can dres provide long lasting security
play

Can DREs Provide Long- Lasting Security? The Case of - PowerPoint PPT Presentation

Sep 20, 2023 •228 likes •641 views

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage Stephen Checkoway, * Ariel J. Feldman, Brian Kantor, * J. Alex Halderman, Edward W. Felten, Hovav Shacham * * UCSD, Princeton,

  1. Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage Stephen Checkoway, * Ariel J. Feldman, † Brian Kantor, * J. Alex Halderman, ‡ Edward W. Felten, † Hovav Shacham * * UCSD, † Princeton, ‡ U Michigan Monday, August 10, 2009 1

  2. Voting System Studies Study Vendors Year Appel et al. Sequoia 2008 EVEREST ES&S, Hart, Premier 2007 California TTBR Hart, Premier, Sequoia 2007 Feldman et al. Diebold 2006 Hursti Diebold 2006 Kohno et al. Diebold 2003 Long Lasting Security: EVT’09 Monday, August 10, 2009 2

  3. Response The proposed 'red team' concept also contemplates giving attackers access to source code, which is unrealistic and dangerous if not strictly controlled by test protocols. It is the considered opinion of election officials and information technology professionals that ANY system can be attacked if source code is made available. We urge the Secretary of State not to engage in any practice that will jeopardize the integrity of our voting systems. – California Association of Clerks and Election Officials, 2007 Long Lasting Security: EVT’09 Monday, August 10, 2009 3

  4. Response Your guidelines suggest that you will provide The proposed 'red team' concept also By any standard – academic or common sense source code to an expert and ask that person contemplates giving attackers access to source – the study is unrealistic and inaccurate. to subvert the system. It is almost certain that code, which is unrealistic and dangerous if not – Diebold Election Systems, 2006 In short, the Red Team was able to, using a financial would be possible under these conditions. strictly controlled by test protocols. It is the Letting the hackers have the source codes, operating institution as an example, take away the locked However, these are extreme circumstances, not considered opinion of election officials and manuals and unlimited access to the voting machines “is No computer system could pass the assault made by front door of the bank branch, remove the security taking into consideration real world use cases. information technology professionals that ANY like giving a burglar the keys to your house.” your team of computer scientists. In fact, I think my – Hart InterCivic, 2007 guard, remove the bank tellers, remove the panic system can be attacked if source code is made – Contra Costa County Clerk-recorder and head of 9 and 12-year-old kids could find ways to break into alarm that notifies law enforcement, and have only available. We urge the Secretary of State not the state Association of Clerks and Election Officials the voting equipment if they had unfettered access. slightly limited resources (particularly time and to engage in any practice that will jeopardize Steve Weir, quoted by sfgate.com, 2007 – Santa Cruz County Clerk Gail Pellerin, 2007 knowledge) to pick the lock on the bank vault. the integrity of our voting systems. Putting isolated technology in the hands of computer Company officials have said the researchers – California Association of Clerks and – Sequoia Voting Systems, 2007 experts in order to engage in unrestricted, calculated, were given unusual access to the machines that Election Officials, 2007 advanced and malicious attacks is highly improbable real-world hackers could never gain. in a real-world election. – Mercury News, 2007 – Hart InterCivic, 2007 Long Lasting Security: EVT’09 Monday, August 10, 2009 3

  5. Is it practical to hack a voting machine without “unreasonable” access? Hint: Yes Long Lasting Security: EVT’09 Monday, August 10, 2009 4

  6. AVC Advantage Best-case to study Only does one thing: count votes Defenses against code injection Long Lasting Security: EVT’09 Monday, August 10, 2009 5

  7. Challenges 1. Understand how the machine works without source code or documentation by reverse- engineering 2. Find an exploitable bug 3. Defeat code-injection defense using recently developed techniques from system security Long Lasting Security: EVT’09 Monday, August 10, 2009 6

  8. Reverse-Engineering Z80 ROMs Long Lasting Security: EVT’09 Monday, August 10, 2009 7

  9. Artifacts Produced Hardware Functional Specifications Hardware Simulator Initial version by Joshua Herbach Exploit developed on the simulator — tested on machine, worked first try Long Lasting Security: EVT’09 Monday, August 10, 2009 8

  10. Exploit Classic stack-smashing buffer overflow Roughly a dozen bytes overwritten Exploit code needs to be in memory For now, assume we can inject code Long Lasting Security: EVT’09 Monday, August 10, 2009 9

  11. Vote-Stealing Attack Gain physical access Malicious auxiliary cartridge Trigger exploitable bug Follow instructions Long Lasting Security: EVT’09 Monday, August 10, 2009 10

  12. Vote-Stealing Attack Gain physical access Malicious auxiliary cartridge Trigger exploitable bug Follow instructions Long Lasting Security: EVT’09 Monday, August 10, 2009 10

  13. Vote-Stealing Program Survives turning power switch to off Runs election as normal Silently shifts votes Long Lasting Security: EVT’09 Monday, August 10, 2009 11

  14. Vote-Stealing Program Survives turning power switch to off Runs election as normal Silently shifts votes Long Lasting Security: EVT’09 Monday, August 10, 2009 11

  15. Code Injection? Earlier, we assumed we could inject code Hardware interlock prevents fetching instructions from RAM Program code in read-only memory Long Lasting Security: EVT’09 Monday, August 10, 2009 12

  16. Harvard Architecture + Program in Nonexecutable, read-only writable data memory memory No code injection Long Lasting Security: EVT’09 Monday, August 10, 2009 13

  17. Return-Oriented Programming Long Lasting Security: EVT’09 Monday, August 10, 2009 14

  18. Return-Oriented Programming Arbitrary behavior without code injection Combine snippets of existing code Requires control of the call stack Processor/program specific Long Lasting Security: EVT’09 Monday, August 10, 2009 15

  19. Return-Oriented Programming Instructions movl $0x006f6d2e,(%eax,%ebx) movl 0xd4(%ebp),%eax movl %eax,(%esp) calll 0x0008ba11 Arbitrary behavior without code injection addl $0x1f,%eax andl $0xf0,%eax subl %eax,%esp leal 0x20(%esp),%edx movl %edx,0xb4(%ebp) jmp 0x0006d8b4 incl 0xd4(%ebp) movl 0xd4(%ebp),%eax movzbl (%eax),%ecx cmpb $0x3a,%cl je 0x0006d8b1 testb %cl,%cl Combine snippets of existing code movl 0xb4(%ebp),%ebx jne 0x0006d8db movb $0x43,(%ebx) movb $0x00,0x01(%ebx) jmp 0x0006d90d movb %cl,(%ebx) incl %ebx incl 0xd4(%ebp) movl 0xd4(%ebp),%eax movzbl (%eax),%ecx testb %cl,%cl Requires control of the call stack setne %dl cmpb $0x3a,%cl setne %al testb %al,%dl jne 0x0006d8cf movb $0x00,(%ebx) cmpl $0x01,0x0008a780 jne 0x0006d90d movl 0xb4(%ebp),%edx movl $0x0000002f,0x04(%esp) movl %edx,(%esp) calll 0x0008b9e9 Processor/program specific testl %eax,%eax jne 0x0006d8b4 movl 0xb4(%ebp),%esi movl $0x00000002,%ecx movl $0x0007e270,%edi cld repz/cmpsb (%esi),(%edi) movl $0x00000000,%eax je 0x0006d92e movzbl 0xff(%esi),%eax movzbl 0xff(%edi),%ecx subl %ecx,%eax testl %eax,%eax jel 0x0006da53 movl 0xb4(%ebp),%esi movl $0x00070bbb,%edi movl $0x00000006,%ecx repz/cmpsb (%esi),(%edi) movl $0x00000000,%edx je 0x0006d956 movzbl 0xff(%esi),%edx movzbl 0xff(%edi),%ecx subl %ecx,%edx testl %edx,%edx Long Lasting Security: EVT’09 Monday, August 10, 2009 15

  20. Return-Oriented Programming Instructions movl $0x006f6d2e,(%eax,%ebx) movl 0xd4(%ebp),%eax movl %eax,(%esp) calll 0x0008ba11 Arbitrary behavior without code injection addl $0x1f,%eax andl $0xf0,%eax subl %eax,%esp leal 0x20(%esp),%edx movl %edx,0xb4(%ebp) jmp 0x0006d8b4 incl 0xd4(%ebp) movl 0xd4(%ebp),%eax movzbl (%eax),%ecx cmpb $0x3a,%cl je 0x0006d8b1 testb %cl,%cl Combine snippets of existing code movl 0xb4(%ebp),%ebx jne 0x0006d8db movb $0x43,(%ebx) movb $0x00,0x01(%ebx) jmp 0x0006d90d movb %cl,(%ebx) incl %ebx incl 0xd4(%ebp) movl 0xd4(%ebp),%eax movzbl (%eax),%ecx testb %cl,%cl Requires control of the call stack setne %dl cmpb $0x3a,%cl setne %al testb %al,%dl jne 0x0006d8cf movb $0x00,(%ebx) cmpl $0x01,0x0008a780 jne 0x0006d90d movl 0xb4(%ebp),%edx movl $0x0000002f,0x04(%esp) movl %edx,(%esp) calll 0x0008b9e9 Processor/program specific testl %eax,%eax jne 0x0006d8b4 movl 0xb4(%ebp),%esi movl $0x00000002,%ecx movl $0x0007e270,%edi cld repz/cmpsb (%esi),(%edi) movl $0x00000000,%eax je 0x0006d92e movzbl 0xff(%esi),%eax movzbl 0xff(%edi),%ecx subl %ecx,%eax testl %eax,%eax jel 0x0006da53 movl 0xb4(%ebp),%esi movl $0x00070bbb,%edi movl $0x00000006,%ecx repz/cmpsb (%esi),(%edi) movl $0x00000000,%edx je 0x0006d956 movzbl 0xff(%esi),%edx movzbl 0xff(%edi),%ecx subl %ecx,%edx testl %edx,%edx Long Lasting Security: EVT’09 Monday, August 10, 2009 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTRODUCING ULTRA-LONG-LASTING + GOOD-FOR-YOU COMFORT COLOR Finally, you CAN have it all!

INTRODUCING ULTRA-LONG-LASTING + GOOD-FOR-YOU COMFORT COLOR Finally, you CAN have it all!

INTRODUCING ULTRA-LONG-LASTING + GOOD-FOR-YOU COMFORT COLOR Finally, you CAN have it all! Ultra-Long-Lasting Lip Color BE SELFIE-READY ALL DAY Smudge-resistant. Drink-resistant. Kiss-resistant. Food-friendly. Less

355 views • 14 slides
WOUND D DR DRES ESSI SING A FAST ST HEA EALING ING PR PROJEC ECT WOUND D DR DRES ESSI

WOUND D DR DRES ESSI SING A FAST ST HEA EALING ING PR PROJEC ECT WOUND D DR DRES ESSI

WOUND D DR DRES ESSI SING A FAST ST HEA EALING ING PR PROJEC ECT WOUND D DR DRES ESSI SING A FAST ST HEA EALING ING PR PROJEC ECT OUTLINE INE Intr troducti oduction to Wound nd Dr Dressin ing Mechan anism isms

900 views • 31 slides
Practical Wisdom Eudaemonia: long-lasting happiness that is Eleanor Stewart, PhD the goal of

Practical Wisdom Eudaemonia: long-lasting happiness that is Eleanor Stewart, PhD the goal of

15/12/2011 Aristotle Phronesis: wisdom to know what to do in particular circumstances Practical Wisdom Eudaemonia: long-lasting happiness that is Eleanor Stewart, PhD the goal of life; human flourishing John Dossetor Health Ethics Centre

36 views • 3 slides
Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D.

Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D.

transportationstudies.asu.edu Long Lasting Asphalt Binder Systems and Evolving Binder Specifications Shane Underwood, Ph.D. Assistant Professor, School of Sustainable Engineering and the Built Environment Co-Director, The National Center of

311 views • 27 slides
Pnyx.DRE Redundancy, Enhanced Auditability and Voter-Verifiability for DREs Annapolis

Pnyx.DRE Redundancy, Enhanced Auditability and Voter-Verifiability for DREs Annapolis

Pnyx.DRE Redundancy, Enhanced Auditability and Voter-Verifiability for DREs Annapolis (Maryland), March 18 2005 Contents Contents Presenting Scytl DREs: Benefits and Drawbacks Our solution: Pnyx.DRE Conclusions Contents

419 views • 16 slides
Santa Sets Seating High quality, long lasting seating serves as the centerpiece to your holiday

Santa Sets Seating High quality, long lasting seating serves as the centerpiece to your holiday

Santa Sets Seating High quality, long lasting seating serves as the centerpiece to your holiday landscape. Contact us for pricing, dimensions, and other color Grand Scale High Back options available for each design. Giant Gold Throne

105 views • 6 slides
I nnovative Materials and I nnovative Materials and Methods for Long Lasting, Methods for Long

I nnovative Materials and I nnovative Materials and Methods for Long Lasting, Methods for Long

I nnovative Materials and I nnovative Materials and Methods for Long Lasting, Methods for Long Lasting, Rapid Renewal of Aging Rapid Renewal of Aging I nfrastructure I nfrastructure Director Kirk T. Steudle, P.E. Director Kirk T. Steudle,

896 views • 28 slides
Managing long lasting, healty cows in a large scale environment Bakos Gbor Director of dairy

Managing long lasting, healty cows in a large scale environment Bakos Gbor Director of dairy

Managing long lasting, healty cows in a large scale environment Bakos Gbor Director of dairy breeding Bos-Frucht AG EHRC Budapest, 2017.09.18 About us briefly 1200 ha Vertical integration 11.300 kg 305 (10.400 1st lact.)

613 views • 19 slides
IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Emergence of Cooperative Long-lasting Loyalty in Double Auction Markets Aleksandra Aloric

Emergence of Cooperative Long-lasting Loyalty in Double Auction Markets Aleksandra Aloric

Emergence of Cooperative Long-lasting Loyalty in Double Auction Markets Aleksandra Aloric Kings College London Motivation Always buy from the same merchants? Loyalty by design Motivation Always buy from the same merchants?

350 views • 20 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
Fermi observations of long-lasting GRB emission at high energies Frdric Piron (IN2P3/LPTA,

Fermi observations of long-lasting GRB emission at high energies Frdric Piron (IN2P3/LPTA,

Fermi observations of long-lasting GRB emission at high energies Frdric Piron (IN2P3/LPTA, Montpellier) on behalf of the Fermi LAT and GBM Collaborations The Fermi Fermi -LAT March bursts -LAT March bursts The Detections as of 090904

531 views • 19 slides
The Battle for Principles & concepts Trust and DREs Accountable Voting Voter

The Battle for Principles & concepts Trust and DREs Accountable Voting Voter

Outline The Battle for Principles & concepts Trust and DREs Accountable Voting Voter verifiable audit trail Systems Future Conclusion Prof. David L. Dill Department of Computer Science Stanford University

298 views • 7 slides
Security Summer 2013 Cornell University 1 Today How does the OS provide security?

Security Summer 2013 Cornell University 1 Today How does the OS provide security?

CS 4410 Operating Systems Security Summer 2013 Cornell University 1 Today How does the OS provide security? Secure System Security Violations Security Measures Threats User Authentication Protection 2 Secure

381 views • 14 slides
Perpetual Access: Myth and Reality CRL webinar 20 January 2016 What is perpetuity?

Perpetual Access: Myth and Reality CRL webinar 20 January 2016 What is perpetuity?

Perpetual Access: Myth and Reality CRL webinar 20 January 2016 What is perpetuity? Definitions of Perpetual Lasting for eternity Lasting for an indefinitely long time In effect or having tenure for an unlimited duration Continuing

719 views • 50 slides
in in ad addr dres essin ing g the e ris isk of reta etalia iati tion on Victor oria

in in ad addr dres essin ing g the e ris isk of reta etalia iati tion on Victor oria

The Ri e Righ ght t to Voic ice e Concer erns: s: the e role e of IAMS in in ad addr dres essin ing g the e ris isk of reta etalia iati tion on Victor oria ia Marqu quez ez-Mees es, Chief ef Ac Acco coun unta

653 views • 8 slides
Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute,

Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute,

Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute, Spain Computer-aided cryptography Develop tool-assisted methodologies for helping the design, analysis, and implementation of cryptographic

533 views • 26 slides
OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update Helmut Ammer Helmut

OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update Helmut Ammer Helmut

OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update Helmut Ammer Helmut Ammer CSSC Mnchen CSSC Mnchen 1F06 1F06 25. DECUS Mnchen Symposium Bonn 2002 1 berblick berblick berblick OpenVMS Security

754 views • 31 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Cyber Command and Control with CyberBML Mr. Bo Vargas Raytheon 4601 North Fairfax Drive Suite

Cyber Command and Control with CyberBML Mr. Bo Vargas Raytheon 4601 North Fairfax Drive Suite

2/4/09 Cyber Command and Control with CyberBML Mr. Bo Vargas Raytheon 4601 North Fairfax Drive Suite 1200 Arlington, VA 22203 bvargas@hai.com Outline Overview CyberBML Visualization Summary Page 2 1 2/4/09 Integrated

286 views • 7 slides
Transport Layer Security Chester Rebeiro IIT Madras Some of the slides borrowed from the book

Transport Layer Security Chester Rebeiro IIT Madras Some of the slides borrowed from the book

Transport Layer Security Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du TLS: Protocol to achieve secure communication TLS provides secure communication channel

834 views • 66 slides
Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1,

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1,

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1, 2015 Introduction Two models of cryptography: Computational: strong guarantees but complex proofs Symbolic: automated proofs but weak

1.42k views • 26 slides
Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com Oops!!!! 2 Setting the record straight Example Policy - > Reference Policy Base policies package used by distributions to build shipping

561 views • 12 slides
Economics and computer security Hal R. Varian UC Berkeley http://www.sims.berkeley.edu/~hal

Economics and computer security Hal R. Varian UC Berkeley http://www.sims.berkeley.edu/~hal

Economics and computer security Hal R. Varian UC Berkeley http://www.sims.berkeley.edu/~hal Outline Assignment of liability Role of insurance Efficiency and coordination costs Implications of weakest link technology

304 views • 18 slides

More recommend