Security through Multi-Layer Diversity
|
|
- Julius Shields
- 5 years ago
- Views:
Transcription
1 Security through Multi-Layer Diversity Meng Xu (Qualifying Examination Presentation) 1
2 Bringing Diversity to Computing Monoculture Current computing monoculture leaves our infrastructure vulnerable to massive and rapid attacks. Knowing that victim systems run on a specific software stack, an attacker can compromise them deterministically. 2
3 3
4 4
5 Response from Security Community W R, ASLR, CFI, CPI, MPX Softbound, CETS Address Sanitizer, Memory Sanitizer, Thread Sanitizer 5
6 Limitations of Existing Schemes Widely-deployed security schemes: W R, ASLR, CFI Not hard to by-pass 6
7 Limitations of Existing Schemes Widely-deployed security schemes: W R, ASLR, CFI Not hard to by-pass More sophisticated schemes: LLVM sanitizers Offer protection against only specific vulnerabilities Refuse to be combined due to conflicts in design 7
8 Limitations of Existing Schemes Widely-deployed security schemes: W R, ASLR, CFI Not hard to by-pass More sophisticated schemes: LLVM sanitizers Offer protection against only specific vulnerabilities Refuse to be combined due to conflicts in design Accumulated overhead: Softbound + CETS 110% slowdown 8
9 A Biological Inspiration Even the deadliest virus cannot kill all species because of gene diversity 9
10 Enhance System Security Through Diversity Input Software Stack Output 10
11 Enhance System Security Through Diversity Input Input Virtualization Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 11 Output
12 Enhance System Security Through Diversity Input (benign) Input Virtualization Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 12 Output (consensus)
13 Enhance System Security Through Diversity Input (malicious) Input Virtualization Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 13 No output (divergence)
14 Enhance System Security Through Diversity Input (malicious) Input Virtualization An attacker has to simultaneously compromise all variants in order to to compromise the whole system Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 14 No output (divergence)
15 Enhance System Security Through Diversity Input Process Zend Linux Software Stack Implementation Platform Output 15
16 Enhance System Security Through Diversity Input Input Virtualization Process ASan MSan UBSan Zend Linux Software Stack Zend Zend Zend Linux Linux Linux Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 16 Output
17 Enhance System Security Through Diversity Input Input Virtualization ASan MSan UBSan Zend Implementation Zend HHVM JPHP Linux Software Stack Linux Linux Linux Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 17 Output
18 Enhance System Security Through Diversity Input Input Virtualization ASan MSan UBSan Zend Zend HHVM JPHP Linux Platform Linux Windows MacOS Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 18 Output
19 Enhance System Security Through Diversity Input Input Virtualization Bunshin (ATC 17) ASan MSan UBSan Zend Future work Zend HHVM JPHP Linux PlatPal (Security 17) Linux Windows MacOS Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 19 Output
20 Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee Georgia Tech Presented at the 2017 USENIX Annual Technical Conference (ATC 17) 20
21 Battle against Memory Errors Protect dangerous operation using sanity checks: Auto-applied at compile time void foo(t *a) { *a = 0x1234; } Sanitize void foo(t *a) { if(!is_valid_address(a) { report_and_abort(); } *a = 0x1234; } 21
22 Battle against Memory Errors Memory Error Main Causes Defenses Lack of length check Out-of-bound read/write Use-after-free Uninitialized read Undefined behaviors Integer overflow Format string bug Bad type casting Dangling pointer Double free Lack of initialization Data structure alignment Subword copying Divide-by-zero Pointer misalignment Null-pointer dereference Softbound AddressSanitizer CETS AddressSanitizer MemorySanitizer UndefinedBehaviorSanitizer 22
23 Comprehensive Protection with Bunshin Accumulated execution slowdown Example: Softbound + CETS 110% slowdown Bunshin: Reduce to 60% or 40% (depends on the config) Implementation conflicts Example: AddressSanitizer and MemorySanitizer Bunshin: Seamlessly enforce conflicting sanitizers 23
24 Challenges for Bunshin How to generate these variants? What properties they should have? How to make them appear as one to outsiders? What is a behavior and what is a divergence? What if the sanitizers introduces new behaviors? Multi-threading support? 24
25 Variant Generation Principles Check distribution Sanitizer distribution 25
26 Check Distribution Input Input Virtualization Partition 1 Partition 1 Partition 2 Partition 3 Program Partition 2 Partition 3 Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output 26
27 Sanitizer Distribution Input Input Virtualization A D D R E S S M E M O R Y U N D E F Program A D D R E S S M E M O R Y Variant 1 Variant 2 Variant 3 U N D E F Output Synchronize Execution & Consolidate Outputs Output 27
28 Cost Profiling Calculate the slowdown caused by the sanity checks void foo(t *a) { timing_start(); *a = 0x1234; timing_end(); } void foo(t *a) { timing_start(); if(!is_valid_address(a) { report_and_abort(); } *a = 0x1234; timing_end(); } 28
29 Cost Distribution Equally distribute overhead to variants so that they execute at the same speed Foo Bar 17% 28% Foo Baz 17% 35% Variant 1 (52% overhead) Baz Qux 35% 20% Bar Qux 28% 20% Variant 2 (48% overhead) 29
30 Variant Generation Process Source code Security mechanisms (e.g., ASan, MSan, UBSan) Variant generator Costs profiling opt. Overhead distribution opt. Variant compiling Variants full w/ MSan w/ ASan... w/ UBSan w/ ASan... selective 30
31 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result sync slot 31
32 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel 1 Leader enters syscall Syscall number Arguments Execution result sync slot 32
33 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result sync slot 2 Followers enter syscall 33
34 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result 3 Kernel execute the syscall only once sync slot 34
35 System Call Synchronization Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel 4 Leader fetches syscall result Syscall number Arguments Execution result sync slot 4 Followers fetch syscall result 35
36 Strict and Selective Lockstep Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Leader writes at the next available slot Followers read at their own speed sync ring buffer 36
37 Strict and Selective Lockstep Partition 1 Partition 2 Userspace Partition 3 Leader Follower 1 Follower 2 Kernel Always strictly synchronized for write related system calls sync ring buffer 37
38 Multi-threading Support Before fork Original Execution group After fork New Execution group Leader New ring buffer Follower 1 Follower 2 38
39 Multi-threading Support Before fork Original Execution group Works if there is no interleaving After fork between threads New Execution group Leader New ring buffer Follower 1 Follower 2 39
40 Multi-threading Support Leader Follower 1 Follower 2 Userspace Kernel Record Enforce Enforce Total order of lock acquisition and releases 40
41 Multi-threading Support Leader Follower 1 Follower 2 Userspace Kernel Works under Record weak determinism Enforce Enforce (data race-free programs) Implementation specific (pthread APIs only) Total order of lock acquisition and releases 41
42 Evaluate Bunshin Robustness and Security Efficiency and Scalability Protection Distribution Case Studies 42
43 Robustness Benchmark Single/Multi-thread Featuer Pass? SPEC CPU2006 Single SPLASH-2x Multi CPU Intensive PARSEC Multi 6 out of 13 lighttpd Single I/O Intensive nginx Multi python, php Single Interpreter 43
44 Security RIPE Benchmark Config Succeed Probabilistic Failed Not possible Default AddressSanitizer Bunshin Real-world CVEs Config CVE Exploits Sanitizer Detect nginx Blind ROP AddressSanitizer cpython Integer overflow AddressSanitizer php Type confusion AddressSanitizer openssl-1.0.1a Heartbleed AddressSanitizer httpd Null dereference UndefinedBehaviorSanitizer 44
45 Performance Benchmark Items Strict-Lockstep Selective-Lockstep Max 17.5% 14.7% SPEC CPU2006 (19 Programs) Min 1.6% 1.0% Ave 8.6% 5.6% Max 21.4% 18.9% SPLASH-2X / PARSEC (19 Programs) Min 10.7% 6.6% Ave 16.6% 14.5% lighttpd 1MB File Request nginx 1MB File Request Ave 1.44% 1.21% Ave 1.71% 1.41% 45
46 Performance Highlights Low overhead (5% - 16%) for standard benchmarks Negligible overhead (<= 2%) for server programs Extra cost of ensuring weak determinism is 8% Selective-lockstep saves around 3% overhead 46
47 Scalability - Number of Variants Ave Max Min 37.6 Sync Overhead (%) Number of variants 47
48 Scalability - Number of Variants Ave Max Min 37.6 Sync Overhead (%) The number of variants Bunshin can support with a reasonable 17.2 overhead depends on machine configurations and program characteristics Number of variants 48
49 Scalability - System Load Ave Max Min 13 Sync Overhead (%) % 50% 99% Number of variants 49
50 Scalability - System Load Ave Max Min 13 Sync Overhead (%) 6.4 Bunshin works well in all levels of system load (i.e., Bunshin does not require exclusive cores) % 50% 99% Number of variants 50
51 Check Distribution - ASan Overhead (%) Overhead (%) Whole V1 V2 Bunshin Whole V1 V2 V3 Bunshin 51
52 Sanitizer Distribution - UBSan Overhead (%) Overhead (%) Whole V1 V2 Bunshin Whole V1 V2 V3 Bunshin 52
53 Unifying LLVM Sanitizers ASan MSan UBSan Bunshin Overhead (%) gobmk povray h264ref average 53
54 Unifying LLVM Sanitizers ASan MSan UBSan Bunshin Overhead (%) With 165 an average of 5% more slowdown, 141 Bunshin can seamlessly unify all three LLVM sanitizers gobmk povray h264ref average 54
55 Limitations and Future Work Finer-grained check distribution Sanitizer integration Record-and-replay 55
56 Conclusion It is feasible to achieve both comprehensive protection and high throughput with an N-version system Bunshin is effective in reducing slowdown caused by sanitizers 107% 47.1% for ASan, 228% 94.5% for UBSan Bunshin can seamlessly unify three LLVM sanitizers with 5% extra slowdown (Source code will be released soon) 56
57 Enhance System Security Through Diversity Input Input Virtualization Bunshin (ATC 17) ASan MSan UBSan Zend Future work Zend HHVM JPHP Linux PlatPal (Security 17) Linux Windows MacOS Software Stack Variant 1 Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs 57 Output
58 PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Tech Presented at the 2017 USENIX Security Symposium (Security 17) 58
59 Malicious Documents On the Rise 59
60 60
61 61
62 Adobe Components Exploited Element parser JavaScript engine 137 CVEs in 2015 Font manager 227 CVEs in 2016 System dependencies 62
63 Maldoc Formula Flexibility of doc spec A large attack surface More opportunities to profit Less caution from users 63
64 Battle against Maldoc - A Survey Category Focus Work Year Detection JavaScript PJScan 2011 Lexical analysis JavaScript Vatamanu et al Token clustering JavaScript Lux0r 2014 API reference classification Static JavaScript MPScan 2013 Shellcode and opcode sig Metadata PDF Malware Slayer 2012 Linearized object path Metadata Srndic et al Hierarchical structure Metadata PDFrate 2012 Content meta-features Both Maiorca et al Many heuristics combined JavaScript MDScan 2011 Shellcode and opcode sig JavaScript PDF Scrutinizer 2012 Known attack patterns Dynamic JavaScript ShellOS 2011 Memory access patterns JavaScript Liu et al Common attack behaviors Memory CWXDetector 2012 Violation of invariants 64
65 Reliance on External PDF Parser Category Focus Work Year Detection External Parser? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 65
66 Reliance on External PDF Parser Category Focus Work Year Detection External Parser? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Parser-confusion attacks Metadata Srndic et al Hierarchical structure Yes (Carmony et al., NDSS 16) Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 66
67 Reliance on Machine Learning Category Focus Work Year Detection Machine Learning? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns No JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 67
68 Reliance on Machine Learning Category Focus Work Year Detection Machine Learning? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Automatic classifier evasions Metadata Srndic et al Hierarchical structure Yes (Xu et al., NDSS 16) Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns No JavaScript Liu et al Common attack behaviors No Memory CWXDetector 2012 Violation of invariants No 68
69 Reliance on Known Attacks Category Focus Work Year Detection Known Attacks? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig Yes Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 69
70 Reliance on Known Attacks Category Focus Work Year Detection Known Attacks? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig Yes Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes How about zero-day attacks? Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig Yes JavaScript PDF Scrutinizer 2012 Known attack patterns Yes Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 70
71 Reliance on Detectable Discrepancy (between benign and malicious docs) Category Focus Work Year Detection Discrepancy? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Metadata Srndic et al Hierarchical structure Yes Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 71
72 Reliance on Detectable Discrepancy (between benign and malicious docs) Category Focus Work Year Detection Discrepancy? JavaScript PJScan 2011 Lexical analysis Yes JavaScript Vatamanu et al Token clustering Yes JavaScript Lux0r 2014 API reference classification Yes Static JavaScript MPScan 2013 Shellcode and opcode sig No Metadata PDF Malware Slayer 2012 Linearized object path Yes Mimicry and reverse mimicry attacks Metadata Srndic et al Hierarchical structure Yes (Srndic et al., Oakland 14 and Maiorca et al, AsiaCCS 13) Metadata PDFrate 2012 Content meta-features Yes Both Maiorca et al Many heuristics combined Yes JavaScript MDScan 2011 Shellcode and opcode sig No JavaScript PDF Scrutinizer 2012 Known attack patterns No Dynamic JavaScript ShellOS 2011 Memory access patterns Yes JavaScript Liu et al Common attack behaviors Yes Memory CWXDetector 2012 Violation of invariants No 72
73 Highlights of the Survey Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy Parser-confusion attacks Automatic classifier evasion Zero-day attacks Mimicry and reverse mimicry 73
74 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 74
75 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 75
76 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 76
77 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 77
78 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 78
79 Motivations for PlatPal Prior works rely on External PDF parsers Machine learning Known attack signatures Detectable discrepancy What PlatPal aims to achieve Using Adobe s parser Using only simple heuristics Capable to detect zero-days Do not assume discrepancy Complementary to prior works 79
80 A Motivating Example A CVE PoC against Adobe Reader SHA-1: d cb0b4bfcc73fc007bfeb6d84 80
81 81
82 82
83 Platform Diversity as A Heuristic When the same document is opened across different platforms: A benign document behaves the same A malicious document behaves differently 83
84 Questions for PlatPal What is a behavior? What is a divergence? How to trace them? How to compare them? 84
85 PlatPal Basic Setup Virtual Machine 1? Virtual Machine 2 Adobe Reader Adobe Reader Windows Host MacOS Host 85
86 PlatPal Dual-Level Tracing Virtual Machine 1? Virtual Machine 2 Adobe Reader Internal Tracer Traces of PDF processing Adobe Reader Internal Tracer Windows Host MacOS Host 86
87 PlatPal Dual-Level Tracing Virtual Machine 1? Virtual Machine 2 Adobe Reader Internal Tracer Traces of PDF processing Adobe Reader Internal Tracer Syscalls External Tracer Windows Host Impacts on host platform Syscalls External Tracer MacOS Host 87
88 PlatPal Internal Tracer Adobe Reader Internal Tracer COS object parsing PD tree construction Script execution Other actions Element rendering Implemented as an Adobe Reader plugin. Hooks critical functions and callbacks during the PDF processing lifecycle. Very fast and stable across Adobe Reader versions. 88
89 PlatPal External Tracer Virtual Machine Adobe Reader Filesystem Operations Network Activities Syscalls External Tracer Program Executions Normal Exit or Crash Host Platform Implemented based on NtTrace (for Windows) and Dtrace (for MacOS). Resembles high-level system impacts in the same manner as Cuckoo guest agent. Starts tracing only after the document is loaded into Adobe Reader. 89
90 PlatPal Automated Workflow PlatPal <file-to-check> Restore Clean Snapshot Restore Clean Snapshot Launch Adobe Reader Launch Adobe Reader Attach External Tracer Attach External Tracer Open PDF Open PDF Drive PDF by Internal Tracer Drive PDF by Internal Tracer Dump Traces Dump Traces Windows VM Compare Traces MacOS VM 90
91 Evaluate PlatPal Robustness against benign samples A benign document behaves the same? Effectiveness against malicious samples A malicious document behaves differently? Speed and resource usages 91
92 Robustness 1000 samples from Google search. 30 samples that use advanced features in PDF standards from PDF learning sites. Sample Type Number of Samples Divergence Detected? (i.e., False Positive) Plain PDF 966 No Embedded fonts 34 No JavaScript code 32 No AcroForm 17 No 3D objects 2 No 92
93 Effectiveness 320 malicious samples from VirusTotal with CVE labels. Restricted to analyze CVEs published after Use the most recent version of Adobe Reader when the CVE is published. 93
94 Effectiveness Analysis Results of 320 Maldoc Samples 24% 65% 11% No Divergence Both Crash Divergence 94
95 Effectiveness Analysis Results of 320 Maldoc Samples Breakdown of 77 potentially false positives 24% 25% 65% 11% 47% 3% 26% No Divergence 95 Targets old versions Mis-classified by AV vendor No malicious activity trigerred Unknown
96 Time and Resource Usages Average Analysis Time Breakdown (unit. Seconds) Item Windows MacOS Snapshot restore Document parsing Script execution Element rendering Total Resource Usages 2GB memory per running virtual machine. 60GB disk space for Windows and MacOS snapshots that each corresponds to one of the 6 Adobe Readers versions. 96
97 Evaluation Highlights Confirms our fundamental assumption in general: benign document behaves the same malicious document behaves differently PlatPal is subject to the pitfalls of dynamic analysis i.e., prepare the environment to lure the malicious behaviors Incurs reasonable analysis time to make PlatPal practical 97
98 Further Analysis What could be the root causes of these divergences? 98
99 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Memory Management Platform Features 99
100 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Syscall semantics Both the syscall number and the register set used to hold syscall arguments are different Calling convention rcx, rdx, r8 for first 3 args rdi, rsi, rdx for first 3 args Library dependencies e.g., LoadLibraryA e.g. dlopen Memory Management Platform Features 100
101 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Syscall semantics Both the syscall number and the register set used to hold syscall arguments are different Calling convention rcx, rdx, r8 for first 3 args rdi, rsi, rdx for first 3 args Library dependencies e.g., LoadLibraryA e.g. dlopen Memory Management Memory layout Offset from attack point (e.g., overflowed buffer) to target address (e.g., vtable entries) are different Heap management Segment heap Magazine malloc Platform Features 101
102 Diversified Factors across Platforms Category Factor Windows MacOS Shellcode Creation Syscall semantics Both the syscall number and the register set used to hold syscall arguments are different Calling convention rcx, rdx, r8 for first 3 args rdi, rsi, rdx for first 3 args Library dependencies e.g., LoadLibraryA e.g. dlopen Memory Management Memory layout Offset from attack point (e.g., overflowed buffer) to target address (e.g., vtable entries) are different Heap management Segment heap Magazine malloc Executable format COM, PE, NE Mach-O Platform Features Filesystem semantics \ as separator, prefixed drive letter C:\ / as separator, no prefixed drive letter Config and info hub registry proc Expected programs MS Office, IE, etc Safari, etc 102
103 Back to The Motivating Example 1. Allocate bytes chunks 2. Free 1 in every Load a 300-byte malicious BMP image 4. Corrupt heap metadata due to a buffer overflow 5. Free BMP image, but what is actually freed is slot 9 6. A vtable of 300-byte is allocated on slot 9, which is attacker controlled 103
104 Another Case Study CVE PoC Example 104
105 Bypass PlatPal? An attacker has to simultaneously compromise all platforms in order to bypass PlatPal. 105
106 Limitations of PlatPal User-interaction driven attacks Social engineering attacks e.g., fake password prompt Other none-determinism to cause divergences e.g., JavaScript gettime or RNG functions 106
107 Potential Deployment of PlatPal Not suitable for on-device analysis. Best suited for cloud storage providers which can scan for maldocs among existing files or new uploads. Also fits the model of online malware scanning services like VirusTotal. As a complementary scheme, PlatPal can be integrated with prior works to provide better prediction accuracy. 107
108 Conclusion It is feasible to harvest platform diversity for malicious document detection. PlatPal raises no false alarms in benign samples and detects a variety of behavioral discrepancies in malicious samples. PlatPal is scalable with various ways to deploy and integrate. (Source code will be released soon) 108
109 Future Works on Diversity Framework Implementation diversity Case study: PHP interpreters: Zend vs HHVM Integration with fuzzing Divergence as an indicator of exception, in addition to crashes and failed assertions Integration with symbolic execution Test whether two functionally similar modules enforce the same sequence and types of checks 109
110 Future Works on Diversity Framework Implementation diversity Case study: PHP interpreters: Zend vs HHVM Integration with fuzzing Divergence as an indicator of exception, in addition to crashes and failed assertions Integration with symbolic execution Test whether two functionally similar modules enforce the same sequence and types of checks 110
111 Future Works on Diversity Framework Implementation diversity Case study: PHP interpreters: Zend vs HHVM Integration with fuzzing Divergence as an indicator of exception, in addition to crashes and failed assertions Integration with symbolic execution Test whether two functionally similar modules enforce the same sequence and types of checks 111
112 Publications 1. Checking Open-Source License Violation and 1-day Security Risk at Large Scale Ruian Duan, Ashish Bijlani, Meng Xu, Taesoo Kim, and Wenke Lee In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS'17) 2. PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu, and Taesoo Kim In Proceedings of the 26th USENIX Security Symposium (Security'17) 3. Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee In Proceedings of the 2017 USENIX Annual Technical Conference (ATC'17) 4. Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques Meng Xu, Chengyu Song, Yang ji, Ming-Wei Shih, Kangjie Lu, Cong Zheng, Ruian Duan, Yeongjin Jang, Byoungyoung Lee, Chenxiong Qian, Sangho Lee, and Taesoo Kim In ACM Computing Surveys (CSUR) Volume 49, Issue 2, August UCognito: Private Browsing without Tears Meng Xu, Yeongjin Jang, Xinyu Xing, Taesoo Kim, and Wenke Lee. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS'15) 112
PlatPal: Detecting Malicious Documents with Platform Diversity
PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationBunshin: Compositing Security Mechanisms through Diversification
Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, and Wenke Lee, Georgia Institute of Technology https://www.usenix.org/conference/atc17/technical-sessions/presentation/xu-meng
More informationBUNSHIN: Compositing Security Mechanisms through Diversification (with Appendix)
BUNSHIN: Compositing Security Mechanisms through Diversification (with Appendix) Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee Georgia Institute of Technology in practice. One reason is that the slowdown
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationUniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationSGXBounds Memory Safety for Shielded Execution
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,
More informationHDFI: Hardware-Assisted Data-flow Isolation
HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia
More informationKruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring
NDSS 2012 Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring Donghai Tian 1,2, Qiang Zeng 2, Dinghao Wu 2, Peng Liu 2 and Changzhen Hu 1 1 Beijing Institute of Technology
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationSoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14
SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationCSC 405 Introduction to Computer Security Fuzzing
CSC 405 Introduction to Computer Security Fuzzing Alexandros Kapravelos akaprav@ncsu.edu Let s find some bugs (again) We have a potentially vulnerable program The program has some inputs which can be controlled
More informationBlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA
BlackBox Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA Why Security Monitoring?
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationk-depth Mimicry Attack to Secretly Embed Shellcode into PDF Files
k-depth Mimicry Attack to Secretly Embed Shellcode into PDF Files Jaewoo Park and Hyoungshick Kim Department of Software, Sungkyunkwan University 2066 Seobu-ro, Suwon, Republic of Korea {bluereaper,hyoung}@skku.edu
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationCS-527 Software Security
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationMemory Safety for Low- Level Software/Hardware Interactions
Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve Safety Future is Bright User-space memory safety is improving Safe languages SAFECode,
More informationCS527 Software Security
Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and
More informationEnhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationSecure Coding Techniques
Secure Coding Techniques "... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc] "Distrust and caution are the parents
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationNew features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany
New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope
More informationGuarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University
Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University http://hexhive.github.io 1 Vulnerabilities everywhere? 2 Common Languages: TIOBE 18 Jul 2018 Jul 2017 Change Language 1
More informationSecurity Bugs in Embedded Interpreters
Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL Embedded interpreters Host system Bytecode Input Embedded
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationAdvanced Systems Security: New Threats
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationSECURING SOFTWARE SYSTEMS BY PREVENTING INFORMATION LEAKS
SECURING SOFTWARE SYSTEMS BY PREVENTING INFORMATION LEAKS A Thesis Presented to The Academic Faculty by Kangjie Lu In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationCopyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis
Finding security vulnerabilities by fuzzing and dynamic code analysis Security Vulnerabilities Top code security vulnerabilities don t change much: Security Vulnerabilities Top code security vulnerabilities
More informationCNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated
CNIT 127: Exploit Development Ch 18: Source Code Auditing Updated 4-10-17 Why Audit Source Code? Best way to discover vulnerabilities Can be done with just source code and grep Specialized tools make it
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationDeep instinct For MSSPs
Deep instinct For MSSPs Deep Instinct Solution Deep Instinct is the first and only Endpoint & Mobile Cybersecurity solution that is based on a proprietary deep learning framework that was specifically
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationOSSPolice - Identifying Open-Source License Violation and 1-day Security Risk at Large Scale
OSSPolice - Identifying Open-Source License Violation and 1-day Security Risk at Large Scale Ruian Duan, Ashish Bijlani, Meng Xu Taesoo Kim, Wenke Lee ACM CCS 2017 1 Background Open Source Software (OSS)
More informationStack Bounds Protection with Low Fat Pointers
Stack Bounds Protection with Low Fat Pointers Gregory J. Duck, Roland H.C. Yap, and Lorenzo Cavallaro NDSS 2017 Overview Heap Bounds Protection with Low Fat Pointers, CC 2016 Stack New method for detecting
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationGraphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij
Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationSandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees
SandBlast Agent FAQ What is Check Point SandBlast Agent? Check Point SandBlast Agent defends endpoints and web browsers with a complete set of realtime advanced browser and endpoint protection technologies,
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationOS Security IV: Virtualization and Trusted Computing
1 OS Security IV: Virtualization and Trusted Computing Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab2 More questions? 3 Virtual machine monitor +-----------+----------------+-------------+
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationCore GraphicsMemory Corruption CVE PDF Indexed colorspace buffer overflow
security research Core GraphicsMemory Corruption CVE-2014-4377 PDF Indexed colorspace buffer overflow Apple CoreGraphics library fails to validate the input when parsing the colorspace specification of
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationLast week. Data on the stack is allocated automatically when we do a function call, and removed when we return
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...
More informationA Data Driven Approach to Designing Adaptive Trustworthy Systems
A Data Driven Approach to Designing Adaptive Trustworthy Systems Ravishankar K. Iyer (with A. Sharma, K. Pattabiraman, Z. Kalbarczyk, Center for Reliable and High-Performance Computing Department of Electrical
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationEnhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationSoftware security, secure programming
Software security, secure programming Lecture 4: Protecting your code against software vulnerabilities? (overview) Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Preamble Bad news several
More informationInkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin
InkTag: Secure lications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your... should you? The is the software root of trust on most
More informationHow to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis
White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationLINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL. Saar Amar Recon brx 2018
LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018 WHO AM I? Saar Amar Security Researcher @AmarSaar Pasten CTF team member saaramar OUTLINE World s quickest
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationCS510 Operating System Foundations. Jonathan Walpole
CS510 Operating System Foundations Jonathan Walpole File System Performance File System Performance Memory mapped files - Avoid system call overhead Buffer cache - Avoid disk I/O overhead Careful data
More informationProcess Dump Analyses
Process Dump Analyses 1 Process Dump Analyses Forensical acquisition and analyses of volatile data Tobias Klein tk@trapkit.de Version 1.0, 2006/07/22. Process Dump Analyses 2 1 Overview There is a general
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationHA2lloc: Hardware-Assisted Secure Allocator
HA2lloc: Hardware-Assisted Secure Allocator Orlando Arias, Dean Sullivan, Yier Jin {oarias,dean.sullivan}@knights.ucf.edu yier.jin@ece.ufl.edu University of Central Florida University of Florida June 25,
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationHacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh
More informationSTING: Finding Name Resolution Vulnerabilities in Programs
STING: Finding Name Resolution ulnerabilities in Programs Hayawardh ijayakumar, Joshua Schiffman, Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationCyber Moving Targets. Yashar Dehkan Asl
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationAPISan: Sanitizing API Usages through Semantic Cross-checking
APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik Georgia Institute of Technology 1 APIs in today s software are plentiful
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationJSgraph Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions
JSgraph Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions Bo Li, Phani Vadrevu, Kyu Hyung Lee, and Roberto Perdisci Dept. of Computer Science - University
More informationRelease Notes McAfee Application Control 6.1.0
Release Notes McAfee Application Control 6.1.0 About this document New features Known issues Resolved issues Installation instructions Find product documentation About this document Thank you for choosing
More informationHeaps of Heap-based Memory Attacks
Heaps of Heap-based Memory Attacks Kevin Leach kleach2@gmu.edu Center for Secure Information Systems 3 October 2012 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October 2012 1 / 23 Goals During
More informationSecure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs
More informationAdon'tbe an Adobe victim
Adon'tbe an Adobe victim An overview of how recent Adobe-related flaws affect your web application Joshua Stabiner EY Agenda Introductions Background Cross-site scripting (PDF) Overview Exploit Mitigation
More informationTales from cloud nine. Mihai Chiriac, BitDefender
Tales from cloud nine Mihai Chiriac, BitDefender Talk outline Motivation Technical challenges Implementation results Future ideas Conclusions Reasons Malware numbers have grown at exponential rates 5000000
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationPractical Techniques for Regeneration and Immunization of COTS Applications
Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,
More information