CSS 548 Dan Chock.  What are some ways that compilers can affect application security? ◦ Improving Application Security  Checking for and preventing.


1 CSS 548 Dan Chock

2
• What are some ways that compilers can affect application security?
  ◦ Improving Application Security
    ▪ Checking for and preventing potential vulnerabilities
  ◦ Additional Effects on Security
    ▪ Understanding compiler optimization for binary obfuscation
  ◦ Reducing Application Security
    ▪ Compiler vulnerabilities and backdoors

3
• More Secure Code
  ◦ Preventing stack buffer overflow exploitation via canaries
“Anatomy of a Stack Smashing Attack and How GCC Prevents It”, Dr. Dobbs, Oliver Mueller, June 19, 2012

4
• GCC Options
  ◦ -fstack-protector ; -fstack-protector-all
    ▪ Adds a guard variable (aka canary) to functions; it is initialized when a function is entered and checked when the function exits. If a guard check fails, the program exits.
• Visual Studio Switches
  ◦ /GS
    ▪ Shadowing to protect class member definitions, stack data reordering to protect function pointers

5
  ◦ /sdl – Superset of /GS, expands scope and treats select security warnings as errors
“Compiler Security Enhancements in Visual Studio 11”, SDL Team, MSDN, Dec. 2, 2011

6
• Binary Obfuscation
  ◦ volatile keyword
“Binary Obfuscation from the Top Down”, Sean Taylor

7
• Binary Obfuscation
  ◦ volatile keyword

8
• Compiler Vulnerabilities
  ◦ Insecure Compiler Optimization
    ▪ Improperly removing sensitive data from memory
    ▪ Dead store removal: code that is used to overwrite memory is removed by the compiler
• Compiler backdoors
  ◦ Modifying the compiler to recognize specific code while compiling and include a backdoor in the output
    ▪ Ken Thompson, “Reflections on Trusting Trust”: describes a modified C compiler that would backdoor the login command to accept a backdoor password
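The dead store removal case from slide 8, as an added example that is not part of the original presentation: a buffer wipe the optimizer is allowed to drop, next to a wipe it must keep. `DEMO_KEY`, `sum_bytes`, `use_key_weak`, `use_key_hardened`, `secure_wipe` and `residue` are names made up for this illustration, and the key is a constructed sample value.

```c
#include <stddef.h>
#include <string.h>

static const char DEMO_KEY[] = "constructed-demo-key"; /* constructed sample */

static unsigned sum_bytes(const unsigned char *p, size_t n) { /* stand-in for real key use */
    unsigned s = 0;
    while (n--) s += *p++;
    return s;
}

/* Before: key[] is never read after memset(), so an optimizing compiler
 * may treat the call as a dead store and remove it. */
unsigned use_key_weak(void) {
    unsigned char key[sizeof DEMO_KEY];
    memcpy(key, DEMO_KEY, sizeof key);
    unsigned r = sum_bytes(key, sizeof key);
    memset(key, 0, sizeof key); /* candidate for dead store removal */
    return r;
}

/* Stores through a volatile-qualified pointer are kept by the compiler;
 * explicit_bzero() or memset_s() do the same job where available. */
void secure_wipe(void *buf, size_t n) {
    volatile unsigned char *p = buf;
    while (n--) *p++ = 0;
}

/* After: same work, but the wipe survives optimization. */
unsigned use_key_hardened(void) {
    unsigned char key[sizeof DEMO_KEY];
    memcpy(key, DEMO_KEY, sizeof key);
    unsigned r = sum_bytes(key, sizeof key);
    secure_wipe(key, sizeof key);
    return r;
}

/* Counts nonzero bytes left in a buffer, to check a wipe. */
size_t residue(const void *buf, size_t n) {
    const unsigned char *p = buf;
    size_t left = 0;
    while (n--) left += (*p++ != 0);
    return left;
}

int main(void) {
    unsigned char b[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    secure_wipe(b, sizeof b);
    return residue(b, sizeof b) != 0; /* 0 means the wipe zeroed b */
}
```

Whether the `memset()` in `use_key_weak` is actually dropped depends on the compiler and optimization level; comparing the generated assembly of the two functions at `-O2` is the way to confirm it on a given toolchain.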

9
• Compiler/hardware approaches to embedded systems security [1]
  ◦ Secure compiler inserts hidden code into the compiled code that is validated during run-time by hardware
• Security-preserving compiler for distributed programs [2]
  ◦ Four stages: slicing, control flow protection (to keep track of state), replication (implement distributed program variables as local replicas), and cryptography (insert crypto operations to protect variable changes)

10
[1] “Performance Study of a Compiler/Hardware Approach to Embedded Systems Security”, Kripashankar Mohan, Bhagi Narahari, Rahul Simha, Paul Ott, Alok Choudhary, and Joe Zambreno
[2] “A Security-Preserving Compiler for Distributed Programs: From Information-Flow Policies to Cryptographic Mechanisms”, Cédric Fournet, Gurvan Le Guernic, Tamara Rezk
