cs527 software security
play

CS527 Software Security Advanced Mitigations Mathias Payer Purdue - PowerPoint PPT Presentation

Jul 26, 2023 •226 likes •504 views

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS527 Software Security Advanced mitigations

  1. CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security

  2. Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS527 Software Security

  3. Advanced mitigations Stack integrity Control-Flow Integrity (CFI) Code Pointer Integrity Sandboxing Mathias Payer CS527 Software Security

  4. Stack integrity Stack integrity ensures that (i) the return instruction pointer and (ii) the stack base pointer cannot be modified (Note that modifying the base pointer indirectly modifies the return instruction pointer) Stack canaries are a weak form of stack integrity Shadow stacks are a strong form of stack integrity Mathias Payer CS527 Software Security

  5. Shadow stack A shadow stack is a second stack for each thread that keeps track of control data (e.g., return instruction pointer, base pointer, or code pointers) Note that not all implementations protect all types of data Data on the shadow stack is integrity protected Implicitly: as the shadow stack contains only control data, buffer overflows are not possible Explicitly: some shadow stacks are write protected How would you implement shadow stacks? Discuss! Mathias Payer CS527 Software Security

  6. Shadow stack Figure 2: Mathias Payer CS527 Software Security

  7. Safe stack A shadow stack always keeps two allocated stack frames for each function invocation (maybe of different size) Core idea: for each variable in a stack frame decide if its safe Variables are safe if they are only used in a safe context, i.e., they don’t escape the current function and are only used with bounded pointer arithmetic Push any unsafe variables to the unsafe stack Performance benefit: an unsafe stack frame is only allocated for if there are unsafe variables Mathias Payer CS527 Software Security

  8. Safe stack Figure 3: Mathias Payer CS527 Software Security

  9. Control-Flow Integrity CFI is a defense mechanism that protects applications against control-flow hijack attacks. A successful CFI mechanism ensures that the control-flow of the application never leaves the predetermined, valid control-flow that is defined at the source code/application level. This means that an attacker cannot redirect control-flow to alternate or new locations. Figure 4: Mathias Payer CS527 Software Security

  10. Basics of a CFI mechanism Core idea: restrict the dynamic control flow of the application to the control-flow graph of the application. Target set construction Dynamic enforcement mechanism to execute runtime checks Mathias Payer CS527 Software Security

  11. CFI: target set construction How do we infer the control-flow graph (for C/C++ programs)? A static analysis (on source code or binary) can recover an approximation of the control-flow graph. Precision of the analysis is crucial! Valid functions Arity Function prototypes Class hierarchy analysis Mathias Payer CS527 Software Security

  12. CFI: target set construction Trade-off between precision and compatibility. One set of valid functions is highly compatible with other software but may result in imprecision given the large amount of functions. Class hierarchy analysis results in small sets but may be incompatible with other source code and some programmer patterns (e.g., casting to void or not passing all parameters). Mathias Payer CS527 Software Security

  13. CFI: target set construction trade-offs Microsoft chose compatibility over security. LLVM chose security over compatibility. Discuss trade-offs. Mathias Payer CS527 Software Security

  14. CFI: runtime checks The analysis produces target sets for each location of an indirect control-flow transfer. The runtime check leverages the runtime value and the target set to execute a set check. The most efficient implementation uses a set of bit masks. void (*fn)(int) = &func; ... if (!contains(targetset, fn)) { abort("Error: illegal target"); } fn(12); Note that the check and dispatch are atomic as otherwise, this would result in a TOCTTOU vulnerability. Mathias Payer CS527 Software Security

  15. CFI: limitations CFI allows the underlying bug to fire and the memory corruption can be controlled by the attacker. The defense only detects the deviation after the fact, i.e., when a corrupted pointer is used in the program. Over-approximation in the static analysis reduces security guarantees What kind of attacks are possible? An attacker is free to modify the outcome of any JCC An attacker can choose any allowed target at each ICF location For return instructions: one set of return targets is too broad and even localized return sets are too broad for most cases. For indirect calls and jumps, attacks like COOP (Counterfeit Object Oriented Programming) have shown that full functions can be used as gadgets. Mathias Payer CS527 Software Security

  16. Code-Pointer Integrity Memory corruption is abundant. Strong memory-safety-based defenses have not been adopted. Weaker defenses like strong memory allocators also ignored. Only defenses that have negligible overhead are adapted. What if we can have memory safety but only where it matters? Assume we want to protect applications against control-flow hijacking attacks. What data must be protected? Code Pointer Integrity (CPI) ensures that all code pointers are protected at all times Mathias Payer CS527 Software Security

  17. CPI attacker model Attacker can read data, code (includes stack, bss, data, text, heap) Attacker can write data. Attacker cannot modify code Attacker cannot influence the loading process (This is true for most mitigations) Mathias Payer CS527 Software Security

  18. Existing memory safety solutions SoftBound+CETS 116% overhead, only partial support for SPEC CPU2006 CCured: 56% overhead AddressSanitizer: 73% overhead, only partial memory safety (probabilistic spatial) CPI targets protection of subset of data Mathias Payer CS527 Software Security

  19. Checks enforce memory safety! char *buf = malloc(10); // instr: track bounds buf_lo = p; buf_up = p+10; ... char *q = buf + input; // instr: track bounds q_lo = buf_lo; q_up = buf_up; // instr: check bounds if (q < q_lo || q >= q_up) abort(); *q = input2; ... (*func_ptr)(); Checks focus on all data, how can we protect integrity of only code pointers? Mathias Payer CS527 Software Security

  20. Paradigm shift: protect select data Instead of protecting everything a little protect a little completely. Strong protection for a select subset of data. Attacker may modify any unprotected data. By only protecting code pointers, CPI reduces the overhead of memory safety from 116% to 8.4% while still deterministically protecting applications against control-flow hijack attacks. Mathias Payer CS527 Software Security

  21. What data must be protected? Sensitive pointers are code pointers and pointers used to access sensitive pointers We can over-approximate and identify sensitive pointer through their types: all types of sensitive pointers are sensitive Over approximation only affects performance Mathias Payer CS527 Software Security

  22. Memory layout Figure 5: Mathias Payer CS527 Software Security

  23. Memory layout Memory view is split into two views: control and data plane The control plane is a view that only contains code pointers (and transitively all related pointers) The data plane contains only data, code pointers are left empty (void/unused data) The two planes must be separated and data in the control plane must be protected from pointer dereferences in the data plane Mathias Payer CS527 Software Security

  24. Sandboxing Different levels of granularity for sandboxing: Kernel isolates process memory chroot / containers isolate processes from each other seccomp restricts processes from interacting with the kernel Software-based Fault Isolation isolated components in a process Mathias Payer CS527 Software Security

  25. Software-based Fault Isolation (SFI) Application and untrusted code run in the same address space The untrusted code may only read/write the untrusted data segment. How do you implement such a restriction? Segmentation (on x86) Mask memory area: and $0x00ffffff, %rax; mov $0xc0fe0000, (%rax) Challenge for CISC ISAs: jumping to unalaigned instructions: mov $0x80cd01b0, (%rax) contains mov $1, %al; int $0x80 Google’s NaCL solves the challenge by aligning instructions Mathias Payer CS527 Software Security

  26. Summary and conclusion Adopted defenses do not stop all attacks Control-flow hijacking is the most versatile attack vector Stack integrity protects code pointers on the stack CFI restricts targets on the forward edge CPI prohibits control-flow hijacking, key insight: enforce memory safety only for code pointers Sandboxing separates different privilege domains Mathias Payer CS527 Software Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security About me Instructor: Mathias Payer Research area: system/software security Memory/type safety Mitigating control-flow

460 views • 25 slides
CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Basic Principles Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software Security Allow inteded use of software, prevent unintended use that may cause harm. Mathias Payer CS527

470 views • 25 slides
CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python:

710 views • 49 slides
CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Mobile Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Android statistics 1.4 billion users (1) Android generates $31 billion revenue (2) 4,000+ different devices (1)

157 views • 11 slides
CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Attack Vectors Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Exploitation: Disclaimer This section focuses software exploitation We will discuss both basic and advanced

860 views • 49 slides
CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias

CS527 Software Security Program Testing Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Why testing? Testing is the process of executing a program to find errors. An error is a deviation between observed

391 views • 38 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
Procedures and Call Stacks How do I pass arguments to

Procedures and Call Stacks How do I pass arguments to

University of Washington Procedures and Call Stacks How do I pass arguments to a procedure? How do I get a return value from a procedure?

652 views • 38 slides
Abstract Machines What is an abstract machine? - a set of legal states final and initial

Abstract Machines What is an abstract machine? - a set of legal states final and initial

Concepts of Program Design Abstract Machines Gabriele Keller Ron Vanderfeesten Abstract Machines What is an abstract machine? - a set of legal states final and initial states as subset - A set of instructions altering the state of the

334 views • 31 slides
trst t tt tr

trst t tt tr

trst t tt tr trst t tr rtst t r

792 views • 42 slides
Controllability A system is said to be controllable if it is possible to bring the system from any

Controllability A system is said to be controllable if it is possible to bring the system from any

STADIUS - Center for Dynamical Systems, Signal Processing and Data Analytics Controllability A system is said to be controllable if it is possible to bring the system from any initial state to any desired state in a finite time. Condition

260 views • 10 slides
Xen Summit 8 September, 2006 Xen Management API and Control Stack Ewan Mellor

Xen Summit 8 September, 2006 Xen Management API and Control Stack Ewan Mellor

Xen Summit 8 September, 2006 Xen Management API and Control Stack Ewan Mellor ewan@xensource.com Xen Management Architecture Cluster-wide Integration The aim is to integrate Xen-based systems with enterprise-level cluster management

205 views • 19 slides
Stack-based and History-based Access Control for Secure Information Flow Anindya Banerjee and

Stack-based and History-based Access Control for Secure Information Flow Anindya Banerjee and

Stack-based and History-based Access Control for Secure Information Flow Anindya Banerjee and David A. Naumann ab@cis.ksu.edu, naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology CASSIS Workshop 2004-03-11 /

480 views • 29 slides
Midterm #2 Review February 25, 2013 1 / 11 I will provide . . . a list of relevant

Midterm #2 Review February 25, 2013 1 / 11 I will provide . . . a list of relevant

Midterm #2 Review February 25, 2013 1 / 11 I will provide . . . a list of relevant instructions for assembly problems just the keywords and the names! you should know the difference between (and how to use) add , addi , sub ,

688 views • 11 slides
CS 103 Lecture 3 Slides Control Structures Mark Redekopp 2 Announcements Lab 2 Due

CS 103 Lecture 3 Slides Control Structures Mark Redekopp 2 Announcements Lab 2 Due

1 CS 103 Lecture 3 Slides Control Structures Mark Redekopp 2 Announcements Lab 2 Due Friday 3 Review Write a program to ask the user to enter two integers representing hours then minutes. Output the equivalent number of

762 views • 72 slides

More recommend