251 research outputs found
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Wireless communication standards and implementations have a troubled history
regarding security. Since most implementations and firmwares are closed-source,
fuzzing remains one of the main methods to uncover Remote Code Execution (RCE)
vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from
several shortcomings, such as constrained speed, limited repeatability, and
restricted ability to debug. In this paper, we present Frankenstein, a fuzzing
framework based on advanced firmware emulation, which addresses these
shortcomings. Frankenstein brings firmware dumps "back to life", and provides
fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing
method is sufficient to maintain interoperability with the attached operating
system, hence triggering realistic full-stack behavior. We demonstrate the
potential of Frankenstein by finding three zero-click vulnerabilities in the
Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many
Samsung smartphones, the Raspberry Pis, and many others.
Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond
the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that
crashes multiple operating system kernels and a design flaw in the Bluetooth
5.2 specification that allows link key extraction from the host. Turning off
Bluetooth will not fully disable the chip, making it hard to defend against RCE
attacks. Moreover, when testing our chip-based vulnerabilities on those
devices, we find BlueFrag, a chip-independent Android RCE.Comment: To be published at USENIX Securit
Cyber-security protection techniques to mitigate memory errors exploitation
Tesis por compendio[EN] Practical experience in software engineering has demonstrated that the goal of
building totally fault-free software systems, although desirable, is impossible
to achieve. Therefore, it is necessary to incorporate mitigation techniques in
the deployed software, in order to reduce the impact of latent faults.
This thesis makes contributions to three memory corruption mitigation
techniques: the stack smashing protector (SSP), address space layout
randomisation (ASLR) and automatic software diversification.
The SSP is a very effective protection technique used against stack buffer
overflows, but it is prone to brute force attacks, particularly the dangerous
byte-for-byte attack. A novel modification, named RenewSSP, has been proposed
which eliminates brute force attacks, can be used in a completely transparent
way with existing software and has negligible overheads. There are two
different kinds of application for which RenewSSP is especially beneficial:
networking servers (tested in Apache) and application launchers (tested on
Android).
ASLR is a generic concept with multiple designs and implementations. In this
thesis, the two most relevant ASLR implementations of Linux have been analysed
(Vanilla Linux and PaX patch), and several weaknesses have been found. Taking
into account technological improvements in execution support (compilers and
libraries), a new ASLR design has been proposed, named ASLR-NG, which
maximises entropy, effectively addresses the fragmentation issue and removes a
number of identified weaknesses. Furthermore, ASLR-NG is transparent to
applications, in that it preserves binary code compatibility and does not add
overheads. ASLR-NG has been implemented as a patch to the Linux kernel 4.1.
Software diversification is a technique that covers a wide range of faults,
including memory errors. The main problem is how to create variants,
i.e. programs which have identical behaviours on normal inputs but
where faults manifest differently. A novel form of automatic variant
generation has been proposed, using multiple cross-compiler suites and
processor emulators.
One of the main goals of this thesis is to create applicable results.
Therefore, I have placed particular emphasis on the development of real
prototypes in parallel with the theoretical study. The results of this thesis
are directly applicable to real systems; in fact, some of the results have
already been included in real-world products.[ES] La creación de software supone uno de los retos más complejos para el
ser humano ya que requiere un alto grado de abstracción. Aunque se ha
avanzado mucho en las metodologías para la prevención de los fallos
software, es patente que el software resultante dista mucho de ser
confiable, y debemos asumir que el software que se produce no está
libre de fallos. Dada la imposibilidad de diseñar o implementar
sistemas libres de fallos, es necesario incorporar técnicas de
mitigación de errores para mejorar la seguridad.
La presente tesis realiza aportaciones en tres de las principales
técnicas de mitigación de errores de corrupción de memoria: Stack
Smashing Protector (SSP), Address Space Layout Randomisation (ASLR) y
Automatic Software Diversification.
SSP es una técnica de protección muy efectiva contra
ataques de desbordamiento de buffer en pila, pero es sensible a ataques de
fuerza bruta, en particular al peligroso ataque denominado byte-for-byte.
Se ha propuesto una novedosa modificación del SSP, llamada RenewSSP,
la cual elimina los ataques de fuerza bruta. Puede ser usada
de manera completamente transparente con los programas existentes sin
introducir sobrecarga. El RenewSSP es especialmente beneficioso en dos áreas de
aplicación: Servidores de red (probado en Apache) y
lanzadores de aplicaciones eficientes (probado en Android).
ASLR es un concepto genérico, del cual hay multitud de diseños e
implementaciones. Se han analizado las dos implementaciones más
relevantes de Linux (Vanilla Linux y PaX patch), encontrándose en
ambas tanto debilidades como elementos mejorables. Teniendo en cuenta
las mejoras tecnológicas en el soporte a la ejecución (compiladores y
librerías), se ha propuesto un nuevo diseño del ASLR, llamado
ASLR-NG, el cual: maximiza la entropía, soluciona el problema de la
fragmentación y elimina las debilidades encontradas. Al igual que la
solución propuesta para el SSP, la nueva propuesta de ASLR es
transparente para las aplicaciones y compatible a nivel
binario sin introducir sobrecarga. ASLR-NG ha sido implementado como
un parche del núcleo de Linux para la versión 4.1.
La diversificación software es una técnica que cubre una amplia gama
de fallos, incluidos los errores de memoria. La principal dificultad
para aplicar esta técnica radica en la generación de las
"variantes", que son programas que tienen un comportamiento idéntico
entre ellos ante entradas normales, pero tienen un comportamiento
diferenciado en presencia de entradas anormales. Se ha propuesto una
novedosa forma de generar variantes de forma automática a partir de un
mismo código fuente, empleando la emulación de sistemas.
Una de las máximas de esta investigación ha sido la aplicabilidad de
los resultados, por lo que se ha hecho especial hincapié en el
desarrollo de prototipos sobre sistemas reales a la par que se llevaba
a cabo el estudio teórico. Como resultado, las propuestas de esta
tesis son directamente aplicables a sistemas reales, algunas de ellas
ya están siendo explotadas en la práctica.[CA] La creació de programari suposa un dels reptes més complexos per al ser humà ja
que requerix un alt grau d'abstracció. Encara que s'ha avançat molt en les
metodologies per a la prevenció de les fallades de programari, és palès que el
programari resultant dista molt de ser confiable, i hem d'assumir que el
programari que es produïx no està lliure de fallades. Donada la impossibilitat
de dissenyar o implementar sistemes lliures de fallades, és necessari
incorporar tècniques de mitigació d'errors per a millorar la seguretat.
La present tesi realitza aportacions en tres de les principals tècniques de
mitigació d'errors de corrupció de memòria: Stack Smashing Protector (SSP),
Address Space Layout Randomisation (ASLR) i Automatic Software
Diversification.
SSP és una tècnica de protecció molt efectiva contra atacs de desbordament de
buffer en pila, però és sensible a atacs de força bruta, en particular al
perillós atac denominat byte-for-byte.
S'ha proposat una nova modificació del SSP, RenewSSP, la qual elimina els atacs
de força bruta. Pot ser usada de manera completament transparent amb els
programes existents sense introduir sobrecàrrega. El RenewSSP és especialment
beneficiós en dos àrees d'aplicació: servidors de xarxa (provat en Apache) i
llançadors d'aplicacions eficients (provat en Android).
ASLR és un concepte genèric, del qual hi ha multitud de dissenys i
implementacions. S'han analitzat les dos implementacions més rellevants de
Linux (Vanilla Linux i PaX patch), trobant-se en ambdues tant debilitats com
elements millorables. Tenint en compte les millores tecnològiques en el suport
a l'execució (compiladors i llibreries), s'ha proposat un nou disseny de
l'ASLR: ASLR-NG, el qual, maximitza l'entropia, soluciona el problema de
la fragmentació i elimina les debilitats trobades. Igual que la solució
proposada per al SSP, la nova proposta d'ASLR és transparent per a les
aplicacions i compatible a nivell binari sense introduir sobrecàrrega. ASLR-NG
ha sigut implementat com un pedaç del nucli de Linux per a la versió 4.1.
La diversificació de programari és una tècnica que cobrix una àmplia gamma de
fa\-llades, inclosos els errors de memòria. La principal dificultat per a aplicar
esta tècnica radica en la generació de les "variants", que són programes que
tenen un comportament idèntic entre ells davant d'entrades normals, però tenen
un comportament diferenciat en presència d'entrades anormals. S'ha proposat una
nova forma de generar variants de forma automàtica a partir d'un mateix codi
font, emprant l'emulació de sistemes.
Una de les màximes d'esta investigació ha sigut l'aplicabilitat dels resultats,
per la qual cosa s'ha fet especial insistència en el desenrotllament de
prototips sobre sistemes reals al mateix temps que es duia a terme l'estudi
teòric. Com a resultat, les propostes d'esta tesi són directament aplicables
a sistemes reals, algunes d'elles ja estan sent explotades en la pràctica.Marco Gisbert, H. (2015). Cyber-security protection techniques to mitigate memory errors exploitation [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/57806TESISCompendi
SSPFA: Effective Stack Smashing Protection for Android OS
[EN] In this paper, we detail why the stack smashing protector (SSP), one of the most effective techniques to mitigate stack bufferoverflow attacks, fails to protect the Android operating system and thus causes a false sense of security that affects all Androiddevices. We detail weaknesses of existing SSP implementations, revealing that current SSP is not secure. We propose SSPFA,the first effective and practical SSP for Android devices. SSPFA provides security against stack buffer overflows withoutchanging the underlying architecture. SSPFA has been implemented and tested on several real devices showing that it is notintrusive, and it is binary-compatible with Android applications. Extensive empirical validation has been carried out over theproposed solution.This work was partially funded by Universitat Politecnica de Valencia (Grant No. 20160251-ASLR-NG).Marco Gisbert, H.; Ripoll Ripoll, JI. (2019). SSPFA: Effective Stack Smashing Protection for Android OS. International Journal of Information Security. 18(4):519-532. https://doi.org/10.1007/s10207-018-00425-8S519532184Buchanan, W.J., Chiale, S., Macfarlane, R.: A methodology for the security evaluation within third-party android marketplaces. Digit. Investig. 23(Supplement C), 88–98 (2017). https://doi.org/10.1016/j.diin.2017.10.002Tian, D., Jia, X., Chen, J., Hu, C., Xue, J.: A practical online approach to protecting kernel heap buffers in kernel modules. China Commun. 1, 143–152 (2016)One, A.: Smashing the stack for fun and profit. Phrack, 7(49) (1996)Younan, Y., Pozza, D., Piessens, F., Joosen, W.: Extended protection against stack smashing attacks without performance loss. In: In Proceedings of ACSAC (2006)Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow Integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, Series CCS ’05, pp. 340–353. ACM, New York (2005). https://doi.org/10.1145/1102120.1102165Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, Series CCS ’12, pp. 157–168. ACM, New York (2012). https://doi.org/10.1145/2382196.2382216Roglia, G.F., Martignoni, L., Paleari, R., Bruschi, D.: Surgically returning to randomized lib(c). In: Proceedings of the 2009 Annual Computer Security Applications Conference, Series ACSAC ’09, pp. 60–69. IEEE Computer Society, Washington (2009). https://doi.org/10.1109/ACSAC.2009.16Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1–2:34 (2012). https://doi.org/10.1145/2133375.2133377Pappas, V., Polychronakis, M., Keromytis, A.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 601–615 (2012)S. R. to Thwart Return Oriented Programming in Embedded Systems, Stack Redundancy to Thwart Return Oriented Programming in Embedded Systems, IEEE Embedded Systems Letters, vol. (first on-line), pp. 1–1 (2018)Moula, V., Niksefat, S.: ROPK++: an enhanced ROP attack detection framework for Linux operating system. In: International Conference on Cyber Security And Protection Of Digital Services (Cyber Security). IEEE (2017)Das, S., Zhang, W., Liu, Y.: A fine-grained control flow integrity approach against runtime memory attacks for embedded systems. IEEE Trans. Very Large Scale Integr. VLSI Syst. 25, 3193–3207 (2016)Alam, M., Roy, D.B., Bhattacharya, S., Govindan, V., Chakraborty, R.S., Mukhopadhyay, D.: SmashClean: a hardware level mitigation to stack smashing attacks in OpenRISC. In: ACM/IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE), pp. 1–4. IEEE (2016)Kananizadeh, S., Kononenko, K.: Development of dynamic protection against timing channels. Int. J. Inf. Secur. 16, 641–651 (2017)Bhatkar, S., DuVarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a board range of memory error exploits. In: Proceedings of the 12th Conference on USENIX Security Symposium—volume 12, Series SSYM’03, p. 8. USENIX Association, Berkeley (2003). http://dl.acm.org/citation.cfm?id=1251353.1251361 . Accessed 18 Jan 2019Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.-R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 574–588. IEEE (2013)Kumar, K.S., Kisore, N.R.: Protection against buffer overflow attacks through runtime memory layout randomization. In: International Conference on Information Technology (ICIT). IEEE (2014)Oberheide, J.: A look at ASLR in Android ice cream sandwich 4.0 (2012). https://www.duosecurity.com/blog/a-look-at-aslr-in-android-ice-cream-sandwich-4-0 . Accessed 18 Jan 2019Zabrocki, A.P.: Scraps of notes on remote stack overflow exploitation (2010). http://www.phrack.org/issues.html?issue=67&id=13#article . Accessed 18 Jan 2019Saito, T., Watanabe, R., Kondo, S., Sugawara, S., Yokoyama, M.: A survey of prevention/mitigation against memory corruption attacks. In: 19th International Conference on Network-Based Information Systems (NBiS). IEEE (2016)Meike, G.B.: Inside the Android OS: Building, Customizing, Managing and Operating Android System Services, illustrated ed., P. Education, Ed. Pearson Education, vol. 1 (2018). https://www.amazon.com/Inside-Android-OS-Customizing-Operating/dp/0134096347?SubscriptionId=0JYN1NVW651KCA56C102&tag=techkie-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=0134096347 . Accessed 18 Jan 2019Cowan, C., Pu, C., Maier, D., Hintongif, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX Security Symposium, pp. 63–78 (1998)’xorl’: Linux GLibC stack canary values (2010). http://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/ . Accessed 18 Jan 2019Lee, B., Lu, L., Wang, T., Kim, T., Lee, W.: From zygote to morula: fortifying weakened ASLR on Android. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, Series SP ’14, pp. 424–439. IEEE Computer Society, Washington (2014). https://doi.org/10.1109/SP.2014.34Miller, D.: Security measures in OpenSSH (2007). http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007-slides.pdf . Accessed 18 Jan 2019Molnar, I.: Exec shield, new Linux security feature (2003). https://lwn.net/Articles/31032/ . Accessed 18 Jan 2019Wagle, P., Cowan, C.: StackGuard: simple stack smash protection for GCC. In: Proceedings of the GCC Developers Summit, pp. 243–256 (2003)Etoh, H.: GCC extension for protecting applications from stack-smashing attacks (ProPolice) (2003). http://www.trl.ibm.com/projects/security/ssp/ . Accessed 18 Jan 2019Erb, C., Collins, M., Greathouse, J. L.: Dynamic buffer overflow detection for GPGPUs. In: IEEE/ACM International Symposium on Code Generation and Optimization (CGO), pp. 61–73 IEEE (2017)Molnar, I.: Stackprotector updates for v3.14 (2014). https://lwn.net/Articles/584278/Shen, H.: Add a new option “-fstack-protector-strong” (2012). http://gcc.gnu.org/ml/gcc-patches/2012-06/msg00974.html . Accessed 18 Jan 2019Guan, X., Ji, J., Jiang, J., Zhang, S.: Stack overflow protection device, method, and related compiler and computing device, August 22 2013, uS Patent App. 13/772,858. https://www.google.com/patents/US20130219373 . Accessed 18 Jan 2019Backes, M., Bugiel, S., Derr, E.: Reliable third-party library detection in Android and its security applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Series. CCS ’16, pp. 356–367. ACM, New York (2016)Greenberg, A.: SC magazine: trojanized Android apps steal authentication tokens, put accounts at risk (2014). www.scmagazine.com/trojanized-android-apps-steal-authentication-tokens-put-accounts-at-risk/article/342208/Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 20th USENIX Conference on Security, Series SEC’11, pp. 21–21. USENIX Association, Berkeley (2011) http://dl.acm.org/citation.cfm?id=2028067.2028088 . Accessed 18 Jan 2019Poll: How often do you reboot? (2014). http://www.androidcentral.com/poll-how-often-do-you-reboot . Accessed 18 Jan 2019Wang, H., Li, H., Li, L., Guo, Y., Xu, G.: Why are android apps removed from Google play? A large-scale empirical study. In Proceedings of the 15th International Conference on Mining Software Repositories, Series MSR ’18, pp. 231–242. ACM, New York (2018). http://doi.acm.org/10.1145/3196398.3196412Marco-Gisbert, H., Ripoll, I.: Preventing brute force attacks against stack canary protection on networking servers. In: 12th International Symposium on Network Computing and Applications, pp. 243–250 (2013)Petsios, T., Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: DynaGuard: armoring canary-based protections against brute-force attacks. In: Proceedings of the 31st Annual Computer Security Applications Conference, Series ACSAC 2015, pp. 351–360. ACM, New York (2015). http://doi.acm.org/10.1145/2818000.281803
An automated approach to fix buffer overflows
Buffer overflows are one of the most common software vulnerabilities that occur when more data is inserted into a buffer than it can hold. Various manual and automated techniques for detecting and fixing specific types of buffer overflow vulnerability have been proposed, but the solution to fix Unicode buffer overflow has not been proposed yet. Public security vulnerability repository e.g., Common Weakness Enumeration (CWE) holds useful articles about software security vulnerabilities. Mitigation strategies listed in CWE may be useful for fixing the specified software security vulnerabilities. This research contributes by developing a prototype that automatically fixes different types of buffer overflows by using the strategies suggested in CWE articles and existing research. A static analysis tool has been used to evaluate the performance of the developed prototype tools. The results suggest that the proposed approach can automatically fix buffer overflows without inducing errors
Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand
An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures to an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability that affected 55\% of Android devices was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches to fix serialisation related vulnerabilities in both the Java Development Kit and libraries.
Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing where external data is parsed from their external representation to a program's internal data structures and hence, potentially similar vulnerabilities can be present in parsers for file formats and serialisation languages.
The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation related vulnerabilities as a program analysis task. The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods and taint analysis to detect if untrusted user-input can result in security violations.
Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features in Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code.
In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check if they are vulnerable to deserialisation-type attacks. We then provide a discussion on mitigation measures for engineers to protect their software against such vulnerabilities.
In our experiments, we show that we can find unreported vulnerabilities in Java code; and how these vulnerabilities are also present in widely-used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications/libraries that parse external data formats such as YAML, PDF and SVG
- …