SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

Similar documents
in memory: an evolution of attacks Mathias Payer Purdue University

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University

SoK: Eternal War in Memory

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

CS-527 Software Security

Memory corruption: Why we can t have nice things. Mathias Payer

Software Security II: Memory Errors - Attacks & Defenses

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

String Oriented Programming Exploring Format String Attacks. Mathias Payer

SoK: Eternal War in Memory

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University

Buffer overflow background

CS527 Software Security

Black Hat Webcast Series. C/C++ AppSec in 2014

CS527 Software Security

On Compilers, Memory Errors and Control-Flow Integrity

CS161 Midterm 1 Review

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Ironclad C++ A Library-Augmented Type-Safe Subset of C++

Secure Software Development: Theory and Practice

Advanced Systems Security: Program Diversity

Type Confusion: Discovery, Abuse, Protection. Mathias

Software Security: Buffer Overflow Defenses

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CS 161 Computer Security

A program execution is memory safe so long as memory access errors never occur:

Code: analysis, bugs, and security

Software Security: Buffer Overflow Attacks

Buffer overflow prevention, and other attacks

Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables

Memory Safety (cont d) Software Security

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Buffer Overflow Defenses

Code Injection Attacks Buffer Overflows

It s a TRaP: Table Randomization and Protection against Function-Reuse Attacks

Memory safety, continued

Runtime Defenses against Memory Corruption

CMPSC 497 Other Memory Vulnerabilities

Inject malicious code Call any library functions Modify the original code

Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Remix: On-demand Live Randomization

Computer Security Course. Midterm Review

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CS 161 Computer Security

Software security, secure programming

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Introduction to software exploitation ISSISP 2017

Preventing Use-after-free with Dangling Pointers Nullification

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Building Safe and Secure Systems in Rust. Mingshen Sun Baidu X-Lab, USA December 2018 RustRush, Moscow

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Lecture 10 Code Reuse

Taxi: Defeating Code Reuse Attacks with Tagged Memory. Julián Armando González

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

SoftBound: Highly Compatible and Complete Spatial Safety for C

Lecture 08 Control-flow Hijacking Defenses

Memory Corruption 101 From Primitives to Exploit

Adaptive Android Kernel Live Patching

Lecture 4 September Required reading materials for this class

PREVENTING EXPLOITS AGAINST MEMORY CORRUPTION VULNERABILITIES

Jonathan Afek, 1/8/07, BlackHat USA

CMPT 473 Software Quality Assurance. Security. Nick Sumner - Fall 2014

Exploits and gdb. Tutorial 5

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

CSE509 Spring 2007 Midterm Exam. Electronic devices, including calculators, cell phones, mp3 players, and laptops are all prohibited.

CIS 4360 Secure Computer Systems. Integers

EURECOM 6/2/2012 SYSTEM SECURITY Σ

CMPSC 497 Buffer Overflow Vulnerabilities

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

CS558 Programming Languages

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

"Secure" Coding Practices Nicholas Weaver

Memory corruption countermeasures

Using static analysis to detect use-after-free on binary code

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Memory Safety for Embedded Devices with nescheck

Buffer Overflow Attacks

Strict Virtual Call Integrity Checking for C++ Binaries

How to Impress Girls with Browser Memory Protection Bypasses

CS 161 Computer Security

Advanced Buffer Overflow

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Back To The Epilogue

Understanding and Automatically Preventing Injection Attacks on Node.js

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel

Transcription:

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1

Memory attacks: an ongoing war Vulnerability classes according to CVE 2

FFmpeg and a thousand fixes >1,000 bugs found and fixed 2 person-years & fuzzing on large cluster http://j00ru.vexillium.org/?p=2211 Jan-10, 2014 3

Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible for all checks Large set of legacy and new applications written in C / C++ prone to memory bugs Too many bugs to find and fix manually Protect integrity through safe runtime system 4

A Model for Memory Corruption 5

Memory (un-)safety: invalid deref. Dangling pointer: (temporal) free(foo); *foo = 23; Out-of-bounds pointer: (spatial) char foo[40]; foo[42] = 23; Violation iff: pointer is read, written, or freed 6

Type Confusion vtable*? Bptr class B { b int b; c? }; class D: B { int c; vtable* virtual void d() {} }; B b B *Bptr = new B; c D *Dptr = static_cast<d*>b; Dptr->c = 0x43; // Type confusion! Dptr->d(); // Type confusion! Dptr D 7

Attack scenario: code reuse Find addresses of gadgets Force memory corruption to set up attack Leverage gadgets for code-reuse attack (Fall back to code injection) Code Heap Stack 8

Benign control-flow void vuln(char *u1) { // strlen(u1) < MAX? char tmp[max]; strcpy(tmp, u1);... } vuln(&exploit); tmp[max] Saved base pointer Return address 1st argument: *u1 Next stack frame 9

Control-flow hijack attack void vuln(char *u1) { // strlen(u1) < MAX? char tmp[max]; strcpy(tmp, u1);... } vuln(&exploit); Don't tmp[max] care Memory safety Integrity Location Violation *C &C Saved Don't base care pointer Points Return to &system() address Base 1st pointer argument: after system() *u1 1st argument Next stack to frame system() Usage Attack *&C Control-flow hijack 10

Model for memory attacks Memory safety Memory corruption Integrity C *C D *D Location &C &D Usage *&C *&D Attack Code corruption Control-flow hijack Data-only 11

Data execution prevention Memory safety Memory corruption Integrity C *C D *D Location &C &D Usage *&C *&D Attack Code corruption Control-flow hijack Data-only 12

Stack canaries and SEH Memory safety Memory corruption Integrity C *C D *D Location &C &D Usage *&C *&D Attack Code corruption Control-flow hijack Data-only 13

Address space layout random. Memory safety Memory corruption Integrity C *C D *D Location &C &D Usage *&C *&D Attack Code corruption Control-flow hijack Data-only 14

ASLR: Performance overhead ASLR uses one register for PIC / ASLR code Performance degradation on x86 15

Widely deployed defenses Deployed defenses Memory safety incomplete and not effective Memory corruption Integrity C *C D *D Location &C &D Usage *&C *&D Attack Code corruption Control-flow hijack Data-only 16

Defense strategies Stop memory corruption Safe dialects of C/C++: CCured, Cyclone Retrofit on C/C++: SoftBounds+CETS Rewrite in safe language: Java/C# Memory safety Integrity Randomization Flow Integrity Violation *C &C *&C Attack Control-flow hijack 17

Defense strategies Enforce integrity of reads/writes Write Integrity Testing (DEP and W^X for code) Memory safety Integrity Randomization Violation *C &C Flow Integrity *&C Attack Control-flow hijack 18

Defense strategies Probabilistic defenses Randomize locations, code, data, or pointer values Memory safety Integrity Randomization Violation *C &C Flow Integrity *&C Attack Control-flow hijack 19

Defense strategies Protect control transfers Data-flow integrity Control-flow integrity Memory safety Integrity Violation *C Randomization &C Flow Integrity *&C Attack Control-flow hijack 20

Model for memory attacks Model allows reasoning and classification Classify security policies and defense mechanisms Reason about power of attacks Identify properties that enable wide adoption Low overhead is key (<10%) Compatibility with legacy code and source code Protection against class(es) of attacks SoK: Eternal War in Memory, IEEE Symposium on Security and Privacy'13 (Oakland) Eternal War in Memory, IEEE Security and Privacy'14 Magazine 21

Conclusion 22

Conclusion Low level languages are here to stay We need protection against memory vulnerabilities Enforce performance, protection, compatibility Mitigate control-flow hijack attacks Secure execution platform for legacy code Code-pointer integrity for source code Future directions: strong policies for data Protect from other attack vectors 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback