Non-Control-Data Attacks and Securing software by enforcing data-flow integrity. Zhiqiang Lin, Mar 28, 2007, CS590 paper presentation.


Slide 2: Non-Control-Data Attacks Are Realistic Threats
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. USENIX Security '05.
Outline: Overview, Examples, Discussions, Data-flow Integrity, Conclusions
Credit: most slides of this presentation come from Shuo Chen's.

Slide 3: Control Data Attack: Well-Known, Dominant
- Control-data attack: corrupt function pointers, jump targets and return addresses to run malicious code
    - E.g., code injection, mimicry attacks and return-to-libc
- Currently the most dominant form of memory corruption attack [CERT and Microsoft Security Bulletin]
    - Mounted by exploiting many kinds of vulnerabilities: buffer overflow, format string bug, integer overflow, double free, etc.

Slide 4: Current defense techniques
- Enforce control-data integrity to provide security.
- (Figure: "Legal control flow?"; the diagram is not reproduced in this transcript.)

Slide 5: Non-Control-Data Attack
- Non-control-data attacks: attacks that do not corrupt any control data
    - i.e., attacks that preserve the integrity of the control flow of the victim process
- Currently very rare in reality
    - Very few instances documented in the literature.
    - Several papers: theoretically possible to construct non-control-data attacks against synthetic programs.
    - Not yet considered a serious threat
- How applicable are such attacks against real-world software?
    - Why rare: attackers' incapability, or lack of incentives?
    - No focused investigation yet.

Slide 6: Motivating Facts
- Random hardware memory errors can subvert the security of real-world systems.
    - Boneh and DeMillo: random errors allow deriving secret keys from a CRT-based RSA implementation. [Eurocrypt '97]
    - The authors' previous work: authentication in SSH and FTP servers and packet filtering in Linux firewalls can be compromised. [DSN '01 and DSN '02]
    - Govindavajhala and Appel: the Java type system can be subverted. [S&P '03]
    - None of these is a control-data attack, and a wide range of real-world software is susceptible.
- Software vulnerabilities are more deterministic than hardware faults and therefore more amenable to attacks. Many software vulnerabilities are essentially "memory fault injectors": they let the attacker overwrite an arbitrary memory location
    - Heap overflow
    - Double free
    - Format string bug
    - Integer overflow

Slide 7: General Applicability of Non-Control-Data Attacks
- The claim:
    - Many real-world software applications are susceptible to non-control-data attacks.
    - The severity of the attack consequences is equivalent to that of control-data attacks.
- Goal of their paper
    - Experimentally validate the claim: construct non-control-data attacks that compromise the security of "representative" applications
    - Discuss the implications of the claim for current defensive techniques
    - Call for comprehensive defensive techniques

Slide 8: Realistic Non-Control-Data Attacks (section: Examples)

Slide 9: Selection of Target Applications
- Real-world applications, not synthetic applications.
- Leading application categories in CERT advisories (2000-2004): 84% are server vulnerabilities
    - HTTP service (18%), database service (10%), remote login service (8%), mail service (5%), FTP service (4%).
- Selection criteria
    - Different types of vulnerabilities should be covered
    - Different types of server applications should be studied
- Practical constraints on the selection
    - Uncertainties in many vulnerability reports: really exploitable?
    - Proprietary source code
    - Limited information about the details of many vulnerabilities
- Eventually, they selected
    - Open-source FTP, SSH, Telnet and HTTP servers
    - Stack buffer overflow, format string, heap corruption and integer overflow bugs.

Slide 10: 1. Non-Control-Data Attack against WU-FTPD Server (via a format string bug)

    int x;
    FTP_service(...) {
        authenticate();
        x = user ID of the authenticated user;
        seteuid(x);
        while (1) {
            get_FTP_command(...);
            if (a data command?)
                getdatasock(...);
        }
    }
    getdatasock(...) {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Trace of the attack (the callouts on the slide):
- At entry x is uninitialized and the server runs as EUID 0.
- After authenticate(), x = 109, still EUID 0; seteuid(x) then makes the server run as EUID 109. It loses the root privilege!
- Get a data command (e.g., PUT): getdatasock() does seteuid(0), setsockopt(), seteuid(x); with x = 109 the server is back to EUID 109.
- Get a special SITE EXEC command that exploits the format string vulnerability to overwrite x: now x = 0, but the server still runs as EUID 109.
- Get another data command: getdatasock() does seteuid(0) and then seteuid(x) with x = 0, so the server now runs as EUID 0. When it returns to the service loop it still runs as EUID 0 (root).
- This allows the attacker to upload /etc/passwd: "We can grant ourselves the root privilege!"
- Only an integer is corrupted: this is not a control-data attack.

Slide 11: 2. Non-Control-Data Attack against NULL-HTTP Server (via a heap overflow bug)
- Attack the configuration string holding the CGI-BIN path.
- Mechanism of CGI (the server name is omitted on the slide)
    - Suppose CGI-BIN = /usr/local/httpd/exe
    - The requested URL ends in /bar
    - The server executes /usr/local/httpd/exe/bar
- The attack
    - Exploit the vulnerability to overwrite CGI-BIN with /bin
    - Request a URL that ends in /sh
    - The server executes /bin/sh: "The server gives me a root shell!"
- Only four characters of the CGI-BIN string are overwritten.

Slide 12: 3. Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug)

    void do_authentication(char *user, ...) {
        int auth = 0;
        ...
        while (!auth) {
            /* Get a packet from the client */
            type = packet_read();
            switch (type) {
                ...
                case SSH_CMSG_AUTH_PASSWORD:
                    if (auth_password(user, password))
                        auth = 1;
                case ...
            }
            if (auth) break;
        }
        /* Perform session preparation. */
        do_authenticated(...);
    }

Trace of the attack (the callouts on the slide):
- auth = 0 at entry.
- The integer overflow bug lets the attacker overwrite the stack variable auth with 1: the password is incorrect, but auth = 1.
- The loop exits with auth = 1 and do_authenticated() runs: logged in without the correct password.

Slide 13: 4. More Non-Control-Data Attacks
- Against the NetKit Telnet server (the default Telnet server of Red Hat Linux)
    - Exploit a heap overflow bug
    - Overwrite two strings, so that the command line changes from
        /bin/login -h foo.com -p    (normal scenario)
      to
        /bin/sh -h -p -p            (attack scenario)
    - The server runs /bin/sh when it tries to authenticate the user.
- Against the GazTek HTTP server
    - Exploit a stack buffer overflow bug
    - Send a legitimate URL; the server checks that "/.." is not embedded in the URL
    - Exploit the bug to change the already-checked URL (the replacement URL is omitted on the slide)
    - The server executes /bin/sh

Slide 14: What Do Non-Control-Data Attacks Imply?
- Control-flow integrity is not a sufficiently accurate approximation of software security.
- Many types of non-control data are critical to security
    - User identity data
    - Configuration data
    - User input data
    - Decision-making data
- Once attackers have the incentive, they are likely to succeed with non-control-data attacks.

Slide 15: Securing software by enforcing data-flow integrity (section: Data-flow Integrity)
Miguel Castro, Microsoft Research; Manuel Costa, Microsoft Research Cambridge; Tim Harris, Microsoft Research. OSDI '06.

Slide 16: Motivation
- Most of the software in use today is written in C or C++.
- This body of software has a large number of defects, and there are many ways to exploit these defects, such as corrupting control data.
- Removing or avoiding all defects is hard. Although it is possible to prevent attacks based on control-data exploits, certain attacks succeed without compromising control flow, in particular the non-control-data attacks just described.

Slide 17: Basic Idea: Data-Flow Integrity (DFI)
- A technique that computes a data-flow graph for a vulnerable program at compile time, and instruments the program to ensure that the flow of data at run time is allowed by that graph.
- It can be applied to existing C and C++ programs automatically: it requires no source modifications and it does not generate false positives.

Slide 18: DFI: High-level Overview (1/2)
- Analysis part
    - Use reaching-definitions analysis to compute a data-flow graph at compile time.
    - For every load, compute the set of stores that may produce the loaded data.
    - An ID is assigned to every store operation, and for each load the set of allowed IDs is computed.
- In compiler theory, a reaching definition for a given instruction is another instruction whose target variable may reach the given instruction without an intervening assignment.
    - Example 1: d1: y := 3; d2: x := y. Here d1 reaches the use of y in d2.
    - Example 2: d1: y := 3; d2: y := 4; d3: x := y. Here d2 kills d1, so only d2 reaches the use of y in d3.

Slide 19: DFI: High-level Overview (2/2)
- Enforcing part (the results of the analysis are used to add run-time checks that enforce data-flow integrity)
    - Stores are instrumented to write their ID into the runtime definition table (RDT). The RDT keeps track of the last store that wrote each memory location.
    - Loads are instrumented to check whether the store ID recorded in the RDT for the loaded location is in the load's set of allowed definitions. If the ID is not in the set, an exception is raised.

Slide 20: Example vulnerable code in C and its high-level intermediate representation (Phoenix compiler infrastructure). (Figure not reproduced in this transcript.)

Slide 21: Static Analysis
- Compute reaching definitions using a combination of two analyses:
    - a flow-sensitive intra-procedural analysis
    - a flow-insensitive and context-insensitive inter-procedural analysis.
- Both operate on Phoenix's high-level intermediate representation.
- For the example of slide 20, the set of reaching definitions is {1, 8} for both uses of authenticated (in lines 2 and 10).
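To show where a set such as {1, 8} comes from, here is an added example (not the paper's Phoenix analysis and not code from the slides) that runs the classic iterative reaching-definitions algorithm over a hand-built control-flow graph of the do_authentication loop. The basic blocks, the definition IDs (1, 4 and 8 were chosen so that the auth definitions match the slide's {1, 8}) and the variable numbering are all assumptions made for this example; a real DFI compiler derives them from the IR and also handles pointers through the inter-procedural points-to analysis, which this model omits.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: intra-procedural reaching definitions over a constructed CFG.
 * Definitions are identified by small integer IDs and kept in 16-bit bitsets,
 * so definition IDs must be < 16 for this toy. */

#define NBLOCKS 5
typedef uint16_t defset;   /* bit i set <=> the definition with id i is in the set */

enum { VAR_AUTH = 0, VAR_PACKET = 1 };

/* Definition table: id -> variable it writes (IDs are assumed, see lead-in) */
static const struct { int id; int var; } defs[] = {
    { 1, VAR_AUTH },    /* auth = 0                (entry block)     */
    { 4, VAR_PACKET },  /* PacketRead(packet)      (loop body)       */
    { 8, VAR_AUTH },    /* auth = 1                (on success)      */
};
#define NDEFTAB (sizeof defs / sizeof defs[0])

struct block {
    defset gen;         /* definitions generated in this block          */
    int nsucc;          /* number of successors                         */
    int succ[2];        /* successor block indices                      */
};

/* Constructed CFG of the do_authentication loop:
 *  B0: auth = 0 (d1)                                        -> B1
 *  B1: while (!auth)           [load of auth]               -> B2, B4
 *  B2: PacketRead(packet) (d4); if (Authenticate(packet))   -> B3, B1
 *  B3: auth = 1 (d8)                                        -> B1
 *  B4: if (auth) ProcessPacket(packet)  [load of auth]      (exit)   */
static const struct block cfg[NBLOCKS] = {
    { 1u << 1, 1, {1, 0} },
    { 0,       2, {2, 4} },
    { 1u << 4, 2, {3, 1} },
    { 1u << 8, 1, {1, 0} },
    { 0,       0, {0, 0} },
};

static defset in_set[NBLOCKS], out_set[NBLOCKS];

/* All definitions of one variable */
static defset defs_of_var(int var)
{
    defset s = 0;
    for (size_t i = 0; i < NDEFTAB; i++)
        if (defs[i].var == var)
            s |= (defset)(1u << defs[i].id);
    return s;
}

/* kill[b]: other definitions of the variables that b redefines */
static defset kill_of(defset gen)
{
    defset k = 0;
    for (size_t i = 0; i < NDEFTAB; i++)
        if (gen & (1u << defs[i].id))
            k |= defs_of_var(defs[i].var);
    return (defset)(k & ~gen);
}

/* Forward dataflow to a fixpoint:
 *   in[b]  = union of out[p] over predecessors p
 *   out[b] = gen[b] | (in[b] & ~kill[b])                                 */
void reaching_definitions(void)
{
    for (int b = 0; b < NBLOCKS; b++)
        in_set[b] = out_set[b] = 0;
    int changed = 1;
    while (changed) {
        changed = 0;
        for (int b = 0; b < NBLOCKS; b++) {
            defset in = 0;
            for (int p = 0; p < NBLOCKS; p++)
                for (int s = 0; s < cfg[p].nsucc; s++)
                    if (cfg[p].succ[s] == b)
                        in |= out_set[p];
            defset out = (defset)(cfg[b].gen | (in & ~kill_of(cfg[b].gen)));
            if (in != in_set[b] || out != out_set[b]) {
                in_set[b] = in;
                out_set[b] = out;
                changed = 1;
            }
        }
    }
}

/* The set DFI would attach to a CHECKDEF of `var` at the entry of `block`:
 * the definitions of that variable that reach the block */
defset allowed_defs(int block, int var)
{
    reaching_definitions();
    return (defset)(in_set[block] & defs_of_var(var));
}

int main(void)
{
    /* Expected: auth at B1 and B4 -> {1, 8}; packet at B4 -> {4} */
    printf("auth   at B1: 0x%03x\n", allowed_defs(1, VAR_AUTH));
    printf("auth   at B4: 0x%03x\n", allowed_defs(4, VAR_AUTH));
    printf("packet at B4: 0x%03x\n", allowed_defs(4, VAR_PACKET));
    return 0;
}
```

The loop back-edge B3 -> B1 is what puts d8 into the set at B1: in the first pass only d1 reaches the loop header, and the second pass adds d8 via out[B3]. A store that is not in the table at all (an out-of-bounds write from a different instruction) can never be in any allowed set, which is what the run-time check exploits.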

Slide 22: Instrumentation
- Two new instructions: SETDEF opnd id and CHECKDEF opnd setName.
    - The first sets the RDT entry for opnd to id.
    - The second retrieves the runtime definition identifier for opnd from the RDT and checks whether the identifier is in the reaching-definitions set named setName.
    - The compiler maintains a map from set names to set values that is used when lowering CHECKDEF instructions to the assembly of the target machine.

Slide 23: Instrumented Example Code
- (Figure: the code of slide 20 with SETDEF opnd id after each store and CHECKDEF opnd setName before each load; not reproduced in this transcript.)
- Note: before optimization, every store is instrumented with a SETDEF and every load with a CHECKDEF.
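To make the SETDEF/CHECKDEF mechanism concrete, here is an added example (not the paper's compiler-generated instrumentation and not code from the slides) that hand-instruments a model of the SSH do_authentication scenario of slide 12 and shows the check catching the overwritten auth flag. Everything in it is an assumption made for the example: the struct layout with the packet buffer directly before auth, a per-byte RDT (the paper indexes the RDT by address), the definition IDs 1, 3 and 8, the stand-in auth_password that only accepts the constructed password "letmein", and the constructed attack packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a hand-instrumented model of DFI enforcement. The
 * instrumented program's memory is one struct laid out like the SSH case:
 * a packet buffer followed by the non-control flag auth. The runtime
 * definition table (RDT) records, per byte of that memory, the ID of the
 * last store that wrote the byte. */

enum {
    DEF_NONE   = 0,
    DEF_INIT   = 1,   /* auth = 0 at function entry               */
    DEF_COPY   = 3,   /* the unchecked copy of the client packet  */
    DEF_AUTHOK = 8    /* auth = 1 after auth_password() succeeds  */
};

struct session {
    char packet[16];  /* attacker-controlled bytes land here ...           */
    int  auth;        /* ... and the decision-making flag sits right after */
};

static struct session mem;                  /* the instrumented program's memory */
static uint8_t rdt[sizeof(struct session)]; /* one RDT entry per byte of mem     */

/* SETDEF opnd id: record id as the last writer of every byte of opnd */
static void setdef(const void *opnd, size_t size, uint8_t id)
{
    size_t off = (size_t)((const unsigned char *)opnd - (const unsigned char *)&mem);
    memset(rdt + off, id, size);
}

/* CHECKDEF opnd set: every byte of opnd must have been written by one of the
 * definitions in the static reaching-definitions set; 1 = ok, 0 = violation */
static int checkdef(const void *opnd, size_t size, const uint8_t *set, size_t n)
{
    size_t off = (size_t)((const unsigned char *)opnd - (const unsigned char *)&mem);
    for (size_t i = 0; i < size; i++) {
        int allowed = 0;
        for (size_t j = 0; j < n; j++)
            if (rdt[off + i] == set[j])
                allowed = 1;
        if (!allowed)
            return 0;
    }
    return 1;
}

/* Stand-in for the server's password check; strncmp keeps the read inside
 * packet[] even when the buffer is not NUL-terminated */
static int auth_password(const char *pw)
{
    return strncmp(pw, "letmein", sizeof mem.packet) == 0;
}

/* Constructed attack packet: 16 filler bytes, then bytes that land on auth
 * and make it non-zero (1 on little-endian, 0x01000000 on big-endian) */
const unsigned char overflow_packet[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    1, 0, 0, 0
};

/* Instrumented do_authentication for one client packet.
 * Returns 1 if the server would treat the session as authenticated,
 * 0 if not, and -1 if the DFI check raises a violation (enforce_dfi != 0). */
int do_authentication(const unsigned char *payload, size_t len, int enforce_dfi)
{
    /* static reaching definitions of auth at its use below: {1, 8} */
    static const uint8_t auth_defs[] = { DEF_INIT, DEF_AUTHOK };

    memset(&mem, 0, sizeof mem);
    memset(rdt, DEF_NONE, sizeof rdt);

    mem.auth = 0;
    setdef(&mem.auth, sizeof mem.auth, DEF_INIT);          /* SETDEF auth 1 */

    /* The bug: the packet length is trusted, so a long packet spills past
     * packet[] into auth. The copy targets the whole struct so the model
     * stays well-defined C; in the real server this is an out-of-bounds
     * write. The store is instrumented like any other store. */
    if (len > sizeof mem)
        len = sizeof mem;
    memcpy(&mem, payload, len);
    setdef(&mem, len, DEF_COPY);                           /* SETDEF packet 3 */

    if (auth_password(mem.packet)) {
        mem.auth = 1;
        setdef(&mem.auth, sizeof mem.auth, DEF_AUTHOK);    /* SETDEF auth 8 */
    }

    /* CHECKDEF auth {1,8} before the load that decides the outcome */
    if (enforce_dfi && !checkdef(&mem.auth, sizeof mem.auth, auth_defs, 2))
        return -1;
    return mem.auth ? 1 : 0;
}

int main(void)
{
    printf("good password, DFI on:  %d\n", do_authentication((const unsigned char *)"letmein", 8, 1));
    printf("bad password,  DFI on:  %d\n", do_authentication((const unsigned char *)"wrong", 6, 1));
    printf("overflow,      DFI off: %d\n", do_authentication(overflow_packet, sizeof overflow_packet, 0));
    printf("overflow,      DFI on:  %d\n", do_authentication(overflow_packet, sizeof overflow_packet, 1));
    return 0;
}
```

Without enforcement the overflowed packet logs the attacker in, exactly as on slide 12, and no control data was touched. With enforcement the RDT entries for auth carry ID 3 (the copy), which is not in {1, 8}, so the load is refused even though the overwriting store was itself legitimate code.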

Slide 24: Optimizations
- Renaming equivalent definitions
- Removing bounds checks on writes
- Removing SETDEFs and CHECKDEFs
- Optimizing membership checks
- Removing SETDEFs for safe definitions

Slide 25: Evaluation: Performance (figure not reproduced in this transcript)

Slide 26: Evaluation: Space overhead (figure not reproduced in this transcript)

Slide 27: Evaluation: Performance (figure not reproduced in this transcript)

Slide 28: Evaluation: Effectiveness against attacks
- Synthetic attacks: Wilander's buffer overflow testbed
- NullHttpd: corrupting the cgi-bin configuration string
- SSH: overwriting a stack variable
- Stunnel: a format string attack (a control-data attack)
- No false positives

Slide 29: (section: Discussions)

Slide 30: Discussions on Current Defensive Techniques
- Defenses based on control-flow integrity
    - Monitor system call sequences
    - Protect control data
    - Non-executable stack and heap
- Pointer encryption (PointGuard)
    - Identifying pointers in low-level code is really challenging
- Address space randomization
    - Challenge: need to randomize every program segment
    - Limitation: a 32-bit address space cannot provide sufficient entropy
- Memory safety enforcement
    - Promising direction, e.g., CCured, Cyclone, CRED
    - Currently difficult to migrate existing large code bases to a memory-safe version. Incurs runtime overhead. Difficult to ensure memory safety for low-level code.
- Data-flow integrity
    - Effective against the control-data and non-control-data attacks tested
    - But high performance overhead: 1.5x to 2.7x
    - Open question: the precision of the points-to analysis in the inter-procedural analysis
- Still open: how to design a generic and secure defense?

Slide 31: Mitigating Factors
- Requiring application-specific semantic knowledge
    - Control-data attack: unrelated to the semantics of the victim process (hijack the control flow, do whatever you like)
    - Non-control-data attack: relies on the semantics of the victim process
    - Not a fundamental constraint
        - The semantics of widely used applications will be well understood if attackers have strong incentives
        - The more instances attackers see, the easier they can clone new ones. A matter of experience.
- Lifetime of security-critical data
    - Attacks are not possible if the vulnerabilities exist outside the lifetime of the target data.
    - Programs can be modified to reduce data lifetime to enhance security.

Slide 32: Reducing Data Lifetime for Security
Original WU-FTPD (the lifetime of x is global):

    siteexec() { ... }     /* SITE EXEC handler, where x gets corrupted */
    getdatasock() {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Modified WU-FTPD (the lifetime of the seteuid() argument is just the call to getdatasock()):

    siteexec() { ... }
    getdatasock() {
        tmp = geteuid();
        seteuid(0);
        setsockopt(...);
        seteuid(tmp);
    }
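The following added example (not WU-FTPD's code and not from the slides) replays the attack sequence of slide 10 against both versions of getdatasock() above, so the effect of the data-lifetime fix can be observed directly. It assumes a simulated process: a real seteuid() needs a root process, so the effective UID is a variable here, the UID 109 and the command letters are constructed, and the format-string write of the SITE EXEC exploit is modelled as a direct store of 0 into the global x, which is its only effect on the program's data.

```c
#include <stdio.h>

/* Added example: model of the WU-FTPD privilege-management pattern. */

static int euid;   /* simulated effective UID of the server process         */
static int x;      /* WU-FTPD's global copy of the authenticated user's UID  */

static void sim_seteuid(int uid) { euid = uid; }
static int  sim_geteuid(void)    { return euid; }

/* Original getdatasock(): regains root for setsockopt(), then "drops" back
 * to whatever the long-lived global x holds at that moment */
static void getdatasock_original(void)
{
    sim_seteuid(0);
    /* setsockopt(...) */
    sim_seteuid(x);
}

/* Modified getdatasock(): the UID to return to is read from the process at
 * the moment it is needed and lives only in this frame, so there is no
 * global security-critical value for a later bug to corrupt */
static void getdatasock_modified(void)
{
    int tmp = sim_geteuid();
    sim_seteuid(0);
    /* setsockopt(...) */
    sim_seteuid(tmp);
}

/* Replays a constructed FTP session and returns the EUID the service loop
 * is left with. Command letters: 'P' = a data command such as PUT, which
 * calls getdatasock(); 'S' = a SITE EXEC carrying the format-string payload
 * that overwrites x with 0. Any other letter is a command that touches
 * neither x nor the EUID. */
int run_session(const char *commands, int use_modified, int user_uid)
{
    sim_seteuid(0);            /* the server starts as root */
    x = 0;                     /* uninitialized in the original; modelled as 0 */

    /* authenticate(): remember the user's UID, then drop privilege */
    x = user_uid;
    sim_seteuid(x);

    for (const char *c = commands; *c != '\0'; c++) {
        switch (*c) {
        case 'P':
            if (use_modified)
                getdatasock_modified();
            else
                getdatasock_original();
            break;
        case 'S':
            x = 0;             /* the exploit corrupts one integer, nothing else */
            break;
        default:
            break;
        }
    }
    return sim_geteuid();
}

int main(void)
{
    printf("original, PUT:                 EUID %d\n", run_session("P",  0, 109));
    printf("original, SITE EXEC only:      EUID %d\n", run_session("S",  0, 109));
    printf("original, SITE EXEC then PUT:  EUID %d\n", run_session("SP", 0, 109));
    printf("modified, SITE EXEC then PUT:  EUID %d\n", run_session("SP", 1, 109));
    return 0;
}
```

The corruption alone changes nothing (the server is still EUID 109 after "S"); it is the later legitimate use of x in the original getdatasock() that turns it into root. In the modified version the same corruption is harmless because nothing reads x any more: the vulnerability now lies outside the lifetime of the data it can reach.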

Slide 33: Reducing Data Lifetime for Security
Original SSHD (the auth flag lives across loop iterations):

    do_authentication() {
        int auth = 0;
        while (!auth) {
            type = packet_read();
            switch (type) {
                case CMSG_AUTH_PASSWORD:
                    if (auth_password(passwd))
                        auth = 1;
                case ...
            }
            if (auth) break;
        }
        do_authenticated(pw);
    }

Modified SSHD (auth is reset right after the packet is read, so a value of auth corrupted before or during packet_read() is discarded before it is used):

    do_authentication() {
        int auth = 0;
        while (!auth) {
            type = packet_read();
            auth = 0;
            switch (type) {
                case CMSG_AUTH_PASSWORD:
                    if (auth_password(passwd))
                        auth = 1;
                case ...
            }
            if (auth) break;
        }
        do_authenticated(pw);
    }

Slide 34: (section: Conclusions)

Slide 35: Conclusions
- Many real-world software applications are susceptible to attacks that do not hijack program control flow.
- Constructing a generic and secure defensive technique that defeats both control-data and non-control-data attacks is still an open problem. (Is DFI the best so far?)

Slide 36: Conclusions
- Other possible methods:
    - "Reducing data lifetime is a secure programming practice to increase software resilience to attacks."
    - ...