Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Improving Software Security with Dynamic Binary Instrumentation Richard Johnson Principal Research Engineer Sourcefire VRT.

Published byKarlee Wilcoxson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Improving Software Security with Dynamic Binary Instrumentation Richard Johnson Principal Research Engineer Sourcefire VRT."— Presentation transcript:

1 1 Improving Software Security with Dynamic Binary Instrumentation Richard Johnson (rjohnson@sourcefire.com) Principal Research Engineer Sourcefire VRT

2 2 The Good ● Software vulnerability mitigations are an effective approach at making exploitation more { difficult | expensive | ineffective } ● Mitigations have been developed for most major memory-related vulnerability classes

3 3 The Bad ● Due to the difficulty of development, mitigations are almost exclusively developed by vendors (with a few short-lived exceptions) ▸ OverflowGuard ▸ WehnTrust ● Vendors supply mitigation technologies but do not enforce their use by 3 rd party developers. ● Good papers from academia but no code

4 4 The Ugly ● Understanding and defeating mitigations are a top priority for vulnerability researchers regardless of domain ● Current vendor mitigations are defeated by modern exploitation techniques

5 5 The Challenge ● Determine if current binary instrumentation frameworks provide the required technology to develop one-off custom mitigations ● Criteria ▸ Stability ▸ Speed ▸ Ease of implementation

6 6 Why me? ● 2004 - A Comparison of Buffer Overflow Prevention Implementations and Weaknesses ● 2005 - WehnTrust ASLR Review ● 2006 - Windows Vista: Exploitation Countermeasures ● 2007 - Memory Allocator Attack and Defense ● 2011 - A Castle Made of Sand ● 2009 - Now: DBA tool development

7 7 DYNAMIC BINARY INSTRUMENTATION

8 8 Dynamic Binary Instrumentation ● Dynamic Binary Instrumentation (DBI) is a process control and analysis technique that involves injecting instrumentation code into a running process ● DBI can be achieved through various means ▸ System debugging APIs ▸ Binary code caching ▸ Virtualization / Emulation

9 9 DBI Frameworks ● A DBI Framework facilitates the development of Dynamic Binary Analysis (DBA) tools ● DBI Frameworks provide an API for binary loading, process control, and instrumentation ▸ DynamoRIO ▸ PIN ▸ Valgrind

10 10 DBI Framework DBI Architecture TransformCacheExecuteProfile Executing Process Plugins Analysis & Mitigations Operating System / Hardware Instrumentation APIs

11 11 PIN Architecture

12 12 Program Loading ● DBI Frameworks parse program binaries and create a code cache or hooks in order for further instrumentation to occur ● Code cache is typically executed rather than original binary mapping TransformCacheExecuteProfile

13 13 Program Instrumentation ● Frameworks allow the registration of callbacks to handle events and insert instrumentation code ● Callbacks are considered instrumentation routines and injected code is considered analysis routines

14 14 Program Instrumentation ● Instrumentation hooks occur at varying granularity ▸ Image Load ▸ Trace ▸ Function / Routine ▸ Block ▸ Instruction

15 15 Process Execution Events ● Callbacks for process execution events can be registered in addition to code loading events ▸ Exceptions ▸ Process attach ▸ Process detach ▸ Process exit ▸ Thread start ▸ Thread exit ▸ System Calls

16 16 DBA Plugins ● Existing tools have shown several uses for DBI frameworks ▸ Execution tracing ● Call graph ● Code coverage ● Dataflow tracing ● I/O enumeration ▸ Heap profiling and validation ● Think Application Verifier ▸ Cache profiling

17 17 DBA Plugins ● Existing research has shown several uses for DBI frameworks ▸ Mitigations ● “Secure Execution Via Program Shepherding” ● Control Flow Integrity ● Existing mitigations are not available or do not apply to modern Windows operating systems

18 18 Useless Benchmarks ● Benchmarking DBI frameworks is difficult ● The best benchmarks should measure CPU and memory efficiency against a shared analysis core ● We do not have this but lets look at some numbers anyway

19 19 Useless Benchmarks Fibonacci Sequence Benchmark 100000250000500000 Native1.4207.37928.143 DynamoRIO1.6077.47228.891 PIN2.4028.37729.219 C:\tools>yafu\yafu64 06/15/11 13:52:20 v1.20.2 @ BLACKHAWK, System/Build Info: Using GMP-ECM 6.3, Powered by MPIR 2.1.1 detected Intel(R) Core(TM)2 Duo CPU T9900 @ 3.06GHz detected L1 = 32768 bytes, L2 = 6291456 bytes, CL = 64 bytes measured cpu frequency ~= 3035.702040 =============================================================== ======= Welcome to YAFU (Yet Another Factoring Utility) ======= ======= bbuhrow@gmail.com ======= ======= Type help at any time, or quit to quit ======= =============================================================== cached 664581 primes. pmax = 10000079

20 20 Useless Benchmarks C:\tools>ramspeed\ramspeed-win32.exe RAMspeed (Win32) v1.1.1 by Rhett M. Hollander and Paul V. Bolotoff, 2002-09 USAGE: ramspeed-win32 -b ID [-g size] [-m size] [-l runs] -b runs a specified benchmark (by an ID number): 1 -- INTmark [writing] 4 -- FLOATmark [writing] 2 -- INTmark [reading] 5 -- FLOATmark [reading] 3 -- INTmem 6 – FLOATmem … Integer Benchmark (MB/sec) CopyScaleAddTriadAVGTime Native3451.853350.214022.763990.993703.9523.182 DynamoRIO3493.263335.903919.363839.933647.1123.635 PIN3382.533331.373767.523752.163558.3924.633

21 21 Useful Benchmarks ● Benchmarks for security use are going to be highly subjective ● Criteria ▸ Speed – Is the performance hit tolerable ▸ Reliability – Does the tool limit false positives and not cause crashes on its own ▸ Ease of Implementation – How long does it take to implement a tool under a particular DBI

22 22 RETURN ORIENTED PROGRAMMING

23 23 Return Oriented Programming ● Return Oriented Programming (ROP) is the modern term for “return-to-libc” method of shellcode execution ● ROP can be used to bypass DEP ▸ VirtualProtect() ▸ VirtualAlloc() ▸ HeapCreate() ▸ WriteProcessMemory()

24 24 Gadget Shellcode ● Gadgets are a series of assembly instructions ending in a return instruction ● Shellcode is executed by creating a fake call stack that will chain a series of instruction blocks together ## Generic Write-4 Gadget ## rop += "\xD2\x9F\x10\x10“ # 0x10109FD2 : # POP EAX # RET rop += "\xD0\x64\x03\x10“ # 0x100364D0 : # POP ECX # RET rop += "\x33\x29\x0E\x10“ # 0x100E2933 : # MOV DWORD PTR DS:[ECX], EAX # RET

25 25 Gadget Shellcode ● Gadgets are a series of assembly instructions ending in a return instruction ● Shellcode is executed by creating a fake call stack that will chain a series of instruction blocks together ## Grab kernel32 pointer from the stack, place it in EAX ## rop += "\x5D\x1C\x12\x10" * 6 # 0x10121C5D : # SUB EAX,30 # RETN rop += "\xF6\xBC\x11\x10" # 0x1011BCF6 : # MOV EAX, DWORD PTR DS:[EAX] # POP ESI # RETN rop += rop_align

26 26 Gadget Shellcode ● Gadgets are a series of assembly instructions ending in a return instruction ● Shellcode is executed by creating a fake call stack that will chain a series of instruction blocks together ## EAX = kernel32 base, get pointer to VirtualProtect() ## rop += ("\x76\xE5\x12\x10" + rop_align) * 4 # 0x1012E576 : # ADD EAX,100 # POP EBP # RETN rop += "\x40\xD6\x12\x10“ # 0x1012D640 : # ADD EAX,20 # RETN rop += "\xB1\xB6\x11\x10“ # 0x1011B6B1 : # ADD EAX,0C # RETN rop += "\xD0\x64\x03\x10“ # 0x100364D0 : # ADD EAX,8 # RETN rop += "\x33\x29\x0E\x10" # 0x100E2933 : # DEC EAX # RETN rop += "\x01\x2B\x0D\x10" # 0x100D2B01 : # MOV ECX,EAX # RETN rop += "\xC8\x1B\x12\x10" # 0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN

27 27 Gadget Shellcode Small section of shellcode showing several gadgets chained together to locate kernel32!VirtualProtect() ########## VirtualProtect call placeholder ########## rop += "\x41\x41\x41\x41" #&Kernel32.VirtualProtect() placeholder rop += "WWWW" #Return address param placeholder rop += "XXXX" #lpAddress param placeholder rop += "YYYY" #Size param placeholder rop += "ZZZZ" #flNewProtect param placeholder rop += "\x60\xFC\x18\x10" #lpflOldProtect param placeholder 0x1018FC60 {PAGE_WRITECOPY} rop += rop_align * 2 ########## Grab kernel32 pointer from the stack, place it in EAX ########## rop += "\x5D\x1C\x12\x10" * 6 #0x10121C5D : # SUB EAX,30 # RETN rop += "\xF6\xBC\x11\x10" #0x1011BCF6 : # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # RETN rop += rop_align ########## EAX = kernel pointer, now retrieve pointer to VirtualProtect() ########## rop += ("\x76\xE5\x12\x10" + rop_align) * 4 #0x1012E576 : # ADD EAX,100 # POP EBP # RETN rop += "\x40\xD6\x12\x10" #0x1012D640 : # ADD EAX,20 # RETN rop += "\xB1\xB6\x11\x10" #0x1011B6B1 : # ADD EAX,0C # RETN rop += "\xD0\x64\x03\x10" #0x100364D0 : # ADD EAX,8 # RETN rop += "\x33\x29\x0E\x10" #0x100E2933 : # DEC EAX # RETN rop += "\x01\x2B\x0D\x10" #0x100D2B01 : # MOV ECX,EAX # RETN rop += "\xC8\x1B\x12\x10" #0x10121BC8 : # MOV EAX,EDI # POP ESI # RETN

28 28 Finding Gadgets ● Useful gadgets typically modify a pointer or cause a load or store operation ▸ ADD, SUB, DEC, INC, DEC, PUSH, POP, XCHG, XOR ● Tools now exist for finding gadgets ▸ msfpescan ▸ Pvefindaddr – PyCommand for ImmunityDbg

29 29 ROP Mitigations ● ROPDefender ▸ Shadow stack ● Hook before CALL to store return address ● Hook before RET to determine if returning to address stored before CALL ● SHAN ▸ Branch monitoring ● Store each valid basic block in a list before execution ● At runtime verify branch destination is in list

30 30 ROP Mitigations ● SafeRET ▸ Compiler based ▸ Uses exception handling to activate validation ● Windows 8 ▸ Kernel based ▸ Check trap frame during VirtualProtect/VirtualAlloc to ensure stack is within the TEB

31 31 Detecting ROP ● ROP requires the use of sub-sections of program blocks to create Gadgets ● Gadgets end in a RET, CALL or JMP instruction ● Normal program semantics generate call stacks that return to a code location immediately after a CALL or JMP instruction

32 32 Detecting ROP ● Shadow Stack Algorithm INSTRUMENT_PROGRAM for each IMAGE for each INSTRUCTION in IMAGE if INSTRUCTION is CALL push BRANCH_TARGET on SHADOW_STACK if INSRUCTION is RET insert code to retrieve SAVED_EIP from stack insert CALL to ROP_VALIDATE(SAVED_EIP) before INSTRUCTION ROP_VALIDATE if SAVED_EIP not top of SHADOW_STACK exit with error warning else pop top of SHADOW_STACK

33 33 Detecting ROP ● SHAN Algorithm INSTRUMENT_PROGRAM for each IMAGE for each BLOCK in IMAGE insert BLOCK in BLOCKLIST for each INSTRUCTION in BLOCK if INSTRUCTION is RETURN or BRANCH insert code to retrieve SAVED_EIP from stack insert CALL to ROP_VALIDATE(SAVED_EIP) before INSTRUCTION ROP_VALIDATE if SAVED_EIP not in BLOCKLIST exit with error warning

34 34 Detecting ROP ● The initialization for our pintool is as simple as opening a log file and adding a couple hooks int main(int argc, char *argv[]) { PIN_InitSymbols(); if(PIN_Init(argc,argv)) { return Usage(); } outfile = fopen("c:\\tools\\antirop.txt", "w"); if(!outfile) { LOG("Error opening log file\n"); return 1; } PIN_AddFiniFunction(Fini, 0); TRACE_AddInstrumentFunction(Trace, 0); LOG("[+] AntiROP instrumentation hooks installed\n"); PIN_StartProgram(); return 0; }

35 35 Detecting ROP ● Shadow Stack Implementation ▸ This function implements the callback function when PIN loads a trace of basic blocks the first time and instruments RET instructions VOID Trace(TRACE trace, VOID *v) { ADDRINT addr = TRACE_Address(trace); // Visit every basic block in the trace for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for(INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins=INS_Next(ins)) { ADDRINT va = INS_Address(ins); if(INS_IsCall(ins)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(AntiROPShadowStack), IARG_INST_PTR, IARG_BRANCH_TARGET_ADDR, IARG_END); } if(INS_IsRet(ins)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(AntiROPRetCheck), IARG_INST_PTR, IARG_REG_VALUE, REG_STACK_PTR, IARG_END); }

36 36 Detecting ROP ● Shadow Stack Implementation ▸ This function executes before every RET to validate the current stack matches the shadow stack VOID AntiROPShadowStack(ADDRINT va, ADDRINT target) { ropShadowStack.push(target); } VOID AntiROPRetCheck(ADDRINT va, ADDRINT esp) { UINT32 *ptr = (UINT32 *)esp; UINT32 savedEIP = *ptr; if(ropShadowStack.top != savedEIP) ROP_EXIT(); else ropShadowStack.pop(); }

37 37 Detecting ROP ● SHAN Implementation ▸ This function implements the callback function when PIN loads a trace of basic blocks the first time and instruments RET instructions VOID Trace(TRACE trace, VOID *v) { ADDRINT addr = TRACE_Address(trace); // Visit every basic block in the trace for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for(INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins=INS_Next(ins)) { ADDRINT va = INS_Address(ins); if(INS_IsBranchOrCall(ins)) { ropBlockList.insert(va); } if(INS_IsRet(ins)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(AntiROPRetCheck), IARG_INST_PTR, IARG_REG_VALUE, REG_STACK_PTR, IARG_END); }

38 38 Detecting ROP ● SHAN Implementation ▸ This function executes before every RET or indirect branch is executed to validate the saved return value points to an instruction after a call VOID AntiROPRetCheck(ADDRINT va, ADDRINT esp) { UINT32 *ptr = (UINT32 *)esp; UINT32 savedEIP = *ptr; if(!ropBlockList.find(savedEIP) ROP_EXIT(); fflush(outfile); }

39 39 Weakness in detecting ROP ● RET instructions can be found by jumping into the middle of an instruction KERNEL32.DLL Executable segment -> 7c901000 - 7c97d400 Searching 508928 bytes STATS Normal RET (0xC3) instructions: 416 RET found in 1 byte of instruction: 798 RET found in 2 byte of instruction: 107 RET found in 3 byte of instruction: 19 RET found in 4 byte of instruction: 0 RET found in 5 byte of instruction: 1 RET found in 6 byte of instruction: 0 RET found in 7 byte of instruction: 0 RET found in 8 byte of instruction: 1 RET found in 9 byte of instruction: 1 RET found in 10 byte of instruction: 0 RET found in 11 byte of instruction: 0 RET found in 12 byte of instruction: 0 RET found in 13 byte of instruction: 1

40 40 JUST-IN-TIME SHELLCODE

41 41 Just-In-Time Shellcode ● Just-in-Time (JIT) Shellcode is emitted by a JIT compiler while converting bytecode of an interpreted language to native machine code ● Scripting code such as ActionScript or Javascript is supplied by the user and therefore creates potential for control of native code in the process address space

42 42 Just-In-Time Shellcode ● The JIT process creates a writable and executable page with user controlled data ● If an attacker can manipulate the emitted machine code, it can be used to the advantage of the attacker to bypass mitigations

43 43 VS Just-In-Time Shellcode ● Published research has shown that using math operators, specifically XOR, leads to controllable machine code output Operator ADD (+): [ b8 90 90 90 3c ] mov eax,03 c909090h [ f2 0f 2a c0 ] cvtsi2sd xmm0, eax [ 66 0f 28 c8 ] movapd xmm1, xmm0 [ f2 0f 58 c8 ] addsd xmm1, xmm0 Operator XOR (^): [ b8 90 90 90 3c ] mov eax, 3c909090h [ 35 90 90 90 3c ] xor eax, 3c909090h

44 44 Just-In-Time Shellcode ● Published research has shown that using math operators, specifically XOR, leads to controllable machine code output var y=(0x11223344^0x44332211^0x44332211…); Compiles as: 0x909090: 35 44 33 22 11 XOR EAX, 11223344 0x909095: 35 44 33 22 11 XOR EAX, 11223344 0x90909A: 35 44 33 22 11 XOR EAX, 11223344

45 45 Just-In-Time Shellcode ● Published research has shown that using math operators, specifically XOR, leads to controllable machine code output Disassemble at a byte offset to get useful code: 0x909091: 44 INC ESP 0x909092: 33 22 XOR ESP, [EDX] 0x909094: 11 35 44 33 22 11 ADC [11223344], ESI 0x90909A: 35 44 33 22 11 XOR EAX, 11223344

46 46 Just-In-Time Shellcode ● The native behavior of the JIT compiler results in an automatic DEP bypass ● Once a usable payload is constructed using specialized arguments around the XOR operator the executable payload must be found ● Heapspray or memory leak ▸ See Dion Blazakis’s paper “Interpreter Exploitation”

47 47 Detecting JIT Shellcode ● The ActionScript and JavaScript JIT compilers change memory permissions of compiled machine code to R-E rather than RWE before execution ● We have seen that currently known JIT shellcode relies heavily on the XOR operator

48 48 Detecting JIT Shellcode ● We can use a simple heuristic by hooking kernel32!VirtualProtect and checking the disassembly for an unusual number of XORs ● Piotr Bania also pointed out a primitive that can be used to identify operators mov reg, IMM32 operation reg, IMM32 …

49 49 Detecting JIT Shellcode ● Algorithm INSTRUMENT_PROGRAM Insert CALL to JIT_VALIDATE at prologue to VirtualProtect JIT_VALIDATE Disassemble BUFFER passed to VirtualProtect for each INSTRUCTION if INSTRUCTION is MOV_REG_IMM32 then while NEXT_INSTRUCTION uses IMM32 increase COUNT if COUNT > THRESHOLD then exit with error warning

50 50 Detecting JIT Shellcode ● Implementation ▸ The initialization for our pintool is as simple as opening a log file and adding a couple hooks int main(int argc, char *argv[]) { PIN_InitSymbols(); if(PIN_Init(argc,argv)) { return Usage(); } outfile = fopen("c:\\tools\\antijit.txt", "w"); if(!outfile) { LOG("Error opening log file\n"); return 1; } IMG_AddInstrumentFunction(ModuleLoad, NULL); LOG("[+] AntiJIT instrumentation hooks installed\n"); PIN_StartProgram(); return 0; }

51 51 Detecting JIT Shellcode ● Implementation ▸ This function implements the callback function when PIN loads a module so that VirtualProtect may be hooked void ModuleLoad(IMG img, VOID *v) { RTN rtn; rtn = RTN_FindByName(img, "VirtualProtect"); if (RTN_Valid(rtn)) { RTN_Open(rtn); RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(VirtualProtectHook), IARG_FUNCARG_ENTRYPOINT_VALUE, 0, // lpAddress IARG_FUNCARG_ENTRYPOINT_VALUE, 1, // dwSize IARG_END); RTN_Close(rtn); }

52 52 Detecting JIT Shellcode ● Implementation ▸ This function executes before calls to VirtualProtect to disassemble the target buffer and determine if a JIT shellcode is probable void VirtualProtectHook(VOID *address, SIZE_T dwSize) { // Disassemble buffer into linked list... while(insn && !MOV_IMM32(insn)) insn = insn->next; while(insn) { if(OP_IMM32(insn) count++; if(count > threshold) ReportAntiJIT(); insn = insn->next; }

53 53 Conclusion ● Criteria ▸ Stability ▸ Speed ▸ Ease of implementation

54 54 QUESTIONS

55 55 Q & A ● VRT information: ▸ Web – http://www.snort.org/vrthttp://www.snort.org/vrt ▸ Blog – http://vrt-sourcefire.blogspot.com/http://vrt-sourcefire.blogspot.com/ ▸ Twitter – @VRT_sourcefireVRT_sourcefire ▸ Videos – http://vimeo.com/vrthttp://vimeo.com/vrt ▸ Labs – http://labs.snort.orghttp://labs.snort.org Richard Johnson rjohnson@sourcefire.com rjohnson@uninformed.org @richinseattle

Download ppt "1 Improving Software Security with Dynamic Binary Instrumentation Richard Johnson Principal Research Engineer Sourcefire VRT."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
1 Improving Software Security with Dynamic Binary Instrumentation Richard Johnson Principal Research Engineer Sourcefire VRT.

1 Improving Software Security with Dynamic Binary Instrumentation Richard Johnson Principal Research Engineer Sourcefire VRT.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.

Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
Experimental Computer Systems Lab A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks Manish Prasad, Tzi-cker Chiueh SUNY Stony Brook.

Experimental Computer Systems Lab A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks Manish Prasad, Tzi-cker Chiueh SUNY Stony Brook.

Similar presentations

Ads by Google