Are Embedded Devices Ready for ROP Attacks?
- ROP verification for low-spec embedded devices -
YUUMA TAKI
Self introduction
Yuuma Taki
・Hokkaido Information University, Department of Information Media, senior
・Interested in lower-layer security around the OS and CPU.
Researched KASLR deployment using Prekern at SecHack365
(a Japanese security hackathon).
Overview
・Investigate the possibilities of ROP attacks against OSs and processors
for embedded systems.
→ Execute vulnerable test programs on embedded systems and
launch a ROP attack (details later).
→ Emulate both high-spec and low-spec embedded devices using QEMU.
Background
・Demand for embedded systems is increasing radically
with the proliferation of IoT devices.
→ Due to various restrictions in some embedded devices, rich security
systems cannot be deployed.
Low-spec devices: low power, small capacity, low electricity consumption
High-spec devices: high power, large capacity, high electricity consumption
Background
・Evolution of Return Oriented Programming (ROP) attacks
→ A ROP attack combines snippets of code that already exist inside a program
to perform arbitrary processing.
→ Derivative techniques of ROP attacks are being researched.
・ROP attacks can be applied to various architectures.
Previous Research
A ROP countermeasure:
Implementing security controls such as Control-Flow Integrity.
Drawback:
High cost to execute the security controls.
→ Implementing such security controls in low-spec embedded devices is difficult.
This Research
・Investigate embedded devices that have no ROP countermeasures.
・Devise a new countermeasure that can be implemented on
low-spec embedded devices.
ROP Overview
・What is ROP (Return Oriented Programming)?
→ An attack method devised to circumvent the NX bit security control.
・No eXecute bit (NX bit)
→ A security control that disables execution of code placed
in the heap or stack region.
This hinders shellcode execution
via stack overflow vulnerabilities.
Visualizing ROP
・ROP Attack
→ Trigger code execution by chaining code fragments called gadgets
into a ROP chain.
[Figure: an ordinary execution file holds command fragments 1 to 6 in its
code region; the command fragments needed for the attack (1, 3, 5, 6) are
collected and embedded into a ROP chain, which is placed in the data region.]
ROP on x86_64
・Execute system("/bin/sh") to take control.

Assembly instructions used:
  pop xxx: store the value at [rsp] into register xxx (rsp advances by 8)
  ret:     equivalent to pop rip

Assembly code (gadgets):
  0x400100: pop rdi
  0x400102: ret
  :
  0x400200: pop rsi
  0x400202: ret
  :
  0x400300: pop rdx
  0x400302: ret
  :

Stack region (low to high address):
  rsp   → buf (0x10)
  rbp   → saved rbp
  rbp+8 → return address
           ・・・

Registers:
  rdi: parameter 1
  rsi: parameter 2
  rdx: parameter 3
  rip: address of the next instruction to execute
  rbp: lowest address inside the stack frame
  rsp: stack top address

ROP on x86_64
・Write the ROP chain by filling the stack with 'A' up to the return address.
(Gadgets, stack layout and registers as on the previous slide.)

ROP on x86_64
・After embedding the ROP chain

Stack region (low to high address):
  rsp → AAAAAAAA                 (buf)
        AAAAAAAA                 (buf)
        AAAAAAAA                 (saved rbp)
        0x400100                 (return address → pop rdi; ret gadget)
        "/bin/sh" address
        'system' actual address

Registers: as on the previous slides (rdi/rsi/rdx: parameters 1 to 3,
rip: next instruction, rbp: lowest address in the frame, rsp: stack top).

ROP on x86_64
・Right after the function epilogue (pop rbp; ret) executes
  rip: 0x400100
  rbp: 0x4141414141414141
  rdi, rsi, rdx: unchanged
  rsp: stack top address

ROP on x86_64
・When pop rdi executes
The "/bin/sh" address at the stack top is stored into rdi.
  rdi: "/bin/sh" address
  rip: 0x400102
  rbp: 0x4141414141414141
  rsp: stack top address

ROP on x86_64
・When ret executes
The ret instruction stores the 'system' actual address into rip.
  rdi: "/bin/sh" address
  rip: 'system' actual address
  rbp: 0x4141414141414141
  rsp: stack top address
Effective Security Countermeasures
against ROP①
Address Space Layout Randomization (ASLR):
ASLR is a security measure that randomizes the address space
where program code and data are stored,
which makes access to specific code and data difficult.
KASLR is ASLR applied to the kernel.
ASLR
Assembly code (gadgets) under ASLR:
  ??????: pop rdi
  ??????: ret
  :
  ??????: pop rsi
  ??????: ret
  :
  ??????: pop rdx
  ??????: ret
  :
Stack region and registers: as on the "ROP on x86_64" slides
(buf, saved rbp, return address; rdi/rsi/rdx parameters, rip, rbp, rsp).
The addresses of the instructions have been randomized, so the ROP chain cannot be built.
Effective Security Countermeasures
against ROP②
Control-Flow Integrity (CFI):
A security measure that creates a model of normal control flow, then compares
that model to the flow at execution time to detect anomalous control flow.

CFI
Normal control flow (recorded at compile time):
  main() → function1() → function2() → function3()   ok!
Jumping to instructions in other functions with ROP:
  main() → function1() → function3()   deviates from the recorded flow, so it is detected
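The register transitions on the "ROP on x86_64" slides and the CFI idea on this slide, modelled as an added Python example (not the presentation's own code): the gadget addresses are the slides' own, while the epilogue, main-return, "/bin/sh", system() and stack addresses are constructed placeholders, and a shadow stack stands in for the recorded normal control flow.

```python
# Added example (not the presentation's own code): a step-by-step model of
# the x86_64 ROP walkthrough from the slides, plus a shadow-stack check in
# the spirit of the CFI slide. Gadget addresses 0x400100/0x400200/0x400300
# and the "pop at +0, ret at +2" spacing come from the slides; every other
# address is a constructed placeholder, not taken from any real binary.

WORD = 8  # size of one x86_64 stack slot

# Code map: address -> instruction. 0x400500/0x400502 (epilogue of the
# vulnerable function) and MAIN_RET (its legitimate return address) are
# constructed placeholders.
CODE = {
    0x400100: "pop rdi", 0x400102: "ret",
    0x400200: "pop rsi", 0x400202: "ret",
    0x400300: "pop rdx", 0x400302: "ret",
    0x400500: "pop rbp", 0x400502: "ret",
}
EPILOGUE = 0x400500
MAIN_RET = 0x400420            # placeholder: where the function should return
BINSH_ADDR = 0x601000          # placeholder: address of the "/bin/sh" string
SYSTEM_ADDR = 0x7F0000001000   # placeholder: address of system()
STACK_BASE = 0x7FFC0000        # placeholder: address of buf[0]
SAVED_RBP = 0x7FFC0100         # placeholder: caller's frame pointer
FILLER = int.from_bytes(b"A" * WORD, "little")  # 0x4141414141414141


def benign_stack():
    """Frame of the vulnerable function before any overflow, listed from
    low to high address: buf (0x10 bytes), saved rbp, return address."""
    return [0, 0, SAVED_RBP, MAIN_RET]


def overflowed_stack():
    """Frame after the overflow on the "after embedding the ROP chain" slide:
    buf and saved rbp are filled with 'A', the return address now points at
    the pop rdi; ret gadget and is followed by the "/bin/sh" address and
    system()'s address."""
    return [FILLER, FILLER, FILLER, 0x400100, BINSH_ADDR, SYSTEM_ADDR]


def run(stack, shadow=(MAIN_RET,)):
    """Execute from the function epilogue with the slides' semantics:
    pop xxx loads [rsp] into xxx and advances rsp; ret is pop rip.
    `shadow` is the shadow stack of return addresses recorded at call time;
    every ret is checked against it, which is the CFI idea from the slides.
    Returns (final registers, per-instruction trace, list of violations)."""
    regs = {"rip": EPILOGUE, "rsp": STACK_BASE + 2 * WORD, "rbp": SAVED_RBP,
            "rdi": 0, "rsi": 0, "rdx": 0}
    shadow = list(shadow)
    trace, violations = [], []
    while regs["rip"] in CODE:
        insn = CODE[regs["rip"]]
        op, _, reg = insn.partition(" ")
        value = stack[(regs["rsp"] - STACK_BASE) // WORD]  # value at [rsp]
        regs["rsp"] += WORD
        if op == "pop":
            regs[reg] = value
            regs["rip"] += 2          # fall through to the following ret
        else:                         # ret: pop rip
            expected = shadow.pop() if shadow else None
            if value != expected:
                violations.append((regs["rip"], value, expected))
            regs["rip"] = value
        trace.append((insn, dict(regs)))
    return regs, trace, violations


def main():
    for name, stack in (("benign", benign_stack()),
                        ("overflowed", overflowed_stack())):
        regs, trace, violations = run(stack)
        print(f"== {name} stack ==")
        for insn, st in trace:
            print(f"  {insn:8s} rip={st['rip']:#x} rsp={st['rsp']:#x} "
                  f"rdi={st['rdi']:#x} rbp={st['rbp']:#x}")
        for at, got, want in violations:
            want_s = f"{want:#x}" if want is not None else "<empty shadow stack>"
            print(f"  shadow-stack mismatch at ret {at:#x}: "
                  f"popped {got:#x}, expected {want_s}")
        print(f"  control lands at rip={regs['rip']:#x}")


if __name__ == "__main__":
    main()
```

The benign frame returns to MAIN_RET with no violation; the overflowed frame reproduces the slides' register states (rip 0x400100 after the epilogue, rdi = "/bin/sh" address and rip 0x400102 after pop rdi, rip = system() after ret) and the very first ret is flagged because 0x400100 was never recorded as a return site.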
ASLR Weaknesses
・With an address space of less than 32 bits, addresses can be leaked
by brute-force attacks.
→ Not realistic to implement on low-spec embedded devices
with a narrow address space.
CFI Weakness
・Resource intensive for the processor, therefore requires a high-capability CPU.
→ Difficult to implement on low-spec embedded devices.
Details regarding the ROP evaluation in this research
・Use simple ROP attacks.
→ Find embedded devices that can be taken over with a simple ROP attack.
・Use QEMU to emulate embedded devices.
→ QEMU enables us to inspect the register and memory contents
of the guest environment.
ROP examination using QEMU
The setup is as follows:
[Figure: diagram of the examination setup]
ROP Examination
・Conducted the ROP examination in the following three environments:
- CentOS6 on i686
- Raspberry Pi OS on Arm Cortex-A53
- ZephyrOS on Arm Cortex-M0
ROP demo on CentOS6 on i686
・Emulate CentOS6 on i686 using QEMU and launch a ROP attack
against a vulnerable test server.
Attack Target Environment
OS: CentOS6.0
Arch: x86
Server program source code: http://kozos.jp/samples/rop-sample.html
Security measures:
・NX bit: Active
・SSP: Inactive
・ASLR: Inactive
・CFI: Inactive
ROP Demo against CentOS6 on i686
Examination Results
・Because many security measures such as SSP and ASLR are active by default,
a simple ROP attack will not gain control unless those are made inactive.
ROP against Raspi OS on Arm Cortex-A53
・Emulate Raspi OS on Arm Cortex-A53 using QEMU and launch a ROP attack
against a vulnerable test server.
Attack Target Environment
OS: Raspberry Pi OS
Arch: Armv8-A
Server program source code: http://kozos.jp/samples/rop-sample.html
Processor execution state: AArch32
Security Measures:
・NX bit: Active
・SSP: Inactive
・ASLR: Inactive
・CFI: Inactive
ROP demo against Raspi OS on Arm Cortex-A53
Exploit code (ROP chain part)
r0 register: stores parameter 1
pc register: program counter
r4 register: not used here
Examination Results
・The Raspberry Pi 3B+ is a high-spec embedded device and many security
measures are available; therefore, without disabling these security measures
the ROP attack was unsuccessful.
Verification summary so far
Target                      NX bit  ASLR  SSP  CFI
CentOS6 on i686               〇     〇    〇    ×
RaspiOS on Arm Cortex-A53     〇     〇    〇    ×
ZephyrOS on Arm Cortex-M0     ?      ?     ?    ?
※ Security: 〇 = enabled by default
ROP attack on a low-spec embedded device
Investigate the possibilities of ROP attacks against ZephyrOS on Arm Cortex-M0.
→ According to the survey results, ZephyrOS on Arm Cortex-M0
may not have countermeasures against ROP.
ZephyrOS
・An embedded OS that can run on boards with strict restrictions.
・ZephyrOS can be used on various boards,
e.g. Arduino-mega2560, microbit, STM32F0 series…
Memory protection in ZephyrOS
The following memory protection features are implemented:
・Stack protection
・Memory isolation
・Thread isolation
All of these require an MPU.
Memory Protection Unit (MPU)
・Critical hardware for memory protection in low-spec processors
that cannot implement an MMU.
・Divides the address space into several regions and
sets access rights for each region.
Arm Cortex-M0
・A low-power processor used in STM32F0 series boards and the microbit.
・The Memory Protection Unit (MPU) is not implemented, so
the MPU-based security used in many OSs cannot be applied.
ROP countermeasures in low-spec embedded devices
・Currently, the following countermeasures can be considered for implementation:
Conclusion
・When CFI and ASLR are not applied to the program, gaining control is possible
with a simple ROP attack.
・Consider implementing ROP countermeasures in low-spec embedded devices,
and implement security measures where necessary.
Acknowledgements
・Special thanks to the National Institute of Information and Communications
Technology, which organized SecHack365, and to its trainer Hiroaki Sakai,
who showed me the basics of program execution and debugging methods,
which this research is founded upon.
Thank you Mr. Sakai and all SecHack365 staff.
Thank You
For Your Kind Attention.
Destyney Duhon personal brand exploration
 
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
 
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
 
Call India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.pptCall India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.ppt
 
Effective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedinEffective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedin
 
stackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jesterstackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jester
 
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITYTEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
 
the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2
 
Recruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitmentRecruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitment
 
Building Digital Products & Content Leadership
Building Digital Products & Content LeadershipBuilding Digital Products & Content Leadership
Building Digital Products & Content Leadership
 
Biography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdfBiography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdf
 
HERO.pdf hero company working cap management project
HERO.pdf hero company working cap management projectHERO.pdf hero company working cap management project
HERO.pdf hero company working cap management project
 
2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx
 
Risks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce  - investment.pdfRisks & Business Risks Reduce  - investment.pdf
Risks & Business Risks Reduce - investment.pdf
 

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-spec embedded devices- by Yuuma Taki

  • 1. Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-spec embedded devices. - YUUMA TAKI 1
  • 2. Self introduction Yuuma Taki ・Hokkaido Information University, Department of Information Media, senior. ・Interested in lower-layer security around the OS and CPU. Researched KASLR deployment using Prekern at SecHack365 (a Japanese security hackathon). 2
  • 3. Overview ・Investigate the possibilities of ROP attacks against OSs and processors for embedded systems. → Execute vulnerable test programs on an embedded system and launch a ROP attack (details later). → Emulate both high-spec and low-spec embedded devices using QEMU. 3
  • 4. Background ・Demand for embedded systems is increasing radically with the proliferation of IoT devices. → Due to various restrictions in some embedded devices, rich security systems cannot be deployed. (Figure: low-spec devices with low power, small capacity and low electricity consumption, contrasted with high-spec devices with high power, large capacity and high electricity consumption.) 4
  • 5. Background ・Evolution of Return Oriented Programming (ROP) attacks → A ROP attack combines code snippets already present inside a program to perform arbitrary processing. → Derivative techniques of ROP attacks are being researched. ・ROP attacks can be applied to various architectures. 5
  • 6. Previous Research A ROP countermeasure: implementing security controls such as Control-Flow Integrity. Drawback: high cost to execute the security controls. → Implementing such security controls in low-spec embedded devices is difficult. 6
  • 7. This Research ・Investigate embedded devices that have no ROP countermeasures. ・Devise new countermeasures that can be implemented on low-spec embedded devices. 7
  • 8. ROP Overview ・What is ROP (Return Oriented Programming)? → An attack method devised to circumvent the NX bit security control. ・No eXecute bit (NX bit) → A security control that disables execution of code placed in the heap or stack region. This hinders shellcode execution through stack overflow vulnerabilities. 8
  • 9. Visualizing ROP ・ROP Attack → Trigger code execution by chaining code fragments called gadgets into a ROP chain. (Figure: an ordinary execution file holds command fragments 1 to 6 in its code region; the command fragments needed for the attack, here 1, 3, 5 and 6, are collected and embedded into a ROP chain placed in the data region.) 9
  • 10. ROP on x86_64 ・Execute system("/bin/sh") to steal control. Assembly commands used: pop xxx: store the value at the stack top (rsp) into register xxx; ret: equivalent to pop rip. Assembly code (gadgets): 0x400100: pop rdi, 0x400102: ret; 0x400200: pop rsi, 0x400202: ret; 0x400300: pop rdx, 0x400302: ret. Stack region (low to high address): buf (0x10) at rsp, saved rbp at rbp, return address at rbp + 8, .... Registers: rdi: stores parameter 1; rsi: stores parameter 2; rdx: stores parameter 3; rip: stores the next address to execute; rbp: stores the lowest address inside the stack frame; rsp: stores the stack top address. 10
  • 11. ROP on x86_64 ・Write the ROP chain by filling the stack up to the return address with 'A'. (Same gadget listing, stack layout and register legend as slide 10.) 11
  • 12. ROP on x86_64 ・After embedding the ROP chain, the stack region reads, from low to high address: AAAAAAAA, AAAAAAAA (buf), AAAAAAAA (saved rbp slot, where rsp now points), 0x400100 (return address slot), "/bin/sh" address, 'system' actual address. 12
  • 13. ROP on x86_64 ・Right after the function epilogue (pop rbp; ret): rip: 0x400100, rbp: 0x4141414141414141; rsp points at the "/bin/sh" address slot. 13
  • 14. ROP on x86_64 ・At pop rdi execution: the "/bin/sh" address at the stack top is stored into rdi. Registers: rdi: "/bin/sh" address, rip: 0x400102, rbp: 0x4141414141414141. 14
  • 15. ROP on x86_64 ・At ret execution: the ret instruction stores the 'system' actual address into rip. Registers: rdi: "/bin/sh" address, rip: 'system' actual address, rbp: 0x4141414141414141. 15
  • 16. Effective Security Countermeasures against ROP ① Address Space Layout Randomization (ASLR): ASLR is a security measure that randomizes the addresses at which program code and data are stored, which makes access to specific code and data difficult. KASLR is ASLR applied to the kernel. 16
  • 17. ASLR (Figure: the slide 10 stack region and register legend, with the gadget addresses 0x400100, 0x400102, 0x400200, 0x400202, 0x400300, 0x400302 replaced by ??????.) The addresses of the instructions have been randomized, so building ROP chains is not possible. 17
  • 18. Effective Security Countermeasures against ROP ② Control-Flow Integrity (CFI): a security measure that creates a model of normal control flow, then compares the flow at execution time against that model to detect anomalous control flow. 18
  • 19. CFI ・Normal control flow: main() → function1() → function2() → function3(). The normal control flow is recorded at compile time, and a runtime flow that matches it is accepted (ok!). ・Jumping to instructions in other functions with ROP: main() → function1() → function3(), which does not match the recorded flow.
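The stack walk-through on slides 10 to 15 and the CFI model on slides 18 to 19 can be put together in one small Python model. This is an added example, not code from the talk: the gadget addresses and the 'A' filler are the slides' constructed values, the "/bin/sh", 'system' and legitimate-return addresses are placeholders chosen here, and the shadow stack is one common way to realize the return-edge half of CFI, not the specific CFI design the talk refers to.

```python
# Added example (not from the talk): a model of the x86_64 stack walk-through on
# slides 10-15, with a shadow stack standing in for the return-edge part of the CFI
# check on slides 18-19. Addresses are the slides' values or labelled placeholders.
GADGETS = {                      # "Assembly Code" listing from slide 10
    0x400100: ("pop", "rdi"), 0x400102: ("ret",),
    0x400200: ("pop", "rsi"), 0x400202: ("ret",),
    0x400300: ("pop", "rdx"), 0x400302: ("ret",),
}
A8 = 0x4141414141414141          # eight 'A' bytes, the filler from slide 11
BINSH_ADDR = 0x7FFFFFFFE000      # placeholder for the "/bin/sh" address
SYSTEM_ADDR = 0x7FFFF7A5D000     # placeholder for the 'system' actual address
LEGIT_RETURN = 0x400500          # placeholder for the caller the function should return to
# Stack words from the saved-rbp slot upwards (where rsp points on slide 12).
ROP_STACK = [A8, 0x400100, BINSH_ADDR, SYSTEM_ADDR]    # slide 12 layout
BENIGN_STACK = [0x7FFFFFFFE100, LEGIT_RETURN]         # untouched frame, for comparison


def simulate(stack_words, shadow_stack):
    """Run the epilogue 'pop rbp; ret' (slide 13), then follow the chain while rip
    lands on a gadget. Each ret is compared with the return address recorded on the
    shadow stack at call time; mismatches are the CFI violations this model reports."""
    regs = {"rdi": None, "rsi": None, "rdx": None, "rbp": None, "rip": None}
    rsp = [0]                    # index of the stack top
    shadow = list(shadow_stack)  # private copy, so the caller's list is untouched
    violations = []

    def pop():
        value = stack_words[rsp[0]]
        rsp[0] += 1
        return value

    def ret():                   # ret behaves like pop rip, here checked against the shadow stack
        target = pop()
        expected = shadow.pop() if shadow else None   # empty shadow stack: every ret is suspect
        if target != expected:
            violations.append(target)
        regs["rip"] = target

    regs["rbp"] = pop()          # pop rbp: becomes 0x4141414141414141 after the overflow
    ret()                        # ret: rip = whatever sits in the return-address slot
    while regs["rip"] in GADGETS:
        insn = GADGETS[regs["rip"]]
        if insn[0] == "pop":     # slide 14: the stack top flows into the named register
            regs[insn[1]] = pop()
            regs["rip"] += 2     # the slide lists the following ret two bytes later
        else:                    # slide 15: ret loads the next chain word into rip
            ret()
    return regs, violations


if __name__ == "__main__":
    for name, stack in (("overflowed frame", ROP_STACK), ("benign frame", BENIGN_STACK)):
        regs, bad = simulate(stack, [LEGIT_RETURN])
        print(name, {k: hex(v) for k, v in regs.items() if v is not None},
              "CFI violations:", [hex(v) for v in bad])
```

The overflowed frame ends with rdi holding the "/bin/sh" address and rip the 'system' address, exactly the register state of slide 15, while the shadow stack flags both returns; the benign frame returns to its caller with no violation.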
  • 20. ASLR Weaknesses ・In address spaces narrower than 32 bits, addresses can be leaked by brute-force attacks. → Not realistic to implement in low-spec embedded devices with a narrow address space. 20
  • 21. CFI Weakness ・Resource-intensive for the processor, so it requires a high-capability CPU. → Difficult to implement in low-spec embedded devices. 21
  • 22. Details regarding the ROP evaluation in this research ・Use simple ROP attacks. → Find embedded devices that can be taken over with simple ROP. ・Use QEMU to emulate embedded devices. → QEMU lets us inspect the register and memory contents of the guest environment. 22
  • 23. ROP examination using QEMU The schematic is as follows: (diagram) 23
  • 24. ROP Examination ・Conducted the ROP examination in the following three environments. - CentOS6 on i686 - Raspberry Pi OS on Arm Cortex-A53 24
  • 25. ROP demo on CentOS6 on i686 ・Emulate CentOS6 on i686 using QEMU and launch a ROP attack against the vulnerable test server. (diagram) 25
  • 26. Attack Target Environment OS: CentOS6.0 Arch: x86 Server program source code: http://kozos.jp/samples/rop-sample.html Security measures: ・NX bit: Active ・SSP: Inactive ・ASLR: Inactive ・CFI: Inactive 26
  • 27. ROP Demo against CentOS6 on i686 27
  • 28. Examination Results ・Because many security measures such as SSP and ASLR are active by default, a simple ROP attack does not gain control unless those measures are made inactive. 28
  • 29. ROP against Raspi OS on Arm Cortex-A53 ・Emulate Raspi OS on Arm Cortex-A53 using QEMU and launch a ROP attack against the vulnerable test server. 29
  • 30. Attack Target Environment OS: Raspberry Pi OS Arch: Armv8-A Server program source code: http://kozos.jp/samples/rop-sample.html Processor execution state: AArch32 Security Measures: ・NX bit: Active ・SSP: Inactive ・ASLR: Inactive ・CFI: Inactive 30
  • 31. ROP demo against Raspi OS on Arm Cortex-A53 31
  • 32. Exploit code (ROP chain part, shown on the slide) ・r0 register: stores parameter 1 ・pc register: program counter ・r4 register: not used here 32
  • 33. Examination Results ・The Raspberry Pi 3B+ is a high-spec embedded device with many security measures available, so without disabling those measures the ROP attack was unsuccessful. 33
  • 34. Verification summary so far Security※ Target: NX bit / ASLR / SSP / CFI ・CentOS6 on i686: 〇 / 〇 / 〇 / × ・RaspiOS on Arm Cortex-A53: 〇 / 〇 / 〇 / × ・ZephyrOS on Arm Cortex-M0: ? / ? / ? / ? ※Enabled by default
  • 35. ROP attack on a low-spec embedded device ・Investigate the possibilities of ROP attacks against ZephyrOS on Arm Cortex-M0. → According to the survey results, ZephyrOS on Arm Cortex-M0 may have no countermeasures against ROP.
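The table on slide 34 records which of NX, ASLR, SSP and CFI were on by default on each target. As an added example that is not from the talk, the following Python checker reads the two of those properties an ELF file records about itself (a PT_GNU_STACK header without the execute flag for a non-executable stack, ET_DYN for a PIE that ASLR can relocate) and applies a string heuristic for SSP (the presence of __stack_chk_fail). The minimal ELF32/ELF64 images it checks are constructed inline; the kernel's system-wide ASLR setting and CFI leave no trace in the file and are not checked.

```python
# Added example (not from the talk): read the NX and PIE properties recorded in an
# ELF file itself, plus a crude string heuristic for SSP, for the four-column table
# on slide 34. The sample images below are constructed here and are not real binaries.
import struct

PT_GNU_STACK = 0x6474E551   # program header that carries the stack's permission bits
PF_X = 0x1                  # execute bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent (PIE)


def check_elf(data):
    """Return {'nx', 'pie', 'ssp'} for an ELF32 or ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"          # EI_DATA: little- or big-endian fields
    e_type, = struct.unpack_from(e + "H", data, 16)
    if is64:
        phoff, = struct.unpack_from(e + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        phoff, = struct.unpack_from(e + "I", data, 28)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
    nx = False                                # no PT_GNU_STACK at all: treat as not enforced
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(e + "I", data, off)
        # p_flags directly follows p_type in ELF64 but comes after p_memsz in ELF32
        p_flags, = struct.unpack_from(e + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # Heuristic only: a canary-instrumented binary references __stack_chk_fail.
    return {"nx": nx, "pie": e_type == ET_DYN, "ssp": b"__stack_chk_fail" in data}


def make_elf(is64, e_type, stack_flags, with_ssp):
    """Constructed minimal little-endian ELF: header + one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\x00" * 8
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                                  64, 56, 1, 64, 0, 0)
        ph = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 0x03, 1, 0, 52, 0, 0,
                                  52, 32, 1, 40, 0, 0)
        ph = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return hdr + ph + (b"\x00__stack_chk_fail\x00" if with_ssp else b"")


if __name__ == "__main__":
    # Mirrors slide 26's target: 32-bit, non-PIE, NX on, built without SSP.
    print("i686-like test server:", check_elf(make_elf(False, ET_EXEC, 0x6, False)))
    print("hardened PIE:         ", check_elf(make_elf(True, ET_DYN, 0x6, True)))
```

On a real target, pass the bytes of the test server binary (open(path, "rb").read()) to check_elf; a missing PT_GNU_STACK header is reported as nx=False because the stack permissions are then left to the kernel's default.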
  • 36. ZephyrOS ・An embedded OS that can run on boards with strict restrictions. ・ZephyrOS runs on various boards, e.g. Arduino-mega2560, microbit, STM32F0 series...
  • 37. Memory protection in ZephyrOS The following memory protections are implemented: ・Stack protection ・Memory isolation ・Thread isolation → These require an MPU.
  • 38. Memory Protection Unit (MPU) ・Critical hardware for memory protection in low-spec processors that cannot implement an MMU. ・Divides the address space into several regions and sets access rights for each region.
  • 39. Arm Cortex-M0 ・A low-power processor used in the STM32F0 series boards and the microbit. ・No Memory Protection Unit (MPU) is implemented, so the MPU-based security used in many OSes cannot be applied.
  • 40. ROP countermeasure in low spec embedded devices. ・Currently the following countermeasures can be considered for implementation. 40
  • 41. Conclusion ・When CFI and ASLR are not applied to the program, gaining control is possible with a simple ROP attack. ・Consider ROP countermeasures for low-spec embedded devices and implement security measures where necessary. 41
  • 42. Acknowledgements ・Special thanks to the National Institute of Information and Communications Technology, which organized SecHack365, and to its trainer Hiroaki Sakai, who taught the basics of program execution and debugging methods on which this research is founded. Thank you, Mr. Sakai and all SecHack365 staff. 42
  • 43. Thank You For Your Kind Attention. 43