cs412 software security
play

CS412 Software Security Mitigations Mathias Payer EPFL, Spring - PowerPoint PPT Presentation

Oct 05, 2022 •749 likes •1.34k views

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1 Mathias Payer CS412 Software Security Widely-adopted defense mechanisms Hundreds of

  1. CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security

  2. Model for Control-Flow Hijack Attacks Figure 1 Mathias Payer CS412 Software Security

  3. Widely-adopted defense mechanisms Hundreds of defense mechanisms were proposed. Only few mitigations were adopted. What factors increase chances of adoption? Mitigation of the most imminent problem. (Very) low performance overhead. Fits into the development cycle. Mathias Payer CS412 Software Security

  4. Attack vector: code injection Simplest form of code execution. Generally consists of two steps: Inject code somewhere into the process Redirect control-flow to injected code Mathias Payer CS412 Software Security

  5. Data Execution Prevention (DEP) ISAs (e.g., x86, ARM) did not distinguish between code and data. Any data in the process could be interpreted as code (code injection: an attacker redirects control-flow to a buffer that contains attacker-controlled data as shellcode). Defense assumption: if an attacker cannot inject code (as data), then a code execution attack is not possible. Mathias Payer CS412 Software Security

  6. DEP: process layout Figure 2 Mathias Payer CS412 Software Security

  7. DEP Page table extension, introduce NX-bit (No eXecute bit). Intel calls this per-page bit XD (eXecute Disable) AMD calls it Enhanced Virus Protection ARM calls it XN (eXecute Never). This is an additional bit for every mapped virtual page. If the bit is set, then data on that page cannot be interpreted as code and the processor will trap if control flow reaches that page. Mathias Payer CS412 Software Security

  8. Old school page table Figure 3 Mathias Payer CS412 Software Security

  9. Old school page table entry Bit Interpretation 0 (P) Present; must be 1 to map a 4-KB page 1 (R/W) Read/write; if 0, writes may not be allowed 2 (U/S) User/supervisor; if 0 access with CPL=3 not allowed 3 (PWT) Page-level write-through 4 (PCD) Page-level cache disable 5 (A) Accessed 6 (D) Dirty 7 (PAT) Page Attribute Table (PAT) indicator or reserved (0) 8 (G) Global 11:9 Ignored 31:12 Physical address of the 4-KB page According to Intel 64 and IA-32 manual 3A, Table 4-6. See, no distinction between code and data! Mathias Payer CS412 Software Security

  10. Physical Address Extension (PAE) page table Figure 4 Mathias Payer CS412 Software Security 3 RokerHRO, Wikimedia

  11. PAE page table entry Bit Interpretation 0 (P) Present; must be 1 to map a 4-KB page 1 (R/W) Read/write; if 0, writes may not be allowed 2 (U/S) User/supervisor; if 0 access with CPL=3 not allowed 3 (PWT) Page-level write-through 4 (PCD) Page-level cache disable 5 (A) Accessed 6 (D) Dirty 7 (PAT) Page Attribute Table (PAT) indicator or reserved (0) 8 (G) Global 11:9 Ignored (M-1):12 Physical address of the 4-KB page 62:M Reserved (0) 63 (XD) If IA32_EFER.NXE = 1, execute-disable if 1 According to Intel 64 and IA-32 manual 3A, Table 4-11. Mathias Payer CS412 Software Security

  12. x86-64 page table Figure 5 Mathias Payer CS412 Software Security (Intel Manual 3A, Table 4-8.)

  13. x86-64 page table entry Bit Interpretation 0 (P) Present; must be 1 to map a 4-KB page 1 (R/W) Read/write; if 0, writes may not be allowed 2 (U/S) User/supervisor; if 0 access with CPL=3 not allowed 3 (PWT) Page-level write-through 4 (PCD) Page-level cache disable 5 (A) Accessed 6 (D) Dirty 7 (PAT) Page Attribute Table (PAT) indicator or reserved (0) 8 (G) Global 11:9 Ignored (M-1):12 Physical address of the 4-KB page 51:M Reserved (0) 62:52 Ignored 63 (XD) If IA32_EFER.NXE = 1, execute-disable if 1 According to Intel 64 and IA-32 manual 3A, Table 4-19. Mathias Payer CS412 Software Security

  14. Alternate approaches Not all hardware supports PAE ExecShield by Ingo Molnar used code segment restrictions to limit code execution on x86 for Linux. OpenBSD’s WˆX follows the same idea. PaX, also for Linux, is ExecShield on steroids with significant remapping of code region (and may break applications). Mathias Payer CS412 Software Security

  15. DEP summary DEP is now enabled widely by default (whenever a hardware support is available such as for x86 and ARM) Stops all code injection. Check for DEP with checksec.sh DEP may be disabled through gcc flags: -z execstack Mathias Payer CS412 Software Security

  16. Attacks evolve: from code injection to reuse Did DEP solve all code execution attacks? Mathias Payer CS412 Software Security

  17. Attacks evolve: from code injection to reuse Did DEP solve all code execution attacks? Unfortunately not! Attacks got (much?) harder though. A code injection attack consists of two stages: 1 redirecting control flow to 2 injected code. DEP stops the second stage. Attackers can still redirect control flow to existing code Mathias Payer CS412 Software Security

  18. Code reuse The attacker can overwrite a code pointer (e.g., a function pointer, a return pointer on the stack, the vtable pointer to an array of code pointers of a C++ object, or an exception frame for C++) Prepare the right parameters on the stack, reuse a full function (or part of a function) Mathias Payer CS412 Software Security

  19. From Code Reuse to full ROP Instead of targeting a simple function, we can target a gadget. Gadgets are a sequence of instructions ending in an indirect control-flow transfer (e.g., return, indirect call, indirect jump) Prepare data and environment so that, e.g., pop instructions load data into registers A gadget invocation frame consists of a sequence of 0 to n data values and an pointer to the next gadget. The gadget uses the data values and transfers control to the next gadget Simple ROP tutorial Mathias Payer CS412 Software Security

  20. Understanding ROP: gadgets galore! ROPgadget --binary /bin/bash ROPGadget ... 0x00000000004fe8a9 : xor edi, esp ; call rsi 0x00000000004692ec : xor edx, edx ; jmp 0x4692dd 0x0000000000432960 : xor edx, edx ; mov dword ptr [rax + 8], 0x0000000000460b61 : xor edx, edx ; mov esi, r13d ; call 0x46ce57 0x000000000047bbc0 : xor edx, edx ; test esi, esi ; sete dl 0x00000000004ea831 : xor esi, ebp ; call qword ptr [rbx] 0x00000000004747ee : xor esi, esi ; call 0x470a94 0x00000000004ee0b9 : xor esi, esi ; call qword ptr [rax] 0x00000000004caa49 : xor esi, esi ; call qword ptr [rdi] 0x0000000000485634 : xor esi, esi ; sub rsp, 8 ; call 0x4318b8 0x00000000004c890d : xor esp, dword ptr [rax + rax] ; ret 0x00000000004b3920 : xor esp, esp ; call 0x47ef29 Unique gadgets found: 11699 Mathias Payer CS412 Software Security

  21. Understanding ROP: shellcode translation Shellcode can generally be translated to ROP sequences xor eax , eax xor ebx , ebx inc eax int $0x80 Find gadgets for each instruction: xor eax , eax ; ret xor ebx , ebx ; ret inc eax ; ret int $0x80 Overwrite the stack with these addresses so that they are called in sequence. Mathias Payer CS412 Software Security

  22. Understanding ROP: stack pivots Often, a buffer overflow allows only control of one single RIP Idea: overwrite RIP and stack pointer, relocate to some area controlled by the attacker Search for esp gadgets, e.g., add esp, 0x40c; ret Mathias Payer CS412 Software Security

  23. How to stop code reuse? Enforce control-flow integrity? Mathias Payer CS412 Software Security

  24. How to stop code reuse? Enforce control-flow integrity? Nah, that’s too easy! (hard?) Mathias Payer CS412 Software Security

  25. Address Space Randomization (ASR) Successful control-flow hijack attacks depend on the attacker overwriting a code pointer with a known alternate target. ASR changes (randomizes) the process memory layout. If the attacker does not know where a piece of code (or data) is, then it cannot be reused in an attack. Attacker must first learn or recover the address layout. Mathias Payer CS412 Software Security

  26. ASR effectiveness The security improvement of ASR depends on (i) the entropy available for each randomized location, (ii) the completeness of randomization (i.e., are all objects randomized), and (iii) the absence of any information leaks. Mathias Payer CS412 Software Security

  27. Candidates for randomization Trade-off between overhead, complexity, and security benefit. Randomize start of heap Randomize start of stack Randomize start of code (PIE for executable, PIC each library) Randomize mmap allocated regions Randomize individual allocations (malloc) Randomize the code itself, e.g., gap between functions, order of functions, basic blocks, . . . Randomize members of structs, e.g., padding, order. Different forms of fine-grained randomization exist. Software diversity is a related concept. Mathias Payer CS412 Software Security

  28. Address Space Layout Randomization (ASLR) ASLR is a practical form of ASR ASLR focuses on blocks of memory Heap, stack, code, executable, mmap regions ASLR is inherently page-based Mathias Payer CS412 Software Security

  29. ASLR entropy Entropy of each section is key to security (if all sections are randomized). Attacker follows path of least resistance, i.e., targets the object with the lowest entropy. Early ASLR implementations had low entropy on the stack and no entropy on x86 for the main executable (non-PIE executables). Linux (through Exec Shield) uses 19 bits of entropy for the stack (on 16 byte period) and 8 bits of mmap entropy (on 4096 byte period). Mathias Payer CS412 Software Security

  30. ASLR changes to the address space Figure 6 Mathias Payer CS412 Software Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a

532 views • 41 slides
CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Basic Principles Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software Security Allow intended use of software, prevent unintended use that may cause harm. Mathias Payer CS412 Software

735 views • 36 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS412 Software Security Advanced mitigations Stack integrity

298 views • 26 slides
CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Mobile computing You are tasked in developing a mobile computing system. What features do you need? How do you ensure device

383 views • 24 slides
CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Attack Vectors Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Exploitation: Disclaimer This section introduces software exploitation We will discuss both basic and advanced exploitation

831 views • 48 slides
CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python: hex(int('00111000', 2))

696 views • 54 slides
CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Software Bugs Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security From Software Bugs to Attack Primitives Attack primitives are exploit building blocks Software bugs map to attack primitives , i.e.,

512 views • 23 slides
CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias

CS412 Software Security Program Testing Fuzzing Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

657 views • 39 slides
CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019

CS412 Software Security Program Testing Sanitization Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between

503 views • 28 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University http://hexhive.github.io 1 Defense: Testing vs. Mitigations Software Testing Mitigations Discover bugs Stop exploitation Development tool Always

586 views • 44 slides
Linking 15-213: Introduc;on to Computer Systems 13 th Lecture,

Linking 15-213: Introduc;on to Computer Systems 13 th Lecture,

Carnegie Mellon Linking 15-213: Introduc;on to Computer Systems 13 th Lecture, Oct. 13, 2015 Instructors: Randal E. Bryant and David R. OHallaron 1

643 views • 49 slides
Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to assembly programing Introduction to Y86 Y86 instructions, encoding and execution 2 Assembly The CPU uses machine language to perform all its

1.06k views • 48 slides
Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche

Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche

Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche Universitt Siegen Siegen, August 31, 2017 Sebastian Gutsche (Siegen) Constructive Categories August 31, 2017 1 / 23 Outline Constructive category

2.3k views • 190 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Feb. 3, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Feb. 3, 2002) I E S R C E O

Systems Design & Programming OS Essentials CMPE 310 Processes and Tasks What comprises the state of a running program (a process or task)? DRAM Address bus Microprocessor OS code Control and data special caches Data bus code/data

543 views • 17 slides
Distributed Mobility Management Protocol for WiFi Users in Fixed Network Behcet

Distributed Mobility Management Protocol for WiFi Users in Fixed Network Behcet

Distributed Mobility Management Protocol for WiFi Users in Fixed Network Behcet Sarikaya(sarikaya@ieee.org) Li Xue (xueliucb@gmail.com) IETF 95 draft-sarikaya-dmm-for-wifi-04 1 DMM for WiFi i2rs Client Netconf i2rs Agent OpenFlow 2

733 views • 6 slides
www-flash.stanford.edu

www-flash.stanford.edu

www-flash.stanford.edu

538 views • 21 slides
JAVASCRIPT PROGRAMMING Functions Examples Homework assignment

JAVASCRIPT PROGRAMMING Functions Examples Homework assignment

Assignment statements Variables JAVASCRIPT PROGRAMMING Functions Examples Homework assignment denisesd@email.sc.edu JavaScript equal sign stands for the assignment operator: left hand right hand = ASSIGNMENT

579 views • 16 slides

More recommend