IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE
|
|
- Jocelyn Nash
- 5 years ago
- Views:
Transcription
1 IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE Stephen Checkoway and Hovav Shacham March 19,
2 A vulnerable program #include <stdlib.h> int main() { void *p = malloc(100); } 2 2
3 Problem setting Trusted application: Untrusted operating system: 3 3
4 Problem motivation 4 4
5 Problem motivation 4 4
6 Problem motivation 4 4
7 Problem motivation 4 4
8 Possible solutions Reimplement in a secure environment (e.g., µkernel) Hardware-based solutions (e.g., XOM processor) Multiple virtual machines (e.g., Proxos) Hypervisor-assisted (e.g., Overshadow) 5 5
9 Possible solutions Reimplement in a secure environment (e.g., µkernel) Hardware-based solutions (e.g., XOM processor) Multiple virtual machines (e.g., Proxos) Hypervisor-assisted (e.g., Overshadow) 6 6
10 The Overshadow approach Application Operating system Chen et al. Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. ASPLOS
11 The Overshadow approach Application Shim Operating system Hypervisor Chen et al. Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. ASPLOS
12 The Overshadow approach Application Shim Operating system Hypervisor Chen et al. Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. ASPLOS
13 Cloaking: Two views of application memory 8 8
14 The shim Marshals arguments and return values for system calls Communicates directly with the hypervisor A majority of system calls can be passed through to the OS with no special handling. These include calls with scalar arguments that have no interesting side effects, such as getpid, nice, and sync. Chen et al. ASPLOS
15 Warmup: A thought experiment Main Apache process Entropy pool 10 10
16 Warmup: A thought experiment Main Apache process getpid() getpid() Entropy pool Workers Workers entropy pools 10 10
17 Technical goals Abstract away details of Overshadow Develop a malicious operating system kernel to attack protected applications Cause the protected application to act against its interests 11 11
18 Threat model Trusted, legacy application Unmodified system libraries Kernel cannot read or modify application state Kernel responds to system calls normally except for return values 12 12
19 Threat model: example asmlinkage long sys_read(unsigned int fd, char user *buf, size_t count); count User Kernel buf 13 13
20 Threat model: example asmlinkage long sys_read(unsigned int fd, char user *buf, size_t count); count User Kernel buf Write arbitrary data, but only inside the supplied buffer Arbitrary return value 14 14
21 Abstraction Malicious kernel (modified Linux) No reading/writing application memory Handle all unsafe system calls correctly Can handle safe system calls maliciously Unmodified user space 15 15
22 Recall our vulnerable program #include <stdlib.h> int main() { void *p = malloc(100); } 16 16
23 Step 1: mmap(2)/read(2); normal behavior stack void *p; p = mmap(4096); read(0,p,4096); heap 17 17
24 Step 1: mmap(2)/read(2); normal behavior stack stack void *p; p = mmap(4096); read(0,p,4096); mmap() p heap heap 17 17
25 Step 1: mmap(2)/read(2); normal behavior stack stack stack void *p; p = mmap(4096); read(0,p,4096); mmap() p read() p heap heap heap 17 17
26 Step 1: mmap(2)/read(2); malicious behavior stack void *p; p = mmap(4096); read(0,p,4096); heap 18
27 Step 1: mmap(2)/read(2); malicious behavior stack stack void *p; p = mmap(4096); read(0,p,4096); p mmap() heap heap 18
28 Step 1: mmap(2)/read(2); malicious behavior stack stack stack void *p; p = mmap(4096); read(0,p,4096); p mmap() p read() heap heap heap 18
29 Step 2: Standard I/O; normal behavior fgetc() fgets() fread() fscanf() getc() getchar() getdelim() getline() gets() scanf() vfscanf() vscanf() stack heap mmap() stack buf heap read() stack buf heap 19 19
30 Step 2: Standard I/O; malicious behavior fgetc() fgets() fread() fscanf() getc() getchar() getdelim() getline() gets() scanf() vfscanf() vscanf() stack heap stack stack buf buf mmap() read() heap heap 20 20
31 Step 3: LibC s malloc top size+1 Split into upper and lower halves Upper half: manages chunks, free lists, handles malloc() and free() Lower half: requests memory from the OS Maintains a top region of unallocated memory from the OS Metadata (including size) inline 21 21
32 The lower half algorithm First call to malloc(n) [creating the top chunk]: 1. nb n + 4 rounded up to a multiple of 8 bytes 2. Determine the start of the heap via brk system call 3. Increase the size of the heap via brk 4. Increase the size again to maintain 8-byte alignment via brk (updates the start S of the heap) 5. If step 4 failed, determine the end E of the heap (last brk s return value) 6. Carve off a chunk of size nb 7. Write the size E - S - nb of the remaining top chunk at S + nb
33 malloc(n) example 1. nb n + 4 rounded up to a multiple of 8 bytes 23 23
34 malloc(n) example 2. Determine the start of the heap via brk system call ❷ S,E 24 24
35 malloc(n) example 3. Increase the size of the heap via brk S E ❸ ❷ S,E 25 25
36 malloc(n) example 4. Increase the size again to maintain 8-byte alignment via brk ❹ S? E S E ❸ ❷ S,E 26 26
37 malloc(n) example 5. If step 4 failed, determine the end E of the heap (last brk s return value) E ❺ S ❹ S? E S E ❸ ❷ S,E 27 27
38 malloc(n) example 6. Carve off a chunk of size nb nb E - S - nb E S ❻ E ❺ S ❹ S? E ❷ S E ❸ 28 28
39 malloc(n) example 7. Write the size E - S - nb of the remaining top chunk at S + nb + 4 E S nb E - S - nb ❻ ❼ E ❺ S ❹ S? E ❷ S E ❸ 29 29
40 Attacking the lower half nb E - S - nb E S 30 30
41 Attacking the lower half application code/data libc application stack nb E - S - nb E E - S - nb + 1 S 1. Choose S such that S + nb + 4 is the address of a saved return address 30 30
42 Attacking the lower half gets() application code/data libc application stack nb E - S - nb E E - S - nb + 1 S 1. Choose S such that S + nb + 4 is the address of a saved return address 2. Choose E such that E - S - nb + 1 is the address of gets() 30 30
43 Step 3: Putting it all together; Iago attack 1. Malicious kernel responds to brk 2. malloc() writes address of gets() over saved return address 3. gets() allocates a buffer via mmap() 4. Kernel returns an address on the stack 5. gets() fills the buffer with read() 6. Kernel responds with a return-oriented program 31 31
44 Conclusions The system call interface is a bad RPC mechanism Malicious kernels can take control of protected applications Options: 1. Design a new system call interface 2. Enable the hypervisor to check the validity of all system calls 3. Paraverification (see the next talk!) 32 32
45 Thank you Fin33 33
CSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationDynamic Memory Allocation. Zhaoguo Wang
Dynamic Memory Allocation Zhaoguo Wang Why dynamic memory allocation? Do not know the size until the program runs (at runtime). #define MAXN 15213 int array[maxn]; int main(void) { int i, n; scanf("%d",
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationMemory management. Johan Montelius KTH
Memory management Johan Montelius KTH 2017 1 / 22 C program # include int global = 42; int main ( int argc, char * argv []) { if( argc < 2) return -1; int n = atoi ( argv [1]); int on_stack
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationProcesses often need to communicate. CSCB09: Software Tools and Systems Programming. Solution: Pipes. Recall: I/O mechanisms in C
2017-03-06 Processes often need to communicate CSCB09: Software Tools and Systems Programming E.g. consider a shell pipeline: ps wc l ps needs to send its output to wc E.g. the different worker processes
More informationInkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin
InkTag: Secure lications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your... should you? The is the software root of trust on most
More informationLecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago
Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 X. Chen, T, Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin,
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationReflections on using C(++) Root Cause Analysis
Hacking in C Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic 1 There are only two kinds of programming languages: the ones people complain about and the ones
More informationSoftware and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1
Software and Web Security 1 Reflections on using C(++) Root Cause Analysis Abstractions Assumptions Trust sws1 1 There are only two kinds of programming languages: the ones people complain about and the
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating
More informationOvershadow: Retrofitting Protection in Commodity Operating Systems
Overshadow: Retrofitting Protection in Commodity Operating Systems Mike Chen Tal Garfinkel E. Christopher Lewis Pratap Subrahmanyam Carl Waldspurger VMware, Inc. Dan Boneh Jeffrey Dwoskin Dan R.K. Ports
More informationPrinceton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management
Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Goals of this Lecture Help you learn about: The need for dynamic* memory mgmt (DMM) Implementing
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More informationDynamic Memory Allocation I Nov 5, 2002
15-213 The course that gives CMU its Zip! Dynamic Memory Allocation I Nov 5, 2002 Topics Simple explicit allocators Data structures Mechanisms Policies class21.ppt Harsh Reality Memory is not unbounded
More informationMemory Allocation. Copyright : University of Illinois CS 241 Staff 1
Memory Allocation Copyright : University of Illinois CS 241 Staff 1 Memory allocation within a process What happens when you declare a variable? Allocating a page for every variable wouldn t be efficient
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu x86-64/linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated
More informationDynamic Memory Allocation I
Dynamic Memory Allocation I William J. Taffe Plymouth State University Using the Slides of Randall E. Bryant Carnegie Mellon University Topics Simple explicit allocators Data structures Mechanisms Policies
More informationWhat Is Operating System? Operating Systems, System Calls, and Buffered I/O. Academic Computers in 1983 and Operating System
What Is Operating System? Operating Systems, System Calls, and Buffered I/O emacs gcc Browser DVD Player Operating System CS 217 1 Abstraction of hardware Virtualization Protection and security 2 Academic
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationTolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationBuffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)
More informationBuffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOperating System Labs. Yuanbin Wu
Operating System Labs Yuanbin Wu CS@ECNU Operating System Labs Project 2 Due 21:00, Oct. 24 Project 3 Group of 3 If you can not find a partner, drop us an email You now have 3 late days, but start early!
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationIntroduction to Computer Systems /18 243, fall th Lecture, Oct. 22 th
Introduction to Computer Systems 15 213/18 243, fall 2009 16 th Lecture, Oct. 22 th Instructors: Gregory Kesden and Markus Püschel Today Dynamic memory allocation Process Memory Image %esp kernel virtual
More informationOutline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction
Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software
More informationSecure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage
More informationOperating systems offer processes running in User Mode a set of interfaces to interact with hardware devices such as
System call Overview 2 Operating systems offer processes running in User Mode a set of interfaces to interact with hardware devices such as the CPU disks printers Unix systems implement most interfaces
More informationCategory (see the category tab) Comment and rationale Proposed new text Record of Response. Initials #
ISO/IEC JTC 1/SC 22/WG 14 N1662 - Commenting Template To submit your comments, submit this spreadsheet using a filename with the following format: FML-yymmdd.xls where "FML" is your Commen Com Rule Subsectio
More informationNaked C Lecture 6. File Operations and System Calls
Naked C Lecture 6 File Operations and System Calls 20 August 2012 Libc and Linking Libc is the standard C library Provides most of the basic functionality that we've been using String functions, fork,
More informationDynamic Memory Allocation: Basic Concepts
Dynamic Memory Allocation: Basic Concepts 15-213: Introduction to Computer Systems 19 th Lecture, March 30, 2017 Instructor: Franz Franchetti & Seth Copen Goldstein 1 Today Basic concepts Implicit free
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationLecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago
Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe functions in libc strcpy strcat gets scanf family (fscanf, sscanf, etc.) (rare) printffamily (more about these later)
More information전공핵심실습 1: 운영체제론 Chapter 11. Accessing Files
1 전공핵심실습 1: 운영체제론 Chapter 11. Accessing Files Sungkyunkwan University Dongkun Shin Announcement 2 Tizen Z3 기기반납 일시 : 2016 년 6 월 14 일화요일오후 6:15~ (15 주차수업시간 ) 구성품 Samsung Z3(SM-Z300HZDDINS) 1 대 Micro-USB
More informationOverflows, Injection, & Memory Safety
Overflows, Injection, & Memory Safety 1 Announcements... Computer Science 161 Fall 2018 Project 1 is now live! Due Friday September 14th Start it early: The add/drop deadline got reduced to September 12th
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 10 Prof. Stephen Chong October 4, 2011 Announcements 1/2 Assignment 4: Malloc Will be released today May work in groups of one or two Please go to website and enter
More informationAdvanced System Security: Vulnerabilities
Advanced System Security: Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University CSE544 -Advanced
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationCSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Software Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationHA2lloc: Hardware-Assisted Secure Allocator
HA2lloc: Hardware-Assisted Secure Allocator Orlando Arias, Dean Sullivan, Yier Jin {oarias,dean.sullivan}@knights.ucf.edu yier.jin@ece.ufl.edu University of Central Florida University of Florida June 25,
More informationHeap Off by 1 Overflow Illustrated. Eric Conrad October 2007
Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationSystems Programming. 08. Standard I/O Library. Alexander Holupirek
Systems Programming 08. Standard I/O Library Alexander Holupirek Database and Information Systems Group Department of Computer & Information Science University of Konstanz Summer Term 2008 Last lecture:
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationPROJECT 2 - MEMORY ALLOCATOR Computer Systems Principles. October 1, 2010
PROJECT 2 - MEMORY ALLOCATOR Computer Systems Principles Emery Berger Mark Corner October 1, 2010 1 Overview The purpose of this project is to acquaint you with how memory allocators provide virtual memory
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationPrinceton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management
Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Agenda The need for DMM DMM using the heap section DMMgr 1: Minimal implementation DMMgr 2: Pad
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationECE 598 Advanced Operating Systems Lecture 10
ECE 598 Advanced Operating Systems Lecture 10 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 17 February 2015 Announcements Homework #1 and #2 grades, HW#3 Coming soon 1 Various
More informationDynamic Memory Allocation
Dynamic Memory Allocation Computer Systems Organization (Spring 2017) CSCI-UA 201, Section 3 Instructor: Joanna Klukowska Slides adapted from Randal E. Bryant and David R. O Hallaron (CMU) Mohamed Zahran
More informationFile (1A) Young Won Lim 11/25/16
File (1A) Copyright (c) 2010-2016 Young W. Lim. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationSoftware Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen
Software Security Buffer Overflows more countermeasures Erik Poll Digital Security Radboud University Nijmegen Recap last week Recurring security problems in C(++) code buffer overflows bugs with pointers
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationToday. Dynamic Memory Allocation: Basic Concepts. Dynamic Memory Allocation. Dynamic Memory Allocation. malloc Example. The malloc Package
Today Dynamic Memory Allocation: Basic Concepts Basic concepts Performance concerns Approach 1: implicit free lists CSci 01: Machine Architecture and Organization October 17th-nd, 018 Your instructor:
More informationDynamic Memory Allocation. Gerson Robboy Portland State University. class20.ppt
Dynamic Memory Allocation Gerson Robboy Portland State University class20.ppt Harsh Reality Memory is not unbounded It must be allocated and managed Many applications are memory dominated Especially those
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationHakim Weatherspoon CS 3410 Computer Science Cornell University
Hakim Weatherspoon CS 3410 Computer Science Cornell University The slides are the product of many rounds of teaching CS 3410 by Deniz Altinbuken, Professors Weatherspoon, Bala, Bracy, and Sirer. C practice
More informationCS 5460/6460 Operating Systems
CS 5460/6460 Operating Systems Fall 2009 Instructor: Matthew Flatt Lecturer: Kevin Tew TAs: Bigyan Mukherjee, Amrish Kapoor 1 Join the Mailing List! Reminders Make sure you can log into the CADE machines
More informationMemory Corruption Vulnerabilities, Part II
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows
More informationHeap Arrays. Steven R. Bagley
Heap Arrays Steven R. Bagley Recap Data is stored in variables Can be accessed by the variable name Or in an array, accessed by name and index a[42] = 35; Variables and arrays have a type int, char, double,
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationSoftware Security: Buffer Overflow Defenses and Miscellaneous
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses and Miscellaneous Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationApplications of. Virtual Memory in. OS Design
Applications of Virtual Memory in OS Design Nima Honarmand Introduction Virtual memory is a powerful level of indirection Indirection: IMO, the most powerful concept in Computer Science Fundamental Theorem
More informationReal-World Buffer Overflow Protection in User & Kernel Space
Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton, Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http://raksha.stanford.edu 1 Motivation Buffer
More informationPESIT Bangalore South Campus Hosur road, 1km before Electronic City, Bengaluru -100 Department of Information Sciences and Engineering
INTERNAL ASSESSMENT TEST 2 Solutions 1. Explain the working of the waitpid() API with the help of a program. The program needs to take 2 command line arguments: the first argument should be used as the
More informationTowards Application Security on Untrusted Operating Systems
Towards Application Security on Untrusted Operating Systems Dan R. K. Ports MIT CSAIL & VMware Tal Garfinkel VMware Motivation Many applications handle sensitive data financial, medical, insurance, military...
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.893 Fall 2009 Quiz I Solutions All problems are open-ended questions. In order to receive credit you must
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationSECURING SOFTWARE AGAINST LIBRARY ATTACKS
SECURING SOFTWARE AGAINST LIBRARY ATTACKS Roland Yap School of Computing National University of Singapore ryap@comp.nus.edu.sg Session ID: DAS W05 Session Classification: Advanced Untrusted Libraries Software
More informationMemory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory.
Memory Management Page 1 Memory Management Wednesday, October 27, 2004 4:54 AM Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory. Two kinds
More informationThe Art and Science of Memory Allocation
Logical Diagram The Art and Science of Memory Allocation Don Porter CSE 506 Binary Formats RCU Memory Management Memory Allocators CPU Scheduler User System Calls Kernel Today s Lecture File System Networking
More informationToday. Dynamic Memory Allocation: Basic Concepts. Dynamic Memory Allocation. Dynamic Memory Allocation. malloc Example. The malloc Package
Today Dynamic Memory Allocation: Basic Concepts Basic concepts Performance concerns Approach 1: implicit free lists CSci 01: Machine Architecture and Organization Lecture #9, April th, 016 Your instructor:
More informationECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationProcess Address Spaces and Binary Formats
Process Address Spaces and Binary Formats Don Porter Background We ve talked some about processes This lecture: discuss overall virtual memory organizafon Key abstracfon: Address space We will learn about
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationCSE / / 60567: Computer Security. Software Security 4
CSE 40567 / 44567 / 60567: Computer Security Software Security 4 91 Homework #5 Due: Tonight at 11:59PM Eastern Time (ND) / Pacific Time (SV) See Assignments Page on the course website for details 92 Notes
More informationBaggy bounds with LLVM
Baggy bounds with LLVM Anton Anastasov Chirantan Ekbote Travis Hance 6.858 Project Final Report 1 Introduction Buffer overflows are a well-known security problem; a simple buffer-overflow bug can often
More informationAgenda. Dynamic Memory Management. Robert C. Seacord. Secure Coding in C and C++
Dynamic Memory Management Secure Coding in C and C++ Robert C. Seacord CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination
More information