Memory Deduplication: The Curse that Keeps on Giving
|
|
- Amice Summers
- 5 years ago
- Views:
Transcription
1 Memory Deduplication: The Curse that Keeps on Giving Breaking ASLR Cross-process leak Cross-VM leak Side-channel Covert-channel Erik Bosman, Ben Gras, Kaveh Razavi Antonio Barresi
2 Who we are Erik PhD candidate at Antonio Co-founder of Research on building reliable and secure computing systems. Interested in software and systems security topics.
3 Acknowledgments Cristiano Giuffrida Herbert Bos Bart Preneel Mathias Payer Thomas R. Gross
4 Our message today
5 Lord of the Rings: The Fellowship of the Ring, 2001, New Line Cinema
6 Outline
7 > Memory deduplication Outline
8 > Memory deduplication > Side-channel Outline
9
10 CAIN
11 CAIN Cross-VM leak, break ASLR Memory deduplication
12 Dedup Est Machina
13 Dedup Est Machina Intra-process read + write (Browser + JS) Memory deduplication + Rowhammer
14 Flip- Feng Shui
15 Flip- Feng Shui Cross-VM leak + write, system compromise Memory deduplication + Rowhammer
16 Outline > Memory deduplication > Side-channel > CAIN attack (2015) > Dedup Est Machina (2016) > Flip-Feng Shui (2016)
17 Outline > Memory deduplication > Side-channel > CAIN attack (2015) > Dedup Est Machina (2016) > Flip-Feng Shui (2016) > Conclusion
18 Memory deduplication
19 Memory deduplication A method of reducing memory usage.
20 Memory deduplication A method of reducing memory usage. Used in virtualization environments,
21 Memory deduplication A method of reducing memory usage. Used in virtualization environments, (was) also enabled by default on Windows 8.1 and 10.
22 Memory deduplication In virtualized environments it allows to reclaim memory and supports overcommitment of memory.
23 Memory deduplication In virtualized environments it allows to reclaim memory and supports overcommitment of memory. = run more VMs
24 Now we can sell even more VMs $$$ Austin Powers: International Man of Mistery, 1997, New Line Cinema
25 Memory deduplication physical memory virtual machine A virtual machine B
26 Memory deduplication physical memory virtual machine A virtual machine B
27 Memory deduplication physical memory virtual machine A virtual machine B
28 Memory deduplication physical memory virtual machine A virtual machine B
29 Memory deduplication physical memory virtual machine A virtual machine B
30 Memory deduplication physical memory virtual machine A * * * * * * * * * * * * * * * * * * virtual machine B * * * * * * * * *
31 Kernel Same-page Merging (KSM) > Enabled by default for KVM (Ubuntu Server) > Out-of-band Content Based Page Sharing (CBPS)
32 Kernel Same-page Merging (KSM) > Enabled by default for KVM (Ubuntu Server) > Out-of-band Content Based Page Sharing (CBPS) /sys/kernel/mm/ksm/run 1 or 0 /sys/kernel/mm/ksm/sleep_millisecs e.g., 200 ms /sys/kernel/mm/ksm/pages_to_scan e.g., /sleep_millisecs * pages_to_scan = pages per second e.g., (1000/200ms) * 100 = 500 pages/sec
33 Memory deduplication: The Problem Deduplicated memory does not need to have the same security domain. (unlike fork(), file-backed memory) An attacker can use deduplication as a side-channel.
34 Deduplication side-channel attack normal write
35 Deduplication side-channel attack normal write write
36 Deduplication side-channel attack normal write write copy on write (due to deduplication) *
37 Deduplication side-channel attack normal write write copy on write (due to deduplication) * trap
38 Deduplication side-channel attack normal write write copy on write (due to deduplication) * copy trap whole page
39 Deduplication side-channel attack normal write write copy on write (due to deduplication) * copy update trap whole page page tables
40 Deduplication side-channel attack normal write write copy on write (due to deduplication) * trap copy whole page update page tables resume process
41 Deduplication side-channel attack normal write write copy on write (due to deduplication) * copy update trap whole page resume process write page tables
42 Deduplication side-channel attack A 1-bit side channel which is able to leak data across security boundaries
43 Deduplication side-channel attack A 1-bit side channel which is able to leak data across security boundaries > Cross-VM
44 Deduplication side-channel attack A 1-bit side channel which is able to leak data across security boundaries > Cross-VM > Cross-process
45 Deduplication side-channel attack A 1-bit side channel which is able to leak data across security boundaries > Cross-VM > Cross-process > Intra-process, leak process data from JavaScript
46 Exploitation of the side-channel
47 Exploitation of the side-channel attacker memory victim memory
48 Exploitation of the side-channel secret page attacker memory victim memory
49 Exploitation of the side-channel guess page? secret page attacker memory victim memory
50 Exploitation of the side-channel guess page secret page attacker memory victim memory
51 Exploitation of the side-channel wait(t) secret page attacker memory victim memory
52 Exploitation of the side-channel? write secret page attacker memory victim memory
53 Exploitation of the side-channel write time > threshold secret page attacker memory victim memory
54 Exploitation of the side-channel write time > threshold secret page attacker memory victim memory
55 Exploitation of the side-channel write time threshold secret page attacker memory victim memory
56 Exploitation of the side-channel write time threshold secret page attacker memory victim memory
57 Exploitation of the side-channel write time threshold secret page attacker memory victim memory
58 CAIN Dedup Est Machina Flip- Feng Shui
59 CAIN: Cross-VM Address Space Layout Introspection Deduplication (software side-channel)
60 CAIN: Cross-VM Address Space Layout Introspection Deduplication (software side-channel) Cross-VM leak / ASLR bypass CVE / VU# (
61 CAIN
62 CAIN > Page contents to leak ASLR? Secret page?
63 CAIN > Page contents to leak ASLR? Secret page? > How long to wait?
64 CAIN > Page contents to leak ASLR? Secret page? > How long to wait? > How to detect a merged page? Noise?
65 Suitable pages to break ASLR Suitable page to break ASLR Page aligned > Mostly static > Read-only in victim VM > Known to exist
66 Suitable pages to break ASLR 0x7f9ffaa0000 Page aligned Known offset within the page Contains base address of an executable image
67 Suitable pages to break ASLR 0x7f9ffaabeef Page aligned 0x7f9ffaa0000 0x7f9ffaa0123 Known offsets within the page Contains values derived from the base address of an executable image
68 Suitable page under Windows
69 Guessing the right address > Well you still have to guess
70 Guessing the right address > Well you still have to guess > 2 19 base addresses for Windows x64
71 Guessing the right address > Well you still have to guess > 2 19 base addresses for Windows x64 > guesses
72 Guessing the right address > Well you still have to guess > 2 19 base addresses for Windows x64 > guesses > One guess requires 1 page of memory
73 Based on
74 Guessing the right address > Attacker VM has much more memory
75 Guessing the right address > Attacker VM has much more memory > Fill up memory with all guesses
76 Guessing the right address > Attacker VM has much more memory > Fill up memory with all guesses > 2 19 * 1 page of 4 KB = 2 GB
77 Brute-force all addresses <Page with RBA guess> 0x7f9ffa x7f9ffa x7f9ffa x7f9ffaa0000 0x7f9ffab0000 0x7f9ffac0000 0x7f9ffad
78 Brute-force all addresses <Page with RBA guess> 0x7f9ffa x7f9ffa x7f9ffa x7f9ffaa0000 0x7f9ffab0000 0x7f9ffac0000 0x7f9ffad detect_shared_pages() 0x7f9ffaa0000
79 Wait for how long?
80 Wait for how long? > Depends on the memory deduplication implementation
81 Wait for how long? > Depends on the memory deduplication implementation > Varies depending on amount of memory used
82 Wait for how long? > Depends on the memory deduplication implementation > Varies depending on amount of memory used > Attacker trade-off > Waiting too little obstructs the attack > Waiting too long increases attack time
83 Adaptive sleep-time detection > Try to automatically detect sleep time
84 Adaptive sleep-time detection > Try to automatically detect sleep time
85 Adaptive sleep-time detection > Try to automatically detect sleep time > After buffer creation, wait e.g. t = 10min
86 Adaptive sleep-time detection > Try to automatically detect sleep time > After buffer creation, wait e.g. t = 10min > Detect how many pages were merged
87 Adaptive sleep-time detection > Try to automatically detect sleep time > After buffer creation, wait e.g. t = 10min > Detect how many pages were merged > If detection rate > threshold (e.g. 90%)
88 Adaptive sleep-time detection > Try to automatically detect sleep time > After buffer creation, wait e.g. t = 10min > Detect how many pages were merged > If detection rate > threshold (e.g. 90%) > Use t
89 Adaptive sleep-time detection > Try to automatically detect sleep time > After buffer creation, wait e.g. t = 10min > Detect how many pages were merged > If detection rate > threshold (e.g. 90%) > Use t > Else, increase t and try again
90 Detect merged pages Non-shared Merged Non-shared
91 Detect merged pages t Non-shared Merged Non-shared 29
92 Detect merged pages t t Non-shared Merged Non-shared
93 Detect merged pages Measure write time with rdtsc (Read Time Stamp Counter) t t t Non-shared Merged Non-shared
94 Detect merged pages Measure write time with rdtsc (Read Time Stamp Counter) t t t Non-shared Merged Non-shared t 2 > 2 * (t 1 +t 3 )/2 t 1,3 < M = 1000 t 1 < t 3, (t 3 -t 1 ) < t 3 /3
95 Detect merged pages Measure write time with rdtsc (Read Time Stamp Counter) t t t Non-shared Merged Non-shared t 2 > 2 * (t 1 +t 3 )/2 t 1,3 < M = 1000 t 1 < t 3, (t 3 -t 1 ) < t 3 /3
96 Handling noise > Be conservative and perform multiple rounds
97 Handling noise > Be conservative and perform multiple rounds > Probability that same guess is affected by noise in different rounds is low
98 Windows x64 ASLR > High Entropy ASLR > 33 bits for stacks > 24 bits for heaps > 17 bits for executables > 19 bits for DLLS System-wide at boot-time for certain images
99 Attacking a single Windows VM
100 Attacking multiple Windows VM sleep_millisecs = 20
101
102
103 Speed improvements > Many ways to increase speed of attack
104 Speed improvements > Many ways to increase speed of attack > Allocate more random pages in-between
105 Speed improvements > Many ways to increase speed of attack > Allocate more random pages in-between > Use more than one guess page (redundancy)
106 Speed improvements > Many ways to increase speed of attack > Allocate more random pages in-between > Use more than one guess page (redundancy) > Different guess pages for same secret e.g. relocated code pages
107 Big limitation > No control over victim memory layout
108 Big limitation > No control over victim memory layout > Some control would help a lot
109 Big limitation > No control over victim memory layout > Some control would help a lot > No write primitive
110 Big limitation > No control over victim memory layout > Some control would help a lot > No write primitive > Rowhammer
111 memdedup for Windows > MS enabled memory deduplication for Windows
112 memdedup for Windows > MS enabled memory deduplication for Windows
113 CAIN Dedup Est Machina Flip- Feng Shui
114 Dedup est Machina Deduplication (software side-channel)
115 Dedup est Machina Deduplication (software side-channel) + Rowhammer (hardware bug)
116 Dedup est Machina Deduplication (software side-channel) + Rowhammer (hardware bug) Exploit MS Edge without software bugs (from JavaScript)
117 Outline: Deduplication - leak heap & code addresses JavaScript Array NaN
118 Outline: Deduplication - leak heap & code addresses JavaScript Array chakra.dll NaN
119 Outline: Deduplication - leak heap & code addresses - create a fake object
120 Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object
121 Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object
122 Leaking existing pages is slow and the gained information is limited. What if we can manipulate the contents of the victim's memory to leak secrets hand-picked by the attacker.
123 Challenge 1: The secret we want to leak does not span an entire page.
124 Turning a secret into a page secret
125 Turning a secret into a page known data secret secret page
126 Challenge 2: The secret we want to leak has too much entropy to leak all at once.
127 Primitive #1: alignment probing known data secret secret page
128 Primitive #1: alignment probing known data secret secret page
129 Primitive #2: partial reuse known data secret secret page
130 Primitive #2: partial reuse known data secret secret page
131 Outline: Deduplication - leak heap & code addresses chakra.dll
132 JIT function epilogue (MS Edge) secret mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap... known data
133 JIT function epilogue (MS Edge) page mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap
134 JIT function epilogue (MS Edge) page mov RCX,0x1c20 mov RAX, [code address] jmp RAX trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap trap
135 Outline: Deduplication - leak heap & code addresses chakra.dll
136 Outline: Deduplication - leak heap & code addresses JavaScript Array chakra.dll NaN
137 What if leaking a heap pointer in stages is not possible... We need to guess a page containing the complete pointer.
138 Heap pointer entropy in Edge 0x5F
139 Heap pointer entropy in Edge 64G advertised ASLR (24 bit) * redundancy 0x5F
140 Heap pointer entropy in Edge 64G advertised ASLR (24 bit) * redundancy 0x5F T non-deterministic bits * redundancy (+/- 36 bit)
141 Slab allocator for JavaScript objects array object array data
142 Slab allocator for JavaScript objects... 1M VirtualAlloc()
143 Slab allocator for JavaScript objects 1st after VirtualAlloc() call... 1M VirtualAlloc()
144 Slab allocator for JavaScript objects 1st after VirtualAlloc() call Timing side-channel :-D... 1M VirtualAlloc()
145 Heap pointer entropy in Edge 64G advertised ASLR (24 bit) * redundancy 0x5F T non-deterministic bits * redundancy (+/- 36 bit)
146 Heap pointer entropy in Edge 64G advertised ASLR (24 bit) * redundancy 0x5F G entropy after 1MB alignment * redundancy (20 bit)
147 Birthday problem
148 Birthday problem
149 Birthday problem
150 Birthday problem
151 Birthday problem
152 Birthday problem
153 Birthday problem
154 Birthday problem
155 Birthday problem
156 Birthday problem
157 Birthday problem
158 Birthday problem
159 Birthday problem
160 Primitive #3: birthday heapspray physical memory attacker memory victim memory
161 Primitive #3: birthday heapspray physical memory attacker memory victim memory
162 Primitive #3: birthday heapspray physical memory attacker memory victim memory
163 Primitive #3: birthday heapspray physical memory attacker memory victim memory
164 Primitive #3: birthday heapspray physical memory attacker memory victim memory
165 Primitive #3: birthday heapspray physical memory attacker memory victim memory
166 Primitive #3: birthday heapspray physical memory attacker memory victim memory
167 Primitive #3: birthday heapspray physical memory attacker memory victim memory
168 Primitive #3: birthday heapspray physical memory attacker memory victim memory
169 Primitive #3: birthday heapspray physical memory attacker memory victim memory
170 Primitive #3: birthday heapspray physical memory attacker memory * * victim memory
171 Creating Secret Pages 1M Aligned... objects
172 Creating Secret Pages array data... 1M Aligned objects
173 Creating Secret Pages page page page... 1M Aligned objects page
174 Creating Secret Pages page page page... 1M Aligned objects page
175 Creating Secret Pages page secret A secret B... 1M Aligned objects secret C
176 Creating Guess Pages typed array data
177 Creating Guess Pages?????? guessed??? aligned addresses, 128M apart??????... typed array data???
178 Creating Guess Pages??? guess X??? guessed??? aligned addresses, 128M apart??????... guess Y guess Z??? guess Q
179 Birthday heap spray +1M, +1M, +1M, M, +128M, +128M,...
180 Birthday heap spray +1M, +1M, +1M, M, +128M, +128M,... secret pages (allocated addresses)
181 Birthday heap spray +1M, +1M, +1M, M, +128M, +128M,... secret pages (allocated addresses) guess pages (containing guessed addresses)
182 Birthday heap spray +1M, +1M, +1M, M, +128M, +128M,... secret pages (allocated addresses) guess pages (containing guessed addresses)
183 Outline: Deduplication - leak heap & code addresses - create a fake object Rowhammer - create reference to our fake object
184 Fake Uint8Array object array data
185 Pointer pivotting array data
186 Pointer pivotting array header array data JavaScript Array
187 Pointer pivotting array array array array header data header data JavaScript Array JavaScript Array
188 Pointer pivotting array array array array header data header data JavaScript Array JavaScript Array
189 Pointer pivotting array array array array header data header data JavaScript Array JavaScript Array
190 Rowhammer attack banks ranks channels DDR memory
191 Rowhammer attack
192 Rowhammer attack rows
193 Rowhammer attack rows row buffer cache
194 Rowhammer attack rows row buffer cache
195 Rowhammer attack rows row buffer cache
196 Rowhammer attack rows row buffer cache
197 Rowhammer attack rows row buffer cache
198 Rowhammer attack rows row buffer cache
199 Rowhammer attack rows row buffer cache
200 Rowhammer attack rows row buffer cache
201 Pointer pivotting array array array array header data header data JavaScript Array JavaScript Array
202 Pointer pivotting array array array array header data header data JavaScript Array JavaScript Array
203 CAIN Dedup Est Machina Flip- Feng Shui
204 Flip Feng Shui Rowhammer (hardware bug)
205 Flip Feng Shui Rowhammer (hardware bug) + Deduplication (more than a software side-channel)
206 Flip Feng Shui Rowhammer (hardware bug) + Deduplication (more than a software side-channel) Cross-VM compromise
207 Rowhammer bit flips: 1) Unpredictable on which (virtual) page 2) Unpredictable where in the page 3) Repeatable once you've found a flip
208 Flip Feng Shui goal: > Find victim pages with known content which allow for exploitation when certain bits are flipped > Land this victim page in a physical memory location where this bit is flippable
209 Deduplication implementation: Windows 10 physical memory attacker memory victim memory
210 Deduplication implementation: Windows 10 physical memory attacker memory victim memory
211 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
212 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
213 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
214 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
215 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
216 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
217 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
218 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
219 Deduplication implementation: KVM on Linux (KSM) physical memory attacker memory victim memory
220 Example 1: OpenSSH Target: ~/.ssh/authorized_keys
221 OpenSSH ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC52/Uk84iUm m ic el7e S r+ / D/P W Z6Lj k hlu 8 yv35be EoT wxm9 e G x Jyz V +1s68 tr yzpd 3VQ v wsh i KqDnCg+OtaA o 0 K v C qzc o BQ F B9X a wif J I 5 dsegtcu B uo k U v +TlmAZ+D9 MNNA xjusbbh0shbaih65 i mlauisfr3vzw FE 7 uy6s B 26j 52LhWG5 B R w SkM nmr N2E2f q HaP96J 9 RO F lhuy k w8 jwux Jwl4kJ 8 v Ro1uhX0SV u8z 9 wg rk R 5 b + GQ WJ3P h7 vjomvu/koab Wn NnY KR 8IT B nkp D 0 L r E yakrygefi7g wc ixovqr79by8 l L6yp J4 km5 ey obs B sn C jmg hxqj 8 RR zgu td1 victim@laptop Exponent Modulus (p * q)
222 OpenSSH ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC52/Uk84iUm m ic el7e S r+ / D/P W Z6Lj k hlu 8 yv35be EoT wxm9 e G x Jyz V +1s68 tr yzpd 3VQ v wsh i KqDnCg+OtaA o 0 K v C qzc o BQ F B9X a wif J I 5 dsegtcu B uo k U v +TlmAZ+D9 MNNA xjusbbh0shbaih65 i mlauisfr3vzw FE 7 uy6s B 26j 52LhWG5 B R w SkM nmr N2E2f q HaP96J 9 RO F lhuy k w8 jwux Jwl4kJ 8 v Ro1uhX0SV u8z 9 wg rk R 5 b + GQ WJ3P h7 vjomvu/koab Wn NnY KR 8IT B nkp D 0 L r E yakrygefi7g wc ixovqr79by8 l L6yp J4 km5 ey obs B sn C jmg hxqj 8 RR zgu td1 victim@laptop Exponent Modulus (p' * q' * r'...)
223 Example 1: OpenSSH Target: ~/.ssh/authorized_keys > Flip a bit in the RSA modulus > Factorize it > Reconstruct the new private key
224 Example 2: GPG & apt-get Targets: sources.list flip package repository domain name eg. ubuntu.com -> ubunvu.com
225 Example 2: GPG & apt-get Targets: sources.list + GPG keyring corrupt signing key
226 Conclusion
227 Conclusion > Memory deduplication is dangerous
228 Conclusion > Memory deduplication is dangerous > Be aware of the security implications
229 Conclusion > Memory deduplication is dangerous > Be aware of the security implications > Well, or just disable it
230 Erik Antonio
231 Rowhammer (seaborn attack) physical memory sprayed page tables
POC Flip Feng Shui: Hammering a Needle in the Software Stack
POC2016 - Flip Feng Shui: Hammering a Needle in the Software Stack Kaveh Razavi Ben Gras Erik Bosman Bart Preneel Cristiano Giuffrida Herbert Bos November 10, 2016 Who am I Security researcher in academia
More informationDedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
2016 IEEE Symposium on Security and Privacy Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman Vrije Universiteit Amsterdam erik@minemu.org Kaveh Razavi Vrije Universiteit
More informationSecure Page Fusion with VUsion
https://www.vusec.net/projects/vusion ABSTRACT Marco Oliverio Vrije Universiteit Amsterdam Università della Calabria Herbert Bos Vrije Universiteit Amsterdam To reduce memory pressure, modern operating
More informationFlip Feng Shui: Hammering a Needle in the Software Stack
Flip Feng Shui: Hammering a Needle in the Software Stack Kaveh Razavi Vrije Universiteit Amsterdam Ben Gras Vrije Universiteit Amsterdam Cristiano Giuffrida Vrije Universiteit Amsterdam Erik Bosman Vrije
More informationUndermining Information Hiding (And What to do About it)
Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating
More informationUse virtualisation wisely
Use virtualisation wisely Ensure you know the neighbours of your sensitive virtual systems Factsheet FS-2016-05 version 1.0 10 August 2016 Virtualisation of ICT services ensures more efficient and flexible
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationFrom bottom to top: Exploiting hardware side channels in web browsers
From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France Rennes Graz Clémentine Maurice PhD since
More informationRowhammer.js: A Remote Software- Induced Fault Attack in Javascript
Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript Daniel Gruss, Clementine Maurice and Stefan Mangard Graz University of Technology, Austria Rowhammer bug (I) Different DRAM cells can
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationKernel Self Protection
Kernel Self Protection Kernel Summit 2016, Santa Fe Kees ( Case ) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/kernel_self_protection_project http://www.openwall.com/lists/kernel-hardening/
More informationHypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 19 Hardware Security: Meltdown, Spectre, Rowhammer Vulnerabilities and Abstractions Abstraction Reality Vulnerability Review: ISA and µarchitecture
More informationRowhammer.js: Root privileges for web apps?
Rowhammer.js: Root privileges for web apps? Daniel Gruss (@lavados) 1, Clémentine Maurice (@BloodyTangerine) 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 1 Rennes Graz Clémentine
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Paged MMU: Two main Issues Translation speed can be slow TLB Table size is big Multi-level page table
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationChapter 3 - Memory Management
Chapter 3 - Memory Management Luis Tarrataca luis.tarrataca@gmail.com CEFET-RJ L. Tarrataca Chapter 3 - Memory Management 1 / 222 1 A Memory Abstraction: Address Spaces The Notion of an Address Space Swapping
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationOn Feasibility and Performance of Rowhammmer Attack
On Feasibility and Performance of Rowhammmer Attack Varnavas Papaioannou A dissertation submitted in partial fulfillment of the requirements for the degree of MSc Information Security of University College
More information143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018
143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a
More informationJump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow
More informationCS 134: Operating Systems
CS 134: Operating Systems More Memory Management CS 134: Operating Systems More Memory Management 1 / 27 2 / 27 Overview Overview Overview Segmentation Recap Segmentation Recap Segmentation Recap Segmentation
More informationAttacking Next- Generation Firewalls
Attacking Next- Generation Firewalls Breaking PAN-OS Felix Wilhelm #whoami Security Researcher @ ERNW Research Application and Virtualization Security Recent Research Hypervisors (Xen) Security Appliances
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationFrom Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu, Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu Group of Software Security In
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationBypassing Mitigations by Attacking JIT Server in Microsoft Edge
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationMemory corruption: Why we can t have nice things. Mathias Payer
Memory corruption: Why we can t have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance
More informationNew Mapping Interface
New Mapping Interface Mike Bauer NVIDIA Research 1 Why Have A Mapping Interface? Legion Program Legion Legion Mapper Scheduling is hard Lots of runtimes have heuristics What do you do when they are wrong?
More informationHow to Break Software by James Whittaker
How to Break Software by James Whittaker CS 470 Practical Guide to Testing Consider the system as a whole and their interactions File System, Operating System API Application Under Test UI Human invokes
More information238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018
238P: Operating Systems Lecture 5: Address translation Anton Burtsev January, 2018 Two programs one memory Very much like car sharing What are we aiming for? Illusion of a private address space Identical
More informationSecure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs
More informationCS 31: Intro to Systems Virtual Memory. Kevin Webb Swarthmore College November 15, 2018
CS 31: Intro to Systems Virtual Memory Kevin Webb Swarthmore College November 15, 2018 Reading Quiz Memory Abstraction goal: make every process think it has the same memory layout. MUCH simpler for compiler
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationMemory management. Requirements. Relocation: program loading. Terms. Relocation. Protection. Sharing. Logical organization. Physical organization
Requirements Relocation Memory management ability to change process image position Protection ability to avoid unwanted memory accesses Sharing ability to share memory portions among processes Logical
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationSmartMD: A High Performance Deduplication Engine with Mixed Pages
SmartMD: A High Performance Deduplication Engine with Mixed Pages Fan Guo 1, Yongkun Li 1, Yinlong Xu 1, Song Jiang 2, John C. S. Lui 3 1 University of Science and Technology of China 2 University of Texas,
More informationVirtual Memory III. Jo, Heeseung
Virtual Memory III Jo, Heeseung Today's Topics What if the physical memory becomes full? Page replacement algorithms How to manage memory among competing processes? Advanced virtual memory techniques Shared
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationCIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2017
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2017 Previous class What is logical address? Who use it? Describes a location in the logical memory address space Compiler
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Demand paging Concepts to Learn 2 Abstraction Virtual Memory (VM) 4GB linear address space for each process
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationHeap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks
Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks Yu Ding 1, Tao Wei 1, Tielei Wang 1, Zhenkai Liang 2, Wei Zou 1 1 Peking University, 2 National University of Singapore A
More informationVirtual Memory. Today. Segmentation Paging A good, if common example
Virtual Memory Today Segmentation Paging A good, if common example Virtual memory system Goals Transparency Programs should not know that memory is virtualized; the OS +HW multiplex memory among processes
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya 1 and Debdeep Mukhopadhyay 1 Department of Computer Science and Engineering Indian Institute of Technology,
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationPAGE REPLACEMENT. Operating Systems 2015 Spring by Euiseong Seo
PAGE REPLACEMENT Operating Systems 2015 Spring by Euiseong Seo Today s Topics What if the physical memory becomes full? Page replacement algorithms How to manage memory among competing processes? Advanced
More informationCIS Operating Systems Memory Management Cache and Demand Paging. Professor Qiang Zeng Spring 2018
CIS 3207 - Operating Systems Memory Management Cache and Demand Paging Professor Qiang Zeng Spring 2018 Process switch Upon process switch what is updated in order to assist address translation? Contiguous
More informationVirtual Memory 1. To do. q Segmentation q Paging q A hybrid system
Virtual Memory 1 To do q Segmentation q Paging q A hybrid system Address spaces and multiple processes IBM OS/360 Split memory in n parts (possible!= sizes) A process per partition Program Code Heap Operating
More informationHello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer
More informationBit Flips in Memory Rowhammer Attacks and Defenses
Bit Flips in Memory Rowhammer Attacks and Defenses Memory Corruption Attacks Software code injection return-oriented programming Data Code Hardware Memory Corruption Attacks Software code injection return-oriented
More information21 Lecture: More VM Announcements From last time: Virtual Memory (Fotheringham, 1961)
21 Lecture: More VM Outline: Announcements From last time: Virtual Memory (Fotheringham, 1961) What it s all about Translation Logistics(HERE) Where to keep the page table? Possible approaches to dealing
More informationBasic Memory Management
Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester 10/15/14 CSC 2/456 1 Basic Memory Management Program must be brought into memory and placed within a process for it
More informationCourse Outline. Processes CPU Scheduling Synchronization & Deadlock Memory Management File Systems & I/O Distributed Systems
Course Outline Processes CPU Scheduling Synchronization & Deadlock Memory Management File Systems & I/O Distributed Systems 1 Today: Memory Management Terminology Uniprogramming Multiprogramming Contiguous
More informationECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationAttacking the Linux PRNG on Android. David Kaplan, Sagi Kedmi, Roee Hay & Avi Dayan IBM Security Systems
Attacking the Linux PRNG on Android David Kaplan, Sagi Kedmi, Roee Hay & Avi Dayan IBM Security Systems MOTIVATION motivation_keystore_buffer_overflow We discovered CVE-2014-3100, a stack-based Buffer
More informationGet the (Spider)monkey off your back
Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free
More informationChapter 10: Case Studies. So what happens in a real operating system?
Chapter 10: Case Studies So what happens in a real operating system? Operating systems in the real world Studied mechanisms used by operating systems Processes & scheduling Memory management File systems
More informationFantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript Michael Schwarz, Clémentine Maurice, Daniel Gruss, Stefan Mangard Graz University of Technology April 2017
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationSorting integer arrays: security, speed, and verification. D. J. Bernstein
Sorting integer arrays: security, speed, and verification 1 D. J. Bernstein Bob s laptop screen: 2 From: Alice Thank you for your submission. We received many interesting papers, and unfortunately your
More informationSEER: Practical Memory Virus Scanning-as-a-Service for Virtualized Environments
SEER: Practical Memory Virus Scanning-as-a-Service for Virtualized Environments Jason Gionta, Ahmed Azab, William Enck, Peng Ning, Xiaolan Zhang Data Centers and Security Software Anti-Virus Storms 2 Offload
More informationBasic Memory Management. Basic Memory Management. Address Binding. Running a user program. Operating Systems 10/14/2018 CSC 256/456 1
Basic Memory Management Program must be brought into memory and placed within a process for it to be run Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester Mono-programming
More information! What is main memory? ! What is static and dynamic allocation? ! What is segmentation? Maria Hybinette, UGA. High Address (0x7fffffff) !
Memory Questions? CSCI [4 6]730 Operating Systems Main Memory! What is main memory?! How does multiple processes share memory space?» Key is how do they refer to memory addresses?! What is static and dynamic
More informationMulti-level Translation. CS 537 Lecture 9 Paging. Example two-level page table. Multi-level Translation Analysis
Multi-level Translation CS 57 Lecture 9 Paging Michael Swift Problem: what if you have a sparse address space e.g. out of GB, you use MB spread out need one PTE per page in virtual address space bit AS
More informationHacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationCS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES
CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES Your name: SUNet ID: In accordance with both the letter and the spirit of the Stanford Honor Code, I did not cheat on this exam. Furthermore,
More informationJavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationCOS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy
Topics COS 318: Operating Systems File Systems hierarchy File system abstraction File system operations File system protection 2 Traditional Data Center Hierarchy Evolved Data Center Hierarchy Clients
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationStorage hierarchy. Textbook: chapters 11, 12, and 13
Storage hierarchy Cache Main memory Disk Tape Very fast Fast Slower Slow Very small Small Bigger Very big (KB) (MB) (GB) (TB) Built-in Expensive Cheap Dirt cheap Disks: data is stored on concentric circular
More informationComputer Systems A Programmer s Perspective 1 (Beta Draft)
Computer Systems A Programmer s Perspective 1 (Beta Draft) Randal E. Bryant David R. O Hallaron August 1, 2001 1 Copyright c 2001, R. E. Bryant, D. R. O Hallaron. All rights reserved. 2 Contents Preface
More informationQiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016
Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016 Who are we Security researcher in Qihoo 360 Inc(Gear Team) Vulnerability discovery and analysis Specialize in QEMU currently 50+ security issues, 33
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur CHES 2016 August 19, 2016 Objective
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationLocking Down the Processor via the Rowhammer Attack
SGX-BOMB: Locking Down the Processor via the Rowhammer Attack Yeongjin Jang*, Jaehyuk Lee, Sangho Lee, and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationCSE 120 Principles of Operating Systems
CSE 120 Principles of Operating Systems Spring 2018 Lecture 10: Paging Geoffrey M. Voelker Lecture Overview Today we ll cover more paging mechanisms: Optimizations Managing page tables (space) Efficient
More informationIBM PSSC Montpellier Customer Center. Blue Gene/P ASIC IBM Corporation
Blue Gene/P ASIC Memory Overview/Considerations No virtual Paging only the physical memory (2-4 GBytes/node) In C, C++, and Fortran, the malloc routine returns a NULL pointer when users request more memory
More informationCIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2015
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2015 Previous class What is logical address? Who use it? Describes a location in the logical address space Compiler and CPU
More informationStorage and File System
COS 318: Operating Systems Storage and File System Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics Storage hierarchy File
More informationSpectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationVirtual Memory 1. Virtual Memory
Virtual Memory 1 Virtual Memory key concepts virtual memory, physical memory, address translation, MMU, TLB, relocation, paging, segmentation, executable file, swapping, page fault, locality, page replacement
More informationSecure Development After Security Bugs
Secure Development After Security Bugs Jeremy Epstein Program Manager Presentation to 1 st IEEE Cybersecurity Development Conference (SecDev) 11/03/16 Distribution Statement A. Approved for public release:
More informationVirtual Memory 1. Virtual Memory
Virtual Memory 1 Virtual Memory key concepts virtual memory, physical memory, address translation, MMU, TLB, relocation, paging, segmentation, executable file, swapping, page fault, locality, page replacement
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationDynamic Memory Management
Dynamic Memory Management 1 Goals of this Lecture Help you learn about: Dynamic memory management techniques Garbage collection by the run-time system (Java) Manual deallocation by the programmer (C, C++)
More informationDistributed Systems Operation System Support
Hajussüsteemid MTAT.08.009 Distributed Systems Operation System Support slides are adopted from: lecture: Operating System(OS) support (years 2016, 2017) book: Distributed Systems: Concepts and Design,
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More information