CS457 – Introduction to Information Systems Security: Software 4 (Elias Athanasopoulos)

Defending ROP
- Randomization
  - Address Space Layout Randomization (ASLR)
  - Fine-grained randomization (Smashing the Gadgets, Binary Stirring)
- Control Flow Integrity (CFI)
- Run-time detection
  - Based on H/W features (kBouncer)

Control-flow Graph
[Figure: control-flow graph of a program with a direct call of sort() and an indirect call of lt()/gt()]
- Direct call of sort()
- Indirect call of lt()/gt()
- All ret instructions are indirect branches!
- Can you spot other indirect branches?

Enforcing CFI (1): Things we don't care about
- Direct call of sort()
- Direct calls cannot be controlled by the attacker (fixed targets): do nothing!

Enforcing CFI (2): Forward Edges
- Indirect call of lt()/gt(): the target is held in register R
- Legitimate targets: lt(), gt()
- CFI: make sure only legitimate targets are exercised
- Attack: redirect R to a gadget
- Attach a label to the indirect call site: l7
- Check the label at function entry points
- Result: R is coupled only with the legitimate targets lt(), gt()
  - The call in sort() can only reach lt(), gt()
  - lt(), gt() can only be reached by the call in sort()

Implementation Example

Enforcing CFI (3): Backward Edges
- All ret instructions are indirect branches!
- Call site: the instruction after a call
- (1) Add labels to call sites
- (2) On ret, check that the return address carries the label of a legitimate call site, i.e. that we return to the right place

Ideal CFI
Two problems:
1) CFG discovery (especially in legacy apps)
2) Performance overhead of the checks

Coarse-grained (loose) CFI
Two labels only:
1) One for ensuring an indirect call enters a function entry point
2) One for ensuring a ret returns to a call site
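Added example, not from the slides: a C model of the label check of slides 4, 5 and 7 applied to the sort()/lt()/gt() case, with a switch between the fine-grained policy and the coarse-grained ("any function entry") policy of slide 9. The label values, the lookup table that stands in for labels embedded at function entries, and the functions other_entry() and gadget() are assumptions made for illustration; a real CFI rewriter embeds the label in the code and checks it inline, and aborts rather than returning -1.

```c
#include <stddef.h>
#include <stdio.h>

/* The two legitimate targets of the indirect call in sort(). */
static int lt(int a, int b) { return a < b; }
static int gt(int a, int b) { return a > b; }

/* Assumed: another function entry somewhere in the binary.  Under the
 * coarse-grained policy ("any function entry") it is a valid target, but
 * the call in sort() was never meant to reach it. */
static int other_entry(int a, int b) { return a ^ b; }

/* Assumed: stand-in for a ROP gadget in the middle of a function body.
 * It does not start at a labelled function entry at all. */
static int gadget(int a, int b) { return a + b; }

typedef int (*cmp_fn)(int, int);

/* Labels the CFI rewriter attaches to function entries.  The indirect call
 * site in sort() carries LABEL_SORT_CMP (the slide's l7); lt() and gt()
 * carry the same label, other_entry() a different one, gadget() none. */
#define LABEL_SORT_CMP 7u
#define LABEL_OTHER    9u

struct entry_label { cmp_fn fn; unsigned label; };

static const struct entry_label entry_labels[] = {
    { lt,          LABEL_SORT_CMP },
    { gt,          LABEL_SORT_CMP },
    { other_entry, LABEL_OTHER },
};

/* Label found at the target address, or 0 if the target is not a function
 * entry point at all (e.g. a mid-function gadget). */
static unsigned label_at(cmp_fn target) {
    for (size_t i = 0; i < sizeof entry_labels / sizeof entry_labels[0]; i++)
        if (entry_labels[i].fn == target) return entry_labels[i].label;
    return 0;
}

enum cfi_policy { CFI_FINE, CFI_COARSE };

/* The check inserted before the indirect call.  Fine-grained: the target's
 * label must equal the call-site label.  Coarse-grained: any function entry. */
static int cfi_check(enum cfi_policy pol, unsigned site_label, cmp_fn target) {
    unsigned l = label_at(target);
    if (l == 0) return 0;             /* not a function entry: both policies reject */
    if (pol == CFI_COARSE) return 1;  /* any entry point is accepted */
    return l == site_label;
}

/* sort() with its indirect call guarded.  Returns 0 when the sort ran and
 * -1 when CFI blocked the call. */
static int cfi_sort(int *a, int n, cmp_fn cmp, enum cfi_policy pol) {
    if (!cfi_check(pol, LABEL_SORT_CMP, cmp)) return -1;
    for (int i = 1; i < n; i++) {                 /* insertion sort */
        int v = a[i], j = i - 1;
        while (j >= 0 && cmp(v, a[j])) { a[j + 1] = a[j]; j--; }
        a[j + 1] = v;
    }
    return 0;
}

/* Sorts a fresh copy of {3, 1, 2} with cmp under policy pol and returns the
 * first element afterwards, or -1 if CFI blocked the indirect call. */
static int sort_result(cmp_fn cmp, enum cfi_policy pol) {
    int a[] = { 3, 1, 2 };
    if (cfi_sort(a, 3, cmp, pol) != 0) return -1;
    return a[0];
}

int main(void) {
    printf("lt, fine-grained:            %d\n", sort_result(lt, CFI_FINE));
    printf("gt, fine-grained:            %d\n", sort_result(gt, CFI_FINE));
    printf("gadget, fine-grained:        %d\n", sort_result(gadget, CFI_FINE));
    printf("gadget, coarse-grained:      %d\n", sort_result(gadget, CFI_COARSE));
    printf("other_entry, fine-grained:   %d\n", sort_result(other_entry, CFI_FINE));
    printf("other_entry, coarse-grained: %d\n", sort_result(other_entry, CFI_COARSE));
    return 0;
}
```

The last two lines are the point of slide 9: under the coarse-grained policy the attacker cannot divert R into the middle of a function, but any function entry in the binary becomes a reachable target, which is where the entry-point gadgets of the following slides come from.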

Gadgets under coarse-grained CFI

Linking Gadgets under CFI

Exploitation under CFI

Last Branch Record (LBR)
- 16 pairs of H/W registers (a from/to address pair per branch)
- Intended for debugging
- They store the last branches taken
- Can be configured to record only indirect branches

kBouncer

Normal vs ROP

kBouncer Checks
- call-ret pairing (coarse-grained CFI: every ret must land on a call-preceded address)
- Heuristics
  - A sequence of up to 20 instructions between indirect branches is considered a gadget
  - 6 gadgets in a row is considered an attack
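Added example, not from the slides or from kBouncer itself: the two checks of this slide written out in C and run over constructed LBR traces, so that the benign case, classic ROP, call-preceded ROP and the bypass idea of slide 19 can be compared. The struct fields are assumptions: real LBR entries hold only the from/to addresses, and kBouncer recovers the branch kind, whether the target is call-preceded, and the length of the code run at the target by disassembling around them; here those values are filled in by hand and the traces are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One reconstructed LBR record (assumed layout, see lead-in). */
enum br_kind { BR_RET, BR_CALL, BR_JMP };
struct lbr_entry {
    enum br_kind kind;
    bool to_is_call_preceded;         /* target follows a call instruction */
    unsigned insns_to_next_indirect;  /* instructions run at target before the next indirect branch */
};

#define KB_LBR_DEPTH        16  /* the LBR holds 16 from/to pairs */
#define KB_GADGET_MAX_INSNS 20  /* a run this short counts as a gadget */
#define KB_CHAIN_THRESHOLD   6  /* this many gadgets in a row is an attack */

enum kb_verdict { KB_OK, KB_RET_NOT_CALL_PRECEDED, KB_GADGET_CHAIN };

/* Inspect the last indirect branches (kBouncer does this when the process
 * enters a system call): call-ret pairing first, then the gadget-chain heuristic. */
static enum kb_verdict kbouncer_check(const struct lbr_entry *lbr, size_t n) {
    unsigned chain = 0;
    if (n > KB_LBR_DEPTH) { lbr += n - KB_LBR_DEPTH; n = KB_LBR_DEPTH; } /* only the last 16 survive */
    for (size_t i = 0; i < n; i++) {
        if (lbr[i].kind == BR_RET && !lbr[i].to_is_call_preceded)
            return KB_RET_NOT_CALL_PRECEDED;
        if (lbr[i].insns_to_next_indirect <= KB_GADGET_MAX_INSNS) {
            if (++chain >= KB_CHAIN_THRESHOLD) return KB_GADGET_CHAIN;
        } else {
            chain = 0;   /* a long code run ends the gadget chain */
        }
    }
    return KB_OK;
}

#define TRACE_LEN(t) (sizeof (t) / sizeof (t)[0])

/* Constructed trace 1: benign execution, rets land on call sites, long code runs. */
static const struct lbr_entry trace_normal[] = {
    { BR_CALL, false, 80 }, { BR_RET, true, 45 }, { BR_JMP, false, 120 },
    { BR_CALL, false, 15 }, { BR_RET, true, 300 }, { BR_RET, true, 60 },
};
/* Constructed trace 2: classic ROP, rets land mid-function. */
static const struct lbr_entry trace_classic_rop[] = {
    { BR_RET, false, 3 }, { BR_RET, false, 2 }, { BR_RET, false, 4 },
};
/* Constructed trace 3: only call-preceded gadgets, so pairing passes,
 * but six short gadgets in a row trip the heuristic. */
static const struct lbr_entry trace_cp_rop[] = {
    { BR_RET, true, 4 }, { BR_RET, true, 6 }, { BR_RET, true, 3 },
    { BR_RET, true, 5 }, { BR_RET, true, 2 }, { BR_RET, true, 7 },
};
/* Constructed trace 4: the same attack with a long call-preceded gadget
 * (more than 20 instructions) after every five short ones; the chain
 * counter never reaches six, so the heuristic stays silent. */
static const struct lbr_entry trace_bypass[] = {
    { BR_RET, true, 4 }, { BR_RET, true, 6 }, { BR_RET, true, 3 },
    { BR_RET, true, 5 }, { BR_RET, true, 2 }, { BR_RET, true, 35 },
    { BR_RET, true, 4 }, { BR_RET, true, 6 }, { BR_RET, true, 3 },
    { BR_RET, true, 5 }, { BR_RET, true, 2 }, { BR_RET, true, 40 },
};

static const char *verdict_name[] = { "OK", "ret not call-preceded", "gadget chain" };

int main(void) {
    printf("normal:          %s\n", verdict_name[kbouncer_check(trace_normal, TRACE_LEN(trace_normal))]);
    printf("classic ROP:     %s\n", verdict_name[kbouncer_check(trace_classic_rop, TRACE_LEN(trace_classic_rop))]);
    printf("call-preceded:   %s\n", verdict_name[kbouncer_check(trace_cp_rop, TRACE_LEN(trace_cp_rop))]);
    printf("long-gadget mix: %s\n", verdict_name[kbouncer_check(trace_bypass, TRACE_LEN(trace_bypass))]);
    return 0;
}
```

Trace 4 is what the bypass slides are about: the attacker needs call-preceded gadgets only, plus at least one gadget whose body runs more than 20 instructions without crashing or clobbering the chain's state, placed often enough that no six short gadgets are adjacent in the LBR window.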

kBouncer Heuristics

Bypassing kBouncer

kBouncer bypass PoC

Other Software Vulnerabilities
- Use-after-free and dangling pointers
- Integer overflows

Use-after-free
- t0: P1 and P2 point to object A
- t1: P1 is freed (and set to NULL); A's memory is now free space, but P2 still points to it: P2 is a dangling pointer
- t2: the attacker allocates a new object of the same size and it lands in A's old memory
- t3: P2 now points to the new object!
  1) The new object is of a different type
  2) P2->foo() can execute attacker's code in the new object
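Added example, not from the slides: the t0..t3 timeline above in C. The allocator is an assumed toy (fixed-size slots, freed slot reused first) so that the attacker's allocation at t2 deterministically receives A's memory; glibc's small-chunk caches behave the same way in practice but make no guarantee, which is why real exploits first "groom" the heap. Object A is modelled as a struct whose first field is a function pointer, the stand-in for a C++ vtable pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed toy allocator: NSLOTS slots of SLOT_SIZE bytes, LIFO reuse. */
#define SLOT_SIZE 32
#define NSLOTS     8
static unsigned char *pool_mem;
static int free_stack[NSLOTS];
static int free_top;

static void *pool_alloc(size_t n) {
    if (!pool_mem) {
        pool_mem = malloc((size_t)NSLOTS * SLOT_SIZE);
        if (!pool_mem) return NULL;
        for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
    }
    if (n > SLOT_SIZE || free_top == 0) return NULL;
    return pool_mem + (size_t)free_stack[--free_top] * SLOT_SIZE;
}

static void pool_free(void *p) {
    free_stack[free_top++] = (int)(((unsigned char *)p - pool_mem) / SLOT_SIZE);
}

/* Object A: a function pointer (vtable stand-in) followed by data. */
struct obj {
    void (*foo)(struct obj *);
    int value;
};
static void obj_foo(struct obj *self) { self->value++; }

/* The attacker's "new object": same size class, different type, every
 * byte chosen by the attacker. */
struct attacker_obj { unsigned char bytes[sizeof(struct obj)]; };

/* Plays t0..t3 and returns what P2->foo holds at t3.  Calling P2->foo()
 * at that point would transfer control to that value. */
static uintptr_t uaf_timeline(uintptr_t attacker_chosen_target) {
    struct obj *p1 = pool_alloc(sizeof *p1);           /* t0: P1 and P2 point to A */
    if (!p1) return 0;
    p1->foo = obj_foo;
    p1->value = 0;
    struct obj *p2 = p1;

    pool_free(p1);                                      /* t1: P1 freed and nulled ... */
    p1 = NULL;                                          /*     ... P2 still points at the slot */

    struct attacker_obj *n = pool_alloc(sizeof *n);     /* t2: attacker allocates, gets A's slot */
    memcpy(n->bytes, &attacker_chosen_target, sizeof attacker_chosen_target);
    /* the bytes that used to hold A's foo pointer are now attacker data */

    uintptr_t observed = (uintptr_t)p2->foo;            /* t3: P2->foo reads the attacker's value */
    pool_free(n);
    return observed;
}

int main(void) {
    uintptr_t target = (uintptr_t)0x41414141u;          /* constructed attacker value */
    printf("P2->foo after the UAF sequence: 0x%lx\n", (unsigned long)uaf_timeline(target));
    return 0;
}
```

The write at t2 is a perfectly legal store through the attacker's own pointer; the bug is the read through P2 at t3, which is why an allocator that delays reuse of freed memory (quarantine) or a tool such as AddressSanitizer, which flags the stale read, are the usual defences.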

Integer Overflows

    off_t j, pg_start = /* from user space */;
    size_t i, page_count = ... ;
    int num_entries = ... ;
    /* pg_start + page_count is evaluated as size_t (unsigned) and can wrap around */
    if (pg_start + page_count > num_entries)
        return -EINVAL;
    ...
    for (i = 0, j = pg_start; i < page_count; i++, j++)
        /* write to some address with offset j */;

Integer Overflows (fix)

    off_t j, pg_start = /* from user space */;
    size_t i, page_count = ... ;
    int num_entries = ... ;
    /* second test: a sum that wrapped around is smaller than pg_start */
    if ((pg_start + page_count > num_entries) ||
        (pg_start + page_count < pg_start))
        return -EINVAL;
    ...
    for (i = 0, j = pg_start; i < page_count; i++, j++)
        /* write to some address with offset j */;
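Added example, not from the slides: the check of slide 23, the fixed check of slide 24 and a third, more explicit version, each as a predicate that can be run on the inputs that matter. The types are assumptions: off_t and size_t are replaced by int64_t and uint64_t, their LP64 widths, so that the arithmetic is the same on every platform; the third version uses the GCC/Clang builtin __builtin_add_overflow, which the slides do not mention.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: LP64 widths of the slide's off_t (signed) and size_t (unsigned). */
typedef int64_t  off_like_t;
typedef uint64_t size_like_t;

/* Slide 23.  pg_start + page_count is computed in the common type of the
 * operands, unsigned 64-bit, so it can wrap; num_entries is converted to
 * that unsigned type for the comparison, as C does implicitly. */
static bool range_ok_vulnerable(off_like_t pg_start, size_like_t page_count, int num_entries) {
    if (pg_start + page_count > (size_like_t)num_entries)
        return false;
    return true;
}

/* Slide 24.  A wrapped sum is smaller than pg_start (pg_start itself is
 * converted to unsigned for the comparison, so a negative pg_start is also
 * rejected: it becomes a huge value the sum cannot exceed). */
static bool range_ok_fixed(off_like_t pg_start, size_like_t page_count, int num_entries) {
    if ((pg_start + page_count > (size_like_t)num_entries) ||
        (pg_start + page_count < (size_like_t)pg_start))
        return false;
    return true;
}

/* Explicit version: say what is meant instead of relying on the conversion
 * rules.  Note that __builtin_add_overflow alone does not catch a negative
 * pg_start: -1 + 10 = 9 is representable, so the sign check is needed. */
static bool range_ok_explicit(off_like_t pg_start, size_like_t page_count, int num_entries) {
    size_like_t end;
    if (pg_start < 0 || num_entries < 0) return false;
    if (__builtin_add_overflow((size_like_t)pg_start, page_count, &end)) return false;
    return end <= (size_like_t)num_entries;
}

static void show(off_like_t pg_start, size_like_t page_count, int num_entries) {
    printf("pg_start=%lld page_count=%llu num_entries=%d -> vulnerable:%d fixed:%d explicit:%d\n",
           (long long)pg_start, (unsigned long long)page_count, num_entries,
           range_ok_vulnerable(pg_start, page_count, num_entries),
           range_ok_fixed(pg_start, page_count, num_entries),
           range_ok_explicit(pg_start, page_count, num_entries));
}

int main(void) {
    show(0, 10, 100);           /* in range: all accept */
    show(91, 10, 100);          /* one past the end: all reject */
    show(-1, 10, 100);          /* negative start from user space: only the first accepts */
    show(1, UINT64_MAX, 100);   /* sum wraps to 0: only the first accepts */
    return 0;
}
```

The two inputs the vulnerable check lets through are the ones that matter for the loop on slide 23: with pg_start = -1 the first write goes to offset -1, before the table, and with a wrapped sum the loop runs page_count iterations far past num_entries.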