advanced systems security control flow integrity
play

Advanced Systems Security: Control-Flow Integrity Trent Jaeger - PowerPoint PPT Presentation

Dec 30, 2022 •1.13k likes •1.55k views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Control-Flow Integrity Trent

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: � Control-Flow Integrity Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Vulnerability • How do you define computer ‘ vulnerability ’ ? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Bu ff er Overflow • First and most common way to take control of a process • Attack code Call the victim with inputs necessary to overflow ‣ buffer Overwrites the return address on the stack ‣ • Exploit Jump to attacker chosen code ‣ Run that code ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Determine what to attack • Local variable that is a char buffer BEFORE picture of stack 0xbfa3b854: 0x3 0xbfa3b855: 0x0 0xbfa3b856: 0x0 Called buf ‣ 0xbfa3b857: 0x0 buf 0xbfa3b858: 0x3 0xbfa3b859: 0x0 0xbfa3b85a: 0x0 0xbfa3b85b: 0x0 0xbfa3b85c: 0x0 0xbfa3b85d: 0x0 0xbfa3b85e: 0x0 ... printf("BEFORE picture of stack\n"); 0xbfa3b85f: 0x0 for ( i=((unsigned) buf-8); i<((unsigned) ((char *)&ct)+8); i++ ) 0xbfa3b860: 0x0 printf("%p: 0x%x\n", (void *)i, *(unsigned char *) i); 0xbfa3b861: 0x0 0xbfa3b862: 0x0 /* run overflow */ 0xbfa3b863: 0x0 for ( i=1; i<tmp; i++ ){ 0xbfa3b864: 0x0 printf("i = %d; tmp= %d; ct = %d; &tmp = %p\n", i, tmp, ct, (void *)&tmp); 0xbfa3b865: 0x0 strcpy(p, inputs[i]); 0xbfa3b866: 0x0 0xbfa3b867: 0x0 /* print stack after the fact */ 0xbfa3b868: 0xa8 printf("AFTER iteration %d\n", i); 0xbfa3b869: 0xb8 ebp for ( j=((unsigned) buf-8); j<((unsigned) ((char *)&ct)+8); j++ ) 0xbfa3b86a: 0xa3 printf("%p: 0x%x\n", (void *)j, *(unsigned char *) j); 0xbfa3b86b: 0xbf p += strlen(inputs[i]); 0xbfa3b86c: 0x71 if ( i+1 != tmp ) 0xbfa3b86d: 0x84 rtn addr *p++ = ' '; 0xbfa3b86e: 0x4 } 0xbfa3b86f: 0x8 printf("buf = %s\n", buf); 0xbfa3b870: 0x3 printf("victim: %p\n", (void *)&victim); 0xbfa3b871: 0x0 ct 0xbfa3b872: 0x0 return 0; 0xbfa3b873: 0x0 } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Configure Attack • Configure following Distance to return address from buffer ‣ Where to write? • Location of start of attacker’s code ‣ Where to take control? • What to write on stack ‣ How to invoke code (jump-to existing function)? • How to launch the attack ‣ How to send the malicious buffer to the victim? • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Return Address BEFORE picture of stack • x86 Architecture 0xbfa3b854: 0x3 0xbfa3b855: 0x0 0xbfa3b856: 0x0 0xbfa3b857: 0x0 Build 32-bit code for Linux environment ‣ buf 0xbfa3b858: 0x3 0xbfa3b859: 0x0 0xbfa3b85a: 0x0 • Remember integers are represented in 0xbfa3b85b: 0x0 0xbfa3b85c: 0x0 0xbfa3b85d: 0x0 “ little endian ” format 0xbfa3b85e: 0x0 0xbfa3b85f: 0x0 0xbfa3b860: 0x0 0xbfa3b861: 0x0 • Take address 0x8048471 0xbfa3b862: 0x0 0xbfa3b863: 0x0 0xbfa3b864: 0x0 0xbfa3b865: 0x0 See trace at right ‣ 0xbfa3b866: 0x0 0xbfa3b867: 0x0 0xbfa3b868: 0xa8 0xbfa3b869: 0xb8 ebp 0xbfa3b86a: 0xa3 0xbfa3b86b: 0xbf 0xbfa3b86c: 0x71 0xbfa3b86d: 0x84 rtn addr 0xbfa3b86e: 0x4 0xbfa3b86f: 0x8 0xbfa3b870: 0x3 0xbfa3b871: 0x0 ct 0xbfa3b872: 0x0 0xbfa3b873: 0x0 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Anatomy of Control Flow Attacks • Two steps • First, the attacker changes the control flow of the program In buffer overflow, overwrite the return ‣ address on the stack What are the ways that this can be done? ‣ • Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack ‣ What are the ways that this can be done? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  8. Return-oriented Programming • General approach to control flow attacks • Demonstrates how general the two steps of a control flow attack can be • First, change program control flow In any way ‣ • Then, run any code of attackers’ choosing - code in the existing program From starting address (gadget) to ret ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  9. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack pop %eax G1 Return Address ret 5 pop %ebx jmp G2 ret buf 0x8048000 movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  10. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  11. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  12. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  13. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  14. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  15. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  16. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = 5 %ebx = 0x8048000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  17. Prevent ROP Attacks • How would you prevent a program from executing gadgets rather than the expected code? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  18. Prevent ROP Attacks • How would you prevent a program from executing gadgets rather than the expected code? Control-flow integrity ‣ Force the program to execute according to an expected CFG • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  19. Control-Flow Integrity Our Mechanism F A F B nop IMM 1 if(*fp != nop IMM 1 ) halt if(**esp != nop IMM 2 ) halt call fp return nop IMM 2 CFG excerpt B 1 A call NB: Need to ensure bit patterns for nops B ret A call+1 appear nowhere else in code memory Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  20. Control-Flow Integrity More Complex CFGs CFG excerpt Maybe statically all we know is that F A can call any int int function B 1 A call F A C 1 succ(A call ) = {B 1 , C 1 } F B nop IMM 1 if(*fp != nop IMM 1 ) halt call fp F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 9 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  21. Control-Flow Integrity Imprecise Return Information Q: What if F B can return CFG excerpt to many functions ? F A A call+1 A: Imprecise CFG B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 CFG Integrity: F D if(**esp != nop IMM 2 ) halt Changes to the return PC are only to valid successor call F B PCs, per succ(). nop IMM 2 10 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern exploit techniques Introduction to Computer Security Announcements intermission Day 7: Defensive programming and design, part 1 Saltzer &amp;

579 views • 15 slides
Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline

Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline

31 st IEEE Symposium on Security &amp; Privacy, Oakland CA, May 16-19 2010 HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline Motivation

328 views • 29 slides
Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh Shankar (UC Berkeley) Trent Jaeger (Penn State / IBM) Reiner Sailer (IBM) The goal, with an example Integrity property: Trusted processes dont

317 views • 20 slides
CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS412 Software Security Advanced mitigations Stack integrity

298 views • 26 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands June 21, 2018 Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 2 / 22 Rotating S-box Masking

540 views • 22 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security &amp; Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

584 views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Bimanual Haptic Interaction with Virtual Environments Anthony Talvas INSA, IRISA and Inria Rennes

Bimanual Haptic Interaction with Virtual Environments Anthony Talvas INSA, IRISA and Inria Rennes

Bimanual Haptic Interaction with Virtual Environments Anthony Talvas INSA, IRISA and Inria Rennes Hybrid Team Advisors: Maud Marchal Anatole Lcuyer Virtual Reality and Haptics Virtual Reality (VR) : Immersion of a user in a Virtual

706 views • 45 slides
Anthromorphic Underactuated Hand with 15 Joints M E S R O B 2 0 1 5 A U T H O R S : E . M A T

Anthromorphic Underactuated Hand with 15 Joints M E S R O B 2 0 1 5 A U T H O R S : E . M A T

Anthromorphic Underactuated Hand with 15 Joints M E S R O B 2 0 1 5 A U T H O R S : E . M A T H E S O N , Y . A O U S T I N , E . L E C A R P E N T I E R , A . L E O N , J . P E R R I N T H A N K S T O B E N J A M I N G A U T I E

584 views • 25 slides
Principles of Atomic-Structure-Based Modeling Maxim Petoukhov EMBL, Hamburg Outstation Outline

Principles of Atomic-Structure-Based Modeling Maxim Petoukhov EMBL, Hamburg Outstation Outline

Principles of Atomic-Structure-Based Modeling Maxim Petoukhov EMBL, Hamburg Outstation Outline Outline Introduction Computation of SAS patterns from atomic models Incorporation of structural information from other methods

834 views • 60 slides
Image segmentation, a historical and mathematical perspective Olivier Faugeras Olivier Faugeras

Image segmentation, a historical and mathematical perspective Olivier Faugeras Olivier Faugeras

Image segmentation, a historical and mathematical perspective Olivier Faugeras Olivier Faugeras Outline Introduction Pre-history: the non-variational approach Mumford-Shah Snakes and variations thereof Active regions More

700 views • 59 slides
GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray |

GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray |

GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray | jan@fpga.org | http://fpga.org CARRV2017: 2017/10/14 FPGA Datacenter Accelerators Are Almost Mainstream Catapult v2. Intel += Altera. OpenPOWER CAPI. AWS

508 views • 28 slides
Paulo Souza, Leonardo Borges, Piotr Luszczek, Stanimire Tomov, Jack Dongarra, Hartwig Anzt, Mark

Paulo Souza, Leonardo Borges, Piotr Luszczek, Stanimire Tomov, Jack Dongarra, Hartwig Anzt, Mark

Chris J. Newburn, Gaurav Bansal, Michael Wood, Luis Crivelli, Judit Planas, Alejandro Duran Paulo Souza, Leonardo Borges, Piotr Luszczek, Stanimire Tomov, Jack Dongarra, Hartwig Anzt, Mark Gates, Azzam Haidar, Yulu Jia, Khairul Kabir, Ichitaro

719 views • 23 slides
Ancient Greece Geography of Greece Adv. World History World History Chapter 4 Chapter 5

Ancient Greece Geography of Greece Adv. World History World History Chapter 4 Chapter 5

Ancient Greece Geography of Greece Adv. World History World History Chapter 4 Chapter 5 Geography epic poems: the Iliad &amp; the Homer !&quot;#$%&amp;$'())*+,$ Odyssey (each 28,000 lines) -*.$/%0,'*+,%0.$ set of values: courage &amp;

389 views • 13 slides
Fingertips motion planning and force computation for dextrous manipulation N.Daoud, J.P.Gazeau,

Fingertips motion planning and force computation for dextrous manipulation N.Daoud, J.P.Gazeau,

IROS 2010 IROS 2010 Workshop On Workshop On Grasp Planning and Task Grasp Planning and Task Learning by Imitation Learning by Imitation Fingertips motion planning and force computation for dextrous manipulation N.Daoud, J.P.Gazeau,

287 views • 16 slides

More recommend