[Chart: Domain Names, 2008 to 2009; registered .biz, .info, .org, .net and .com domains by quarter, Dec-08 through Dec-09]
Source: http://www.zooknic.com/Domains/counts.html
84 million registered .coms
• 1 user per 3.72 humans
• 1 user per active IP address
• 9 users per registered hostname
• 17 US residents per 100 users
• 21 users per registered .com
• 21 users per active web site
IP address ratios
• 86% of the IPv4 space is usable
• 91% of usable space is allocated
• 50% of this space is active
= low bandwidth
• Billing is based on “transfers”
Clouds make blocking the source hard
• Get a new IP anytime you like
• Handy for penetration tests
Clouds make internet-wide attacks easy
• 10 servers = Russia in 60 seconds
• Cost = ~$50.00 USD
• Hosts are allocated a /64 each
Finding systems becomes the hard part
• Local networks are discoverable
• Remote networks depend on DNS
Legacy software rarely binds to IPv6
• Fewer extra services running
Still some downsides
• Not all firewalls block IPv6 correctly
• Easy to hide remote rogue systems
• Hosts are IPv6 ready, users are not
@ 1333MHz) $0.02 per megabyte
• Netbooks ship with 1G or 2G
• Video cards “average” 512M
Supply drives price
• 6 years to peak
• Old RAM costs more
• Based on supply
Source: http://www.pricewatch.com/system_memory/
Source: http://www.tezzaron.com/about/papers/dram_pricing.pdf
Source: http://store.steampowered.com/hwsurvey/
• Windows 2000 32Mb minimum
• Windows 7 1024Mb minimum
• Office 2000 8Mb minimum (+OS)
• Office 2010 256Mb minimum (+OS)
Gamers (as usual) are a good indicator of trend
• 84% have 2Gb or more
• 27% have 4Gb or more
• 4% have less than 1G
Source: http://store.steampowered.com/hwsurvey/
32-bits of memory
• Virtual memory must also include device I/O
• PAE and other tricks help, but are not efficient
• Real maximum is between 2.0Gb and 3.5Gb
Source: http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx
trends
• 33% run 64-bit Windows
• 28% run 32-bit Vista / 7
• 54% of Vista / 7 are 64-bit!
Source: http://store.steampowered.com/hwsurvey/
Source: http://download.microsoft.com/download/5/b/9/5b97017b-e28a-4bae-ba48-174cf47d23cd/BUS080_WH06.ppt
Great stats from Microsoft WinHEC 2006
[Chart: 32-bit vs. 64-bit share of systems, 2003 through 2007]
• Prevent execution of data: DEP + NX
• Limit predictability of memory: ASLR
• Limit exception handlers: /SafeSEH
• Prevent return address overwrites: /GS
Newer techniques bypass most if not all
• Bypass /GS with smashed exception handlers
• Sometimes bypass /SafeSEH with VEH
• Bypass DEP with Return-Oriented-Programming (ROP)
• Bypass ASLR with heap spraying or brute forcing
Security mitigations are limited by the 32-bit platform
• 0x00000001 = 1 signed or 1 unsigned
• 0xFFFFFFFF = -1 signed or 4,294,967,296 unsigned
• 0x7FFFFFFF = 2,147,483,647
• 0x80000000 = -2,147,483,648
Even smart coders didn’t account for huge input:
    int i = strlen(input);   // casting bug: size_t silently truncated to a signed int
    if (i < MAX_LEN)         // a length of 2Gb or more turns negative and passes the check
        badness();
Solutions for legacy code?
• Set process memory limits to under 2G
• Force migration to 64-bit platforms
tiny
• Attacker supplied files or scripts negate ASLR
• Most client-side applications are vulnerable
• Address prediction leads to DEP bypass
[Diagram: Application.exe with a normal heap beside Application.exe with a filled heap]
to 2Gb
• Transferring 2Gb of data is not feasible (yet)
• Client-side code can easily allocate memory
• Javascript, Java, Flash, .NET, etc.
Trivial to do without client-side scripting
• Builtin protocol compression (gzip, deflate)
• Compressed containers (docx, odt, zip, ole)
• Compressed graphics and sound (mp3, png)
Often possible against server-side applications
• Protocol compression works as well (SSL)
• XDR and NDR encoding control allocations
• HTTP Content-Length and File Uploads
Pixels stored as one byte each for Red, Blue, and Green
• 32-bit graphics include one byte alpha channel
• Allows for 16.7 million colors per pixel plus alpha
• Memory allocation determined by dimensions
Examples
• 1 x 1 white block with no transparency: FF FF FF 00
• 32 x 32 white block with full transparency: FF FF FF FF x 1024 (4096 bytes)
• 16384 x 16384 image for x86 “debug trap”: CC CC CC CC x 268435456 (1Gb+)
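As an added example (not from the original slides): the pixel-buffer size for the RGBA images above, computed first the way a naive 32-bit decoder does it and then with a widened, capped check that a parser should use before trusting header dimensions. The 64 MiB cap is an assumed policy value, not something the slides state.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 4u                      /* R, G, B + alpha */
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)   /* assumed policy cap: 64 MiB */

/* Naive size computation as a 32-bit decoder might do it.
 * Arithmetic is unsigned 32-bit, so large dimensions wrap silently. */
uint32_t rgba_size_naive(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked version: widen to 64 bits, then reject dimensions whose byte
 * count would wrap a 32-bit size or exceed the policy cap.
 * Returns the byte count, or -1 when the request is rejected. */
int64_t rgba_size_checked(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return -1;
    uint64_t bytes = (uint64_t)width * (uint64_t)height * BYTES_PER_PIXEL;
    if (bytes > UINT32_MAX)        /* would wrap in a 32-bit size_t */
        return -1;
    if (bytes > MAX_IMAGE_BYTES)   /* representable, but too costly to honour */
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* Constructed header values: the three slide examples plus one that wraps to 0. */
    const uint32_t dims[][2] = {{1, 1}, {32, 32}, {16384, 16384}, {32768, 32768}};
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t w = dims[i][0], h = dims[i][1];
        printf("%5u x %5u: naive=%10u checked=%lld\n",
               w, h, rgba_size_naive(w, h), (long long)rgba_size_checked(w, h));
    }
    return 0;
}
```

The 32768 x 32768 case is the one to watch: the naive computation wraps to zero bytes, so a decoder that allocates that and then writes pixels overruns the buffer, while the checked version refuses it outright.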
No need for software DEP, NX is built-in
• The stack is non-executable by default
• Randomization actually effective (48-bits)
• Better kernel protection in Windows
• ELF64 ABI mandates register passing
“This is the end of exploit development” - <censored>
• Qmail on 64-bit is trivially exploitable (and unpatched)
• Problems when 64-bit pointers meet 32-bit integers
• Windows 64-bit still runs exploitable 32-bit apps
• Unexploitable 32-bit bugs become possible
• Return Oriented Programming (ROP) still possible