1 the problem
play

1 The problem Address the problem of stopping determined - PowerPoint PPT Presentation

Jul 08, 2023 •330 likes •673 views

1 The problem Address the problem of stopping determined attackers from exploiting our software Interest in Control Flow Integrity(CFI) Data execution prevention (DEP), stack smashing protection (SSP), address space layout

  1. 1 ¡

  2. The problem — Address the problem of stopping determined attackers from exploiting our software — Interest in Control Flow Integrity(CFI) — Data execution prevention (DEP), stack smashing protection (SSP), address space layout randomization (ASLR) 2 ¡

  3. Data execution prevention (DEP) — Hardware-enforced DEP — Marks all memory locations in a process as non- executable unless the location explicitly contains executable code(NX bit term) — Software-enforced DEP — Software-enforced DEP performs additional checks on exception handling mechanisms in Windows. 3 ¡

  4. Stack smashing protection (SSP) — Prevents changes to return addresses: — detecting the change of the return address before the function returns — preventing the write to the return address — Checks the canary word is intact before jumping to the address — The return address is read-only (invariant)while the function is active 4 ¡

  5. Address space layout randomization (ASLR) — Randomly arranging the positions — The base of the executable — Position of libraries — Heap and stack — Only guessing with brute force — Program crashes at wrong guessing 5 ¡

  6. Attacks — Guessing attacks — Brute force attacks — Information leakage — An information leak occurs when system data or debugging information leaves the program through an output stream or logging function. — Control flow hijacking — Return-to-libc — ROP — JOP 6 ¡

  7. Contributions — Evaluate fast, state-of-the-art CFI techniques and show that they do not protect against advanced ROP exploits — Develop a methodology for performing code-reuse attacks against CFI-protected software — Demonstrate the chaining of gadgets using function calls to perform useful actions, i.e., call-oriented programming (COP) — Construct a working exploit for Internet Explorer 8 on Windows 7 with DEP and ASLR on, and assuming CCFIR is in place; — Assess the availability of gadgets required to launch such attacks against other popular software on Windows 7, such as Internet Explorer 9, Acrobat Reader XI, the Microsoft Office 2013 suite of programs, and Firefox 24. 7 ¡

  8. Control flow integrity (Ideal CFI) — CFI thwarts control-hijacking attacks by keeping control flow in the control-flow graph (CFG) — All programs usually contain two types of control-flow transfers: direct and indirect — For every control-flow transfer is assigned a ID and checks are inserted before control-flow instructions to ensure that only valid targets are allowed. 8 ¡

  9. Control flow integrity (Ideal CFI) — There are two major challenges for the adoption of CFI in its ideal form. — it requires a complete and precise CFG of the protected application in order to accurately identify all indirect transfer targets and assign IDs. — it incurs a non-negligible performance overhead caused by the introduced checks before indirect control-flow instructions 9 ¡

  10. Compact Control Flow Integrity and Randomization (CCFIR) — Distinguishes between calls and returns, and prevents unauthorized returns into sensitive functions — Directing indirect control transfers through a dedicated “Springboard section” that encodes target restrictions via code alignment 10 ¡

  11. CFI approaches 11 ¡

  12. Gadgets in CFI — Two types of gadgets: — Call – site gadgets(CS) — Blocks of instructions right after a call instruction that terminate with a return instruction. — Entry – point gadgets (EP) — Blocks of instructions starting at a function’s entry point and ending with an indirect call or jump — Begin at an allowable control-transfer pointer. — Their length is large and may contain instructions unrelated to the ones performing the desire functionality. — In larger gadgets may include code branches within them. — Generally we prioritize gadgets based on their size, examining smaller ones first. 12 ¡

  13. Locating the Gadgets — There is two – stage attacks. Learn information about the layout of the target 1. application. Use that information to locate the gadget in the 2. payload. — ASLR becomes a key component in modern systems. — CFI checking for the three different targets supported. — Each entry is 8 or 16 bytes long and their location within the spring board is randomized at load time. — In CCFIR the attacker has to identify the location of the appropriate entries in the springboard. 13 ¡

  14. Calling Functions — Options under CFI : — Through Indirect Calls : Indirect call instructions are always to jump to a certain function. — Calling through Gadgets : Look for gadgets that include an indirect or fixed functions call in their body 14 ¡

  15. Linking Gadgets — We cannot link the gadgets available to us in arbitrary ways, since not all control flows are permitted. — Different ways to link the gadgets. — Transfer control to CS gadget and set up the stack to chain multiple gadgets of the same type together. Receive control with a call instruction, we can only — link EP gadgets. 15 ¡

  16. — Moving from EP – to CS – gadget linking. — Moving from CS – to EP – gadget linking. — Link CS gadget to a CS – IC gadget, where we control the operand of an indirect call. Use that to redirect control to an EP gadget. — Gadget uses data: one of its instructions uses the data before it is set. 16 ¡

  17. — Gadget set data : any data un registers or memory that are set by the gadget before exiting. — Calling a function in a gadget chain depends on our ability to set up its arguments on the stack. — Achieve it by linking available gadgets to move arguments from the controlled buffer to the appropriate registers or memory location. From Code – reuse to Code - injection — Goal is to link the gadgets and bypass DEP. — Find a vulnerable function and put our injection code to the stack. 17 ¡

  18. Proof-of-Concept Exploitation — System protected with CCFIR (strictest of the loose CFI frameworks) — Generic exploit, applicable to similar frameworks (bin- CFI) — Heap overflow in Internet Explorer, gives control to an indirect jump. — The vulnerability is triggered by accessing the span and width attributes of a column, in an HTML table, through JavaScript . ¡ 18 ¡

  19. <html> <body> <table style="table-layout:fixed" > <col id="132" width="41" span="1" >&nbsp </col> </table> <script> function over_trigger() { var obj_col = document.getElementById("132"); obj_col.width = "42765"; obj_col.span = 1000; } setTimeout("over_trigger();",1); </script> </body> </html> — Overwrite a virtual function table (VFT) pointer in a button, leading to the control of an indirect jump instruction. — Overwrite the size of a string object (add reference to the object and manipulate size, for memory disclosure). — Trigger it multiple times, as long as the process does not crush. 19 ¡

  20. Gadgets Location in CCFIR — CCFIR replaces the function pointers in the binary with pointers to the function stubs. — Replaces indirect calls with direct jump to the springboard. — Information flow is enforced by aligning the call and return stubs, and by checking that the function’s address and the return address follow the alignment (emulate 2 IDs). — Only for non-sensitive functions. Returns from sensitive functions are omitted. 20 ¡

  21. Gadgets Location in CCFIR CCFIR checks indirect control-flow transfers through its springboard section (special memory layout) call function stub return address stub placed in springboard. 21 ¡

  22. To succesfully Perform the Explotation — Heap Feng Shui à Positioning the vulnerable buffer, the string object and button object, in the right order in the heap. — 1 st buffer overflow: string object’s size property is overwritten to build the memory disclosure — 2 nd buffer overflow: the button object’s VTF pointer is overwritten. — Heap Spraying à injects multiple instances of a specially crafted buffer in memory. — Copies of the buffer are allocated at reliable addresses. — One is written to the VTF pointer of the button. — The buffer guides the chaining of gadgets, from the initial indirect transfer instruction to code injection. 22 ¡

  23. Memory Disclosure — Constraints to bypass: — ASLR is used — need to find the base address of modules of interest (DLLs containing the gadgets) — CCFIR springboard for indirect transfers — need to find the addresses of function call and return stubs, for the used gadgets. If not, CFI check fails. 23 ¡

  24. Memory Disclosure ¡ — Find base address gadgets from mshtml.dll and ieframe.dll — — mshtml.dll: revealed by the VFT pointer within the button. — pointer at constant relative offset from string the object. — pointer at a constant known offset in mshtml.dll (base) — ieframe.dll: read the address of a function that is contained in ieframe.dll and imported in mshtml.dll . — button object, fixed relative distance to the string object. — after knowing string’s address, relative distance from string to the imported address 24 ¡

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem-Solving with Only 28% of employers classify college graduates Think-Alouds problem

Problem-Solving with Only 28% of employers classify college graduates Think-Alouds problem

12/5/14 Analysis of the situation Problem-solving is viewed as necessary for success in STEM fields, with the American Chemical Society (ACS) going so far as to refer to problem-solving as the ultimate goal. Problem-Solving with

316 views • 4 slides
Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability) OpenBSD Higher Availability IDS M:Tier A.R.S.S (Security) DNS Reshaping DNS Local Resolver NTP DMZ A.R.S.S (Stability) Packet

415 views • 16 slides
THE BIG PROBLEM Getting to know your team, the Big Problem and its Systemic Root Causes Dorica

THE BIG PROBLEM Getting to know your team, the Big Problem and its Systemic Root Causes Dorica

PHASE 1: SYSTEM CHANGE JOURNEY THE BIG PROBLEM Getting to know your team, the Big Problem and its Systemic Root Causes Dorica Dans team working for rare diseases CLARIFYING THE BIG PROBLEM 2. Consequences if problem is not solved (relevance)

179 views • 7 slides
BUFFERDeBLOAT A SURVEY OF DIFFERENT WAYS TO COUNTER-BUFFERBLOAT Problem Problem Problem

BUFFERDeBLOAT A SURVEY OF DIFFERENT WAYS TO COUNTER-BUFFERBLOAT Problem Problem Problem

BUFFERDeBLOAT A SURVEY OF DIFFERENT WAYS TO COUNTER-BUFFERBLOAT Problem Problem Problem Simulation Setup Result Analysis Suggestion Bufferbloat is the existence of excessively large (bloated) buffers in systems, AFFECTED

369 views • 26 slides
Statement Problem A: Bijection In this problem, you have to establish a bijection between

Statement Problem A: Bijection In this problem, you have to establish a bijection between

Problem A: Bijection Statement Statement Problem A: Bijection In this problem, you have to establish a bijection between combinations and pairs of a regular bracket sequence and an integer. Ivan Kazmenko (SPb SU) Problem Analysis 28.01.2020

2.1k views • 181 slides
Chapter Two Problem Solving Using Search Defining the Problem How do you represent a problem

Chapter Two Problem Solving Using Search Defining the Problem How do you represent a problem

Chapter Two Problem Solving Using Search Defining the Problem How do you represent a problem so that the computer can solve it? Even before that, how do you define the problem with enough precision so that you can figure out how to

498 views • 30 slides
Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Revised by Hankui Zhuo, March 7, 2018 Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Chapter 3 2 Problem-solving

934 views • 70 slides
Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B

Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B

Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B can be used to solve the problem A . Computability and Complexity This means that solving A cannot be more difficult than solving B . Lecture 5 In

187 views • 3 slides
Problem Definition Techniques 4. 1. K-T Problem Critical Analysis Thinking Problem

Problem Definition Techniques 4. 1. K-T Problem Critical Analysis Thinking Problem

Problem Definition Techniques 4. 1. K-T Problem Critical Analysis Thinking Problem Definition Techniques 3. 2. Statement Present / Desired Restatement State Duncker Diagram Slides mainly adapted from Dr. Foglers Strategies for

763 views • 33 slides
Last time: Problem-Solving Problem solving: Goal formulation Problem formulation

Last time: Problem-Solving Problem solving: Goal formulation Problem formulation

Last time: Problem-Solving Problem solving: Goal formulation Problem formulation (states, operators) Search for solution Problem formulation: Initial state ? ? ? ? 1 Last time: Problem-Solving Problem

361 views • 18 slides
Consciousness (cont.) Phil 255 The hard problem The hard problem is the mind - body problem

Consciousness (cont.) Phil 255 The hard problem The hard problem is the mind - body problem

Consciousness (cont.) Phil 255 The hard problem The hard problem is the mind - body problem Terminology due to renewed interest in Nagel s concerns from David Chalmers The easy problem ( which isn t so easy ) giving a scienti

411 views • 19 slides
with classical methods Visualisations Introduction The first problem Problem

with classical methods Visualisations Introduction The first problem Problem

with classical methods Visualisations Introduction The first problem Problem The second problem Given Problems Analysis Simplification Classification Discussion Complex Handling Lagrangian

689 views • 20 slides
Problem Sets E-M Reading: Problem Set 3 Forsyth &amp; Ponce 16.1, 16.2

Problem Sets E-M Reading: Problem Set 3 Forsyth &amp; Ponce 16.1, 16.2

Problem Sets E-M Reading: Problem Set 3 Forsyth &amp; Ponce 16.1, 16.2 Distributed Tuesday, 3/18. Forsyth &amp; Ponce 16.3 for challenge Due Thursday, 4/3 problem. Problem Set 4 Yair Weiss: Motion

197 views • 5 slides
Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Chapter 3 3 Problem-solving agents Restricted form of general

973 views • 64 slides
Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem

Problem solving and search Chapter 3 Chapter 3 1 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Chapter 3 2 Problem-solving agents Restricted form of general

1k views • 74 slides
Professor Sheena Asthana Outline Problem: what problem? Resource allocation: a brief

Professor Sheena Asthana Outline Problem: what problem? Resource allocation: a brief

Professor Sheena Asthana Outline Problem: what problem? Resource allocation: a brief overview So, are rural areas underfunded? Problem: what problem? Widespread perception that urban deprived areas have the highest needs for

1.03k views • 19 slides
Countering Terrorism through Information and Privacy Protection Technologies Robert Popp, John

Countering Terrorism through Information and Privacy Protection Technologies Robert Popp, John

Terrorism Information Technology Privacy Countering Terrorism through Information and Privacy Protection Technologies Robert Popp, John Poindexter IEEE Security &amp; Privacy, vol. 4, no. 6, Nov.-Dec. 2006 1 / 10 Terrorism Information

376 views • 14 slides
R EVOLUTION &amp; P OLITICAL V IOLENCE Is violence random? Mapiripn massacre in Colombia

R EVOLUTION &amp; P OLITICAL V IOLENCE Is violence random? Mapiripn massacre in Colombia

Poli-416: R EVOLUTION &amp; P OLITICAL V IOLENCE Is violence random? Mapiripn massacre in Colombia Is violence random? Public discourse on violence as chaotic or random Rwandan genocide Logic of Violence in Civil Wars Why

870 views • 32 slides
AI Security and Insecurity Joel Brynielsson, 15 May 2019 joel.brynielsson@foi.se Foto:

AI Security and Insecurity Joel Brynielsson, 15 May 2019 joel.brynielsson@foi.se Foto:

AI Security and Insecurity Joel Brynielsson, 15 May 2019 joel.brynielsson@foi.se Foto: iStockPhoto December 2018: 32 nd Conference on Neural Information Processing Systems 8500 participants (ten from Sweden) 4500 submissions

141 views • 13 slides
Optimistic Assumptions in Polyhedral Compilation Johannes Doerfert 1 Tobias Grosser 2 1 Saarland

Optimistic Assumptions in Polyhedral Compilation Johannes Doerfert 1 Tobias Grosser 2 1 Saarland

Optimistic Assumptions in Polyhedral Compilation Johannes Doerfert 1 Tobias Grosser 2 1 Saarland University Saarbrcken, Germany 2 ETH Zrich Zrich, Switzerland October 29, 2015 saarland university computer science Be Optimistic! Programs

846 views • 45 slides
Course Summary &amp; Review CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Course Summary &amp; Review CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Course Summary &amp; Review CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ May 2, 2013 Know Your TA Mobin Javed

992 views • 86 slides
Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access

Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access

Software Security Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access control compartmentalisation between processes Chapter 2 of lecture notes 3. Language-level access control

909 views • 69 slides
Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular

Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular

Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular networks Security and Cooperation in Wireless Networks Georg-August University Gttingen Introduction Upcoming wireless networks: Personal

904 views • 42 slides
Debugging From Theoretical/Concept Considerations to Weapons for Efficient Coding Carlos J.

Debugging From Theoretical/Concept Considerations to Weapons for Efficient Coding Carlos J.

Debugging From Theoretical/Concept Considerations to Weapons for Efficient Coding Carlos J. Barrios H. PhD. cbarrios@uis.edu.co Sources of This Presentation: Guest lecture DR. R o b e r t O a t e s Icos R esearch Group University o f

1.14k views • 67 slides

More recommend