enabling client side crash resistance to overcome
play

Enabling Client-Side Crash-Resistance to Overcome Diversification - PowerPoint PPT Presentation

Mar 01, 2024 •30 likes •660 views

Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding Robert Gawlik , Benjamin Kollenda, Philipp Koppe, Behrad Garmany, Thorsten Holz Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum,

  1. Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding Robert Gawlik , Benjamin Kollenda, Philipp Koppe, Behrad Garmany, Thorsten Holz Ruhr University Bochum Horst Görtz Institute for IT-Security Bochum, Germany

  2. Crash-Resistance

  3. Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  4. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  5. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  6. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  7. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Program should int main(){ MSG msg; terminate abnormally SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  8. NDSS 2016 | San Diego | 02/24/2016

  9. NDSS 2016 | San Diego | 02/24/2016

  10. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Program should int main(){ MSG msg; terminate abnormally SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  11. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } Instead: int main(){ MSG msg; Program runs endlessly SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  12. Crash-Resistance char* addr = 0; • Set timer callback crash() void crash(){ • Dispatch crash() each ms addr++; printf("reading %x", addr); • crash() generates a fault on char content = *(addr); first execution printf("read done"); } int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  13. Crash-Resistance Behind the Scenes char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); } printf("read done"); __except( expr ) } { int main(){ MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  14. Crash-Resistance Behind the Scenes char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); Access violation } printf("read done"); __except( expr ) } { int main(){ MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  15. Crash-Resistance Behind the Scenes char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); Access violation } printf("read done"); __except( expr ) } expr returns 1 { int main(){ MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  16. Crash-Resistance Behind the Scenes char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); Access violation } printf("read done"); __except( expr ) } expr returns 1 { int main(){ execute handler MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  17. Crash-Resistance Behind the Scenes char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); Access violation } printf("read done"); __except( expr ) } expr returns 1 { int main(){ execute handler MSG msg; } SetTimer(0, 0, 1, crash); continue execution while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  18. Crash-Resistance Behind the Scenes char* addr = 0; DispatchMessage: void crash(){ __try addr++; { printf("reading %x", addr); crash() char content = *(addr); } printf("read done"); __except( expr ) } { int main(){ MSG msg; } SetTimer(0, 0, 1, crash); while (1){ return GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  19. Crash-Resistance Behind the Scenes char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); while (1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  20. Crash-Resistance Behind the Scenes char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); Program continues while (1){ running despite GetMessage(&msg, NULL, 0, 0); producing faults DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  21. Crash-Resistance Behind the Scenes char* addr = 0; void crash(){ addr++; printf("reading %x", addr); If a fault is generated, char content = *(addr); execution is printf("read done"); transferred to the end } of the loop int main(){ MSG msg; SetTimer(0, 0, 1, crash); Program continues while (1){ running despite GetMessage(&msg, NULL, 0, 0); producing faults DispatchMessage(&msg); } } NDSS 2016 | San Diego | 02/24/2016

  22. Client-Side Crash-Resistance

  23. Client-Side Crash-Resistance • Server applications respawn upon abnormal termination NDSS 2016 | San Diego | 02/24/2016

  24. Client-Side Crash-Resistance • Server applications respawn upon abnormal termination → Attacks: ASLR de-randomization [1]; Hacking Blind [2]; Missing the Point(er) [3] NDSS 2016 | San Diego | 02/24/2016

  25. Client-Side Crash-Resistance • Server applications respawn upon abnormal termination → Attacks: ASLR de-randomization [1]; Hacking Blind [2]; Missing the Point(er) [3] • Client programs do not restart upon a crash (e.g., web browsers ) NDSS 2016 | San Diego | 02/24/2016

  26. Client-Side Crash-Resistance • Server applications respawn upon abnormal termination → Attacks: ASLR de-randomization [1]; Hacking Blind [2]; Missing the Point(er) [3] • Client programs do not restart upon a crash (e.g., web browsers ) • Crash-resistant code constructs are available in browsers NDSS 2016 | San Diego | 02/24/2016

  27. Client-Side Crash-Resistance • Server applications respawn upon abnormal termination → Attacks: ASLR de-randomization [1]; Hacking Blind [2]; Missing the Point(er) [3] • Client programs do not restart upon a crash (e.g., web browsers ) • Crash-resistant code constructs are available in browsers • Crash-resistant code prevents abnormal termination of browsers NDSS 2016 | San Diego | 02/24/2016

  28. Client-Side Crash-Resistance • Server applications respawn upon abnormal termination → Attacks: ASLR de-randomization [1]; Hacking Blind [2]; Missing the Point(er) [3] • Client programs do not restart upon a crash (e.g., web browsers ) • Crash-resistant code constructs are available in browsers • Crash-resistant code prevents abnormal termination of browsers • It is possible to access memory more than once with wrong permissions NDSS 2016 | San Diego | 02/24/2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TCP ECN Experience with enabling ECN on the Internet Padma Bhooma Apple 1 ECN deployment

TCP ECN Experience with enabling ECN on the Internet Padma Bhooma Apple 1 ECN deployment

TCP ECN Experience with enabling ECN on the Internet Padma Bhooma Apple 1 ECN deployment Padma Bhooma MAPRG 98th IETF Chicago March 2017 Using ECN from client side Apple enabled negotiation of TCP ECN (RFC 3168) from the client-side

467 views • 20 slides
An Investigation of Antibiotic g Derivatives to Overcome Resistance Ji Jim Birrell i ll Ezgi

An Investigation of Antibiotic g Derivatives to Overcome Resistance Ji Jim Birrell i ll Ezgi

An Investigation of Antibiotic g Derivatives to Overcome Resistance Ji Jim Birrell i ll Ezgi Hacisuleyman Ting Huang Daniel Johnson Zhiyong Poon Susan Zawaski December 4 th , 2008 Agenda Agenda Background of antibiotic resistance

316 views • 19 slides
FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware

FIDES: Lightweight Authentication Cipher with Side-Channel Resistance for Constrained Hardware Begl Bilgin, Andrey Bogdanov, Miroslav Kne evi , Florian Mendel, and Qingju Wang 1 DIAC 2013, Chicago Side Channel Resistance 2 Side

1.29k views • 76 slides
Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side Rear Other 39% N=32,335 Source: 2002 FARS Side-impact Crashes (non-rollover) by Crash Partner Passenger Cars Other 19% 21% Narrow Objects

708 views • 4 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You

Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You

Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You and Hao Chu Intelligent Space Lab National Taiwan University Outline Problem Related Work Replicated Client-Server Model

546 views • 17 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
New Client Puzzle Outsourcing Techniques for DoS Resistance Paper by Waters, Juels,

New Client Puzzle Outsourcing Techniques for DoS Resistance Paper by Waters, Juels,

New Client Puzzle Outsourcing Techniques for DoS Resistance Paper by Waters, Juels, Halderman, and Felten Presenter: Michael Peck Outline Need for client puzzles Basic idea of client puzzles Related ideas Juels/Brainard

551 views • 39 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Categories of Client Resistance Chamberlin, Patterson, Reid, Kavanaugh, and Forgatch (1984)

Categories of Client Resistance Chamberlin, Patterson, Reid, Kavanaugh, and Forgatch (1984)

Categories of Client Resistance Chamberlin, Patterson, Reid, Kavanaugh, and Forgatch (1984) Arguing-client contests the accuracy, integrity, or expertise of the therapist Interrupting- client breaks in and interrupts the therapist in a

328 views • 13 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
Reducing Social Isolation and Loneliness by enabling and empowering people with dementia ntia

Reducing Social Isolation and Loneliness by enabling and empowering people with dementia ntia

Exploring opportunities Building communities Changing lives Side by Side Reducing Social Isolation and Loneliness by enabling and empowering people with dementia ntia Side by Side 2 Reducing Social Isolation and Loneliness by enabling and

494 views • 10 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
resistance IN THE MATERIALS You cant have art without resistance in the material. ANYTHING

resistance IN THE MATERIALS You cant have art without resistance in the material. ANYTHING

resistance IN THE MATERIALS You cant have art without resistance in the material. ANYTHING that gets between a mans hand and his work, you more or less see, is bad for him. Theres a pleasant feel in the paper under ones hand

594 views • 25 slides
Diversity, Stability, and Resilience of the Human Microbiome David A. Relman, Stanford University

Diversity, Stability, and Resilience of the Human Microbiome David A. Relman, Stanford University

Diversity, Stability, and Resilience of the Human Microbiome David A. Relman, Stanford University Human Microbiome Science: Vision for the Future Bethesda / July 24, 2013 Microbes as threats

856 views • 57 slides
Functional resilience in neural networks Mediterranean School of Complex Networks Edward

Functional resilience in neural networks Mediterranean School of Complex Networks Edward

Functional resilience in neural networks Mediterranean School of Complex Networks Edward Laurence September 5, 2017 Dpartement de physique, de gnie physique, et doptique Universit Laval, Qubec, Canada 0 Resilience Ability to

317 views • 31 slides
Downgrade Resilience in Key-Exchange Protocols Ruth Ng TLS Crypto Seminar, Winter 2019, UC San

Downgrade Resilience in Key-Exchange Protocols Ruth Ng TLS Crypto Seminar, Winter 2019, UC San

Downgrade Resilience in Key-Exchange Protocols Ruth Ng TLS Crypto Seminar, Winter 2019, UC San Diego Overview High-level summary of the whole paper: Motivate the study of downgrade resilience (Very) brief discussion on modelling

604 views • 24 slides
Electric Currents B 4 & DC Circuits C 1/2 D 1/4 E 1 Slide 3 / 70 Slide 4 / 70 2 A

Electric Currents B 4 & DC Circuits C 1/2 D 1/4 E 1 Slide 3 / 70 Slide 4 / 70 2 A

Slide 1 / 70 Slide 2 / 70 1 The length of an aluminum wire is quadrupled and the radius is doubled. By which factor does the resistance change? A 2 Electric Currents B 4 & DC Circuits C 1/2 D 1/4 E 1 Slide 3 / 70 Slide 4 / 70

266 views • 12 slides
Research, Resistance and Sisterhood The Res-Sisters The Res-Sisters Documenting pains and

Research, Resistance and Sisterhood The Res-Sisters The Res-Sisters Documenting pains and

Research, Resistance and Sisterhood The Res-Sisters The Res-Sisters Documenting pains and pleasures Re search, resist ance, and sister hood Range of positions A collective endeavour Challenge and change The Res-Sister

853 views • 15 slides
Kirchhoffs Laws II & Kirchhoffs Laws Examples Current law, KCL Equivalent

Kirchhoffs Laws II & Kirchhoffs Laws Examples Current law, KCL Equivalent

2/3/20 Class Concepts Open & short circuits Series and parallel elements Kirchhoffs Laws II & Kirchhoffs Laws Examples Current law, KCL Equivalent Resistance Voltage law, KVL Equivalent resistance Series

703 views • 10 slides
Herbicide Resistance: Herbicide Resistance: Protecting the PPOs Protecting the PPOs Eric

Herbicide Resistance: Herbicide Resistance: Protecting the PPOs Protecting the PPOs Eric

Herbicide Resistance: Herbicide Resistance: Protecting the PPOs Protecting the PPOs Eric P. Prostko Eric P. Prostko Extension Weed Specialist Extension Weed Specialist Dept. of Crop & Soil Sciences Dept. of Crop & Soil

362 views • 14 slides

More recommend