Control Flow Integrity for COTS Binaries Report
Control Flow Integrity for COTS Binaries, Zhang and Sekar (2013)
Report, January 2, 2015

Partners: Evangelos Ladakis, Michalis Diamantaris, Giorgos Tsirantonakis, Dimitris Kiosterakis
Instructor: Elias Athanasopoulos

1 Introduction

One of the most powerful defence techniques against control flow hijacking is Control Flow Integrity (CFI). The first proposal of CFI was made by Abadi et al. in 2005. It explores the Control Flow Graph (CFG) of a program and prevents indirect control flow transfers from reaching targets that violate the CFG that was produced. This is achieved by adding labels at the targets and checking for these labels before every indirect control flow instruction. The main difference of this work from the original CFI work of Abadi is that the analysis and the instrumentation are based on the binary itself instead of the source code. Therefore, with the proposed technique CFI can be applied to Commercial Off The Shelf (COTS) binaries.

2 Static Analysis

In order to apply the CFI technique, we first have to disassemble the binary in order to obtain the complete assembly code. The x86 is based on RISC architecture and therefore has a big instruction set, which makes almost every byte a possible opcode. Also, instruction sizes vary and instructions are not aligned on 4 bytes: an x86 instruction can be from 1 to 15 bytes long. Furthermore, compilers often emit data inside the text section between functions for alignment, so linear disassembly can wrongly translate data into code. For these reasons, disassembling an x86 binary is not an easy task.

In this paper they propose a technique to find the gaps between functions. In the first step they disassemble the whole binary linearly and record the errors. Bytes that do not correspond to any opcode are considered errors. Errors are also
instructions that overlap with the targets of control flow instructions; the erroneous one is either the control flow instruction or the target. Finding more errors nearby makes us more confident in deciding which instruction is the erroneous one. Also, control flow instructions whose target falls outside the text section are considered errors. After recognising an error, which signifies a gap between functions, we need to identify the beginning and the end of the gap. To find the beginning of the gap we go backwards from the error until the first unconditional control flow instruction. The end of the gap is the control flow target closest to the error instruction. After identifying the gaps we re-disassemble the binary while avoiding the gaps; if more errors occur we repeat the procedure.

Code Pointer Constants
In order to fix the assembly and construct the Control Flow Graph we need all the code pointers. Code pointers live inside the data section. To find them we parse the data and code segments with a 4-byte window and for each value we examine whether it falls inside the text section and whether it points to a valid instruction boundary. If both conditions are satisfied we can assume that it is a valid target.

Computed Code Pointers
These pointers are mostly used in switch-case tables. They use a base pointer to which some arithmetic operations are applied in order to compute the final target. Because these targets are computed at run time we cannot be sure what the targets will be, so a fixed-size window of 50 instructions is used as the set of possible targets.

Exported Symbols
Exported symbols are the entry points of the exported functions of a library that other programs may use. These pointers can be used for identifying functions inside the library and also for constructing the CFG.

Interrupt Handlers
The interrupt handler pointers can be found in the headers of the ELF format.
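Returning to the Code Pointer Constants and Computed Code Pointers subsections above, the following is an added illustration (not code from the paper or from the authors' tool) of the 4-byte sliding-window scan and the fixed 50-instruction window. The text section, its instruction boundaries and the data bytes are all constructed here; a real run would take the boundaries from the linear disassembly described above.

```python
import struct

# Constructed example: a 32-bit x86 text section at TEXT_BASE whose instruction
# boundaries we pretend were produced by the linear disassembly (x86 instructions
# are 1 to 15 bytes long, so the boundaries are irregular and unaligned).
TEXT_BASE = 0x08048000
INSTRUCTION_LENGTHS = [1, 5, 2, 3, 1, 6, 2, 2, 5, 1, 4, 3, 1, 1, 5, 2, 3, 2, 4, 1]
INSTRUCTION_BOUNDARIES = []
_off = 0
for _len in INSTRUCTION_LENGTHS:
    INSTRUCTION_BOUNDARIES.append(TEXT_BASE + _off)
    _off += _len
TEXT_SIZE = _off                      # 54 bytes of constructed code
BOUNDARY_SET = frozenset(INSTRUCTION_BOUNDARIES)

# Constructed data section: one byte of padding so that nothing is 4-byte
# aligned, then four 32-bit constants and some trailing filler.
DATA_BASE = 0x08049000
DATA_BLOB = (
    b"\xff"
    + struct.pack("<I", TEXT_BASE + 8)    # valid: on an instruction boundary
    + struct.pack("<I", TEXT_BASE + 9)    # inside text but mid-instruction
    + struct.pack("<I", DATA_BASE + 0x100)  # points outside the text section
    + struct.pack("<I", TEXT_BASE + 11)   # valid: on an instruction boundary
    + b"\x00\x00\x00"
)


def is_code_pointer(value, text_base, text_size, boundaries):
    """A 4-byte value is a code pointer candidate only if it lands inside the
    text section and exactly on an instruction boundary."""
    return text_base <= value < text_base + text_size and value in boundaries


def scan_code_pointers(blob, blob_base, text_base, text_size, boundaries):
    """Slide a 4-byte window over `blob` one byte at a time (the scan must not
    assume alignment) and return (address_of_constant, target) pairs."""
    found = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)  # x86 is little-endian
        if is_code_pointer(value, text_base, text_size, boundaries):
            found.append((blob_base + off, value))
    return found


def computed_pointer_targets(base, boundaries, window=50):
    """For a computed pointer (e.g. a switch-table base) whose final target is
    only known at run time, allow the next `window` instruction boundaries
    starting at the base as the set of possible targets."""
    ordered = sorted(b for b in boundaries if b >= base)
    return ordered[:window]


if __name__ == "__main__":
    for where, target in scan_code_pointers(DATA_BLOB, DATA_BASE, TEXT_BASE,
                                            TEXT_SIZE, BOUNDARY_SET):
        print(f"code pointer constant at {where:#x} -> {target:#x}")
    print("computed-pointer window:",
          [hex(t) for t in computed_pointer_targets(TEXT_BASE + 30, BOUNDARY_SET, 3)])
```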
Interrupt handler pointers are also needed for completing the CFG.

Return Addresses
Return addresses are collected by the linear disassembly. They correspond to the instructions right after a call, and they are the targets used by the return instruction of the callee function.

3 Implementation

The implementation of this CFI targets 32-bit x86 processors running Linux. After disassembly, the resulting code is instrumented to enforce CFI. Instrumentation is performed on the assembly representation. This simplifies the implementation, since it does not need to be concerned with details such as encoding
and decoding of instructions. Moreover, it can use labels instead of addresses. In particular, for each instruction location A in the disassembler output of objdump, we associate a symbolic label L_A as follows:

    L_A: movl %ecx, %eax

These symbolic labels are used as targets of direct branch instructions, which means that the assembler will take care of fixing up the branch offsets. After rewriting, the instrumented assembly file is processed using the system assembler to produce an object file. We extract the code from this object file and then use the objcopy tool to inject it into the original ELF file. The final step prepares the ELF file produced by objcopy for execution. This step requires relocation actions on the newly added segment and updating the ELF header to set its entry point to the segment containing the instrumented code. The original code segments are made non-executable. For shared libraries, it is also necessary to update the dynamic symbol sections.

4 Instrumentation

Since the instrumented code resides in a different code segment, function pointer values, which typically appear in the code as constants, will have incorrect values. The typical way to deal with this uncertainty, employed in dynamic binary translation (DBT), is to wait until a value is used as the target of an ICF transfer. At that point, the target value is translated into the corresponding location in the instrumented code. This translation is performed using a table that consists of pairs of the form (original address, new address). At run time, addr_trans, a piece of trampoline code, performs the address translation. For each indirect branch, a check is performed against a table of (statically computed) valid targets.

Intra-module (indirect branch within the module): addr_trans performs an address range check to determine whether the target is within the current module. After the range check, addr_trans performs the address translation.
If no translation is found for the target address in the translation table, addr_trans raises an error and terminates the program.

Inter-module (indirect branch outside the module):
1st stage: A global translation table (GTT) is used to map an ICF target to the address of the translation routine in the target module (a shared library). This array is made read-only in order to protect it. If the entry in the GTT is not null, proceed to stage 2.
2nd stage: Perform a lookup in the destination module (the shared library) using the address translation table of that module, exactly as in the intra-module case.
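As an added model of the addr_trans logic just described (written for this report, not the paper's trampoline code), the following simulates the intra-module range check, the two-stage inter-module lookup through a read-only GTT, and the terminate-on-miss behaviour. Module names, address ranges and the (original, new) pairs are constructed; a target that is not in the static table, such as an address in the middle of an instruction, is rejected.

```python
from types import MappingProxyType


class CFIViolation(Exception):
    """Raised where the real addr_trans would set an error and terminate."""


class Module:
    """One loaded module (executable or shared library): its original code
    range and its statically computed (original address -> new address) table."""

    def __init__(self, name, lo, hi, translations):
        self.name, self.lo, self.hi = name, lo, hi
        # read-only view: the protected program must not be able to add entries
        self.table = MappingProxyType(dict(translations))

    def contains(self, addr):
        return self.lo <= addr < self.hi

    def translate(self, addr):
        """Intra-module lookup (also used as stage 2 of the inter-module path)."""
        try:
            return self.table[addr]
        except KeyError:
            raise CFIViolation(f"{self.name}: no translation for {addr:#x}")


def build_gtt(modules):
    """Global translation table: original address range -> module whose own
    translation routine handles it. An immutable tuple stands in for the
    read-only array of the paper."""
    return tuple((m.lo, m.hi, m) for m in modules)


def gtt_lookup(gtt, addr):
    for lo, hi, module in gtt:
        if lo <= addr < hi:
            return module
    return None  # null entry: the target is in no known module


def addr_trans(current, target, gtt):
    """Trampoline logic for an indirect control-flow transfer issued from
    `current` towards original address `target`; returns the new address."""
    if current.contains(target):            # intra-module: range check ...
        return current.translate(target)    # ... then table lookup
    dest = gtt_lookup(gtt, target)          # inter-module stage 1: GTT
    if dest is None:
        raise CFIViolation(f"{target:#x} is outside every known module")
    return dest.translate(target)           # stage 2: destination's table


def is_allowed(current, target, gtt):
    """Convenience wrapper: True if addr_trans would let the transfer proceed."""
    try:
        addr_trans(current, target, gtt)
        return True
    except CFIViolation:
        return False


# Constructed modules: a main executable and one shared library. Only the
# statically identified targets (function entries, return addresses) are listed.
MAIN = Module("main", 0x08048000, 0x08049000,
              {0x08048100: 0x08060100, 0x08048130: 0x08060140})
LIBC = Module("libc", 0xB7E00000, 0xB7F00000,
              {0xB7E01230: 0xB7F10230})
GTT = build_gtt([MAIN, LIBC])

if __name__ == "__main__":
    print(f"intra-module: {addr_trans(MAIN, 0x08048130, GTT):#x}")
    print(f"inter-module: {addr_trans(MAIN, 0xB7E01230, GTT):#x}")
    print("mid-instruction target allowed?", is_allowed(MAIN, 0x08048131, GTT))
```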
5 Basic Version of CFI

In this paper they name various forms of CFI and create a way to compare them. They call Abadi's CFI reloc CFI because it works with relocation information: indirect calls and jumps target the addresses provided by the relocation table, and returns target an address right after a call. This technique cannot work on COTS binaries in Unix-based systems because they do not carry relocation tables. So in this paper they use the static analysis described before and name the resulting policy strict CFI. They then implement the more relaxed bin CFI policy, compared with strict CFI, to deal with some issues.

6 bin CFI Policy

They use the same policy for returns and indirect jumps, because the compiler may translate a return into a pop and a jump. Also, they could not tell apart normal returns from returns used for stack unwinding, longjmp and thread context switches. They also use the same policy for PLT jumps (used for library calls) and indirect calls, because both of them call into binaries and libraries. Finally, they relax the policy and include code pointers, because when there are many implementations of a function a library will export a chooser function that selects which of the implementations will be used.

7 Average Indirect Target Reduction

$$\mathrm{AIR} = \frac{1}{n}\sum_{i=1}^{n}\left(1 - \frac{|T_i|}{S}\right) \qquad (1)$$

They introduce AIR (average indirect target reduction) as a way to compare different CFI implementations. i_1 ... i_n are all the possible ICF transfers inside a program and S is the number of targets a transfer can reach without CFI, i.e. the size of the binary. |T_i| is the number of targets the i-th transfer can still reach with CFI enabled. They also name bundle CFI the variant in which instructions are grouped into bundles and an ICF must target the beginning of a bundle. Instr CFI is the most basic version of CFI: it restricts ICFs to valid instruction boundaries and prevents jumps into the middle of an instruction.
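To make equation (1) concrete, here is an added example (not from the paper) that computes AIR for instr CFI, bundle CFI, strict CFI and bin CFI over one constructed program. The code size S, the instruction boundaries, the bundle size, the return-address and code-pointer sets and the list of transfers are all made up; the target sets assigned to strict CFI (returns only to return addresses, everything else only to code pointers) are an assumed simplification of the static analysis, while bin CFI follows the two shared policies of section 6.

```python
# Constructed model of one program. Each policy maps the kind of an ICF
# transfer to the set T_i of original addresses it is allowed to reach.
S = 1024                                             # size of the binary in bytes
INSTRUCTION_BOUNDARIES = frozenset(range(0, S, 4))   # constructed: 256 boundaries
BUNDLE_SIZE = 32
BUNDLE_STARTS = frozenset(range(0, S, BUNDLE_SIZE))  # 32 bundle beginnings
# constructed static-analysis results (all on instruction boundaries)
RETURN_ADDRESSES = frozenset({0x104, 0x120, 0x148, 0x170, 0x1A0, 0x1C4, 0x200, 0x240})
CODE_POINTERS = frozenset({0x100, 0x140, 0x180, 0x1C0, 0x210, 0x300})  # exported symbols + constants
# The ICF transfers i_1 ... i_n, identified by kind only (the site address does
# not enter the AIR formula).
TRANSFERS = ["ret", "ret", "ret", "ijmp", "ijmp", "icall", "icall", "plt"]


def instr_cfi(kind):
    """Any instruction boundary is a valid target."""
    return INSTRUCTION_BOUNDARIES


def bundle_cfi(kind):
    """Only the beginning of a bundle is a valid target."""
    return BUNDLE_STARTS


def strict_cfi(kind):
    """Assumed simplification of the static-analysis policy: returns go only
    to return addresses, other ICFs only to code pointers."""
    return RETURN_ADDRESSES if kind == "ret" else CODE_POINTERS


def bin_cfi(kind):
    """Section 6 policy: returns and indirect jumps share one relaxed target
    set (return addresses plus code pointers); indirect calls and PLT jumps
    share the code-pointer set."""
    if kind in ("ret", "ijmp"):
        return RETURN_ADDRESSES | CODE_POINTERS
    return CODE_POINTERS


def air(policy, transfers=TRANSFERS, size=S):
    """Equation (1): mean over all transfers of 1 - |T_i| / S."""
    n = len(transfers)
    return sum(1 - len(policy(kind)) / size for kind in transfers) / n


POLICIES = [("instr", instr_cfi), ("bundle", bundle_cfi),
            ("strict", strict_cfi), ("bin", bin_cfi)]


def compare(policies=POLICIES):
    """AIR per policy, so the cost of each relaxation can be read off directly."""
    return {name: air(policy) for name, policy in policies}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>6} CFI: AIR = {value:.5f}")
```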
They compared all the CFI variants mentioned using AIR and concluded that the loss between reloc CFI and strict CFI due to the static analysis is very small, and by comparing bin CFI with reloc CFI it is obvious that the cost of the relaxation policy is also very small.

8 Evaluation

For the evaluation, assembly code produced by recompiling some large programs (Firefox 5, GIMP-2.6, etc.) was compared with the disassembly and no error was found.
They also tested many real-world programs and ensured that they worked correctly. They used a tool, an ROP gadget generator/compiler that scans binaries to find useful gadgets for ROP attacks, and showed that CFI enforcement is effective, as it eliminates about 93% of the gadgets in the original program. In addition, the tool was able to find only a small variety of gadgets and was unable to build even a single exploit. The unoptimized version had a 27% CPU overhead, which they managed to bring down after some optimizations (branch, jump table, etc.) to 4%.

9 Conclusion

In conclusion, the bin CFI technique is robust against large and complex libraries and executables, effective against ROP/JOP gadgets and has good performance (see the optimization results above), although it does not support obfuscated binaries or run-time code generation, is implemented only for 32-bit Linux and tested only with the gcc and LLVM compilers, and cannot defeat all return-to-libc attacks.

References

Zhang, M. and Sekar, R. (2013). Control flow integrity for COTS binaries. In 22nd USENIX Security Symposium (USENIX Security 13), pages , Washington, D.C. USENIX.
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationSystem V Application Binary Interface Linux Extensions Version 0.1
System V Application Binary Interface Linux Extensions Version 0.1 Edited by H.J. Lu 1 November 28, 2018 1 hongjiu.lu@intel.com Contents 1 About this Document 4 1.1 Related Information.........................
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationPractical Control Flow Integrity & Randomization for Binary Executables
2013 IEEE Symposium on Security and Privacy Practical Control Flow Integrity & Randomization for Binary Executables Chao Zhang 1, Tao Wei 1,2, Zhaofeng Chen 1, Lei Duan 1, László Szekeres 2,3+, Stephen
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationMechanisms and constructs for System Virtualization
Mechanisms and constructs for System Virtualization Content Outline Design goals for virtualization General Constructs for virtualization Virtualization for: System VMs Process VMs Prevalent trends: Pros
More informationStitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. Accepted at USENIX Security 2014
Technical Report Nr. TUD-CS-2014-0800 May 8, 2014 Latest Revision: August 26, 2014 Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection Accepted at USENIX Security
More informationA survey of Hardware-based Control Flow Integrity (CFI)
A survey of Hardware-based Control Flow Integrity (CFI) RUAN DE CLERCQ and INGRID VERBAUWHEDE, KU Leuven Control Flow Integrity (CFI) is a computer security technique that detects runtime attacks by monitoring
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationCPU Structure and Function
CPU Structure and Function Chapter 12 Lesson 17 Slide 1/36 Processor Organization CPU must: Fetch instructions Interpret instructions Fetch data Process data Write data Lesson 17 Slide 2/36 CPU With Systems
More informationInstruction Set Principles and Examples. Appendix B
Instruction Set Principles and Examples Appendix B Outline What is Instruction Set Architecture? Classifying ISA Elements of ISA Programming Registers Type and Size of Operands Addressing Modes Types of
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationAn Assembler for the MSSP Distiller Eric Zimmerman University of Illinois, Urbana Champaign
An Assembler for the MSSP Distiller Eric Zimmerman University of Illinois, Urbana Champaign Abstract It is important to have a means of manually testing a potential optimization before laboring to fully
More information