Undermining Information Hiding (And What to do About it)
|
|
- David Bailey
- 6 years ago
- Views:
Transcription
1 Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos
2 Overview Mitigating code-reuse attacks Hiding code pointers in sensitive regions (information hiding) Sensitive region per thread Thread Spraying Reveal SafeStack (LLVM) in seconds Authenticating Page Mapper: harden information hiding 2
3 0x ROP attack HEAP = dynamic data STACK = program code execution context (contains code pointers) CODE DATA HEAP STACK 0xFF..FF 3
4 0x ROP attack HEAP = dynamic data STACK = program code execution context (contains code pointers) CODE DATA Inject FAKE STACK through normal data input HEAP FAKE STACK STACK 0xFF..FF 4
5 0x ROP attack HEAP = dynamic data STACK = program code execution context (contains code pointers) CODE DATA Inject FAKE STACK through normal data input Hijack control flow trough mem. vuln. RSP HEAP FAKE STACK STACK 0xFF..FF 5
6 0x ROP attack HEAP = dynamic data STACK = program code execution context (contains code pointers) CODE DATA Inject FAKE STACK through normal data input Hijack control flow trough mem. vuln. How does the attacker get to know the code pointers? RSP HEAP FAKE STACK STACK 0xFF..FF 6
7 0x ROP attack HEAP = dynamic data STACK = program code execution context (contains code pointers) CODE DATA Inject FAKE STACK through normal data input Hijack control flow trough mem. vuln. How does the attacker get to know the code pointers? - Fingerprint app version RSP HEAP STACK FAKE STACK 0xFF..FF 7
8 Protect code pointers Random address Address Space Layout Randomization Leak pointer to CODE or DATA CODE DATA 8
9 Protect code pointers Random address Address Space Layout Randomization Leak pointer to CODE or DATA CODE DATA Function / Instruction Level Randomization JIT-ROP Random address CODE DATA 9
10 Protect code pointers Random address Address Space Layout Randomization Leak pointer to CODE or DATA CODE DATA Function / Instruction Level Randomization JIT-ROP Isolate code pointers to a safe area Hardware Segmentation Software-Fault Isolation Information Hiding Random address Random address CODE DATA CODE DATA 10
11 Isolating code pointers ASLR-Guard and Code Pointer Integrity Two types of safe areas Safe Stack : code pointers located on the stack (like return addresses) Safe Region : all other code pointers (like function addresses) Safe Stack is in production compiler LLVM Our focus 11
12 Information Hiding Preferred model because Hardware Segmentation not available on 64 bit Information Hiding lower perf. overhead than Software-Fault Isolation Information Hiding idea: Separate Code Pointers to safe area Assumes no pointers to safe area Assumes high entropy of safe area See paper Our focus 12
13 Entropy Sens. data: 2 bytes (2 1 ) 000 Degree of randomness Given in bits Example: 3 bit address space 8 blocks of 1 byte Entropy: bits Hide sensitive data Hit chance: 1 = Worst case #probes : 2 2 = 4 13
14 Entropy Sens. data: 2 bytes 4 bytes (2 1 ) (2 2 ) 000 Degree of randomness Given in bits Example: 3 bit address space 8 blocks of 1 byte Entropy: bits 1 bit Hide sensitive data Hit chance: 1 = = Worst case #probes : 2 2 = = 2 14
15 Hide: 1 byte 64 bit address space Entropy: 64 bits 15
16 Hide: 1 byte 64 bit address space Linux user space only uses 47 bit Entropy: 47 bits 16
17 Hide: 4096 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Entropy: 35 bits 17
18 Hide: 2 23 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Entropy: 24 bits 18
19 Hide: 2 23 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Thread Spraying Legitimately spawn as many threads as possible Entropy: 24 bits 19
20 Hide: 2 24 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Thread Spraying Legitimately spawn as many threads as possible Spawn a new thread Entropy: 23 bits 20
21 Hide: 2 25 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Thread Spraying Legitimately spawn as many threads as possible Spawn a new thread Spawn 2 more threads Entropy: 22 bits 21
22 Hide: 2 40 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Thread Spraying Legitimately spawn as many threads as possible Spawn a new thread Spawn 2 more threads Spawn 128k threads = 2 17 stacks Entropy: 7 bits 22
23 Hide: 2 40 bytes 64 bit address space Linux user space only uses 47 bit 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Thread Spraying Legitimately spawn as many threads as possible Spawn a new thread Spawn 2 more threads Spawn 128k threads = 2 17 stacks Drops worst case #probes to 128 Entropy: 7 bits 23
24 Hide: 2 40 bytes 64 bit address space Linux user space only uses 47 bit Mmap entropy is 40 bit => worst case #probes is 1 (2 0 ) 1 page: 4096 bytes = 2 12 bytes Safe Stack of 8 MB = 2 23 bytes = 2 11 pages Thread Spraying Legitimately spawn as many threads as possible Spawn a new thread Spawn 2 more threads Spawn 128k threads = 2 17 stacks Drops worst case #probes to 128 Entropy: 7 bits 24
25 Thread Spraying Firefox: unbounded JS web worker threads Chrome: about 250 JS web workers threads MySQL: about 1000 connection threads 25
26 Thread Spraying Firefox: unbounded JS web worker threads Chrome: about 250 JS web workers threads MySQL: about 1000 connection threads FF is going to look at it and put a limit 26
27 Thread Spraying Firefox: unbounded JS web worker threads Chrome: about 250 JS web workers threads MySQL: about 1000 connection threads FF is going to look at it and put a limit Proof-of-Concept in Firefox: Spawn 2k threads Crash-less memory probing Find safe stack < 3 seconds 27
28 Authenticating Page Mapper Based on observations: Active stack space is smaller than its actual size Well defined access pattern Authenticates first access to registered pages Installs user-level page-fault handler 28
29 Authenticating Page Mapper Stack (8MB) low addr Inactive RSP stack_base Active high addr 29
30 Authenticating Page Mapper Stack (8MB) low addr sub 0x80, %rsp Inactive RSP stack_base Active high addr 30
31 Authenticating Page Mapper Stack (8MB) low addr sub 0x80, %rsp mov 0x1000, (%rsp) Inactive RSP stack_base Active high addr 31
32 Authenticating Page Mapper Stack (8MB) low addr sub 0x80, %rsp mov 0x1000, (%rsp) Inactive RSP stack_base Active high addr page-fault handler checks: RSP <= page-fault addr < stack_base 32
33 Authenticating Page Mapper Stack (8MB) low addr sub 0x80, %rsp mov 0x1000, (%rsp) Inactive RSP Active stack_base high addr page-fault handler checks: RSP <= page-fault addr < stack_base OK 33
34 Authenticating Page Mapper sub 0x80, %rsp mov 0x1000, (%rsp) probe Stack (8MB) Inactive low addr RSP Active stack_base high addr page-fault handler checks: RSP <= page-fault addr < stack_base 34
35 Authenticating Page Mapper sub 0x80, %rsp mov 0x1000, (%rsp) probe Stack (8MB) Inactive low addr RSP Active stack_base high addr page-fault handler checks: RSP <= page-fault addr < stack_base NOT OK 35
36 Authenticating Page Mapper Attacker can follow pointers and get to the base, or get to active region by probing from the high addr Stack (8MB) Inactive low addr RSP stack_base Active high addr 36
37 Authenticating Page Mapper Attacker can follow pointers and get to the base, or get to active region by probing from the high addr => Inflate stack and move stack into inflated area Stack (8MB) Inactive low addr RSP stack_base Active high addr 37
38 Authenticating Page Mapper Attacker can follow pointers and get to the base, or get to active region by probing from the high addr => Inflate stack and move stack into inflated area RSP Stack (80MB) Trap Inactive Active low addr Trap stack_base high addr 38
39 Authenticating Page Mapper Attacker can follow pointers and get to the base, or get to active region by probing from the high addr => Inflate stack and move stack into inflated area Stack (80MB) Trap Inactive low addr => Check remains the same => Trap has different handler and access is never allowed RSP Active Trap stack_base high addr 39
40 Authenticating Page Mapper Attacker can follow pointers and get to the base, or get to active region by probing from the high addr => Inflate stack and move stack into inflated area Stack (80MB) Trap Inactive low addr => Check remains the same => Trap has different handler and access is never allowed RSP Active => Increases detection rate Trap stack_base high addr 40
41 Overhead APM Ran SPEC CPU Safe Stack without and with APM 0.0% overhead* Ran browser benchmarks in Chrome and Firefox without and with APM Chrome: 0.0% overhead* Firefox: 0.5% overhead* * = geometric mean 41
42 Worst case Detection Guarantees with APM Assumes attacker fills up Active Mem Active mem == Stack Size Detection Guarantees = (1 Inflation factor Active Mem Stack Size inflation factor ) 100 Detection Guarantees 1x 0% Stack Trap Inactive Active 2x 50% 4x 75% 8x 87.5% Trap 10x 90% 42
43 APM limitations Stack Application implementation issues Pointer to active region of stack Determine active region through side channel attacks Trap Inactive Active Trap 43
44 Conclusion Demonstrated an efficient way to locate the Safe Stack through a new attack vector named Thread Spraying Stronger isolation techniques should be preferred over Information Hiding APM is a possible solution to harden Information Hiding until SFI is or can be widely deployed 44
PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES
PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationSubversive-C: Abusing and Protecting Dynamic Message Dispatch
Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationQPSI. Qualcomm Technologies Countermeasures Update
QPSI Qualcomm Technologies Countermeasures Update 1 Introduction Sometime back in 2010 Let s have exploit countermeasures on our products Why? Hard to fix all bugs. We might as well make them more fun
More informationHDFI: Hardware-Assisted Data-flow Isolation
HDFI: Hardware-Assisted Data-flow Isolation Presented by Ben Schreiber Chengyu Song 1, Hyungon Moon 2, Monjur Alam 1, Insu Yun 1, Byoungyoung Lee 1, Taesoo Kim 1, Wenke Lee 1, Yunheung Paek 2 1 Georgia
More informationarxiv: v1 [cs.cr] 25 Jun 2018
A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow Integrity arxiv:1806.09496v1 [cs.cr] 25 Jun 2018 ABSTRACT Philipp Zieris Fraunhofer AISEC philipp.zieris@aisec.fraunhofer.de Manipulations
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationCFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer
CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationOut Of Control: Overcoming Control-Flow Integrity
Out Of Control: Overcoming Control-Flow Integrity Enes Göktaş Vrije Universiteit Amsterdam, The Netherlands Email: enes.goktas@vu.nl Elias Athanasopoulos FORTH-ICS Heraklion, Crete, Greece Email: elathan@ics.forth.gr
More informationFingerprinting Information in JavaScript Implementations. Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham
Fingerprinting Information in JavaScript Implementations Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham Authentication Usernames and Passwords weakening Third-party data loss can compromise
More informationExploiting and Protecting Dynamic Code Generation
Exploiting and Protecting Dynamic Code Generation Chengyu Song Georgia Institute of Technology csong84@gatech.edu Chao Zhang UC Berkeley chaoz@berkeley.edu Tielei Wang, Wenke Lee Georgia Institute of Technology
More informationWhat Cannot be Read, Cannot be Leveraged?
What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany Overview Code Reuse Attacks/Defenses
More informationHideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities
HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities Jason Gionta, William Enck, Peng Ning 1 JIT-ROP 2 Two Attack Categories Injection Attacks Code Integrity Data
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationSecure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationBypassing Different Defense Schemes via Crash-Resistant Probing of Address Space
Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Görtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec
More informationASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks
ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks Kangjie Lu, Chengyu Song, Byoungyoung Lee, Simon P. Chung, Taesoo Kim, and Wenke Lee School of Computer Science, Georgia Institute of Technology
More informationDnmaloc: a more secure memory allocator
Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
More informationFrom Assembly to JavaScript and Back
From Assembly to JavaScript and Back Robert Gawlik Ruhr-University Bochum August 30th 2018 Singapore About me IT Security since 2010 PostDoc Systems Security Group @ Horst Görtz Institute / Ruhr-University
More informationControl Flow Integrity for COTS Binaries Report
Control Flow Integrity for COTS Binaries Report Zhang and Sekar (2013) January 2, 2015 Partners: Instructor: Evangelos Ladakis Michalis Diamantaris Giorgos Tsirantonakis Dimitris Kiosterakis Elias Athanasopoulos
More informationSandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018
Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!
More informationBypassing Mitigations by Attacking JIT Server in Microsoft Edge
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationShreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S
Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units
More informationDefeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)
Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science
More informationMemory Deduplication: The Curse that Keeps on Giving
Memory Deduplication: The Curse that Keeps on Giving Breaking ASLR Cross-process leak Cross-VM leak Side-channel Covert-channel Erik Bosman, Ben Gras, Kaveh Razavi Antonio Barresi Who we are Erik Bosman
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationDedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
2016 IEEE Symposium on Security and Privacy Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman Vrije Universiteit Amsterdam erik@minemu.org Kaveh Razavi Vrije Universiteit
More informationType Confusion: Discovery, Abuse, Protection. Mathias
Type Confusion: Discovery, Abuse, Protection Mathias Payer, @gannimo http://hexhive.github.io Type confusion leads to RCE Attack surface is huge Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: glibc: Linux
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationReversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.
Reversed Buffer Overflow Cross Stack Attacks Kris Kaspersky Endeavor Security, Inc. Who am I? journalist, reversing as a hobby; currently working for: XAKEP magazine (www.xakep.ru) Endeavor Security, Inc
More informationMissing the Point(er): On the Effectiveness of Code Pointer Integrity 1
2015 IEEE Symposium on Security and Privacy Missing the Point(er): On the Effectiveness of Code Pointer Integrity 1 Isaac Evans, Sam Fingeret, Julián González, Ulziibayar Otgonbaatar, Tiffany Tang, Howard
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security Discussion 2 January 30, 2013 Question 1 Buffer Overflow Mitigations (10 min) Buffer overflow mitigations generally fall into two categories: (i) eliminating
More informationEfficient Software Based Fault Isolation. Software Extensibility
Efficient Software Based Fault Isolation Robert Wahbe, Steven Lucco Thomas E. Anderson, Susan L. Graham Software Extensibility Operating Systems Kernel modules Device drivers Unix vnodes Application Software
More informationARMv8.3 Pointer Authentication
ARMv8.3 Pointer Authentication Mark Rutland Linux Security Summit September 14, 2017 ARM 2017 Background Memory protections are commonly deployed today... largely prevents code injection
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationInformation Leaks. Kyriakos Kyriakou
Information Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Just-in-time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationDongseok Jang Zachary Tatlock. UC San Diego Washington
Dongseok Jang Zachary Tatlock UC San Diego University of Washington Sorin Lerner UC San Diego e l b a r e n l Vu Control Flow Hijacking Lead Program to Jump to Unexpected Code That does what a7acker wants
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationThe benefits and costs of writing a POSIX kernel in a high-level language
1 / 38 The benefits and costs of writing a POSIX kernel in a high-level language Cody Cutler, M. Frans Kaashoek, Robert T. Morris MIT CSAIL Should we use high-level languages to build OS kernels? 2 / 38
More informationControl Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University
Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationShuffler: Fast and Deployable Continuous Code Re-Randomization
Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis,
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationProdDiagNode - Version: 1. Production Diagnostics for Node Applications
ProdDiagNode - Version: 1 Production Diagnostics for Node Applications Production Diagnostics for Node Applications ProdDiagNode - Version: 1 2 days Course Description: Node.js, the popular cross-platform
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationDetile: Fine-Grained Information Leak Detection in Script Engines
Detile: Fine-Grained Information Leak Detection in Script Engines Robert Gawlik, Philipp Koppe, Benjamin Kollenda, Andre Pawlowski, Behrad Garmany and Thorsten Holz Horst Görtz Institute for IT-Security
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationFraming Signals A Return to Portable Shellcode
Framing Signals A Return to Portable Shellcode Erik Bosman Vrije Universiteit Amsterdam erik@minemu.org Herbert Bos Vrije Universiteit Amsterdam herbertb@cs.vu.nl Abstract Signal handling has been an integral
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationComputer Science. ! Other approaches:! Special systems designed for extensibility
Application-Specific Service Technologies for Commodity OSes in Real-Time Environments Richard West and Gabriel Parmer Boston University Boston, MA {richwest,gabep1}@cs.bu.edu Introduction! Leverage commodity
More informationCS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017
CS 471 Operating Systems Yue Cheng George Mason University Fall 2017 Review: Segmentation 2 Virtual Memory Accesses o Approaches: Static Relocation Dynamic Relocation Base Base-and-Bounds Segmentation
More informationLeakage-Resilient Layout Randomization for Mobile Devices
Leakage-Resilient Layout Randomization for Mobile Devices Kjell Braden, Stephen Crane, Lucas Davi, Michael Franz Per Larsen, Christopher Liebchen, Ahmad-Reza Sadeghi, CASED/Technische Universität Darmstadt,
More informationMemory Allocator Security
Memory Allocator Security Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationAttacking Next- Generation Firewalls
Attacking Next- Generation Firewalls Breaking PAN-OS Felix Wilhelm #whoami Security Researcher @ ERNW Research Application and Virtualization Security Recent Research Hypervisors (Xen) Security Appliances
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationMarx Uncovering Class Hierarchies in C++ Programs
Marx Uncovering Class Hierarchies in C++ Programs NDSS 2017, San Diego Andre Pawlowski, Moritz Contag, Victor van der Veen, Chris Ouwehand, Thorsten Holz, Herbert Bos, Elias Anthonasopoulos, Cristiano
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationBack To The Epilogue
Back To The Epilogue How to Evade Windows' Control Flow Guard with Less than 16 Bytes Andrea Biondo * Prof. Mauro Conti Daniele Lain * SPRITZ Group University of Padua, IT GOALS - Return to function epilogue
More informationVirtual Memory. Today. Segmentation Paging A good, if common example
Virtual Memory Today Segmentation Paging A good, if common example Virtual memory system Goals Transparency Programs should not know that memory is virtualized; the OS +HW multiplex memory among processes
More informationSGXBounds Memory Safety for Shielded Execution
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,
More informationOutline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final
More informationChrome/OS Security 2014
Chrome/OS Security 2014 New and future hotness Sumit Gwalani (sumit@chromium.org) Senior Product Manager, Google What do we do? Member of Chrome Security Team Everything Chrome/Chromium: Chrome Browser
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationCSE 120 Principles of Operating Systems
CSE 120 Principles of Operating Systems Spring 2018 Lecture 10: Paging Geoffrey M. Voelker Lecture Overview Today we ll cover more paging mechanisms: Optimizations Managing page tables (space) Efficient
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationCS399 New Beginnings. Jonathan Walpole
CS399 New Beginnings Jonathan Walpole Memory Management Memory Management Memory a linear array of bytes - Holds O.S. and programs (processes) - Each cell (byte) is named by a unique memory address Recall,
More informationPatching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps
SESSION ID: EXP-R01 Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps James Lyne Global Head of Security Research Sophos / SANS Institute @jameslyne Stephen Sims Security Researcher
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAnalysis of Defenses Against Code Reuse Attacks on Modern and New Architectures. Isaac Noah Evans
Analysis of Defenses Against Code Reuse Attacks on Modern and New Architectures by Isaac Noah Evans Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationToday. Process Memory Layout. CSCI 4061 Introduction to Operating Systems. Where does the memory come from?
Today CSCI 4061 Introduction to Operating Systems OS Management Virtual Paging and Swapping Instructor: Abhishek Chandra 2 Process Layout Where does the memory come from? High Address Args, environment
More informationOverhead Evaluation about Kprobes and Djprobe (Direct Jump Probe)
Overhead Evaluation about Kprobes and Djprobe (Direct Jump Probe) Masami Hiramatsu Hitachi, Ltd., SDL Jul. 13. 25 1. Abstract To implement flight recorder system, the overhead
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More information