DOCSLIB.ORG

Copyrighted Material

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Copyrighted Material 80238bindex.qxd:WileyRed 7/11/07 7:42 AM Page 705 Index NUMERICS arrays, 12 0day, definition, 4 ASCII, converting to Unicode, 0day kernel vulnerabilities, Unix, 210–211 636–642 ASCII Venetian implementation, 214–217 A ASLR (Address Space Layout AAAS (ASCII Armored Address Randomization), 313, 396–399 Space), 394–395 asm( ) statements, 132 abusing frame-based exception assembler references, 430 handlers, 161–166 assembly language, 6 existing handlers, 162–164 C code constructs, 7–10 alphanumeric filters, exploits, C++ code constructs, 7–10 writing, 205–209 registers and, 6 application layer attacks, database asymmetry, problems, 511–512 software, 618–619 attack detection, bypassing arbitrary free vulnerabilities, 271 alternate encodings, 514 arbitrary size overflow, stack attack signatures, 517 overflows, COPYRIGHTED232–233 file-handling MATERIAL features, 515–517 architectural failures length limitations, 517–520 asymmetry and, 511–512 stripping bad data, 513–514 authentication and, 512 auditing binaries. See binary authorization and, 512 auditing boundaries and, 508–509 auditing source code data translation and, 509–511 automated analysis tools, 484 archives, paper, 438 705 80238bindex.qxd:WileyRed 7/11/07 7:42 AM Page 706 706 Index ■ A–C auditing source code (continued) B methodology binary auditing bottom-up approach, 485 C++ code constructs, 561 selective approach, 485–486 calling conventions, 554–555 top-down approach, 485 C calling convention, 555 tools Stdcall calling convention, 555 Cbrowser, 484 compiler-generated code Cscope, 482–483 for loops, 557–558 Ctags, 483 function layouts, 556 editors, 483 if statements, 556–557 vulnerabilities switch statements, 558–560 different-sized integer while loops, 557–558 conversions, 497–498 IDA Pro, 550–552 double free, 498 manual, 563–566 extinct bug classes, 487 memcpy-like code constructs, 560 format strings, 487–489 source code auditing, 550 generic logic errors, 486 stack frames, 552–553 incorrect bounds-checking, BP-based, 553, 554 489–490 frame pointer, 553–554 integer-related vulnerabilities, strlen-like code constructs, 560–561 495–497 this pointer, 561–562 loop constructs, 490 bit flipping, 469–470 multithreading and, 500–501 boundaries, problems, 518–509 non-null termination issues, 492 bounds-checking, 489–490 off-by-one, 490–492 bridge building, 206 out-of-scope memory usage, 499 BSD, OS X and, 314 signed comparison buffer overflows vulnerabilities, 494–495 exploiting, 197–202 skipping null-termination issues, heap-based, 173 493 exploiting, 178–194 uninitialized variable usage, stack-based, 156 499–500 buffers, 12–13 use after free vulnerabilities, arrays, 12 499–500 length, 95 authentication, problems, 512 overflowing on stack, 18–23 Authentication Tokens, 116 bug discovery, exploitation and, 6 authorization, problems, 512 automated source code analysis C tools, 484 C, code constructs, 7–10 C++, code constructs, 7–10 80238bindex.qxd:WileyRed 7/11/07 7:42 AM Page 707 Index ■ C–D 707 canaries, 166, 388–389 control registers, 7 Cbrowser, 484 cookies, 403 chained ret2code, 379 countermeasures, 601–602 Check Heaps, 359 brute forcing, 602–603 Cisco IOS, 339–340 information leaks, 605–606 crash dumps, 354–355 local exploits, 603 exploiting OS/application fingerprinting, heap overflows, 359–361 603–605 stack overflows, 357–359 preparation, 602 GDB agent, 355–356 cross-platform shellcode (OS X), hardware platforms, 340 332–333 images Cscope, 482–483 diffing, 350–351 Ctags, 483 taking apart, 349–350 partial attacks global variable overwrite, 363–364 D NVRAM invalidation, 362 data, instructions and, 4 reverse engineering, 348–356 data translation, problems, 509–511 runtime analysis, 351–356 database software ROMMON, 351–354 application layer attacks, 618–619 shellcode, bind shell, 370–372 network layer attacks, 608–618 shellcodes operating system commands configuration changing, 364–370 IBM DB2, 621–623 runtime image patching, 370 Oracle, 620–621 software packages, 340–343 SQL Server, 619–620 system architecture DB (define byte) directive, 56 IO memory, 346 DCE-RPC, 116 IOS heap, 344–346 DCE-RPC tools, 118 memory layout, 343–344 recon, 118–120 vulnerabilities, 346–347 SPIKE, 118–120 command-line interface, 348 DCOM (Distributed Component protocol parsing code, 347 Object), 111 security, 347–348 DCE-RPC and, 116–123 services, router, 347 exploitation, 120 class definitions, reconstructing debugging vtables, 562–563 debug trick, 433–434 configuration related shellcode, 599 OllyDbg, 112–114 continuation of execution, 441–442 unhandled exception filter and, 186 80238bindex.qxd:WileyRed 7/11/07 7:42 AM Page 708 708 Index ■ D–E debugging (continued) EIP (Extended Instruction Pointer), 7 Windows controlling, 22–23 kernel debugger, 124 ellipsis syntax, 84 Microsoft tool chain, 124 encryption, end-to-end, 299 OllyDbg, 124 end-to-end encryption, 299 SetDefaultExceptionHandler, 126 exception filter, unhandled, shellcode, writing, 125 overwrite pointer to, 185–191 SoftICE, 124 exception handlers TlsSetValue( ), 126 abusing existing, 162–164 VirtualProtect( ), 126 frame-based, 156–161 Win XP, 127 triggering, continuation and, 441 Win2K, 126 exception handling Win32, 124–125 signal( ) system call, 122 Win9X/ME, 126 vectored, 181 WinDbg, 124 Vectored Exception Handling, 123 Windows 2003 Server, 127 Win32 and, 122–123 Windows Vista, 127 Windows, searches and, 148–153 WinNT, 126 Exception Registration Record, 392 WSASocket( ), 126 EXCEPTION_REGISTRATION decoder, Unicode, 218–221 structure, 156 delay slot, SPARC, 227 execution device drivers, 683 continuation of, 441–442 I/O control code components, controlling for exploitation, 75–84 693–694 execve function, 54 IOCTL handlers, 694–695 execve syscal, 52 directives, DB (define byte), 56 exit( ) syscall, shellcode for, 44–48 dlmalloc, 89 exploitation DOS attacks, 521 Cisco IOS double free vulnerabilities, 270, 498 heap overflows, 359–361 dynamic analysis, fuzzing and, 470 stack overflows, 357–359 dynamic heaps, 173 execution, controlling, 75–84 dynamic linking heaps, OS X, 333–335 single stepping dynamic linker, overruns, SQL level, SQL 281–296 functions, 623–625 SPARC ABI, 279 Solaris/SPARC, methodology, dynamic string table, 280 263–270 stack overflows, 236–241 E exploits EAX register, 177 countermeasures, 601–606 EBP register, 15 definition, 4 editors, source code, 483 one-factor, 598 EFLAGS (Extended Flags), 7 planning, 439 80238bindex.qxd:WileyRed 7/11/07 7:42 AM Page 709 Index ■ E–G 709 exploits (continued) format strings, 61–63, 487–489 root privileges and, 25–35 bugs, 63–67 stabilization and, 442–443 reasons for, 84–85 writing exploits, 68–69 alphanumeric filters, 205–209 crashing services, 69–70 Unicode filters, 209–211 information leakage, 70–75 Extended Flags (EFLAGS), 7 techniques, 85–88 extended stack pointer (ESP) frame pointers, 15 register, 6 frame-based exception handlers, extinct bug classes, 487 156–161 extproc overflow, 504–508 abusing, 161–166 existing, 162–164 F fstat (BSD), 435 fault injection, 445–446 functions design, 447–456 execve, 54 fault delivery, 455 HeapAllocate( ), 173 fuzzing and, 461 KiUserExceptionDispatcher, 161 heuristics, 455–456 MyExceptionHandler, 158 input generation, 447–448 printf, 63–64 automated, 449 RtlImageNtheader, 161 fuzz generation, 449–450 stack and, 15–18 live capture, 449 fuzzers, 433 manual, 448 bit flipping, 469–470 modification engines, 450–451 Blackhat, 480 delimiting logic, 451–453 CHAM, 480 input sanitization, 453–454 definition, 4 Nagel algorithm, 455 Hailstorm, 480 state-based protocols, 456 open source, modifying, 470 stateless protocols, 456 weaknesses in, 468 timing, 455–456 fuzzing, 99 fault monitoring, 456–457 dynamic analysis and, 470 debuggers and, 457 fault injection and, 461 FaultMon, 457–458 introduction, 461–465 fault testing, 446 scalability, 466–467 FIFO (first in first out), 5 sharefuzz, 462 filters static analysis versus, 466 alphanumeric, exploits, writing, 205–209 G Unicode, exploits, writing, 209–211 gcc (GNU Compiler Collection), 430 Windows, 129–130 gdb (GNU Debugger), 430–431 foo( ) function, strcpy( ) call, 176 general-purpose registers, 6 generic logic errors, 486 80238bindex.qxd:WileyRed 7/11/07 7:42 AM Page 710 710 Index ■ G–I GetSystemTimeAsFileTime, 167 HeapAllocate( ), 115 global registers, SPARC, 225 HeapCreate( ), 114 GOT (Global Offset Table), 279 initialization, 5 GPG 1.2.2 randomness patch, 583 introduction, 90 malloc( ), 91 overview, 91 H process heap, 173–177 hardware, Cisco IOS, 340 realloc( ), 91 heap overflows, 91 repairing, 191–193 advanced exploitation, 105–107 RtlHeapAllocate( ), 115 breakpoints, 96 RtlHeapFree( ), 115 buffer length, 95 strcpy( ), 176 Cisco IOS, 359–361 threading and, 115–116 partial attacks, 362–364 host IDS related shellcode, 599 dlmalloc, 96 example, 271–276 intermediate, 98–105 I limitations, Solaris, 266–267 IBM DB2, operating system ltrace output, 93 commands, 619–620 malloc, 95 IDA Pro, 550–552 Microsoft IIS, 92 ideal stack layout, 389–394 repairing, 179 impersonation, tokens and, 120–122 samba, 92 incorrect bounds-checking, 489–490 Solaris, 92 input validation, bypassing SPARC, 296–299 alternate encodings, 514 heap protections, 399–407 attack signatures, evading, 517 heap-based buffer overflows, 173 file-handling features, 515–517 COM objects and, 193–194 length limitations, 517–520 exploiting, 178–194 stripping bad data, 513–514 logic program control data, 194 Instruction Pointer, 7 Solaris/SPARC, 241–263 instructions, data and, 4 HeapAlloc, 177 integer-related vulnerabilities, HeapAllocate( ) function, 173 495–497
Load more

Recommended publications
  • Lecture 1: Introduction to Reverse Engineering
    Boston, 2001 Table of Contents Table of Contents Table of Contents............................................................................................. 2 1. Introduction................................................................................................. 5 1.1 About the Course and Notes ............................................................................ 5 1.2 Definitions...................................................................................................... 5 1.3 Typical Examples ............................................................................................ 6 1.3.1 Hacking ................................................................................................... 7 1.3.2 Hiding Information from Public .................................................................. 7 1.3.3 Cell Phones ............................................................................................ 10 1.3.4 Computer Applications ............................................................................ 10 1.4 Requirements............................................................................................... 12 1.5 Scope .......................................................................................................... 13 1.6 Ethics .......................................................................................................... 13 1.7 Miscellaneous Information ............................................................................. 14 2. Programming Processors
    [Show full text]
  • Softice Patch
    Softice patch click here to download SoftICE is a kernel mode debugger for Microsoft Windows up to Windows XP. Crucially, it is Newer versions of SoftICE patch deep into Microsoft Windows. i have installed softice along with the windows xp patch. When i go to start softice however i get a message stating 16 bit MS-DOS Subsystem. THE SOFTiCE PRESERVATiON SOCiETY - NuMega SoftICE v NT with XP patch & French keyboard. Compuware DriverStudio v Compuware. WindowsXP-deadlyxdose crack Softice +Patch&Serial keygen >> Download Actual patch SoftICE Depositfiles. SoftICE from "SoftICE Driver Suite " is used for debugging my program. Even I try the patch, softice still doesn't break!! mesfet. 年11月18日 Softice patch serial. It is designed to run underneath windows such that the operating system isconvert softice v3. Softice patch serial. SoftICE/Win 95 Patch clavier QWERTY -> AZERTY 4 APR 97 SoftICE Command Reference 30 MAR 97 SoftICE User Guide 30 MAR Even if Softice is not running, Skype complains with this error message and then exits: "Skype is not To patch Skype, I've used Ollydbg, a free debugger. Loading SoftICE for Windows 9x. .. Using Windows NT//XP Symbol (DBG) Files with SoftICE. to prevent SoftICE from patching the keyboard driver. SoftICE can be used for local kernel debugging, which is a feature that is very Very useful for patching, disassembling, and debugging. www.doorway.ru accessories: ice iron on patches cute soft ice applique as iron-on badge made of denim to embellish your jeans jacket or repair your pants as knee patches. An uninstall of Softice is required for correct.
    [Show full text]
  • The Shellcoder's Handbook
    80238ffirs.qxd:WileyRed 7/11/07 7:22 AM Page iii The Shellcoder’s Handbook Discovering and Exploiting Security Holes Second Edition Chris Anley John Heasman Felix “FX” Linder Gerardo Richarte The Shellcoder’s Handbook: Discovering and Exploiting Security Holes (1st Edition) was written by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell. Wiley Publishing, Inc. 80238ffirs.qxd:WileyRed 7/11/07 7:22 AM Page ii 80238ffirs.qxd:WileyRed 7/11/07 7:22 AM Page i The Shellcoder’s Handbook Second Edition 80238ffirs.qxd:WileyRed 7/11/07 7:22 AM Page ii 80238ffirs.qxd:WileyRed 7/11/07 7:22 AM Page iii The Shellcoder’s Handbook Discovering and Exploiting Security Holes Second Edition Chris Anley John Heasman Felix “FX” Linder Gerardo Richarte The Shellcoder’s Handbook: Discovering and Exploiting Security Holes (1st Edition) was written by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell. Wiley Publishing, Inc. 80238ffirs.qxd:WileyRed 7/11/07 7:22 AM Page iv The Shellcoder’s Handbook, Second Edition: Discovering and Exploiting Security Holes Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2007 by Chris Anley, John Heasman, Felix “FX” Linder, and Gerardo Richarte Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-08023-8 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.
    [Show full text]
  • Compuware.Com
    Using SoftICE® Version 3.2 Technical support is available from our Technical Support Hotline or via our FrontLine Support Web site. Technical Support Hotline: 1-800-538-7822 FrontLine Support Web Site: http://frontline.compuware.com This document and the product referenced in it are subject to the following legends: Access is limited to authorized users. Use of this product is subject to the terms and conditions of the user’s License Agreement with Compuware Corporation. © 2004 Compuware Corporation. All rights reserved. Unpublished - rights reserved under the Copyright Laws of the United States. U.S. GOVERNMENT RIGHTS Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in Compuware Corporation license agreement and as provided in DFARS 227.7202-1(a) and 227.7202-3(a) (1995), DFARS 252.227-7013(c)(1)(ii)(OCT 1988), FAR 12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14 (ALT III), as applicable. Compuware Corporation. This product contains confidential information and trade secrets of Compuware Corporation. Use, disclosure, or reproduction is prohibited without the prior express written permission of Compuware Corporation. DriverStudio, SoftICE Driver Suite, DriverNetworks, DriverWorks, TrueCoverage, and DriverWorkbench are trademarks of Compuware Corporation. BoundsChecker, SoftICE, and TrueTime are registered trademarks of Compuware Corporation. Acrobat® Reader copyright © 1987-2003 Adobe Systems Incorporated. All rights reserved. Adobe, Acrobat, and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other company or product names are trademarks of their respective owners. US Patent Nos.: Not Applicable. Doc. 11577a December 10, 2004 Table of Contents Preface Purpose of This Manual .
    [Show full text]
  • The Measured Performance of Personal Computer Operating Systems
    The Measured Performance of Personal Computer Operating Systems J. Bradley Chen, Yasuhiro Endo, Kee Chan, David Mazi&res Antonio Dias, Margo Seltzer, and Michael D. Smith Division of Applied Sciences Harvard University Abstract dews. The differences between the OS platforms used in research and mainstream OS products makes some systems research mrele- This paper presents a comparative study of the performance of vant with respect to the current needs of the software industry. At three operating systems that run on the personal computer archi- the same time, researchers ignore important problems in non- tecture derived from the IBM-PC, The operating systems, Win- UNIX systems. dows for Workgroups, Windows NT, and NetBSD (a freely The operating system most commonly used on PC platforms available variant of the UNIX operating system), cover a broad is Microsoft Windows. Windows lacks many features that the OS range ofs ystem functionalist y and user requirements, from a single research community takes for granted, most notably preemptive address space model to full protection with preemptive multi-task- multitasking and protected address spaces. New operating systems ing. Our measurements were enabled by hardware counters in for the PC market such as Windows NT and 0S/2 incorporate the Intel’s Pentium processor that permit measurement of a broad multitasking support found in modern UNIX operating systems, range of processor events including instruction counts and on-chip while also supporting Windows applications. Though the operat- cache miss counts. We used both microbenchmarks, which expose ing systems community is familiar with the benefits of features specific differences between the systems, and application work- such as separate protected address spaces, little attention has been loads, which provide an indication of expected end-to-end perfor- given to systems without them.
    [Show full text]
  • Attacking the Windows Kernel
    Attacking the Windows Kernel Jonathan Lindsay ([email protected]) An NGSSoftware Insight Security Research (NISR) Publication ©2007 Next Generation Security Software Ltd http://www.ngssoftware.com Abstract Most modern processors provide a supervisor mode that is intended to run privileged operating system services that provide resource management transparently or otherwise to non-privileged code. Although a lot of research has been conducted into exploiting bugs in user mode code for privilege escalation within the operating system defined boundaries as well as what can be done if one has arbitrary supervisor access (typically related to modern root kit work), not a great deal of research has been done on the interface between supervisor and non-supervisor, and potential routes from one to the other. The biggest problem arises when trying to protect the kernel from itself - for example, under the IA32 architecture implementation of Windows, the distinction between user mode and kernel mode from the user mode perspective is easily enforced through hardware based protection. However, as the kernel is running as supervisor, how does the kernel make distinctions between what it should be accessing? This would be irrelevant if the supervisor was not exposed to interaction with supervisee; but that would defeat the purpose of having a kernel. This paper is focused on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised, as well as an outline of what possible architectures could be used to mitigate such attacks, such as the research operating system Singularity.
    [Show full text]
  • Stealth Breakpoints
    Stealth Breakpoints Amit Vasudevan and Ramesh Yerraballi Department of Computer Science and Engineering University of Texas at Arlington {vasudeva,ramesh}@cse.uta.edu Abstract 1. Introduction Microscopic analysis of malicious code (malware) re- Microscopic malware analysis — a fine-grained analysis quires the aid of a variety of powerful tools. Chief among process that provides insight into malware structure and in- them is a debugger that enables runtime binary analysis at ner functioning — helps in gleaning important information an instruction level. One of the important services provided regarding a malware to facilitate the development of an anti- by a debugger is the ability to stop execution of code at dote. Fine-grained analysis requires the aid of various pow- an arbitrary point during runtime, using breakpoints. Soft- erful tools, chief among them being a debugger that enables ware breakpoints support an unlimited number of breakpoint runtime binary analysis at an instruction level. One of the im- locations by changing the code being debugged so that it portant services provided by a debugger is the ability to stop can be interrupted during runtime. Most, if not all, malware execution of code being debugged at an arbitrary point dur- are very sensitive to code modification with self-modifying ing runtime. This is achieved using breakpoints, which can and/or self-checking (SM-SC) capabilities, rendering the use be of two types: Hardware and Software. Hardware break- of software breakpoints limited in their scope. Hardware points, as the name suggests, are provided by the underly- breakpoints supported by the underlying processor, on the ing processor and support precise breakpoints on code, data other hand, use a subset of the processor register set and ex- and I/O.
    [Show full text]
  • The Measured Performance of Computer Operating Systems Personal
    The Measured Performance of Personal Computer Operating Systems J. BRADLEY CHEN, YASJHIRO ENDO, KEE CHAN, DAVID MAZIERES, ANTONlO DIAS, MARGO SELTZER, AND MICHAEL D. SMITH Harvard University This article presents a comparative study of the pefiormance of three operating systems that run on the personal computer architecture derived from the IBM-PC. The operating systems, Windows for Workgroups, Windows NT, and NetBSD (a freely available variant of the UNIX operating system), cover a broad range of system functionality and user requirements, from a single-address-space model to full protection with preemptive multitasking, Our measurements are enabled by hardware counters in Intel’s Pentium processor that permit measurement of a broad range of processor events including instruction counts and on-chip cache miss counts, We use both microbenchmarks, which expose spcific differences between the systems, and applica- tion workloads, which provide an indication of expected end-to-end performance, Our micro- benchmark results show that accessing system functionality is often more expensive in Windows for Workgroups than in the other two systems due to frequent changes in machine mode and the use of system call hooks. When running native applications, Windows NT is more efficient than Windows, but it incurs overhead similar tQthat of a microkernel, since its application interface (the Win32 API) is implemented as a user-level server. Overall, system functionality can be accessed most efficiently in NetBSD; we attribute this to its monolithic structure and to the absence of the complications created by hardware backward-compatibility requirements in the other systems, Measurements of application performance show that although the impact of these differences is significant in terms of instruction counts and other hardware eventa (often a factor of 2 to 7 difference between the systems), overall performance is sometimes determined by the functionality provided by specific subsystems, such as the graphics subsystem or the file system buffer cache.
    [Show full text]
  • Rootkits and Bootkits with a Record of Discovering Advanced Malware.” — Rodrigo Rubira Branco Rootkits
    “Follow in the footsteps of professionals Bootkits and Rootkits with a record of discovering advanced malware.” Rootkits — Rodrigo Rubira Branco Rootkits and Bootkits will teach you how How to better understand the delivery stage to understand and counter sophisticated, of threats against BIOS and UEFI firmware advanced threats buried deep in a machine’s in order to create detection capabilities boot process or UEFI firmware. How to use virtualization tools like VMware and Bootkits With the aid of numerous case studies and Workstation to reverse engineer bootkits professional research from three of the world’s and the Intel Chipsec tool to dig into forensic leading security experts, you’ll trace malware analysis development over time from rootkits like TDL3 Reversing Modern Malware and to present-day UEFI implants and examine Cybercrime syndicates and malicious actors how they infect a system, persist through will continue to write ever more persistent reboot, and evade security software. As you and covert attacks, but the game is not lost. Next Generation Threats inspect and dissect real malware, you’ll learn: Explore the cutting edge of malware analysis with Rootkits and Bootkits. How Windows boots—including 32-bit, 64-bit, and UEFI mode—and where to find About the Authors vulnerabilities and Malware Modern Reversing Alex Matrosov is an Offensive Security The details of boot process security Threats Generation Next mechanisms like Secure Boot, including Research Lead at NVIDIA with over 20 years of an overview of Virtual Secure Mode (VSM) experience in reverse engineering, advanced and Device Guard malware analysis, firmware security, and exploitation techniques.
    [Show full text]
  • Malware Dynamic Analysis Evasion Techniques: a Survey
    Malware Dynamic Analysis Evasion Techniques: A Survey Amir Afianian1, Salman Niksefat1, Babak Sadeghiyan1, and David Baptiste2 1APA Research Center, Amirkabir University of Technology 2ESIEA (C + V)O lab 1fa.afianian, niksefat, [email protected] [email protected] June 2018 Abstract The Cyber world is plagued with ever-evolving malware that readily infiltrates all defense mechanisms, operates viciously unbeknownst to the user and surreptitiously exfiltrate sensitive data. Understanding the in- ner workings of such malware provides a leverage to effectively combat them. This understanding, is pursued through dynamic analysis which is conducted manually or automatically. Malware authors accordingly, have devised and advanced evasion techniques to thwart or evade these analyses. In this paper, we present a comprehensive survey on malware dynamic analysis evasion techniques. In addition, we propose a detailed classification of these techniques and further demonstrate how their effi- cacy hold against different types of detection and analysis approach. Our observations attest that evasive behavior is mostly interested in detecting and evading sandboxes. The primary tactic of such malware we argue, is fingerprinting followed by new trends for reverse Turing test tac- tic which aims at detecting human interaction. Furthermore, we will posit that the current defensive strategies beginning with reactive methods to arXiv:1811.01190v1 [cs.CR] 3 Nov 2018 endeavors for more transparent analysis systems, are readily foiled by zero- day fingerprinting techniques or other evasion tactics such as stalling. Ac- cordingly, we would recommend pursuit of more generic defensive strate- gies with emphasis on path exploration techniques that has the potential to thwart all the evasive tactics.
    [Show full text]
  • Freebsd 802.11 Remote Integer Overflow
    FreeBSD 802.11 Remote Integer Overflow Vulnerability found and exploit developed by Karl Janmar <[email protected]> IEEE802.11 framework in FreeBSD The IEEE802.11 system in FreeBSD in its current shape is relatively new (around 2001). The framework unifies all the handling of wireless devices. Problems faced auditing the code Complex link-layer protocol IEEE802.11 has a complex link-layer protocol, as a rough metric we compare the size of some input functions. ● IEEE802.11 input function, ieee80211_input(), 437 lines ● Ethernet input function, ether_input(), 107 lines ● Internet Protocol input function, ip_input(), 469 lines Source-code hard to read The code itself is not written to be easily read. It contains huge recursive switch- statements, for example a 274-line recursive switch-statement in the input function. Other examples are macros that include return statements and so on. User-controlled data The link-layer management in IEEE802.11 is unencrypted and unauthenticated, and because the traffic is transmitted in the air it's very easy for an attacker to manipulate state. Issues found An issue was found in an IOCTL, this issue was the result of a logical error. The vulnerability could allow a local user-process to disclose kernel-memory. Another more interesting issue was also found, it is in a function called by the IOCTL which retrieves the list of access-points in a scan. This list is maintained by the kernel, and is built from beacon frames received. Here is a snippet of the code in question: static int ieee80211_ioctl_getscanresults(struct
    [Show full text]
  • KERNEL-EXPLOITATION DEMYSTIFIED Introduction to Kernel-Mode Vulnerabilities and Exploitation
    KERNEL WARS: KERNEL-EXPLOITATION DEMYSTIFIED Introduction to kernel-mode vulnerabilities and exploitation • Why exploit kernel level vulnerabilities? – It's fun! – Relatively few are doing it – Bypasses defense mechanisms and restrictions 2 Introduction to kernel-mode vulnerabilities and exploitation • Why exploit kernel level vulnerabilities? – Attacks at the lowest level • Does not rely on any particular application being installed • Does not rely on how applications are configured • Does not rely on file / registry permissions 3 Introduction to kernel-mode vulnerabilities and exploitation • Reasons not to exploit kernel level vulnerabilities – Usually one-shot, exploit needs to be very reliable – Kernel debugging can be tedious setting up – Need some knowledge about kernel internals 4 Introduction to kernel-mode vulnerabilities and exploitation • Common targets for attack in a kernel – Systemcalls – I/O and IOCTL-messages through devicefiles – Handling of files in pseudofilesystems (like procfs) – Handling of data from the network (wireless/wired) – Interaction with hardware (USB, Firewire, etc) – Executable file format loaders (ELF, PE, etc) 5 Introduction to kernel-mode vulnerabilities and exploitation • Payload strategy – Elevating privileges • Altering the UID-field (Unix) • Stealing access tokens (Windows) – Injecting backdoors • Stealth! Do everything in kernel-mode 6 Introduction to kernel-mode vulnerabilities and exploitation • Payload strategy – Breaking chroot / jail / other restrictions • Everything can be bypassed in kernel-mode
    [Show full text]