Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge."— Presentation transcript:

1 Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge

2 Software is vulnerable use of unsafe languages is prevalent –most “packaged” software written in C/C++ many software defects –buffer overflows, format strings, double frees many ways to exploit defects –corrupt control-data: stack, function pointers –corrupt non-control-data: function arguments, security variables defects are routinely exploited

3 Approaches to securing software remove/avoid all defects is hard prevent control-data exploits –protect specific control-data StackGuard, PointGuard –detect control-flow anomalies Program Shepherding, CFI –attacks can succeed without corrupting control-flow prevent non-control-data exploits –bounds checking on all pointer dereferences CRED –detect unsafe uses of network data Vigilante, [Suh04], Minos, TaintCheck, [Chen05], Argos, [Ho06] –expensive in software no good solutions to prevent non-control-data exploits

4 Data-flow integrity enforcement compute data-flow in the program statically –for every load, compute the set of stores that may produce the loaded data enforce data-flow at runtime –when loading data, check that it came from an allowed store optimize enforcement with static analysis

5 Data-flow integrity: advantages broad coverage –detects control-data and non-control-data attacks automatic –extracts policy from unmodified programs no false positives –only detects real errors (malicious or not) good performance –low runtime overhead

6 Outline data-flow integrity enforcement optimizations results

7 Data-flow integrity at compile time, compute reaching definitions –assign an id to every store instruction –assign a set of allowed source ids to every load at runtime, check actual definition that reaches a load –runtime definitions table (RDT) records id of last store to each address –on store(value,address): set RDT[address] to store’s id –on load(address): check if RDT[address] is one of the allowed source ids protect RDT with software-based fault isolation

8 Example vulnerable program non-control-data attack very similar to a real attack on a SSH server buffer overflow in this function allows the attacker to set authenticated to 1 int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet);

9 Static analysis computes data flows conservatively –flow-sensitive intraprocedural analysis –flow-insensitive interprocedural analysis uses Andersen’s points-to algorithm scales to very large programs same assumptions as analysis for optimization –pointer arithmetic cannot navigate between independent objects –these are the assumptions that attacks violate

10 Instrumentation check that authenticated was written here or here SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while (CHECKDEF authenticated in {1,8} !authenticated) { PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 8 authenticated = 1; } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet);

11 SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while (CHECKDEF authenticated in {1,8} !authenticated) { PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 8 authenticated = 1; } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet); Runtime: detecting the attack RDT slot for authenticated authenticated stored here stores disallowed above 0x40000000 10 Memory layout 17 Vulnerable program Attack detected! definition 7 not in {1,8}

12 Also prevents control-data attacks user-visible control-data (function pointers,…) –handled as any other data compiler-generated control-data –instrument definitions and uses of this new data –e.g., enforce that the definition reaching a ret is generated by the corresponding call

13 Efficient instrumentation: SETDEF lea ecx,[_authenticated] test ecx,0C0000000h je L int 3 L: shr ecx,2 mov word ptr [ecx*2+40001000h],1 SETDEF _authenticated 1 is compiled to: get address of variable prevent RDT tampering set RDT[address] to 1

14 Efficient instrumentation: CHECKDEF lea ecx,[_authenticated] shr ecx,2 mov cx, word ptr [ecx*2+40001000h] cmp cx, 1 je L cmp cx,8 je L int 3 L: CHECKDEF _authenticated {1,8} is compiled to: get address of variable get definition id from RDT[address] check definition in {1,8}

15 SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while ( CHECKDEF authenticated in {1,8} !authenticated) { PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 8 authenticated = 1; } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet); SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while ( CHECKDEF authenticated in {1} !authenticated) { PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 1 authenticated = 1; } CHECKDEF authenticated in {1} if (authenticated) ProcessPacket(packet); Optimization: renaming definitions definitions with the same set of uses share one id

16 Other optimizations removing SETDEFs and CHECKDEFs –eliminate CHECKDEFs that always succeed –eliminate redundant SETDEFs –uses static analysis, but does not rely on any assumptions that may be violated by attacks remove bounds checks on safe writes optimize set membership checks –check consecutive ids using a single comparison

17 Evaluation overhead on SPEC CPU and Web benchmarks contributions of optimizations ability to prevent attacks on real programs

18 Runtime overhead

19 Memory overhead

20 Contribution of optimizations

21 Overhead on SPEC Web maximum overhead of 23%

22 Preventing real attacks ApplicationVulnerabilityExploitDetected? NullHttpdheap-based buffer overflow overwrite cgi-bin configuration data yes SSHinteger overflow and heap-based buffer overflow overwrite authenticated variable yes STunnelformat stringoverwrite return address yes Ghttpdstack-based buffer overflow overwrite return address yes

23 Conclusion enforcing data-flow integrity protects software from attacks –handles non-control-data and control-data attacks –works with unmodified C/C++ programs –no false positives –low runtime and memory overhead

24 Overhead breakdown

25 Contribution of optimizations

Download ppt "Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.

Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Memory Safety Through Runtime Analysis Justin Samuel for CSE 504, Spring ‘10 Instructor: Ben Livshits.

Memory Safety Through Runtime Analysis Justin Samuel for CSE 504, Spring ‘10 Instructor: Ben Livshits.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.

Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Non-Control-Data Attacks and Securing software by enforcing data- flow integrity Zhiqiang Lin Mar 28, 2007 CS590 paper presentation.

Non-Control-Data Attacks and Securing software by enforcing data- flow integrity Zhiqiang Lin Mar 28, 2007 CS590 paper presentation.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Similar presentations

Ads by Google