memory corruption why we can t have nice things
play

Memory corruption: Why we cant have nice things Mathias Payer - PowerPoint PPT Presentation

Jul 15, 2023 •193 likes •602 views

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

  1. Memory corruption: Why we can’t have nice things Mathias Payer (@gannimo) http://hexhive.github.io

  2. Software is unsafe and insecure ● Low-level languages (C/C++) trade type safety and memory safety for performance – Programmer responsible for all checks ● Large set of legacy and new applications written in C / C++ prone to memory bugs ● Too many bugs to find and fix manually – Protect integrity through safe runtime system

  3. Heartbleed: patching observations ● 11% of servers remained vulnerable after 48 hours ● Patching plateaued at 4% ● Only 10% of vulnerable sites replaced certificates ● 15% of replaced cert's used vulnerable cryptographic keys Heartbleed vulnerable hosts Zakir Durumeric, James Kasten, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Bernhard Amann, Jethro Beekman, Mathias Payer, Vern Paxson, "The Matter of Heartbleed", ACM IMC'14 (best paper)

  4. Heartbleed: patching observations ● 11% of servers remained vulnerable after 48 hours ● Patching plateaued at 4% ● Only 10% of vulnerable sites replaced certificates ● 15% of replaced cert's used vulnerable cryptographic keys Heartbleed vulnerable hosts Update process is slow, incomplete, and incorrect Zakir Durumeric, James Kasten, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Bernhard Amann, Jethro Beekman, Mathias Payer, Vern Paxson, "The Matter of Heartbleed", ACM IMC'14 (best paper)

  5. Memory (Un-)safety

  6. Memory (un-)safety: invalid dereference Dangling pointer: free (foo); (temporal) *foo = 23; Out-of-bounds pointer: char foo[ 40 ]; (spatial) foo[ 42 ] = 23; Violation iff: pointer is read, written, or freed

  7. Memory (un-)safety: type confusion class P { p_data int p_data; c_data c_data }; class C: public P { int c_data; }; P *Pptr = new P; C *Cptr = static_cast < C* >( Pptr ); Cptr->c_data ; // Type confusion!

  8. Two types of attack ● Control-flow hijack attack – Execute Code ● Data-only attack – Change some data used along the way Let’s focus on code execution

  9. Control-flow hijack attack ● Attacker modifies code pointer – Return address on the stack 1 – Function pointer in C – Object’s VTable pointer in C++ 2 3 ● Control-flow leaves valid graph ● Reuse existing code 4 4' – Return-oriented programming – Jump-oriented programming

  10. Control-Flow Hijack Attack int vuln( int usr, int usr2){ Memory 1 void *(func_ptr)(); q int *q = buf + usr; 1 … buf func_ptr = &foo; … *q = usr2; 2 func_ptr func_ptr … 2 (*func_ptr)(); 3 } gadget code

  11. Status of deployed defenses Memory ● Data Execution Prevention (DEP) 0x4 R X 0x ?? - ● Address Space Layout Randomization text (ASLR) ● Stack canaries 0x8?? RW- ● Safe exception handlers data 0xf?? RW- stack

  12. Status of deployed defenses ● ASLR and DEP only effective in combination ● Breaking ASLR enables code reuse – On desktops, information leaks are common – On servers, code reuse attacks have decreased – For clouds: CAIN attack at WOOT'15 – For OS: Dedup Est Machine at S&P’16 – For browsers: Flip Feng Shui at SEC’16

  13. Type Safety, Stack Integrity, and Control-Flow Integrity

  14. Type Safety Object Type class P { int p_data; Pptr P }; (& of object) class C: public P { int c_data; p_data }; P *Pptr = new P; C *Cptr = static_cast < C* >( Pptr ); check // ^- Type confusion detected Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Cristiano Giuffrida, Herbert Bos, Erik van der Kouwe “TypeSan: Practical Type Confusion Detection”. In CCS’16

  15. Stack integrity ● Enforce dynamic restrictions on return instructions ● Protect return instructions through shadow/safe stack void a() { foo(); A B } void b() { foo(); foo } void foo(); Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, Dawn Song, R. Sekar “Code Pointer Integrity”. In OSDI’14

  16. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); return 7;

  17. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); Attacker may write to memory, CHECK_RET(); code ptrs. verified when used return 7;

  18. CFI on the stack void a() { A B foo(); } void b() { foo foo(); } void foo();

  19. Novel Code Reuse Attacks

  20. Control-Flow Bending ● Attacker-controlled execution along “ valid ” CFG – Generalization of non-control-data attacks ● Each individual control-flow transfer is valid – Execution trace may not match non-exploit case ● Circumvents static, fully-precise CFI Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross “Control-Flow Bending”, Usenix SEC'15

  21. CFI's limitation: statelessness ● Each state is verified without context – Unaware of constraints between states ● Bending CF along valid states undetectable – Search path in CFG that matches desired behavior

  22. Weak CFI is broken ● Out of Control: Overcoming CFI Goektas et al., Oakland '14 ● ROP is still dangerous: breaking modern defenses Carlini et al., Usenix SEC '14 ● Stitching the gadgets: on the effectiveness of coarse- grained CFI protection Davi et al., Usenix SEC '14 ● Size does matter: why using gadget-chain length to prevent code-reuse is hard Goektas et al., Usenix SEC '14

  23. Weak CFI is broken ● Out of Control: Overcoming CFI Goektas et al., Oakland '14 Microsoft's Control-Flow Guard is an ● ROP is still dangerous: breaking modern defenses Carlini et al., Usenix SEC '14 instance of a weak CFI mechanism ● Stitching the gadgets: on the effectiveness of coarse- grained CFI protection Davi et al., Usenix SEC '14 ● Size does matter: why using gadget-chain length to prevent code-reuse is hard Goektas et al., Usenix SEC '14

  24. Strong CFI ● Precise CFG: no over-approximation ● Stack integrity (through shadow stack) ● Fully-precise static CFI: a transfer is only allowed if some benign execution uses it ● How secure is CFI? – With and without stack integrity

  25. CFI, no stack integrity: ROP challenges ● Find path to system() in CFG. ● Divert control-flow along this path – Constrained through memory vulnerability ● Control arguments to system()

  26. What does a CFG look like? system() vuln()

  27. What does a CFG look like? Really? system() vuln() memcpy()

  28. Dispatcher functions ● Frequently called ● Arguments are under attacker's control ● May overwrite their own return address Caller Stack memcpy(dst, src, 8) Frame Attacker Data Return memcpy() Address Stack Local Frame Data

  29. Control-Flow Bending, no stack integrity ● CFI without stack integrity is broken – Stateless defenses insufficient for stack attacks – Arbitrary code execution in all cases ● Attack is program-dependent, harder than w/o CFI

  30. Remember CFI? Indirect CF transfers Equivalence classes … 0xa jmpl *%eax 0xb 0xc … call *(0xb) 0xd … 0xd call *(0xc) 0xe call *4(0xc) 0x2 Size of a class 0xf

  31. Existing CFI mechanisms CFI mechanism Forward Edge Backward Edge CFB Google IFCC ~  MS CFG  ~ LLVM-CFI   MCFI/piCFI  ~ Lockdown ~+ 

  32. What if we have stack integrity? ● ROP no longer an option ● Attack becomes harder – Need to find a path through virtual calls – Resort to “restricted COOP” ● An interpreter would make attacks much simpler… – Lets automate!

  33. printf() -oriented programming* ● Translate program to format string – Memory reads: %s – Memory writes: %n – Conditional: %.*d ● Program counter becomes format string counter – Loops? Overwrite the format specific counter ● Turing-complete domain-specific language * Direct fame towards Nicholas Carlini, blame to me

  34. Ever heard of brainfuck? ● > == dataptr++ %1$65535d%1$.*1$d%2$hn ● < == dataptr-- %1$.*1$d %2$hn ● + == *dataptr++ %3$.*3$d %4$hhn ● - == *datapr-- %3$255d%3$.*3$d%4$hhn ● . == putchar(*dataptr) %3$.*3$d%5$hn ● , == getchar(dataptr) %13$.*13$d%4$hn ● [ == if (*dataptr == 0) goto ']' %1$.*1$d%10$.*10$d%2$hn ● ] == if (*dataptr != 0) goto '[' %1$.*1$d%10$.*10$d%2$hn

  35. void loop() { char* last = output; int* rpc = &progn[pc]; while (*rpc != 0) { // fetch -- decode next instruction sprintf(buf, "%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%2$hn", *rpc, (short*)(&real_syms)); // execute -- execute instruction sprintf(buf, *real_syms, ((long long int)array)&0xFFFF, &array, // 1, 2 *array, array, output, // 3, 4, 5 ((long long int)output)&0xFFFF, &output, // 6, 7 &cond, &bf_CGOTO_fmt3[0], // 8, 9 rpc[1], &rpc, 0, *input, // 10, 11, 12, 13 ((long long int)input)&0xFFFF, &input // 14, 15 ); // retire -- update PC sprintf(buf, "12345678%.*d%hn", (int)(((long long int)rpc)&0xFFFF), 0, (short*)&rpc); // for debug: do we need to print? if (output != last) { putchar(output[-1]); last = output; } } }

  36. Presenting: printbf* ● Turing complete interpreter ● Relies on format strings ● Allows you to execute “stuff” http://github.com/HexHive/printbf * Direct fame to Nicholas Carlini, blame to me

  37. Conclusion

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

www.allthingsnice.in All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to introduce the Indian consumer to all things nice ranging from wines, cognacs ,single malts and beer to cheese, charcuterie

576 views • 42 slides
All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

www.allthingsnice.in All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to introduce the Indian consumer to all things nice ranging from wines, cognacs ,single malts and beer to cheese, charcuterie

441 views • 40 slides
Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and expensive problem Impractical to manually review code for it Corruption can easily be introduced by unwary changes (again with the

702 views • 45 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

340 views • 4 slides
This is why we can(t) have nice things Timo van der Kuil 16/11/2019 Meeting C++ 1 Who am I

This is why we can(t) have nice things Timo van der Kuil 16/11/2019 Meeting C++ 1 Who am I

This is why we can(t) have nice things Timo van der Kuil 16/11/2019 Meeting C++ 1 Who am I Student Student assistant Research intern Saxion University of Applied Sciences 2 Disclaimer First talk at a conference

1.02k views • 66 slides
Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption measured Complex issue without an exact answer Perception of corruption vs. corruption What can be done? Policy measures Preventive

702 views • 12 slides
Nice Pairing Or, How To Maximise Pair Programming Value Or, How To Make Things Easier On The

Nice Pairing Or, How To Maximise Pair Programming Value Or, How To Make Things Easier On The

Nice Pairing Or, How To Maximise Pair Programming Value Or, How To Make Things Easier On The People Who Work With You Me Former programming teacher Now developing software at Lonely Planet @adelsmee adel.smee@lonelyplanet.com.au Amateur

178 views • 17 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource Centre Anti-Corruption in development: Evolution of practice 1 st generation: the principal-agent problem Corruption = Monopoly + Discretion

417 views • 7 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p

Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p

Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p o CPU reduces the memory overhead for computing yes page # frame # Access the mapping function f but increases the time necessary

201 views • 4 slides
COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr. T.M.Bhasin Vigilance Commissioner, CVC at National Judicial Academy, Bhopal on 04.09.2016 1 Corruption Definition and Cause World Bank

473 views • 43 slides
Memory and Recall: Sticky Revision for Tricky Exams! Our Aim: Teach students things so that

Memory and Recall: Sticky Revision for Tricky Exams! Our Aim: Teach students things so that

Memory and Recall: Sticky Revision for Tricky Exams! Our Aim: Teach students things so that they remember them FOREVER . Develop student skill so they can APPLY knowledge independently. ? Short Term Memory Long Term Memory (Working

993 views • 53 slides
Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe Why? Why? Why? Why? Why? twitter made me do it!

959 views • 92 slides
Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc Juarez 3 1 Royal Holloway University of London 2 University College London 3 KU Leuven, ESAT/COSIC and imec (to appear in PoPETS 2017) Talk in the

532 views • 20 slides
EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly

EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly

EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly with Abraham Clements and Saurabh Bagchi http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2 Trends in

769 views • 39 slides
The Rising Tide of Terrorism- Related Civil Litigation What the Justice Against Sponsors of

The Rising Tide of Terrorism- Related Civil Litigation What the Justice Against Sponsors of

The Rising Tide of Terrorism- Related Civil Litigation What the Justice Against Sponsors of Terrorism Act (JASTA) may mean for your company. Daniel L. Stein Charles S. Hallab Alex C. Lakatos Partner Partner Partner +1 212 506 2646

453 views • 20 slides
RLUIPA Defense: Avoiding and Defending RLUIPA Claims Land Use &amp; Sustainable Development Law

RLUIPA Defense: Avoiding and Defending RLUIPA Claims Land Use &amp; Sustainable Development Law

RLUIPA Defense: Avoiding and Defending RLUIPA Claims Land Use &amp; Sustainable Development Law Institute Bagels with the Boards CLEs Thanks for having us Ted Carey (Boston) Karla Chaffee (Boston) Evan Seeman (Hartford)

329 views • 31 slides
Federal Information Systems Security Education Association Spear Phishing Agenda Definition

Federal Information Systems Security Education Association Spear Phishing Agenda Definition

Federal Information Systems Security Education Association Spear Phishing Agenda Definition of spear phishing Why is spear phishing so valuable to attackers Spear phishing defenses / countermeasures Training concepts and delivery

434 views • 8 slides
Litigation, Regulation, &amp; Reform Track B: The Defense Perspective George Talarico, Esq.

Litigation, Regulation, &amp; Reform Track B: The Defense Perspective George Talarico, Esq.

Responding to the Opioid Crisis: Litigation, Regulation, &amp; Reform Track B: The Defense Perspective George Talarico, Esq. Partner (973) 643-5566 | gtalarico@sillscummis.com One Riverfront Plaza Newark, NJ 07102 Giovanni Ciavarra, PhD

973 views • 44 slides
DUTY OF DISCLOSURE AND INEQUITABLE CONDUCT RAISED AS AN AFFIRMATIVE DEFENSE Abraham J. Rosner and

DUTY OF DISCLOSURE AND INEQUITABLE CONDUCT RAISED AS AN AFFIRMATIVE DEFENSE Abraham J. Rosner and

DUTY OF DISCLOSURE AND INEQUITABLE CONDUCT RAISED AS AN AFFIRMATIVE DEFENSE Abraham J. Rosner and Grant Shackelford Sughrue Mion, PLLC In addition to the defenses of non-infringement and invalidity, an alleged infringer may also raise

413 views • 40 slides
Defending Critical Assets with Deception Contact Us: https://www.illusivenetworks.com/contact

Defending Critical Assets with Deception Contact Us: https://www.illusivenetworks.com/contact

Defending Critical Assets with Deception Contact Us: https://www.illusivenetworks.com/contact sales@illusivenetworks.com Appearanes can be deceiving Confidential Confidential Who am I A Sr. Solutions Architect for Illusive Networks

392 views • 21 slides

More recommend