1 cs205: engineering software university of virginia fall 2006 Image from GoldenBlue LLC. Hair-Dryer Attacks

2 cs205: engineering software Project Design Documents A description of your project: what it will do and why it is useful, fun, or interesting. A high-level description of your design, including a module dependency diagram showing the most important modules. A description of your implementation and testing strategy including: –how you will divide the work amongst your team –how you will order the work to support incremental development –how you will do unit testing and integration testing –a list of milestones and a schedule for achieving them, leading to a completed project on December 4 A list of questions

3 cs205: engineering software Friday’s Class Project Design Documents due at beginning of class Class will be at Undergraduate Research Symposium – Harrison Special Collections Library –1:00pm Adrienne Felt, “Disk-Level Malware Detection” –other talks: “Candomblé and Healthcare in Bahia”, “An Investigation of the Medical Atmosphere in South Africa: the Role of Community Home-Based Caregivers”

4 cs205: engineering software Quiz Everyone got 0xCAFEBABE 3 people sort of got question 6 (full credit if your answer convinced me you’d looked at the ps5 comments) –I’ll ask a question on the final (open notes) about this same question, so make sure you understand it before then.

5 cs205: engineering software Teammate Assessment Your answers: –Mostly: fair share of work, quality of work –“Did anybody make a huge breakthrough with some great idea that made everything else go smoother/faster?” Being a good teammate is more... –Responsibility: takes responsibility for parts of the project and follows through –Reliability: comes to meetings on time –Cooperative: listens to teammates, willing to discuss things respectfully and come to a shared decision

6 cs205: engineering software Future Topics write-ins: –GUI programming and design (4 people) –network programming (2 people) –“I think I have seen enough. :)” Famous Software Disasters (everyone ranked, ) Web Programming ( ) C# ( ), Different Programming Languages ( ) Performance ( )

7 cs205: engineering software checkcast No one had a good answer to the checkcast question –“Explain what the checkcast instruction does?” vs “Write a specification for the checkcast instruction”

8 cs205: engineering software Pseudo-method Specification instruction checkcast (Stack s, Type t) throws CheckCastException REQUIRES s must contain at least one element, and the top of s must be an object reference MODIFIES nothing EFFECTS If the object on the top of the stack could be used where a type t is expected, no effects. Otherwise, throws CheckCastException.

9 cs205: engineering software Java VM Specification checkcast Operation Check whether object is of given type Format checkcast indexbyte1 indexbyte2 checkcast Operation Check whether object is of given type Format checkcast indexbyte1 indexbyte2 Forms checkcast = 192 (0xc0) Operand Stack..., objectref ..., objectref Description The objectref must be of type reference. The unsigned indexbyte1 and indexbyte2 are used to construct an index into the runtime constant pool of the current class (§3.6), where the value of the index is (indexbyte1 << 8) | indexbyte2. The runtime constant pool item at the index must be a symbolic reference to a class, array, or interface type. The named class, array, or interface type is resolved (§ ).(§3.6)(§ )

10 cs205: engineering software If objectref is null or can be cast to the resolved class, array, or interface type, the operand stack is unchanged; otherwise, the checkcast instruction throws a ClassCastException. The following rules are used to determine whether an objectref that is not null can be cast to the resolved type: if S is the class of the object referred to by objectref and T is the resolved class, array, or interface type, checkcast determines whether objectref can be cast to type T as follows: If S is an ordinary (nonarray) class, then: If T is a class type, then S must be the same class (§2.8.1) as T, or a subclass of T.(§2.8.1) If T is an interface type, then S must implement (§2.13) interface T.(§2.13) If S is an interface type, then: If T is a class type, then T must be Object (§2.4.7). (§2.4.7) If T is an interface type, then T must be the same interface as S or a superinterface of S (§2.13.2).(§2.13.2) If S is a class representing the array type SC[], that is, an array of components of type SC, then:...

11 cs205: engineering software If S is a class representing the array type SC[], that is, an array of components of type SC, then: If T is a class type, then T must be Object (§2.4.7).(§2.4.7) If T is an array type TC[], that is, an array of components of type TC, then one of the following must be true: TC and SC are the same primitive type (§2.4.1).(§2.4.1) TC and SC are reference types (§2.4.6), and type SC can be cast to TC by recursive application of these rules.(§2.4.6) If T is an interface type, T must be one of the interfaces implemented by arrays (§2.15). (§2.15) Linking Exceptions During resolution of the symbolic reference to the class, array, or interface type, any of the exceptions documented in Section can be thrown.Section Runtime Exception Otherwise, if objectref cannot be cast to the resolved class, array, or interface type, the checkcast instruction throws a ClassCastException. Notes The checkcast instruction is very similar to the instanceof instruction. It differs in its treatment of null, its behavior when its test fails (checkcast throws an exception, instanceof pushes a result code), and its effect on the operand stack.

12 cs205: engineering software Quiz 3 Which of these components are part of the trusted computing base when a user runs a Java applet in a web page? Components: applet source code, applet class file, Java compiler, Java bytecode verifier, Java VM.

13 cs205: engineering software Java Security javac Compiler malcode.java malcode.class JVML Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

14 cs205: engineering software Simulating All Paths The bytecode verifier verifies type safety for all possible executions of the program Since there are infinitely many paths through the program, how is this possible?

15 cs205: engineering software Verifier (should be) Conservative JVML programs Safe programs Verifiable programs (Slide from Nate Paul’s ACSAC talk)

16 cs205: engineering software Complexity Increases Risk JVML programs Safe programs Verifiable programs Bug (Slide from Nate Paul’s ACSAC talk)

17 cs205: engineering software Vulnerabilities in JavaVM Vulnerabilities Reported Years Since First Release July 1996 July 2005

18 cs205: engineering software Where are They? Verification12 API bugs10 Class loading8 Other or unknown2 Missing policy checks 3 Configuration4 DoS attacks (crash, consumption)5 several of these were because of jsr complexity

19 cs205: engineering software Summary: Low-level vs. Policy Security Low-level Code Safety: –Type safety, memory safety, control flow safety –Needed to prevent malcode from circumventing any policy mechanism Policy Security: –Control access and use of resources (files, network, display, etc.) –Enforced by Java class –Hard part is deciding on a good policy

20 cs205: engineering software Bytecode Verifier Checks JVML code satisfies safety properties –Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once –After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores) Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.

21 cs205: engineering software Violating the Assumption … // The object on top of the stack is a SimObject astore_0 // There is a SimObject in location 0 aload_0 // The value on top of the stack is a SimObject If a cosmic ray hits the right bit of memory, between the store and load, the assumption might be wrong.

22 cs205: engineering software Improving the Odds Set up memory so that a single bit error is likely to be exploitable Mistreat the hardware memory to increase the odds that bits will flip Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.

23 cs205: engineering software Making Bit Flips Useful Fill up memory with Filler objects, and one Pointee object: class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;}

24 cs205: engineering software Filling Up Memory Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7a7 Filler Object

25 cs205: engineering software Wait for a bit flip… Remember: there are lots of Filler objects (fill up all of memory) If a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7a7 Filler Object

26 cs205: engineering software Type Violation After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object! a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7a7 Filler Object Can an attacker exploit this?

27 cs205: engineering software Finding the Bit Flip while (true) { for (Enumeration e = fillers.elements (); e.hasMoreElements () ; ) { Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! … } else if (f.a2 != p) { … } Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; }

28 cs205: engineering software Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time Declared Type f.a1Pointee f.a1.bint fr == f.a1Filler fr.a4 == f.a1.bPointee class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;}

29 cs205: engineering software Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = ; // Address of the SecurityManager fr.a4.a1 = null; // Set it to a null // Do whatever you want! No security policy now… new File (“C:\thesis.doc”).delete (); class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;}

30 cs205: engineering software Getting a Bit Flip Wait for a Cosmic Ray –You have to be really, really patient… (or move machine out of Earth’s atmosphere) X-Rays –Expensive, not enough power to generate bit-flip High energy protons and neutrons –Work great - but, you need a particle accelerator Hmm….

31 cs205: engineering software Using Heat 50-watt spotlight bulb Between 80° - 100°C, memory starts to have a few failures Attack applet is successful (at least half the time)! Hairdryer works too, but it fries too many bits at once Picture from Sudhakar Govindavajhala

32 cs205: engineering software Should Anyone be Worried? Java virtual machine

33 cs205: engineering software Recap Verifier assumes the value you write is the same value when you read it By flipping bits, we can violate this assumption By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types By violating type safety, we can get around all other security measures For details, see paper linked from notes

34 cs205: engineering software Charge Project design documents due Friday Class will be at URN in Harrison Special Collections Library