#BHASIA BlackHatEvents

One Flip is All It Takes: Identifying Syscall-Guard Variables for Data-Only Attacks
Speaker: Hengkai Ye, The Pennsylvania State University
Other Contributors: Hong Hu, Song Liu, Zhechang Zhang

Slide 2: Team
Hengkai Ye, Ph.D. Student, Penn State University
Song Liu, Ph.D. Student, Penn State University
Zhechang Zhang, Ph.D. Student, Penn State University
Hong Hu, Assistant Professor, Penn State University

Slide 3: Current Exploit Method: Control-Flow Hijacking
Memory-Access Primitives: Arbitrary Read, Arbitrary Write
Control Data: Return Address, Function Pointer
Control-Flow Hijacking: Code Injection, Code Reuse

Slide 4: Current Exploit Method: Control-Flow Hijacking
Memory-Access Primitives: Arbitrary Read, Arbitrary Write
Control Data: Return Address, Function Pointer
Control-Flow Hijacking: Code Injection, Code Reuse
Code-Pointer Integrity
Control-Flow Integrity

Slide 5: Next Gen Exploit Method: Data-Only Attack
Memory-Access Primitives: Arbitrary Read, Arbitrary Write
Control Data: Return Address, Function Pointer
Control-Flow Hijacking: Code Injection, Code Reuse
Non-Control Data
Data-Only Attack: Data-Oriented Programming, Block-Oriented Programming
Code-Pointer Integrity
Control-Flow Integrity

Slide 7: Data-Only Attack
Chen, Shuo, et al. Non-control-data attacks are realistic threats. USENIX Security Symposium. Vol. 5. 2005.
CGI-BIN configuration string in Null Httpd
Server: Load CGI-BIN configuration: /usr/local/httpd/cgi-bin
Client: POST /cgi-bin/calculator
/cgi-bin/: a CGI request
calculator: executable name
Server: Search calculator in /usr/local/httpd/cgi-bin
Server: Run calculator if found
What if configuration /usr/local/httpd/cgi-bin gets corrupted?

Slide 8: Data-Only Attack
Chen, Shuo, et al. Non-control-data attacks are realistic threats. USENIX Security Symposium. Vol. 5. 2005.
CGI-BIN configuration string in Null Httpd
Server: Load CGI-BIN configuration: /usr/local/httpd/cgi-bin
/cgi-bin/: a CGI request
sh: executab