nCircle.com >> 360 Security


cansecwest/core06: "More on uninitialized local variables"

Halvar Flake
SABRE Security GmbH
Halvar.falke@sabre-security.com
Title: More on uninitialized local variables

This is really hard to describe without diagrams so I am only going to give a high level summary. For details, find Halvar at a show and check it out.

Trickery and abuse of memory is always a popular topic when you are trying to exploit a condition. It comes down to “How can we exploit some undefined behavior?”

In terms of trickery, no one will argue that Halvar is one of the best tricksters.

Exploitation via this vector was thought to involve too large a search space to be feasible, but Halvar found a way, via graph structures and sequential patterns, to shrink that space significantly. With just the right maneuvers, an attacker can author content in this uninitialized space (the residue of previous actions) such that it is subsequently used to run exploit code.

This is an area of research in which, over the next 12 months, I am sure there will be discoveries that rock the world of computing. Halvar, BINDIFF rocks and keep up the great work.

The next talk, entitled “Security Issues Related to Pentium System Mgmt Mode” (SMM), involves a similar memory-range problem, but one a billion times more severe, given that most Pentium x86-based Unix systems running an X server display can fall victim to this technique.

--tk

Comments (2)

BinDiff is great... BinNavi is revolutionary :)

Halvar was kind enough to provide a preview copy and I've been testing it out for the last few months... working my fun into a business case.

Here is a flash intro to give you an idea...

http://www.sabre-security.com/products/BinNavi/flash.html

My favorite thing about it is the debugger...

Run the process with the debugger attached.

Run something against the running process... for example, nmap the thing if it opens ports.

Go back to BinNavi and check out all the newly coloured-in code segments... those are the ones that were hit during the scan.

How cool is that?

Byron Sonne:

Jer, you never said BinNavi did *that* - wow!


About

This page contains a single entry from the blog posted on April 7, 2006 12:06 AM.
