memory corruption
play

Memory corruption public enemy number 1 Erik Poll Digital Security - PowerPoint PPT Presentation

Sep 18, 2023 •342 likes •1.82k views

Software Security Memory corruption public enemy number 1 Erik Poll Digital Security Radboud University Nijmegen 1 Security in the development lifecycle 2.1 week 3: exercise week4: group project Security in the development lifecycle

  1. Spot all (potential) defects … 1000 1001 void f (){ possible null dereference char* buf, buf1; (if malloc failed) 1002 buf = malloc(100); 1003 buf [0] = ’a’; 1004 ... free(buf1); 2001 buf [0] = ’b’; 2002 use-after-free; buf[0] points ... to de-allocated memory free(buf); 3001 buf [0] = ’c’; 3002 buf1 = malloc(100); 3003 buf [0] = ’d’ 3004 use-after-free, but now buf[0] 3005 } might point to memory that has now been re-allocated 15.4

  2. Spot all (potential) defects … 1000 1001 void f (){ possible null dereference char* buf, buf1; (if malloc failed) 1002 buf = malloc(100); 1003 buf[0] = ’ a ’ ; 1004 potential use-after-free ... if buf & buf1 are aliased free(buf1); 2001 buf[0] = ’ b ’ ; 2002 use-after-free; buf[0] points ... to de-allocated memory free(buf); 3001 buf[0] = ’ c ’ ; 3002 buf1 = malloc(100); 3003 buf[0] = ’ d ’ 3004 use-after-free, but now buf[0] 3005 } might point to memory that has now been re-allocated 15.5

  3. Spot all (potential) defects … 1000 1001 void f (){ possible null dereference char* buf, buf1; (if malloc failed) 1002 buf = malloc(100); 1003 buf[0] = ’ a ’ ; 1004 potential use-after-free ... if buf & buf1 are aliased free(buf1); 2001 buf[0] = ’ b ’ ; 2002 use-after-free; buf[0] points ... to de-allocated memory free(buf); 3001 memory leak; pointer buf1 buf[0] = ’ c ’ ; 3002 to this memory is lost & buf1 = malloc(100); 3003 memory is never freed buf[0] = ’ d ’ 3004 use-after-free, but now buf[0] 3005 } might point to memory that has now been re-allocated 15.6

  4. How does classic buffer overflow work? aka smashing the stack 16

  5. Process memory layout High Arguments/ Environment Stack grows addresses down, by procedure Stack calls Unused Memory Heap grows Heap (dynamic data) up, eg. by malloc .data Static Data and new Low Program Code .text addresses 17

  6. Stack layout The stack consists of Activation Records: AR main() void f(int x) { Stack grows char[8] buf; downwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 18.1

  7. Stack layout The stack consists of Activation Records: AR main() AR f() void f(int x) { Stack grows char[8] buf; downwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 18.2

  8. Stack layout The stack consists of Activation Records: x AR main() return address AR f() buf[4..7] buf[0..3] void f(int x) { Stack grows char[8] buf; downwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 18.3

  9. Stack layout The stack consists of Activation Records: x AR main() return address AR f() buf[4..7] buf[0..3] void f(int x) { Stack grows char[8] buf; downwards gets(buf); } void main() { f( … ); … } void format_hard_disk(){ … } 18.4

  10. Stack layout The stack consists of Activation Records: x AR main() return address AR f() buf[4..7] buf[0..3] void f(int x) { Stack grows Buffer grows char[8] buf; downwards upwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 18.5

  11. Stack overflow attack - case 1 What if gets() reads more than 8 bytes ? x AR main() return address AR f() buf[4..7] buf[0..3] void f(int x) { char[8] buf; gets(buf); } void main() { f( … ); … } void format_hard_disk(){ … } 19.1

  12. Stack overflow attack - case 1 What if gets() reads more than 8 bytes ? Attacker can jump to arbitrary point in the code! x AR main() return address AR f() buf[4..7] buf[0..3] void f(int x) { char[8] buf; gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 19.2

  13. Stack overflow attack - case 2 What if gets() reads more than 8 bytes ? Attacker can jump to his own code (aka shell code) x AR main() return address AR f() /bin/sh exec void f(int x) { char[8] buf; gets(buf); } void main() { f( … ); … } void format_hard_disk(){ … } 20

  14. Stack overflow attack - case 2 What if gets() reads more than 8 bytes ? Attacker can jump to his own code (aka shell code) x AR main() return address AR f() /bin/sh exec never use gets! void f(int x) { char[8] buf; gets(buf); gets has been removed from } the C standard in 2011 void main() { f( … ); … } void format_hard_disk(){ … } 21

  15. Code injection vs code reuse The two attack scenarios in these examples (2) is a code injection attack attacker inserts his own shell code in a buffer and corrupts return addresss to point to this code In the example, exec('/bin/sh') This is the classic buffer overflow attack [Smashing the stack for fun and profit, Aleph One, 1996] (1) is a code reuse attack attacker corrupts return address to point to existing code In the example, format_hard_disk Lots of details to get right! knowing precise location of return address and other data on • stack, knowing address of code to jump to, .... 22

  16. What to attack? More fun on the stack void f(void(*error_handler)(int),...) { int diskquota = 200; bool is_super_user = false; char* filename = "/tmp/scratchpad"; char[8] username; int j = 12; ... } Suppose the attacker can overflow username 23.1

  17. What to attack? More fun on the stack void f(void(*error_handler)(int),...) { int diskquota = 200; bool is_super_user = false; char* filename = "/tmp/scratchpad"; char[8] username; int j = 12; ... } Suppose the attacker can overflow username In addition to corrupting the return address, this might corrupt pointers, eg filename • other data on the stack, eg is_super_user,diskquota • function pointers, eg error_handler • But not j , unless the compiler chooses to allocate variables in a different order, which the compiler is free to do. 23.2

  18. What to attack? Fun on the heap struct BankAccount { int number; char username[20]; int balance; } Suppose attacker can overflow username 24.1

  19. What to attack? Fun on the heap struct BankAccount { int number; char username[20]; int balance; } Suppose attacker can overflow username This can corrupt other fields in the struct. Which field(s) can be corrupted depends on the order of the fields in memory, which the compiler is free to choose . 24.2

  20. Spotting the problem

  21. Reminder: C chars & strings A char in C is always exactly one byte • A string is a sequence of char s terminated by a NULL byte • String variables are pointers of type char* • char* str = "hello"; // a string str strlen(str) = 5 str h e l l o \0 26

  22. Example: gets char buf[20]; gets(buf); // read user input until // first EoL or EoF character • Never use gets • gets has been removed from the C library • Use fgets(buf, size, file) instead 27

  23. Example: strcpy char dest[20]; strcpy(dest, src); // copies string src to dest • strcpy assumes dest is long enough and src is null-terminated • Use strncpy(dest, src, size) instead 28.1

  24. Example: strcpy char dest[20]; strcpy(dest, src); // copies string src to dest • strcpy assumes dest is long enough and src is null-terminated • Use strncpy(dest, src, size) instead Beware of difference between sizeof and strlen sizeof(dest) = 20 // size of an array strlen(dest) = number of chars up to first null byte // length of a string 28.2

  25. Spot the defect! char buf[20]; char prefix[] = "http://"; char* path; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf 29

  26. Spot the defect! (1) char buf[20]; char prefix[] = "http://"; char* path; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf 30.1

  27. Spot the defect! (1) char buf[20]; char prefix[] = "http://"; char* path; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf strncat ’ s 3rd parameter is number of chars to copy, not the buffer size So this should be sizeof(buf)-7 30.2

  28. Spot the defect! (2) char src[9]; char dest[9]; char* base_url = "www.ru.nl"; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest 31

  29. Spot the defect! (2) char src[9]; base_url is 10 chars long, incl. char dest[9]; its null terminator, so src will not be null-terminated char* base_url = "www.ru.nl"; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest 32

  30. Spot the defect! (2) char src[9]; base_url is 10 chars long, incl. char dest[9]; its null terminator, so src is now not null-terminated char* base_url = ” www.ru.nl ” ; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest so strcpy will overrun the buffer dest, because src is not null-terminated 33

  31. Example: strcpy and strncpy Don ’ t replace strcpy(dest, src) with strncpy(dest, src, sizeof(dest)) but with strncpy(dest, src, sizeof(dest)-1) dst[sizeof(dest)-1] = '\0'; if dest should be null-terminated! NB: a strongly typed programming language would guarantee that strings are always null-terminated, without the programmer having to worry about this... 34

  32. Spot the defect! (3) char *buf; int len; ... buf = malloc(MAX(len,1024)); // allocate buffer read(fd,buf,len); // read len bytes into buf 35

  33. Spot the defect! (3) char *buf; int len; ... buf = malloc(MAX(len,1024)); // allocate buffer read(fd,buf,len); // read len bytes into buf What happens if len is negative? The length parameter of read is unsigned! So negative len is interpreted as a big positive one! (At the exam, you ’ re not expected to remember that read treats its 3 rd argument as an unsigned int) 36

  34. Spot the defect! (3) char *buf; int len; ... if (len < 0) {error ("negative length"); return; } buf = malloc(MAX(len,1024)); read(fd,buf,len); Note that buf is not guaranteed to be null-terminated; we ignore this for now. 37

  35. Spot the defect! (3) char *buf; int len; ... if (len < 0) {error ("negative length"); return; } buf = malloc(MAX(len,1024)); read(fd,buf,len); 38.1

  36. Spot the defect! (3) char *buf; What if the malloc() fails, int len; because we ran out of memory ? ... if (len < 0) {error ("negative length"); return; } buf = malloc(MAX(len,1024)); read(fd,buf,len); 38.2

  37. Spot the defect! (3) char *buf; int len; ... if (len < 0) {error ("negative length"); return; } buf = malloc(MAX(len,1024)); if (buf==NULL) { exit(-1);} // or something a bit more graceful read(fd,buf,len); 39

  38. Better still char *buf; int len; ... if (len < 0) {error ("negative length"); return; } buf = calloc(MAX(len,1024)); //to initialise allocate memory to 0 if (buf==NULL) { exit(-1);} // or something a bit more graceful read(fd,buf,len); 40

  39. Spot the defect! #define MAX_BUF 256 void BadCode (char* in) { short len; char buf[MAX_BUF]; len = strlen(in); if (len < MAX_BUF) strcpy(buf,in); } 41

  40. Spot the defect! #define MAX_BUF 256 void BadCode (char* in) { short len; char buf[MAX_BUF]; len = strlen(in); if (len < MAX_BUF) strcpy(buf,in); } 42.1

  41. Spot the defect! #define MAX_BUF 256 What if in is longer than 32K ? void BadCode (char* in) { short len; char buf[MAX_BUF]; len = strlen(in); if (len < MAX_BUF) strcpy(buf,in); } 42.2

  42. Spot the defect! #define MAX_BUF 256 What if in is longer than 32K ? void BadCode (char* in) { short len; len may be a negative number, char buf[MAX_BUF]; due to integer overflow len = strlen(in); if (len < MAX_BUF) strcpy(buf,in); } 42.3

  43. Spot the defect! #define MAX_BUF 256 What if in is longer than 32K ? void BadCode (char* in) { short len; len may be a negative number, char buf[MAX_BUF]; due to integer overflow len = strlen(in); hence: potential buffer overflow if (len < MAX_BUF) strcpy(buf,in); } 42.4

  44. Spot the defect! #define MAX_BUF 256 What if in is longer than 32K ? void BadCode (char* in) { short len; len may be a negative number, char buf[MAX_BUF]; due to integer overflow len = strlen(in); hence: potential buffer overflow if (len < MAX_BUF) strcpy(buf,in); } The integer overflow is the root problem, the (heap) buffer overflow it causes makes it exploitable See https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=integer+overflow 42.5

  45. Spot the defect! bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } 43.1

  46. Spot the defect! bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } effectively does a malloc(count*sizeof(type)) which may cause integer overflow 43.2

  47. Spot the defect! bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } effectively does a malloc(count*sizeof(type)) which may cause integer overflow And this integer overflow can lead to a (heap) buffer overflow Since 2005 Visual Studio C++ compiler adds check to prevent this 43.3

  48. NB absence of language-level security In a safer programming language than C/C++, the programmer would not have to worry about writing past array bounds • (because you'd get an IndexOutOfBoundsException instead) implicit conversions from signed to unsigned integers • (because the type system/compiler would forbid this or warn) malloc possibly returning null • (because you'd get an OutOfMemoryException instead) malloc not initialising memory • (because language could always ensure default initialisation) integer overflow • (because you'd get an IntegerOverflowException instead) ... • 44

  49. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } 45.1

  50. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means 45.2

  51. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means You cannot assume that overflow produces a negative number; • so line 2 is not a good check for integer overflow. 45.3

  52. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means You cannot assume that overflow produces a negative number; • so line 2 is not a good check for integer overflow. Worse still, if integer overflow occurs, behaviour is undefined, and • ANY compilation is ok 45.4

  53. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means You cannot assume that overflow produces a negative number; • so line 2 is not a good check for integer overflow. Worse still, if integer overflow occurs, behaviour is undefined, and • ANY compilation is ok So compiled code can do anything if start+100 overflows • 45.5

  54. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means You cannot assume that overflow produces a negative number; • so line 2 is not a good check for integer overflow. Worse still, if integer overflow occurs, behaviour is undefined, and • ANY compilation is ok So compiled code can do anything if start+100 overflows • So compiled code can do nothing if start+100 overflows • 45.6

  55. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means You cannot assume that overflow produces a negative number; • so line 2 is not a good check for integer overflow. Worse still, if integer overflow occurs, behaviour is undefined, and • ANY compilation is ok So compiled code can do anything if start+100 overflows • So compiled code can do nothing if start+100 overflows • This means the compiler may remove line 2 • 45.7

  56. Spot the defect! 1. void* f(int start) 2. if (start+100 < start) return SOME_ERROR; 3. // checks for overflow 4. for (int i=start; i < start+100; i++) { 5. . . . // i will not overflow 6. } } Integer overflow is undefined behaviour! This means You cannot assume that overflow produces a negative number; • so line 2 is not a good check for integer overflow. Worse still, if integer overflow occurs, behaviour is undefined, and • ANY compilation is ok So compiled code can do anything if start+100 overflows • So compiled code can do nothing if start+100 overflows • This means the compiler may remove line 2 • Modern C compilers are clever enough to know x+100 < x is always false, and optimise code accordingly 45.8

  57. Spot the defect! (code from Linux kernel) 1. unsigned int tun_chr_poll( struct file *file, 2. poll_table *wait) 3. { ... 4. struct sock *sk = tun->sk; // take sk field of tun 5. if (!tun) return POLLERR; // return if tun is NULL 6. ... 7. } 46.1

  58. Spot the defect! (code from Linux kernel) 1. unsigned int tun_chr_poll( struct file *file, 2. poll_table *wait) 3. { ... 4. struct sock *sk = tun->sk; // take sk field of tun 5. if (!tun) return POLLERR; // return if tun is NULL 6. ... 7. } If tun is a null pointer, then tun->sk is undefined 46.2

  59. Spot the defect! (code from Linux kernel) 1. unsigned int tun_chr_poll( struct file *file, 2. poll_table *wait) 3. { ... 4. struct sock *sk = tun->sk; // take sk field of tun 5. if (!tun) return POLLERR; // return if tun is NULL 6. ... 7. } If tun is a null pointer, then tun->sk is undefined What this function does if tun is null is undefined: ANYTHING may happen then. 46.3

  60. Spot the defect! (code from Linux kernel) 1. unsigned int tun_chr_poll( struct file *file, 2. poll_table *wait) 3. { ... 4. struct sock *sk = tun->sk; // take sk field of tun 5. if (!tun) return POLLERR; // return if tun is NULL 6. ... 7. } If tun is a null pointer, then tun->sk is undefined What this function does if tun is null is undefined: ANYTHING may happen then. So compiler can remove line 5, as the behaviour when tun is NULL is undefined anyway, so this check is 'redundant'. 46.4

  61. Spot the defect! (code from Linux kernel) 1. unsigned int tun_chr_poll( struct file *file, 2. poll_table *wait) 3. { ... 4. struct sock *sk = tun->sk; // take sk field of tun 5. if (!tun) return POLLERR; // return if tun is NULL 6. ... 7. } If tun is a null pointer, then tun->sk is undefined What this function does if tun is null is undefined: ANYTHING may happen then. So compiler can remove line 5, as the behaviour when tun is NULL is undefined anyway, so this check is 'redundant'. Standard compilers (gcc, clang) do this 'optimalisation' ! This is actually code from the Linux kernel, and removing line 5 led to a security vulnerability [CVE-2009-1897] 46.5

  62. Spot the defect! (code from Windows kernel) // TCHAR is 1 byte ASCII or multiple byte UNICODE #ifdef UNICODE # define TCHAR wchar_t # define _sntprintf _snwprintf #else # define TCHAR char # define _sntprintf _snprintf #endif TCHAR buf[MAX_SIZE]; _sntprintf(buf, sizeof(buf), input); For code handling ASCI: 1 character is one byte For code handling UNICODE: 1 character is several bytes [slide from presentation by Jon Pincus] 47.1

  63. Spot the defect! (code from Windows kernel) // TCHAR is 1 byte ASCII or multiple byte UNICODE #ifdef UNICODE # define TCHAR wchar_t # define _sntprintf _snwprintf #else # define TCHAR char sizeof(buf) is the size in bytes , # define _sntprintf _snprintf but this parameter gives the number #endif of characters that will be copied TCHAR buf[MAX_SIZE]; _sntprintf(buf, sizeof(buf), input); For code handling ASCI: 1 character is one byte For code handling UNICODE: 1 character is several bytes Lots of code written under the assumption that characters are one byte contained overflows after switch from ASCI to Unicode The CodeRed worm exploited such an mismatch. [slide from presentation by Jon Pincus] 47.2

  64. Spot the defect! #include <stdio.h> int main(int argc, char* argv[]) { if (argc > 1) printf(argv[1]); return 0; } 48.1

  65. Spot the defect! #include <stdio.h> int main(int argc, char* argv[]) { if (argc > 1) printf(argv[1]); return 0; } This program is vulnerable to format string attacks, where calling the program with strings containing special characters can result in a buffer overflow attack. 48.2

  66. Format string attacks New type of memory corruption discovered in 2000 • Strings can contain special characters, eg %s in printf("Cannot find file %s", filename); Such strings are called format strings • What happens if we execute the code below? printf("Cannot find file %s"); • What can happen if we execute printf(string) where string is user-supplied ? Esp. if it contains special characters, eg %s, %x, %n, %hn? 49

  67. Format string attacks Suppose attacker can feed malicious input string s to printf(s) . This can 50.1

  68. Format string attacks Suppose attacker can feed malicious input string s to printf(s) . This can read the stack • % x reads and prints bytes from stack so the input % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x... dumps the stack ,including passwords, keys, … stored on the stack 50.2

  69. Format string attacks Suppose attacker can feed malicious input string s to printf(s) . This can read the stack • % x reads and prints bytes from stack so the input % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x... dumps the stack ,including passwords, keys, … stored on the stack corrupt the stack • % n writes the number of characters printed to the stack, so input 12345678 % n writes value 8 to the stack 50.3

  70. Format string attacks Suppose attacker can feed malicious input string s to printf(s) . This can read the stack • % x reads and prints bytes from stack so the input % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x % x... dumps the stack ,including passwords, keys, … stored on the stack corrupt the stack • % n writes the number of characters printed to the stack, so input 12345678 % n writes value 8 to the stack read arbitrary memory • a carefully crafted format string of the form \xEF\xCD\xCD\xAB %x%x...%x%s print the string at memory address ABCDCDEF 50.4

  71. -Wformat-overflow Preventing format string attacks is EASY Always replace printf(str) • with printf("%s", str) Compiler or static analysis tool could warn if the number of • arguments does not match the format string, eg in printf ("x is %i and y is %i", x); Eg gcc has (far too many?) command line options for this: -Wformat – Wformat-no-literal – Wformat-security ... Check https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string to see how depressingly common format strings still are 51.1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and expensive problem Impractical to manually review code for it Corruption can easily be introduced by unwary changes (again with the

702 views • 45 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

340 views • 4 slides
New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption measured Complex issue without an exact answer Perception of corruption vs. corruption What can be done? Policy measures Preventive

702 views • 12 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource Centre Anti-Corruption in development: Evolution of practice 1 st generation: the principal-agent problem Corruption = Monopoly + Discretion

417 views • 7 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr. T.M.Bhasin Vigilance Commissioner, CVC at National Judicial Academy, Bhopal on 04.09.2016 1 Corruption Definition and Cause World Bank

473 views • 43 slides
Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe Why? Why? Why? Why? Why? twitter made me do it!

959 views • 92 slides
Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption Introduction Gender and Corruption Women are often perceived as less susceptable to corruption than men. In Mexico City traffic officers all

768 views • 33 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine

Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine

International Legal Framework Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine Anti-Corruption Workshop for Legal Professionals 19 March, 2015 Kyiv, Ukraine Defining corruption Definition of

407 views • 14 slides
POLI 437: International Relations of Latin America This week Corruption and the Odebrecht

POLI 437: International Relations of Latin America This week Corruption and the Odebrecht

POLI 437: International Relations of Latin America This week Corruption and the Odebrecht Scandal Can transparency reduce corruption? Corruption is an everywhere problem Roasted at Mardi Gras But what is it, exactly? Corruption is

980 views • 68 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Secure Computation using Leaky Correlations (Asymptotically Optimal Constructions) Alexander R.

Secure Computation using Leaky Correlations (Asymptotically Optimal Constructions) Alexander R.

Secure Computation using Leaky Correlations (Asymptotically Optimal Constructions) Alexander R. Block 1 , Divya Gupta 2 , Hemanta K. Maji 1 , Hai H. Nguyen 1 1 Purdue University, {block9,hmaji,nguye245}@purdue.edu 2 Microsoft Research, Banaglore,

960 views • 76 slides
Political Market Failures and Corruption November 2008 () Political Market Failures and

Political Market Failures and Corruption November 2008 () Political Market Failures and

Political Market Failures and Corruption November 2008 () Political Market Failures and Corruption November 2008 1 / 9 When Does Political Competition Lead to Optimal Provision of Public Goods? Political economy models predict that policy in

103 views • 9 slides
The Bribery Act Adequate Procedures Susannah Cogman, Herbert Smith LLP February 2011 1 The

The Bribery Act Adequate Procedures Susannah Cogman, Herbert Smith LLP February 2011 1 The

The Bribery Act Adequate Procedures Susannah Cogman, Herbert Smith LLP February 2011 1 The Bribery Act - Background The Bribery Act 2010 The Bribery Act will repeal the common law offence of bribery, the 1889, 1906 and 1916 Acts

588 views • 33 slides
Reinforcement Learning with a Corrupted Reward Channel Tom Everitt, Victoria Krakovna, Laurent

Reinforcement Learning with a Corrupted Reward Channel Tom Everitt, Victoria Krakovna, Laurent

Reinforcement Learning with a Corrupted Reward Channel Tom Everitt, Victoria Krakovna, Laurent Orseau, Marcus Hutter, Shane Legg IJCAI 2017 and arXiv (slides adapted from Tom's IJCAI talk) Motivation Want to give RL agents good incentives

390 views • 20 slides
3.26pt Randomized Projections for Corrupted Linear Systems Jamie Haddock 1 , Deanna Needell 2 1

3.26pt Randomized Projections for Corrupted Linear Systems Jamie Haddock 1 , Deanna Needell 2 1

3.26pt Randomized Projections for Corrupted Linear Systems Jamie Haddock 1 , Deanna Needell 2 1 Graduate Group in Applied Mathematics, University of California, Davis 2 Department of Mathematics, University of California, Los Angeles

608 views • 43 slides
By Tom Caulfield Our Discussion Two Questions: What do we, as a group, believe an

By Tom Caulfield Our Discussion Two Questions: What do we, as a group, believe an

Protecting Your Contracts from Procurement Fraud and Abuse with Procurement Integrity Controls By Tom Caulfield Our Discussion Two Questions: What do we, as a group, believe an organization needs (i.e. policies, procedures, and

397 views • 28 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views • 69 slides
Applying ex-post harmonization of cross-national survey data in corruption research Ilona

Applying ex-post harmonization of cross-national survey data in corruption research Ilona

CSDI WORKSHOP March 16-18, 2017, Mannheim, Germany Applying ex-post harmonization of cross-national survey data in corruption research Ilona Wysmulek iwysmulek@ifispan.waw.pl Polish Academy of Sciences in Warsaw PhD candidate in Sociology

491 views • 17 slides

More recommend