Presentation is loading. Please wait.

Presentation is loading. Please wait.

Code-Pointer Integrity

Published byJody Long Modified over 5 years ago

Similar presentations

Presentation on theme: "Code-Pointer Integrity"— Presentation transcript:

1 Code-Pointer Integrity
Team member: Po-Jen Lai, Timmy Lin, Chun-Yu Hsiung, Hung-Lin Wu Instructor: Scott Mahlke Our team is planning on implementing code pointer integrity, which in short is to guarantee the integrity of all code pointer in the program. Thereby is able to prevent control flow hijacking. I will explain what control flow hijacking in the following slides

2 What is Control flow hijack?
Attacker corrupts a data pointer Overwrite the code pointer Control-flow transferred to undesired code segment Attacker’s shell code Gadgets (Undesired functions) Is a way for the attacker to gain remote control of victim’s systems How does the attacker achieve that? First corrupt the code pointer Give attacker control of the instruction pointer The attackers are able to divert the program flow to where they desire

3 Control flow hijack Memory q buf char * buf = malloc(10) ...
func_ptr gadget Control flow hijack char * buf = malloc(10) ... void * (func_ptr) (); char *q = buf + input1 func_ptr = &foo *q = input2 (*func_ptr)() Define a funtion pointer Assign q as buf + some attacker control input, where attacker can carefully control to input to make it points to its desired location Later on function ptr is assign to function foo Then in the end, attacker controlled pointer q is overwrite with some input2 Then it points to some attacker control gadget. The attacker can then soon to gain advantage once the pointer is dereference. As soon as that happen, attack can run whatever they want.

4 Control flow hijack protect (Softbound)
Metadata Memory q buf func_ptr gadget char * buf = malloc(10) buf_lo = p; buf_hi = p + 10; ... void * (func_ptr) (); char *q = buf + input1 q_lo = buf_lo; q_hi = buf_hi; func_ptr = &foo if ((q < q_lo) || (q >= q_hi)) abort() *q = input2 (*func_ptr)() Propagate Metadata Check Metadata Softbound (119%) overhead, and where it comes from A lot even from this small program. It adds a lot of additional checks in the background and execute at runtime. Allocate memory, add lower and upper bound Assign meta-data to all the pointers Assignment across pointers Propagate meta-data Can be use for further protection Check meta data whenever use Protect us from having the data pointing to undesired location

5 Motivation Memory safety method Overhead SoftBound 116% CCured 56%
Existing code safety methods are with high overhead. Memory safety method Overhead SoftBound 116% CCured 56% AddressSanitizer 73% From the previous example you are able to see the high overhead even with such a short C program, which is 116% overhead in general when you have a sufficient amount of code bases. CCured: Retrofit memory safety also has stronger type systems. 56% price tag. AddressSanitizer: A great tool for debugging, it’s only probabilistic. But still 73% of price tag.

6 New approach Protect all data → protect selected data
116 % overhead → 2% - 8% overhead We no longer want to protect all the datas, otherwise we are going to run into the same problem with high overhead We are only going to focus on a small subset of data and protect it completely Couple code pointers on the heap, couple pointers on the stack we deemed protection worthy Therefore we offer strong protection for a select subset of data

7 Threat Model (Attackers’ capabilities)
Read / Write on process image (Memory) Read code but not write code No control over the program loading process Attacker can read/write data in the process image Can read the written code, yet can not modify the code as it’s being executed Input data contain executable code would not be executed Attacker could only use existing code to hijack. If attacker has the ability to control the program loading process, If they are able to gain control the program before we set up the defense mechanism, then there’s nothing we can do In the following slides, we are gonna explain how we do our defense mechanism.

8 Safe Region vs Regular Region
Protected vs unprotected Safe vs fast Hardware-based instruction-level isolation The mechanism for the isolation is architecture-dependent. Safe Memory Regular Memory Hardware-based isolation

9 Safe Region vs Regular Region
Safe_ptr 2 Safe_ptr 1 Regular region Regular_ptr 2 Regular_ptr 1

10 Safe Region vs Regular Region
Safe_ptr 2 Safe_ptr 1 Regular region Regular_ptr 2 Regular_ptr 1 Check!

11 Safe Region vs Regular Region
User modified data Safe Region vs Regular Region Safe region Safe_ptr 2 Safe_ptr 1 Regular region Regular_ptr 2 Regular_ptr 1 Check!

12 Safe Stack Safely access local Guaranteed safe variables int foo(){
char buf[10]; int r = scanf(“%s”, buf); return r; } Safe Stack r return address Regular Stack buf

13 arrays or objects whose address is passed to other functions
Safe Stack Safely access local Guaranteed safe variables int foo(){ char buf[10]; int r = scanf(“%s”, buf); return r; } Safe Stack r return address Regular Stack buf

14 arrays or objects whose address is passed to other functions
Safe Stack Safely access local Guaranteed safe variables int foo(){ char buf[10]; int r = scanf(“%s”, buf); return r; } Anything might be corrupted Safe Stack r return address Regular Stack buf

15 Safe Stack All return instruction pointers are protected
No ROP (return oriented programming) Zero performance overhead

16 Code-Pointer Integrity
Sensitive pointer: code ptrs and ptrs that may later be used to access sensitive ptrs Only a small subset of all pointers are responsible for making control-flow transfers Enforcing memory safety only for control-sensitive data Over approximation at compile time Sensitive types are: pointers to functions, pointers to sensitive types, pointers to composite types (such as struct or array) that contains one or more members of sensitive types, or universal pointers (i.e., void*, char* and opaque pointers to forward-declared structs or classes). All code pointers that a compiler or runtime creates implicitly (such as return addresses, C++ virtual table pointers, and setjmp buffers) are sensitive as well.

17 Sensitive Pointers

18 Instrumentation Ensure all sensitive pointers are stored in a safe region Create and propagate metadata at runtime Check the metadata on dereferences Metadata: bound, temporal ID Load/store → CPI intrinsic instructions Instructions that explicitly take addresses of a statically allocated memory object or a function, allocate a new object on the heap, or take an address of a sub-object are instrumented to create metadata that describe the corresponding object. Instructions that compute pointer expressions are instrumented to propagate the metadata accordingly. Instructions that load or store sensitive pointers to memory are replaced with CPI intrinsic instructions (§3.2.3) that load or store both the pointer values and their metadata from/to the safe pointer store.

19 Memory Layout Hardware-based instruction level isolation

20 Code-Pointer Separation (CPS)
Simplified version of Code-Pointer Integrity Main Difference Sensitive pointer = code pointer only No need to store metadata No runtime check Fewer security guarantees Lower performance overhead Basically, code-pointer separation is a simplified version of code-pointer integrity. There are some differences between CPS and CPI. The first one is, for sensitive pointer, CPS only stores code pointer into safe region. The second one is no metadata information. Control-flow destinations do not have bound, because the pointer value must always match the destination exactly. And the last one is, CPS does not have runtime check. The code pointer will be based only on a control flow destination. This restriction prevents attackers from “forging” a code pointer from a value of another type, but still allows them to trick the program into reading or updating wrong code pointers. (redirecting existing function) This is particularly relevant to C++ programs with many virtual functions, where the fraction of sensitive pointers instrumented by CPI can become high, since every pointer to an object that contains virtual functions is sensitive.

21 Redirect object pointer
Safe Memory func_ptr2 func_ptr1 Regular Memory obj1.pointer Point_to_obj2 obj2.pointer

22 Redirect object pointer
Safe Memory func_ptr2 func_ptr1 Regular Memory obj1.pointer Rewrite Point to obj1 obj2.pointer

23 Security Guarantee Code-Pointer Integrity: formally guaranteed protection, 8.4% % overhead (~6.5% of memory access) Code-Pointer Separation: strong protection in practice, 0.5% - 1.9% overhead (~2.5% of memory access) Safe Stack: Full ROP protection, negligible overhead

24 Current Status The latest version of LLVM only integrates Safe Stack
Our proposed goals CPS sensitive pointer detections CPI sensitive pointer detections Memory separation Code generation code generation is not the main focus of the class and it is platform dependant, so we do not plan to implement it.

25 Thank you code generation is not the main focus of the class and it is platform dependant, so we do not plan to implement it.

Download ppt "Code-Pointer Integrity"

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
C Structures and Memory Allocation There is no class in C, but we may still want non- homogenous structures –So, we use the struct construct struct for.

C Structures and Memory Allocation There is no class in C, but we may still want non- homogenous structures –So, we use the struct construct struct for.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...

Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.

Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.

Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.
Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.

Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.

Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.

Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.

Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
Buffer overflow and stack smashing attacks Principles of application software security.

Buffer overflow and stack smashing attacks Principles of application software security.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.

1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.

Similar presentations

Ads by Google