cs 527 software security
play

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias - PowerPoint PPT Presentation

Apr 03, 2023 •246 likes •673 views

CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 A model for Control-Flow Hijack attacks

  1. CS-527 Software Security Defense Mechanisms Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. A model for Control-Flow Hijack attacks Memory safety Memory corruption Integrity C *C D *D Location &C &D Usage *&C *&D Code Control-flow Attack Data-only corruption hijack Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 41

  3. Widely-adopted defense mechanisms Table of Contents Widely-adopted defense mechanisms 1 Data Execution Prevention 2 Address Space Randomization 3 Stack Canaries 4 Safe Exception Handling 5 Fortify source 6 Summary and conclusion 7 Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 41

  4. Widely-adopted defense mechanisms Widely-adopted defense mechanisms Hundreds of defense mechanisms were proposed. Only few defense mechanisms have been adapted in practice. What increases the chances of adaption? Mitigation of the most imminent problem. (Very) low performance overhead. Fits into the development cycle. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 41

  5. Widely-adopted defense mechanisms How not to get your defense mechanism adapted Require source code changes. Have complicated dependencies. Result in large slowdown or have terrible worst-case outliers. Patent your defense mechanism and try to sell it. Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 41

  6. Data Execution Prevention Table of Contents Widely-adopted defense mechanisms 1 Data Execution Prevention 2 Address Space Randomization 3 Stack Canaries 4 Safe Exception Handling 5 Fortify source 6 Summary and conclusion 7 Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 41

  7. Data Execution Prevention Data Execution Prevention (DEP) x86 did not originally distinguish between code and data. Any data in the process could be interpreted as code. Attacker tries to redirect control flow to injected data. Defense assumption : if an attacker cannot inject code (as data), then a code execution attack is not possible. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 41

  8. Data Execution Prevention DEP Intel, AMD, and ARM extended page tables and introduced the NX-bit (No eXecute bit). Thanks to the joy of marketing, Intel calls this per-page bit XD (eXecute Disable), AMD calls it Enhanced Virus Protection, and ARM calls it XN (eXecute Never). This is an additional bit for every mapped virtual page. If the bit is set, then data on that page cannot be interpreted as code and the processor will trap if control flow reaches that page. Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 41

  9. Data Execution Prevention “Old-school” Page Tables Linear address: 31 24 23 16 15 8 7 0 10 10 12 page directory page table ... ... 4K memory page 32 bit PD ... entry 32 bit PT ... entry ... ... 32* CR3 *) 32 bits aligned to a 4-KByte boundary (c) RokerHRO, Wikimedia. Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 41

  10. Data Execution Prevention “Old-school” Page Table Entry Bit Position Content 0 (P) Present; must be 1 to map a 4-KB page 1 (R/W) Read/write; if 0, writes may not be allowed 2 (U/S) User/supervisor; if 0 access with CPL=3 not allowed 3 (PWT) Page-level write-through 4 (PCD) Page-level cache disable 5 (A) Accessed 6 (D) Dirty 7 (PAT) Page Attribute Table (PAT) indicator or reserved (0) 8 (G) Global 11:9 Ignored 31:12 Physical address of the 4-KB page According to Intel 64 and IA-32 manual 3A, Table 4-6. Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 41

  11. Data Execution Prevention Physical Address Extension (PAE) Page Tables Linear address: 31 24 23 16 15 8 7 0 9 9 12 page-directory- pointer table page directory Dir.Pointer ... entry page table ... Dir.Pointer 64 bit PD 4K memory page entry entry Dir.Pointer ... entry Dir.Pointer entry 64 bit PT ... entry 32* ... ... CR3 *) 32 bits aligned to a 32-Byte boundary (c) RokerHRO, Wikimedia. Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 41

  12. Data Execution Prevention PAE Page Table Entry Bit Position Content 0 (P) Present; must be 1 to map a 4-KB page 1 (R/W) Read/write; if 0, writes may not be allowed 2 (U/S) User/supervisor; if 0 access with CPL=3 not allowed 3 (PWT) Page-level write-through 4 (PCD) Page-level cache disable 5 (A) Accessed 6 (D) Dirty 7 (PAT) Page Attribute Table (PAT) indicator or reserved (0) 8 (G) Global 11:9 Ignored (M-1):12 Physical address of the 4-KB page 62:M Reserved (0) 63 (XD) If IA32 EFER.NXE = 1, execute-disable if 1 According to Intel 64 and IA-32 manual 3A, Table 4-11. Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 41

  13. Data Execution Prevention x86-64 Page Tables (c) Intel 64 and IA-32 manual 3A, Table 4-8. Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 41

  14. Data Execution Prevention x86-64 Page Table Entry Bit Position Content 0 (P) Present; must be 1 to map a 4-KB page 1 (R/W) Read/write; if 0, writes may not be allowed 2 (U/S) User/supervisor; if 0 access with CPL=3 not allowed 3 (PWT) Page-level write-through 4 (PCD) Page-level cache disable 5 (A) Accessed 6 (D) Dirty 7 (PAT) Page Attribute Table (PAT) indicator or reserved (0) 8 (G) Global 11:9 Ignored (M-1):12 Physical address of the 4-KB page 51:M Reserved (0) 62:52 Ignored 63 (XD) If IA32 EFER.NXE = 1, execute-disable if 1 Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 41 According to Intel 64 and IA-32 manual 3A, Table 4-19.

  15. Data Execution Prevention Alternate approaches Not all hardware supports PAE. ExecShield by Ingo Molnar used code segment restrictions to limit code execution on x86 for Linux. OpenBSD’s WˆX follows the same idea. PaX, also for Linux, is ExecShield on steroids with significant remapping of code region (and may break applications). Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 41

  16. Address Space Randomization Table of Contents Widely-adopted defense mechanisms 1 Data Execution Prevention 2 Address Space Randomization 3 Stack Canaries 4 Safe Exception Handling 5 Fortify source 6 Summary and conclusion 7 Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 41

  17. Address Space Randomization Address Space Randomization (ASR) Successful control-flow hijack attacks depend on the attacker overwriting a code pointer with a known alternate target. ASR changes (randomizes) the process memory layout. If the attacker does not know where a piece of code (or data) is, then it cannot be reused in an attack. Attacker must first “learn” or recover the address layout. Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 41

  18. Address Space Randomization Challenges for ASR Information leakage (e.g., through side channels) Brute forcing a secret value Rerandomization (for “long” running processes) Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 41

  19. Address Space Randomization ASLR effectiveness ASLR effectiveness The security improvement of ASLR depends on (i) the entropy available for each randomized location, (ii) the completeness of randomization (i.e., are all objects randomized), and (iii) the lack of any information leaks. Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 41

  20. Address Space Randomization Candidates for randomization Trade-off between overhead, complexity, and security benefit of randomization. Randomize start of heap Randomize start of stack Randomize start of code (for executable – PIE and for each library – PIC) Randomize mmap allocated regions Randomize individual allocations (malloc) Randomize the code itself, e.g., gap between functions, order of functions, basic blocks Randomize members of structs, e.g., padding, order Related concept: software diversity Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 41

  21. Address Space Randomization ASLR entropy Assuming all objects are randomized, entropy of each section is key to security. Attacker will follow path of least resistance, i.e., target the object with the lowest entropy. Early ASLR implementations had low entropy on the stack and no entropy on x86 for the main executable. Linux (through Exec Shield) uses 19 bits of entropy for the stack (on 16 byte period) and 8 bits of mmap entropy (on 4096 byte period). Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 41

  22. Stack Canaries Table of Contents Widely-adopted defense mechanisms 1 Data Execution Prevention 2 Address Space Randomization 3 Stack Canaries 4 Safe Exception Handling 5 Fortify source 6 Summary and conclusion 7 Mathias Payer (Purdue University) CS-527 Software Security 2017 22 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS

Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS

Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS Tutorial June 2004 Security protocols Protocols: distributed programs Goal: maintain prescribed behavior in adversarial execution environment

1.34k views • 51 slides
802.1 Plenary - 03/2012 Hawaii Opening Agenda General information... See:

802.1 Plenary - 03/2012 Hawaii Opening Agenda General information... See:

802.1 Plenary - 03/2012 Hawaii Opening Agenda General information... See: http://www.ieee802.org/1/files/public/minutes /802-1-general-info-v3.pdf Decorum Press (i.e., anyone reporting publicly on this meeting) are to announce

393 views • 27 slides
Modeling and Analysis of Real -Time Systems with Mutex Components APDCM10 Guoqiang Li 1 ,

Modeling and Analysis of Real -Time Systems with Mutex Components APDCM10 Guoqiang Li 1 ,

Modeling and Analysis of Real -Time Systems with Mutex Components APDCM10 Guoqiang Li 1 , Xiaojuan Cai 1 ,Shoji Yuen 2 1 BASICS, Shanghai Jiao Tong University 2 Graduate School of Information Science, Nagoya University 19th, April. 2010

418 views • 19 slides
Regular Expressions Pattern and Match objects Genome 559: Introduction to Statistical and

Regular Expressions Pattern and Match objects Genome 559: Introduction to Statistical and

Regular Expressions Pattern and Match objects Genome 559: Introduction to Statistical and Computational Genomics Elhanan Borenstein A quick review Strings: abc vs. abc vs. abc vs. rabc String

336 views • 20 slides
Tecto to AMR and translation Ond rej Bojar, Silvie Cinkov a, Ond rej Du sek, Tim

Tecto to AMR and translation Ond rej Bojar, Silvie Cinkov a, Ond rej Du sek, Tim

Tecto to AMR and translation Ond rej Bojar, Silvie Cinkov a, Ond rej Du sek, Tim OGorman, Martin Popel, Roman Sudarikov, Zde nka Ure sov a August 1, 2014 1 / 24 Introduction 2 / 24 Motivation We are

371 views • 24 slides
Data Mining the eCriminals: Interesting things lurking in APWG statistics Patrick Cain APWG We

Data Mining the eCriminals: Interesting things lurking in APWG statistics Patrick Cain APWG We

Data Mining the eCriminals: Interesting things lurking in APWG statistics Patrick Cain APWG We Publish Statistics Why Publish Stats? To gauge how bad (or good) things are And, were not trying to sell you something Vendor

628 views • 27 slides
The infrared regime of SU(2) with one adjoint Dirac Fermion Ed Bennett with Andreas

The infrared regime of SU(2) with one adjoint Dirac Fermion Ed Bennett with Andreas

The infrared regime of SU(2) with one adjoint Dirac Fermion Ed Bennett with Andreas Athenodorou, Georg Bergner, and Biagio Lucini Outline Introduction Motivation and background Chiral symmetry breaking Aims and predictions Results Phase

1.09k views • 70 slides
High Yield Screening Neurological Examination Mental Status Language: fluency, three-step command

High Yield Screening Neurological Examination Mental Status Language: fluency, three-step command

High Yield Screening Neurological Examination Mental Status Language: fluency, three-step command (comprehension), repetition Orientation and Attention: orientation to place and date, forward digit span Cranial Nerves Visual fields Eye

313 views • 3 slides

More recommend