CS-527 Software Security

Similar documents
CS527 Software Security

SoK: Eternal War in Memory

SoftBound: Highly Compatible and Complete Spatial Safety for C

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

A program execution is memory safe so long as memory access errors never occur:

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Ironclad C++ A Library-Augmented Type-Safe Subset of C++

in memory: an evolution of attacks Mathias Payer Purdue University

Buffer overflow background

Secure Low-Level Programming via Hardware-Assisted Memory-Safe C

SoftBound: Highly Compatible and Complete Spatial Memory Safety for C

SoK: Eternal War in Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Memory Safety for Embedded Devices with nescheck

SoftBound: Highly Compatible and Complete Spatial Memory Safety for C

[0569] p 0318 garbage

Lecture 4 September Required reading materials for this class

Memory Corruption 101 From Primitives to Exploit

Heriot-Watt University

HardBound: Architectural Support for Spatial Safety of the C Programming Language

Preventing Use-after-free with Dangling Pointers Nullification

(Early) Memory Corruption Attacks

Runtime Defenses against Memory Corruption

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CS558 Programming Languages

SoK: Sanitizing for Security

SoK: Sanitizing for Security

Advances in Programming Languages: Regions

Buffer overflow prevention, and other attacks

HA2lloc: Hardware-Assisted Secure Allocator

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

CPSC 3740 Programming Languages University of Lethbridge. Data Types

Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack

CS558 Programming Languages

Secure Programming I. Steven M. Bellovin September 28,

Memory Corruption: Why Protection is Hard. Mathias Payer, Purdue University

Java and C CSE 351 Spring

Fast, precise dynamic checking of types and bounds in C

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

Advanced Systems Security: New Threats

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

SAFECODE: A PLATFORM FOR DEVELOPING RELIABLE SOFTWARE IN UNSAFE LANGUAGES DINAKAR DHURJATI

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Memory Safety for Low- Level Software/Hardware Interactions

Language-Based Protection

Programming Languages Third Edition. Chapter 7 Basic Semantics

0x1A Great Papers in Computer Security

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

Fast Byte-Granularity Software Fault Isolation

CS 430 Spring Mike Lam, Professor. Data Types and Type Checking

20: Exploits and Containment

CS107 Handout 08 Spring 2007 April 9, 2007 The Ins and Outs of C Arrays

o Code, executable, and process o Main memory vs. virtual memory

Stack Bounds Protection with Low Fat Pointers

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Language Security. Lecture 40

HardBound: Architectural Support for Spatial Safety of the C Programming Language

String Oriented Programming Exploring Format String Attacks. Mathias Payer

ECS 153 Discussion Section. April 6, 2015

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Short Notes of CS201

Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Heap Management. Heap Allocation

CS 161 Computer Security

CS201 - Introduction to Programming Glossary By

Limitations of the stack

Verification & Validation of Open Source

CS527 Software Security

How to Sandbox IIS Automatically without 0 False Positive and Negative

Undefined Behaviour in C

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Lecture 20 C s Memory Model

Buffer Overflow Defenses

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Code Injection Attacks Buffer Overflows

CS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11

Lecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?

6.828: OS/Language Co-design. Adam Belay

Lecture 3: C Programm

CS527 Software Security

Type Confusion: Discovery, Abuse, Protection. Mathias

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

Java and C I. CSE 351 Spring Instructor: Ruth Anderson

CS2141 Software Development using C/C++ Debugging

Object-Oriented Programming

Lecture 8 Dynamic Memory Allocation

Vector and Free Store (Pointers and Memory Allocation)

Low level security. Andrew Ruef

Understanding Undefined Behavior

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Lecture Notes on Garbage Collection

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Secure Software Development: Theory and Practice

Binding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill

Lecture 20 Notes C s Memory Model

Transcription:

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017

Eternal War in Memory Table of Contents 1 Eternal War in Memory 2 Memory safety Spatial memory safety Temporal memory safety Towards a definition 3 Enforcing memory safety 4 SoftBound 5 CETS 6 Summary and conclusion Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 38

Eternal War in Memory The Eternal War in Memory Memory corruption is as old as operating systems and networks. First viruses, worms, and trojan horses appeared with the creation of operating systems. All malware abuses a security violation, either user-based, hardware-based, or software-based. Early malware tricked users into running code (e.g., as part of the boot process on a floppy disk). The Morris worm abused stack-based buffer overflows in sendmail, finger, and rsh/exec to gain code execution on a large part of the Internet in 1988. A plethora of other software vulnerabilities continued to allow malware writers to gain code execution on systems. Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 38

Eternal War in Memory Control-flow hijack attack The attacker wants to control the execution of a program by redirecting control-flow to an attacker-controlled location. First, the attacker must overwrite a code pointer (return instruction pointer on the stack, target of an indirect jump, or target of an indirect call). Second, the attacker forces the program to follow the modified code pointer (this can be explicit or implicit). Third, the attacker keeps modifying code pointers so that the process now executes the attacker s code. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 38

Eternal War in Memory Control-flow hijack attack Memory Safety Integrity Randomization Flow Integrity Successful Attack! 1 v o i d v u l n ( char u1 ) { 2 / a s s e r t ( s t r l e n ( u1 ) < MAX) ; / 3 char tmp [MAX] ; 4 s t r c p y ( tmp, u1 ) ; 5 r e t u r n strcmp ( tmp, foo ) ; 6 } 7 v u l n ( e x p l o i t ) ; Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 38

Eternal War in Memory Quick attack overview Code corruption. Code injection and control-flow hijacking. Code reuse and control-flow hijacking. Control-flow bending. Controlling a Turing-complete interpreter inside an application (constrained execution). Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 38

Eternal War in Memory Attacks: Escalate Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 38

Memory safety Table of Contents 1 Eternal War in Memory 2 Memory safety Spatial memory safety Temporal memory safety Towards a definition 3 Enforcing memory safety 4 SoftBound 5 CETS 6 Summary and conclusion Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 38

Memory safety Memory safety Definition: Memory safety Memory safety is a property that ensures that all memory accesses adhere to the semantics defined by the source programming language. The gap between the operational semantics of the programming language and the underlying instructions provided by the hardware allow an attacker to step out of the restrictions imposed by the programming language and access memory out of context. Memory unsafe languages like C/C++ do not enforce memory safety and data accesses can occur through stale/illegal pointers. Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 38

Memory safety Memory safety Memory safety is a general property that can apply to a program, a runtime environment, or a programming language 1. A program is memory safe, if all possible executions of that program are memory safe. A runtime environment is memory safe, if all possible programs that can run in the environment are memory safe. A programming language is memory safe, if all possible programs that can be expressed in that language are memory safe. If memory safety is enforced, then a list of bad things can never happen. This list includes buffer overflows, NULL pointer dereferences, use after free, use of uninitialized memory, or illegal frees. 1 See Mike Hicks definition of memory safety http://www.pl-enthusiast.net/2014/07/21/memory-safety/. Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 38

Memory safety Memory safety Memory safety violations rely on two conditions that must both be fulfilled: A pointer either goes out of bounds or becomes dangling. This pointer is used to either read or write. Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 38

Memory safety Spatial memory safety Spatial memory safety Definition: Spatial memory safety Spatial memory safety is a property that ensures that all memory dereferences are within bounds of their pointer s valid objects. An object s bounds are defined when the object is allocated. Any computed pointer to that object inherits the bounds of the object. Any pointer arithmetic can only result in a pointer inside the same object. Pointers that point outside of their associated object may not be dereferenced. Dereferencing such illegal pointers results in a spatial memory safety error and undefined behavior. Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 38

Memory safety Spatial memory safety Spatial memory safety 1 char p t r = m a l l o c (24) ; 2 f o r ( i n t i = 0 ; i < 2 6 ; ++i ) { 3 p t r [ i ] = i +0x41 ; 4 } Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 38

Memory safety Temporal memory safety Temporal memory safety Definition: Temporal memory safety Temporal memory safety is a property that ensures that all memory dereferences are valid at the time of the dereference, i.e., the pointed-to object is the same as when the pointer was created. When an object is freed, the underlying memory is no longer associated to the object and the pointer is no longer valid. Dereferencing such an invalid pointer results in a temporal memory safety error and undefined behavior. Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 38

Memory safety Temporal memory safety Temporal memory safety 1 char p t r = m a l l o c (24) ; 2 f r e e ( p t r ) ; 3 f o r ( i n t i = 0 ; i < 2 4 ; ++i ) { 4 p t r [ i ] = i +0x41 ; 5 } Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 38

Memory safety Memory safety Towards a definition Assume we have defined (allocated) and undefined memory. Assume that deallocated memory is never reused. Memory safety is violated if undefined memory is accessed. Pointers can be seen as capabilities, they allow access to a certain region of (allocated) memory. Each pointer consists of the pointer itself, a base pointer, and bounds for the pointer. When creating a pointer, capabilities are initialized. When updating a pointer, the base and bounds remain the same. When copying a pointer, the capabilities are propagated. When dereferencing a pointer, the capabilities are checked. Capabilities cannot be forged or constructed by the programmer but are inherently added and enforced by the compiler. Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 38

Memory safety Memory safety Towards a definition Capability-based memory safety is a form of type safety with two types: pointer-types and scalars. Pointers (and their capabilities) are only created in a safe way. The capabilities are created as a side-effect of creating the pointer. Pointers can only be dereferenced if they point to their assigned memory region and that region is still valid. Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 38

Memory unsafety? Memory safety Towards a definition Super Mario arbitrary code execution In short: I manipulate where the moving objects (sprites) are located or where they despawn, then I swap the item in Yoshi s mouth with a flying?-block (thus the yellow glitched shell) and using a glitch (stunning) to spawn a sprite which isn t used by SMW and since it tries to jump to the sprite routine location, it indexes everything wrong and jumps to a place I manipulated earlier with the sprites (OAM) and because of the P-Switch it jumps to controller registers and from there the arbitrary code execution is started. Even shorter: Magic. (by Masterjun3) https://www.youtube.com/watch?v=opcv9uiy5i4 Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 38

Memory safety Towards a definition Memory Safety: Attack Paths Memory safety Memory corruption Integrity C *C D *D Confidentiality &C &D Flow Integrity *&C *&D Bad things Code corruption Control-flow hijack Data-only Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 38

Enforcing memory safety Table of Contents 1 Eternal War in Memory 2 Memory safety Spatial memory safety Temporal memory safety Towards a definition 3 Enforcing memory safety 4 SoftBound 5 CETS 6 Summary and conclusion Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 38

Enforcing memory safety Memory safety enforcement We know how memory safety violations look like. How can we protect against them? Verification? Testing? Fuzzing? Symbolic Execution? Yes, these are all correct but will either not find all bugs, are not complete, or have high overhead. We need to enforce memory safety at runtime by checking the security property at strategic locations. Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 38

Enforcing memory safety Bounds checking approaches in C/C++ Tripwire: use few bits of state for each byte of memory, place red-zones between blocks (e.g., Valgrind s memory checker, Google s AddressSanitizer) Pointer based: fat pointers are used to check dereferences (e.g., Cyclone, CCured) Object based: must point within same object, check pointer manipulations (e.g., SafeCode) All mechanisms are challenged by (i) high runtime overheads, (ii) incompleteness handling casts, (iii) incompatible pointer representations (e.g., syscalls), (iv) code incompatibilities. Mathias Payer (Purdue University) CS-527 Software Security 2017 22 / 38

Table of Contents SoftBound 1 Eternal War in Memory 2 Memory safety Spatial memory safety Temporal memory safety Towards a definition 3 Enforcing memory safety 4 SoftBound 5 CETS 6 Summary and conclusion Mathias Payer (Purdue University) CS-527 Software Security 2017 23 / 38

SoftBound SoftBound Compiler-based transformation that enforces spatial memory safety 2 No source code changes necessary, compiler-based No memory layout changes necessary, disjoint meta data (fat pointers) Simple, intra-procedural analysis Effective, no false positives/negatives Low(-ish) overhead of 67% for SPEC CPU2006 2 SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. Santosh Nagarakatte et al, PLDI 09. Mathias Payer (Purdue University) CS-527 Software Security 2017 24 / 38

SoftBound Alternative approaches Object based: Cannot detect sub-object overflows, overhead for range lookups. But meta data is disjoint, therefore high compatibility. Fat pointers: Low compatibility through inline meta data. Can detect sub-object overflows. Both fail to protect against arbitrary casts (across incompatible types). Notable exception is CCured with pointer classification. Mathias Payer (Purdue University) CS-527 Software Security 2017 25 / 38

SoftBound SoftBound approach 1 s t r u c t BankAccount { 2 char acctid [ 3 ] ; i n t b a l a n c e ; 3 } b ; 4 b. b a l a n c e = 0 ; 5 char i d = &(b. acctid ) ; 6 lookup (& i d ) >bse = &(b. acctid ) ; 7 lookup (& i d ) >bnd = &(b. acctid ) +3; 8 char p = i d ; // l o c a l, r e m a i n s i n r e g i s t e r 9 char p b s e = lookup (& i d ) >bse ; 10 char p bnd = lookup (& i d ) >bnd ; 11 do { 12 char ch = r e a d c h a r ( ) ; 13 check ( p, p bse, p bnd ) ; 14 p = ch ; 15 p++; 16 } w h i l e ( ch ) ; Mathias Payer (Purdue University) CS-527 Software Security 2017 26 / 38

SoftBound SoftBound instrumentation Initialize (disjoint) metadata for pointer when it is assigned. Assignment covers both creation of pointers and propagation. Check bounds whenever pointer is dereferenced. 1 i f ( p < p b s e ) a b o r t ( ) ; 2 i f ( p + s i z e > p bnd ) a b o r t ( ) ; 3 v a l u e = p Check results in five x86 instructions: cmp, br, add, cmp, br. Mathias Payer (Purdue University) CS-527 Software Security 2017 27 / 38

SoftBound details SoftBound Many small nits requires so that it works out. Separate compilation and library code are issues. Function pointers and variadic arguments are problematic. memcpy needs to be handled in a special way. Illegal (but working ) casts can be problematic. Mathias Payer (Purdue University) CS-527 Software Security 2017 28 / 38

Table of Contents CETS 1 Eternal War in Memory 2 Memory safety Spatial memory safety Temporal memory safety Towards a definition 3 Enforcing memory safety 4 SoftBound 5 CETS 6 Summary and conclusion Mathias Payer (Purdue University) CS-527 Software Security 2017 29 / 38

CETS Compiler-Enforced Temporal Safety for C Temporal memory safety is an orthogonal problem to spatial memory safety. The same memory area can be allocated to new object. Mathias Payer (Purdue University) CS-527 Software Security 2017 30 / 38

CETS Heap-based temporal safety error 1 i n t p, q, r ; 2 p = m a l l o c ( 8 ) ; 3... 4 q = p ; 5... 6 f r e e ( p ) ; 7 r = m a l l o c ( 8 ) ; 8... 9... = q ; Mathias Payer (Purdue University) CS-527 Software Security 2017 31 / 38

CETS Stack-based temporal safety error 1 i n t q ; 2 v o i d foo ( ) { 3 i n t a ; 4 q = &a ; 5 } 6 i n t main ( ) { 7 foo ( ) ; 8... = q ; 9 } Mathias Payer (Purdue University) CS-527 Software Security 2017 32 / 38

CETS Compiler-Enforced Temporal Safety (CETS) for C How do you ensure that a pointer references the new object and not the old object? How do you detect stale pointers? One solution is garbage collection (free is noop but periodically scan for unused memory areas with no pointers to them). Another is to not reuse memory. A third is to use versioning. Each allocated memory object and pointer is assigned a unique version. Upon dereference, check if the pointer version is equal to the version of the memory object. Two failure conditions: area was deallocated and version is smaller (0) or area was reallocated to new object and the version is bigger. Mathias Payer (Purdue University) CS-527 Software Security 2017 33 / 38

CETS Existing approaches and drawbacks Simple approaches track validity based on the location of memory objects. Unfortunately, these approaches cannot distinguish between a reference to a reallocated object and the original object. SafeC used a global set for memory objects and fat pointers to store validity data with the drawback of high overhead due to the set lookups. Follow up work introduced specific lock addresses and lock tables that stored validity information, removing the need for a potentially high overhead hash lookup to find the target address. Mathias Payer (Purdue University) CS-527 Software Security 2017 34 / 38

CETS mechanism CETS 1 Identify all memory allocation functions and assign a unique version to the memory area. Assign the same version to the initial pointer that is returned from the allocation function. 2 Identify all memory deallocation functions and destroy (zero out) the version of the associated memory area. 3 When a pointer is assigned, propagate the version from the rhs. 4 When a pointer is dereferenced, check if the version of the pointer and pointed-to object match. Mathias Payer (Purdue University) CS-527 Software Security 2017 35 / 38

Summary and conclusion Table of Contents 1 Eternal War in Memory 2 Memory safety Spatial memory safety Temporal memory safety Towards a definition 3 Enforcing memory safety 4 SoftBound 5 CETS 6 Summary and conclusion Mathias Payer (Purdue University) CS-527 Software Security 2017 36 / 38

Summary Summary and conclusion Memory safety has been an issue for generations of programmers and has severe security implications. Distinguish between spatial and temporal memory safety violations. SoftBound protects against spatial memory safety errors, CETS against temporal memory safety errors. Reading assignments: Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. SoK: Eternal war in memory. IEEE S&P 13. http: //nebelwelt.net/publications/files/13oakland.pdf. Santosh Nagarakatte, Milo M. K. Martin, Steve Zdancewic. Everything You Want to Know About Pointer-Based Checking. http://drops.dagstuhl.de/opus/volltexte/2015/5026/ pdf/16.pdf. Mathias Payer (Purdue University) CS-527 Software Security 2017 37 / 38

Questions? Summary and conclusion? Mathias Payer (Purdue University) CS-527 Software Security 2017 38 / 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback