SlideShare a Scribd company logo

Can We Prevent Use-after-free Attacks?

I
inaz2

2017/06/04 ssmjp Special

Technology
1 of 44
Download to read offline
Can We Prevent Use-after-free Attacks? 2017/06/04 ssmjp Special inaz2
About me • @inaz2 – https://twitter.com/inaz2 • Python programmer & Security engineer • Blog: ももいろテクノロジー – http://inaz2.hatenablog.com/ 2
Questions • Are you a programmer? • Can you do basic C++ programming? • Do you know what use-after-free attack is? • Do you know how to prevent the attack when you write your codes? 3
Important warning • The purpose of this talk is to tell you how computers work, what the problem is and my current thoughts to prevent it • NEVER ABUSE THE KNOWLEDGE YOU GET – Comply strictly with the law. Think about ethics. Never harm others definitely • Some of Japanese laws about computer security – 不正アクセス行為の禁止等に関する法律(不正アクセス禁止法) – 刑法第168条の2及び3 不正指令電磁的記録に関する罪(ウイルス作 成罪) – 刑法第234条の2 電子計算機損壊等業務妨害罪 4
Dynamic memory allocation and heap 5
Dynamic memory allocation • C: malloc() / free() • C++: new / delete • Win32API: HeapAlloc() / HeapFree() 6
Heap • First allocate a pool of memory • malloc(): Use some of the pool as a chunk • free(): Give it back • Freed chunks are generally reused for efficiency 7https://commons.wikimedia.org/wiki/File:Tannin_heap.jpeg
Use-after-free attacks 8
Allocate a chunk 9 heap chunkptr = 0x100000
Free the chunk (or trigger garbage collection) 10 heap chunk (freed) ptr = 0x100000 Now this points invalid address: dangling pointer
Reallocate the freed chunk with crafted data 11 heap chunk (crafted) ptr = 0x100000
Access freed memory via dangling pointer 12 heap chunk (crafted) ptr = 0x100000 Arbitrary read/write through pointer in chunk 0x41414141
Virtual function table 13
Virtual function • Handle derived classes as their base class and call functions of the former in the same manner – This characteristics is called “Polymorphism” 14
15
16
Virtual function table (vtable) 17 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable * gray indicates read only
Virtual function table (vtable) 18 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable &boom boom Crafted buffer * gray indicates read only Hijacking EIP
On Linux … • Test program on glibc’s ptmalloc – https://gist.github.com/inaz2/f24f6d09cbf406d344debc649106fd 89 19
Even on Windows 10 … • Test program (unprotected) on low fragmentation heap – https://gist.github.com/inaz2/0c6edd5f485b95a114104fd48a533 750 20
When will it be a problem? • When user can call functions in arbitrary order – Parser / command interpreter – Script engine (especially JavaScript) – OS kernel / drivers • Security Vulnerabilities Related To CWE-416 - CVE Details – http://www.cvedetails.com/vulnerability-list/cweid- 416/vulnerabilities.html • Published Advisories 2017 - Zero Day Initiative – http://www.zerodayinitiative.com/advisories/published/2017/ 21
Zero-day vulnerabilities • CVE-2014-1776 (Remote code execution) – Use-after-free vulnerability in MSHTML!CMarkup::IsConnectedToPrimaryMarkup() in Microsoft Internet Explorer 6 through 11 – https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day- exploit-targeting-internet-explorer-versions-9-through-11-identified-in- targeted-attacks.html • CVE-2017-0263 (Local privilege escalation) – Use-after-free vulnerability in win32k!xxxDestroyWindow() in Microsoft Windows 7, 8.1, 10 and Windows Server 2008, 2012, 2016 – https://www.fireeye.com/blog/threat-research/2017/05/eps- processing-zero-days.html 22
Preventing use-after-free attacks 23
C++11: Using smart pointers and references • Smart Pointers (Modern C++) – https://msdn.microsoft.com/en-us/library/hh279674.aspx • #include <memory> • unique_ptr<T> (pointer with ownership) – when the object is pointed by only one pointer • shared_ptr<T> (pointer with reference count) – when the object is pointed by more than one pointers – To avoid circular reference, weak_ptr<T> is used together 24
The unique pointer across functions 25
Bidirectional linked list by using shared_ptr 26
Assigning NULL immediately after free • MEM01-CPP. Store a valid value in pointers immediately after deallocation - SEI CERT C++ Coding Standard [outdated] – https://www.securecoding.cert.org/confluence/display/cplusplus/MEM01- CPP.+Store+a+valid+value+in+pointers+immediately+after+deallocation 27
28
Microsoft Visual C++: enable SDL checks • /sdl (Enable Additional Security Checks) – https://msdn.microsoft.com/en-us/library/jj161081.aspx 29
Microsoft Visual C++: enable SDL checks • Enabled by default in Visual Studio 2015 “New Win32 Project” 30
31
Magic address ds:002b:00008123 • Guarding against re-use of stale object references | Microsoft Secure Blog – https://blogs.microsoft.com/microsoftsecure/2012/04/24/guarding- against-re-use-of-stale-object-references/ 32
But copied pointers remain dangling • If more than one pointer pointing to the same address exist, others are not nullified – Need tracking copies to prevent completely • FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers [NDSS 2015] – https://www.internetsociety.org/doc/freesentry-protecting-against-use- after-free-vulnerabilities-due-dangling-pointers • Preventing Use-after-free with Dangling Pointers Nullification (DangNull) [NDSS 2015] – https://sslab.gtisc.gatech.edu/2015/dang-null.html • DangSan: Scalable Use-after-free Detection [EUROSYS 2017] – http://www.cs.vu.nl/~giuffrida/papers/dangsan_eurosys17.pdf 33
GCC / Clang: AddressSanitizer • -fsanitize=address – https://github.com/google/sanitizers/wiki/AddressSanitizer – Runtime memory error detection 34
Eliminating all dangling pointers is hard … 35
Windows 8.1+: Control Flow Guard • /guard:cf (Enable Control Flow Guard) – https://msdn.microsoft.com/en- us/library/windows/desktop/mt637065(v=vs.85).aspx – Add check if the target of indirect call is the beginning of function 36
Windows 8.1+: Control Flow Guard • Not enabled by default in Visual Studio 2015 “New Win32 Project” • Incompatible with /ZI (Edit and Continue debug information) 37
Linux grsecurity: RAP • https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf • Indirect Control Transfer Protection – Prepend type signature before each function and verify it before indirect call 38
Windows 10: VTGuard (IE & Edge) • Append canary to vtable and verify it before call • Understanding the Attack Surface and Attack Resilience of Project Spartans New EdgeHTML Rendering Engine [Black Hat USA 2015] – https://www.blackhat.com/docs/us-15/materials/us-15-Yason- Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project- Spartans-New-EdgeHTML-Rendering-Engine.pdf 39 vptr char name [0x20] &Dog::cry() Animal instance Dog::cry() Dog vtable _vtguard
Windows 10: MemGC (IE & Edge) • Managed heap and garbage collector which don’t free if there are dangling pointers – Enabled by default • MemGC: Use-After-Free Exploit Mitigation in Edge and IE on Windows 10 – https://securityintelligence.com/memgc-use-after-free-exploit- mitigation-in-edge-and-ie-on-windows-10/ • You can read it on GitHub!!1 – https://github.com/Microsoft/ChakraCore/blob/master/lib/Common /Memory/Recycler.cpp 40
Comprehensive mitigations • Mandatory access control – Mandatory Integrity Control (Windows Vista+) / SELinux (Linux) – Enforce the access policy between processes and resources (files etc.) • Isolation – AppContainer (Windows 8+) / Namespaces (Linux) – Execute in separated context • Endpoint security solution – Provided by many security venders including Microsoft – Monitoring host activities and detect critical accesses • Patch update 41
Recap • Use-after-free attacks are caused by dangling pointers to freed memory area – Recent vulnerabilities are not only buffer overflow • There are ways to mitigate it – Safer language features, carefully programming, compiler’s security option, smart GC, comprehensive mitigations – Enable /guard:cf in Release build of your new MSVC projects • Think about what our problem is 42
References • use-after-freeによるC++ vtable overwriteをやってみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2014/06/18/220735 • ROP検知手法RAPについてまとめてみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2015/10/30/024234 • Beyond Zero-day Attacks(4):Use After Freeとヒープスプレー - @IT – http://www.atmarkit.co.jp/ait/articles/1409/22/news010.html • Use After Free 脆弱性攻撃を試す – https://www.slideshare.net/monochrojazz/use-after-free • Understanding the Low Fragmentation Heap (Black Hat USA 2010) – http://illmatics.com/Understanding_the_LFH_Slides.pdf • Getting back determinism in the Low Fragmentation Heap - LSE Blog – https://blog.lse.epita.fr/articles/74-getting-back-determinism-in-the-lfh.html • saaramar/Deterministic_LFH: Have fun with the LowFragmentationHeap – https://github.com/saaramar/Deterministic_LFH • katagaitai CTF勉強会 #8 pwnables編 – https://speakerdeck.com/bata_24/katagaitai-ctf-number-8 43
Thank You! @inaz2 44

Recommended

暗認本読書会4
暗認本読書会4暗認本読書会4
暗認本読書会4MITSUNARI Shigeo
 
Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖
Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖
Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖Atsushi Nakamura
 
暗認本読書会5
暗認本読書会5暗認本読書会5
暗認本読書会5MITSUNARI Shigeo
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
代数的実数とCADの実装紹介
代数的実数とCADの実装紹介代数的実数とCADの実装紹介
代数的実数とCADの実装紹介Masahiro Sakai
 
暗認本読書会6
暗認本読書会6暗認本読書会6
暗認本読書会6MITSUNARI Shigeo
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team FrameworkAdrian Sanabria
 
暗認本読書会7
暗認本読書会7暗認本読書会7
暗認本読書会7MITSUNARI Shigeo
 

Recommended

暗認本読書会4
暗認本読書会4暗認本読書会4
暗認本読書会4MITSUNARI Shigeo
 
Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖
Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖
Unicodeで半角全角を扱うAmbiguous(曖昧さ)とUncertainty(不確実性)の恐怖Atsushi Nakamura
 
暗認本読書会5
暗認本読書会5暗認本読書会5
暗認本読書会5MITSUNARI Shigeo
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
代数的実数とCADの実装紹介
代数的実数とCADの実装紹介代数的実数とCADの実装紹介
代数的実数とCADの実装紹介Masahiro Sakai
 
暗認本読書会6
暗認本読書会6暗認本読書会6
暗認本読書会6MITSUNARI Shigeo
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team FrameworkAdrian Sanabria
 
暗認本読書会7
暗認本読書会7暗認本読書会7
暗認本読書会7MITSUNARI Shigeo
 
暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がりMITSUNARI Shigeo
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
レベルを上げて物理で殴れ、Fuzzing入門 #pyfes
レベルを上げて物理で殴れ、Fuzzing入門 #pyfesレベルを上げて物理で殴れ、Fuzzing入門 #pyfes
レベルを上げて物理で殴れ、Fuzzing入門 #pyfesTokoroten Nakayama
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for youToby Kohlenberg
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpsonickun
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
猫にはわかる暗号技術 1
猫にはわかる暗号技術 1猫にはわかる暗号技術 1
猫にはわかる暗号技術 1Yu Ogawa
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号MITSUNARI Shigeo
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話mariydi1
 
211120 他人の書いたPythonスクリプトをステップ実行で理解する
211120 他人の書いたPythonスクリプトをステップ実行で理解する211120 他人の書いたPythonスクリプトをステップ実行で理解する
211120 他人の書いたPythonスクリプトをステップ実行で理解するTakuya Nishimoto
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
研究を基にしたオープンソース開発チェックポイント
研究を基にしたオープンソース開発チェックポイント研究を基にしたオープンソース開発チェックポイント
研究を基にしたオープンソース開発チェックポイントRecruit Technologies
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)kikuchan98
 
MITRE ATT&CKマッピングのペストプラクティスでたよ
MITRE ATT&CKマッピングのペストプラクティスでたよMITRE ATT&CKマッピングのペストプラクティスでたよ
MITRE ATT&CKマッピングのペストプラクティスでたよshuna roo
 
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomugMasahiro NAKAYAMA
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門shiracamus
 

More Related Content

What's hot

暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がりMITSUNARI Shigeo
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
レベルを上げて物理で殴れ、Fuzzing入門 #pyfes
レベルを上げて物理で殴れ、Fuzzing入門 #pyfesレベルを上げて物理で殴れ、Fuzzing入門 #pyfes
レベルを上げて物理で殴れ、Fuzzing入門 #pyfesTokoroten Nakayama
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかないMasaki Hara
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for youToby Kohlenberg
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpsonickun
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
猫にはわかる暗号技術 1
猫にはわかる暗号技術 1猫にはわかる暗号技術 1
猫にはわかる暗号技術 1Yu Ogawa
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseFidelis Cybersecurity
 
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話mariydi1
 
211120 他人の書いたPythonスクリプトをステップ実行で理解する
211120 他人の書いたPythonスクリプトをステップ実行で理解する211120 他人の書いたPythonスクリプトをステップ実行で理解する
211120 他人の書いたPythonスクリプトをステップ実行で理解するTakuya Nishimoto
 
研究を基にしたオープンソース開発チェックポイント
研究を基にしたオープンソース開発チェックポイント研究を基にしたオープンソース開発チェックポイント
研究を基にしたオープンソース開発チェックポイントRecruit Technologies
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)kikuchan98
 
MITRE ATT&CKマッピングのペストプラクティスでたよ
MITRE ATT&CKマッピングのペストプラクティスでたよMITRE ATT&CKマッピングのペストプラクティスでたよ
MITRE ATT&CKマッピングのペストプラクティスでたよshuna roo
 

What's hot (20)

暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり暗号化したまま計算できる暗号技術とOSS開発による広がり
暗号化したまま計算できる暗号技術とOSS開発による広がり
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
レベルを上げて物理で殴れ、Fuzzing入門 #pyfes
レベルを上げて物理で殴れ、Fuzzing入門 #pyfesレベルを上げて物理で殴れ、Fuzzing入門 #pyfes
レベルを上げて物理で殴れ、Fuzzing入門 #pyfes
 
書くネタがCoqしかない
書くネタがCoqしかない書くネタがCoqしかない
書くネタがCoqしかない
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for you
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjp
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
猫にはわかる暗号技術 1
猫にはわかる暗号技術 1猫にはわかる暗号技術 1
猫にはわかる暗号技術 1
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号
 
Capture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception DefenseCapture the Flag Exercise Using Active Deception Defense
Capture the Flag Exercise Using Active Deception Defense
 
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
初心者がRSA暗号を教わったら自力でCTFの問題が解けるようになった話
 
211120 他人の書いたPythonスクリプトをステップ実行で理解する
211120 他人の書いたPythonスクリプトをステップ実行で理解する211120 他人の書いたPythonスクリプトをステップ実行で理解する
211120 他人の書いたPythonスクリプトをステップ実行で理解する
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
研究を基にしたオープンソース開発チェックポイント
研究を基にしたオープンソース開発チェックポイント研究を基にしたオープンソース開発チェックポイント
研究を基にしたオープンソース開発チェックポイント
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)CTF超入門 (for 第12回セキュリティさくら)
CTF超入門 (for 第12回セキュリティさくら)
 
MITRE ATT&CKマッピングのペストプラクティスでたよ
MITRE ATT&CKマッピングのペストプラクティスでたよMITRE ATT&CKマッピングのペストプラクティスでたよ
MITRE ATT&CKマッピングのペストプラクティスでたよ
 

Viewers also liked

細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomugMasahiro NAKAYAMA
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門shiracamus
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?inaz2
 
Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編なべ
 
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjpAWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjpMasahiro NAKAYAMA
 
Edomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみようEdomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみようSatoshi Mimura
 
Esoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in RubyEsoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in Rubymametter
 

Viewers also liked (7)

細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
細かすぎて伝わらないSORACOM Funnelのオプション紹介 #soracomug
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?
 
Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編Spring bootでweb セキュリティ(ログイン認証)編
Spring bootでweb セキュリティ(ログイン認証)編
 
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjpAWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
AWS LambdaとDynamoDBがこんなにツライはずがない #ssmjp
 
Edomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみようEdomae 2015 - マルウェアを解析してみよう
Edomae 2015 - マルウェアを解析してみよう
 
Esoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in RubyEsoteric, Obfuscated, Artistic Programming in Ruby
Esoteric, Obfuscated, Artistic Programming in Ruby
 

Similar to Can We Prevent Use-after-free Attacks?

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014Bryce Kunz
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Secure Coding Practices for Middleware
Secure Coding Practices for MiddlewareSecure Coding Practices for Middleware
Secure Coding Practices for MiddlewareManuel Brugnoli
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinDigicomp Academy AG
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)geeksec80
 
44 con slides
44 con slides44 con slides
44 con slidesgeeksec80
 
Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)ITCamp
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
 

Similar to Can We Prevent Use-after-free Attacks? (20)

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Secure Coding Practices for Middleware
Secure Coding Practices for MiddlewareSecure Coding Practices for Middleware
Secure Coding Practices for Middleware
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)
 
44 con slides
44 con slides44 con slides
44 con slides
 
Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)Cryptography - You're doing it wrong! (Attila Balazs)
Cryptography - You're doing it wrong! (Attila Balazs)
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 

More from inaz2

HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)inaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)inaz2
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primerinaz2
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)inaz2
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksinaz2
 
CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!inaz2
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profitinaz2
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~inaz2
 

More from inaz2 (12)

HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwords
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primer
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needles
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocks
 
CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!CRYPT+YOU, UNDERSTAND TODAY!
CRYPT+YOU, UNDERSTAND TODAY!
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profit
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Can We Prevent Use-after-free Attacks?

  • 1. Can We Prevent Use-after-free Attacks? 2017/06/04 ssmjp Special inaz2
  • 2. About me • @inaz2 – https://twitter.com/inaz2 • Python programmer & Security engineer • Blog: ももいろテクノロジー – http://inaz2.hatenablog.com/ 2
  • 3. Questions • Are you a programmer? • Can you do basic C++ programming? • Do you know what use-after-free attack is? • Do you know how to prevent the attack when you write your codes? 3
  • 4. Important warning • The purpose of this talk is to tell you how computers work, what the problem is and my current thoughts to prevent it • NEVER ABUSE THE KNOWLEDGE YOU GET – Comply strictly with the law. Think about ethics. Never harm others definitely • Some of Japanese laws about computer security – 不正アクセス行為の禁止等に関する法律(不正アクセス禁止法) – 刑法第168条の2及び3 不正指令電磁的記録に関する罪(ウイルス作 成罪) – 刑法第234条の2 電子計算機損壊等業務妨害罪 4
  • 6. Dynamic memory allocation • C: malloc() / free() • C++: new / delete • Win32API: HeapAlloc() / HeapFree() 6
  • 7. Heap • First allocate a pool of memory • malloc(): Use some of the pool as a chunk • free(): Give it back • Freed chunks are generally reused for efficiency 7https://commons.wikimedia.org/wiki/File:Tannin_heap.jpeg
  • 10. Free the chunk (or trigger garbage collection) 10 heap chunk (freed) ptr = 0x100000 Now this points invalid address: dangling pointer
  • 11. Reallocate the freed chunk with crafted data 11 heap chunk (crafted) ptr = 0x100000
  • 12. Access freed memory via dangling pointer 12 heap chunk (crafted) ptr = 0x100000 Arbitrary read/write through pointer in chunk 0x41414141
  • 14. Virtual function • Handle derived classes as their base class and call functions of the former in the same manner – This characteristics is called “Polymorphism” 14
  • 15. 15
  • 16. 16
  • 17. Virtual function table (vtable) 17 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable * gray indicates read only
  • 18. Virtual function table (vtable) 18 vptr char name [0x20] &Dog::cry() &Cat::cry() Animal instance Dog::cry() Cat::cry() Dog vtable Cat vtable &boom boom Crafted buffer * gray indicates read only Hijacking EIP
  • 19. On Linux … • Test program on glibc’s ptmalloc – https://gist.github.com/inaz2/f24f6d09cbf406d344debc649106fd 89 19
  • 20. Even on Windows 10 … • Test program (unprotected) on low fragmentation heap – https://gist.github.com/inaz2/0c6edd5f485b95a114104fd48a533 750 20
  • 21. When will it be a problem? • When user can call functions in arbitrary order – Parser / command interpreter – Script engine (especially JavaScript) – OS kernel / drivers • Security Vulnerabilities Related To CWE-416 - CVE Details – http://www.cvedetails.com/vulnerability-list/cweid- 416/vulnerabilities.html • Published Advisories 2017 - Zero Day Initiative – http://www.zerodayinitiative.com/advisories/published/2017/ 21
  • 22. Zero-day vulnerabilities • CVE-2014-1776 (Remote code execution) – Use-after-free vulnerability in MSHTML!CMarkup::IsConnectedToPrimaryMarkup() in Microsoft Internet Explorer 6 through 11 – https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day- exploit-targeting-internet-explorer-versions-9-through-11-identified-in- targeted-attacks.html • CVE-2017-0263 (Local privilege escalation) – Use-after-free vulnerability in win32k!xxxDestroyWindow() in Microsoft Windows 7, 8.1, 10 and Windows Server 2008, 2012, 2016 – https://www.fireeye.com/blog/threat-research/2017/05/eps- processing-zero-days.html 22
  • 24. C++11: Using smart pointers and references • Smart Pointers (Modern C++) – https://msdn.microsoft.com/en-us/library/hh279674.aspx • #include <memory> • unique_ptr<T> (pointer with ownership) – when the object is pointed by only one pointer • shared_ptr<T> (pointer with reference count) – when the object is pointed by more than one pointers – To avoid circular reference, weak_ptr<T> is used together 24
  • 25. The unique pointer across functions 25
  • 26. Bidirectional linked list by using shared_ptr 26
  • 27. Assigning NULL immediately after free • MEM01-CPP. Store a valid value in pointers immediately after deallocation - SEI CERT C++ Coding Standard [outdated] – https://www.securecoding.cert.org/confluence/display/cplusplus/MEM01- CPP.+Store+a+valid+value+in+pointers+immediately+after+deallocation 27
  • 28. 28
  • 29. Microsoft Visual C++: enable SDL checks • /sdl (Enable Additional Security Checks) – https://msdn.microsoft.com/en-us/library/jj161081.aspx 29
  • 30. Microsoft Visual C++: enable SDL checks • Enabled by default in Visual Studio 2015 “New Win32 Project” 30
  • 31. 31
  • 32. Magic address ds:002b:00008123 • Guarding against re-use of stale object references | Microsoft Secure Blog – https://blogs.microsoft.com/microsoftsecure/2012/04/24/guarding- against-re-use-of-stale-object-references/ 32
  • 33. But copied pointers remain dangling • If more than one pointer pointing to the same address exist, others are not nullified – Need tracking copies to prevent completely • FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers [NDSS 2015] – https://www.internetsociety.org/doc/freesentry-protecting-against-use- after-free-vulnerabilities-due-dangling-pointers • Preventing Use-after-free with Dangling Pointers Nullification (DangNull) [NDSS 2015] – https://sslab.gtisc.gatech.edu/2015/dang-null.html • DangSan: Scalable Use-after-free Detection [EUROSYS 2017] – http://www.cs.vu.nl/~giuffrida/papers/dangsan_eurosys17.pdf 33
  • 34. GCC / Clang: AddressSanitizer • -fsanitize=address – https://github.com/google/sanitizers/wiki/AddressSanitizer – Runtime memory error detection 34
  • 35. Eliminating all dangling pointers is hard … 35
  • 36. Windows 8.1+: Control Flow Guard • /guard:cf (Enable Control Flow Guard) – https://msdn.microsoft.com/en- us/library/windows/desktop/mt637065(v=vs.85).aspx – Add check if the target of indirect call is the beginning of function 36
  • 37. Windows 8.1+: Control Flow Guard • Not enabled by default in Visual Studio 2015 “New Win32 Project” • Incompatible with /ZI (Edit and Continue debug information) 37
  • 38. Linux grsecurity: RAP • https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf • Indirect Control Transfer Protection – Prepend type signature before each function and verify it before indirect call 38
  • 39. Windows 10: VTGuard (IE & Edge) • Append canary to vtable and verify it before call • Understanding the Attack Surface and Attack Resilience of Project Spartans New EdgeHTML Rendering Engine [Black Hat USA 2015] – https://www.blackhat.com/docs/us-15/materials/us-15-Yason- Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project- Spartans-New-EdgeHTML-Rendering-Engine.pdf 39 vptr char name [0x20] &Dog::cry() Animal instance Dog::cry() Dog vtable _vtguard
  • 40. Windows 10: MemGC (IE & Edge) • Managed heap and garbage collector which don’t free if there are dangling pointers – Enabled by default • MemGC: Use-After-Free Exploit Mitigation in Edge and IE on Windows 10 – https://securityintelligence.com/memgc-use-after-free-exploit- mitigation-in-edge-and-ie-on-windows-10/ • You can read it on GitHub!!1 – https://github.com/Microsoft/ChakraCore/blob/master/lib/Common /Memory/Recycler.cpp 40
  • 41. Comprehensive mitigations • Mandatory access control – Mandatory Integrity Control (Windows Vista+) / SELinux (Linux) – Enforce the access policy between processes and resources (files etc.) • Isolation – AppContainer (Windows 8+) / Namespaces (Linux) – Execute in separated context • Endpoint security solution – Provided by many security venders including Microsoft – Monitoring host activities and detect critical accesses • Patch update 41
  • 42. Recap • Use-after-free attacks are caused by dangling pointers to freed memory area – Recent vulnerabilities are not only buffer overflow • There are ways to mitigate it – Safer language features, carefully programming, compiler’s security option, smart GC, comprehensive mitigations – Enable /guard:cf in Release build of your new MSVC projects • Think about what our problem is 42
  • 43. References • use-after-freeによるC++ vtable overwriteをやってみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2014/06/18/220735 • ROP検知手法RAPについてまとめてみる - ももいろテクノロジー – http://inaz2.hatenablog.com/entry/2015/10/30/024234 • Beyond Zero-day Attacks(4):Use After Freeとヒープスプレー - @IT – http://www.atmarkit.co.jp/ait/articles/1409/22/news010.html • Use After Free 脆弱性攻撃を試す – https://www.slideshare.net/monochrojazz/use-after-free • Understanding the Low Fragmentation Heap (Black Hat USA 2010) – http://illmatics.com/Understanding_the_LFH_Slides.pdf • Getting back determinism in the Low Fragmentation Heap - LSE Blog – https://blog.lse.epita.fr/articles/74-getting-back-determinism-in-the-lfh.html • saaramar/Deterministic_LFH: Have fun with the LowFragmentationHeap – https://github.com/saaramar/Deterministic_LFH • katagaitai CTF勉強会 #8 pwnables編 – https://speakerdeck.com/bata_24/katagaitai-ctf-number-8 43