Shuffler: Fast and Deployable Continuous Code Re-Randomization
|
|
- Kathryn Fletcher
- 5 years ago
- Views:
Transcription
1 Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 20161
2 Software Remains Vulnerable High-profile server breaches are commonplace 2
3 Software Remains Vulnerable High-profile server breaches are commonplace 90% of today s attacks utilize ROP [1] 3
4 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack func_1 func_2 ret addr func_3 4
5 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack ret addr 5
6 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack ret addr data ret addr ret addr ret addr Buffer Overrun 6
7 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack ret addr data ret addr ret addr ret addr ROP gadget chain Buffer Overrun 7
8 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime 8
9 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 func_3 9
10 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 func_3 10
11 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 ROP gadget chain func_3 11 Inject exploit
12 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 ROP gadget chain func_3 12 Inject exploit
13 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_3 13
14 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_3 14
15 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_2 func_3 func_3 func_1 15
16 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets??? func_2 ROP gadget chain func_3 func_1 16 Inject exploit
17 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? ROP gadget chain 17 Inject exploit
18 How Is This Possible? Re-randomize code before an attacker uses it 18
19 How Is This Possible? Re-randomize code before an attacker uses it faster than disclosure vulnerability execution time; faster than gadget chain computation time; or, faster than network communication time 19
20 How Is This Possible? Re-randomize code before an attacker uses it faster than disclosure vulnerability execution time; faster than gadget chain computation time; or, faster than network communication time 20
21 How Is This Possible? Re-randomize code before an attacker uses it faster than disclosure vulnerability execution time; faster than gadget chain computation time; or, faster than network communication time one memory disclosure can only travel 820 miles! 21
22 What Is Shuffler? Defense based on continuous re-randomization Defeats all known code reuse attacks millisecond shuffling, scales to 24 threads Fast: bounds attacker s available time Deployable: Defeats even attackers with zero network latency Binary analysis w/o modifying kernel, compiler,... Egalitarian: Shuffler runs in same address space, defends itself 22
23 Outline 23
24 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 24
25 Continuous Re-Randomization Easy to copy code & fix direct references func_1 func_2... call func_2... func_2 25
26 Continuous Re-Randomization Easy to copy code & fix direct references func_1 (deleted)... call func_2... func_2 26
27 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? 27
28 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1 func_2... mov $func_2, ptr... call *ptr... 28
29 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1 &func_2 func_2... mov $func_2, ptr... call *ptr... 29
30 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1... mov $func_2, ptr... call *ptr... &func_2 func_2 (deleted) func_2 30
31 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1... mov $func_2, ptr... call *ptr... &func_2 (deleted) func_2 31
32 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: &func_2 &func_2 &func_2 &func_2 &func_2 &func_2 &func_2 func_2 (deleted) How to update all propagated pointers? &func_2 func_2 32
33 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) &func_2... func_2 33
34 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx &func_2... func_2 34
35 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx func_2 &func_2... f_2_idx func_2 35
36 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx func_2 &func_2... f_2_idx (deleted) 36
37 Code Pointer Abstraction Transforming *code_ptr into **code_ptr Correctness: pointer updates sound & precise Disclosure-resilience: code ptr table is hidden 37
38 Code Pointer Abstraction Transforming *code_ptr into **code_ptr Correctness: pointer updates sound & precise Disclosure-resilience: code ptr table is hidden ptr: f_2_idx func_2 %gs:... func_
39 Code Pointer Abstraction Transforming *code_ptr into **code_ptr Correctness: pointer updates sound & precise Disclosure-resilience: code ptr table is hidden ptr: f_2_idx func_2 %gs:... func_2... Rewrite call sites callq *%rax => callq *%gs:(%rax) Rewrite initialization points mov => mov $0x40054d, %rax $0x20, %rax 39
40 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 40
41 Return Address Encryption Return addresses are code pointers too Could use code pointer table, but inefficient call/ret instructions highly optimized 41
42 Return Address Encryption Return addresses are code pointers too Could use code pointer table, but inefficient call/ret instructions highly optimized Alternative mechanism correct and hidden Use normal call instructions Encrypt return addresses with XOR key 42
43 Return Address Encryption Prevent return address disclosure 43
44 Return Address Encryption Prevent return address disclosure Thread Stack func_1 ret addr ret addr func_2 ret addr func_3 44
45 Return Address Encryption Prevent return address disclosure Thread Stack func_1 (encrypted) + (encrypted) + (encrypted) + func_2 func_3 XOR key 45
46 Return Address Encryption Prevent return address disclosure Thread Stack func_1 (encrypted) + (encrypted) + (encrypted) + func_2 func: ; original code ret func_3 XOR key 46
47 Return Address Encryption Prevent return address disclosure We use binary rewriting (expand basic blocks) Thread Stack func_1 (encrypted) + (encrypted) + (encrypted) + func_2 func: mov %fs:0x28,%r11 xor %r11,(%rsp) ; original code mov %fs:0x28,%r11 xor %r11,(%rsp) ret func_3 XOR key 47
48 Return Address Migration Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack (encrypted) + (encrypted) + (encrypted) + func_3 XOR key 48
49 Return Address Migration Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack (encrypted) + (encrypted) + (encrypted) func_3 func_1 + func_2 func_3 XOR key 49
50 Return Address Migration Unwind stack and re-encrypt new addresses (deleted) (deleted) Thread Stack (encrypted) + (encrypted) + (encrypted) (deleted) func_1 + func_2 func_3 XOR key 50
51 Asynchronous Randomization 51
52 Asynchronous Randomization Creating new code copies takes time 20ms shuffle period Computations 52
53 Asynchronous Randomization Creating new code copies takes time 5ms real work Computations 15ms shuffling overhead Generate permutation Make new code copy Fix call instructions Update code pointer table Stack unwind 53
54 Asynchronous Randomization Creating new code copies takes time Shuffler prepares new code asynchronously 5ms real work Computations 15ms shuffling overhead Generate permutation Make new code copy Fix call instructions Update code pointer table Stack unwind 54
55 Asynchronous Randomization Creating new code copies takes time Shuffler prepares new code asynchronously Computations Generate permutation Make new code copy 19.94ms real work 0.06ms Computations Stack unwind Fix call instructions Update code pointer table Stack unwind 55
56 Asynchronous Randomization Creating new code copies takes time Shuffler prepares new code asynchronously Each thread unwinds its own stack in parallel Computations Generate permutation Make new code copy 99.7% of runtime 0.3% Computations Stack unwind Fix call instructions Update code pointer table Stack unwind 56
57 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 57
58 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) 58
59 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) Code pointer, or integer?.section.rodata:.quad 0x section.text: mov $0x400620, %rax 59
60 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) Code pointer, or integer?.section.rodata:.quad 0x section.rodata:.quad section.text: mov $0x400620, %rax.section.text: mov $ , %rax 60
61 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) Code pointer, or integer?.section.rodata:.quad 0x section.rodata:.quad section.text: mov $0x400620, %rax.section.text: mov $ , %rax Relocations (meta-data) 61
62 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) ask linker to preserve relocations Code pointer, or integer?.section.rodata:.quad 0x section.rodata:.quad section.text: mov $0x400620, %rax.section.text: mov $ , %rax Relocations (meta-data) 62
63 Augmented Binary Analysis Allows accurate and complete disassembly 63
64 Augmented Binary Analysis Allows accurate and complete disassembly Many special cases, but we handle them 64
65 Where to Re-Randomize From Most defenses operate at higher privilege level i.e. kernel, hypervisor, hardware Or else declare their own code trusted 65
66 Where to Re-Randomize From Most defenses operate at higher privilege level i.e. kernel, hypervisor, hardware Or else declare their own code trusted Shuffler is egalitarian Same level of privilege, no system modifications Defends itself from attack 66
67 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers 67
68 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x x x x x40052c 0x
69 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x x x x x40052c 0x Rewrite main, printf,..., memcpy,... 69
70 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers New memcpy code memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x20 0x30 0x40 mov jmpq 0x400620(,%rax,8),%rax *%gs:(%rax) 0x28 0x88 0x48 Rewrite main, printf,..., memcpy,... Invalidates memcpy jump table But rewrite process uses (old) memcpy 70
71 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers New memcpy code memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x20 0x30 0x40 0x28 0x88 0x48 mov jmpq 0x400620(,%rax,8),%rax *%gs:(%rax)?? Rewrite main, printf,..., memcpy,... Invalidates memcpy jump table But rewrite process uses (old) memcpy 71
72 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler 72
73 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Other libraries C library Program Loader loads Shuffler stage 1 rewrites Shuffler stage 2 73
74 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Other libraries C library Program Shuffler stage 1 Loader invokes Shuffler stage 2 74
75 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Other libraries C library Program Shuffler stage 1 Loader erases erases Shuffler stage 2 75
76 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries Other libraries C library C library Program Program Shuffler stage 2 Shuffler stage 2 76
77 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries C library Program Shuffler stage 2 77
78 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries Other libraries C library C library Program Program Shuffler stage 2 Shuffler stage 2 78
79 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries C library Program Shuffler stage 2 79
80 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 80
81 Performance Evaluation SPEC CPU overhead at 50ms = 14.9% 81
82 Performance Evaluation SPEC CPU overhead at 50ms = 14.9% Multiprocess Nginx up to 24 workers 82
83 Security Evaluation Two disclosure-based attack methodologies: Scan many pages for the desired gadgets impacted by disclosure time, network latency Explore gadget space in small number of pages impacted by ROP chain computation time (> 40 seconds) 83
84 Security Evaluation Two disclosure-based attack methodologies: Scan many pages for the desired gadgets impacted by disclosure time, network latency Explore gadget space in small number of pages impacted by ROP chain computation time (> 40 seconds) Published JIT-ROP takes ms We can re-randomize typically every ms 84
85 Demo 85
86 86
87 Conclusion Continuous re-randomization every ms 87
88 Conclusion Continuous re-randomization every ms Fast: Defeats all known code reuse attacks Asynchronous shuffling offloads overhead Deployable: Binary analysis w/o modifying kernel, compiler,... Egalitarian: No additional privileges required Shuffler defends its own code 88
89 Questions? Demo website:
90 Related Work JIT-ROP, SOSP 2013 Oxymoron, Usenix Sec 2014 Code Pointer Integrity, OSDI 2014 Stabilizer, SIGARCH 2013 Remix, CODASPY 2016 TASR, CCS more related work in our paper [1] [2] 90
91 Future Work Translating stack unwind information Cannot shuffle the loader currently Breaks C++ exceptions, pthread_cancel, etc. Breaks dlopen If shuffling takes too long, no mechanism to pause target program 91
92 Shuffler Thread Performance Asynchronous shuffling runs quickly Synchronous runtime is 0.3% of total runtime 92
93 Scalability Multithreaded program Multiprocess program 1 common Shuffler thread n Shuffler threads Computations unw Computations unw Computations unw Computations unw Computations unw unw unw unw Tradeoff for server workers Multithreaded => better performance overhead Multiprocess => no disclosures across workers Both techniques scale well in practice (up to 24x) 93
Remix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationPRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES
PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationControl-flow Enforcement Technology H.J. Lu. Intel November, 2018
Control-flow Enforcement Technology H.J. Lu Intel November, 2018 Introduction Control-flow Enforcement Technology (CET) An upcoming Intel processor family feature that blocks return/jumporiented programming
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationHideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities
HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities Jason Gionta, William Enck, Peng Ning 1 JIT-ROP 2 Two Attack Categories Injection Attacks Code Integrity Data
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks
ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee School of Computer Science, Georgia Institute of Technology
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationInformation Leaks. Kyriakos Kyriakou
Information Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Just-in-time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationControl Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University
Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
More informationSecurity-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat
Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationControl Flow Integrity for COTS Binaries Report
Control Flow Integrity for COTS Binaries Report Zhang and Sekar (2013) January 2, 2015 Partners: Instructor: Evangelos Ladakis Michalis Diamantaris Giorgos Tsirantonakis Dimitris Kiosterakis Elias Athanasopoulos
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationWhat Cannot be Read, Cannot be Leveraged?
What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany Overview Code Reuse Attacks/Defenses
More information238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018
238P: Operating Systems Lecture 5: Address translation Anton Burtsev January, 2018 Two programs one memory Very much like car sharing What are we aiming for? Illusion of a private address space Identical
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More informationLecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.
Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow
More informationDefeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)
Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science
More informationCyber Moving Targets. Yashar Dehkan Asl
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system
More informationA Platform for Secure Static Binary Instrumentation
A Platform for Secure Static Binary Instrumentation Mingwei Zhang, Rui Qiao, Niranjan Hasabnis and R. Sekar Stony Brook University VEE 2014 Work supported in part by grants from AFOSR, NSF and ONR Motivation
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationReadactor: Practical Code Randomization Resilient to Memory Disclosure
2015 IEEE Symposium on Security and Privacy Readactor: Practical Code Randomization Resilient to Memory Disclosure Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationWhat You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon
What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon Ping Chen, Jun Xu, Zhisheng Hu, Xinyu Xing, Minghui Zhu, Bing Mao, Peng Liu College of Information Sciences and Technology, The
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley Florida State University {ychen,zwang,whalley}@cs.fsu.edu Long Lu Stony Brook University long@cs.stonybrook.edu ABSTRACT Code randomization
More information143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018
143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a
More informationDon t Get Caught In the Cold, Warm-up Your JVM Understand and Eliminate JVM Warm-up Overhead in Data-parallel Systems
Don t Get Caught In the Cold, Warm-up Your JVM Understand and Eliminate JVM Warm-up Overhead in Data-parallel Systems David Lion, Adrian Chiu, Hailong Sun*, Xin Zhuang, Nikola Grcevski, Ding Yuan University
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationControl Flow Integrity
Control Flow Integrity Outline CFI Control Flow Integrity at Source Code Level BinCFI CFI for Binary Executables BinCC Binary Code Continent vfguard CFI Policy for Virtual Function Calls 1 M. Abadi, M.
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationData-Oriented Programming
Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang Department of Computer Science National
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationCS5460: Operating Systems
CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) Course web page: http://www.eng.utah.edu/~cs5460/ CADE lab: WEB L224 and L226 http://www.cade.utah.edu/ Projects will be on Linux
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationkr^x Comprehensive Kernel Protection against Just-In-Time Code Reuse
mpomonis@cs.columbia.edu kr^x 1 / 30 kr^x Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public
More informationSpectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationWedge: Splitting Applications into Reduced-Privilege Compartments
Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits
More informationIt s a TRaP: Table Randomization and Protection against Function-Reuse Attacks
It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion
University of Piraeus Department of Digital Systems ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion G. Poulios, C. Ntantogian, C. Xenakis {gpoulios, dadoyan, xenakis}@unipi.gr
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationCS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan
CS 6V81-05 Control-Flow Integrity Principles, Implementations, and Applications Sureshbabu Murugesan Department of Computer Science University of Texas at Dallas February 29 th, 2012 Outline 1 Overview
More informationSecure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs
More informationFasten your seatbelts: We are escaping ios 11 sandbox! Min(Spark) Zheng & Xiaolong Alibaba Security Lab
Fasten your seatbelts: We are escaping ios 11 sandbox! Min(Spark) Zheng & Xiaolong Bai @ Lab Whoami SparkZheng @ Twitter spark @ Weibo Expert CUHK PhD, Blue-lotus and Insight-labs ios 9.3.4 & ios 11.3.1
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationCO 445H SECURE DESIGN PRINCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS. Dr. Ben Livshits
CO 445H SECURE DESIGN PRINCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits 2 Some Survey Responses Sunsetting Google+ 3 https://www.blog.google/technology/safety-security/project-strobe/
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationUndermining Information Hiding (And What to do About it)
Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating
More informationBuffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationRetpoline: A Branch Target Injection Mitigation
Retpoline: A Branch Target Injection Mitigation White Paper Revision 003 June, 2018 Any future revisions to this content can be found at https://software.intel.com/security-software-guidance/ when new
More informationCS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 13: Address Translation
CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring 2004 Lecture 13: Address Translation 13.0 Main Points 13.1 Hardware Translation Overview CPU Virtual Address Translation
More informationAn Evil Copy: How the Loader Betrays You
An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3, Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Page 1 Problem: A Motivating Example // main.c
More informationReduction of Code Reuse Attacks Using Code Randomization and Recursive Traversal Algorithm
Reduction of Code Reuse Attacks Using Code Randomization and Recursive Traversal Algorithm K. Krishna priya 1, Dr.P.Murugeswari 2 1 PG scholar, Department of CSE, Sri Vidya College of Engineering & Technology,
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationHETEROGENEOUS SYSTEM ARCHITECTURE: PLATFORM FOR THE FUTURE
HETEROGENEOUS SYSTEM ARCHITECTURE: PLATFORM FOR THE FUTURE Haibo Xie, Ph.D. Chief HSA Evangelist AMD China OUTLINE: The Challenges with Computing Today Introducing Heterogeneous System Architecture (HSA)
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationBinary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code
University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationPrac%cal Control Flow Integrity & Randomiza%on for Binary Executables
Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Chao Zhang Tao Wei Zhaofeng Chen Lei Duan Peking University Peking University UC Berkeley Peking University Peking University László
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationTo accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh
To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based
More informationHDFI: Hardware-Assisted Data-flow Isolation
HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More information