Mac OS X Return-Oriented Exploitation

Presented at REcon 2010, July 10, 2010, 3 p.m. (60 minutes)

The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code-signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more prevalent. This presentation will describe how return-oriented exploitation techniques can be applied to bypass non-executable memory protections in 32-bit x86 processes on Mac OS X Leopard and Snow Leopard. While most processes in Snow Leopard are 64-bit x64 processes, many key parts of the client-side attack surface remain 32-bit x86 processes (3rd party web browser plugins for Safari, Mozilla Firefox, and Google Chrome). Finally, the presentation will conclude with a review of the key differences in the exploitation environment between 32-bit and 64-bit processes on Snow Leopard, detailing how 64-bit processes are more difficult to exploit by default.

Presenters:

• Dino Dai Zovi
  Dino Dai Zovi, currently an independent security consultant and researcher, has been working in information security for over 9 years with experience in red teaming, penetration testing, software security, and information security management. Mr. Dai Zovi is also a regular speaker at information security conferences having presented his independent research on memory corruption exploitation techniques, 802.11 wireless client attacks, and Intel VT-x virtualization rootkits over the last 10 years at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books "The Mac Hacker's Handbook" (Wiley, 2009) and "The Art of Software Security Testing" (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security. He is perhaps best known in the information security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007

Links:

• https://recon.cx/2010/speakers.html#returnoriented
• https://recon.cx/2010/slides/mac-os-x_roe.pdf

Similar Presentations:

• REcon 2008 / 64-bit Imports Rebuilding and Unpacking
• Black Hat Asia 2018 / return-to-csu: A New Method to Bypass 64-bit Linux ASLR
• Black Hat USA 2010 / Return-Oriented Exploitation