Defending against Return-Oriented Programming

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.
SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.
University of Maryland Compiler-Assisted Binary Parsing Tugrul Ince PD Week – 27 March 2012.
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:
Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.
Vasileios P. Kemerlis, Georgios Portokalidis, Angelos D. Keromytis Network Security Lab, Department of Computer Science, Columbia University, USA 21 st.
Mitigation of Buffer Overflow Attacks
EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Detecting Code Reuse Attacks with a Model of Conformant Program Execution Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller Computer.
CS457 – Introduction to Information Systems Security Projects Elias Athanasopoulos
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
 Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar.
Exploitation possibilities of memory related vulnerabilities
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
CNIT 127: Exploit Development Ch 1: Before you begin.
Introduction to Information Security ROP – Recitation 5.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.
Full and Para Virtualization
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Correct RelocationMarch 20, 2016 Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat
Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
Introduction to Information Security
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Return Oriented Programming
Instruction Set Architecture
EnGarde: Mutually Trusted Inspection of SGX Enclaves
Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry*
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Introduction to Compilers Tim Teitelbaum
CSC 495/583 Topics of Software Security Return-oriented programming
CMSC 414 Computer and Network Security Lecture 21
Q: Exploit Hardening Made Easy
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Information Security - 2
Hiding Malware Rootkits
Week 2: Buffer Overflow Part 2.
CSE451 Virtual Memory Paging Autumn 2002
Dynamic Binary Translators and Instrumenters
Return-to-libc Attacks
Presentation transcript:

Defending against Return-Oriented Programming Vasilis Pappas Columbia University

Machine code level attacks DEP/NX Code injection Code reuse code static data dynamic data (stack/heap) code static data dynamic data (stack/heap) R-X ✖ R-X ✖ R-X R-- RWX RW- exec. code ctrl. data Attacker controlled ✖ Control flow vulnerability Control transfer Indirect use of data 6/4/2014 Vasilis Pappas - Columbia University

Invariants & characteristics Knowledge of code layout Need to know in order to re-use Unrestricted indirect branches Use them to synthesize code fragments Goal: Break them! 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Overview Background In-place code randomization Indirect branch tracing Combination Summary 6/4/2014 Vasilis Pappas - Columbia University

History of code-reuse attacks 2007, Shacham* Return-oriented programming 1997, Solar Designer First ret2lib exploit 2001, Nergal Advanced ret2lib 1995 2000 2005 2010 1999, McDonald ret2lib on Sparc 2005, Stealth Borrowed code chunks 2010, Shacham* ROP without returns * Academic work 6/4/2014 Vasilis Pappas - Columbia University

Return-Oriented Programming Stack Code Actions 0xb8800000 0x00000001 0xb8800010 0x00000002 0xb8800020 0x00400000 0xb8800030 0xb8800000: pop eax ret ... 0xb8800010: pop ebx 0xb8800020: add eax, ebx 0xb8800030: mov [ebx], eax esp eax = 1 ebx = 2 eax += ebx ebx = 0x400000 *ebx = eax Define gadgets. Attackers can use them, may correspond to intended or unintended instruction sequences. Turing complete! Emphasis on invariants/characteristics. 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University ROP Defenses ROPdefender [DSW11] DROP [CXS+09] DROP++ [CXH+11] Bin. Stirring [WMH+12] Orp [PPK12] ILR [HTC+12] CCFIR [ZWC+13] CFI-COTS [ZS13] Low High Performance Overhead G-Free [OBL+10] Return-less [LWJ+10] CFL [BJF11] Source code Disassembly No modification Requires Program binary Source code Requires 6/4/2014 Vasilis Pappas - Columbia University

In-Place Code Randomization [S&P ’12] Extend ASLR to a finer-grained level Applicable on third-party applications (Practically) Zero performance overhead Source code (Python): http://nsl.cs.columbia.edu/projects/orp 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Why in-place? Randomization usually changes the code size Need to update the control-flow graph (CFG) But, accurate static disassembly of stripped binaries is hard Incomplete CFG (data vs. code) Code resize not an option Must randomize in-place! 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Randomizations Instruction Substitution Instruction Reordering Intra Basic Block Register Preservation Code Register Reassignment 6/4/2014 Vasilis Pappas - Columbia University

Instruction Substitution add [edx],edi ret B0 01 3A C3 8D 45 80 50 68 mov al,0x1 cmp al,bl lea eax,[ebp-0x80] add [eax],edi Mention that this is part of the original code! fmul [ebp+0x68508045] B0 01 38 D8 8D 45 80 50 68 mov al,0x1 cmp bl,al lea eax,[ebp-0x80] 6/4/2014 Vasilis Pappas - Columbia University

Instruction Reordering (Intra BBL) 8B 41 10 mov eax,[ecx+0x10] 53 push ebx 8B 59 0C mov ebx,[ecx+0xC] 59 push ebx 0C 3B or al,0x3B C3 ret 3B C3 cmp eax,ebx 89 41 08 mov [ecx+0x8],eax 7E 4E jle 0x5c 6/4/2014 Vasilis Pappas - Columbia University

Instruction Reordering (Intra BBL) 8B 41 10 mov eax,[ecx+0x10] 53 push ebx 8B 59 0C mov ebx,[ecx+0xC] 3B C3 cmp eax,ebx 41 inc ecx 10 89 41 08 3B C3 adc [ecx-0x3CC4F7BF],cl 89 41 08 mov [ecx+0x8],eax 7E 4E jle 0x5c 6/4/2014 Vasilis Pappas - Columbia University

Register Preservation Code Reordering push ebx push esi mov ebx,ecx push edi mov esi,edx . pop edi pop esi pop ebx ret push edi push ebx push esi mov ebx,ecx mov esi,edx . pop esi pop ebx pop edi ret Prolog Epilog 6/4/2014 Vasilis Pappas - Columbia University

Register reassignment Live regions function: push esi push edi mov edi,[ebp+0x8] mov eax,[edi+0x14] test eax,eax jz 0x4A80640B mov ebx,[ebp+0x10] push ebx lea ecx,[ebp-0x4] push ecx call eax ... eax edi function: push esi push edi mov eax,[ebp+0x8] mov edi,[edi+0x14] test edi,edi jz 0x4A80640B mov ebx,[ebp+0x10] push ebx lea ecx,[ebp-0x4] push ecx push eax call edi ... 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Evaluation Correctness and performance Execute Wine’s test suite using randomized versions of Windows DLLs Randomization coverage Effectiveness against real-world exploits Robustness against ROP compilers After explaining wine test, mention that this is where we also measured performance 6/4/2014 Vasilis Pappas - Columbia University

Randomization Coverage Dataset: 5,235 PE files (~0.5GB code) from Windows, Firefox, iTunes and Reader 6/4/2014 Vasilis Pappas - Columbia University

Exploit/Reusable Payload Real-World Exploits Exploit/Reusable Payload Unique Gadgets Modifiable Adobe Reader v9.3.4 11 6 Integard Pro v2.2.0 16 10 Mplayer Lite r33064 18 7 msvcr71.dll (White Phosphorus) 14 9 msvcr71.dll (Corelan) 8 mscorie.dll (White Phosphorus) 4 mfc71u.dll (Corelan) Modifiable gadgets were not always directly replaceable! 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University ROP Compilers Is it possible to create a randomization-resistant payload? mona.py constructs DEP+ASLR bypassing code Allocate a WX buffer, copy shellcode and jump Q is the state-of-the-art ROP compiler [SAB11] Designed to be robust against small gadget sets 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University ROP Compilers Results Non-ASLR Code Base Mona Orig. Rand. Q Orig. Rand. Adobe Reader v9.3.4 ✓ ✗ Integard Pro v2.2.0 Mplayer Lite r33064 msvcr71.dll mscorie.dll mfc71u.dll Both failed to construct payloads from non-randomized code! 6/4/2014 Vasilis Pappas - Columbia University

Indirect branch tracing [Usenix S. ’13] Detect and prevent ROP code execution by monitoring executed indirect branches Transparent Applicable on third-party applications Compatible with code signing, self-modifying code, JIT, … Lightweight Up to 4% overhead when artificially stressed, practically zero Effective Prevents real-world exploits 6/4/2014 Vasilis Pappas - Columbia University

ROP Code Runtime Properties Illegal ret instructions that target locations not preceded by call sites Abnormal condition for legitimate program code Sequences of relatively short code fragments “chained” through any kind of indirect branch Always holds for any kind of ROP code 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Illegal Returns Legitimate code: ret transfers control to the instruction right after the corresponding call  legitimate call site ROP code: ret transfers control to the first instruction of the next gadget  arbitrary locations Main idea: Runtime monitoring of ret instructions’ targets 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Gadget Chaining Advanced ROP code may avoid illegal returns Rely only on call-preceded gadgets (just 6% of all ret gadgets in our experiments) “Jump-Oriented” Programming (non-ret gadgets) Look for a second ROP attribute: Several short instruction sequences chained through (any kind of) indirect branches 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Gadget Chaining mov eax,ebx add ebx,100 ret Look for consecutive indirect branch targets that point to gadget locations Conservative gadget definition: up to 20 instructions Typically 1-5 pop edi mov esi,edi ret sub esi,8 push esi call esi pop edi pop esi ret 6/4/2014 Vasilis Pappas - Columbia University

Last Branch Record (LBR) Introduced in the Intel Nehalem architecture Stores the last 16 executed branches in a set of model-specific registers (MSR) Can filter certain types of branches (relative/indirect calls/jumps, returns, ...) Multiple advantages Zero overhead for recording the branches Fully transparent to the running application Does not require source code or debug symbols Can be dynamically enabled for any running application 6/4/2014 Vasilis Pappas - Columbia University

Monitoring Granularity Non-zero overhead for reading the LBR stack (accessible only from kernel level) Lower frequency  lower overhead ROP code can run at any point Higher frequency  higher accuracy 6/4/2014 Vasilis Pappas - Columbia University

Monitoring Granularity Meaningful ROP code will eventually interact with the OS through system calls Check for abnormal control transfers on system call entry 6/4/2014 Vasilis Pappas - Columbia University

Gadget Chaining: Legitimate Code detection threshold Relevant for JOP/ call-preceded ROP (if any gadget is ret, that’s it) Large dataset using common applications 80K vs. 100M * Dataset from: Internet Explorer, Adobe Reader, Flash Player, Microsoft Office (Word, Excel and PowerPoint) 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Runtime Overhead 1% avg. 4% max 100K vs. 80K for all the other programs Wine test suite 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Effectiveness Successfully prevented real-world exploits in Adobe Reader XI (zero-day!) Adobe Reader 9 Mplayer Lite Internet Explorer 9 Adobe Flash 11.3 … 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Limitations In-place code randomization misses ~20% of the gadgets Still possible to construct a ROP payload Indirect branch tracing only checks the last 16 gadgets, up to 20 instructions Still possible to find longer call-preceded or non-return gadgets 6/4/2014 Vasilis Pappas - Columbia University

Combination + = In-place code randomization breaks Knowledge of code layout Indirect branch tracing breaks Unrestricted indirect branches + = Break longer gadgets more easily Detect non-randomized gadgets 6/4/2014 Vasilis Pappas - Columbia University

Randomizing long gadgets Software 1-5 Instr. Gadgets Total Modifiable (%) 20-50 Instr. Gadgets Adobe Reader 1,207K 943K (78.1) 101K 99K (98.1) Firefox 455K 381K (83.7) 46K 45K (98.7) iTunes 373K 293K (78.5) 43K 42K (97.4) Windows XP 7,897K 6,452K (81.7) 636K 627K (98.5) Windows 7 15,703K 12,970K (82.6) 1,583K 1,551K (98.0) Total 25,636K 21,041K (82.1) 2,412K 2,366K (98.1) 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Summary Designed, developed and evaluated techniques against ROP Their combination maximizes protection coverage, while complementing each other Although not perfect, significantly raise the bar at almost no cost! 6/4/2014 Vasilis Pappas - Columbia University

Backup

Vasilis Pappas - Columbia University Publications Vasilis Pappas, Fernando Krell, Binh Vo, Vladimir Kolesnikov, Tal Malkin, Seung Geol Choi, Wesley George, Angelos D. Keromytis, and Steven M. Bellovin. Blind Seer: A scalable private DBMS. In Proceedings of the 35rd IEEE Symposium on Security & Privacy (S&P), May 2014. Vasilis Pappas, Vasileios P. Kemerlis, Angeliki Zavou, Michalis Polychronakis, and Angelos D. Keromytis. CloudFence: Data flow tracking as a cloud service. In Proceedings of the 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), October 2013. Marco V. Barbera, Vasileios P. Kemerlis, Vasilis Pappas, and Angelos D. Keromytis. CellFlood: Attacking tor onion routers on the cheap. In Proceedings of the 18th European Symposium on Research in Computer Security (ESORICS), September 2013. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In Proceedings of the 22nd USENIX Security Symposium, August 2013. Angeliki Zavou, Vasilis Pappas, Vasileios P. Kemerlis, Michalis Polychronakis, Georgios Portokalidis, and Angelos D. Keromytis. Cloudopsy: an autopsy of data flows in the cloud. In Proceedings of the 15th International Conference on Human-Computer Interaction (HCI), July 2013. Eleni Gessiou, Vasilis Pappas, Elias Athanasopoulos, Angelos D. Keromytis, and Sotiris Ioannidis. Towards a universal data provenance framework using dynamic instrumentation. In Proceedings of the 27th IFIP International Information Security and Privacy Conference (SEC), June 2012. Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proceedings of the 33rd IEEE Symposium on Security & Privacy (S&P), May 2012. Vasilis Pappas, Mariana Raykova, Binh Vo, Steven M. Bellovin, and Tal Malkin. Private search in the real world. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC), December 2011. Vasilis Pappas and Angelos D. Keromytis. Measuring the deployment hiccups of dnssec. In Proceedings of the 1st International Conference on Advances in Computing and Communications (ACC), July 2011. Vasilis Pappas, Brian M. Bowen, and Angelos D. Keromytis. Evaluation of a spyware detection system using thin client computing. In Proceedings of the 13th International Conference on Information Security and Cryptology (ICISC), November 2010. Vasilis Pappas, Brian M. Bowen, and Angelos D. Keromytis. Crimeware swindling without virtual machines. In Proceedings of the 13th Information Security Conference (ISC), October 2010. Vasileios P. Kemerlis, Vasilis Pappas, Georgios Portokalidis, and Angelos D. Keromytis. iLeak: A lightweight system for detecting inadvertent information leaks. In Proceedings of the 6th European Conference on Computer Network Defense (EC2ND), October 2010. 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Future directions Extend work to other architectures ARM, MIPS, etc. Add more randomization schemes E.g., basic block shuffling Restrict and add more indirect branching rules Check ret targets of directly-only called functions Check indirect call/jump targets 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Illegal Returns Ensure that ret instructions target valid call sites Even those of non-intended call instructions More relaxed constraint compared to call-ret pairing (e.g., using a shadow stack) Compatible with constructs that break call-ret pairing setjmp/longjmp PIE call/pop getPC code Tail call optimizations Windows fibers Simple implementation Just check whether the target is preceded by a call instruction No need to track call instructions or keep state 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Implementation Working prototype for Windows 7 x64 SP1 API interception using Detours instead of syscall interposition Uses only the Windows SDK and DDK (no third-party code) 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Flow chart 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Allowed ret gadgets 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University System vs. API Call 6/4/2014 Vasilis Pappas - Columbia University

Vasilis Pappas - Columbia University Refined Checking 6/4/2014 Vasilis Pappas - Columbia University

Jump-Oriented Programming * Figure copied from: Tyler Bletsch et al., Jump-oriented programming: a new class of code-reuse attack. 6/4/2014 Vasilis Pappas - Columbia University

Dynamic relocations reconstruction Binaries without relocation information can only be loaded in their preferred base Relocations enable address space layout randomization and improve disassembly accuracy 0xc0000000 New Handle accesses and branches transparently at runtime by manipulating the page table 0x00400000 Original Original 0x00000000 6/4/2014 Vasilis Pappas - Columbia University

LBR example: Adobe Flash exploit 5/14/2013 Vasilis Pappas - Columbia University

Extending the LBR: “Push Back” The LBR size is limited (currently, 16 entries) Virtually extend the LBR stack Whenever a checkpoint is triggered, add a new one as far back on the execution path as possible Prevents the reuse of long execution paths that lead to system calls Validate “known” execution paths 5/14/2013 Vasilis Pappas - Columbia University

Pushing Back Checkpoints ✓ = LBR = branch ✓ = checkpoint ✓ ✓ ✓ ✓ ✓ Extend LBR, or validate execution paths. The new mode of LBR might be helpful here. ✓ ✓ ✓ kernel ✓ 5/14/2013 Vasilis Pappas - Columbia University

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.