Andrea Bittau: 2014 Security Workshop
Monday, April 14, 2014
Location: Fisher Conference Center, Arrillaga Alumni Center

"Hacking Blind"
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a server that restarts after a crash. We implemented Braille, a fully automated exploit that yielded a shell in under 4,000 requests (20 minutes) against a contemporary nginx vulnerability, yaSSL + MySQL, and a toy proprietary server written by a colleague. The attack works against modern 64-bit Linux with address space layout randomization (ASLR) and no-execute page protection (NX).
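As an added illustration, not code from the talk or from Braille, the following C program models the single-bit oracle the abstract describes: the attacker overflows a fixed number of bytes past the buffer, and the only feedback is whether the worker process survived. It then uses that oracle to read a hidden 8-byte stack word (a canary, saved frame pointer or return address) one byte at a time. The simulated server and its secret value are constructed for this example. The model assumes what a forking server gives an attacker in practice: each restarted child inherits the same canary and addresses as the one that just crashed. If a service re-randomized on every restart, each request's bit would refer to a different secret and the read would never converge, which is why the abstract's "restarts after a crash" requirement matters.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hidden state of the simulated forking server: the 8-byte word that sits just
 * past the end of the vulnerable buffer. Constructed for this example. The low
 * byte is zero, as the glibc stack canary's is on x86-64. Every "restarted"
 * child inherits the same value, which is what makes the read possible. */
static const uint8_t SECRET[8] = {0x00, 0x3a, 0x91, 0xc4, 0xd5, 0x7e, 0x02, 0x11};

static unsigned long g_requests;   /* requests the attacker has sent so far */

/* The crash oracle: one request yields one bit. The attacker overwrites exactly
 * `len` bytes past the buffer. The worker survives (returns true) only if every
 * overwritten byte equals the byte that was already there; otherwise the
 * canary check or a bad return address kills it and the parent forks a new one. */
static bool send_overflow(const uint8_t *payload, size_t len)
{
    g_requests++;
    if (len > sizeof SECRET)
        return false;
    return memcmp(payload, SECRET, len) == 0;
}

/* Recover the hidden word one byte at a time. Bytes already known are kept in
 * `out` and resent unchanged; only the next byte is guessed. Because each byte
 * is confirmed independently, the cost is at most 256 requests per byte
 * (128 expected) instead of 256^8 for the whole word. Returns the number of
 * bytes recovered; fewer than `want` means the oracle assumption broke. */
static size_t stack_read(uint8_t *out, size_t want)
{
    size_t known = 0;
    while (known < want) {
        int found = -1;
        for (int guess = 0; guess < 256; guess++) {
            out[known] = (uint8_t)guess;
            if (send_overflow(out, known + 1)) {
                found = guess;
                break;
            }
        }
        if (found < 0)
            return known;
        known++;
    }
    return known;
}

/* Run a complete read from a fresh request counter. Returns the number of
 * requests it took, or 0 if the recovered word does not match the secret. */
unsigned long recover_secret(void)
{
    uint8_t got[sizeof SECRET] = {0};
    g_requests = 0;
    if (stack_read(got, sizeof SECRET) != sizeof SECRET)
        return 0;
    if (memcmp(got, SECRET, sizeof SECRET) != 0)
        return 0;
    return g_requests;
}

int main(void)
{
    unsigned long n = recover_secret();
    printf("recovered %zu bytes in %lu requests (worst case %zu, "
           "blind brute force of the whole word: 2^64)\n",
           sizeof SECRET, n, sizeof SECRET * 256);
    return n ? 0 : 1;
}
```

Compile with `cc -Wall -o bropread bropread.c` and run it. For the constructed secret the read finishes in 765 requests, far below the 2,048 worst case and within the budget the abstract quotes for the whole attack. The same oracle, asked "does this address crash, hang, or return normally?", is what BROP later uses to locate gadgets without ever seeing the binary.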
Andrea Bittau is a research associate at Stanford's Secure Computer Systems group. Some of his recent work includes: BROP, a technique for attacking proprietary services without either binary or source-code knowledge; tcpcrypt, a TCP option for opportunistic encryption; and Dune, a system that lets applications have direct access to privileged CPU features (page tables, ring protections) in a safe manner. Andrea holds a BSc and PhD in computer science from University College London.