Secure Low-Level Programming via Hardware-Assisted Memory-Safe C
|
|
- Violet Gregory
- 5 years ago
- Views:
Transcription
1 Secure Low-Level Programming via Hardware-Assisted Memory-Safe C Prof. Milo Martin Santosh Nagarakatte, Joe Devietti, Jianzhou Zhao, Colin Blundell Prof. Steve Zdancewic University of Pennsylvania Please feel free to ask questions!
2 Two Long-Term Research Goals Easier multicore programming Multicore revolution parallel programs ubiquitous Programming is hard, parallel programming more so Safer and secure low-level programming C s lack of memory safety: root cause of vulnerabilities Goal: legacy C code as safe and secure as Java Unfortunately, C makes such checking a challenge This talk: hardware/compiler for spatial safety of C Using hardware and/or compiler techniques 2
3 Talk Overview & Project Evolution Hardware bounded pointer primitive New hardware/software contract for pointers Work in progress ~10% overhead Memory layout unchanged HardBound [ASPLOS 08] Seminar on Hardware Support for Security 05 Efficiency & Compatibility Spatial safety (J&K, SafeC/CCured/Cyclone) SoftBound [PLDI 2009] Hardware Software Today s hardware Compiler-based transformation, < 2x overhead 3
4 Why Care About Spatial Safety, Anyway? June 2, 2009: itunes-8.2 Open URL, stack overflow May 12, 2009: libxml, Safari Visit website, heap overflow Feb 20, 2009: Acrobat Reader Open PDF, overflow Jan 22, 2009: Windows RPC packet, overflow (Conficker worm) Buffer overflows are security vulnerabilities 4
5 struct BankAccount { char acctid[3]; int balance; a } b; acctid b p 0x12 0x13 0x10 0x17 0x11 b.balance = 0; Vulnerability c of the decade char* id = &(b.acctid); [Cowan et al] Variants (stack-, heap-, pointer-smashing, jump-to-libc) bal id memory memory 0x10 Spatial Violation Example registers reg Facilitated by integer overflow/underflow char* p = id; Can happen anywhere in the code Attackers are clever, highly motivated do { char ch = readchar(); *p = ch; p++; } while(ch); 5
6 Preventing Spatial Violations treat the symptoms use static analysis address space randomization add bounds use a safe language non-executable stack/heap what about false positives? checking to write perfect code protect return addresses existing C code all incomplete what about (existing) C code? SoftBound Santosh Nagarakatte PLDI
7 The Cockroach of Programming Languages Ubiquitous Is there any mainstream system without some C code? Relevant Sometimes the right tool for a task Gold standard for performance Evolving Research philosophy: English vs. Esperanto (1887) What if you can t wipe the slate clean? Modify the language? Or modify the hardware? 7
8 Modernizing Legacy C Code Can we provide unmodified C source code with key safety features of modern languages? Key feature: memory safety Spatial memory safety (bounds errors) What is this? Temporal memory safety (dangling pointers) char *c; Alas, such retrofitting challenging Pointer arithmetic, pointers to middle of objects, arrays in structs, legal out-of-bounds pointers, confluence of arrays and singleton pointers, visible memory layout, arbitrary type casts, Lack of bounds information key challenge today s talk 8
9 Taxonomy of Bounds Checking for C Prior work: [Hastings92, Austin94, Jones97, Jim02, Necula02, Yong03, Eigler03, Ruwase04, Nethercote04, Xu04, Dhurjati06, Criswell07, ] Tripwires e.g., Purify, Valgrind Few bits of state for each byte in memory A red-zone block between objects Pointer based e.g., SafeC, Cyclone, CCured, MSCC, Pointer becomes a fat pointer (ptr, base, bound) Pointer dereferences are checked Object based e.g., Jones & Kelly, CRED, SafeCode, SVA, Checks pointer manipulations Must point within same object All have one or more challenges: High runtime overheads Incompleteness (sub-objects, handling arbitrary casts) Incompatibilities (language changes, pointer representations) 9
10 The Tao of Dynamically Checking C Compatibility Completeness Continuous (fast enough) 10
11 memory acctid bal id Background: Fat Pointer Approach memory a b c 0 id_bse 0x10 0x10 id_bnd 0x13 registers p_bse 0x10 p reg 0x11 0x10 0x12 p_bnd 0x13 0x13 struct BankAccount { } b; char acctid[3]; int balance; b.balance = 0; char* id = &(b.acctid); char* id_bse = &(b.acctid); char* id_bnd = &(b.acctid) + 3; char* p = id; char* p_bse = id_bse; char* p_bnd = id_bnd; do { char ch = readchar(); check(p, p_bse, p_bnd);*p = ch; p++; } while(ch); 11
12 Background: Object Based Approach memory acctid bal memory a b c p table registers reg 0x12 0x17 0x16 0x10 0x13 0x11 object table 10,11 11,12 12,13 16,17 Obj id 0x10 10 to 16 struct BankAccount { } b; char acctid[3]; int balance; insert(b, &b, &b+sizeof(b)); b.balance = 0; char* id = &(b.acctid); char* p = id; do { char ch = readchar(); *p = ch; p++; p = lookup(p, p + 1); } while(ch); 12
13 Analysis: Comparison of Approaches Object based + Disjoint metadata memory layout unchanged high source compatibility Problem detecting sub-object overflows Range lookup overhead Fat pointers + Can detect sub-objects overflows Inline metadata memory layout changes low source compatibility Both Fail to protect against arbitrary casts (unless augmented, such as CCured s WILD pointers) 13
14 Our Approach: Disjoint Pointer Metadata memory acctid bal id memory a b c 0 registers p_bse 0x10 p reg data 0x13 0x10 0x12 0x11 p_bnd 0x13 metadata Meta 0x13 0x10 struct BankAccount { } b; char acctid[3]; int balance; b.balance = 0; char* id = &(b.acctid); lookup(&id)->bse = &(b.acctid); lookup(&id)->bnd = &(b.acctid) + 3; char* p = id; char* p_bse = lookup(&id)->bse; char* p_bnd = lookup(&id)->bnd; do { char ch = readchar(); check(p, p_bse, p_bnd);*p=ch; p++; } while(ch); 14
15 Our Approach: Disjoint Pointer Metadata memory acctid bal id memory a b c 0 registers p_bse 0x10 p reg metadata data 0x13 p_bnd 0x13 Meta 0x13 0x10 Compatibility Unchanged memory layout Completeness Sub-object bounds Arbitrary casts Continuous (fast) Direct lookup Hardware-assisted 15
16 Rest of Talk: HardBound & SoftBound HardBound: Hardware/software impl. [ASPLOS 08] How does it work? (pointer propagation & checking) How do we make HardBound fast? Dedicated datapaths, compressing metadata SoftBound: Compiler-only prototype [PLDI 09] What changes without hardware support? Experiments 16
17 HardBound Overview Bounded-pointer hardware primitive datatype All registers and memory have base/bound metadata Implemented via shadow memory and shadow registers Rewrite hardware/software contract for pointers Software identifies where pointers are created Examples: malloc, &variable (inserted by compiler) Using new setbound instruction Hardware checks and propagates the pointers + Fat pointer representation hidden by hardware + Compatibility (memory layout unchanged) + Enables optimized metadata encoding 17
18 Hardware Propagates & Checks Metadata All registers and memory have metadata Example operations: add R1 < R2 + imm R1.value < R2.value + imm R1.base < R2.base R1.bound < R2.bound load R1 < Memory[R2] insn propagation assert(r2.base <= R2.value < R2.bound) R1.value < Memory[R2.value].value insn R1.base < Memory[R2.value].base R1.bound < Memory[R2.value].bound propagation Performed in parallel (replicate datapath) bounds check 18
19 Software Identifies Pointer Creation Heap Objects p = malloc(size); Even without recompilation Modified runtime system p = setbound(malloc(size), size) Hardware executes p = malloc(size) p_base = p p_bound = p + size Allocation-granularity checking for heap 19
20 Software Identifies Pointer Creation Stack and Global Objects int array[100]; p = &array; Compiler p = setbound(&array, sizeof(array)); Hardware executes p = &array p_base = p p_bound = p + sizeof(array) Recompilation protects stack & globals Easy for compiler to identify 20
21 Bounding Pointers to Structure Fields option #1 struct { Entire Structure char acctid[3]; int balance; } *ptr; char* id = &(ptr->acctid);? #1 #2 option #2 Shrink to Field acctid bal id_base = ptr_base; id_bound = ptr_bound; id_base = &(ptr->acctid); id_bound = &(ptr->acctid) + 3; Programmer intent ambiguous; optional shrinking of bounds 21
22 memory acctid bal id memory a b c 0 HardBound Example registers p reg bnd data bse metadata Meta 0x13 0x10 struct BankAccount { } b; char acctid[3]; int balance; b.balance = 0; char* id = &(b.acctid); setbound(&b.acctid,3) char* p = id; do { char ch = readchar(); *p=ch; p++; } while(ch); Hdw. propagation Hdw. propagation Hdw. check 22
23 struct { int* ptr; int i; } s; HardBound Memory Layout Virtual Memory standard C layout ptr i base bound regular space (layout unchanged) enables compatibility how do we make it efficient? metadata shadow space 23
24 Eliminating Metadata for Non-Pointers Most data are not pointers tag pointer base bound 1 non-pointer 0 Add 1-bit tag to act as a filter Prevents an expensive base/bound lookup Lives in virtual memory (1 bit per word, 3% overhead) Add tag cache, accessed in parallel 24
25 Compressing In-Memory Metadata 1. Many pointers point to the beginning of an object 2. Many pointers point to small objects size pointer: 1000 base: 1000 bound: tag:1 + pointer: 1000 base: 1000 bound: 1003 used opportunistically (on each store) 25
26 Metadata Lookup and Tag Cache Processor Core tag$ TLB data$ TLB insn$ TLB L2$ Memory 26
27 Why Not Just Do HardBound in Software? SoftBound Compiler inserts code for propagation and checking Similarities Same disjoint pointer-based metadata approach Differences Memory: access metadata only on pointer load/store No need for tag space Doesn t (yet) use metadata compression Registers: base/bound just temporaries in compiler IR Bounds checks: compiler can elide redundant checks Works on today s hardware 27
28 SoftBound Checking & Propagation All pointer/array dereferences checked if ((p < p_base) (p + size > p_bound)) abort(); Five x86 instructions: cmp, br, add, cmp, br Loading/storing a pointer from memory Loads/stores base and bound from metadata space Five x86 instructions: shift, mask, add, two loads Pointer assignments, arithmetic, and casts Just propagate pointer base and bound (share register) Pointer arguments to a function Bounds passed as extra arguments (in registers) int f(char* p) { } int _f(char* p, void* p_base, void* p_bound) { } 28
29 More in the Papers Proof of spatial safety guarantees Region delineated by pointer metadata is always valid Formalized a rich subset of C Includes arbitrary casts, recursive structures, etc Mechanized proof in Coq Hashtable-based metadata storage Handling various aspects of C Separate compilation and library code memcpy() Function pointers Variable argument functions 29
30 Experiments Four questions Effective in detecting overflows? Compatible with existing C code? Reasonable overheads? Hardware support justified? 30
31 HardBound Prototypes Source-to-source compiler based on CIL Simulator: FeS 2 x86 + Simics Simple in-order core model + caches SoftBound prototype ~7K lines LLVM as its foundation of code Typed IR helps in pointer identification Bounds check elimination not focus Intra-procedural dominator based Existing techniques would help a lot Runtime results on Core 2 Duo Source Typed IR Optimize SoftBound Optimize Binary 31
32 Spatial Violation Detection Effective in detecting overflows? Suite of 286 spatial violations [Kratkiewicz 05] Synthetic attacks [Wilander et al] Prevented all these attacks Bugbench [Lu05]: overflows from real applications Benchmark SoftBound Mudflap Valgrind Go Yes No No Compress Yes Yes Yes Polymorph Yes Yes No Gzip Yes Yes Yes Detected all known violations 32
33 Source Compatibility Experiments Compatible with existing C code? 272K lines of code total 23 benchmarks from Spec, Olden BugBench Multithreaded HTTP Server with CGI support FTP server No spurious runtime violations encountered 33
34 25% 20% 15% 10% HardBound Runtime Results additional memory latency stalling on pointer metadata µops for loading/storing bounds setbound instructions 10% average overhead 5% 0% extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 bh bisort em3d health mst perim power treeadd tsp avg 34
35 Percent SoftBound Runtime Results Full Checking Store Only Checking 67% 21% Check only stores [Yong03, Castro06] Full Checking: default for development & testing Attacks predominantly use stores Store-only: for security critical apps, production code 35
36 Softbound: Runtime vs Dynamic Instructions Percent 132% Runtime overhead Instruction overhead % 82% 67% Processor exploits Instruction Level Parallelism (ILP) Bounds checking & propagation off the critical path 36
37 Experiments Recap Effective in detecting overflows? Yes Compatible with existing C code? Yes Reasonable overheads? You decide SoftBound: Full checking 67%, store-only 21% HardBound: Full checking ~10% Hardware support justified? Maybe Impact of simple versus sophisticated cores Cost/benefit tradeoff can we lower the cost? 37
38 Future Work: Hardware/Software Continuum High HardBound Hardware Modifications None Ideal None SoftBound Runtime Overhead High Hardware-accelerated temporal safety (without GC) Check freshness of each allocation with a capability 38
39 Conclusions HardBound/SoftBound provide spatial safety for C Pointer-based approach, but with disjoint metadata Compatible (no source code changes) Effective (catches know vulnerabilities) Software-only: fast enough for Debugging & testing: full checking Security-critical software: store only checking Hardware-assisted: even lower overhead 39
40 Want to try SoftBound out?
SoftBound: Highly Compatible and Complete Spatial Safety for C
SoftBound: Highly Compatible and Complete Spatial Safety for C Santosh Nagarakatte, Jianzhou Zhao, Milo Martin, Steve Zdancewic University of Pennsylvania {santoshn, jianzhou, milom, stevez}@cis.upenn.edu
More informationHardBound: Architectural Support for Spatial Safety of the C Programming Language
HardBound: Architectural Support for Spatial Safety of the C Programming Language Joe Devietti *, Colin Blundell, Milo Martin, Steve Zdancewic * University of Washington, University of Pennsylvania devietti@cs.washington.edu,
More informationCS-527 Software Security
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal
More informationCS527 Software Security
Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and
More informationHardBound: Architectural Support for Spatial Safety of the C Programming Language
University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science 3-1-2008 HardBound: Architectural Support for Spatial Safety of the C Programming Language
More informationSoftBound: Highly Compatible and Complete Spatial Memory Safety for C
University of Pennsylvania ScholarlyCommons Technical Reports (CIS) Department of Computer & Information Science January 2009 SoftBound: Highly Compatible and Complete Spatial Memory Safety for C Santosh
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationSoftBound: Highly Compatible and Complete Spatial Memory Safety for C
SoftBound: Highly Compatible and Complete Spatial Memory Safety for C Santosh Nagarakatte Jianzhou Zhao Milo M. K. Martin Steve Zdancewic Computer and Information Sciences Department, University of Pennsylvania
More informationIronclad C++ A Library-Augmented Type-Safe Subset of C++
Ironclad C++ A Library-Augmented Type-Safe Subset of C++ Christian DeLozier, Richard Eisenberg, Peter-Michael Osera, Santosh Nagarakatte*, Milo M. K. Martin, and Steve Zdancewic October 30, 2013 University
More informationBaggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand
Baggy bounds checking Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand C/C++ programs are vulnerable Lots of exis5ng code in C and C++ More being wrieen every day C/C++ programs are prone to
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationHeriot-Watt University
Heriot-Watt University Heriot-Watt University Research Gateway Tag-Protector: An Effective and Dynamic Detection of Illegal Memory Accesses Through Compile-time Code Instrumentation Saeed, Ahmed; Ahmadinia,
More informationCCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs
CCured Type-Safe Retrofitting of C Programs [Necula, McPeak,, Weimer, Condit, Harren] #1 One-Slide Summary CCured enforces memory safety and type safety in legacy C programs. CCured analyzes how you use
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationSecure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack
Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack John Criswell, University of Illinois Andrew Lenharth, University of Illinois Dinakar Dhurjati, DoCoMo Communications
More informationTransparent Pointer Compression for Linked Data Structures
Transparent Pointer Compression for Linked Data Structures lattner@cs.uiuc.edu Vikram Adve vadve@cs.uiuc.edu June 12, 2005 MSP 2005 http://llvm.cs.uiuc.edu llvm.cs.uiuc.edu/ Growth of 64-bit computing
More informationChecked C. Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW)
Checked C Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW) UM Motivation - Lots of C/C++ code out there. - One open source code indexer
More informationBoundless Memory Blocks
Boundless Memory Blocks Cristian Cadar Massachusetts Institute of Technology (now Stanford University) M. Rinard, D. Dumitran D. Roy, T. Leu Massachusetts Institute of Technology Annual Computer Security
More informationCMPSC 497 Execution Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Execution Integrity
More informationAn Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs
An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs Wei Xu, Daniel C. DuVarney, and R. Sekar Department of Computer Science, Stony Brook University Stony Brook, NY
More informationAHEMS: Asynchronous Hardware-Enforced Memory Safety
Submitted for publication. Author copy - do not redistribute. AHEMS: Asynchronous Hardware-Enforced Memory Safety Kuan-Yu Tseng, Dao Lu, Zbigniew Kalbarczyk, Ravishankar Iyer Coordinated Science Laboratory
More informationDieHard: Probabilistic Memory Safety for Unsafe Programming Languages
DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger University of Massachusetts Amherst Ben Zorn Microsoft Research Problems with Unsafe Languages C, C++: pervasive apps,
More informationSAFECODE: A PLATFORM FOR DEVELOPING RELIABLE SOFTWARE IN UNSAFE LANGUAGES DINAKAR DHURJATI
SAFECODE: A PLATFORM FOR DEVELOPING RELIABLE SOFTWARE IN UNSAFE LANGUAGES BY DINAKAR DHURJATI B.Tech., Indian Institute of Technology - Delhi, 2000 DISSERTATION Submitted in partial fulfillment of the
More informationPutting the Checks into Checked C. Archibald Samuel Elliott Quals - 31st Oct 2017
Putting the Checks into Checked C Archibald Samuel Elliott Quals - 31st Oct 2017 Added Runtime Bounds Checks to the Checked C Compiler 2 C Extension for Spatial Memory Safety Added Runtime Bounds Checks
More informationStack Bounds Protection with Low Fat Pointers
Stack Bounds Protection with Low Fat Pointers Gregory J. Duck, Roland H.C. Yap, and Lorenzo Cavallaro NDSS 2017 Overview Heap Bounds Protection with Low Fat Pointers, CC 2016 Stack New method for detecting
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationTypes II. Hwansoo Han
Types II Hwansoo Han Arrays Most common and important composite data types Homogeneous elements, unlike records Fortran77 requires element type be scalar Elements can be any type (Fortran90, etc.) A mapping
More informationHeap Bounds Protection with Low Fat Pointers
Heap Bounds Protection with Low Fat Pointers Gregory J. Duck Roland H. C. Yap Department of Computer Science National University of Singapore, Singapore {gregory,ryap}@comp.nus.edu.sg Abstract Heap buffer
More informationChapter 10. Improving the Runtime Type Checker Type-Flow Analysis
122 Chapter 10 Improving the Runtime Type Checker The runtime overhead of the unoptimized RTC is quite high, because it instruments every use of a memory location in the program and tags every user-defined
More informationMemory Safety for Embedded Devices with nescheck
Memory Safety for Embedded Devices with nescheck Daniele MIDI, Mathias PAYER, Elisa BERTINO Purdue University AsiaCCS 2017 Ubiquitous Computing and Security Sensors and WSNs are pervasive Small + cheap
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationCS 430 Spring Mike Lam, Professor. Data Types and Type Checking
CS 430 Spring 2015 Mike Lam, Professor Data Types and Type Checking Type Systems Type system Rules about valid types, type compatibility, and how data values can be used Benefits of a robust type system
More informationArchitectural Support for Low Overhead Detection of Memory Violations
Architectural Support for Low Overhead Detection of Memory Violations Saugata Ghose, Latoya Gilgeous, Polina Dudnik, Aneesh Aggarwal, Corey Waxman State University of New York, Binghamton, NY 13902 aneesh@binghamtonedu
More informationPractical Memory Safety with REST
Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationLecture 14 Pointer Analysis
Lecture 14 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis [ALSU 12.4, 12.6-12.7] Phillip B. Gibbons 15-745: Pointer Analysis
More informationType Checking Systems Code
Type Checking Systems Code Greg Morrisett Cornell University Abstract. Our critical computing systems are coded in low-level, typeunsafe languages such as C, and it is unlikely that they will be re-coded
More informationFast, precise dynamic checking of types and bounds in C
Fast, precise dynamic checking of types and bounds in C Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge p.1 Tool wanted if (obj >type == OBJ COMMIT) { if (process commit(walker,
More informationCode Injection Attacks Buffer Overflows
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 System Security Lecture 1 Code Injection Attacks Buffer Overflows Based on and extracted from Nickolai Zeldovitch, Computer System Security, course material at
More informationLecture 27. Pros and Cons of Pointers. Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis
Pros and Cons of Pointers Lecture 27 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis Many procedural languages have pointers
More informationLecture 20 Pointer Analysis
Lecture 20 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis (Slide content courtesy of Greg Steffan, U. of Toronto) 15-745:
More informationIn Java we have the keyword null, which is the value of an uninitialized reference type
+ More on Pointers + Null pointers In Java we have the keyword null, which is the value of an uninitialized reference type In C we sometimes use NULL, but its just a macro for the integer 0 Pointers are
More informationJava and C CSE 351 Spring
Java and C CSE 351 Spring 2018 https://xkcd.com/801/ Roadmap C: car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Assembly language: Machine code: get_mpg: pushq
More informationBaggy bounds with LLVM
Baggy bounds with LLVM Anton Anastasov Chirantan Ekbote Travis Hance 6.858 Project Final Report 1 Introduction Buffer overflows are a well-known security problem; a simple buffer-overflow bug can often
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationCSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1
CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Winter 2008 3/11/2008 2002-08 Hal Perkins & UW CSE V-1 Agenda Java virtual machine architecture.class files Class loading Execution engines
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationMaking the Fast Case Common and the Uncommon Case Simple in Unbounded Transactional Memory
Making the Fast Case Common and the Uncommon Case Simple in Unbounded Transactional Memory Colin Blundell (University of Pennsylvania) Joe Devietti (University of Pennsylvania) E Christopher Lewis (VMware,
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
1 Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Presenter: Yue Zheng Yulin Shi Outline Motivation & Background Hardware DIFT
More informationBuffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, 2011. 1 Introduction to the topic
More informationToday Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding
More informationMemory Safety for Low- Level Software/Hardware Interactions
Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve Safety Future is Bright User-space memory safety is improving Safe languages SAFECode,
More informationEffective Memory Protection Using Dynamic Tainting
Effective Memory Protection Using Dynamic Tainting James Clause Alessandro Orso (software) and Ioanis Doudalis Milos Prvulovic (hardware) College of Computing Georgia Institute of Technology Supported
More informationType Checking and Type Equality
Type Checking and Type Equality Type systems are the biggest point of variation across programming languages. Even languages that look similar are often greatly different when it comes to their type systems.
More informationSecuring Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation
Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted
More informationSystem Assertions. Andreas Zeller
System Assertions Andreas Zeller System Invariants Some properties of a program must hold over the entire run: must not access data of other processes must handle mathematical exceptions must not exceed
More informationOutline EEL 5764 Graduate Computer Architecture. Chapter 3 Limits to ILP and Simultaneous Multithreading. Overcoming Limits - What do we need??
Outline EEL 7 Graduate Computer Architecture Chapter 3 Limits to ILP and Simultaneous Multithreading! Limits to ILP! Thread Level Parallelism! Multithreading! Simultaneous Multithreading Ann Gordon-Ross
More informationLow level security. Andrew Ruef
Low level security Andrew Ruef What s going on Stuff is getting hacked all the time We re writing tons of software Often with little regard to reliability let alone security The regulatory environment
More informationLast week. Data on the stack is allocated automatically when we do a function call, and removed when we return
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...
More informationWatchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory Safety
University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science 6-2012 Watchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help
More informationSoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14
SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationSyed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut
CSE 5095 & ECE 6095 Spring 2016 Instructor Marten van Dijk System Security Lecture 1 Buffer Overflows Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut Email:
More informationFlexible and Efficient Memory Object Metadata
Flexible and Efficient Memory Object Metadata Zhengyang Liu Beijing University of Posts and Telecommunications, China zhengyang-liu@hotmail.com John Criswell University of Rochester, USA criswell@cs.rochester.edu
More informationUndefined Behaviour in C
Undefined Behaviour in C Report Field of work: Scientific Computing Field: Computer Science Faculty for Mathematics, Computer Science and Natural Sciences University of Hamburg Presented by: Dennis Sobczak
More informationCS252 S05. Main memory management. Memory hardware. The scale of things. Memory hardware (cont.) Bottleneck
Main memory management CMSC 411 Computer Systems Architecture Lecture 16 Memory Hierarchy 3 (Main Memory & Memory) Questions: How big should main memory be? How to handle reads and writes? How to find
More informationLecture 16 Pointer Analysis
Pros and Cons of Pointers Lecture 16 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis Many procedural languages have pointers
More informationRun-time Environments - 3
Run-time Environments - 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Outline of the Lecture n What is run-time
More informationDefeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)
Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationAPPENDIX Summary of Benchmarks
158 APPENDIX Summary of Benchmarks The experimental results presented throughout this thesis use programs from four benchmark suites: Cyclone benchmarks (available from [Cyc]): programs used to evaluate
More informationShort Notes of CS201
#includes: Short Notes of CS201 The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with < and > if the file is a system
More informationField Analysis. Last time Exploit encapsulation to improve memory system performance
Field Analysis Last time Exploit encapsulation to improve memory system performance This time Exploit encapsulation to simplify analysis Two uses of field analysis Escape analysis Object inlining April
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationJava and C I. CSE 351 Spring Instructor: Ruth Anderson
Java and C I CSE 351 Spring 2017 Instructor: Ruth Anderson Teaching Assistants: Dylan Johnson Kevin Bi Linxing Preston Jiang Cody Ohlsen Yufang Sun Joshua Curtis Administrivia Homework 5 Due TONIGHT Wed
More informationSecure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E
Secure Programming An introduction to Splint Christian D. Jensen René Rydhof Hansen Informatics and Mathematical Modelling Technical University of Denmark E05-02230 CDJ/RRH (IMM/DTU) Secure Programming
More informationSECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris
SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 1 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 5 year vision
More informationHeap Arrays and Linked Lists. Steven R. Bagley
Heap Arrays and Linked Lists Steven R. Bagley Recap Data is stored in variables Can be accessed by the variable name Or in an array, accessed by name and index Variables and arrays have a type Create our
More informationCS201 - Introduction to Programming Glossary By
CS201 - Introduction to Programming Glossary By #include : The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with
More informationBounds-Checking for C++
Outsourcing Report Bounds-Checking for C++ Alexander Lamaison Department of Computing Imperial College London Supervisor: Paul H. J. Kelly 12 th January 2007 Contents
More informationCS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018
CS 31: Intro to Systems Pointers and Memory Kevin Webb Swarthmore College October 2, 2018 Overview How to reference the location of a variable in memory Where variables are placed in memory How to make
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More information6.828: OS/Language Co-design. Adam Belay
6.828: OS/Language Co-design Adam Belay Singularity An experimental research OS at Microsoft in the early 2000s Many people and papers, high profile project Influenced by experiences at
More informationHA2lloc: Hardware-Assisted Secure Allocator
HA2lloc: Hardware-Assisted Secure Allocator Orlando Arias, Dean Sullivan, Yier Jin {oarias,dean.sullivan}@knights.ucf.edu yier.jin@ece.ufl.edu University of Central Florida University of Florida June 25,
More informationAgenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1
Agenda CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Summer 2004 Java virtual machine architecture.class files Class loading Execution engines Interpreters & JITs various strategies
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationAdvances in Programming Languages: Regions
Advances in Programming Languages: Regions Allan Clark and Stephen Gilmore The University of Edinburgh February 22, 2007 Introduction The design decision that memory will be managed on a per-language basis
More informationInformation Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo
Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE The University of Tokyo furuse@yl.is.s.u-tokyo.ac.jp e-society MEXT project toward secure and reliable software
More informationOutline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction
Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp
More informationSimulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1
Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 2012 The MathWorks, Inc. 1 Agenda Formal Verification Key concept Applications Verification of designs against (functional) requirements Design error detection Test
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationChapter 1 GETTING STARTED. SYS-ED/ Computer Education Techniques, Inc.
Chapter 1 GETTING STARTED SYS-ED/ Computer Education Techniques, Inc. Objectives You will learn: Java platform. Applets and applications. Java programming language: facilities and foundation. Memory management
More informationUsing the Singularity Research Development Kit
Using the Research Development Kit James Larus & Galen Hunt Microsoft Research ASPLOS 08 Tutorial March 1, 2008 Outline Overview (Jim) Rationale & key decisions architecture Details (Galen) Safe Languages
More informationA JVM for Soft-Error-Prone Embedded Systems
A JVM for Soft-Error-Prone Embedded Systems Isabella S)lkerich, Michael Strotz, Christoph Erhardt, Mar7n Hoffmann, Daniel Lohmann, Fabian Scheler, Wolfgang Schröder- Preikschat Department of Computer Science
More informationFast Byte-Granularity Software Fault Isolation
Fast Byte-Granularity Software Fault Isolation Manuel Costa Microsoft Research, Cambridge Joint work with: Miguel Castro, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More information