Strato: A Retargetable Framework for Low- Level Inlined Reference Monitors
|
|
- Diana Briggs
- 5 years ago
- Views:
Transcription
1 Strato: A Retargetable Framework for Low- Level Inlined Reference Monitors Bin Zeng, Gang Tan, Úlfar Erlingsson Lehigh University Google Inc. USENIX Security DC, USA
2 ASacks How asacks happen Arrive as user input through a communicavon channel Trigger pre- exisvng bugs Take over program execuvons ASack vector Mobile code, untrusted extensions Memory corrupvon asacks [StackSmash] Return Oriented Programming [ROP] 2
3 ExisVng Countermeasures Data ExecuVon ProtecVon [DEP] Address Space Layout RandomizaVon [PaX] Program Shepherding [Shepherding] Inlined Reference Monitors [IRM] Control Flow Integrity [CFI, XFI, HyperSafe] So]ware- based Fault IsolaVon [PiSsfield, NaVve Client] 3
4 Inlined Reference Monitors (IRMs) IRM: embed security checks in programs Well- established against various asacks E.g., buffer overflows, Return- Oriented Programming asacks 4
5 Inlined Reference Monitors (IRMs) CFI (Control- Flow Integrity): checks control flow SFI (So]ware- based Fault IsolaVon) also checks memory reads and writes Example: Google s NaVve Client Verifiable machine code plugins for browsers 5
6 However, Most IRM ImplementaVons are Low- Level Binary rewrivng, assembly instrumentavon, ImplementaVons Tightly coupled with architectures Hard to reuse For example, NaVve Client (NaCl) has mulvple implementavons x86-32; x
7 Our General Idea Perform IRM rewrivng at an Intermediate- RepresentaVon (IR) level Use an IR that is largely architecture- independent (in parvcular, LLVM IR) Benefits Reuse transformavons among architectures IR is amenable to opvmizavons Retain verifiability of low- level code 7
8 Challenges of IR- level RewriVng Compiler transformavons a]er the IR can invalidate security assumpvons Have to trust the compiler back- end from IR to low- level code TCB Bloat 8
9 Are Compilers Trustworthy? Source Code Compiler Binary Code 9
10 Compilers are Buggy Source Code Compiler Binary Code 10
11 Compilers are Buggy Compilers have a huge code base GCC 4.8 has more than 7.3 million lines of code Csmith found 300+ unknown bugs [PLDI 11] LLVM has a steady bug rate 11
12 Buggy Compiler OpVmizaVons Any sufficiently opvmizing compiler is indisvnguishable from magic. - - Paraphrasing Arthur C. Clarke 12
13 Compiler OpVmizaVons Compiler opvmizavons invalidate security assumpvons They only care about funcvonal semanvcs Security properves are o]en non- funcvonal 13
14 Research QuesVon How to do IRM rewrivng at the IR level, and preserve low- level security? Our paper s contribuvon: Strato: a IRM- implementavon framework that performs IR- level rewrivng and preserves low- level security 14
15 Key Challenge Challenge: a]er checks are inserted at the IR level, backend transformavons may invalidate security if all data memory is untrusted Before register allocavon A]er register allocavon ptr.safe = check(ptr) tmp = load *ptr.safe store v, *ptr.safe Register spilling ptr.safe = check(ptr) tmp = load *ptr.safe store ptr.safe, *stack_loc ptr.safe2 = load *stack_loc store v, *ptr.safe2 15
16 ASack Model Guard region is mprotected Anything from memory is untrusted 16
17 Our Idea for Addressing the Problem Insert more- than- enough checks at the IR level ASach constraints to checks to encode condivons that might be invalidated by the compiler A]er compiler transformavons, perform constraint checking at the low level Remove checks iff constraints are svll valid If a compiler transformavon invalidates a constraint, then the check is le] intact for security Let s go through an example next 17
18 Uninstrumented IR Code entry: tmp = 0 if(v > 47) goto then else: tmp = load *ptr goto end then: store v, *ptr end: ret tmp 18
19 Instrumented and OpVmized IR entry: ptr.safe = check(ptr) // check1 tmp = 0 if(v > 47) goto then else: ptr.safe1 = check(ptr.safe) // check2 # nospill(ptr.safe, check1, check2) tmp = load *ptr.safe1 goto end then: ptr.safe2 = call check(ptr.safe) // check3 # nospill(ptr.safe, check1, check3) store v, *ptr.safe2 end: ret tmp Security checks Constraints Original code Redundant Check EliminaVon 19
20 A]er Constraint Checking entry: ptr.safe = check(ptr) // check1 tmp = 0 if(v > 47) goto then else: ptr.safe1 = check(ptr.safe) // check2 # nospill(ptr.safe, check1, check2) tmp = load *ptr.safe goto end then: ptr.safe2 = call check(ptr.safe) // check3 # nospill(ptr.safe, check1, check3) store v, *ptr.safe2 end: ret tmp Assume ptr.safe not spilled between check1 and check2, but spilled between check2 and check3 20
21 Another Example: Uninstrumented IR Code x = gep p, 0, 0 tmp1 = load *x y = gep p, 0, 1 tmp2 = load *y sum = add tmp1, tmp2 ret sum 21
22 Instrumented and OpVmized IR p.safe = check(p) // check1 x = gep p.safe, 0, 0 x.safe = check(x) // check2 # nospill(p.safe, check1, check2) # sizeof(struct s)*0 + sizeof(long)*0 < GZSize tmp1 = load *x.safe y = gep p.safe, 0, 1 y.safe = check(y) // check3 # nospill(p.safe, check1, check3) # sizeof(struct s)*0 + sizeof(long)*1 < GZSize tmp2 = load *y.safe sum = add tmp1, tmp2 ret sum SequenVal Memory Access OpVmizaVon 22
23 A]er Constraint Checking p.safe = check(p) // check1 x = gep p.safe, 0, 0 x.safe = check(x) // check2 # nospill(p.safe, check1, check2) # sizeof(struct s)*0 + sizeof(long)*0 < GSize tmp1 = load *x.safe y = gep p.safe, 0, 1 y.safe = check(y) // check3 # nospill(p.safe, check1, check3) # sizeof(struct s)*0 + sizeof(long)*1 < GSize tmp2 = load *y.safe sum = add tmp1, tmp2 ret sum Assume (1) ptr.safe not spilled between check1 and check2, or check1 and check3 (2) offsets less than guard- zone size 23
24 Strato: Retargetable IRMs InstrumentaVon at intermediate representavon level, i.e. LLVM IR IR- level checks OpVmizaVons of security checks and asach constraints Constraint- checking before lowering If a constraint holds, remove the check Otherwise, lower the IR- level check to machine code VerificaVon at the low level Remove everything else outside the TCB (including constraint checking) 24
25 The Architecture of Strato Source IR IR Secured IR Secured IR Compiler Frontend Compiler Optimizations Check Instrumentation Check Optimizations Code Gen Constraint Checking x32 ASM x64 ASM ASM Check Lowering x32 ASM x64 ASM ASM Verification x32 ASM x64 ASM ASM 25
26 Benefits Retargetable Easy to port to other architectures Enable opvmizavons Structured informavon at the IR level StaVc Single Assignment form Code reuse InstrumentaVon and opvmizavons can be shared among various architectures 26
27 The ImplementaVon of Strato Two policies: CFI & SFI InstrumentaVon FuncVon passes into the end LLVM pipeline OpVmizaVons Redundant Check EliminaVon SequenVal Memory Access OpVmizaVon Loop- based Check OpVmizaVon OpVmizaVons asach constraints Constraint checking Range analysis (interval analysis) based verifier 27
28 VerificaVon Based on CCS paper [CCS 11] A]er all the opvmizavons, constraint checking, a verifier verifies the final result in assembly code Removes everything before out of TCB Based on range analysis Found a few bugs in our implementavon 28
29 Performance EvaluaVon LLVM 2.9 To demonstrate retargetability: x86-32 x86-64 (small changes on x86-32) 29
30 CFI Overhead on SPEC2k 30 % 25 % 20 % 15 % 10 % x86-32: ~6% x86-64: ~8% gzip vpr gcc mcf crafty parser eon perlbmk gap vortex bzip2 twolf avg 5 % 0 % x86-32 x
31 Overhead of CFI with Data Sandboxing for Both Reads and Writes on SPEC2K 70 % 60 % 50 % 40 % 30 % 20 % x86-32: ~20% x86-64: ~25% gzip vpr gcc mcf crafty parser eon perlbmk gap vortex bzip2 twolf avg 10 % 0 % x86-32 x
32 Compare with Previous work s performance Even though our framework is retargetable and trustworthy, the performance is compevvve 32
33 Summary A retargetable framework for IRMs OpVmizaVons on checks CompeVVve performance Constraint language Range analysis based verifier 33
34 References [CFI] Abadi et al. Control- Flow Integrity Principles, ImplementaVons, and ApplicaVons, ACM CCS 2005 [csmith] Yang et al. Finding and Understanding Bugs in C Compilers, PLDI 2011 [HyperSafe] Wang et al. HyperSafe: A Lightweight Approach to Provide LifeVme Hypervisor Control- Flow Integrity, IEEE S&P 2010 [IRM] Erlingsson et al. The Inlined Reference Monitor Approach to Security Policy Enforcement, doctoral dissertavon, 2004 [NaVve Client] Yee et al. NaVve Client: A Sandbox for Portable, Untrusted x86 NaVve Code, IEEE S&P 2009 [PiSsfield] McCamant et al. EvaluaVng SFI for a CISCI Architecture, USENIX Security 2006 [ROP] Roemer et al. Return- oriented Programming: Systems, Languages, and ApplicaVons, ACM TISSEC 2012 [Shepherding] Kiriansky et al. Secure ExecuVon Via Program Shepherding, USENIX Security 2002 [SmashStack] Aleph One. Smashing the stack for fun and profit, Phrack Magazine, 1996 [XFI] Erlingsson et al. XFI: So]ware Guards for System Address Spaces, OSDI
35 Strato: A Retargetable Framework for Low- Level Inlined- Reference Monitors Thank you! QuesVons? Bin Zeng zeb209@lehigh.edu Gang Tan gtan@cse.lehigh.edu Úlfar Erlingsson ulfar@google.com 35
Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors
Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors Bin Zeng and Gang Tan, Lehigh University; Úlfar Erlingsson, Google Inc. This paper is included in the Proceedings of the 22nd USENIX
More informationControl Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University
Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
More informationSimple and Efficient Construction of Static Single Assignment Form
Simple and Efficient Construction of Static Single Assignment Form saarland university Matthias Braun, Sebastian Buchwald, Sebastian Hack, Roland Leißa, Christoph Mallon and Andreas Zwinkau computer science
More informationGreg Morrisett Dartmouth -- April 2014
Trustworthy Hardened Code Greg Morrisett Dartmouth -- April 2014 Much Help Gang Tan (Lehigh) Vikram Adve (Illinois) Andrew Myers (Cornell) Stephen Chong (Harvard) Jean-Baptiste Tristan (Oracle) Paul Govereau
More informationHDFI: Hardware-Assisted Data-flow Isolation
HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationShengyue Wang, Xiaoru Dai, Kiran S. Yellajyosula, Antonia Zhai, Pen-Chung Yew Department of Computer Science & Engineering University of Minnesota
Loop Selection for Thread-Level Speculation, Xiaoru Dai, Kiran S. Yellajyosula, Antonia Zhai, Pen-Chung Yew Department of Computer Science & Engineering University of Minnesota Chip Multiprocessors (CMPs)
More informationAries: Transparent Execution of PA-RISC/HP-UX Applications on IPF/HP-UX
Aries: Transparent Execution of PA-RISC/HP-UX Applications on IPF/HP-UX Keerthi Bhushan Rajesh K Chaurasia Hewlett-Packard India Software Operations 29, Cunningham Road Bangalore 560 052 India +91-80-2251554
More informationMitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011
Mitigating Code-Reuse Attacks with Control-Flow Locking Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Introduction Computer systems run complicated software, which is vulnerable We keep finding
More informationImprovements to Linear Scan register allocation
Improvements to Linear Scan register allocation Alkis Evlogimenos (alkis) April 1, 2004 1 Abstract Linear scan register allocation is a fast global register allocation first presented in [PS99] as an alternative
More informationEffective Memory Protection Using Dynamic Tainting
Effective Memory Protection Using Dynamic Tainting James Clause Alessandro Orso (software) and Ioanis Doudalis Milos Prvulovic (hardware) College of Computing Georgia Institute of Technology Supported
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationMidterm Review. COMS W4118 Prof. Kaustubh R. Joshi hcp://
Midterm Review COMS W4118 Prof. Kaustubh R. Joshi krj@cs.columbia.edu hcp://www.cs.columbia.edu/~krj/os References: OperaVng Systems Concepts (9e), Linux Kernel Development, previous W4118s Copyright no2ce:
More informationPOSH: A TLS Compiler that Exploits Program Structure
POSH: A TLS Compiler that Exploits Program Structure Wei Liu, James Tuck, Luis Ceze, Wonsun Ahn, Karin Strauss, Jose Renau and Josep Torrellas Department of Computer Science University of Illinois at Urbana-Champaign
More informationReusable Tools for Formal Modeling of Machine Code
Reusable Tools for Formal Modeling of Machine Code Gang Tan (Lehigh University) Greg Morrisett (Harvard University) Other contributors: Joe Tassarotti Edward Gan Jean-Baptiste Tristan (Oracle Labs) @ PiP;
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help
More informationDnmaloc: a more secure memory allocator
Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
More informationA Platform for Secure Static Binary Instrumentation
A Platform for Secure Static Binary Instrumentation Mingwei Zhang, Rui Qiao, Niranjan Hasabnis and R. Sekar Stony Brook University VEE 2014 Work supported in part by grants from AFOSR, NSF and ONR Motivation
More informationProtecting Dynamic Code by Modular Control-Flow Integrity
Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State Univ. At International Workshop on Modularity Across the System Stack (MASS) Mar 14 th, 2016, Malaga, Spain
More informationLow-level software security
Low-level software security App1 App2 Pictures such as these ones make sense only if a component cannot circumvent or hijack other components. Inter-component communication reference monitor Android middleware
More informationTo Detect Stack Buffer Overflow With Polymorphic Canaries
To Detect Stack Buffer Overflow With Polymorphic Canaries 何钟灵 April 29, 2018 1 Personal 1.1 intro This is based on an essay by Zhilong Wang in our group. Our group is named SECLAB in Lab 428, Building
More informationMonitor Integrity Protection with Space Efficiency and Separate Compilation
Monitor Integrity Protection with Space Efficiency and Separate Compilation ABSTRACT Ben Niu Lehigh University 19 Memorial Drive West Bethlehem, PA, 18015 ben210@lehigh.edu Low-level inlined reference
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationControl Flow Integrity
Control Flow Integrity Outline CFI Control Flow Integrity at Source Code Level BinCFI CFI for Binary Executables BinCC Binary Code Continent vfguard CFI Policy for Virtual Function Calls 1 M. Abadi, M.
More informationControl-Flow Integrity
Control-Flow Integrity Principles, Implementations, and Applications Martín Abadi Computer Science Dept. University of California Santa Cruz Mihai Budiu Úlfar Erlingsson Microsoft Research Silicon Valley
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationIntFlow: Integer Error Handling With Information Flow Tracking
mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29 IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D.
More informationSecuring Untrusted Code
Securing Untrusted Code Untrusted Code May be untrustworthy Intended to be benign, but may be full of vulnerabilities These vulnerabilities may be exploited by attackers (or other malicious processes)
More informationBaggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand
Baggy bounds checking Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand C/C++ programs are vulnerable Lots of exis5ng code in C and C++ More being wrieen every day C/C++ programs are prone to
More informationMicroarchitecture Overview. Performance
Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 18, 2005 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationWish Branch: A New Control Flow Instruction Combining Conditional Branching and Predicated Execution
Wish Branch: A New Control Flow Instruction Combining Conditional Branching and Predicated Execution Hyesoon Kim Onur Mutlu Jared Stark David N. Armstrong Yale N. Patt High Performance Systems Group Department
More informationCS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan
CS 6V81-05 Control-Flow Integrity Principles, Implementations, and Applications Sureshbabu Murugesan Department of Computer Science University of Texas at Dallas February 29 th, 2012 Outline 1 Overview
More informationRandomized Stress-Testing of Link-Time Optimizers
Randomized Stress-Testing of Link-Time Optimizers Vu Le, Chengnian Sun, Zhendong Su University of California, Davis 1 General Software Build Process r Linker 2 General Software Build Process r r Optimizations
More informationDongseok Jang Zachary Tatlock. UC San Diego Washington
Dongseok Jang Zachary Tatlock UC San Diego University of Washington Sorin Lerner UC San Diego e l b a r e n l Vu Control Flow Hijacking Lead Program to Jump to Unexpected Code That does what a7acker wants
More informationA Cross-Architectural Interface for Code Cache Manipulation. Kim Hazelwood and Robert Cohn
A Cross-Architectural Interface for Code Cache Manipulation Kim Hazelwood and Robert Cohn Software-Managed Code Caches Software-managed code caches store transformed code at run time to amortize overhead
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationInlining Java Native Calls at Runtime
Inlining Java Native Calls at Runtime (CASCON 2005 4 th Workshop on Compiler Driven Performance) Levon Stepanian, Angela Demke Brown Computer Systems Group Department of Computer Science, University of
More informationExtended protection against stack smashing attacks without performance loss
Extended protection against stack smashing attacks without performance loss Yves Younan 1 Davide Pozza 2 Frank Piessens 1 Wouter Joosen 1 1 DistriNet, Dept. of Computer Science 2 Dip. di Automatica e Informatica
More informationKoji Inoue Department of Informatics, Kyushu University Japan Science and Technology Agency
Lock and Unlock: A Data Management Algorithm for A Security-Aware Cache Department of Informatics, Japan Science and Technology Agency ICECS'06 1 Background (1/2) Trusted Program Malicious Program Branch
More informationHyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity
31 st IEEE Symposium on Security & Privacy, Oakland CA, May 16-19 2010 HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State
More informationTraceBack: First Fault Diagnosis by Reconstruction of Distributed Control Flow
TraceBack: First Fault Diagnosis by Reconstruction of Distributed Control Flow Andrew Ayers Chris Metcalf Junghwan Rhee Richard Schooler VERITAS Emmett Witchel Microsoft Anant Agarwal UT Austin MIT Software
More informationControl-Flow Integrity
Control-Flow Integrity Martín Abadi Computer Science Department University of California, Santa Cruz Mihai Budiu Microsoft Research Silicon Valley Úlfar Erlingsson Microsoft Research Silicon Valley Jay
More informationLow-Complexity Reorder Buffer Architecture*
Low-Complexity Reorder Buffer Architecture* Gurhan Kucuk, Dmitry Ponomarev, Kanad Ghose Department of Computer Science State University of New York Binghamton, NY 13902-6000 http://www.cs.binghamton.edu/~lowpower
More informationMany Cores, One Thread: Dean Tullsen University of California, San Diego
Many Cores, One Thread: The Search for Nontraditional Parallelism University of California, San Diego There are some domains that feature nearly unlimited parallelism. Others, not so much Moore s Law and
More informationBumyong Choi Leo Porter Dean Tullsen University of California, San Diego ASPLOS
Bumyong Choi Leo Porter Dean Tullsen University of California, San Diego ASPLOS 2008 1 Multi-core proposals take advantage of additional cores to improve performance, power, and/or reliability Moving towards
More informationEvaluating SFI for a CISC Architecture
Evaluating SFI for a CISC Architecture Stephen McCamant Massachusetts Institute of Technology Computer Science and AI Lab Cambridge, MA 02139 smcc@csail.mit.edu Greg Morrisett Harvard University Division
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationExecution-based Prediction Using Speculative Slices
Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of Wisconsin - Madison International Symposium on Computer Architecture July, 2001 The Problem Two major barriers
More informationEfficient protection against heap-based buffer overflows without resorting to magic 1
Efficient protection against heap-based buffer overflows without resorting to magic 1 Yves Younan, Wouter Joosen, and Frank Piessens DistriNet, Dept. of Computer Science, Katholieke Universiteit Leuven
More informationChapter 10. Improving the Runtime Type Checker Type-Flow Analysis
122 Chapter 10 Improving the Runtime Type Checker The runtime overhead of the unoptimized RTC is quite high, because it instruments every use of a memory location in the program and tags every user-defined
More informationPortable Software Fault Isolation
Portable Software Fault Isolation Joshua A. Kroll Computer Science Department Princeton University Princeton, NJ kroll@cs.princeton.edu Gordon Stewart Computer Science Department Princeton University Princeton,
More informationBuffer Overflow Attacks
Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];
More informationBit Flips in Memory Rowhammer Attacks and Defenses
Bit Flips in Memory Rowhammer Attacks and Defenses Memory Corruption Attacks Software code injection return-oriented programming Data Code Hardware Memory Corruption Attacks Software code injection return-oriented
More informationMicroarchitecture Overview. Performance
Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 15, 2007 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationBinary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code
University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis
More information15-740/ Computer Architecture Lecture 10: Runahead and MLP. Prof. Onur Mutlu Carnegie Mellon University
15-740/18-740 Computer Architecture Lecture 10: Runahead and MLP Prof. Onur Mutlu Carnegie Mellon University Last Time Issues in Out-of-order execution Buffer decoupling Register alias tables Physical
More informationMemory Allocator Security
Memory Allocator Security Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be
More informationFlexible Instrumentation for Software Dynamic Translation
Flexible Instrumentation for Software Dynamic Translation Naveen Kumar and Bruce Childers Department of Computer Science University of Pittsburgh {naveen, childers}@cs.pitt.edu http://www.cs.pitt.edu/copa
More informationSandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018
Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More information2D-Profiling: Detecting Input-Dependent Branches with a Single Input Data Set
2D-Profiling: Detecting Input-Dependent Branches with a Single Input Data Set Hyesoon Kim M. Aater Suleman Onur Mutlu Yale N. Patt Department of Electrical and Computer Engineering University of Texas
More informationControl Flow Integrity for COTS Binaries Report
Control Flow Integrity for COTS Binaries Report Zhang and Sekar (2013) January 2, 2015 Partners: Instructor: Evangelos Ladakis Michalis Diamantaris Giorgos Tsirantonakis Dimitris Kiosterakis Elias Athanasopoulos
More informationExtended Linear Scan: an Alternate Foundation for Global Register Allocation
Extended Linear Scan: an Alternate Foundation for Global Register Allocation Vivek Sarkar 1 and Rajkishore Barik 2 1 IBM T.J. Watson Research Center, Email: vsarkar@us.ibm.com 2 IBM India Research Laboratory,
More informationImpact of Cache Coherence Protocols on the Processing of Network Traffic
Impact of Cache Coherence Protocols on the Processing of Network Traffic Amit Kumar and Ram Huggahalli Communication Technology Lab Corporate Technology Group Intel Corporation 12/3/2007 Outline Background
More informationArchitecture Support for Defending Against Buffer Overflow Attacks
Architecture Support for Defending Against uffer Overflow Attacks Jun Xu, Zbigniew Kalbarczyk, Sanjay Patel and Ravishankar K. Iyer Center for Reliable and High-Performance Computing Coordinated Science
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationHigh System-Code Security with Low Overhead
High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and Johannes Kinder École Polytechnique Fédérale de Lausanne Royal Holloway, University of London High System-Code
More informationImproving memory management security for C and C++
Improving memory management security for C and C++ Yves Younan, Wouter Joosen, Frank Piessens, Hans Van den Eynden DistriNet, Katholieke Universiteit Leuven, Belgium Abstract Memory managers are an important
More informationA Framework For Trusted Instruction Execution Via Basic Block Signature Verification
A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenkovi, Aleksandar Milenkovi, Emil Jovanov Electrical and Computer Engineering ept. The University of Alabama
More informationMobile and Wireless Compu2ng CITS4419 Week 4: LoRa
Mobile and Wireless Compu2ng CITS4419 Week 4: LoRa Associate Professor Rachel Cardell-Oliver School of Computer Science & So;ware Engineering semester-2 2018 Low Power Wide Area Networks LPWAN Short range
More informationATOS introduction ST/Linaro Collaboration Context
ATOS introduction ST/Linaro Collaboration Context Presenter: Christian Bertin Development team: Rémi Duraffort, Christophe Guillon, François de Ferrière, Hervé Knochel, Antoine Moynault Consumer Product
More informationLockdown: Dynamic Control-Flow Integrity
Lockdown: Dynamic Control-Flow Integrity Mathias Payer Purdue University, USA Antonio Barresi ETH Zurich, Switzerland Thomas R. Gross ETH Zurich, Switzerland ABSTRACT Applications written in low-level
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationInserting Data Prefetches into Loops in Dynamically Translated Code in IA-32EL. Inserting Prefetches IA-32 Execution Layer - 1
I Inserting Data Prefetches into Loops in Dynamically Translated Code in IA-32EL Inserting Prefetches IA-32 Execution Layer - 1 Agenda IA-32EL Brief Overview Prefetching in Loops IA-32EL Prefetching in
More informationSpeculative Multithreaded Processors
Guri Sohi and Amir Roth Computer Sciences Department University of Wisconsin-Madison utline Trends and their implications Workloads for future processors Program parallelization and speculative threads
More informationKruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring
NDSS 2012 Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring Donghai Tian 1,2, Qiang Zeng 2, Dinghao Wu 2, Peng Liu 2 and Changzhen Hu 1 1 Beijing Institute of Technology
More informationCS261 Scribe Notes: Secure Computation 1
CS261 Scribe Notes: Secure Computation 1 Scriber: Cameron Rasmussen October 24, 2018 1 Introduction It is often the case that code is being run locally on our system that isn t completely trusted, a prime
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationSVF: Static Value-Flow Analysis in LLVM
SVF: Static Value-Flow Analysis in LLVM Yulei Sui, Peng Di, Ding Ye, Hua Yan and Jingling Xue School of Computer Science and Engineering The University of New South Wales 2052 Sydney Australia March 18,
More informationsecubt Hacking the Hackers with User Space Virtualization
secubt Hacking the Hackers with User Space Virtualization Mathias Payer Mathias Payer: secubt User Space Virtualization 1 Motivation Virtualizing and encapsulating running programs
More informationLow-Overhead Software Dynamic Translation
Low-Overhead Software Dynamic Translation Technical Report CS-2001-18 Kevin Scott, Jack W. Davidson, and Kevin Skadron Department of Computer Science University of Virginia Charlottesville, Virginia 22904
More informationAn Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code
An Abstract Stack Based Approach to Verified Compositional Compilation to Machine Code Yuting Wang 1, Pierre Wilke 1,2, Zhong Shao 1 Yale University 1, CentraleSupélec 2 POPL 19 January 18 th, 2019 Yuting
More informationPractical Control-Flow Integrity
Practical Control-Flow Integrity by Ben Niu Presented to the Graduate and Research Committee of Lehigh University in Candidacy for the Degree of Doctor of Philosophy in Computer Science Lehigh University
More informationOutline. Speculative Register Promotion Using Advanced Load Address Table (ALAT) Motivation. Motivation Example. Motivation
Speculative Register Promotion Using Advanced Load Address Table (ALAT Jin Lin, Tong Chen, Wei-Chung Hsu, Pen-Chung Yew http://www.cs.umn.edu/agassiz Motivation Outline Scheme of speculative register promotion
More informationCombining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018
Combining program verification with component-based architectures Alexander Senier BOB 2018 Berlin, February 23rd, 2018 About Componolit 2 What happens when we use what's best? 3 What s Best? Mid-90ies:
More informationISOLATION DEFENSES GRAD SEC OCT
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:
More informationEfficient protection against heap-based buffer overflows without resorting to magic
Efficient protection against heap-based buffer overflows without resorting to magic Yves Younan, Wouter Joosen, and Frank Piessens DistriNet, Dept. of Computer Science, Katholieke Universiteit Leuven Celestijnenlaan
More informationA Cost Effective Spatial Redundancy with Data-Path Partitioning. Shigeharu Matsusaka and Koji Inoue Fukuoka University Kyushu University/PREST
A Cost Effective Spatial Redundancy with Data-Path Partitioning Shigeharu Matsusaka and Koji Inoue Fukuoka University Kyushu University/PREST 1 Outline Introduction Data-path Partitioning for a dependable
More informationQPSI. Qualcomm Technologies Countermeasures Update
QPSI Qualcomm Technologies Countermeasures Update 1 Introduction Sometime back in 2010 Let s have exploit countermeasures on our products Why? Hard to fix all bugs. We might as well make them more fun
More informationMotivation. Overview. Scalable Dynamic Analysis for Automated Fault Location and Avoidance. Rajiv Gupta. Program Execution
Motivation Scalable Dynamic Analysis for Automated Fault Location and Avoidance Rajiv Gupta Funded by NSF grants from CPA, CSR, & CRI programs and grants from Microsoft Research Software bugs cost the
More informationEfficient Program Power Behavior Characterization
Efficient Program Power Behavior Characterization Chunling Hu Daniel A. Jiménez Ulrich Kremer Department of Computer Science {chunling, djimenez, uli}@cs.rutgers.edu Rutgers University, Piscataway, NJ
More informationLecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2016 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) HW3 submitted Course Admin Being graded Solution
More information