Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

Published byDavin Tarbell Modified over 9 years ago

Similar presentations

Presentation on theme: "CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos"— Presentation transcript:

1 CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos elathan@ics.forth.gr

2 Defending ROP  Randomization - Address Space Layout Randomization (ASLR) - Fine-grained Randomization (Smashing the gadgets, Binary Stirring)  Control Flow Integrity (CFI)  Run-time Detection - Based on H/W features (kBouncer) CS-457Elias Athanasopoulos2

3 Control-flow Graph CS-457Elias Athanasopoulos3 Direct call of sort() Indirect call of lt()/gt() All ret instructions are indirect branches! Can you spot other indirect branches?

4 Enforcing CFI (1) Things we don’t care about CS-457Elias Athanasopoulos4 Direct call of sort() Direct calls: cannot controlled by attacker (fixed targets) Do nothing!

5 Enforcing CFI (2) Forward Edges CS-457Elias Athanasopoulos5 Indirect call of lt()/gt() R: target Legitimate targets: lt(),gt() CFI: make sure only legitimate targets are exercised Attack: redirect R to a Gadget R: target Legitimate targets: lt(),gt() CFI: make sure only legitimate targets are exercised Attack: redirect R to a Gadget Attach label to indirect call: l7 Check label on function entry points Result: R is coupled only with legitimate targets, lt(),gt() - The call in sort() can only reach lt(),gt() - lt(),gt() can only be reached by the call in sort() Result: R is coupled only with legitimate targets, lt(),gt() - The call in sort() can only reach lt(),gt() - lt(),gt() can only be reached by the call in sort()

6 Implementation Example CS-457Elias Athanasopoulos6

7 Enforcing CFI (3) Backward Edges CS-457Elias Athanasopoulos7 All ret instructions are indirect branches! Call site (instruction after a call) (1) Add labels to call sites (2) check if we return from the correct returns (1) Add labels to call sites (2) check if we return from the correct returns Call site (instruction after a call)

8 Ideal CFI CS-457Elias Athanasopoulos8 Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks Two problems: 1)CFG discovery (especially in legacy apps) 2)Performance in checks

9 Coarse-grained (loose) CFI CS-457Elias Athanasopoulos9 Two labels only: 1)One for ensuring an indirect call enters a function entry point 2)One for ensuring a ret returns to a call site Two labels only: 1)One for ensuring an indirect call enters a function entry point 2)One for ensuring a ret returns to a call site

10 Gadgets under coarse-grained CFI CS-457Elias Athanasopoulos10

11 Linking Gadgets under CFI CS-457Elias Athanasopoulos11

12 Exploitation under CFI CS-457Elias Athanasopoulos12

13 CS-457Elias Athanasopoulos13

14 Last Branch Record (LBR)  16 pairs of H/W registers  Used for debugging  They store the last occurred branches  Can be configured to store only indirect branches CS-457Elias Athanasopoulos14

15 kBouncer CS-457Elias Athanasopoulos15

16 Normal vs ROP CS-457Elias Athanasopoulos16

17 kBouncer Checks  call-ret pairing - Coarse-grained CFI  Heuristics - Up to 20 instructions is considered a gadget - 6 gadgets in a row is considered an attack CS-457Elias Athanasopoulos17

18 kBouncer Heuristics CS-457Elias Athanasopoulos18

19 Bypassing kBouncer CS-457Elias Athanasopoulos19

20 kBouncer bypass PoC CS-457Elias Athanasopoulos20

21 Other Software Vulnerabilities  Use-after-free and dangling pointers  Integer overflows CS-457Elias Athanasopoulos21

22 Use-after-free CS-457Elias Athanasopoulos22 P1 P2 Object A t0: P1 and P2 point to A t1: P1 is freed Free space NULL P2 still points to, it is a dangling pointer New Object t2: attacker allocates space New Object t3: P2 now points to a new Object! New Object 1) New object is of different type 2) P2->foo() can execute attacker’s code in the new object 1) New object is of different type 2) P2->foo() can execute attacker’s code in the new object

23 Integer Overflows off_t j, pg_start = /* from user space */; size_t i, page_count =... ; int num_entries =... ; if (pg_start + page_count > num_entries) return –EINVAL;... for (i = 0, j = pg_start; i<page_count; i++,j++) /* write to some address with offset j */; CS-457Elias Athanasopoulos23

24 Integer Overflows (fix) off_t j, pg_start = /* from user space */; size_t i, page_count =... ; int num_entries =... ; if ((pg_start + page_count > num_entries) || (pg_start + page_count < pg_start)) return –EINVAL;... for (i = 0, j = pg_start; i<page_count; i++,j++) /* write to some address with offset j */; CS-457Elias Athanasopoulos24

Download ppt "CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos"

Similar presentations

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos
Intermediate Code Generation

Intermediate Code Generation
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Framing Signals— A Return to Portable Shellcode

Framing Signals— A Return to Portable Shellcode
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
1 Day 03 Introduction to C. 2 Memory layout and addresses 5 10 12.5 9. 8 r s int x = 5, y = 10; float f = 12.5, g = 9.8; char c = ‘r’, d = ‘s’; 430043044308431243164317.

1 Day 03 Introduction to C. 2 Memory layout and addresses r s int x = 5, y = 10; float f = 12.5, g = 9.8; char c = ‘r’, d = ‘s’;
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays 2005-06-22.

CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Similar presentations

Ads by Google