guarding vulnerable code module 2 mitigation
play

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, - PowerPoint PPT Presentation

Sep 29, 2023 •140 likes •586 views

Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University http://hexhive.github.io 1 Defense: Testing vs. Mitigations Software Testing Mitigations Discover bugs Stop exploitation Development tool Always

  1. Guarding Vulnerable Code: Module 2: Mitigation Mathias Payer, Purdue University http://hexhive.github.io 1

  2. Defense: Testing vs. Mitigations Software Testing Mitigations ● Discover bugs ● Stop exploitation ● Development tool ● Always on ● Result oriented ● Low overhead 2

  3. Heartbleed: reactive patching* ● 11% of servers remained vulnerable after 48 hours ● Patching plateaued at 4% ● Only 10% of vulnerable sites replaced certificates ● 15% of replaced cert's used vulnerable keys Heartbleed vulnerable hosts Update process is slow, incomplete, and faulty * The Matter of Heartbleed. Zakir Durumeric, James Kasten, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Bernhard Amann, Jethro Beekman, Mathias Payer, Vern Paxson. In ACM IMC'14 (best paper) 3

  4. Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 4

  5. Different threat models 5

  6. Problem: broken abstractions? C/C++ void log( int a) { printf("Log: "); printf("%d", a); } void (* fun )( int ) = &log; void init() { fun(15); } ASM log: ... fun : .quad log init: ... movl $15, %edi movq fun(%rip), %rax call *%rax 6

  7. Control-Flow Hijack Attack 7

  8. Attack scenario: code injection ● Force memory corruption to set up attack ● Redirect control-flow to injected code Code Heap Stack 8

  9. Attack scenario: code reuse ● Find addresses of gadgets ● Force memory corruption to set up attack ● Redirect control-flow to gadget chain Code Heap Stack 9

  10. Attacker model: hijacking control-flow Attacker may read/write arbitrary data – Code is read-only, vtables are read-only – Code pointers remain writable! Code RX Heap Stack RW RW vtables R 10

  11. Demo Time! 11

  12. Control-Flow Bending ● Attacker-controlled execution along valid CFG – Generalization of non-control-data attacks ● Each individual control-flow transfer is valid – Execution trace may not match non-exploit case ● Circumvents protection of CFI Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross “Control-Flow Bending”, Usenix SEC'15 12

  13. What does a CFG look like? system() vuln() 13

  14. What does a CFG look like? Really? system() vuln() memcpy() 14

  15. Necessity of shadow stack* ● Defenses without stack integrity are broken – Loop through two calls to the same function – Choose any caller as return location void func() { ● Shadow stack enforces stack integrity … bar(); – Attacker restricted to arbitrary targets on the stack … void bar() { … } – Each target can only be called once, in sequence bar(); … } * Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. In Usenix SEC'15 15

  16. CFB key lessons ● CFI without shadow stack is broken – Stateless defenses insufficient for stack attacks ● Turing-complete programming in most contexts – Bend execution to dispatcher/functional gadgets – In case study CFI not effective for 5/6 vulnerabilities ● Attack is program-dependent, harder to pull off 16

  17. Counterfeit OO Programming ● OO-programs use vtables for inheritance ● Introduce fake objects – Use valid vtables – Functions become gadgets – Chaining functions gives Turing-completeness ● Stateless defenses struggle Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmed-Reza Sadeghi, and Thorsten Holz. Counterfeit Object-Oriented Programming, Oakland'15 17

  18. Mitigation space in a nutshell [SP13] SoftBound [PLDI09, POPL12, Memory/type safety Corruption ISCA12]; CCured [POPL02]; DShield/nC [2x AsiaCCS17] Code Integrity [AMD06]; Integrity C C *C SafeO [FSE03]; WIT [SP08]; CPI [OSDI14]; OTI [NDSS18] ASLR [CCS03, 04, 10, 12]; Confidentiality &C &C DSR [DIMVA08]; PG [SEC03]; Diversity SoK [SP14]; CFI [CCS05]; MCFI [PLDI14]; Flow Integrity *&C *&C FCFI [SEC14]; vTrust [NDSS17]; SoK [CSUR17] Code Control-flow Bad things corruption hijack 18

  19. Attack classification ● Data-only attack – Overwriting arguments to exec() ● Non-control-data attack – Overwriting is_admin flag ● Control-Flow Bending – Modify function pointer to (valid) alternate target 19

  20. Control-Flow Integrity 20

  21. Control-Flow Integrity (CFI)* ● Restrict a program’s dynamic control-flow to the static control-flow graph – Requires static analysis – Dynamic enforcement mechanism * Control-Flow Integrity. Martin Abadi, Mihai Budiu, Ulfar Erlingsson, Jay Ligatti. CCS ‘05 * Control-Flow Integrity: Protection, Security, and Performance. Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, Mathias Payer. ACM CSUR ‘17 21

  22. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); return 7; 22

  23. Three directions for CFI Goal: minimize target sets, increase precision 23

  24. Enforce CFI in the kernel* ● Kernel protection crucial for system integrity ● So far, kernel only coarsely protected (if at all) ● Enforce strict pointer propagation rules – Function pointers can only be assigned – Data pointers to function pointers are forbidden ● Compiler enforces type system, instruments ● High compatibility for hypervisors, kernels * Fine-Grained Control-Flow Integrity for Kernel Software. Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger. In EuroS&P'16 24

  25. Lockdown*: enforce CFI for binaries ● Fine-grained CFI relies on source code ● Coarse-grained CFI is imprecise ● Goal: enforce fine-grained CFI for binaries – Support legacy, binary code and modularity (libraries) – Leverage precise, dynamic analysis – Low performance overhead ● Binary translator runs online analysis, adds checks * Fine-Grained Control-Flow Integrity through Binary Hardening Mathias Payer, Antonio Barresi, and Thomas R. Gross. In DIMVA'15 25

  26. Enforce CFI for C++ applications* ● C++ applications are prone to Counterfeit Object-Oriented Programming (COOP) ● Virtual inheritance scatters code pointers ● Protect all virtual function calls – Enforce type check of prototype for virtual calls – Sanitize VTable pointers before use ● Compiler encodes types and enforces checks * VTrust: Regaining Trust on Your Virtual Calls. Chao Zhang, Scott A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, and Dawn Song. In NDSS'16 26

  27. CFI: analysis precision [CSUR17] Greeter *o = new Greeter(); o->sayHi(char *str); // o[0][1](); Valid functions Arity kBouncer [SEC13]; CCFIR [SP13]; binCFI CFI? [CCS05]; FCFI [SEC14] [SEC13]; ROPecker [NDSS14]; DynCFI [DIMVA15] Prototype Class Hierarchy MCFI [CCS13, PLDI14]; RockJIT [CCS14]; ShrinkWrap [ACSAC15]; VTrust PICFI [CCS15]; C-CFI [CCS15]; [NDSS17]; LLVM-CFI [head] PathArmor [CCS15]; KCFI [EuroSP16] 27

  28. CFI: strength of analysis 0xf000b400 int bar1(int b, int c, int d); int bar2(char *str); void bar3(char *str); Greeter *o = new Greeter(); o->sayHi(char *str); void B::foo(char *str); class Greeter :: Base {... }; void Base::bar5(char *str); void Greeter::sayHi(char *str); class Related :: Greeter {... }; void Related::sayHi(char *str); 28

  29. Are we making progress? 2007 2017 29

  30. Class hierarchy depth Impl. Count Chromium Firefox [1-10] 13,751 (99.33%) 4,632 (99.90%) >10 78 (0.57%) 47 (0.10%) Max 78 107 CFI prohibits use of corrupted pointer. Can we do better? 30

  31. Summary: Control-Flow Integrity ● CFI restricts indirect control-flow to target set – Inherently stateless defense – Effectiveness depends on precision of analysis and program functionality – Low performance overhead ● Limitations – Large target sets, statelessness – Backward edge often neglected 31

  32. Object-Type Integrity 32

  33. Two stages of control-flow hijacking ● Stage 1: corrupt a code pointer – Overwrite where with what? ● Stage 2: dereference the code pointer – Guide execution to dispatch 33

  34. Mitigation space in a nutshell [SP13] SoftBound [PLDI09, POPL12, Memory/type safety Corruption ISCA12]; CCured [POPL02]; DShield/nC [2x AsiaCCS17] Code Integrity [AMD06]; Integrity C C *C SafeO [FSE03]; WIT [SP08]; CPI [OSDI14]; OTI [NDSS18] ASLR [CCS03, 04, 10, 12]; Confidentiality &C &C DSR [DIMVA08]; PG [SEC03]; Diversity SoK [SP14]; CFI [CCS05]; MCFI [PLDI14]; Flow Integrity *&C *&C FCFI [SEC14]; vTrust [NDSS17]; SoK [CSUR17] Code Control-flow Bad things corruption hijack 34

  35. Object Type Integrity (OTI)* ● Enforce integrity of vtable pointer – Relocate to safe area – Use protected version for dispatch Safe memory area Code Heap Stack vtables * CFIXX: Object Type Integrity for C++ Virtual Dispatch. Nathan Burow, Derrick McKee, Scott A. Carr, and Mathias Payer. In ISOC NDSS '18 35

  36. CFIXX instrumentation ● C++ dynamic dispatch has single target – Only constructor allowed to write vtable pointer – Deallocation invalidates vtable pointer – Dispatch uses vtable pointer ● Enforcing OTI protects against – VTable injection even with correct method signature – Swap vtable even in the same hierarchy – Fake object creation (COOP) 36

  37. CFIXX performance ● Chromium: 2.03% (Octane), 1.99% (Kraken) 37

  38. Future Directions 38

  39. 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University

Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University http://hexhive.github.io 1 Vulnerabilities everywhere? 2 Common Languages: TIOBE18 Jul 2018 Jul 2017 Change Language Ratings Change 1 1 Java

689 views • 46 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
Module Title: Broadcasting & Presentation Skills Level : 4 Credit Value : 20 Code of module

Module Title: Broadcasting & Presentation Skills Level : 4 Credit Value : 20 Code of module

MODULE SPECIFICATION PROFORMA Module Title: Broadcasting & Presentation Skills Level : 4 Credit Value : 20 Code of module Being Module Code : HUM475 New Module? No N/A Replaced : GAJM P300 Cost Centre(s) : JACS3 code : With Effect

60 views • 5 slides
Using the Code Review Module Szeged DrupalCon Using the Code Review Module Doug Green Stella

Using the Code Review Module Szeged DrupalCon Using the Code Review Module Doug Green Stella

Using the Code Review Module Szeged DrupalCon Using the Code Review Module Doug Green Stella Power doug@civicactions.com stella@stellapower.net Using the Code Review Module Coder Module Overview History Developer Module, built

566 views • 23 slides
Altitude Terrain Guarding and Guarding Uni-Monotone Polygons Stephan Friedrichs Valentin

Altitude Terrain Guarding and Guarding Uni-Monotone Polygons Stephan Friedrichs Valentin

Altitude Terrain Guarding and Guarding Uni-Monotone Polygons Stephan Friedrichs Valentin Polishchuk Christiane Schmidt image source:

1.66k views • 112 slides
MODULE SPECIFICATION FORM Module Title: Level: 4 Credit Value: 20 Broadcasting & Presentation

MODULE SPECIFICATION FORM Module Title: Level: 4 Credit Value: 20 Broadcasting & Presentation

MODULE SPECIFICATION FORM Module Title: Level: 4 Credit Value: 20 Broadcasting & Presentation Skills Module code: Cost Centre: GAJM JACS3 code: P300/P500 HUM475 Trimester(s) in which to be offered: 2 With effect from: September 2014

523 views • 4 slides
MODULE SPECIFICATION FORM Dissertation and Masters Module Title: Level: 7 Credit Value: 60

MODULE SPECIFICATION FORM Dissertation and Masters Module Title: Level: 7 Credit Value: 60

MODULE SPECIFICATION FORM Dissertation and Masters Module Title: Level: 7 Credit Value: 60 Presentation Module code: ARA702 Cost Centre: GAAA JACS3 code W200 1 & Trimester(s) in which to be offered: 2 With effect from:

413 views • 4 slides
Computational Geometry Triangulations and Guarding Art Galleries Michael T. Goodrich with

Computational Geometry Triangulations and Guarding Art Galleries Michael T. Goodrich with

Computational Geometry Triangulations and Guarding Art Galleries Michael T. Goodrich with slides by Carola Wenk, Tulane Univ., and Subhash Suri, UCSB 1 Guarding an Art Gallery Problem: Given the floor plan of an art gallery, place (a

963 views • 31 slides
Module 2.2.1 Climate change mitigation: proximity and foodmiles Dr. Esther Sany-Mengual

Module 2.2.1 Climate change mitigation: proximity and foodmiles Dr. Esther Sany-Mengual

Module 2.2.1 Climate change mitigation: proximity and foodmiles Dr. Esther Sany-Mengual Department of Agricultural Sciences (Dipsa) Universit di Bologna European greenhouse gas emissions, by sector Source: Barilla Center for Food

771 views • 17 slides
Shakespeare: Themes and Presentation Module Code 4ELIT015X Module Level 4 Length Session One,

Shakespeare: Themes and Presentation Module Code 4ELIT015X Module Level 4 Length Session One,

Shakespeare: Themes and Presentation Module Code 4ELIT015X Module Level 4 Length Session One, Three Weeks Site Central London Host Course London International Summer School Pre-Requisite None Assessment Textual Analysis 40%, Essay 60%

52 views • 4 slides
Edge-guarding Orthogonal Polyhedra Giovanni Viglietta Department of Computer Science, University

Edge-guarding Orthogonal Polyhedra Giovanni Viglietta Department of Computer Science, University

Edge-guarding Orthogonal Polyhedra Giovanni Viglietta Department of Computer Science, University of Pisa, Italy Rome - July 14 th , 2011 We view things not only from different sides, but with different eyes. Blaise Pascal Edge-guarding

569 views • 38 slides
CS6100: Topics in Design and Analysis of Algorithms Guarding and Triangulating Polygons John

CS6100: Topics in Design and Analysis of Algorithms Guarding and Triangulating Polygons John

CS6100: Topics in Design and Analysis of Algorithms Guarding and Triangulating Polygons John Augustine CS6100 (Even 2012): Guarding and Triangulating Polygons The Art Gallery Problem A simple polygon is a region enclosed by a single closed

231 views • 19 slides
Vulnerable Road User Presentation to Transportation LRC 10/14/10 Proposed Ordinance

Vulnerable Road User Presentation to Transportation LRC 10/14/10 Proposed Ordinance

Vulnerable Road User Presentation to Transportation LRC 10/14/10 Proposed Ordinance RESTRICTIONS ON OPERATING A MOTOR VEHICLE NEAR VULNERABLE ROAD USERS; THE PENALTY BEING AS PROVIDED IN SECTION 12.84.010 OF THE EL PASO CITY CODE.

636 views • 21 slides
Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is

Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is

Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is called a module A device driver is one kind of module Each module is made up of object code that can be dynamically linked to the running

388 views • 28 slides
Edge Guarding Plane Graphs March 17, 2020 Paul Jungeblut, Torsten Ueckerdt I NSTITUTE OF T

Edge Guarding Plane Graphs March 17, 2020 Paul Jungeblut, Torsten Ueckerdt I NSTITUTE OF T

Edge Guarding Plane Graphs March 17, 2020 Paul Jungeblut, Torsten Ueckerdt I NSTITUTE OF T HEORETICAL I NFORMATICS A LGORITHMICS G ROUP KIT The Research University in the Helmholtz Association www.kit.edu Edge Guarding G = ( V , E )

666 views • 40 slides
Module-3b: Offset and Flicker Mitigation 01 August 2018 14:29 Modules Page 1 Modules Page 2

Module-3b: Offset and Flicker Mitigation 01 August 2018 14:29 Modules Page 1 Modules Page 2

Module-3b: Offset and Flicker Mitigation 01 August 2018 14:29 Modules Page 1 Modules Page 2 Modules Page 3 If Y(f) is filtered, we get rid of flicker noise. Modules Page 4 Module-3c: Chopping Non-Idealities 06 September 2018 16:45 Open

235 views • 10 slides
Linking 15-213: Introduc;on to Computer Systems 13 th Lecture,

Linking 15-213: Introduc;on to Computer Systems 13 th Lecture,

Carnegie Mellon Linking 15-213: Introduc;on to Computer Systems 13 th Lecture, Oct. 13, 2015 Instructors: Randal E. Bryant and David R. OHallaron 1

643 views • 49 slides
Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduction to assembly programing Introduction to Y86 Y86 instructions, encoding and execution 2 Assembly The CPU uses machine language to perform all its

1.06k views • 48 slides
Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche

Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche

Constructive Category Theory and Applications in Algebraic Geometry Sebastian Gutsche Universitt Siegen Siegen, August 31, 2017 Sebastian Gutsche (Siegen) Constructive Categories August 31, 2017 1 / 23 Outline Constructive category

2.3k views • 190 slides
USER-CENTERED PROGRAMMING LANGUAGE DESIGN Michael Coblenz WHY? Tell me what the following

USER-CENTERED PROGRAMMING LANGUAGE DESIGN Michael Coblenz WHY? Tell me what the following

USER-CENTERED PROGRAMMING LANGUAGE DESIGN Michael Coblenz WHY? Tell me what the following program does WHAT DOES THIS DO? (this is part of Firefox) 0000000100000e30 movq %rdi, %rax 0000000100000eb2 movl $0x400, %ecx 0000000100000e33

739 views • 36 slides
CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1 Mathias Payer CS412 Software Security Widely-adopted defense mechanisms Hundreds of

1.34k views • 57 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Feb. 3, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Feb. 3, 2002) I E S R C E O

Systems Design & Programming OS Essentials CMPE 310 Processes and Tasks What comprises the state of a running program (a process or task)? DRAM Address bus Microprocessor OS code Control and data special caches Data bus code/data

543 views • 17 slides
Distributed Mobility Management Protocol for WiFi Users in Fixed Network Behcet

Distributed Mobility Management Protocol for WiFi Users in Fixed Network Behcet

Distributed Mobility Management Protocol for WiFi Users in Fixed Network Behcet Sarikaya(sarikaya@ieee.org) Li Xue (xueliucb@gmail.com) IETF 95 draft-sarikaya-dmm-for-wifi-04 1 DMM for WiFi i2rs Client Netconf i2rs Agent OpenFlow 2

733 views • 6 slides
www-flash.stanford.edu

www-flash.stanford.edu

www-flash.stanford.edu

538 views • 21 slides

More recommend