Identifying Memory Address Disclosures
John North
BSc (Hons), MSc
A thesis submitted in partial fulfilment of
the requirements for the degree of
Doctor of Philosophy
at
De Montfort University
January 2015
Abstract
Software is still being produced and used that is vulnerable to exploitation. As well as being present in devices in the homes of many people around the world, programs with these vulnerabilities are maintaining life-critical systems such as power stations, aircraft and medical devices, and are managing the creation and distribution of billions of pounds every year. These systems are actively being exploited by governments, criminals and opportunists, and this has led to loss of life and loss of wealth. This dependence on software that is vulnerable to exploitation has produced a society with tangible concerns over cyber-crime, cyber-terrorism and cyber-warfare.
As well as attempts to eliminate these vulnerabilities, techniques have been developed to mitigate their effects; these prophylactic techniques do not eliminate the vulnerabilities but make them harder to exploit. As software exploitation is an ever-evolving battle between attackers and defenders, finding methods to bypass these mitigations has become a new battlefield in this struggle, and the techniques used to do so require vulnerabilities of their own.
Many of the mitigation techniques depend upon secrecy of one form or another: address space layout randomisation relies on the attacker not knowing where code and data have been placed, and stack canaries rely on the attacker not knowing the canary value. Vulnerabilities which allow an attacker to view those secrets are therefore now important to attackers and defenders alike. Leaking the contents of computer memory has always been considered a vulnerability, but until recently it has not typically been considered a serious one. Because such leaks can be used to bypass key mitigation techniques, these vulnerabilities are now considered critical to preventing whole classes of software exploitation.
This thesis is about detecting these types of leaks and the information they disclose. It discusses the importance of these disclosures, both currently and in the future. It then introduces the first published technique able to reliably identify specific classes of these leaks, particularly address disclosures and canary disclosures.
The technique is tested against a series of applications, across multiple operating systems, using both artificial examples and software that is critical, commonplace and complex.
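The abstract names the two classes of leak the thesis targets, address disclosures and canary disclosures, and the contents lists the principles behind detecting them (trust boundaries, ASLR as an indicator of address disclosures, entropy as an indicator of ASLR, comparison of data crossing a trust boundary over repeated runs). The following is an added illustration of that differential idea written for this page; it is not the thesis's DEBT implementation nor any of the appendix programs, whose details are not reproduced here. It assumes an x86-64 Linux target (little-endian 64-bit words, a user-space ceiling of 0x00007FFFFFFFFFFF, page-aligned library mappings and the glibc convention that the low byte of the stack canary is 0x00), and the captures it analyses are constructed with a seeded RNG to stand in for the output of a hypothetical leaky program run sixteen times. It goes slightly beyond the abstract by also showing how a run counter and a flag, which change between runs without being secrets, are kept out of the "address" and "canary" labels.

```python
import math
import random
import struct
from collections import Counter

WORD = 8                               # compare little-endian 64-bit words (assumption: x86-64 target)
USER_SPACE_MAX = 0x00007FFFFFFFFFFF    # top of the canonical user-space range on x86-64 Linux


def shannon_bits(values):
    """Entropy, in bits, of the values one word position takes across captures (0.0 if identical)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def aligned_words(blob):
    """Split one capture into aligned little-endian words; a trailing partial word is ignored."""
    return [struct.unpack_from("<Q", blob, off)[0]
            for off in range(0, len(blob) - WORD + 1, WORD)]


def classify_word(values, runs):
    """Label one word position from the values it took in `runs` captures.

    The thresholds are heuristics chosen for this example, not figures from the thesis.
    """
    bits = shannon_bits(values)
    if bits == 0.0:
        return "constant"
    if bits < math.log2(runs) - 1:
        return "low-entropy"         # changes, but repeats far too often to be ASLR-derived
    if (all(v <= USER_SPACE_MAX for v in values)
            and len({v & 0xFFF for v in values}) == 1):
        return "address"             # page offset fixed, page number random: a randomised mapping
    if all((v & 0xFF) == 0 for v in values):
        return "canary"              # glibc clears the low byte of the stack protector value
    return "varying"                 # high entropy but no address or canary shape (PID, counter, time)


def find_disclosures(captures):
    """Compare captures word-by-word; return {byte offset: label} for every position that changes."""
    runs = len(captures)
    words = [aligned_words(c) for c in captures]
    result = {}
    for i in range(min(len(w) for w in words)):
        label = classify_word([w[i] for w in words], runs)
        if label != "constant":
            result[i * WORD] = label
    return result


def make_captures(runs=16, seed=1):
    """Constructed sample data: the record a hypothetical leaky program emits, once per run.

    The record leaks a libc function pointer and the stack canary next to a constant
    magic value, a run counter and a flag. ASLR and the canary are simulated with a
    seeded RNG so the example is repeatable offline.
    """
    rng = random.Random(seed)
    captures = []
    for run in range(runs):
        libc_base = 0x7F0000000000 + (rng.getrandbits(28) << 12)   # page-aligned, like an mmap'd library
        canary = rng.getrandbits(64) & ~0xFF                       # random, low byte cleared
        captures.append(struct.pack("<QQQQQ",
                                    0x5452414548,          # constant magic value
                                    libc_base + 0x4F550,   # hypothetical fixed offset inside libc
                                    canary,
                                    run,                   # counter: varies, but not like an address
                                    run % 2))              # flag: varies with little entropy
    return captures


if __name__ == "__main__":
    for offset, label in sorted(find_disclosures(make_captures()).items()):
        print(f"offset {offset:2d}: {label}")
```

Two caveats for anyone adapting this. The "address" test keys on a constant page offset, which fits leaked pointers into mapped images and libraries; a leaked stack pointer on Linux varies at 16-byte granularity and would fall through to "varying", so a stack-address rule needs a looser low-bit test plus a range check. And the entropy threshold only works because every run is compared against enough others: with two or three captures almost everything that changes looks high-entropy, which is exactly why the number of captures required is a question in its own right.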
Acknowledgements
I would like to thank the many, many people involved in helping me to create this thesis and for tolerating me during the process. In particular, I would like to thank my partner Rikke for being the person she is. I would like to thank my parents and my brother for encouraging me to undertake this work and to continue with it when it was no longer fun. As well as the many that have helped me personally, I am very grateful to those who have helped me academically, in particular my supervisors and everybody who has reviewed this work, in whatever form it was at the time. Finally, I would like to thank Ollie Whitehouse for initially pointing me to the Fermin J. Serna paper, as well as for his encouragement with this problem and kind words regarding the solution.
Publications
The following papers were created and published as part of the initial stages of this PhD.
• Esteban J Palomo, John North, David Elizondo, Rafael Marcos Luque, and Tim Watson. Visualisation of network forensics traffic data with a self-organising map for qualitative features. In Neural Networks (IJCNN), The 2011 International Joint Conference on, pages 1740-1747. IEEE, 2011.
• Christian Bitter, John North, David A Elizondo, and Tim Watson. An introduction to the use of neural networks for network intrusion detection. In Computational Intelligence for Privacy and Security, pages 5-24. Springer, 2012.
• Esteban J Palomo, John North, David Elizondo, Rafael Marcos Luque, and Tim Watson. Application of growing hierarchical SOM for visualisation of network forensics traffic data. Neural Networks, 32:275-284, 2012.
Contents
Bibliography . . . 1
Contents . . . vii
List of Figures . . . viii
List of Tables . . . ix
Abbreviations . . . xvi
1 Introduction . . . 1
1.1 Contribution . . . 4
1.2 Conventions Adopted . . . 4
1.3 Thesis Outline . . . 5
1.4 Conclusions . . . 6
2 Prophylactic Measures: Attacks and Defences . . . 7
2.1 Introduction . . . 7
2.2 Exploiting Software . . . 8
2.3 Exploitation Basics . . . 8
2.4 Stack Canaries . . . 10
2.5 Data Execution Prevention . . . 11
2.6 Address Space Layout Randomisation . . . 12
2.7 Code Re-Use Attacks . . . 14
2.7.1 Return-Oriented Programming . . . 15
2.8 Conclusions . . . 17
3 The Importance of Memory Disclosures . . . 19
3.1 Introduction . . . 19
3.2 What is a Memory Disclosure . . . 19
3.3 Why are they important . . . 20
3.3.1 Important information leakage . . . 20
3.3.2 Bypassing probabilistic mitigations . . . 20
3.4 Causes of Disclosures . . . 22
3.4.1 Format strings / buffer overflows, bounds checking . . . 22
3.4.2 Lack of clearing information . . . 22
3.4.3 Inappropriate release . . . 23
3.4.4 Forensic retrieval . . . 23
3.4.5 Non-userspace disclosures . . . 23
3.4.6 Side channel attacks . . . 24
3.5 Alternatives to Address Disclosures . . . 25
3.5.1 Bypassing disclosures with non-ASLR'd code . . . 25
3.5.2 Guessing and brute forcing . . . 26
3.5.3 Heap spraying . . . 26
3.5.4 Partial overwrites . . . 29
3.5.5 Stack reading . . . 30
3.6 The Future Relevance of Address Disclosures . . . 30
3.6.1 Improved ASLR implementations . . . 31
3.6.2 Increase in diversification mitigations . . . 33
3.6.3 Future effectiveness of code-reuse attacks . . . 36
3.7 Summary . . . 39
4 Testing for Memory Problems . . . 40
4.1 Introduction . . . 40
4.2 Static Analysis . . . 41
4.2.1 Peiró et al. (2014) . . . 42
4.3 Dynamic Analysis . . . 43
4.3.1 Dynamic binary instrumentation . . . 43
4.4 Symbolic Execution . . . 46
4.5 Conclusions . . . 47
5 DEBT: A Differential Entropy-Based Testing methodology . . . 48
5.1 Introduction . . . 48
5.2 Approach taken . . . 48
5.3 Basic Principles . . . 50
5.3.1 Principle 1: Trust boundaries . . . 50
5.3.2 Principle 2: ASLR as an indicator of address disclosures . . . 52
5.3.3 Principle 3: Using entropy as an indicator of ASLR . . . 53
5.3.4 Principle 4: Trust boundary data comparison . . . 53
5.3.5 Principle 5: Principles can be combined . . . 53
5.4 Methodology . . . 54
5.5 Practicality of Methodology . . . 56
5.5.1 Recording data flow over a trust boundary . . . 56
5.5.2 Big bang or iterative approach . . . 58
5.5.3 User inputs . . . 58
5.5.4 Mechanism for eliminating sources of entropy . . . 59
5.5.5 Number of captures required . . . 59
5.6 Novelty of Methodology . . . 60
5.7 Strengths and Weaknesses of Methodology . . . 61
5.8 Conclusions . . . 63
6 Experiments . . . 65
6.1 Introduction . . . 65
6.1.1 Experimental design . . . 65
6.1.2 Principles to be tested . . . 66
6.1.3 Summary of experiments . . . 66
6.2 Experiment 1 . . . 69
6.2.1 Experiment Objectives . . . 69
6.2.2 Experiment Design . . . 70
6.2.3 Execution of Experiments . . . 72
6.2.4 Results . . . 72
6.3 Experiments 2, 3 and 4 . . . 73
6.3.1 Experiment objectives . . . 73
6.3.2 Experiment design . . . 74
6.3.3 Execution of Experiment 2 . . . 74
6.3.4 Execution of Experiment 3 . . . 74
6.3.5 Execution of Experiment 4 . . . 75
6.3.6 Results . . . 75
6.4 Experiments 5, 6 and 7 . . . 76
6.4.1 Experiment objectives . . . 76
6.4.2 Experiment design . . . 77
6.4.3 Execution of Experiment 5 . . . 78
6.4.4 Execution of Experiment 6 . . . 79
6.4.5 Execution of Experiment 7 . . . 80
6.4.6 Experiment results . . . 80
6.5 Experiment 8 . . . 81
6.5.1 Experiment objectives . . . 81
6.5.2 Experiment design . . . 81
6.5.3 Execution of experiments . . . 84
6.5.4 Results . . . 85
6.6 Experiment 9 . . . 86
6.6.1 Experiment objectives . . . 86
6.6.2 Experiment design . . . 87
6.6.3 Execution of experiments . . . 88
6.6.4 Results . . . 88
6.7 Experiment 10 . . . 89
6.7.1 Experiment objectives . . . 89
6.7.2 Experiment design . . . 90
6.7.3 Program under test . . . 90
6.7.4 Data Set selection . . . 90
6.7.5 Trust boundary to be tested . . . 90
6.7.6 Framework implementation . . . 91
6.7.7 Results . . . 91
6.8 Conclusions . . . 91
7 Conclusions and Reflections . . . 94
7.1 Introduction . . . 94
7.2 Analysis . . . 94
7.3 Reflections . . . 95
7.4 Contributions . . . 96
7.5 Future Work . . . 97
7.6 Conclusions . . . 98
8 References . . . 100
Appendices . . . 117
A Simple Program for creating a Disclosure . . . 118
B Script for Testing a single input . . . 120
C Programs used for creating stack cookie disclosures . . . 121
C.1 Simple Cookie Program for OS X using the Clang compiler . . . 121
C.2 Simple Cookie Program for Linux using GCC . . . 123
C.3 Simple Cookie Program for Windows using the Visual Studio compiler . . . 124
D HeartBleed test Application . . . 125
E Methodology for reviewing literature on Memory Disclosures . . . 131
List of Figures
2.1 Diagram showing how contiguous addresses on the stack can direct program execution to different pieces of code. . . . 16
5.1 Flow-chart depicting the steps involved in implementing the DEBIT methodology. . . . 55
6.1 Diagram showing the interaction between the two scripts involved in executing Experiment 1. . . . 71
6.2 Diagram showing the different components of the framework used to execute Experiment 8 and the interactions between them. . . . 83