i control your code
play

I Control Your Code Attack Vectors through the Eyes of - PowerPoint PPT Presentation

Apr 01, 2023 •401 likes •800 views

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net> Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege

  1. I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net>

  2. Motivation  Current exploits are powerful because  Applications run on coarse-grained user-privilege level  Every exploit has full user-privileges  Local privilege escalation through auxiliary attacks  Tight security-models limit privileges on both  A per-application level and  A per-user level  Idea: each application only has access to the data owned by a specific user that is useful for the application 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 2 12/28/10 2

  3. Fahrplan  Introduction  Protection through virtualization  Attack Vectors  Code Injection  Return-oriented programming  Format String Attacks  Arithmetic Overflow  Data Attacks  x86_64 vs. i386 code  Demo  Conclusion 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 3 12/28/10 3

  4. Introduction  Software security is a challenging problem  Both managed and unmanaged languages are prone to attacks  Many different forms of attacks exist  Low-level bugs are omni-present  And high-level languages compile down to low-level code  Hard to eliminate bugs  They are hard to find and hard to fix 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 4 12/28/10 4

  5. Introduction  Programmers rely on too many assumptions  That are not necessarily part of the semantics of the programming language, e.g.,  Memory layout (little vs. big endian)  Type sizes (long is always 4 byte long)  Variable placement (layout of structures)  Goal of this talk:  Understand attack vectors and constraints  Know how to defend yourself against the attacks  Different techniques and security measurements  Security analysis  Know your assumptions (e.g., language, compiler, architecture) 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 5 12/28/10 5

  6. Fahrplan  Introduction  Protection through virtualization  Attack Vectors  Code Injection  Return-oriented programming  Format String Attacks  Arithmetic Overflow  Data Attacks  x86_64 vs. i386 code  Demo  Conclusion 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 6 12/28/10 6

  7. Protection through virtualization  Like many other problems in CS security can be increased through an additional layer of indirection  We propose a user-space virtualization system that secures all program code and authorizes all system calls v i l e i g r p e ( d l v i l e i g e c r p e ( d n o l e c r S F I d a e n o n c e d a e r d p g e k e s ) u k r a ) application e application r s d u s code code 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 7 12/28/10 7

  8. Protection through virtualization  Security principles:  All code is translated before it is executed. Additional guards are added to the translated code  Catches control flow transfers to illegal locations (code injection)  Catches illegal control flow transfers (arc attacks)  Catches jumps into other instructions  Catches switches between i386 and x86_64  All system calls are authorized by a policy  Catches privilege escalation  Catches data bugs that execute unintended system calls 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 8 12/28/10 8

  9. Virtualization in a nutshell Translator ● Translates individual basic blocks ● Verifies code source / destination ● Checks branch targets and origins Original code Code cache Mapping table R RX 1 1' 1 1' 2 2' 3 3' 2 2' Indirect control … ... flow transfers use a dynamic 3 3' check to verify 4 target and origin  See: Generating Low-Overhead Dynamic Binary Translators (Mathias Payer, youtube.com/watch?v=VIxaQeAHIxs) 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 9 12/28/10 9

  10. Static security guards  Check code location  Exported in module / object as code region  Verify permissions of the page according to the module  Check target of static control transfers  Permission check (through GOT – global offset table) for inter-module transfers  Verify valid instructions from the beginning of a function to the target of the jump instruction 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 10 12/28/10 10

  11. Dynamic security guards  Dynamic checks for dynamic control transfers  Return instructions, indirect calls, indirect jumps  Verify that target is valid and translated  Untranslated targets fall back into the static check  Verify return instructions  Validate stack and use a shadow stack 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 11 12/28/10 11

  12. System call authorization  System calls redirect to an authorization framework  Policy based authorization  For wide variety of system calls and parameter combinations  Authorization functions  For redirected system calls  Reimplementations of system calls in user space  Additional validation of dangerous system calls : mmap (overlapping regions); mprotect (make code executable); fork (new processes); clone (new threads)  System calls are allowed, redirected to the authorization function, or the program is terminated with a security exception 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 12 12/28/10 12

  13. Fahrplan  Introduction  Protection through virtualization  Attack Vectors  Code Injection  Return-oriented programming  Format String Attacks  Arithmetic Overflow  Data Attacks  x86_64 vs. i386 code  Demo  Conclusion 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 13 12/28/10 13

  14. Attack vectors  Attacks redirect control flow  New or alternate locations are reached  Execution is different from unaltered run  An attack exploits the fact that the programmer or the runtime system is unable to check  the bounds of a buffer or  to detect a type overflow or  to detect an out-of-bounds access 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 14 12/28/10 14

  15. Code injection  Injects new executable code into the process image of a running process  Into buffer on the stack  Into heap-based data structures  Redirects control flow to the injected code  Overwriting the RIP (return instruction pointer)  Overwriting function pointers, destructors, or data structures of the memory allocator 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 15 12/28/10 15

  16. Code injection: stack-based  Exploits a missing or incomplete bound check on stack-based buffers  Exploit uses two steps:  Buffer on the stack is filled with machine-code  Stack grows downwards and (eventually) overwrites RIP with pointer back into the buffer  Constraints  Executable stack  Missing/faulty bound check  RIP must not be verified/checked  See: Smashing the Stack for Fun & Profit (Aleph1, Phrack #49) 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 16 12/28/10 16

  17. Code injection: stack-based int foobar(char* cmp) { // assert(strlen(cmp)) < MAX_LEN No bound checks char tmp[MAX_LEN]; when data is strcpy(tmp, cmp); copied! return strcmp(tmp, "foobar"); } length of user input 0xe0 0xe0 tmp exploit & nop slide tmp 0xf0 0xf0 saved base pointer saved base pointer don't care return address return address return address 1 st argument: cmp* 1 st argument: cmp* next stack frame next stack frame 0xff 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 17 12/28/10 17

  18. Code injection: heap-based  Exploits a missing or incomplete bound check on heap-based buffers  Very similar to stack-based overflows  Exploit uses two steps:  Buffer on the heap is filled with machine-code  Function pointer, vtable-entry, (GLIBC) destructor, or memory management data-structure altered to redirect control flow  Constraints  Executable heap  Missing/faulty bound check  Successful redirection of the control flow 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 18 12/28/10 18

  19. Code injection: heap-based typedef struct { char buf[MAX_LEN]; int (*cmp)(char*,char*); No bound checks } vstruct; when data is int is_foobar_heap(vstruct* s, char* cmp) { copied! strcpy(s->buf, cmp); return s->cmp(s->buf, "foobar"); } 0xb0 0xb0 length of user input buf exploit & nop slide buf cmp* cmp* cmp* 0xbf 0xbf 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 19 12/28/10 19

  20. Code injection: a tool writers perspect.  The BT would stop the program when the control flow transfer is detected  Before the shellcode is even translated  Two exceptions would be triggered  Code is (about to be) executed in a non-executable area  Function call to an unexported/unknown symbol (heap-based)  RIP mismatch (stack-based)  Use BT to analyze exploits/shellcode  Catch new exploits and security holes  Use debugging info in application to fix bugs  Use BT to audit your own software / test your exploits 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 20 12/28/10 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control Expressions and Statements Control Control is the study of the semantics of

Control Expressions and Statements Control Control is the study of the semantics of

Control Expressions and Statements Control Control is the study of the semantics of execution paths through code. What gets executed, When, and In what order? 2 Control Control is achieved by two major ways: The use of

461 views • 45 slides
Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful? Key concepts Variations on the basic theme Example version control systems 1/22/2014 (c) 2013 RIT Dept. of Software Engineering 2 Motivation

183 views • 16 slides
Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful? Key concepts Variations on the basic theme Example version control systems 1/15/2020 (c) 2013 RIT Dept. of Software Engineering 2 Motivation

226 views • 20 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

OUTLINE SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING + Backward Reasoning Weaker vs. Stronger statements Version control VERSION CONTROL CSE 331 Summer 2018 slides borrowed and

763 views • 11 slides
Coding, Applied Control and Mechatronics Wi-Fi Code QR Code Scanner Accessing supports to date

Coding, Applied Control and Mechatronics Wi-Fi Code QR Code Scanner Accessing supports to date

Problem solving through Coding, Applied Control and Mechatronics Wi-Fi Code QR Code Scanner Accessing supports to date Webinar CPD Workshops To keep up-to-date: Join our mailing List This evening we will Appreciate how

665 views • 45 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
The Evolution of IT Applications: Control of computations hidden in code; integration a

The Evolution of IT Applications: Control of computations hidden in code; integration a

Service Engagements The Evolution of IT Applications: Control of computations hidden in code; integration a nightmare Workflows: Control abstracted out; integration still difficult Standards-driven orchestration: Integration improved;

410 views • 10 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
git and Github git git is a version control system Commonly used by large code development

git and Github git git is a version control system Commonly used by large code development

git and Github git git is a version control system Commonly used by large code development projects to track and commit changes/additions to the codebase. Written by Linus Torvalds to manage the Linux kernel project Other version control

152 views • 14 slides
Introducing the 13 th Code of Practice Due Diligence, Risk Assessment and Control May 2015

Introducing the 13 th Code of Practice Due Diligence, Risk Assessment and Control May 2015

Introducing the 13 th Code of Practice Due Diligence, Risk Assessment and Control May 2015 David Levitt Overview of Code 13 seminars Objectives of DDRAC seminar As a refresher for those who are experienced Introduce DDRAC to new

332 views • 20 slides
6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5

6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5

6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5 Expressions 6.6 Assignments 6.7 Jumps 6.8 Control Structures 6.9 Methods 1 Tasks of Code Generation Generation of machine instructions selecting

802 views • 67 slides
Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482 (Adds new Code Sections: Civil Code 1946.2, 1947.12 and 1947.13) 1946.2 Restricts Certain Owners of Residential Property as to How They Can

369 views • 26 slides
INF5110 Compiler Construction Code generation Spring 2016 1 / 123 Outline 1. Code

INF5110 Compiler Construction Code generation Spring 2016 1 / 123 Outline 1. Code

INF5110 Compiler Construction Code generation Spring 2016 1 / 123 Outline 1. Code generation Intro 2AC and costs of instructions Basic blocks and control-flow graphs Code generation algo Global analysis Bibs 2 / 123 Outline 1. Code

1.61k views • 123 slides
Californias Statewide Rent Control Overview New Eviction and Rent Control Law AB-1482 (Adds

Californias Statewide Rent Control Overview New Eviction and Rent Control Law AB-1482 (Adds

Californias Statewide Rent Control Overview New Eviction and Rent Control Law AB-1482 (Adds new Code Sections: Civil Code 1946.2, 1947.12 and 1947.13) 1947.12 Restricts Rental Increases for Specific Owners 1947.13 Provides

840 views • 24 slides
Standards (code and otherwise) often talk about code standards, but many teams also use

Standards (code and otherwise) often talk about code standards, but many teams also use

Standards (code and otherwise) often talk about code standards, but many teams also use document standards, version control standards, bug reporting standards, process standards, etc goal is to reduce confusion, errors, omissions in

529 views • 5 slides
SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
The Power of SUSE Linux for POWER [FUT1144] Jay Kruemcke Sr. Product Manager Linux for IBM Power

The Power of SUSE Linux for POWER [FUT1144] Jay Kruemcke Sr. Product Manager Linux for IBM Power

The Power of SUSE Linux for POWER [FUT1144] Jay Kruemcke Sr. Product Manager Linux for IBM Power Systems jayk@suse.com @mr_sles Enabling Advanced Data Center Solutions for More Than 20 Years 2000 2002 2004 2008 2010 2012 2014 2015

361 views • 32 slides
Bits and Bytes Topics Topics Why bits? Representing information as bits

Bits and Bytes Topics Topics Why bits? Representing information as bits

Systems I Bits and Bytes Topics Topics Why bits? Representing information as bits Binary/Hexadecimal Byte representations numbers characters and strings Instructions Bit-level manipulations Boolean algebra

614 views • 33 slides
Stock Management: helping customers find their books Natasha Viner (Stock Projects Team Leader)

Stock Management: helping customers find their books Natasha Viner (Stock Projects Team Leader)

Stock Management: helping customers find their books Natasha Viner (Stock Projects Team Leader) The University of Manchester Library Important disclaimer !!!!! Projects: Find a Book Big Book Move Find A Book 19% of students were

655 views • 31 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Exploring vulnerabilities in Android 6.0 fingerprint authentication Thom Does &amp; Mike Maarse

Exploring vulnerabilities in Android 6.0 fingerprint authentication Thom Does &amp; Mike Maarse

Exploring vulnerabilities in Android 6.0 fingerprint authentication Thom Does &amp; Mike Maarse KPMG 02-02-2016 Thom Does &amp; Mike Maarse (KPMG) RP1 Presentation 02-02-2016 1 / 34 Introduction Motivation/relevance Preferred

586 views • 34 slides
Lecture 23 Reminders: Programming Project 5 (reassigned Homework Problem 5.48) due on

Lecture 23 Reminders: Programming Project 5 (reassigned Homework Problem 5.48) due on

Lecture 23 Reminders: Programming Project 5 (reassigned Homework Problem 5.48) due on Thursday. Homework 7 due next Tuesday. Questions? Tuesday, November 15 CS 475 Networks - Lecture 23 1 Outline Chapter 7 - End-to-End Data 7.1

602 views • 20 slides
Parallel Nonnegative Matrix Factorization Algorithms for Hyperspectral Images A Masters Thesis

Parallel Nonnegative Matrix Factorization Algorithms for Hyperspectral Images A Masters Thesis

Parallel Nonnegative Matrix Factorization Algorithms for Hyperspectral Images A Masters Thesis Lukasz Grzegorz Maciak Montclair State University Department of Computer Science 1 Objectives 1. Background 2. Investigate Novel Feature Extraction

887 views • 61 slides

More recommend