e nexsh os fortification nexsh os fortification e
play

e- -NeXSh: OS Fortification NeXSh: OS Fortification e Protecting - PowerPoint PPT Presentation

Feb 20, 2024 •290 likes •581 views

e- -NeXSh: OS Fortification NeXSh: OS Fortification e Protecting Software from Internet Malware Protecting Software from Internet Malware Gaurav S. Kc Kc, , Angelos Angelos D. D. Keromytis Keromytis Gaurav S. Columbia University

  1. e- -NeXSh: OS Fortification NeXSh: OS Fortification e Protecting Software from Internet Malware Protecting Software from Internet Malware Gaurav S. Kc Kc, , Angelos Angelos D. D. Keromytis Keromytis Gaurav S. Columbia University Columbia University

  2. Bane of the Internet Bane of the Internet � Internet Malware Internet Malware � � Internet worms and Internet Internet worms and Internet- -cracking tools cracking tools � � Override program control to execute malcode Override program control to execute malcode � � Internet Worms Internet Worms � � Morris '88, Code Red II '01, Nimda '01, Morris '88, Code Red II '01, Nimda '01, � Slapper '02, Blaster '03, MS- -SQL Slammer '03, SQL Slammer '03, Slapper '02, Blaster '03, MS Sasser '04 Sasser '04 � Automatic propagation Automatic propagation � � Internet Crackers Internet Crackers � � “ “ j00 j00 got got h4x0r3d h4x0r3d !!” !!” � � After breaking in, malware will: After breaking in, malware will: � � Create backdoors, install Create backdoors, install rootkits rootkits (conceal (conceal � malcode existence), join a bot bot- -net, generate net, generate malcode existence), join a spam spam � e e- -NeXSh NeXSh can thwart such can thwart such malware malware � 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 2

  3. Outline Outline � Software Run Software Run- -Time Environments (x86/Linux) Time Environments (x86/Linux) � � Bugs, and Breaches: Anatomy of Attacks Bugs, and Breaches: Anatomy of Attacks � � e e- -NeXSh NeXSh: OS Fortification : OS Fortification � � Related Work Related Work � � Conclusions Conclusions � 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 3

  4. Process Run- -Time Time Process Run � Linux: Multi Linux: Multi- -processor OS processor OS � � Resource manager and scheduler Resource manager and scheduler � � Inter Inter- -process communication (IPC) process communication (IPC) � � Access: network, persistent storage devices Access: network, persistent storage devices � � Process scheduling and context Process scheduling and context- -switching switching � � Process Process: abstraction of : abstraction of � program in execution program in execution � 4GB of virtual memory 4GB of virtual memory � � Code + data segments Code + data segments � .stack segment segment � .stack � � Activation records Activation records � 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 4

  5. Process Run- -Time Time Process Run � Activation records Activation records � Activation Frame Header Activation Frame Header return_address, old_frame_pointer return_address, old_frame_pointer PC SP void function(char *s, float y, int x) { FP int a; int b; char buffer[SIZE]; int c; strcpy(buffer, s); return; } 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 5

  6. Invoking System Calls Invoking System Calls � Applications access Applications access � 0xffffffff KERNEL MEMORY system_call: kernel resources kernel resources sys_socket: system-call stack frames sock_create: sock_alloc: Machine instruction in .text section socki_lookup program.c bar() { 0xbfffffff USERSPACE MEMORY ... int $0x80 ; trap instr. ... main: } program stack frames foo: foo() { bar(); } bar: main() { foo(); } kernel system_call() { call *0x0(,%eax,4) ; } sys_socket() { sock_create(); } sock_create() { sock_alloc(); } sock_alloc() { socki_lookup(); } socki_lookup() { ... } 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 6

  7. System Calls via LIBC System Calls via LIBC program.c 0xffffffff KERNEL MEMORY system_call: bar() { socket(...); sys_socket: } system-call stack frames sock_create: foo() { bar(); } sock_alloc: main() { foo(); } socki_lookup libc.so 0xbfffffff USERSPACE MEMORY socket() { ... main: int $0x80 ; trap instr. program stack frames ... foo: } bar: Machine instruction in libc stack frames LIBC .text section socket: kernel system_call() { call *0x0(,%eax,4) ; } sys_socket() { sock_create(); } sock_create() { sock_alloc(); } sock_alloc() { socki_lookup(); } socki_lookup() { ... } 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 7

  8. Security Vulnerabilities Security Vulnerabilities � C: A low-level, systems language with unsafe features � No bounds-checking. Not strongly typed. � Arbitrary memory overwrites � Common security vulnerabilities � Buffer overflows � Format-string vulnerability � Integer overflows � Double-free vulnerability 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 8

  9. Anatomy of a Process- -Subversion Subversion Anatomy of a Process Attack Attack Analysis of common attack techniques Analysis of common attack techniques � � Phrack magazine, BugTraq, worms in “the wild” Phrack magazine, BugTraq, worms in “the wild” � � Stages of a process- -subversion attack subversion attack Stages of a process � � Trigger vulnerability vulnerability in software in software Trigger 1. 1. Overwrite code Overwrite code pointer pointer 2. 2. Execute malcode malcode of the attacker’s choosing, and invoke system calls of the attacker’s choosing, and invoke system calls Execute 3. 3. 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 9

  10. Process- -Subversion Attacks Subversion Attacks Process contd. contd. Component Elements (C.E.) of an attack (C.E.) of an attack Component Elements � � exploitable vulnerability exploitable vulnerability 1. 1. e.g., buffer overflows, format- -string vulnerabilities string vulnerabilities e.g., buffer overflows, format overwritable code pointer overwritable code pointer 2. 2. e.g., return address, function pointer variables e.g., return address, function pointer variables executable malcode executable malcode 3. 3. e.g., machine code injected into data memory, e.g., machine code injected into data memory, existing application or LIBC code existing application or LIBC code Focus of e-NeXSh! 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 10

  11. Methods of Attack Methods of Attack void function(char *s, float y, int x) { int a; int b; char buffer[SIZE]; int c; strcpy(buffer, s); int x ... ... return; float y ... ... } char *s PC &buffer &buffer ret. addr: &buffer &buffer 0x0abcdef0 &buffer &buffer old fp: Buffer-overflow 0x4fedcba8 ... ... vulnerability call &system ... int a int b push “/bin/sh” int $0x80 nop nop Stacksmashing (LIBC-Based) Stacksmashing (Code Injection) nop nop char buffer[SIZE] nop nop int c Overrun buffer Overrun buffer Overwrite return address Overwrite return address Injected code invokes LIBC function Injected code invokes system call 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 11

  12. Outline Outline � Software Run Software Run- -Time Environments (x86/Linux) Time Environments (x86/Linux) � � Bugs, and Breaches: Anatomy of Attacks Bugs, and Breaches: Anatomy of Attacks � � e e- -NeXSh NeXSh: OS Fortification : OS Fortification � � Related Work Related Work � � Conclusions Conclusions � 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 12

  13. e- -NeXSh: Monitoring Processes for NeXSh: Monitoring Processes for e Anomalous and Malicious Behaviour Anomalous and Malicious Behaviour � Monitor LIBC function invocations Monitor LIBC function invocations � If ( call stack call stack doesn’t match doesn’t match call graph call graph ) ) If ( LIBC- -based attack based attack ); exit ( LIBC exit ( ); � Monitor system Monitor system- -call invocations call invocations � If ( system call system call invoked from invoked from data memory data memory ) ) If ( exit ( injected code execution injected code execution ); ); exit ( � Explicit policy definitions required! Explicit policy definitions required! � � Use program disassembly information and memory layout. Use program disassembly information and memory layout. � � Code can still execute on stack/heap, just cannot Code can still execute on stack/heap, just cannot � invoke system calls directly or via LIBC functions invoke system calls directly or via LIBC functions 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 13

  14. e- -NeXSh: System Calls via LIBC NeXSh: System Calls via LIBC e program.c bar() { 0xffffffff KERNEL MEMORY system_call: socket(...); } sys_socket: foo() { bar(); } system-call stack frames sock_create: main() { foo(); } sock_alloc: socki_lookup e-NeXSh.so socket() { 0xbfffffff USERSPACE MEMORY Valid call stack // validate call stack libc.so :: socket(); } main: libc.so program stack frames foo: socket() { bar: int $0x80 ; trap instr. } e-NeXSh.so socket: kernel libc stack frames socket: system_call() { Valid return address // validate “return address” call *0x0(,%eax,4) ; } sys_socket() { sock_create(); } sock_create() { sock_alloc(); } 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 14

  15. e- -NeXSh: Validating the Call Stack NeXSh: Validating the Call Stack e 07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NAMIBIA STAPLE FOODS FORTIFICATION PRODUCTS FORTIFIED Maize meal since 2001 Bread Flour

NAMIBIA STAPLE FOODS FORTIFICATION PRODUCTS FORTIFIED Maize meal since 2001 Bread Flour

NAMIBIA STAPLE FOODS FORTIFICATION PRODUCTS FORTIFIED Maize meal since 2001 Bread Flour since 2009 Fortification on Maize meal and Bread Flour is carried out as per SA fortification regulations. FORTICATION NUTRIENTS Vitamin A

927 views • 10 slides
Maize flour fortification in Africa: markets, feasibility, coverage, and costs Afidra O. Ronald

Maize flour fortification in Africa: markets, feasibility, coverage, and costs Afidra O. Ronald

Maize flour fortification in Africa: markets, feasibility, coverage, and costs Afidra O. Ronald Oct, 3 ,2016 Dar- Tanzania What is Mass food Fortification Is the addition of one or more micronutrients to foods consumed by a large proportion

568 views • 20 slides
Bio fortification of Leek with Selenium Laboratory of Analytical Chemistry & Applied

Bio fortification of Leek with Selenium Laboratory of Analytical Chemistry & Applied

Bio fortification of Leek with Selenium Laboratory of Analytical Chemistry & Applied Ecochemistry GHENT UNIVERSITY [In cooperation with ILVO] Promoter: Prof. Filip Tack Co-promoter: Prof. Gijs du Laing By R.V.SRIKANTH.LAVU

439 views • 23 slides
Moving Fast and Slow Healthy Neighborhood Fund February 2015 Fortification of Oil in Kenya

Moving Fast and Slow Healthy Neighborhood Fund February 2015 Fortification of Oil in Kenya

Moving Fast and Slow Healthy Neighborhood Fund February 2015 Fortification of Oil in Kenya Feel-good Workshops for 3 years 15% of cooking oil on market compliant with certification standards Answering the Call Rapid Results Housing Boot

244 views • 21 slides
corn meal fortification in public health: a joint consultation Maria Nieves Garcia-Casal Senior

corn meal fortification in public health: a joint consultation Maria Nieves Garcia-Casal Senior

Technical considerations for maize flour and corn meal fortification in public health: a joint consultation Maria Nieves Garcia-Casal Senior Consultant Evidence and Programme Guidance Unit World Health Organization October 2016 Flours

1.18k views • 33 slides
Food First Fortification Approach in Residential Aged Care Julie Glyde APD/AN Title of

Food First Fortification Approach in Residential Aged Care Julie Glyde APD/AN Title of

Food First Fortification Approach in Residential Aged Care Julie Glyde APD/AN Title of presentation | 1 Introductions Julie Glyde Consultant Dietitian 0404 084 723 julie.glyde @leadingnutrition.com.au Title of presentation | 2 Background

492 views • 21 slides
* RESTAURANT/CAFE/BAKERY VOC FORTIFICATION BAILEYS COTTAGE RELIGIOUS RUST EN VREDE

* RESTAURANT/CAFE/BAKERY VOC FORTIFICATION BAILEYS COTTAGE RELIGIOUS RUST EN VREDE

M U I Z E N B E R G P E D E S T R I A N T O U R I S M R O U T E S N O V E M B E R 2 0 1 2 FALSE BAY STATION MASQUE THEATRE BLUEBIRD CAFE * BLUEBIRD BAILEYS GARAGE SURFSHACK MARKET * THE GOOD BAKERY SHRIMPTONS MANOR INN KOSIES

70 views • 5 slides
Comments and concerns regarding the proposed justification/approach The document provides

Comments and concerns regarding the proposed justification/approach The document provides

R EGIONAL H ARMONIZATION OF S TANDARDS FOR FORTIFIED FOODS Dr. Baseer Khan Achakzai National Fortification Alliance Pakistan Comments and concerns regarding the proposed justification/approach The document provides comprehensive analysis by

212 views • 7 slides
Partners of the international milling industry We make good flours even better! Marvin

Partners of the international milling industry We make good flours even better! Marvin

Partners of the international milling industry We make good flours even better! Marvin Jaeger Area Sales Manager East and Southern Africa Annette Bter Technical Application Manager Flour fortification Agenda: 1. Introduction to

372 views • 26 slides
RICE AND IODIZATION OF SALT SOLD IN SOME CITIES IN PNG V J TEMPLE , N KYAKAS, S GRANT, J BAUTAU, H.

RICE AND IODIZATION OF SALT SOLD IN SOME CITIES IN PNG V J TEMPLE , N KYAKAS, S GRANT, J BAUTAU, H.

ASSESSMENT OF IRON FORTIFICATION OF RICE AND IODIZATION OF SALT SOLD IN SOME CITIES IN PNG V J TEMPLE , N KYAKAS, S GRANT, J BAUTAU, H. KAI, D SIRI, Micronutrient Research Laboratory BMS SMHS UPNG JAMES TEIO & DIANA KAVE Environmental Health

546 views • 35 slides
COUNTRY : TOGO/WEST AFRICA By : Albert K.M. TCHAMDJA CEO, QUALITY SERVICE

COUNTRY : TOGO/WEST AFRICA By : Albert K.M. TCHAMDJA CEO, QUALITY SERVICE

MAIZE FORTIFICATION STRATEGY WORKSHOP 3 7 OCTOBER 2016 DAR ES SALAAM TANZANIA Maize Milling Structure COUNTRY : TOGO/WEST AFRICA By : Albert K.M. TCHAMDJA CEO, QUALITY SERVICE INTERNATIONAL(QSI)/TOGO- www.maivit.com MAIZE MILLING INDUSTRY

1.09k views • 4 slides
MAIZE MILLING INDUSTRY OF BENIN SOCIA BENIN S.A. Firmin LOKO MAIZE MILLING INDUSTRY

MAIZE MILLING INDUSTRY OF BENIN SOCIA BENIN S.A. Firmin LOKO MAIZE MILLING INDUSTRY

MAIZE FORTIFICATION STRATEGY WORKSHOP 3 7 October 2016 Dar es Salaam, Tanzania MAIZE MILLING INDUSTRY OF BENIN SOCIA BENIN S.A. Firmin LOKO MAIZE MILLING INDUSTRY STRUCTURE Number : One Location : Bohicon (130 Km from Cotonou)

1.23k views • 8 slides
2019 Pre-conference tour of Scotland Discover the varied facets of Scotland that make it so

2019 Pre-conference tour of Scotland Discover the varied facets of Scotland that make it so

2019 Pre-conference tour of Scotland Discover the varied facets of Scotland that make it so unique, beautiful, and interesting. March 14-19, 2019 Stirling Castle Stirling Castle has been a fortification upon its volcanic crag since the 1100s.

503 views • 21 slides
Mofota Shomari Manager-Food and Nutrition Security Harmonization Workshop for wheat and maize

Mofota Shomari Manager-Food and Nutrition Security Harmonization Workshop for wheat and maize

East Central and Southern African Health Community (ECSA-HC) Flour fortification in the ECSA region and an overview of ECSA standards Mofota Shomari Manager-Food and Nutrition Security Harmonization Workshop for wheat and maize flour

791 views • 21 slides
Preterm Dietary Supplements Dr Umesh Vaidya IAP Neocon, Mumbai 2015 Preterm VLBW Nutrition :

Preterm Dietary Supplements Dr Umesh Vaidya IAP Neocon, Mumbai 2015 Preterm VLBW Nutrition :

Preterm Dietary Supplements Dr Umesh Vaidya IAP Neocon, Mumbai 2015 Preterm VLBW Nutrition : Ideal practice Minimal enteral feeds (10 ml / kg / day) Human breast milk Feed advancement @ 20 ml / kg / day Human milk fortification 100 ml / kg

695 views • 55 slides
Alesia Scribes Chernihova : Ankur Bambharoliya Problem * Models Motivating Hidden Manha

Alesia Scribes Chernihova : Ankur Bambharoliya Problem * Models Motivating Hidden Manha

Lecture 8 Monte Sequential ( cont ) Carlo : Sampling Gibbs Alesia Scribes Chernihova : Ankur Bambharoliya Problem * Models Motivating Hidden Manha : fT# Yt yt t & zz Z z . , , Et Posterior Parameters al :

863 views • 22 slides
CS534: Machine Learning CS534: Machine Learning Thomas G. Dietterich Thomas G. Dietterich 221C

CS534: Machine Learning CS534: Machine Learning Thomas G. Dietterich Thomas G. Dietterich 221C

CS534: Machine Learning CS534: Machine Learning Thomas G. Dietterich Thomas G. Dietterich 221C Dearborn Hall 221C Dearborn Hall tgd@cs.orst.edu tgd@cs.orst.edu http://www.cs.orst.edu/~tgd/classes/534 http://www.cs.orst.edu/~tgd/classes/534

950 views • 79 slides
A Stereo-Panoramic Telepresence System for Construction Machines Paolo

A Stereo-Panoramic Telepresence System for Construction Machines Paolo

A Stereo-Panoramic Telepresence System for Construction Machines Paolo Tripicchio, Scuola Superiore SantAnna, Pisa Emanuele Ruffaldi, Paolo Gasparello, Shingo Eguchi, Junya Kusuno,

375 views • 19 slides
Advisory Panel on Communication and Dissemination Research << Develop infrastructure for

Advisory Panel on Communication and Dissemination Research << Develop infrastructure for

Advisory Panel on Communication and Dissemination Research << Develop infrastructure for D&I >> May 28, 2015 8:30 AM to 5:00 PM ET Welcome Jean Slutsky, PA, MSPH Chief Engagement and Dissemination Officer Program Director,

847 views • 52 slides
Fortify your MySQL data security in AWS using ProxySQL and Firewalling Marco Tusa Percona About

Fortify your MySQL data security in AWS using ProxySQL and Firewalling Marco Tusa Percona About

Fortify your MySQL data security in AWS using ProxySQL and Firewalling Marco Tusa Percona About Me Open source enthusiast Principal Consultant Working in DB world over 25 years Open source developer and community contributor

979 views • 48 slides
How risky is the Cyber Independent Testing Lab software you use? { Sarah Zatko , Tim Carstens ,

How risky is the Cyber Independent Testing Lab software you use? { Sarah Zatko , Tim Carstens ,

How risky is the Cyber Independent Testing Lab software you use? { Sarah Zatko , Tim Carstens , Patrick Stach , Parker Thompson , mudge } @ CITL https://shmoo18.cyber-itl.org A non-profit organization based in USA Founded by Sarah

609 views • 33 slides
Natural Language Processing Lecture 3: About the Project Build a Question/Answer System

Natural Language Processing Lecture 3: About the Project Build a Question/Answer System

Natural Language Processing Lecture 3: About the Project Build a Question/Answer System Given a Wikipedia article Generate N good questions Given a Wikipedia article Answer N questions generated from that article What is a

800 views • 20 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n

Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n

Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n n Geovisualization of Terez Memorial Memorial Karel Jedli ka, Vclav ada, Radek Fiala, Pavel Hjek, Karel Jane ka, Jan Jeek, Jan

453 views • 20 slides

More recommend