SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin
|
|
- George Lindsey
- 6 years ago
- Views:
Transcription
1 SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität München December 16, 2016 Alexander Hefele SafeDispatch December 16, / 17
2 Outline 1 Introduction 2 SafeDispatch Class Hierarchy Analysis Method Checking Instrumentation Optimizations 3 Alternatives 4 Evaluation 5 Security implications 6 Related work Alexander Hefele SafeDispatch December 16, / 17
3 Introduction Real World Exploits Most applications are written in C++, not in pure C C++ has more features that are exploitable Not many defense methods available Exploits nowadays focus on these vulnerabilities Alexander Hefele SafeDispatch December 16, / 17
4 Introduction Dynamic Dispatch in C++ Implemented with vtables First word of C++ object with virtual methods is pointer to its vtable Vtables store one function pointer for each virtual method vtab ptr attr 1... attr n vptr 1 vptr 2... vptr m Alexander Hefele SafeDispatch December 16, / 17
5 Introduction Vtable hijacking Can be triggered by many different programming errors Use-after-free Buffer overflow (stack and heap) Type confusion attacks Manipulate vtable pointer Let it point to the vtable of some other object Or even create own vtable Hijack control flow whenever object calls one of its virtual methods Execute existing methods Of other objects In arbitrary order With different parameters Very powerful exploitation technique Alexander Hefele SafeDispatch December 16, / 17
6 Vtable hijacking example 1 c l a s s S h e l l { 2 p u b l i c : v i r t u a l s t r i n g run ( s t r i n g cmd) {... } 3 } 4 c l a s s Window { 5 p u b l i c : v i r t u a l v o i d d i s p l a y ( s t r i n g s ) {... } 6 } 7 c l a s s MobileWin : p u b l i c Window { 8 p u b l i c : v i r t u a l v o i d d i s p l a y ( s t r i n g s ) {... } 9 } 10 v o i d t a b _ r e q u e s t _ h a n d l e r _ l o o p ( v o i d ) { 11 S h e l l sh = NULL ; 12 Window win = SMALL_SCREEN? new MobileWin ( ) : new Window ( ) ; 13 w h i l e (TRUE) { 14 TabRequest r = recv_tab_request ( ) ; 15 s w i t c h ( r. k i n d ) { 16 c a s e GET_DATE: 17 i f ( sh == NULL) 18 sh = new S h e l l ( ) ; 19 s t r i n g d = sh >run ( " d a t e " ) ; 20 send_tab_response ( r. originating_ tab, d ) ; 21 break ; 22 c a s e DISPLAY_ALERT : 23 win >d i s p l a y ( r. msg ) ; 24 break ; 25 c a s e GET_HTML: d e l e t e win ; // a c c i d e n t a l d e l e t e, win p t r now d a n g l i n g break ; 30 } 31 } 32 } Alexander Hefele SafeDispatch December 16, / 17
7 Introduction Existing vtable hijacking defenses Either incomplete or don t specifically take advantage of the C++ type system Reference counting is not sufficient Control flow integrity based methods are inefficient Solution: SafeDispatch Check integrity of virtual method calls Compare runtime method implementation with static type of the object Insert checking code at every virtual method call Alexander Hefele SafeDispatch December 16, / 17
8 SafeDispatch Class Hierarchy Analysis (CHA) General idea Compile-time analysis of class hierarchy Compute mapping from each class and virtual method to the set of valid method implementations Example: Alexander Hefele SafeDispatch December 16, / 17
9 SafeDispatch Class Hierarchy Analysis (CHA) Downsides Increases compile time Always overestimates the set of valid method implementations Requires all code to be available at compile time Alexander Hefele SafeDispatch December 16, / 17
10 SafeDispatch Method Checking Instrumentation Overview Call special check-function before every virtual method call check-function ensures that virtual method is in set computed by the CHA Data Structures Array of sets Every element of array corresponds to one class and one method Sets are unordered arrays of valid pointers to method addresses check-call requires array lookup and linear search Average set size is very small (1.44) Alexander Hefele SafeDispatch December 16, / 17
11 SafeDispatch Optimizations Partially inline check-function calls based on profiling information Run program with one input and measure method calls Inline most frequent method calls in order of frequency Devirtualization Possible if there is only one single valid method implementation Completely replace the vtable lookup for that method Low-level optimizations to improve branch prediction Don t call superclass method, but the method of the child class Set up the call arguments before the check which method to take to prevent code duplication Alexander Hefele SafeDispatch December 16, / 17
12 Alternatives Background: the this-pointer Needed for multiple inheritance Offset of data fields of each inherited class is stored in vtable Not protected by our previous approach Vtable checking Verify vtable pointer instead of function pointer at each method call Basis: modified CHA Replace check-function by vt_check-function Called before method implementation lookup Consequences Higher security guarantee than method checking Higher runtime overhead Number of valid vtables number of valid method implementations Alexander Hefele SafeDispatch December 16, / 17
13 Alternatives Background: Method pointers 1 c l a s s A { p u b l i c : v i r t u a l v o i d f o o ( i n t ) {... } } 2 c l a s s B : A { p u b l i c : v i r t u a l v o i d f o o ( i n t ) {... } } 3 4 v o i d (A : : f ) ( i n t ) = &A : : f o o ; 5 A a = new A( ) ; 6 ( a > f ) ( 5 ) ; 7 a = new B( ) ; 8 ( a > f ) ( 5 ) ; Method pointers store vtable index instead of concrete address Method pointer protection Very expensive with method checking approach With vtable checking: simply add condition that index is in range Hybrid approach Method checking at traditional call sites Vtable checking at method pointer call sites Alexander Hefele SafeDispatch December 16, / 17
14 Evaluation Testing Conditions Target: Google Chromium Benchmarks: JavaScript and HTML performance suits Runtime Overhead: 2.1% for the hybrid approach Memory Overhead: 7% for the hybrid approach Alexander Hefele SafeDispatch December 16, / 17
15 Security implications Guarantees Every virtual method call invokes a valid implementation of that method Cannot accidentally be nullified by a programming error Protection against all vtable hijacking attacks Protection against accidental illegal typecasts by the programmer SafeDispatch is always safe to apply Limitations Attacker could still invoke a method implementation of a child class Does not prevent corrupting arbitrary function pointer values Dynamically loaded libraries (not compiled with SafeDispatch) are not protected Requires CHA on the entire program Security tradeoff for using method checking over vtable checking Alexander Hefele SafeDispatch December 16, / 17
16 Related work Other protection mechanisms Reference counting Only protects use-after-free errors Reference counts are also stored on the heap Control Flow Integrity Encompasses more than just dynamic dispatch Generally has higher overhead GCC VTV Only uses vtable checking instead of method checking Supports separate compilation Alexander Hefele SafeDispatch December 16, / 17
17 Thank you for your attention! Questions? Source: Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin. SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks. In NDSS, Alexander Hefele SafeDispatch December 16, / 17
Dongseok Jang Zachary Tatlock. UC San Diego Washington
Dongseok Jang Zachary Tatlock UC San Diego University of Washington Sorin Lerner UC San Diego e l b a r e n l Vu Control Flow Hijacking Lead Program to Jump to Unexpected Code That does what a7acker wants
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationQUIZ. Write the following for the class Bar: Default constructor Constructor Copy-constructor Overloaded assignment oper. Is a destructor needed?
QUIZ Write the following for the class Bar: Default constructor Constructor Copy-constructor Overloaded assignment oper. Is a destructor needed? Or Foo(x), depending on how we want the initialization
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationCSE 504: Compiler Design. Runtime Environments
Runtime Environments Pradipta De pradipta.de@sunykorea.ac.kr Current Topic Procedure Abstractions Mechanisms to manage procedures and procedure calls from compiler s perspective Runtime Environment Choices
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationCS-527 Software Security
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal
More informationTerm Paper. Daniel Sarnow. Interface-based Programming in C++ Fakultät Technik und Informatik Studiendepartment Informatik
Term Paper Daniel Sarnow Interface-based Programming in C++ Fakultät Technik und Informatik Studiendepartment Informatik Faculty of Engineering and Computer Science Department of Computer Science Daniel
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationSubversive-C: Abusing and Protecting Dynamic Message Dispatch
Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz
More informationCS527 Software Security
Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and
More informationLecture 9 Dynamic Compilation
Lecture 9 Dynamic Compilation I. Motivation & Background II. Overview III. Compilation Policy IV. Partial Method Compilation V. Partial Dead Code Elimination VI. Escape Analysis VII. Results Partial Method
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationWeek 7. Statically-typed OO languages: C++ Closer look at subtyping
C++ & Subtyping Week 7 Statically-typed OO languages: C++ Closer look at subtyping Why talk about C++? C++ is an OO extension of C Efficiency and flexibility from C OO program organization from Simula
More informationAdvanced Systems Security: New Threats
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More informationDynamic Dispatch and Duck Typing. L25: Modern Compiler Design
Dynamic Dispatch and Duck Typing L25: Modern Compiler Design Late Binding Static dispatch (e.g. C function calls) are jumps to specific addresses Object-oriented languages decouple method name from method
More informationProtecting C++ Dynamic Dispatch Through VTable Interleaving
Protecting C++ Dynamic Dispatch Through VTable Interleaving Dimitar Bounov Computer Science and Engineering University of California, San Diego dbounov@cs.ucsd.edu Rami Gökhan Kıcı Computer Science and
More informationThe Java Language Implementation
CS 242 2012 The Java Language Implementation Reading Chapter 13, sections 13.4 and 13.5 Optimizing Dynamically-Typed Object-Oriented Languages With Polymorphic Inline Caches, pages 1 5. Outline Java virtual
More informationC++ Yanyan SHEN. slide 1
C++ Yanyan SHEN slide 1 History C++ is an object-oriented extension of C Designed by Bjarne Stroustrup at Bell Labs His original interest at Bell Labs was research on simulation Early extensions to C are
More informationLecture 15: Even more pointer stuff Virtual function table
CIS 330: / / / / (_) / / / / _/_/ / / / / / \/ / /_/ / `/ \/ / / / _/_// / / / / /_ / /_/ / / / / /> < / /_/ / / / / /_/ / / / /_/ / / / / / \ /_/ /_/_/_/ _ \,_/_/ /_/\,_/ \ /_/ \ //_/ /_/ Lecture 15:
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationBouncer: Securing Software by Blocking Bad Input
Bouncer: Securing Software by Blocking Bad Input Sathish Kuppuswamy & Yufei Fu Department of computer Science University of Texas at Dallas March 21 st, 2012 Outline Bouncer Existing Techniques Bouncer
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationCSE409, Rob Johnson, Alin Tomescu, November 11 th, 2011 Buffer overflow defenses
Buffer overflow defenses There are two categories of buffer-overflow defenses: - Make it hard for the attacker to exploit buffer overflow o Address space layout randomization o Model checking to catch
More informationSecuring Applications in C/C++
Securing Applications in C/C++ Application Security Training Datasheet Security Compass 2012. Application Security Training Datasheet. Securing Applications in C/C++ 1 It has long been discussed that identifying
More informationAn Evil Copy: How the Loader Betrays You
An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3, Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Page 1 Problem: A Motivating Example // main.c
More informationInheritance, Polymorphism and the Object Memory Model
Inheritance, Polymorphism and the Object Memory Model 1 how objects are stored in memory at runtime? compiler - operations such as access to a member of an object are compiled runtime - implementation
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationThwarting unknown bugs: hardening features in the mainline Linux kernel
Thwarting unknown bugs: hardening features in the mainline Linux kernel Mark Rutland ARM Ltd Embedded Linux Conference Europe 2016 October 11, 2016 ARM 2016 2 ARM 2016 What s the
More informationStack Overflow. Faculty Workshop on Cyber Security May 23, 2012
Stack Overflow Faculty Workshop on Cyber Security May 23, 2012 Goals Learn to hack into computer systems using buffer overflow Steal sensitive data Crash computer programs Lay waste to systems throughout
More informationCS558 Programming Languages Winter 2013 Lecture 8
OBJECT-ORIENTED PROGRAMMING CS558 Programming Languages Winter 2013 Lecture 8 Object-oriented programs are structured in terms of objects: collections of variables ( fields ) and functions ( methods ).
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationType Confusion: Discovery, Abuse, Protection. Mathias
Type Confusion: Discovery, Abuse, Protection Mathias Payer, @gannimo http://hexhive.github.io Type confusion leads to RCE Attack surface is huge Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: glibc: Linux
More informationBypassing AddressSanitizer
Abstract Bypassing AddressSanitizer Eric Wimberley September 5, 2013 This paper evaluates AddressSanitizer as a next generation memory corruption prevention framework. It provides demonstrable tests of
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationIt s a TRaP: Table Randomization and Protection against Function-Reuse Attacks
It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten
More informationCS161 Midterm 1 Review
CS161 Midterm 1 Review Midterm 1: March 4, 18:3020:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about
More informationBuffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, 2011. 1 Introduction to the topic
More informationC++ Crash Kurs. Polymorphism. Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck
C++ Crash Kurs Polymorphism Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.itm.uni-luebeck.de/people/pfisterer C++ Polymorphism Major abstractions of C++ Data abstraction
More informationSoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14
SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationsecubt Hacking the Hackers with User Space Virtualization
secubt Hacking the Hackers with User Space Virtualization Mathias Payer Mathias Payer: secubt User Space Virtualization 1 Motivation Virtualizing and encapsulating running programs
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationShort Notes of CS201
#includes: Short Notes of CS201 The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with < and > if the file is a system
More informationHistory C++ Design Goals. How successful? Significant constraints. Overview of C++
1 CS 242 History C++ John Mitchell C++ is an object-oriented extension of C C was designed by Dennis Ritchie at Bell Labs used to write Unix based on BCPL C++ designed by Bjarne Stroustrup at Bell Labs
More informationGet the (Spider)monkey off your back
Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free
More informationCS201 - Introduction to Programming Glossary By
CS201 - Introduction to Programming Glossary By #include : The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationOverview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading
How C++ Works 1 Overview Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading Motivation There are lot of myths about C++
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationPredicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning
Fakultät für Informatik Technische Universität München 26th USENIX Security Symposium Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning Sebastian Banescu
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationWhat is Polymorphism? Quotes from Deitel & Deitel s. Why polymorphism? How? How? Polymorphism Part 1
Polymorphism Part 1 What is Polymorphism? Polymorphism refers to a programming language s ability to process objects differently depending on their data type or class. Number person real complex kid adult
More informationBoundless Memory Blocks
Boundless Memory Blocks Cristian Cadar Massachusetts Institute of Technology (now Stanford University) M. Rinard, D. Dumitran D. Roy, T. Leu Massachusetts Institute of Technology Annual Computer Security
More informationCpt S 122 Data Structures. Course Review Midterm Exam # 2
Cpt S 122 Data Structures Course Review Midterm Exam # 2 Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Midterm Exam 2 When: Monday (11/05) 12:10 pm -1pm
More informationBrowser Security Guarantees through Formal Shim Verification
Browser Security Guarantees through Formal Shim Verification Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable:
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks
ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow
More informationCMPSC 497 Other Memory Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory
More informationPolymorphism Part 1 1
Polymorphism Part 1 1 What is Polymorphism? Polymorphism refers to a programming language s ability to process objects differently depending on their data type or class. Number person real complex kid
More informationMemory Corruption Vulnerabilities, Part II
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows
More informationSyed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut
CSE 5095 & ECE 6095 Spring 2016 Instructor Marten van Dijk System Security Lecture 1 Buffer Overflows Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut Email:
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationChapter 13: Indexing. Chapter 13. ? value. Topics. Indexing & Hashing. value. Conventional indexes B-trees Hashing schemes (self-study) record
Chapter 13: Indexing (Slides by Hector Garcia-Molina, http://wwwdb.stanford.edu/~hector/cs245/notes.htm) Chapter 13 1 Chapter 13 Indexing & Hashing value record? value Chapter 13 2 Topics Conventional
More informationIronclad C++ A Library-Augmented Type-Safe Subset of C++
Ironclad C++ A Library-Augmented Type-Safe Subset of C++ Christian DeLozier, Richard Eisenberg, Peter-Michael Osera, Santosh Nagarakatte*, Milo M. K. Martin, and Steve Zdancewic October 30, 2013 University
More informationMarx Uncovering Class Hierarchies in C++ Programs
Marx Uncovering Class Hierarchies in C++ Programs NDSS 2017, San Diego Andre Pawlowski, Moritz Contag, Victor van der Veen, Chris Ouwehand, Thorsten Holz, Herbert Bos, Elias Anthonasopoulos, Cristiano
More informationCSc 453 Interpreters & Interpretation
CSc 453 Interpreters & Interpretation Saumya Debray The University of Arizona Tucson Interpreters An interpreter is a program that executes another program. An interpreter implements a virtual machine,
More informationBlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA
BlackBox Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA Why Security Monitoring?
More informationCode Injection Attacks Buffer Overflows
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 System Security Lecture 1 Code Injection Attacks Buffer Overflows Based on and extracted from Nickolai Zeldovitch, Computer System Security, course material at
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationDEVIRTUALIZATION IN LLVM
DEVIRTUALIZATION IN LLVM Piotr Padlewski piotr.padlewski@gmail.com University of Warsaw IIIT @PiotrPadlewski CURRENT DEVIRTUALIZATION IN THE FRONTEND struct A { ; virtual void foo(); void f() { A a; a.foo();
More informationBuffer Overflow Attacks
Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationDynamic Race Detection with LLVM Compiler
Dynamic Race Detection with LLVM Compiler Compile-time instrumentation for ThreadSanitizer Konstantin Serebryany, Alexander Potapenko, Timur Iskhodzhanov, and Dmitriy Vyukov OOO Google, 7 Balchug st.,
More informationHexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer
HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer Motivation C++ is a popular programming language Google Chrome, Firefox,
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationCFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer
CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:
More informationOS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2
OS COMPONENTS OVERVIEW OF UNIX FILE I/O CS124 Operating Systems Fall 2017-2018, Lecture 2 2 Operating System Components (1) Common components of operating systems: Users: Want to solve problems by using
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationTowards an EA View Template Marketplace
Towards an EA View Template Marketplace 29.06.2016, Prof. Dr. Florian Matthes Software Engineering für betriebliche Informationssysteme (sebis) Fakultät für Informatik Technische Universität München wwwmatthes.in.tum.de
More informationEmbedded/Connected Device Secure Coding. 4-Day Course Syllabus
Embedded/Connected Device Secure Coding 4-Day Course Syllabus Embedded/Connected Device Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted
More informationSubtyping (Dynamic Polymorphism)
Fall 2018 Subtyping (Dynamic Polymorphism) Yu Zhang Course web site: http://staff.ustc.edu.cn/~yuzhang/tpl References PFPL - Chapter 24 Structural Subtyping - Chapter 27 Inheritance TAPL (pdf) - Chapter
More informationCSE351 Winter 2016, Final Examination March 16, 2016
CSE351 Winter 2016, Final Examination March 16, 2016 Please do not turn the page until 2:30. Rules: The exam is closed-book, closed-note, etc. Please stop promptly at 4:20. There are 125 (not 100) points,
More information