Shooting the OS X El Capitan Kernel Like a Sniper

Video in TIB AV-Portal: Shooting the OS X El Capitan Kernel Like a Sniper

Formal Metadata

Shooting the OS X El Capitan Kernel Like a Sniper
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

OS X El Capitan has introduced new exploit mitigations to the kernel. Such mitigations include the “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on new MacBook Pro models), etc. Combined with existing modern OS exploit mitigations like kASLR and DEP, exploiting the OS X El Capitan kernel has become harder. Approaches to defeat those new mitigations were discovered by security researchers in late 2015, but most of them have additional prerequisites on either the bug or the environment. For example, the technique of overwriting the size of vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), and some techniques require creating specific user clients, which is prohibited in sandboxed processes (Safari WebContent, Chrome sandbox, etc.). In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal to all OS X kernels and doesn’t demand much of bug quality. Only a single write (not necessarily of an arbitrary value) is needed to pwn everything (including info leak, kASLR, DEP, SIP and SMAP bypass). The new technique will be illustrated by a live remote root demo during the talk.
OK so we are happy to introduce the next 2 speakers, that's Lynch energy that it, who will be doing a talk about shooting the OS X El Capitan kernel like a sniper, and thanks everyone and the good
afternoon and I'm happy to be presenting become uh to some 16 to which is the 10th anniversary and that of my talk today is shooting the OS X El Capitan kernel like a sniper solar why we use of the term sniper is because of 3 reasons the 1st of our team from the team called Tencent Security
Team Sniper and that will also we start hasn't PC Manager team and of the this team actually was about what must topple Yeang Pwn2Own 2016 and the 2nd reason is that we actually do doing the Pwn2Own event we we we do Safari and remote exploits and the finally what we got through the privilege and the so the reason is that we from well for what exploits of the kernel of a particle we used that is very likely to be a sniper because of the long oral buffer it is very far away from the buffer that we are targeting muscle it needs vary proceeds as a as memory layout T and in this talk we well and we will talk about the some something about exploit technologies on El Capitan so 1st so we will introduce you introduce ourselves so my name is mentioned and I am a senior security engineer being that and there are my main focus is browser vulnerability research, iOS kernel and the sandbox 6 and also I did something about you the route so that's flanker will influence the minimization of and I'm also assume there's a good research and have
collapsed under my main focus a similar circuit random overstability including enjoyed and hours of was that the the land and the kernel of the sun so our agenda today includes the that's something we want to talk about OS X kernel exploit mitigation introduced the full-year patterned after El Capitan and also she doesn't go well that talk about the new approaches that we found to exploit to some and not perfect back after El Capitan and finally what do them or to wrap up a lot of what took so I to the preclinical rules the mitigation the 1st case they are this is a very outcome wing of the modern a list of I think of both Windows Linux and OS X that has the kASLR in the in the kernel to randomize the kernel followed to address and also there is a DEP which is the Data Execution Prevention to disallow the could appear at page and also of its any key SMEP SMEP is mitigation method that to disallow kernel code execution directly from the user mode so that's after that you you when you the Q League some pointers seeing the the kernel but instead of doing it and executing shellcode value this directly the OK
so after El Capitan actually SMAP is also are introduced and this matter actually is the whilst their current the Windows mitigation because the will 5 we know that's Windows doesn't have SMAP implemented at the moment but only El Capitan it is implemented but before that so we also need some support under the CPU architecture so 0 we can use the command sysctl to to check whether our CPU supports SMAP or not so we can find that that it's it is seen the leaf 7 feature so from unknown support is an aerial only as and SMAP is listed under of from the new MacBook but we can find that of this SMAP uh SMAP as MHC is also listed on this kind of CPU architecture includes the latest some model of medical kind of new MacBook unlikable and the new MacBook the the
yeah so we have some of mitigation is the by El Capitan as also this includes many falling Felecan technologies so before El Capitan we actually have a half of the vm_map_copy approach to leak some of someone kernel kernel addresses a soul uh before you know kept and we can find that so if we use the OOL to us the message of to to a kernel actually also we will have this of that copy of structures which can clue includes to keep the key field 1 field is that kdata which you can modify it to using of overflow the ability to modify kdata to it as something else so so that's when you receive that's OOL message you can read or whatever you want the soul of the this this 1 and another is the size field you can modify the size so that's you can read off of bumped so this is before before El Capitan and introduced the by El Capitan and 10.11 and actually you can find that kdata pointer actually is moved and the instead it to use the inline the structure which uh that they call world directly append it uh after vm_map_copy header struct fill up after that uh there is no such pointer so you can alter or modify that pointer but still there is some are
somewhat ways to bypass these so 1st you may for we cannot do arbitrary on memory reads a we can still try to use the you use say of overflow vulnerability to increase the size field so that so we can put another important objects after that sort of struct and then try to try to read at the table alt so that we can bypass the kASLR uh you do we can because the slide to bypass kASLR another approach is that in but is funded by the by a lookup of leech he suggested that a weekend I can increase the size field and the try to read it out so that's a that's vm_map_copy structure will be freed the to and another so so that you can play of 0 we saw a zone where I'm and it the emic and again the gains of the EU you later on
the but after El Capitan 10.11.1 actually another mitigation is introduced you can find that so if you use any vulnerability to modify size field of all in all of those of vm_map_copy struct then you try to receive the data and then you will find that the the kernel will be lower will panic and immediately so let's see what happens so here you can
see that there are 2 structure thus struct y is the mach message OOL descriptor which had this quick required of all elements each learning the kernel before you receive it and then the gene this structure there is the field the address which points to of vm_map_copy struct and you can find that both structures have the field and them the size so that uh where you type you receive the whole message it will do
I check to see if these 2 size fields dimensions if it's a mismatch of all the the size of the OOL and the descriptor message of size that have not equal to 2 to the vm_map_copy size then well do about panic of immediately about if it finds a it is equal well which passed the check then it will call the next of function Q copy but also the memory to you the more so here it's the introduced a new program which is time-of-check to time-of-use so you can assume that's the 1st to check back but is part and in between 2 sentences you can that had to use another of thread to try to try to do overflow to the size so if that's succeeds the race succeeds then you you can bypass these mitigation still but
say all of them in the mitigation introduced the by Apple in El Capitan is very effective and although we have the TOCTOU issues do exists it is not very reliable because the time window in between 2 sentences is very short if you fail to race and to to get some some instructions to execute between 2 sentences thing about the threat and then you will receive a panic which is not very reliable a soul of such mitigation aware require us some harder the to exploit the kernel the kernel of especially you don't have well separated 1940 commander ability and also if you want to exploits of that El Capitan I think before of what box of you in the public or we can find all of them are kind of perfect overflow vulnerability which means you need to if all you need a overflow vulnerability and it's less and it's a uh is written content Opel's controllable so in many cases such vulnerability of wall we will have some non perfect at once which you would have to give out before that so let's look at the a kernel exploitation requirement teen elicits 1st off course you need to leak the kASLR slide so that you that you can bypass that kASLR and the currently mutual Apple did a lot of mitigation and also you need to the some address pointers to of controllable data of this is that previous the laid down by a monk Paul the object but so this is also mitigated actually before the captain and the even worse all you will see is that but we we might actually need very perfect about to achieve those and also of uh because so we we and you you know you encounter Jues understood in 16 we actually targeting the browser still up not only your back there needed to be triggered the moon by the browser because the the browser which has a very strict sandbox of context and also that your exploitation method also needs to to be reachable from a remote attacks surface so this is the class of higher exploitation technologies even tho
sometimes so we we may have some non perfect like you can write all you can overflow but slow value you all of the value you do all the right is not so arbitrary value actually it is has some limitations and so if that is case you will get so you more trouble of soul of it reminded me actually the hot come off the internet exploitation meaning that the year 2012 where I think a lot of it is very unlikely to for you to exploit a you have floor or something similar which is not a very it perfect thank the the
all of another thing that I need to think about is some memory spray soul of full memory spray all what that reminds me is the heap spray on the browser side of which is very reliable is string made uh and especially in the 32 bit systems because of the reasoning is that the memory at that time is much larger than the of address space because the on 32-bit systems of the up address space is 4 gigabytes but your memory is larger than that so you can do some of our test and so on uh you you can do a lot of a allocation on duplicate values so that T on the specific under fix the value you can get so your and reliable can show that the top and the on 64 bit system it will be less effective the system because that if you malloc of malloc some memory a lot of times you can see that on the Mac OS system the 5th byte is always different and there's a relatively random so that you need plenty of to some 256 multiplied by 4 gigabytes to have reliable of reliable heap spray a which is not likely at the current and the situation still a let's think
about the memory spraying also in all articles of like all those of vm_map_copy structure is in its cage uh mitigated a lot uh it's a feature it has to do some good features for of memory spray because that before you receive that they'd had unit of the all we did how well keeping it will keep in kernel before you receive it and also on you can consider that all those OS X kernel is 64 that bits and actually the address space is very large my much larger than the physical memory on so it looks like a on an achievable but if you research into it in more detail today and you will find it is still possible because of it depends on 2 questions 1st is of the OS X kernel address really lot that address space really large although those spaces larger but a whole about it 0 what what address it actually choose it is really random or not to the full up after leaving such that I know of the address we we can find that so 1st though kernel on the TEXT base is very dependent on the kASLR slide so it's a load addressing is actually a very fix the base plus the kASLR slide which is less than and to all and be all that mimic upright so of this about these of revenge is much smaller than current of physical memory size and another is also of the kind of cut kernel database which is very likely very similar as the TEXT base so and also
we found that when when you do that kalloc uh the kalloc allocation of memory actually we can find the starts of that's address is that it can be find answers so map about it should be out of being stuff stopped and the week we tight you on slides that memory at address of apology tuple of each foot and the based on a lot of statistics we can find the that's the 1 slide that low value off that address is very close which means that that that's and also that allocation started from the lower sides to the hot house at Seoul which is a very good and there we can use to try
to do the spraying will we OOL a whistle more than a war of 512 megabytes of multiple by 2 which is a 1 gigabyte so if we do a 1 gigabytes of all spray we can do a very reliable memory spray which means you can have look controllable the title very fixed address so
of that the this graph actually show shows that so when we uh we see while more than 1 gigabyte of spray you can we find that the height of their it seeks to address that you can't a half of controllable data soul up
after we've research would find that's a we we should ask us the ourselves why we need a spray soul sprayed but if you have a very good book good approach of memory spray actually you have flow gotta walk around the unique some kind the address because uh to bypass SMAP and this you have to use that used to in the somewhat of kernel address and of those addressed you need a somewhat a controllable data from the to to
prepare the op channel or something like that and another reason but before that besides those reasons are there are also some very good features which a flanker well aware introduced later to heal policy sniper to to realize the final Paul so we will introduce the case study network OK of environmental of introducing the detailed case study of the city of 20
sitting 18 of the 15 on women it has the be art and this kernel model used in this series of upon long condition and this bond lies in the IOAccelerator family under we believe editors is this so the in the moment will models and the this is the 1st of all my books and also I marks on the process and also of the models that have a not elaborate about at the detail on the spot here because of the time not not enough but I will do a brief introduction on the impact of this part of the final impact of it back there is a vector right so that we'll goes out about after a certain a carefully prepared other situations and the cabaret prepare the memory and the Nico winning the lack of data al-Qaeda cost to trigger this spark and the level of honorable memory allocation lies in the kalloc.48 block and the local image in the bottom of this of presentation shows the a memory layout when the poppy the trigger or we can see that the that the 1st of 6 and 6 blocks are on the other most books are along the analyzing the for the it is on this a location contains the original IGVector under which it has the size capacity and the storage field and we can prepare a carefully controlled the 48 block after this on the nite for the data block and put it someplace some fake IGVectors there and the more honorable function will finally goes into the IGVector that enable you to all the rights the and
the this function we can see that well that someone who's there is some actually filter letters are each of the from of structure and in the vector rectangle parity of the rectangle parity Yoshua is O 2 rectangles and there's like a flows and the useful also due to the limitation of this bargain box nature each filter must be in range likely-negative you ever have to positive about member format and the order with starts at a storage . 0 0 + 24 + this ourselves out and the is at a storage it we can see that this right is descending for is the descending fashion and so on are saying we need to know that thing I triple the sound of the of 5 series format that the flows in range FFI properties actually represent his American history have is 0 there a all of starts from and this led you and that is that of of force so it's about there was a world and the the negative and they can you part of this so falls by the rapid and his in a PF propagate there there'll and so the seasons from fff there there and this the you memory repetition of this profiles the and the with this and knowledge in mind we were now introduces the generic excoriation approach of for this the non-poor factor or be right
so I have the honor to introduce the before that and we'll get a perfect anything anywhere on a is and is the some Hall where it is harder to exploit it in the place where the more than exploitation but faces it's not a very big of a problem but the way you you you get a right restricted or something anywhere on bit just like a little please on 1 and take and you can only write 8 floats continuously in this range and like a light look to warrant you can write on only begins likely industry have seen for 7 0 at the beginning that you have and this is the 7th and with this 1 I made a Hawkeye you achieve real reliable exploitation
so how to turn into RIP control under the you have you have to ask that we have asked ourselves well where we write on the what do we write and the whole time we ensure stability especially for competitions like long and there we must make the dispersion technique ritual in some books and the hope comedy features of modern makes of mitigations like a kASLR and that are likely as SMAP and SMEP and Cowley pwn the kernel just for you this single unknown perfect bug
and the answer is yes it's a hot but is not impossible the so we have
Sarah challenges that of the 1st thing comes in mind of skilled all assets kernel story petitioned the researcher at him a single overriding of vm_map_copy about has ever the as that and the answer there in the previous slides of my fixated in certain I the some mitigations in the 10.11.1 although we still have a ways to bypass it but is not applicable to our own ability a because the please I want ability requires a continuously
because it ladies and continuously a decently from high addressed address and
it will all right they which useful alright lens in the way I'm not properly and we will definitely alright there had also right the head the only on the public and it will lead to a kernel panic also we can see that the value of the 2 were really right he's not WordPerfect it because the to address history have the BF in kernel is not a valid address or you has he's another ritual addressing the kernel so that we cannot the vm_map_copy to to transportation and the we can think of links within a week of right some of that could be if people location or some other addresses and the 1st so amazing
call is override his some like of vtable locations of the vtable pointer location and it would do our aligned advisor right of them although we all right of heat location uh we can see that so we will run the location with some be afraid 0 there there and of course it will not work because the idea is the old address it does not use a is not about addressing the kernel address space a of you would do so full
bus 4-byte aligned write that already in the lawful bytes over these vtable address all the vtable pointer address the we can into the into a valid alright and the size for the x86_64 architecture that allows us to 2 of 4 bytes or even 1 byte of parliament writing a mov instruction so we can see that in the the recognize in this in the Trojan like 0 move are absolute plus Az By side class at 18th and the limo would write our for this location on the REX and I ables comparable bias on the part of the is a is limited to the range we have discussed that before so I'm probably so why not we
all right and some vtable pointer and the head of some user clients and we to we do not show this approach because in most user clients the high bytes starting I've ever ever ever some have and this this season knows the high bias or will he addresses because in kernel in the OS X kernel address at the URI have a high bias of ever ever ever ever ages 0 so you will write a little we a pointer here we not we cannot get it to redirect some the dress we can control so we cannot help but we do we cannot all a song readable pointed to get RIP control of their exception that would only to the client and it has a vtable pointer starting of holes locals for spies is it's 0 but that the but later cited too small and the it it with a size it was small because there may be some it will introduce a new obstacles for politicians the 1st is the we prefer to support a all out OK the sound of peak user clients of holders Isely's the multi then multiply pages size to ensure that it's a vtable pointer will be will be located either starting on page and so will make it is that which makes this address more predictable and also a smaller clients willing introduces spray speed shows the and they are all we all observer
that of this spray speed all user clients decreases as the user client count increases and the people we might ask why and in this kernel structure the
oval opening new user clients because the that In the files so it's new user clients the will finally calls into some of IORegistry of attach which have potential parent unattached child and finally into the I remember and this the
feature over the Iowa just replying that each value the kind need to link to the apparent our stories and their Paris and maintains the collection of our students and we can see that in this function and the attached to parent so it will finally the the need apparent effect will be found need to set to true and the in the if set of true it will cost
will parent attached shout moment in which the parent Allosaurus as the the new trying to its collection under that would have the that it made it hit the collection the maintaining of format of always rate and the error member perform the linear search in this but in this always a rate so anyway always with some fundamental data structure of our barbarism technology and will you will realize that the total time complexity here is always square complexity and what makes things worse see that tho we see we see
the effect object function in the maker links that'll the of the new boss as Oslo you that you client is inserted into the authoring and it is capacity need to be ensured by which means that all it will be spending it cover that is not enough but it lists
expanded all we can see that there some out of allocating and freeing up coming the freeing up of course she occur here and this will make the a total and new you the client the function of the total time cost of by a single new the client a function it will make the time much longer and the
way to a static sermonises here with us and we can see that the totals time is the increasing of like in all the square a time considered is very obvious that the time increases very much as the as you panic on the use rate increases so it is a pity that anything to 2016 now and we still have always square upon comes function been a part of the whole in the probability of reduces system and we hope that average nearest 0 we fix that to make also a foster the and so now collect
for exploit addition and we know that we cannot alright so that we do but pointers and but a higher mommy artillery her and so we have low field will have a pointer field in the clients that we call right because we can see that the in nearly all out our sort of family to the clients they have a source point her associated and these appointed tool in tells the reader and the dangerous surgery actually the rapid the representative of the uh the graphics the graphics driver itself and and it is located in the also in a calico H 1 and 9 to ozone and also hit is a hit locations that is the of use of force by 2 is a 0 and it is perfect for our 2 over over right and they'd also contains a virtual of function cost fast will obtain API control and we call and appointed to comfortable memory we will use all their messages to spray so we can see that in this the 1st screen these screenshot it the memory layout of IGT so would you contest and we can see that the oversight all 5 to 8 as the a heap address and this is actually the address of the Intel's reader and we commodified will call write it the but another problem arises right is that utterly kind
not at the relay call the a fake the fake sources the fake in-house Lotus were to function because we know that have the header of the vm_map_copy is something we cannot control it is the a determinant buys the vm_map_copy header itself is under a we cannot you they tell you the head of it as a little that we table addressed look at somewhere to function cost a so we need I indirect over function call and the selector 0 the context_finish function is our superstar because it contains that are in your approach function call in the service of a point to an even a machine and it will call context_finish so now we have seen it in that we have always of RIP control and we need some ways to prepare memory and the little step so the number praying is the least as follows 1st week was with some I could affect solvent or mass or messages and although my our size out to a problem which size and the push of pushing will push up the people covering the 2 towering tool people address allow the it was only the appear it is 0 and so we can see this is the full to represent the position of and they give you need if you want to handle or why we chose this address so why we don't use the address starting with the CIA have always see or like a starting with the surreal study was for a because of ASLR it will push the heap location up or push the heap location down additional time they said determined by a life and the way your observation that this addresses the every 0 it is fixed a stable fixed point addressed a originally spring and summer higher dress like us address study Lucy is not applicable because it too high and the we will free of middle part the or a message and a few with the IGAccelGLContext but a whole the size these also probably to size and lower power and other key address that his address when and as address a that is a 6 2 3 it is 0 0 0 0 I will provide rights you the result when overtake as a stories pointer descending and we'll pointed to all message you
only walk was count and we can control and we'll call all the we'll will be talking a full of we'll call each object so we do contest external method and even while and allows only well the microbead on what will we call this last of external Massart actor contest finished at the hop you will be redirected how we get the control the control flow and this is some this may be
called of for the spray under the Indian embodied Doss array the offset was little about anticipated so we are we're using 2030 at this moment also by the same that we now have
the perfect approach for RT control and weight by sliding window that have either address the a which is the with the which is the half of ever have 0 the of the base 0 0 0 0 and it is powered by arms sort of the is as we address these cholera by the way have mapped public content and the count and the the company we can control will to spring and address space and study ways of ever have a 0 6 2 story or whatever it is the Coralie's Agic so we do context and with this in mind with this to the address the mind we come all and for the 2 in folic
it and then there is an interesting function in the IGAccelGLContext, namely the get hw steppings and is so that the function is actually a very simple and that we can see that line 6 to line 9 iterates the sum particulated particle or offset content use those stories in the IntelAccelerator itself but the line defense is very interesting because it retrieves the summer dressed as a of offset 1 2 8 8 in the IntelAccelerator and know it will return the value at this address to only has we we know that a we how pointed out that the corrupted IGAccelGLContext the pointer to overcome for vm_map_copy content so that line 9 underlying line the study from my 6th line I will only return the count in the in the vm_map_copy and the common these non us because we prepare the content but line thing they will prepare some addressed as the whole a 1 to it's a bit of me that we can get all of which were you address read From this of from this particular statement and this is our it is over a useful in use express statement so long as we we come
up with of the initial leaking strategy that we know that a by spring would have sure that the lies on the address a life as you so we do contest and either be utilized them we're property was common we have already known before was spread and the way alright source pointed to be and that it will the sort I will point to the vm_map_copy and that will wait will reduce we feel that the amount of vm_map_copy with the 4 1 4 1 4 1 and we know that the code
of here from 6 to 9 it where it out so it's 4 1 4 1 4 and we use it has a as the needle to detect and the this statement where it has a at on addressed with specified by the the all set to 128 so here the figure
on the we believe the figure will help us to understand the more it more clearly and this is the initial layout but before the 1 orbit has been triggered offer the memory layout has been prepared we can see that in normal situations even 0 by Sabrina that only we can ensure that the unhygienic Excel we do contest right at the games that addresses the uh and we see that the of of 5 to 8 uh it has a high the pointer pointed to by intel Sarita a who is also on the he ponders the and in some higher dressed up for might address be there lies on the and the company and they are as a Kellogg could at 1 1 9 2 which is probably the size zone and of which occurred please I wanna ability here and
we all right to the other so it's field on we make it pointed to this but for Serena controlled of content and the other how do we feel this content
and this can be explained in this figure that out of the pools along the pool that can into some something we cannot control it is a header we're map covered about the other the other address for the employing this little whites I reckon goes away feeling who was a form of life on and the needle the needle addresses of ways of would clue what are illustrated by some I like hope what brung a product and those the needle and all that data it is it could be the corresponds to the line 9 to line at line 6 under to line 9 of the get hollow studies it will return the content of the iterative 1 4 1 and the way you that has the needle and the the grade degrees on the green rectangle is I address and we actually want to read the poem has that is some addressed here and we use it to to our we we read and we make it a pointer back to the Agic so we do contest which means that we can read the had over the adjective so we do contents and get away table pointer addressed so it looks a some Hall of perfect about cos some of you may have may have pressures not and that's the whole kind ensure that has the IGE excel will you contest the whole the size is double page a Hawkeye ensure that data will begin to address a a why not a the become white kind of the the begins at address b + 0 pp size so is it is
object was either you cannot be sure you cannot you cannot say that it and we'll must follows either address a or for that address a plasma decides there the 50 to 50 chance of for both of them so also for the M puppy you you also can ensure that has to the appropriate whose size it double page it will fall that the address be addressed the past page size you cannot be sure that so we needed to know that in the view only a user 1 address and the you can only you can only get a 50 success rate of so we need to write ties to ensure a 100 per cent success rate so we do I'll be right of post at to pay under the plus 0 pages size and the we will we are preparing the content of the American public only provide some whatever the address of addressable sides so 1 to it underwent with the minus precise that is to a its and the writing of this part also reason the
spending of in the figure more clearly this is
the ideal content this is ideal situation that but the other as a Elijah IG of soda contest on here and the address being the on the published on here on the what he's the false
the address a falls the right in the middle of logic so we do contest of the other was logic so do contest begins at address the minus produce eyes on the so by by implies we can ensure that those but the least tho 1 of this tool by G. we do contest that we'll have a their servers pointer corrupted or for this situation but we do a double
right away we all what would be a corrupt the IG Excel we do contest starting address space and in this situation we can see
that the digits 0 to contest a study at the address they minus pages size is not corrupted because we know origins in this field starting at 2 1 5 to based boss the idea so you can't as a starting eyes of address the + pages size is granted and we can use it to continue our exploitation and also of for this we met poverty and the what if the them up map copy it over the address the of falls in the middle of the endemic malaria map company it it does not a begins at address b and we can also do a bubble prepare and what is the content of them probably and a fully this situation they have addressed the is right in the middle of the we and the public and the leak out with prepared at 2 locations of both sides a y 1 for the 0 and the 1 to and also I to that to address minuses pages size and there we can see that the the so I so we contest the will happily use Mary recombinase starting out of yeah it 0 which has addressed be under study in the past to produce size you use this comes and as a fake incarcerated and it'll we'll retrieves the content here and as a as a lot of them but all of which we address read and as we have already prepared a some address here and we can still do our evil because technique of we we we can still pointed back to the just a all with as if he had a problem they appointed back to address a we're not really in the visible comes in varied in the all the so we do contest which means the which raises
0 is another useful content so how how how we solve this problem actually
sense for the feature of all we end up probably that we can do but very few of free and the review this little them up cooperate which means that you wait to a region that I just a and we found is 0 it means that we need tools read address they passed pages size and we just so we can just free this we have covariance finally if we review it was a degree the gray rectangle modified or with under modify the ways that address they pass pages size so that we can still read all the way to go point address and the continue or exploit Hisham so and now we have a expand our strategy of lithium fully could only Ovonic solution
and is so that the whole world the steps that can we can see in this figure that 1st of all we feel the all will prepared at the Bell and affiliate or messages on the left of the field the field where messages are free some of them under feeling that accelerated contest and which triggered adapting by will connect part is the link bite is 0 on me it means that we hope will we need to adjust the 3 address by pretty size and will replaces the older messages with the with address the past of pages size and the and we can recall that the in the function get powers that
means uh at each time only about 101 bytes is the because out here so we need to do like updates in
politics under we replace P the
steps and alive and but the closer and plus 1 byte and of waste to a free and reviewed or messages unduly could all the bias of the we which a pointer all this the people is clear the on the way this up cleared his virtual or to the table pointer the hand and we really field a message you with this address and the we use it to link a kernel of such as it is because that's you would be cut out of the virtual table a pointer or the key the i it is actually in that they the residential in that that a section of the power so at her family to I'm about to do the group power p undertakes it it could have some other would come and so we need the the address of the kernel itself so we which which was for the the address of the all as object a reduce function which is the 1st the function of all or subjects who were should tables and this the a function is actually not that section of the kernel for that we can use data to get a kernel of sets of pairs such offset a leak to so
actually there's some pattern always exists and we will I've access for readers actually the given to be so so I to tory capital ways the ball Slavonic technology and oppose the API control that how we get over a whole at local or what Haitian and the 1st always like a sum to a gigabytes Our messages and that attended a with a 4 1 4 1 and prepare some of address we on to reach out to the 2 sets and also with freeze on middle part so we asked the Philly who is actually kill contest and trigger will be right and we iterate all the open the clients and the colleague at Harvard studies and to look for for for on the we get a full of 1 has this I'll buy cheap so would you contest is but definitely the 1 that is granted and now we can use it to and so the the 1 problem is that it is located at the address space always look the address they plus 0 1 of past 1 pp size so we can use it to to for further exploitation and so we would but that's the real question 1 by the Y 1 and together the table and the address of the the and also the kernels of taxation address of set and we will finally it will reveal the messages with our feature and 0 we'll call contest finish to do the API control and finally to a point here so actually we can see that the fully could steps are much more complicated and then the API control on the and this this with this thanks for that might additionally introduced by the authors kernel at a makes our or come much more harder so your conclusion so we have discussed in the previous expression techniques and theories for addition or locker might editions of by the Bob Hope under we have presented the new generalize the explosion technique a walking that even you have 1 not so called on a restricted all be right you guys do you they to get like a 100 per cent the states stable our kernel of exploiting and we can see that uh except acceptor we have you know the the like the hollowware steppings function
on the lack of the contest the Finnish function and also the sprays and it this out that you make it a measurement of the
features you know SS kernel and it
is not related to anyone ability and which means that we can top data to other will be right on abilities or even he wore flow or his and the so this is we recorded on generalized is correlation approaches 3rd so here and there are only 2 credits for those people from some in our teams that Marco could be we share and some from time will likely note now so look at and also well my classmate of was single go to food for price on the size and exploitation and and so we will do a demo with a demo here to save some time because the winner lattice of rain take some time especially on this low and another of the memory is restricted and the the the virus in this in my book so that like them or is it too time-consuming we we we do them here and there with our is the fully exploit it is quite cold of you Felix in the in the could help and the police are elaborated itself will be discussed in lovely gossip had and this is this summer and we hope to see you there and so we can get away with if you want to know the that the hell of a lot of it itself another explosion methods and of course the exploit of the we can recall that to achieve a stable memory layouts a
linear weights how to achieve a stable memory layout here actually activated takes some walk because the chemical 48 is only the frequently using kernel and you is is somehow hard to achieve a stable covariance and I we we introduce or other techniques use they and in this uniformity In the please are talk under so it so as to optimal here on
shh and the this goes to school Hans Zimmer for the background music and and I assume he's not here the Prof which and I was
and and and I interesting or was all the racially out by you conduct you actually you cannot Popov was would progressively user-mode but these were injured hand in hand to hand it to the nobility the