Security Bugs in Embedded Interpreters
|
|
- Silvester Cummings
- 6 years ago
- Views:
Transcription
1 Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL
2 Embedded interpreters Host system Bytecode Input Embedded interpreter Output
3 Embedded interpreters Host system Bytecode Input Embedded interpreter Output Define an instruction set in the form of bytecode
4 Embedded interpreters Host system Bytecode Input Embedded interpreter Output Define an instruction set in the form of bytecode Interpret and execute bytecode on a virtual machine
5 Embedded interpreters Host system Bytecode Input Embedded interpreter Output Define an instruction set in the form of bytecode Interpret and execute bytecode on a virtual machine Usually light-weight, and no process-level sandboxing
6 Prevalence of embedded interpreters and related vulnerabilities
7 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities
8 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML CVE CVE CVE CVE CVE CVE
9 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE
10 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE
11 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE
12 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE FreeType TrueType / Type 1 Charstring CVE CVE
13 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE FreeType TrueType / Type 1 Charstring CVE CVE
14 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE FreeType TrueType / Type 1 Charstring CVE CVE
15 Our contributions Studies of 10 widely-used embedded interpreters in real world Studies of known vulnerabilities Security guidelines Research opportunities
16 Why do people use embedded interpreter?
17 A packet filtering example Monitor all packets that do not originate from * or * $"tcpdump" ip"src"net"not"( /24"or" /24)
18 A packet filtering example Monitor all packets that do not originate from * or * $"tcpdump" ip"src"net"not"( /24"or" /24) Strawman 1: user space filtering The kernel passes all packets to tcpdump ip*src*net*not* ( /24*or* /24) tcpdump filtered packets kernel ***** ***** packets
19 A packet filtering example Monitor all packets that do not originate from * or * $"tcpdump" ip"src"net"not"( /24"or" /24) Strawman 1: user space filtering The kernel passes all packets to tcpdump Flexibility Security Performance ip*src*net*not* ( /24*or* /24) tcpdump filtered packets kernel ***** ***** packets
20 A packet filtering example
21 A packet filtering example Strawman II: extensible kernel module
22 A packet filtering example Strawman II: extensible kernel module tcpdump uploads compiled native code to the kernel ip*src*net*not* ( /24*or* /24) tcpdump kernel Native code ld*****12(%ebx),*%eax* test***%eax,*$0x800 jeq****l3 ld*****26(%ebx),*%eax and****%eax,*$0xffffff00 ********... filtered packets ***** ***** packets Kernel module
23 A packet filtering example Strawman II: extensible kernel module tcpdump uploads compiled native code to the kernel Flexibility Performance Security ip*src*net*not* ( /24*or* /24) tcpdump kernel Native code ld*****12(%ebx),*%eax* test***%eax,*$0x800 jeq****l3 ld*****26(%ebx),*%eax and****%eax,*$0xffffff00 ********... filtered packets ***** ***** packets Kernel module
24 Solution: Berkeley Packet Filter (BPF)
25 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump
26 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program
27 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program
28 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program BPF interpreter
29 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter
30 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets
31 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets Flexibility
32 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets Flexibility Performance no IPC & context switch overhead
33 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets Flexibility Performance no IPC & context switch overhead Security no direct control of the real machine
34 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets
35 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** ***** packets BPF interpreter Filtered packets
36 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Untrusted input Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** packets ***** BPF interpreter Filtered packets
37 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Untrusted input Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** packets ***** BPF interpreter Filtered packets
38 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Untrusted input Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** packets ***** BPF interpreter Filtered packets
39 Security of embedded interpreters
40 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution
41 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution Untrusted input Must execute the bytecode defensively
42 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution Untrusted input Must execute the bytecode defensively No strict isolation Must prevent bugs in embedded interpreters from affecting the host system
43 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution Untrusted input Must execute the bytecode defensively No strict isolation Must prevent bugs in embedded interpreters from affecting the host system Embedded interpreters that fail to do so (correctly) will be vulnerable
44 Vulnerability case studies Untrusted bytecode INET_DIAG infinite loop vulnerability (CVE ) Untrusted input ClamAV signed division vulnerability No strict isolation FreeType arbitrary code execution vulnerability (CVE )
45 INET DIAG infinite loop vulnerability
46 INET DIAG infinite loop vulnerability $*ss*...
47 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej:
48 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: suspicious Socket suspicious files state (trusted) files
49 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; suspicious Socket suspicious files state (trusted) files
50 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; suspicious Socket suspicious files state (trusted) files
51 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... suspicious Socket suspicious files state (trusted) files """"bc"+="opp>oplen; """"len"p="opp>oplen; }
52 INET DIAG infinite loop vulnerability $*ss*... """""sge""""21,"l1,"rej""";"02"04"... 02"00 L1:""sge""1024,"L2,"acc""";"02"04"... 02"00 L2:""jmp""rej""""""""""""";"01"04"... 01"00 acc:"nop"""""""""""""""""";"00"04 00"00 rej: Userspace filter code struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... suspicious Socket suspicious files state (trusted) files """"bc"+="opp>oplen; """"len"p="opp>oplen; } Infinite loop when op^>oplen is zero
53 INET DIAG infinite loop vulnerability $*ss*... """""sge""""21,"l1,"rej""";"02"04"... 02"00 L1:""sge""1024,"L2,"acc""";"02"04"... 02"00 L2:""jmp""rej""""""""""""";"01"04"... 01"00 acc:"nop"""""""""""""""""";"00"04 00"00 rej: Userspace filter code struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... suspicious Socket suspicious files state (trusted) files """"bc"+="opp>oplen; """"len"p="opp>oplen; } Infinite loop when op^>oplen is zero
54 INET DIAG infinite loop vulnerability $*ss*... """""sge""""21,"l1,"rej""";"02"04"... 02"00 L1:""sge""1024,"L2,"acc""";"02"04"... 02"00 L2:""jmp""rej""""""""""""";"01"04"... 01"00 acc:"nop"""""""""""""""""";"00"04 00"00 rej: Userspace filter code suspicious Socket suspicious files state (trusted) files struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... +"""if"(opp>oplen"<"min_len)"//"min_len"is"at"least"4 +"""""""return"peinval; """"bc"+="opp>oplen; """"len"p="opp>oplen; } Infinite loop when op^>oplen is zero
55 Vulnerability case studies Untrusted bytecode INET_DIAG infinite loop vulnerability (CVE ) Untrusted input ClamAV signed division vulnerability No strict isolation FreeType arbitrary code execution vulnerability (CVE )
56 ClamAV signed division vulnerability
57 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b...
58 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "...
59 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... switch"(opcode)"{ Interpreter code... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } }
60 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... switch"(opcode)"{ Interpreter code... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } }
61 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... Interpreter code switch"(opcode)"{... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } } Might trap on a/0 and INT64_MIN*/*^1
62 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... WRONG! Should swap a and b Interpreter code switch"(opcode)"{... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } } Might trap on a/0 and INT64_MIN*/*^1
63 Vulnerability case studies Untrusted bytecode INET_DIAG infinite loop vulnerability (CVE ) Untrusted input ClamAV signed division vulnerability No strict isolation FreeType arbitrary code execution vulnerability (CVE )
64 FreeType arbitrary code execution JailbreakMe CVE
65 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font JailbreakMe CVE
66 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font JailbreakMe CVE
67 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE
68 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE
69 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE
70 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs;
71 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs; Did not validate nargs is in range
72 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs; Did not validate nargs is in range
73 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer JailbreakMe }; CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs; Overwrite function pointer Did not validate nargs is in range
74 Security guidelines
75 Security guidelines A better solution: process isolation Running interpreter in a separate OS process Can prevent bugs in the interpreter from affecting the host system Example: Chrome browser
76 Security guidelines A better solution: process isolation Running interpreter in a separate OS process Can prevent bugs in the interpreter from affecting the host system Example: Chrome browser Exceptions Application requires extreme performance No processes (e.g. OS kernels)
77 Pitfall 1: complex feature sets
78 Pitfall 1: complex feature sets Feature vs. vulnerability checklist The more expressive a bytecode is, the wider range of attack vectors there could be
79 Pitfall 1: complex feature sets Feature vs. vulnerability checklist The more expressive a bytecode is, the wider range of attack vectors there could be Feature set Arithmetic operations Loops (backward jumps) Function calls External calls to the host Register file or scratch memory Potential attack vectors Div-by-zero, integer overflow Infinite loops, DoS Infinite recursion, stack overflow Arbitrary code execution Information leak
80 Pitfall 1: complex feature sets Feature vs. vulnerability checklist The more expressive a bytecode is, the wider range of attack vectors there could be Feature set Arithmetic operations Loops (backward jumps) Function calls External calls to the host Register file or scratch memory Potential attack vectors Div-by-zero, integer overflow Infinite loops, DoS Infinite recursion, stack overflow Arbitrary code execution Information leak Advices Do not over-design Example: bitcoin disabled many unused opcodes
81 Pitfall 2: resource consumption
82 Pitfall 2: resource consumption Unconstrained resource consumption can cause DoS attack to the host system
83 Pitfall 2: resource consumption Unconstrained resource consumption can cause DoS attack to the host system Advices Limit execution time or total number of instructions Limit stack growth and depth of nested calls Terminate the bytecode and reclaim resources when necessary
84 Pitfall 3: calls to the host system Allowing calling external functions from the bytecode is a bad idea Break interpreter / host isolation Examples: python s pickle library Easily leads to arbitrary code execution
85 Pitfall 3: calls to the host system Allowing calling external functions from the bytecode is a bad idea Break interpreter / host isolation Easily leads to arbitrary code execution Examples: python s pickle library Advices Need a clean and explicit interface Ideally, all interaction with external world should be limit to input and output
86 Research Opportunities
87 Research Opportunities Testing embedded interpreters
88 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated
89 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated Symbolic testing Challenge: control flow highly depends on the bytecode
90 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated Symbolic testing Challenge: control flow highly depends on the bytecode Building reusable embedded interpreter Embedded interpreter? General-purpose bytecode (e.g. Java)
91 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated Symbolic testing Challenge: control flow highly depends on the bytecode Building reusable embedded interpreter Challenge: trade-off between complexity and generality Embedded interpreter Size of runtime? Performance Portability General-purpose bytecode (e.g. Java)
92 References BPF: S. McCanne and V. Jacobson. The BSD packet filter: A new architecture for userlevel packet capture. USENIX ATC 93. ClamAV: A. Wu. Bytecode signatures for polymorphic malware. RarVM: T. Ormandy. Fun with constrained programming. FreeType: J. Sigwald. Analysis of the jailbreakme v3 font exploit. Pickles: M. Slaviero. Sour pickles: Shellcoding in Python s serialization format. media.blackhat.com/bh-us-11/slaviero/bh_us_11_slaviero_sour_pickles_wp.pdf. DWARF: J. Oakley and S. Bratus. Exploiting the hard-working DWARF: Trojan and exploit techniques with no native executable code. USENIX WOOT 11. JIT: C. Rohlf and Y. Ivnitskiy. The security challenges of client-side Just-in-Time engines. IEEE S&P 12.
93 Conclusion Embedded interpreters and their vulnerabilities are prevalent in real world Pitfalls and security guidelines Research opportunities Testing embedded interpreters Building reusable embedded interpreters
94 Q & A Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL
ISOLATION DEFENSES GRAD SEC OCT
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:
More information6.828: OS/Language Co-design. Adam Belay
6.828: OS/Language Co-design Adam Belay Singularity An experimental research OS at Microsoft in the early 2000s Many people and papers, high profile project Influenced by experiences at
More informationWEB BROWSER SANDBOXING: SECURITY AGAINST WEB ATTACKS
WEB BROWSER SANDBOXING: SECURITY AGAINST WEB ATTACKS AVAR 2011 by Rajesh Nikam Security Simplified CONTENTS Rise of Web Attacks Application Vulnerabilities Existing Protection Mechanisms Need for Effective
More informationARMlock: Hardware-based Fault Isolation for ARM
ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou, Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xi an Jiaotong University Florida State University Software is Complicated
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationSystem Administration and Network Security
System Administration and Network Security Master SSCI, M2P subject Duration: up to 3 hours. All answers should be justified. Clear and concise answers will be rewarded. 1 Network Administration To keep
More informationJIT Code Generator for NetBSD. Alexander Nasonov EuroBSDCon 2014, Sofia
JIT Code Generator for NetBSD Alexander Nasonov EuroBSDCon 2014, Sofia BPF JIT Project Started on Dec 26, 2011 as external project https:// github.com/alnsn/bpfjit. Added to the NetBSD
More informationJitk: A Trustworthy In-Kernel Interpreter Infrastructure
Jitk: A Trustworthy In-Kernel Interpreter Infrastructure Xi Wang, David Lazar, Nickolai Zeldovich, and Adam Chlipala, MIT CSAIL; Zachary Tatlock, University of Washington https://www.usenix.org/conference/osdi14/technical-sessions/presentation/wang_xi
More informationSECURING SOFTWARE AGAINST LIBRARY ATTACKS
SECURING SOFTWARE AGAINST LIBRARY ATTACKS Roland Yap School of Computing National University of Singapore ryap@comp.nus.edu.sg Session ID: DAS W05 Session Classification: Advanced Untrusted Libraries Software
More information19.1. Security must consider external environment of the system, and protect it from:
Module 19: Security The Security Problem Authentication Program Threats System Threats Securing Systems Intrusion Detection Encryption Windows NT 19.1 The Security Problem Security must consider external
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationTowards Optimization-Safe Systems
Dude, where s my code? Towards Optimization-Safe Systems Analyzing the Impact of Undefined Behavior Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, and Armando Solar-Lezama MIT CSAIL Belief: compiler ==
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationSandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018
Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!
More informationImproving Integer Security for Systems with KINT. Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS
Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS Integer error Expected result goes out of bounds Math ( -
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationIntroduction. CS 2210 Compiler Design Wonsun Ahn
Introduction CS 2210 Compiler Design Wonsun Ahn What is a Compiler? Compiler: A program that translates source code written in one language to a target code written in another language Source code: Input
More informationJava Security HotJava to Netscape and Beyond
Java Security HotJava to Netscape and Beyond Drew Dean Ed Felten Dan Wallach Department of Computer Science Princeton University 4/5/96 Introduction Q Remote Code is Everywhere Q Java - A new language
More informationA Bytecode Interpreter for Secure Program Execution in Untrusted Main Memory
A Bytecode Interpreter for Secure Program Execution in Untrusted Main Memory Maximilian Seitzer, Michael Gruhn, Tilo Müller Friedrich Alexander Universität Erlangen-Nürnberg https://www1.cs.fau.de Introduction
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationBlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA
BlackBox Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA Why Security Monitoring?
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationPflua. Filtering packets with LuaJIT FOSDEM 2015 Andy Wingo. https://github.com/igalia/pflua
Pflua Filtering packets with LuaJIT FOSDEM 2015 Andy Wingo wingo@igalia.com https://github.com/igalia/pflua Agenda Story time High-performance packet filtering in software Pflua Forward-looking statements
More informationSugar: Secure GPU Acceleration in Web Browsers
Sugar: Secure GPU Acceleration in Web Browsers Zhihao Yao, Zongheng Ma, Yingtong Liu, Ardalan Amiri Sani, Aparna Chandramowlishwaran Trustworthy Systems Lab, UC Irvine 1 WebGL was released in 2011 2 Source:
More informationLast week. Data on the stack is allocated automatically when we do a function call, and removed when we return
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...
More informationPlan for Today. Safe Programming Languages. What is a secure programming language?
cs2220: Engineering Software Class 19: Java Security Java Security Plan for Today Java Byte s () and Verification Fall 2010 UVa David Evans Reminder: Project Team Requests are due before midnight tomorrow
More informationThe Java Language Implementation
CS 242 2012 The Java Language Implementation Reading Chapter 13, sections 13.4 and 13.5 Optimizing Dynamically-Typed Object-Oriented Languages With Polymorphic Inline Caches, pages 1 5. Outline Java virtual
More informationEfficient Software Based Fault Isolation. Software Extensibility
Efficient Software Based Fault Isolation Robert Wahbe, Steven Lucco Thomas E. Anderson, Susan L. Graham Software Extensibility Operating Systems Kernel modules Device drivers Unix vnodes Application Software
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationSecurity Architecture
Security Architecture We ve been looking at how particular applications are secured We need to secure not just a few particular applications, but many applications, running on separate machines We need
More informationT-SGX: Eradicating Controlled-Channel
T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee Taesoo Kim Marcus Peinado Georgia Institute of Technology Microsoft Research 2 3 Intel SGX aims to secure
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationAdvanced Systems Security: New Threats
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationSoftware and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1
Software and Web Security 1 Reflections on using C(++) Root Cause Analysis Abstractions Assumptions Trust sws1 1 There are only two kinds of programming languages: the ones people complain about and the
More informationExplicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières
Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationCSE 544 Advanced Systems Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
NET3420BU Introducing VMware s Transformative Data Center Endpoint Security Solution Vijay Ganti Director, Product Management VMware Christopher Frenz Director of Infrastructure Interfaith Medical Center
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationIntFlow: Integer Error Handling With Information Flow Tracking
mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29 IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D.
More informationBringing Android to Secure SDRs
Bringing Android to Secure SDRs David Kleidermacher Frank Vandenberg SDR 11 WinnComm - Europe Agenda Overview Why Android in SDR? Android Security Proposed Architecture Typical red-black architecture for
More informationUsing Java for Scientific Computing. Mark Bul EPCC, University of Edinburgh
Using Java for Scientific Computing Mark Bul EPCC, University of Edinburgh markb@epcc.ed.ac.uk Java and Scientific Computing? Benefits of Java for Scientific Computing Portability Network centricity Software
More informationReturn-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim Page 1 Motivation (1) Operating systems separate system
More informationAN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE
AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers
More informationSECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM
1 SRIFY: A COMPOSITIONAL APPROACH OF BUILDING SRITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Reasoning with Untrusted Components
More informationControl Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University
Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
More informationTolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...
More information6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014
6.858 Quiz 2 Review Android Security Haogang Chen Nov 24, 2014 1 Security layers Layer Role Reference Monitor Mandatory Access Control (MAC) for RPC: enforce access control policy for shared resources
More informationManaged. Code Rootkits. Hooking. into Runtime. Environments. Erez Metula ELSEVIER. Syngress is an imprint of Elsevier SYNGRESS
Managed Code Rootkits Hooking into Runtime Environments Erez Metula ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEWYORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Syngress is an imprint
More informationHigh-Level Language VMs
High-Level Language VMs Outline Motivation What is the need for HLL VMs? How are these different from System or Process VMs? Approach to HLL VMs Evolutionary history Pascal P-code Object oriented HLL VMs
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationCSc 453 Interpreters & Interpretation
CSc 453 Interpreters & Interpretation Saumya Debray The University of Arizona Tucson Interpreters An interpreter is a program that executes another program. An interpreter implements a virtual machine,
More informationLearning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels
Learning Outcomes Extended OS An appreciation that the abstract interface to the system can be at different levels. Virtual machine monitors (VMMs) provide a lowlevel interface An understanding of trap
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationContainer Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He
Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He Containers are amazing! Year 2013: Docker Inc. released its container engine Million downloads and about 8,000 docker
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationComputer Security Course. Midterm Review
Computer Security Course. Dawn Song Midterm Review In class: Logistics On time: 4:10-5:30pm Wed 1 8x11 page cheat sheet allowed Special requirements: see TA Part I, II, III Scope Software Security Secure
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationLast time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control
Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating
More informationCS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationPacket Sniffing and Spoofing
Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Packet Sniffing and Spoofing Chester Rebeiro IIT Madras Shared Networks Every network packet reaches every
More informationVeil: Private Browsing Semantics without Browser-side Assistance. Frank Wang (MIT CSAIL), James Mickens (Harvard), Nickolai Zeldovich (MIT CSAIL)
Veil: Private Browsing Semantics without Browser-side Assistance Frank Wang (MIT CSAIL), James Mickens (Harvard), Nickolai Zeldovich (MIT CSAIL) 1 All popular browsers offer private browsing In private
More informationTapir: a language for verified OS kernel probes
Tapir: a language for verified OS kernel probes Ilya Yanok, Nathaniel Nystrom 4 Oct 2015 Motivation System debugging and tuning Systems are large and complex Problems often occur only after deployment
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More information18-642: Code Style for Compilers
18-642: Code Style for Compilers 9/6/2018 2017-2018 Philip Koopman Programming can be fun, so can cryptography; however they should not be combined. Kreitzberg and Shneiderman 2017-2018 Philip Koopman
More informationSecurity Research at Harvard SEAS. Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct
Security Research at Harvard SEAS Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct 17 2012 What Must You Trust? Bank Browser User-level libraries EVERYTHING Operating
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.893 Fall 2009 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationCeedo Client Family Products Security
ABOUT THIS DOCUMENT Ceedo Client Family Products Security NOTE: This document DOES NOT apply to Ceedo Desktop family of products. ABOUT THIS DOCUMENT The purpose of this document is to define how a company
More informationThe benefits and costs of writing a POSIX kernel in a high-level language
1 / 38 The benefits and costs of writing a POSIX kernel in a high-level language Cody Cutler, M. Frans Kaashoek, Robert T. Morris MIT CSAIL Should we use high-level languages to build OS kernels? 2 / 38
More informationSymantec Ransomware Protection
Symantec Ransomware Protection Protection Against Ransomware Defense in depth across all control points is required to stop ransomware @ Email Symantec Email Security.cloud, Symantec Messaging Gateway
More informationNail. A Practical Tool for Parsing and Generating Data Formats. Julian Bangert, Nickolai Zeldovich MIT CSAIL. OSDI 14 October 2014
Nail A Practical Tool for Parsing and Generating Data Formats Julian Bangert, Nickolai Zeldovich MIT CSAIL OSDI 14 October 2014 1 / 12 Motivation Parsing Vulnerabilities hand-crafted input parsing and
More informationAdvanced Programming & C++ Language
Advanced Programming & C++ Language ~6~ Introduction to Memory Management Ariel University 2018 Dr. Miri (Kopel) Ben-Nissan Stack & Heap 2 The memory a program uses is typically divided into four different
More informationPlatPal: Detecting Malicious Documents with Platform Diversity
PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOutline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction
Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationMWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents
Contents MWR InfoSecurity Security Advisory IBM Lotus Domino Accept- Language Stack Overflow 20 th May 2008 2008-05-20 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationWe will see how this Android SDK class. public class OpenSSLX509Certificate extends X509Certificate {
We will see how this Android SDK class public class OpenSSLX509Certificate extends X509Certificate { } private MISSING MODIFIER BEFORE OUR DISCLOSURE! (NOW PATCHED) final long mcontext; One Class to Rule
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationProgrammable Dataplane
Programmable Dataplane THE NEXT STEP IN SDN? S I M O N J O U E T S I M O N. J O U E T @ G L A S G O W. A C. U K H T T P : / / N E T L A B. D C S.G L A. A C. U K GTS TECH+FUTURES WORKSHOP - SIMON JOUET
More informationControl Flow Hijacking Attacks. Prof. Dr. Michael Backes
Control Flow Hijacking Attacks Prof. Dr. Michael Backes Control Flow Hijacking malicious.pdf Contains bug in PDF parser Control of viewer can be hijacked Control Flow Hijacking Principles Normal Control
More informationhbpf: A Library and Embedded DSL for BPF Assembly Generation
hbpf: A Library and Embedded DSL for BPF Assembly Generation Andrew Duffy agd@cs.stanford.edu Matt Denton mdenton@cs.stanford.edu ABSTRACT The contribution presented by the authors is two-fold. First,
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationAn introduction to the Katsuni theorem and its application to sandboxing and software emulation. Jonathan Brossard (Toucan System)
An introduction to the Katsuni theorem and its application to sandboxing and software emulation Jonathan Brossard (Toucan System) 25/09/2013 Who am I? - Security researcher, publishing since 2005. - Past
More informationVirtual machines (e.g., VMware)
Case studies : Introduction to operating systems principles Abstraction Management of shared resources Indirection Concurrency Atomicity Protection Naming Security Reliability Scheduling Fairness Performance
More information