K-Miner Uncovering Memory Corruption in Linux
|
|
- Elinor Pierce
- 6 years ago
- Views:
Transcription
1 K-Miner Uncovering Memory Corruption in Linux David Gens Simon Schmitt Ahmad-Reza Sadeghi Cyber Security Center (CYSEC) Technische Universität Darmstadt Lucas Davi Universität of Duisburg-Essen
2 Why Static Analysis?
3 Big Picture KERNEL FILES COMPILER Memory Corruption: Use-After-Free Double Free Use-After-Return Memory Leaks OS HARDWARE
4 Big Picture KERNEL FILES COMPILER Attacke r Memory Corruption: Use-After-Free Double Free Use-After-Return Memory Leaks OS HARDWARE Static Analysis at compile time. Dynamic Analysis at run time.
5 Data-Flow Analysis: Graphs void main() { int a = 1; int *p; if (a!= 0) p = &a; Entry: int a = 1 int main *p printf p = &a } printf( %d\n, *p); Call Graph printf( %d\n, *p); Control-Flow Graph
6 Data-Flow Analysis: Graphs void main() { int a = 1; int *p; Pointer p Obj_p Obj_a a a p=&a Stack } if (a!= 0) p = &a; printf( %d\n, *p); p phi *p Pointer Value-Flow Constraint Assignment Graph Graph
7 Source-Sink Analysis kalloc_x p alloc SOURCE void main() { int *p = alloc(); p=alloc() if (p!= NULL) free(p); free SINK } free(p); phi free SINK There exists a path that reaches two sinks.
8 Scalability and Precision High Complexity Context-Sensitive Field-Sensitive Inter-Procedural Analysis Low Complexity
9 Kernel Static Analysis - History Sparse [by Torvalds] APISAN [Yun et al. USENIX 16] Smatch [by Charpenter] Coccinelle [Padioleau et al. EuroSys 08] EBA [Abal et al. Springer 17]
10 Linux Kernel: Lines of Code 25M 20M 15M 10M Lines of Code 5M 0 M Version
11 Contributions and Challenges Analysis Format Large Codebase Expandability Data-Flow Analysis Different Kernel Versions Transformation of the kernel source into the LLVM intermediate representation Scaling inter-procedural Data-Flow Analysis to millions of kernel code lines A modular design, adding new checkers is straightforward Combine existing and novel approaches for inter-procedural bug checkers Reports of different kernel versions can be managed using a web-based interface
12 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Syscall API Vulnerabilities have to be exploited though system calls KERNEL Driver API HARDWARE
13 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE
14 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE
15 Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE
16 Design and Workflow KERNEL FILES COMPILER MAKE FILE IR Pre-Processing Model Memory Obj Define Contexts Init Contexts K-MINER
17 Design and Workflow KERNEL FILES COMPILER MAKE FILE IR K-MINER Pre-Processing Model Memory Obj Define Contexts Init Contexts Partitioner Report Engine Bug Checker global_x global_y Memory-Corruption Report: Use-After-Return: global_x -> local_y
18 Implementation Details K-Miner builds on top of LLVM and SVF Environment Setup: Register allocation sites by using a list of kernel allocation functions for dynamically allocated objects Context Handling: Defines syscalls and initcalls contexts Performs a call-graph analysis and pointer analysis Multi-Level reduction of relevant partitions Bug Checker: Exploit LLVM s Pass-Infrastructure Covers Use-After-Return, Double-Free and Memory-Leaks Performs particular analysis and several validation checks
19 Use-After-Return Checker void sys_foo() { do_foo() return } 6 global_p local_x void do_foo() { int local_x = 1 add_x(&local_x) if(cond()) remove_x() return } 3 5 null remove_x 4 add_x void add_x(int *p) { global_p = p } 1 2 do_foo 5 void remove_foo() { 6 global_p = NULL } 4 Value-Flow Graph
20 Use-After-Return Checker void sys_foo() { do_foo() return } 6 global_p local_x void do_foo() { int local_x = 1 add_x(&local_x) if(cond()) remove_x() return } 3 5 null remove_x 4 add_x void add_x(int *p) { global_p = p } 1 2 do_foo 5 void remove_foo() { 6 global_p = NULL } 4 Value-Flow Graph
21 Evaluation Coverage: Four Kernel Versions ca. 300 system calls Scalability: Ø 25 min. per system call Ø 12 GB memory usage Real-world Impact: CVE (UAR) CVE (DFree) Extensibility: Additional bug checkers can be added as Passes Version MLoC Functions Run-Time Globals Memory Locals UAR MLeak Total Pointer DFree v / s 124/ GB 6967/ /40 3/ / /13 v / s 122/ GB 9309/ /46 2/ / /19 v / s 126/ GB 9947/ /50 2/ / /31 v / s 157/ GB 9873/ /65 1/ / /22
22
23
24
25
26 Questions?
ECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationTowards Automatic Generation of Vulnerability- Based Signatures
Towards Automatic Generation of Vulnerability- Based Signatures David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha (presented by Boniface Hicks) Systems and Internet Infrastructure Security
More informationTesting Error Handling Code in Device Drivers Using Characteristic Fault Injection
1 Testing Error Handling Code in Device Drivers Using Characteristic Fault Injection Jia-Ju Bai, Yu-Ping Wang, Jie Yin, Shi-Min Hu Department of Computer Science and Technology Tsinghua University Beijing,
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationFlowTwist: Efficient Context-Sensitive Inside- Out Taint Analysis for Large Codebases
FlowTwist: Efficient Context-Sensitive Inside- Out Taint Analysis for Large Codebases Johannes Lerch, Ben Hermann, Eric Bodden, and Mira Mezini {lastname@cs.tu-darmstadt.de https://github.com/johanneslerch/flowtwist
More informationImproving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation
Improving Linux Development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationLanguage Security. Lecture 40
Language Security Lecture 40 (from notes by G. Necula) Prof. Hilfinger CS 164 Lecture 40 1 Lecture Outline Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting
More informationHow Double-Fetch Situations turn into Double-Fetch Vulnerabilities:
How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel Pengfei Wang, Jens Krinke, Kai Lu, Gen Li, Steve Dodier-Lazaro College of Computer National
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week - 01 Lecture - 03 From Programs to Processes Hello. In
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationCSCI 6411: Operating Systems. Acknowledgements: Some slide material derived from Silberschatz, et al.
CSCI 6411: Operating Systems Acknowledgements: Some slide material derived from Silberschatz, et al. High level Cars Computers ...details... Cars Computers ... low level Cars Computers What is an Operating
More informationCSC 1600 Memory Layout for Unix Processes"
CSC 16 Memory Layout for Unix Processes" 1 Lecture Goals" Behind the scenes of running a program" Code, executable, and process" Memory layout for UNIX processes, and relationship to C" : code and constant
More informationImproving Linux development with better tools
Improving Linux development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationSubversive-C: Abusing and Protecting Dynamic Message Dispatch
Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz
More informationo Code, executable, and process o Main memory vs. virtual memory
Goals for Today s Lecture Memory Allocation Prof. David August COS 217 Behind the scenes of running a program o Code, executable, and process o Main memory vs. virtual memory Memory layout for UNIX processes,
More informationLucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher
17 th May 2017, ICRI-SC Retreat, Darmstadt, Germany Can Systems ever be Protected against Run-time Attacks? Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher Motivation Motivation
More informationCFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer
CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:
More informationFinding User/Kernel Pointer Bugs with Type Inference p.1
Finding User/Kernel Pointer Bugs with Type Inference Rob Johnson David Wagner rtjohnso,daw}@cs.berkeley.edu. UC Berkeley Finding User/Kernel Pointer Bugs with Type Inference p.1 User/Kernel Pointer Bugs
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationScaling CQUAL to millions of lines of code and millions of users p.1
Scaling CQUAL to millions of lines of code and millions of users Jeff Foster, Rob Johnson, John Kodumal and David Wagner {jfoster,rtjohnso,jkodumal,daw}@cs.berkeley.edu. UC Berkeley Scaling CQUAL to millions
More informationWindows architecture. user. mode. Env. subsystems. Executive. Device drivers Kernel. kernel. mode HAL. Hardware. Process B. Process C.
Structure Unix architecture users Functions of the System tools (shell, editors, compilers, ) standard library System call Standard library (printf, fork, ) OS kernel: processes, memory management, file
More informationAPISan: Sanitizing API Usages through Semantic Cross-checking
APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik Georgia Institute of Technology 1 APIs in today s software are plentiful
More informationOperating System Architecture. CS3026 Operating Systems Lecture 03
Operating System Architecture CS3026 Operating Systems Lecture 03 The Role of an Operating System Service provider Provide a set of services to system users Resource allocator Exploit the hardware resources
More informationCS 550 Operating Systems Spring System Call
CS 550 Operating Systems Spring 2018 System Call 1 Recap: The need for protection When running user processes, the OS needs to protect itself and other system components For reliability: buggy programs
More information15-411: LLVM. Jan Hoffmann. Substantial portions courtesy of Deby Katz
15-411: LLVM Jan Hoffmann Substantial portions courtesy of Deby Katz and Gennady Pekhimenko, Olatunji Ruwase,Chris Lattner, Vikram Adve, and David Koes Carnegie What is LLVM? A collection of modular and
More informationFrom Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu Group of Software Security In
More informationMC: Meta-level Compilation
MC: Meta-level Compilation Extending the Process of Code Compilation with Application-Specific Information for the layman developer (code monkey) Gaurav S. Kc 8 th October, 2003 1 Outline Dawson Engler
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationOne-Slide Summary. Lecture Outline. Language Security
Language Security Or: bringing a knife to a gun fight #1 One-Slide Summary A language s design principles and features have a strong influence on the security of programs written in that language. C s
More informationCode: analysis, bugs, and security
Code: analysis, bugs, and security supported by Bitdefender Marius Minea marius@cs.upt.ro 4 October 2017 Course goals improve skills: write robust, secure code understand program internals learn about
More informationDR. CHECKER. A Soundy Analysis for Linux Kernel Drivers. University of California, Santa Barbara. USENIX Security seclab
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky, Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationOS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:
OS Structure Kevin Webb Swarthmore College January 25, 2018 Relevant xkcd: One of the survivors, poking around in the ruins with the point of a spear, uncovers a singed photo of Richard Stallman. They
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationCMPSC 497 Other Memory Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory
More informationDynamic Memory Management! Goals of this Lecture!
Dynamic Memory Management!!! 1 Goals of this Lecture! Help you learn about:! Dynamic memory management techniques! Garbage collection by the run-time system (Java)! Manual deallocation by the programmer
More informationUniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/
More informationLowering and Backend in libfirm
1 Lowering and Backend in libfirm Saarland University 20. Januar 2012 2 Necessary Preparations for the Backend No unreachable code No Bad nodes Create vtables Lower Sels to address calculations/vtable
More informationOptimizing for Bugs Fixed
Optimizing for Bugs Fixed The Design Principles behind the Clang Static Analyzer Anna Zaks, Manager of Program Analysis Team @ Apple What is This Talk About? LLVM/clang project Overview of the Clang Static
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationThe Low-Level Bounded Model Checker LLBMC
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Carsten Sinz Stephan Falke Florian Merz October 7, 2010 VERIFICATION MEETS ALGORITHM ENGINEERING KIT University of the State of
More informationFirst order of Business
First order of Business First order of Business You probably feel like this MBE TA s Hardware Enforced Model 0: Privileged, Kernelspace 3: Restricted, Userspace Hardware Enforced Model 0: Privileged,
More informationJust-in-Time Code Reuse
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University
More informationLecture 1: Course Overview
Lecture 1: Course Overview Computer Systems Organization (Spring 2017) CSCI-UA 201, Section 3 Instructor: Joanna Klukowska Slides adapted from Randal E. Bryant and David R. O Hallaron (CMU) Mohamed Zahran
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More information"Secure" Coding Practices Nicholas Weaver
"Secure" Coding Practices based on David Wagner s slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 2 3 This is a Remarkably Typical C Problem Computer Science 161 Fall 2016 if ((options
More informationSystem Administration and Network Security
System Administration and Network Security Master SSCI, M2P subject Duration: up to 3 hours. All answers should be justified. Clear and concise answers will be rewarded. 1 Network Administration To keep
More informationImproving Integer Security for Systems with KINT. Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS
Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS Integer error Expected result goes out of bounds Math ( -
More informationSGXBounds Memory Safety for Shielded Execution
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,
More informationUnderstanding the Genetic Makeup of Linux Device Drivers
Understanding the Genetic Makeup of Linux Device Drivers (Work in Progress) Peter Senna Tschudin, Laurent Réveillère, Lingxiao Jiang, David Lo, Julia Lawall, Gilles Muller LIP6 Inria & UPMC, LaBRI, Singapore
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationOperating System Structure
Operating System Structure Heechul Yun Disclaimer: some slides are adopted from the book authors slides with permission Recap OS needs to understand architecture Hardware (CPU, memory, disk) trends and
More informationLinux Security Summit Europe 2018
Linux Security Summit Europe 2018 Kernel Hardening: Protecting the Protection Mechanisms Igor Stoppa - igor.stoppa@huawei.com Cyber Security & Privacy Protection Labs - Huawei introduction memory classification
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationInformation Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo
Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE The University of Tokyo furuse@yl.is.s.u-tokyo.ac.jp e-society MEXT project toward secure and reliable software
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationBaggy bounds with LLVM
Baggy bounds with LLVM Anton Anastasov Chirantan Ekbote Travis Hance 6.858 Project Final Report 1 Introduction Buffer overflows are a well-known security problem; a simple buffer-overflow bug can often
More informationCodeTickler: Automated Software Testing as a Service. Cris%an Zamfir, Vitaly Chipounov, George Candea
CodeTickler: Automated Software Testing as a Service Cris%an Zamfir, Vitaly Chipounov, George Candea Wouldn t it be nice to have reliable software? Vision Machines should find corner cases do tricky security
More informationDynamic Memory Management
Dynamic Memory Management 1 Goals of this Lecture Help you learn about: Dynamic memory management techniques Garbage collection by the run-time system (Java) Manual deallocation by the programmer (C, C++)
More informationSecure C Coding...yeah right. Andrew Zonenberg Alex Radocea
Secure C Coding...yeah right Andrew Zonenberg Alex Radocea Agenda Some Quick Review Data Representation Pointer Arithmetic Memory Management Basic C Vulnerabilities Memory Corruption Ignoring Return values
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationSecure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack
Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack John Criswell, University of Illinois Andrew Lenharth, University of Illinois Dinakar Dhurjati, DoCoMo Communications
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationsottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani
Titolo presentazione Piattaforme Software per la Rete sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Outline 1) Introduction to System Security 2) Basic Exploits 3) Network
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationLinux Kernel Futex Fun: Exploiting CVE Dougall Johnson
Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call Kernel implementation CVE-2014-3153 My approach to exploiting it Futexes Fast user-space mutexes 32-bit integer
More informationcsci3411: Operating Systems
csci3411: Operating Systems Lecture 3: System structure and Processes Gabriel Parmer Some slide material from Silberschatz and West System Structure System Structure How different parts of software 1)
More informationAndroid Kernel Security
Jeff Vander Stoep and Sami Tolvanen Android Kernel Security Linux Security Summit Aug 2018 Acknowledgements People who have reported security vulnerabilities to Android security: https://source.android.com/security/overview/acknowledgements
More informationHardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
More informationDynamic Memory Allocation. Zhaoguo Wang
Dynamic Memory Allocation Zhaoguo Wang Why dynamic memory allocation? Do not know the size until the program runs (at runtime). #define MAXN 15213 int array[maxn]; int main(void) { int i, n; scanf("%d",
More informationCA341 - Comparative Programming Languages
CA341 - Comparative Programming Languages David Sinclair Dynamic Data Structures Generally we do not know how much data a program will have to process. There are 2 ways to handle this: Create a fixed data
More informationOperating System Structure
Operating System Structure Heechul Yun Disclaimer: some slides are adopted from the book authors slides with permission Recap: Memory Hierarchy Fast, Expensive Slow, Inexpensive 2 Recap Architectural support
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public
More informationINITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS
INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS Pages 792 to 800 Anna Rakitianskaia, University of Pretoria INITIALISING POINTER VARIABLES Pointer variables are declared by putting
More informationOpenCL: History & Future. November 20, 2017
Mitglied der Helmholtz-Gemeinschaft OpenCL: History & Future November 20, 2017 OpenCL Portable Heterogeneous Computing 2 APIs and 2 kernel languages C Platform Layer API OpenCL C and C++ kernel language
More informationDeveloping Real-Time Applications
Developing Real-Time Applications Real Time Operating Systems and Middleware Luca Abeni luca.abeni@unitn.it Characterised by temporal constraints deadlines Concurrent (application: set of real-time tasks)
More informationTHREADS: (abstract CPUs)
CS 61 Scribe Notes (November 29, 2012) Mu, Nagler, Strominger TODAY: Threads, Synchronization - Pset 5! AT LONG LAST! Adversarial network pong handling dropped packets, server delays, overloads with connection
More informationA Translation Framework for Automatic Translation of Annotated LLVM IR into OpenCL Kernel Function
A Translation Framework for Automatic Translation of Annotated LLVM IR into OpenCL Kernel Function Chen-Ting Chang, Yu-Sheng Chen, I-Wei Wu, and Jyh-Jiun Shann Dept. of Computer Science, National Chiao
More informationROSE-CIRM Detecting C-Style Errors in UPC Code
ROSE-CIRM Detecting C-Style Errors in UPC Code Peter Pirkelbauer 1 Chunhuah Liao 1 Thomas Panas 2 Daniel Quinlan 1 1 2 Microsoft Parallel Data Warehouse This work was funded by the Department of Defense
More informationSECURING SOFTWARE AGAINST LIBRARY ATTACKS
SECURING SOFTWARE AGAINST LIBRARY ATTACKS Roland Yap School of Computing National University of Singapore ryap@comp.nus.edu.sg Session ID: DAS W05 Session Classification: Advanced Untrusted Libraries Software
More information[0569] p 0318 garbage
A Pointer is a variable which contains the address of another variable. Declaration syntax: Pointer_type *pointer_name; This declaration will create a pointer of the pointer_name which will point to the
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationStatic Analysis in Practice
in Practice 15-313: Foundations of Software Engineering Jonathan Aldrich 1 Outline: in Practice Case study: Analysis at ebay Case study: Analysis at Microsoft Analysis Results and Process Example: Standard
More informationShoal: smart allocation and replication of memory for parallel programs
Shoal: smart allocation and replication of memory for parallel programs Stefan Kaestle, Reto Achermann, Timothy Roscoe, Tim Harris $ ETH Zurich $ Oracle Labs Cambridge, UK Problem Congestion on interconnect
More informationDynamic Memory Management
Dynamic Memory Management Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today s Lecture Dynamic memory management o Garbage collection by the run-time system (Java) o Manual deallocation
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationIn Java we have the keyword null, which is the value of an uninitialized reference type
+ More on Pointers + Null pointers In Java we have the keyword null, which is the value of an uninitialized reference type In C we sometimes use NULL, but its just a macro for the integer 0 Pointers are
More informationCS2141 Software Development using C/C++ Debugging
CS2141 Software Development using C/C++ Debugging Debugging Tips Examine the most recent change Error likely in, or exposed by, code most recently added Developing code incrementally and testing along
More informationJailbreaking. Apple Watch. Max Bazaliy. December 4-7, 2017
1 2 Jailbreaking 3 4 5 Apple Watch 6 7 8 9 Max Bazaliy 10 11 12 whoami 1 2 3 o Security researcher at Lookout o ios/tvos/watchos jailbreak author o Lead researcher on Pegasus exploit chain o Focused on
More informationMemory (Stack and Heap)
Memory (Stack and Heap) Praktikum C-Programmierung Nathanael Hübbe, Eugen Betke, Michael Kuhn, Jakob Lüttgau, Jannek Squar Wissenschaftliches Rechnen Fachbereich Informatik Universität Hamburg 2018-12-03
More informationFundamentals of Programming Session 12
Fundamentals of Programming Session 12 Instructor: Reza Entezari-Maleki Email: entezari@ce.sharif.edu 1 Fall 2014 These slides have been created using Deitel s slides Sharif University of Technology Outlines
More informationBrave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World
Brave New 64-Bit World An MWR InfoSecurity Whitepaper 2 nd June 2010 2010-06-02 Page 1 of 12 Abstract Abstract Memory requirements on server and desktop systems have risen considerably over the past few
More informationKSMA: Breaking Android kernel isolation and Rooting with ARM MMU features. WANG, YONG a.k.a. Pandora Lab of Ali Security
KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features WANG, YONG a.k.a. ThomasKing(@ThomasKing2014) Pandora Lab of Ali Security About WANG, YONG a.k.a. ThomasKing(@ThomasKing2014) Security
More informationDowsing for overflows: a guided fuzzer to find buffer boundary violations
Dowsing for overflows: a guided fuzzer to find buffer boundary violations István Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos Usenix Security 2013 August 14, 2013 1 / 22 Bugs, bugs everywhere
More information