lr 2 lr le leakage re resilient
play

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra - PowerPoint PPT Presentation

Feb 13, 2023 •182 likes •578 views

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

  1. LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden † § , Stephen Crane‡, Lucas Davi †, Michael Franz ∗ , Per Larsen ∗ ‡, Christopher Liebchen †, Ahmad- Reza Sadeghi† †TU Darmstadt §EURECOM *UC Irvine ‡ Immunant, Inc.

  3. Today’s Explo loits & Mit itig igations Application Code call *ptr Function A Data Code Pointer

  4. Today’s Explo loits & Mit itig igations Application Code call *ptr Function A Data Overwrite Code Pointer Code Pointer

  5. Today’s Explo loits & Mit itig igations Application Code ? call *ptr • Address Space Layout Function A Randomization Data Overwrite Code Pointer Code Pointer

  6. Today’s Explo loits & Mit itig igations Application Code • Code-Pointer Disclosure call *ptr • Address Space [Serna BH USA’12 ] Layout Function A Randomization Data Read then Overwrite Code Pointer Code Pointer

  7. Today’s Explo loits & Mit itig igations Application ? ? Code ? ? • Code-Pointer Disclosure call *ptr • Address Space [Serna BH USA’12 ] Layout Function A ? ? Randomization ? • Fine-grained Code Randomization Data Read then Overwrite Code Pointer Code Pointer

  8. Today’s Explo loits & Mit itig igations Application Code • Code-Pointer Disclosure call *ptr • Address Space [Serna BH USA’12 ] Layout Function A Randomization • JIT-ROP [ Snow et al. IEEE S&P’13 ] • Fine-grained Code Randomization Data Read then Overwrite Code Pointer Code Pointer

  9. Today’s Explo loits & Mit itig igations Application ? ? Code ? ? • Code-Pointer Disclosure call *ptr Execute • Address Space [Serna BH USA’12 ] Layout Function A only ? ? Randomization • JIT-ROP ? [ Snow et al. IEEE S&P’13 ] • Fine-grained Code Randomization • Execute-only Data Memory Read then Overwrite Code Pointer Code Pointer

  10. Today’s Explo loits & Mit itig igations Application ? ? Code ? ? Code • Code-Pointer Disclosure call *ptr Execute • Address Space Fragment [Serna BH USA’12 ] Layout Function A only ? Code ? Randomization • JIT-ROP ? Fragment [ Snow et al. IEEE S&P’13 ] • Fine-grained Code Randomization • Isomeron (Attack) • Execute-only [Davi et al. NDSS’15] Data Memory Code Pointer Read then Overwrite Code Pointer Code Pointer

  11. Today’s Explo loits & Mit itig igations Application ? ? Code ? ? • Code-Pointer Disclosure call *ptr Execute • Address Space [Serna BH USA’12 ] Layout Function A only ? ? Randomization • JIT-ROP ? [ Snow et al. IEEE S&P’13 ] • Fine-grained Code Code-Pointer Randomization Execute only • Isomeron (Attack) Hiding • Execute-only [Davi et al. NDSS’15] Data Memory Code Pointer Read then Overwrite • Code-Pointer Hiding Code Pointer Code Pointer

  12. Today’s Explo loits & Mit itig igations Application Readactor [IEEE S&P’15] ? ? Readactor++ [CCS’15] Code ? ? • Code-Pointer Disclosure call *ptr Execute • Address Space [Serna BH USA’12 ] Layout Function A only ? ? Randomization • JIT-ROP ? [ Snow et al. IEEE S&P’13 ] • Fine-grained Code Code-Pointer Randomization Execute only • Isomeron (Attack) Hiding • Execute-only [Davi et al. NDSS’15] Data Memory Code Pointer Read then Overwrite • Code-Pointer Hiding Code Pointer Code Pointer

  13. Ex Exec ecut ute-only Memory ry Application Application Execute-Only Memory Support Readactor XnR HideM Desktop/ [IEEE S&P’15] [CCS’14] [CODASPY’15] Server Memory MMU TLB-Splitting Virtualization

  14. Ex Exec ecut ute-only Memory ry Application Application Execute-Only Memory Support Desktop/ Mobile Server

  15. Ex Exec ecut ute-only Memory ry Application Application Execute-Only Memory Support This Talk: Desktop/ Mobile Execute-only Memory without Server Hardware Support

  16. Th Threat Model Read Memory (Information Disclosure) Write Memory (Memory Corruption Vulnerability) Perform Computations (Scripting Engine or Locally) Cannot Inject New Code (DEP, W^X)

  17. LR 2 : LR : Leakage-Re Resilient La Layout t Randomization

  18. LR 2 2 Ov LR Overview • Fine-grained Code Randomization • Software eXecute-only Memory (XoM) • Code-Pointer Hiding • Return Addresses • Forward Pointers

  19. LR 2 2 Ov LR Overview • Software eXecute-only Memory (XoM) • Code-Pointer Hiding • Return Addresses

  20. Sof Software e Xo XoM: Id Idea Application Randomized Code Read [address] Data A

  21. Sof Software e Xo XoM: Id Idea Application Sandboxing Randomized Code Read [address] Data A

  22. Sof Software e Xo XoM: Desig ign Application Kernel Stack Heap Code A Data A Code B Data B

  23. Sof Software e Xo XoM: Desig ign Application Kernel Sandboxing Read Instructions Code B r1 <- addr Code A r1 <- r1 & 0x7FFFFFFF Code Trampolines r0 <- [r1] 2 GB Data Guard Data A Data B Stack Heap

  24. Co Code de-Po Pointer Hiding: Re Return Addresses

  25. Cod Code-Pointer Hid iding: Re Return Addresses Function B Stack … PUSH LR Caller RA CALL Function C B1 POP LR Return LR Caller Return Address Address B1

  26. Cod Code-Pointer Hid iding: Re Return Addresses Function B Stack … Enc(LR, Key B ) PUSH LR Enc(LR, Key B ) Caller RA CALL Function C B1 POP LR Dec(LR, Key B ) Return LR Caller Return Address Address B1

  27. San Sandboxing Read eads: Op Optimizations

  28. Optim imizations: Loops r0 <- address For i <- 0 ; i < X ; ++i Mask r0 r1 <- [r0]

  29. Optim imizations: Loops r0 <- address Mask r0 For i <- 0 ; i < X ; ++i r1 <- [r0]

  30. Optim imizations: Loops r0 <- address Mask r0 For i <- 0 ; i < X ; ++i r1 <- [r0 + i] r1 <- [r0]

  31. Optim imizations: Loops r0 <- address Mask r0 2 GBCode For i <- 0 ; i < X ; ++i Data Guard Region r1 <- [r0 + i] r1 <- [r0] [r0]

  32. Im Implementation

  33. Im Implementatio ion Application • Kernel Kernel • Stack and Heap Allocations • Loader Code B Code A • Code and Data Sections 2 GBCode • Compiler Data • Sandbox Read Instructions Data A Data B Stack Heap

  34. Evalu luation • Security: • Code-Reuse Attacks: Function Permutation • Direct disclosure: Execute-only Memory • Indirect disclosure: • Code-pointer Hiding • Code/Data section decoupling • CPU: Nvidia Tegra Logan K1 • Performance: • 6.6% run-time overhead • 5.6% space overhead

  35. SP SPEC CPU 2006 15 5 -5 -15 -25 Pointer Hiding Restricted Register-Register Addressing Software XoM Code and Data Section Decoupling Full LR2

  36. SP SPEC C CP CPU 2006 Geometric ic Mean 6.63% 6.62% 7 5 2.27% 3 1.45% 1 -1 -3 -3.96% -5 Pointer Hiding Restricted Register-Register Addressing Software XoM Code and Data Section Decoupling Full LR2

  37. LR 2 and LR and Software Fault Is Isolation (SFI) • Different Threat Models • SFI isolates untrusted code • LR 2 protects trusted code • LR 2 can protect multiple load instructions by masking one address • SFI sandboxes write and branch instructions

  38. Co Conclusion • First pure software execute-only memory technique • Optimized return address protection scheme • Performance and security matches state-of-the-art solutions requiring special, high-end hardware

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient Cryptography Traditional Cryptography: adv has only black-box access to a cryptosystem I O LR-Cryptography: open the black-box more

279 views • 25 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy Dodis, Daniel Wichs New York University Speaker: Daniel Wichs CRYPTO 09 Goal of Leakage-Resilient Crypto Model of Leakage Resilience

303 views • 29 slides
Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann Groschdl 3 , Zhe Liu 3 , Praveen K. Vadnala 3 , Srinivas Vivek 3 1 CNRS/Loria, France 2 SCYTL Secure Electronic Voting, Spain 3 University of

712 views • 33 slides
Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Key-Evolution Schemes Resilient to Space Bounded Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure scheme for deterministic key-evolution Properties: leakage-resilient in the random oracle

668 views • 27 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 55 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.29k views • 116 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 51 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.2k views • 104 slides
Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan Dziembowski, Tomasz Kazana, Micha Zaj c , Maciej Zdanowicz Estonian Computer Science Theory Days Jekla 2-4.10.2015 Computers can be

542 views • 32 slides
Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 , F. De Santis 2 , 3 , J. Heyszl 4 , S. Mangard 3 , S. Bela M. Medwed 5 , J.-M. Schmidt 6 , F.-X. Standaert 7 , S. Tillich 8 1 Ecole Normale Sup

754 views • 29 slides
Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April 20th, 2018 1 / 41 Yu Chen 1 Baodong Qin 2 Haiyang Xue 1 1 SKLOIS, IIE, Chinese Academy of Sciences 2 Xian University of Posts and Telecommunication

1.92k views • 115 slides
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of Science Israel Foundations of Cryptography Rigorous analysis of the security of cryptographic schemes Adversarial model Notion of security

428 views • 20 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore, India B. Qin and S. Liu LR-CCA Secure

580 views • 47 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
Understanding Sparse JL for Feature Hashing Meena Jagadeesan Harvard University (Class of 2020)

Understanding Sparse JL for Feature Hashing Meena Jagadeesan Harvard University (Class of 2020)

Understanding Sparse JL for Feature Hashing Meena Jagadeesan Harvard University (Class of 2020) NeurIPS 2019 (Poster #59) Understanding Sparse JL for Feature Hashing Meena Jagadeesan Dimensionality reduction ( 2 -to- 2 ) A randomized

1.05k views • 43 slides
Ongoing developments in IEEE 802.11 WLAN standardisation A study group on randomized and changing

Ongoing developments in IEEE 802.11 WLAN standardisation A study group on randomized and changing

. . . . . . . . . . . . . . . . Ongoing developments in IEEE 802.11 WLAN standardisation A study group on randomized and changing MAC addresses Amelia Andersdotter (Chair, RCM TIG, IEEE 802.11) 1 HotPETS, Stockholm, July 2019 .

498 views • 16 slides
Introduction to Randomized Algorithms Arijit Bishnu ( arijit@isical.ac.in ) Advanced Computing

Introduction to Randomized Algorithms Arijit Bishnu ( arijit@isical.ac.in ) Advanced Computing

Introduction Quick Sort Minimum Enclosing Disk Min Cut Introduction to Randomized Algorithms Arijit Bishnu ( arijit@isical.ac.in ) Advanced Computing and Microelectronics Unit Indian Statistical Institute Kolkata 700108, India. Introduction

1.24k views • 93 slides
Causality: Explanation versus Prediction Department of Government London School of Economics and

Causality: Explanation versus Prediction Department of Government London School of Economics and

MT Causality Counterfactuals Randomized Experiments Causality: Explanation versus Prediction Department of Government London School of Economics and Political Science MT Causality Counterfactuals Randomized Experiments 1 Brief Review of

1.27k views • 77 slides
Chapter 7: Quicksort Quicksort is a divide-and-conquer sorting algorithm in which division is

Chapter 7: Quicksort Quicksort is a divide-and-conquer sorting algorithm in which division is

Chapter 7: Quicksort Quicksort is a divide-and-conquer sorting algorithm in which division is dynamically carried out (as opposed to static division in Mergesort). The three steps of Quicksort are as follows: Divide: Rearrange the elements and

354 views • 18 slides
Counting Basic-Irreducible Factors Mod p k in Deterministic Poly-Time and p -Adic Applications

Counting Basic-Irreducible Factors Mod p k in Deterministic Poly-Time and p -Adic Applications

Counting Basic-Irreducible Factors Mod p k in Deterministic Poly-Time and p -Adic Applications Ashish Dwivedi IIT Kanpur, India Joint work with Rajat Mittal ( IIT Kanpur, India) and Nitin Saxena (IIT Kanpur, India) 34TH COMPUTATIONAL COMPLEXITY

1.49k views • 144 slides
Linear and Sublinear Linear Algebra Algorithms: Preconditioning Stochastic Gradient Algorithms

Linear and Sublinear Linear Algebra Algorithms: Preconditioning Stochastic Gradient Algorithms

Linear and Sublinear Linear Algebra Algorithms: Preconditioning Stochastic Gradient Algorithms with Randomized Linear Algebra Michael W. Mahoney ICSI and Dept of Statistics, UC Berkeley ( For more info, see: http: // www. stat. berkeley. edu/

506 views • 36 slides
Transfer and Multi-Task Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class

Transfer and Multi-Task Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class

Transfer and Multi-Task Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Class Notes 1. The project milestone is next week! 2. HW4 due tonight! 3. HW5 releases shortly (Wed or Fri) Three different options: maximum entropy

773 views • 50 slides

More recommend