Hacking at Mach Speed
INTRODUCTION
WHAT IS IT?
TASKS
THREADS
PORTS
MESSAGES
BASIC UNIT OF INTER-TASK COMMUNICATION
HEADER SPECIFIES SOURCE/DESTINATION, ETC.
BODY CONTAINS IN-LINE DATA
INTEGERS, STRINGS, FLOATING POINT NUMBERS
MESSAGE MAY ALSO CONTAIN OUT-OF-LINE DATA
PORT RIGHTS
MEMORY PAGES
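The message layout the slides describe, as an added example that is not code from the talk: a decoder that walks a Mach message from raw bytes, validating msgh_size and each descriptor before trusting it, which is the first thing a receiver (or a fuzzing harness for a Mach service) has to do. The struct layouts and constants mirror <mach/message.h> for a 64-bit little-endian process (an assumption) but are redefined locally so the decoder builds on any host; build_sample_msg, the port names and the out-of-line address are constructed for illustration.

```c
/* Added example, not from the talk: decode a Mach message header and the
 * descriptors of a complex message from a raw byte buffer, validating every
 * size before trusting it.  Layouts and constants mirror <mach/message.h> for
 * an LP64 little-endian process (assumption) but are redefined locally so the
 * decoder builds on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MACH_MSGH_BITS_COMPLEX        0x80000000u
#define MACH_MSGH_BITS(remote, local) ((remote) | ((local) << 8))

/* port dispositions (mach_msg_type_name_t) */
#define MACH_MSG_TYPE_MOVE_RECEIVE    16
#define MACH_MSG_TYPE_COPY_SEND       19
#define MACH_MSG_TYPE_MAKE_SEND_ONCE  21

/* descriptor types carried in the body of a complex message */
#define MACH_MSG_PORT_DESCRIPTOR      0
#define MACH_MSG_OOL_DESCRIPTOR       1
#define MACH_MSG_OOL_PORTS_DESCRIPTOR 2

#define HDR_SIZE 24   /* sizeof(mach_msg_header_t) */

struct msg_summary {
    uint32_t bits, size, remote_port, local_port, voucher_port, id;
    int      complex;        /* MACH_MSGH_BITS_COMPLEX set */
    uint32_t ndesc;          /* descriptors in the body */
    uint32_t nports;         /* port rights carried (descriptors + OOL port arrays) */
    int      moves_receive;  /* some descriptor hands over a receive right */
    uint32_t nool;           /* out-of-line memory regions */
    uint64_t ool_bytes;      /* total bytes those regions describe */
    uint32_t inline_bytes;   /* in-line data after header and descriptors */
};

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void     wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Returns 0 on success, -1 if msgh_size disagrees with the buffer, a descriptor
 * would run past the end of the message, or a descriptor type is unknown. */
int decode_mach_msg(const uint8_t *buf, size_t buflen, struct msg_summary *m)
{
    memset(m, 0, sizeof *m);
    if (buflen < HDR_SIZE) return -1;
    m->bits = rd32(buf);              m->size = rd32(buf + 4);
    m->remote_port = rd32(buf + 8);   m->local_port = rd32(buf + 12);
    m->voucher_port = rd32(buf + 16); m->id = rd32(buf + 20);
    /* msgh_size is sender-controlled: never let it exceed what was received */
    if (m->size < HDR_SIZE || m->size > buflen) return -1;

    size_t off = HDR_SIZE;
    if (m->bits & MACH_MSGH_BITS_COMPLEX) {
        m->complex = 1;
        if (m->size < off + 4) return -1;              /* mach_msg_body_t */
        m->ndesc = rd32(buf + off); off += 4;
        for (uint32_t i = 0; i < m->ndesc; i++) {
            /* On LP64 every descriptor keeps its type in the top byte of the
             * 32-bit word at offset 8, with the disposition in the byte below. */
            if (m->size < off + 12) return -1;
            uint8_t type = buf[off + 11], disp = buf[off + 10];
            size_t dlen;
            switch (type) {
            case MACH_MSG_PORT_DESCRIPTOR:                 /* name, pad, bits */
                dlen = 12; m->nports += 1;
                if (disp == MACH_MSG_TYPE_MOVE_RECEIVE) m->moves_receive = 1;
                break;
            case MACH_MSG_OOL_DESCRIPTOR:                  /* address, bits, size */
                dlen = 16;
                if (m->size < off + dlen) return -1;
                m->nool += 1; m->ool_bytes += rd32(buf + off + 12);
                break;
            case MACH_MSG_OOL_PORTS_DESCRIPTOR:            /* address, bits, count */
                dlen = 16;
                if (m->size < off + dlen) return -1;
                m->nports += rd32(buf + off + 12);
                if (disp == MACH_MSG_TYPE_MOVE_RECEIVE) m->moves_receive = 1;
                break;
            default:
                return -1;
            }
            off += dlen;
        }
    }
    m->inline_bytes = (uint32_t)(m->size - off);
    return 0;
}

/* Constructed sample (not a captured message): a complex message carrying one
 * COPY_SEND port right, one 4096-byte out-of-line region and 8 in-line bytes. */
size_t build_sample_msg(uint8_t *buf, size_t cap)
{
    const size_t len = HDR_SIZE + 4 + 12 + 16 + 8;   /* 64 bytes */
    if (cap < len) return 0;
    memset(buf, 0, len);
    wr32(buf + 0, MACH_MSGH_BITS_COMPLEX |
                  MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE));
    wr32(buf + 4, (uint32_t)len);
    wr32(buf + 8, 0x1003); wr32(buf + 12, 0x1103); wr32(buf + 20, 0x2a);
    wr32(buf + 24, 2);                                 /* descriptor count */
    uint8_t *d = buf + 28;                             /* port descriptor */
    wr32(d, 0x1203); d[10] = MACH_MSG_TYPE_COPY_SEND; d[11] = MACH_MSG_PORT_DESCRIPTOR;
    d += 12;                                           /* OOL memory descriptor */
    wr64(d, 0x7f00deadb000ull); d[8] = 1 /* deallocate */; d[11] = MACH_MSG_OOL_DESCRIPTOR;
    wr32(d + 12, 4096);
    d += 16;
    memcpy(d, "inline!!", 8);                          /* in-line body data */
    return len;
}

int main(void)
{
    uint8_t buf[128]; struct msg_summary m;
    size_t n = build_sample_msg(buf, sizeof buf);
    if (decode_mach_msg(buf, n, &m) == 0)
        printf("id=%u complex=%d descriptors=%u ports=%u ool=%u (%llu bytes) inline=%u\n",
               m.id, m.complex, m.ndesc, m.nports, m.nool,
               (unsigned long long)m.ool_bytes, m.inline_bytes);
    wr32(buf + 4, 0x1000);      /* a lying msgh_size must be rejected, not used */
    printf("oversized msgh_size -> %d\n", decode_mach_msg(buf, n, &m));
    return 0;
}
```

The decoder only summarizes what the message carries; a real receiver would additionally compare msgh_id and the descriptor shape against the MIG routine it expects, since the kernel validates the transport layout but not the server's interpretation of the body.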
MACH RPC
BOOTSTRAP SERVER
HOW CLIENTS FIND SERVERS
EVERY TASK IS GIVEN SEND RIGHTS TO THE BOOTSTRAP SERVER'S RPC SERVICE PORT
THE BOOTSTRAP SERVER LIVES INSIDE LAUNCHD
LAUNCHES SERVERS ON DEMAND
WILL ALSO AUTOMATICALLY RELAUNCH CRASHED ONES
UPDATE_SHARING.DEFS
prajna% ls /System/Library/LaunchAgents/
com.apple.AOSNotificationOSX.plist
com.apple.AddressBook.abd.plist
com.apple.AirPortBaseStationAgent.plist
com.apple.AppleGraphicsWarning.plist
com.apple.BezelUI.plist
com.apple.CoreLocationAgent.plist
com.apple.DictionaryPanelHelper.plist
com.apple.Dock.plist
com.apple.FileSyncAgent.plist
com.apple.Finder.plist
com.apple.FontRegistryUIAgent.plist
com.apple.FontValidator.plist
com.apple.FontValidatorConduit.plist
com.apple.FontWorker.plist
com.apple.Kerberos.renew.plist
com.apple.KerberosHelper.LKDCHelper.plist
com.apple.NetworkDiagnostics.plist
com.apple.PCIESlotCheck.plist
[ ... ]
BOOTSTRAP_INFO
prajna% ./bootstrap_info
ru (Apple)_OpenStep ([0x0-0x27027].com.apple.AppleSpell) = ACTIVE
com.apple.finder.ServiceProvider (com.apple.Finder) = ACTIVE
com.apple.FontRegistry.FontRegistryUIAgent (com.apple.FontRegistryUIAgent) = ON_DEMAND
com.apple.FontObjectsServer (com.apple.fontd) = ACTIVE
WaveMessagePort.314.23499425 (0x100403990.anonymous.wineloader) = ACTIVE
com.apple.rcd (0x100400510.mach_init.rcd) = ON_DEMAND
com.apple.netauth.useragent (com.apple.netauth.useragent) = ON_DEMAND
com.apple.datadetectors.compiler (com.apple.datadetectors.compiler) = ON_DEMAND
com.apple.autologinPWHandler (0x100400000.anonymous.loginwindow) = ACTIVE
com.apple.FontWorker (com.apple.FontWorker) = ON_DEMAND
com.apple.Preview.ServiceProvider ([0x0-0x4b04b].com.apple.Preview) = ACTIVE
com.apple.ReportCrash (com.apple.ReportCrash) = ON_DEMAND
com.apple.coreservices.quarantine-resolver (com.apple.coreservices.uiagent) = ON_DEMAND
com.apple.DictionaryPanelHelper (com.apple.DictionaryPanelHelper) = ON_DEMAND
[ ... ]
LET'S GO A-BUG-HUNTING
REDACTED
VULNERABILITY HANDLING
VULNERABILITIES VS. EXPLOITS
A VULNERABILITY NEVER 0WNED ANYONE, AN EXPLOIT DID
THERE ARE MORE PEOPLE WHO CAN FIND VULNERABILITIES THAN CAN WRITE RELIABLE EXPLOITS
COUNT THE NUMBER OF ZDI VULNERABILITY CONTRIBUTORS VS. PWN2OWN CONTESTANTS, PAST AND PRESENT
A MINORITY OF VULNERABILITIES HAVE THE POTENTIAL TO BE TURNED INTO A DANGEROUS EXPLOIT
EXPLOITS MATTER
CYBERWARRIORS OR CYBERPUNKS?
STOP FLATTERING YOURSELF, YOUR NETWORK IS TRIVIAL TO 0WN
YOUR EMPLOYEES AND THEIR E-MAIL ADDRESSES ARE ENUMERABLE ON SOCIAL NETWORKING SITES?
YOUR EMPLOYEES ANSWER EXTERNAL E-MAIL AND ACCESS INTERNET WEB SITES ON THE SAME MACHINE ON WHICH THEY CREATE OR HANDLE PROPRIETARY IP?
ARE THEIR E-MAIL ADDRESSES FIRSTNAME.LASTNAME@COMPANY.COM?
PREVENTION IS HARD
BECAUSE THE SECURITY INDUSTRY ISN'T MAKING THE RIGHT PRODUCTS OR TOOLS
NO ONE BOUGHT THE EFFECTIVE ONES BECAUSE THEY DIDN'T UNDERSTAND THEM OR COULDN'T JUSTIFY THEM
VULNERABILITY AND EXPLOITABILITY ANALYSIS IS CONFUSING
WHAT MITIGATIONS ARE ENABLED IN THIS APPLICATION?
ARE THEY EFFECTIVE? HAVE THEY BEEN DISABLED?
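The first of those questions has a mechanical answer on Mac OS X: the Mach-O header records which load-time mitigations the binary asked for. Below is an added example, not code from the talk, that reads a Mach-O header from raw bytes (or from a file) and reports the PIE, executable-stack and non-executable-heap flags. The magic values and flag bits are those of <mach-o/loader.h>, redefined here so the check compiles on any host; sample_header builds constructed headers for illustration rather than reading real binaries.

```c
/* Added example, not from the talk: report which load-time mitigations a
 * Mach-O binary requests in its header flags.  Magic values and flag bits are
 * those of <mach-o/loader.h>, redefined here so the check builds anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC    0xfeedfaceu
#define MH_CIGAM    0xcefaedfeu
#define MH_MAGIC_64 0xfeedfacfu
#define MH_CIGAM_64 0xcffaedfeu
#define FAT_MAGIC   0xcafebabeu
#define FAT_CIGAM   0xbebafecau

#define MH_EXECUTE  2
#define MH_DYLIB    6
#define MH_BUNDLE   8

#define MH_ALLOW_STACK_EXECUTION 0x00020000u  /* all stacks in the task executable */
#define MH_PIE                   0x00200000u  /* main executable may be loaded at a random address */
#define MH_NO_HEAP_EXECUTION     0x01000000u  /* force a non-executable heap even on i386 */

struct macho_mitig {
    int is64, swapped;                   /* header width and byte order */
    uint32_t filetype, flags;
    int pie, stack_exec, no_heap_exec;   /* decoded flag bits */
};

static uint32_t get32(const uint8_t *p, int swap)
{
    uint32_t v; memcpy(&v, p, 4);
    if (swap) v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Returns 0 on success, 1 for a fat (universal) binary whose slices must be
 * inspected individually, -1 for a buffer that is not a Mach-O header. */
int macho_mitigations(const uint8_t *buf, size_t len, struct macho_mitig *out)
{
    memset(out, 0, sizeof *out);
    if (len < 28) return -1;                    /* smallest (32-bit) header */
    uint32_t magic = get32(buf, 0);
    if (magic == FAT_MAGIC || magic == FAT_CIGAM) return 1;
    switch (magic) {
    case MH_MAGIC:    break;
    case MH_CIGAM:    out->swapped = 1; break;
    case MH_MAGIC_64: out->is64 = 1; break;
    case MH_CIGAM_64: out->is64 = 1; out->swapped = 1; break;
    default:          return -1;
    }
    /* magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved] */
    out->filetype     = get32(buf + 12, out->swapped);
    out->flags        = get32(buf + 24, out->swapped);
    out->pie          = (out->flags & MH_PIE) != 0;
    out->stack_exec   = (out->flags & MH_ALLOW_STACK_EXECUTION) != 0;
    out->no_heap_exec = (out->flags & MH_NO_HEAP_EXECUTION) != 0;
    return 0;
}

int macho_mitigations_of_file(const char *path, struct macho_mitig *out)
{
    uint8_t hdr[32]; FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return macho_mitigations(hdr, n, out);
}

/* Constructed sample headers (not real binaries): 0 = an x86_64 executable
 * linked with -pie, 1 = an i386 executable that asked for an executable stack. */
size_t sample_header(int which, uint8_t *buf, size_t cap)
{
    if (cap < 32) return 0;
    memset(buf, 0, 32);
    if (which == 0) {
        put32(buf, MH_MAGIC_64); put32(buf + 4, 0x01000007u);       /* CPU_TYPE_X86_64 */
        put32(buf + 12, MH_EXECUTE); put32(buf + 16, 14); put32(buf + 20, 0x4d0);
        put32(buf + 24, 0x1u | 0x4u | 0x80u | MH_PIE);              /* NOUNDEFS|DYLDLINK|TWOLEVEL|PIE */
        return 32;
    }
    put32(buf, MH_MAGIC); put32(buf + 4, 7);                        /* CPU_TYPE_I386 */
    put32(buf + 12, MH_EXECUTE); put32(buf + 16, 12); put32(buf + 20, 0x3a0);
    put32(buf + 24, 0x1u | 0x4u | 0x80u | MH_ALLOW_STACK_EXECUTION);
    return 28;
}

static void report(const char *name, const struct macho_mitig *m)
{
    printf("%s: %s-bit, filetype %u, PIE=%s, executable stack=%s, non-exec heap forced=%s\n",
           name, m->is64 ? "64" : "32", m->filetype,
           m->pie ? "yes" : "no", m->stack_exec ? "yes" : "no", m->no_heap_exec ? "yes" : "no");
}

int main(int argc, char **argv)
{
    struct macho_mitig m; uint8_t h[32];
    if (argc > 1) {                               /* real binary: ./a.out /path/to/binary */
        int rc = macho_mitigations_of_file(argv[1], &m);
        if (rc == 0) report(argv[1], &m);
        else printf("%s: %s\n", argv[1], rc == 1 ? "fat binary, check each slice" : "not Mach-O");
        return 0;
    }
    for (int i = 0; i < 2; i++) {
        size_t n = sample_header(i, h, sizeof h);
        if (macho_mitigations(h, n, &m) == 0) report(i == 0 ? "sample x86_64" : "sample i386", &m);
    }
    return 0;
}
```

The flags are only the binary's request: MH_PIE matters only for MH_EXECUTE images, and whether the loader honours any of them depends on the OS release, so this answers "what did the developer enable" rather than "what is the process actually running with".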
VULNERABILITY TERMINOLOGY
BUFFER OVERFLOW
WHAT ABOUT OUT-OF-BOUNDS ARRAY INDEXES?
ARBITRARY CODE EXECUTION
WHAT ABOUT SOLARIS TELNETD BUG => AUTH BYPASS
MEMORY CORRUPTION
WHAT ABOUT USE-AFTER-FREE?
WHAT ABOUT MEMORY DISCLOSURE VULNERABILITIES?
TYPE SAFETY
ALL OF THESE VULNERABILITIES ARE FAILURES OF TYPE SAFETY
C/C++ ARE NOT MEMORY-SAFE OR TYPE-SAFE
TYPE-SAFE LANGUAGES ONLY HAVE THESE PROBLEMS WHEN THEIR IMPLEMENTATIONS, WRITTEN IN UNSAFE LANGUAGES, HAVE THESE VULNERABILITIES
OR PROGRAMS USE UNSAFE EXTENSIONS
WHAT SHOULD WE CALL THESE ISSUES?
MEMORY TRESPASS
MEMORY TRESPASS VULNERABILITIES ARE SOFTWARE WEAKNESSES THAT ALLOW MEMORY ACCESSES OUTSIDE OF THE SEMANTICS OF THE PROGRAMMING LANGUAGE IN WHICH THE SOFTWARE WAS WRITTEN.
DAI ZOVI, SECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION, UNIVERSITY OF NEW MEXICO TECH REPORT TR-CS-2002-38
YES, I AM QUOTING MYSELF. DEAL WITH IT.
CODE INJECTION AND EXECUTION IS ONLY ONE WAY TO EXPLOIT A FEW SPECIFIC CLASSES OF MEMORY TRESPASS VULNERABILITIES
OR...
TYPE VIOLATION
TYPE SAFETY BYPASS
MEMORY SAFETY BYPASS
JUST DON'T SAY "BUFFER OVERFLOW" WHEN IT ISN'T
DON'T GET ME STARTED ON THE WORD "SHELLCODE"
CODE-REUSE EXPLOITS
MY SANDBOX SOAPBOX
WHY DOES MY BROWSER NEED TO BE ABLE TO WRITE ANYWHERE EXCEPT ~/DOWNLOADS?
WHY DO DOCUMENT READERS OR IM CLIENTS NEED TO WRITE FILES AT ALL?
THE MULTI-USER DAC SECURITY MODEL IS ILL-SUITED TO THE DESKTOP
WE NEED A NEW MULTI-APPLICATION DESKTOP SECURITY MODEL
PHONES (IPHONE AND ANDROID) ALREADY HAVE THIS
IPHONE PREVENTS INJECTED CODE AND APP MISBEHAVIOR
QUESTIONS?
@DINODAIZOVI / DDZ@THETA44.ORG