Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University of Virginia Computer Science.

Published byAshley Booker Modified over 8 years ago

Similar presentations

Presentation on theme: "Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University of Virginia Computer Science."— Presentation transcript:

1 Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans http://www.cs.virginia.edu/evans University of Virginia Computer Science

2 2 www.cs.virginia.edu/evans/mit05

3 3 Jefferson’s plan for the University of Virginia, 1817 Rotunda 10 Pavilions

4 4 www.cs.virginia.edu/evans/mit05 Rotunda Pavilions   Pavilions

5 5 www.cs.virginia.edu/evans/mit05 Pavilion V

6 6 www.cs.virginia.edu/evans/mit05 Jefferson’s plan for the University of Virginia, Rockfish Gap Report 1818 (Note: 3 years before Electrical Engineering existed)

7 7 www.cs.virginia.edu/evans/mit05 Jefferson’s plan for the University of Virginia, Rockfish Gap Report 1818

8 8 www.cs.virginia.edu/evans/mit05 Course V Professors Charles Bonnycastle (1825-1832) –Switched to Mathematics Robert Patterson (~1833-1835) –Resigned (went to direct U.S. Mint) Board selected Joseph Henry –Declined position

9 9 www.cs.virginia.edu/evans/mit05 William Barton Rogers 1835: appointed Professor of Natural Philosophy (Course V) 1840s: students riot and kill professor 1853: Resigns position 1861: Founds MIT Quote from teaching evaluation at end!

10 Where’s the FEEB? Effectiveness of Instruction Set Randomization To appear in USENIX Security Symposium, August 2005. Ana Nora Sovarel, David Evans and Nathanael Paul.

11 11 www.cs.virginia.edu/evans/mit05 Security Through Diversity Today’s Computing Monoculture –Exploit can compromise billions of machines since they are all running the same software Biological Diversity –All successful species use very expensive mechanism (i.e., sex) to maintain diversity Computer security research: [Cohen 92], [Forrest + 97], [Cowan + 2003], [Barrantes + 2003], [Kc + 2003], [Bhatkar + 2003], [Just + 2004]

12 12 www.cs.virginia.edu/evans/mit05 Instruction Set Randomization [Barrantes+, CCS 03] [Kc+, CCS 03] Code injection attacks depend on knowing the victim machine’s instruction set Defuse them all by making instruction sets different and secret –Its expensive to design new ISAs and build new microprocessors

13 13 www.cs.virginia.edu/evans/mit05 Derandomizer Processor Automating ISR Randomizer Secret Key Original Code Original Executable Randomized Executable

14 14 www.cs.virginia.edu/evans/mit05 Derandomizer Processor ISR Defuses Attacks Randomizer Secret Key Original Executable Randomized Executable Malicious Injected Code Broken Malicious Code

15 15 www.cs.virginia.edu/evans/mit05 ISR Designs Columbia [Kc 03]RISE [Barrantes 03] Randomization Function XOR or 32-bit transposition XOR Key Size 32 bits (same key used for all locations) program length (each location XORed with different byte) Transformation Time Compile TimeLoad Time DerandomizationHardwareSoftware (Valgrind)

16 16 www.cs.virginia.edu/evans/mit05 How secure is ISR? Slows down an attack about 6 minutes! Under the right circumstances…

17 17 www.cs.virginia.edu/evans/mit05 ISR Attack Attack Client ISR-protected Server Incorrect Guess Crash! Attack Client Correct Guess ISR-protected Server Observable Behavior

18 18 www.cs.virginia.edu/evans/mit05 Server Requirements Vulnerable: buffer overflow is fine Able to make repeated guesses –No rerandomization after crash –Likely if server forks requests (Apache) Observable: notice server crashes Cryptanalyzable –Learn key from one ciphertext-plaintext pair –Easy with XOR

19 19 www.cs.virginia.edu/evans/mit05 Two Attack Ideas RET (0xC3): return from procedure –1-byte instruction: up to 256 guesses –Returns, leaves stack inconsistent Only works if server does something observable before crashing JMP -2 (0xEBFE): jump offset -2 –2-byte instruction: up to 2 16 guesses –Produces infinite loop Incorrect guess usually crashes server

20 20 www.cs.virginia.edu/evans/mit05 Jump Attack Vulnerable Buffer Overwritten Return Address 0xEB (JMP) 0xFE (-2) Unknown Masks Correct guess produces infinite loop 2 16 possible guesses for 2-byte instruction

21 21 www.cs.virginia.edu/evans/mit05 Incremental Jump Attack Guessing next byte: < 256 attempts Vulnerable Buffer Overwritten Return Address 0xEB (JMP) 0xFE (-2) Unknown Masks Guessing first 2 byte masks Overwritten Return Address 0xEB (JMP) 0xFE (-2) Unknown Masks 0xCD (INT) Guessed Masks

22 22 www.cs.virginia.edu/evans/mit05 Guess Outcomes Observe “Correct” Behavior Observe “Incorrect” Behavior Correct GuessSuccessFalse Negative Incorrect GuessFalse PositiveProgress

23 23 www.cs.virginia.edu/evans/mit05 False Positives Injected bytes produce an infinite loop: –JMP -4 –JNZ -2 Injected bytes are “harmless”, later executed instruction causes infinite loop Injected guess causes crash, but timeout expires before remote attacker observes

24 24 www.cs.virginia.edu/evans/mit05 False Positives – Good News Can distinguish correct mask using other instructions Try injecting a “harmless” one-byte instruction –Correct: get loop –Incorrect: usually crashes Difficulty: dense opcodes –No pair that differs in only last bit are reliably different in harmfullness Overwritten Return Address 0x90 (NOOP) 0xEB (JMP) Unknown Masks 0xFE (-2) Guessed Masks

25 25 www.cs.virginia.edu/evans/mit05 False Positives – Better News False positives are not random –Conditional jump instructions –Opcodes 01110000-0111111 All are complementary pairs: 0111 xyz a not taken  0111 xyz ā is! 32 guesses always find an infinite loop About 8 additional guesses to determine correct mask

26 26 www.cs.virginia.edu/evans/mit05 Extended Attack “Crash Zone” Overwritten Return Address 0xCD (INT) 0xE9 (Near Jump) 32-bit offset (to jump to original return address) 0xCD (INT) 0x06 (offset) 0xEB (JMP) Near jump to return location –Execution continues normally –No infinite loops 0xCD 0xCD is interrupt instruction guaranteed to crash

27 27 www.cs.virginia.edu/evans/mit05 Expected Attempts ~ 15½ to find first jumping instruction + ~ 8 to determine correct mask 23½ expected attempts per byte “Crash Zone” Overwritten Return Address 0xCD (INT) 0xE9 (Near Jump) 32-bit offset (to jump to original return address) 0xCD (INT) 0x06 (offset) 0xEB (JMP)

28 28 www.cs.virginia.edu/evans/mit05 Experiments Implemented attack against constructed vulnerable server protected with RISE [Barrantes et. al, 2003] –Memory space randomization works! Turned of Fedora’s address space randomization –Needed to modify RISE Ensure forked processes use same randomization key (other proposed ISR implementations wouldn’t need this) Obtain correct key over 95% of the time –Sometimes can’t because unable to inject NULLs

29 29 www.cs.virginia.edu/evans/mit05 Attempts Required 4339 attempts to get first 2 bytes 101,651 attempts to get 4096 bytes

30 30 www.cs.virginia.edu/evans/mit05 Total Time 4-byte key (Columbia implementation) in < 3½ minutes 4096-byte key in 48 minutes Attacker: “Is this good enough?” Defender: “Is this bad enough?”

31 31 www.cs.virginia.edu/evans/mit05 How many key bytes needed? Inject malcode in one ISR-protected host –Sapphire worm = 376 bytes Create a worm that spreads on a network of ISR-protected servers –Space for FEEB attack code: 34,723 bytes –Need to crash server ~800K times

32 32 www.cs.virginia.edu/evans/mit05 Maybe less…? VMWare: 3,530,821 bytes Java VM: 135,328 bytes Minsky’s UTM: 7 states, 4 colors MicroVM: 100 bytes

33 33 www.cs.virginia.edu/evans/mit05 Entire MicroVM Code push dword ebpmov ebp, WORM_ADDRESS + WORM_REG_OFFSET pop dword [ebp + WORM_DATA_OFFSET] xor eax, eax ; WormIP = 0 (load from ebp + eax) read_more_worm: ; read NUM_BYTES at a time until worm is done cld xor ecx, ecx mov byte cl, NUM_BYTES mov dword esi, WORM_ADDRESS ; get saved WormIP add dword esi, eax mov edi, begin_worm_exec rep movsb; copies next Worm block into execution buffer add eax, NUM_BYTES ; change WormIP pushad ; save register vals mov edi, dword [ebp] ; restore worm registers mov esi, dword [ebp + ESI_OFFSET] mov ebx, dword [ebp + EBX_OFFSET] mov edx, dword [ebp + EDX_OFFSET] mov ecx, dword [ebp + ECX_OFFSET] mov eax, dword [ebp + EAX_OFFSET] begin_worm_exec: ; this is the worm execution buffer nop nop nop nop nop nop nop nop nop nop nop nop mov [ebp], edi; save worm registers mov [ebp + ESI_OFFSET], esi mov [ebp + EBX_OFFSET], ebx mov [ebp + EDX_OFFSET], edx mov [ebp + ECX_OFFSET], ecx mov [ebp + EAX_OFFSET], eax popad ; restore microVM register vals jmp read_more_worm

34 34 www.cs.virginia.edu/evans/mit05 save worm address in ebp move stack frame pointer WormIP  0 copy worm code into buffer update WormIP save MicroVM registers load worm registers 22-byte worm execution buffer save worm registers load MicroVM registers jmp to read next block saved registers worm code host key masks guessed (target) masks other worm data Learned Key Bytes 76 bytes of code + 22 bytes for execution + 2 bytes to avoid NULL = 100 bytes is enough > 99% of the time MicroVM Worm code must be coded in blocks that fit into execution buffer (pad with noops so instructions do not cross block boundaries)

35 35 www.cs.virginia.edu/evans/mit05 Making Jumps Within a block - short relative jump is fine Between worm blocks –From end of block, to beginning of block –Update the WormIP stored on the stack –Code conditional jump, JZ target in worm as: JNZ +5 ; if opposite condition, skip MOV [ebp + WORMIP_OFFSET] target

36 36 www.cs.virginia.edu/evans/mit05 Deploying a Worm Learn 100 key bytes to inject MicroVM –Median time: 311 seconds, 8422 attempts –Fast enough for a worm to spread effectively Inject pre-encrypted worm code –XORed with the known key at location –Insert NOOPs when necessary to avoid NULLs Inject key bytes –Needed to propagate worm

37 37 www.cs.virginia.edu/evans/mit05 Preventing Attack: Break Attack Requirements Vulnerable: eliminate vulnerabilities –Rewrite all your code in a type safe language Able to make repeated guesses –Rerandomize after crash Observable: notice server crashes –Maintain client socket after crash? Cryptanalyzable –Use a strong cipher like AES instead of XOR

38 38 www.cs.virginia.edu/evans/mit05 Better Solution Avoid secrets! –Keeping them is hard –They can be broken or stolen Prove security properties without relying on assumptions about secrets or probabilistic arguments

39 39 www.cs.virginia.edu/evans/mit05 Polygraphing Processes: N ‑ Variant Systems for Secretless Security Jefferson’s Polygraph Hoover’s Polygraph work with Ben Cox, Jack Davidson, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Anh Nguyen ‑ Tuong, Jonathan Rowanhill

40 40 www.cs.virginia.edu/evans/mit05 2-Variant System Input (Possibly Malicious) Server Variant 0 Server Variant 1 Monitor Output Polygrapher

41 41 www.cs.virginia.edu/evans/mit05 Disjoint Variants Normal Equivalence Property Under normal inputs, the variants stay in equivalent states: A 0 (S 0 )  A 1 (S 1 ) Detection Property Any attack that compromises Variant 0 causes Variant 1 to “crash” Variant 0 Variant 1 Monitor Poly- grapher Monitor –Must delay effects of one variant until other is synchronized –Must observe crash of one variant and recover

42 42 www.cs.virginia.edu/evans/mit05 Memory Partitioning Variation –Variant 0: addresses all start with 0 –Variant 1: addresses all start with 1 Normal Equivalence –Map addresses to same address space Detection Property –Any absolute load/store is invalid on one of the variants

43 43 www.cs.virginia.edu/evans/mit05 Instruction Set Tagging Variation: add an extra bit to all opcodes –Variation 0: tag bit is a 0 –Variation 1: tag bit is a 1 Run-time emulator checks bit and removes it (software dynamic translation using Strata) Normal Equivalence: Remove the tag bits Detection Property –Any (tagged) opcode is invalid on one variant –Injected code (identical on both) cannot run on both

44 44 www.cs.virginia.edu/evans/mit05 010 Composing Variations Must preserve normal equivalence property P1P1 P2P2 P3P3 Memory Space Instruction Tags 110 Detect memory attack Detect code injection

45 45 www.cs.virginia.edu/evans/mit05 Implementation: Kernel Modification [Ben Cox] Modify process table to record variants Create new fork routine to launch variants Intercept system calls: –Check parameters are the same for all variants –Make call once –Send same result to all Low overhead, lack of isolation

46 46 www.cs.virginia.edu/evans/mit05 Implementation: Divert Sockets [Adrian Filipi] Process intercepts traffic (nvpd) Uses divert sockets to send copies to isolated variants (can be on different machines) Waits until all variants respond to request before returning to client Adjusts TCP sequence numbers to each variant appears to have normal connection

47 47 www.cs.virginia.edu/evans/mit05 3-Variant System P1P1P1P1 P2P2P2P2 Server P3P3P3P3 nvpd Input from Client Polygrapher Monitor Output to Client

48 48 www.cs.virginia.edu/evans/mit05 Results Open problems: dealing with non- determinism, persistent state Cost (nvpd implementation, https) –4x machines –Latency multiplied by 2.3 (cf. sex) Security properties –Detects (and thwarts) any attack that: Depends on referencing an absolute address Depends on executing injected code

49 49 www.cs.virginia.edu/evans/mit05 Jaws Diversity depends on your perspective Slide from my USENIX Security 2004 Talk, What Biology Can (and Can’t) Teach us about Security

50 50 www.cs.virginia.edu/evans/mit05 Summary Producing artificial diversity is easy –Defeats undetermined adversaries Keeping secrets is hard –Remote attacker can break ISR-protected server in < 6 minutes N-variant systems framework offers provable (but expensive) defense –Effectiveness depends on whether variations vary things that matter to attack

51 51 www.cs.virginia.edu/evans/mit05 Prof. Rogers’ Teaching Evaluation

52 52 www.cs.virginia.edu/evans/mit05 “Who can forget that stream of English undefiled, so smooth, so deep, and yet so clear, that passed from point to point with gentle touch, that commonly flowed along with the quiet of conscious power, yet sometimes became tumultuous with feeling, and then came the music of the cataract and the glory of the rainbow!” Francis H. Smith, in History of the University of Virginia, 1819-1919, Vol. 2 Prof. Rogers’ Teaching Evaluation

53 53 www.cs.virginia.edu/evans/mit05 Questions?

54 54 www.cs.virginia.edu/evans/mit05

55 55 www.cs.virginia.edu/evans/mit05 JO JNO JB JNB JZ JNZ JMP CALL … Variant AVariant B JNO JNB JNZ CALL JO JB JZ JMP Instruction Set Partitioning

56 56 www.cs.virginia.edu/evans/mit05 Tuition Schedule, 1819 1 Professor$50/year 2 Professors$70/year 3 Professors$75/year

57 57 www.cs.virginia.edu/evans/mit05 Attempts per Byte Drops to below 24 average attempts per byte ~2 12 attempts for first 2 bytes

58 58 www.cs.virginia.edu/evans/mit05 Memory Randomization Attack Brute force attack on memory address space randomization (Shacham et. al. [CCS 2004]): 24-bit effective key space Can a similar attack work against ISR? –Larger key space: must attack in fragments –Need to tell if partial guess is correct

Download ppt "Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University of Virginia Computer Science."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
University of VirginiaDARPA SRS - 27 Jan 20051 Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.

University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.

Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.

G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.
Address Space Layout Permutation

Address Space Layout Permutation
5-Stage Pipelining Fetch Instruction (FI) Fetch Operand (FO) Decode Instruction (DI) Write Operand (WO) Execution Instruction (EI) S3S3 S4S4 S1S1 S2S2.

5-Stage Pipelining Fetch Instruction (FI) Fetch Operand (FO) Decode Instruction (DI) Write Operand (WO) Execution Instruction (EI) S3S3 S4S4 S1S1 S2S2.

Similar presentations

Ads by Google