CSc 466/566 Computer Security, 14: Man-At-The...
Outline
1 The Adversary
2 A Cracking Example!
The Adversary 1/44
Who’s our adversary?
What does a typical program look like?
What valuables does the program contain?
What is the adversary’s motivation for attacking your program?
What information does he start out with as he attacks your program?
What is his overall strategy for reaching his goals?
What tools does he have at his disposal?
What specific techniques does he use to attack the program?
The Adversary 2/44
Example Program
[Figure: block diagram of the audio player: a user key and the player key, encrypted media, an activation code, a license-check, tamper-detect, decrypt, decode, fingerprint and violation-response, and the analogue output]
The Adversary 3/44
Example Program
✞ ☎
#include <stdio.h>
#include <time.h>

typedef unsigned int uint;
typedef uint* waddr_t;
uint player_key = 0xbabeca75;
uint the_key;
uint* key = &the_key;
FILE* audio;
int activation_code = 42;

void FIRST_FUN(){}
uint hash (waddr_t addr, waddr_t last) {
   uint h = *addr;
   for(; addr<=last; addr++) h^=*addr;
   return h;
}
void die(char* msg) {
   fprintf(stderr,"%s!\n",msg);
✝ ✆
The Adversary 4/44
Example Program
✞ ☎
uint play(uint user_key,
          uint encrypted_media[],
          int media_len) {
   int code;
   printf("Please enter activation code: ");
   scanf("%i",&code);
   if (code != activation_code) die("wrong code");

   *key = user_key ^ player_key;
✝ ✆
The Adversary 5/44
Example Program
✞ ☎
   int i;
   for(i=0;i<media_len;i++) {
      uint decrypted = *key ^ encrypted_media[i];
      asm volatile (
         "jmp L1     \n\t"
         ".align 4   \n\t"
         ".long 0xb0b5b0b5\n\t"
         "L1:        \n\t"
      );
      if (time(0) > 1221011472) die("expired");
      float decoded = (float)decrypted;
      fprintf(audio,"%f\n",decoded); fflush(audio);
   }
}
✝ ✆
The Adversary 6/44
Example Program
✞ ☎
void LAST_FUN(){}
uint player_main(uint argc, char* argv[]) {
   uint user_key = ···
   uint encrypted_media[100] = ···
   uint media_len = ···
   uint hashVal = hash((waddr_t)FIRST_FUN,
                       (waddr_t)LAST_FUN);
   if (hashVal != HASH) die("tampered");
   play(user_key,encrypted_media,media_len);
}
✝ ✆
The Adversary 7/44
What’s the Adversary’s Motivation?
The adversary wants to
remove the protection semantics,
add his own attack semantics (ability to save game-state, print, . . . ),
ensure that the core semantics remains unchanged.
[Figure: two diagrams of program P: the original, made up of protection semantics and core semantics, and the attacked one, in which protection semantics and core semantics are joined by attack semantics]
The Adversary 8/44
What does he want to do to our Player program?
get decrypted digital media
extract the player key
use the program after the expiration date
  remove use-before check
  remove activation code
distribute the program to other users
  remove fingerprint 0xb0b5b0b5
reverse engineer the algorithms in the player
The Adversary 9/44
What are the methods of attack?
1 the black box phase
  feed the program inputs, record its outputs, draw conclusions about its behavior.
2 the dynamic analysis phase
  execute the program, record which parts get executed for different inputs.
3 the static analysis phase
  examine the executable code directly, use disassembler, decompiler, . . .
The Adversary 10/44
What are the methods of attack?
4 the editing phase
  use understanding of the internals of the program, modify the executable, disable license checks
5 the automation phase
  encapsulate his knowledge of the attack in an automated script, use it in future attacks.
The Adversary 11/44
Outline
1 The Adversary
2 A Cracking Example!
A Cracking Example! 12/44
Let’s crack!
Let’s get a feel for the types of techniques attackers typically use.
Our example cracking target will be the DRM player.
Our chief cracking tool will be the gdb debugger.
A Cracking Example! 13/44
Step 1: Learn about the executable file
✞ ☎
> file player
player: ELF 64-bit LSB executable, dynamically linke
> objdump -T player
DYNAMIC SYMBOL TABLE:
0xa4 scanf
0x90 fprintf
0x12 time
> objdump -x player | egrep 'rodata|text|Name'
Name     Size   VMA       LMA       File off
.text    0x4f8  0x4006a0  0x4006a0  0x6a0
.rodata  0x84   0x400ba8  0x400ba8  0xba8
> objdump -f player | grep start
start address 0x4006a0
✝ ✆
A Cracking Example! 14/44
Step 2: Breaking on library functions
Treat the program as a black box
Feed it inputs to see how it behaves.
✞ ☎
> player 0xca7ca115 1 2 3 4
Please enter activation code: 42
expired!
Segmentation fault
✝ ✆
Find the assembly code equivalent of
if (time(0) > some value) · · ·
Replace it with
if (time(0) <= some value) · · ·
A Cracking Example! 15/44
Step 2: Breaking on library functions
At 0x4008bc is the offending conditional branch:
✞ ☎
> gdb -write -silent --args player 0xca7ca115 \
      1000 2000 3000 4000
(gdb) break time
Breakpoint 1 at 0x400680
(gdb) run
Please enter activation code: 42
Breakpoint 1, 0x400680 in time ()
(gdb) where 2
#0 0x400680 in time
#1 0x4008b6 in ??
(gdb) up
#1 0x4008b6 in ??
(gdb) disassemble $pc-5 $pc+7
0x4008b1 callq 0x400680
0x4008b6 cmp $0x48c72810,%rax
✝ ✆
A Cracking Example! 17/44
Step 2: Breaking on library functions
Patch the executable:
replace the jle with a jg (x86 opcode 0x7f)
✞ ☎
(gdb) set {unsigned char}0x4008bc = 0x7f
(gdb) disassemble 0x4008bc 0x4008be
0x4008bc jg 0x4008c8
✝ ✆
A Cracking Example! 18/44
Step 3: Static pattern-matching
search the executable for character strings.
✞ ☎
> player 0xca7ca115 1000 2000 3000 4000
tampered!
Please enter activation code: 99
wrong code!
Segmentation fault
✝ ✆
A Cracking Example! 19/44
Step 3: Static pattern-matching
the code that checks the activation code looks something like this:
✞ ☎
addr1: .ascii "wrong code"
       ...
       cmp read_value, activation_code
       je somewhere
addr2: move addr1, reg0
       call printf
✝ ✆
A Cracking Example! 21/44
Step 3: Static pattern-matching
1 search the data segment to find address addr1 where "wrong code" is allocated.
2 search through the text segment for an instruction that contains that address as a literal:
✞ ☎
(gdb) find 0x400ba8,+0x84,"wrong code"
0x400be2
(gdb) find 0x4006a0,+0x4f8,0x400be2
0x400862
(gdb) disassemble 0x40085d 0x400867
0x40085d cmp %eax,%edx
0x40085f je 0x40086b
0x400861 mov $0x400be2,%edi
0x400866 callq 0x4007e0
✝ ✆
A Cracking Example! 22/44
Step 3: Static pattern-matching
Replace the jump-on-equal with a jump-always
✞ ☎
(gdb) set {unsigned char}0x40085f = 0xeb
(gdb) disassemble 0x40085f 0x400860
0x40085f jmp 0x40086b
✝ ✆
A Cracking Example! 23/44
Step 4: Watching memory
the program still crashes with a segmentation violation
the edits cause the tamper detection mechanism to kick in!
✞ ☎
> player 0xca7ca115 1000 2000 3000 4000
tampered!
Please enter activation code: 55
Segmentation fault
✝ ✆
A Cracking Example! 24/44
Step 4: Watching memory
1 let the program run until it crashes
2 rerun the program while watching the address
3 find the location which sets it to an illegal value
✞ ☎
(gdb) run
Program received signal SIGSEGV
0x40087b in ?? ()
(gdb) disassemble 0x40086b 0x40087d
0x40086b mov 0x2009ce(%rip),%rax   # 0x601240
0x400872 mov 0x2009c0(%rip),%edx   # 0x601238
0x400878 xor -0x14(%rbp),%edx
0x40087b mov %edx,(%rax)
✝ ✆
A Cracking Example! 27/44
Step 4: Watching memory
1 set a watchpoint
2 rerun the program from the beginning
✞ ☎
(gdb) watch *0x601240
(gdb) run
tampered!
Hardware watchpoint 2: *0x601240
Old value = 6296176
New value = 0
0x400811 in ?? ()
(gdb) disassemble 0x400806 0x400812
0x400806 movq $0x0,0x200a2f(%rip)   # 0x601240
0x400811 leaveq
✝ ✆
A Cracking Example! 28/44
Step 4: Watching memory
the instruction at 0x400806 is setting the word at address 0x601240 to 0!
This corresponds to
✞ ☎
void die(char* msg) {
   fprintf(stderr,"%s!\n",msg);
   key = NULL;
}
✝ ✆
A Cracking Example! 29/44
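The self-check of slide 7/44 and the violation response of slide 29/44, put together as an added example (this is not code from the slides or from the course's player binary): the XOR hash runs over a constructed stand-in for the FIRST_FUN..LAST_FUN code region, HASH is the value computed for that region, and a single-word edit such as the jle-to-jg patch of Step 2 changes the hash, so die() nulls the key pointer and the later write through it is what faults. The region contents, the HASH value and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int uint;
typedef uint* waddr_t;

/* Tamper-detection hash exactly as on slide 4/44: an XOR checksum over the
   words addr..last inclusive. Because h starts as *addr and the first loop
   iteration XORs *addr again, the first word cancels out of the result. */
uint hash(waddr_t addr, waddr_t last) {
   uint h = *addr;
   for (; addr <= last; addr++) h ^= *addr;
   return h;
}

/* Constructed stand-in for the machine code between FIRST_FUN and LAST_FUN.
   Word 3 carries a 0x7e (jle) opcode byte, word 5 the fingerprint 0xb0b5b0b5. */
#define REGION_WORDS 8
static uint region[REGION_WORDS] = {
   0x11111111, 0x22222222, 0x33333333, 0x7e000000,
   0x44444444, 0xb0b5b0b5, 0x55555555, 0x66666666
};

/* The constant player_main() compares against. For this constructed region it
   is the XOR of words 1..7 (word 0 cancels), i.e. 0xa8d3d6d3; in a real build
   it is computed from the linked binary and patched into the executable. */
#define HASH 0xa8d3d6d3u

uint player_key = 0xbabeca75;
uint the_key;
uint* key = &the_key;   /* poisoned by the violation response */

/* Violation response from slide 29/44: do not abort here, just null the key
   pointer so that the failure surfaces later, away from the check itself. */
void die(char* msg) {
   fprintf(stderr, "%s!\n", msg);
   key = NULL;
}

/* Hash of the untouched region. */
uint pristine_hash(void) {
   return hash(region, region + REGION_WORDS - 1);
}

/* Hash of a copy of the region in which one word has been replaced, e.g. the
   jle -> jg edit of Step 2 (0x7e000000 -> 0x7f000000 in word 3). */
uint hash_with_word(size_t idx, uint new_word) {
   uint copy[REGION_WORDS];
   memcpy(copy, region, sizeof copy);
   copy[idx] = new_word;
   return hash(copy, copy + REGION_WORDS - 1);
}

/* Self-check followed by the key derivation from play(). Returns 1 when the
   run continues with a valid key pointer and 0 when the pointer was poisoned:
   in the real player the write *key = ... would then fault with SIGSEGV, which
   is the crash seen at 0x40087b in Step 4. */
int self_check_then_derive_key(uint region_hash, uint user_key) {
   key = &the_key;                       /* fresh process */
   if (region_hash != HASH) die("tampered");
   if (key == NULL) return 0;            /* would be the segmentation fault */
   *key = user_key ^ player_key;
   return 1;
}

int main(void) {
   printf("pristine hash 0x%08x, after jle->jg patch 0x%08x\n",
          pristine_hash(), hash_with_word(3, 0x7f000000u));
   printf("untouched run continues: %d\n",
          self_check_then_derive_key(pristine_hash(), 0xca7ca115u));
   printf("patched run continues: %d\n",
          self_check_then_derive_key(hash_with_word(3, 0x7f000000u), 0xca7ca115u));
   return 0;
}
```

Note that an XOR of words is a weak integrity check (it is linear, and here it does not even cover the first word); the slides use it to illustrate the mechanism, not as a recommendation.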
Step 4: Watching memory
overwrite with a sequence of nop instructions (x86 opcode 0x90):
✞ ☎
(gdb) set {unsigned char}0x400806 = 0x90
....
(gdb) set {unsigned char}0x400810 = 0x90
(gdb) disassemble 0x400806 0x400812
0x400806 nop
...
0x400810 nop
0x400811 leaveq
✝ ✆
A Cracking Example! 30/44
Step 5: Recovering internal data
1 ask the debugger to print out decrypted media data!
✞ ☎
(gdb) hbreak *0x4008a6
(gdb) commands
>x/x -0x8+$rbp
>continue
>end
(gdb) cont
Please enter activation code: 42
Breakpoint 2, 0x4008a6
0x7fffffffdc88: 0xbabec99d
Breakpoint 2, 0x4008a6
0x7fffffffdc88: 0xbabecda5
...
✝ ✆
A Cracking Example! 31/44
Step 6: Tampering with the environment
1 To avoid triggering the timeout, wind back the system clock!
2 Change the library search path to force the program to pick up hacked libraries!
3 Hack the OS (we’ll see this later).
A Cracking Example! 32/44
Step 7: Dynamic pattern-matching
Pattern-match not on static code and data but on its dynamic behavior.
What encryption algorithm is this?
✞ ☎
0x0804860b cmpl $0x0,0xfffffff0(%ebp)
0x0804860f jg 0x8048589
0x08048589 mov 0x8(%ebp),%edx
0x08048592 shl $0x2,%eax
0x080485a0 shl $0x2,%eax
0x080485ab shl $0x2,%eax
0x080485ba shr $0x5,%edx
0x080485c0 shl $0x2,%eax
0x080485c5 xor %eax,%ecx
......
✝ ✆
A Cracking Example! 33/44
Step 8: Differential attacks
1 Find two differently fingerprinted copies of the program
2 Diff them!
✞ ☎
asm volatile (
   "jmp L1     \n\t"
   ".align 4   \n\t"
   ".long 0xb0b5b0b5\n\t"
   "L1:        \n\t"
);
✝ ✆
✞ ☎
asm volatile (
   "jmp L1     \n\t"
   ".align 4   \n\t"
   ".long 0xada5ada5\n\t"
   "L1:        \n\t"
);
✝ ✆
A Cracking Example! 34/44
Step 9: Decompilation
✞ ☎
L080482A0 (A8 , Ac , A10 ) {ebx = A8 ;esp = ” P l e a s e e n t e r a c t i v a t i o n code : ” ;eax = L080499C0 ( ) ;V4 = ebp − 16;∗ esp = 0 x80a0831 ;eax = L080499F0 ( ) ;eax = ∗( ebp − 16) ;i f ( eax != ∗L080BE2CC ) {
V8 = ”wrong code ” ;V4 = 0 x80a082c ;∗ esp = ∗L080BE704 ;eax = L08049990 ( ) ;∗L080BE2C8 = 0;
}✝ ✆
A Cracking Example! 37/44
![Page 53: CSc 466/566 [5mm] Computer Security [5mm] 14 : Man-At-The ...collberg/Teaching/466-566/2012/Slide… · What is the adversary’s motivation for attacking your program? What information](https://reader035.fdocuments.net/reader035/viewer/2022071216/604802bbb51122482a591eed/html5/thumbnails/53.jpg)
Example Program
```c
uint play(uint user_key,
          uint encrypted_media[],
          int media_len) {
   int code;
   printf("Please enter activation code: ");
   scanf("%i", &code);
   if (code != activation_code) die("wrong code");

   *key = user_key ^ player_key;
```
```c
   eax = *L080BE2C8;
   edi = 0;
   ebx = ebx ^ *L080BE2C4;
   *eax = ebx;
   eax = A10;
   if (eax <= 0) {
   } else {
      while (1) {
         esi = *(Ac + edi * 4);
L08048368:
         *esp = 0;
         if (L08056DD0() > 1521011472) {
            V8 = "expired";
            V4 = 0x80a082c;
            *esp = *L080BE704;
            L08049990();
            *L080BE2C8 = 0;
         }
```
Example Program
```c
#include <stdio.h>

typedef unsigned int uint;
typedef uint* waddr_t;
uint player_key = 0xbabeca75;
uint the_key;
uint* key = &the_key;
FILE* audio;
int activation_code = 42;

void FIRST_FUN(){}
/* XOR-fold of the code words in [addr, last]; the tamper check
   compares the result against a constant baked into the binary. */
uint hash(waddr_t addr, waddr_t last) {
   uint h = *addr;
   for (; addr<=last; addr++) h^=*addr;
   return h;
}
void die(char* msg) {
   fprintf(stderr, "%s!\n", msg);
```
```c
         ebx = ebx ^ esi;
         (save) 0;
         edi = edi + 1;
         (save) ebx;
         esp = esp + 8;
         V8 = *esp;
         V4 = "%f\n";
         *esp = *L080C02C8;
         eax = L08049990();
         eax = *L080C02C8;
         *esp = eax;
         eax = L08049A20();
         if (edi == A10) { goto L080483a7; }
         eax = *L080BE2C8;
         ebx = *eax;
      }
      ch = 176; ch = 176;
      goto L08048368;
   }
L080483a7:
}
```
```c
L080483AF(A8, Ac) {
   ...
   ecx = 0x8048260;
   edx = 0x8048230;
   eax = *L08048230;
   if (0x8048260 >= 0x8048230) {
      do {
         eax = eax ^ *edx;
         edx = edx + 4;
      } while (ecx >= edx);
   }
   if (eax != 318563869) {
      V8 = "tampered";
      V4 = 0x80a082c;
      *esp = *L080BE704;
      L08049990();
      *L080BE2C8 = 0;
   }
   V8 = A8 - 2;
   V4 = ebp + -412;
   *esp = *(ebp + -416);
```
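The hash() from the source listing and the comparison against 318563869 in the decompilation above together form a self-checksumming guard. The following is an added example, not the slides' own program: it re-creates that guard over a constructed word array standing in for the code range between FIRST_FUN and the last guarded function (the instruction words are made up), shows that the expiry-date patch from the walkthrough (1221011472 to 1521011472) changes the hash so the check fires, and shows one edge case of hash() exactly as written on the slide, where the first word is folded in twice and cancels out.

```c
#include <string.h>

typedef unsigned int uint;
typedef uint *waddr_t;

/* The slides' hash(): XOR-fold every word in [addr, last], inclusive. */
uint hash(waddr_t addr, waddr_t last) {
    uint h = *addr;
    for (; addr <= last; addr++) h ^= *addr;
    return h;
}

/* Constructed stand-in for the guarded code words between FIRST_FUN and the
   last guarded function: made-up instruction words plus the two immediates
   the slides show inside play() (the 0xb0b5b0b5 marker and the expiry date). */
#define NWORDS 6
static uint pristine[NWORDS] = {
    0x83e58955, 0xb0b5b0b5, 1221011472u, 0x8b45f8c7, 0x00000042, 0x5dc3c9c3
};

/* What a build step would bake into the binary as the expected value; the
   decompilation shows such a constant (318563869) compared against eax. */
uint expected_hash(void) {
    return hash(pristine, pristine + NWORDS - 1);
}

/* The guard itself: 1 if the region still hashes to expected, 0 if tampered. */
int region_intact(waddr_t region, uint expected) {
    return hash(region, region + NWORDS - 1) == expected;
}

/* The walkthrough's patch: push the expiry date forward. A change to any
   single word flips the XOR fold, so the guard notices this one. */
int detects_expiry_patch(void) {
    uint patched[NWORDS];
    memcpy(patched, pristine, sizeof patched);
    patched[2] = 1521011472u;            /* 1221011472 -> 1521011472 */
    return !region_intact(patched, expected_hash());
}

/* Edge case of hash() as written: h starts as *addr and the loop XORs *addr
   again, so the first word cancels out and an edit to it goes unnoticed. */
int detects_first_word_patch(void) {
    uint patched[NWORDS];
    memcpy(patched, pristine, sizeof patched);
    patched[0] = ~patched[0];
    return !region_intact(patched, expected_hash());
}
```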
Discussion
Who is our prototypical cracker? He can
pattern-match on static code and execution patterns,
relate external program behavior to internal code locations,
disassemble and decompile binary machine code,
debug binary code without access to source code,
compare (statically or dynamically) two closely related versions of the same program,
modify the executable and its execution environment.