5/1/2015 5:57:24 PM 5864_ER_WHITE.1 Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia.

Slides:



Advertisements
Similar presentations
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Advertisements

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Dr. Pedro Mejia Alvarez Software Testing Slide 1 Software Testing: Building Test Cases.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Address Space Layout Permutation
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CSCE 548 Secure Software Development Risk-Based Security Testing.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:
Computer Security and Penetration Testing
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Detection and Prevention of Buffer Overflow Exploit Cai Jun Anti-Virus Section Manager R&D Department Beijing Rising Tech. Corp. LTD.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.
Software Development Software Testing. Testing Definitions There are many tests going under various names. The following is a general list to get a feel.
Mitigation of Buffer Overflow Attacks
Testing and Debugging Version 1.0. All kinds of things can go wrong when you are developing a program. The compiler discovers syntax errors in your code.
Buffer Overflow Group 7Group 8 Nathaniel CrowellDerek Edwards Punna ChalasaniAxel Abellard Steven Studniarz.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
CSCE 548 Secure Software Development Security Operations.
Operating Systems Security
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
Web Security Firewalls, Buffer overflows and proxy servers.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Fuzzing And Oracles By: Thomas Sidoti. Overview Introduction Motivation Fuzzable Exploits Oracles Implementation Fuzzing Results.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Lec. Waleed Bin Shahid.  You might have noticed a lot of issues related to software implementation.  The ultimate requirement of developer(s) is to.
Software Security Q: What does it mean to say that a program is secure? A: There is a sufficient amount of trust that the program maintains _____________,
Free Transactions with Rio Vista Landon Cox April 15, 2016.
Secure Programming Dr. X
Mitigation against Buffer Overflow Attacks
Sabrina Wilkes-Morris CSCE 548 Student Presentation
CSCE 548 Student Presentation By Manasa Suthram
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
CSCE 548 Secure Software Development Risk-Based Security Testing
Protecting Memory What is there to protect in memory?
Free Transactions with Rio Vista
Lecture 1-Part 2: Operating-System Structures
Protecting Memory What is there to protect in memory?
Software Security Testing
Secure Programming Dr. X
Module 30 (Unix/Linux Security Issues II)
Protecting Memory What is there to protect in memory?
Secure Software Development: Theory and Practice
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Free Transactions with Rio Vista
CS5123 Software Validation and Quality Assurance
Presentation transcript:

5/1/2015 5:57:24 PM 5864_ER_WHITE.1 Evaluating Modern Address Space Integrity Protections within the Common Criteria Ashley Fox CSC Australia

5/1/2015 5:57:24 PM 5864_ER_WHITE. 2 Ashley Fox Common Criteria Evaluator within CSC Australia’s Evaluation Facility Background in Vulnerability Assessment and Software Security

5/1/2015 5:57:24 PM 5864_ER_WHITE. 3 Agenda Memory corruption vulnerabilities Identification and Exploitation Mitigations Evaluating mitigations within the CC

5/1/2015 5:57:24 PM 5864_ER_WHITE. 4 Background The Common Criteria is designed to provide a degree of Assurance within a Security Product Assurance gained through evaluation of procedures, processes, development, implementation etc. Evaluations generally include independent testing and penetration testing of the product

5/1/2015 5:57:24 PM 5864_ER_WHITE. 5 Memory Corruption Vulnerabilities Vulnerability introduced into a product during the implementation phase Typically affect software written in C or C++ Generally the result of mismanagement of user input or memory allocation within a piece of software Affects almost all product types indiscriminately –Network services –Client applications –Hardware appliances Long time problem – Morris Worm of 1988

5/1/2015 5:57:24 PM 5864_ER_WHITE. 6 Memory Corruption Vulnerabilities Several classes of memory corruption vulnerabilities Some examples: –Stack Based buffer overflow –Heap Based buffer overflow –Format String issues –Integer Manipulation Issues Allows an attacker to alter the state of a running process Can alter the process to facilitate execution of code of attacker’s choosing

5/1/2015 5:57:24 PM 5864_ER_WHITE. 7 What do memory corruption vulnerabilities look like? For those of you unfamiliar the next few slides show some example vulnerabilities of the types discussed previously

5/1/2015 5:57:24 PM 5864_ER_WHITE. 8 Stack Based Buffer Overflow char password[25]; char good_password[] = “SECRETPASSWORD”; printf(“Please enter the password: “); scanf(“%s”,password); if(!strcmp(password,good_password)) { printf(“You have successfully authenticated”); run_system_menu(); } else { printf(“Error, invalid password!\n”); }

5/1/2015 5:57:24 PM 5864_ER_WHITE. 9 Heap Based Buffer Overflow char *password; char *good_password; password = (char *) malloc(25); good_password = (char *) malloc(15); strcpy(good_password,”SECRETPASSWORD”); printf(“Please enter the password: “); scanf(“%s”,password); if(!strcmp(password,good_password)) { printf(“You have successfully authenticated”); run_system_menu(); } else { printf(“Error, invalid password!\n”); }

5/1/2015 5:57:24 PM 5864_ER_WHITE. 10 Integer Manipulation Errors int number_entries=0; int i; int **userdb; printf("How many users do you wish to add?\n>"); scanf("%d",&number); userdb = malloc(number * (sizeof(int *))); for(i=0; i < number; i++) { userdb[i]=get_user(); }

5/1/2015 5:57:24 PM 5864_ER_WHITE. 11 Format String Vulnerabilities char *password; char *good_password; char response[30]; password = (char *) malloc(25); good_password = (char *) malloc(15); strcpy(good_password,”SECRETPASSWORD”); printf(“Please enter the password: “); scanf(“%s”,password); if(!strcmp(password,good_password)) { printf(“You have successfully authenticated”); run_system_menu(); } else { snprintf(response,sizeof(response),”Password %s is incorrect!”,password); printf(response); } return 0; }

5/1/2015 5:57:24 PM 5864_ER_WHITE. 12 Software Complexity Software is large and complex in nature Projects may have many different developers over long periods of time Projects may experience changes in requirements, goals, methodology over time Assumptions change or are incorrect initially

5/1/2015 5:57:24 PM 5864_ER_WHITE. 13 Identifying Memory Corruption Vulnerabilities Some vulnerabilities are very easy to identify Some vulnerabilities hide for decades Attackers are actively looking for these vulnerabilities Within the realm of low attack potential? Within the realm of an “obvious” vulnerability?

5/1/2015 5:57:24 PM 5864_ER_WHITE. 14 Identifying Memory Corruption Vulnerabilities There are a few simple ways memory corruption vulnerabilities can be discovered Source Code –“Grep” through source for dangerous function calls, strcpy etc. – Static Analysis tools – RATS, splint etc. Automated Tools aka “fuzzers” –Tools that automate vulnerability hunting –Some are as simple as random byte generators –Others are quite complex –Many available freely on the Internet.

5/1/2015 5:57:24 PM 5864_ER_WHITE. 15 Constructing Exploit Code Exploit development can be easy –Many examples to base an exploit can be found on the Internet Generally requires –Reading public domain papers on buffer overflows etc. –Limited understanding of programming principles –Access to a debugger –Access to a compiler Process can be as simple as: –Find input that crashes an application using a fuzzer –Use a debugger to find code and data within a process memory space –Take an exploit off the Internet and modify it to suit

5/1/2015 5:57:24 PM 5864_ER_WHITE. 16 Challenges with Memory Corruption Vulnerabilities An attacker only needs to find one memory corruption vulnerability to be successful Defenders need to eradicate or mitigate them all Developer awareness is increasing Arguably attacker awareness is increasing faster Modern languages such as Java and C# make memory management significantly easier There is a lot of code written in C and C++

5/1/2015 5:57:24 PM 5864_ER_WHITE. 17 Defense in Depth A defense in depth strategy is needed to mitigate this risk It’s proven extremely difficult to eradicate these problems from our source trees completely Developers make mistakes like everybody else Several defenses have been researched and implemented The two investigated in this presentation are: –Address Space Layout Randomisation –Stack and Heap cookies

5/1/2015 5:57:24 PM 5864_ER_WHITE. 18 Address Space Layout Randomisation Exploiting a memory corruption vulnerability usually requires knowledge of how a process exists in memory In order to hijack a process an attacker must know the location in memory of code to execute Address Space Layout Randomisation exploits this requirement and randomises the locations of code and data in memory

5/1/2015 5:57:24 PM 5864_ER_WHITE. 19 Address Space Layout Randomisation In order to redirect execution flow an attacker must be able to find somewhere beneficial to redirect to Failed attempts generally result in an application crash Reduced risk of exploitation Developing an exploit still within the realm of low attack potential? I would argue not

5/1/2015 5:57:24 PM 5864_ER_WHITE. 20 Stack and Heap Cookies Protect important metadata within an application’s address space Place a randomly generated value in front of important metadata Before using the metadata the random value is checked to see if it has been altered The process is terminated before the metadata is used if it has been altered

5/1/2015 5:57:24 PM 5864_ER_WHITE. 21 Stack and Heap Cookies In order to overflow metadata an attacker is required to successfully predict the value of a cookie Failed attempts generally result in program termination Reduced risk of exploitation Again we are moving outside the realm of low attack potential

5/1/2015 5:57:24 PM 5864_ER_WHITE. 22 Several major vendors have implemented these mitigations Open Source and Commercial Implementations These features exist in COTS software Implementation

5/1/2015 5:57:24 PM 5864_ER_WHITE. 23 Implementations Heap Protections –Windows XP SP2 –Windows Vista –GNU Lib C Stack Protections –Stack Guard –GCC ProPolice / Stack-Smashing Protector (SSP) –Visual Studio Address Space Layout Randomisation –Windows Vista –GRSecurity/PAX (3 rd Party Linux kernel patch) –Exec-shield –OpenBSD

5/1/2015 5:57:24 PM 5864_ER_WHITE. 24 How do we evaluate these technologies? First we must note several aspects of their implementation –The mechanisms are there to provide attack resistance not immunity (although they may render some vulnerabilities unexploitable this can never be guaranteed) –Both are inherently probabilistic in nature –There are solid metrics we can use in comparison of implementations (Number of bits of entropy, source of entropy etc.) –There are several works in the literature providing analysis of the effectiveness of these mechanisms –These mechanisms can be described in terms of Security Functional Requirements The functions require a Strength of Function claim Evaluation of Mitigation Technologies

5/1/2015 5:57:24 PM 5864_ER_WHITE. 25 Two approaches to evaluating the technologies SAR –Evaluate the functionality as a development methodology and tool aka ALC_TAT SFR –Evaluate the functionality as a security functional requirement, eg an explicit requirement similar to those in the FPT class I favor the SFR approach –Means other products can use the functionality in the form of an environmental SFR –Strength of Function claims made for the SFR Mitigation Technologies – SFRs or SARs ?

5/1/2015 5:57:24 PM 5864_ER_WHITE. 26 The TSF shall provide [assignment: number of bits ] bits of entropy of address space layout randomization for [selection: heap, stack, text] addresses. The TSF shall generate [selection: stack, heap, other] protection cookies with [assignment: number of bits] bits of entropy. Example Security Functional Requirements

5/1/2015 5:57:24 PM 5864_ER_WHITE. 27 Like all security features these techniques can be used correctly and incorrectly Several attacks and weaknesses discovered when techniques are used in a certain way Assumptions would obviously need to be clearly defined within the Security Target Assumptions for usage

5/1/2015 5:57:24 PM 5864_ER_WHITE. 28 Common Criteria allows vendors to make claims regarding the security attributes of their products that can be independently verified Common Criteria allows consumers to make an informed decision when comparing and selecting similar products Address Space Integrity Protection Mechanisms are finding their way into commodity products It is advantageous for both developers and consumers to have these features evaluated Conclusion

5/1/2015 5:57:24 PM 5864_ER_WHITE. 29 This presentation is based on a white paper produced within our Evaluation Lab If you are interested come up and speak to me Alternatively me (address is on the next slide) White Paper

5/1/2015 5:57:24 PM 5864_ER_WHITE. 30 Information on CSC Evaluations and Pre-Evaluation Consultation Services – Feel free to me – Thanks for listening! Questions, Comments, Thoughts, Suggestions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.