Building a Reactive Immune System for Software Services
|
|
- Ashlynn Gibbs
- 6 years ago
- Views:
Transcription
1 Building a Reactive Immune System for Software Services Tobias Haupt January 24, 2007 Abstract In this article I summarize the ideas and concepts of the paper Building a Reactive Immune System for Software Services by Sidiroglou, Locasto, Boyd and Keromytis from Columbia University in which the authors propose a way to treat software bugs that may not be foreseen during development and testing of that software. These may be software failures, ranging from remotely exploitable vulnerabilities to more mundane bugs that cause abnormal program termination [...] or other recognizable bad behaviour [...] [SLBK05]. Various software tools are used to create an environment in which an application can be monitored. Whenever abnormal program behaviour is observed inside the application, it can be healed with the help of an instruction level emulator and special exception handling methods so that future use of the application should than be possible without running into the same problem. In the paper, the structure of such a reactive immune system is discussed by demonstrating a prototypical implementation. Focus is also put on performance issues resulting from emulating parts of the application. Contents 1 Introduction 2 2 Basics 2 3 Reactive Immune System Overview Monitoring the application Selective Transactional EMulation (STEM) Types of treated errors Division by zero Memory dereferencing Buffer overflow (see also [TK02]) Denial of service Error handling Implementation of STEM Evaluation Attacks, exploits Error virtualization Performance Related Work 8 6 Discussion 8 7 Conclusion 9 1
2 2 2 BASICS 1 Introduction There are different approaches to avoiding failures in software systems but even today, when a number of well trained software developers work together on large projects, there are still bugs in these systems that nobody will find until they can, for example, be exploited by attackers or lead to critical errors in the system. This is most dangerous in the domain of (web) services which have to be highly available or deal with most valuable private data. The current approaches to avoiding vulnerabilities in these systems can be classified in four categories: Proactive approaches Selection of safe programming languages and other development tools and methodologies aims to make the software as dependable as possible during development. Debugging Analysis after faults have happened to determine the error in the source code. Runtime Prevent access of faulty applications to the underlying system and valuable data by providing a safe environment for the execution of the application (sandboxes, emulators). Fault tolerance Multiple instances of the application agree on the result of an operation to be able to ignore an error or attack on a single instance. In the paper the authors describe a reactive approach. This is an approach whose aim is to react to the occurrence of previously unseen errors by trying to fix the error and ensuring safe execution of the erroneous operation. The backbone of the system is a so-called Observe Orient Decide Act (OODA) feedback loop. At first the application will be observed by the operating system. Whenever a failure occurs, a recovery mechanism will be invoked to handle the failure by choosing and extending the region of code that will be emulated in the future by altering the application s source code and recompiling and restarting it. The system is capable of running unemulated and emulated code simultaneously because the emulator will be integrated into the source code of the application. Another main idea in the paper is the so-called error virtualization a method to extend the error handling mechanisms of the application by retrofit[ting]h an exception catching mechanism onto code that wasn t explicitly written to have such a capability. [SLBK05] The domain of the application studied in the paper are server applications because in general those applications have higher requirements in terms of reliability. Those applications, e.g. the Apache webserver, process input streams that arrive over the network. Therefore it is easy to replay the sequence of events that lead to the error Easier than, for example, in user-oriented applications with graphical user interfaces. The experiments in the paper show that the error virtualization and emulation techniques make applications a lot more dependable but have a deep impact on the performance of applications. Future work will focus on this issue by fine-tuning the whole system, especially the work of the emulator. 2 Basics Server applications like web or database servers have very strong requirements regarding availability and security. Often these applications are exposed to arbitrary input from any number of different clients. Therefore, bugs and vulnerabilities are a serious threat. Attacks that lead to critical errors, like execution of dangerous code through buffer overflows, or simply to denial of service have to be avoided at all costs. Therefore server applications are normally checking all input and provide error handling routines to handle invalid input streams. Nevertheless, unforeseen boundary conditions may still occur and result in vulnerabilities if they are discovered and
3 3 misused by attackers. It often takes time to provide a suitable bug fix and even more time until everybody has updated the vulnerable application. In a normal scenario an attacker can use this time to intrude different instances of the same version of the vulnerable application on different servers to exploit the bug. It is most dangerous, if the attacker can get access to secret data about other users, the system or the company. Attackers usually need more than one attempt to figure out how to construct a dangerous input sequence and this is the point at which the approach described in the paper comes into play. The first abnormal behaviour of the application will trigger a sequence of actions to prevent the same error in the future. 3 Reactive Immune System 3.1 Overview Figure 1: Immune system overview [SLBK05] In figure 1 you can see an overview of the reactive immune system proposed by the authors of the paper. The system is separated into three main sections. On the production server the application is running attached with several kinds of sensors that can detect different kinds of errors in the application. On a second server an instrumented instance of the same application is running and tests can be performed on this instance to get a vaccine for an error that occurred in the application on the production server. This is done by reusing the sequence of input vectors that potentially let to the previous error. The third part is some kind of automated testing environment where some knowledge about types of errors and techniques to avoid those errors can be applied to and inserted into the testing instance of the application. 3.2 Monitoring the application In the paper, two types of sensors are described. The first approach is based on the operating system the application is running on. Whenever an abnormal program termination occurs, the operating system stops the application and creates a core dump file with the type of failure and a stack trace. The search for the very point of the failure in the code can be started at the last called method and continued according to the call graph in the application. The second approach makes use of a so-called honeypot server that will only be visible to attackers that scan the network for available server instances. Normal requests will not be processed by this server. In this instance of the application one can instrument the parts of the application that may be vulnerable to a specific type of attack with an instruction level emulator that checks every single instruction before it will actually be executed. In such an environment it is much easier to extract the input that lead to the failure and afterwards replay the attack. Furthermore, the performance is not a critical factor on such a server that does not process normal service requests.
4 4 3 REACTIVE IMMUNE SYSTEM 3.3 Selective Transactional EMulation (STEM) The recovery mechanism uses an instruction-level emulator, STEM, that can be selectively invoked for arbitrary segments of code. [SLBK05] Code that is in some way error-prone (shown by previously detected errors in this code region) can be emulated by STEM. STEM allows to run single instructions on a virtual processor and therefore to handle errors in a way that they do not affect the real operation environment. Snapshots of internal states can be copied to the real environment whenever an emulated part of the application is processed successfully. Should an instruction provoke an error, STEM can handle that failure by ignoring all changes to the memory and the processor registers. To do that, it simply ignores the internal states of the virtual environment. This procedure explains the transactional in the name of the emulator. The emulated part of the program is treated like a single operation. It will either succeed without fault or have no influence on the processor and memory. 3.4 Types of treated errors Depending on the sensor that detected the fault, the emulator knows different methods to prevent future failures in the emulated code. Some examples mentioned in the paper are listed below Division by zero The emulator only needs to check the operand to a div instruction Memory dereferencing Any memory access has to be checked for whether the addressed page is inside the address space of the process. This can be done by using the mincore() system call Buffer overflow (see also [TK02]) A very serious threat to software systems on servers is the buffer overflow and derived methods for attacking a vulnerable system. Buffer overflows occur when a large string is copied to a fixedsize memory buffer by an unsafe C function that does not check the boundaries of the target buffer. Whenever an input string from a client is handled directly by such an unsafe function without checking the length and content of that string, an attacker can force the buffer overflow by providing malicious data. Figure 2: Stack Layout [TK02]
5 3.5 Error handling 5 Figure 3: Operation of strcpy [TK02] Figure 2 shows a stack layout of a function compiled by gcc while figure 3 shows the influence of a strcpy call with too large of a string as parameter on that stack in memory. As you can see, the result of such a call may overwrite the return address of the function and thus cause the instruction pointer to point to an undefined position in the stack. An attacker can construct the string in such a way that it contains executable code and the return address of the vulnerable function points to that code, leading to an undesired execution of the inserted code with the permissions of the running process. STEM is able to detect buffer overflows by tagging the available buffer memory with one extra byte and controlling memory access to this very byte. Writing over the boundaries of a fixed-length buffer can be avoided this way Denial of service Some attacks aim to force a denial of service by requesting an algorithmically complex operation. A very simple example would be that the program runs into an infinite loop because of malicious input signals. Denial of service can also be achieved by coupling multiple clients to request the service at the same time. The server will not be able to distinguish between requests from attackers and normal requests and will therefore deny service to a number of incoming requests because it is overloaded. STEM can also prevent those attacks by counting the number of instructions and aborting after a predefined threshold is exceeded. 3.5 Error handling Upon detecting a fault, our recovery mechanism undoes all memory changes and forces an error return from the currently executing function. To determine the appropriate error return value, we analyse the declared type of the function. [SLBK05] Based on some heuristics, an error return value is generated from the type of the function that may crash. For example, -1 is returned when the type is int. More difficult to determine is the result of a pointer or value return parameters. Depending on the code of the calling function, one might need to expand the emulated area of code to this function because simply returning a NULL value is not always useful and may lead to more errors. Evaluation shows that these heuristics work extremely well but future work should analyse the source code more exactly and may even ask the programmer to define a common error-code convention.
6 6 4 EVALUATION 3.6 Implementation of STEM STEM is implemented as a C library which defines special methods that can be inserted into the source code of the application that shall be emulated. It is possible to switch the emulator on only for a part of the program for example, for a method that handles the input code from the client. This is beneficial because only parts of the application need to run inside an emulated environment rather than the entire application. This results in lower performance costs. The downside is that, at least at the moment, you need the sources of the application that is to be emulated in order to insert the special emulator commands that start and stop the emulation. Figure 4: Inserting the emulator in the method foo() [SLBK05] Figure 4 shows an extract of the source code of an application with the required calls to initialise, start, stop and terminate the emulator inside of a single method foo(). The only instruction that is emulated in this example is the incrementing of a local variable. The first call to emulate init() moves all the program state into a data structure for the emulator. This structure represents the virtual environment needed by the emulator. Emulate begin() starts the emulation process by getting the instruction address of the first emulated instruction. Emulate end() stops the emulation if no error occurred during emulation, emulate term copies the virtual environment back to the real environment. Execution can continue under normal conditions. In case of an error, the emulator is capable of returning to the original program state of the time before emulation began. 4 Evaluation A large part of the original paper is about evaluation of the presented approach. Three main points are mentioned: First, the usability of the system when it comes to real life attacks in a productive environment. Second, some tests on whether the idea of error virtualization and the slicing off of functionality in vulnerable methods will work in practice. The last point is about performance of fully and partially emulated systems. 4.1 Attacks, exploits One example for real attacks is the Apache server and the Apache-Scalp exploit that takes advantage of a buffer overflow vulnerability based on the incorrect calculation of the required buffer sizes for chunked encoding requests. [SLBK05]
7 4.2 Error virtualization 7 The Apache server was inserted into the immune system environment and the system had no knowledge about the vulnerabilities inside of the server application. Appropriate sensors were used to detect errors in the software as stated in previous sections. During the experiment, the selective emulator was attached to the vulnerable method, therefore successfully recovering from the attack and serving subsequent requests. 4.2 Error virtualization To handle errors, STEM works by slicing off the functionality of the emulated methods by returning predefined error values. The question was if an application could work without the missing functionality and would not crash. The authors again tested the Apache server by automatically inserting early return statements into leaf methods (that do not call other methods). A webservice performance measurement tool was used to test the altered server application. The result was if the method aborting did not influence the test in 139 of 154 different cases. The Question arises if the functionality of those applications is still correct, regarding security issues. Missing functionality may, for example, result in missing authorization checks. 4.3 Performance The main issue regarding the performance of the system is the emulation of parts or the whole application. To check the performance, the application was tested by a performance measurement tool and different areas of the code were emulated. Figure 5: Performance testing by emulating different parts of the apache application [SLBK05] In figure 5 you can see the number of handled requests per second related to the number of threads for different clients that were running. The graph at the bottom shows a complete emulation of Apache inside of a different emulator than STEM the Valgrind emulator. In
8 8 6 DISCUSSION contrast to STEM, Valgrind is a high performance emulator because it has been optimised in a lot of different ways, so full emulation is much faster with Valgrind than with STEM. However the partial emulation with STEM is still faster than full emulation with Valgrind. Future work has to be done to optimise the performance of STEM. This can be done by applying some well-known techniques like caching translated instructions. Other ways to improve performance aim at minimizing the size of the emulated regions in the application s code. More intelligent mechanisms to detect the origin of the fault in the code may be applied. 5 Related Work Valgrind is a program supervision framework that enables in-depth instrumentation and analysis of IA-32 binaries without recompilation. Valgrind has been used [...] to implement instruction set randomization techniques to protect programs against code insertion attacks. (see [SLBK05] and [BAF + 03]) There are other approaches to make applications safer and more resistant against attacks, such as sandboxing or virtual machines. Often these approaches also work with safe languages like Java. The approach in this paper does, in contrast, focus on an unsafe language like C and will not only prevent errors in the application but will also try to repair the vulnerable application by automatically providing some kind of bug fix. It is usable in production environments at runtime. 6 Discussion The only bad thing about the paper is that structure is not clear enough. Some things are described in more or less detail in multiple sections. Therefore it is sometimes hard to read. The authors put a lot of focus on the evaluation and testing of their idea. They mention some promising things but also do not ignore the problems that occurred. My opinion is that the approach will lead to a suitable environment for safer software that can handle errors automatically by itself. I think that those systems will not work without some human interaction. Most of the approaches suffer from a lack of knowledge about the application they work with. This may lead to serious threats, too and is also the reason why the authors plan to create a framework for correctness testing. During my presentation, there were some questions about real performance numbers or the way to interpret these numbers. The system was capable to detect and heal about 88% of the bugs that were inside the application. The system did not know those bugs at the beginning of the test. Obviously, the authors did know the attacks that used vulnerabilities of the application and tested the system by running those attacks on it. So, in general, one can say that the system does heal unknown bugs and does prevent unknown attacks. In any case, the system needs to have knowledge about the kind of bugs that may occur. Appropriate sensors have to be provided which are capable of detecting errors like code injection through buffer overflow vulnerabilities. Another question was how one can figure out which input exactly lead to the detected error. In a production environment this is very difficult because one has to take into account multiple clients and their request strings. So it will always be hard to isolate the actual sequence of inputs that triggered the error. The most convincing method is the so-called honeypot server that only attackers will track down inside of the network. In this way, the malicious sequence of inputs can be isolated from normal inputs and the testing and analysis can determine the size of the emulated region in the code by replaying these inputs until the application does not crash anymore. Because the performance of the honeypot server is not relevant, one might even start the whole application inside the emulator and check every single instruction for occurrence of different kinds of errors. In this environment it is easy to provide a vaccine that, for example, implements array bounds checking to prevent buffer overflows. The question about the size of the input sequence the immune system uses to replay the error and find a cure for it is hard to answer. The authors do not mention much about this issue in
9 9 the paper. There might be different strategies to minimise the input. One might be to enlarge the amount of replayed input step by step until the error will show up again. In the scenario with the honeypot server there will probably be only one client that tries to attack the application. A more intelligent analysis algorithm may look for patterns in the client s input vector to isolate the dangerous sequence. An example might be a sequence of slightly changed requests with the goal of constructing a successful exploit. 7 Conclusion It has been shown that there are ways to cope with unknown errors even in larger software applications. Automatic environments can be set up to ensure the quality and correctness of server applications in the internet. The greatest problem is still the performance of such applications that will be compromised by the use of emulators. A lot of investigation has to be done regarding the correctness of self-altering application systems so that these alterations do not merely lead to more bugs. References [BAF + 03] E. G. Barrantes, D. H. Ackley, S. Forrest, D. Stefanovic, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In 10th ACM Conference on Computer and Communication Security (CCS), October [SLBK05] Stelios Sidiroglou, Michael E. Locasto, Stephen W. Boyd, and Angelos D. Keromytis. Building a reactive immune system for software services. USENIX Annual Technical Conference, pages , (document), 1, 1, 3.3, 3.5, 4, 4.1, 5, 5 [TK02] T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th Symposium on Recent Advances in Intrusion Detection (RAID), October (document), 3.4.3, 2, 3
Hardware Support For Self-Healing Software Services
Hardware Support For Self-Healing Software Services Stelios Sidiroglou Michael E. Locasto Angelos D. Keromytis Department of Computer Science, Columbia University in the City of New York {stelios,locasto,angelos}@cs.columbia.edu
More informationDynamic Emulation and Fault- Injection using Dyninst. Presented by: Rean Griffith Programming Systems Lab (PSL)
Dynamic Emulation and Fault- Injection using Dyninst Presented by: Rean Griffith Programming Systems Lab (PSL) rg2023@cs.columbia.edu 1 Overview Introduction Background Dynamic Emulation Example Solution
More informationUndefined Behaviour in C
Undefined Behaviour in C Report Field of work: Scientific Computing Field: Computer Science Faculty for Mathematics, Computer Science and Natural Sciences University of Hamburg Presented by: Dennis Sobczak
More informationApplication Communities: Using Monoculture for Dependability
Application Communities: Using Monoculture for Dependability Michael E. Locasto, Stelios Sidiroglou, and Angelos D. Keromytis etwork Security Lab, Computer Science Department, Columbia University {locasto,
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationCyber Moving Targets. Yashar Dehkan Asl
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationTesting Exceptions with Enforcer
Testing Exceptions with Enforcer Cyrille Artho February 23, 2010 National Institute of Advanced Industrial Science and Technology (AIST), Research Center for Information Security (RCIS) Abstract Java library
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationHow to Break Software by James Whittaker
How to Break Software by James Whittaker CS 470 Practical Guide to Testing Consider the system as a whole and their interactions File System, Operating System API Application Under Test UI Human invokes
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationAdvanced Memory Allocation
Advanced Memory Allocation Call some useful functions of the GNU C library to save precious memory and to find nasty bugs. by Gianluca Insolvibile Dealing with dynamic memory traditionally has been one
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationEnd-Point Counter-Worm Mechanism Using Automated Software Patching. Angelos Keromytis Columbia University
End-Point Counter-Worm Mechanism Using Automated Software Patching Angelos Keromytis Columbia University angelos@cs.columbia.edu Summary End-network architecture for protecting network services against
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationChapter 8 Software Testing. Chapter 8 Software testing
Chapter 8 Software Testing 1 Topics covered Introduction to testing Stages for testing software system are: Development testing Release testing User testing Test-driven development as interleave approach.
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationCS 161 Computer Security. Security Throughout the Software Development Process
Popa & Wagner Spring 2016 CS 161 Computer Security 1/25 Security Throughout the Software Development Process Generally speaking, we should think of security is an ongoing process. For best results, it
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More information19.1. Security must consider external environment of the system, and protect it from:
Module 19: Security The Security Problem Authentication Program Threats System Threats Securing Systems Intrusion Detection Encryption Windows NT 19.1 The Security Problem Security must consider external
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 4a Andrew Tolmach Portland State University 1994-2017 Semantics and Erroneous Programs Important part of language specification is distinguishing valid from
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationAutomated Signature Generation: Overview and the NoAH Approach. Bernhard Tellenbach
Automated Signature Generation: Overview and the NoAH Approach Structure Motivation: The speed of insecurity Overview Building Blocks and Techniques The NoAH approach 2 The speed of insecurity Source:
More informationSteps for project success. git status. Milestones. Deliverables. Homework 1 submitted Homework 2 will be posted October 26.
git status Steps for project success Homework 1 submitted Homework 2 will be posted October 26 due November 16, 9AM Projects underway project status check-in meetings November 9 System-building project
More informationRegression testing. Whenever you find a bug. Why is this a good idea?
Regression testing Whenever you find a bug Reproduce it (before you fix it!) Store input that elicited that bug Store correct output Put into test suite Then, fix it and verify the fix Why is this a good
More informationOn-Demand Proactive Defense against Memory Vulnerabilities
On-Demand Proactive Defense against Memory Vulnerabilities Gang Chen, Hai Jin, Deqing Zou, and Weiqi Dai Services Computing Technology and System Lab Cluster and Grid Computing Lab School of Computer Science
More informationOverview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks
Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard
More informationOutline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction
Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp
More informationCSci 4061 Introduction to Operating Systems. Programs in C/Unix
CSci 4061 Introduction to Operating Systems Programs in C/Unix Today Basic C programming Follow on to recitation Structure of a C program A C program consists of a collection of C functions, structs, arrays,
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationCritical Systems. Objectives. Topics covered. Critical Systems. System dependability. Importance of dependability
Objectives Critical Systems To explain what is meant by a critical system where system failure can have severe human or economic consequence. To explain four dimensions of dependability - availability,
More informationPart 5. Verification and Validation
Software Engineering Part 5. Verification and Validation - Verification and Validation - Software Testing Ver. 1.7 This lecture note is based on materials from Ian Sommerville 2006. Anyone can use this
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationHacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019
Hacking in C Pointers Radboud University, Nijmegen, The Netherlands Spring 2019 Allocation of multiple variables Consider the program main(){ char x; int i; short s; char y;... } What will the layout of
More informationCS 520 Theory and Practice of Software Engineering Fall 2018
CS 520 Theory and Practice of Software Engineering Fall 2018 Nediyana Daskalova Monday, 4PM CS 151 Debugging October 30, 2018 Personalized Behavior-Powered Systems for Guiding Self-Experiments Help me
More informationLecture 3 Notes Arrays
Lecture 3 Notes Arrays 15-122: Principles of Imperative Computation (Summer 1 2015) Frank Pfenning, André Platzer 1 Introduction So far we have seen how to process primitive data like integers in imperative
More informationSelf-defending software: Automatically patching errors in deployed software
Self-defending software: Automatically patching errors in deployed software Michael Ernst University of Washington Joint work with: Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Sung Kim, Samuel
More informationCYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output
CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 6 Readings 2 Secure Coding String management Pointer Subterfuge
More information2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge
CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 6 Readings 2 String management Pointer Subterfuge Secure
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationModern Buffer Overflow Prevention Techniques: How they work and why they don t
Modern Buffer Overflow Prevention Techniques: How they work and why they don t Russ Osborn CS182 JT 4/13/2006 1 In the past 10 years, computer viruses have been a growing problem. In 1995, there were approximately
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationCNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated
CNIT 127: Exploit Development Ch 18: Source Code Auditing Updated 4-10-17 Why Audit Source Code? Best way to discover vulnerabilities Can be done with just source code and grep Specialized tools make it
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationSystem Administration and Network Security
System Administration and Network Security Master SSCI, M2P subject Duration: up to 3 hours. All answers should be justified. Clear and concise answers will be rewarded. 1 Network Administration To keep
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationShuntaint: Emulation-based Security Testing for Formal Verification
Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz ramosblc@gmail.com Abstract. This paper describes an emulated approach to collect traces of program states, in order to verify
More informationVerification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1
Verification and Validation Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1 Verification vs validation Verification: "Are we building the product right?. The software should
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationLecture 15 Software Testing
Lecture 15 Software Testing Includes slides from the companion website for Sommerville, Software Engineering, 10/e. Pearson Higher Education, 2016. All rights reserved. Used with permission. Topics covered
More informationLecture 9 Assertions and Error Handling CS240
Lecture 9 Assertions and Error Handling CS240 The C preprocessor The C compiler performs Macro expansion and directive handling Preprocessing directive lines, including file inclusion and conditional compilation,
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationVerification and Validation
Chapter 5 Verification and Validation Chapter Revision History Revision 0 Revision 1 Revision 2 Revision 3 Revision 4 original 94/03/23 by Fred Popowich modified 94/11/09 by Fred Popowich reorganization
More informationSummary: Issues / Open Questions:
Summary: The paper introduces Transitional Locking II (TL2), a Software Transactional Memory (STM) algorithm, which tries to overcomes most of the safety and performance issues of former STM implementations.
More informationEnhanced Debugging with Traces
Enhanced Debugging with Traces An essential technique used in emulator development is a useful addition to any programmer s toolbox. Peter Phillips Creating an emulator to run old programs is a difficult
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating
More informationIntroduction to Parallel Performance Engineering
Introduction to Parallel Performance Engineering Markus Geimer, Brian Wylie Jülich Supercomputing Centre (with content used with permission from tutorials by Bernd Mohr/JSC and Luiz DeRose/Cray) Performance:
More informationType Checking and Type Equality
Type Checking and Type Equality Type systems are the biggest point of variation across programming languages. Even languages that look similar are often greatly different when it comes to their type systems.
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationBoundless Memory Blocks
Boundless Memory Blocks Cristian Cadar Massachusetts Institute of Technology (now Stanford University) M. Rinard, D. Dumitran D. Roy, T. Leu Massachusetts Institute of Technology Annual Computer Security
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationLecture Notes on Arrays
Lecture Notes on Arrays 15-122: Principles of Imperative Computation July 2, 2013 1 Introduction So far we have seen how to process primitive data like integers in imperative programs. That is useful,
More informationDetermining the Fundamental Basis of Software Vulnerabilities. Larry Wagoner NSA
Determining the Fundamental Basis of Software Vulnerabilities Larry Wagoner NSA Agenda Background Analogous background Matt Bishop work CWEs Tool reporting of CWEs KDM Analytics Determining the fundamental
More informationCS2141 Software Development using C/C++ Debugging
CS2141 Software Development using C/C++ Debugging Debugging Tips Examine the most recent change Error likely in, or exposed by, code most recently added Developing code incrementally and testing along
More informationN-Variant SystemsA Secretless Framework for Security through. Diversity Cox et al.
N-Variant Systems A Secretless Framework for Security through Diversity Cox et al. The problem Software homogeneity makes the process of leveraging a known exploit easy. Some solutions Address space randomization
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Intruders & Attacks Cyber criminals Activists State-sponsored organizations Advanced Persistent
More informationAbstract. 1 Introduction
RAD A Compile-Time Solution to Buffer Overflow Attacks Advisee Fu-Hau Hsu Advisor Professor Tzi-Cker Chiueh Department of Computer Science State University of NewYork at Stony Brook Abstract This paper
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Contents Motivation and basics (Why and what?) IDS types and detection principles Key Data Problems
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationRisk Management. I.T. Mock Interview Correction
Risk Management I.T. Mock Interview Correction General I.T. Questions 1) A computer can only run binary code, whose human-readable version is assembly language. Any higher-level language is only an abstraction
More informationAppendix to The Health of Software Engineering Research
Appendix to The Health of Software Engineering Research David Lo School of Information Systems Singapore Management University Singapore davidlo@smu.edu.sg Nachiappan Nagappan and Thomas Zimmermann Research
More informationBuffer Overflow attack avoiding Signature free technique
Buffer Overflow attack avoiding Signature free technique Umesh Deshmukh Student of Comuter Engineering S.E.C.O.E.Kopargaon,A Nagar Maharastra,India Prof.P.N.Kalawadekar Department of Computer Engineering
More informationLow level security. Andrew Ruef
Low level security Andrew Ruef What s going on Stuff is getting hacked all the time We re writing tons of software Often with little regard to reliability let alone security The regulatory environment
More informationGlossary. abort. application schema
Glossary abort An abnormal termination of a transaction. When a transaction aborts, its changes to the database are erased, and the database is effectively restored to its state as of the moment the transaction
More informationSecurity Coding Module - Buffer Overflow Data Gone Wild CS1
Security Coding Module - Buffer Overflow Data Gone Wild CS1 Background Summary: Buffer overflow occurs when data is input or written beyond the allocated bounds of an buffer, array, or other object causing
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More informationProgramming Languages Third Edition. Chapter 7 Basic Semantics
Programming Languages Third Edition Chapter 7 Basic Semantics Objectives Understand attributes, binding, and semantic functions Understand declarations, blocks, and scope Learn how to construct a symbol
More information1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques
1 Bug Hunting Bug hunting is the process of finding bugs in software or hardware. In this book, however, the term bug hunting will be used specifically to describe the process of finding security-critical
More information18-642: Code Style for Compilers
18-642: Code Style for Compilers 9/25/2017 1 Anti-Patterns: Coding Style: Language Use Code compiles with warnings Warnings are turned off or over-ridden Insufficient warning level set Language safety
More informationSingularity Technical Report 1: Singularity Design Motivation
Singularity Technical Report 1: Singularity Design Motivation Galen C. Hunt James R. Larus December 17, 2004 MSR-TR-2004-105 Microsoft Research Microsoft Corporation One Microsoft Way Redmond, WA 98052
More information