Shuffler: Fast and Deployable Continuous Code Re-Randomization
Size: px
Start display at page:

Download "Shuffler: Fast and Deployable Continuous Code Re-Randomization"

Transcription

1 Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 20161

2 Software Remains Vulnerable High-profile server breaches are commonplace 2

3 Software Remains Vulnerable High-profile server breaches are commonplace 90% of today s attacks utilize ROP [1] 3

4 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack func_1 func_2 ret addr func_3 4

5 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack ret addr 5

6 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack ret addr data ret addr ret addr ret addr Buffer Overrun 6

7 Return-Oriented Programming Reuse fragments of legitimate code (gadgets) Program code Stack ret addr data ret addr ret addr ret addr ROP gadget chain Buffer Overrun 7

8 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime 8

9 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 func_3 9

10 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 func_3 10

11 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 ROP gadget chain func_3 11 Inject exploit

12 Modern ROP Attacks JIT-ROP [2]: iteratively read code at runtime Target program Attacker func_1 func_2 ROP gadget chain func_3 12 Inject exploit

13 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_3 13

14 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_3 14

15 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_2 func_3 func_3 func_1 15

16 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets??? func_2 ROP gadget chain func_3 func_1 16 Inject exploit

17 The Shuffler Idea What if we re-randomize code more rapidly than an attacker discovers gadgets? ROP gadget chain 17 Inject exploit

18 How Is This Possible? Re-randomize code before an attacker uses it 18

19 How Is This Possible? Re-randomize code before an attacker uses it faster than disclosure vulnerability execution time; faster than gadget chain computation time; or, faster than network communication time 19

20 How Is This Possible? Re-randomize code before an attacker uses it faster than disclosure vulnerability execution time; faster than gadget chain computation time; or, faster than network communication time 20

21 How Is This Possible? Re-randomize code before an attacker uses it faster than disclosure vulnerability execution time; faster than gadget chain computation time; or, faster than network communication time one memory disclosure can only travel 820 miles! 21

22 What Is Shuffler? Defense based on continuous re-randomization Defeats all known code reuse attacks millisecond shuffling, scales to 24 threads Fast: bounds attacker s available time Deployable: Defeats even attackers with zero network latency Binary analysis w/o modifying kernel, compiler,... Egalitarian: Shuffler runs in same address space, defends itself 22

23 Outline 23

24 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 24

25 Continuous Re-Randomization Easy to copy code & fix direct references func_1 func_2... call func_2... func_2 25

26 Continuous Re-Randomization Easy to copy code & fix direct references func_1 (deleted)... call func_2... func_2 26

27 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? 27

28 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1 func_2... mov $func_2, ptr... call *ptr... 28

29 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1 &func_2 func_2... mov $func_2, ptr... call *ptr... 29

30 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1... mov $func_2, ptr... call *ptr... &func_2 func_2 (deleted) func_2 30

31 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: func_1... mov $func_2, ptr... call *ptr... &func_2 (deleted) func_2 31

32 Continuous Re-Randomization Easy to copy code & fix direct references What about code pointers? ptr: &func_2 &func_2 &func_2 &func_2 &func_2 &func_2 &func_2 func_2 (deleted) How to update all propagated pointers? &func_2 func_2 32

33 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) &func_2... func_2 33

34 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx &func_2... func_2 34

35 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx func_2 &func_2... f_2_idx func_2 35

36 Continuous Re-Randomization Solution: add extra level of indirection ptr: f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx func_2 &func_2... f_2_idx (deleted) 36

37 Code Pointer Abstraction Transforming *code_ptr into **code_ptr Correctness: pointer updates sound & precise Disclosure-resilience: code ptr table is hidden 37

38 Code Pointer Abstraction Transforming *code_ptr into **code_ptr Correctness: pointer updates sound & precise Disclosure-resilience: code ptr table is hidden ptr: f_2_idx func_2 %gs:... func_

39 Code Pointer Abstraction Transforming *code_ptr into **code_ptr Correctness: pointer updates sound & precise Disclosure-resilience: code ptr table is hidden ptr: f_2_idx func_2 %gs:... func_2... Rewrite call sites callq *%rax => callq *%gs:(%rax) Rewrite initialization points mov => mov $0x40054d, %rax $0x20, %rax 39

40 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 40

41 Return Address Encryption Return addresses are code pointers too Could use code pointer table, but inefficient call/ret instructions highly optimized 41

42 Return Address Encryption Return addresses are code pointers too Could use code pointer table, but inefficient call/ret instructions highly optimized Alternative mechanism correct and hidden Use normal call instructions Encrypt return addresses with XOR key 42

43 Return Address Encryption Prevent return address disclosure 43

44 Return Address Encryption Prevent return address disclosure Thread Stack func_1 ret addr ret addr func_2 ret addr func_3 44

45 Return Address Encryption Prevent return address disclosure Thread Stack func_1 (encrypted) + (encrypted) + (encrypted) + func_2 func_3 XOR key 45

46 Return Address Encryption Prevent return address disclosure Thread Stack func_1 (encrypted) + (encrypted) + (encrypted) + func_2 func: ; original code ret func_3 XOR key 46

47 Return Address Encryption Prevent return address disclosure We use binary rewriting (expand basic blocks) Thread Stack func_1 (encrypted) + (encrypted) + (encrypted) + func_2 func: mov %fs:0x28,%r11 xor %r11,(%rsp) ; original code mov %fs:0x28,%r11 xor %r11,(%rsp) ret func_3 XOR key 47

48 Return Address Migration Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack (encrypted) + (encrypted) + (encrypted) + func_3 XOR key 48

49 Return Address Migration Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack (encrypted) + (encrypted) + (encrypted) func_3 func_1 + func_2 func_3 XOR key 49

50 Return Address Migration Unwind stack and re-encrypt new addresses (deleted) (deleted) Thread Stack (encrypted) + (encrypted) + (encrypted) (deleted) func_1 + func_2 func_3 XOR key 50

51 Asynchronous Randomization 51

52 Asynchronous Randomization Creating new code copies takes time 20ms shuffle period Computations 52

53 Asynchronous Randomization Creating new code copies takes time 5ms real work Computations 15ms shuffling overhead Generate permutation Make new code copy Fix call instructions Update code pointer table Stack unwind 53

54 Asynchronous Randomization Creating new code copies takes time Shuffler prepares new code asynchronously 5ms real work Computations 15ms shuffling overhead Generate permutation Make new code copy Fix call instructions Update code pointer table Stack unwind 54

55 Asynchronous Randomization Creating new code copies takes time Shuffler prepares new code asynchronously Computations Generate permutation Make new code copy 19.94ms real work 0.06ms Computations Stack unwind Fix call instructions Update code pointer table Stack unwind 55

56 Asynchronous Randomization Creating new code copies takes time Shuffler prepares new code asynchronously Each thread unwinds its own stack in parallel Computations Generate permutation Make new code copy 99.7% of runtime 0.3% Computations Stack unwind Fix call instructions Update code pointer table Stack unwind 56

57 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 57

58 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) 58

59 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) Code pointer, or integer?.section.rodata:.quad 0x section.text: mov $0x400620, %rax 59

60 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) Code pointer, or integer?.section.rodata:.quad 0x section.rodata:.quad section.text: mov $0x400620, %rax.section.text: mov $ , %rax 60

61 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) Code pointer, or integer?.section.rodata:.quad 0x section.rodata:.quad section.text: mov $0x400620, %rax.section.text: mov $ , %rax Relocations (meta-data) 61

62 Augmented Binary Analysis Use additional info from unmodified compilers Symbols, to distinguish code and data (no -s) Relocations, to find all code pointers (--emit-relocs) ask linker to preserve relocations Code pointer, or integer?.section.rodata:.quad 0x section.rodata:.quad section.text: mov $0x400620, %rax.section.text: mov $ , %rax Relocations (meta-data) 62

63 Augmented Binary Analysis Allows accurate and complete disassembly 63

64 Augmented Binary Analysis Allows accurate and complete disassembly Many special cases, but we handle them 64

65 Where to Re-Randomize From Most defenses operate at higher privilege level i.e. kernel, hypervisor, hardware Or else declare their own code trusted 65

66 Where to Re-Randomize From Most defenses operate at higher privilege level i.e. kernel, hypervisor, hardware Or else declare their own code trusted Shuffler is egalitarian Same level of privilege, no system modifications Defends itself from attack 66

67 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers 67

68 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x x x x x40052c 0x

69 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x x x x x40052c 0x Rewrite main, printf,..., memcpy,... 69

70 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers New memcpy code memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x20 0x30 0x40 mov jmpq 0x400620(,%rax,8),%rax *%gs:(%rax) 0x28 0x88 0x48 Rewrite main, printf,..., memcpy,... Invalidates memcpy jump table But rewrite process uses (old) memcpy 70

71 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers New memcpy code memcpy s code mov jmpq 0x400620(,%rax,8),%rax *%rax 0x400620: 0x400630: 0x400640: 0x20 0x30 0x40 0x28 0x88 0x48 mov jmpq 0x400620(,%rax,8),%rax *%gs:(%rax)?? Rewrite main, printf,..., memcpy,... Invalidates memcpy jump table But rewrite process uses (old) memcpy 71

72 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler 72

73 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Other libraries C library Program Loader loads Shuffler stage 1 rewrites Shuffler stage 2 73

74 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Other libraries C library Program Shuffler stage 1 Loader invokes Shuffler stage 2 74

75 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Other libraries C library Program Shuffler stage 1 Loader erases erases Shuffler stage 2 75

76 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries Other libraries C library C library Program Program Shuffler stage 2 Shuffler stage 2 76

77 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries C library Program Shuffler stage 2 77

78 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries Other libraries C library C library Program Program Shuffler stage 2 Shuffler stage 2 78

79 Egalitarian Bootstrapping Problem: transformations break original code e.g. memcpy uses code pointers Solution: use two copies of Shuffler Make new copies Other libraries C library Program Shuffler stage 2 79

80 Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 80

81 Performance Evaluation SPEC CPU overhead at 50ms = 14.9% 81

82 Performance Evaluation SPEC CPU overhead at 50ms = 14.9% Multiprocess Nginx up to 24 workers 82

83 Security Evaluation Two disclosure-based attack methodologies: Scan many pages for the desired gadgets impacted by disclosure time, network latency Explore gadget space in small number of pages impacted by ROP chain computation time (> 40 seconds) 83

84 Security Evaluation Two disclosure-based attack methodologies: Scan many pages for the desired gadgets impacted by disclosure time, network latency Explore gadget space in small number of pages impacted by ROP chain computation time (> 40 seconds) Published JIT-ROP takes ms We can re-randomize typically every ms 84

85 Demo 85

86 86

87 Conclusion Continuous re-randomization every ms 87

88 Conclusion Continuous re-randomization every ms Fast: Defeats all known code reuse attacks Asynchronous shuffling offloads overhead Deployable: Binary analysis w/o modifying kernel, compiler,... Egalitarian: No additional privileges required Shuffler defends its own code 88

89 Questions? Demo website:

90 Related Work JIT-ROP, SOSP 2013 Oxymoron, Usenix Sec 2014 Code Pointer Integrity, OSDI 2014 Stabilizer, SIGARCH 2013 Remix, CODASPY 2016 TASR, CCS more related work in our paper [1] [2] 90

91 Future Work Translating stack unwind information Cannot shuffle the loader currently Breaks C++ exceptions, pthread_cancel, etc. Breaks dlopen If shuffling takes too long, no mechanism to pause target program 91

92 Shuffler Thread Performance Asynchronous shuffling runs quickly Synchronous runtime is 0.3% of total runtime 92

93 Scalability Multithreaded program Multiprocess program 1 common Shuffler thread n Shuffler threads Computations unw Computations unw Computations unw Computations unw Computations unw unw unw unw Tradeoff for server workers Multithreaded => better performance overhead Multiprocess => no disclosures across workers Both techniques scale well in practice (up to 24x) 93

Similar documents

Remix: On-demand Live Randomization

Remix: On-demand Live Randomization Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow

More information

Defeating Return-Oriented Rootkits with Return-less Kernels

Defeating Return-Oriented Rootkits with Return-less Kernels 5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer

More information

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer

More information

String Oriented Programming Exploring Format String Attacks. Mathias Payer

String Oriented Programming Exploring Format String Attacks. Mathias Payer String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:

More information

Return-orientated Programming

Return-orientated Programming Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming

More information

Control-flow Enforcement Technology H.J. Lu. Intel November, 2018

Control-flow Enforcement Technology H.J. Lu. Intel November, 2018 Control-flow Enforcement Technology H.J. Lu Intel November, 2018 Introduction Control-flow Enforcement Technology (CET) An upcoming Intel processor family feature that blocks return/jumporiented programming

More information

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

kguard++: Improving the Performance of kguard with Low-latency Code Inflation kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin

More information

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization 04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

The Geometry of Innocent Flesh on the Bone

The Geometry of Innocent Flesh on the Bone The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop

More information

HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities

HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities Jason Gionta, William Enck, Peng Ning 1 JIT-ROP 2 Two Attack Categories Injection Attacks Code Integrity Data

More information

Return-Oriented Rootkits

Return-Oriented Rootkits Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry

More information

Runtime Defenses against Memory Corruption

Runtime Defenses against Memory Corruption CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,

More information

ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks

ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee School of Computer Science, Georgia Institute of Technology

More information

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,

More information

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of

More information

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,

More information

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

Information Leaks. Kyriakos Kyriakou

Information Leaks. Kyriakos Kyriakou Information Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Just-in-time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization

More information

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker

More information

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html

More information

Security-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat

Security-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued

More information

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.

More information

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow

More information

Control Flow Integrity for COTS Binaries Report

Control Flow Integrity for COTS Binaries Report Control Flow Integrity for COTS Binaries Report Zhang and Sekar (2013) January 2, 2015 Partners: Instructor: Evangelos Ladakis Michalis Diamantaris Giorgos Tsirantonakis Dimitris Kiosterakis Elias Athanasopoulos

More information

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code

More information

How to Sandbox IIS Automatically without 0 False Positive and Negative

How to Sandbox IIS Automatically without 0 False Positive and Negative How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1

More information

Abstraction Recovery for Scalable Static Binary Analysis

Abstraction Recovery for Scalable Static Binary Analysis Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

What Cannot be Read, Cannot be Leveraged?

What Cannot be Read, Cannot be Leveraged? What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany Overview Code Reuse Attacks/Defenses

More information

238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018

238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018 238P: Operating Systems Lecture 5: Address translation Anton Burtsev January, 2018 Two programs one memory Very much like car sharing What are we aiming for? Illusion of a private address space Identical

More information

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases

More information

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org

More information

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni. Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow

More information

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014) Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science

More information

Cyber Moving Targets. Yashar Dehkan Asl

Cyber Moving Targets. Yashar Dehkan Asl Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system

More information

A Platform for Secure Static Binary Instrumentation

A Platform for Secure Static Binary Instrumentation A Platform for Secure Static Binary Instrumentation Mingwei Zhang, Rui Qiao, Niranjan Hasabnis and R. Sekar Stony Brook University VEE 2014 Work supported in part by grants from AFOSR, NSF and ONR Motivation

More information

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption

More information

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow

More information

Readactor: Practical Code Randomization Resilient to Memory Disclosure

Readactor: Practical Code Randomization Resilient to Memory Disclosure 2015 IEEE Symposium on Security and Privacy Readactor: Practical Code Randomization Resilient to Memory Disclosure Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza

More information

Malware

Malware reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or

More information

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge

More information

Influential OS Research Security. Michael Raitza

Influential OS Research Security. Michael Raitza Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization

More information

Inline Reference Monitoring Techniques

Inline Reference Monitoring Techniques Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT) Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation

More information

What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon

What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon Ping Chen, Jun Xu, Zhisheng Hu, Xinyu Xing, Minghui Zhu, Bing Mao, Peng Liu College of Information Sciences and Technology, The

More information

Remix: On-demand Live Randomization

Remix: On-demand Live Randomization Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley Florida State University {ychen,zwang,whalley}@cs.fsu.edu Long Lu Stony Brook University long@cs.stonybrook.edu ABSTRACT Code randomization

More information

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018 143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a

More information

Don t Get Caught In the Cold, Warm-up Your JVM Understand and Eliminate JVM Warm-up Overhead in Data-parallel Systems

Don t Get Caught In the Cold, Warm-up Your JVM Understand and Eliminate JVM Warm-up Overhead in Data-parallel Systems Don t Get Caught In the Cold, Warm-up Your JVM Understand and Eliminate JVM Warm-up Overhead in Data-parallel Systems David Lion, Adrian Chiu, Hailong Sun*, Xin Zhuang, Nikola Grcevski, Ding Yuan University

More information

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5

More information

Control Flow Integrity

Control Flow Integrity Control Flow Integrity Outline CFI Control Flow Integrity at Source Code Level BinCFI CFI for Binary Executables BinCC Binary Code Continent vfguard CFI Policy for Virtual Function Calls 1 M. Abadi, M.

More information

Outline. Format string attack layout. Null pointer dereference

Outline. Format string attack layout. Null pointer dereference CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string

More information

On Compilers, Memory Errors and Control-Flow Integrity

On Compilers, Memory Errors and Control-Flow Integrity On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView

More information

Buffer overflow background

Buffer overflow background and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer

More information

Data-Oriented Programming

Data-Oriented Programming Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang Department of Computer Science National

More information

Outline. Heap meta-data. Non-control data overwrite

Outline. Heap meta-data. Non-control data overwrite Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap

More information

CS5460: Operating Systems

CS5460: Operating Systems CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) Course web page: http://www.eng.utah.edu/~cs5460/ CADE lab: WEB L224 and L226 http://www.cade.utah.edu/ Projects will be on Linux

More information

Selected background on ARM registers, stack layout, and calling convention

Selected background on ARM registers, stack layout, and calling convention Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),

More information

kr^x Comprehensive Kernel Protection against Just-In-Time Code Reuse

kr^x Comprehensive Kernel Protection against Just-In-Time Code Reuse mpomonis@cs.columbia.edu kr^x 1 / 30 kr^x Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios

More information

T Jarkko Turkulainen, F-Secure Corporation

T Jarkko Turkulainen, F-Secure Corporation T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In

More information

On the Effectiveness of Type-based Control Flow Integrity

On the Effectiveness of Type-based Control Flow Integrity On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public

More information

Spectre Returns! Speculation Attacks Using Return Stack Buffer

Spectre Returns! Speculation Attacks Using Return Stack Buffer Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA

More information

Software Security II: Memory Errors - Attacks & Defenses

Software Security II: Memory Errors - Attacks & Defenses 1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow

More information

in memory: an evolution of attacks Mathias Payer Purdue University

in memory: an evolution of attacks Mathias Payer Purdue University in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory

More information

Wedge: Splitting Applications into Reduced-Privilege Compartments

Wedge: Splitting Applications into Reduced-Privilege Compartments Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits

More information

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten

More information

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD

More information

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks

More information

ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion

ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion University of Piraeus Department of Digital Systems ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion G. Poulios, C. Ntantogian, C. Xenakis {gpoulios, dadoyan, xenakis}@unipi.gr

More information

Memory Safety (cont d) Software Security

Memory Safety (cont d) Software Security Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office

More information

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan CS 6V81-05 Control-Flow Integrity Principles, Implementations, and Applications Sureshbabu Murugesan Department of Computer Science University of Texas at Dallas February 29 th, 2012 Outline 1 Overview

More information

Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan

Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs

More information

Fasten your seatbelts: We are escaping ios 11 sandbox! Min(Spark) Zheng & Xiaolong Alibaba Security Lab

Fasten your seatbelts: We are escaping ios 11 sandbox! Min(Spark) Zheng & Xiaolong Alibaba Security Lab Fasten your seatbelts: We are escaping ios 11 sandbox! Min(Spark) Zheng & Xiaolong Bai @ Lab Whoami SparkZheng @ Twitter spark @ Weibo Expert CUHK PhD, Blue-lotus and Insight-labs ios 9.3.4 & ios 11.3.1

More information

C and C++ Secure Coding 4-day course. Syllabus

C and C++ Secure Coding 4-day course. Syllabus C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course

More information

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Survey of Cyber Moving Targets. Presented By Sharani Sankaran Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of

More information

CO 445H SECURE DESIGN PRINCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS. Dr. Ben Livshits

CO 445H SECURE DESIGN PRINCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS. Dr. Ben Livshits CO 445H SECURE DESIGN PRINCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits 2 Some Survey Responses Sunsetting Google+ 3 https://www.blog.google/technology/safety-security/project-strobe/

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering

More information

Undermining Information Hiding (And What to do About it)

Undermining Information Hiding (And What to do About it) Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating

More information

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller

More information

0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:

More information

18-600: Recitation #4 Exploits

18-600: Recitation #4 Exploits 18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:

More information

Retpoline: A Branch Target Injection Mitigation

Retpoline: A Branch Target Injection Mitigation Retpoline: A Branch Target Injection Mitigation White Paper Revision 003 June, 2018 Any future revisions to this content can be found at https://software.intel.com/security-software-guidance/ when new

More information

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 13: Address Translation

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 13: Address Translation CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring 2004 Lecture 13: Address Translation 13.0 Main Points 13.1 Hardware Translation Overview CPU Virtual Address Translation

More information

An Evil Copy: How the Loader Betrays You

An Evil Copy: How the Loader Betrays You An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3, Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Page 1 Problem: A Motivating Example // main.c

More information

Reduction of Code Reuse Attacks Using Code Randomization and Recursive Traversal Algorithm

Reduction of Code Reuse Attacks Using Code Randomization and Recursive Traversal Algorithm Reduction of Code Reuse Attacks Using Code Randomization and Recursive Traversal Algorithm K. Krishna priya 1, Dr.P.Murugeswari 2 1 PG scholar, Department of CSE, Sri Vidya College of Engineering & Technology,

More information

CMPSC 497 Buffer Overflow Vulnerabilities

CMPSC 497 Buffer Overflow Vulnerabilities Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow

More information

HETEROGENEOUS SYSTEM ARCHITECTURE: PLATFORM FOR THE FUTURE

HETEROGENEOUS SYSTEM ARCHITECTURE: PLATFORM FOR THE FUTURE HETEROGENEOUS SYSTEM ARCHITECTURE: PLATFORM FOR THE FUTURE Haibo Xie, Ph.D. Chief HSA Evangelist AMD China OUTLINE: The Challenges with Computing Today Introducing Heterogeneous System Architecture (HSA)

More information

Intro to x86 Binaries. From ASM to exploit

Intro to x86 Binaries. From ASM to exploit Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more

More information

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis

More information

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems

More information

Spectre and Meltdown. Clifford Wolf q/talk

Spectre and Meltdown. Clifford Wolf q/talk Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering

More information

Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables

Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Chao Zhang Tao Wei Zhaofeng Chen Lei Duan Peking University Peking University UC Berkeley Peking University Peking University László

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

To accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh

To accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based

More information

HDFI: Hardware-Assisted Data-flow Isolation

HDFI: Hardware-Assisted Data-flow Isolation HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia

More information

Lecture 08 Control-flow Hijacking Defenses

Lecture 08 Control-flow Hijacking Defenses Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation

More information

Q: Exploit Hardening Made Easy

Q: Exploit Hardening Made Easy Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback