cs 527 software security
play

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer - PowerPoint PPT Presentation

Mar 04, 2024 •263 likes •658 views

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Eternal War in Memory Table of Contents

  1. CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Eternal War in Memory Table of Contents Eternal War in Memory 1 Memory safety 2 Spatial memory safety Temporal memory safety Towards a definition Enforcing memory safety 3 SoftBound 4 CETS 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 38

  3. Eternal War in Memory The Eternal War in Memory Memory corruption is as old as operating systems and networks. First viruses, worms, and trojan horses appeared with the creation of operating systems. All malware abuses a security violation, either user-based, hardware-based, or software-based. Early malware tricked users into running code (e.g., as part of the boot process on a floppy disk). The Morris worm abused stack-based buffer overflows in sendmail, finger, and rsh/exec to gain code execution on a large part of the Internet in 1988. A plethora of other software vulnerabilities continued to allow malware writers to gain code execution on systems. Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 38

  4. Eternal War in Memory Control-flow hijack attack The attacker wants to control the execution of a program by redirecting control-flow to an attacker-controlled location. First, the attacker must overwrite a code pointer (return instruction pointer on the stack, target of an indirect jump, or target of an indirect call). Second, the attacker forces the program to follow the modified code pointer (this can be explicit or implicit). Third, the attacker keeps modifying code pointers so that the process now executes the attacker’s code. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 38

  5. Eternal War in Memory Control-flow hijack attack Memory Safety 1 void vuln ( char ∗ u1 ) { / ∗ a s s e r t ( s t r l e n ( u1 ) < MAX) ; ∗ / 2 Integrity char tmp [MAX] ; 3 Randomization s t r c p y (tmp , u1 ) ; 4 r e t u r n strcmp (tmp , ” foo ” ) ; 5 Flow Integrity 6 } Successful Attack! 7 vuln ( e x p l o i t ) ; Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 38

  6. Eternal War in Memory Quick attack overview Code corruption. Code injection and control-flow hijacking. Code reuse and control-flow hijacking. Control-flow bending. Controlling a Turing-complete interpreter inside an application (constrained execution). Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 38

  7. Eternal War in Memory Attacks: Escalate Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 38

  8. Memory safety Table of Contents Eternal War in Memory 1 Memory safety 2 Spatial memory safety Temporal memory safety Towards a definition Enforcing memory safety 3 SoftBound 4 CETS 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 38

  9. Memory safety Memory safety Definition: Memory safety Memory safety is a property that ensures that all memory accesses adhere to the semantics defined by the source programming language. The gap between the operational semantics of the programming language and the underlying instructions provided by the hardware allow an attacker to step out of the restrictions imposed by the programming language and access memory out of context. Memory unsafe languages like C/C++ do not enforce memory safety and data accesses can occur through stale/illegal pointers. Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 38

  10. Memory safety Memory safety Memory safety is a general property that can apply to a program, a runtime environment, or a programming language 1 . A program is memory safe, if all possible executions of that program are memory safe. A runtime environment is memory safe, if all possible programs that can run in the environment are memory safe. A programming language is memory safe, if all possible programs that can be expressed in that language are memory safe. If memory safety is enforced, then a list of bad things can never happen. This list includes buffer overflows, NULL pointer dereferences, use after free, use of uninitialized memory, or illegal frees. 1 See Mike Hicks definition of memory safety http://www.pl-enthusiast.net/2014/07/21/memory-safety/ . Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 38

  11. Memory safety Memory safety Memory safety violations rely on two conditions that must both be fulfilled: A pointer either goes out of bounds or becomes dangling. This pointer is used to either read or write. Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 38

  12. Memory safety Spatial memory safety Spatial memory safety Definition: Spatial memory safety Spatial memory safety is a property that ensures that all memory dereferences are within bounds of their pointer’s valid objects. An object’s bounds are defined when the object is allocated. Any computed pointer to that object inherits the bounds of the object. Any pointer arithmetic can only result in a pointer inside the same object. Pointers that point outside of their associated object may not be dereferenced. Dereferencing such illegal pointers results in a spatial memory safety error and undefined behavior. Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 38

  13. Memory safety Spatial memory safety Spatial memory safety 1 char ∗ ptr = malloc (24) ; 2 f o r ( i n t i = 0; i < 26; ++i ) { ptr [ i ] = i +0x41 ; 3 4 } Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 38

  14. Memory safety Temporal memory safety Temporal memory safety Definition: Temporal memory safety Temporal memory safety is a property that ensures that all memory dereferences are valid at the time of the dereference, i.e., the pointed-to object is the same as when the pointer was created. When an object is freed, the underlying memory is no longer associated to the object and the pointer is no longer valid. Dereferencing such an invalid pointer results in a temporal memory safety error and undefined behavior. Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 38

  15. Memory safety Temporal memory safety Temporal memory safety 1 char ∗ ptr = malloc (24) ; 2 f r e e ( ptr ) ; 3 f o r ( i n t i = 0; i < 24; ++i ) { ptr [ i ] = i +0x41 ; 4 5 } Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 38

  16. Memory safety Towards a definition Memory safety Assume we have defined (allocated) and undefined memory. Assume that deallocated memory is never reused. Memory safety is violated if undefined memory is accessed. Pointers can be seen as capabilities, they allow access to a certain region of (allocated) memory. Each pointer consists of the pointer itself, a base pointer, and bounds for the pointer. When creating a pointer, capabilities are initialized. When updating a pointer, the base and bounds remain the same. When copying a pointer, the capabilities are propagated. When dereferencing a pointer, the capabilities are checked. Capabilities cannot be forged or constructed by the programmer but are inherently added and enforced by the compiler. Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 38

  17. Memory safety Towards a definition Memory safety Capability-based memory safety is a form of type safety with two types: pointer-types and scalars. Pointers (and their capabilities) are only created in a safe way. The capabilities are created as a side-effect of creating the pointer. Pointers can only be dereferenced if they point to their assigned memory region and that region is still valid. Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 38

  18. Memory safety Towards a definition Memory unsafety? Super Mario arbitrary code execution In short: I manipulate where the moving objects (sprites) are located or where they despawn, then I swap the item in Yoshi’s mouth with a flying ?-block (thus the yellow glitched shell) and using a glitch (stunning) to spawn a sprite which isn’t used by SMW and since it tries to jump to the sprite routine location, it indexes everything wrong and jumps to a place I manipulated earlier with the sprites (OAM) and because of the P-Switch it jumps to controller registers and from there the arbitrary code execution is started. Even shorter: Magic. (by Masterjun3) https://www.youtube.com/watch?v=OPcV9uIY5i4 Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 38

  19. Memory safety Towards a definition Memory Safety: Attack Paths Memory safety Memory corruption Integrity C *C D *D Confidentiality &C &D Flow Integrity *&C *&D Code Control-flow Bad things Data-only corruption hijack Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 38

  20. Enforcing memory safety Table of Contents Eternal War in Memory 1 Memory safety 2 Spatial memory safety Temporal memory safety Towards a definition Enforcing memory safety 3 SoftBound 4 CETS 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
A Computational Model of A Computational Model of Routine Procedural Memory Routine Procedural

A Computational Model of A Computational Model of Routine Procedural Memory Routine Procedural

A Computational Model of A Computational Model of Routine Procedural Memory Routine Procedural Memory Frank Tamborello Frank Tamborello Department of Psychology Department of Psychology Rice University Rice University Houston, TX 77005

560 views • 30 slides
A Different Kind of KR COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk Friday, 2 May 2014

A Different Kind of KR COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk Friday, 2 May 2014

A Different Kind of KR COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk Friday, 2 May 2014 Varieties of KR Weve been looking at a fairly narrow set Mostly (first order) logic based Ontology languages Primarily

581 views • 24 slides
Speculations on possible brain substrates of symbolic processing and structured I/O from memory

Speculations on possible brain substrates of symbolic processing and structured I/O from memory

Speculations on possible brain substrates of symbolic processing and structured I/O from memory Adam Marblestone CS 379c Stanford 2019 (slides based on pre-DeepMind work, much of it with Ken Hayworth) A tentative high-level template for AI

542 views • 33 slides
Pervasive Activation: Applying the mechanism to declarative and procedural memory Ronald S. Chong

Pervasive Activation: Applying the mechanism to declarative and procedural memory Ronald S. Chong

SOAR WORKSHOP XXIII JUNE 27, 2003 Pervasive Activation: Applying the mechanism to declarative and procedural memory Ronald S. Chong (rchong@gmu.edu) Humans Factors and Applied Cognition Department of Psychology George Mason University

317 views • 15 slides
Understanding Complex Developmental Trauma in Children and Adolescents Rashmi Sabu, MD October

Understanding Complex Developmental Trauma in Children and Adolescents Rashmi Sabu, MD October

Understanding Complex Developmental Trauma in Children and Adolescents Rashmi Sabu, MD October , 2015 COMPLEX DEVELOPMENTAL TRAUMA THE TWO CASES OF TRAUMA I. A child of eight is badly mauled by a neighbors pet. The initial attack is

333 views • 30 slides
Class Six Object oriented programming the world is full of objects think of oop as

Class Six Object oriented programming the world is full of objects think of oop as

The Code Liberation Foundation Lecture 5 Structs, classes, the heap and the stack Class Six Object oriented programming the world is full of objects think of oop as defjning and creating objects and relationships between them

384 views • 27 slides
Behaviour and Reasoning Description Language (BRDL) Antonio Cerone Department of Computer

Behaviour and Reasoning Description Language (BRDL) Antonio Cerone Department of Computer

Behaviour and Reasoning Description Language (BRDL) Antonio Cerone Department of Computer Science School of Science and Technology Nazarbayev University Nur-Sultan, Kazakhstan email: antonio.cerone@nu.edu.kz A. Cerone, Nazarbayev University

602 views • 56 slides
An Adaptive Tutor to Promote Learners Skills Acquisition during Procedural Learning Joanna

An Adaptive Tutor to Promote Learners Skills Acquisition during Procedural Learning Joanna

An Adaptive Tutor to Promote Learners Skills Acquisition during Procedural Learning Joanna TAOUM Workshop eliciting Adaptive Sequences for Learning ITS, Montral ( Canada ) , June 2018 CONTEXT Actions and Procedures on ECA Positive

401 views • 28 slides

More recommend