guarding vulnerable code module 1 sanitization
play

Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, - PowerPoint PPT Presentation

Jan 26, 2023 •213 likes •689 views

Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University http://hexhive.github.io 1 Vulnerabilities everywhere? 2 Common Languages: TIOBE18 Jul 2018 Jul 2017 Change Language Ratings Change 1 1 Java

  1. Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University http://hexhive.github.io 1

  2. Vulnerabilities everywhere? 2

  3. Common Languages: TIOBE’18 Jul 2018 Jul 2017 Change Language Ratings Change 1 1 Java 16.139% +2.37% 2 2 C 14.662% +7.34% 3 3 C++ 7.615% +2.04% 4 4 Python 6.361% +2.82% 5 7 + VB .NET 4.247% +1.20% 6 5 - C# 3.795% +0.28% 7 6 - PHP 2.832% -0.26% 8 8 JavaScript 2.831% +0.22% 9 - ++ SQL 2.334% +2.33% 10 18 ++ Objective-C 1.453% -0.44% 3

  4. Software is highly complex Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: 1 MLoC glibc: 2 MLoC Linux kernel: 17 MLoC Low-level languages (C/C++) trade type safety and memory safety for performance 4

  5. Defense: Testing vs. Mitigations Software Testing Mitigations ● Discover bugs ● Stop exploitation ● Development tool ● Always on ● Result oriented ● Low overhead 5

  6. Memory Corruption 6

  7. Memory error: invalid dereference Dangling pointer: free (foo); (temporal) *foo = 23; Out-of-bounds pointer: char foo[ 40 ]; (spatial) foo[ 42 ] = 23; Violation iff: pointer is read, written, or freed 7

  8. Type Confusion 8

  9. Type confusion through downcasts Base Greeter Exec Greeter *g = new Greeter(); Exec *e = static_cast<Exec*>(b); √ Base *b = static_cast<Base*>(g); X 9

  10. C++ casting operations ● static_cast<ToClass>(Object) – Compile time check – No runtime type information ● dynamic_cast<ToClass>(Object) – Runtime check – Requires Runtime Type Information (RTTI) – Not used in performance critical code 10

  11. Static cast Base *b = …; a = static_cast<Greeter*>(b); movq -24(%rbp), %rax # Load pointer # Type “check” movq %rax, -40(%rbp) # Store pointer 11

  12. Dynamic cast (O2) Base *b = …; a = dynamic_cast<Greeter*>(b); leaq _ZTI7Greeter(%rip), %rdx leaq _ZTI4Base(%rip), %rsi xorl %ecx, %ecx movq %rbp, %rdi # Load pointer call __dynamic_cast@PLT # Type check 12

  13. Type confusion Gptr vtable*? class Base { Bptr x int x; }; y? class Greeter: Base { int y; vtable* virtual void Hi(); }; B G x … y Base *Bptr = new Base(); Greeter *Gptr; Gptr = static_cast<Greeter*>Gptr; // Type Conf Gptr->y = 0x43; // Memory safety violation! Gptr->Hi(); // Control-flow hijacking 13

  14. Type Confusion Demo 14

  15. C++ virtual dispatch class Base { … }; class Exec: public Base { Base public : virtual void exec( char *prg) { system(prg) ; } Greater Exec }; class Greeter: public Base { public : virtual void sayHi( char *str) { std::cout << str << std::endl; } }; Greeter *greeter = new Greeter(); greeter->sayHi("Oh, hello there!"); 15

  16. Simple exploitation demo GreeterT int main() { Base *b1 = new Greeter(); Base *b2 = new Exec(); Greeter *g; b1 vtable* g = static_cast <Greeter*>(b1); g->sayHi( "Greeter says hi!" ); // g[0][0](str); g = static_cast <Greeter*>(b2); g->sayHi( "/usr/bin/xcalc" ); // g[0][0](str); delete b1; delete b2; b2 vtable* return 0; } ExecT 16

  17. Sanitization 17

  18. Problem: broken abstractions? C/C++ void log( int a) { printf("Log: "); printf("%d", a); } void (* fun )( int ) = &log; void init() { fun(15); } ASM log: ... fun : .quad log init: ... movl $15, %edi movq fun(%rip), %rax call *%rax 18

  19. LLVM Sanitization ● Test cases detect bugs through assertions, segmentation faults, traps, exceptions ● Enforce stronger policies during testing! – Address Sanitizer: memory safety – Leak Sanitizer: memory leaks – Memory Sanitizer: uninitialized memory – UBSan: undefined behavior – Thread Sanitizer: data races – HexVASAN: variadic argument checker – HexType: type safety 19

  20. Type Safety 20

  21. Type confusion detection* ● A static cast is checked only at compile time – Fast but no runtime guarantees ● Dynamic casts are checked at runtime – High overhead, limited to polymorphic classes ● HexType design: – Conceptually check all casts dynamically – Aggressively optimize design and implementation * TypeSanitizer: Practical Type Confusion Detection. Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe. In CCS'16 * HexType: Efficient Detection of Type Confusion Errors for C++. Yuseok Jeon, Priyam Biswas, Scott A. Carr, Byoungyoung Lee, and Mathias Payer. In CCS'17 21

  22. Making type checks explicit ● Enforce runtime check at all cast sites – static_cast<ToClass>(Object) – dynamic_cast<ToClass>(Object) – reinterpret_cast<ToClass>(Object) – (ToClass)(Object) ● Build global type hierarchy ● Keep track of the allocation type of each object – Must instrument all forms of allocation – Requires disjoint metadata 22

  23. HexType: design Source Instrumentation code (Type casting verification) HexType Clang Binary HexType Type Hierarchy Runtime Information Library LLVM Pass Link 23

  24. HexType: aggressive optimization ● Limit tracing to unsafe types – Remove tracing of types that are never cast ● Limit checking to unsafe casts – Remove statically verifiable casts ● No more RTTI for dynamic casts – Replace dynamic casts with fast lookup 24

  25. Demo Time! 25

  26. HexType coverage 26

  27. Newly discovered bugs ● Discovered seven new vulnerabilities: Apache Xerces C++ Qt base library DOMNode QMapNode Base DOM DOM Character Element Data QMapNode DOM DOM Text ElementImpl Type DOM Confusion! TextImpl 27

  28. Sanitizer Summary: Type Safety ● Type confusion fundamental in today’s exploits ● Existing sanitizers are incomplete, partial, slow ● HexType – (Almost) full coverage (2-6x increase) – Reasonable overhead (SPEC CPU: 0-32x improvement, Firefox: 0-0.5x slowdown) – Future work: remaining coverage, optimizations 28

  29. T-Fuzz 29

  30. Fuzzing Challenges ● Challenges Shallow code paths Shallow code paths – Shallow coverage start – Hard to find “deep” bugs Deep code paths Deep code paths check1 ● Root cause check2 – Fuzzer-generated inputs cannot bypass complex check3 sanity checks in the target program bug – Existing work limits itself to input generation end 30

  31. T-Fuzz: Fuzz the Program! ● Option 1: generate input to bypass checks by heavy-weight program analysis techniques – Driller (concolic analysis) – VUzzer (dynamic taint analysis) ● Our idea: remove program’s sanity checks – Checks filter orthogonal input, e.g., magic values, checksum, or hashes (Non-Critical Check, NCC) – Insight: removing NCCs is safe if ( strncmp (hdr, “ELF", 3) == 0) { // main program logic } else { error (); } 31

  32. Design and Implementation ● Fuzzer generates inputs Transformed Programs ● When “stuck” – Detect NCCs* Inputs Fuzzer Program ● Transform program (e.g. AFL) Transformer Crashing ● Verify crashes inputs Bug Reports Crash Analyzer False Positjves *Approximation of NCCs: edged in the CFG connecting covered/uncovered nodes 32

  33. Detecting NCC’s ● Approximate NCCs as edges connecting covered and uncovered nodes in CFG – Over approximate, may contain false positives – Lightweight and simple to implement 33 Covered Node Uncovered Node NCC Candidates 33

  34. Program Transformation start ● Our approach: negate NCCs – Simple: static binary rewriting A == B – Zero runtime overhead in True branch False branch resulting target program – Unchanged CFG end – Trace in transformed program maps to original program start Negated Check – Path constraints of original A != B program can be recovered True branch False branch 34 end 34

  35. Comparison to Symbolic Executoion ● Explores all code paths, tracks constraints ● Path explosion, e.g., loops ● Each branch doubles the number of code paths ... ... ... ... ● Resource requirement ... ● Theoretically beautiful, limited scalability ( Path 1 , ( Path n , ... constraint set 1 ) constraint set n ) 35

  36. Comparison to Concolic Execution ● Guided by concrete inputs input ● Follows single code path, Not C1 C1 collects constraints for new code paths ● Reduced resource requirements ... ... ... ... ● Still an exponential number ... of paths to explore! 36

  37. Comparison to Driller (Fuzz & CE) ● Fuzzing until coverage wall ● When fuzzing gets “stuck”, Fuzzer concolic execution explores mutating SE & constraint solving new code paths using fuzzer generated inputs Inputs ● Limitations target – “SE & constraints solving” slows program down fuzzing – Not able to bypass “hard” checks Crashes 37

  38. T-Fuzz: fuzz first, solve only crashes ● Fuzzing/SE decoupled ● SE only applied to T-Fuzz detected crashes Program ● For “hard” checks, Fuzzer Transformation T-Fuzz detects the guarded bug, but program cannot verify it SE & constraints solving Crashes T-Fuzz in action 38

  39. Evaluation ● Implementation – Fuzzer: shellphish fuzzer (python wrapper of AFL) – Program Transformer: angr tracer, radare2 – Crash Analyzer: 2k LoC Python hackery ● Evaluation – DARPA CGC dataset – LAVA-M dataset – 4 real-world programs 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University http://hexhive.github.io 1 Defense: Testing vs. Mitigations Software Testing Mitigations Discover bugs Stop exploitation Development tool Always

586 views • 44 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
Module Title: Broadcasting &amp; Presentation Skills Level : 4 Credit Value : 20 Code of module

Module Title: Broadcasting &amp; Presentation Skills Level : 4 Credit Value : 20 Code of module

MODULE SPECIFICATION PROFORMA Module Title: Broadcasting &amp; Presentation Skills Level : 4 Credit Value : 20 Code of module Being Module Code : HUM475 New Module? No N/A Replaced : GAJM P300 Cost Centre(s) : JACS3 code : With Effect

60 views • 5 slides
Using the Code Review Module Szeged DrupalCon Using the Code Review Module Doug Green Stella

Using the Code Review Module Szeged DrupalCon Using the Code Review Module Doug Green Stella

Using the Code Review Module Szeged DrupalCon Using the Code Review Module Doug Green Stella Power doug@civicactions.com stella@stellapower.net Using the Code Review Module Coder Module Overview History Developer Module, built

566 views • 23 slides
Altitude Terrain Guarding and Guarding Uni-Monotone Polygons Stephan Friedrichs Valentin

Altitude Terrain Guarding and Guarding Uni-Monotone Polygons Stephan Friedrichs Valentin

Altitude Terrain Guarding and Guarding Uni-Monotone Polygons Stephan Friedrichs Valentin Polishchuk Christiane Schmidt image source:

1.66k views • 112 slides
MODULE SPECIFICATION FORM Module Title: Level: 4 Credit Value: 20 Broadcasting &amp; Presentation

MODULE SPECIFICATION FORM Module Title: Level: 4 Credit Value: 20 Broadcasting &amp; Presentation

MODULE SPECIFICATION FORM Module Title: Level: 4 Credit Value: 20 Broadcasting &amp; Presentation Skills Module code: Cost Centre: GAJM JACS3 code: P300/P500 HUM475 Trimester(s) in which to be offered: 2 With effect from: September 2014

523 views • 4 slides
MODULE SPECIFICATION FORM Dissertation and Masters Module Title: Level: 7 Credit Value: 60

MODULE SPECIFICATION FORM Dissertation and Masters Module Title: Level: 7 Credit Value: 60

MODULE SPECIFICATION FORM Dissertation and Masters Module Title: Level: 7 Credit Value: 60 Presentation Module code: ARA702 Cost Centre: GAAA JACS3 code W200 1 &amp; Trimester(s) in which to be offered: 2 With effect from:

413 views • 4 slides
Computational Geometry Triangulations and Guarding Art Galleries Michael T. Goodrich with

Computational Geometry Triangulations and Guarding Art Galleries Michael T. Goodrich with

Computational Geometry Triangulations and Guarding Art Galleries Michael T. Goodrich with slides by Carola Wenk, Tulane Univ., and Subhash Suri, UCSB 1 Guarding an Art Gallery Problem: Given the floor plan of an art gallery, place (a

963 views • 31 slides
I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

This time Continuing with Software Getting insane with Security I n p u t sanitization); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web architecture Client

1.22k views • 102 slides
Shakespeare: Themes and Presentation Module Code 4ELIT015X Module Level 4 Length Session One,

Shakespeare: Themes and Presentation Module Code 4ELIT015X Module Level 4 Length Session One,

Shakespeare: Themes and Presentation Module Code 4ELIT015X Module Level 4 Length Session One, Three Weeks Site Central London Host Course London International Summer School Pre-Requisite None Assessment Textual Analysis 40%, Essay 60%

52 views • 4 slides
Edge-guarding Orthogonal Polyhedra Giovanni Viglietta Department of Computer Science, University

Edge-guarding Orthogonal Polyhedra Giovanni Viglietta Department of Computer Science, University

Edge-guarding Orthogonal Polyhedra Giovanni Viglietta Department of Computer Science, University of Pisa, Italy Rome - July 14 th , 2011 We view things not only from different sides, but with different eyes. Blaise Pascal Edge-guarding

569 views • 38 slides
CS6100: Topics in Design and Analysis of Algorithms Guarding and Triangulating Polygons John

CS6100: Topics in Design and Analysis of Algorithms Guarding and Triangulating Polygons John

CS6100: Topics in Design and Analysis of Algorithms Guarding and Triangulating Polygons John Augustine CS6100 (Even 2012): Guarding and Triangulating Polygons The Art Gallery Problem A simple polygon is a region enclosed by a single closed

231 views • 19 slides
Vulnerable Road User Presentation to Transportation LRC 10/14/10 Proposed Ordinance

Vulnerable Road User Presentation to Transportation LRC 10/14/10 Proposed Ordinance

Vulnerable Road User Presentation to Transportation LRC 10/14/10 Proposed Ordinance RESTRICTIONS ON OPERATING A MOTOR VEHICLE NEAR VULNERABLE ROAD USERS; THE PENALTY BEING AS PROVIDED IN SECTION 12.84.010 OF THE EL PASO CITY CODE.

636 views • 21 slides
Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is

Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is

Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is called a module A device driver is one kind of module Each module is made up of object code that can be dynamically linked to the running

388 views • 28 slides
Edge Guarding Plane Graphs March 17, 2020 Paul Jungeblut, Torsten Ueckerdt I NSTITUTE OF T

Edge Guarding Plane Graphs March 17, 2020 Paul Jungeblut, Torsten Ueckerdt I NSTITUTE OF T

Edge Guarding Plane Graphs March 17, 2020 Paul Jungeblut, Torsten Ueckerdt I NSTITUTE OF T HEORETICAL I NFORMATICS A LGORITHMICS G ROUP KIT The Research University in the Helmholtz Association www.kit.edu Edge Guarding G = ( V , E )

666 views • 40 slides
BURBERRY Module: Luxury Brand Management Module Code: MGT6B2 Burberry Brand History 1856

BURBERRY Module: Luxury Brand Management Module Code: MGT6B2 Burberry Brand History 1856

BURBERRY Module: Luxury Brand Management Module Code: MGT6B2 Burberry Brand History 1856 Brand established by Thomas Burberry 1880 Developed a waterproof material called Gabardine 1901 Introduced the Equestrian

348 views • 7 slides
Plugins and Filters and Data Science: Displaying R Markdown in Drupal Today we are going to talk

Plugins and Filters and Data Science: Displaying R Markdown in Drupal Today we are going to talk

Plugins and Filters and Data Science: Displaying R Markdown in Drupal Today we are going to talk about how we render dynamic data documents in Drupal 8. We are going to talk about this because R Markdown (with the help of knitr and pandoc) is

546 views • 9 slides
Security Testing Hard to Reach Code Mathias Payer &lt;mathias.payer@epfl.ch&gt;

Security Testing Hard to Reach Code Mathias Payer &lt;mathias.payer@epfl.ch&gt;

Security Testing Hard to Reach Code Mathias Payer &lt;mathias.payer@epfl.ch&gt; https://hexhive.github.io 1 Vulnerabilities everywhere? 2 Challenge: broken abstractions C/C++ void log( int a) { printf(&quot;A: %d&quot;, a); } void vuln(

535 views • 39 slides
Jessica McCarty-Kern MICHIGAN TECH Jessica L. . McCarty , jmccarty@mtu.edu RESEARCH FORUM

Jessica McCarty-Kern MICHIGAN TECH Jessica L. . McCarty , jmccarty@mtu.edu RESEARCH FORUM

MICHIGAN TECH RESEARCH FORUM TECHTALKS Jessica McCarty-Kern MICHIGAN TECH Jessica L. . McCarty , jmccarty@mtu.edu RESEARCH FORUM TECHTALKS Mapping Small(holder) Farms Using Big Data Globally sub-hectare fields/food production critical to

217 views • 3 slides
D-F -FACTOR OR: : A Quant Quantit itativ ive e Per erfor ormance mance Model odel of

D-F -FACTOR OR: : A Quant Quantit itativ ive e Per erfor ormance mance Model odel of

D-F -FACTOR OR: : A Quant Quantit itativ ive e Per erfor ormance mance Model odel of of Applica pplication ion Slo low-do -down n in in Mult ulti- i- Res esour ource ce Shar hared ed Systems ems Presenter: Youngjae Kim

951 views • 35 slides
The Titan Tools Experience Michael J. Brim, Ph.D. Computer Science Research, CSMD/NCCS Petascale

The Titan Tools Experience Michael J. Brim, Ph.D. Computer Science Research, CSMD/NCCS Petascale

The Titan Tools Experience Michael J. Brim, Ph.D. Computer Science Research, CSMD/NCCS Petascale Tools Workshop 2013 Madison, WI July 15, 2013 Overview of Titan Cray XK7 18,688+ compute nodes 16-core AMD Opteron 6274 @ 2.2GHz

857 views • 18 slides
Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00 a.m. CT. While you wait: 1. Download PDFs of the slides and handout under the Handouts tab of your control bar. 2. Confirm that your

540 views • 36 slides
Accelerator Modeling Through High Performance Computing Z. Li NERSC,LBNL Advanced Computations

Accelerator Modeling Through High Performance Computing Z. Li NERSC,LBNL Advanced Computations

Accelerator Modeling Through High Performance Computing Z. Li NERSC,LBNL Advanced Computations Department Stanford Linear Accelerator Center NCCS, ORNL Presented at Jefferson Lab, 9-24-2007 Work supported by U.S. DOE ASCR, BES &amp; HEP

734 views • 55 slides
B U I L D I N G &amp; C O O L I N G S I N G A P O R E I N A N E R A O F C L I M AT E C H A

B U I L D I N G &amp; C O O L I N G S I N G A P O R E I N A N E R A O F C L I M AT E C H A

B U I L D I N G &amp; C O O L I N G S I N G A P O R E I N A N E R A O F C L I M AT E C H A N G E Panellist Panellist Panellist Panellist Panellist Dr Gerhard Schmitt Ms Adele Tan Ms Yan Yan Dr Winston Chow Michael Leong Professor

498 views • 48 slides

More recommend