dynaguard armoring canary based protections against brute
play

DynaGuard: Armoring Canary-Based Protections against Brute-force - PowerPoint PPT Presentation

Oct 25, 2023 •364 likes •736 views

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios, Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromytis Columbia University Stony Brook University Brown University 2015 Annual Computer

  1. DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios, Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromytis Columbia University Stony Brook University Brown University 2015 Annual Computer Security Applications Conference (ACSAC) Los Angeles, California, USA

  2. Background: Stack Smashing Protection •Prevents the overwrite of the return address by a stack buffer overflow •Places a random value after critical data in the stack -Random value: ➡ “Canary” or “Canary Cookie” -Critical data ➡ Return address, Frame pointer, etc. -The canary is 4 bytes long in x86, 8 bytes in x86-64 •Generated dynamically at the creation of each thread, and stored in the Thread-Local Storage (TLS) area •Checked upon function epilogue •Supported in GCC, Microsoft VS (/GS) and LLVM Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 2 /36

  3. Background: Stack Smashing Protection Higher Addresses canary end byte 0x7 Return Address int vuln(int n, char *str) Frame Pointer { Canary int i; ... char buffer[] int *x = NULL; byte 0x0 canary char bu fg er [8]; start int *x byte 0x7 ... int i copy of n /* unbounded copy */ Overflow Direction memcpy(bu fg er , str , n); copy of str ... ... byte 0x1 } byte 0x0 buffer start Lower Addresses Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 3 /36

  4. Canary Brute-force An attacker may brute-force the canary byte-by-byte in very few attempts if they are able to perform the following steps: - Force child processes to be forked by the same parent process - Verify if these child processes crashed or not - Overwrite a single byte of the canary each time until all the bytes are recovered Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 4 /36

  5. Canary Brute-force • Possible due to the current process creation mechanism: 
 • Certain data is inherited from the parent process, although it should be different (other examples include VM side channel attacks and the PRNG state in forked processes) Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 5 /36

  6. Canary Brute-force Higher Addresses canary end byte 0x7 Return Address Frame Pointer Canary ... char buffer[] byte 0x0 canary start int *x byte 0x7 int i copy of n Overflow Direction copy of str ... byte 0x1 byte 0x0 buffer start Lower Addresses Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 6 /36

  7. Canary Brute-force Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 7 /36

  8. Canary Brute-force Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 8 /36

  9. Canary Brute-force Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 9 /36

  10. Canary Brute-force Higher Addresses canary end Return Address Frame Pointer Canary char buffer[] canary start int *x byte 0x7 int i copy of n Overflow Direction copy of str ... byte 0x1 byte 0x0 buffer start Lower Addresses Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 10 /36

  11. A byte-by-byte brute-force requires 4*256 = 1024 attempts on average on x86 and 2048 on x86-64, assuming a fully random canary Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 11 /36

  12. Canary Brute-force Guessing Timeline Ben Hawkes introduced the technique in RUXCON 2006 
 2006 (Title: "Exploiting OpenBSD”) Adam Zabrocki (pi3) discussed remote stack exploitation 2010 techniques in Linux, FreeBSD and OpenBSD and among other things, revisited Ben's attack in Phrack #67 Nikolaos Rangos (Kingcope) released an exploit for 2013 the Nginx web-server that builds upon the previous attack(s) to construct a remote exploit Andrea Bittau et al. introduced the BROP technique, which among other 2014 things, uses a generalized version of the above to leak/bypass stack canaries

  13. DynaGuard Design Key idea: Upon each fork() update the inherited (old) canaries in the child process • Update the canary in the TLS of the new (child) process • Update the canaries in all inherited stack frames (from the parent process) with the new canary value Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 13 /36

  14. Simply updating the canary in the TLS* for new (child) processes is not enough as it will cause a false abort if execution reaches one of the parent’s inherited frames *as proposed in a recent paper

  15. TLS canary ...... } previous ...... frames } a } b

  16. Parent Process Child Process TLS TLS ...... } } ...... ...... } } a a } } b b

  17. Parent Process Child Process TLS TLS ...... } } ...... ...... } } a a } } b b } } c c

  18. Parent Process Child Process TLS TLS ...... } } ...... ...... ? ? = = } } a a } } b b } } c c

  19. canary push canary TLS reference ? canary = canary check ...... } previous ...... frames canary } address a bu fg er ...... } b &(canary a) &(canary b) Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 19 /36

  20. Parent Process Child Process TLS TLS } } ...... ...... } } a a canary canary address address } } b b bu fg er bu fg er ...... ...... &(can. a) &(can. a) &(can. b) &(can. b) Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 20 /36

  21. Parent Process Child Process TLS TLS ...... } } ...... ...... } } a a canary canary address address } } b b bu fg er bu fg er ...... ...... } } &(can. a) &(can. a) c c &(can. b) &(can. b) &(can. c) &(can. c) Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 21 /36

  22. Parent Process Child Process TLS TLS ...... } } ...... ...... ? ? = = } } a a canary canary address address } } b b bu fg er bu fg er ...... ...... } } &(can. a) &(can. a) c c &(can. b) &(can. b) &(can. c) &(can. c) Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 22 /36

  23. Implementation Two flavors: Compiler-based and DBI-based

  24. Implementation: Compiler-based Version Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 24 /36

  25. Implementation: Compiler-based Version •Two components: -GCC plugin -Runtime library -Total of ~1250 LOC •Maintain two canaries at runtime: -DynaGuard-compiled code uses DynaGuard canaries - legacy code/libraries use the glibc canaries Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 25 /36

  26. Implementation: Compiler-based Version •Both canaries have same entropy but are stored in different TLS offsets •GCC plugin replaces the glibc canaries with the DynaGuard canaries •DynaGuard’s runtime library: -allocates Canary Address Buffer (CAB) in the heap for each thread, before it starts executing and deallocates it when terminating -performs CAB bookkeeping -updates all canaries in the child process’s stack, as well as its TLS upon a fork() Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 26 /36

  27. Compiler-based Version: DynaGuard GCC Plugin • Reserve 4 out of 8 __padding entries of the tcbhead_t struct in the TLS. 
 Reserved TLS offsets range from 0x2a0 to 0x2b8: -CAB address stored at %fs:0x2a0 -CAB current index: %fs:0x2a8 -CAB size: %fs:0x2b0 -DynaGuard canary: %fs:0x2b8 •Insert code to push/pop canary addresses in CAB upon a canary push/pop Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 27 /36

  28. Compiler-based Version: DynaGuard GCC Plugin Original DynaGuard push %rbp ;function prologue mov %rsp,%rbp push %rbp sub $0x40,%rsp mov %rsp,%rbp push %r14 (1) sub $0x40,%rsp push %r15 ;canary stack placement lea -0x8(%rbp),%rax (2) mov %fs:0x28,%rax mov %fs:0x2a0,%r14 (3) mov %rax,-0x8(%rbp) mov %fs:0x2a8,%r15 (4) xor %eax,%eax mov %rax,(%r14,%r15,8) (5) incq %fs:0x2a8 (6) pop %r15 (7) pop %r14 mov %fs:0x2b8,%rax (8) mov %rax,-0x8(%rbp) xor %eax,%eax ... ... ;canary check decq %fs:0x2a8 (9) mov -0x8(%rbp),%rcx mov -0x8(%rbp),%rcx xor %fs:0x28,%rcx xor %fs:0x2b8,%rcx (10) je <exit> je <exit> callq <__stack_chk_fail@plt> callq <__stack_chk_fail@plt> Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 28 /36

  29. Compiler-based Version: DynaGuard Runtime Library • PIC module loaded via LD_PRELOAD • Invoked only for CAB setup and resize operations, as well as for canary updates. •All push/pop operations of canary addresses are implemented by the GCC plugin Theofilos Petsios (theofilos@cs.columbia.edu) DynaGuard ACSAC 2015 29 /36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
Preview question What two methods are mentioned in the StackGuard paper to prevent canary

Preview question What two methods are mentioned in the StackGuard paper to prevent canary

Preview question What two methods are mentioned in the StackGuard paper to prevent canary forgery? CSci 5271 A. terminator canary and random canary Introduction to Computer Security Low-level attacks and defenses B.

320 views • 7 slides
RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

www.elvac.eu Marian Kuruc RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control, protection, data acquisition and communication Content Redesigned block of protections Global setting of measurement ranges

409 views • 10 slides
Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law Lise Johnson ljj2107@columbia.edu T-TIP Stakeholder Briefing May 21, 2014 US Law: When will a court find that the government has given an

236 views • 4 slides
Uranium Investor Road Show BGF Equities and Canary Events BGF Equities and Canary Events Melbourne

Uranium Investor Road Show BGF Equities and Canary Events BGF Equities and Canary Events Melbourne

Uranium Investor Road Show BGF Equities and Canary Events BGF Equities and Canary Events Melbourne to Sydney 29 30 June 2010 Patrick Mutz Managing Director ASX Code: DYL ASX Code: DYL www.deepyellow.com.au Disclaimer Forward Looking

529 views • 41 slides
Canary Wharf Consulting IO3 Brussels May 2018 PROMYSE Canary Wharf Consulting in the Project

Canary Wharf Consulting IO3 Brussels May 2018 PROMYSE Canary Wharf Consulting in the Project

Canary Wharf Consulting IO3 Brussels May 2018 PROMYSE Canary Wharf Consulting in the Project Coordination of A3.1 Coordination of A3.4 Coordination of Use case scenarios drafting and Testing and evaluation of the e- Output 3 HTML design

205 views • 17 slides
MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions Brute force algorithms Divide and Conquer What is the brute force approach to Calculate the n th Fibonacci number? 1. Compute the n th power

387 views • 14 slides
A Java Based Component Identification Tool for Measuring Circuit Protections James D. Parham J.

A Java Based Component Identification Tool for Measuring Circuit Protections James D. Parham J.

A Java Based Component Identification Tool for Measuring Circuit Protections James D. Parham J. Todd McDonald Michael R. Grimaila Yong C. Kim 1 Background Program Protection Software (programs) are the 1s and 0s representing language

216 views • 19 slides
1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

INTRODUCTORY GUIDE 1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS SERVICE B A C K G R O U N D The Financial Protections Service was instigated following a recommendation of the Inquiry into the

184 views • 17 slides
The case for puberty as the canary in the coal mine Frank M Biro On behalf of the BCERC and

The case for puberty as the canary in the coal mine Frank M Biro On behalf of the BCERC and

The case for puberty as the canary in the coal mine Frank M Biro On behalf of the BCERC and BCERP CCTST Grand Rounds A canary in the coal mine Early coal mines did not feature ventilation systems, so miners would routinely bring a

510 views • 21 slides
Covert Debugging Circumventing Software Armoring Techniques Offensive Computing, LLC Danny

Covert Debugging Circumventing Software Armoring Techniques Offensive Computing, LLC Danny

Covert Debugging Circumventing Software Armoring Techniques Offensive Computing, LLC Danny Quist Valsmith dquist@offensivecomputing.net valsmith@offensivecomputing.net Offensive Computing - Malware Intelligence Danny Quist Offensive

984 views • 57 slides
Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC,

Side channel protections for CSIDH Luca De Feo IBM Research Zrich October 16, 2019, PHISIC, Gardanne based on joint work with D. Cervantes-Vzquez, M. Chenu, J.J. Chi-Domnguez, F. Rodrguez-Henrquez, B. Smith Slides online at

944 views • 90 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
TODAY Substring search Brute force Knuth-Morris-Pratt Boyer-Moore Rabin-Karp

TODAY Substring search Brute force Knuth-Morris-Pratt Boyer-Moore Rabin-Karp

BBM 202 - ALGORITHMS D EPT . OF C OMPUTER E NGINEERING S UBSTRING S EARCH Acknowledgement: The course slides are adapted from the slides prepared by R. Sedgewick and K. Wayne of Princeton University. TODAY Substring search Brute

993 views • 83 slides
Know Your Rights: COVID-19 Tenant Protections Bet Tzedek Legal Services May 28, 2020 Rent

Know Your Rights: COVID-19 Tenant Protections Bet Tzedek Legal Services May 28, 2020 Rent

Know Your Rights: COVID-19 Tenant Protections Bet Tzedek Legal Services May 28, 2020 Rent Deferral and Eviction Protections Applies to tenants unable to pay rent due to COVID-19, including: Loss of income due to workplace closure

616 views • 15 slides
Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory GDR SoC17, Bordeaux Summary Introduction &amp; Cryptographic Background Side Channel Attacks Fault Injection Attacks Protections

1.87k views • 166 slides
Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators

Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators

Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators Vladimir Roi, Bohan Yang, Nele Mentens and Ingrid Verbauwhede Acknowledgment This work is supported in part by the European Commission through the

348 views • 19 slides
BUDGET PRESENTATION AGENDA Introductions/Sign In Sheet Water Usage in Calendar Year 2014

BUDGET PRESENTATION AGENDA Introductions/Sign In Sheet Water Usage in Calendar Year 2014

CASTLEWOOD FY 2015/16 BUDGET PRESENTATION AGENDA Introductions/Sign In Sheet Water Usage in Calendar Year 2014 SFPUC Water Costs &amp; Drought Update State Funds &amp; Redwood Tank 2014/15 Program Specific Expenses 2015/16

427 views • 32 slides
Vallejo Interagency Partnership (VIP) City of Vallejo Caltrans California Maritime Academy

Vallejo Interagency Partnership (VIP) City of Vallejo Caltrans California Maritime Academy

Vallejo Interagency Partnership (VIP) City of Vallejo Caltrans California Maritime Academy GVRD Vallejo Sanitation Flood Control District Vallejo City Unified School District Solano County Sheriffs Office Six Flags Discovery Kingdom

596 views • 31 slides
ZERO NET ENERGY AFFORDABLE HOUSING IN CALIFORNIA By SEAN ARMSTRONG of REDWOOD ENERGY

ZERO NET ENERGY AFFORDABLE HOUSING IN CALIFORNIA By SEAN ARMSTRONG of REDWOOD ENERGY

ZERO NET ENERGY AFFORDABLE HOUSING IN CALIFORNIA By SEAN ARMSTRONG of REDWOOD ENERGY sean@redwoodenergy.net 707.826.1450 (o) PROJECT MANAGER SEAN ARMSTRONG Founded Redwood Energy in 2011 to provide consulting for Zero Net Energy design

290 views • 18 slides
CANARY IN THE INTERNET MINE WHO IS THIS TALK FOR? FOLKS WHO: make applications or websites

CANARY IN THE INTERNET MINE WHO IS THIS TALK FOR? FOLKS WHO: make applications or websites

BROOK SHELLEY CANARY IN THE INTERNET MINE WHO IS THIS TALK FOR? FOLKS WHO: make applications or websites that you visit in a browser. launch a new versions - even a minor one. need to respond to a downtime page. ever make

464 views • 17 slides
GRAN CANARIA A great natural film set gran canaria, Why? A great natural film set A

GRAN CANARIA A great natural film set gran canaria, Why? A great natural film set A

GRAN CANARIA A great natural film set gran canaria, Why? A great natural film set A Paradise of filming locations Superb tax benefits for audiovisual productions Experienced and qualified crew An island ... full of

591 views • 24 slides
Gran Canaria July 2015 Sally Ievers UCB works closely with the University of Las Palmas in Gran

Gran Canaria July 2015 Sally Ievers UCB works closely with the University of Las Palmas in Gran

User Voice University of Las Palmas Gran Canaria July 2015 Sally Ievers UCB works closely with the University of Las Palmas in Gran Canaria, Canary Islands on a number of tourism projects. When visiting UCB in May, Dr Lidia Hernandez ,

518 views • 16 slides
INRES INsular regions cooperation for maximising the environmental and economic benefits from the

INRES INsular regions cooperation for maximising the environmental and economic benefits from the

INRES INsular regions cooperation for maximising the environmental and economic benefits from the research in Renewable Energy Sources Presentation of R&amp;D activities in Canary Islands Julin Monedero (Dobons Technology, S.L.) BEST PRACTICES:

289 views • 16 slides

More recommend