CSS 548 Dan Chock.  What are some ways that compilers can affect application security? ◦ Improving Application Security  Checking for and preventing.

Slides:



Advertisements
Similar presentations
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Advertisements

1 InfoShield: A Security Architecture for Protecting Information Usage in Memory Georgia Tech Weidong Shi – Georgia Tech Josh Fryman – Intel Corporation.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Reflections on Trusting Trust Ken Thompson. Communication of the ACM, Vol. 27, No. 8, August 1984, pp Copyright 1984, Association for Computing.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Lecture 16 Buffer Overflow
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Computer Security and Penetration Testing
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.
Protecting Software Code By Guards The George Washington University Cs297 YU-HAO HU.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the Java Security Model Discuss each of the components.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Dilip Dwarakanath.  The topic I’m about to present was taken from a paper titled “Apple iOS 4 Security Evaluation” written by Dino A Dai Zovi.  Dino.
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Language-Based Information- Flow Security (Sabelfeld and Myers) “Practical methods for controlling information flow have eluded researchers for some time.”
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Insecure PCs virus malware phishing spam spyware botnets DNS spoofing identity theft Trojan horse buffer overflow DoS attack worm keyloggers cross-site.
CSC 482/582: Computer Security
Shellcode COSC 480 Presentation Alison Buben.
SE-1021 Software Engineering II
HDFI: Hardware-Assisted Data-flow Isolation
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Chapter 7: Identifying Advanced Attacks
CSC 495/583 Topics of Software Security Stack Overflows
Module 30 (Unix/Linux Security Issues II)
CSC 495/583 Topics of Software Security Stack Overflows (2)
Exam Review.
Security mechanisms and vulnerabilities in .NET
Countering Trusting Trust through Diverse Double-Compiling
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Security in Java Real or Decaf? cs205: engineering software
/GS Switch in Visual Studio
Smashing the Stack for Fun and Profit
TPM, UEFI, Trusted Boot, Secure Boot
Understanding and Preventing Buffer Overflow Attacks in Unix
Format String Vulnerability
Return-to-libc Attacks
Presentation transcript:

CSS 548 Dan Chock

 What are some ways that compilers can affect application security? ◦ Improving Application Security  Checking for and preventing potential vulnerabilities ◦ Additional Effects on Security  Understanding compiler optimization for binary obfuscation ◦ Reducing Application Security  Compiler vulnerabilities and backdoors

 More Secure Code ◦ Preventing stack buffer overflow exploitation via canaries “Anatomy of a Stack Smashing Attack and How GCC Prevents It”, Dr. Dobbs, Oliver Mueller, June 19, 2012

 GCC Options ◦ -fstack-protector ; -fstack-protector-all  Adds a guard variable (aka canary) to functions that are initialized when a function is entered and checked when exited. If a guard check fails the program exits.  Visual Studio Switches ◦ /GS  Shadowing to protect class member definitions, stack data reordering to protect function pointers

◦ /sdl – Superset of /GS, expands scope and treats select security warnings as errors “Compiler Security Enhancements in Visual Studio 11”, SDL Team, MSDN, Dec. 2, 2011

 Binary Obfuscation ◦ volatile keyword “Binary Obfuscation from the Top Down”, Sean Taylor

 Binary Obfuscation ◦ volatile keyword

 Compiler Vulnerabilities ◦ Insecure Compiler Optimization  Improperly removing sensitive data from memory  Dead store removal - code that is used to overwrite memory is removed by the compiler  Compiler backdoors ◦ Modifying compiler to recognize specific code while compiling and include a backdoor in the output  Ken Thompson - “Reflections on Trusting Trust” describes modified C compiler that would backdoor the login command to accept backdoor password

 Compiler/hardware approaches to embedded systems security [1] ◦ Secure compiler inserts hidden code into the compiled code that is validated during run-time by hardware  Security-preserving compiler for distributed programs [2] ◦ Four stages: slicing, control flow protection (to keep track of state), replication (implement distributed program variables as local replicas), and cryptography (insert crypto operations to protect variable changes)

 [1] “Performance Study of a Compiler/Hardware Approach to Embedded Systems Security”, Kripashankar Mohan, Bhagi Narahari, Rahul Simha, Paul Ott1,Alok Choudhary, and Joe Zambreno  [2] “A Security-Preserving Compiler for Distributed Programs From Information-Flow Policies to Cryptographic Mechanisms”, Cédric Fournet, Gurvan Le Guernic, Tamara Rezk

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.