data is flowing in the wind a review of data flow
play

Data is Flowing in the Wind: A Review of Data-Flow Integrity - PowerPoint PPT Presentation

Jan 10, 2023 •226 likes •961 views

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program

  1. Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Díez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es

  2. Rationale

  3. Rationale Program Control-Data Defences for Control-Data

  4. Rationale Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  5. Rationale Maybe I should switch to attack non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  6. Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  7. Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Non-Control-Data Attacks Are Realistic Threats. Chen et al. Usenix Sec’05 Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  8. Control Data VS Non-Control-Data Attacks

  9. Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program

  10. Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program

  11. Control Data VS Non-Control-Data Attacks Code reuse Code injection Control-Data Attacks Modify the control-flow of a program

  12. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Modify the control-flow of a program

  13. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  14. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  15. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  16. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data What data do they target? Code injection → decision making data, user input etc. Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  17. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15

  18. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data

  19. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data Passwords & private System call Randomised values keys parameters

  20. A sample non-control-data attack

  21. A sample non-control-data attack struct passwd { uid_t pw_uid; ... } *pw; ... int uid = getuid(); pw->pq_uid = uid; // save current uid // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15

  22. A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15

  23. A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } Circumvents Control Flow Integrity? From wu-ftpd web server. Hu et al. Usenix Sec’15

  24. Data-Flow Stitching Hu et al. Usenix Sec’15

  25. Data-Flow Stitching Hu et al. Usenix Sec’15 s truct passwd { uid_t pw_uid; ... } *pw; … int uid = getuid(); pw->pq_uid = uid; // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  26. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  27. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  28. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  29. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  30. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw … seteuid(pw->pw_uid); } &uid Stack address of seteuid’s arg time

  31. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time

  32. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time

  33. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack 0 address of seteuid’s arg time

  34. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time

  35. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time

  36. Data-Oriented Programming (DOP) Hu et al. Oakland’16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

15 min interval data- shows flow of water to end use 15 min interval data- shows tank top up

15 min interval data- shows flow of water to end use 15 min interval data- shows tank top up

15 min interval data- shows flow of water to end use 15 min interval data- shows tank top up only Base flow represents the constant underlying flow of water. Meaning the water that is always flowing through the pipes at any given time, even

855 views • 25 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Modelling Wind Farm Data and the Short Term Prediction of Wind Speeds An Investigation into Wind

Modelling Wind Farm Data and the Short Term Prediction of Wind Speeds An Investigation into Wind

Data Considerations Current Techniques and Models Data Investigation Conclusion Modelling Wind Farm Data and the Short Term Prediction of Wind Speeds An Investigation into Wind Speed Data Sets Erin Mitchell Lancaster University 6th April

702 views • 29 slides
WWU WIND FEED Software System Review The WWU Wind Feed is a tool to deliver wind information to

WWU WIND FEED Software System Review The WWU Wind Feed is a tool to deliver wind information to

WWU WIND FEED Software System Review The WWU Wind Feed is a tool to deliver wind information to users of the WWU boathouse on Lake Whatcom. Summary The system will collect wind speed data and upload it to the Internet at regular intervals.

89 views • 8 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Update WSWC Spring 2015 Meeting Tulsa, Oklahoma April 16, 2015 Progress Three states flowing

Update WSWC Spring 2015 Meeting Tulsa, Oklahoma April 16, 2015 Progress Three states flowing

Water Data Exchange (WaDE) Update WSWC Spring 2015 Meeting Tulsa, Oklahoma April 16, 2015 Progress Three states flowing data Three states flowing data Can anybody say beta?! Utah, Wyoming, and Colorado - WGA assistance thank you!

574 views • 5 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
CS293S Iterative Data-Flow Analysis Yufei Ding Review: Computing Available Expressions The Big

CS293S Iterative Data-Flow Analysis Yufei Ding Review: Computing Available Expressions The Big

CS293S Iterative Data-Flow Analysis Yufei Ding Review: Computing Available Expressions The Big Picture 1. Build a control-flow graph 2. Gather the initial data: DEE XPR (b) & E XPR K ILL (b) 3. Propagate information around the graph,

477 views • 37 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous Data Flow (SDF) graphs refer to systems where the number of tokens consumed and produced per actor firing is fixed and constant The term synchronous

734 views • 17 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
Flowing for Debaters and Coaches Connecticut Middle School Debate League Sample Flow: General

Flowing for Debaters and Coaches Connecticut Middle School Debate League Sample Flow: General

Flowing for Debaters and Coaches Connecticut Middle School Debate League Sample Flow: General Flowing Tips 1. Keep taglines, warrants, evidence, and impacts on separate lines. a. This allows you to connect responses to specific pieces of

308 views • 7 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why

Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why

Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why Consider Data Flow? Control Flow: Statement and branch coverage criteria are weak. Condition coverage and path coverage are more costly and

831 views • 20 slides
Chasing the wind: Ground-based Wind Field Construction from Mode-S and ADS-B Data with a Novel

Chasing the wind: Ground-based Wind Field Construction from Mode-S and ADS-B Data with a Novel

Chasing the wind: Ground-based Wind Field Construction from Mode-S and ADS-B Data with a Novel Gas Particle Model Junzi Sun, Huy Vu, Joost Ellerbroek, Jacco Hoekstra Control and Simulation, Faculty of Aerospace Engineering Delft University of

550 views • 26 slides
Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in

Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in

Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in data set dissemination Erik Quaeghebeur Wind Energy Group Delft University of Technology OEEC 2017 EUROS for wind energy 11 October 2017

750 views • 27 slides
Geometric flows and gravitational instantons Marios Petropoulos CPHT Ecole Polytechnique

Geometric flows and gravitational instantons Marios Petropoulos CPHT Ecole Polytechnique

Geometric flows and gravitational instantons Marios Petropoulos CPHT Ecole Polytechnique CNRS Galileo Galilei Institute for Theoretical Physics AdS 4 /CFT 3 and the Holographic States of Matter October 2010 Highlights Motivations

935 views • 38 slides
rts qts s ss

rts qts s ss

rts qts s qt ss qt rts qts s

296 views • 28 slides
Sea rch Analysis and Integration of W eb Do cuments A Case Study with FLORID

Sea rch Analysis and Integration of W eb Do cuments A Case Study with FLORID

Sea rch Analysis and Integration of W eb Do cuments A Case Study with FLORID Rainer Himmer oder P aulTh Kandzia Bertram Lud ascher W olfgang Ma y Geo rg Lausen Institut f ur Info

315 views • 14 slides
The hydro-geologic nature of a major The hydro-geologic nature of a major microseismic structure

The hydro-geologic nature of a major The hydro-geologic nature of a major microseismic structure

The hydro-geologic nature of a major The hydro-geologic nature of a major microseismic structure developed during structure developed during microseismic the 1993 stimulation of GPK1 using high- the 1993 stimulation of GPK1 using high-

610 views • 12 slides
Vattenfalls Vattenfalls Schwarze Schwarze Pumpe Schwarze Schwarze Pumpe Pumpe

Vattenfalls Vattenfalls Schwarze Schwarze Pumpe Schwarze Schwarze Pumpe Pumpe

Plenary Session 01: Plenary Session 01: Plenary Session 01: Plenary Session 01: Vattenfalls Vattenfalls Schwarze Schwarze Pumpe Schwarze Schwarze Pumpe Pumpe Experience Pumpe Experience Experience Experience Moderated by: Prof.

256 views • 4 slides
Simulating signaling pathways: the motile photoresponse of H. salinarum as a case study Claudio

Simulating signaling pathways: the motile photoresponse of H. salinarum as a case study Claudio

Why signaling pathways? The approach Why Halobacterium salinarum The models Results Simulating signaling pathways: the motile photoresponse of H. salinarum as a case study Claudio Felicioli BITS 2009 Genova March 18-20 Claudio

626 views • 23 slides
Outline Motivation Seeing the Forest and the Why current placement tools are outdated

Outline Motivation Seeing the Forest and the Why current placement tools are outdated

Outline Motivation Seeing the Forest and the Why current placement tools are outdated Trees: Steiner Wirelength Analysis of placement objectives Optimization in Placement A nave attempt at optimization Our placement

219 views • 8 slides
Matthew Series Lesson #069 March 8, 2015 Dean Bible Ministries www.deanbibleministries.org

Matthew Series Lesson #069 March 8, 2015 Dean Bible Ministries www.deanbibleministries.org

Matthew Series Lesson #069 March 8, 2015 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Reaction, Rejection, Condemnation Matthew 11:1119 Matt. 4:17, From that time Jesus began to preach and to say,

1.04k views • 14 slides

More recommend