[Repost] Blackhat USA 2008
Posted: 2008-8-10 13:14
Blackhat USA 2008

Sometimes names just do not reflect the nature of things. Sometimes it is our fault to attribute a wrong meaning to a name. I do not know which of the above holds for Windows ASLR. After Alex Sotirov and Mark Dowd's talk (https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Sotirov) at Blackhat I know that ASLR is not that random despite its name.

The ASLR (http://en.wikipedia.org/wiki/Address_space_layout_randomization) abbreviation contains "randomization", which is enough (at least for me) to deduce that EXEs and DLLs get loaded at randomly chosen addresses. I was wrong to think that this makes it hard for the attacker to guess the loaded addresses. As it turns out, binaries get loaded to somehow predictable addresses.

While I understand that there were some technical difficulties and compatibility issues, the implementation choices made for ASLR effectively weakened it a lot, to the point that it failed to deliver what was promised.

Another revelation of this talk was that IE happily loads any .NET DLL provided by the web server using the plain old LoadLibrary function. The ramifications of this are enormous because the system is essentially accepting raw binary data (a file in the PE file format) and runs it on the user's computer. No need to talk about GS, SafeSEH and any other protection mechanisms after this.

The outcome of these two choices is also predictable, as Alex and Mark demonstrated to us: anyone visiting a malicious web site with IE can be easily owned.

There were other interesting talks at Blackhat, no way I can mention all of them here. Just one more pointer: I was amused and amazed by Hovav Shacham's Return-Oriented Programming (https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Shacham). As it turns out, pieces of "good" code in standard libraries can be used to build a Turing-complete machine. This machine is programmable by the attacker using a byte code which does not require the X (execute) bit in the page permissions. This defeats W^X or DEP protections.

My talk on decompilers (http://www.hex-rays.com/idapro/ppt/decompilers_and_beyond.ppt) was received well. If you missed it, find the white paper here: http://www.hex-rays.com/idapro/ppt/decompilers_and_beyond_white_paper.pdf

Heading to DEFCON now, for more interesting talks!




http://hexblog.com/2008/08/blackhat_usa_2008.html

Latest replies (3)
2
Saved a local copy.
Uploaded attachment:
2008-8-10 13:17
3
Ah, a rare good article...
2008-8-10 14:33
4
Learning, thanks to the OP for sharing.
Looking forward to more Blackhat USA 2008
2008-8-11 15:20