Preventing Use-after-free with Dangling Pointers Nullification
- Marvin Shaw
- 6 years ago
1 Preventing Use-after-free with Dangling Pointers Nullification
Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee
Georgia Institute of Technology; Stony Brook University

2-4 Emerging Threat: Use-after-free
[Figure: Software Vulnerability Exploitation Trends, Microsoft]

5-6 Emerging Threat: Use-after-free
[Chart: the number of reported vulnerabilities in Chrome ( ); series: Security-Critical, Security-High; bug classes: Use-after-free, Stack Overflow, Heap Overflow]

7 Use-after-free
- A dangling pointer is a pointer that points to a freed memory region.
- Using a dangling pointer leads to undefined program states.
- It makes arbitrary code execution easy to achieve, hence the name use-after-free.

8 Understanding Use-after-free
  class Doc : public Element { // Element members ... };
  class Body : public Element { // Element members ... };
  Doc *doc = new Doc();
  Body *body = new Body();
  doc->child = body;
  delete body;
  if (doc->child) doc->child->getalign();

9-17 Understanding Use-after-free (step by step)
- Allocate objects: Doc *doc = new Doc(); Body *body = new Body();
- Propagate pointers: doc->child = body;
- Free an object: delete body; Body is now freed, and doc->child is a dangling pointer.
- Use a dangling pointer: if (doc->child) doc->child->getalign(); by this time the freed region may hold an attacker-controlled object.

18-20 Related Work on Use-after-free
Timeline of an exploit: free, control objects, use.
- Safe Allocators, AddressSanitizer, Delayed free
- Vtable protection, Control Flow Integrity
- Memory Safety, Use-after-free detector
These either make exploitation harder but remain bypassable, or are difficult to support on large-scale software. DangNull, introduced next, intervenes at the free step.

21 DangNull: Use-after-free detector
- Tracking object relationships: coarse-grained pointer semantic tracking; supports large-scale software.
- Nullify dangling pointers: immediately eliminates all dangling pointers; non-bypassable by sophisticated attacks.

22-26 Tracking Object Relationships
- Intercept allocations/deallocations at runtime.
- Maintain a Shadow Object Tree: a red-black tree that efficiently keeps object layout information; each node is a (base address, size) pair.
- Doc *doc = new Doc(); inserts a shadow object: the base address of the allocation and the size of Doc.
- delete body; removes the shadow object, looked up by base address (body).

27-32 Tracking Object Relationships
- Instrument pointer propagations; maintain backward/forward pointer trees for each shadow object.
- doc->child = body; is instrumented as trace(&doc->child, body);
- The shadow object of Doc records a forward pointer (Doc points to Body); the shadow object of Body records a backward pointer (Body is pointed to from Doc).
- This is coarse-grained pointer semantic tracking, but enough to identify all dangling pointers.

33 Nullifying Dangling Pointers
- Nullify all backward pointers of Body once it is deleted.
- All backward pointers of Body are dangling pointers.
- Dangling pointers have no semantics.

34-35 Nullifying Dangling Pointers
  delete body;            // nullification: doc->child = NULL
  if (doc->child) doc->child->getalign();
- A null-dereference is safely contained in the pre-mapped null padding.
- Immediately eliminate all dangling pointers!
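As an added illustration (not the authors' code; the real DangNull is an LLVM pass plus a compiler-rt runtime), this C++ model reproduces the mechanism the slides describe: a shadow object tree keyed by base address, per-object backward and forward pointer sets filled by a simulated trace() call after each pointer store, and nullification of every backward pointer when the object is freed. The names dn_alloc, dn_trace, dn_free and the edge map are this example's own, and it also covers a case the slides do not spell out: a pointer slot re-pointed before its old target is freed.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <new>
#include <set>

// One shadow object per live heap allocation.
struct ShadowObj {
    std::size_t size;
    std::set<void **> backward;  // pointer slots elsewhere that point INTO this object
    std::set<void **> forward;   // pointer slots INSIDE this object that point elsewhere
};
// Shadow Object Tree keyed by base address (std::map is a red-black tree, as in DangNull).
static std::map<std::uintptr_t, ShadowObj> g_shadow;
// Current target base of every tracked slot, so a re-pointed slot can be unlinked.
static std::map<void **, std::uintptr_t> g_edges;
// Shadow object whose [base, base+size) contains addr, or end() if untracked.
static std::map<std::uintptr_t, ShadowObj>::iterator dn_lookup(const void *addr) {
    std::uintptr_t a = reinterpret_cast<std::uintptr_t>(addr);
    auto it = g_shadow.upper_bound(a);
    if (it == g_shadow.begin()) return g_shadow.end();
    --it;
    return (a < it->first + it->second.size) ? it : g_shadow.end();
}
// Remove the backward/forward edge recorded for slot loc, if any.
static void dn_unlink(void **loc) {
    auto e = g_edges.find(loc);
    if (e == g_edges.end()) return;
    auto dst = g_shadow.find(e->second);
    if (dst != g_shadow.end()) dst->second.backward.erase(loc);
    auto src = dn_lookup(loc);
    if (src != g_shadow.end()) src->second.forward.erase(loc);
    g_edges.erase(e);
}
// Intercepted allocation: insert (base address, size) into the shadow tree.
void *dn_alloc(std::size_t size) {
    void *p = std::malloc(size);
    if (p) g_shadow[reinterpret_cast<std::uintptr_t>(p)] = ShadowObj{size, {}, {}};
    return p;
}
// Instrumented pointer propagation: the pass rewrites `*loc = val;` into `*loc = val;
// dn_trace(loc, val);`. Slots outside tracked heap objects (e.g. a local `Body *body`
// on the stack) are ignored: that is the coarse-grained part of the tracking.
void dn_trace(void **loc, void *val) {
    auto src = dn_lookup(loc);
    if (src == g_shadow.end()) return;
    dn_unlink(loc);                      // retire the edge to the previous target
    auto dst = dn_lookup(val);
    if (dst == g_shadow.end()) return;   // new value is not a tracked object
    src->second.forward.insert(loc);
    dst->second.backward.insert(loc);
    g_edges[loc] = dst->first;
}
// Intercepted deallocation: every backward pointer of p is about to dangle, so
// each one is set to NULL before the memory is released. Returns how many.
std::size_t dn_free(void *p) {
    auto it = g_shadow.find(reinterpret_cast<std::uintptr_t>(p));
    if (it == g_shadow.end()) { std::free(p); return 0; }
    std::size_t nullified = 0;
    for (void **loc : std::set<void **>(it->second.backward)) {  // iterate a copy
        *loc = nullptr;                  // a later use is now a contained null-dereference
        dn_unlink(loc);
        ++nullified;
    }
    for (void **loc : std::set<void **>(it->second.forward)) dn_unlink(loc);
    g_shadow.erase(it);
    std::free(p);
    return nullified;
}
// The slides' object shapes, reduced to the one member the example needs.
struct Element { Element *child = nullptr; };
struct Doc : Element {};
struct Body : Element {};

// Slide scenario: allocate, propagate doc->child = body, delete body. Returns the
// nullification count (1) and reports whether doc->child is now NULL, so the
// slide's `if (doc->child) doc->child->getalign();` is simply skipped.
std::size_t demo_nullify(bool *child_is_null) {
    Doc *doc = new (dn_alloc(sizeof(Doc))) Doc();
    Body *body = new (dn_alloc(sizeof(Body))) Body();
    doc->child = body; dn_trace(reinterpret_cast<void **>(&doc->child), body);
    std::size_t n = dn_free(body);                 // nullifies doc->child
    *child_is_null = (doc->child == nullptr);
    dn_free(doc);
    return n;
}
// Edge case: the slot is re-pointed before the old target is freed. dn_trace
// retired the stale edge, so freeing b1 nullifies nothing and doc->child stays b2.
std::size_t demo_repoint(bool *still_b2) {
    Doc *doc = new (dn_alloc(sizeof(Doc))) Doc();
    Body *b1 = new (dn_alloc(sizeof(Body))) Body();
    Body *b2 = new (dn_alloc(sizeof(Body))) Body();
    doc->child = b1; dn_trace(reinterpret_cast<void **>(&doc->child), b1);
    doc->child = b2; dn_trace(reinterpret_cast<void **>(&doc->child), b2);
    std::size_t n = dn_free(b1);
    *still_b2 = (doc->child == b2);
    dn_free(b2);
    dn_free(doc);
    return n;
}
```

Pointers held on the stack or in globals are not tracked by this model, matching the slides' "coarse-grained" description; only slots inside tracked heap objects are nullified.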
36 Implementation
- Prototype DangNull. Instrumentation: LLVM pass, +389 LoC. Runtime: compiler-rt, +3,955 LoC.
- To build target applications: SPEC CPU 2006 needs one extra compiler and linker flag; Chromium needs +27 LoC in the .gyp build configuration file.

37 Performance Evaluation
- Chromium browser: instrumented 140k of 16,831k (0.8%) instructions; passed all unit tests and layout tests.
- Overall 28.9% overhead on various benchmarks.
- Page loading time for the Alexa top 100 websites: 7% increased load time, while visiting 123k shadow objects and 32k shadow pointers, with 7k nullifications.

38 Conclusion
- Presented DangNull, which detects use-after-free, supports large-scale software, and is non-bypassable by sophisticated attacks.

39 Demo
- Running Chromium browser (version ), hardened using DangNull.
- Testing a use-after-free exploit (PoC), CVE : Heap-use-after-free in WebCore::RenderBlock::determineStartPosition.
More informationDoes Making The Kernel Harder Make
Does Making The Kernel Harder Make Making The Kernel Harder? Casey Schaufler Intel Open Source Technology Center Casey Schaufler Kernel developer from the 1970 s Supercomputers in the 1990 s Smack Linux
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationBouncer: Securing Software by Blocking Bad Input
Bouncer: Securing Software by Blocking Bad Input Lidong Zhou Microsoft Research Mountain View, USA lidongz@microsoft.com Manuel Costa Microsoft Research Cambridge, UK manuelc@microsoft.com Lintao Zhang
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationSecuring Applications in C/C++
Securing Applications in C/C++ Application Security Training Datasheet Security Compass 2012. Application Security Training Datasheet. Securing Applications in C/C++ 1 It has long been discussed that identifying
More informationIntFlow: Integer Error Handling With Information Flow Tracking
mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29 IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D.
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationNew features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany
New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope
More informationObject-Oriented Programming
iuliana@cs.ubbcluj.ro Babes-Bolyai University 2018 1 / 37 Overview 1 2 3 4 5 2 / 37 Questions we will answer today What is the difference between the stack and the heap? How can we allocate and free memory
More informationManaged runtimes & garbage collection
Managed runtimes Advantages? Managed runtimes & garbage collection CSE 631 Some slides by Kathryn McKinley Disadvantages? 1 2 Managed runtimes Portability (& performance) Advantages? Reliability Security
More informationDynamic Race Detection with LLVM Compiler
Dynamic Race Detection with LLVM Compiler Compile-time instrumentation for ThreadSanitizer Konstantin Serebryany, Alexander Potapenko, Timur Iskhodzhanov, and Dmitriy Vyukov OOO Google, 7 Balchug st.,
More information