Presentation is loading. Please wait.

Presentation is loading. Please wait.

5/1/2015 5:57:24 PM 5864_ER_WHITE.1 Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia.

Published byBeau Napper Modified over 9 years ago

Similar presentations

Presentation on theme: "5/1/2015 5:57:24 PM 5864_ER_WHITE.1 Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia."— Presentation transcript:

1 5/1/2015 5:57:24 PM 5864_ER_WHITE.1 Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia

2 5/1/2015 5:57:24 PM 5864_ER_WHITE. 2 Ashley Fox Common Criteria Evaluator within CSC Australia’s Evaluation Facility Background in Vulnerability Assessment and Software Security

3 5/1/2015 5:57:24 PM 5864_ER_WHITE. 3 Agenda Memory corruption vulnerabilities Identification and Exploitation Mitigations Evaluating mitigations within the CC

4 5/1/2015 5:57:24 PM 5864_ER_WHITE. 4 Background The Common Criteria is designed to provide a degree of Assurance within a Security Product Assurance gained through evaluation of procedures, processes, development, implementation etc. Evaluations generally include independent testing and penetration testing of the product

5 5/1/2015 5:57:24 PM 5864_ER_WHITE. 5 Memory Corruption Vulnerabilities Vulnerability introduced into a product during the implementation phase Typically affect software written in C or C++ Generally the result of mismanagement of user input or memory allocation within a piece of software Affects almost all product types indiscriminately –Network services –Client applications –Hardware appliances Long time problem – Morris Worm of 1988

6 5/1/2015 5:57:24 PM 5864_ER_WHITE. 6 Memory Corruption Vulnerabilities Several classes of memory corruption vulnerabilities Some examples: –Stack Based buffer overflow –Heap Based buffer overflow –Format String issues –Integer Manipulation Issues Allows an attacker to alter the state of a running process Can alter the process to facilitate execution of code of attacker’s choosing

7 5/1/2015 5:57:24 PM 5864_ER_WHITE. 7 What do memory corruption vulnerabilities look like? For those of you unfamiliar the next few slides show some example vulnerabilities of the types discussed previously

8 5/1/2015 5:57:24 PM 5864_ER_WHITE. 8 Stack Based Buffer Overflow char password[25]; char good_password[] = “SECRETPASSWORD”; printf(“Please enter the password: “); scanf(“%s”,password); if(!strcmp(password,good_password)) { printf(“You have successfully authenticated”); run_system_menu(); } else { printf(“Error, invalid password!\n”); }

9 5/1/2015 5:57:24 PM 5864_ER_WHITE. 9 Heap Based Buffer Overflow char *password; char *good_password; password = (char *) malloc(25); good_password = (char *) malloc(15); strcpy(good_password,”SECRETPASSWORD”); printf(“Please enter the password: “); scanf(“%s”,password); if(!strcmp(password,good_password)) { printf(“You have successfully authenticated”); run_system_menu(); } else { printf(“Error, invalid password!\n”); }

10 5/1/2015 5:57:24 PM 5864_ER_WHITE. 10 Integer Manipulation Errors int number_entries=0; int i; int **userdb; printf("How many users do you wish to add?\n>"); scanf("%d",&number); userdb = malloc(number * (sizeof(int *))); for(i=0; i < number; i++) { userdb[i]=get_user(); }

11 5/1/2015 5:57:24 PM 5864_ER_WHITE. 11 Format String Vulnerabilities char *password; char *good_password; char response[30]; password = (char *) malloc(25); good_password = (char *) malloc(15); strcpy(good_password,”SECRETPASSWORD”); printf(“Please enter the password: “); scanf(“%s”,password); if(!strcmp(password,good_password)) { printf(“You have successfully authenticated”); run_system_menu(); } else { snprintf(response,sizeof(response),”Password %s is incorrect!”,password); printf(response); } return 0; }

12 5/1/2015 5:57:24 PM 5864_ER_WHITE. 12 Software Complexity Software is large and complex in nature Projects may have many different developers over long periods of time Projects may experience changes in requirements, goals, methodology over time Assumptions change or are incorrect initially

13 5/1/2015 5:57:24 PM 5864_ER_WHITE. 13 Identifying Memory Corruption Vulnerabilities Some vulnerabilities are very easy to identify Some vulnerabilities hide for decades Attackers are actively looking for these vulnerabilities Within the realm of low attack potential? Within the realm of an “obvious” vulnerability?

14 5/1/2015 5:57:24 PM 5864_ER_WHITE. 14 Identifying Memory Corruption Vulnerabilities There are a few simple ways memory corruption vulnerabilities can be discovered Source Code –“Grep” through source for dangerous function calls, strcpy etc. – Static Analysis tools – RATS, splint etc. Automated Tools aka “fuzzers” –Tools that automate vulnerability hunting –Some are as simple as random byte generators –Others are quite complex –Many available freely on the Internet.

15 5/1/2015 5:57:24 PM 5864_ER_WHITE. 15 Constructing Exploit Code Exploit development can be easy –Many examples to base an exploit can be found on the Internet Generally requires –Reading public domain papers on buffer overflows etc. –Limited understanding of programming principles –Access to a debugger –Access to a compiler Process can be as simple as: –Find input that crashes an application using a fuzzer –Use a debugger to find code and data within a process memory space –Take an exploit off the Internet and modify it to suit

16 5/1/2015 5:57:24 PM 5864_ER_WHITE. 16 Challenges with Memory Corruption Vulnerabilities An attacker only needs to find one memory corruption vulnerability to be successful Defenders need to eradicate or mitigate them all Developer awareness is increasing Arguably attacker awareness is increasing faster Modern languages such as Java and C# make memory management significantly easier There is a lot of code written in C and C++

17 5/1/2015 5:57:24 PM 5864_ER_WHITE. 17 Defense in Depth A defense in depth strategy is needed to mitigate this risk It’s proven extremely difficult to eradicate these problems from our source trees completely Developers make mistakes like everybody else Several defenses have been researched and implemented The two investigated in this presentation are: –Address Space Layout Randomisation –Stack and Heap cookies

18 5/1/2015 5:57:24 PM 5864_ER_WHITE. 18 Address Space Layout Randomisation Exploiting a memory corruption vulnerability usually requires knowledge of how a process exists in memory In order to hijack a process an attacker must know the location in memory of code to execute Address Space Layout Randomisation exploits this requirement and randomises the locations of code and data in memory

19 5/1/2015 5:57:24 PM 5864_ER_WHITE. 19 Address Space Layout Randomisation In order to redirect execution flow an attacker must be able to find somewhere beneficial to redirect to Failed attempts generally result in an application crash Reduced risk of exploitation Developing an exploit still within the realm of low attack potential? I would argue not

20 5/1/2015 5:57:24 PM 5864_ER_WHITE. 20 Stack and Heap Cookies Protect important metadata within an application’s address space Place a randomly generated value in front of important metadata Before using the metadata the random value is checked to see if it has been altered The process is terminated before the metadata is used if it has been altered

21 5/1/2015 5:57:24 PM 5864_ER_WHITE. 21 Stack and Heap Cookies In order to overflow metadata an attacker is required to successfully predict the value of a cookie Failed attempts generally result in program termination Reduced risk of exploitation Again we are moving outside the realm of low attack potential

22 5/1/2015 5:57:24 PM 5864_ER_WHITE. 22 Several major vendors have implemented these mitigations Open Source and Commercial Implementations These features exist in COTS software Implementation

23 5/1/2015 5:57:24 PM 5864_ER_WHITE. 23 Implementations Heap Protections –Windows XP SP2 –Windows Vista –GNU Lib C Stack Protections –Stack Guard –GCC ProPolice / Stack-Smashing Protector (SSP) –Visual Studio Address Space Layout Randomisation –Windows Vista –GRSecurity/PAX (3 rd Party Linux kernel patch) –Exec-shield –OpenBSD

24 5/1/2015 5:57:24 PM 5864_ER_WHITE. 24 How do we evaluate these technologies? First we must note several aspects of their implementation –The mechanisms are there to provide attack resistance not immunity (although they may render some vulnerabilities unexploitable this can never be guaranteed) –Both are inherently probabilistic in nature –There are solid metrics we can use in comparison of implementations (Number of bits of entropy, source of entropy etc.) –There are several works in the literature providing analysis of the effectiveness of these mechanisms –These mechanisms can be described in terms of Security Functional Requirements The functions require a Strength of Function claim Evaluation of Mitigation Technologies

25 5/1/2015 5:57:24 PM 5864_ER_WHITE. 25 Two approaches to evaluating the technologies SAR –Evaluate the functionality as a development methodology and tool aka ALC_TAT SFR –Evaluate the functionality as a security functional requirement, eg an explicit requirement similar to those in the FPT class I favor the SFR approach –Means other products can use the functionality in the form of an environmental SFR –Strength of Function claims made for the SFR Mitigation Technologies – SFRs or SARs ?

26 5/1/2015 5:57:24 PM 5864_ER_WHITE. 26 The TSF shall provide [assignment: number of bits ] bits of entropy of address space layout randomization for [selection: heap, stack, text] addresses. The TSF shall generate [selection: stack, heap, other] protection cookies with [assignment: number of bits] bits of entropy. Example Security Functional Requirements

27 5/1/2015 5:57:24 PM 5864_ER_WHITE. 27 Like all security features these techniques can be used correctly and incorrectly Several attacks and weaknesses discovered when techniques are used in a certain way Assumptions would obviously need to be clearly defined within the Security Target Assumptions for usage

28 5/1/2015 5:57:24 PM 5864_ER_WHITE. 28 Common Criteria allows vendors to make claims regarding the security attributes of their products that can be independently verified Common Criteria allows consumers to make an informed decision when comparing and selecting similar products Address Space Integrity Protection Mechanisms are finding their way into commodity products It is advantageous for both developers and consumers to have these features evaluated Conclusion

29 5/1/2015 5:57:24 PM 5864_ER_WHITE. 29 This presentation is based on a white paper produced within our Evaluation Lab If you are interested come up and speak to me Alternatively email me (address is on the next slide) White Paper

30 5/1/2015 5:57:24 PM 5864_ER_WHITE. 30 Information on CSC Evaluations and Pre-Evaluation Consultation Services – aisef@csc.comaisef@csc.com Feel free to email me – ashley.fox@csc.comashley.fox@csc.com Thanks for listening! Questions, Comments, Thoughts, Suggestions?

Download ppt "5/1/2015 5:57:24 PM 5864_ER_WHITE.1 Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Dr. Pedro Mejia Alvarez Software Testing Slide 1 Software Testing: Building Test Cases.

Dr. Pedro Mejia Alvarez Software Testing Slide 1 Software Testing: Building Test Cases.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Address Space Layout Permutation

Address Space Layout Permutation
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE 548 Secure Software Development Risk-Based Security Testing.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Exploitation: Buffer Overflow, SQL injection, Adobe files Source:
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google