468 lines
11 KiB
TeX
468 lines
11 KiB
TeX
% $Header$
|
|
|
|
\documentclass{beamer}
|
|
\usepackage{graphicx}
|
|
\usepackage{color}
|
|
|
|
% This file is a solution template for:
|
|
|
|
% - Talk at a conference/colloquium.
|
|
% - Talk length is about 20min.
|
|
% - Style is ornate.
|
|
|
|
|
|
|
|
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
|
|
%
|
|
% In principle, this file can be redistributed and/or modified under
|
|
% the terms of the GNU Public License, version 2.
|
|
%
|
|
% However, this file is supposed to be a template to be modified
|
|
% for your own needs. For this reason, if you use this file as a
|
|
% template and not specifically distribute it as part of a another
|
|
% package/program, I grant the extra permission to freely copy and
|
|
% modify this file as you see fit and even to delete this copyright
|
|
% notice.
|
|
|
|
|
|
\mode<presentation>
|
|
{
|
|
% \usetheme{}
|
|
% or ...
|
|
|
|
% \usecolortheme{seahorse}
|
|
% \usecolortheme{crane}
|
|
% \useinnertheme{inmargin}
|
|
|
|
% \setbeamercovered{transparent}
|
|
% or whatever (possibly just delete it)
|
|
|
|
}
|
|
|
|
\usepackage[english]{babel}
|
|
% or whatever
|
|
|
|
\usepackage[latin1]{inputenc}
|
|
% or whatever
|
|
|
|
\usepackage{times}
|
|
\usepackage[T1]{fontenc}
|
|
% Or whatever. Note that the encoding and the font should match. If T1
|
|
% does not look nice, try deleting the line with the fontenc.
|
|
|
|
|
|
\title{What what, oh what}
|
|
\author[HD Moore, spoonm]
|
|
{HD Moore \and spoonm}
|
|
|
|
\date[CSW 2005] % (optional, should be abbreviation of conference name)
|
|
{CanSecWest, 2005}
|
|
|
|
\subject{Hax0ring}
|
|
% This is only inserted into the PDF information catalog. Can be left
|
|
% out.
|
|
|
|
% \pgfdeclareimage[height=0.5cm]{university-logo}{mp}
|
|
% \logo{\pgfuseimage{university-logo}}
|
|
|
|
% Delete this, if you do not want the table of contents to pop up at
|
|
% the beginning of each subsection:
|
|
\AtBeginSubsection[]
|
|
{
|
|
\begin{frame}<beamer>
|
|
\frametitle{Outline}
|
|
\tableofcontents[currentsection,currentsubsection]
|
|
\end{frame}
|
|
}
|
|
|
|
|
|
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
|
|
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 6pt}{\end{itemize}}
|
|
|
|
% turn off the navigation on the bottom yo
|
|
\setbeamertemplate{navigation symbols}{}
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
|
|
\pdfpart{part-some}
|
|
|
|
\begin{frame}
|
|
\frametitle{Hawwt}
|
|
\begin{definition}
|
|
A \alert{foo}
|
|
\end{definition}
|
|
\begin{example}
|
|
\begin{sitemize}
|
|
\item holla
|
|
\item back
|
|
\pause
|
|
\item killa
|
|
\end{sitemize}
|
|
\end{example}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{holla backz}
|
|
\begin{columns}[t]
|
|
\column{.5\textwidth}
|
|
foo
|
|
\pause
|
|
\column{.5\textwidth}
|
|
bar \\
|
|
car \\
|
|
zar
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Outline}
|
|
\tableofcontents
|
|
\end{frame}
|
|
|
|
|
|
% Structuring a talk is a difficult task and the following structure
|
|
% may not be suitable. Here are some rules that apply for this
|
|
% solution:
|
|
|
|
% - Exactly two or three sections (other than the summary).
|
|
% - At *most* three subsections per section.
|
|
% - Talk about 30s to 2min per frame. So there should be between about
|
|
% 15 and 30 frames, all told.
|
|
|
|
% - A conference audience is likely to know very little of what you
|
|
% are going to talk about. So *simplify*!
|
|
% - In a 20min talk, getting the main ideas across is hard
|
|
% enough. Leave out details, even if it means being less precise than
|
|
% you think necessary.
|
|
% - If you omit details that are vital to the proof/implementation,
|
|
% just say so once. Everybody will be happy with that.
|
|
|
|
\section{Meta-what?}
|
|
|
|
\subsection{Who we are}
|
|
\begin{frame}
|
|
\frametitle{foo}
|
|
\end{frame}
|
|
\subsection{What our project is}
|
|
|
|
\pdfpart{waka}
|
|
\begin{frame}
|
|
\partpage
|
|
\end{frame}
|
|
\pdfpart{Improving Randomness in Attacks}
|
|
|
|
\begin{frame}
|
|
\frametitle{Outline}
|
|
\tableofcontents
|
|
\end{frame}
|
|
|
|
\section{Introduction}
|
|
\begin{frame}
|
|
\frametitle{Randomness, who cares?}
|
|
\begin{sitemize}
|
|
\item NOTE: this slide can probably be trashed.. just temp for now
|
|
\item Adding randomness to exploits
|
|
\begin{sitemize}
|
|
\item Less to signature / anti-nids
|
|
\item Helps to uncover bugs in your exploit
|
|
\end{sitemize}
|
|
\pause
|
|
\item Adding randomness to machine code
|
|
\begin{sitemize}
|
|
\item Less to signature / anti-nids
|
|
\item Increased robustness (bad chars / bad regs)
|
|
\item Street credz? :-)
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\section{Conservative Polymorphism}
|
|
|
|
\newcommand{\incshi}[1]{\includegraphics[height=3in]{#1}}
|
|
|
|
\begin{frame}
|
|
\frametitle{R0x Iterationz}
|
|
\only<9>{\incshi{shi8}}
|
|
\only<8>{\incshi{shi7}}
|
|
\only<7>{\incshi{shi6}}
|
|
\only<6>{\incshi{shi5}}
|
|
\only<5>{\incshi{shi4}}
|
|
\only<4>{\incshi{shi3}}
|
|
\only<3>{\incshi{shi2}}
|
|
\only<2>{\incshi{shi1}}
|
|
\only<1>{\incshi{shi0}}
|
|
\end{frame}
|
|
|
|
\section{Building a Nop Sled}
|
|
|
|
\subsection{Tekneek}
|
|
|
|
\begin{frame}
|
|
\frametitle{Multibyte Sled Concept}
|
|
\begin{sitemize}
|
|
\item Optyx released multibyte generator at Interz0ne 1
|
|
\item Generates instructions 1 to 6 bytes long, and 0x66 prefix
|
|
\item 1 byte aligned, land anywhere, end at the same byte
|
|
\end{sitemize}
|
|
\begin{sitemize}
|
|
\pause
|
|
\item Builds the sled from back to front
|
|
\item Continually prepending byte (opcode) to sled
|
|
\item Generates random byte and check against tables
|
|
\pause
|
|
\begin{sitemize}
|
|
\item Is the instruction length too long?
|
|
\item Is it a valid instruction?
|
|
\item Does it have any bad bytes?
|
|
\item Does it modify don't-smash registers?
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{Backwardz}
|
|
{\footnotesize
|
|
\begin{semiverbatim}
|
|
\textbf<11>{bb} \textbf<10,11>{b0} \textbf<9,10,11>{bf} \textbf<8,9,11>{2c} \textbf<7,8,9,11>{b6} \textbf<6,7,9>{27} \textbf<5,9>{67} \textbf<4,5>{2F} \textbf<3>{4A} \textbf<2>{1b} \textbf<1,2>{f9} --- shellcode
|
|
| | | | | | | | | | | \textbf<1>{... stc}
|
|
| | | | | | | | | |____^ \textbf<2>{. sbb edi,ecx}
|
|
| | | | | | | | | \textbf<3>{......... dec edx}
|
|
| | | | | | | | \textbf<4>{............ das}
|
|
| | | | | | |____^ \textbf<5>{.......... a16 das}
|
|
| | | | | | \textbf<6>{.................. daa}
|
|
| | | | |____^ \textbf<7>{................ mov dh, 0x27}
|
|
| | | |____^ \textbf<8>{................... sub al, 0xb6}
|
|
| | |_____________^ \textbf<9>{............. mov edi, 0x6727b62c}
|
|
| |____^ \textbf<10>{......................... mov al, 0xbf}
|
|
|_____________^ \textbf<11>{................... mov ebx, 0xb62cbfb0}
|
|
\end{semiverbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\subsection{Implementation}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Output}
|
|
{\footnotesize
|
|
\begin{verbatim}
|
|
$ ./waka 1000 4 5 | ndisasm -u - | head -700 | tail -20
|
|
000003B6 05419F40D4 add eax,0xd4409f41
|
|
000003BB 711C jno 0x3d9
|
|
000003BD 9B wait
|
|
000003BE 2C98 sub al,0x98
|
|
000003C0 37 aaa
|
|
000003C1 24A8 and al,0xa8
|
|
000003C3 27 daa
|
|
000003C4 E00D loopne 0x3d3
|
|
000003C6 6692 xchg ax,dx
|
|
000003C8 2F das
|
|
000003C9 49 dec ecx
|
|
000003CA B34A mov bl,0x4a
|
|
000003CC F5 cmc
|
|
000003CD BA4B257715 mov edx,0x1577254b
|
|
000003D2 700C jo 0x3e0
|
|
000003D4 C0D6B0 rcl dh,0xb0
|
|
000003D7 A9FD469342 test eax,0x429346fd
|
|
000003DC 67BBB191B23D a16 mov ebx,0x3db291b1
|
|
000003E2 1D9938FCB6 sbb eax,0xb6fc3899
|
|
000003E7 43 inc ebx
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
|
|
|
|
\subsection{Analysis}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{ADMmutate and optyx-mutate Gzip'd}
|
|
{\footnotesize
|
|
\begin{verbatim}
|
|
# ADMmutate
|
|
|
|
$ time ./nops 1000000| gzip -v >/dev/null
|
|
27.3%
|
|
real 0m0.241s
|
|
|
|
# optyx's interz0ne mutate
|
|
|
|
$ time ./driver nop 1000000 | gzip -v >/dev/null
|
|
29.7%
|
|
real 0m0.467s
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Gzip'd}
|
|
{\footnotesize
|
|
\begin{verbatim}
|
|
# C version, save ESP and EBP
|
|
|
|
$ time ./waka 1000000 4 5 | gzip -v >/dev/null
|
|
12.2%
|
|
real 0m11.900s
|
|
|
|
# save just ESP
|
|
|
|
$ time ./waka 1000000 4 | gzip -v >/dev/null
|
|
11.7%
|
|
real 0m11.277s
|
|
|
|
# save nothing (good way to crash process)
|
|
|
|
$ time ./waka 1000000 | gzip -v >/dev/null
|
|
8.3%
|
|
real 0m12.404s
|
|
\end{verbatim}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{ADMmutate Distribution - 1}
|
|
\include{admtable}
|
|
\end{frame}
|
|
\begin{frame}[fragile]
|
|
\frametitle{ADMmutate Distribution - 2}
|
|
\include{admtable2}
|
|
\end{frame}
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Distribution - 1}
|
|
\include{optytable}
|
|
\end{frame}
|
|
\begin{frame}[fragile]
|
|
\frametitle{OptyNop2 Distribution - 2}
|
|
\include{optytable2}
|
|
\end{frame}
|
|
|
|
\subsection{Conclusion}
|
|
\begin{frame}
|
|
\frametitle{Benefits}
|
|
\begin{sitemize}
|
|
\item Not very difficult to gain lots more randomness
|
|
\item NIDS is far, far, behind
|
|
\item Added robustness (bad char / bad regs)
|
|
\item More versatile sled generation (nop stuffing, etc)
|
|
\end{sitemize}
|
|
\end{frame}
|
|
\begin{frame}
|
|
\frametitle{Possible Improvements}
|
|
\begin{sitemize}
|
|
\item Support processor flags (nop stuffing)
|
|
\item Support 2-byte opcodes / escape groups (not worth it)
|
|
\item Improved scoring systems, look-ahead, etc
|
|
\item Try to output according to a given byte distribution
|
|
\item Make it faster and use less memory
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\section{Our Results/Contribution}
|
|
|
|
\subsection{Main Results}
|
|
|
|
\begin{frame}
|
|
\frametitle{Make Titles Informative.}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Make Titles Informative.}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Make Titles Informative.}
|
|
\end{frame}
|
|
|
|
|
|
\subsection{Basic Ideas for Proofs/Implementation}
|
|
|
|
\begin{frame}
|
|
\frametitle{Make Titles Informative.}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Make Titles Informative.}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Make Titles Informative.}
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
\section*{Summary}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle<presentation>{Summary}
|
|
|
|
% Keep the summary *very short*.
|
|
\begin{sitemize}
|
|
\item
|
|
The \alert{first main message} of your talk in one or two lines.
|
|
\item
|
|
The \alert{second main message} of your talk in one or two lines.
|
|
\item
|
|
Perhaps a \alert{third message}, but not more than that.
|
|
\end{sitemize}
|
|
|
|
% The following outlook is optional.
|
|
\vskip0pt plus.5fill
|
|
\begin{sitemize}
|
|
\item
|
|
Outlook
|
|
\begin{sitemize}
|
|
\item
|
|
Something you haven't solved.
|
|
\item
|
|
Something else you haven't solved.
|
|
\end{sitemize}
|
|
\end{sitemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
% All of the following is optional and typically not needed.
|
|
\appendix
|
|
\section<presentation>*{\appendixname}
|
|
\subsection<presentation>*{For Further Reading}
|
|
|
|
\begin{frame}[allowframebreaks]
|
|
\frametitle<presentation>{For Further Reading}
|
|
|
|
\begin{thebibliography}{10}
|
|
|
|
\beamertemplatebookbibitems
|
|
% Start with overview books.
|
|
|
|
\bibitem{Author1990}
|
|
A.~Author.
|
|
\newblock {\em Handbook of Everything}.
|
|
\newblock Some Press, 1990.
|
|
|
|
|
|
\beamertemplatearticlebibitems
|
|
% Followed by interesting articles. Keep the list short.
|
|
|
|
\bibitem{Someone2000}
|
|
S.~Someone.
|
|
\newblock On this and that.
|
|
\newblock {\em Journal of This and That}, 2(1):50--100,
|
|
2000.
|
|
\end{thebibliography}
|
|
\end{frame}
|
|
|
|
\end{document}
|
|
|
|
|