data oriented programming
play

Data-Oriented Programming On the Expressiveness of Non-Control Data - PowerPoint PPT Presentation

Jan 08, 2023 •275 likes •1.32k views

Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu , Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang Department of Computer Science National University of Singapore Control

  1. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list heap next prop next prop 27

  2. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list heap next prop next prop 28

  3. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list heap next prop next prop 29

  4. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list heap next prop next prop 30

  5. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max cur_ total typ max addend list heap next prop next prop 31

  6. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list heap next prop next prop 32

  7. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list cur_ total typ max heap next prop next prop 33

  8. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list cur_ total typ max heap next prop next prop 34

  9. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max addend list heap next prop next prop 35

  10. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max STREAM addend list heap next prop next prop 36

  11. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max STREAM addend list heap next prop next prop 37

  12. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max STREAM addend list heap next prop next prop 38

  13. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max STREAM addend list cur_ cur_ total typ max max heap next prop next prop 39

  14. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { ? 12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max STREAM addend list heap next prop next prop 40

  15. Motivating Example (cont.) 6 while (quota--) { 4 for (; list != NULL; list = list->next) 7 readData(sockfd, buf); 5 list->prop += addend; 8 if(*type == NONE ) break; malicious computation 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else {  12 srv->typ = *type; simulate 13 srv->total += *size; 14 } vulnerable program 15 } Memory space stack buf[] type size quota srv cur_ total typ max STREAM addend list heap next prop next prop 41

  16. Data-Oriented Programming A Generic Technique 42

  17. Data-Oriented Programming (DOP) • General construction – w/o dependency on specific data / functions 43

  18. Data-Oriented Programming (DOP) • General construction – w/o dependency on specific data / functions • Expressive attacks – towards Turing-complete computation 44

  19. Data-Oriented Programming (DOP) • General construction – w/o dependency on specific data / functions • Expressive attacks – towards Turing-complete computation • Elements – data-oriented gadgets – gadget dispatchers 45

  20. Data-Oriented Gadgets • x86 instruction sequence CFG 6 – show in normal execution (CFI) 14 7 13 10 8 12 9 46

  21. Data-Oriented Gadgets • x86 instruction sequence CFG 6 – show in normal execution (CFI) 14 7 13 10 8 12 9 Addition : srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 47

  22. Data-Oriented Gadgets • x86 instruction sequence CFG 6 – show in normal execution (CFI) 14 7 13 – save results in memory 10 8 12 – load micro-op --> semantics micro-op --> store micro-op 9 Addition : srv->total += *size; 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 48

  23. Data-Oriented Gadgets • x86 instruction sequence CFG 6 – show in normal execution (CFI) 14 7 13 – save results in memory 10 8 12 – load micro-op --> semantics micro-op --> store micro-op 9 Addition : srv->total += *size; Memory space 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op 49

  24. Data-Oriented Gadgets • x86 instruction sequence CFG 6 – show in normal execution (CFI) 14 7 13 – save results in memory 10 8 12 – load micro-op --> semantics micro-op --> store micro-op 9 Addition : srv->total += *size; Memory space 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Load: *size = *(srv ->cur_max); 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 mov 0xb(%ebx), %eax //load 4 mov %eax, (%edx) //store micro-op 50

  25. Data-Oriented Gadgets • x86 instruction sequence CFG 6 – show in normal execution (CFI) 14 7 13 – save results in memory 10 8 12 – load micro-op --> semantics micro-op --> store micro-op 9 Addition : srv->total += *size; Memory space 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 add %ebx, %eax //addition 4 mov %eax, (%edi) //store micro-op Load: *size = *(srv ->cur_max); 1 mov (%esi), %ebx //load micro-op 2 mov (%edi), %eax //load micro-op 3 mov 0xb(%ebx), %eax //load 4 mov %eax, (%edx) //store micro-op 51

  26. Gadget Dispatcher round1 corruptible by mem-err round2 loop selector round3 …… roundN 52

  27. Gadget Dispatcher round1 corruptible by mem-err round2 loop selector round3 …… roundN • Chain data-oriented gadgets “ legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets 53

  28. Gadget Dispatcher round1 1 2 3 4 corruptible by mem-err round2 loop selector round3 …… roundN • Chain data-oriented gadgets “ legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets 54

  29. Gadget Dispatcher round1 1 2 3 4 corruptible by mem-err round2 5 6 7 loop selector round3 …… roundN • Chain data-oriented gadgets “ legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets 55

  30. Gadget Dispatcher round1 1 2 3 4 corruptible by mem-err round2 5 6 7 loop selector 1 2 3 4 round3 …… roundN • Chain data-oriented gadgets “ legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets 56

  31. Gadget Dispatcher round1 1 2 3 4 corruptible by mem-err round2 5 6 7 loop selector 1 2 3 4 round3 …… roundN • Chain data-oriented gadgets “ legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets 57

  32. Gadget Dispatcher round1 1 2 3 4 corruptible by mem-err round2 5 6 7 loop selector 1 2 3 4 round3 …… roundN • Chain data-oriented gadgets “ legitimately” – loop ---> repeatedly invoke gadgets – selector ---> selectively activate gadgets 6 while (quota--) { // loop 7 readData(sockfd, buf); // selector 8 if(*type == NONE ) break; 9 if(*type == STREAM) *size = *(srv->cur_max); 10 else{ srv->typ = *type; srv->total += *size; } 14 } 58

  33. Turing-completeness • DOP emulates a minimal language MINDOP – MINDOP is Turing-complete Statements Data-Oriented Semantics In C Gadgets in DOP arithmetic / logical a op b *p op *q assignment a = b *p = *q load a = *b *p = **q store *a = b **p = *q jump goto L vpc = &input conditional jump if (a) goto L vpc = &input if *p p – &a; q – &b; op – any arithmetic / logical operation 59

  34. Attack Construction 6 while (quota--) { 7 readData(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped)... 15 } 60

  35. Attack Construction 6 while (quota--) { 7 readData(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped)... 15 } • Gadget identification – statically identify load-semantics-store chain from LLVM IR 61

  36. Attack Construction 6 while (quota--) { 7 readData(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped)... 15 } • Gadget identification – statically identify load-semantics-store chain from LLVM IR • Dispatcher identification – static identify loops with gadgets from LLVM IR 62

  37. Attack Construction 6 while (quota--) { 7 readData(sockfd, buf); 8 if(*type == NONE ) break; 9 if(*type == STREAM) 10 *size = *(srv->cur_max); 11 else { 12 srv->typ = *type; 13 srv->total += *size; 14 } //...(code skipped)... 15 } • Gadget identification – statically identify load-semantics-store chain from LLVM IR • Dispatcher identification – static identify loops with gadgets from LLVM IR • Gadget stitching – select gadgets and dispatchers (manual) – check stitchability (manual) 63

  38. Evaluation 64

  39. Evaluation – Feasibility 9 x86 programs with 9 vulnerabilities – Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, – Wireshark, sudo, musl libc, mcrypt 65

  40. Evaluation – Feasibility 9 x86 programs with 9 vulnerabilities – Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, – Wireshark, sudo, musl libc, mcrypt • x86 Gadgets – 7518 in total, 1273 reachable via selected CVEs – 8 programs can simulate all MINDOP operations • x86 Dispatchers – 1443 in total, 110 reachable from selected CVEs 66

  41. Evaluation – Feasibility 9 x86 programs with 9 vulnerabilities – Nginx, ProFTPD, Wu-FTPD, sshd, Bitcoind, – Wireshark, sudo, musl libc, mcrypt • x86 Gadgets – 7518 in total, 1273 reachable via selected CVEs – 8 programs can simulate all MINDOP operations • x86 Dispatchers – 1443 in total, 110 reachable from selected CVEs • 2 programs can build Turing-complete attack • 3 end-to-end attacks 67

  42. Case Study: Bypassing Randomization • Previous methods – information leakage to network • Defeat ASLR w/o address leakage to network? 68

  43. Case Study: Bypassing Randomization • Previous methods – information leakage to network • Defeat ASLR w/o address leakage to network? • Vulnerable ProFTPD – use OpenSSL for authentication – a dereference chain to the private key 69

  44. Case Study: Bypassing Randomization • Previous methods – information leakage to network • Defeat ASLR w/o address leakage to network? • Vulnerable ProFTPD – use OpenSSL for authentication – a dereference chain to the private key @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 70

  45. Case Study: Bypassing Randomization • Gadgets MOV * p = * q ADD *X = *X + offset LOAD *Z = **Y @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 71

  46. Case Study: Bypassing Randomization • Gadgets MOV * p = * q ADD *X = *X + offset LOAD *Z = **Y • Dispatcher while (1) { user_request = get_user_request(); func1() { memory_error; MOV;} dispatch(user_request); func2() { ADD; } } func3() { LOAD; } @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 72

  47. Case Study: Bypassing Randomization MOV *X = *0x080dbc28 ( ssl_ctx ) ADD *X = *X + offset1 MOV *Y = *X LOAD *Z = **Y MOV *0x080dbc28 = *Z ( cert ) @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 73

  48. Case Study: Bypassing Randomization @ 0x080dbc28 MOV *X = *0x080dbc28 ( ssl_ctx ) ssl_ctx ADD *X = *X + offset1 MOV *Y = *X LOAD *Z = **Y cert MOV *0x080dbc28 = *Z ( cert ) @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 74

  49. Case Study: Bypassing Randomization @ 0x080dbc28 MOV *X = *0x080dbc28 ( ssl_ctx ) d2 ADD *X = *X + offset1 MOV *Y = *X LOAD *Z = **Y MOV *0x080dbc28 = *Z ( cert ) @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 75

  50. Case Study: Bypassing Randomization @ 0x080dbc28 MOV *X = *0x080dbc28 ( ssl_ctx ) d2 ADD *X = *X + offset1 MOV *Y = *X buf LOAD *Z = **Y MOV *0x080dbc28 = *Z ( cert ) write(outsock, buf, strlen(buf)) ; @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 76

  51. Case Study: Bypassing Randomization @ 0x080dbc28 MOV *X = *0x080dbc28 ( ssl_ctx ) d2 ADD *X = *X + offset1 MOV *Y = *X buf LOAD *Z = **Y MOV *0x080dbc28 = *Z ( cert ) write(outsock, buf, strlen(buf)) ; @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 77

  52. Case Study: Bypassing Randomization @ 0x080dbc28 MOV *X = *0x080dbc28 ( ssl_ctx ) d2 ADD *X = *X + offset1 MOV *Y = *X buf LOAD *Z = **Y MOV *0x080dbc28 = *Z ( cert ) write(outsock, buf, strlen(buf)) ; leak private key to network @ 0x080dbc28 SSL_CTX * ssl_ctx BN_ULONG * d2 BIGNUM * d1 Private Key struct cert_st * cert struct rsa_st * rsa CERT_PKEY * key EVP_PKEY*privatekey 78

  53. dlopen () – Dynamic Linking Interface • Load the dynamic library into memory space – resolve symbols based on binary metadata – patch program due to relocation – like LoadLibrary () on Windows 79

  54. dlopen () – Dynamic Linking Interface • Load the dynamic library into memory space – resolve symbols based on binary metadata – patch program due to relocation – like LoadLibrary () on Windows • Dynamic loader can do arbitrary computation * RTLD_ _start() exec() sysexec ld.so bin START() file access bin ld.so libc.so libc.so before run * R. Shapiro, S. Bratus, and S. W. Smith, ““Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata,” in WOOT 2013. 80

  55. dlopen () – Dynamic Linking Interface • Load the dynamic library into memory space – resolve symbols based on binary metadata – patch program due to relocation – like LoadLibrary () on Windows • Dynamic loader can do arbitrary computation * RTLD_ _start() exec() sysexec ld.so bin START() file access bin ld.so libc.so libc.so before run • The same to dlopen () * R. Shapiro, S. Bratus, and S. W. Smith, ““Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata,” in WOOT 2013. 81

  56. Case Study: Simulating A Network Bot • Attacks with dlopen dynamic library list link_map …… dlopen() { } head 82

  57. Case Study: Simulating A Network Bot • Attacks with dlopen – send malicious payload dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory Malicious payload 83

  58. Case Study: Simulating A Network Bot • Attacks with dlopen – send malicious payload – corrupt link list & call dlopen dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory Malicious payload 84

  59. Case Study: Simulating A Network Bot • Attacks with dlopen – send malicious payload invalid input – corrupt link list & call dlopen dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory Malicious payload 85

  60. Case Study: Simulating A Network Bot • Attacks with dlopen – send malicious payload invalid input – corrupt link list & call dlopen no call to dlopen dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory Malicious payload 86

  61. Case Study: Simulating A Network Bot • dlopen allows arbitrary computation • DOP attack addresses the problems – send malicious payload invalid input – corrupt link list & call dlopen no call to dlopen dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory Malicious payload 87

  62. Case Study: Simulating A Network Bot • dlopen allows arbitrary computation • DOP attack addresses the problems – send malicious payload invalid input – construct payload in memory – corrupt link list & call dlopen no call to dlopen dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory (1) Payload Malicious payload prepare MOV MOV 88

  63. Case Study: Simulating A Network Bot • dlopen allows arbitrary computation • DOP attack addresses the problems – send malicious payload invalid input – construct payload in memory – corrupt link list & call dlopen no call to dlopen dynamic library list link_map …… dlopen() { } head ProFTPD ’s memory (1) Payload Malicious payload prepare MOV MOV 89

  64. Case Study: Simulating A Network Bot • DOP attack addresses the problems • dlopen allows arbitrary computation – send malicious payload invalid input – construct payload in memory – corrupt link list & call dlopen no call to dlopen – force call to dlopen dynamic library list link_map if (flag) { …… dlopen() { } head } ProFTPD ’s memory (1) Payload Malicious payload prepare MOV MOV 90

  65. Case Study: Simulating A Network Bot • DOP attack addresses the problems • dlopen allows arbitrary computation – send malicious payload invalid input – construct payload in memory – corrupt link list & call dlopen no call to dlopen – force call to dlopen dynamic library list link_map if (flag) { …… dlopen() { } head } (2) Trigger MOV ProFTPD ’s STORE memory (1) Payload Malicious payload prepare MOV MOV 91

  66. Case Study: Simulating A Network Bot • DOP attack addresses the problems • dlopen allows arbitrary computation – send malicious payload invalid input – construct payload in memory – corrupt link list & call dlopen no call to dlopen – force call to dlopen dynamic library list link_map if (flag) { …… dlopen() { } head } > 700 (2) Trigger MOV requests ProFTPD ’s STORE memory (1) Payload Malicious payload prepare MOV MOV 92

  67. Case Study: Altering Memory Permissions • Defenses based on memory permissions – DEP: non-writable code – CFI: non-writable jump tags 93

  68. Case Study: Altering Memory Permissions • Defenses based on memory permissions – DEP: non-writable code – CFI: non-writable jump tags • dlopen(): relocation – change any page permission to writable – update page content – change the permission back 94

  69. Case Study: Altering Memory Permissions • Defenses based on memory permissions – DEP: non-writable code – CFI: non-writable jump tags • dlopen(): relocation – change any page permission to writable – update page content – change the permission back • DOP attacks – dlopen (code_addr, shellcode) 95

  70. Case Study: Altering Memory Permissions • Defenses based on memory permissions – DEP: non-writable code – CFI: non-writable jump tags • dlopen(): relocation – change any page permission to writable – update page content – change the permission back • DOP attacks – dlopen (code_addr, shellcode) • Code injection is back! 96

  71. Related Work Independent Turing Preserve Techniques of specific Complete? CFI? data / funcs? Non-control Data Attacks  (Chen et al. 2005)   COOP (Schuster et al. 2015)  FlowStitch (Hu et al. 2015) Printf-Oriented Programming   (Carlini et al. 2015)  Control Jujustu (Evans et al. 2015)    Data-Oriented Programming 97

  72. Potential Defenses • Memory Safety – e.g., Cyclone (Jim et al. 2002) , CCured (Necula et al. 2002) , SoftBounds+CETS (Nagarakatte et al. 2009, 2010) – high performance overhead (> 100%) • Data-flow Integrity – e.g, DFI (Castro et al. 2006) , kernel DFI (Song et al. 2016) • Fined-grained randomization in data space – e.g., DSR (Bhatkar et al. 2008) • Hardware & software fault isolation – e.g., HDFI (Song et al. 2016) , MPX 98

  73. Potential Defenses • Memory Safety – e.g., Cyclone (Jim et al. 2002) , CCured (Necula et al. 2002) , SoftBounds+CETS (Nagarakatte et al. 2009, 2010) – high performance overhead (> 100%) • Data-flow Integrity – e.g, DFI (Castro et al. 2006) , kernel DFI (Song et al. 2016) • Fined-grained randomization in data space – e.g., DSR (Bhatkar et al. 2008) • Hardware & software fault isolation – e.g., HDFI (Song et al. 2016) , MPX No practical defenses yet ! 99

  74. Conclusion • Non-control data attacks can be Turing-complete 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming A method for organizing programs Data abstraction John's Apply for Account Bundling together information and related behavior a loan! A metaphor

207 views • 18 slides
16Object-Oriented Programming CS1101S: Programming Methodology Martin Henz October 17, 2012

16Object-Oriented Programming CS1101S: Programming Methodology Martin Henz October 17, 2012

JavaScripts Native Data Structures Recap: Programming Techniques for Data Representation Object-Oriented Programming 16Object-Oriented Programming CS1101S: Programming Methodology Martin Henz October 17, 2012 Generated on Wednesday 17

798 views • 40 slides
Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been

Object-Oriented Programming in Processing Object-Oriented Programming Weve (kinda) been doing this since Day 1: Python is a deeply object oriented language Most of the data types we were using (strings, list, dictionaries) were

463 views • 21 slides
Chapter 3 Objects and Classes Object Oriented Object Oriented Programming Programming OOP

Chapter 3 Objects and Classes Object Oriented Object Oriented Programming Programming OOP

Chapter 3 Objects and Classes Object Oriented Object Oriented Programming Programming OOP is a relatively new approach to programming which supports the creation of new data types and operations to manipulate those types. 2 What is

563 views • 15 slides
C Programming for Engineers Data Structure & Object Oriented Programming ICEN 200 Spring

C Programming for Engineers Data Structure & Object Oriented Programming ICEN 200 Spring

C Programming for Engineers Data Structure & Object Oriented Programming ICEN 200 Spring 2018 Prof. Dola Saha 1 Data Structures Weve studied fixed-size data structures such as single- subscripted arrays, double-subscripted

648 views • 33 slides
CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of Computer Science University of Maryland, College Park Object-Oriented Programming (OOP) Approach to improving software View software as a

593 views • 18 slides
Intro to Object Oriented Programming in P y thon W OR K IN G W ITH TH E C L ASS SYSTE M IN P

Intro to Object Oriented Programming in P y thon W OR K IN G W ITH TH E C L ASS SYSTE M IN P

Intro to Object Oriented Programming in P y thon W OR K IN G W ITH TH E C L ASS SYSTE M IN P YTH ON Vicki Bo y kis Senior Data Scientist WORKING WITH THE CLASS SYSTEM IN PYTHON What ' s Object - Oriented Programming ? ( OOP ) A w a y to b u

419 views • 19 slides
61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4

61A Lecture 15 Announcements Object-Oriented Programming Object-Oriented Programming 4 Object-Oriented Programming A method for organizing programs 4 Object-Oriented Programming A method for organizing programs Data abstraction 4

1.46k views • 142 slides
From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier

Introduction OOP OOP2MAOP MAOP Conclusion From Organisation Oriented Programming to Multi-Agent Oriented Programming Olivier Boissier ISCOD/Henri Fayol Institute & LSTI ENS Mines Saint-Etienne - France boissier@emse.fr MATES,

1.22k views • 73 slides
Introduction to Object-Oriented Programming Review 2: Object-Oriented Programming Christopher

Introduction to Object-Oriented Programming Review 2: Object-Oriented Programming Christopher

Introduction to Object-Oriented Programming Review 2: Object-Oriented Programming Christopher Simpkins chris.simpkins@gatech.edu CS 1331 (Georgia Tech) Review 2: Object-Oriented Programming 1 / 14 Topics in the OOP Block Inheritance

612 views • 14 slides
The Joint Effort for Data assimilation Integration Object Oriented Programming Joint Center for

The Joint Effort for Data assimilation Integration Object Oriented Programming Joint Center for

The Joint Effort for Data assimilation Integration Object Oriented Programming Joint Center for Satellite Data Assimilation (JCSDA) Very brief introduction to object oriented programming Concepts that are the most useful to work with JEDI

673 views • 11 slides
CSC 1800 Organization of Programming Languages Object Oriented Languages 1 Introduction

CSC 1800 Organization of Programming Languages Object Oriented Languages 1 Introduction

CSC 1800 Organization of Programming Languages Object Oriented Languages 1 Introduction Many object-oriented programming (OOP) languages Some support procedural and data-oriented programming (e.g., Ada 95, C++, Python) Some

364 views • 24 slides
Polymorphism 1 / 19 Introduction to Object-Oriented Programming Today well learn how to

Polymorphism 1 / 19 Introduction to Object-Oriented Programming Today well learn how to

Polymorphism 1 / 19 Introduction to Object-Oriented Programming Today well learn how to combine all the elements of object-oriented programming in the design of a program that handles a company payroll. Object-oriented programming requires

437 views • 19 slides
Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The

Lecture 18: object-oriented programming Review of Object-Oriented Programming in Python The primary characteristics associated with object-oriented programming are inheritance; encapsulation; and polymorphism Inheritance class Shape: class

252 views • 9 slides
Introduction to Object- Kuan-Ting Lai Oriented Programming 2020/2/29 What is Object-Oriented

Introduction to Object- Kuan-Ting Lai Oriented Programming 2020/2/29 What is Object-Oriented

Poly- mor- phism Abstra ction Class OOP Inheri -tance En- capsu- lation Introduction to Object- Kuan-Ting Lai Oriented Programming 2020/2/29 What is Object-Oriented Programming (OOP)? A program paradigm based on the concept of

531 views • 30 slides
Object Oriented Programming COP3330 / CGS5409 Intro to Data Structures Vectors Linked

Object Oriented Programming COP3330 / CGS5409 Intro to Data Structures Vectors Linked

Object Oriented Programming COP3330 / CGS5409 Intro to Data Structures Vectors Linked Lists Queues Stacks C++ has some built-in methods of storing compound data in useful ways, like arrays and structs. Collectively

464 views • 28 slides
CephFS as a service with OpenStack Manila John Spray john.spray@redhat.com jcsp on #ceph-devel

CephFS as a service with OpenStack Manila John Spray john.spray@redhat.com jcsp on #ceph-devel

CephFS as a service with OpenStack Manila John Spray john.spray@redhat.com jcsp on #ceph-devel Agenda Brief introductions: Ceph, Manila Mapping Manila concepts to CephFS Experience implementing native driver How to use the

757 views • 38 slides
Mellow Writes: Extending Lifetime in Resistive Memories through Selective Slow Write Backs

Mellow Writes: Extending Lifetime in Resistive Memories through Selective Slow Write Backs

Mellow Writes: Extending Lifetime in Resistive Memories through Selective Slow Write Backs Lunkai Zhang, Brian Neely, Diana Franklin, Dmitri Strukov, Yuan Xie, Frederic T. Chong Presented at ISCA 2016 EECS 573, University of Michigan, Ann

543 views • 28 slides
Stability, Popularity, and Lower Quotas Meghana Nasre IIT Madras CAALM 2019 Chennai

Stability, Popularity, and Lower Quotas Meghana Nasre IIT Madras CAALM 2019 Chennai

Stability, Popularity, and Lower Quotas Stability, Popularity, and Lower Quotas Meghana Nasre IIT Madras CAALM 2019 Chennai Mathematical Institute Jan 22, 2019 1 / 31 Stability, Popularity, and Lower Quotas Problem Setup 2 / 31 Stability,

1.64k views • 132 slides
Rucio DaTRi replacement Thomas Beermann (on behalf of the Rucio team) Overview Web

Rucio DaTRi replacement Thomas Beermann (on behalf of the Rucio team) Overview Web

Rucio DaTRi replacement Thomas Beermann (on behalf of the Rucio team) Overview Web Interface for Rucio Replication Rules Currently under active development Only for selected users Not open for public use yet (if interested please

138 views • 11 slides
t rst

t rst

t rst rs Ptr r rtt s

877 views • 56 slides
Section 4.4: The Basics of Apportionment MATH 105: Contemporary Mathematics University of

Section 4.4: The Basics of Apportionment MATH 105: Contemporary Mathematics University of

Section 4.4: The Basics of Apportionment MATH 105: Contemporary Mathematics University of Louisville October 31, 2017 Apportionment, Introduced 2 / 14 What is apportionment? Most democracies are not direct democracies, where the electorate at

463 views • 7 slides
Filesystem Maintenance Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Filesystem Maintenance Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica

Filesystem Maintenance Xavier Martorell-Bofill 1 Ren Serral-Graci 1 Universitat Politcnica de Catalunya (UPC) May 26, 2014 Introduction Filesystems Disk verification LVM Backups Lectures System administration introduction 1

659 views • 33 slides
USER COMPUTING FOR DUNE Heidi Schellman, Oregon State University 3/31/19 Our disks are full and

USER COMPUTING FOR DUNE Heidi Schellman, Oregon State University 3/31/19 Our disks are full and

1 USER COMPUTING FOR DUNE Heidi Schellman, Oregon State University 3/31/19 Our disks are full and we are sad 2 dune persistent storage usage by user 2 User Group Name Space used (GiB) # Files Justo Martin-Albo jmalbos dune 17,865

97 views • 9 slides

More recommend