patharmor practical context sensitive cfi
play

PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , - PowerPoint PPT Presentation

Jun 20, 2023 •159 likes •588 views

PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen , s , Ben Gras , Lionel Sambuc , Asia Slowinska , Enes G okta Herbert Bos , Cristiano Giuffrida Joint first authorship

  1. PathArmor : Practical Context-Sensitive CFI Dennis Andriesse †‡ , Victor van der Veen †‡ , s ‡ , Ben Gras ‡ , Lionel Sambuc ‡ , Asia Slowinska § , Enes G¨ okta¸ Herbert Bos ‡ , Cristiano Giuffrida ‡ † Joint first authorship ‡ Vrije Universiteit Amsterdam § Lastline, Inc. CCS 2015

  2. Introduction Control-Flow Integrity • CFI introduced over 10 years ago (Abadi et al.) • Still struggling to balance security vs. performance! Context-Sensitive CFI • Context-Insensitive CFI ( C CFI) enforces valid target per edge • C CFI exploitable, e.g. call-site gadgets and entry-point gadgets • Context-Sensitive CFI (CCFI) considers context of prior edges • CCFI proposed in original CFI paper, dismissed as impractical • We implement CCFI efficiently on commodity hardware PathArmor : Practical Context-Sensitive CFI 1 of 17

  3. { } channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; void channel_prepare_select(fd_set **readsetp, fd_set **writesetp) { void channel_after_select(fd_set * readset, fd_set * writeset) { channel_handler(channel_pre, *readsetp, *writesetp); channel_handler(channel_post, readset, writeset); } } void channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) { Channel *c; for(int i = 0; i < channels_alloc; i++) { c = channels[i]; (*ftab[c->type])(c, readset, writeset); } }

  4. { } channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; void channel_prepare_select(fd_set **readsetp, fd_set **writesetp) { void channel_after_select(fd_set * readset, fd_set * writeset) { channel_handler(channel_pre, *readsetp, *writesetp); channel_handler(channel_post, readset, writeset); } } void channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) { Channel *c; for(int i = 0; i < channels_alloc; i++) { c = channels[i]; (*ftab[c->type])(c, readset, writeset); } }

  5. { } channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; void channel_prepare_select(fd_set **readsetp, fd_set **writesetp) { void channel_after_select(fd_set * readset, fd_set * writeset) { channel_handler(channel_pre, *readsetp, *writesetp); channel_handler(channel_post, readset, writeset); } } void channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) { Channel *c; for(int i = 0; i < channels_alloc; i++) { c = channels[i]; (*ftab[c->type])(c, readset, writeset); } }

  6. PathArmor Overview • Kernel module verifies paths leading up to system calls • Upon system call, check validity of edges in LBR • JIT analyzer validates paths using interprocedural CFG PathArmor : Practical Context-Sensitive CFI 5 of 17

  7. PathArmor Challenges • Path monitoring: continuous path tracking is expensive • Key obstacle in original CFI proposal by Abadi et al. • PathArmor uses LBR to efficiently track control transfers • Path verification: cannot scale to validate every program state • Aggregate verification at security-sensitive system calls • (Persistently) cache results for future lookups • Path analysis: static analysis of all paths leads to explosion • PathArmor uses on-demand JIT analysis on normalized CFG PathArmor : Practical Context-Sensitive CFI 6 of 17

  8. Path Monitoring Kernel module Branch Record core (Intel LBR API) • Circular buffer which tracks last 16 (indirect) branches per process-thread • Instrumentation uses ioctl() interface to safely toggle LBR tracking (avoid in-library LBR pollution) LBR pollution • Library calls may pollute LBR with library-internal edges • Temporarily disabling LBR tracking prevents this PathArmor : Practical Context-Sensitive CFI 7 of 17

  9. Path Verification System call interceptor • Alternative syscall handler validates paths to dangerous syscalls (policy driven) using JIT analyzer • mprotect , mmap , exec , sigaction , signal , raise , kill • Turing-completeness without syscalls does not allow system compromise • Cache MD4 hash of valid paths (second-preimage resistance prevents path crafting attacks) PathArmor : Practical Context-Sensitive CFI 8 of 17

  10. Path Analysis JIT analyzer • Lazily validate LBR paths in static interprocedural CFG • Modular indirect call resolution component • Collapse direct intraprocedural edges (prevent path explosion) • Policy-driven context sensitivity (default policy below) • Backward edge context sensitivity: call/return matching • Forward edge context sensitivity: code pointer tracking PathArmor : Practical Context-Sensitive CFI 9 of 17

  11. Evaluation – Performance Practical CFI: low overhead Normalized Run Time Server + LInstr + PathVer vsftpd 1.000 1.000 proftpd 1.000 1.000 pure-ftpd 1.053 1.074 lighttpd 1.236 1.275 nginx 1.178 1.174 openssh 1.003 1.020 exim 1.019 1.079 1.066 1.085 geomean PathArmor : Practical Context-Sensitive CFI 10 of 17

  12. Evaluation – Performance Practical CFI: low overhead Normalized Run Time Server + LInstr + PathVer vsftpd 1.000 1.000 proftpd 1.000 1.000 pure-ftpd 1.053 1.074 lighttpd 1.236 1.275 nginx 1.178 1.174 openssh 1.003 1.020 exim 1.019 1.079 1.066 1.085 geomean PathArmor : Practical Context-Sensitive CFI 10 of 17

  13. Evaluation – Performance Practical CFI: low overhead Normalized Run Time Server + LInstr + PathVer vsftpd 1.000 1.000 proftpd 1.000 1.000 pure-ftpd 1.053 1.074 lighttpd 1.236 1.275 Many library calls nginx 1.178 1.174 1 , 209 , 081 openssh 1.003 1.020 exim 1.019 1.079 1.066 1.085 geomean PathArmor : Practical Context-Sensitive CFI 10 of 17

  14. Evaluation – Performance Practical CFI: low overhead Normalized Run Time Not so many library calls Server + LInstr + PathVer 35 , 883 vsftpd 1.000 1.000 171 , 440 proftpd 1.000 1.000 pure-ftpd 1.053 1.074 lighttpd 1.236 1.275 Many library calls nginx 1.178 1.174 1 , 209 , 081 openssh 1.003 1.020 exim 1.019 1.079 1.066 1.085 geomean PathArmor : Practical Context-Sensitive CFI 10 of 17

  15. Evaluation – Performance Practical CFI: low overhead Normalized Run Time Server + LInstr + PathVer vsftpd 1.000 1.000 proftpd 1.000 1.000 pure-ftpd 1.053 1.074 Verification is fast lighttpd 1.236 1.275 • Few lookups ( ∼ 231 ) nginx 1.178 1.174 openssh 1.003 1.020 • Cache hits ( ∼ 90% ) exim 1.019 1.079 1.066 1.085 geomean PathArmor : Practical Context-Sensitive CFI 10 of 17

  16. Evaluation – Performance Practical CFI: low overhead Normalized Run Time Server + LInstr + PathVer vsftpd 1.000 1.000 proftpd 1.000 1.000 pure-ftpd 1.053 1.074 lighttpd 1.236 1.275 nginx 1.178 1.174 openssh 1.003 1.020 exim 1.019 1.079 1.066 1.085 geomean More benchmark details in the paper SPEC CPU2006: ∼ 3% overhead PathArmor : Practical Context-Sensitive CFI 10 of 17

  17. Evaluation Security coarse-grained fine-grained PathArmor Server | G | [ G Len ] | G | [ G Len ] | G | [ G Len ] vsftpd 543.26 3.5 3.17 8.0 1.27 13.1 proftpd 3249.55 2.2 19.96 4.0 6.11 7.5 pure-ftpd 403.57 2.2 5.37 4.5 1.94 5.1 lighttpd 561.00 2.0 2.77 4.8 1.00 5.5 nginx 1482.08 2.8 23.40 9.3 14.90 9.9 openssh 1725.20 2.1 16.02 3.9 4.37 7.2 exim 2588.53 2.2 25.10 4.4 11.05 11.1 Statistics captured at run-time PathArmor : Practical Context-Sensitive CFI 11 of 17

  18. Evaluation | G | decreases Security Less gadgets available coarse-grained fine-grained PathArmor Server | G | [ G Len ] | G | [ G Len ] | G | [ G Len ] vsftpd 543.26 3.5 3.17 8.0 1.27 13.1 proftpd 3249.55 2.2 19.96 4.0 6.11 7.5 pure-ftpd 403.57 2.2 5.37 4.5 1.94 5.1 lighttpd 561.00 2.0 2.77 4.8 1.00 5.5 nginx 1482.08 2.8 23.40 9.3 14.90 9.9 openssh 1725.20 2.1 16.02 3.9 4.37 7.2 exim 2588.53 2.2 25.10 4.4 11.05 11.1 Statistics captured at run-time PathArmor : Practical Context-Sensitive CFI 11 of 17

  19. Evaluation | G | decreases Security Less gadgets available coarse-grained fine-grained PathArmor Server | G | [ G Len ] | G | [ G Len ] | G | [ G Len ] vsftpd 543.26 3.5 3.17 8.0 1.27 13.1 proftpd 3249.55 2.2 19.96 4.0 6.11 7.5 pure-ftpd 403.57 2.2 5.37 4.5 1.94 5.1 lighttpd 561.00 2.0 2.77 4.8 1.00 5.5 nginx 1482.08 2.8 23.40 9.3 14.90 9.9 openssh 1725.20 2.1 16.02 3.9 4.37 7.2 exim 2588.53 2.2 25.10 4.4 11.05 11.1 Geometric means Statistics captured at run-time − 99 . 7% (coarse-grained) / − 61 . 6% (fine-grained) PathArmor : Practical Context-Sensitive CFI 11 of 17

  20. Evaluation [ G Len ] increases Security Leftover gadgets are longer, more complex coarse-grained fine-grained PathArmor Server | G | [ G Len ] | G | [ G Len ] | G | [ G Len ] vsftpd 543.26 3.5 3.17 8.0 1.27 13.1 proftpd 3249.55 2.2 19.96 4.0 6.11 7.5 pure-ftpd 403.57 2.2 5.37 4.5 1.94 5.1 lighttpd 561.00 2.0 2.77 4.8 1.00 5.5 nginx 1482.08 2.8 23.40 9.3 14.90 9.9 openssh 1725.20 2.1 16.02 3.9 4.37 7.2 exim 2588.53 2.2 25.10 4.4 11.05 11.1 Statistics captured at run-time PathArmor : Practical Context-Sensitive CFI 11 of 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

June 17, 2014 Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach to transportation facility design and engineering that involves all stakeholders in the process of developing a solution that is

193 views • 3 slides
Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Andrew Lenharth Vikram Adve Apple UIUC UIUC What is Heap Cloning? Distinguish objects by acyclic call path void foo() { list*

556 views • 28 slides
Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive Analysis To understand the input computation, a compiler/interpreter need to discover The types of values stored in each variable The types

576 views • 39 slides
Oak Hill Parkway Oak Hill Parkway Context Sensitive Solutions CSS Workshop No. 1 October 9,

Oak Hill Parkway Oak Hill Parkway Context Sensitive Solutions CSS Workshop No. 1 October 9,

Oak Hill Parkway Oak Hill Parkway Context Sensitive Solutions CSS Workshop No. 1 October 9, 2014 Context Sensitive Solutions Context Sensitive Solutions Project Team TxDOT James Williams Jon Geiselbrecht Shirley Nichols CTRMA Melissa

485 views • 46 slides
Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitive Grammars Context Sensitive Grammars Context in Programming Languages Context in Programming Languages Context in Natural Languages Context in Natural Languages 1 Context Sensitive Grammars Chomsky Hierarchy Context

160 views • 5 slides
Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Showing a language isnt context-free Context-sensitive languages Context-sensitivity in PLs Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics University of Edinburgh jrl@inf.ed.ac.uk 26 November

611 views • 24 slides
Project Background Designing Walkable Urban Thoroughfares: A Context Sensitive Approach

Project Background Designing Walkable Urban Thoroughfares: A Context Sensitive Approach

Project Background Designing Walkable Urban Thoroughfares: A Context Sensitive Approach (2010) Produced by FHWA/EPA/CNU/ ITE Recommended Practice, focus on new ideas and needs @CompleteStreets Implementing Context Sensitive Design

1.54k views • 124 slides
Context-sensitive languages Informatics 2A: Lecture 28 Alex Simpson School of Informatics

Context-sensitive languages Informatics 2A: Lecture 28 Alex Simpson School of Informatics

Showing a language isnt context-free Context-sensitive languages Context-sensitivity in natural language Context-sensitivity in PLs Context-sensitive languages Informatics 2A: Lecture 28 Alex Simpson School of Informatics University of

360 views • 25 slides
Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics

Showing a language isnt context-free Context-sensitive languages Context-sensitivity in PLs Context-sensitivity in natural language Context-sensitive languages Informatics 2A: Lecture 28 John Longley School of Informatics University of

472 views • 16 slides
Context Sensitive Grammar Habeeb and Alvin ATC Seminar 30 NOV 2018 Habeeb and Alvin CSG 30

Context Sensitive Grammar Habeeb and Alvin ATC Seminar 30 NOV 2018 Habeeb and Alvin CSG 30

Context Sensitive Grammar Habeeb and Alvin ATC Seminar 30 NOV 2018 Habeeb and Alvin CSG 30 NOV 2018 1 / 15 Overview Introduction 1 Formal definition 2 Context Sensitive Language 3 Examples Closure properties 4 Relation Between

196 views • 15 slides
Compiler Construction Lecture 9: Practical parsing issues and yacc intro 2020-02-04 Michael

Compiler Construction Lecture 9: Practical parsing issues and yacc intro 2020-02-04 Michael

Compiler Construction Lecture 9: Practical parsing issues and yacc intro 2020-02-04 Michael Engel Overview Practical parsing issues Error recovery Unary operators Handling context-sensitive ambiguity Left versus right

476 views • 28 slides
CONTEXT SENSITIVE UTILITIES SUCCESS STORIES PRESENTED BY: DISTRICT 3: Joseph Plunk, Stewart

CONTEXT SENSITIVE UTILITIES SUCCESS STORIES PRESENTED BY: DISTRICT 3: Joseph Plunk, Stewart

CONTEXT SENSITIVE UTILITIES SUCCESS STORIES PRESENTED BY: DISTRICT 3: Joseph Plunk, Stewart Lich &amp; DISTRICT 6: Nikki Boden CONTEXT SENSITIVE UTILITIES SUCCESS STORIES Telephone duct is completely inside KYTC Right of Way.

550 views • 19 slides
Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for

Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for

Towards More Security in Data Exchange Defining Unparsers with Context-Sensitive Encoders for Context-Free Grammars Lars Hermerschmidt, Stephan Kugelmann, Bernhard Rumpe Software Engineering RWTH Aachen http://www.se-rwth.de/ Lars

240 views • 13 slides
From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira Albert (1) , Puri Arenas (1) , Samir Genaim (1) , an Puebla (2) and Diana Ram rez (2) Germ (1) Complutense University of Madrid (2) Technical

1.27k views • 77 slides
Compiler Construction Lecture 10: Context-sensitive analysis 2020-02-11 Michael Engel Overview

Compiler Construction Lecture 10: Context-sensitive analysis 2020-02-11 Michael Engel Overview

Compiler Construction Lecture 10: Context-sensitive analysis 2020-02-11 Michael Engel Overview Where are we standing now? Theres more to languages than context-free grammars can describe From syntax to semantics

485 views • 23 slides
A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Overview of Indeterminate Cytology Scott Boerner MD FRCPC Head Cytopathology, University Health

Overview of Indeterminate Cytology Scott Boerner MD FRCPC Head Cytopathology, University Health

83 rd Annual Meeting American Thyroid Association Overview of Indeterminate Cytology Scott Boerner MD FRCPC Head Cytopathology, University Health Network University of Toronto PRESENTATION FROM THE 83rd ANNUAL MEETING OF THE AMERICAN THYROID

662 views • 26 slides
Chris Hopkins, PhD, MBA and CSO patient variant drug p.R292H pathogenicity Is this variant in

Chris Hopkins, PhD, MBA and CSO patient variant drug p.R292H pathogenicity Is this variant in

Chris Hopkins, PhD, MBA and CSO patient variant drug p.R292H pathogenicity Is this variant in my patient pathogenic or benign? &quot;The Doctor&quot; by Sir Luke Fildes (1891) Drop in genome price drives increase in patient variant

500 views • 22 slides
Possible &amp; Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an

Possible &amp; Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an

Possible &amp; Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an infinite series impossible? 6 Infinite 3 False A Better Series Theories Theory Six Infinities The Truth Regress Series: P. Its true that P.

464 views • 30 slides
Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and

Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and

Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and Geriatrics Keck School of Medicine of USC University of Southern California The Game Plan Introductory comments Age-related changes and how

417 views • 27 slides
Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage Kevin Leach 1 , Fengwei Zhang 2 , and Westley Weimer 1 1 University of Michigan, 2 Wayne State University Leach, Zhang, &amp; Weimer 1 / 19

704 views • 47 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views • 33 slides
Ranking and classifying the VUS for family counseling: Using a model from cancer researchers

Ranking and classifying the VUS for family counseling: Using a model from cancer researchers

Ranking and classifying the VUS for family counseling: Using a model from cancer researchers Martin Tristani-Firouzi, MD Division of Pediatric Cardiology Nora Eccles Harrison CVRTI University of Utah School of Medicine Disclosure The speaker

883 views • 33 slides

More recommend