
A Modern History of Offensive Security Research

Dino Dai Zovi, Staff Security Engineer, Square, Inc.


My offensive security research journey

  • 1992: First Internet account (VAX/VMS), discovered Gopher and USENET
  • 1994: First Unix account (SunOS), started learning Unix
  • 1996: Installed Linux, subscribed to BUGTRAQ, read all of Phrack, etc.
  • 1998: Wrote my first local/remote buffer overflow exploits, shellcode, etc.
  • 2000: Presented “SPARC Buffer Overflows” at DEFCON 8
  • 2002: Started writing Windows exploits, payloads, etc.
  • 2004: Started writing browser exploits (Internet Explorer)
  • 2007: Won first PWN2OWN w/ QuickTime for Java memory corruption exploit
  • 2010: Presented “Return-Oriented Exploitation” at BlackHat, etc.
  • 2011: Presented “iOS 4 Security Evaluation” at BlackHat
  • 2011: Started doing keynotes instead of technical talks


0 - 1997: We Could Be Happy Underground


7 Years

How long the technique of buffer overflow exploitation was “lost”


1997 - 2007: Hacking gets down to business


Advanced Buffer Overflow Technique (Hoglund, 2000)

  • Dealing with low memory return addresses (0x00AABBCC)
  • Calling payload through indirect register jumps/calls
  • Trespassing the heap and overwriting C++ vtables
  • Payload XOR encoding
  • Payload imports functions by CRC checksum of name


Third Generation Exploitation (Flake, 2002)

  • Introduced heap metadata corruption exploitation techniques for Windows NT-based operating systems
  • The overflow overwrites heap manager metadata in the adjacent free block, which stores the free list next/prev pointers
  • When that block is removed from the free list, the attacker-chosen pointer values are used to perform an arbitrary memory overwrite
  • Overwrite Unhandled Exception Filter with address of a register-indirect jump instruction to execute payload
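As an added illustration (not from the talk), this C model shows the integrity check that later heap managers adopted against exactly this corrupted-metadata unlink: a block is only removed from the free list if its neighbours still point back at it. Names and the three-block list are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not from the talk: a toy doubly-linked free list with the
 * same next/prev ("flink"/"blink") metadata layout the Flake (2002) slide
 * describes, plus the "safe unlinking" check that turns corrupted pointers
 * into a refused unlink instead of an arbitrary write. */
typedef struct free_block {
    struct free_block *flink;   /* next block on the free list */
    struct free_block *blink;   /* previous block on the free list */
    size_t size;
} free_block_t;

/* Checked unlink: the two writes below use p's own metadata as addresses,
 * so they must only run if both neighbours agree that p is on the list.
 * Returns false (and writes nothing) when the metadata has been tampered. */
static bool unlink_checked(free_block_t *p) {
    if (p->flink->blink != p || p->blink->flink != p)
        return false;           /* free-list pointers no longer consistent */
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    return true;
}

/* Builds a circular list head <-> a <-> b <-> head, optionally damages a's
 * metadata the way an overflow from the preceding chunk would, then
 * attempts to unlink a. Returns whether the unlink was accepted. */
bool demo_safe_unlink(bool corrupt_metadata) {
    free_block_t head, a, b;
    head.flink = &a; head.blink = &b; head.size = 0;
    a.flink = &b;    a.blink = &head; a.size = 32;
    b.flink = &head; b.blink = &a;    b.size = 64;

    if (corrupt_metadata) {
        /* Constructed corruption: a's links now point at an object that is
         * not on the list, standing in for an attacker-written address. */
        static free_block_t stray = { NULL, NULL, 0 };
        a.flink = &stray;
        a.blink = &stray;
    }
    return unlink_checked(&a);
}
```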


Remote Windows Kernel Exploitation (Jack, 2005)

  • Detailed remote exploitation of kernel stack buffer overflow in DNS response parsing
  • Describes “clean return” techniques to ensure that kernel continues execution cleanly after exploit succeeds
  • Payload returns logged keystrokes in ICMP echo reply packets
  • “Sayonara Windows!” switches Ring 0 Protected Mode to Real Mode, plays graphical demoscene payload


Heap Feng Shui in JavaScript (Sotirov, 2007)

  • Introduced heap manipulation techniques to ensure that heap overflows precisely corrupted chosen target object memory
  • Particular JavaScript instructions and sequences cause chosen-sized heap allocation and free operations
  • Crafted sequence of chosen-sized heap allocations and frees can be used to ensure two heap allocations are adjacent in memory
  • Overwrite C++ vtable with a pointer to address (0x0c0c0c0c) in heap spray


Application-Specific Attacks: Leveraging the ActionScript Virtual Machine (Dowd, 2008)

  • Demonstrates exploitation of a memory allocation failure resulting in a NULL-pointer + chosen offset memory write in Adobe Flash
  • This single write is used to overwrite an AVM instruction length, resulting in that ActionScript being able to execute unverified instructions
  • Illegal AVM bytecode transfers control to payload


2007-2017: Offensive Research Gets Real


Bug Bounties Become the Norm

  • 2002: iDefense launches Vulnerability Contributor Program (2nd party bounty)
  • 2004: Mozilla launches Firefox Bug Bounty ($500)
  • 2005: TippingPoint launches Zero Day Initiative (2nd party bounty)
  • 2007: First PWN2OWN ($10k)
  • 2009: “No More Free Bugs”
  • 2010: Google launches Chrome bounty ($500-$1337)
  • 2010: Mozilla raises Firefox bug bounty to $3000, Google to $3133.70
  • 2016: Apple launches iOS bug bounty program
  • 2016: Microsoft launches bounty for Edge on Windows Insider Preview
  • 2017: Microsoft launches bounty for Windows Insider Preview


PWN2OWN Becomes a Team Sport


2017 - ∞
