Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher
1 17th May 2017, ICRI-SC Retreat, Darmstadt, Germany. Can Systems ever be Protected against Run-time Attacks? Lucas Davi, University of Duisburg-Essen, Germany, ICRI-SC Associated Researcher
2-7 Motivation
App A, App B, App M: exploit bugs, inject malicious code
Large attack surface for remote malware attacks and software exploits on embedded systems [Costin et al., USENIX Security 2014 and Chen et al., NDSS 2016]
8-18 Classification
Control-Flow Attack [AlephOne, Phrack 1996] [Shacham, CCS 2007]: corrupt code pointer
Non-Control-Data Attack [Chen et al., USENIX Sec. 2005] [Carlini et al., USENIX Sec. 2015]: corrupt data pointer/variable
Figure (both attacks): control-flow graph of basic blocks A, B, C, D, E, F, where a basic block consists of ENTRY, asm_ins, EXIT; X: inject malicious code; DEP; switch(opmode) with case recovery: C, case op1: D, case op2: E,F
Legend: Adversary, Memory write, Program flow
19-26 Main Defense Techniques
(Fine-grained) Code Randomization [Cohen 1993 & Larsen et al., SoK IEEE S&P 2014]: blocks A B C E D F in memory become D A E F B C in memory (randomized)
Control-Flow Integrity (CFI) [Abadi et al., CCS 2005 & TISSEC 2009]: blocks A to F carry the labels Label_1 to Label_6; check shown on the slide: Exit(B) == Label_5
27-32 Our Research on Return-Oriented Programming Attacks
Jump-Oriented Programming, with Checkoway et al., CCS 2010
Just-in-time Code Reuse, with Snow et al., IEEE S&P 2013
Stitching Gadgets, Davi et al., USENIX Sec
COOP, with Schuster et al., IEEE S&P 2015
Losing Control, with Conti et al., CCS 2015
Callouts: Undermines Shadow Stacks; Attacks against Microsoft EMET; Bypasses Google's Forward-Edge CFI; Bypasses fine-grained code randomization (incl. ASLR); Limitations of Binary-CFI
33 HAFIX: Hardware Flow Integrity Extensions [O. Arias, L. Davi, M. Hanreich, Y. Jin, P. Koeberl, D. Paul, A.-R. Sadeghi, D. Sullivan, DAC 2015, Best Paper]
34-39 Big Picture
State 0: Normal Execution
Function Call, Indirect Jump, Function Return
CFI State: Only CFI instructions allowed (CFI_CALL label, CFI_JMP label, CFI_RET label)
40-43 Overview on HAFIX
Contributions: Efficient CFI hardware implementation for Intel Siskiyou Peak and SPARC-LEON3; dedicated CFI instructions and memory
HAFIX Policies: 1. Function returns only allowed to target active call sites or the last active call site. 2. Function calls need to target a valid function entry.
Limitations: No policy enforcement for indirect jumps; coarse-grained policy for indirect calls
44 HAFIX++ Strategy Without Tactics: Policy-Agnostic Hardware-Enhanced Control-Flow Integrity [Dean Sullivan, Orlando Arias, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, Yier Jin, DAC 2016]
45 What about attacks inside the benign control flow? How can we attest control-flow paths of an application?
46 C-FLAT: Control-Flow Attestation of Embedded Systems Software Tigist Abera, N. Asokan, Lucas Davi, Jan-Erik Ekberg, Thomas Nyman, Andrew Paverd, Ahmad-Reza Sadeghi, Gene Tsudik ACM CCS 2016
47-57 C-FLAT: Big Picture
Verifier: Control-Flow Graph (CFG) Analysis, Path Measurement, Control-Flow Validation
Prover: App A, Run-Time Path Measurement
Figure labels: P1, P2, LP1, "P1, #LP1", P*2, P*x
58 How to attest the executed control flows without transmitting all executed branches?
59-63 C-FLAT Measurement Function
Cumulative Hash Value: H_i = H(H_{i-1}, N)
H_{i-1}: previous hash result
N: instruction block (node) just executed
Example over blocks A, B, C, D, E, F: H_1 = H(0, A); H_2 = H(H_1, B); H_3 = H(H_2, C); H_4 = H(H_2, D); H_5 = H(H_2, E); H_6 = H(H_5, F)
64 Loops are a challenge! Different loop paths and loop iterations lead to many valid hash values
65-66 C-FLAT Approach: Treat loops as sub-graphs and report their hash values and # of iterations separately
Figure labels: H_Final; H_loop-entry (Loop Entry Hash); "H_loop_1, #H_loop_1" and "H_loop_2, #H_loop_2" (Loop Hash, Iteration)
67 Prototype Architecture Implementation on Raspberry Pi 2 Application Binary Trampolines Measurement Engine and Attestation Hardware
71 Evaluation: Case Studies Syringe Pump Soldering Iron Temperature Controller
72-73 Syringe Pump
Source: open-syringe-pump
Original implementation targets Arduino boards
We ported the code to Raspberry Pi
13,000 instructions with 332 CFG edges of which 20 are loops
Main functions are set-quantity and move-syringe
74-77 Applying C-FLAT to Syringe Pump
main()
  while (1) {
    if (serialready()) {
      cfa_init;
      processserial();     /* 1 */
      cfa_quote;           /* 14 */
    }
  }
processserial()
  if (input == '+') {
    action(push,bolus);    /* 3 */
    updatescreen();        /* 9 */
  } else if (input == '-') {
    action(pull,bolus);
    updatescreen();
  }
action(direction,bolus)
  steps = bolus * steps_per_ml
  if (direction == PUSH) {
    /* set stepper direction */
  } else { /* PULL */
    /* set stepper direction */
  }
  for (steps) {
    /* move stepper */
  }
bolus = dose of drug; volume of cylinder for a particular height x
The numbers in comments are the annotations slide 77 attaches to those lines.
Please note that this slide shows a simplified view of the Syringe pump code and control-flow graph.
78-80 Final Hash Measurements
action(direction,bolus)
  steps = bolus * steps_per_ml
  if (direction == PUSH) {
    /* set stepper direction */
  } else { /* PULL */
    /* set stepper direction */
  }
  for (steps) {
    /* move stepper */
  }
Final Measurements for PUSH, PULL operations: b3 c5 ca c4 6f dc 6a d0 4a af a e0 9a f a7 0b 06 f0 ba e
Loop Measurement: fb fc e d7 ac 32 5d 65 eb c (#iterations)
81-82 C-FLAT Log for PUSH action
Logs for PUSH 0.1 ml and PUSH 0.2 ml: each consists of an [INFO] cfa_quote line followed by loop[000] to loop[012] entries with their path hashes and iteration counts.
Only the number of loop iterations is different per bolus: 682 (0.1 ml), 1365 (0.2 ml)
83 Attacking the Syringe Pump
Constructed several exploits to validate the effectiveness of C-FLAT
Control-flow attack uses ROP to dispense liquid at unexpected time: C-FLAT detects attack due to unexpected measurement
Non-control-data attack that dispenses more liquid than requested: C-FLAT detects attack due to an unexpectedly high number of loop iterations
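The measurement function H_i = H(H_{i-1}, N), the separate loop reporting, and the two detection cases above can be traced in a small model. This Python sketch is an added example, not code from the talk or from the C-FLAT prototype; the node names, the BLAKE2s hash with 16-byte digests, the handling of non-nested loops only, and the helpers `measure`, `action_trace` and `verify` are assumptions made for illustration.

```python
import hashlib
from collections import Counter

DIGEST_SIZE = 16           # assumption: 16-byte digests
ZERO = bytes(DIGEST_SIZE)  # H_0, the initial hash value

def H(prev: bytes, node: str) -> bytes:
    """One cumulative step: H_i = H(H_{i-1}, N)."""
    return hashlib.blake2s(prev + node.encode(), digest_size=DIGEST_SIZE).digest()

def measure(trace, loops):
    """Prover side. trace: executed node IDs in order.
    loops: {loop_head: set of body nodes} (non-nested loops only).
    Returns (final_hash, [(loop_entry_hash, {iteration_path_hash: count})])."""
    h, reports, head = ZERO, [], None
    entry_hash, paths, it = ZERO, Counter(), ZERO
    for node in trace:
        if head is not None:
            if node == head:              # back edge: one iteration finished
                paths[it] += 1
                it = H(ZERO, head)
                continue
            if node in loops[head]:       # still inside the loop body
                it = H(it, node)
                continue
            # Loop exit: report the loop separately, fold its head in once.
            reports.append((entry_hash, dict(paths)))
            h, head = H(h, head), None
        if node in loops:                 # entering a loop sub-graph
            head, entry_hash = node, h
            paths, it = Counter(), H(ZERO, node)
        else:
            h = H(h, node)
    if head is not None:                  # trace ended inside a loop
        reports.append((entry_hash, dict(paths)))
        h = H(h, head)
    return h, reports

# Hypothetical node names for the simplified action(direction, bolus) CFG.
LOOPS = {"for_head": {"move_stepper"}}

def action_trace(direction, steps):
    """Node sequence a benign run of action() executes for `steps` steps."""
    set_dir = "set_dir_push" if direction == "PUSH" else "set_dir_pull"
    return (["action_entry", set_dir]
            + ["for_head", "move_stepper"] * steps
            + ["for_head", "action_exit"])

def verify(report, requested_steps):
    """Verifier side: compare a report with reference measurements taken
    from the CFG, then check the iteration count against the request."""
    final, loop_reports = report
    for direction in ("PUSH", "PULL"):
        ref_final, ref_loops = measure(action_trace(direction, 1), LOOPS)
        if final != ref_final:
            continue
        ref_entry, ref_paths = ref_loops[0]
        if len(loop_reports) != 1 or loop_reports[0][0] != ref_entry:
            return "unexpected loop entry"
        paths = loop_reports[0][1]
        if set(paths) - set(ref_paths):
            return "unexpected loop path"
        if sum(paths.values()) != requested_steps:
            return "unexpected iteration count"
        return "ok"
    return "unexpected path measurement"

if __name__ == "__main__":
    # Constructed traces; 682 and 1365 are the iteration counts from the log slide.
    benign = measure(action_trace("PUSH", 682), LOOPS)
    too_many = measure(action_trace("PUSH", 1365), LOOPS)
    # Control flow arrives at the loop from a block that is not in the CFG.
    hijacked = measure(["outside_cfg"] + action_trace("PUSH", 10)[2:], LOOPS)
    for name, rep, req in (("benign", benign, 682),
                           ("too many iterations", too_many, 682),
                           ("hijacked", hijacked, 10)):
        print(f"{name:20s} final={rep[0].hex()} -> {verify(rep, req)}")
```

Because the loop is folded into the main hash only once, the final measurement is the same for every bolus and only the reported iteration count changes, which is the behaviour the log slide shows.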
84-86 Discussion on C-FLAT
C-FLAT attests control flow: Pure data attacks that don't affect control flow are not covered
Scalability depends on program size and complexity: We target typical (simple) embedded software, e.g., Syringe Pump that scales well for C-FLAT
Reducing context switch overhead: ARMv8 Cortex-A53 needs ~3700 cycles at 800MHz; TrustZone-M only requires a few cycles
87-92 Open Challenges
CFI enforcement in the context of real-time operating systems and autonomous systems
Addressing new attack techniques (e.g., data-oriented exploits, rowhammer)
Control-flow attestation of a network of devices inside an autonomous car
Data-flow attestation
More informationID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:
ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationAcquirer JCB EMV Test Card Set
Acquirer JCB EMV Test Card Set July, 2017 Powered by Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information available
More informationAPPLESHARE PC UPDATE INTERNATIONAL SUPPORT IN APPLESHARE PC
APPLESHARE PC UPDATE INTERNATIONAL SUPPORT IN APPLESHARE PC This update to the AppleShare PC User's Guide discusses AppleShare PC support for the use of international character sets, paper sizes, and date
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More information6.1 Font Types. Font Types
6 Font This chapter explains basic features of GP-Pro EX's "Font" and basic ways of placing text with each font. Please start by reading "6.1 Font Types" (page 6-2) and then turn to the corresponding page.
More informationATRIUM: Runtime Attestation Resilient Under Memory Attacks
ATRIUM: Runtime Attestation Resilient Under Memory Attacks Shaza Zeitouni TU Darmstadt, Germany shaza.zeitouni@trust. tu-darmstadt.de Ghada Dessouky TU Darmstadt, Germany ghada.dessouky@trust. tu-darmstadt.de
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationSecuring Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future?
Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? Ahmad-Reza Sadeghi, Lucas Davi Technische Universität Darmstadt, Germany and Intel Collaborative Research
More informationFirst Data Dual Interface EMV Test Card Set. Version 1.20
First Data Dual Interface EMV Test Card Set August, 2016 Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information available
More informationFirst Data EMV Test Card Set. Version 1.30
First Data EMV Test Card Set.30 January, 2018 Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information available from industry
More informationTEST DVD-VIDEO/ DVD-ROM For Checking DVD Players, DVD Recorders and DVD Drives TDH-940
TEST DVD-VIDEO/ DVD-ROM For Checking DVD Players, DVD Recorders and DVD Drives TDH-940 Product Introduction. Purpose of use, Features TDH-940 is a Test Disc designed for confirmation of operation of DVD
More informationFirst Data EMV Test Card Set. Version 2.00
First Data EMV Test Card Set.00 February, 2018 Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information available from industry
More informationCMSC 313 Lecture 03 Multiple-byte data big-endian vs little-endian sign extension Multiplication and division Floating point formats Character Codes
Multiple-byte data CMSC 313 Lecture 03 big-endian vs little-endian sign extension Multiplication and division Floating point formats Character Codes UMBC, CMSC313, Richard Chang 4-5 Chapter
More informationMitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011
Mitigating Code-Reuse Attacks with Control-Flow Locking Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Introduction Computer systems run complicated software, which is vulnerable We keep finding
More informationCDR File Information. Comments Direct PCM
IMPORTANT NOTICE: Robert Bosch LLC and the manufacturers whose vehicles are accessible using the CDR System urge end users to use the latest production release of the Crash Data Retrieval system software
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationHash Constant C Determinants leading to collisionfree
Hash Constant C Determinants leading to collisionfree (Ernst Erich Schnoor) eschnoor@multi-matrix.de Addendum to article: Core of the CypherMatrix Method http://www.telecypher.net/corecyph.htm#z6 Object
More information6. Specifications & Additional Information
6. Specifications & Additional Information SIIGX52004-3.1 Transceier Blocks Table 6 1 shows the transceier blocks for Stratix II GX and Stratix GX deices and compares their features. Table 6 1. Stratix
More informationUNH-IOL MIPI Alliance Test Program
DSI Receiver Protocol Conformance Test Report UNH-IOL 121 Technology Drive, Suite 2 Durham, NH 03824 +1-603-862-0090 mipilab@iol.unh.edu +1-603-862-0701 Engineer Name engineer@company.com Panel Company
More informationAcquirer JCB Dual Interface EMV Test Card Set
Acquirer JCB Dual Interface EMV Test Card Set.00 July, 2018 Powered by Disclaimer Information provided in this document describes capabilities available at the time of developing and delivering this document
More informationHere is a C function that will print a selected block of bytes from such a memory block, using an array-based view of the necessary logic:
Pointer Manipulations Pointer Casts and Data Accesses Viewing Memory The contents of a block of memory may be viewed as a collection of hex nybbles indicating the contents of the byte in the memory region;
More informationCIS-331 Final Exam Fall 2015 Total of 120 Points. Version 1
Version 1 1. (25 Points) Given that a frame is formatted as follows: And given that a datagram is formatted as follows: And given that a TCP segment is formatted as follows: Assuming no options are present
More informationSubversive-C: Abusing and Protecting Dynamic Message Dispatch
Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz
More informationJust-in-Time Code Reuse
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University
More informationENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More informationAdvanced Systems Security: Control-Flow Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationDigital Lighting Systems, Inc.
Digital Lighting Systems, Inc. Four Channel Dry Contacts Relays Switch Pack DMX512 compatible USER'S MANUAL -UM User's Manual - Page 1 GENERAL DESCRIPTION The is a 4-channel DMX-512 compatible electro-mechanical
More informationProblem 3. (12 points):
Problem 3. (12 points): This problem tests your understanding of basic cache operations. Harry Q. Bovik has written the mother of all game-of-life programs. The Game-of-life is a computer game that was
More informationFirst Data DCC Test Card Set. Version 1.30
First Data DCC Test Card Set.30 April, 2018 Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information available from industry
More informationEDR Report Information
EDR Report File Information Value VIN 5YJXCDE20HF041782 Retrieval Date 2017/06/30 02:16:00 (UTC) Retrieval User Comments Retrieval Program Information EDR Report Information Tesla EDR Reporting Service
More informationModule: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation
More informationID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:
ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 02, FALL 2012
CMSC 33 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 2, FALL 22 TOPICS TODAY Bits of Memory Data formats for negative numbers Modulo arithmetic & two s complement Floating point formats
More informationOne subset of FEAL, called FEAL-NX, is N round FEAL using a 128-bit key without key parity.
FEAL-NX SPECIFICATIONS 1 Introduction 1.1 Outline of the FEAL-NX cipher FEAL, the Fast Data Encipherment Algorithm, is a 64-bit block cipher algorithm that enciphers 64-bit plaintexts into 64-bit ciphertexts
More informationCIS-331 Final Exam Spring 2016 Total of 120 Points. Version 1
Version 1 1. (25 Points) Given that a frame is formatted as follows: And given that a datagram is formatted as follows: And given that a TCP segment is formatted as follows: Assuming no options are present
More informationA survey of Hardware-based Control Flow Integrity (CFI)
A survey of Hardware-based Control Flow Integrity (CFI) RUAN DE CLERCQ and INGRID VERBAUWHEDE, KU Leuven Control Flow Integrity (CFI) is a computer security technique that detects runtime attacks by monitoring
More informationDigital Lighting Systems, Inc. CD400-DMX DMX512 Four Channel Dimmer and Switch module
, Inc. DMX512 Four Channel Dimmer and Switch module Input: 5 Amps @ 6-24 VDC Outputs: 5 Amps Maximum each, total 4 outputs 8 Amps Maximum. FRONT BACK USER'S MANUAL -UM User's Manual - Page 1 GENERAL DESCRIPTION
More informationVM7000A PAPERLESS RECORDER COMMUNICATION FUNCTION OPERATION MANUAL
VM7000A PAPERLESS RECORDER COMMUNICATION FUNCTION OPERATION MANUAL WXPVM70mnA0002E October, 2009(Rev.1) All Rights Reserved, Copyright 2009, Ohkura Electric Co.,Ltd. To use this equipment safely Thank
More informationCSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms
CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by
More informationReadactor: Practical Code Randomization Resilient to Memory Disclosure
2015 IEEE Symposium on Security and Privacy Readactor: Practical Code Randomization Resilient to Memory Disclosure Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza
More informationTechnical Specification. Third Party Control Protocol. AV Revolution
Technical Specification Third Party Control Protocol AV Revolution Document AM-TS-120308 Version 1.0 Page 1 of 31 DOCUMENT DETAILS Document Title: Technical Specification, Third Party Control Protocol,
More informationEnhanced Play Fair Cipher
P Enhanced Play Fair Cipher 1 1 Naveen KMP P, PDepartment of Information Technology, Velammal Engineering College, Chennai, Tamil Nadu, India. Abstract The theme of this research work is to design and
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationPhysical Unclonable Functions-based Linear Encryption against Code Reuse Attacks
Physical Unclonable Functions-based Linear Encryption against Code Reuse Attacks Pengfei Qiu, Yongqiang Lyu Research Institute of Information Technology & TNList Tsinghua University Beijing, China {qpf15;luyq}@mails.tsinghua.edu.cn
More informationInformation Security Research and Education at Aalto. N. Asokan
Information Security Research and Education at Aalto N. Asokan http://asokan.org/asokan/ @nasokan About me Professor, Aalto University, from Aug 2013 Professor, University of Helsinki, 2012-2017 IEEE Fellow
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationInterac USA Interoperability EMV Test Card Set
Interac USA Interoperability EMV Test Card Set.00 April, 2018 Powered by Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More information2-Type Series Pressurized Closures
2-Type Series Pressurized Closures A complete pressure tight reenterable closure system for enclosing spliced connections of communications cables in a wide variety of applications. The 2-type Closure
More informationPCL ISO 8859/5 Latin/Cyrillic
Page 1 of 5 PCL Symbol Se t: 10N Unicode gly ph correspondence tables. Contact:help@redtitan.com http://pcl.to $20 U0020 Space -- -- -- -- $21 U0021 Ê Exclamation mark -- -- -- -- $22 U0022 Ë Quotation
More informationCPSC213/2014W1 Midterm EXTRA Practice
CPSC213/2014W1 Midterm EXTRA Practice DEC/HEX/BIN NUMERACY 1. Convert into decimal: 1a. 0x33 1b. 0x57 1c. 0xaf 1d. 0x7a 1e. 0x1234 1f. 0x69bd 1g. 0x1a64 1h. 0xdead 2. Convert into hex numbers of the specified
More informationRuntime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include
2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationSystems/DBG Debugger Version 2.20
Systems/DBG Debugger Version 2.20 Copyright c 2018, Dignus, LLC Systems/DBG Debugger Version 2.20 i Copyright c 2018 Dignus LLC, 8378 Six Forks Road Suite 203, Raleigh NC, 27615. World rights reserved.
More informationModbus Register Map: InRow ACRD60x / ACRC60x
Modbus Map: InRow ACRD60x / ACRC60x Notes: 1. 16-bit registers (INT16, UINT16, ENUM) are transmitted MSB first (i.e., big-endian). 2. INT32 and UINT32 are most-significant word in n+0, least significant
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More information10. RS-232C communication
10. RS-232C communication PB9200(P5XMLA) Connecting the cable (1) Turn off the projector and the computer power supplies. (2) Connect the CONTROL port of the projector with a RS-232C port of the computer
More informationCS 537: Introduction to Operating Systems Fall 2015: Midterm Exam #1
CS 537: Introduction to Operating Systems Fall 2015: Midterm Exam #1 This exam is closed book, closed notes. All cell phones must be turned off. No calculators may be used. You have two hours to complete
More informationRegister Map: Ecoflair Indirect Air Economizer
Register Map: Ecoflair Indirect Air Economizer Notes: 1. 16-bit registers (INT16, UINT16, ENUM) are transmitted MSB first (i.e., big-endian). 2. INT32 and UINT32 are most-significant word in n+0, least
More informationVM7000A PAPERLESS RECORDER COMMUNICATION FUNCTION OPERATION MANUAL
VM7000A PAPERLESS RECORDER COMMUNICATION FUNCTION OPERATION MANUAL WXPVM70mnA0002E March, 2014(Rev.5) Copyright 2009-2014, Ohkura Electric Co.,Ltd. All Rights Reserved. To use this equipment safely Thank
More informationDigital Lighting Systems, Inc.
, Inc. PD402-DMX Four Channel Dimmer and Switch Packs 4 x 2.5 Amps @ 6VDC to 24 VDC DMX52 compatible DMX52 4 x 2.5 Amps Dimmer Pack C UL US LISTED Digital Lighting Systems, Inc. USER'S MANUAL User's Manual
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64
More informationScan Results - ( Essentials - Onsharp )
Scan Results - www.onsharp.com ( Essentials - Onsharp ) Overview Open Ports (18) Scan ID: 7675527 Target: www.onsharp.com Max Score: 2.6 Compliance: Passing PCI compliance, Expires undefined Profile: 15
More informationETSI TS V ( )
TS 135 233 V12.1.0 (2014-10) TECHNICAL SPECIFICATION Universal Mobile Telecommunications System (UMTS); LTE; Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication
More informationHere is a C function that will print a selected block of bytes from such a memory block, using an array-based view of the necessary logic:
Pointer Manipulations Pointer Casts and Data Accesses Viewing Memory The contents of a block of memory may be viewed as a collection of hex nybbles indicating the contents of the byte in the memory region;
More informationDigital Lighting Systems, Inc. PD405-DMX. Four Channel Dimmer and Switch Packs. DMX512 compatible. PD405-DMX-24DC DMX512 4 x 5 Amps Dimmer Pack
Digital Lighting Systems, Inc. PD405DMX Four Channel Dimmer and Switch Packs DMX52 compatible PD405DMX24DC DMX52 4 x 5 Amps Dimmer Pack C UL US LISTED www.digitallighting.com Digital Lighting Systems,
More informationID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.
ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection
More information