QPSI. Qualcomm Technologies Countermeasures Update
1 QPSI Qualcomm Technologies Countermeasures Update

2 Introduction

Sometime back in 2010: let's have exploit countermeasures on our products.
- Why? Hard to fix all bugs. We might as well make them more difficult (more fun) to exploit.
- Where? All embedded images. Let our customers worry about Linux/Windows.
- How? Let's start with some basics.
4 Introduction: SoC architecture

An SoC contains a number of processor cores: applications, modem, DSP, wireless, sensors, ...
Processors may have different architectures: ARM, Hexagon, etc.
Each processor has one or more images:
- ROM images, bootloaders
- TrustZone
- HLOS (High-Level Operating System)
- Modem
- Peripheral images

5 Baseline mitigations

- Data Execution Prevention (DEP): memory should not be writable and executable at the same time (W^X). Also make sure page 0 is not mapped.
- Stack Protection: enable stack canaries in builds. Make sure the canaries are generated randomly.
- Heap Hardening: protect heap metadata; do safe linking/unlinking/...
- ASLR: randomize as much as possible.
6 Data Execution Prevention (DEP)

Hardware support needed: processor cores must support non-executable mappings.
- Hexagon DSPs for Modem etc.
- ARM7 (ARMv3), ARM9 (ARMv5) as peripheral processors.
- ARM11 (ARMv6) or Scorpion (ARMv7) as the applications processor.
Memory permissions must be adjusted: either RW or RX, but never WX. Also do not map page 0.
- Requires image alignment -> has physical memory impact.
Default permissions must be fixed: no more RWX for new mappings.

7 Software Stack Protection (SSP)

Toolchain support needed: -fstack-protector.
- RVCT (ARM) compiler v3.8 had no stack protection support. We asked ARM to add support for stack protection; it was delivered in v5.01 of the compiler.
- GCC used for the Hexagon DSP already had support.
Need random numbers during initialization.
- Hardware RNG available; had to enable it early on.
- Make drivers available in all images.

8 Heap Hardening

SafeHeap: guidelines for a robust heap implementation.
- Header integrity and safe unlinking
- Debugging aids
- Secure redesign
Implementing SafeHeap:
- Identify heap implementations: 17 distinct heap implementations across 12 images, 2 SoCs.
- Evaluate them against the SafeHeap criteria.
- Come up with a plan to transition to SafeHeap-compliant heaps.
- Fixing existing heaps did not work. Converged to two heaps we reviewed.

9 Address Space Layout Randomization

Randomize all the things. Turns out it is hard to randomize embedded images:
- Many assumptions about physical addresses.
- Lack of MMU in some cases.
- Architectural limitations: time-critical code that needs to run from fixed locations.
- Performance/size concerns regarding position-independent code.
- Toolchain limitations: no PIE (Position Independent Executable) support.
We ended up randomizing the heap/stack base on certain images, and started exploring alternatives to code layout randomization.
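The "safe unlinking" item above is the one SafeHeap guideline that can be shown in a few lines. The following is an added example, not code from this deck or from any Qualcomm heap: a toy circular free list with the classic unchecked unlink next to the checked version. The chunk layout, the names and the overflow scenario (a neighbouring allocation overruns into a freed chunk's fd/bk) are assumptions made for illustration.

```c
/* Added example, not from the Qualcomm deck: a toy free list with the classic
 * unsafe unlink next to the "safe unlinking" check that SafeHeap asks for.
 * Chunk layout, names and the attack scenario are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct chunk {
    size_t size;        /* size field, inline with user data -> overflow target */
    struct chunk *fd;   /* next chunk on the free list */
    struct chunk *bk;   /* previous chunk on the free list */
};

static struct chunk free_head;   /* sentinel of a circular doubly linked list */

static void list_init(void)
{
    free_head.size = 0;
    free_head.fd = free_head.bk = &free_head;
}

static void list_insert(struct chunk *c)
{
    c->fd = free_head.fd;
    c->bk = &free_head;
    free_head.fd->bk = c;
    free_head.fd = c;
}

/* Unsafe unlink: trusts fd/bk. If an overflow rewrote them, the first store
 * becomes "write attacker-chosen value to attacker-chosen address". */
static void unlink_unsafe(struct chunk *c)
{
    c->bk->fd = c->fd;
    c->fd->bk = c->bk;
}

/* Safe unlink: both neighbours must still point back at c. Corrupted links
 * fail this test before any write happens. A real heap would abort() here. */
static bool unlink_safe(struct chunk *c)
{
    if (c->fd->bk != c || c->bk->fd != c)
        return false;
    c->bk->fd = c->fd;
    c->fd->bk = c->bk;
    return true;
}

/* The word the attacker wants to overwrite. It is chunk-shaped so that
 * target.fd sits exactly where the unlink store lands; think of it as a
 * function pointer or free-list head at a known address in an image
 * without code ASLR. */
static struct chunk target;
static struct chunk scratch;   /* any writable memory; absorbs the second store */

#define LEGIT_VALUE 0x41414141u

/* Constructed scenario: a chunk is on the free list; an overflow from its
 * lower neighbour rewrites its fd/bk. Returns target.fd after the unlink. */
static uintptr_t demo_unlink(bool use_safe)
{
    struct chunk victim;
    list_init();
    target.fd = (struct chunk *)(uintptr_t)LEGIT_VALUE;
    list_insert(&victim);

    victim.fd = &scratch;   /* value to write; must be writable for the 2nd store */
    victim.bk = &target;    /* where to write: target.fd = victim.fd */

    if (use_safe) {
        if (!unlink_safe(&victim))
            return (uintptr_t)target.fd;   /* unchanged: corruption caught */
    } else {
        unlink_unsafe(&victim);
    }
    return (uintptr_t)target.fd;
}

/* Sanity check that the checked unlink still works on an intact list. */
static bool demo_legit_unlink(void)
{
    struct chunk c;
    list_init();
    list_insert(&c);
    return unlink_safe(&c) && free_head.fd == &free_head && free_head.bk == &free_head;
}

int main(void)
{
    printf("unsafe unlink: target.fd = %#lx (scratch is at %#lx)\n",
           (unsigned long)demo_unlink(false), (unsigned long)(uintptr_t)&scratch);
    printf("safe unlink:   target.fd = %#lx (unchanged)\n", (unsigned long)demo_unlink(true));
    printf("legit unlink with safe check: %s\n", demo_legit_unlink() ? "ok" : "FAILED");
    return 0;
}
```

The check costs two loads and two compares per unlink, which is why it is the first thing to ask for when evaluating a heap against the criteria above. It does not protect the size field or detect a corrupted fd whose target happens to point back at the chunk, so it belongs alongside header integrity checks rather than replacing them.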
10 Countermeasures Roadmap

11 Countermeasures Roadmap: Overview

Let's do this for ALL products.
- Work with all image/product leads.
- Establish security requirements for products.
Work with developers to implement countermeasures.
- Provide proof-of-concept implementations.
- Review the implementations.
Test for the presence of countermeasures.
Figure out solutions for non-standard cases: new architectures/images/toolchains.
Research domain-specific countermeasures.

12 Countermeasures Roadmap: ALL products

Initial work focused on embedded cores in mobile chipsets: MSM/APQ/MDM, embedded (non-HLOS) images.
We need to cover other products: router, automotive, small cell, IoT, QNX, OpenWRT, other embedded Linux distributions, ...
Android and Windows are fine. What about OpenWRT? Need to engage with HLOS images as well.

13 Countermeasures Roadmap: Domain-Specific Countermeasures

- DEP for ARM9 (video core): use the SMMU to enforce DEP.
- TrustZone: secure application ASLR.
- Linux kernel: kernel randomness at boot for SSP; Privileged Access Never (PAN) support for ARMv8.
- Stack protection for Xtensa cores: a register window architecture with no compiler support.
- Hexagon FRAMEKEY: stack frame scrambling in hardware.

14 Countermeasures Roadmap: Testing

Need both static and dynamic tests:
- DEP: dynamic allocations.
- Stack protection: presence and canary randomness.
- Error handlers.
Successful tests crash the system, the opposite of how functional testing frameworks determine success.
Interesting issues found:
- A new feature introduced aliased RW mappings, breaking DEP.
- Only the test code was actually compiled with SSP.
- QSEE application ASLR randomness.
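The "aliased RW mappings" finding is worth a concrete test, because no single mapping looks wrong in that case. The following is an added example, not a Qualcomm test, written for a Linux HLOS image (the deck's embedded cores expose their page tables differently): it audits mappings in the `/proc/<pid>/maps` format for three DEP violations, a mapping that is W and X at once, a mapped page 0, and two file-backed mappings of the same file bytes where one is writable and the other executable. The maps lines in the sample are constructed, not captured from a device.

```c
/* Added example, not from the Qualcomm deck: a DEP presence test of the kind
 * the roadmap calls for, written against Linux /proc/<pid>/maps. It flags
 * W+X mappings, a mapped page 0, and "aliased" mappings (the same file bytes
 * reachable once writable and once executable), which is the failure mode the
 * deck reports. The maps lines below are constructed, not captured. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPS 64

struct mapping {
    uint64_t start, end, offset, inode;
    unsigned dev_major, dev_minor;
    bool w, x;
};

struct dep_report {
    int parsed;     /* mappings understood */
    int wx;         /* writable and executable at the same time */
    bool page0;     /* something is mapped at virtual address 0 */
    int aliases;    /* a W mapping and an X mapping of the same file bytes */
};

/* Parse "start-end perms offset dev inode [path]" lines; other lines are skipped. */
static int parse_maps(const char *text, struct mapping *out, int max)
{
    int n = 0;
    for (const char *p = text; *p && n < max; ) {
        char perms[8] = {0};
        struct mapping m = {0};
        if (sscanf(p, "%" SCNx64 "-%" SCNx64 " %7s %" SCNx64 " %x:%x %" SCNu64,
                   &m.start, &m.end, perms, &m.offset,
                   &m.dev_major, &m.dev_minor, &m.inode) == 7) {
            m.w = perms[1] == 'w';
            m.x = perms[2] == 'x';
            out[n++] = m;
        }
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

static bool overlap(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1)
{
    return a0 < b1 && b0 < a1;
}

static struct dep_report dep_audit(const char *maps_text)
{
    struct mapping m[MAX_MAPS];
    struct dep_report r = {0};
    r.parsed = parse_maps(maps_text, m, MAX_MAPS);
    for (int i = 0; i < r.parsed; i++) {
        if (m[i].w && m[i].x) r.wx++;
        if (m[i].start == 0) r.page0 = true;
        /* Alias check: two mappings of overlapping ranges of the same file,
         * one W and the other X, break W^X even though each looks clean. */
        for (int j = i + 1; j < r.parsed; j++) {
            if (m[i].inode == 0 || m[i].inode != m[j].inode) continue;
            if (m[i].dev_major != m[j].dev_major || m[i].dev_minor != m[j].dev_minor) continue;
            if (!overlap(m[i].offset, m[i].offset + (m[i].end - m[i].start),
                         m[j].offset, m[j].offset + (m[j].end - m[j].start))) continue;
            if ((m[i].w && m[j].x) || (m[i].x && m[j].w)) r.aliases++;
        }
    }
    return r;
}

/* Constructed sample: three violations hidden among ordinary mappings. */
static const char sample_maps[] =
    "00000000-00001000 rw-p 00000000 00:00 0\n"                                 /* page 0 */
    "55d4c0a00000-55d4c0a05000 r-xp 00000000 08:01 100 /opt/app/bin/modem_test\n"
    "55d4c0c05000-55d4c0c06000 rw-p 00005000 08:01 100 /opt/app/bin/modem_test\n"
    "7f1000000000-7f1000010000 rwxp 00000000 00:00 0 [jit]\n"                   /* W+X */
    "7f2000000000-7f2000001000 r-xp 00000000 08:01 200 /dev/shm/fw_scratch\n"
    "7f2000001000-7f2000002000 rw-p 00000000 08:01 200 /dev/shm/fw_scratch\n"   /* alias */
    "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n";

static void print_report(const char *what, struct dep_report r)
{
    printf("%s: %d mappings, %d W+X, page0 %s, %d W/X aliases -> %s\n", what,
           r.parsed, r.wx, r.page0 ? "mapped" : "unmapped", r.aliases,
           (r.wx || r.page0 || r.aliases) ? "DEP BROKEN" : "ok");
}

int main(void)
{
    print_report("constructed sample", dep_audit(sample_maps));
    static char buf[1 << 16];                 /* on a Linux host, also audit ourselves */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        print_report("/proc/self/maps", dep_audit(buf));
    }
    return 0;
}
```

A static scan of the image's segment table catches permanent RWX segments; this dynamic check is the complement, run after the feature under test has made its allocations, since that is when the aliased mapping appears. On a target without an MMU the same three questions have to be asked of the MPU region table instead.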
15 Domain-Specific Countermeasures

16-21 StackGhost: Tensilica Xtensa Register File

(Animated figure over six slides: the register file ar0..ar31 with a 16-register window. call0 leaves the window in place; call4, call8 and call12 slide it by 4, 8 or 12 registers, until the window runs off the end of the register file and older windows have to be spilled.)
22 StackGhost: Tensilica Xtensa Stack Protection

Saved return addresses are spilled onto the stack during window overflow and restored during window underflow. Stack canaries make little sense: the compiler never writes the return address in a function prologue, so there is no frame-local slot for a canary to guard.

23 StackGhost: Hardware-Facilitated Stack Protection

Window {over,under}flows are exceptions handled by the kernel.
- Encode the saved return address and frame pointer before spilling them onto the stack.
- Decode the saved return address and frame pointer after restoring them from the stack.
The key is stored in a special register when available, or in memory. The key can be refreshed in some situations.
24 Countermeasures Research

25 Control Flow Integrity: Definition

Control Flow Integrity (CFI) is a property of a program where the control flow follows only legitimate paths through the program, determined in advance.

26-28 Control Flow Integrity

(Figure slides: a call flow graph, then the same graph under exploitation; images not recovered.)

29 Control Flow Integrity

Active research area since about the time of Control-Flow Integrity: Principles, Implementations, and Applications.
- Microsoft's Control Flow Guard.
- LLVM implementations.
- Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM.
- grsecurity's Reuse Attack Protector (RAP).

30 Control Flow Integrity: Challenges and Lessons

Key challenges / goals for embedded images:
- Low performance overhead.
- Low code size overhead.
- Support for modern software engineering practices.
- Interoperability.
- Security.
Lessons:
- Protecting indirect branches is less expensive than protecting return addresses.
- Use different solutions for indirect branches and return addresses.
- Hardware support is necessary.
31 Hexagon Hardware Stack Protection: FRAMEKEY

Hexagon has instructions to allocate/deallocate stack frames:
- allocframe pushes LR and FP to the stack and adjusts SP.
- deallocframe restores LR and FP and adjusts SP.
FRAMEKEY scrambles the return address:
- Encode the return address before spilling it onto the stack in allocframe.
- Decode the return address after restoring it from the stack in deallocframe.
- The key is stored in a new FRAMEKEY register.
The kernel manages FRAMEKEY for threads:
- Generate a random FRAMEKEY when creating a new thread.
- Save/restore FRAMEKEY when switching threads.

32 Hexagon Hardware Stack Protection: SSP vs. FRAMEKEY

                             SSP                                        FRAMEKEY
Coverage                     2% of functions.                           100% of non-leaf functions.
Size and performance impact  Proportional to coverage.                  None.
Information leaks            The canary value can be recovered from     The key can be recovered from the stack.
                             the stack. All threads use the same        Each thread uses a different key.
                             canary value.
Error handling               A software error handler is invoked        The program counter is set to an unpredictable
                             when a mismatch is detected.               address and a fault occurs if the address is
                                                                        unaligned, if non-executable memory is
                                                                        executed, etc.
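The FRAMEKEY slides and the StackGhost slides describe the same mechanism (encode the saved return address with a key before it reaches the stack, decode it on the way back), so one model serves both. The following is an added example, not Qualcomm code and not a description of the Hexagon hardware: the deck only says the return address is "encoded", and modelling that as an XOR with the key is an assumption, as are the image layout and every address. It shows the three rows of the table above: a blind overwrite decodes to an unpredictable, faulting address; a leaked (slot, known return address) pair gives the key back; and a key leaked from one thread does not work against another.

```c
/* Added example, not from the Qualcomm deck: a software model of FRAMEKEY-style
 * return-address scrambling (the same idea StackGhost applies to Xtensa window
 * spills). The deck says the saved LR is "encoded"; modelling that as an XOR
 * with the key is an assumption, as are the image layout and all addresses. */
#include <stdint.h>
#include <stdio.h>

#define TEXT_START 0xB0000000u   /* constructed: executable image range */
#define TEXT_END   0xB0100000u

struct thread { uint32_t framekey; };   /* the kernel draws this from the HW RNG per thread */

/* allocframe: the return address is encoded before it is written to the stack. */
static uint32_t alloc_frame(const struct thread *t, uint32_t lr)
{
    return lr ^ t->framekey;          /* value that lands in the saved-LR slot */
}

/* deallocframe: decode on the way out; the core then returns to the result. */
static uint32_t dealloc_frame(const struct thread *t, uint32_t saved_slot)
{
    return saved_slot ^ t->framekey;
}

enum ret_outcome { RET_OK, RET_FAULT_UNALIGNED, RET_FAULT_NOEXEC };

/* What happens when control transfers to the decoded address: a misaligned
 * address faults, one outside executable memory faults (DEP), else it runs. */
static enum ret_outcome do_return(uint32_t pc)
{
    if (pc & 3u) return RET_FAULT_UNALIGNED;
    if (pc < TEXT_START || pc >= TEXT_END) return RET_FAULT_NOEXEC;
    return RET_OK;
}

/* Stack smash without the key: the slot is overwritten with a gadget address,
 * but the core decodes gadget ^ key, which the attacker cannot predict. */
static uint32_t blind_overwrite(uint32_t key, uint32_t gadget)
{
    struct thread t = { key };
    uint32_t slot = alloc_frame(&t, 0xB0001230u);   /* legitimate return address */
    slot = gadget;                                    /* overflow clobbers the slot */
    return dealloc_frame(&t, slot);
}

/* The leak the SSP/FRAMEKEY table warns about: a disclosed saved slot plus a
 * known plaintext return address (call sites are fixed in an image without
 * code ASLR) gives key = slot ^ LR, after which forgeries decode cleanly. */
static uint32_t recover_key(uint32_t leaked_slot, uint32_t known_lr)
{
    return leaked_slot ^ known_lr;
}

static uint32_t forge_with_leaked_key(uint32_t key, uint32_t known_lr, uint32_t gadget)
{
    struct thread t = { key };
    uint32_t leaked = alloc_frame(&t, known_lr);     /* read through some info leak */
    uint32_t slot = gadget ^ recover_key(leaked, known_lr);
    return dealloc_frame(&t, slot);
}

/* Per-thread keys limit the damage: a key leaked from thread A is useless
 * against a frame owned by thread B. */
static uint32_t forge_cross_thread(uint32_t key_a, uint32_t key_b,
                                   uint32_t known_lr, uint32_t gadget)
{
    struct thread a = { key_a }, b = { key_b };
    uint32_t k = recover_key(alloc_frame(&a, known_lr), known_lr);
    return dealloc_frame(&b, gadget ^ k);
}

int main(void)
{
    uint32_t key_a = 0x5A5AC3C3u, key_b = 0x13572468u;
    uint32_t lr = 0xB0001230u, gadget = 0xB0004000u;
    uint32_t pc;
    pc = blind_overwrite(key_a, gadget);
    printf("blind overwrite  -> pc %#010x, outcome %d\n", pc, do_return(pc));
    pc = forge_with_leaked_key(key_a, lr, gadget);
    printf("leaked key       -> pc %#010x, outcome %d\n", pc, do_return(pc));
    pc = forge_cross_thread(key_a, key_b, lr, gadget);
    printf("other thread key -> pc %#010x, outcome %d\n", pc, do_return(pc));
    return 0;
}
```

Two practical consequences follow from the model. The error handling row is literal: there is no check and no handler, the decoded value simply becomes the program counter, so the test for this countermeasure is a crash with an unpredictable PC, not a message. And the leak row means a single stack disclosure in a thread defeats the scheme for that thread, which is why the deck pairs it with per-thread keys and why the StackGhost slide mentions refreshing the key.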
33 Code Pointer Authentication: Proposal for a New Hardware Primitive

What if we could detect corrupted pointers, without additional memory overhead and without expensive software operations?
Observation: 64-bit function pointers have many unused bits. Make use of these bits to store an authentication tag.
- Use a cryptographically secure algorithm.
- Use an ephemeral, per-process key.
- Compute the tag over the pointer and a context. The context determines where the authentication tag is valid; it makes it harder to substitute signed pointers for other signed pointers.

34 Code Pointer Authentication: New Instructions

Authenticate a pointer with a MAC when it is created:
    TAUTH Rd, Rs, Rc
Verify the pointer before it is dereferenced:
    TVERIFY Rd, Rs, Rc
(Figure: the pointer word split into Address and Tag, with Tag = MAC computed over the Address, the Context and the Key.)

35 Conclusion
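The proposal above can be modelled in software to see what the context buys. The following is an added example, not Qualcomm code and not the proposed hardware: it assumes 48-bit virtual addresses (so the top 16 bits of a pointer are free for the tag), uses SipHash-2-4 as the keyed MAC, and uses the address of the memory slot holding the pointer as the context. Keys and addresses are constructed. It shows a legitimate sign/verify round trip, a substitution attack (a valid signed pointer copied into a different slot) and a partial overwrite, the last two rejected by TVERIFY.

```c
/* Added example, not from the Qualcomm deck: a software model of the proposed
 * TAUTH/TVERIFY primitive. Assumptions: 48-bit virtual addresses, so the top
 * 16 bits of a pointer hold the tag; SipHash-2-4 as the keyed MAC; the slot
 * address of the pointer as its context. Keys and addresses are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS   48
#define ADDR_MASK ((1ULL << VA_BITS) - 1)
#define TAG_MASK  (~ADDR_MASK)

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v0, v1, v2, v3) do {                              \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);  \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                       \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                       \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);  \
} while (0)

/* SipHash-2-4 over a fixed 16-byte message given as two little-endian words. */
static uint64_t siphash24_2w(uint64_t k0, uint64_t k1, uint64_t m0, uint64_t m1)
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = 16ULL << 56;                       /* length byte, no tail bytes */
    v3 ^= m0; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m0;
    v3 ^= m1; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m1;
    v3 ^= b;  SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    for (int i = 0; i < 4; i++) SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

struct pa_key { uint64_t k0, k1; };   /* ephemeral, per process */

/* MAC over (address, context), truncated to the pointer's unused bits. */
static uint64_t pa_tag(const struct pa_key *k, uint64_t addr, uint64_t ctx)
{
    return siphash24_2w(k->k0, k->k1, addr & ADDR_MASK, ctx) & TAG_MASK;
}

/* TAUTH Rd, Rs, Rc: Rd = Rs with its tag bits replaced by MAC(Rs, Rc). */
static uint64_t tauth(const struct pa_key *k, uint64_t ptr, uint64_t ctx)
{
    return (ptr & ADDR_MASK) | pa_tag(k, ptr, ctx);
}

/* TVERIFY Rd, Rs, Rc: recompute and compare. Returns false (and no usable
 * address) on mismatch; the hardware would raise a fault here instead. */
static bool tverify(const struct pa_key *k, uint64_t sptr, uint64_t ctx, uint64_t *out)
{
    uint64_t addr = sptr & ADDR_MASK;
    if ((sptr & TAG_MASK) != pa_tag(k, addr, ctx)) { *out = 0; return false; }
    *out = addr;
    return true;
}

/* Constructed scenario: a handler pointer stored in a struct field (slot A)
 * and another field of the same pointer type elsewhere (slot B). */
static const struct pa_key demo_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
#define HANDLER_ADDR 0x00007f1234567890ULL
#define SLOT_A       0x00007ffd0000a010ULL
#define SLOT_B       0x00007ffd0000b020ULL

/* Legitimate use: signed at store time with slot A as context, verified on load. */
static bool demo_roundtrip(void)
{
    uint64_t out;
    uint64_t sp = tauth(&demo_key, HANDLER_ADDR, SLOT_A);
    return tverify(&demo_key, sp, SLOT_A, &out) && out == HANDLER_ADDR;
}

/* Substitution: the valid signed pointer from slot A is copied into slot B.
 * The tag was bound to slot A's address, so the load through slot B fails. */
static bool demo_substitution_caught(void)
{
    uint64_t out;
    uint64_t sp = tauth(&demo_key, HANDLER_ADDR, SLOT_A);
    return !tverify(&demo_key, sp, SLOT_B, &out);
}

/* Corruption: a partial overwrite of the low bytes changes the address but
 * leaves the tag in place, so it no longer matches. */
static bool demo_corruption_caught(void)
{
    uint64_t out;
    uint64_t sp = tauth(&demo_key, HANDLER_ADDR, SLOT_A);
    sp = (sp & ~0xffffULL) | 0x1000;               /* redirect within the same 64 KiB */
    return !tverify(&demo_key, sp, SLOT_A, &out);
}

int main(void)
{
    printf("signed pointer: %#018llx\n",
           (unsigned long long)tauth(&demo_key, HANDLER_ADDR, SLOT_A));
    printf("roundtrip ok: %d, substitution caught: %d, corruption caught: %d\n",
           demo_roundtrip(), demo_substitution_caught(), demo_corruption_caught());
    return 0;
}
```

The caveat a reviewer would raise against the model is the tag width: with 16 free bits a random forgery succeeds one time in 65536, which is only acceptable because every failure faults and an embedded image does not hand out 65536 quiet retries. The context is what separates this from a plain tag, since without it any signed pointer of the right type could be dropped into any slot. The same design, with the MAC and the context as architectural choices, later shipped as ARMv8.3-A Pointer Authentication.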
36 Thank you

All data and information contained in or disclosed by this document is confidential and proprietary information of Qualcomm Technologies, Inc. and all rights therein are expressly reserved. By accepting this material the recipient agrees that this material and the information contained therein is to be held in confidence and in trust and will not be used, copied, reproduced in whole or in part, nor its contents revealed in any manner to others without the express written permission of Qualcomm Technologies, Inc. QUALCOMM Incorporated and/or its subsidiaries. All Rights Reserved. Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other products and brand names may be trademarks or registered trademarks of their respective owners. References in this presentation to Qualcomm may mean Qualcomm Incorporated, Qualcomm Technologies, Inc., and/or other subsidiaries or business units within the Qualcomm corporate structure, as applicable. Qualcomm Incorporated includes Qualcomm's licensing business, QTL, and the vast majority of its patent portfolio. Qualcomm Technologies, Inc., a wholly-owned subsidiary of Qualcomm Incorporated, operates, along with its subsidiaries, substantially all of Qualcomm's engineering, research and development functions, and substantially all of its product and services businesses, including its semiconductor business.
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationImpact of the current LLVM inlining strategy on complex embedded application memory utilization and performance
Impact of the current LLVM inlining strategy on complex embedded application memory utilization and performance Sergei Larin Senior Staff Engineer, Harsha Jagasia Staff Engineer, Tobias Edler von Koch
More informationCSE Computer Security
CSE 543 - Computer Security Lecture 17 - Language-based security October 25, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Engineering Disaster? Millions of Bots Compromised applications Programming
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationARM Processors for Embedded Applications
ARM Processors for Embedded Applications Roadmap for ARM Processors ARM Architecture Basics ARM Families AMBA Architecture 1 Current ARM Core Families ARM7: Hard cores and Soft cores Cache with MPU or
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationDesigning Security & Trust into Connected Devices
Designing Security & Trust into Connected Devices Eric Wang Senior Technical Marketing Manager Shenzhen / ARM Tech Forum / The Ritz-Carlton June 14, 2016 Agenda Introduction Security Foundations on Cortex-A
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationDesigning Security & Trust into Connected Devices
Designing Security & Trust into Connected Devices Rob Coombs Security Marketing Director TechCon 11/10/15 Agenda Introduction Security Foundations on Cortex-M Security Foundations on Cortex-A Use cases
More informationBeyond TrustZone PSA Reed Hinkel Senior Manager Embedded Security Market Development
Beyond TrustZone PSA Reed Hinkel Senior Manager Embedded Security Market Development Part1 - PSA Tech Seminars 2017 Agenda Platform Security Architecture Architecture overview Trusted Firmware-M IoT Threat
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationSecuring IoT with the ARM mbed ecosystem
Securing IoT with the ARM mbed ecosystem Xiao Sun / Senior Applications Engineer / ARM ARM mbed Connect / Shenzhen, China December 5, 2016 Lots of interest in IoT security Researchers are looking into
More informationVersion:2.1. Overview of speculation-based cache timing side-channels
Date: May 2018 Version 2.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers at Google on new potential cache
More informationLecture 4: Mechanism of process execution. Mythili Vutukuru IIT Bombay
Lecture 4: Mechanism of process execution Mythili Vutukuru IIT Bombay Low-level mechanisms How does the OS run a process? How does it handle a system call? How does it context switch from one process to
More information