code pointer integrity
play

Code-Pointer Integrity Volodmyr Kuzentsov, Lszl Szekeres, Mathias - PowerPoint PPT Presentation

Sep 26, 2023 •327 likes •673 views

Code-Pointer Integrity Volodmyr Kuzentsov, Lszl Szekeres, Mathias Payer , George Candea, R. Sekar, and Dawn Song (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 Memory Corruption is Abundant! Acrobat Firefox IE OS X Linux

  1. Code-Pointer Integrity Volodmyr Kuzentsov, László Szekeres, Mathias Payer , George Candea, R. Sekar, and Dawn Song

  2. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  3. Memory Corruption is Abundant! Acrobat Firefox IE OS X Linux Average 150 Control-Flow Hijack CVEs 120 90 60 30 0 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

  4. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  5. Memory safety: invalid dereference ● Violation iff Dangling pointer: – Pointer is read (temporal) – Pointer is written – Pointer is freed ● No violation – Otherwise Out-of-bounds pointer: (spatial)

  6. Threat Model ● Attacker can read/write data, read code ● Attacker cannot – Modify program code – Influence program loading Code Heap Stack RX RW RW

  7. Control-Flow Hijack Attack Memory 1 void *(func_ptr)(); q int *q = buf + input; 1 … buf func_ptr = &foo; … *q = input2; 2 func_ptr func_ptr … 2 (*func_ptr)(); 3 gadget

  8. What about existing defenses? Data Execution Prevention ('06) Address Space Layout Randomization ('05) Image: http://www.computing.co.uk Canaries ('06) Image: Ted Atchley, http://torwars.com Image: http://socialcanary.com

  9. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 Presented at 30c3 http://youtu.be/CQbXevkR4us

  10. Memory Safety to the Rescue Swift Python code ~3 kloc MEMORY ! e SAFETY Python runtime ~500 kloc f FIRST a s libc ~2,500 kloc n U Linux kernel ~15,803 kloc

  11. SAFE LANGUAGES (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  12. Retrofit Memory Safety C/C++ Overhead SoftBound+CETS 116% MEMORY SAFETY CCured 56% FIRST AddressSanitizer 73%

  13. Memory Safety 1. Assign meta-data char *buf = malloc(10); buf_lo = p; buf_up = p+10; 116% performance overhead … 2. Propagate meta-data char *q = buf + input; q_lo = buf_lo; q_up = buf_up; (Nagarakatte et al., PLDI'09 and ISMM'10) if (q < q_lo || q >= q_up) abort(); 3. Check meta-data *q = input2; … (*func_ptr)();

  14. Safety vs. Flexibility and Performance (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  15. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 Presented at 30c3 http://youtu.be/2ybcByjNlq8

  16. New Approach: Protect Select Data Code Heap Stack Safe Instead of Stack protecting everything a little protect a little completely Strong protection for a select subset of data Attacker may modify any unprotected data

  17. Memory Safety (116% performance overhead) Protect only ? Code Pointers Control-Flow Hijack Protection (1.9% or 8.4% performance overhead)

  18. Code-Pointer Separation: Heap Safe Memory Memory Regular Memory All other q q Code data Pointers Separate only buf buf Program memory func_ptr func_ptr func_ptr func_ptr Control plane: Memory either code Layout pointer or NULL unchanged

  19. Locals Safely Code-Pointer Separation: Stack accessed Accessed through locals pointers Safe Stack Regular Stack int foo() { char buf[16]; r int r; ret address r = scanf(“%s”, buf); buf return r; Any location } may be corrupted

  20. CPS Memory Layout Accesses are safe Accesses are fast Safe Memory Regular Memory (code pointers) (non-code-pointer data) Safe Heap Regular Heap Safe Safe Regular Regular Stack Stack ... Stack Stack ... (Thread 1) (Thread 2) (Thread 1) (Thread 2) Code (Read-Only) Hardware-based instruction-level isolation

  21. Attacking Code-Pointer Separation Memory void *(func_ptr)(); func_ptr int *q = buf + input; int *q = buf + input; *q = input2; *q = input2; … struct_ptr struct_ptr' func_ptr = struct_ptr->f; … func_ptr' (*func_ptr)(); NULL or a ptr to another function

  22. Code-Pointer Separation ● Identify Code-Pointer accesses using static type-based analysis ● Separate using instruction-level isolation (e.g., segmentation) ● CPS security guarantees – An attacker cannot forge new code pointers – Code-Pointer is either immediate or assigned from code pointer – An attacker can only replace existing functions through indirection: e.g., foo->bar->func() vs. foo->baz->func2()

  23. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  24. Code-Pointer Integrity (CPI) Sensitive Pointers = code pointers and pointers used to access sensitive pointers ● CPI identifies all sensitive pointers using an over-approximate type-based static analysis: is_sensitive(v) = is_sensitive_type(type of v) ● Over-approximation only affects performance On SPEC2006 <= 6.5% accesses are sensitive

  25. Attacking Code-Pointer Integrity void *(func_ptr)(); int *q = buf + input; q_lo = buf_lo; q_up = buf_up; Exception if (q < q_lo || q >= q_up) abort(); when *q = input2; dereferenced func_ptr = struct_ptr->f; … (*func_ptr)();

  26. Code-Pointer Integrity vs. Separation ● Separate sensitive pointers from regular data – Type-based static analysis – Sensitive pointers = code pointers + pointers to sensitive pointers ● Accessing sensitive pointers is safe – Separation + runtime (bounds) checks ● Accessing regular data is fast – Instruction-level safe region isolation

  27. Security Guarantees ● Code-Pointer Integrity: formally guaranteed protection – 8.4% to 10.5% overhead (~6.5% of memory accesses) ● Code-Pointer Separation: strong protection in practice – 0.5% to 1.9% overhead (~2.5% of memory accesses) ● Safe Stack: full ROP protection – Negligible overhead

  28. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  29. Implementation ● LLVM-based prototype – Front end (clang): collect type information – Back-end (llvm): CPI/CPS/SafeStack instrumentation pass – Runtime support: safe heap and stack management – Supported ISA's: x64 and x86 (partial) – Supported systems: Mac OSX, FreeBSD, Linux

  30. Current status ● Great support for CPI on Mac OSX and FreeBSD on x64 ● Upstreaming in progress Safe Stack coming to LLVM soon – Fork it on GitHub now: https://github.com/cpi-llvm – ● Code-review of CPS/CPI in process Play with the prototype: http://levee.epfl.ch/levee-early-preview-0.2.tgz – Will release more packages soon – ● Some changes to super complex build systems needed Adapt Makefiles for FreeBSD –

  31. Is It Practical? hardened ● Recompiled entire FreeBSD userpsace ● … and more than 100 packages OpenSSL PostgreSQL

  32. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  33. Conclusion ● CPI/CPS offers strong control-flow hijack protection – Key insight: memory safety for code pointers only ● Working prototype – Supports unmodified C/C++, low overhead in practice – Upstreaming patches in progress, SafeStack available soon! – Homepage: http://levee.epfl.ch – GitHub: https://github.com/cpi-llvm

  34. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 ? http://levee.epfl.ch http://nebelwelt.net/publications/14OSDI/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&amp;A 2 What is a

543 views • 28 slides
CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we

CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we

CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we do if a function needs to change one of the pointer parameters passed to it? Assume we have struct Node* root that points to a tree. We could

431 views • 10 slides
2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the

2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the

SoM Induction 2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the Responsible Conduct of Research (NHMRC et al., 2007) http://www.nhmrc.gov.au/_files_nhmrc/file/ publications/synopses/r39.pdf

312 views • 16 slides
Review Running a program requires the code &amp; stack segments in memory. Context = memory

Review Running a program requires the code &amp; stack segments in memory. Context = memory

Review Running a program requires the code &amp; stack segments in memory. Context = memory address space + stack pointer + instruction pointer A CPU is in the context of a program if its instruction pointer and stack pointer registers

797 views • 40 slides
The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach Model

371 views • 34 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Code Completion with Neural Attention and Pointer Networks Jian Li, Yue Wang, Irwin King, and

Code Completion with Neural Attention and Pointer Networks Jian Li, Yue Wang, Irwin King, and

Code Completion with Neural Attention and Pointer Networks Jian Li, Yue Wang, Irwin King, and Michael R. Lyu The Chinese University of Hong Kong Presented by Ondrej Skopek Goal: Predict out-of-vocabulary words using local context

607 views • 25 slides
Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an integer as long as result is still within the bounds of the array Can subtract a pointer from another pointer iff both point to

140 views • 9 slides
KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs

KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs

KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs Bruce Long, Chair of the Academic Integrity Board Laura Bizzell, Student Conduct &amp; Academic Integrity Kaela Lindquist, Student Conduct &amp;

552 views • 22 slides
Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer is a variable that stores a memory address. Pointers are used to store the addresses of other variables or memory items. Pointers are very

742 views • 23 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer Interpretation: declare x as a variable on the stack that holds the numeric address of the location in memory at which are 32 bits that we intend

359 views • 15 slides
Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover

Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover

Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover with their students Where to find the Code 1. Student Life Page 2. Policies &amp; Procedures Library Course Syllabus Statement A breach of

88 views • 7 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

Medical WG Technology session APAN 32 nd meeting at New Delhi HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National Taiwan University Torata N and Cao Duc Minh, Kyushu University Hospital. 1 HD-SCR:

347 views • 10 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

The 5 th ATS at Fukuoka HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University Hospital. 2 HD-SCR: High Definition Streaming Combined Remote conference system Concepts of New system Hi quality HD image

108 views • 7 slides
Academic Integrity Collaboration Encouraged! Groups of up to 5 per assignment (you + 4)

Academic Integrity Collaboration Encouraged! Groups of up to 5 per assignment (you + 4)

Academic Integrity Collaboration Encouraged! Groups of up to 5 per assignment (you + 4) List your collaborators (by UVA computing ID) Write-ups/code written independently DO NOT share written notes / pictures / code DO NOT

813 views • 35 slides
LINUX PRESENTATION DAY 2016.2 in Lige (Belgium) Main organization steps and feedback LPD 2016.2

LINUX PRESENTATION DAY 2016.2 in Lige (Belgium) Main organization steps and feedback LPD 2016.2

LINUX PRESENTATION DAY 2016.2 in Lige (Belgium) Main organization steps and feedback LINUX PRESENTATION DAY 2016.2 in Lige (Belgium) Main organization steps and feedback LPD 2016.2 06/03/2017

195 views • 17 slides
S7349: Getting Started with GPUs for Linux Virtual Desktops on VMware Horizon Trey Johnson

S7349: Getting Started with GPUs for Linux Virtual Desktops on VMware Horizon Trey Johnson

S7349: Getting Started with GPUs for Linux Virtual Desktops on VMware Horizon Trey Johnson Sr. Architect, Lincare, Inc. Tony Foster Sr. Advisor, Technical Marketing, Dell Technologies NVIDIA GRID Community Advisor 1 #GTC #S7349 Agenda

863 views • 51 slides
2020 Census Update &amp; 2020 Census Redistricting Data Program California Redistricting

2020 Census Update &amp; 2020 Census Redistricting Data Program California Redistricting

2020 Census Update &amp; 2020 Census Redistricting Data Program California Redistricting Committee Sacramento, CA April 22, 2019 James Whitehorne Chief Census Redistricting &amp; Voting Rights Data Office 1 Topics Covered The 2020

732 views • 58 slides
BP Acquisition of BHP US Onshore Assets - Investor Call Friday 27 July 2018 This transcript

BP Acquisition of BHP US Onshore Assets - Investor Call Friday 27 July 2018 This transcript

BP Acquisition of BHP US Onshore Assets - Investor Call Friday 27 July 2018 This transcript contains minor modifications from the original for accuracy or clarification, none of which change the substance of the original. Please refer to the

424 views • 16 slides
IBM Cloud Private on Linux on IBM Z &amp; LinuxONE Presentation for Vicom Infinity Kershaw Mehta -

IBM Cloud Private on Linux on IBM Z &amp; LinuxONE Presentation for Vicom Infinity Kershaw Mehta -

IBM Cloud Private on Linux on IBM Z &amp; LinuxONE Presentation for Vicom Infinity Kershaw Mehta - Chief Architect for Cloud Computing for IBM Z (kershaw@us.ibm.com) December 14, 2017 Evolution of how workloads are built &amp; delivered

624 views • 23 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
RHEL 6 and 7 gotchas Gotchas in RHEL6 and expectations for RHEL7 Robin Long Department of

RHEL 6 and 7 gotchas Gotchas in RHEL6 and expectations for RHEL7 Robin Long Department of

RHEL 6 and 7 gotchas Gotchas in RHEL6 and expectations for RHEL7 Robin Long Department of Physics, Lancaster University November 8, 2012 Changes for Scientific Linux 6 ext4 now default file system. upstart replaced SysVinit (allows

62 views • 4 slides

More recommend