Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
|
|
- Aubrey Eaton
- 5 years ago
- Views:
Transcription
1 Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1
2 Motivation Buffer overflow attacks modify the control flow of a program Exploit unsafe writes to overwrite the stack pointers Function returns to the location specified by the attacker Numerous security measures proposed to counteract: No execute (NX) page bit - prevents non-code memory pages from being executed Address space location randomization (ASLR) - Randomizes some bits in virtual addresses If we can recover the randomized ASLR bits, may make this less difficult Can we exploit a hardware side-channel to do this? 2
3 Goals of the Attack Recover the randomized (ASLR) bits of the virtual memory address by exploiting (and measuring) collision delays in the Branch Target Buffer (BTB) Do so to recover both userland ASLR and kernel ASLR (KASLR) bits Then attacker can proceed with the buffer overflow attack However, attacker needs to be able to do this using an unprivileged process No special privileges No memory disclosures 3
4 Branch Target Buffer (BTB) 4
5 The Attack in a Nutshell Multiple addresses can map to the same location in the BTB On Intel Haswell processors, cache tag is only a portion of the upper-order address bits, while virtual addresses are 48 bits Attacker process causes collisions in the BTB using branch instructions This increases latency of the attacker process, as its previously-loaded BTB entries were overwritten by the victim From these latency measurements, we can significantly narrow down (or guess outright) the ASLR bits of the victim process or the kernel 5
6 Attacking Other Userland Processes Attacker loads some code into memory at a location where the upper order address bits of the attacker code match targeted code in the victim Send signal to victim process to execute targeted code Victim will execute, overwriting attacker s entry in the BTB When attacker resumes, it will execute its branch and measure execution time If branch took longer than usual to run, likely indicates a BTB collision Only causes slowdown if target addresses of branches in attacker and victim differ Intel states incorrect BTB prediction causes 8 cycle IF bubble Average measured time over multiple attempts for increased accuracy Spy T2 Spy T1 Victim T cycles (+11.12) cycles Victim T (+9.17) cycles
7 Attacking the Kernel Kernel utilizes same virtual address space as attacker process We know that the first 18 bits of the kernel address (out of 48) are fixed Can t utilize same virtual address as the kernel, but using only the upper-order portions of the last 31 bits for the BTB tag gets around this issue (at least on Intel Haswell processors) Therefore, the attack can be done in a manner similar to userland processes However, it s easier to run targeted code in the kernel due to syscalls 7
8 KASLR in Linux KASLR generates random bits during boot Determines offset for physical memory location of kernel Same offset is applied to virtual memory Only 9 bits randomized 8
9 Recovering KASLR Bits Locate branch instruction in kernel to execute List potential addresses for branch, and at each one Allocate buffer Load with code containing branch and time-measurement instruction Activate kernel branch Activate spy branch Measure time taken to execute spy branch 9
10 KASLR Recovery Results Experiment performed using open system call Intentionally provide incorrect file name Increases speed Reduces noise 512 possible addresses for branch 50 measurements collected at each address Attack done in 60 milliseconds 10
11 Recovering Userland ASLR Bits Similar to KASLR bit recovery Targets victim process with branch instruction Makes list of potential addresses Allocates buffer at address Forces victim to call branch and use BTB Spy runs jump multiple times and measures time Measures again with spy branching to different target 11
12 ASLR Co-residency For KASLR, every process has kernel For userland ASLR, attack needs to ensure co-residency to get BTB collisions Two methods to ensure co-residency Load all cores with dummy processes, except core with victim and spy Have spy run on every core 12
13 Experimental Results Not all ASLR bits retrieved Bits 12 to 40 randomized Only 18 bits used in BTB Checking 100 addresses took about 1 second Further optimizations could improve performance 13
14 Technical Insights ASLR vulnerability exposed Potential mitigation techniques proposed Software solutions Finer grained ASLR Fuzzing timing measurements For KASLR, randomize higher order bits for every process launch Hardware Solutions Full virtual address for accessing BTB For kernel, add secret value to BTB hash function Use different hash value for each process Flush BTB on context switches Each BTB could be marked with process ID 14
15 Related Work Other side channel attacks Cache side channels (many works) Branch predictor attack to get secret keys (Aciicmez et al) Branch predictor attack to build inter-process communication channel (Evtyushkin et al) Other ASLR work Brute-force attacks (Shacham et al) Memory disclosure attacks (Roglia et al) Attacking KASLR by causing cache collisions b/w kernel and userland processes (Hund et al) TLB manipulation attack to reveal kernel memory pages (Hund et al) BTB attacks are simpler and do not rely on noisy cache measurements 15
16 Conclusion By causing collisions in the Branch Target Buffer (BTB), we can recover (or at least narrow down) ASLR bits This mechanism is extremely effective for both userland processes and the kernel The authors proposed multiple mechanisms, both in software and hardware, to close this side channel and prevent ASLR bits from being recovered 16
17 Discussion Points For userland ASLR attack, not all random bits are known by end of attack. Is this acceptable? Essentially reduces difficulty of a brute force attack Is the method of maximizing process calls on all cores but one sufficiently stealthy? Is there a software mechanism that could be developed to detect this attack? This would be useful on older systems designed before this side channel was discovered. One of the mitigations the authors propose is finer-grained randomization of ASLR, even going as far as to do this at an instruction-level granularity. Would this cause any difficulties for developers? Particularly during debugging? 17
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationIntel Analysis of Speculative Execution Side Channels
Intel Analysis of Speculative Execution Side Channels White Paper Revision 1.0 January 2018 Document Number: 336983-001 Intel technologies features and benefits depend on system configuration and may require
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationSpectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationLAZARUS: Practical Side-channel Resilient Kernel-Space Randomization
LAZARUS: Practical Side-channel Resilient Kernel-Space Randomization David Gens 1, Orlando Arias 2, Dean Sullivan 2, Christopher Liebchen 1, Yier Jin 2, and Ahmad-Reza Sadeghi 1 1 CYSEC/Technische Universität
More informationMicro-Architectural Attacks and Countermeasures
Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationMeltdown and Spectre - understanding and mitigating the threats
Meltdown and Spectre - understanding and mitigating the threats Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @RenditionSec The sky isn t falling!
More informationVersion:1.1. Overview of speculation-based cache timing side-channels
Author: Richard Grisenthwaite Date: January 2018 Version 1.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationBranch Prediction & Speculative Execution. Branch Penalties in Modern Pipelines
6.823, L15--1 Branch Prediction & Speculative Execution Asanovic Laboratory for Computer Science M.I.T. http://www.csg.lcs.mit.edu/6.823 6.823, L15--2 Branch Penalties in Modern Pipelines UltraSPARC-III
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationVersion:2.1. Overview of speculation-based cache timing side-channels
Date: May 2018 Version 2.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers at Google on new potential cache
More informationFirst order of Business
First order of Business First order of Business You probably feel like this MBE TA s Hardware Enforced Model 0: Privileged, Kernelspace 3: Restricted, Userspace Hardware Enforced Model 0: Privileged,
More informationWhite Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS
White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS INTRODUCTION Speculative execution is a basic principle of all modern processor designs and is critical to support high performance
More informationarxiv: v2 [cs.cr] 16 Jun 2018
SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation Khaled N. Khasawneh Department of Computer Science and Engineering University of California, Riverside Email: kkhas1@ucr.edu
More informationInstruction Level Parallelism (Branch Prediction)
Instruction Level Parallelism (Branch Prediction) Branch Types Type Direction at fetch time Number of possible next fetch addresses? When is next fetch address resolved? Conditional Unknown 2 Execution
More informationInferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim, Georgia Institute of Technology; Marcus Peinado, Microsoft
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationThe Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018
The Story of Meltdown and Spectre Jann Horn & Daniel Gruss May 17, 2018 1 Who are we Jann Horn Google Project Zero jannh@google.com 2 Who are we Daniel Gruss Post-Doc @ Graz University Of Technology @lavados
More informationDan Noé University of New Hampshire / VeloBit
Dan Noé University of New Hampshire / VeloBit A review of how the CPU works The operating system kernel and when it runs User and kernel mode Device drivers Virtualization of memory Virtual memory Paging
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationSecure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs
More informationMicro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationLecture 13: Branch Prediction
S 09 L13-1 18-447 Lecture 13: Branch Prediction James C. Hoe Dept of ECE, CMU March 4, 2009 Announcements: Spring break!! Spring break next week!! Project 2 due the week after spring break HW3 due Monday
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationHardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
More informationAddress Translation. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Address Translation Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics How to reduce the size of page tables? How to reduce the time for
More informationRooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018
Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationProtection. Thierry Sans
Protection Thierry Sans Protecting Programs How to lower the risk of a program security flaw resulting from a bug? 1. Build better programs 2. Build better operating systems Build Better Programs Why are
More informationCNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated
CNIT 127: Exploit Development Ch 18: Source Code Auditing Updated 4-10-17 Why Audit Source Code? Best way to discover vulnerabilities Can be done with just source code and grep Specialized tools make it
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationDefense against the AnC Attack on BOOM Rui Hou, Xiaoxin Li, Wei Song, Dan Meng
Defense against the AnC Attack on BOOM Rui Hou, Xiaoxin Li, Wei Song, Dan Meng 单击此处编辑母版标题样式 Outline Security vulnerabilities due to resource sharing AnC attack Solution RCL PTE-isolation Security vulnerabilities
More informationPredicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters
Predicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters Junaid Nomani and Jakub Szefer Computer Architecture and Security Laboratory Yale University junaid.nomani@yale.edu
More informationCOS 318: Operating Systems. Virtual Memory and Address Translation
COS 318: Operating Systems Virtual Memory and Address Translation Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Today s Topics
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationTo accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh
To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based
More informationVirtual Memory. Motivation:
Virtual Memory Motivation:! Each process would like to see its own, full, address space! Clearly impossible to provide full physical memory for all processes! Processes may define a large address space
More informationLec 22: Interrupts. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements
Lec 22: Interrupts Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University HW 3 HW4: due this Friday Announcements PA 3 out Nov 14 th Due Nov 25 th (feel free to turn it in early) Demos and
More informationMulti-level Translation. CS 537 Lecture 9 Paging. Example two-level page table. Multi-level Translation Analysis
Multi-level Translation CS 57 Lecture 9 Paging Michael Swift Problem: what if you have a sparse address space e.g. out of GB, you use MB spread out need one PTE per page in virtual address space bit AS
More informationLast 2 Classes: Introduction to Operating Systems & C++ tutorial. Today: OS and Computer Architecture
Last 2 Classes: Introduction to Operating Systems & C++ tutorial User apps OS Virtual machine interface hardware physical machine interface An operating system is the interface between the user and the
More informationSecuring High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher.
Securing High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher.celio, jose.renau} @esperantotech.com 8th RISC-V Workshop Barcelona,
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More information6.004 Tutorial Problems L22 Branch Prediction
6.004 Tutorial Problems L22 Branch Prediction Branch target buffer (BTB): Direct-mapped cache (can also be set-associative) that stores the target address of jumps and taken branches. The BTB is searched
More informationAn Introduction to Platform Security
presented by An Introduction to Platform Security Spring 2018 UEFI Seminar and Plugfest March 26-30, 2018 Presented by Brent Holtsclaw and John Loucaides (Intel) Legal Notice No computer system can be
More informationCSE 4/521 Introduction to Operating Systems. Lecture 15 Virtual Memory I (Background, Demand Paging) Summer 2018
CSE 4/521 Introduction to Operating Systems Lecture 15 Virtual Memory I (Background, Demand Paging) Summer 2018 Overview Objective: To describe the benefits of a virtual memory system. To explain the concept
More informationVirtual Memory. Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University
Virtual Memory Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University Precise Definition of Virtual Memory Virtual memory is a mechanism for translating logical
More informationVIRTUAL MEMORY II. Jo, Heeseung
VIRTUAL MEMORY II Jo, Heeseung TODAY'S TOPICS How to reduce the size of page tables? How to reduce the time for address translation? 2 PAGE TABLES Space overhead of page tables The size of the page table
More informationXen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016
Xen and the Art of Virtualization CSE-291 (Cloud Computing) Fall 2016 Why Virtualization? Share resources among many uses Allow heterogeneity in environments Allow differences in host and guest Provide
More informationCIS Operating Systems Memory Management Address Translation. Professor Qiang Zeng Fall 2017
CIS 5512 - Operating Systems Memory Management Address Translation Professor Qiang Zeng Fall 2017 Outline Fixed partitions Dynamic partitions Con$guous alloca$on: Each process occupies a con$guous memory
More informationPROCESS VIRTUAL MEMORY. CS124 Operating Systems Winter , Lecture 18
PROCESS VIRTUAL MEMORY CS124 Operating Systems Winter 2015-2016, Lecture 18 2 Programs and Memory Programs perform many interactions with memory Accessing variables stored at specific memory locations
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationPangu 9 Internals. Tielei Wang and Hao Xu
Pangu 9 Internals Tielei Wang and Hao Xu Team Pangu Agenda ios Security Overview Pangu 9 Overview Userland Exploits Kernel Patching in Kernel Patch Protections Persistent Code Signing Bypass Conclusion
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationComputer Architecture: Branch Prediction. Prof. Onur Mutlu Carnegie Mellon University
Computer Architecture: Branch Prediction Prof. Onur Mutlu Carnegie Mellon University A Note on This Lecture These slides are partly from 18-447 Spring 2013, Computer Architecture, Lecture 11: Branch Prediction
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationCacheZoom: How SGX Amplifies The Power of Cache Attacks
CacheZoom: How SGX Amplifies The Power of Cache Attacks Ahmad Moghimi, Gorka Irazoqui, and Thomas Eisenbarth Worcester Polytechnic Institute, Worcester, MA, USA {amoghimi,girazoki,teisenbarth}@wpi.edu
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationlpengfei Ding & Chenfu Bao lsecurity Researcher & Baidu X-Lab lfocused on Mobile, IoT and Linux kernel security
lpengfei Ding & Chenfu Bao lsecurity Researcher & Developer @ Baidu X-Lab lfocused on Mobile, IoT and Linux kernel security l Introduction l Past Compat Vulnerabilities l Newly Identified Compat Vulnerabilities
More informationUG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects
Announcements UG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects Inf3 Computer Architecture - 2017-2018 1 Last time: Tomasulo s Algorithm Inf3 Computer
More informationSpeculative Execution Side Channel Mitigations
Speculative Execution Side Channel Mitigations Revision 3.0 May 2018 Any future revisions to this content can be found at https://software.intel.com/security-software-guidance/ when new information is
More informationChapter 8 Main Memory
COP 4610: Introduction to Operating Systems (Spring 2014) Chapter 8 Main Memory Zhi Wang Florida State University Contents Background Swapping Contiguous memory allocation Paging Segmentation OS examples
More informationCSCI 8530 Advanced Operating Systems. Part 8 High-level Memory Management
CSCI 8530 Advanced Operating Systems Part 8 High-level Memory Management Updated 9/27/2016 Location of High-level Memory Management in the Hierarchy Our Approach to Memory Management (Review) Divide memory
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationS$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing and its Application to AES
2015 IEEE Symposium on Security and Privacy S$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing and its Application to AES Gorka Irazoqui Worcester Polytechnic Institute Worcester,USA
More informationCS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!
CS 642 Homework #4 Due Date: 11:59 p.m. on Tuesday, May 1, 2007 Warning! In this assignment, you will construct and launch attacks against a vulnerable computer on the CS network. The network administrators
More informationFaRM: Fast Remote Memory
FaRM: Fast Remote Memory Problem Context DRAM prices have decreased significantly Cost effective to build commodity servers w/hundreds of GBs E.g. - cluster with 100 machines can hold tens of TBs of main
More information6.858 Lecture 3. char *p = malloc(256); char *q = p + 256; char ch = *q; //Does this raise an exception? //Hint: How big is the baggy bound for p?
Baggy bounds continued: Example code (assume that slot_size=16) 6.858 Lecture 3 char *p = malloc(44); //Note that the nearest power of 2 (i.e., //64 bytes) are allocated. So, there are //64/(slot_size)
More informationMWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents
Contents MWR InfoSecurity Security Advisory IBM Lotus Domino Accept- Language Stack Overflow 20 th May 2008 2008-05-20 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationWedge: Splitting Applications into Reduced-Privilege Compartments
Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationarxiv: v1 [cs.cr] 3 Jan 2018
Meltdown arxiv:1801.01207v1 [cs.cr] 3 Jan 2018 Abstract Moritz Lipp 1, Michael Schwarz 1, Daniel Gruss 1, Thomas Prescher 2, Werner Haas 2, Stefan Mangard 1, Paul Kocher 3, Daniel Genkin 4, Yuval Yarom
More informationMultithreaded Processors. Department of Electrical Engineering Stanford University
Lecture 12: Multithreaded Processors Department of Electrical Engineering Stanford University http://eeclass.stanford.edu/ee382a Lecture 12-1 The Big Picture Previous lectures: Core design for single-thread
More informationBack To The Future: A Radical Insecure Design of KVM on ARM
Back To The Future: A Radical Insecure Design of KVM on ARM Abstract In ARM, there are certain instructions that generate exceptions. Such instructions are typically executed to request a service from
More informationComputer Systems Architecture
Computer Systems Architecture Lecture 12 Mahadevan Gomathisankaran March 4, 2010 03/04/2010 Lecture 12 CSCE 4610/5610 1 Discussion: Assignment 2 03/04/2010 Lecture 12 CSCE 4610/5610 2 Increasing Fetch
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationTruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices
TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices Ning Zhang, Kun Sun, Deborah Shands Wenjing Lou, Y. Thomas Hou Virginia Polytechnic Institute and State University, VA
More informationCOMPUTER ORGANIZATION AND DESI
COMPUTER ORGANIZATION AND DESIGN 5 Edition th The Hardware/Software Interface Chapter 4 The Processor 4.1 Introduction Introduction CPU performance factors Instruction count Determined by ISA and compiler
More informationExploiting Branch Target Injection. Jann Horn, Google Project Zero
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I
More informationENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks
ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow
More informationSOLUTION. Midterm #1 February 26th, 2018 Professor Krste Asanovic Name:
SOLUTION Notes: CS 152 Computer Architecture and Engineering CS 252 Graduate Computer Architecture Midterm #1 February 26th, 2018 Professor Krste Asanovic Name: I am taking CS152 / CS252 This is a closed
More informationIntroduction to Operating Systems. Chapter Chapter
Introduction to Operating Systems Chapter 1 1.3 Chapter 1.5 1.9 Learning Outcomes High-level understand what is an operating system and the role it plays A high-level understanding of the structure of
More information