compiler design
play

Compiler Design Spring 2018 Thomas R. Gross Computer Science - PowerPoint PPT Presentation

Jan 17, 2024 •508 likes •849 views

Compiler Design Spring 2018 Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1 What I hope you learned in this class 1. Compiler design: Structure of a simple compiler Simple: 2-3K lines of Java code (maybe a bit more)

  1. Compiler Design Spring 2018 Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1

  2. What I hope you learned in this class 1. Compiler design: Structure of a simple compiler § Simple: 2-3K lines of Java code (maybe a bit more) § Industry: C1 compiler in HotSpot VM is considered “simple” § 30K lines of C/C++/assembly code 2. Software engineering: How to design a large(r) software system § Sometimes there is no “right” or ”wrong” § Sometimes there is 3. Programming § What the programming language design document should tell you § How to use that information 2

  3. Beyond (basic) "Compiler Design" Many possible extensions § Optimizations § Intermediate representations § Program transformations § Tool support § System security § New language concepts, new languages 6

  4. Compilers and system security 7

  5. Attack types § Code corruption attack § Control-flow hijack attack § Data-only attack § Information leak Attack model according to: „sok: eternal war in memory“ laszlo szekeres, mathias payer, tao wei, dawn song Http://www.cs.berkeley.edu/~dawnsong/papers/oakland13-sok-cr.pdf

  6. Control-flow hijack attacks § Most powerful attack § Hijack control-flow § To attacker-supplied arbitrary machine code § To existing code (code-reuse attack) § Corrupt code pointers § Return addresses, function pointers, vtable entries, exception handlers, jmp_bufs

  7. Control-flow hijack attacks § Most ISAs support indirect branch instructions § E.g., x86 “ret“, indirect “jmp“, indirect “call“ § fptr is a value in memory fptr: 0x8056b30 0xafe08044 at 0xafe08044 Code § branch *fptr 0x08056b30 good_func:

  8. Control-flow hijack attacks § fptr is a value in memory at 0xafe08044 § branch *fptr § fptr was corrupted by an attacker fptr: Corrupted 0xafe08044 Code § Attacker goal: hijack control-flow to evil_code: injected machine code or to “evil functions“

  9. State of the art defenses § Non-executable data § NX bit § Data Execution Prevention (DEP) § OS support 14

  10. Bypassing NX / DEP 0xffffffff § Only use existing code Stack attacker code & rw- § Code-reuse attack data § ret2libc, ret2bin, ret2* attacks Heap § Return-oriented programming (ROP) attacker code & rw- data § Jump/Call-oriented programming r-x Code § Use code-reuse technique to change protection flags § Alllocate or make memory executable § mprotect/VirtualProtect 0x00000000 § mmap/VirtualAlloc

  11. Return-oriented programming (ROP) %ebp address gadget4 § Use available code snippets ending address gadget3 with ret instruction dummy value address § Called gadgets or ROP chain Stack address gadget2 § E.g., write primitive value address gadget1 %esp arguments saved ebp dummy ebp pop %edx; 1 return address ret; buf[1024] rw- pop %eax; 2 pop %ebx; ret; r-x Code mov %edx, (%eax); 3 mov $0x0, %eax; ret;

  12. ASLR § Today most operating systems implement Address Space Layout Randomization (ASLR) § Mapping program addresses to hardware addresses § What can be randomized? § OS: Stack, heap and memory mapping base addresses § OS, compiler, linker: Exectuables and libraries § Position-independent or relocatable code

  13. Generic defense: DEP & ASLR § DEP: Data Execution Protection § ASLR: Address Space Layout Randomization § Exploitation becomes harder for all vulnerability classes & attack techniques § Together quite effective § If implemented correctly and used continuously § But DEP and ASLR not enough

  14. Compile-time protection Usually require source code changes (annotations) and/or recompilation of the application § § To add run-time checks § Stack canaries / Cookies Pointer obfuscation § /GS (buffer security check) § /SAFESEH (link-time, provide list of valid handlers) § SEHOP (run-time, walk down SEH chain to final handler before dispatching / integrity check) § Virtual Table Verification (VTV) & vtguard § Control-Flow Guard (new in Visual Studio 2015) §

  15. Stack canary / cookie Stack during vulnFunc() main() stack frame void vulnFunc() { return address arguments <copy canary> saved ebp saved ebp char buf[1024]; %ebp stack canary read(STDIN, buf, 2048); return address <verify canary> } buf[1024] copy canary rw- %esp stack canary Stack at function exit verify canary overwritten frame overwritten retaddr arguments saved ebp overwritten ebp %ebp overwritten canary return address buf[1024] rw- %esp

  16. Stack canary / cookie § Detects linear buffer overflows on stack § At function exit § Corruption of local stack not detected § Only if canary / cookie value is overwritten § Incurs runtime overhead § Effectiveness relies on secret § Leaking, predicting, guessing or brute-forcing might work in special cases

  17. Attacker model § Let's assume a powerful attacker § Can arbitrarily corrupt data and pointers § Can read entire address space of a process § Only restriction on attacker: § No data execution and no code corruption (NX/DEP/W^X)

  18. Question § Can we still prevent arbitrary code execution and code-reuse attacks?

  19. Observations § Attacker needs to hijack control-flow § To injected or existing code § VM/runtime system must ensure that control-flow stays on the intended legitimate path § As allowed by compiler resp. control-flow graph (CFG)

  20. Control-flow integrity (CFI) § Construct a control-flow graph (CFG) § Should be as strict as possible § Ensure that control-flow stays within CFG

  21. Control-flow integrity (CFI) § Original publication in 2005 § “Control-Flow Integrity – Principles, Implementations, and Applications“ § M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti CCS'05 (ACM Trans. on Information and System Security (TISSEC) 13(1) Oct 2009) § § Many CFI implementations were proposed during recent years § Compiler-based § Binary-only (static rewriting)

  22. Control-flow integrity (CFI) § Construct a control-flow graph (CFG) § Should be as strict as possible § Ensure that control-flow stays within CFG § If no path within the CFG can be misused by an attacker then the CFI policy can be considered secure

  23. Control-flow integrity (CFI) Basic block Direct branch Indirect branch

  24. Hijacked control-flow ret Basic block Direct branch Indirect branch

  25. Control-flow integrity (CFI) Basic block Direct branch Indirect branch

  26. Control-flow integrity (CFI) Basic block Direct branch Indirect branch under CFI

  27. Control-flow integrity (CFI) Basic block Direct branch Indirect branch under CFI

  28. Control-flow integrity (CFI) CFI VIOLATION Basic block Direct branch Indirect branch under CFI

  29. Control-flow integrity (CFI) § Drawbacks of proposed solutions § Too permissive CFG due to over-approximation § Need to recompile § No support for shared libraries § Most solutions shown to be ineffective § “Hardened” exploits still worked under CFI

  30. Control-flow integrity (CFI) § Static CFI not enough: Dynamic approach necessary § Dynamic CFI 41

  31. Lockdown – dynamic CFI § Enforces a strict CFI policy for binaries § Supports shared libraries & dynamic loading § Constructs and enforces CFG at runtime § Using static and dynamic information

  32. Lockdown – dynamic CFI Lockdown Lockdown Loader Binary Translator CFT Verifier Domain translate() Loads ELF DSOs Code Cache /bin/<exe> libc.so.6 printf() main' main() Application Run-time ICF func1() func2' ELF validation Domain Files func2() printf' lib* ... func*() User Kernel System Call Interface read only readable + executable CFT: Control-Flow Transfer, ICF: Indirect Control-Flow, ELF: Executable and Linkable Format, DSO: Dynamic Shared Object

  33. Beyond basic compilers § Many interesting problems exist § Opportunities for projects (BS, MS, research) § Contact me or the TAs for further information 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2 Admin issues Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1.1

1.27k views • 46 slides
15-411 Compiler Design Fall 2014 / Frank Pfenning 1 15-411/611 Compiler Design Fall 2014

15-411 Compiler Design Fall 2014 / Frank Pfenning 1 15-411/611 Compiler Design Fall 2014

15-411 Compiler Design Fall 2014 / Frank Pfenning 1 15-411/611 Compiler Design Fall 2014 Teaching Staff Instructor Frank Pfenning, GHC 7019 Office hour: Thu 10:30-12:00 Teaching Assistants (GHC 5205 for now) Flvio Cruz,

378 views • 17 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations, Variables Owen Arden UC Santa Cruz Based on course materials developed by Ranjit Jhala Lets Write a Compiler! Our goal is to write a compiler which

658 views • 18 slides
252-210: Compiler Design 9.2 Points and paths 9.3

252-210: Compiler Design 9.2 Points and paths 9.3

252-210: Compiler Design 9.2 Points and paths 9.3 Transfer func6ons Thomas R. Gross Computer Science Department ETH Zurich, Switzerland Outline

758 views • 57 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
252-210: Compiler Design 3.2 Lexical analysis 3.3

252-210: Compiler Design 3.2 Lexical analysis 3.3

252-210: Compiler Design 3.2 Lexical analysis 3.3 Top-down parsing Thomas R. Gross Computer Science Department ETH Zurich, Switzerland

392 views • 37 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Introduction and Overview Owen

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Introduction and Overview Owen

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Introduction and Overview Owen Arden UC Santa Cruz Based on course materials developed by Ranjit Jhala What is a Compiler? A function that maps an input string to an output

79 views • 5 slides
Compiler Design 1 Introduction to Programming Language Design and to Compilation Administrivia

Compiler Design 1 Introduction to Programming Language Design and to Compilation Administrivia

Compiler Design 1 Introduction to Programming Language Design and to Compilation Administrivia Lecturer: Kostis Sagonas (Hus 1, 352) Course home page: http://user.it.uu.se/~kostis/Teaching/KT1-11 If you want to be

423 views • 40 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Compiler Design and Construction Syntax Analysis Slides modified from Louden Book and Dr.

Compiler Design and Construction Syntax Analysis Slides modified from Louden Book and Dr.

Compiler Design and Construction Syntax Analysis Slides modified from Louden Book and Dr. Scherger The Role of the Parser The following figure shows the position of the parser in a compiler: Basically it asks the lexical analyzer for a

1.02k views • 68 slides
CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

Synthesis and Place &amp; Route Synopsys design compiler Cadence Encounter Digital Implementation System (EDI) CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural Verilog Cadence Your EDI Library

580 views • 46 slides
CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

Synthesis and Place &amp; Route Synopsys design compiler Cadence Encounter Digital Implementation System (EDI) CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural Verilog Cadence Your EDI Library

511 views • 36 slides
1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and

1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and

1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and to Compilation Administrivia Lecturer: Kostis Sagonas ( kostis@it.uu.se ) Course home page:

609 views • 40 slides
1DL321: Kompilatorteknik I (Compiler Design 1) Course home page:

1DL321: Kompilatorteknik I (Compiler Design 1) Course home page:

Administrivia Lecturer: Kostis Sagonas ( kostis@it.uu.se ) 1DL321: Kompilatorteknik I (Compiler Design 1) Course home page: http://user.it.uu.se/~kostis/Teaching/KT1-12/ Introduction to Programming Assistants: Language Design

365 views • 10 slides
Principles of Compiler Design - The Brainf*ck Compiler - Clifford Wolf - www.clifford.at

Principles of Compiler Design - The Brainf*ck Compiler - Clifford Wolf - www.clifford.at

Principles of Compiler Design - The Brainf*ck Compiler - Clifford Wolf - www.clifford.at http://www.clifford.at/papers/2004/compiler/ Clifford Wolf, December 22, 2004 http://www.clifford.at/papers/2004/compiler/ p. 1/56 Introduction

847 views • 56 slides
Compiler Construction Christian Rinderknecht 31 October 2008 1 Why study compiler construction?

Compiler Construction Christian Rinderknecht 31 October 2008 1 Why study compiler construction?

Compiler Construction Christian Rinderknecht 31 October 2008 1 Why study compiler construction? Few professionals design and write compilers. So why teach how to make compilers? A good software/telecom engineer understands the high-level

1.27k views • 80 slides
1st Graduate Students Conference Computer Science Department October 25th, 2019 PhD Candidate

1st Graduate Students Conference Computer Science Department October 25th, 2019 PhD Candidate

Senior Software Security Engineer sad Sphynx Technology Solutions AG (CH,CY) Email: smyrlis@sphynx.ch 1st Graduate Students Conference Computer Science Department October 25th, 2019 PhD Candidate School of Mathematics, Computer Science and

923 views • 32 slides
CSCI 127 Introduction to Database Systems Integrity Constraints and Functional Dependencies

CSCI 127 Introduction to Database Systems Integrity Constraints and Functional Dependencies

CSCI 127 Introduction to Database Systems Integrity Constraints and Functional Dependencies CSCI 127: Introduction to Database Systems Integrity Constraints Purpose: Prevent semantic inconsistencies in data total savings + checking

1.01k views • 64 slides
Sig ignal In Integrity Checks Ba Babak Abi 30 August 2018 1 DPM Design simply includes :

Sig ignal In Integrity Checks Ba Babak Abi 30 August 2018 1 DPM Design simply includes :

DPM Status update Sig ignal In Integrity Checks Ba Babak Abi 30 August 2018 1 DPM Design simply includes : ZYNQ: XCZU15EG-1FFVB1156E samtec M2 NMVe DDR4 : MT40A1G16WBU-083(twin die) in two separate banks 1. 4x DDR4 (8 GB)

369 views • 23 slides
L o g g ing Syste m fo r L o ng - life time Da ta Va lida tio n Ying di Yu UCL A 1 L

L o g g ing Syste m fo r L o ng - life time Da ta Va lida tio n Ying di Yu UCL A 1 L

L o g g ing Syste m fo r L o ng - life time Da ta Va lida tio n Ying di Yu UCL A 1 L ife time o f da ta vs. sig ning ke y L ife time o f a da ta pa c ke t de pe nds o n da ta usa g e ma y e xist fo r a lo ng time

498 views • 46 slides
Developing a Standards-Based Localiza6on Service Bus at Intel

Developing a Standards-Based Localiza6on Service Bus at Intel

Developing a Standards-Based Localiza6on Service Bus at Intel David Filip CNGL / ADAPT Loc Dufresne de Virel Intel Intro Intels in-house

436 views • 8 slides
Parameter efficient training of deep convolutional neural networks by dynamic sparse

Parameter efficient training of deep convolutional neural networks by dynamic sparse

Parameter efficient training of deep convolutional neural networks by dynamic sparse reparameterization Hesham Mostafa (Intel AI) Xin Wang (Intel AI, Cerebras Systems) Easy : post-training (sparse) compression Hard : direct training of sparse

727 views • 9 slides
Introduction to Artificial Intelligence Kalev Kask ICS 271 Fall 2017

Introduction to Artificial Intelligence Kalev Kask ICS 271 Fall 2017

Introduction to Artificial Intelligence Kalev Kask ICS 271 Fall 2017 http://www.ics.uci.edu/~kkask/Fall-2017 CS271/ 271-fall 2017 Course requirements Assignments: There will be weekly homework assignments, a project, a final.

1.11k views • 52 slides
Intelligent Agents Chapter 2 Outline Agents and environments Rationality Task

Intelligent Agents Chapter 2 Outline Agents and environments Rationality Task

Intelligent Agents Chapter 2 Outline Agents and environments Rationality Task environment: PEAS: Performance measure Environment Actuators Sensors Environment types Agent types Agents and Environments An

579 views • 47 slides

More recommend