Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

Slides:

Advertisements

Similar presentations

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Advertisements

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Moving Target Defense in Cyber Security

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

Review: Software Security David Brumley Carnegie Mellon University.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

CS 104 Introduction to Computer Science and Graphics Problems

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

SQL Injection and Buffer overflow

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Lecture 16 Buffer Overflow

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

Address Space Layout Permutation

On the Effectiveness of Address-Space Randomization CS6V Brian Ricks and Vasundhara Chimmad.

A Novel Cache Architecture with Enhanced Performance and Security Zhenghong Wang and Ruby B. Lee.

CMPE 421 Parallel Computer Architecture

1 “Operating System Protection Through Program Evolution” Dr. Frederick B. Cohen “…one of the major reasons attacks succeed is because of the static nature.

Computer Security and Penetration Testing

Hardware Assisted Control Flow Obfuscation for Embedded Processors Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande HIDE: An Infrastructure.

Mitigation of Buffer Overflow Attacks

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Standard Template Library The Standard Template Library was recently added to standard C++. –The STL contains generic template classes. –The STL permits.

CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.

A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.

Introduction to Information Security ROP – Recitation 5.

Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :

On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.

Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense.

By: Chuqing He. Android Overview - Purchased by Google in First Android Phone was sold in Oct Linux-based - Holds 75% of the worldwide.

@Yuan Xue Worm Attack Yuan Xue Fall 2012.

Introduction to Information Security

Secure Programming Dr. X

Mitigation against Buffer Overflow Attacks

Remix: On-demand Live Randomization

Protecting Memory What is there to protect in memory?

Secure Programming Dr. X

Protecting Memory What is there to protect in memory?

Introduction to Information Security

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR

CSC 495/583 Topics of Software Security Stack Overflows (2)

CSC 495/583 Topics of Software Security Return-oriented programming

CMSC 414 Computer and Network Security Lecture 21

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

The Von Neumann Machine

Understanding and Preventing Buffer Overflow Attacks in Unix

Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization Nathaniel Enos.

Presentation transcript:

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented by Samuel Suddath

Introduction  Problem: detailed knowledge of code layout is required to execute a code reuse attack, such as what code is in memory, and where in memory the code is located.  In order to provide security, systems diversify code to make such attacks harder: having an element of randomness or change to where code is located, or even what code is used.  These techniques rely on the assumption that since the attacker cannot read the code in memory, then he cannot know what code is there nor where it is located, resulting in the attacker not being able to reliably exploit the code.  Two answers: Entropy Attacks and Memory Disclosure Vulnerabilities

Entropy Attacks  Are brute force attacks  Attempt to exploit diversification techniques that do not introduce enough randomness  Will eventually allow the hacker to guess how code has been diversified  Countered by diversification techniques with high degrees of complexity and randomness

Memory Disclosure Vulnerabilities  Allow a hacker to read contents of memory directly and dynamically during runtime  Allows a hacker to know exactly how code has been diversified without guessing  Requires finding two specialized vulnerabilities: read and writing to unintended memory.

Code Diversification Methods  Address Space Layout Randomization (ASLR) -base address of stack, heap, and libraries are randomized  Replace instructions with other equivalent ones  Virtual Machine that tracks the order instructions are executed, then fetches and decodes them as necessary.  Insert NOP instructions randomly into compiler emitted code  Randomize order of instructions in code

Side Channel Attacks on Cryptography  Timing- execution time can be used to infer a secret key  Fault Analysis- faults can be induced which corrupt memory and allow the secret key to be inferred through analyzing output  Cache- Cache hits and misses can leak information about execution time and allow cryptographic keys to be inferred  Physical- there are many attacks that can only be performed when the hacker has physical access to the target machine, where the hacker uses various physical information streams(power usage, sound output, EM field) to discern the secret key.

How They Work  Hackers choose either a memory address and attempt to locate the gadget there, or choose a gadget and attempt to find its location  Hackers must be able to receive feedback, either through a network or through a scripting environment.  If gadgets can be accessed, they can be used to build an info-leak attack  Most exploits require code that handles crashes by restarting, as invalid memory access faults are caused often by the attack

Fault Analysis Attacks  Works by sending a “payload”, receiving the result of the execution, and then interpret the return. The repeated execution of this attack can be used to reveal where the executed code is located.  Types:  Overwrite Data: overwrite data used as an index to determine where in memory code is located  Overwrite Data Pointer: overwrite a data pointer so that a computation is done on a specific memory location, revealing where and what changes have been made to code.  Overwrite Code Pointer: overwrite a code pointer to cause a computation resulting in a result that could be distinct to a single piece of code.

Timing Attacks  Start a timer, send the “payload”, receive a signal upon completion of execution, stop the timer. The timing can reveal information about the code.  Types:  Crafted Input: similar to timing attacks in cryptography, sends specific series of inputs to execute different code paths  Overwrite Data: allows the hacker to modify certain variables to execute specific pieces of code.  Overwrite Data Pointer: overwrite a data pointer to reveal memory contents through a timed execution  Overwrite Code Pointer: control flow is manipulated by overwriting code pointers like return addresses and function pointers.

Effectiveness  USS – uncertainty set size  Determining the location of distinct gadgets using byte sequences like 0x00 and 0xff  Return Locations- knowing these locations allow the hacker to determine which function they are exploiting  Output can be used to determine what was executed using fault analysis and timing analysis.  Timing is most likely accessible to the hacker, and while it doesn’t provide as much information as other attacks, can still identify executed functions.

Uses of Side Channels  Most commonly used as a stepping stone to other attacks, providing information on executed functions and memory locations making other attacks possible.  Once gadget locations have been found using side channels, those gadgets can be used to find others in Libc

Defenses  Complete Memory Safety  Re-randomizing pages during execution  Data Space Randomization  Instruction Set Randomization  Insertion of dead code that does not modify execution time  Normalizing every measurement to be the same, preventing timing exploits from leaking data.