memory un safety
play

Memory (un)safety Deian Stefan Some slides adopted from Nadia - PowerPoint PPT Presentation

Apr 07, 2024 •376 likes •1.16k views

CSE 127: Computer Security Memory (un)safety Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, Stephen Checkoway, Hovav Shacham, Raluca Popal, and David Wagner Today Return oriented programming (ROP)

  1. CSE 127: Computer Security Memory (un)safety Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, Stephen Checkoway, Hovav Shacham, Raluca Popal, and David Wagner

  2. Today • Return oriented programming (ROP) • Control flow integrity

  3. Last time: return-to-libc • Defense: W^X makes the stack not executable ➤ Prevents attacker data from being interpreted as code • What can we do (as the attacker)? ➤ Reuse existing code (either program or libc) ➤ E.g., use system(“/bin/sh”) ➤ E.g., use mprotect () to mark stack executable

  4. Return-to-libc is great, but…. what if there is no function that does what we want?

  6. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham ∗ hovav@cs.ucsd.edu

  7. Return-Oriented Programming

  8. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc.

  9. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. ret Steve Checkoway ret Dino Dai Zovi

  10. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc.

  11. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions?

  12. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions? ➤ End of function (inserted by compiler)

  13. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions? ➤ End of function (inserted by compiler) ➤ Any sequence of executable memory ending in 0xc3

  15. x86 instructions • Variable length! • Can begin on any byte boundary!

  16. One ret, multiple gadgets mov $0x1,%eax pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  17. One ret, multiple gadgets add %al,(%eax) pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  18. One ret, multiple gadgets add %bl,-0x37(%eax) = b8 01 00 00 00 5b c9 c3 ret

  19. One ret, multiple gadgets pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  20. One ret, multiple gadgets leave = b8 01 00 00 00 5b c9 c3 ret

  21. One ret, multiple gadgets = b8 01 00 00 00 5b c9 c3 ret

  22. Why is ret ? • Attacker overflows stack allocated buffer • What happens when function returns? ➤ Restore stack frame ➤ leave = movl %ebp, %esp; pop %ebp ➤ Return ➤ ret = pop %eip • If instruction sequence at %eip ends in ret 
 what do we do?

  23. What happens if this is what we overflow the stack with? v 1 pop %edx %esp ret

  24. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef 0x08049bbc %esp relevant code: 0x08049b62: nop %eip 0x08049b63: ret ... 0x08049bbc: pop %edx 0x08049bbd: ret

  25. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef 0x08049bbc %esp relevant code: 0x08049b62: nop 0x08049b63: ret %eip ... 0x08049bbc: pop %edx 0x08049bbd: ret

  26. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef %esp 0x08049bbc relevant code: 0x08049b62: nop 0x08049b63: ret ... 0x08049bbc: pop %edx %eip 0x08049bbd: ret

  27. relevant register(s): %edx = 0xdeadbeef relevant stack: %esp 0xdeadbeef 0x08049bbc relevant code: 0x08049b62: nop 0x08049b63: ret ... 0x08049bbc: pop %edx %eip 0x08049bbd: ret

  28. This is a ROP gadget! v 1 pop %edx %esp ret movl v 1, %edx

  29. 
 
 
 How dow you use this as an attacker? • Overflow the stack with values and addresses to such gadgets to express your program • E.g., if shellcode needs to write a value to %edx , use the previous gadget 
 v 1 pop %edx %esp ret

  30. Let’s look at another gadget mov %eax, %(ebx) ret v 2 pop %ebx ret v 1 pop %eax %esp ret

  31. relevant register(s): %eax = 0x00000000 %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret %eip ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc %esp 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  32. relevant register(s): %eax = 0x00000000 %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef %esp 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... %eip 0x08049bbc: pop %eax 0x08049bbd: ret

  33. relevant register(s): %eax = 0xdeadbeef %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret %esp ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret %eip

  34. relevant register(s): %eax = 0xdeadbeef %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe %esp 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx %eip 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  35. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: %esp 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc %eip 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  36. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0x00000000 %esp 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) %eip 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  37. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0xdeadbeef %esp 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret %eip ... 0x08049bbc: pop %eax 0x08049bbd: ret

  38. What does this gadget do? mov %eax, %(ebx) ret v 2 pop %ebx ret v 1 pop %eax %esp ret movl v 2, %ebx movl v 1, %(%ebx)

  39. What does this gadget do? pop %esp %esp ret

  40. Can express arbitrary programs

  41. Can find gadgets automatically

  42. Return-oriented programming not even really about “returns”…

  43. What the heck do we do? Observation: In almost all the attacks we looked at, the attacker is overwriting jump targets that are in memory (return addresses and function pointers)

  44. Control Flow Integrity • Idea: don’t try to stop the memory writes. Instead: restrict control flow to legitimate paths ➤ I.e., ensure that jumps, calls, and returns can only go to allowed target destinations

  45. Restrict indirect transfers of control

  46. Restrict indirect transfers of control • Why do we not need to do anything about direct transfer of control flow (i.e., direct jumps/calls)?

  47. Restrict indirect transfers of control • Why do we not need to do anything about direct transfer of control flow (i.e., direct jumps/calls)? ➤ Address is hard-coded in instruction. Not under attacker control

  48. Restrict indirect transfers of control

  49. Restrict indirect transfers of control • What are the ways to transfer control indirectly?

  50. Restrict indirect transfers of control • What are the ways to transfer control indirectly? • Forward path: jumping to (or calling function at) an address in register or memory ➤ E.g., qsort, interrupt handlers, virtual calls, etc. • Reverse path: returning from function (uses address on stack)

  51. 
 
 What’s a legitimate target? Look at the program control-flow graph (CFG)! void sort2(int a[],int b[], int len { 
 sort(a, len, lt); 
 sort(b, len, gt); 
 } 
 bool lt(int x, int y) { return x < y; } 
 bool gt(int x, int y) { return x > y; }

  52. 
 
 What’s a legitimate target? Look at the program control-flow graph (CFG)! void sort2(int a[],int b[], int len { 
 sort(a, len, lt); 
 sort(b, len, gt); 
 } 
 sort2() bool lt(int x, int y) { return x < y; call sort } 
 bool gt(int x, int y) { call sort return x > y; ret }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

827 views • 47 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure Software Systems Day 2: Memory Safety Introduction Reversing the stack Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

440 views • 4 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained Contracts Preprocessor Safety Whimsical execution Garbage collection Explicit memory management Memory initialization

967 views • 63 slides
1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC Computing Computing + Fabric SoC Memory HYPERCONVERGED Exascale EDGE DEVICE SYSTEM Eliminate data movement via shared

400 views • 11 slides
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Eternal War in Memory Table of Contents

658 views • 38 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya,

Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya,

Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya, Technion Sandeep Hans, Technion Alexey Gotsman, IMDEA Noam Rinetzky, Tel-Aviv University TM Consistency Conditions VWC TMS1 Opacity [Guerraoui

183 views • 16 slides
Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a programming language that is not memory safe. Without memory safety, there is no way to guarantee separation of memory used by different program

413 views • 30 slides
Certain representations with unique models Yuanqing Cai Kyoto University November 2020 New York

Certain representations with unique models Yuanqing Cai Kyoto University November 2020 New York

Certain representations with unique models Yuanqing Cai Kyoto University November 2020 New York H : the quaternion algebra over R : H R &gt; 0 tr : H R : R C nontrivial additive character 1

740 views • 35 slides
2019 Linkping, Sweden TMALL 0145 Presentation Widescreen v 1.0 Daniel Jakobsson Source: World

2019 Linkping, Sweden TMALL 0145 Presentation Widescreen v 1.0 Daniel Jakobsson Source: World

Fourth Stream Reasoning Workshop 17 April 2019 Linkping, Sweden TMALL 0145 Presentation Widescreen v 1.0 Daniel Jakobsson Source: World Travel &amp; Tourism Council https://www.hotelbusiness.com/delo itte-hoteliers-should-plan-ahead/ We

626 views • 20 slides
1.4 Qualification of 525 kV DC extruded cables Technologies for Global Energy Grid 27.06.2019

1.4 Qualification of 525 kV DC extruded cables Technologies for Global Energy Grid 27.06.2019

1.4 Qualification of 525 kV DC extruded cables Technologies for Global Energy Grid 27.06.2019 Dr. Roland D. Zhang Topics Introduction GTSO PQ tests for HVDC underground cable systems Qualification of DC submarine cable systems

349 views • 11 slides
INF4140 - Models of concurrency Hsten 2015 November 2, 2015 Abstract This is the

INF4140 - Models of concurrency Hsten 2015 November 2, 2015 Abstract This is the

INF4140 - Models of concurrency Hsten 2015 November 2, 2015 Abstract This is the handout version of the slides for the lecture (i.e., its a rendering of the content of the slides in a way that does not waste so much paper when

526 views • 17 slides
Combining ModelCheckin g and Abstra ct Interpret a t ion P arallel Combina tio n

Combining ModelCheckin g and Abstra ct Interpret a t ion P arallel Combina tio n

Combining ModelCheckin g and Abstra ct Interpret a t ion P arallel Combina tio n of Abstra ct Interpret a ti on Ho w and ModelBased A utoma tic Anal ysis of Softw are Abstract symb olic metho

287 views • 5 slides
High Performance Systems EuroMPI 2015 Objectives Yet another performance analysis tool

High Performance Systems EuroMPI 2015 Objectives Yet another performance analysis tool

Tutorial 1: Performance analysis for High Performance Systems EuroMPI 2015 Objectives Yet another performance analysis tool Developping performance analysis features for your application/library 2 EuroMPI 2015 Performance analysis for

632 views • 30 slides
European Energy Regulation A Bridge to 2025 Retail Markets Patricia de Suzzoni Chair of the

European Energy Regulation A Bridge to 2025 Retail Markets Patricia de Suzzoni Chair of the

European Energy Regulation A Bridge to 2025 Retail Markets Patricia de Suzzoni Chair of the Customer and Retail Markets Working Group Brussels, 29 April 2014 The 2025 Bridge and its pillars Green Paper: Energy Regulation: A bridge to

207 views • 7 slides
UNFCCC COP22 Mini Side Event: Eco Village Development: A Low-carbon Adaptation and Mitigation

UNFCCC COP22 Mini Side Event: Eco Village Development: A Low-carbon Adaptation and Mitigation

UNFCCC COP22 Mini Side Event: Eco Village Development: A Low-carbon Adaptation and Mitigation Strategy for Development in South Asia UN Climate Change Studio 8/11/2016 Marrakech, Morocco Link to Publication:

529 views • 4 slides

More recommend