Real-World Buffer Overflow Protection in User & Kernel Space

Similar documents
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Raksha: A Flexible Information Flow Architecture for Software Security

Runtime Defenses against Memory Corruption

Tainting is Not Pointless

A program execution is memory safe so long as memory access errors never occur:

Lecture 4 September Required reading materials for this class

Analysis of Security Vulnerabilities

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Defenses

Bypassing Browser Memory Protections

Software Security: Buffer Overflow Attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

How to Sandbox IIS Automatically without 0 False Positive and Negative

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Code Injection Attacks Buffer Overflows

0x1A Great Papers in Computer Security

CS 161 Computer Security

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

20: Exploits and Containment

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Dnmaloc: a more secure memory allocator

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CSE 509: Computer Security

LibsafeXP: A Practical & Transparent Tool for Run-time Buffer Overflow Preventions

Thwarting unknown bugs: hardening features in the mainline Linux kernel

String Oriented Programming Exploring Format String Attacks. Mathias Payer

CSE 565 Computer Security Fall 2018

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Offensive Security My First Buffer Overflow: Tutorial

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Software Security II: Memory Errors - Attacks & Defenses

Software Security: Buffer Overflow Attacks (continued)

Secure Systems Engineering

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

ECE 471 Embedded Systems Lecture 4

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

ECE 498 Linux Assembly Language Lecture 1

Program Security and Vulnerabilities Class 2

HDFI: Hardware-Assisted Data-flow Isolation

Language Security. Lecture 40

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE

I run a Linux server, so we re secure

CMPSC 497 Buffer Overflow Vulnerabilities

One-Slide Summary. Lecture Outline. Language Security

DBT Tool. DBT Framework

1/31/2007 C. Edward Chow. CS591 Page 1

ECE 471 Embedded Systems Lecture 22

Outline. Heap meta-data. Non-control data overwrite

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

A Data Driven Approach to Designing Adaptive Trustworthy Systems

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

6.828: OS/Language Co-design. Adam Belay

Lab 2: Buffer Overflows

Secure Programming I. Steven M. Bellovin September 28,

Is Exploitation Over? Bypassing Memory Protections in Windows 7

ECE 598 Advanced Operating Systems Lecture 10

Outline. Format string attack layout. Null pointer dereference

CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge

Buffer overflow background

Topics in Software Security Vulnerability

Prototyping Architectural Support for Program Rollback Using FPGAs

Basic Buffer Overflows

Porting Linux to x86-64

Secure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations

Secure Coding Topics. CYSE 411/AIT681 Secure Software Engineering. Readings. Outline. This lecture: Topic #8. Secure Coding: Pointer Subterfuge

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Static Vulnerability Analysis

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Buffer overflow prevention, and other attacks

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Advanced Systems Security: Ordinary Operating Systems

Transparent Runtime Randomization for Security

Memory Safety (cont d) Software Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

SoK: Eternal War in Memory

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

ISA564 SECURITY LAB. Code Injection Attacks

16 Sharing Main Memory Segmentation and Paging

15 Sharing Main Memory Segmentation and Paging

CSE509 Spring 2007 Midterm Exam. Electronic devices, including calculators, cell phones, mp3 players, and laptops are all prohibited.

Practical Memory Safety with REST

The Geometry of Innocent Flesh on the Bone

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Argos Emulator. Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam

Secure Software Development: Theory and Practice

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

ECE 598 Advanced Operating Systems Lecture 12

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Finding User/Kernel Pointer Bugs with Type Inference p.1

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Transcription:

Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton, Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http://raksha.stanford.edu 1

Motivation Buffer overflows remain a critical security threat Deployed solutions are insufficient Provide limited protection (NX bit) Require recompilation (Stackguard, /GS) Break backwards compatibility (ASLR) Need an approach to software security that is Robust - no false positives on real-world code Practical - works on unmodified binaries Safe - few false negatives Fast 2

DIFT: Dynamic Information Flow Tracking DIFT taints data from untrusted sources Extra tag bit per word marks if untrusted Propagate taint during program execution Operations with tainted data produce tainted results Check for suspicious uses of tainted data Tainted code execution Tainted pointer dereference (code & data) Tainted SQL command Potential: protection from low-level & high-level threats 3

DIFT Example: Buffer Overflow int buf[8]; Vulnerable C Code for (i = 0; i < len; i++) buf[i] = u; return; T Data load r2 M[u] u: &evil store M[buf+0] r2 buf[0]: 0&evil buf[7]: 0&evil store M[buf+7] r2 ra: &evil &foo store M[ra] r2 jmp *M[ra] TRAP Tainted pointer dereference security trap 4

Hardware DIFT Overview The basic idea [Suh 04, Crandall 04, Chen 05] Extend HW state to include taint bits Extend HW instructions to check & propagate taint bits Hardware advantages Negligible runtime overhead Software DIFT overheads range from 3-37x Works with multithreaded and self-modifying binaries Apply tag policies to OS 5

Raksha Overview & Features Unmodified binaries User 1 User 2 User 3 App Binary App Binary App Binary Operating System Tag Aware Cross-process info flow Save/restore tags Security Monitor Set security policies Control HW check/propagate 4 tag bits per word HW Architecture Tags HW check/propagate User-level security traps 6

Outline Motivation & DIFT overview Preventing buffer overflows with DIFT Previous work Novel BOF prevention policy Evaluation Prototype Security experiments Lessons learned Conclusions 7

Naïve Buffer Overflow Detection Previous DIFT approaches recognize bounds checks Must bounds check untrusted info before dereference Example: if (u < len) print buf[u]; Taint untrusted input OR Propagate taint on load,store,arithmetic,logical ops Clear taint on bounds checks Comparisons against untainted info Check for tainted code, load/store/jump addresses Forbid tainted pointer deref, code execution 8

Problems with Naïve Approach Not all bounds checks are comparisons Example : *str++ = digits[val % 10] GCC, glibc, gzip Not all comparisons are bounds checks Example: if (sz < fastbin_size) insert_fastbin(chunk); Resulted in false negative during traceroute/malloc exploit Bounds checks are not required for safety! Example: return isdigit[(unsigned char)x] isdigit array is 256 entries! Don t need any bounds check But stripped binary doesn t tell us array sizes. End result: unacceptable false positives in real code 9

Building a Better Security Model for BOF Buffer overflow attacks rely on injecting pointers Code pointers Return address, Global Offset Table (GOT), function ptr Data pointers [Chen 05] Filenames, permission/access control structures, etc Why pointers? They re everywhere! Every stack frame (local pointers, frame pointer, ret addr) Every free heap object (glibc) Global Offset Table, constructors, destructors, Security-critical Control pointers - arbitrary code execution Data Pointers subvert logic using tainted data structures 10

Preventing Pointer Injection with DIFT Buffer overflows exploits overwrite pointers But should never receive pointer from network! Tainted data used as pointer index, never as pointer address New DIFT BOF Policy Tainted data cannot be dereferenced directly Must be combined with application pointer to be safe Pointer bit tag legitimate application pointers Taint bit tag untrusted data But how do we identify legitimate application pointers? 11

New BOF Policy Taint bit Goal: conservatively track untrusted information Do not try to clear taint by recognizing bounds checks Only clear taint when reg/mem word overwritten Taint untrusted input OR Propagate on load, store, arithmetic, logical ops Check for tainted code Check if code/data ptr is tainted and not a valid ptr Security exception if Taint bit set & Pointer bit clear 12

New BOF Policy Pointer bit Propagate Pointer bit during valid pointer ops Load/Store Pointer Pointer +,-,OR,AND Non-Pointer Pointer +,- Pointer Encountered in real-world, byte of pointer used as array index Clear P-bit on all other operations Multiply, logical negation, etc Check for untrusted pointer dereferences Security exception if T-bit set, P-bit clear 13

Identifying Userspace Pointers Initialize P-bit for all local variable references Set P-Bit for stack pointer Initialize P-bit for all dynamically allocated memory references Set P-bit for return value of mmap, brk syscalls Initialize P-Bit for static/global variable references Scan all executable, library objects for these references Scan both code, data regions Set P-bit for potential any potential valid pointers ABI (ELF, PE) restricts such references Must be valid relocation entry type 14

BOF Protection in Kernel Space OS dereferences untrusted pointers! System call arguments come from untrusted userspace Example: int unlink(const char * pathname) Why is this safe? All user pointers must be checked by access_ok() Ensures user pointer is in userspace, not kernelspace What instructions may access userspace? Any instruction accessing userspace may cause MMU fault All modern Unix OSes build tables of these instructions! Any MMU fault not found in the table is an OS bug Safe untrusted pointer dereference in Linux: Tainted pointer must point to userspace PC must be in MMU fault list 15

Raksha Prototype System Full-featured Linux system HW: modified Leon-3 processor Open-source, Sparc V8 processor Single-issue, in-order, 7-stage pipeline Modified RTL for processor & system Mapped to FPGA board (65Mhz workstation) SW: ported Gentoo Linux distribution Based on 2.6 kernel (modified to be tag aware) Kernel preloads security manager into each process Over 14,000 packages in repository (GNU toolchain, apache, sendmail, ) 16

Experiments (Userspace) Successfully running Gentoo without false positives Every program, even init, has BOF protection enabled Run gcc, OpenSSH, sendmail, etc. Prevented attacks on real-world applications Program Attack Detection Polymorph Stack overflow Tainted code ptr Atphttpd Stack overflow Tainted code ptr Sendmail BSS overflow Tainted data ptr Traceroute Double free Tainted data ptr Nullhttpd Heap overflow Tainted data ptr All userspace programs are unmodified binaries 17

Experiments (Kernelspace) Protect entire Linux kernel from BOF First comprehensive kernel buffer overflow protection Even protect assembly code, device drivers, ctx switch Only observed one potential false positive Caused by previously undiscovered security hole! Prevented real-world attacks on Linux kernel Subsystem quota system call i2o driver ioctl moxa driver cm4040 driver sendmsg system call Vulnerability User/Kernel pointer deref User/Kernel pointer deref BSS overflow Heap overflow Stack, Heap overflow 18

Comprehensive BOF protection Can some BOF vulnerabilities still be exploited? Yes, if BOF doesn t rely on pointer corruption Authentication flag, user IDs, array/pointer offsets Rare, but possible depends on application data structure layout, etc Combine multiple BOF protection policies for safety! Attacker must evade all active policies to succeed But must ensure all policies have no real-world false positives Policy #1: Bounds check BOF protection for control pointer only Bounds check false positives only observed for data pointers Prevents control pointer array offset overwites Policy #2: Red Zone bounds checking for heap Tag begin/end of each heap object with Sandbox bit Raise error if user attempts to load/store to sandbox d address Detects heap buffer overflows Use Raksha to run all policies concurrently (w/ Pointer BOF) No false positives tested in userspace and kernelspace Verified new policies stop control pointer overwrites, heap overflows (resp.) 19

Conclusions Pointer-based BOF protection is practical Prevents real-world buffer overflows code/data pointer No source code access, debugging info, etc required No observed false positives Tested GCC, Apache, OpenSSH, etc Protection can even be extended to OS Full OS - FS, MM, device drivers, context switch, etc Only potential false positive was a real security hole Compose multiple policies for best protection Only miss an attack if it can evade all active policies 20

Questions? Want to use Raksha? Go to http://raksha.stanford.edu Raksha port to Xilinx XUP board $300 for academics $1500 for industry Full RTL + Linux distribution coming soon 21

Bonus round: Why not bounds checking? Compatibility C was never meant to be bounds checked Ex: optimized glibc() memchr() reads out of bounds Context sensitive- Apache ap_alloc => malloc=>brk Inline assembly, Multithreading Dynamically loaded plugins, dynamically gen d code Closed-source libraries, objects in other languages Cost recompiling is expensive Global recompilation of all system libs is not happening Just ask MS to recompile MFC Performance Overheads must be low (single digit) to drive adoption 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback