feel me flow a review of control flow integrity methods
play

Feel me Flow: A Review of Control-Flow Integrity Methods for User - PowerPoint PPT Presentation

May 06, 2023 •250 likes •865 views

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

  1. Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Díez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es

  2. Rationale

  3. Rationale

  4. Code injection attacks

  5. Code injection attacks Control Flow Graph Intended flow Memory error

  6. Code injection attacks Control Flow Graph Intended flow Memory error Attacker

  7. Code injection attacks Control Flow Graph Intended flow Memory error Injected code Actual flow Attacker

  8. Code injection attacks Code injection Control Flow Graph Intended flow Memory error Injected code Actual flow Attacker

  9. Code injection attacks Code injection Data Execution Prevention (DEP) / Write XOR Execute (W ⊕ E) Canaries Control Flow Graph Intended flow Memory error Injected code Actual flow Attacker

  10. Code reuse attacks

  11. Code reuse attacks Control Flow Graph Intended flow Memory error

  12. Code reuse attacks x0fo86 x0e58b Control Flow Graph Intended flow Memory error Attacker

  13. Code reuse attacks x0fo86 x0e58b x0e58b x0fo86 Control Flow Graph Intended flow Memory error Attacker

  14. Code reuse attacks x0fo86 x0e58b x0e58b Code reuse G G x0fo86 Control Flow Graph Intended flow Memory error G Gadget Actual flow Attacker

  15. Code reuse attacks x0fo86 x0e58b x0e58b Code reuse G ASLR Kernel ASLR G → Statistical x0fo86 Control Flow Graph Intended flow Memory error G Gadget Actual flow Attacker

  16. Code reuse attacks x0fo86 x0e58b x0e58b Code reuse G ASLR Kernel ASLR G → Statistical x0fo86 Control Flow Integrity (CFI) Control Flow Graph Intended flow Memory error G Gadget Actual flow Attacker

  17. Control-Flow Integrity (CFI) Abadi et al. CCS’05

  18. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 - Offline: CFG computation

  19. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 - Offline: CFG computation

  20. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 2 3 4 5 6 7 Control Flow Graph (CFG) 1 - Offline: CFG computation

  21. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 2 3 4 5 6 7 Control Flow Graph (CFG) 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  22. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 5 → {7} 4 5 6 6 → {7} 7 → { ∅ } 7 Control Flow Graph (CFG) Enforced CFG 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  23. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 Control Flow Graph (CFG) Enforced CFG 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  24. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 Control Flow Graph (CFG) Enforced CFG 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  25. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 1 Control Flow Graph (CFG) Enforced CFG 2 Execution 2 5 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  26. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 1 Control Flow Graph (CFG) Enforced CFG 2 Execution 2 5 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  27. Control-Flow Integrity (CFI) Abadi et al. CCS’05 1 1 3 1 → {2, 3} 2 → {4, 5} 2 3 3 → {6} 4 → {2} 6 Execution 1 5 → {7} 4 5 6 6 → {7} 7 7 → { ∅ } 7 1 Control Flow Graph (CFG) Enforced CFG 2 Execution 2 5 2 - Runtime: CFG enforcement 1 - Offline: CFG computation

  28. Control-Flow Integrity (CFI) - II x0fo86 x0e58b x0e58b Code reuse G G x0fo86 Attacker’s goal execution Original CFG Intended flow Memory error Gadget G Actual flow Attacker

  29. Control-Flow Integrity (CFI) - II x0e58b G G x0fo86 Original CFG Intended flow Memory error Gadget G Actual flow Attacker

  30. Control-Flow Integrity (CFI) - II x0fo86 x0e58b x0e58b Code reuse G G x0fo86 Abort execution Original CFG Intended flow Memory error Gadget G Actual flow Attacker

  31. CFI Internals

  32. CFI Internals Computation phase Flow sensitive VS flow insensitive

  33. CFI Internals Computation phase Flow sensitive VS flow insensitive 1 | obj = &x; 2 | 3 | obj = &y;

  34. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive

  35. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive

  36. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive A B C D E Where can we return to from function C?

  37. CFI Internals Computation phase Flow sensitive VS flow insensitive obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive → B & E A B C Insensitive → B if called from B, D E E if called from E: Sensitive Where can we return to from function C?

  38. CFI Internals Computation phase Enforcement phase Flow sensitive VS flow insensitive Forward vs backward control-flow transfers obj at 1 → {x} obj → {x, y} 1 | obj = &x; obj at 2→ {y} 2 | 3 | obj = &y; Insensitive Sensitive Context sensitive VS context insensitive → B & E A B C Insensitive → B if called from B, D E E if called from E: Sensitive Where can we return to from function C?

  39. CFI Internals Computation phase Enforcement phase Flow sensitive VS flow insensitive Forward vs backward control-flow transfers obj at 1 → {x} obj → {x, y} 1 | obj = &x; Forward Backward obj at 2→ {y} 2 | 3 | obj = &y; A B A B Insensitive Sensitive Both Context sensitive VS context insensitive A B → B & E A B C Insensitive → B if called from B, D E E if called from E: Sensitive Where can we return to from function C?

  40. CFI Internals Computation phase Enforcement phase Flow sensitive VS flow insensitive Forward vs backward control-flow transfers obj at 1 → {x} obj → {x, y} 1 | obj = &x; Forward Backward obj at 2→ {y} 2 | 3 | obj = &y; A B A B Insensitive Sensitive Both Context sensitive VS context insensitive A B → B & E A B C Insensitive Which control-flow → B if called from B, D E transfers do we E if called from E: take into account? Sensitive Where can we return to from function C?

  41. Comparison fields

  42. Comparison fields Control Flow Transfers Less secure Backward Forward More secure

  43. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed More secure

  44. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source More secure

  45. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases More secure

  46. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases More secure

  47. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases ( Hardware) Limited There is some restriction on full CS Context Sensitivity More secure

  48. Comparison fields Control Flow Transfers Less secure Backward Forward ∅ Every control flow transfer is allowed Makes the assumption that two destinations Equivalent classes are equivalent if they come from the same source May or may not work on specially crafted Heuristics cases (Hardware) Limited There is some restriction on full CS Context Sensitivity Context Sensitive More secure

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program

961 views • 72 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY & RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

584 views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
ProtoDUNE-DP WA105 - 640 channels Signal Feedthrough Chimney configuration Overpressure check

ProtoDUNE-DP WA105 - 640 channels Signal Feedthrough Chimney configuration Overpressure check

ProtoDUNE-DP WA105 - 640 channels Signal Feedthrough Chimney configuration Overpressure check valve (~1.1-1.2 absolute bar) Preliminary vacuum valve Pressure Transducer Temperature FT Gas N 2 IN line A2D + DAQ LAr OUT SS line (thermal

81 views • 5 slides
Foundations and Theoretical Aspects of Propositional Satisfiability John Franco

Foundations and Theoretical Aspects of Propositional Satisfiability John Franco

Foundations and Theoretical Aspects of Propositional Satisfiability John Franco franco@gauss.ececs.uc.edu presentation to SMT/SAT Summer School, Helsinki, 2013 July, 2013 Outline Objective: Introduce SAT and SMT Show SAT and SMT

2.4k views • 155 slides
Hierarchical Dirichlet Processes Presenters: Micah Hodosh, Yizhou Sun 4/7/2010 1 Content

Hierarchical Dirichlet Processes Presenters: Micah Hodosh, Yizhou Sun 4/7/2010 1 Content

Hierarchical Dirichlet Processes Presenters: Micah Hodosh, Yizhou Sun 4/7/2010 1 Content Introduction and Motivation Dirichlet Processes Hierarchical Dirichlet Processes Definition Three Analogs Inference Three

863 views • 44 slides
WISCONSIN TAX UPDATE Passthrough entities Corporations Withholding Sales and use

WISCONSIN TAX UPDATE Passthrough entities Corporations Withholding Sales and use

10/28/2019 Topics Income/franchise tax law changes, updates, and reminders Individual income tax WISCONSIN TAX UPDATE Passthrough entities Corporations Withholding Sales and use tax Vapor products tax Presented by

419 views • 27 slides
Dynamical Supersymmetry Breaking from D-branes at Singularities Angel M. Uranga TH Division,

Dynamical Supersymmetry Breaking from D-branes at Singularities Angel M. Uranga TH Division,

Dynamical Supersymmetry Breaking from D-branes at Singularities Angel M. Uranga TH Division, CERN and IFT-UAM/CSIC, Madrid S.Franco, A.U, hep-th/0604136 I. Garc a-Etxebarria, F. Saad, A. U, hep-th/0605166 GGI, Florence, June 2006

371 views • 13 slides
Kurdyka- Lojasiewicz inequality and Kurdyka- Lojasiewicz inequality and subgradient

Kurdyka- Lojasiewicz inequality and Kurdyka- Lojasiewicz inequality and subgradient

Kurdyka- Lojasiewicz inequality and Kurdyka- Lojasiewicz inequality and subgradient trajectories : the convex case subgradient trajectories: the convex case Olivier Ley Olivier Ley Journ ees Universit e de Tours Franco-

290 views • 16 slides
A minimal dynamical model of North Atlantic Oscillation regimes Franco Molteni ( ECMWF, Reading,

A minimal dynamical model of North Atlantic Oscillation regimes Franco Molteni ( ECMWF, Reading,

A minimal dynamical model of North Atlantic Oscillation regimes Franco Molteni ( ECMWF, Reading, U.K.) Fred Kucharski (ICTP, Trieste, Italy) F. Molteni and F. Kucharski: A heuristic dynamical model of the North Atlantic Oscillation with a

304 views • 18 slides
Spectral inequality for the Schr odinger equation g + V ( x ) in R d Gilles Lebeau ,

Spectral inequality for the Schr odinger equation g + V ( x ) in R d Gilles Lebeau ,

Spectral inequality for the Schr odinger equation g + V ( x ) in R d Gilles Lebeau , IvanMoyano D epartementdeMath ematiques , Universit e Nice Sophia Antipolis, lebeau@unice.fr CenterforMathematicalSciences , im

323 views • 20 slides

More recommend