Introduction - Immunity Inc


Stackjacking Your Way to grsecurity/PaX Bypass – Jon Oberheide / Dan Rosenberg

Slides 2-3: Introduction
Jon Oberheide, Dan Rosenberg

Slide 4: Introduction
"I get excited every time I see a conference add requirements to their talk selection along the lines of 'exploitation presentations must be against grsecurity/PaX' -- but then there never ends up being any presentations of this kind."
– spender pratt

Slide 5: Agenda
- A review of Linux kernel security
- Exploitation vs. grsecurity/PaX
- Bypassing grsecurity/PaX

Slides 6-7: A decade of kernel security

Slide 8: Upstream attitude
- Security is hard when upstream ignores the problems
- Linux still hasn't had its "security awakening"

Slide 9: How about last year?
- 142 CVEs assigned
  - 30% worse than the previous worst year (2009)
  - Based on public CVE requests, issues tracked at Red Hat Bugzilla, and Eugene's tagged git tree
  - Missing dozens of non-CVE vulnerabilities (i.e. the "Dan Carpenter factor")
- 61 (43%) discovered by six people
  - Kees (4), Brad (3), Tavis (7), Vasiliy (4), Dan (37), Nelson (6)

Slide 10: Kernel vulns in 2010
- 12 known exploits for local privilege escalation
- 13 remotely triggerable issues
- 33 potential privilege escalations

Slide 11: Breakdown by Target (chart; categories: Core, Distro, Exotic, Red Hat)

Slide 12: Breakdown by Impact (chart; categories: Bypass, DoS, Info, Priv Esc?, Priv Esc, Nothing)

Slide 13: Interesting exploits of 2010
- full-nelson.c: combined three vulns to get a NULL write
- half-nelson.c: first Linux kernel stack overflow (not buffer overflow) exploit
- linux-rds-exploit.c: arbitrary write in RDS packet family
- i-CAN-haz-MODHARDEN.c: SLUB overflow in CAN packet family
- american-sign-language.c: exploit payload written in ACPI's ASL/AML

Slide 14: Agenda (Exploitation vs. grsecurity/PaX)

Slide 15: Traditional Linux exploitation
- Perhaps the most general exploitation primitive is an arbitrary kernel write
- Sometimes occurs naturally, other times can be constructed (e.g. overwriting pointers in an overflow to trigger a write)

Slide 16: Linux exploitation examples
- Writes to known addresses (IDT)
- Function pointer overwrites
- Redirecting control flow to userspace
- Influencing privesc-related kernel data (e.g. credentials structures)
- Relying on kallsyms and other info

Slide 17: Overview of grsecurity/PaX
- grsecurity/PaX: third-party patchset to harden Linux userspace/kernel security
- Attempts to prevent:
  - Introduction/execution of arbitrary code
  - Execution of existing code out of original order
  - Execution of existing code in original order with arbitrary data

Slide 18: grsecurity/PaX hardening
Kernel hardening features:
- KERNEXEC: prevent the introduction of new executable code
- UDEREF: prevent invalid userspace pointer dereferences
- HIDESYM: hide info that may be useful to an attacker (kallsyms, slabinfo, kernel address leaks, etc)
- MODHARDEN: prevent auto-loading of crappy unused packet families (CAN, RDS, econet, etc)

Slide 19: Agenda (Bypassing grsecurity/PaX)

Slide 20: The main event
- A technique we call stackjacking
- Enables the bypass of common grsecurity/PaX configurations with common exploit primitives
- Independently discovered, collaboratively exploited, with slightly different techniques

Slide 21: Plan of attack!

Slide 22: Target kernel assumptions
- Hardened kernel with grsec/PaX
- Config level GRKERNSEC_HIGH
  - KERNEXEC
  - UDEREF
  - HIDESYM
  - MODHARDEN
  - Etc.

Slide 23: Stronger target assumptions
- Let's make some extra assumptions
  - We like a challenge, and these are assumptions that may possibly be obtainable now or in the future
- Stronger target assumptions:
  - Zero knowledge of kernel address space
  - Fully randomized kernel text/data
  - Cannot introduce new code into kernel address space
  - Cannot modify kernel control flow (e.g. data-only)

Slide 24: Attacker assumption #1
- Assumption: arbitrary kmem write
  - A common kernel exploitation primitive
  - Examples: RDS, MCAST_MSFILTER
  - Other vulns can be turned into writes, e.g. overflowing into a pointer that's written to
- Wut? "You mean I can't escalate privs with an arbitrary kernel memory write normally?" NOPE.

Slide 25: Arbitrary write into the abyss
DARKNESS!
Address-space diagram: 0xffffffff (top) kernel; 0xc0000000 (TASK_SIZE); user; 0x00000000 (bottom)
No clue where to write! Exploitation is infeasible.

Slide 26: What's the secret sauce?
ARBITRARY WRITE + ? = ...

Slide 27: Maybe?
ARBITRARY WRITE + dave? = ...

Slide 28: Nah, he's taken

Slide 29: Need to know something
- One way: arbitrary kmem disclosure
  - procfs (2005), sctp (2008), move_pages (2009), pktcdvd (2010)
  - Just dump entire address space!
- But these are rare! And in many instances, mitigated by grsec/PaX

Slide 30: Something more common?
- How about a more common vuln? Hints:
  - Widely considered to be a useless vulnerability
  - Commonly assigned a CVSS score of 1.9 (low)
  - 25 such vulnerabilities reported in 2010
  - Often referred to as a "Dan Rosenbug"
- Can you guess it?

Slide 31: KSTACK MEM DISCLOSURE!
ARBITRARY WRITE + KSTACK LEAK = ...

Slide 32: How does kstack leak help?

Slide 33: A bit about Linux kernel stacks
- Each userspace thread is allocated a kernel stack
- Stores stack frames for kernel syscalls and other metadata
- Most commonly 8k, some distros use 4k
- Diagram: the 4k/8k stack starts at the high address and grows down toward the unused region at the low address
- THREAD_SIZE = 2*PAGE_SIZE = 2*4096 = 8192

Slide 34: Kernel stack mem disclosures
- Kstack mem disclosures: leak of memory from the kernel stack to userspace
- Common cause: copying a struct on the kstack back to userspace with uninitialized fields
  - Improper initialization/memset, forgetting member assignment, structure padding/holes
- A frequent occurrence, especially in compat

Slide 35: Kernel stack mem disclosures

    struct foo {
        uint32_t bar;
        uint32_t leak;
        uint32_t baz;
    };

    syscall() {
        struct foo foo;
        foo.bar = 1;
        foo.baz = 2;
        copy_to_user(foo);
    }

1) process makes syscall and leaves sensitive data on kstack
2) kstack is reused on subsequent syscall and struct overlaps with sensitive data
3) foo struct is copied to userspace, leaking 4 bytes of kstack through uninitialized foo.leak member
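The bug class on slides 34-35, simulated in userspace as an added example (not code from the talk): a struct laid over a "primed" stack region leaks the stale bytes that member-wise assignment never touches, both through the forgotten `leak` member and through a padding hole, while a memset() of the whole object before filling it in leaks nothing. The `struct padded` type, the union wrappers and the 0xAA sentinel are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added, constructed example: shows in userspace how a struct built on a reused
 * kernel stack leaks stale bytes through copy_to_user(), and what zeroing the
 * whole object first buys you. Nothing here is kernel code. */

/* Mock of the slide's struct foo: three u32 members, `leak` never assigned. */
struct foo {
    uint32_t bar;
    uint32_t leak;
    uint32_t baz;
};

/* Constructed struct with a padding hole: on ABIs that align uint32_t to 4 bytes,
 * the 3 bytes between `flag` and `value` belong to no member at all. */
struct padded {
    uint8_t  flag;
    uint32_t value;
};

/* Sentinel standing in for sensitive data left on the kstack by a prior syscall. */
#define STALE 0xAA

/* Unions give the struct the alignment it needs while letting us inspect every
 * byte of its object representation, as a copy_to_user() of sizeof(*obj) would. */
union foo_slot    { struct foo    s; uint8_t bytes[sizeof(struct foo)]; };
union padded_slot { struct padded s; uint8_t bytes[sizeof(struct padded)]; };

/* Count bytes that still carry the sentinel, i.e. bytes that would leak. */
static size_t count_stale(const uint8_t *bytes, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (bytes[i] == STALE)
            n++;
    return n;
}

/* Vulnerable pattern from slide 35: members assigned one by one, `leak` forgotten. */
size_t foo_partial_init_leaks(void)
{
    union foo_slot slot;
    memset(slot.bytes, STALE, sizeof slot.bytes);      /* 1) earlier syscall primed the stack */
    slot.s.bar = 1;                                     /* 2) struct overlaps the stale data   */
    slot.s.baz = 2;
    return count_stale(slot.bytes, sizeof slot.bytes);  /* 3) foo.leak: 4 stale bytes          */
}

/* Hardened form: zero the whole object before assigning, so nothing stale survives. */
size_t foo_memset_leaks(void)
{
    union foo_slot slot;
    memset(slot.bytes, STALE, sizeof slot.bytes);
    memset(&slot.s, 0, sizeof slot.s);
    slot.s.bar = 1;
    slot.s.baz = 2;
    return count_stale(slot.bytes, sizeof slot.bytes);  /* 0 */
}

/* Padding hole: every member is assigned, yet the hole bytes are still stale. */
size_t padded_all_members_leaks(void)
{
    union padded_slot slot;
    memset(slot.bytes, STALE, sizeof slot.bytes);
    slot.s.flag = 1;
    slot.s.value = 2;
    return count_stale(slot.bytes, sizeof slot.bytes);  /* 3 on x86, x86_64 and arm64 */
}

/* Same struct, memset first: the hole is zeroed along with the members. */
size_t padded_memset_leaks(void)
{
    union padded_slot slot;
    memset(slot.bytes, STALE, sizeof slot.bytes);
    memset(&slot.s, 0, sizeof slot.s);
    slot.s.flag = 1;
    slot.s.value = 2;
    return count_stale(slot.bytes, sizeof slot.bytes);  /* 0 */
}

/* Review-time check: bytes of the struct not covered by any member, i.e. padding
 * that member-wise assignment can never overwrite. */
size_t padded_hole_bytes(void)
{
    return sizeof(struct padded) - (sizeof(uint8_t) + sizeof(uint32_t));
}

int main(void)
{
    printf("foo, partial init : %zu stale bytes\n", foo_partial_init_leaks());
    printf("foo, memset first : %zu stale bytes\n", foo_memset_leaks());
    printf("padded, all fields: %zu stale bytes (hole = %zu)\n",
           padded_all_members_leaks(), padded_hole_bytes());
    printf("padded, memset    : %zu stale bytes\n", padded_memset_leaks());
    return 0;
}
```

The padded case is the one that survives code review most often: every field is visibly assigned, so only a byte-level view of the object (or a memset before the assignments) catches it.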

Slide 36: Thanks ddz!

Slide 37: Plan of attack!
Stackjacking overview (diagram): Arbitrary write + Kstack disclosure -> ? -> ? -> ROOT?

Slide 38: What's useful on the kstack?
- Leak data off kstack? Sensitive data left behind? Not really.
- Leak addresses off kstack? Sensitive addresses left behind? Maybe.
  - Pointers to known structures could be exploited
  - Too specific of an attack!
- Need something more general: kstack disclosures differ widely in size/offsets

Slide 39: Kernel stack addresses
- How about leaking an address that:
  - Is stored on the stack; and
  - Points to an address on the stack
- These are pretty common, e.g. pointers to local stack vars, saved ebp, etc
- But what does this gain us?

Slide 40: Kernel stack self-discovery
- If we can leak a pointer to the kstack off the kstack, we can calculate the base address of the kstack
- Diagram: kstack spanning 0xcdef0000 to 0xcdef2000; a kstack frame holds 0xdeadbeef and 0xcdef1234, a pointer back into the kstack

    kstack_base = addr & ~(THREAD_SIZE - 1)
    kstack_base = 0xcdef1234 & ~(8192 - 1)
    kstack_base = 0xcdef0000

- We call this kstack self-discovery

Slide 41: Effective kstack discovery
- Not all kstack disclosures are alike
  - May only leak a few bytes, non-consecutive
  - How do we effectively self-discover?
- Manual analysis: figure out where kstack leak overlaps addresses
- Automatic analysis: libkstack

Slide 42: Manual kstack self-discovery
Manual, offline analysis:
1. prime stack with random syscall
2. leak bytes, see if any leaks match real kstack
3. repeat until we've collected enough bytes
4. construct list of priming syscalls needed for the particular leak to spill the beans

Slide 43: Automatic with libkstack
We can automate this process for runtime self-discovery with libkstack:
1. prime stack with random syscall
2. leak bytes, infer whether bytes belong to a kstack addr
3. repeat until we have sufficient confidence to calculate the kstack base addr

Slide 44: Plan of attack!
Diagram: Arbitrary write + Kstack disclosure -> Kstack self-discovery (manual analysis / auto with libkstack) -> ?

Slide 45: No longer complete darkness
A random pinpoint of light!
Address-space diagram: 0xffffffff (top) kernel, with the kstack now located inside it; 0xc0000000 (TASK_SIZE); user; 0x00000000 (bottom)
We can self-discover kstack address! Exploitation is... maybe feasible?

Slide 46: The next step
- We now have a tiny island
- Where to write? Pointers, data, metadata on kstack
- What to write? Use arbitrary write to modify anything on kstack
  - No userspace addrs (UDEREF), limited kernel
- Game over? Not yet!

Slide 47: Metadata on kernel stack
- Anything else of interest on the kstack?
- Diagram: start of stack at the high address; the 4k/8k stack grows down to the stack pointer; unused space below it; thread_info (current_thread_info) at the low address
- thread_info struct stashed at base of kstack!

Slide 48: thread_info candidates

    struct thread_info {
        struct task_struct      *task;
        struct exec_domain      *exec_domain;
        __u32                   flags;
        __u32                   status;
        __u32                   cpu;
        int                     preempt_count;
        mm_segment_t            addr_limit;
        struct restart_block    restart_block;
        void __user             *sysenter_return;
    #ifdef CONFIG_X86_32
        unsigned long           previous_esp;
        __u8                    supervisor_stack[0];
    #endif
        int                     uaccess_err;
    };

What can we modify within thread_info to escalate privs?

Slide 49: restart_block func ptr?
(struct thread_info as on slide 48)
- restart_block? Has a func ptr we can overwrite and invoke via userspace!
  - Can't point to userspace (UDEREF)
  - Can't point to kmem (blackbox)
  - Plus assuming no control flow mod

Slide 50: task_struct pointer?
(struct thread_info as on slide 48)
- task_struct? Could point it at init task struct for getting creds/caps of the init task
- But we don't know the address of init task struct!

Slide 51: Attacking task_struct

    struct thread_info {
        struct task_struct *task;
        ...
    };

    struct task_struct {
        ...
        const struct cred *real_cred;
        const struct cred *cred;
        ...
    };

    struct cred {
        ...
        uid_t uid;
        gid_t gid;
        ...
    };

- task_struct->creds? Modify creds of our process directly to escalate privileges?
- But in order to write task_struct->creds, we need to know the address of task_struct!
- If we could read the address of task_struct off the end of the kstack, we might win!

Slide 52: Connecting the dots
Expanding our visibility
Address-space diagram: 0xffffffff (top) kernel, containing kstack -> task_struct -> creds; 0xc0000000 (TASK_SIZE); user; 0x00000000 (bottom)
If we can read off the kstack, we can find task_struct/creds!

Slide 53: Attacking task_struct
- We have write + kleak. Can we turn this into an arbitrary read?
- If we can get arbitrary read:
  - Read base of kstack to find address of task_struct
  - Read task_struct to find address of creds struct
  - Write into creds struct to set uids/gids/caps
  - Spawn a root shell!

Slide 54: Plan of attack!
Diagram: Arbitrary write + Kstack disclosure -> Kstack self-discovery (manual analysis / auto with libkstack) -> STACK GROPING (? / read thread_info, task_struct) -> STACKJACKING (overwrite creds)

Slide 55: The Rosengrope Technique

Slide 56: Remember thread_info?
(struct thread_info as on slide 48; the member of interest here is addr_limit)

Slide 57: Vanilla kernel
- No segmentation, user/kernel separation enforced by paging
- copy_*_user functions check user pointers against addr_limit (per-thread variable in thread_info struct)
- On vanilla, setting addr_limit to KERNEL_DS (ULONG_MAX) gives arbitrary read/write (all checks pass)

Slide 58: set_fs()
- Sometimes kernel wants to reuse code with kernel pointer arguments
  - kernel_sendmsg, kernel_recvmsg, etc.
- Calls set_fs(KERNEL_DS) to set addr_limit and allow copy_*_user functions to copy kernel-to-kernel
- Careful to make sure no user-influenced pointers are used

Slide 59: PAX_UDEREF
- Strict user/kernel separation using segmentation
- Reload segment registers at kernel traps, used during copy operations
- Fault on invalid access

Slide 60: PAX_UDEREF and KERNEL_DS
- Use %gs register to keep track of segment for source/dest of copy
- set_fs(KERNEL_DS) sets addr_limit and reloads %gs register to contain KERNEL_DS segment selector

Slide 61: No more easy root.
- Writing KERNEL_DS to addr_limit is no longer sufficient
- Access checks on pointers will pass, but we'll still fault in copy functions because of incorrect segment registers

Slide 62: But...
- %gs register is reloaded on context switch (necessary to keep track of thread state)
- Reloaded based on contents of addr_limit!

Slide 63: Using KERNEL_DS trick
- Write KERNEL_DS into addr_limit of current thread
- Loop on write(pipefd, addr, size)
  - Eventually, thread will be scheduled out at right moment (before copy_from_user)
  - When thread resumes, %gs register will be reloaded with KERNEL_DS, and read target will be copied into pipe buffer (kernel-to-kernel copying)
- Restore addr_limit and read

Slide 64: Plan of attack!
Diagram: Arbitrary write + Kstack disclosure -> Kstack self-discovery (manual analysis / auto with libkstack) -> STACK GROPING (Rosengrope technique / ?; read thread_info, task_struct) -> STACKJACKING (overwrite creds)

Slide 65: Pros and cons of KERNEL_DS
- The Rosengrope technique
  - Pros: clean, simple, generic method to obtain arbitrary read from write + kleak
  - Cons: depends on knowing the location of addr_limit member of thread_info
    - It's possible to move thread_info out of the kstack!
- Any alternatives? Let's get a bit crazier.

Slides 66-68: The Obergrope Technique

Slide 69: Attacking the kstack frames
- The Obergrope technique
  - Don't attack the thread_info metadata on kstack
  - Attack the kstack frames themselves!
- End goal is a read: how to read data by writing a kstack frame?

Slide 70: Observations
- Lots of kernel codepaths copy data to userland, via copy_to_user(), put_user(), etc
- There may be copy_to_user() calls that use a source address argument that is, at some point, stored on the kernel stack
- If we can overwrite that source address on the kstack, we can control the source of the copy_to_user() and leak data to userspace

Slide 71: A problem
- How can we write to our own kstack?
  - Unlikely to be able to write into our own stack while exploiting the vulnerability for our arbitrary write
- Use parent/child processes
  - Child self-discovers kstack addr
  - Passes kstack addr to parent
  - Parent writes into child while child is in syscall

Slide 72: More problems
- How can we write to stack reliably?
- We have a tricky race to win: parent needs to write into child's kstack between when the copy_to_user() source register is pushed and popped from the kstack
- This is a very small race window.

Slide 73: Winning Linux kernel races
- How to win Linux kernel races
  - Get very lucky w/ scheduling on SMP machine
  - Cause a resource to be in contention (e.g. locks)
  - Cause kernel to page in from slow I/O device (sgrakkyu)
- Ehhh. We might hose the kernel if we lose the race
- Anything better?

Slide 74: A twist on winning races
- This isn't a "standard" race though
  - We can have child execute ANY codepath that performs copy_to_user() with a src arg on kstack
- Enter, sleepy syscalls!
  - Syscalls that allow us to put process to sleep for an arbitrary amount of time
  - nanosleep, wait, select, etc

Slide 75: Sleepy syscall conditions
- Any of these sleepy syscalls have our required conditions? Needs to:
  - Push a register to the stack
  - Go to sleep for an arbitrary amount of time
  - Pop that register off the stack
  - Use that register as the source for copy_to_user()

Slide 76: compat_sys_waitid

    asmlinkage long compat_sys_waitid(int which, compat_pid_t pid,
            struct compat_siginfo __user *uinfo, int options,
            struct compat_rusage __user *uru)
    {
        struct rusage ru;
        ...
        ret = sys_waitid(which, pid, (siginfo_t __user *)&info,
                         uru ? (struct rusage __user *)&ru : NULL);
        ...
        ret = put_compat_rusage(&ru, uru);
        ...
    }

    int put_compat_rusage(const struct rusage *r, struct compat_rusage __user *ru)
    {
        if (!access_ok(VERIFY_WRITE, ru, sizeof(*ru)) ||
            __put_user(r->ru_utime.tv_sec, &ru->ru_utime.tv_sec) ||
            ...
    }

Slide 77: compat_sys_waitid disasm

    Dump of assembler code for function compat_sys_waitid:
    ...
    0xffffffff810aba4e <+62>:  lea    0x140(%rbp),%r14
    ...
    0xffffffff810aba8b <+123>: callq  0xffffffff81063b70 <sys_waitid>
    ...
    0xffffffff810abaae <+158>: mov    %r14,%rdi
    0xffffffff810abab1 <+161>: callq  0xffffffff810aa700 <put_compat_rusage>
    ...

    Dump of assembler code for function sys_waitid:
    ...
    0xffffffff81063bf9 <+137>: callq  0xffffffff810637e0 <do_wait>
    ...

    Dump of assembler code for function do_wait:
    ...
    0xffffffff810637e6 <+6>:   push   %r14
    ...
    PROCESS GOES TO SLEEP HERE
    ...
    0xffffffff810639fb <+539>: pop    %r14
    ...

1) compat_sys_waitid() stores address of ru in r14
2) compat_sys_waitid() calls sys_waitid()
3) sys_waitid() calls do_wait()
4) do_wait() pushes r14 on kstack
5) do_wait() sleeps indefinitely
6) we clobber the saved r14 reg on the kstack
7) do_wait() wakes up
8) do_wait() pops r14 off the kstack
9) do_wait() returns
10) sys_waitid() returns
11) compat_sys_waitid() calls put_compat_rusage()
12) put_compat_rusage() uses clobbered source addr
13) __put_user() copies from source addr to userspace

Slide 78: compat_sys_waitid reliability
- Is this reliable across kernel versions? Yes, tested on:
  - Lucid default build: vmlinuz-2.6.32-24-generic
  - Lucid custom build: vmlinuz-2.6.32.26+drm33.12
  - Vanilla build: vmlinuz-2.6.36.3
  - Vanilla build + grsec: vmlinuz-2.6.36.3-grsec
- How about compilers? Across most gcc 4.x? Needs more investigation
  - Potentially could runtime fingerprint compiler

Slide 79: High-level exploit flow
1. jacker forks/execs groper
2. groper gets its own kstack addr
3. groper passes kstack addr up to jacker
4. groper forks/execs helper
5. helper goes to sleep for a bit
6. groper calls waitid on helper
7. jacker overwrites the required offset on groper's stack
8. helper wakes up from sleep
9. groper returns from waitid
10. groper leaks task_struct address back to userspace
11. groper passes leaked address back up with jacker
12. steps 4-11 are repeated to leak task/cred addresses
13. jacker modifies groper's cred struct in-place
14. groper forks off a root shell

Slide 80: Plan of attack!
Diagram: Arbitrary write + Kstack disclosure -> Kstack self-discovery (manual analysis / auto with libkstack) -> STACK GROPING (Rosengrope technique / Obergrope technique; read thread_info, task_struct) -> STACKJACKING (overwrite creds)

Slide 81: Live demo!
Exploit against live hardened system.

Slide 82: Defenses?
- Mitigate the exploitation vectors?
  - Remove thread_info metadata from kstack
  - RANDKSTACK?
- Eliminate all kstack disclosures?
  - Clear kstack between syscalls?
  - Compiler/toolchain magic?

Slide 83: Greetz
#busticati

Slide 84: Q&A
QUESTIONS?
Jon Oberheide, jon@oberheide.org, Duo Security
Dan Rosenberg, dan.j.rosenberg@gmail.com, Virtual Security Research
