cse543 introduction to computer and network security

CSE543 - Introduction to Computer and Network Security Module: - PowerPoint PPT Presentation

Dec 14, 2022 •159 likes •524 views

  1. �������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 CSE543 - Introduction to Computer and Network Security Page

  2. Anatomy of Control-Flow Exploits • Two steps in control-flow exploitation • First -- attacker gets control of program flow (return address) Stack (buffer), heap, format string vulnerability ‣ • Second -- attacker uses control of program flow to launch attacks Code injection ‣ Defense: NX, W (xor) X • return-to-libc ‣ Defense: remove unwanted functions (e.g., system) • How to overcome these limitations??? ‣ Return-oriented programming • 30 CSE543 - Introduction to Computer and Network Security Page

  3. Return-Oriented Programming • Arbitrary exploitation without code injection or whole-function reuse (return-to-libc) 31 CSE543 - Introduction to Computer and Network Security Page

  4. Return-Oriented Programming 32 CSE543 - Introduction to Computer and Network Security Page

  5. ROP Thesis 33 CSE543 - Introduction to Computer and Network Security Page

  6. Return-to-libc 34 CSE543 - Introduction to Computer and Network Security Page

  7. ROP vs return-to-libc 35 CSE543 - Introduction to Computer and Network Security Page

  8. ROP Attacks 36 CSE543 - Introduction to Computer and Network Security Page

  9. Machine Instructions 37 CSE543 - Introduction to Computer and Network Security Page

  10. ROP Execution 38 CSE543 - Introduction to Computer and Network Security Page

  11. Building ROP Functionality 39 CSE543 - Introduction to Computer and Network Security Page

  12. Building ROP Functionality 40 CSE543 - Introduction to Computer and Network Security Page

  13. Building ROP Functionality 41 CSE543 - Introduction to Computer and Network Security Page

  14. Creating Programs 42 CSE543 - Introduction to Computer and Network Security Page

  15. Finding Gadgets 43 CSE543 - Introduction to Computer and Network Security Page

  16. ROP Conclusions 44 CSE543 - Introduction to Computer and Network Security Page

  17. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 0x8048000$= %ebx$=

  18. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 0x8048000$= %ebx$=

  19. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 0x8048000$= %ebx$=

  20. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$=

  21. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$=

  22. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$= 0x8048000

  23. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= %ebx$= 0x8048000

  24. ROP$Example • Use$ESP$as$program$counter – E.g.,$Store$5$at$address$0x8048000$(without$introducing$ new$code) Code Stack pop$%eax G1 Return Address ret 5 pop$%eax jmp G2 ret buf 0x8048000 movl$%eax,$(%ebx) ret jump G3 . . . Memory Registers %eax$= 5 0x8048000$= 5 %ebx$= 0x8048000

  25. Advanced Defenses • Control-flow attack defenses operate at two stages Prevent attacker from getting control ‣ StackGuard, heap sanity checks, ASLR, shadow stacks, ... • Prevent attacker from using control for malice ‣ NX, W (xor) X, ASLR, Control Flow Integrity (CFI), ... • • For maximum security, a system should use a combination of these defenses • Q. Is subverting control-flow the only goal of an attacker? 47 CSE543 - Introduction to Computer and Network Security Page

  26. Control-Flow Integrity • Goal: Ensure that process control follows source code Adversary can only choose authorized control-flow ‣ sequences • Build a model from source code that describes control flow E.g., control-flow graph ‣ • Enforce the model on program execution Instrument control-flow code ‣ Jumps, calls, returns, ... • • Challenges Building accurate model ‣ Efficient enforcement ‣ 48 CSE543 - Introduction to Computer and Network Security Page

  27. Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi 49

  28. Our Mechanism F A F B nop IMM 1 if(*fp != nop IMM 1 ) halt if(**esp != nop IMM 2 ) halt call fp return nop IMM 2 CFG excerpt B 1 A call NB: Need to ensure bit patterns for nops B ret A call+1 appear nowhere else in code memory 50

  29. More Complex CFGs CFG excerpt Maybe statically all we know is that F A can call any int int function B 1 A call F A C 1 succ(A call ) = {B 1 , C 1 } F B nop IMM 1 if(*fp != nop IMM 1 ) halt call fp F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 51

  30. Imprecise Return Information Q: What if F B can return CFG excerpt F A to many functions ? A call+1 A: Imprecise CFG B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 CFG Integrity: F D if(**esp != nop IMM 2 ) halt Changes to the return PC are only to valid successor call F B PCs, per succ(). nop IMM 2 52

  31. No “Zig-Zag” Imprecision Solution I: Allow the imprecision Solution II: Duplicate code to remove zig-zags CFG excerpt CFG excerpt B 1 B 1 A call A call C 1 C 1A E call E call C 1E 53

  32. More Challenges • Returns used as jumps E.g., signal handling ‣ • Exceptions • Runtime generation of indirect jumps E.g., dynamic shared libraries ‣ • Indirect jumps using arithmetic operators E.g., assembly ‣ • Take away: CFI is a principled approach to stop control flow attacks, but challenges remain 54 CSE543 - Introduction to Computer and Network Security Page

  33. ASLR • For control-flow attacks, attacker needs absolute addresses Stack ??? • Address-space Layout Randomization (ASLR) randomizes base addresses of memory segments on each invocation of the program ‣ Attacker cannot predict absolute ??? Heap addresses • Heap, stack, data, text, mmap, ... ??? Data ??? Text 55 CSE543 - Introduction to Computer and Network Security Page

  34. ASLR Implementations Linux • Introduced in Linux 2.6.12 (June 2005) ‣ Shacham et al. [2004]:16 bits of randomization defeated by a (remote) ‣ brute force attack in minutes Reality: ASLR for text segment (PIE) is rarely used ‣ Only few programs in Linux use PIE • Enough gadgets for ROP can be found in unrandomized code [Schwartz 2011] • Windows • Introduced from Vista onwards (Jan 2007) ‣ Reality: Only few programs opt in for ASLR ‣ E.g., Oracle’s Java JRE, Adobe Reader, Mozilla Firefox, and Apple Quicktime (or • one of their libraries) are not marked ASLR-compatible ASLR can be bypassed by information leaks about memory layout • E.g., format string vulnerabilities ‣ 56 CSE543 - Introduction to Computer and Network Security Page

  35. Conclusion • Defense against control-flow and data attacks is an ongoing arms race • Principled approaches such as CFI and ASLR are promising Significantly raised bar for attackers ‣ However, they have implementation limitations ‣ Active area of research ‣ 57 CSE543 - Introduction to Computer and Network Security Page

Recommend

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall 204 1 CSE543 - Introduction to Computer and Network Security Page Networking Fundamentally about transmitting information between two (or more)

636 views • 47 slides
CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06 CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger 1 Midterm Grades 85-100 -- A

1.41k views • 26 slides
CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger 1 Denial of Service Intentional

406 views • 18 slides
CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL:

CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL:

CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 OS Security An secure OS should provide the

873 views • 28 slides
DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

860 views • 71 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL:

CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL:

CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mandatory Access Control Is about administration

462 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

644 views • 36 slides
CSE 543 - Computer Security (Fall 2007) Lecture 1 - Introduction Professor: Trent Jaeger URL:

CSE 543 - Computer Security (Fall 2007) Lecture 1 - Introduction Professor: Trent Jaeger URL:

CSE 543 - Computer Security (Fall 2007) Lecture 1 - Introduction Professor: Trent Jaeger URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Some bedtime stories

534 views • 24 slides
CSE 543 - Computer Security Lecture 2 - Introduction August 30, 2007 URL:

CSE 543 - Computer Security Lecture 2 - Introduction August 30, 2007 URL:

CSE 543 - Computer Security Lecture 2 - Introduction August 30, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 A historical moment Mary Queen of Scots is

631 views • 29 slides
CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07 CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Midterm Grades (High is 83) 77-94 -- A (4)

930 views • 29 slides
CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Denial of Service Intentional prevention

663 views • 25 slides
CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL:

CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL:

CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Hash Algorithms Hash algorithm

358 views • 22 slides
CSE 543 - Computer Security Lecture 14 - Access Control October 11, 2007 URL:

CSE 543 - Computer Security Lecture 14 - Access Control October 11, 2007 URL:

CSE 543 - Computer Security Lecture 14 - Access Control October 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Access Control System Protection Domain

663 views • 25 slides
CSE 543 - Computer Security Lecture 27 - Wrapup December 13, 2007 URL:

CSE 543 - Computer Security Lecture 27 - Wrapup December 13, 2007 URL:

CSE 543 - Computer Security Lecture 27 - Wrapup December 13, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Final Tuesday, December 18, 8:00am-9:50am in 102

167 views • 12 slides
CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007 URL:

CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007 URL:

CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Data Encryption Standard (DES) Introduced by the

384 views • 17 slides
Programming Mesh Decomposition: Basic Concepts and Decomposition Algorithms David Henty EPCC,

Programming Mesh Decomposition: Basic Concepts and Decomposition Algorithms David Henty EPCC,

Advanced Parallel Programming Mesh Decomposition: Basic Concepts and Decomposition Algorithms David Henty EPCC, University of Edinburgh d.henty@epcc.ed.ac.uk Structured Meshes Many problems can be solved on a regular grid eg Game of

868 views • 43 slides
MultiScalar Your questions How does register allocation work? How bad is latency to and

MultiScalar Your questions How does register allocation work? How bad is latency to and

MultiScalar Your questions How does register allocation work? How bad is latency to and from the ARB? How scalable is the ARB? The quest for parallelism Single threads have a little bit of ILP We want MORE! Multithreaded

344 views • 15 slides
A Practical Construction for Decomposing Numerical Abstract Domains Gagandeep Singh Markus

A Practical Construction for Decomposing Numerical Abstract Domains Gagandeep Singh Markus

A Practical Construction for Decomposing Numerical Abstract Domains Gagandeep Singh Markus Pschel Martin Vechev Department of Computer Science 1 Numerical abstract domains ( ) Cost and Numerical Domain

572 views • 19 slides
Algorithms for Graphs of Bounded Treewidth Made by Moshe Sebag CS department, Technion The

Algorithms for Graphs of Bounded Treewidth Made by Moshe Sebag CS department, Technion The

Algorithms for Graphs of Bounded Treewidth Made by Moshe Sebag CS department, Technion The material for all parts of this lecture appears in Chapter 7 of the book "Parameterized Algorithms", by Cygan et al. Table of Content Into:

661 views • 54 slides
Chapter 2 Processes and Threads 2.1 Processes 2.2 Threads 2.3 Interprocess communication 2.4

Chapter 2 Processes and Threads 2.1 Processes 2.2 Threads 2.3 Interprocess communication 2.4

Chapter 2 Processes and Threads 2.1 Processes 2.2 Threads 2.3 Interprocess communication 2.4 Classical IPC problems 2.5 Scheduling Processes The Process Model One program counter Four program counters Process A switch D Process

834 views • 56 slides
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23,

CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23,

CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the deadline you have to send me an

683 views • 44 slides
Signals and Jumps CSAPP2e, Chapter 8 Recall: Running a New Program int execl(char *path, char

Signals and Jumps CSAPP2e, Chapter 8 Recall: Running a New Program int execl(char *path, char

Signals and Jumps CSAPP2e, Chapter 8 Recall: Running a New Program int execl(char *path, char *arg0, , char *argn, char *null) Loads & runs executable: path is the complete path of an executable arg0 becomes the name of the

810 views • 43 slides
Threaded Programming Lecture 1: Concepts Overview Shared memory systems Basic Concepts

Threaded Programming Lecture 1: Concepts Overview Shared memory systems Basic Concepts

Threaded Programming Lecture 1: Concepts Overview Shared memory systems Basic Concepts in Threaded Programming 2 Shared memory systems Threaded programming is most often used on shared memory parallel computers. A shared memory

319 views • 15 slides

More recommend