lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

Lecture 13_ advanced exploitation 2.md (2068B)


+++
title = "Lecture 13: advanced exploitation 2"
+++
# Lecture 13: advanced exploitation 2

## BlindSide
- Combines threat models of Spectre attacks (speculative execution) + hacking blind (exploits crash-resistant programs)
- enables hacking blind in a crash-sensitive domain
- makes buffer overflows more powerful by adding the possibility of exploitation

Speculative execution
- modern CPUs need deep pipelines for performance (CPU simultaneously executes many instructions in different steps)
- CPU can't always determine the next instruction because of conditionals ⇒ branch prediction
- branch prediction: predict target of branch based on previous executions, speculatively execute, roll back if needed

Spectre vulnerability
- in Intel CPUs
- related to speculative execution where rollback is incomplete (mem read stays in cache)
- attacker can train branch prediction to expect a path, have program execute this path, determine which memory was speculatively loaded into cache by timing mem accesses
- v1: bounds check bypass, make program e.g. predict that index will be in bounds when checking conditionals
- v2: branch target injection, make call instruction mis-predict to trained target
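The v1 gadget shape a code reviewer looks for, beside one standard hardening (a branchless index clamp in the style of the Linux kernel's array_index_nospec), as an added illustration in C that is not part of the lecture notes. array1, array2 and their sizes are constructed sample data.

```c
/* Spectre v1 (bounds check bypass): the gadget pattern and a hardened form.
 * Constructed example; arrays and sizes are sample data, not from the lecture. */
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
/* 256 cache lines (64 bytes each), one per possible value of array1[x] */
static uint8_t array2[256 * 64];

/* Gadget shape: architecturally the bounds check is correct, but while the
 * predictor guesses "in bounds" the CPU may speculatively read array1[x] for
 * an out-of-range x and use that byte to index array2. The rollback does not
 * evict the array2 line, so a secret-dependent cache footprint remains. */
uint8_t victim_unsafe(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* Branchless clamp: returns index when index < size, else 0. The mask is
 * computed arithmetically, so even on the mis-predicted path the index used
 * for the load is in range. Compilers normally emit compare+set here; the
 * kernel uses inline asm (cmp/sbb) to guarantee no branch is generated. */
static inline size_t index_nospec(size_t index, size_t size) {
    size_t mask = (size_t)0 - (size_t)(index < size); /* all-ones or zero */
    return index & mask;
}

/* Hardened form: same logic, but the speculative path reads array1[0]. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 64];
    }
    return 0;
}
```

An alternative hardening is a serializing instruction (lfence) after the bounds check, which stops speculation entirely at the cost of the pipeline benefit the lecture describes.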
     22 
Hacking blind
- requirement: crash-resistant program (cause a crash, but program continues running without re-randomizing ASLR), not possible in kernel
- lacks an information-leaking primitive
- use buffer overflow to corrupt and probe memory
- infer targets from measurable side-effects of probes

BlindSide:
- use buffer overflow to corrupt function pointer
- execute corrupted function pointer speculatively to probe memory
- infer targets from measurable side effects of probe
- lets you do crashless probing in a crash-sensitive domain (speculation is a suppressor of crashes)

Newton:
- instead of static analysis for ROP, does dynamic analysis
- taint tracking (lol): taint attacker-controlled bytes and monitor branches (taint sinks) that depend on tainted memory, dump taint source for each sink
- Newton gadgets: callsite is tainted by addresses and may call a function