Marx Uncovering Class Hierarchies in C++ Programs
|
|
- Damian Wilkins
- 6 years ago
- Views:
Transcription
1 Marx Uncovering Class Hierarchies in C++ Programs NDSS 2017, San Diego Andre Pawlowski, Moritz Contag, Victor van der Veen, Chris Ouwehand, Thorsten Holz, Herbert Bos, Elias Anthonasopoulos, Cristiano Giuffrida Ruhr-Universität Bochum Vrije Universiteit Amsterdam University of Cyprus
2 Introduction
3 Introduction We present Marx, a tool to extract class hierarchies from legacy binaries. This eases static analysis of C++ applications. We use the results for security-related use cases: 1. Control-Flow Integrity 2. Type-safe Object Reuse Marx Uncovering Class Hierarchies in C++ Programs 1
4 Motivation C++ applications are hard to analyze statically. Class inheritance. Objects allocated on the heap. Indirect function calls (polymorphism). Marx Uncovering Class Hierarchies in C++ Programs 2
5 Motivation C++ applications are hard to analyze statically. Class inheritance. Objects allocated on the heap. Indirect function calls (polymorphism). Solving these problems aids in the reverse engineering process. Exploit mitigations would profit from solutions to these problems. Counterfeit Object-oriented Programming. Fine-grained control over forward edge. Marx Uncovering Class Hierarchies in C++ Programs 2
6 Control-Flow Integrity
7 Control-Flow Integrity Code Function X new object A mov rdi, object call [[rdi] + offset] Marx Uncovering Class Hierarchies in C++ Programs 3
8 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Marx Uncovering Class Hierarchies in C++ Programs 3
9 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 3
10 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 3
11 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 3
12 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Marx Uncovering Class Hierarchies in C++ Programs 4
13 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 4
14 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 4
15 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 4
16 Approach
17 Approach Code High Level Function X mov rdi, object call [[rdi] + offset] Class A function_a1 function_a2 Class B function_b1 function_b2 Class C function_c1 function_c2 Source Code objectfunction_a1() Indirect function calls are prominent C++ artifacts on binary level. Marx Uncovering Class Hierarchies in C++ Programs 5
18 Approach Code High Level Function X mov rdi, object call [[rdi] + offset] Class A function_a1 function_a2 Class B function_b1 function_b2 Class C function_c1 function_c2 At high level, a class may inherit from another. Marx Uncovering Class Hierarchies in C++ Programs 5
19 Approach Code Memory Function X mov rdi, object call [[rdi] + offset] Class A function_a1 function_a2 X Class B function_b1 function_b2 Class C function_c1 function_c2 Inheritance relationships are not readily available in the binary. Marx Uncovering Class Hierarchies in C++ Programs 5
20 Approach Code Memory Function X mov rdi, object call [[rdi] + offset] vtable A function_a1 function_a2 X vtable B function_b1 function_b2 vtable C function_c1 function_c2 Classes are (loosely) represented by vtables instead. Marx Uncovering Class Hierarchies in C++ Programs 5
21 Approach Marx statically recovers the class hierarchy from an x86-64 binary (Itanium ABI). Represents class hierarchy as set of vtables. Ties set of vtables to indirect function call. Marx Uncovering Class Hierarchies in C++ Programs 6
22 Approach Marx statically recovers the class hierarchy from an x86-64 binary (Itanium ABI). Represents class hierarchy as set of vtables. Ties set of vtables to indirect function call. Analysis steps: 1. Identify vtables, 2. inspect their usages, 3. refine results using heuristics, 4. merge results across modules. Marx Uncovering Class Hierarchies in C++ Programs 6
23 Approach 1. Vtable Candidates
24 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... Marx Uncovering Class Hierarchies in C++ Programs 7
25 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... Marx Uncovering Class Hierarchies in C++ Programs 7
26 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... resides in readonly memory (e.g.,.rodata) Marx Uncovering Class Hierarchies in C++ Programs 7
27 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... only first function entry is referenced Marx Uncovering Class Hierarchies in C++ Programs 7
28 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... metadata fields are within defined range or 0 Marx Uncovering Class Hierarchies in C++ Programs 7
29 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... point into code section or are relocation entries Marx Uncovering Class Hierarchies in C++ Programs 7
30 Approach 2. Vtable Usages
31 Approach Overwrite Analysis Hierarchy A B Object Function X new object B call constructor B Constructor B call constructor A write vtblptr B return Code init. variable_1 Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
32 Approach Overwrite Analysis Hierarchy Object Code A B Object B vtblptr variable_1 Function X new object B call constructor B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
33 Approach Overwrite Analysis Hierarchy Object Code A B Object B vtblptr variable_1 Function X new object B call constructor B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
34 Approach Overwrite Analysis Hierarchy Object Code A B Object B vtblptr A variable_1 Function X new object B call constructor B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
35 Approach Overwrite Analysis Hierarchy Object Code A Object B vtblptr A variable_1 Function X new object B call constructor B B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
36 Approach Overwrite Analysis Hierarchy Object Code A Object B vtblptr A B variable_1 Function X new object B call constructor B B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
37 Approach Overwrite Analysis Hierarchy Object Code A Object B vtblptr B variable_1 Function X new object B call constructor B B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8
38 Approach Path Generation In a function, build paths visiting 1. indirect calls, 2. direct calls to new, and 3. instructions operating on vtables. Resolve indirect function calls for known vtables in current context. Follows calls with a call depth of 2. Marx Uncovering Class Hierarchies in C++ Programs 9
39 Approach 3. Vtable Heuristics
40 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Marx Uncovering Class Hierarchies in C++ Programs 10
41 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Marx Uncovering Class Hierarchies in C++ Programs 10
42 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Different pointer, yields no information Marx Uncovering Class Hierarchies in C++ Programs 10
43 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Same function entry, probably same hierarchy Marx Uncovering Class Hierarchies in C++ Programs 10
44 Approach 4. Inter-Modular Dependencies
45 Approach Inter-Modular Dependencies Applications may consist of several modules. Shared Library Application Marx Uncovering Class Hierarchies in C++ Programs 11
46 Approach Inter-Modular Dependencies Independent analysis yields, e. g., three distinct hierarchies. Shared Library D E F Application G J H I K L Marx Uncovering Class Hierarchies in C++ Programs 11
47 Approach Inter-Modular Dependencies Unless we merge results across modules, we underestimate the hierarchy. Shared Library D E F Application G J H I K L Marx Uncovering Class Hierarchies in C++ Programs 11
48 Evaluation
49 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 Marx Uncovering Class Hierarchies in C++ Programs 12
50 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 Marx Uncovering Class Hierarchies in C++ Programs 12
51 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 48 min analysis time on average for 5 real-world applications. Marx Uncovering Class Hierarchies in C++ Programs 12
52 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 Application Overestimated Underestimated Not Found MySQL Server 1 (1%) 7 (9%) 1 (1%) MongoDB 0 8 (5%) 13 (8%) Node.js 2 (3%) 2 (3%) 0 48 min analysis time on average for 5 real-world applications. Marx Uncovering Class Hierarchies in C++ Programs 12
53 Evaluation Binary Hardening Use MARX results to harden legacy binaries. Marx Uncovering Class Hierarchies in C++ Programs 13
54 Evaluation Binary Hardening Use MARX results to harden legacy binaries. Implemented and tested two applications: 1. Control-Flow Integrity binary-level Vtable Verification (VTV) 2. Type-safe Object Reuse binary-level Cling, bucketing by hierarchy Lack of precision of analysis? Marx Uncovering Class Hierarchies in C++ Programs 13
55 Evaluation Precision Type-safe Object Reuse allows imprecision, lowered security. Control-Flow Integrity may break applications. Marx Uncovering Class Hierarchies in C++ Programs 14
56 Evaluation Precision Type-safe Object Reuse allows imprecision, lowered security. Control-Flow Integrity may break applications. Enrich static results with dynamic analysis (unit tests). Fall-back to computationally intensive slow path (PathArmor). Marx Uncovering Class Hierarchies in C++ Programs 14
57 Evaluation Precision Type-safe Object Reuse allows imprecision, lowered security. Control-Flow Integrity may break applications. Enrich static results with dynamic analysis (unit tests). Fall-back to computationally intensive slow path (PathArmor). Please refer to the paper for further details. Marx Uncovering Class Hierarchies in C++ Programs 14
58 Conclusion
59 Limitations Approach is compiler-dependent, optimizations may break assumptions. Abstract base classes may not yield a vtable for us to discover. Marx Uncovering Class Hierarchies in C++ Programs 15
60 Limitations Approach is compiler-dependent, optimizations may break assumptions. Abstract base classes may not yield a vtable for us to discover. Analysis is prone to path explosion (inter/intra-procedural path generation). Marx Uncovering Class Hierarchies in C++ Programs 15
61 Limitations Approach is compiler-dependent, optimizations may break assumptions. Abstract base classes may not yield a vtable for us to discover. Analysis is prone to path explosion (inter/intra-procedural path generation). Applications building upon results have to tolerate imprecision. Marx Uncovering Class Hierarchies in C++ Programs 15
62 Conclusion Marx succeeds in recovering the majority of class hierarchies. Large, real-world applications. Promising results. Results are applicable to security-related use cases on the binary level. Our C++ open-source implementation based on libvex is available at Marx Uncovering Class Hierarchies in C++ Programs 16
63 Thank you for your attention. Marx Uncovering Class Hierarchies in C++ Programs 16
64 Conclusion Marx succeeds in recovering the majority of class hierarchies. Large, real-world applications. Promising results. Results are applicable to security-related use cases on the binary level. Our C++ open-source implementation based on libvex is available at Marx Uncovering Class Hierarchies in C++ Programs 17
SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin
SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität
More informationUndermining Information Hiding (And What to do About it)
Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating
More informationProgramming Languages
Programming Languages Dr. Michael Petter 13.02.2017 Exam First Name Surname Student ID Signature Fill out the fields above. Make use only of an indelible pen in black or blue color. Do not make use of
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationIt s a TRaP: Table Randomization and Protection against Function-Reuse Attacks
It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten
More informationType Confusion: Discovery, Abuse, Protection. Mathias
Type Confusion: Discovery, Abuse, Protection Mathias Payer, @gannimo http://hexhive.github.io Type confusion leads to RCE Attack surface is huge Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: glibc: Linux
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationCFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer
CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:
More informationDevirtualize Documentation
Devirtualize Documentation Release 0.1 Adam Schwalm January 25, 2017 Contents 1 The basics 1 1.1 Requirements............................................... 1 1.2 Installation................................................
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More informationTypeSan: Practical Type Confusion Detection
TypeSan: Practical Type Confusion Detection Hui Peng peng124@purdue.edu Istvan Haller istvan.haller@gmail.com Herbert Bos herbertb@few.vu.nl Yuseok Jeon jeon41@purdue.edu Mathias Payer mathias.payer@nebelwelt.net
More informationIt s a TRaP: Table Randomization and Protection against Function-Reuse Attacks
It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationPROCESS VIRTUAL MEMORY. CS124 Operating Systems Winter , Lecture 18
PROCESS VIRTUAL MEMORY CS124 Operating Systems Winter 2015-2016, Lecture 18 2 Programs and Memory Programs perform many interactions with memory Accessing variables stored at specific memory locations
More informationSubtyping (Dynamic Polymorphism)
Fall 2018 Subtyping (Dynamic Polymorphism) Yu Zhang Course web site: http://staff.ustc.edu.cn/~yuzhang/tpl References PFPL - Chapter 24 Structural Subtyping - Chapter 27 Inheritance TAPL (pdf) - Chapter
More informationStackVsHeap SPL/2010 SPL/20
StackVsHeap Objectives Memory management central shared resource in multiprocessing RTE memory models that are used in Java and C++ services for Java/C++ programmer from RTE (JVM / OS). Perspectives of
More informationMemory Corruption: Why Protection is Hard. Mathias Payer, Purdue University
Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for
More informationStorage in Programs. largest. address. address
Storage in rograms Almost all operand storage used by programs is provided by memory. Even though registers are more efficiently accessed by instructions, there are too few registers to hold the stored
More informationCompiler-Agnostic Function Detection in Binaries
Compiler-Agnostic Function Detection in Binaries Dennis Andriesse, Asia Slowinska, Herbert Bos Vrije Universiteit Amsterdam EuroS&P 2017 Introduction Disassembly in Systems Security Disassembly is the
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationRUHR-UNIVERSITÄT BOCHUM. Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs
RUHR-UNIVERSITÄT BOCHUM Horst Görtz Institute for IT Security Technical Report TR-HGI-2014-004 Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs Robert Gawlik and
More informationPatching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps
SESSION ID: EXP-R01 Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps James Lyne Global Head of Security Research Sophos / SANS Institute @jameslyne Stephen Sims Security Researcher
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationCPS 506 Comparative Programming Languages. Programming Language
CPS 506 Comparative Programming Languages Object-Oriented Oriented Programming Language Paradigm Introduction Topics Object-Oriented Programming Design Issues for Object-Oriented Oriented Languages Support
More informationENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks
ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow
More informationA Tough call: Mitigating Advanced Code-Reuse Attacks At The Binary Level
A Tough call: Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Göktaş, Moritz Contag, Andre Pawlowski, Xi Chen, Sanjay Rawat, Herbert Bos, Thorsten Holz, Elias Athanasopoulos,
More informationCSolve: Verifying C With Liquid Types
CSolve: Verifying C With Liquid Types Patrick Rondon, Alexander Bakst, Ming Kawaguchi, and Ranjit Jhala University of California, San Diego {prondon, abakst, mwookawa, jhala@cs.ucsd.edu Abstract. We present
More informationBack To The Epilogue
Back To The Epilogue How to Evade Windows' Control Flow Guard with Less than 16 Bytes Andrea Biondo * Prof. Mauro Conti Daniele Lain * SPRITZ Group University of Padua, IT GOALS - Return to function epilogue
More informationMemory Management Basics
Memory Management Basics 1 Basic Memory Management Concepts Address spaces! Physical address space The address space supported by the hardware Ø Starting at address 0, going to address MAX sys! MAX sys!!
More informationFormal Verication of C++ Object Construction and Destruction
Formal Verication of C++ Object Construction and Destruction Tahina Ramananandro 1 1 INRIA Paris-Rocquencourt November 18th, 2011 Ramananandro (INRIA) Formal verif. of C++ object constr. and destr.november
More informationRUHR-UNIVERSITÄT BOCHUM. Probfuscation: An Obfuscation Approach using Probabilistic Control Flows
RUHR-UNIVERSITÄT BOCHUM Horst Görtz Institute for IT Security Technical Report TR-HGI-2016-002 Probfuscation: An Obfuscation Approach using Probabilistic Control Flows Andre Pawlowski, Moritz Contag, Thorsten
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationInheritance (Chapter 7)
Inheritance (Chapter 7) Prof. Dr. Wolfgang Pree Department of Computer Science University of Salzburg cs.uni-salzburg.at Inheritance the soup of the day?! Inheritance combines three aspects: inheritance
More informationHeapHopper. Bringing Bounded Model Checking to Heap Implementation Security
HeapHopper Bringing Bounded Model Checking to Heap Implementation Security Moritz Eckert*, Antonio Bianchi*, Ruoyu Wang*, Yan Shoshitaishvili, Christopher Kruegel*, and Giovanni Vigna* *University of California,
More informationRun-Time Environments/Garbage Collection
Run-Time Environments/Garbage Collection Department of Computer Science, Faculty of ICT January 5, 2014 Introduction Compilers need to be aware of the run-time environment in which their compiled programs
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationGuarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University
Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University http://hexhive.github.io 1 Vulnerabilities everywhere? 2 Common Languages: TIOBE 18 Jul 2018 Jul 2017 Change Language 1
More informationSubversive-C: Abusing and Protecting Dynamic Message Dispatch
Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz
More information2. Reachability in garbage collection is just an approximation of garbage.
symbol tables were on the first exam of this particular year's exam. We did not discuss register allocation in this This exam has questions from previous CISC 471/672. particular year. Not all questions
More informationOverview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading
HOW C++ WORKS Overview Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading Motivation There are lot of myths about C++
More informationClass Inheritance and OLE Integration (Formerly the Common Object Model)
TM Class Inheritance and OLE Integration (Formerly the Common Object Model) Technical Overview Shawn Woods, Mike Vogl, and John Parodi August 1995 Digital Equipment Corporation Introduction This paper
More informationOverview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading
How C++ Works 1 Overview Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading Motivation There are lot of myths about C++
More informationCSE 504: Compiler Design. Runtime Environments
Runtime Environments Pradipta De pradipta.de@sunykorea.ac.kr Current Topic Procedure Abstractions Mechanisms to manage procedures and procedure calls from compiler s perspective Runtime Environment Choices
More informationVirtual Memory. Today. Segmentation Paging A good, if common example
Virtual Memory Today Segmentation Paging A good, if common example Virtual memory system Goals Transparency Programs should not know that memory is virtualized; the OS +HW multiplex memory among processes
More informationToday: Segmentation. Last Class: Paging. Costs of Using The TLB. The Translation Look-aside Buffer (TLB)
Last Class: Paging Process generates virtual addresses from 0 to Max. OS divides the process onto pages; manages a page table for every process; and manages the pages in memory Hardware maps from virtual
More informationThis Unit: Main Memory. Virtual Memory. Virtual Memory. Other Uses of Virtual Memory
This Unit: Virtual Application OS Compiler Firmware I/O Digital Circuits Gates & Transistors hierarchy review DRAM technology A few more transistors Organization: two level addressing Building a memory
More informationStrict Virtual Call Integrity Checking for C++ Binaries
Strict Virtual Call Integrity Checking for C++ Binaries Mohamed Elsabagh melsabag@gmu.edu Dan Fleck dfleck@gmu.edu Department of Computer Science George Mason University Fairfax, VA 22030, USA Angelos
More informationTopics on Compilers Spring Semester Christine Wagner 2011/04/13
Topics on Compilers Spring Semester 2011 Christine Wagner 2011/04/13 Availability of multicore processors Parallelization of sequential programs for performance improvement Manual code parallelization:
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationQPSI. Qualcomm Technologies Countermeasures Update
QPSI Qualcomm Technologies Countermeasures Update 1 Introduction Sometime back in 2010 Let s have exploit countermeasures on our products Why? Hard to fix all bugs. We might as well make them more fun
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationJonathan Afek, 1/8/07, BlackHat USA
Dangling Pointer Jonathan Afek, 1/8/07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 2 What is a Dangling Pointer?
More informationCSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1
CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Winter 2008 3/11/2008 2002-08 Hal Perkins & UW CSE V-1 Agenda Java virtual machine architecture.class files Class loading Execution engines
More informationCMPSC 497 Other Memory Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationC++ Programming: Polymorphism
C++ Programming: Polymorphism 2018 년도 2 학기 Instructor: Young-guk Ha Dept. of Computer Science & Engineering Contents Run-time binding in C++ Abstract base classes Run-time type identification 2 Function
More informationInference of Memory Bounds
Research Review 2017 Will Klieber, software security researcher Joint work with Will Snavely public release and unlimited distribution. 1 Copyright 2017 Carnegie Mellon University. All Rights Reserved.
More informationPharos Static Analysis Framework
Pharos Static Analysis Framework Cory F. Cohen Senior Malware Analysis Researcher cfc@cert.org [DISTRIBUTION 2017 Carnegie Mellon STATEMENT University A] This 1 [DISTRIBUTION release and unlimited STATEMENT
More informationDedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
2016 IEEE Symposium on Security and Privacy Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman Vrije Universiteit Amsterdam erik@minemu.org Kaveh Razavi Vrije Universiteit
More informationHorizon 2020 Program ( ) Deliverable D4.1: Requirements of the SHARCS Runtime System, Software Tools and Reporting
Horizon 2020 Program (2014-2020) Cybersecurity, Trustworthy ICT Research & Innovation Actions Security-by-design for end-to-end security ICT 32-2014 Secure Hardware-Software Architectures for Robust Computing
More informationHacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh
More informationThe Java Language Implementation
CS 242 2012 The Java Language Implementation Reading Chapter 13, sections 13.4 and 13.5 Optimizing Dynamically-Typed Object-Oriented Languages With Polymorphic Inline Caches, pages 1 5. Outline Java virtual
More informationFrequently asked questions from the previous class survey
CS 370: OPERATING SYSTEMS [MEMORY MANAGEMENT] Shrideep Pallickara Computer Science Colorado State University L20.1 Frequently asked questions from the previous class survey Virtual addresses L20.2 SLIDES
More informationOperating Systems and Computer Networks. Memory Management. Dr.-Ing. Pascal A. Klein
Operating Systems and Computer Networks Memory Management pascal.klein@uni-due.de Alexander Maxeiner, M.Sc. Faculty of Engineering Agenda 1 Swapping 2 Segmentation Algorithms 3 Memory Allocation 4 Virtual
More informationInterprocedural Analysis with Data-Dependent Calls. Circularity dilemma. A solution: optimistic iterative analysis. Example
Interprocedural Analysis with Data-Dependent Calls Circularity dilemma In languages with function pointers, first-class functions, or dynamically dispatched messages, callee(s) at call site depend on data
More informationCS6303 Computer Architecture Regulation 2013 BE-Computer Science and Engineering III semester 2 MARKS
CS6303 Computer Architecture Regulation 2013 BE-Computer Science and Engineering III semester 2 MARKS UNIT-I OVERVIEW & INSTRUCTIONS 1. What are the eight great ideas in computer architecture? The eight
More informationManaged. Code Rootkits. Hooking. into Runtime. Environments. Erez Metula ELSEVIER. Syngress is an imprint of Elsevier SYNGRESS
Managed Code Rootkits Hooking into Runtime Environments Erez Metula ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEWYORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Syngress is an imprint
More informationLecture Notes on Advanced Garbage Collection
Lecture Notes on Advanced Garbage Collection 15-411: Compiler Design André Platzer Lecture 21 November 4, 2010 1 Introduction More information on garbage collection can be found in [App98, Ch 13.5-13.7]
More informationReturn-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim Page 1 Motivation (1) Operating systems separate system
More information08 A: Sorting III. CS1102S: Data Structures and Algorithms. Martin Henz. March 10, Generated on Tuesday 9 th March, 2010, 09:58
08 A: Sorting III CS1102S: Data Structures and Algorithms Martin Henz March 10, 2010 Generated on Tuesday 9 th March, 2010, 09:58 CS1102S: Data Structures and Algorithms 08 A: Sorting III 1 1 Recap: Sorting
More informationAgenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1
Agenda CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Summer 2004 Java virtual machine architecture.class files Class loading Execution engines Interpreters & JITs various strategies
More informationVirtual Memory 1. To do. q Segmentation q Paging q A hybrid system
Virtual Memory 1 To do q Segmentation q Paging q A hybrid system Address spaces and multiple processes IBM OS/360 Split memory in n parts (possible!= sizes) A process per partition Program Code Heap Operating
More informationParalleX. A Cure for Scaling Impaired Parallel Applications. Hartmut Kaiser
ParalleX A Cure for Scaling Impaired Parallel Applications Hartmut Kaiser (hkaiser@cct.lsu.edu) 2 Tianhe-1A 2.566 Petaflops Rmax Heterogeneous Architecture: 14,336 Intel Xeon CPUs 7,168 Nvidia Tesla M2050
More informationDefeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)
Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science
More informationInheritance, Polymorphism and the Object Memory Model
Inheritance, Polymorphism and the Object Memory Model 1 how objects are stored in memory at runtime? compiler - operations such as access to a member of an object are compiled runtime - implementation
More informationCS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017
CS 471 Operating Systems Yue Cheng George Mason University Fall 2017 Review: Segmentation 2 Virtual Memory Accesses o Approaches: Static Relocation Dynamic Relocation Base Base-and-Bounds Segmentation
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationUnderstand the factors involved in instruction set
A Closer Look at Instruction Set Architectures Objectives Understand the factors involved in instruction set architecture design. Look at different instruction formats, operand types, and memory access
More informationOutline STRANGER. Background
Outline Malicious Code Analysis II : An Automata-based String Analysis Tool for PHP 1 Mitchell Adair 2 November 28 th, 2011 Outline 1 2 Credit: [: An Automata-based String Analysis Tool for PHP] Background
More information12: Memory Management
12: Memory Management Mark Handley Address Binding Program goes through multiple steps from compilation to execution. At some stage, addresses in the program must be bound to physical memory addresses:
More informationHigh-Level Language VMs
High-Level Language VMs Outline Motivation What is the need for HLL VMs? How are these different from System or Process VMs? Approach to HLL VMs Evolutionary history Pascal P-code Object oriented HLL VMs
More information17/05/2018. Outline. Outline. Divide and Conquer. Control Abstraction for Divide &Conquer. Outline. Module 2: Divide and Conquer
Module 2: Divide and Conquer Divide and Conquer Control Abstraction for Divide &Conquer 1 Recurrence equation for Divide and Conquer: If the size of problem p is n and the sizes of the k sub problems are
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More informationMalicious Code Analysis II
Malicious Code Analysis II STRANGER: An Automata-based String Analysis Tool for PHP Mitchell Adair November 28 th, 2011 Outline 1 STRANGER 2 Outline 1 STRANGER 2 STRANGER Credit: [STRANGER: An Automata-based
More informationVUzzer: Application-Aware Evolutionary Fuzzing
VUzzer: Application-Aware Evolutionary Fuzzing Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cocojar, Cristiano Giuffrida, Herbert Bos (Presenter: Dennis Andriesse ) Vrije Universiteit Amsterdam IIIT
More informationPointers II. Class 31
Pointers II Class 31 Compile Time all of the variables we have seen so far have been declared at compile time they are written into the program code you can see by looking at the program how many variables
More informationGeneral Objective:To understand the basic memory management of operating system. Specific Objectives: At the end of the unit you should be able to:
F2007/Unit6/1 UNIT 6 OBJECTIVES General Objective:To understand the basic memory management of operating system Specific Objectives: At the end of the unit you should be able to: define the memory management
More informationWhen less is more. G. Ramalingam Microsoft Research India
When less is more G. Ramalingam Microsoft Research India The Dark Side of Programming Common scenario huge existing legacy code base building on top of existing code transforming existing code integrating
More informationSingularity Reviewed an Operating System Challenging Common Concepts
an Operating System Challenging Common Concepts by Lothar Schäfer lothar.schaefer@sbg.ac.at Overview Singularity is a research operating system at Microsoft Research. The project started in 2003 and is
More informationInterprocedural Analysis with Data-Dependent Calls. Circularity dilemma. A solution: optimistic iterative analysis. Example
Interprocedural Analysis with Data-Dependent Calls Circularity dilemma In languages with function pointers, first-class functions, or dynamically dispatched messages, callee(s) at call site depend on data
More informationDynamic Dispatch and Duck Typing. L25: Modern Compiler Design
Dynamic Dispatch and Duck Typing L25: Modern Compiler Design Late Binding Static dispatch (e.g. C function calls) are jumps to specific addresses Object-oriented languages decouple method name from method
More informationShrinkWrap: VTable protection without loose ends
ShrinkWrap: VTable protection without loose ends Istvan Haller Vrije Universiteit Amsterdam i.haller@student.vu.nl ABSTRACT Georgios Portokalidis Stevens Institute of Technology gportoka@stevens.edu As
More informationCYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge
CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge Instructor: Dr. Kun Sun This lecture: [Seacord]: Chapter 3 Readings 2 Outline Secure Coding Topics String management
More information