how to make aslr win the clone wars runtime re
play

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization - PowerPoint PPT Presentation

Jan 06, 2024 •379 likes •833 views

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

  1. How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nürnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1

  2. What did we do? • We re-randomize the memory layout of the cloned ( i.e. , forked) processes at runtime fork() Parent Child code data code data RuntimeASLR 2

  3. In this talk, I will explain… • Why we need to re-randomize cloned processes? – To prevent clone-probing attacks • How to re-randomize them? – A semantic-preserving and runtime-based approach • What are the results? – Defeated clone-probing, e.g., Blind ROP attack – No performance overhead to cloned processes RuntimeASLR 3

  4. Background - ASLR • Address Space Layout Randomization (ASLR) – Mitigating code reuses attacks, privilege escalation, and information leaks Run 1 Run 2 Run 3 code data code code data data RuntimeASLR 4

  5. Background - ASLR • Address Space Layout Randomization (ASLR) – Mitigating code reuses attacks, privilege escalation, and information leaks Run 1 Run 2 Run 3 code data code code data data – One time, per-process, load-time RuntimeASLR 5

  6. Background – Daemon Servers • Web services are powered by daemon servers, e.g., Nginx web server RuntimeASLR 6

  7. Designs of Daemon Server Worker processes (with same layout) Worker code Daemon process data HTTP/HTTPS fork() Master code Worker fork() code data HTTP/HTTPS data fork() Worker code data HTTP/HTTPS 1) The daemon process pre-forks multiple worker processes that handle users requests RuntimeASLR 7

  8. Designs of Daemon Server Worker processes (with same layout) Worker code Daemon process data HTTP/HTTPS fork() Master code Worker fork() code data HTTP/HTTPS data fork() Worker code data HTTP/HTTPS 1) The daemon process pre-forks multiple worker processes that handle users requests 2) The daemon will re-fork a new worker process if it crashes, to be robust RuntimeASLR 8

  9. Designs of Daemon Server Worker processes (with same layout) Worker code Daemon process data HTTP/HTTPS fork() Master code Worker fork() code data HTTP/HTTPS All forked worker processes share the same data fork() memory layout as the daemon process Worker code data HTTP/HTTPS 1) The daemon process pre-forks multiple worker processes that handle users requests 2) The daemon will re-fork a new worker process if it crashes, to be robust RuntimeASLR 9

  10. When ASLR meets daemon servers… RuntimeASLR 10

  11. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address buffer 12 34 56 78 9a bc ed f0 RuntimeASLR 11

  12. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address buffer 12 34 56 78 9a bc ed f0 Crash, try another one AAAAAAA 00 34 56 78 9a bc ed f0 Attack payload RuntimeASLR 12

  13. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address buffer 12 34 56 78 9a bc ed f0 Crash, try another one AAAAAAA 00 34 56 78 9a bc ed f0 Attack AAAAAAA 01 34 56 78 9a bc ed f0 Crash, try another one payload RuntimeASLR 13

  14. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address buffer 12 34 56 78 9a bc ed f0 Crash, try another one AAAAAAA 00 34 56 78 9a bc ed f0 Attack AAAAAAA 01 34 56 78 9a bc ed f0 Crash, try another one payload … … Bingo, continue to AAAAAAA 12 34 56 78 9a bc ed f0 guess next byte RuntimeASLR 14

  15. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address buffer 12 34 56 78 9a bc ed f0 Crash, try another one AAAAAAA 00 34 56 78 9a bc ed f0 Attack AAAAAAA 01 34 56 78 9a bc ed f0 Crash, try another one payload … … Bingo, continue to AAAAAAA 12 34 56 78 9a bc ed f0 guess next byte … … … AAAAAAA 12 00 56 78 9a bc ed f0 RuntimeASLR 15

  16. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address buffer 12 34 56 78 9a bc ed f0 Crash, try another one AAAAAAA 00 34 56 78 9a bc ed f0 Attack AAAAAAA 01 34 56 78 9a bc ed f0 Crash, try another one payload … … Bingo, continue to AAAAAAA 12 34 56 78 9a bc ed f0 guess next byte … … … AAAAAAA 12 00 56 78 9a bc ed f0 … … Finally, get all bytes AAAAAAA 12 34 56 78 9a bc ed f0 RuntimeASLR 16

  17. Clone-Probing Attack • Attack goal: guess the randomized address (e.g., return address), say a web server with a stack buffer overflow vulnerability Stack in remote server return address Brute-forcing complexity is reduced from 2 64 to 8*2 8 buffer 12 34 56 78 9a bc ed f0 (From thousands of years to 2 minutes J ) Crash, try another one AAAAAAA 00 34 56 78 9a bc ed f0 Attack AAAAAAA 01 34 56 78 9a bc ed f0 Crash, try another one payload … … Bingo, continue to AAAAAAA 12 34 56 78 9a bc ed f0 guess next byte … … … AAAAAAA 12 00 56 78 9a bc ed f0 … … Finally, get all bytes AAAAAAA 12 34 56 78 9a bc ed f0 RuntimeASLR 17

  18. This Attack is Critical! A simple buffer overflow à bypass ASLR (two minutes) à control daemon server L RuntimeASLR 18

  19. Preventing clone-probing with RuntimeASLR Solution: re-randomizing the memory layout of cloned processes RuntimeASLR 19

  20. Challenge • Remapping memory à dangling pointers • How to track all pointers on the fly and update them? – Accuracy – Efficiency RuntimeASLR 20

  21. Pointer Tracking Problem • Treat it as a taint tracking problem Pointer All Source tracking tracked pointers policy pointers RuntimeASLR 21

  22. Source Pointers Pointer All Source tracking tracked pointers policy pointers • Kernel routinely loads program – Easy to find source pointers • Only in stack and registers RuntimeASLR 22

  23. Pointer Tracking Policy Pointer All Source tracking tracked pointers policy pointers RuntimeASLR 23

  24. Pointer Tracking Policy Pointer All Source tracking tracked pointers policy pointers • Read 1,513- pages Intel ISA manual and manually define them?? RuntimeASLR 24

  25. Automatic Tracking Policy Generation • Automatically identifying instructions behaviors Execution snapshot Process Memory and registers status Instruction instruction behaviors snapshot Process compare status • This way, we know if it generates or destroys some “values” RuntimeASLR 25

  26. How to Determine a Pointer? • Without type info, how do we know if a value is a pointer? • Example: mov rdi, rsp – Before: rsp =0xcafebabe, and know it is a pointer – After: rdi =0xcafebabe, memory is unchanged – How to know if rdi is a pointer? RuntimeASLR 26

  27. Multi-Run Pointer Verification • Observation: rdi is likely a pointer if it points to mapped memory on 64-bits platform, why? • Run program n times with ASLR, if rdi always points to mapped memory, rdi is more and more likely a pointer – Mapping n runs with instruction execution sequence rdi Multi-runs with … ASLR-enabled Run n Run 1 Run 2 RuntimeASLR

  28. Accuracy of Multi-Run Verification • Assume size of mapped memory is b bytes, run n times on 64-bits platform, false positive rate for one value is: n b . . b b 2 -64 n P fpr 2 64 2 64 RuntimeASLR 28

  29. Accuracy of Multi-Run Verification • Assume size of mapped memory is b bytes, run n times on 64-bits platform, false positive rate for one value is: n b . . b b 2 -64 n P fpr 2 64 2 64 • Say b is 22MB (Nginx) and run 2 times. This will result in FPR=2 −103 RuntimeASLR 29

  30. Export Policy • Given mov reg1, reg2 – if reg2 is a 64-bits register and tainted (i.e., a pointer) à taint reg1 after execution RuntimeASLR 30

  31. Track All Pointers Pointer All Source tracking tracked pointers policy pointers RuntimeASLR 31

  32. Implementation • Intel’s PIN—a dynamic instrumentation tool • Three modules Policy Pointer Randomizer generator tracker (shared lib) (pintool) (pintool) • Source code – Coming soon RuntimeASLR 32

  33. Evaluation • Correctness – Applied to Nginx web server – Memory snapshot analysis to find all pointers – RuntimeASLR correctly finds all pointers RuntimeASLR 33

  34. Evaluation • Security – Blind ROP is a clone-probing attack – Addresses of all modules are re-randomized – RuntimeASLR successfully defeats it Without RuntimeASLR With RuntimeASLR RuntimeASLR 34

  35. Evaluation • Performance – Pointer tracking is extremely expensive: >10,000 times on SPEC CPU2006 • One time overhead at startup; 35 seconds for Nginx – However, no overhead on cloned worker processes RuntimeASLR 35

  36. Discussions and Limitations • Ambiguous policy • Completeness of tracking policy • Applicability for general programs • Supporting pointer obfuscation RuntimeASLR 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Clone Objectives Describe how to make a copy of a reference type ICloneable interface

Clone Objectives Describe how to make a copy of a reference type ICloneable interface

Clone Objectives Describe how to make a copy of a reference type ICloneable interface Clone method Object.MemberwiseClone method Discuss special cases string field reference field inheritance 2 Motivation:

640 views • 24 slides
1 Research Goal Proposed tool: Chained clone detection tool Detection of clone sets connected

1 Research Goal Proposed tool: Chained clone detection tool Detection of clone sets connected

Overview of my presentation Introduction of chained clone detection Detection of Chained Clone and Its Application N.Yoshida, et al.: "On Refactoring Support Based on Code Clone Dependency Relation", Proc. of METRICS 2005.

316 views • 4 slides
Fault-Proneness of Clone Mutation and Clone Migration Shuai Xie, Foutse Khomh, Ying Zou

Fault-Proneness of Clone Mutation and Clone Migration Shuai Xie, Foutse Khomh, Ying Zou

An Empirical Study of the Fault-Proneness of Clone Mutation and Clone Migration Shuai Xie, Foutse Khomh, Ying Zou Department of Electrical and Computing Engineering Clone Genealogies Revision i Revision i+1 Revision i+2 Type-1 Clone Clone

224 views • 21 slides
Trade Wars or Territorial Wars - The next global battle Trade Wars or Territorial Wars - The Next

Trade Wars or Territorial Wars - The next global battle Trade Wars or Territorial Wars - The Next

Trade Wars or Territorial Wars - The next global battle Trade Wars or Territorial Wars - The Next Global Battle The traditional understanding about the term WAR is that it involves a situation where there is state of armed conflict between

672 views • 18 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
Setup Log in to Salomon Update (or clone) the git repository $ git clone

Setup Log in to Salomon Update (or clone) the git repository $ git clone

Setup Log in to Salomon Update (or clone) the git repository $ git clone https://code.it4i.cz/jansik/SummerOfHPC.git $ git pull Get interactive allocation on Salomon $ qsub -A DD-17-18 -q R10752[89-94] -l select=1:ncpus=8,place=scatter -I $

1.03k views • 9 slides
San Diego Comic-Con 2011 San Diego Comic-Con 2011 THANK YOU! THANK YOU! o State of the Galaxy

San Diego Comic-Con 2011 San Diego Comic-Con 2011 THANK YOU! THANK YOU! o State of the Galaxy

San Diego Comic-Con 2011 San Diego Comic-Con 2011 THANK YOU! THANK YOU! o State of the Galaxy o Vintage is out for REVENGE REVENGE! o Fall 2011 o 2012 Sneak Peak 3 Clone Wars Figures (Wave 4 on-shelf September) Stealth Ops Clone

688 views • 48 slides
When is a Clone not a Clone? (and vice-versa) Contextualized Analysis of Web Services Douglas

When is a Clone not a Clone? (and vice-versa) Contextualized Analysis of Web Services Douglas

When is a Clone not a Clone? (and vice-versa) Contextualized Analysis of Web Services Douglas Martin James R. Cordy Scott Grant David B. Skillicorn School of Computing Kingston, Canada Motivation The Personal Web Rapidly growing

631 views • 38 slides
Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1

Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1

Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1 Tree ADT A E ROv1 SBwl D G Tree recursion F H I Tree traversal ROv2 SBwlE4 Search and score n Search runtime O(2 ) Pass message

311 views • 9 slides
Tar Wars 2 What is Tar Wars? A tobacco-free education program for 4th- and 5th-grade

Tar Wars 2 What is Tar Wars? A tobacco-free education program for 4th- and 5th-grade

Tar Wars 2 What is Tar Wars? A tobacco-free education program for 4th- and 5th-grade students A way to learn interesting facts on staying healthy An interactive and fun curriculum Abby Tennessee 2014 Poster 3 Whats in a

1k views • 30 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Herodotus and the Persian Wars Herodotus and the Persian Wars Herodotus is the first true

Herodotus and the Persian Wars Herodotus and the Persian Wars Herodotus is the first true

Herodotus and the Persian Wars Herodotus and the Persian Wars Herodotus is the first true historian known in Western Civilization he lived during the Classical Age of Greece (the fifth century BCE) Herodotus and the Persian Wars

439 views • 28 slides
GOLD GOLD WARS WARS A Golden Renaissance A Tribute to Ferdinand Lips (1931 2005) WHAT ARE

GOLD GOLD WARS WARS A Golden Renaissance A Tribute to Ferdinand Lips (1931 2005) WHAT ARE

THE THE GOLD GOLD WARS WARS A Golden Renaissance A Tribute to Ferdinand Lips (1931 2005) WHAT ARE GOLD WARS? Gold Wars are between governments and gold. This ultimately restricts the constitutional rights of the people. Gold is the

522 views • 41 slides
How to Make Profit: Exploiting Fluctuating Electricity Prices with Albatross, A Runtime System

How to Make Profit: Exploiting Fluctuating Electricity Prices with Albatross, A Runtime System

How to Make Profit: Exploiting Fluctuating Electricity Prices with Albatross, A Runtime System for Heterogeneous HPC Clusters Timo Hnig, Christopher Eibel, Adam Wagenhuser, Maximilian Wagner, and Wolfgang Schrder-Preikschat 8th

1.21k views • 35 slides
Data recovery using pg_filedump Aleksander Alekseev git clone

Data recovery using pg_filedump Aleksander Alekseev git clone

Data recovery using pg_filedump Aleksander Alekseev git clone git://git.postgresql.org/git/pg_filedump.git cd pg_filedump make ./pg_filedump --help Usage: pg_filedump [-abcdfhikxy] [-R startblock [endblock]] [-D attrlist] [-S blocksize] [-s

278 views • 25 slides
Lecture 26 Empirical Studies of Clone Evolution Clone Genealogies EE 382V Spring 2009 Software

Lecture 26 Empirical Studies of Clone Evolution Clone Genealogies EE 382V Spring 2009 Software

Lecture 26 Empirical Studies of Clone Evolution Clone Genealogies EE 382V Spring 2009 Software Evolution - Instructor Miryung Kim Todays Agenda (1) Class Presentation Meiru Che Amal Banerjee Course Evaluation I

531 views • 26 slides
Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network & Distributed System Security Symposium

1.08k views • 80 slides
8. Average-Case Analysis of Algorithms + Randomized Algorithms 1 insertion sort Array A[1]

8. Average-Case Analysis of Algorithms + Randomized Algorithms 1 insertion sort Array A[1]

CSE 312, Autumn 2012, W.L.Ruzzo 8. Average-Case Analysis of Algorithms + Randomized Algorithms 1 insertion sort Array A[1] A[n] Sorted for i = 2 n-1 { T = A[i] j j = i-1 compare i Unsorted while j >= 0 && T

638 views • 17 slides
Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR

Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR

Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 10,000-foot view of cryptographic voting 2 10,000-foot view of

2.01k views • 146 slides
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security notion: chosen-ciphertext security

1.16k views • 83 slides
under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev

under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev

Optimality of Linear Sketching under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev (Indiana) Streaming and sketching Streaming with binary updates Counters 1 , , 2

610 views • 28 slides
To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

Fully Personalized PageRank Similarity Search To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as Sarl os, E otv os University and Computer and Automation Institute, Hungarian Academy of

571 views • 22 slides
Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016 http://tinyurl.com/randomized-practical Some random examples Building atomic bombs Truncated SVD Dimensionality reduction Kernel methods for big data Nonlinear

970 views • 81 slides
(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N.

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N.

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 1 / 47 About Me Security Consultant & Researcher @ scip AG @fenceposterror

623 views • 47 slides

More recommend