Preventing Use-after-free with Dangling Pointers Nullification

Size: px
Start display at page:

Download "Preventing Use-after-free with Dangling Pointers Nullification"

Transcription

1 Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University

2 Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft,

3 Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft,

4 Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft,

5 Emerging Threat: Use-after-free Security-Critical Security-High Use-after-free Stack Overflow Heap Overflow The number of reported vulnerabilities in Chrome ( ) 3

6 Emerging Threat: Use-after-free Security-Critical Security-High Use-after-free Stack Overflow Heap Overflow The number of reported vulnerabilities in Chrome ( ) 3

7 Use-after-free A dangling pointer A pointer points to a freed memory region Using a dangling pointer leads to undefined program states Easy to achieve arbitrary code executions so called use-after-free 4

8 Understanding Use-after-free class Doc : public Element { // Element ; }; class Body : public Element { // Element ; }; Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; if (doc->child) doc->child->getalign(); 5

9 Understanding Use-after-free *doc *body Doc Body Allocate objects Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; if (doc->child) doc->child->getalign(); 6

10 Understanding Use-after-free *doc *body Doc Body Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; delete body; if (doc->child) doc->child->getalign(); 6

11 Understanding Use-after-free *doc *body Doc Body Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; delete body; if (doc->child) doc->child->getalign(); 6

12 Understanding Use-after-free *doc *body Doc Body Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; Free an object delete body; if (doc->child) doc->child->getalign(); 6

13 Understanding Use-after-free *doc *body Doc Body freed Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; Free an object delete body; if (doc->child) doc->child->getalign(); 6

14 Understanding Use-after-free *doc *body Doc Body freed a dangling pointer Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; Free an object delete body; if (doc->child) doc->child->getalign(); 6

15 Understanding Use-after-free *doc *body Doc Body freed a dangling pointer Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; Free an object delete body; Use a dangling pointer if (doc->child) doc->child->getalign(); 6

16 Understanding Use-after-free *doc *body Doc Body freed a dangling pointer Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; Free an object delete body; Use a dangling pointer if (doc->child) doc->child->getalign(); 6

17 Understanding Use-after-free *doc *body Doc a dangling pointer Body freed Attacker control object Allocate objects Doc *doc = new Doc(); Body *body = new Body(); Propagate pointers doc->child = body; Free an object delete body; Use a dangling pointer if (doc->child) doc->child->getalign(); 6

18 Related Work on Use-after-free free control objects use t Safe Allocators AddressSanitizer Delayed free Vtable protection Control Flow Integrity Memory Safety Use-after-free detector 7

19 Related Work on Use-after-free free control objects use t Safe Allocators AddressSanitizer Delayed free Vtable protection Control Flow Integrity Memory Safety Use-after-free detector Make exploitation harder, but still bypassable or Difficult to support large-scale software 7

20 Related Work on Use-after-free free control objects use t DangNull Safe Allocators AddressSanitizer Delayed free Vtable protection Control Flow Integrity Memory Safety Use-after-free detector Make exploitation harder, but still bypassable or Difficult to support large-scale software 7

21 DangNull: Use-after-free detector Tracking Object Relationships Coarse grained pointer semantic tracking Support large-scale software Nullify dangling pointers Immediately eliminate all dangling pointers Non-bypassable to sophisticated attacks 8

22 Tracking Object Relationships Intercept allocations/deallocations in runtime Maintain Shadow Object Tree Red-Black tree to efficiently keep object layout information Node: (base address, size) pair 9

23 Tracking Object Relationships Intercept allocations/deallocations in runtime Maintain Shadow Object Tree Red-Black tree to efficiently keep object layout information Node: (base address, size) pair Doc *doc = new Doc(); 9

24 Tracking Object Relationships Intercept allocations/deallocations in runtime Maintain Shadow Object Tree Red-Black tree to efficiently keep object layout information Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc 9

25 Tracking Object Relationships Intercept allocations/deallocations in runtime Maintain Shadow Object Tree Red-Black tree to efficiently keep object layout information Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; 9

26 Tracking Object Relationships Intercept allocations/deallocations in runtime Maintain Shadow Object Tree Red-Black tree to efficiently keep object layout information Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc Remove shadow obj: - Using base address (body) delete body; 9

27 Tracking Object Relationships Instrument pointer propagations Maintain backward/forward pointer trees for a shadow obj. doc->child = body; Doc *doc Body *body 10

28 Tracking Object Relationships Instrument pointer propagations Maintain backward/forward pointer trees for a shadow obj. doc->child = body; trace(&doc->child, body); Doc *doc Body *body 10

29 Tracking Object Relationships Instrument pointer propagations Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; trace(&doc->child, body); back fwd Doc *doc Shadow obj. of Body Body back fwd *body 10

30 Tracking Object Relationships Instrument pointer propagations Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; trace(&doc->child, body); back fwd *doc Doc Shadow obj. of Body Forward Body back fwd *body 10

31 Tracking Object Relationships Instrument pointer propagations Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; trace(&doc->child, body); back fwd *doc Doc Shadow obj. of Body Forward Body Backward back fwd *body 10

32 Tracking Object Relationships Instrument pointer propagations Maintain backward/forward pointer trees for a shadow obj. doc->child = body; trace(&doc->child, body); Shadow obj. of Doc back fwd *doc Doc Body Backward back Forward This is coarse grained pointer semantic tracking, Shadow obj. of Body but enough to identify all dangling pointers. fwd *body 10

33 Nullifying Dangling Pointers Nullify all backward pointers of Body, once it is deleted. All backward pointers of Body are dangling pointers Dangling pointers have no semantics Doc *doc Body *body Freed 11

34 Nullifying Dangling Pointers delete body; Nullification doc->child = NULL if (doc->child) doc->child->getalign(); Null-dereference is safely contained in pre-mapped nullpadding 12

35 Nullifying Dangling Pointers delete body; Nullification Immediately eliminate all dangling pointers! doc->child = NULL if (doc->child) doc->child->getalign(); Null-dereference is safely contained in pre-mapped nullpadding 12

36 Implementation Prototype DangNull Instrumentation: LLVM pass, +389 LoC Runtime: compiler-rt, +3,955 LoC To build target applications, SPEC CPU 2006: one extra compiler and linker flag Chromium: +27 LoC to.gyp build configuration file 13

37 Performance Evaluation Chromium browser Instrumented 140k/16,831k (0.8%) instructions Passed all unit tests and layout tests Overall 28.9% overheads on various benchmarks A page loading time for the Alexa top 100 websites 7% increased load time While visiting 123k shadow objects and 32k shadow pointers 7k nullifications 14

38 Conclusion Presented DangNull, which detects use-after-free Supporting large-scale software Non-bypassable to sophisticated attacks 15

39 Demo Running Chromium browser (version ) Hardened using DangNull Testing use-after-free exploit (PoC) CVE : Heap-use-after-free in WebCore::RenderBlock::determineStartPosition 16

A program execution is memory safe so long as memory access errors never occur:

A program execution is memory safe so long as memory access errors never occur: A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories

More information

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/

More information

HDFI: Hardware-Assisted Data-flow Isolation

HDFI: Hardware-Assisted Data-flow Isolation HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia

More information

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교 Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability

More information

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual

More information

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität

More information

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:

More information

PREVENTING EXPLOITS AGAINST MEMORY CORRUPTION VULNERABILITIES

PREVENTING EXPLOITS AGAINST MEMORY CORRUPTION VULNERABILITIES PREVENTING EXPLOITS AGAINST MEMORY CORRUPTION VULNERABILITIES A Thesis Presented to The Academic Faculty by Chengyu Song In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in

More information

CS-527 Software Security

CS-527 Software Security CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal

More information

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor

More information

HA2lloc: Hardware-Assisted Secure Allocator

HA2lloc: Hardware-Assisted Secure Allocator HA2lloc: Hardware-Assisted Secure Allocator Orlando Arias, Dean Sullivan, Yier Jin {oarias,dean.sullivan}@knights.ucf.edu yier.jin@ece.ufl.edu University of Central Florida University of Florida June 25,

More information

Software security, secure programming

Software security, secure programming Software security, secure programming Lecture 4: Protecting your code against software vulnerabilities? (overview) Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Preamble Bad news several

More information

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge

More information

Remix: On-demand Live Randomization

Remix: On-demand Live Randomization Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow

More information

CS527 Software Security

CS527 Software Security Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and

More information

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,

More information

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units

More information

Dnmaloc: a more secure memory allocator

Dnmaloc: a more secure memory allocator Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium

More information

Ironclad C++ A Library-Augmented Type-Safe Subset of C++

Ironclad C++ A Library-Augmented Type-Safe Subset of C++ Ironclad C++ A Library-Augmented Type-Safe Subset of C++ Christian DeLozier, Richard Eisenberg, Peter-Michael Osera, Santosh Nagarakatte*, Milo M. K. Martin, and Steve Zdancewic October 30, 2013 University

More information

UFO: Predictive Concurrency Use-After-Free Detection

UFO: Predictive Concurrency Use-After-Free Detection Parasol Laboratory Texas A&M University jeff@cse.tamu.edu ABSTRACT Use-After-Free (UAF) vulnerabilities are caused by the program operating on a dangling pointer and can be exploited to compromise critical

More information

Security through Multi-Layer Diversity

Security through Multi-Layer Diversity Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1 Bringing Diversity to Computing Monoculture Current computing monoculture leaves our infrastructure vulnerable to

More information

HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer

HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer Motivation C++ is a popular programming language Google Chrome, Firefox,

More information

Bypassing AddressSanitizer

Bypassing AddressSanitizer Abstract Bypassing AddressSanitizer Eric Wimberley September 5, 2013 This paper evaluates AddressSanitizer as a next generation memory corruption prevention framework. It provides demonstrable tests of

More information

Dongseok Jang Zachary Tatlock. UC San Diego Washington

Dongseok Jang Zachary Tatlock. UC San Diego Washington Dongseok Jang Zachary Tatlock UC San Diego University of Washington Sorin Lerner UC San Diego e l b a r e n l Vu Control Flow Hijacking Lead Program to Jump to Unexpected Code That does what a7acker wants

More information

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing

More information

Exploiting and Protecting Dynamic Code Generation

Exploiting and Protecting Dynamic Code Generation Exploiting and Protecting Dynamic Code Generation Chengyu Song Georgia Institute of Technology csong84@gatech.edu Chao Zhang UC Berkeley chaoz@berkeley.edu Tielei Wang, Wenke Lee Georgia Institute of Technology

More information

Type Confusion: Discovery, Abuse, Protection. Mathias

Type Confusion: Discovery, Abuse, Protection. Mathias Type Confusion: Discovery, Abuse, Protection Mathias Payer, @gannimo http://hexhive.github.io Type confusion leads to RCE Attack surface is huge Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: glibc: Linux

More information

Runtime Defenses against Memory Corruption

Runtime Defenses against Memory Corruption CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,

More information

System Administration and Network Security

System Administration and Network Security System Administration and Network Security Master SSCI, M2P subject Duration: up to 3 hours. All answers should be justified. Clear and concise answers will be rewarded. 1 Network Administration To keep

More information

SECURING SOFTWARE SYSTEMS BY PREVENTING INFORMATION LEAKS

SECURING SOFTWARE SYSTEMS BY PREVENTING INFORMATION LEAKS SECURING SOFTWARE SYSTEMS BY PREVENTING INFORMATION LEAKS A Thesis Presented to The Academic Faculty by Kangjie Lu In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the

More information

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

Subversive-C: Abusing and Protecting Dynamic Message Dispatch Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz

More information

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp

More information

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock

More information

Advanced Systems Security: New Threats

Advanced Systems Security: New Threats Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Arsenal. Shadow-Box: Lightweight Hypervisor-Based Kernel Protector. Seunghun Han, Jungwhan Kang (hanseunghun

Arsenal. Shadow-Box: Lightweight Hypervisor-Based Kernel Protector. Seunghun Han, Jungwhan Kang (hanseunghun Arsenal Shadow-Box: Lightweight Hypervisor-Based Kernel Protector Seunghun Han, Jungwhan Kang (hanseunghun ultract)@nsr.re.kr Who are we? - Senior security researcher at NSR (National Security Research

More information

SGXBounds Memory Safety for Shielded Execution

SGXBounds Memory Safety for Shielded Execution SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,

More information

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes

More information

SoftBound: Highly Compatible and Complete Spatial Safety for C

SoftBound: Highly Compatible and Complete Spatial Safety for C SoftBound: Highly Compatible and Complete Spatial Safety for C Santosh Nagarakatte, Jianzhou Zhao, Milo Martin, Steve Zdancewic University of Pennsylvania {santoshn, jianzhou, milom, stevez}@cis.upenn.edu

More information

CMPSC 497 Other Memory Vulnerabilities

CMPSC 497 Other Memory Vulnerabilities Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory

More information

Undermining Information Hiding (And What to do About it)

Undermining Information Hiding (And What to do About it) Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating

More information

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014) Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science

More information

Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack

Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack John Criswell, University of Illinois Andrew Lenharth, University of Illinois Dinakar Dhurjati, DoCoMo Communications

More information

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Is Exploitation Over? Bypassing Memory Protections in Windows 7 Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap

More information

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for

More information

ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks

ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee School of Computer Science, Georgia Institute of Technology

More information

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Stony Brook University University of California, Berkeley Peking University Abstract Memory corruption bugs in software written

More information

EURECOM 6/2/2012 SYSTEM SECURITY Σ

EURECOM 6/2/2012 SYSTEM SECURITY Σ EURECOM 6/2/2012 Name SYSTEM SECURITY 5 5 5 5 5 5 5 5 5 5 50 1 2 3 4 5 6 7 8 9 10 Σ Course material is not allowed during the exam. Try to keep your answers precise and short. You will not get extra points

More information

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps SESSION ID: EXP-R01 Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps James Lyne Global Head of Security Research Sophos / SANS Institute @jameslyne Stephen Sims Security Researcher

More information

Heriot-Watt University

Heriot-Watt University Heriot-Watt University Heriot-Watt University Research Gateway Tag-Protector: An Effective and Dynamic Detection of Illegal Memory Accesses Through Compile-time Code Instrumentation Saeed, Ahmed; Ahmadinia,

More information

Digital Forensics Lecture 02 PDF Structure

Digital Forensics Lecture 02 PDF Structure Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/

More information

T-SGX: Eradicating Controlled-Channel

T-SGX: Eradicating Controlled-Channel T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee Taesoo Kim Marcus Peinado Georgia Institute of Technology Microsoft Research 2 3 Intel SGX aims to secure

More information

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012 Stack Overflow Faculty Workshop on Cyber Security May 23, 2012 Goals Learn to hack into computer systems using buffer overflow Steal sensitive data Crash computer programs Lay waste to systems throughout

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology

Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical

More information

CSE409, Rob Johnson, Alin Tomescu, November 11 th, 2011 Buffer overflow defenses

CSE409, Rob Johnson,   Alin Tomescu, November 11 th, 2011 Buffer overflow defenses Buffer overflow defenses There are two categories of buffer-overflow defenses: - Make it hard for the attacker to exploit buffer overflow o Address space layout randomization o Model checking to catch

More information

Software Security II: Memory Errors - Attacks & Defenses

Software Security II: Memory Errors - Attacks & Defenses 1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow

More information

Opal. Robert Grimm New York University

Opal. Robert Grimm New York University Opal Robert Grimm New York University The Three Questions What is the problem? What is new or different? What are the contributions and limitations? The Three Questions What is the problem? Applications

More information

On-Demand Proactive Defense against Memory Vulnerabilities

On-Demand Proactive Defense against Memory Vulnerabilities On-Demand Proactive Defense against Memory Vulnerabilities Gang Chen, Hai Jin, Deqing Zou, and Weiqi Dai Services Computing Technology and System Lab Cluster and Grid Computing Lab School of Computer Science

More information

A JVM for Soft-Error-Prone Embedded Systems

A JVM for Soft-Error-Prone Embedded Systems A JVM for Soft-Error-Prone Embedded Systems Isabella S)lkerich, Michael Strotz, Christoph Erhardt, Mar7n Hoffmann, Daniel Lohmann, Fabian Scheler, Wolfgang Schröder- Preikschat Department of Computer Science

More information

Fast Byte-Granularity Software Fault Isolation

Fast Byte-Granularity Software Fault Isolation Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint work with: Miguel Castro, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul

More information

To Detect Stack Buffer Overflow With Polymorphic Canaries

To Detect Stack Buffer Overflow With Polymorphic Canaries To Detect Stack Buffer Overflow With Polymorphic Canaries 何钟灵 April 29, 2018 1 Personal 1.1 intro This is based on an essay by Zhilong Wang in our group. Our group is named SECLAB in Lab 428, Building

More information

Fast dynamic program analysis Race detection. Konstantin Serebryany May

Fast dynamic program analysis Race detection. Konstantin Serebryany May Fast dynamic program analysis Race detection Konstantin Serebryany May 20 2011 Agenda Dynamic program analysis Race detection: theory ThreadSanitizer: race detector Making ThreadSanitizer

More information

Security Bugs in Embedded Interpreters

Security Bugs in Embedded Interpreters Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL Embedded interpreters Host system Bytecode Input Embedded

More information

Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University http://hexhive.github.io 1 Vulnerabilities everywhere? 2 Common Languages: TIOBE 18 Jul 2018 Jul 2017 Change Language 1

More information

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger University of Massachusetts Amherst Ben Zorn Microsoft Research Problems with Unsafe Languages C, C++: pervasive apps,

More information

SoK: Sanitizing for Security

SoK: Sanitizing for Security SoK: Sanitizing for Security Dokyung Song, Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz University of California, Irvine {dokyungs,jlettner,rajasekp,yeouln,stijnv,perl,franz}@uci.edu

More information

PlatPal: Detecting Malicious Documents with Platform Diversity

PlatPal: Detecting Malicious Documents with Platform Diversity PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript

More information

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer

More information

Back To The Epilogue

Back To The Epilogue Back To The Epilogue How to Evade Windows' Control Flow Guard with Less than 16 Bytes Andrea Biondo * Prof. Mauro Conti Daniele Lain * SPRITZ Group University of Padua, IT GOALS - Return to function epilogue

More information

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Putting the Checks into Checked C. Archibald Samuel Elliott Quals - 31st Oct 2017

Putting the Checks into Checked C. Archibald Samuel Elliott Quals - 31st Oct 2017 Putting the Checks into Checked C Archibald Samuel Elliott Quals - 31st Oct 2017 Added Runtime Bounds Checks to the Checked C Compiler 2 C Extension for Spatial Memory Safety Added Runtime Bounds Checks

More information

Malware

Malware reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or

More information

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated CNIT 127: Exploit Development Ch 18: Source Code Auditing Updated 4-10-17 Why Audit Source Code? Best way to discover vulnerabilities Can be done with just source code and grep Specialized tools make it

More information

Buffer overflow prevention, and other attacks

Buffer overflow prevention, and other attacks Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks

More information

Adaptive Android Kernel Live Patching

Adaptive Android Kernel Live Patching USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel

More information

Fuzzing. compass-security.com 1

Fuzzing. compass-security.com 1 Fuzzing compass-security.com 1 Fuzzing Finding bugs by bombarding target with nonconform data Think: Flip a few bits in a PDF, then start Acrobat with that PDF Just more automated Steps: Create input corpus

More information

Bypassing Browser Memory Protections

Bypassing Browser Memory Protections Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and

More information

CSC 405 Introduction to Computer Security Fuzzing

CSC 405 Introduction to Computer Security Fuzzing CSC 405 Introduction to Computer Security Fuzzing Alexandros Kapravelos akaprav@ncsu.edu Let s find some bugs (again) We have a potentially vulnerable program The program has some inputs which can be controlled

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007 Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS

More information

How to Sandbox IIS Automatically without 0 False Positive and Negative

How to Sandbox IIS Automatically without 0 False Positive and Negative How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1

More information

Lecture 4 September Required reading materials for this class

Lecture 4 September Required reading materials for this class EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer

More information

Managed runtimes & garbage collection. CSE 6341 Some slides by Kathryn McKinley

Managed runtimes & garbage collection. CSE 6341 Some slides by Kathryn McKinley Managed runtimes & garbage collection CSE 6341 Some slides by Kathryn McKinley 1 Managed runtimes Advantages? Disadvantages? 2 Managed runtimes Advantages? Reliability Security Portability Performance?

More information

Security Research at Harvard SEAS. Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct

Security Research at Harvard SEAS. Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct Security Research at Harvard SEAS Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct 17 2012 What Must You Trust? Bank Browser User-level libraries EVERYTHING Operating

More information

PESIT Bangalore South Campus Hosur road, 1km before Electronic City, Bengaluru Department of Electronics and Communication Engineering

PESIT Bangalore South Campus Hosur road, 1km before Electronic City, Bengaluru Department of Electronics and Communication Engineering PESIT Bangalore South Campus Hosur road, 1km before Electronic City, Bengaluru -560100 Department of Electronics and Communication Engineering Faculty: Richa Sharma Subject: Operating System SCHEME & SOLUTION

More information

Memory Corruption 101 From Primitives to Exploit

Memory Corruption 101 From Primitives to Exploit Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount

More information

Practical Techniques for Regeneration and Immunization of COTS Applications

Practical Techniques for Regeneration and Immunization of COTS Applications Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,

More information

Does Making The Kernel Harder Make

Does Making The Kernel Harder Make Does Making The Kernel Harder Make Making The Kernel Harder? Casey Schaufler Intel Open Source Technology Center Casey Schaufler Kernel developer from the 1970 s Supercomputers in the 1990 s Smack Linux

More information

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)

More information

Bouncer: Securing Software by Blocking Bad Input

Bouncer: Securing Software by Blocking Bad Input Bouncer: Securing Software by Blocking Bad Input Lidong Zhou Microsoft Research Mountain View, USA lidongz@microsoft.com Manuel Costa Microsoft Research Cambridge, UK manuelc@microsoft.com Lintao Zhang

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

Securing Applications in C/C++

Securing Applications in C/C++ Securing Applications in C/C++ Application Security Training Datasheet Security Compass 2012. Application Security Training Datasheet. Securing Applications in C/C++ 1 It has long been discussed that identifying

More information

IntFlow: Integer Error Handling With Information Flow Tracking

IntFlow: Integer Error Handling With Information Flow Tracking mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29 IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D.

More information

Inline Reference Monitoring Techniques

Inline Reference Monitoring Techniques Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code

More information

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope

More information

Object-Oriented Programming

Object-Oriented Programming iuliana@cs.ubbcluj.ro Babes-Bolyai University 2018 1 / 37 Overview 1 2 3 4 5 2 / 37 Questions we will answer today What is the difference between the stack and the heap? How can we allocate and free memory

More information

Managed runtimes & garbage collection

Managed runtimes & garbage collection Managed runtimes Advantages? Managed runtimes & garbage collection CSE 631 Some slides by Kathryn McKinley Disadvantages? 1 2 Managed runtimes Portability (& performance) Advantages? Reliability Security

More information

Dynamic Race Detection with LLVM Compiler

Dynamic Race Detection with LLVM Compiler Dynamic Race Detection with LLVM Compiler Compile-time instrumentation for ThreadSanitizer Konstantin Serebryany, Alexander Potapenko, Timur Iskhodzhanov, and Dmitriy Vyukov OOO Google, 7 Balchug st.,

More information