binary level software security
play

Binary-Level Software Security Gang Tan Department of CSE, Lehigh - PowerPoint PPT Presentation

Jan 13, 2024 •553 likes •1.54k views

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

  1. Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012

  2. High-Level Languages for Safety/Security 2 � Java, C#, Haskell, F*… � JavaScript for web applications � Benefits � Better support for safety and security � Portability � Better programming abstractions � … So why bother enforcing security at the binary level?

  3. Why Binary-Level Software Security? 3 � Programming language agnostic � Eventually all software is turned into native code � Apply to all languages: C, C++, OCaml, assembly … � Accommodate legacy code/libraries written in C/C++ � E.g., zlib, codec, image libraries (JPEG), fast FFT libraries … � Apply to applications that are developed in multiple languages � Native code is an unifying representation

  4. Why Binary-Level Software Security? 4 � Low-level languages (i.e. C/C++) have better Performance � Compilers for high-level languages still not as good as you might hope � Example: Box2D physics engine for games (C++) � Java: 3x slowdown � Javascript V8: 15-25x slowdown

  5. C vs. Java vs. JavaScript Speed Comparison 5 Source: The Computer Language Benchmarks Game

  6. Why Binary-Level Software Security? 6 � Buggy compilers and language runtimes � May invalidate the guarantees provided by source-level techniques � Example [Howard 2002]: Compiler dead- code elimination … memset(password, 0, len); // zeroing out the password … // password never used again � Csmith discovered 325 compiler bugs [Yang et al. PLDI 2011]

  7. Yet the Binary Level is Challenging 7 � High-level abstractions disappear � No notion of variables, classes, objects, functions, … � Relevant concepts: registers, memory, … � Security policies can use only low-level concepts � E.g., can’t use pre- and post-conditions of functions � Semantic gap between what’s expressible at high level and at low level

  8. Challenges at the Binary Level 8 � No guarantee of basic safety � Lack of control-flow graph: a computed jump can jump to any byte offset � Enable return-oriented programming (ROP) � A memory op can access any memory in the address space � Modifiable code � Can invoke OS syscalls to cause damages Much harder to perform analysis and enforce security at the binary level

  9. Two Extremes of Dealing With Native Code 9 � Allow native code � With some code-signing mechanism � Examples: Microsoft ActiveX controls; browser plug- ins � Disallow native code � By default, Java applet cannot include native libraries

  10. Approaches for Obtaining Safe Native Code 10 � Certifying compilers � Proof-carrying code (PCC) [Necula & Lee 1996] � Typed assembly languages (TAL) [Morrisett et al. 1999] � … � However, producing proofs (annotations) in code is nontrivial � Certified compilers: proving compiler correctness � CompCert [Leroy POPL 06] � An alternative approach: use reference monitors to implement a sandbox in which to execute the native code

  11. 11 Reference Monitors

  12. Reference Monitor 12 � Observe the execution of a program and halt the program if it’s going to violate the security policy. system events Program Reference being Monitor (RM) allowed monitored or denied

  13. Common Examples of RM 13 � Operating system: syscall interface � Interpreters, language virtual machines, software- based fault isolation � Firewalls � … � Claim: majority of today’s enforcement mechanisms are instances of reference monitors.

  14. What Policies Can be Enforced? 14 � Some liberal assumptions: � Monitor can have infinite state � Monitor can have access to entire history of computation � But monitor can’t guess the future – the predicate it uses to determine whether to halt a program must be computable � Under these assumptions: � There is a nice class of policies that reference monitors can enforce: safety properties � There are desirable policies that no reference monitor can enforce precisely

  15. Classification of Policies 15 � “Enforceable Security Policies” [Schneider 00] Security policies Security properties liveness liveness safety safety properties properties properties properties

  16. Classification of Policies 16 � A system is modeled as traces of system events � E.g., A trace of memory operations (reads and writes) � Events: read(addr); write(addr, v) � A security policy: a predicate on sets of allowable traces � A security policy is a property if its predicate specifies whether an individual trace is legal � E.g., a trace is legal is all its memory access is within address range [1,1000]

  17. What is a Non-Property? 17 � A policy that may depend on multiple execution traces � Information flow polices � Sensitive information should not flow to unauthorized person implicitly � Example: a system protected by passwords � Suppose the password checking time correlates closely to the length of the prefix that matches the true password � Then there is a timing channel � To rule this out, a policy should say: no matter what the input is, the password checking time should be the same in all traces

  18. Safety and Liveness Properties [Alpern & Schneider 85,87] 18 � Safety: Some “bad thing” doesn’t happen. � Proscribes traces that contain some “bad” prefix � Example: the program won’t read memory outside of range [1,1000] � Liveness: Some “good thing” does happen � Example: program will terminate � Example: program will eventually release the lock � Theorem: Every security property is the conjunction of a safety property and a liveness property

  19. Policies Enforceable by Reference Monitors 19 � Reference monitor can enforce any safety property � Intuitively, the monitor can inspect the history of computation and prevent bad things from happening � Reference monitor cannot enforce liveness properties � The monitor cannot predict the future of computation � Reference monitor cannot enforce non-properties � The monitor inspects one trace at a time

  20. 20 Inlined Reference Monitors (IRM)

  21. Reference Monitor, Inlined 21 Program being monitored Integrate reference RM monitor into program code � Lower performance overhead � Enforcement doesn’t require context switches � Policies can depend on application semantics � Environment independent---portable

  22. IRM via Program Rewriting 22 Program Program Rewrite RM � The rewritten program should satisfy the desired security policy � Examples: � Source-code level � CCured [Necula et al. 02] � [Ganapathy Jaeger Jha 06, 07] � Java bytecode-level rewriting: PoET [Erlingsson and Schneider 99]; Naccio [Evans and Twyman 99]

  23. This Lecture: Binary-Level IRM 23 � Software-based Fault Isolation (SFI) � Control-Flow Integrity (CFI) � Data-Flow Integrity (DFI) � [Castro et al. 06] � Fine-grained data integrity and confidentiality � Protecting small buffers � [Castro et al. SOSP 09]; [Akritidis et al. Security 09] � …

  24. Enforceable Policies via IRM 24 � Clearly, it can enforce any safety property � Surprisingly, it goes beyond safety properties [Hamlen et al. TOPLAS 2006] � Intuition: the rewriter can statically analyze all possible executions of programs and rewrite accordingly � Timing channels could be removed [Agat POPL 2000]

  25. A Separate Verifier 25 OK Program Program Rewrite Verifier RM � Verifier: checking the reference monitor is inlined correctly (so that the proper policy is enforced) � Benefit: no need to trust the RM-insertion phase

  26. 26 Software-Based Fault Isolation (SFI)

  27. Software-Based Fault Isolation (SFI) 27 � Originally proposed for MISP [Wahbe et al. SOSP 93] � PittSFIeld [McCamant & Morrisett 06] extended it to x86 � Use an IRM to isolate components into “logical” address spaces in a process � Conceptually: check each read, write, & jump to make sure it’s within the component’s logical address space

  28. SFI Policy 28 Fault Domain CB 1) All jumps remain in CR Code Region 2) Reference monitor not (readable, bypassed by jumps executable) CL DB Data Region All R/W remain in DR (readable, writable) DL [DB, DL]

  29. Enforcing SFI Policy 29 � Insert monitor code into the target program before unsafe instructions (reads, writes, jumps, …) [r3+12] := r4 //unsafe mem write r10 := r3 + 12 if r10 < DB then goto error if r10 > DL then goto error [r10] := r4

  30. Optimizations for Better Performance 30 � Naïve SFI is OK for security � But the runtime overhead is too high � Performance can be improved through a set of optimizations

  31. Optimization: Special Address Pattern 31 � Both code and data regions form contiguous segments � Upper bits are all the same and form a region ID � Address validity checking: only one check is necessary � Example: DB = 0x12340000 ; DL = 0x1234FFFF � The region ID is 0x1234 � “[r3+12]:= r4” becomes r10 := r3 + 12 r10 := r10 >> 16 // right shift 16 bits to get the region ID if r10 <> 0x1234 then goto error [r10] := r4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi &amp; many other people Sbastien Bardin -- ISSISP 2017 | 1 ABOUT MY LAB @CEA Sbastien Bardin

1.11k views • 87 slides
FOSAD07 Low-level Software Security: Attacks and Defenses lfar Erlingsson Microsoft

FOSAD07 Low-level Software Security: Attacks and Defenses lfar Erlingsson Microsoft

FOSAD07 Low-level Software Security: Attacks and Defenses lfar Erlingsson Microsoft Research, Silicon Valley and Reykjavk University, Iceland An example of a real-world attack Exploits a vulnerability in the GDI+ rendering of

1.26k views • 113 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
CSE 127 Computer Security Deian Stefan, Stefan Savage, Winter 2018, Lecture 3 Low Level Software

CSE 127 Computer Security Deian Stefan, Stefan Savage, Winter 2018, Lecture 3 Low Level Software

CSE 127 Computer Security Deian Stefan, Stefan Savage, Winter 2018, Lecture 3 Low Level Software Security I: Buffer Overflows and Stack Smashing When is a program secure? When it does exactly what it should? Not more. Not less.

821 views • 45 slides
Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software protections Binary and malware analysis Fuzzing Network security Hardware and OS security 2 Assuming secure software, what is

984 views • 72 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Assembly code and binary formats (ELF)

630 views • 23 slides
Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Asm2Vec : Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization Steven H. H. Ding Benjamin C. M. Fung Philippe Charland Data Mining and Security Lab Mission Critical Cyber Security

625 views • 23 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Binary Tree Traversal Methods Preorder Inorder Postorder Level order Preorder

Binary Tree Traversal Methods Preorder Inorder Postorder Level order Preorder

Binary Tree Traversal Methods In a traversal of a binary tree, each element of the binary tree is visited exactly once. During the visit of an element, all action (make a clone, display, evaluate the operator, etc.) with respect to this

305 views • 14 slides
Why Components? Software components are binary units of independent production, acquisition,

Why Components? Software components are binary units of independent production, acquisition,

Why Components? Software components are binary units of independent production, acquisition, and deployment that interact to form a functioning system (Szyperski 1997) The rationale behind component software: Largely pushed by desktop

475 views • 13 slides
End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About RISC-V RISC-V is an Open Instruction Set Architecture (ISA) Can be freely used for any purpose Many implementations are available from

677 views • 22 slides
LA-UR-17-23592 Approved for public release; distribution is unlimited. Title: Survey of Neutron

LA-UR-17-23592 Approved for public release; distribution is unlimited. Title: Survey of Neutron

LA-UR-17-23592 Approved for public release; distribution is unlimited. Title: Survey of Neutron Generators for Active Interrogation Author(s): Moss, Calvin Elroy Myers, William L. Sundby, Gary M. Chichester, David L Johnson, James P

603 views • 13 slides
Integration Considerations of the PNS System Jingbo Wang University of California, Davis,

Integration Considerations of the PNS System Jingbo Wang University of California, Davis,

Integration Considerations of the PNS System Jingbo Wang University of California, Davis, Department of Physics PNS System Location Plan for DUNE single phase far detector: Two corner manholes + one possible middle feedthrough Two

557 views • 12 slides
OUR 4 YEARS IN ARCHVIZ INDUSTRY Ondra Karlk Render Legion | Chaos Group Hi, I am Ondra, and I

OUR 4 YEARS IN ARCHVIZ INDUSTRY Ondra Karlk Render Legion | Chaos Group Hi, I am Ondra, and I

OUR 4 YEARS IN ARCHVIZ INDUSTRY Ondra Karlk Render Legion | Chaos Group Hi, I am Ondra, and I am the creator of the Corona Renderer. My part of this course is about what changed in the archviz industry in the last 4 years. 0 WHAT IS CORONA?

572 views • 41 slides
NATIONAL ACTION PLAN OF THE FRENCH NUCLEAR SAFETY AUTHORITY December 2012 TABLE OF CONTENTS

NATIONAL ACTION PLAN OF THE FRENCH NUCLEAR SAFETY AUTHORITY December 2012 TABLE OF CONTENTS

COMPLEMENTARY SAFETY ASSESSMENTS FOLLOW-UP TO THE FRENCH NUCLEAR POWER PLANT STRESS TESTS NATIONAL ACTION PLAN OF THE FRENCH NUCLEAR SAFETY AUTHORITY December 2012 TABLE OF CONTENTS Introductio n

1.06k views • 65 slides
Embedding SQL Engine to Your Application Iwo Panowicz Percona Whats an Embedded Database?

Embedding SQL Engine to Your Application Iwo Panowicz Percona Whats an Embedded Database?

Embedding SQL Engine to Your Application Iwo Panowicz Percona Whats an Embedded Database? A library embedded in the application, that implements methods to access and manipulate data. A database running on an embedded computer mostly

795 views • 53 slides
Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International COSIC Course Leuven, Belgium, 18 June 2015 Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel,

920 views • 62 slides
Rapid Prototyping of Avionic Applications Using P4 Dominik Scholz , Fabien Geyer, Sebastian

Rapid Prototyping of Avionic Applications Using P4 Dominik Scholz , Fabien Geyer, Sebastian

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Rapid Prototyping of Avionic Applications Using P4 Dominik Scholz , Fabien Geyer, Sebastian Gallenmller, Georg Carle german-french academy

573 views • 16 slides

More recommend