injection and a proven countermeasure
play

Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France - PowerPoint PPT Presentation

Sep 10, 2023 •253 likes •535 views

17 September 2015 Buffer Overflow Attack with Multiple Fault Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi Homma, Yu-ichi Hayashi and Takafumi Aoki Tohoku University, Japan GSIS, TOHOKU

  1. 17 September 2015 Buffer Overflow Attack with Multiple Fault Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi Homma, Yu-ichi Hayashi and Takafumi Aoki Tohoku University, Japan GSIS, TOHOKU UNIVERSITY

  2. Embedded devices become attractive  Increase attractions to attack embedded systems  Many devices connect to networks (Internet-of-Things)  Worth paying high cost, e.g., attacks to cryptographic hardware  Fault injection attacks  Inject fault (s) in cryptographic operation, and obtain secret key from faulty output (s)  Fault injection into microcontrollers often brings bit inversion or instruction skip [Agoyan 2010], [Endo 2014] It is possible to apply fault injection techniques to general-purpose software 2/27

  3. Fault injection attacks to general-purpose software  Previous works  Execute arbitrary code in Java Virtual Machine by inverting bits [Govindavajhala 2003], [Bouffard 2011]  Cause effect like buffer overflow (BOF) using instruction skip [Fouque 2012]  Not only cryptographic software  Fault injection attacks are also threat to general-purpose software 3/27

  4. This work  Propose buffer overflow attack with multiple fault injection  Instruction skips are not considered in most software  Can invalidate countermeasures by secure coding  Overcome typical software countermeasure and perform general buffer overflow (BOF) attack  Propose effective countermeasure and prove its validity Attacks to hardware Attacks to software DoS attacks, Side-channel attacks, + BOF attacks, Fault injection attacks Injection attacks 4/27

  5. Outline  Background  Buffer overflow attacks  Proposed attack & experiment  Countermeasure  Conclusion 5/27

  6. What are BOF attacks?  Buffer overflow (BOF)  Invalid memory overwrite caused by input that exceeds assigned memory size  Commonly happen when using flexible languages that can finely handle a memory region, such as C/C++  strcpy() , scanf() , gets() are dangerous  BOF attacks  Use BOF vulnerability to execute malicious operations  Abnormal stop of OS or applications  Gaining administrator rights 6/27

  7. How to perform BOF attack (e.g., strcpy()) int main(int argc, char *argv[]) { void sub_function(char *data) { sub_function(data); char buf[20]; ① ② return 0; strcpy(buf, data); ③ } return; } ③ String-copy operation ② Memory allocation ① Function call 0x0000 Input data buf [20] empty Stack Pointer Stack Pointer Stack Pointer Return Address Return Address Return Address 0xFFFF 7/27

  8. How to perform BOF attack (e.g., strcpy()) int main(int argc, char *argv[]) { void sub_function(char *data) { sub_function(data); char buf[20]; ① ② return 0; strcpy(buf, data); ③ } return; } ③ String-copy operation ② Memory allocation ① Function call 0x0000 buf [20] Data Attack Stack Pointer Stack Pointer Stack Pointer Code Return Address Return Address Return Address 0xFFFF Shell Code 8/27

  9. Countermeasure against BOF attacks Name Method Layer ASLR Change stack address for OS (Address Space Layout every execution. (Operating System) Randomization) SG Add random numbers and check them at the end of function. Compiler (Stack Guard) DEP (Data Execution Prohibit execution of all code Prevention), OS, CPU, Compiler in the stack. ES (Exec Shield) ISL Use function that can limit input Program (Input Size Limitation) size.  Input Size Limitation (ISL)  Only need standard C library  Simply change function to use  strcpy(dest, src) → strncpy(dest, src, size) 9/27

  10. Outline  Background  Buffer Overflow Attacks  Proposed attack & Experiment  Countermeasure  Conclusion 10/27

  11. Concept of the proposed attack  Assumption  Feeding glitchy clock signal into CPU enables instruction skip(s). Glitchy clock signal Skip multiple and arbitrary instructions  Attack method  Skip a few instructions while input attack code, and invalidate boundary check to make buffers overflowed  Take control of CPU like common attacks 11/27

  12. BOF using instruction skips  Target function START  strncpy(dst, src, size) cnt -- 1  Limit input size up to size Yes 2 cnt < 0  Target instructions No ① Subtract (update) instruction Copy 1 character Continue the loop without update No → Increase input size by 1 character null ? Yes ② Branch instruction END Continue the loop unconditionally → Over the assigned size Simplified flow of strncpy() 12/27

  13. Experimental setup Smart card (AVR ATmega163)  Equipments  SASEBO-W (Side-channel Attack Standard Evaluation BOard)  Smart card (AVR ATmega163) Clock glitch  PC generator Communicate (on FPGA) with PC  Conditions Microcontroller AVR ATmega163 (8 bit) Clock frequency of microcontroller Up to 8 MHz Compiler avr gcc (4.3.3) (Not optimized by -o0) FPGA Xilinx XC6SLX150-FGG484 Attack condition Program is known 13/27

  14. Experimental outline  Procedure  Invalidate the countermeasure of strncpy() and perform BOF attack  Overwrite return address to call function in the program  Control flow PC Smart card 1. User input ( 32 byte ) 2. Handle input data 1 ’. Fault injection command Store 19 byte into char msg[20] by using 3. Memory dump strncpy() Time 14/27

  15. Result char msg[20]  No fault, “A...A” (20 byte) Stack Pointer + Return Address  5 faults, “A...A (0x38) (0x04) (0x04) (0x08)” (24 byte) void hello_world() { memcpy ((char*)0x120, “hello world!”, 12); } Function maliciously called by BOF attack (The address is got by the object dump of the program) 15/27

  16. Result char msg[20]  No fault, “A...A” (20 byte) Stack Pointer + Return Address  5 faults, “A...A (0x38) (0x04) (0x04) (0x08)” (24 byte) 16/27

  17. Possibility of proposed attack  Target functions START  User functions that have iteration Loop 1 2  strncpy(), fgets(), strncmp(), Load data from memory memcpy() 3 CERT/CC Top 10 Secure Coding Practices [1] Store data into memory No1: Validate input.  Attack conditions continue end  Physically accessible judgement end (fault injection) END  Program is known Vulnerable structure (BOF attack) 17/27 [1] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

  18. Example of attack scenario  Malicious firmware update in M2M network master 1. Sign update program by private key Internet 2. Check validity of the program by public key node  Send malicious update program, and perform BOF attack  Directly call update function Machine To Machine (M2M) sensor network 18/27

  19. Outline  Background  Buffer Overflow Attacks  Proposed attack & Experiment  Countermeasure  Conclusion 19/27

  20. How to protect branch instruction  Locate branch instruction at the bottom of loop “Skip branch → The loop is finished” START START cnt -- Copy 1 character Yes Yes cnt < 0 null ? No No Copy 1 character cnt -- No No null ? cnt < 0 Yes Yes END END 20/27

  21. How to protect branch instruction  Locate branch instruction at the bottom of loop “Skip branch → The loop is finished” START START cnt -- Copy 1 character Yes null ? No Copy 1 character cnt -- No null ? Yes END END 21/27

  22. How to protect update instruction  Associate loop counter with store address “Skip update → Data is stored into same address” INIT: str = init str = init INIT: 0 finish size end = size + str cnt init + size = init + size end finish init init str str init init+size a b c d e - - a b c d e - - Skip the update Skip the update BOF a b c d e f - a b c d f - - 22/27

  23. Application to AVR microcontroller 1 my_strncpy: 1 strncpy: 2 INIT: 2 INIT: 3 movw r30, r22 3 movw r30, r22 4 movw r26, r24 4 movw r26, r24 5 add r20, r26 5 LOOP: 6 adc r21, r27 6 subi r20, 0x01 7 rjmp CMP 7 sbci r21, 0x00 8 LOOP: 8 brcs END 9 ld r0, Z+ 9 ld r0, Z+ 10 st X, r0 10 st X+, r0 11 adiw r26, 0x01 11 and r0, r0 12 and r0, r0 12 brne LOOP 13 breq Z_CMP 13 rjmp Z_CMP 14 CMP: … 15 cp r26, r20 Protected instructions 16 cpc r27, r21 Update instructions 17 brlo LOOP 18 ret Branch instruction 23/27 …

  24. Security evaluation my_strncpy: # 20 inst  Assumptions of attackers INIT: movw r30, r22 1. Skip multiple and arbitrary instructions movw r26, r24 add r20, r26 1 2. Use BOF adc r21, r27 2 3. All flags are reset when my_strncpy() rjmp CMP is called LOOP: ld r0, Z+ st X, r0  Evaluation method adiw r26, 0x01 and r0, r0  Examine all the possible instruction breq Z_CMP skips (2 20 patterns) CMP: cp r26, r20 3  Consider all the combinations of four cpc r27, r21 4 instructions by above assumptions brlo LOOP ret 24/27 …

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Confusion / dilution countermeasure #UDT2019 Objective Two types of anti torpedo countermeasure

Confusion / dilution countermeasure #UDT2019 Objective Two types of anti torpedo countermeasure

Confusion / dilution countermeasure #UDT2019 Objective Two types of anti torpedo countermeasure exist : Hard kill countermeasure The aim is to home in, on torpedo and to destroy or disabling torpedo by blast or physically smashing into.

168 views • 14 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
Return-to-libc Attacks Outline Non-executable Stack countermeasure How to defeat the

Return-to-libc Attacks Outline Non-executable Stack countermeasure How to defeat the

Return-to-libc Attacks Outline Non-executable Stack countermeasure How to defeat the countermeasure Tasks involved in the attack Function Prologue and Epilogue Launching attack Non-executable Stack Running shellcode in C

516 views • 27 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
PROVEN BASIN PROVEN STRATEGY PROVEN TEAM Acquisition of a Prized Acreage Position in the

PROVEN BASIN PROVEN STRATEGY PROVEN TEAM Acquisition of a Prized Acreage Position in the

PROVEN BASIN PROVEN STRATEGY PROVEN TEAM Acquisition of a Prized Acreage Position in the Cooper-Eromanga Basin February 2020 Disclaimer Summary of information: This presentation contains general and background information about Doriemuss

366 views • 22 slides
Spill Prevention Control &amp; Spill Prevention Control &amp; Countermeasure Countermeasure

Spill Prevention Control &amp; Spill Prevention Control &amp; Countermeasure Countermeasure

Spill Prevention Control &amp; Spill Prevention Control &amp; Countermeasure Countermeasure (SPCC) Presentation (SPCC) Presentation Prepared by: Environmental Advisors and Engineers, Inc. Environmental Advisors and Engineers 19211 W. 64 th

616 views • 36 slides
Approach to Stress Reduction and Exercise Countermeasure Effectiveness Before, During &amp; in

Approach to Stress Reduction and Exercise Countermeasure Effectiveness Before, During &amp; in

Yoga Therapy as a Complementary Approach to Stress Reduction and Exercise Countermeasure Effectiveness Before, During &amp; in Post-flight Rehabilitation Joan Vernikos CEO, Third Age LLC Dilip Sarkar Chair, School of Integrative Medicine

490 views • 15 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
A PROVEN TEAM WITH A PROVEN EN STRAT ATEG EGY March rch 2016 NYSE MKT: T: PZG This

A PROVEN TEAM WITH A PROVEN EN STRAT ATEG EGY March rch 2016 NYSE MKT: T: PZG This

A PROVEN TEAM WITH A PROVEN EN STRAT ATEG EGY March rch 2016 NYSE MKT: T: PZG This Presentation contains forward - looking statements within the meaning of applicable securities laws relating to Paramount Gold Nevada Corp.

498 views • 33 slides
Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September

493 views • 45 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
Using the Linux Tracing Infrastructure Jan Altenberg Linutronix GmbH Jan Altenberg Linutronix

Using the Linux Tracing Infrastructure Jan Altenberg Linutronix GmbH Jan Altenberg Linutronix

Using the Linux Tracing Infrastructure Jan Altenberg Linutronix GmbH Jan Altenberg Linutronix GmbH 1 Overview . Linutronix GmbH Jan Altenberg 9 Tracecompass . . 8 Kernelshark . . 7 trace-cmd . . 6 uprobes . 5 kprobes . . . 4

944 views • 52 slides
Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup

Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup

Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup December Workgroups aims; - Long-term ambition - Specific issues caused by the short-term problems - Agree Workplan January

656 views • 14 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang

vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang

RTSS 2014 vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang Raj Rajkumar * shige.wang@gm.com raj@ece.cmu.edu hyoseung@cmu.edu * General Motors R&amp;D RTSS 2014 Benefits of Multi-Core

538 views • 24 slides
C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: Low-level Software Security by Example by Erlingsson, Younan and Piessens KATHOLIEKE Secappdev

1.03k views • 77 slides
Preservation of Timing Properties with the Ada Ravenscar Profile Enrico Mezzetti, Marco Panunzio,

Preservation of Timing Properties with the Ada Ravenscar Profile Enrico Mezzetti, Marco Panunzio,

Preservation of Timing Properties with the Ada Ravenscar Profile Enrico Mezzetti, Marco Panunzio, Tullio Vardanega Department of Pure and Applied Mathematics University of Padova, Italy {emezzett, panunzio, tullio.vardanega}@math.unipd.it 15th

470 views • 17 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
The Rio File Cache: Surviving Operating System Crashes Peter M. Chen, Wee Teck Ng, Subhachandra

The Rio File Cache: Surviving Operating System Crashes Peter M. Chen, Wee Teck Ng, Subhachandra

The Rio File Cache: Surviving Operating System Crashes Peter M. Chen, Wee Teck Ng, Subhachandra Chandra, Christopher Aycock, Gurushankar Rajamani, David Lowell Computer Science and Engineering Division Electrical Engineering and Computer

311 views • 10 slides

More recommend