Reference 1: Heartbleed, CVE-2014-0160. OpenSSL 1.0.1f, fixed in 1.0.1g. tls1_process_heartbeat() in t1_lib.c (line 2553). The excerpt below is the vulnerable 1.0.1f code as quoted in the notes; the comments point out where the length check is missing.

```c
/* t1_lib.c, OpenSSL 1.0.1f, line 2553 */
int tls1_process_heartbeat(SSL *s)
{
    unsigned char *p = &s->s3->rrec.data[0], *pl;
    unsigned short hbtype;
    unsigned int payload;
    unsigned int padding = 16; /* Use minimum padding */

    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);   /* payload comes from the peer-supplied length field and is
                        * never compared with s->s3->rrec.length, the bytes actually
                        * received; this is the check that 1.0.1g adds */
    pl = p;

    if (s->msg_callback)
        s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                        &s->s3->rrec.data[0], s->s3->rrec.length,
                        s, s->msg_callback_arg);

    if (hbtype == TLS1_HB_REQUEST) {
        unsigned char *buffer, *bp;
        int r;

        /* Allocate memory for the response, size is 1 bytes
         * message type, plus 2 bytes payload length, plus
         * payload, plus padding */
        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
        bp = buffer;

        /* Enter response type, length and copy payload */
        *bp++ = TLS1_HB_RESPONSE;
        s2n(payload, bp);
        memcpy(bp, pl, payload);   /* copies up to 65535 bytes starting at the record,
                                    * reading past the received data into adjacent heap
                                    * memory, which is then sent back to the peer */
        bp += payload;
        /* Random padding */
        RAND_pseudo_bytes(bp, padding);

        r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
        /* ... remainder of the function is not included in the notes */
```
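As an added example (not OpenSSL's code), the same heartbeat record layout handled by a stand-alone C function that carries the two length checks the 1.0.1g fix introduced, so a record whose declared payload exceeds what was received is rejected before any copy. The function names, the zero padding and the sample records in the demo functions are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Heartbeat message constants (RFC 6520); 16 is the minimum padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* n2s/s2n equivalents: the 16-bit big-endian length field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* Hardened handler (example code, not OpenSSL's). rec/rec_len is the
 * heartbeat record body as actually received. Returns the response length,
 * 0 for a non-request, or -1 for a malformed record. The two checks mirror
 * the 1.0.1g fix: the declared length is validated before anything is copied. */
static long process_heartbeat(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    /* Check 1: at least type(1) + length(2) + minimum padding(16). */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    uint8_t type = rec[0];
    uint16_t payload = rd16(rec + 1);
    /* Check 2: declared payload + padding must fit inside what was received. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (type != HB_REQUEST)
        return 0;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    wr16(out + 1, payload);
    memcpy(out + 3, rec + 3, payload);          /* only validated bytes are copied */
    memset(out + 3 + payload, 0, HB_PADDING);   /* OpenSSL fills this with random bytes */
    return (long)resp_len;
}
/* Constructed sample record (not a capture): declared length 4 matches "ping". */
static long demo_valid(void) {
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return process_heartbeat(rec, sizeof rec, out, sizeof out);   /* 23 */
}
/* Same 23 bytes, but the length field claims 0xFFFF: rejected before memcpy. */
static long demo_oversized(void) {
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return process_heartbeat(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```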
Reference 1: Data-Oriented Programming (DOP), IEEE S&P 2016. MINIDOP language: pattern -> operations. Figures referenced in the notes (images not included): the attack that overwrites data and converts a program from code1 to code2; example code of addition; example code of assignment and dereference; the attack model with DOP gadgets.
Reference 1: Persistent Data-only Malware: Function Hooks without Code. NDSS, 2014.
References: Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. USENIX Security, 2015.
Topics: attacks on fully-precise static CFI; CFI with a shadow stack.
Dispatcher functions/gadgets: any function that contains a "write-what-where" primitive whose arguments are under the attacker's control can be used as a dispatcher function. Alternatively, a function that can write only to a limited range of addresses can still serve as a dispatcher as long as the return address lies within that range.
References: [1] Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. CCS, 2015.
A new attack on fine-grained CFI that exploits the incompleteness of pointer analysis, combined with common software engineering practices, to let an attacker execute arbitrary malicious code.
Concepts:
ICS: Indirect Call Site
ACICS: Argument Corruptible Indirect Call Site
RCE: Remote Code Execution
DSA: Data Structure Analysis
DEP: Data Execution Prevention
ASLR: Address Space Layout Randomization
SSP: Stack Smashing Protection
ROP: Return-Oriented Programming
JOP: Jump-Oriented Programming
Threat Model: the threat model in this paper is a remote attacker trying to hijack control of a machine by exploiting memory vulnerabilities.
If you could revise the fundamental principles of computer system design to improve security... what would you change?