\documentclass[usenames,dvipsnames]{beamer} \usepackage{xcolor} \usepackage[utf8]{inputenc} \usepackage{listings} \usepackage{tikz} \usepackage[style=alphabetic,giveninits=true,terseinits=true]{biblatex} \usepackage{graphicx} \usetikzlibrary{matrix, positioning, decorations.pathreplacing, overlay-beamer-styles} \definecolor{tumblue}{RGB}{0,101,189} \definecolor{dkgreen}{rgb}{0,0.6,0} \definecolor{mauve}{rgb}{0.58,0,0.82} \lstset{ basicstyle=\footnotesize\ttfamily,% columns=fullflexible,% keywordstyle=\bfseries\color{blue},% commentstyle=\color{dkgreen},% stringstyle=\color{mauve},% } \DeclareFieldFormat{url}{\href{#1}{\resizebox{!}{2ex}{\lower3pt\hbox{\pgfuseimage{beamericononline}}}}} \addbibresource{slides.bib} \setbeamerfont{footnote}{size=\tiny} \renewcommand\footnoterule{} \usecolortheme{orchid} \setbeamertemplate{navigation symbols}{} \setbeamertemplate{sidebar right}{% also implies no navbar \llap{\tikz\fill[tumblue,scale=.1] (0,0) ++(-5cm,-5cm) ++(-10cm,0) +(0cm,0cm) -- +(4cm,0cm) -- +(4cm,-4cm) -- +(5cm,-4cm) -- +(5cm,0cm) -- +(10cm,0cm) -- +(10cm,-5cm) -- +(9cm,-5cm) -- +(9cm,-1cm) -- +(8cm,-1cm) -- +(8cm,-5cm) -- +(7cm,-5cm) -- +(7cm,-1cm) -- +(6cm,-1cm) -- +(6cm,-5cm) -- +(3cm,-5cm) -- +(3cm,-1cm) -- +(2cm,-1cm) -- +(2cm,-5cm) -- +(1cm,-5cm) -- +(1cm,-1cm) -- +(0cm,-1cm) -- cycle;} % Slide number in triangle. \vfill\llap{\tikz\path[fill=tumblue,inner sep=3pt] (0,0) -- ++(-1cm,0) -- +(1cm,1cm) -- cycle node[anchor=south east] {\usebeamerfont{footline}\color{white}\bfseries\insertframenumber};}% % Variant without triangle %\vfill\llap{\usebeamerfont{footline}\usebeamercolor[fg]{footline}\insertframenumber\hskip3pt}\vskip3pt% } \graphicspath{ {./images/} } \title{CoPaaS - Compiler-oriented Programming as a Service} \author{Simon Bußmann \and Johannes Maier} \institute{School of Computation, Information, and Technology\\Technical University of Munich} \date{Future} \begin{document} \begin{frame} \titlepage \end{frame} \begin{frame}{The program} \begin{itemize} \item JIT-Compiler for toy ISA \item Instructions: \lstinline{ADD, ADDI, SUB, COPY, LOADI} \item Important: No jumps, branches, function calls, etc. for simplicity \item Registers: \only<1> { \begin{tabular}{|l|l|l|} \hline \textbf Adelheid & \textbf Friedrich & \textbf Klaus \\ \hline \textbf Berthold & \textbf Giesela & \textbf Liesbeth \\ \hline \textbf Cornelia & \textbf Heinrich & \textbf Manfred \\ \hline \textbf Dora & \textbf Irmgard & \textbf Norbert \\ \hline \textbf Engelbert & \textbf Joachim & \\ \hline \end{tabular} } \only<2-> { \texttt A, \texttt B\dots \texttt N } \visible<3-> { \item Seccomp jail for generated code \item Except: \visible<4->{In premium mode activated by key} } \visible<5->{ \item NX, PIE, Full RERLO, Stack Canary } \end{itemize} \end{frame} \begin{frame}{x86-64 Instruction Encoding Basics} \begin{columns} \begin{column}{0.35\textwidth} Parts of an instruction: \begin{itemize} \item \textcolor<2>{blue}{Prefixes} \item Opcode \item \textcolor<3-5>{blue}{ModR/M} \item SIB \item Displacement \item Immediate \end{itemize} \end{column} \begin{column}{0.65\textwidth} \begin{tikzpicture}[scale=0.75] % REX.W prefix \matrix (rex) at (0,0) [ matrix of nodes, nodes={draw, minimum size=18pt, anchor=center}, column sep=-\pgflinewidth, row sep=-\pgflinewidth, ampersand replacement=\& ] { 0 \& 1\& 0 \& 0 \& \textcolor<2>{blue}{W} \& \textcolor<2>{blue}{R} \& X \& \textcolor<2>{blue}{B} \\ }; % ModR/M byte \matrix (modrm) [ below=20pt of rex, matrix of nodes, nodes={draw, minimum size=18pt, anchor=center}, column sep=-\pgflinewidth, row sep=-\pgflinewidth, ampersand replacement=\& ] { \textcolor<3>{blue}{1} \& \textcolor<3>{blue}{1} \& \textcolor<4>{blue}{0} \& \textcolor<4>{blue}{1} \& \textcolor<4>{blue}{0} \& \textcolor<5>{blue}{0} \& \textcolor<5>{blue}{0} \& \textcolor<5>{blue}{0} \\ }; % Labels \node[anchor=east] at (rex.west) {REX.W}; \node[anchor=east] at (modrm.west) {ModR/M}; % Brackets for ModR/M parts \draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}, alt=<3>{blue}{black}] (modrm-1-1.south west) -- (modrm-1-2.south east) node[midway, below=14pt] {\textcolor<3>{blue}{Modifier}}; \draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}, alt=<4>{blue}{black}] (modrm-1-3.south west) -- (modrm-1-5.south east) node[midway, below=14pt, xshift=-4pt] {\textcolor<4>{blue}{Reg}}; \draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}, alt=<5>{blue}{black}] (modrm-1-6.south west) -- (modrm-1-8.south east) node[midway, below=14pt] {\textcolor<5>{blue}{RM}}; \end{tikzpicture} \end{column} \end{columns} \end{frame} \begin{frame}{The Bug} \only<2-3> { \begin{figure} \centering \includegraphics[scale=0.65]{bug} \end{figure} } \visible<3>{No, not you...} \only<4->{ \begin{itemize} \item Faulty encoding of instructions using \lstinline{r[8-15]} \item[$\Rightarrow$] Register ids are 4bit long \item Example: encode ModR/M for \lstinline{mov r8, r9} \item Register ids: $\text r8 = 0\text b1000, \text r9 = 0\text b1001$ \[\text{Mod R/M} = \textcolor<4>{blue}{0\text{b}1100\_0000} + \textcolor<5>{blue}{(\text{reg2\_id} \ll 3)} + \textcolor<6>{blue}{\text{reg1\_id}}\] \end{itemize} \begin{center} \begin{tikzpicture} \matrix (modrm) [ below=20pt of rex, matrix of nodes, nodes={draw, minimum size=18pt, anchor=center}, column sep=-\pgflinewidth, row sep=-\pgflinewidth, ampersand replacement=\& ] { \textcolor<4>{blue}{\textcolor<5>{red}{\alt<5->{0}{1}}} \& \textcolor<4>{blue}{\textcolor<5>{red}{\alt<5->{0}{1}}} \& \textcolor<5>{blue}{0} \& \textcolor<5>{blue}{\textcolor<6>{red}{\alt<6->{1}{0}}} \& \textcolor<5>{blue}{\textcolor<6>{red}{\alt<5>{1}{0}}} \& \textcolor<6>{blue}{0} \& \textcolor<6>{blue}{0} \& \textcolor<6>{blue}{0} \\ }; \end{tikzpicture} \end{center} } \only<6>{ \begin{itemize} \item Actually encoded instruction: \lstinline{mov [r8], r10} \end{itemize} } \end{frame} \begin{frame}{Exploit Primitives} But, what can we do with that? % TODO: describe primitives further \begin{itemize} \item Arbitrary write: \lstinline{mov [reg1], reg2} \only<1-2> { \begin{itemize} \item Use \lstinline{COPY} to generate \lstinline{mov}, overflow into modifier bits \item Register id constraints: $\text{\textcolor{ForestGreen}{reg1\_id}} = 0\text{b}0\text{xxx}, \text{\textcolor{blue}{reg2\_id}}=0\text{b}1\text{xxx}$ \item Example: \texttt{mov \textcolor{ForestGreen}{rax}, \textcolor{blue}{r8}} $\Rightarrow$ \texttt{mov [\textcolor{ForestGreen}{rax}], \textcolor{blue}{r8}} \end{itemize} \begin{center} \begin{tikzpicture} \matrix (modrm) [ below=20pt of rex, matrix of nodes, nodes={draw, minimum size=18pt, anchor=center}, column sep=-\pgflinewidth, row sep=-\pgflinewidth, ampersand replacement=\& ] { \textcolor<1>{black}{\textcolor<2>{red}{\alt<2>{0}{1}}} \& \textcolor<1>{black}{\textcolor<2>{red}{\alt<2>{0}{1}}} \& \textcolor<2>{blue}{0} \& \textcolor<2>{blue}{0} \& \textcolor<2>{blue}{0} \& \textcolor<2>{ForestGreen}{0} \& \textcolor<2>{ForestGreen}{0} \& \textcolor<2>{ForestGreen}{0} \\ }; \draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}] (modrm-1-1.south west) -- (modrm-1-8.south east) node[midway, below=14pt] {ModR/M Byte}; \end{tikzpicture} \end{center} } \item Arbitrary read: \lstinline{mov reg1, [reg2]} \only<3>{ \begin{itemize} \item Actually: \lstinline{mov reg1, 0; add reg1, [reg2]} \item Use same trick as for write \item There exists multiple opcodes for add\footnote{Also for most other standard x86 operations.}, for example: \item Opcode $= 0x1$: \lstinline{add [reg2], reg1} \item Opcode $= 0x3$: \lstinline{add reg1, [reg2]} \end{itemize} } \item Stack access \only<4-5> { \begin{itemize} \item Achieved by overflow into \lstinline{reg2_id} \item \lstinline{COPY G, B} should be compiled to: \lstinline{mov r8, rbx} \item<5> Actually compiled: \lstinline{mov r8, rsp} \end{itemize} \begin{center} \begin{tikzpicture} \matrix (modrm) [ below=20pt of rex, matrix of nodes, nodes={draw, minimum size=18pt, anchor=center}, column sep=-\pgflinewidth, row sep=-\pgflinewidth, ampersand replacement=\& ] { 1 \& 1 \& \textcolor<5>{red}{\alt<5>{1}{0}} \& \textcolor<5>{red}{\alt<5>{0}{1}} \& \textcolor<5>{red}{\alt<5>{0}{1}} \& \textcolor<5>{blue}{0} \& \textcolor<5>{blue}{0} \& \textcolor<5>{blue}{0} \\ }; \draw[semithick, decorate, decoration={brace, amplitude=10pt, mirror, raise=4pt}] (modrm-1-1.south west) -- (modrm-1-8.south east) node[midway, below=14pt] {ModR/M Byte}; \end{tikzpicture} \end{center} } \end{itemize} \end{frame} \begin{frame}{The Exploit} \only<1-4>{ Steps: \begin{itemize} \item Leak activation key \only<2>{ \begin{itemize} \item Activation key is located in the binary \item Use stack access primitive to leak return address \item Use arbitrary read primitive to leak the key byte by byte \end{itemize} } \item Escape seccomp jail \only<3>{ \begin{itemize} \item Activate premium mode with the leaked key \item \it{much wow great hacking} \end{itemize} } \item Execute \lstinline{system("/bin/sh")} \only<4>{ \begin{itemize} \item Use stack access primitive to leak a libc address \item Calculate \lstinline{system} and \lstinline{/bin/sh} addresses \item Load \lstinline{/bin/sh} address into \lstinline{rdi} \item Use arbitrary write primitive to overwrite saved rip \end{itemize} } \end{itemize} } \only<5>{ \begin{figure} \centering \includegraphics[scale=0.22]{profit_penguin} \end{figure} } \end{frame} \end{document}