Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables
|
|
- Cory Stewart
- 6 years ago
- Views:
Transcription
1 Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Chao Zhang Tao Wei Zhaofeng Chen Lei Duan Peking University Peking University UC Berkeley Peking University Peking University László Szekeres Stephen McCamant Dawn Song Wei Zou Stony Brook University University of Minnesota UC Berkeley Peking University
2 Eternal War in Memory (Oakland 13) buffer overflow A t t a c k e r code injec%on 2libc, ROP code re- use Info Leakage W X ASLR? D e f e n d e r 2
3 Reac%ve Defense is not adequate > 5,000 CVE vulnerabili%es each year. Many more are under the iceberg. Vulnerabili%es are exploited millions of %mes. 7,000 6,000 5,000 4,000 3,000 2,000 1,000 #cve Symantec Internet Security Threat Report 3
4 Proac%ve Defense: Control Flow Integrity Control Flow Integrity, CFI [CCS 05] Security policy Each run- %me control transfer must comply with programmer s compile- %me intent, i.e., the control- flow graph A strong guarantee that can be reasoned about formally ROP, JOP, UAF A founda%on for other low- level code defenses SFI, sandboxing untrusted code Determinis%c, not probabilis%c defense 4
5 Control- Flow Graph condi%onal jump (jz ): target rela%ve address direct jump/call: target rela%ve or absolute address indirect jump/call: target? (read or computed from memory) urn: target urn address on the stack 5
6 Scope of Control- Flow Integrity Protec%on Control Transfer Method Transfer Targets Integrity Protec8on Excep%ons Excep%on handlers SafeSEH, SEHOP Direct CALL/JMP, Condi%onal jump (JZ) Hard- coded func%on pointers (embedded in the code) W X Indirect CALL/JMP In- memory func%on pointers CFI RET instruc%ons On- stack urn addresses /GS, shadow stack, CFI 6
7 Control Flow Integrity (CCS 05) call eax next_1: call ecx next_2: foo: bar: fun: build Control Flow Graph source code/debug info all modules 7
8 Control Flow Integrity (CCS 05) check ID_1 call eax next_1: call ecx next_2: foo: ID_1 bar: fun: build Control Flow Graph binary rewri%ng instrument IDs before transfer targets validate IDs before control transferring 8
9 Control Flow Integrity (CCS 05) check ID_1 call eax next_1: check ID_1 call ecx next_2: foo: ID_1 bar: ID_1 fun: ID_1 build Control Flow Graph binary rewri%ng diversity of IDs 9
10 Control Flow Integrity (CCS 05) check ID_1 call eax ID_2 next_1: check ID_1 call ecx ID_2 next_2: foo: ID_1 check ID_2 bar: ID_1 check ID_2 fun: ID_1 check ID_2 build Control Flow Graph binary rewri%ng diversity of IDs all indirect transfers indirect call indirect jmp 10
11 Challenges faced by CFI performance overhead: average 15%, max 46% check ID_1 call eax next_1: call foo foo: ID_1 Ø ID is embedded in a slow prefetchnta instruc%on Ø executed each %me the transfer target is reached Ø introduce overhead even if foo is called/jumped to directly ü most calls/jumps are direct 11
12 Challenges faced by CFI performance overhead modularity support A single module cannot be hardened independently module_a call printf ID_A module_b call printf ID_B libc printf: check which ID? 12
13 Challenges faced by CFI performance overhead modularity support backward compa%bility hardened module check ID_1 call eax next_1: foo: ID_1 bar: ID_1 unhardened module test: 13
14 Challenges faced by CFI performance overhead modularity support backward compa%bility source code/debug info dependency to build Control Flow Graph 14
15 Mo%va%on A light- weight CFI solu%on with a strong protec%on performance overhead modularity support backward compatibility source code independent 15
16 Assump%on ASLR and W X (e.g. DEP) are deployed NO self-modifying code or dynamically generated code. Limited informa%on disclosure vulnerabili%es e.g., cannot read en%re memory regions 16
17 Outline Mo%va%on Intui%on & Design Implementa%on Security Enhancement Evalua%on Conclusion 17
18 Intui%on Checking transfer targets kind, rather than IDs indirect call/jmp can only transfer to func%on- pointer stubs urns can only transfer to urn- address stubs 18
19 Intui%on: efficient check memory alignment func%on pointer stubs are 8- bytes aligned urn address stubs are 16- bytes aligned foo: test [esp],0x0f test eax,7 call eax next_1: bar: test [esp],0x0f test ecx,7 fun: call ecx test [esp],0x0f next_2: fast bit tes%ng performance overhead No IDs performance overhead only check type modularity support 19
20 Intui%on: security Transfer targets must be within memory region Springboard 27 th bit is 0 foo: test [esp],m_r test eax,m_f call eax next_1: bar: test [esp],m_r test ecx,m_f call ecx next_2: M_F = 0x fun: test [esp],m_r M_R = 0x f Policy: all indirect transfer targets must be aligned stubs in Springboard. 20
21 Design: Memory layout with Springboard Executable? Bits Springboard vs. normal code sec%on (27 th bit) Entries in the Springboard are all aligned. (0-2 bits) Three kinds of stubs in Springboard fp- stub entries vs. - stub entries sensi%ve vs. normal - stub Meaning No * * * *** Non- executable sec%on Yes 1 * * *** Normal code sec%on Yes 0 * *!000 Invalid entry in Springboard Yes 0 * fp- stub entry in Springboard Yes Sensi%ve - stub entry in Springboard Yes Normal - stub entry in Springboard (3 rd bit) (26 th bit) normal - stubs cannot urn into the middle of sensi%ve func%ons One or two fast bit tes%ng instruc%ons are sufficient 21
22 Architecture of our solu%on: CCFIR Find out all indirect transfer instruc%ons and their targets BitCover: disassemble target binary Redirect transfer targets to aligned stubs in Springboard Validate transfer targets BitRewrite: binary rewri%ng Verify the hardened binary BitVerify 22
23 Outline Mo%va%on Intui%on & Design Implementa%on Security Enhancement Evalua%on Conclusion 23
24 BitCover: disassembling Target: normal binaries generated by modern compilers Support ASLR On Windows, it implies the executable contains reloca%on informa%on We can iden%fy all legal func%on pointers (indirect call/jmps targets) Automa%cally disassemble most of normal binaries Based on well- defined rules performance overhead modularity support backward compatibility source code independent More accurate than IDA Pro, especially designed for binary rewri%ng 24
25 BitRewrite: binary rewri%ng Policy: all indirect transfers are enforced to aligned stubs in Springboard. Original code section mov eax, 5 1 call eax 2 5 Protected code section mov eax, 5 1 call eax 2 5 Validate s target. - stub in Springboard validate 6 3' Direct control transfer Indirect control transfer Springboard section 25
26 BitRewrite: binary rewri%ng Policy: all indirect transfers are enforced to aligned stubs in Springboard. Original code section Protected code section mov eax, 5 mov eax, call eax ' 5 validate 6 Validate s target. - stub in Springboard Redirect s target. move call to Springboard 2'' call eax 3' Direct control transfer Indirect control transfer Springboard section 26
27 BitRewrite: binary rewri%ng Policy: all indirect transfers are enforced to aligned stubs in Springboard. Original code section Protected code section mov eax, 5 mov eax, call eax 6 1 2' 3 4 2'' validate call eax validate 5 6 Validate s target. - stub in Springboard Redirect s target. move call to Springboard Validate call s target. fp- stub in Springboard 3' 5' Direct control transfer Indirect control transfer Springboard section 27
28 BitRewrite: binary rewri%ng Policy: all indirect transfers are enforced to aligned stubs in Springboard. Original code section Protected code section mov eax, 5 mov eax, 5' call eax '' 3' 5' 1 2' 5 validate call eax validate 6 Validate s target. - stub in Springboard Redirect s target. move call to Springboard Validate call s target. fp- stub in Springboard Redirect call s target. rewrite func%on pointers Direct control transfer Indirect control transfer Springboard section 28
29 BitRewrite: In a nutshell redirect func%on pointers and urn addresses rewrite func%on pointers in memory move call instruc%ons to springboard validate transfer targets with bit tes%ng instruc%ons mov eax,foo call eax next: foo: mov eax,foo_sb foo: test eax,8 jz error test eax,m_f jnz error jmp next_sb- 2 next: test [esp],m_r jnz error call eax next_sb: jmp back foo_sb: jmp foo Direct control transfer Indirect control transfer M_F = 0x M_R = 0x800000f or M_R = 0xC00000f 29
30 BitRewrite: Op%miza%ons performance overhead modularity support backward compatibility source code independent With the support of W X, we can skip redirecting or validating directly used func%on pointers call foo directly used imported func%ons call [imp_foo] switch statements and jump table jmp jump_table[eax*4] 30
31 BitRewrite: backward compa%bility performance overhead modularity support backward compatibility source code independent With a full deployment (i.e., all modules hardened), backward compa%bility issues no longer existed. With incremental deployment, such issues occur when CALL/JMP to func%ons in unhardened modules RET to urn addresses in unhardened modules 31
32 case 1: Imported func%ons Challenge Import Address Table (IAT) load- %me resolving the loader will update IAT we cannot sta%cally rewrite IAT entries (func%on pointers) Solu%on Replace IAT with a wrapper table mov ecx,[foo_slot] call ecx mov ecx, [foo_slot_wrap] call ecx.iat: foo_slot:.iat: foo_slot: foo points to foo IAT_wrapper foo_slot_wrap: foo_sb Springboard foo_sb: jmp [foo_slot] points to 32
33 case 2: Func%ons resolved by GetProcAddress Challenge GetProcAddress() urns a non- redirected func%on pointer. The instrumented security check will fail Solu%on wrapper for GetProcAddress redirect urn value at run%me mov ecx,[gpa_slot] call ecx call eax ;GPA s value mov ecx, [gpa_slot_wrap] call ecx call eax ;GPA s value IAT_wrapper gpa_slot_wrap: gpa_sb.iat: gpa_slot: GetProcAddress.iat: gpa_slot: GetProcAddress Springboard points to gpa_sb: jmp gpa_wrapper gpa_wrap: call [gpa_slot] #fill new stub # stub ptr points to 33
34 BitVerify: Offline Verifica%on whether a given binary conforms to security rules? 27 th bit of executable sec%on except Springboard should be 1 Code stubs in Springboard are all aligned Func%on pointers are redirected Call instruc%on has been redirected Check code has been correctly inserted 34
35 Outline Mo%va%on Intui%on & Design Implementa%on Security Enhancement Evalua%on Conclusion 35
36 Policy 1: Restrain sensi%ve func%ons Sensi%ve func%ons system(), execv(), VirtualProtect(), VirtualAlloc(), Policy: Sensi%ve func%ons should be used via direct calls. i.e., their addresses are never taken except hard-coded in instruc%ons Benefit: NO fp- stubs for sensi%ve func%ons in the Springboard Avackers cannot indirectly call/jump to these func%ons. 36
37 Policy 2: Load- %me Randomiza%on Policy: The order of all stubs in the Springboard are randomized at load- %me. Benefit: cannot guess one stub s address even if another address is leaked in the Springboard. A stronger randomiza%on than ASLR. It provides an extra layer of protec%on from the previous CFI- style checking. 37
38 Brief Security Analysis urn- to- libc libc system(): printf(): NO - stub for system() - stub for printf() is randomized jump- to- libc similar to urn- to- libc gadgets must start from fp- stubs in the Springboard ROP Valid gadgets must start from - stubs in the Springboard Few valid ROP gadgets much longer, hard to chain. foo(): test [esp], (info leakage is needed) 38
39 Outline Mo%va%on Intui%on & Design Implementa%on Security Enhancement Evalua%on Conclusion 39
40 Run%me Overhead SPECint2000, average 3.6%, max 8.6% SPECfp2000, average 0.59%, max 3.98% 40
41 Sta%c Analysis Time SPECint2000 & SPECfp2000, 10s seconds 41
42 ROP Elimina%on Mona is used to count ROP gadgets Valid gadgets must start from - stubs in Springboard SPECfp2000 App original #gadgets new #gadgets valid #gadgets wupwise swim mgrid applu mesa galgel art equake facerec ROP gadgets count (part) 42
43 Real World Exploits Protec%on 43
44 Outline Mo%va%on Intui%on & Design Implementa%on Security Enhancement Evalua%on Conclusion 44
45 Conclusion Performance and compa%bility issues limit the adop%on of Control Flow Integrity. CCFIR is a lightweight CFI solu%on providing a strong guarantee, can block control- flow hijacks like ROP and 2libc. CCFIR overcomes the performance and compa%bility issues, and make it a prac%cal solu%on. 45
46 Thanks! 46
Practical Control Flow Integrity & Randomization for Binary Executables
2013 IEEE Symposium on Security and Privacy Practical Control Flow Integrity & Randomization for Binary Executables Chao Zhang 1, Tao Wei 1,2, Zhaofeng Chen 1, Lei Duan 1, László Szekeres 2,3+, Stephen
More informationPRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES
PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationFPGate: The Last Building Block For A Practical CFI Solution
FPGate: The Last Building Block For A Practical CFI Solution Tao Wei 1,2, Chao Zhang 2, Zhaofeng Chen 2, Lei Duan 2, Laszlo Szekeres 1, Stephen McCamant 1, Dawn Song 1 1 UC Berkeley, EECS 2 Beijing Key
More informationWalls, Gates, and Guards
Walls, Gates, and Guards Thomas Gross ETH Zurich Joint work with A. Barresi (xorlab) and M. Payer (Purdue) In case you want to leave Safe languages, and verifica
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationBaggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand
Baggy bounds checking Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand C/C++ programs are vulnerable Lots of exis5ng code in C and C++ More being wrieen every day C/C++ programs are prone to
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationSoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14
SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationA Platform for Secure Static Binary Instrumentation
A Platform for Secure Static Binary Instrumentation Mingwei Zhang, Rui Qiao, Niranjan Hasabnis and R. Sekar Stony Brook University VEE 2014 Work supported in part by grants from AFOSR, NSF and ONR Motivation
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationOut Of Control: Overcoming Control-Flow Integrity
Out Of Control: Overcoming Control-Flow Integrity Enes Göktaş Vrije Universiteit Amsterdam, The Netherlands Email: enes.goktas@vu.nl Elias Athanasopoulos FORTH-ICS Heraklion, Crete, Greece Email: elathan@ics.forth.gr
More informationControl Flow Integrity
Control Flow Integrity Outline CFI Control Flow Integrity at Source Code Level BinCFI CFI for Binary Executables BinCC Binary Code Continent vfguard CFI Policy for Virtual Function Calls 1 M. Abadi, M.
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs How to run untrusted programs and not harm your system? Answer: Confinement (some:mes called
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationCODE reuse attacks (CRAs) emerged as a powerful attack, HCIC: Hardware-assisted Control-flow Integrity Checking
This article has been accepted for publication in a future issue of this journal, but has not been fully edited Content may change prior to final publication Citation information: DOI 101109/JIOT20182866164,
More informationModule: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation
More informationShuffler: Fast and Deployable Continuous Code Re-Randomization
Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis,
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationMemory Corruption: Why Protection is Hard. Mathias Payer, Purdue University
Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationSo$ware Security (II): Buffer- overflow Defenses
Computer Security Course. Dawn Song So$ware Security (II): Buffer- overflow Defenses Dawn Song 1 PrevenBng hijacking afacks Fix bugs: Audit so$ware Automated tools: Coverity, Prefast/Prefix, ForBfy Rewrite
More informationCS161 Midterm 1 Review
CS161 Midterm 1 Review Midterm 1: March 4, 18:3020:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about
More informationBasic Memory Corrup+on A3acks
Memory Corrup+on Basic Memory Corrup+on A3acks Original slides were created by Prof. Dan Boneh Memory corrup+on a3acks A3acker s goal: Take over target machine (e.g. web server) Execute arbitrary code
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Stony Brook University University of California, Berkeley Peking University Abstract Memory corruption bugs in software written
More informationDefending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 4: Exploit Defenses Stuart Staniford Adjunct Professor of Computer Science Logis;cs Course is now official Expect an email from Stephanie Meik with your PIN Need to
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationControl-Flow Bending: On the Effectiveness of Control-Flow Integrity
Control-Flow Bending: On the Effectiveness of Control-Flow Integrity Nicolas Carlini UC Berkeley Antonio Barresi ETH Zurich Thomas R. Gross ETH Zurich Mathias Payer Purdue University David Wagner UC Berkeley
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationBasic Memory Corrup+on A3acks
Memory Corrup+on Basic Memory Corrup+on A3acks Original slides were created by Prof. Dan Boneh Memory corrup+on a3acks A3acker s goal: Take over target machine (e.g. web server) Execute arbitrary code
More informationDynamoRIO Examples Part I Outline
Examples: Part I 1:30-1:40 Welcome + DynamoRIO History 1:40-2:40 DynamoRIO Internals 2:40-3:00 Examples, Part 1 3:00-3:15 Break 3:15-4:15 DynamoRIO API 4:15-5:15 Examples, Part 2 5:15-5:30 Feedback DynamoRIO
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationMitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011
Mitigating Code-Reuse Attacks with Control-Flow Locking Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Introduction Computer systems run complicated software, which is vulnerable We keep finding
More informationBasic Control Hijacking A5acks
Control Hijacking Basic Control Hijacking A5acks Last Class Memory Layout of binaries Stack for ac>va>on records (stack frame) Structure and purpose of stack of ac>va>on records Code, data and heap Security
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationA2C: Self Destruc-ng Exploit Execu-ons via Input Perturba-on
A2C: Self Destruc-ng Exploit Execu-ons via Input Perturba-on Yonghwi Kwon 1, Brendan Saltaformaggio 1, I Luk Kim 1, Kyu Hyung Lee 2, Xiangyu Zhang 1, and Dongyan Xu 1 1 Department of Computer Science,
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationPhysical Unclonable Functions-based Linear Encryption against Code Reuse Attacks
Physical Unclonable Functions-based Linear Encryption against Code Reuse Attacks Pengfei Qiu, Yongqiang Lyu Research Institute of Information Technology & TNList Tsinghua University Beijing, China {qpf15;luyq}@mails.tsinghua.edu.cn
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More information1358 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 7, JULY 2018
1358 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 7, JULY 2018 Control Flow Integrity Based on Lightweight Encryption Architecture Pengfei Qiu, Yongqiang
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationISOLATION DEFENSES GRAD SEC OCT
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More informationVulnerability Analysis I:
Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationControl Flow Integrity for COTS Binaries Report
Control Flow Integrity for COTS Binaries Report Zhang and Sekar (2013) January 2, 2015 Partners: Instructor: Evangelos Ladakis Michalis Diamantaris Giorgos Tsirantonakis Dimitris Kiosterakis Elias Athanasopoulos
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationUndermining the Linux Kernel: Malicious Code Injec:on via /dev/mem
Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on
More informationNever Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data
Never Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data Ke Sun Ya Ou Yanhui Zhao Xiaomin Song Xiaoning Li wildsator@gmail.com perfectno2015@gmail.com wildyz.yky@gmail.com
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationData Flow Analysis. Suman Jana. Adopted From U Penn CIS 570: Modern Programming Language Implementa=on (Autumn 2006)
Data Flow Analysis Suman Jana Adopted From U Penn CIS 570: Modern Programming Language Implementa=on (Autumn 2006) Data flow analysis Derives informa=on about the dynamic behavior of a program by only
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationRegister Alloca.on Deconstructed. David Ryan Koes Seth Copen Goldstein
Register Alloca.on Deconstructed David Ryan Koes Seth Copen Goldstein 12th Interna+onal Workshop on So3ware and Compilers for Embedded Systems April 24, 12009 Register Alloca:on Problem unbounded number
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationShellcode Analysis. Chapter 19
Shellcode Analysis Chapter 19 What is Shellcode Shellcode a payload of raw executable code, attackers use this code to obtain interactive shell access. A binary chunk of data Can be generally referred
More informationVirtual Memory: Concepts
Virtual Memory: Concepts 5-23 / 8-23: Introduc=on to Computer Systems 6 th Lecture, Mar. 8, 24 Instructors: Anthony Rowe, Seth Goldstein, and Gregory Kesden Today VM Movaon and Address spaces ) VM as a
More informationOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationAdvanced Systems Security: Control-Flow Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationResearch opportuni/es with me
Research opportuni/es with me Independent study for credit - Build PL tools (parsers, editors) e.g., JDial - Build educa/on tools (e.g., Automata Tutor) - Automata theory problems e.g., AutomatArk - Research
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationHideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities
HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities Jason Gionta, William Enck, Peng Ning 1 JIT-ROP 2 Two Attack Categories Injection Attacks Code Integrity Data
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationJust-in-Time Code Reuse
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University
More informationSmashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization
2012 IEEE Symposium on Security and Privacy Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis
More informationDachshund. Digging for and Securing Against (Non-)Blinded Constants in JIT Code
Dachshund Digging for and Securing Against (Non-)Blinded Constants in JIT Code Giorgi Maisuradze, Michael Backes, Chris;an Rossow CISPA, Saarland University, Germany NDSS Symposium 2017 Overview Code reuse
More informationThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian
More informationCS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan
CS 6V81-05 Control-Flow Integrity Principles, Implementations, and Applications Sureshbabu Murugesan Department of Computer Science University of Texas at Dallas February 29 th, 2012 Outline 1 Overview
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More information