - ROP SP = 0 x. FFFF 88001 B 800000 0 x 00) 0 x 30) ? !?
MOTIVATION HW and OS countermeasures forced ROP adoption
MOTIVATION HW and OS countermeasures forced ROP adoption § Persistent ROP rootkit – Vogl et al. [NDSS 14] § ROP as an obfuscation technique (malware in the wild) § All existing tools cope with injected code § No tools to dissect ROP payloads
ROP ROOTKITS
CHUCK - CHALLENGES § Memory region for the persistent control structure § Overwrites protection: § Interrupts § Self-overwriting § Resume original/normal control flow § Activate the persistent component
CHUCK - CHALLENGES § Memory region for the persistent memory region § Overwrites protection: § Interrupts § Self-overwriting § Resume original/normal control flow § Activate the persistent component
CHUCK - PERSISTENCE § CVE-2013 -2094 § sysenter § IA 32_SYSENTER_ESP (0 x 175) § IA 32_SYSENTER_EIP (0 x 176)
CHUCK - PERSISTENCE § CVE-2013 -2094 § sysenter § IA 32_SYSENTER_ESP (0 x 175) – Copy chain § IA 32_SYSENTER_EIP (0 x 176) - ret
CHUCK § Po. C 1: § LPE: CVE-2013 -2094 § OS: Ubuntu Server 3. 8 with secure boot § Hooks: § sys_read § sys_getdents § Chains: § Copy chain (persistent) § Dispatcher chain § Payload chain 1 https: //www. sec. in. tum. de/persistent-data-only-malware/
CHALLENGES
CHALLENGES [C 1] Verbosity
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining [C 4] Conditional branches
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining [C 4] Conditional branches [C 5] Return to functions
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining [C 4] Conditional branches [C 5] Return to functions [C 6] Dynamically generated chains
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining [C 4] Conditional branches [C 5] Return to functions [C 6] Dynamically generated chains [C 7] Stop condition
CHALLENGES [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining [C 4] Conditional branches [C 5] Return to functions [C 6] Dynamically generated chains [C 7] Stop condition
- Lu et al. – ACSAC 12 - Yadegari et al. – S&P 15 [C 1] Verbosity [C 2] Lack of immediate values [C 3] Stack based instruction chaining [C 4] Conditional branches [C 5] Return to functions [C 6] Dynamically generated chains [C 7] Stop condition CHALLENGES - Stancill et al. – RAID 13 - Lu et al. – ACSAC 12
APPROACH § ROPMEMU framework adopts many techniques: § Memory forensics § Code emulation § Multi-path exploration § CFG recovery § Compiler transformations
IMPLEMENTATION § Volatility plugins (ropemu and unchain) depend on: § Capstone § Unicorn § nasm § Standalone scripts (bash and python): § GDB python § pygraphviz
ROPMEMU
ROPMEMU
DEMO 0 x 01
ROPMEMU
DEMO 0 x 02
ROPMEMU
DEMO 0 x 03
ROPMEMU
ROPMEMU
EXPERIMENT CHAINS INSTRUCTIO NS GADGET S BLOCK S BRANCHE S FUNCTION CALLS S COPY 414275 184126 1 - - - DISPATCHE R 63515 18874 7 3 1 5 PAYLOAD 6320 2913 34 26 9 17
RESULTS - CFG
RESULTS - CFG
RESULTS - IDA
DEMO 0 x 04
LIMITATIONS § Prone to anti-acquisition § Prone to anti-emulation § Lack of completeness on arbitrary inputs
CONCLUSIONS § Source code: https: //github. com/vrtadmin/ROPMEMU § First public tool to analyze code-reuse payloads § Tested on the most complex public threat
QUESTIONS? Mariano Graziano @emd 3 l magrazia@cisco. com
- Mariano graziano
- Grass frog for dissection
- What does tap mean in writing
- Used to hold or lift specimens
- Graziano and raulin
- Flebotrombosis adalah
- Chicken wing dissection lab answers
- Paolo graziano anatomia patologica
- Function of a dissecting pins
- Short summary of othello by william shakespeare
- Graziano diritto canonico
- Graziano serragiotto
- Eye dissection
- Graziano othello
- Frog organs
- Dissecting the preamble
- Almerindo graziano
- Dissecting a chicken leg
- Graziano and raulin
- Droplet infection
- Mbti breakdown
- Simple and compound sentences quiz
- Freud complexes
- Simple compound complex and compound-complex sentences quiz
- Difference between oedipus complex and electra complex
- Dogmas mariano
- Mariano fuentes lira biografia
- Ceip mariano castillo
- Mariano galvez villa nueva
- Scuola griselli montescudaio
- Massimo mariano psicologo
- Universidad mariano galvez villa nueva
- Fratelli ungaretti parafrasi
- Rebeliones criollas del siglo xix
- Vicente balanguer
- Q10 mariano moreno
- Mariano hidalgo plataforma
- Tavi edwards sapien 3
- Leonardo sarao picture
- She married mariano herbosa of calamba
- The lonely shepherd film
- Mariano marcos state university
- Mariano di vanni dei filipepi
- Mariano francisco laplane
- Silvia citlalli gama gonzalez
- Pic du midi d'ossau mariano
- Mariano de larrobla
- Apogania rizali
- Dr. alpino, mariano roberto
- Alessandro di mariano filipepi
- Tetcho suehiro and rizal
- Colegio distrital hogar mariano
- Mes de mayo mariano