exploit techniques and mitigation

Techniques & Mitigation - Yaniv Shani

Upload: yaniv-shani

Post on 11-Feb-2017


TRANSCRIPT

Techniques & Mitigation

Yaniv Shani

What is an Exploit?

A piece of software that leverages an application vulnerability to cause unintended application behavior

Exploit Techniques

• Stack overflow
• SEH frame overwrite
• Heap overflow
• Ret2LibC
• Return Oriented Programming
• JIT Spraying
• Bypass the Sandbox Model

Stack overflow

Overwrite the return address on the stack with a pointer to some malicious shellcode

SEH Frame overwrite

Override the SEH records to jump to the shellcode

Heap overflow

• Overwrite the allocated buffer's internal linked-list pointers.

• Use the resulting pointer exchange to overwrite the program counter.

Ret2LibC

• Change the return address on the stack to a known function in a shared library

• Doesn't include shellcode

Return Oriented Programming

• Form gadgets by combining various instructions.
• A gadget performs a high-level action
• e.g. VirtualAlloc(), SetProcessDEPPolicy()

JIT Spraying

• Make use of the fact that the JIT compiler generates executable code at runtime
• Spraying NOP slides, XOR and shellcode into memory

Bypass the Sandbox Model

• Bypass the security mechanism
• Give an untrusted application access to underlying system resources.

Mitigation techniques

• Stack Protection
• SafeSEH
• Heap Protection
• DEP
• ASLR

Stack Protection

• Add Canary before stack return pointer
• Check Canary & terminate on mismatch
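As an added example (not part of the slides), the following C program models the two bullets above: a canary is planted just past the local buffer, in the path an overflow must take to reach the saved return pointer, and the epilogue check refuses to continue when the canary has changed. The frame layout, the fixed canary value and the function names are constructed for this illustration; a real compiler (GCC with -fstack-protector, for instance) places and checks the canary itself, and its failure handler aborts the process rather than returning a status.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for the demonstration: the local buffer sits
 * directly below the canary, which in turn guards the saved return address.
 * An overflow that runs from buf toward the return address must cross the
 * canary first. (A real compiler lays this out; this struct only models it.) */
#define BUF_SIZE 16
typedef struct {
    unsigned char buf[BUF_SIZE];
    uint64_t canary;
} guarded_frame;

/* Fixed value so the run is reproducible; real canaries are random per
 * process. The low byte is zero: on a little-endian host it is the first
 * canary byte in memory, so a C string copy that overflows stops there. */
#define CANARY_VALUE 0x5AC3F00D1E8B4A00ULL

/* Prologue: initialise the buffer and plant the canary. */
static void frame_init(guarded_frame *f) {
    memset(f->buf, 0, BUF_SIZE);
    f->canary = CANARY_VALUE;
}

/* Epilogue check: 1 if the canary is intact, 0 if it was overwritten. */
static int frame_check(const guarded_frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Copy untrusted input into the frame and run the epilogue check.
 * bounded != 0 models a length-checked copy that never leaves buf;
 * bounded == 0 models the bug: the copy runs as far as the input does,
 * byte-wise over the whole frame (capped at the frame size so the
 * simulation itself stays well defined). Returns the check result. */
int copy_and_check(const unsigned char *data, size_t len, int bounded) {
    guarded_frame f;
    frame_init(&f);
    if (bounded) {
        size_t n = len < BUF_SIZE ? len : BUF_SIZE;
        memcpy(f.buf, data, n);
    } else {
        size_t n = len < sizeof f ? len : sizeof f;
        memcpy((unsigned char *)&f, data, n);
    }
    return frame_check(&f);
}

int main(void) {
    unsigned char input[32];
    memset(input, 'A', sizeof input);   /* constructed over-long input */

    printf("bounded copy of 32 bytes:   canary %s\n",
           copy_and_check(input, sizeof input, 1) ? "intact" : "CORRUPTED");
    printf("unbounded copy of 16 bytes: canary %s\n",
           copy_and_check(input, 16, 0) ? "intact" : "CORRUPTED");
    printf("unbounded copy of 32 bytes: canary %s\n",
           copy_and_check(input, sizeof input, 0) ? "intact" : "CORRUPTED");
    /* A real runtime aborts the process on CORRUPTED instead of returning
     * through a possibly overwritten address. */
    return 0;
}
```

The bounded copy and the 16-byte unbounded copy both leave the canary intact; only a copy that runs past the buffer trips the check, which is exactly the case where the return pointer behind the canary could also have been reached.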

SafeSEH

• A link-time option that generates a table with all SEH handlers that will be used by the program

Heap Protection

• Unlink check
• Entry header cookie
• Pointer encoding
• Randomized metadata and base address
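The first two bullets, the unlink check and the entry header cookie, are the direct answer to the heap overflow slide earlier (overwrite the linked-list pointers, then let unlink turn that into an arbitrary write). The C program below is an added example, not code from the slides or from any real allocator: it keeps a toy free list with a per-chunk cookie and refuses to unlink a chunk whose neighbours do not point back at it or whose header no longer matches its cookie. The chunk layout, the secret and the scenario functions are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy free-list metadata for a hypothetical allocator; constructed for this
 * example and not modelled on any real heap implementation. */
typedef struct chunk {
    uint32_t size;
    uint32_t cookie;        /* entry header cookie: detects header overwrites */
    struct chunk *fd;       /* forward link in the free list */
    struct chunk *bk;       /* backward link in the free list */
} chunk;

/* Per-process secret; fixed here for reproducibility, random in a real heap. */
static const uint32_t heap_secret = 0x5EC2E7A1u;

/* The cookie binds the header to its own address and size under the secret,
 * so a header copied from elsewhere or an overwritten size field fails. */
static uint32_t make_cookie(const chunk *c) {
    return (uint32_t)(uintptr_t)c ^ c->size ^ heap_secret;
}

static void chunk_init(chunk *c, uint32_t size) {
    c->size = size;
    c->fd = c->bk = NULL;
    c->cookie = make_cookie(c);
}

static int cookie_ok(const chunk *c) {
    return c->cookie == make_cookie(c);
}

/* Circular doubly linked free list anchored at a sentinel head. */
static void list_init(chunk *head) {
    chunk_init(head, 0);
    head->fd = head->bk = head;
}

static void list_insert(chunk *head, chunk *c) {
    c->fd = head->fd;
    c->bk = head;
    head->fd->bk = c;
    head->fd = c;
}

/* Hardened unlink: verify the header cookie and that both neighbours point
 * back at c before touching any pointer. Returns 1 on success, 0 if the
 * header or links look corrupted (the list is left untouched in that case). */
int safe_unlink(chunk *c) {
    if (!cookie_ok(c))
        return 0;
    if (c->fd->bk != c || c->bk->fd != c)
        return 0;
    c->fd->bk = c->bk;
    c->bk->fd = c->fd;
    c->fd = c->bk = NULL;
    return 1;
}

/* Scenario 1: intact list, unlink succeeds and the list stays consistent. */
int demo_unlink_intact(void) {
    chunk head, a, b;
    list_init(&head);
    chunk_init(&a, 32); list_insert(&head, &a);
    chunk_init(&b, 64); list_insert(&head, &b);   /* head -> b -> a -> head */
    if (!safe_unlink(&a)) return 0;
    return head.fd == &b && b.fd == &head && head.bk == &b;
}

/* Scenario 2: a's forward link was overwritten to point at a forged chunk,
 * as an overflow from the neighbouring buffer would do; the back-pointer
 * check refuses and no write through the bad pointer happens. */
int demo_unlink_rejects_forged_links(void) {
    chunk head, a, forged;
    list_init(&head);
    chunk_init(&a, 32); list_insert(&head, &a);
    memset(&forged, 0, sizeof forged);      /* forged.bk != &a */
    a.fd = &forged;                          /* simulated link corruption */
    if (safe_unlink(&a)) return 0;           /* must be rejected */
    return head.fd == &a && head.bk == &a;   /* head left untouched */
}

/* Scenario 3: only the size field was overwritten; the cookie no longer
 * matches, so the chunk is rejected before the links are even examined. */
int demo_cookie_detects_header_overwrite(void) {
    chunk head, a;
    list_init(&head);
    chunk_init(&a, 32); list_insert(&head, &a);
    a.size = 4096;                           /* simulated header overwrite */
    return cookie_ok(&a) == 0 && safe_unlink(&a) == 0;
}

int main(void) {
    printf("intact unlink ok:            %d\n", demo_unlink_intact());
    printf("forged links rejected:       %d\n", demo_unlink_rejects_forged_links());
    printf("header overwrite detected:   %d\n", demo_cookie_detects_header_overwrite());
    return 0;
}
```

Both checks are cheap and run on every free; the remaining bullets (pointer encoding, randomized metadata) make it harder to forge headers and links that would pass them in the first place.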

Data Execution Prevention

• Preventing an application from executing code from a non-executable memory region

Address Space Layout Randomization

• Randomly arranging the position of key data areas (heap, stack, exec., library space).

Malware Protection Solution

• Anti-Virus: Blacklist of file signatures.
• Only effective against known threats

• Whitelisting and Sandboxing solution
• Hard to implement
• Requires consistent maintenance

• Stateful application control
• Automated malware protection
• Protects from zero-day attacks

Thank You