Linux binary analysis and exploitation
Download as pptx, pdf2 likes1,101 views
The document discusses the analysis and exploitation of binaries in remote services, emphasizing the challenges in circumventing modern operating system security features like ASLR, NX, and stack canaries. It outlines a step-by-step approach for identifying vulnerabilities in a target binary and constructing exploits to achieve remote code execution. The conclusion stresses the necessity of secure coding practices and input validation, despite the presence of OS security features, to mitigate risks from memory errors.
1 of 27
Downloaded 18 times
![© 2016 Fraunhofer USA, Inc.
Center for Experimental Software Engineering
19
Step 3: Reachability analysis:
Manually reversed C function from
binary (sample)
void doprocessing()
{
char base64Out[0x200];
char userInput[0x400];
bzero(base64Out, 0x200);
bzero(userInput, 0x400);
write(1, "Please enter your base 64 string: n", 0x23);
read(0, userInput, 0x400);
write(1, "Your message is:n", 0x11);
write(1, base64Out, base64_decode(userInput, base64Out));
/* base64_decode is not checking the decoded buffer size */
write(1, "nThank you for using ringzer0 base64 decoder!n", 0x2e);
}
• Base64_decode can corrupt the return address of doprocessing
• Remote code execution: If the base 64 decoded string exceeds the buffer size](https://image.slidesharecdn.com/linuxbinaryexploitationslideshare-160809132335/85/Linux-binary-analysis-and-exploitation-19-320.jpg)
Ad
Recommended
Automated testing of NASA Software - part 2
Automated testing of NASA Software - part 2Dharmalingam Ganesan 1) The document describes an approach for automated testing of large multi-language software systems using cloud computing.
2) Key aspects of the approach include generating test cases from models of software APIs and interfaces and executing them using tools like JUnit and Selenium.
3) The approach was applied to test portions of NASA software like GMSEC and CFS, and was able to find bugs not discovered with manual testing.
Secure application programming in the presence of side channel attacks
Secure application programming in the presence of side channel attacksDharmalingam Ganesan This document discusses secure programming patterns to harden code against side channel attacks. It describes several patterns such as using random offsets when accessing arrays instead of sequential access, verifying full data before authentication instead of early failure, using non-trivial constants, verifying loop and data integrity with checksums, and choosing constants with maximum hamming distance for fault resistance. Implementing these patterns makes reverse engineering and attacks like fault injection more difficult.
Reverse Engineering of Software Architecture
Reverse Engineering of Software ArchitectureDharmalingam Ganesan This document summarizes a presentation given by Mikael Lindvall and Dharma Ganesan of the Fraunhofer Center for Experimental Software Engineering Maryland on software architecture, reverse engineering, and analyzing legacy systems. The Fraunhofer Center develops techniques for analyzing the structure and behavior of legacy software using methods and tools. They have analyzed several large legacy systems, including NASA's Space Network and Core Flight Software. The presentation describes their model of software architecture and reverse engineering, which involves creating views of the runtime and development architecture from source code. It also gives an example of how they analyzed the Common Ground System, a ground system for NASA missions, by visualizing its actual architecture based on source code.
How to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveAmiq Consulting The document discusses the verification of algorithmic blocks using open-source tools such as Octave and SystemVerilog, presenting case studies on SHA-3 and DSP functions. It outlines implementation challenges, comparisons of performance and complexity, and how to connect SystemVerilog with Octave for efficient algorithm verification. The conclusions highlight the strengths of each tool in terms of performance, implementation time, and debugging efficiency.
System verilog important
System verilog importantelumalai7 The document discusses the building blocks of a SystemVerilog testbench. It describes the program block, which encapsulates test code and allows reading/writing signals and calling module routines. Interface and clocking blocks are used to connect the testbench to the design under test. Assertions, randomization, and other features help create flexible testbenches to verify design correctness.
Unit testing on embedded target with C++Test
Unit testing on embedded target with C++TestEngineering Software Lab The document discusses unit testing in embedded environments using Parasoft C++Test, outlining the definition of embedded systems, the significance of unit testing, and the specific functionalities of C++Test for automatic test case generation and regression testing. It details the challenges and limitations faced during unit testing in embedded settings, such as memory constraints and communication issues. Overall, it emphasizes the importance of unit testing on target platforms for detecting hardware and software interaction problems and improving code robustness.
Buffer overflow attacks
Buffer overflow attacksJapneet Singh This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
System verilog control flow
System verilog control flowPushpa Yakkala System Verilog introduces several new control flow constructs compared to Verilog, including unique if, priority if, foreach loops, and enhanced for loops. It also adds tasks and functions with arguments that can be passed by value, reference, or name. System Verilog defines two types of blocks - sequential blocks that execute statements sequentially and parallel blocks like fork-join that execute statements concurrently. It introduces various timing controls like delays, events, and wait statements.
system verilog
system verilogVinchipsytm Vlsitraining The document describes a SystemVerilog verification methodology that includes assertion-based verification, coverage-driven verification, constrained random verification, and use of scoreboards and checkers. It outlines the verification flow from design specifications through testbench development, integration and simulation, and discusses techniques like self-checking test cases, top-level and block-level environments, and maintaining bug reports.
Return oriented programming
Return oriented programminghybr1s The document discusses return-oriented programming (ROP), an advanced exploitation technique used to leverage buffer overflow vulnerabilities by chaining short instruction sequences known as 'gadgets' to perform arbitrary computations. It provides a historical background of ROP, examples of its uses in computer worms, and various countermeasures to mitigate such vulnerabilities. Additionally, it includes a demonstration of a ROP compiler, ropgadget, which helps identify available gadgets within a binary.
Jonathan bromley doulos
Jonathan bromley doulosObsidian Software This document summarizes the verification methodology landscape. It discusses languages, methodologies, tools and standards used for hardware verification including OVM, VMM, and eRM. It also covers topics like interoperability between methodologies and convergence of approaches.
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCFPGA Central This document discusses upgrading FPGA designs to SystemVerilog. It presents an agenda that covers SystemVerilog constructs for RTL design, interfaces, assertions, and success stories. It then discusses the SystemVerilog-FPGA ecosystem. The presenter has over 13 years of experience in VLSI design and verification and has authored books on verification topics including SystemVerilog assertions. SystemVerilog is a superset of Verilog-2001 and offers enhanced constructs for modeling logic, interfaces, testbenches and connecting to C/C++.
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser This document discusses stack-based buffer overflows, including:
- How they occur when a program writes outside a fixed-length buffer, potentially corrupting data or code.
- Their history and use in attacks like the 2001 Code Red worm.
- Technical details like how the stack and registers work.
- Career opportunities in security analysis and development to prevent and respond to such vulnerabilities.
- The ethical responsibilities of developers to write secure code and disclose vulnerabilities responsibly.
Dissertation Defense
Dissertation DefenseSung Kim The document summarizes a dissertation defense about adaptive bug prediction by analyzing project history. It discusses the motivation for leveraging project history and software configuration management data for bug prediction. It also describes creating a corpus by identifying bug-fix changes and bug-introducing changes from commits. The dissertation proposes using a "bug cache" to predict likely locations of future bugs based on past bug occurrences.
Session 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesNirav Desai The document discusses assertion based verification and interfaces in SystemVerilog. It describes immediate assertions which execute in zero simulation time and can be placed within always blocks. Concurrent assertions check properties over time and are evaluated at clock edges. The document also introduces interfaces in SystemVerilog which allow defining communication ports between modules in a single place, reducing repetitive port definitions. Interfaces can include protocol checking and signals can be shared between interface instances.
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingYue Chen This document describes KARMA, a system for adaptive Android kernel live patching. KARMA can automatically adapt patches to different device kernels by using semantic matching. It confines patches using Lua virtual machine to ensure they are memory-safe. KARMA can apply patches at different levels, from function entry/exit points to specific call sites. The evaluation shows KARMA can patch 76 real vulnerabilities and incurs low performance overhead.
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphscorpaulbezemer The document discusses the challenges of understanding software performance regressions using differential flame graphs (DFGs), highlighting the complexities involved in performance testing compared to functional testing. It outlines a systematic approach to regression testing and the difficulties in measuring performance metrics, along with exploring visualization techniques like flame graphs for analyzing performance data. The ongoing work aims to improve detection and interpretation of I/O regressions and seeks input on using various performance profiles.
Session 9 advance_verification_features
Session 9 advance_verification_featuresNirav Desai The document discusses several advanced verification features in SystemVerilog including the Direct Programming Interface (DPI), regions, and program/clocking blocks. The DPI allows Verilog code to directly call C functions without the complexity of Verilog PLI. Regions define the execution order of events and include active, non-blocking assignment, observed, and reactive regions. Clocking blocks make timing and synchronization between blocks explicit, while program blocks provide entry points and scopes for testbenches.
Uvm presentation dac2011_final
Uvm presentation dac2011_finalsean chen The document describes a workshop on Universal Verification Methodology (UVM) that will cover UVM concepts and techniques for verifying blocks, IP, SOCs, and systems. The workshop agenda includes presentations on UVM concepts and architecture, sequences and phasing, TLM2 and register packages, and putting together UVM testbenches. The workshop is organized by Dennis Brophy, Stan Krolikoski, and Yatin Trivedi and will take place on June 5, 2011 in San Diego, CA.
Buffer overflow explained
Buffer overflow explainedTeja Babu Buffer overflow is a vulnerability caused by improper memory management in programs, often due to developer carelessness. It occurs when programs process user-provided data without proper bounds checking, leading to potential unauthorized access or program crashes. Prevention strategies include writing safe code, using secure libraries, and implementing protection measures available in modern operating systems.
System Verilog 2009 & 2012 enhancements
System Verilog 2009 & 2012 enhancementsSubash John This document summarizes enhancements made to System Verilog in 2009 and 2012. The 2009 enhancements included final blocks, bit selects of expressions, edge detection for DDR logic, fork-join improvements, and display enhancements. The 2012 enhancements extended enums, added scale factors to real constants and mixed-signal assertions, introduced aspect-oriented programming features, and removed X-optimism using new keywords. It also proposed signed operators and discussed some high-level problems not yet addressed.
SystemVerilog Assertions verification with SVAUnit - DVCon US 2016 Tutorial
SystemVerilog Assertions verification with SVAUnit - DVCon US 2016 TutorialAmiq Consulting This document provides an overview of SystemVerilog Assertions (SVAs) and the SVAUnit framework for verifying SVAs. It begins with an introduction to SVAs, including types of assertions and properties. It then discusses planning SVA development, such as identifying design characteristics and coding guidelines. The document outlines implementing SVAs and using the SVAUnit framework, which allows decoupling SVA definition from validation code. It provides an example demonstrating generating stimuli to validate an AMBA APB protocol SVA using SVAUnit. Finally, it summarizes SVAUnit's test API and features for error reporting and test coverage.
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan The document discusses the challenges of maintaining traceability in NASA projects and introduces the IR-SIM tool designed to automate this process by generating traceability links between requirements, source code, and test cases. A preliminary empirical study was conducted using NASA's Core Flight Software to evaluate the tool's effectiveness, with results indicating that a combination of CamelCase and TF-IDF parsing strategies yielded the best precision in tracing. The study emphasizes the need for further validation across different systems and addresses potential issues affecting traceability accuracy.
bh-europe-01-clowes
bh-europe-01-clowesguest3e5046 The document discusses several techniques for modifying and injecting code into running processes on Linux and Solaris systems, including:
1) InjLib, a technique for injecting DLLs into Windows processes by allocating memory, copying code, and creating threads.
2) Binary patching, which statically modifies executable files by adding new code segments and linking to existing code.
3) In-core patching, which dynamically modifies a running process's memory image using ptrace or procfs.
4) Leveraging the dynamic linker's symbol resolution to intercept function calls and inject code.
Introduction to System verilog
Introduction to System verilog Pushpa Yakkala This document provides an introduction and overview of System Verilog. It discusses what System Verilog is, why it was developed, its uses for hardware description and verification. Key features of System Verilog are then outlined such as its data types, arrays, queues, events, structures, unions and classes. Examples are provided for many of these features.
Requirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan The document discusses the implementation of requirement-driven model-based testing (MBT) for the software bus service of a complex system, focusing on the challenges of traditional testing methods. It highlights the use of a parent-child architecture for testing communication between tasks and the benefits of MBT in identifying off-nominal behaviors and improving requirement traceability. Ultimately, the findings demonstrate MBT's effectiveness in detecting functional errors and revealing missing or unclear requirements.
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Yue Chen This document discusses Ravel, a system for locating vulnerabilities from detected attacks. Ravel records non-deterministic inputs during program execution and replays them with instrumentation to reproduce attacks offline. It then uses data flow analysis and other techniques to pinpoint the underlying vulnerability by detecting violations between the program's control and data flows. The system was able to accurately locate vulnerabilities like buffer overflows, integer errors, and use-after-frees in evaluated programs.
Finding Bugs Faster with Assertion Based Verification (ABV)
Finding Bugs Faster with Assertion Based Verification (ABV)DVClub 1) Assertion-based verification introduces assertions into a design to improve observability and controllability during simulation and formal analysis.
2) Assertions define expected behavior and can detect errors by monitoring signals within a design.
3) An assertion-based verification methodology leverages assertions throughout the verification flow from module to system level using various tools like simulation, formal analysis, and acceleration for improved productivity, quality, and reduced verification time.
Exploiting Cryptographic Misuse - An Example
Exploiting Cryptographic Misuse - An ExampleDharmalingam Ganesan The document details a specific attack exploiting cryptographic misuse in a client-server system using Output Feedback (OFB) mode with Rijndael 256 as the block cipher. By manipulating the ciphertext from a cryptographic token, the attacker can escalate their privileges from a regular user to an admin without knowing the encryption key. The author concludes that using authenticated encryption schemes or integrating message authentication codes could help prevent such vulnerabilities.
Model-based Testing of a Software Bus - Applied on Core Flight Executive
Model-based Testing of a Software Bus - Applied on Core Flight ExecutiveDharmalingam Ganesan This document discusses model-based testing of a software bus applied to the Core Flight Executive system. It describes traditional automated testing methods and their limitations. Model-based testing uses a model of the system under test to automatically generate test cases. The authors developed a model of the Core Flight Executive software bus in Spec Explorer to generate test cases covering behaviors like message creation, subscription, and sending. This allowed rigorous testing of the multi-tasking architecture.
More Related Content
What's hot (20)
system verilog
system verilogVinchipsytm Vlsitraining The document describes a SystemVerilog verification methodology that includes assertion-based verification, coverage-driven verification, constrained random verification, and use of scoreboards and checkers. It outlines the verification flow from design specifications through testbench development, integration and simulation, and discusses techniques like self-checking test cases, top-level and block-level environments, and maintaining bug reports.
Return oriented programming
Return oriented programminghybr1s The document discusses return-oriented programming (ROP), an advanced exploitation technique used to leverage buffer overflow vulnerabilities by chaining short instruction sequences known as 'gadgets' to perform arbitrary computations. It provides a historical background of ROP, examples of its uses in computer worms, and various countermeasures to mitigate such vulnerabilities. Additionally, it includes a demonstration of a ROP compiler, ropgadget, which helps identify available gadgets within a binary.
Jonathan bromley doulos
Jonathan bromley doulosObsidian Software This document summarizes the verification methodology landscape. It discusses languages, methodologies, tools and standards used for hardware verification including OVM, VMM, and eRM. It also covers topics like interoperability between methodologies and convergence of approaches.
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCFPGA Central This document discusses upgrading FPGA designs to SystemVerilog. It presents an agenda that covers SystemVerilog constructs for RTL design, interfaces, assertions, and success stories. It then discusses the SystemVerilog-FPGA ecosystem. The presenter has over 13 years of experience in VLSI design and verification and has authored books on verification topics including SystemVerilog assertions. SystemVerilog is a superset of Verilog-2001 and offers enhanced constructs for modeling logic, interfaces, testbenches and connecting to C/C++.
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser This document discusses stack-based buffer overflows, including:
- How they occur when a program writes outside a fixed-length buffer, potentially corrupting data or code.
- Their history and use in attacks like the 2001 Code Red worm.
- Technical details like how the stack and registers work.
- Career opportunities in security analysis and development to prevent and respond to such vulnerabilities.
- The ethical responsibilities of developers to write secure code and disclose vulnerabilities responsibly.
Dissertation Defense
Dissertation DefenseSung Kim The document summarizes a dissertation defense about adaptive bug prediction by analyzing project history. It discusses the motivation for leveraging project history and software configuration management data for bug prediction. It also describes creating a corpus by identifying bug-fix changes and bug-introducing changes from commits. The dissertation proposes using a "bug cache" to predict likely locations of future bugs based on past bug occurrences.
Session 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesNirav Desai The document discusses assertion based verification and interfaces in SystemVerilog. It describes immediate assertions which execute in zero simulation time and can be placed within always blocks. Concurrent assertions check properties over time and are evaluated at clock edges. The document also introduces interfaces in SystemVerilog which allow defining communication ports between modules in a single place, reducing repetitive port definitions. Interfaces can include protocol checking and signals can be shared between interface instances.
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingYue Chen This document describes KARMA, a system for adaptive Android kernel live patching. KARMA can automatically adapt patches to different device kernels by using semantic matching. It confines patches using Lua virtual machine to ensure they are memory-safe. KARMA can apply patches at different levels, from function entry/exit points to specific call sites. The evaluation shows KARMA can patch 76 real vulnerabilities and incurs low performance overhead.
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphscorpaulbezemer The document discusses the challenges of understanding software performance regressions using differential flame graphs (DFGs), highlighting the complexities involved in performance testing compared to functional testing. It outlines a systematic approach to regression testing and the difficulties in measuring performance metrics, along with exploring visualization techniques like flame graphs for analyzing performance data. The ongoing work aims to improve detection and interpretation of I/O regressions and seeks input on using various performance profiles.
Session 9 advance_verification_features
Session 9 advance_verification_featuresNirav Desai The document discusses several advanced verification features in SystemVerilog including the Direct Programming Interface (DPI), regions, and program/clocking blocks. The DPI allows Verilog code to directly call C functions without the complexity of Verilog PLI. Regions define the execution order of events and include active, non-blocking assignment, observed, and reactive regions. Clocking blocks make timing and synchronization between blocks explicit, while program blocks provide entry points and scopes for testbenches.
Uvm presentation dac2011_final
Uvm presentation dac2011_finalsean chen The document describes a workshop on Universal Verification Methodology (UVM) that will cover UVM concepts and techniques for verifying blocks, IP, SOCs, and systems. The workshop agenda includes presentations on UVM concepts and architecture, sequences and phasing, TLM2 and register packages, and putting together UVM testbenches. The workshop is organized by Dennis Brophy, Stan Krolikoski, and Yatin Trivedi and will take place on June 5, 2011 in San Diego, CA.
Buffer overflow explained
Buffer overflow explainedTeja Babu Buffer overflow is a vulnerability caused by improper memory management in programs, often due to developer carelessness. It occurs when programs process user-provided data without proper bounds checking, leading to potential unauthorized access or program crashes. Prevention strategies include writing safe code, using secure libraries, and implementing protection measures available in modern operating systems.
System Verilog 2009 & 2012 enhancements
System Verilog 2009 & 2012 enhancementsSubash John This document summarizes enhancements made to System Verilog in 2009 and 2012. The 2009 enhancements included final blocks, bit selects of expressions, edge detection for DDR logic, fork-join improvements, and display enhancements. The 2012 enhancements extended enums, added scale factors to real constants and mixed-signal assertions, introduced aspect-oriented programming features, and removed X-optimism using new keywords. It also proposed signed operators and discussed some high-level problems not yet addressed.
SystemVerilog Assertions verification with SVAUnit - DVCon US 2016 Tutorial
SystemVerilog Assertions verification with SVAUnit - DVCon US 2016 TutorialAmiq Consulting This document provides an overview of SystemVerilog Assertions (SVAs) and the SVAUnit framework for verifying SVAs. It begins with an introduction to SVAs, including types of assertions and properties. It then discusses planning SVA development, such as identifying design characteristics and coding guidelines. The document outlines implementing SVAs and using the SVAUnit framework, which allows decoupling SVA definition from validation code. It provides an example demonstrating generating stimuli to validate an AMBA APB protocol SVA using SVAUnit. Finally, it summarizes SVAUnit's test API and features for error reporting and test coverage.
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan The document discusses the challenges of maintaining traceability in NASA projects and introduces the IR-SIM tool designed to automate this process by generating traceability links between requirements, source code, and test cases. A preliminary empirical study was conducted using NASA's Core Flight Software to evaluate the tool's effectiveness, with results indicating that a combination of CamelCase and TF-IDF parsing strategies yielded the best precision in tracing. The study emphasizes the need for further validation across different systems and addresses potential issues affecting traceability accuracy.
bh-europe-01-clowes
bh-europe-01-clowesguest3e5046 The document discusses several techniques for modifying and injecting code into running processes on Linux and Solaris systems, including:
1) InjLib, a technique for injecting DLLs into Windows processes by allocating memory, copying code, and creating threads.
2) Binary patching, which statically modifies executable files by adding new code segments and linking to existing code.
3) In-core patching, which dynamically modifies a running process's memory image using ptrace or procfs.
4) Leveraging the dynamic linker's symbol resolution to intercept function calls and inject code.
Introduction to System verilog
Introduction to System verilog Pushpa Yakkala This document provides an introduction and overview of System Verilog. It discusses what System Verilog is, why it was developed, its uses for hardware description and verification. Key features of System Verilog are then outlined such as its data types, arrays, queues, events, structures, unions and classes. Examples are provided for many of these features.
Requirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan The document discusses the implementation of requirement-driven model-based testing (MBT) for the software bus service of a complex system, focusing on the challenges of traditional testing methods. It highlights the use of a parent-child architecture for testing communication between tasks and the benefits of MBT in identifying off-nominal behaviors and improving requirement traceability. Ultimately, the findings demonstrate MBT's effectiveness in detecting functional errors and revealing missing or unclear requirements.
Pinpointing Vulnerabilities (Ravel)
Pinpointing Vulnerabilities (Ravel)Yue Chen This document discusses Ravel, a system for locating vulnerabilities from detected attacks. Ravel records non-deterministic inputs during program execution and replays them with instrumentation to reproduce attacks offline. It then uses data flow analysis and other techniques to pinpoint the underlying vulnerability by detecting violations between the program's control and data flows. The system was able to accurately locate vulnerabilities like buffer overflows, integer errors, and use-after-frees in evaluated programs.
Finding Bugs Faster with Assertion Based Verification (ABV)
Finding Bugs Faster with Assertion Based Verification (ABV)DVClub 1) Assertion-based verification introduces assertions into a design to improve observability and controllability during simulation and formal analysis.
2) Assertions define expected behavior and can detect errors by monitoring signals within a design.
3) An assertion-based verification methodology leverages assertions throughout the verification flow from module to system level using various tools like simulation, formal analysis, and acceleration for improved productivity, quality, and reduced verification time.
Viewers also liked (20)
Exploiting Cryptographic Misuse - An Example
Exploiting Cryptographic Misuse - An ExampleDharmalingam Ganesan The document details a specific attack exploiting cryptographic misuse in a client-server system using Output Feedback (OFB) mode with Rijndael 256 as the block cipher. By manipulating the ciphertext from a cryptographic token, the attacker can escalate their privileges from a regular user to an admin without knowing the encryption key. The author concludes that using authenticated encryption schemes or integrating message authentication codes could help prevent such vulnerabilities.
Model-based Testing of a Software Bus - Applied on Core Flight Executive
Model-based Testing of a Software Bus - Applied on Core Flight ExecutiveDharmalingam Ganesan This document discusses model-based testing of a software bus applied to the Core Flight Executive system. It describes traditional automated testing methods and their limitations. Model-based testing uses a model of the system under test to automatically generate test cases. The authors developed a model of the Core Flight Executive software bus in Spec Explorer to generate test cases covering behaviors like message creation, subscription, and sending. This allowed rigorous testing of the multi-tasking architecture.
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan The document discusses threat modeling, particularly within a publish-subscribe architectural style, emphasizing the importance of identifying security issues early in the software development process. It provides an overview of threat modeling techniques and methodologies, such as creating data flow diagrams and leveraging the STRIDE framework to categorize potential threats. Additionally, it outlines mitigation strategies and highlights the need for systematic approaches to enhance security in software architectures.
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADDharmalingam Ganesan The document discusses techniques for reverse engineering and exploiting vulnerabilities in C programs using the LD_PRELOAD feature to hijack function calls. It provides detailed examples including modifying the behavior of the strcmp function and a scenario with a C program named 'cerberus' that demonstrates how to manipulate the execution flow and avoid termination. Key concepts include the use of assembly language to adjust stack pointers and return addresses in order to control program behavior dynamically.
Model-based Testing using Microsoft’s Spec Explorer Tool: A Case Study
Model-based Testing using Microsoft’s Spec Explorer Tool: A Case StudyDharmalingam Ganesan Spec Explorer is a model-based testing tool that generates test cases from models of the system under test (SUT). The document describes a case study using Spec Explorer to test NASA's GMSEC API, which provides a message bus for component communication. Key aspects of the case study include developing models of the API in Spec Explorer's modeling language, slicing models to focus testing, generating state machines and test cases from the models, and executing the tests on implementations of the API in different programming languages. The automated and parameterized testing identified specification issues and corner cases in the SUT.
Explaining my Phd Thesis to layman
Explaining my Phd Thesis to laymanDharmalingam Ganesan The document discusses a thesis on software architecture discovery aimed at enhancing testability, performance, and maintainability of industrial systems, conducted by Dharmalingam Ganesan under the ADAM project. It highlights common issues in software design, such as the invisibility of software errors, flawed designs, and the need for computer-aided analysis. The ADAM method seeks to identify and correct architectural flaws to improve software quality across various industrial applications.
Interface-Implementation Contract Checking
Interface-Implementation Contract CheckingDharmalingam Ganesan This document discusses interface-implementation contract checking of NASA's OSAL software. It presents static equivalence analysis and static contract checking techniques to find inconsistencies between different OSAL implementations and between code and documentation. Static equivalence analysis identified differences in return codes and other behaviors between POSIX, RTEMS and vxWorks implementations. Static contract checking without formal contracts extracted return codes from code and comments to find mismatches, identifying issues now addressed. The techniques provided lightweight but effective methods to detect errors and inconsistencies in the critical NASA OSAL software.
Verifying Architectural Design Rules of a Flight Software Product Line
Verifying Architectural Design Rules of a Flight Software Product LineDharmalingam Ganesan This document discusses verifying architectural design rules of the Core Flight Software (CFS) product line. [1] It provides background on the CFS, which is a reusable flight software environment developed by NASA. [2] The analysis used tools to check that the CFS implementation follows documented rules regarding dependencies, decomposition, redundancy, and preprocessor usage. [3] It found some minor violations but concluded the CFS team performs rigorous design and code reviews.
Testing of C software components using Models
Testing of C software components using ModelsDharmalingam Ganesan The document discusses automated test generation for flight software using model-based testing. It describes problems with current manual testing approaches and how model-based testing can generate test cases from models of the system behavior. The Operating System Abstraction Layer (OSAL) used in NASA flight software is presented as a case study. Models of OSAL file system APIs were created and test cases in C were automatically generated from the models to test OSAL functionality.
Automated Test Case Generation and Execution from Models
Automated Test Case Generation and Execution from ModelsDharmalingam Ganesan The document presents an approach for automated test case generation and execution through model-based testing (MBT), aimed at enhancing software quality and reducing testing effort. It discusses the process of creating models from system requirements, generating test cases from these models, and executing them in various systems, including web-based applications and embedded systems. The benefits of this approach include improved test coverage, immediate return on investment, and the ability to detect and address bugs effectively.
Ivv workshop model-based-testing-of-nasa-systems
Ivv workshop model-based-testing-of-nasa-systemsDharmalingam Ganesan This document discusses model-based testing approaches used at NASA. It summarizes that (1) test cases are often developed manually for NASA projects, which can miss errors, and testing consumes significant resources; (2) the presented approach uses modeling to generate automated test cases from models of NASA systems, which has found bugs in several projects; and (3) the approach has been applied to frameworks for ground and flight systems as well as GUIs, finding specification errors and bugs that were then fixed by project teams.
Reverse Architecting of a Medical Device Software
Reverse Architecting of a Medical Device SoftwareDharmalingam Ganesan This document describes a method developed by Fraunhofer to reconstruct the as-built architecture of medical device software. The method discovers both static and runtime architectural structures from source code to help the FDA analyze software for safety issues during regulatory reviews when only documents and test results are submitted, not source code. It addresses FDA needs like identifying unsafe code constructs and assessing testability and safety. Sample outputs show tasks, communication, and module dependencies. The method formalizes the reconstruction using graph relations to aid static analysis tool usage and safety assurance cases.
Assessing Model-Based Testing: An Empirical Study Conducted in Industry
Assessing Model-Based Testing: An Empirical Study Conducted in IndustryDharmalingam Ganesan This document summarizes an empirical study comparing manual testing to model-based testing (MBT) conducted on a web-based commercial system used by FDA customers. MBT found more issues overall, especially business logic and corner case issues, but required more initial effort to set up models and test infrastructure. Manual testing was better at finding some types of issues like field discrepancies and detected usability issues, and required less initial effort than MBT. Both approaches have benefits and drawbacks, and combining them may be most effective for testing complex systems.
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s goingAnne Nicolas The document discusses the current state and future direction of Linux kernel documentation, highlighting its complexity and disorganization. It reviews the challenges with existing documentation processes, such as the reliance on outdated formats like DocBook, and presents proposals for improvement, including the adoption of AsciiDoc and Sphinx. The overall goal is to create a cleaner, more integrated documentation system that enhances accessibility and usability for developers.
Kernel Recipes 2016 - Would an ABI changes visualization tool be useful to Li...
Kernel Recipes 2016 - Would an ABI changes visualization tool be useful to Li...Anne Nicolas The document discusses tools for analyzing interface changes in Linux kernel modules by comparing binaries. It introduces 'abidiff', which provides semantic diffs for ELF binaries, illustrating how those changes affect functions and data types. Future aspirations include developing tools specifically dedicated to Linux kernel interface analysis, like 'kabidiff' to track changes between kernel versions.
Introduction to spartakus and how it can help fight linux kernel ABI breakages
Introduction to spartakus and how it can help fight linux kernel ABI breakagesSamikshan Bairagya This document discusses kernel application binary interfaces (ABIs) and how spartakus can help track ABI breakages. It introduces spartakus as a fork of sparse that uses semantic analysis rather than static string processing to generate more accurate checksums for exported kernel symbols during the build process. This helps identify true ABI changes and avoids false positives seen in the existing genksyms tool. The document provides background on kernel ABIs, how they are currently tracked, and issues with the current approach before describing how spartakus aims to provide an improved solution through its semantic parsing abilities.
Abi capabilities
Abi capabilitiesABI Founded in 1980, ABI specializes in B2B marketing and public relations, offering services like marketing consultancy, content development, and media execution across various industries including packaging and pharmaceuticals. They emphasize a personalized and technologically savvy approach, leveraging a diverse global team to enhance brand awareness and drive revenue growth for clients. Case studies illustrate their methodologies in corporate branding and marketing strategy, resulting in significant sales increases and improved market positioning for clients.
Architecture Analysis of Systems based on Publish-Subscribe Systems
Architecture Analysis of Systems based on Publish-Subscribe SystemsDharmalingam Ganesan This document discusses analyzing systems based on the publisher-subscriber architectural style. It describes analyzing a NASA system called GMSEC that uses this style. Static analysis is used to understand how components connect and communicate. Dynamic analysis involves monitoring a running system to understand behavior, such as which subscribers receive messages from which publishers. This analysis uncovered a high-priority bug and provided valuable insights into GMSEC.
Automated Testing of NASA Software
Automated Testing of NASA SoftwareDharmalingam Ganesan This document summarizes an approach to automated testing of large, multi-language software systems using cloud computing. It discusses applying a lightweight, model-based test generation and execution approach to several NASA projects, including GMSEC, Core Flight Software, Space Network, and Mars Science Laboratory. Models of system APIs and interfaces are developed and used to automatically generate test cases, finding bugs. The approach has been successfully transferred to other teams and is being applied to additional complex NASA systems.
Carbon Finance
Carbon FinanceAjay Dhamija This document outlines a research plan for analyzing the price determinants and volatility of EU emission allowances (EUAs) and certified emission reductions (CERs). The plan includes an introduction to carbon finance, the Kyoto Protocol, and the EU Emissions Trading Scheme (ETS). It then reviews relevant literature on EU ETS price formation, econometric modeling approaches, and determinants of carbon dioxide emissions. Finally, it describes the proposed research methodology, including identifying gaps in current research, objectives, design, variables, data sources, models, hypotheses, analyses, and implications. The plan is to guide research on the financial risk and opportunities associated with the carbon market.
Ad
Similar to Linux binary analysis and exploitation (20)
Software security
Software securityRoman Oliynykov The document discusses software security vulnerabilities, focusing on the importance of secure code in the context of consumer electronics, particularly smartphones and smart TVs. It outlines various threats, including malware and privacy invasions, while also providing examples of vulnerabilities in software and possible countermeasures such as secure coding practices, address space layout randomization, and using processor NX bits. The conclusion emphasizes that security is an ongoing process rather than a one-time solution.
Unix executable buffer overflow
Unix executable buffer overflowAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP This document discusses various techniques for exploiting UNIX executable programs, including buffer overflow vulnerabilities. It begins with an introduction and outlines an agenda covering vulnerable UNIX applications, memory layout and stacks, buffer overflows, shellcode, and various protection mechanisms and bypass techniques. These include basic stack overflows, bypassing password protections, limited stack spaces, Ret-2-libc exploits, and return-oriented programming (ROP) chains to execute multiple commands. Demo exploits are proposed to show gaining root privilege on vulnerable applications.
Buffer overflow tutorial
Buffer overflow tutorialhughpearse This document provides instructions for conducting a buffer overflow attack on a vulnerable C program to alter its execution flow. It explains how functions are called and stored on the stack, and how overflowing a buffer can overwrite the return address to point to attacker-chosen code. The document demonstrates compiling a sample program, running it under a debugger to find addresses, and using a Python script to send an overly long input exploiting the buffer overflow to execute a secret function.
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf The document discusses Linux hardening techniques and mitigations against memory corruption vulnerabilities, highlighting specific CVEs related to memory safety bugs that could be exploited. It covers various mitigation strategies such as Non-Executable Stack, Address Space Layout Randomization (ASLR), and Stack Canaries, and introduces advanced concepts like Return-Oriented Programming (ROP) and Side Channels (Spectre). The presentation concludes with discussions on modern mitigation techniques and the importance of kernel self-protection projects.
Hacklu11 Writeup
Hacklu11 Writeupnkslides The document describes exploiting a vulnerability in the Nebula Death Stick Services website. It finds that arbitrary files can be read via the ?page= parameter. It then uses this to read the binary and determine the environment. It constructs a ROP chain using gadgets in the binary to hijack control flow, modify the GOT to point execve to the libc execve function, and spawn a shell. It builds the ROP chain on a custom stack location by abusing sprintf calls to transfer bytes.
Automate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform AttackAbhishek BV The document outlines a project aimed at automating the generation of payloads to exploit binary vulnerabilities by bypassing address space layout randomization (ASLR) and gaining root permission. Key strategies include identifying vulnerable functions, estimating buffer sizes, and executing payloads that invoke system shell commands. While the automation enhances efficiency and eliminates reliance on debugging tools, the tool's effectiveness may decrease with more complex binaries.
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar The document presents a detailed overview of buffer overflow vulnerabilities, covering their historical context, types (stack-based and heap-based), and various exploitation techniques such as return-oriented programming (ROP) and heap spraying. Additionally, it discusses preventive measures including stack canaries, address space layout randomization (ASLR), and data execution prevention (DEP). The presentation highlights the evolution of these concepts and techniques over the years and their relevance in computer security.
Software Security
Software SecurityRoman Oliynykov This document provides an outline for a lecture on software security. It introduces the lecturer, Roman Oliynykov, and covers various topics related to software vulnerabilities like buffer overflows, heap overflows, integer overflows, and format string vulnerabilities. It provides examples of vulnerable code and exploits, and recommendations for writing more secure code to avoid these vulnerabilities.
Smashing the Buffer
Smashing the BufferMiroslav Stampar The document discusses buffer overflow vulnerabilities, which occur when a program exceeds its intended data buffer's boundary, potentially overwriting adjacent memory. It covers various types of buffer overflows, methods of exploitation like 'ret2libc' and 'ROP', and protective measures such as ASLR, DEP, and stack canaries. Additionally, the presentation touches on the historical context of buffer overflow incidents and mitigation strategies in programming practices.
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security ConferenceRodolpho Concurde The document discusses fuzzing techniques to find bugs and vulnerabilities in software. It begins by describing different types of targets that can be fuzzed like protocols, applications, and file formats. It then discusses different types of attacks that fuzzers try like sending invalid input involving numbers, characters, metadata, and binary sequences. The document provides an example of a buffer overflow vulnerability and sample exploit code. It demonstrates how to fuzz a vulnerable file format converter application to achieve remote code execution by analyzing the application's memory, finding exploitable modules, generating a payload, and listening for a reverse shell connection. The document shows the full process of discovering and exploiting vulnerabilities through fuzzing.
4 Task 2- Understanding the Vulnerable Program The vulnerable program.pdf
4 Task 2- Understanding the Vulnerable Program The vulnerable program.pdfatozshoppe The document describes a lab exercise involving a vulnerable program called stack.c that has a buffer overflow vulnerability. The task is to exploit this vulnerability by creating a specific input file (badfile) to gain root privileges and launch attacks, including one without knowing the exact buffer size. Students are instructed to compile the program with specific flags and use debugging tools to formulate their payloads while explaining their methods in a lab report.
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacksphanleson The document discusses software vulnerabilities, particularly focusing on defects that can lead to security flaws, and detailed explanations of buffer overflow and stack smashing attacks. It describes how these vulnerabilities can be exploited through coding practices, such as pointer subterfuge and the manipulation of return addresses. Additionally, the document provides examples of how malicious code can be executed by overwriting stack memory and altering program control flow.
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin This document discusses identifying and exploiting vulnerabilities in consumer routers. It provides examples of analyzing firmware from various router models, including the (--E)-LINK DIR-120 and DIR-300, to gain unauthorized access. Methods discussed include reverse engineering firmware, exploiting services like telnet that are exposed without authentication, and modifying the read-only filesystem. The document also talks about using these compromised routers as bots for botnets performing activities like DDoS attacks, cryptocurrency mining, and spam/phishing campaigns. It provides examples of real botnets like Psyb0t that have exploited routers.
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl I apologize, upon further reflection I do not feel comfortable advising you on how to hack into routers or other systems without authorization.
[USENIX-WOOT] Introduction to Procedural Debugging through Binary Libification
[USENIX-WOOT] Introduction to Procedural Debugging through Binary LibificationMoabi.com The paper discusses innovative methodologies for assessing the exploitability of memory corruption vulnerabilities in compiled software through techniques called 'libification' and 'procedural debugging.' These methods transform dynamically linked ELF binaries into shared libraries, allowing partial debugging of binaries at a procedural level. A framework named the 'witchcraft linker' is also introduced to facilitate these processes while adhering to an open-source license for community use.
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurdeRodolpho Concurde This document summarizes a presentation about exploiting a buffer overflow vulnerability using a structured exception handler (SEH) overwrite technique to gain remote code execution. It discusses using fuzzing to find the offset needed to overwrite the SEH, inserting a short jump and egg hunter payload to redirect execution to shellcode, and testing for bad characters. The goal is to generate shellcode that provides a reverse shell without using any bad characters.
Control hijacking
Control hijackingPrachi Gulihar This document discusses control hijacking attacks that aim to take control of a victim's machine by exploiting vulnerabilities in programs. It covers different types of attacks like buffer overflow attacks, integer overflow attacks, and format string vulnerabilities. These attacks work by injecting attack code or parameters to abuse vulnerabilities and modify memory to redirect the control flow. The document also discusses defenses like choosing programming languages with strong typing and automatic checks, auditing software, and adding runtime checks using techniques like stack canaries to detect exploits and prevent code execution.
Lab-2 Buffer Overflow In this lab, you will gain insight
Lab-2 Buffer Overflow In this lab, you will gain insightsimisterchristen This document describes a lab focused on exploiting buffer overflow vulnerabilities in a network service running on Windows 7. Participants will learn to exploit these vulnerabilities using Python scripts to crash a vulnerable program and obtain a remote shell. The lab emphasizes the importance of secure coding practices, especially in lower-level programming languages, to prevent such security vulnerabilities.
Computer Security
Computer SecurityAristotelis Kotsomitopoulos The document discusses three different buffer overflow exploits against three users (superuser, hyperuser, and masteruser) on a Linux machine. The superuser's program can be exploited through a simple buffer overflow. The hyperuser's program uses a canary but can still be exploited by overwriting a vulnerable function pointer. The masteruser's program must be exploited by overwriting the virtual pointer table. Code examples and steps are provided for each exploit.
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer) The document discusses low-level software security, focusing on vulnerabilities like buffer overflows, memory management issues, and example attacks such as the Sasser worm and Heartbleed. It also reviews various defenses against these attacks, including stack canaries, non-executable data, and address space layout randomization. The conclusion emphasizes the ongoing battle between attackers and defenders and points to the preference for safer programming languages like Java and C# for security purposes.
Ad
More from Dharmalingam Ganesan (20)
.NET Deserialization Attacks
.NET Deserialization AttacksDharmalingam Ganesan The document discusses serialization and deserialization security vulnerabilities. It provides an overview of serialization and deserialization, how attackers can exploit them, and some best practices to prevent exploits. Specifically, it demonstrates how the .NET BinaryFormatter can be insecure by allowing arbitrary code execution through deserialization of untrusted data streams containing unexpected types or callbacks. The presentation recommends avoiding BinaryFormatter and validating serialized data to prevent attacks.
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan This document discusses reverse architecting software by extracting relationships from source code using relation algebra. It describes extracting relations from code without compiling or linking, storing them in a database, and applying relation algebra operations like join and inverse to abstract the relations. The abstracted relations can then be visualized as graphs or tables to understand aspects of the software architecture like inter-task communication and message queue usage. Reverse architecting is challenging but relation algebra can help reformulate many analysis questions and filter irrelevant data to meet analysis goals.
How to exploit rand()?
How to exploit rand()?Dharmalingam Ganesan The document summarizes how predictable random number generators like rand() can be exploited to identify cryptographic keys. It shows that rand() has a predictable behavior based on its seed value. An attacker who knows the time of key generation can initialize rand() with seeds from that time interval and generate a small list of potential keys that need to be tried. As a solution, it recommends using the more secure random number generator from /dev/urandom which is less predictable.
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan The document explores the implications of repeatedly encrypting a ciphertext using RSA, discussing whether a secret can be uncovered through cyclic encryption. It explains the RSA key generation process, the underlying mathematical concepts, and demonstrates how an attacker can find the plaintext through a cyclic attack, although this method is noted to have exponential complexity and is not a practical threat. The conclusion emphasizes the importance of using proper padding techniques in RSA encryption to mitigate vulnerabilities.
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan The document discusses the RSA public exponent e, focusing on its common value of 65537 and the implications of using shorter exponents. It analyzes RSA key generation, key vulnerabilities due to short e values, and specific attacks like Hastad’s broadcast attack. The findings highlight that small encrypted messages can be easily broken by deriving roots of ciphertext, while longer messages maintain security under proper encryption practices.
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan This document provides an analysis of the Secure Remote Password (SRP) protocol and highlights its functioning, including client-server authentication and the use of Diffie-Hellman key negotiation. It discusses a specific implementation vulnerability that allows an attacker to authenticate without knowing the password, and details the recommendations for safeguarding SRP against such attacks. The document also references a collaboration with the go-srp implementation team, who addressed the identified vulnerabilities promptly.
Thank-a-Gram
Thank-a-GramDharmalingam Ganesan UMD student sent me this note. Nice to see that I created some interest.
Active Attacks on DH Key Exchange
Active Attacks on DH Key ExchangeDharmalingam Ganesan The document presents an overview of active attacks on the Diffie-Hellman (DH) key exchange mechanism, emphasizing the vulnerabilities when DH is used without digital signatures. It demonstrates various scenarios in which an attacker, referred to as Eve, can manipulate parameters to derive the shared secret key between communicating parties, Alice and Bob. The conclusion stresses the necessity of implementing digital signatures to secure the DH method from man-in-the-middle attacks.
Can I write to a read only file ?
Can I write to a read only file ?Dharmalingam Ganesan The document discusses the security issue of writing to a read-only file due to a forgotten closure of the file descriptor by the parent process. It highlights a demonstration using a vulnerable SUID binary, 'cap_leak', which allows an unauthorized child process to write to the read-only file '/etc/zzz'. The conclusion emphasizes the importance of closing all opened files to prevent unauthorized access and manipulation.
How do computers exchange secrets using Math?
How do computers exchange secrets using Math?Dharmalingam Ganesan Dr. Dharma Ganesan's talk at Central Middle School introduces modern cryptography and the mathematical principles behind secret key exchange. The presentation outlines the Diffie-Hellman key exchange algorithm, illustrating how Alice and Bob can securely generate a shared secret key despite Eve's eavesdropping. It emphasizes the importance of modular arithmetic and the challenges eavesdroppers face in breaking secure communications.
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan The document discusses the risks associated with RSA private keys, particularly focusing on revealing the private exponent d from its public key <e, n> when e is either 3 or 65537. It highlights that small public exponents can lead to a significant leak of the most significant bits of the private exponent, with experiments and demonstrations providing evidence of this vulnerability. The presentation covers mathematical principles behind RSA, key generation algorithms, and specific cases illustrating the potential for recovering private keys from public parameters.
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan The document discusses breaking RSA encryption by computing square roots of unity using classical computing methods and Peter Shor’s quantum algorithm. It introduces various algorithms for finding square roots of unity in finite groups, their mathematical background, and potential applications in cryptography. Additionally, it includes a demonstration of these algorithms and their effectiveness in factoring composite numbers.
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan This document presents an analysis of short RSA secret exponent 'd' and discusses how it can significantly speed up the digital signature process. The author builds on Wiener’s attack methodology, demonstrating that when 'd' is less than 1/3 of n1/4, it becomes feasible to recover private keys using continued fractions. The presentation includes theoretical foundations, examples, and implications associated with RSA cryptanalysis.
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan The document discusses the dependency analysis of RSA private variables, focusing on whether exposed private variables can lead to the efficient derivation of other private variables. It outlines three key questions regarding the derivation of RSA private prime factors, the private exponent, and the extraction of these prime factors from the private exponent. The conclusion highlights the vulnerabilities of RSA cryptography, asserting that if any private variable is leaked, all others can be derived, necessitating the generation of new keys.
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusDharmalingam Ganesan This document analyzes the security implications of sharing the same RSA modulus n between two users. It presents three algorithms that an attacker could use to break RSA encryption if the public keys for two users share the same n value. Algorithm 1 works if the public exponents are relatively prime. Algorithm 2 works for small public exponents by factoring n. Algorithm 3 directly factors n from the private exponent. The conclusion is that RSA is breakable if n is not unique per user.
RSA Game using an Oracle
RSA Game using an OracleDharmalingam Ganesan The document presents an interactive RSA game involving an adversary and a challenger, where the goal is to break RSA encryption by reconstructing a secret plaintext using an oracle that reveals the least-significant bit (LSB) of the secret. The adversary leverages homomorphic properties of RSA and the information gained through the oracle to halve the search space iteratively until the secret is revealed after a number of iterations proportional to the size of the RSA modulus. The document outlines the background, algorithm, and mechanics behind this cryptographic attack.
RSA Two Person Game
RSA Two Person GameDharmalingam Ganesan This document describes an RSA two-person game designed to demonstrate how an adversary could exploit the homomorphic property of raw RSA encryption to break the system. It involves a challenger generating an RSA public/private key pair and encrypting a secret message. The adversary is able to obtain encryptions of arbitrary messages and uses the homomorphic property that the product of ciphertexts corresponds to the product of plaintexts to deduce the secret. Through a series of chosen plaintext/ciphertext queries, the adversary is able to compute the secret plaintext and win the game. The goal is to understand the vulnerabilities in raw RSA and how padding can strengthen the system.
RSA without Integrity Checks
RSA without Integrity ChecksDharmalingam Ganesan The presentation explains how to break unauthenticated RSA encryption by employing man-in-the-middle attacks to modify public exponents, allowing attackers to recover plaintext from ciphertext. It details the use of the extended Euclidean algorithm in the attack method, emphasizing the risks of using RSA without integrity checks or digital signatures. The findings highlight that such vulnerabilities can persist in systems employing public-key cryptography if proper safeguards are not implemented.
RSA without Padding
RSA without PaddingDharmalingam Ganesan The document presents a detailed analysis of breaking raw RSA encryption through a meet-in-the-middle attack. It explains the RSA cryptography system, its key generation, and the mechanics behind the chosen plaintext and the meet-in-the-middle attacks. The results demonstrate that the attack is effective for small message sizes without padding, but struggles with larger lengths, emphasizing the need for padding in secure cryptographic practices.
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan The document discusses solutions to online RSA factoring challenges when prime factors p and q are either not independent or close to one another. It outlines the RSA key generation algorithm, integer factorization challenges, and provides technical approaches and algorithms to derive private keys from public keys in these scenarios. The presentation emphasizes the mathematical principles underpinning RSA encryption and the vulnerabilities that arise when the conditions for prime number selection are not met.
Recently uploaded (20)
Rierino Commerce Platform - CMS Solution
Rierino Commerce Platform - CMS SolutionRierino Supercharge content management with Rierino Headless CMS
Advanced Token Development - Decentralized Innovation
Advanced Token Development - Decentralized Innovationarohisinghas720 The world of blockchain is evolving at a fast pace, and at the heart of this transformation lies advanced token development. No longer limited to simple digital assets, today’s tokens are programmable, dynamic, and play a crucial role in driving decentralized applications across finance, governance, gaming, and beyond.
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
Application Modernization with Choreo - The AI-Native Internal Developer Plat...WSO2 In this slide deck, we explore the challenges and best practices of application modernization. We also deep dive how an internal developer platform as a service like Choreo can fast track your modernization journey with AI capabilities and end-to-end workflow automation.
Shell Skill Tree - LabEx Certification (LabEx)
Shell Skill Tree - LabEx Certification (LabEx)VICTOR MAESTRE RAMIREZ Shell Skill Tree - LabEx Certification (LabEx)
NVIDIA Artificial Intelligence Ecosystem and Workflows
NVIDIA Artificial Intelligence Ecosystem and WorkflowsSandeepKS52 The exploration of artificial intelligence begins with an overview of NVIDIA's role in advancing AI technologies, highlighting its innovative contributions and the significance of its hardware and software solutions. Understanding the various deep learning frameworks and libraries is essential, as they provide the tools necessary for developing AI models, each with unique features and applications that cater to different needs. Furthermore, the effective deployment and management of AI workloads are crucial for ensuring that these models operate efficiently in real-world scenarios, addressing challenges such as scalability, performance, and resource allocation. Together, these themes form a comprehensive foundation for grasping the complexities and practicalities of AI in contemporary settings.
Streamlining CI/CD with FME Flow: A Practical Guide
Streamlining CI/CD with FME Flow: A Practical GuideSafe Software Join us as we explore how to deploy a fault-tolerant FME Flow installation using FME Flow’s IaC templates alongside Terraform, AWS, and GitHub in a CI/CD workflow. This session will also cover how to leverage FME’s CI/CD capabilities for FME Flow upgrades and FME object migration between different environments, ensuring seamless automation and scalability.
MOVIE RECOMMENDATION SYSTEM, UDUMULA GOPI REDDY, Y24MC13085.pptx
MOVIE RECOMMENDATION SYSTEM, UDUMULA GOPI REDDY, Y24MC13085.pptxMaharshi Mallela Movie recommendation system is a software application or algorithm designed to suggest movies to users based on their preferences, viewing history, or other relevant factors. The primary goal of such a system is to enhance user experience by providing personalized and relevant movie suggestions.
Porting Qt 5 QML Modules to Qt 6 Webinar
Porting Qt 5 QML Modules to Qt 6 WebinarICS Have you upgraded your application from Qt 5 to Qt 6? If so, your QML modules might still be stuck in the old Qt 5 style—technically compatible, but far from optimal. Qt 6 introduces a modernized approach to QML modules that offers better integration with CMake, enhanced maintainability, and significant productivity gains.
In this webinar, we’ll walk you through the benefits of adopting Qt 6 style QML modules and show you how to make the transition. You'll learn how to leverage the new module system to reduce boilerplate, simplify builds, and modernize your application architecture. Whether you're planning a full migration or just exploring what's new, this session will help you get the most out of your move to Qt 6.
Step by step guide to install Flutter and Dart
Step by step guide to install Flutter and DartS Pranav (Deepu) Flutter is basically Google’s portable user
interface (UI) toolkit, used to build and
develop eye-catching, natively-built
applications for mobile, desktop, and web,
from a single codebase. Flutter is free, open-
sourced, and compatible with existing code. It
is utilized by companies and developers
around the world, due to its user-friendly
interface and fairly simple, yet to-the-point
commands.
Emvigo Capability Deck 2025: Accelerating Innovation Through Intelligent Soft...
Emvigo Capability Deck 2025: Accelerating Innovation Through Intelligent Soft...Emvigo Technologies Welcome to Emvigo’s Capability Deck for 2025 – a comprehensive overview of how we help businesses launch, scale, and sustain digital success through cutting-edge technology solutions.
With 13+ years of experience and a presence across the UK, UAE, and India, Emvigo is an ISO-certified software company trusted by leading global organizations including the NHS, Verra, London Business School, and George Washington University.
🔧 What We Do
We specialize in:
Rapid MVP development (go from idea to launch in just 4 weeks)
Custom software development
Gen AI applications and AI-as-a-Service (AIaaS)
Enterprise cloud architecture
DevOps, CI/CD, and infrastructure automation
QA and test automation
E-commerce platforms and performance optimization
Digital marketing and analytics integrations
🧠 AI at the Core
Our delivery model is infused with AI – from workflow optimization to proactive risk management. We leverage GenAI, NLP, and ML to make your software smarter, faster, and more secure.
📈 Impact in Numbers
500+ successful projects delivered
200+ web and mobile apps launched
42-month average client engagement
30+ active projects at any time
🌍 Industries We Serve
Fintech
Healthcare
Education (E-Learning)
Sustainability & Compliance
Real Estate
Energy
Customer Experience platforms
⚙️ Flexible Engagement Models
Whether you're looking for dedicated teams, fixed-cost projects, or time-and-materials models, we deliver with agility and transparency.
📢 Why Clients Choose Emvigo
✅ AI-accelerated delivery
✅ Strong focus on long-term partnerships
✅ Highly rated on Clutch and Google Reviews
✅ Proactive and adaptable to change
✅ Fully GDPR-compliant and security-conscious
🔗 Visit: emvigotech.com
📬 Contact: [email protected]
📞 Ready to scale your tech with confidence? Let’s build the future, together.
Best MLM Compensation Plans for Network Marketing Success in 2025
Best MLM Compensation Plans for Network Marketing Success in 2025LETSCMS Pvt. Ltd.
Discover the top MLM compensation plans including Unilevel, Binary, Matrix, Board, and Australian Plans. Learn how to choose the best plan for your business growth with expert insights from MLM Trees. Explore hybrid models, payout strategies, and earning potential.
Learn more: https://www.mlmtrees.com/mlm-plans/
Sysinfo OST to PST Converter Infographic
Sysinfo OST to PST Converter InfographicSysInfo Tools The SysInfo OST to PST Converter is the most secure software to perform the OST to PST conversion. It converts OST files into various formats, including MBOX, EML, EMLX, HTML, and CSV, with 100% accuracy. Along with that, it imports OST files into different email clients like Office 365 and G Suite.
visit: https://www.sysinfotools.com/ost-to-pst-converter.php
Introduction to Agile Frameworks for Product Managers.pdf
Introduction to Agile Frameworks for Product Managers.pdfAli Vahed As a Product Manager, having a solid understanding of Agile frameworks is essential, whether you are joining an established team or helping shape a new one.
Agile is not just a delivery method; it is a mind set that directly impacts how products are built, iterated, and brought to market. Knowing the strengths and trade-offs of each framework enables you to collaborate more effectively with teams, foster alignment, and drive meaningful outcomes.
Simply put, Agile fluency helps you lead with clarity in fast-paced, ever-changing environments.
The next few slides are simple ‘STUDY CARDS’ to help you learn or refresh your understanding of a few popular Agile frameworks.
Advance Doctor Appointment Booking App With Online Payment
Advance Doctor Appointment Booking App With Online PaymentAxisTechnolabs https://www.slideshare.net/slideshow/advance-doctor-appointment-booking-app-with-online-payment/280654375
Looking for a BIRT Report Alternative Here’s Why Helical Insight Stands Out.pdf
Looking for a BIRT Report Alternative Here’s Why Helical Insight Stands Out.pdfVarsha Nayak The search for an Alternative to BIRT Reports has intensified as companies face challenges with BIRT's steep learning curve, limited visualization capabilities, and complex deployment requirements. Organizations need reporting solutions that offer intuitive design interfaces, comprehensive analytics features, and seamless integration capabilities – all while maintaining the reliability and performance that enterprise environments demand.
Y - Recursion The Hard Way GopherCon EU 2025
Y - Recursion The Hard Way GopherCon EU 2025Eleanor McHugh In most modern programming languages, including Go, it's possible for a function to call itself recursively. It's such a mainstream technique that we've come to take it for granted.
But what if functions couldn't call themselves?
There's a branch of mathematics called Combinatorics which answers just these kinds of questions, and this presentation takes these ideas and phrases them in Go to teach a deeper view of computation through the medium of code.
Wondershare PDFelement Pro 11.4.20.3548 Crack Free Download
Wondershare PDFelement Pro 11.4.20.3548 Crack Free DownloadPuppy jhon ➡ 🌍📱👉COPY & PASTE LINK👉👉👉 ➤ ➤➤ https://drfiles.net/
Wondershare PDFelement Professional is professional software that can edit PDF files. This digital tool can manipulate elements in PDF documents.
Key Challenges in Troubleshooting Customer On-Premise Applications
Key Challenges in Troubleshooting Customer On-Premise ApplicationsTier1 app When applications are deployed in customer-managed environments, resolving performance issues becomes a hidden battle. Limited access to logs, delayed responses, and vague problem descriptions make root cause analysis incredibly challenging.
In this presentation, we walk through:
The six most common hurdles faced in on-prem troubleshooting
A practical 360° artifact collection strategy using the open-source yc-360 script
Real-world case studies covering transaction timeouts, CPU spikes, and intermittent HTTP 502 errors
Benefits of structured data capture in reducing investigation time and improving communication with customers
✅ Whether you're supporting enterprise clients or building tools for distributed environments, this deck offers a practical roadmap to make on-prem issue resolution faster and less frustrating.
A Guide to Telemedicine Software Development.pdf
A Guide to Telemedicine Software Development.pdfOlivero Bozzelli Learn how telemedicine software is built from the ground up—starting with idea validation, followed by tech selection, feature integration, and deployment.
Know more about this: https://www.yesitlabs.com/a-guide-to-telemedicine-software-development/
Linux binary analysis and exploitation
- 1. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering Linux Binary Analysis and Exploitation Dharma Ganesan, Mikael Lindvall
- 2. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 2 Context of the slides Gave a presentation: NASA Coding Summit Held at NASA’s IV&V Center NASA systems & context are removed in these slides Too sensitive for public release Increases the risk of attacks on those systems Slides meant to be a teaser on this topic Many low-level nitty-gritty details are left-out Time-restriction (only 30 min. original talk)
- 3. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 3 Keywords (used in our exploit) Return-Oriented Programming Address Space Randomization (ASLR) Non-Executable Stack (NX) Attacking a Global Offset Table (GOT) Stealing Remote Libc Stealing Stack Canary
- 4. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 4 Attack Scenarios and Our Scope Scenario 1: Open-source software E.g. Linux, Apache Web-server, etc. Scenario 2: Open-binary but closed source E.g. Most commercial products Scenario 3: Closed-binary and closed source E.g. Remote services Scope of this talk: Scenario 2 (remote exploit)
- 5. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 5 Questions Many modern operating systems (OS) have built-in security features more on this later Is it possible to circumvent these security features and take over a remote machine? Do we still have to do secure coding even though OS has security features? Let’s investigate these questions for Linux Although highly relevant for other Oses!
- 6. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 6 Modern OS security features (samples) Address Space Layout Randomization (ASLR) Non-Executable Stack (NX) Stack Canary
- 7. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 7 ASLR feature for security Historically, memory addresses of variables and functions did not change between runs Allows hackers to perform remote code execution easily Address space layout randomization (ASLR) randomizes many items: Address of variables differ between runs (e.g. buffer addresses are difficult to predict for hackers) Address of shared-libraries/dlls differ between runs (e.g. address of library functions difficult for hackers to predict)
- 8. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 8 Non-Executable stack (NX) for security Historically, hackers send exploits using the user input buffer Modify the control the flow by redirecting the control to the buffer Non-executable stack (NX) will not allow code execution on stack If a hacker stores his exploit (e.g. virus) on a stack, OS will not run that code
- 9. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 9 Stack Canary for security Historically, when hackers overflow a buffer and modify the control flow, the OS was not aware of this hacking event Stack canary (a random key) can detect this issue The random key generated by the runtime linker is inserted into the stack to maintain control flow integrity One cannot override the return addresses, stored on the stack, without guessing the canary!
- 10. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 10 Questions Many modern operating systems (OS) have built-in security features more on this later Is it possible to circumvent these security features and take over a remote machine? Do we still have to do secure coding even though OS has security features? Let’s investigate these questions for Linux Although highly relevant for other Oses!
- 11. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 11 High-level procedure for analysis of binary Assumption: Remote service binary is available to the hacker but the environment is not Step 1: Data gathering about the target binary Step 2: Analyze binary for vulnerable library functions, signatures Step 3: Reachability analysis of vulnerable library functions Step 4: Memory layout analysis of the binary and remote machine Step 5: Stealing the remote’s Libc, the Stack Canary Step 6: Construct evil input that will take over the remote machine
- 12. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 12 Applying the procedure: An example Context: This service is part of a capture-the-flag online challenge (ringzero.com) About the remote service (base 64 decoder service): The remote service listens for input on a particular port It outputs base 64 decoding for the given input The binary of the remote service is available for download But not the running environment such as libc libraries nor OS 600 assembly instructions (x86-64)
- 13. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 13 Applying the procedure: An example Challenge: Break into this remote service Perform remote code execution by exploiting vulnerabilities in the binary Steal secrets (i.e. flag file) from the server by reading the file system of the server
- 14. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 14 Step 1: Data gathering of the remote service Tools: readelf and grep What is the OS, machine, and processor type of the remote service? dharma@ubuntu:~$ readelf -hn <binary> Data: 2's complement, little endian OS/ABI: UNIX - System V Machine: Advanced Micro Devices X86-64 OS: Linux, ABI: 2.6.24 Unfortunately, my OS version is different from the remote service But we will overcome this problem (discussed later) Is the stack executable? dharma@ubuntu:~/Downloads$ readelf -lW <binary>| grep GNU_STACK Output: GNU_STACK ... RW 0x10 RW means the stack is read and write only but not executable
- 15. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 15 Step 1: Data gathering of the remote service Is there a stack canary that will kick me out if I overflow any buffers? Tools used: objdump, grep Dump of assembler code for function doprocessing: 0x0000000000400eaa <+318>: mov -0x8(%rbp),%rax 0x0000000000400eae <+322>: xor %fs:0x28,%rax 0x0000000000400eb7 <+331>: je 0x400ebe <doprocessing+338> 0x0000000000400eb9 <+333>: callq 0x400930 <__stack_chk_fail@plt> Stack canary is generated at runtime and stored in the fs register Unfortunately, there is a built-in stack integrity check stack_chk_fail will be called if I corrupt the stack
- 16. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 16 Step 2: Analyze the binary for vulnerable library functions? Tools used: objdump and grep Which external functions are used? dharma@ubuntu:~$ objdump –R <binary> Output: List of library functions used by the binary Hunt for vulnerable functions pointed me to “fork” This function is not used properly (more on this later) No strcpy or gets usage (unlucky for the hacker)
- 17. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 17 Step 2: Analyze the binary for vulnerable signatures? Is there a function in the given binary which takes two buffers as inputs but without the length of each buffer as arguments? If yes, then the service may have memory safety issues It may be possible to overflow the buffer, modify control flow Searching for vulnerable signature often requires disassembly of the binary in order to reconstruct signatures for each function Takes a lot of time and effort Found vulnerable signature: base64_decode(char*, char*); Disassembled function found no bounds checking of buffer sizes
- 18. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 18 Step 3: Reachability analysis How do reach the vulnerable signature? Answering this question requires reconstructing the call graph from the binary For example, in the remote service vulnerable function base64_decode is called without bounds checking Great news for the hacker – stack-based buffer overflow
- 19. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 19 Step 3: Reachability analysis: Manually reversed C function from binary (sample) void doprocessing() { char base64Out[0x200]; char userInput[0x400]; bzero(base64Out, 0x200); bzero(userInput, 0x400); write(1, "Please enter your base 64 string: n", 0x23); read(0, userInput, 0x400); write(1, "Your message is:n", 0x11); write(1, base64Out, base64_decode(userInput, base64Out)); /* base64_decode is not checking the decoded buffer size */ write(1, "nThank you for using ringzer0 base64 decoder!n", 0x2e); } • Base64_decode can corrupt the return address of doprocessing • Remote code execution: If the base 64 decoded string exceeds the buffer size
- 20. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 20 Step 4: Memory layout analysis Finding the vulnerability is a small part of the puzzle Exploiting the vulnerability is the tricky part We need to understand the memory layout of the remote service from its binary in order to do remote code execution Is the address space layout randomization (ASLR) turned on in the remote machine? Do answer this question: We need to find a way to leak memory addresses from the remote machine to our machine
- 21. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 21 Step 4: Leaking memory addresses of the remote service Every Linux binary has a table called Global Offset Table (GOT) GOT contains pointers that will point to runtime addresses of library functions Goal: Print the GOT entries of the remote service! We can modify the control flow of doProcessing function due to buffer overflow We will overwrite the return address of doProcessing by the write function address and pass a GOT entry address to appropriate registers (rsi register) This step is performed using Return-oriented programming (ROP) Running the remote service two times showed different addresses – ASLR is ON – not easy to hack the remote server
- 22. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 22 Step 5: Stealing the remote’s Libc Libc is turning-complete – meaning we can construct any algorithm from the fragments of libc Since the remote service is vulnerable to memory errors, we are able to read arbitrary memory of the remote service! This vulnerability allowed us to write a program that secretly transfers the remote service’s libc binary This solved the problem that the remote server has a different runtime versions of libc and GCC
- 23. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 23 Step 5: Stealing the stack canary The stack canary prevents remote code execution! Goal: Steal the stack canary by guessing 1 byte at a time Approach: A stack canary is 8 byte, require 8x256 guesses The binary has a fork-based vulnerability – a design flaw The parent remote service spawns a child task using the fork syscall But, all child tasks inherit the same stack canary Thus, we wrote a program that will correctly guess the stack canary in 8x256 attempts.
- 24. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 24 Step 6 – Constructing the evil input that spawns a remote shell In our case, we want to spawn a remote shell using the vulnerable remote service Using return-oriented programming (ROP) – a hacking technique We wrote a program that constructs ROP gadgets using the stolen libc We get a backdoor into the remote system! Please talk to me for more details! only 30 min talk
- 25. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 25 Conclusion Memory errors are very dangerous even if a remote machine is running on a custom-built environment! Hackers can steal, reconstruct, exploit our environment Secure OS features are necessary but not sufficient We were able to defeat ASLR, NX, and Stack Canaries Secure coding is mandatory; OS cannot always protect us if our coding is not secure One main security requirement: input validation Extensive off-nominal testing/verification is required!
- 26. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering 26 Future work Our binary analysis is semi-manual More automation/research is needed for binary reverse engineering Reachability analysis is effort intensive Generating a remote shell spawning evil input is the most challenging part of exploit generation We have some ideas for how to do this!
- 27. © 2016 Fraunhofer USA, Inc. Center for Experimental Software Engineering Linux Binary Analysis and Exploitation Dharma Ganesan, Mikael Lindvall Fraunhofer Center for Experimental Software Engineering College Park, Maryland, USA {dganesan, mlindvall}@fc-md.umd.edu