eth z rich
play

ETH Zrich FFmpeg and a thousand fixes >1,000 bugs found and - PowerPoint PPT Presentation

Jan 09, 2023 •128 likes •366 views

Fine-Grained Control-Flow Integrity through Binary Hardening Mathias Payer, Antonio Barresi, Thomas R. Gross ETH Zrich FFmpeg and a thousand fixes >1,000 bugs found and fixed 2 person-years & fuzzing on large cluster

  1. Fine-Grained Control-Flow Integrity through Binary Hardening Mathias Payer, Antonio Barresi, Thomas R. Gross ETH Zürich

  2. FFmpeg and a thousand fixes >1,000 bugs found and fixed 2 person-years & fuzzing on large cluster http://j00ru.vexillium.org/?p=2211 Jan-10, 2014

  3. Software is unsafe and insecure ● Low-level languages (C/C++) trade type safety and memory safety for performance – Programmer responsible for all checks ● Large set of legacy and new applications written in C / C++ prone to memory bugs ● Too many bugs to find and fix manually – Protect integrity through safe runtime system

  5. Code Reuse Attacks

  6. Attack scenario: code reuse ● Find addresses of gadgets ● Force memory corruption to set up attack ● Leverage gadgets for code-reuse attack Code Heap Stack

  7. Control-flow hijack attack ● Attacker modifies code pointer 1 – Function return – Indirect jump 2 3 – Indirect call 4 ● Control-flow leaves valid graph 4' ● Reuse existing code – Return-oriented programming – Jump-oriented programming

  8. Control-Flow Integrity

  9. Control-Flow Integrity (CFI) ● CFI enforces that each dynamic indirect control flow transfer must target a statically determined set of locations ● Three sources of indirect transfers – Indirect jump – Indirect call – Function returns

  10. Control-Flow Integrity (CFI) 1 ● Statically construct Control-Flow Graph 2 3 – Find set of allowed targets for each location 4 ● Online set check 0xa … 0xb jmpl *%eax 0xc … 0xd 0xd call *(0xb) 0xe … 0x2 call *(0xc) 0xf

  11. Control-Flow Integrity (CFI) 1 ● Statically construct Control-Flow Graph 2 3 – Find set of allowed targets for each location 4 ● Online set check 0xa … 0xb jmpl *%eax Attacker may write to memory, 0xc … 0xd 0xd call *(0xb) code pointers verified if used 0xe … 0x2 call *(0xc) 0xf

  12. Fine-grained CFI for binaries ● Fine-grained CFI relies on source code ● Coarse-grained CFI is imprecise ● Goal: enforce fine-grained CFI for binaries – Support legacy, binary code – Support modularity (libraries) – Leverage precise, dynamic analysis – Low performance overhead

  13. Lockdown design Shadow stack Shadow stack Shadow stack Lockdown Domain Loader Binary Translator CFT Verifier Loads translate() ELF files /bin/<exe> libc.so.6 Code Cache App. Domain printf () main' main () Run-time ELF func1 () func2' ICT Files func2 () lib* validation printf' ... func* () User Kernel System Call Interface System Call Interface read only readable + executable

  14. Dynamic CFI analysis ● Leverage program's modularity through loader /bin/<exec> /lib/libc.so.6 /lib/lib* exported imported exported imported exported imported puts - _dl* ifunc* puts funcA scanf ... funcB ... scanf funcA mprotect ... ... ... .text .text .text call puts puts: funcA: ... ... ... lea fptr, %eax mprotect: funcB: ... ... ... call *%eax ... symbol table of ELF DSO allowed Control Flow transfer illegal Control Flow transfer .text section of DSO

  15. Dynamic CFI analysis ● Leverage program's modularity through loader /bin/<exec> /lib/libc.so.6 /lib/lib* Modularity increases precision. exported imported exported imported exported imported puts - _dl* ifunc* puts funcA No source needed. scanf ... funcB ... scanf funcA mprotect ... ... ... Leverage context of transfers. .text .text .text call puts puts: funcA: ... ... ... lea fptr, %eax mprotect: funcB: ... ... ... call *%eax ... symbol table of ELF DSO allowed Control Flow transfer illegal Control Flow transfer .text section of DSO

  16. Lockdown CFI rules ● Return instructions must return to the caller – Precise due to shadow stack ● Call instructions must target valid functions – Imported in the current module (context) ● Jump instructions must target valid instructions inside the current symbol (or functions)

  17. Performance: Apache 2.2 ● 15,000,000 requests ● 56 kB HTML file, 1054 kB image ● Apache 2.2 runs under default configuration Configuration Small file Image Combined Single threaded 30.41% 1.94% 7.87% Concurrent 6.27% 1.09% 1.83% Concurrent with 15.80% 3.00% 4.36% keep-alive

  18. Security evaluation ● CVE 2013-2028 compromises nginx – Both ROP (ret) or COP (icall) exploitation possible Length RET CALL/JMP/ SYS ROP attack 30 7 0 COP attack 30 0 (487*) 99 * reachable, but protected by shadow stack

  19. Necessity of shadow stack ● Defenses without stack integrity are broken – Loop through two calls to the same function – Choose any caller as return location ● Lockdown enforces a protected shadow stack – Attacker restricted to arbitrary targets on the stack – Each target can only be called once, in sequence

  20. Conclusion

  21. Conclusion ● Protect in the presence of bugs ● Supports legacy and binary code ● Control-flow hijack protection – Shadow stack, dynamic CFI, and locality – System call policy as secondary protection ● Reasonably low overhead

  22. Thank you! Questions? Mathias Payer, Antonio Barresi, Thomas R. Gross

  23. Performance: SPEC CPU2006 160 Performance overhead 140 120 100 80 60 40 20 0 BT Lockdown

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE GOOD Nutritional value of seafood: Rich source of vitamins Rich source of minerals Rich

THE GOOD Nutritional value of seafood: Rich source of vitamins Rich source of minerals Rich

Mr. Vernell Kea Seafood safety/inspection presentation outline THE GOOD Nutritional value of seafood: Rich source of vitamins Rich source of minerals Rich source of unsaturated fat Benefits of seafood: Reduce risk of heart disease omega 3

301 views • 4 slides
THE POOR RICH [ P A R T T W O ] 1 Come now, you rich, weep and howl for your miseries which are

THE POOR RICH [ P A R T T W O ] 1 Come now, you rich, weep and howl for your miseries which are

1 THE POOR RICH [ P A R T T W O ] 1 Come now, you rich, weep and howl for your miseries which are coming upon you. 2 Your riches have rotted and your garments have become moth-eaten. 3 Your gold and your JAMES 5:1-6 silver have rusted; and

524 views • 25 slides
POOR RICH P A R T O N E 1 Come now, you rich, weep and howl for your miseries which are coming

POOR RICH P A R T O N E 1 Come now, you rich, weep and howl for your miseries which are coming

1 THE POOR RICH P A R T O N E 1 Come now, you rich, weep and howl for your miseries which are coming upon you. 2 Your riches have rotted and your garments have become moth-eaten. 3 Your gold and your JAMES 5:1-6 silver have rusted; and

380 views • 21 slides
PRESENTATION BY ALYKHAN SATCHU CEO Rich Management Limited http://www.rich.co.ke CUSTOMER

PRESENTATION BY ALYKHAN SATCHU CEO Rich Management Limited http://www.rich.co.ke CUSTOMER

PRESENTATION BY ALYKHAN SATCHU CEO Rich Management Limited http://www.rich.co.ke CUSTOMER EXPERIENCE THE BUSINESS CASE 10 th March 2017 7.5 billion people live on the white dot on the upper left. (view of Earth from Mars)

547 views • 27 slides
Rich Dietz TriSummit Solutions @RichDietz Linkedin.com/in/RichDietz 3 Rich has over 20 years'

Rich Dietz TriSummit Solutions @RichDietz Linkedin.com/in/RichDietz 3 Rich has over 20 years'

Rich Dietz TriSummit Solutions @RichDietz Linkedin.com/in/RichDietz 3 Rich has over 20 years' experience working in and with a wide variety of nonprofit, political, and government organizations and holds a Masters in Social Welfare (MSW)

511 views • 30 slides
Status of the CBM- and HADES RICH projects at FAIR C. Pauly, Wuppertal University for the CBM

Status of the CBM- and HADES RICH projects at FAIR C. Pauly, Wuppertal University for the CBM

Status of the CBM- and HADES RICH projects at FAIR C. Pauly, Wuppertal University for the CBM RICH and HADES collaboration Contents: Status of the FAIR facility The CBM RICH detector The HADES RICH upgrade R&amp;D work - Hamamatsu H12700

543 views • 27 slides
iRUI - The Rich Client and i iRUI - The Rich Client and i Pluta Brothers Design, Inc. Joe Pluta

iRUI - The Rich Client and i iRUI - The Rich Client and i Pluta Brothers Design, Inc. Joe Pluta

iRUI - The Rich Client and i iRUI - The Rich Client and i Pluta Brothers Design, Inc. Joe Pluta Agenda Who is PBD? Multi-Tiered Application Design The Tiers of a Rich Client The Messages Creating a Business Logic Library Function Creating

779 views • 49 slides
CAL CALCIUM RICH RICH FOOD FOOD WA WASTES BA BASED CA CATALYSTS STS FOR FOR BI BIODI ODIESEL

CAL CALCIUM RICH RICH FOOD FOOD WA WASTES BA BASED CA CATALYSTS STS FOR FOR BI BIODI ODIESEL

4th 4th In Internatio ional Conf nfer erence ence on on Sus Sustainab ainable Sol Solid Wa Waste Ma Manag nagemen ment 24th June 2016 CAL CALCIUM RICH RICH FOOD FOOD WA WASTES BA BASED CA CATALYSTS STS FOR FOR BI BIODI ODIESEL SEL PR

579 views • 16 slides
modelling rich interaction sensor-based systems statusevent analysis rich set of

modelling rich interaction sensor-based systems statusevent analysis rich set of

Modelling Rich Interaction statusevent analysis chapter 18 rich environments in task analysis modelling rich interaction sensor-based systems statusevent analysis rich set of phenomena events status events

661 views • 9 slides
USE OF GEANT4 FOR LHCB RICH SIMULATION S. Easo, RAL, 5-7-2001 LHCB AND ITS RICH DETECTORS.

USE OF GEANT4 FOR LHCB RICH SIMULATION S. Easo, RAL, 5-7-2001 LHCB AND ITS RICH DETECTORS.

USE OF GEANT4 FOR LHCB RICH SIMULATION S. Easo, RAL, 5-7-2001 LHCB AND ITS RICH DETECTORS. TESTBEAM DATA FOR LHCB-RICH. OVERVIEW OF GEANT4 SIMULATION. DESCRIPTION AND VERIFICATION OF SIMULATION. RESULTS ON PHOTOELECTRON

340 views • 17 slides
HI Rich Galaxies Probing Gas Accretion Joo Heon Yoon Jacqueline van Gorkom Virgo HI-rich

HI Rich Galaxies Probing Gas Accretion Joo Heon Yoon Jacqueline van Gorkom Virgo HI-rich

HI Rich Galaxies Probing Gas Accretion Joo Heon Yoon Jacqueline van Gorkom Virgo HI-rich Galaxies N4713 N4383 N4772 N4561 N4808 Samples Image Credit: Aeree Chung Faint Tail of NGC4808 15~90kpc V-band Imaging To find extended

542 views • 17 slides
Living a Rich and Intentional Life Stan Gibson Life Becomes Rich When Death Becomes Certain

Living a Rich and Intentional Life Stan Gibson Life Becomes Rich When Death Becomes Certain

Living a Rich and Intentional Life Stan Gibson Life Becomes Rich When Death Becomes Certain Yales Most Popular Class Ever: Happiness 101 Oxygen Plus The Process Living with Self Purpose Energy Awareness Intention Living with

796 views • 44 slides
Netbeans Platform For Rich Client Development Rich Client Platform Jaroslav Tulach Luk

Netbeans Platform For Rich Client Development Rich Client Platform Jaroslav Tulach Luk

Netbeans Platform For Rich Client Development Rich Client Platform Jaroslav Tulach Luk Barto Sun Microsystems Hewlett-Packard The Need for NetBeans and/or Eclipse Don't write yet another framework, please! Rest in piece to home made

687 views • 49 slides
The RICH detector for CLAS12 at Jefferson Lab L.L. Pappalardo 1 (on behalf of the CLAS12-RICH

The RICH detector for CLAS12 at Jefferson Lab L.L. Pappalardo 1 (on behalf of the CLAS12-RICH

The Journals name will be set by the publisher DOI: will be set by the publisher Owned by the authors, published by EDP Sciences, 2014 c The RICH detector for CLAS12 at Jefferson Lab L.L. Pappalardo 1 (on behalf of the CLAS12-RICH

722 views • 4 slides
Agenda Topics: Presenter: Introduction - Rich Miram/Roy Kuga CHP Settlement Overview -

Agenda Topics: Presenter: Introduction - Rich Miram/Roy Kuga CHP Settlement Overview -

Combined Heat and Power (CHP) Request for Offers Participants Conference January 12, 2012 Agenda Topics: Presenter: Introduction - Rich Miram/Roy Kuga CHP Settlement Overview - Rich Miram Solicitation Overview - Rich

1.17k views • 78 slides
Rich Communications with Kamailio &amp; IMS What is he talking about? Timetravel: The 90s

Rich Communications with Kamailio &amp; IMS What is he talking about? Timetravel: The 90s

Rich Communications with Kamailio &amp; IMS What is he talking about? Timetravel: The 90s till today IMS on Kamailio Definition: Rich Communications Rich Communications in SIP and Kamailio Practical example: Be surprised...

518 views • 23 slides
No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace &amp; @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
Recycling 101 Webster Groves Presbyterian Church March 17, 2019 J.R. Walters The Problem

Recycling 101 Webster Groves Presbyterian Church March 17, 2019 J.R. Walters The Problem

Recycling 101 Webster Groves Presbyterian Church March 17, 2019 J.R. Walters The Problem One Day We make, use, and throw away a lot of stuff! On average a person in the U.S. produces

454 views • 28 slides
Non-Silicon Non-Binary Computing: Why Not? Elena Dubrova, Yusuf Jamal, Jimson Mathew Royal

Non-Silicon Non-Binary Computing: Why Not? Elena Dubrova, Yusuf Jamal, Jimson Mathew Royal

Non-Silicon Non-Binary Computing: Why Not? Elena Dubrova, Yusuf Jamal, Jimson Mathew Royal Institute of Technology Stockholm, Sweden Overview Motivation Introduction to multiple-valued computing Implementation of multiple-valued

489 views • 24 slides
On Target Coun-ng by Sequen-al Snapshots of Binary Proximity

On Target Coun-ng by Sequen-al Snapshots of Binary Proximity

On Target Coun-ng by Sequen-al Snapshots of Binary Proximity Sensors Tongyang Li, Yongcai Wang, Lei Song Ins-tute for Interdisciplinary Informa-on Sciences (IIIS),

303 views • 26 slides
Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown Zhenlin Wang jshiebel@mtu.edu lebrown@mtu.edu zlwang@mtu.edu Department of Computer Science Michigan Technological University International

544 views • 31 slides
Beyond Binary Labels: Political Ideology Prediction of Twitter Users Daniel Preot iuc-Pietro

Beyond Binary Labels: Political Ideology Prediction of Twitter Users Daniel Preot iuc-Pietro

Beyond Binary Labels: Political Ideology Prediction of Twitter Users Daniel Preot iuc-Pietro Joint work with Ye Liu (NUS), Daniel J Hopkins (Political Science), Lyle Ungar (CS) 2 August 2017 Motivation User attribute prediction from text

534 views • 32 slides

More recommend