Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
|
|
- Stephen Wiggins
- 6 years ago
- Views:
Transcription
1 CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29
2 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker gets control of program flow (urn address) Stack (buffer), heap, format string vulnerability Second -- attacker uses control of program flow to launch attacks Code injection Defense: NX, W (xor) X urn-to-libc Defense: remove unwanted functions (e.g., system) How to overcome these limitations??? Return-oriented programming 30
3 Return-Oriented Programming Arbitrary exploitation without code injection or whole-function reuse (urn-to-libc) 31
4 Return-Oriented Programming 32
5 ROP Thesis 33
6 Return-to-libc 34
7 ROP vs urn-to-libc 35
8 ROP Attacks 36
9 Machine Instructions 37
10 ROP Execution 38
11 Building ROP Functionality 39
12 Building ROP Functionality 40
13 Building ROP Functionality 41
14 Creating Programs 42
15 Finding Gadgets 43
16 ROP Conclusions 44
17 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x jump G3... Memory 0x $= Return Address buf
18 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x jump G3... Memory 0x $= Return Address buf
19 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) Registers %eax$= %ebx$= G1 5 jmp G2 0x jump G3... Memory 0x $= Return Address buf
20 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5... Memory 0x $=
21 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5... Memory 0x $=
22 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5 0x Memory 0x $=
23 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf Registers %eax$= %ebx$= 5 0x Memory 0x $=
24 ROP$Example Use$ESP$as$program$counter E.g.,$Store$5$at$address$0x $(without$introducing$ new$code) Code Stack pop$%eax pop$%eax movl$%eax,$(%ebx) G1 5 jmp G2 0x jump G3 Return Address buf... Registers Memory %eax$= 5 0x $= 5 %ebx$= 0x
25 Advanced Defenses Control-flow attack defenses operate at two stages Prevent attacker from getting control StackGuard, heap sanity checks, ASLR, shadow stacks,... Prevent attacker from using control for malice NX, W (xor) X, ASLR, Control Flow Integrity (CFI),... For maximum security, a system should use a combination of these defenses Q. Is subverting control-flow the only goal of an attacker? 47
26 Control-Flow Integrity Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow sequences Build a model from source code that describes control flow E.g., control-flow graph Enforce the model on program execution Instrument control-flow code Jumps, calls, urns,... Challenges Building accurate model Efficient enforcement 48
27 Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 49
28 Our Mechanism F A F B nop IMM 1 if(*fp!= nop IMM 1 ) halt call fp nop IMM 2 if(**esp!= nop IMM 2 ) halt urn CFG excerpt NB: Need to ensure bit patterns for nops appear nowhere else in code memory A call A call+1 50 B 1 B
29 More Complex CFGs Maybe statically all we know is that F A can call any int int function F A CFG excerpt A call B 1 C 1 F B succ(a call ) = {B 1, C 1 } if(*fp!= nop IMM 1 ) halt call fp nop IMM 1 F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 51
30 Imprecise Return Information F A call F B nop IMM 2 Q: What if F B can urn to many functions? A: Imprecise CFG F B CFG excerpt A call+1 D B call+1 succ(b ) = {A call+1, D call+1 } F D call F B nop IMM 2 if(**esp!= nop IMM 2 ) halt urn CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). 52
31 No Zig-Zag Imprecision Solution I: Allow the imprecision CFG excerpt A call B 1 Solution II: Duplicate code to remove zig-zags CFG excerpt A call B 1 C 1 C 1A E call E call C 1E 53
32 More Challenges Returns used as jumps E.g., signal handling Exceptions Runtime generation of indirect jumps E.g., dynamic shared libraries Indirect jumps using arithmetic operators E.g., assembly Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 54
33 ASLR For control-flow attacks, attacker needs absolute addresses Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program Attacker cannot predict absolute addresses Heap, stack, data, text, mmap,...????????? Stack Heap Data??? Text 55
34 ASLR Implementations Linux Introduced in Linux (June 2005) Shacham et al. [2004]:16 bits of randomization defeated by a (remote) brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used Windows Only few programs in Linux use PIE Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] Introduced from Vista onwards (Jan 2007) Reality: Only few programs opt in for ASLR E.g., Oracle s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or one of their libraries) are not marked ASLR-compatible ASLR can be bypassed by information leaks about memory layout E.g., format string vulnerabilities 56
35 Conclusion Defense against control-flow and data attacks is an ongoing arms race Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers However, they have implementation limitations Active area of research 57
Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationAdvanced Systems Security: Control-Flow Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationCMPSC 497 Execution Integrity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Execution Integrity
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationStephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA
Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy ACM CCS 2010, Chicago, USA Ad hoc defense against code injection: W X DEP Code injection unnecessary
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationVulnerability Analysis I:
Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationSecuring Untrusted Code
Securing Untrusted Code Untrusted Code May be untrustworthy Intended to be benign, but may be full of vulnerabilities These vulnerabilities may be exploited by attackers (or other malicious processes)
More informationMitigating Code-Reuse Attacks with. Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011
Mitigating Code-Reuse Attacks with Control-Flow Locking Tyler Bletsch, Xuxian Jiang, Vince Freeh Dec. 9, 2011 Introduction Computer systems run complicated software, which is vulnerable We keep finding
More informationRuntime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include
2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationSoftware Security: Buffer Overflow Defenses and Miscellaneous
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses and Miscellaneous Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationInline Reference Monitoring Techniques
Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationCODE reuse attacks (CRAs) emerged as a powerful attack, HCIC: Hardware-assisted Control-flow Integrity Checking
This article has been accepted for publication in a future issue of this journal, but has not been fully edited Content may change prior to final publication Citation information: DOI 101109/JIOT20182866164,
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationExploit Mitigation - PIE
Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity Reza Mirzazade farkhani, Saman Jafari, Sajjad Arshad, William Robertson, Engin Kirda, Hamed Okhravi DISTRIBUTION STATEMENT A. Approved for public
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationControl Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University
Control Flow Integrity & Software Fault Isolation David Brumley Carnegie Mellon University Our story so far Unauthorized Control Information Tampering http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html
More informationCS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan
CS 6V81-05 Control-Flow Integrity Principles, Implementations, and Applications Sureshbabu Murugesan Department of Computer Science University of Texas at Dallas February 29 th, 2012 Outline 1 Overview
More informationMidterm 1 Review. Memory Safety & Web Attacks
Midterm 1 Review Memory Safety & Web Attacks What s on the midterm? Lecture material through Feb 9 Lecture notes ("Notes on..." on the course site) Section material, per "Handout w/ solutions" Concepts
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationControl Flow Integrity
Control Flow Integrity Outline CFI Control Flow Integrity at Source Code Level BinCFI CFI for Binary Executables BinCC Binary Code Continent vfguard CFI Policy for Virtual Function Calls 1 M. Abadi, M.
More informationDefeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)
Defeating Code Reuse Attacks with Minimal Tagged Architecture by Samuel Fingeret B.S., Massachusetts Institute of Technology (2014) Submitted to the Department of Electrical Engineering and Computer Science
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationPractical and Efficient Exploit Mitigation for Embedded Devices
Practical and Efficient Exploit Mitigation for Embedded Devices Matthias Neugschwandtner IBM Research, Zurich Collin Mulliner Northeastern University, Boston Qualcomm Mobile Security Summit 2015 1 Embedded
More informationDefending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 4: Exploit Defenses Stuart Staniford Adjunct Professor of Computer Science Logis;cs Course is now official Expect an email from Stephanie Meik with your PIN Need to
More informationCSE Spring Assignment 3: Return-oriented Programming
CSE 543 - Spring 2015 - Assignment 3: Return-oriented Programming 1 Dates Out: March 26, 2015 Due: April 22, 2015 2 Introduction In this assignment, you will produce return-oriented programming (ROP) attacks.
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationReturn-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim Page 1 Motivation (1) Operating systems separate system
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationDefense against Code-injection, and Code-reuse Attack
Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationControl Flow Integrity for COTS Binaries Report
Control Flow Integrity for COTS Binaries Report Zhang and Sekar (2013) January 2, 2015 Partners: Instructor: Evangelos Ladakis Michalis Diamantaris Giorgos Tsirantonakis Dimitris Kiosterakis Elias Athanasopoulos
More informationStatic Analysis. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationThis exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.
Computer Science 5271 Fall 2015 Midterm exam October 19th, 2015 Time Limit: 75 minutes, 4:00pm-5:15pm This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start,
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationJust-in-Time Code Reuse
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationLow Level Software Security: Attacks and Defenses; Control Flow Integrity. System Security Seminar Presenter: Cătălin Hrițcu
Low Level Software Security: Attacks and Defenses; Control Flow Integrity System Security Seminar Presenter: Cătălin Hrițcu References Low Level Software Security: Attacks and Defenses, by Úlfar Erlingsson
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 5 Low Level Software Security III: Integers, ROP, & CFI Integer Arithmetic in C Quiz time! What does this code produce? 100 200 300 100 200
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks
ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy ABSTRACT System Security Lab Technische Universität Darmstadt Darmstadt,
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationCMPSC 497: Midterm Review
CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Midterm Format True/False
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationBypassing SEHOP. Stéfan Le Berre Damien Cauquil
Bypassing SEHOP Stéfan Le Berre s.leberre@sysdream.com Damien Cauquil d.cauquil@sysdream.com Table of contents 0. Introduction...3 1. SEHOP specifications (short version)...3 2. Dealing with SEHOP when
More information