preventing brute force attacks against stack canary
play

Preventing brute force attacks against stack canary protector on - PowerPoint PPT Presentation

Jul 01, 2023 •276 likes •721 views

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

  1. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) 2013 IEEE 12th International Symposium on Network Computing and Applications August 22-24, 2013

  2. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Table of contents Introduction 1 The problem: Network servers and their threats 2 How we solve it: RAF SSP 3 Conclusions 4

  3. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction Overview Buffer overflows are still a major software threat. [Top 25] One of the most effective protection technique is the stack canary protector (SSP) . Currently employed in most servers: Apache, Lighthttp, etc. Unfortunately, the SSP on network servers is prone to brute force attacks. We have extended the SSP technique to prevent brute force attacks at zero cost: temporal, spacial and implementational!

  4. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction How the Stack Canary Protector works The canary is a random value placed on the stack to detect buffer overflows. When a overflows the canary is corrupted. If the verification of the canary fails → abort() �

  5. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction How the Stack Canary Protector works The canary is a random value placed on the stack to detect buffer overflows. When a overflows the canary is corrupted. If the verification of the canary fails → abort() �

  6. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction How the Stack Canary Protector works The canary is a random value placed on the stack to detect buffer overflows. When a overflows the canary is corrupted. If the verification of the canary fails → abort() �

  7. Preventing brute force attacks against stack canary protector on networking servers Hector Marco The problem: Network servers and their threats Forking servers Processes created with fork() inherit most of its father state. Father and children have the same canary-reference value. Server group of processes child server child child fork() Clients

  8. Preventing brute force attacks against stack canary protector on networking servers Hector Marco The problem: Network servers and their threats Forking servers Processes created with fork() inherit most of its father state. Father and children have the same canary-reference value. Server group of processes child server child child fork() Clients When the attacker guesses an incorrect value, the child is killed by the SSP and a new child with the same canary is started. The attack is modelled as sampling without replacement .

  9. Preventing brute force attacks against stack canary protector on networking servers Hector Marco The problem: Network servers and their threats Brute force attacks Sampling without replacement allows to build brute force attacks . Full search attack: The frame-canary word is overwritten on each trial. If the guessed word is not correct → abort() . 100% success on 93 hours and 46 hours on average. Byte for byte attack: Attackers control the number of overwritten bytes. Overwrite only the first stack canary byte until child does not crash. (same for following bytes). 100% success on 15 sec. and 7 sec. on average. Note: Some systems (i.e x86) set to zero most significant byte.

  10. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Observations and facts Facts: There is only one single reference-canary per process. The canary integrity check is done at the end of each function before returning. Upon return, only the current frame-canary is checked. Each child process of a network server is an error confinement region .

  11. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Observations and facts Facts: There is only one single reference-canary per process. The canary integrity check is done at the end of each function before returning. Upon return, only the current frame-canary is checked. Each child process of a network server is an error confinement region . Observation: After a fork(), the child process terminates by calling exit().

  12. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Core idea “Renew the reference-canary of the child right after the fork() ” RANDOM Server group of processes child server child child fork() Clients

  13. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Core idea “Renew the reference-canary of the child right after the fork() ” RANDOM Server group of processes child server child child fork() Clients When the attacker guesses an incorrect value, the child is killed by the SSP and a new child with a new canary is started. As a result, brute force attacks can not be built .

  14. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 1/21 ������������� � ���������������� ����� ������������ ���������������������� �������������������� �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

  15. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 2/21 �����%�������� ���������������� ����� ������������ ��������� ������������ � �������������������� �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

  16. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 3/21 �����%�������� ���������������� ����� ������������ �� ������ �������������� �������������������� �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

  17. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 4/21 �����%�������� ���������������� ����� ������������ ���������������������� �������� ������ ������ �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios, Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromytis Columbia University Stony Brook University Brown University 2015 Annual Computer

736 views • 36 slides
Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

467 views • 22 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions Brute force algorithms Divide and Conquer What is the brute force approach to Calculate the n th Fibonacci number? 1. Compute the n th power

387 views • 14 slides
Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com.

Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com.

Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com. WordPress.com Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that

395 views • 27 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Preview question What two methods are mentioned in the StackGuard paper to prevent canary

Preview question What two methods are mentioned in the StackGuard paper to prevent canary

Preview question What two methods are mentioned in the StackGuard paper to prevent canary forgery? CSci 5271 A. terminator canary and random canary Introduction to Computer Security Low-level attacks and defenses B.

320 views • 7 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of Mathematical and Geospatial Sciences RMIT University Melbourne, Australia Benjamin Burton (RMIT) Theorems, Algorithms and Brute Force November

444 views • 21 slides
MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE 473 Day 11 Questions? Donald Knuth Interview Amortization Brute force (if time) Decrease and conquer intro Q1 2 1 Donald

511 views • 11 slides
Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

One-Slide Summary Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and the and analysis to break the Lorenz cipher. Guessed wheel settings were likely to be correct if they resulted in a Story So Far

112 views • 9 slides
Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of Computer Science James Madison University Oct 16, 2015 CS: Just do it! Complete search = try every possibility Should never give you Wrong Answer

399 views • 15 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein (0). given AES Thanks to: He builds an attack machine. University of Illinois at Chicago NSF CCR9983950 Machine 1: His

428 views • 11 slides
Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some

Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some

ECE560 Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some slides adapted from slideware accompanying Computer Security: Principles and Practice by William Stallings and Lawrie Brown REAL advice

1.12k views • 79 slides
P

P

P Prr ss rt rst t

824 views • 24 slides
s n i k n e J h t i w n o i t a r g e t n I s u o u n i t n o C n

s n i k n e J h t i w n o i t a r g e t n I s u o u n i t n o C n

s n i k n e J h t i w n o i t a r g e t n I s u o u n i t n o C n o h t y P n o s u c o f . . . & M i k a J e n k i n s G r m l . o r g P r o j e c t D a i l y b u

781 views • 49 slides
In Introducing Cyber Effects in C2 Simulation Dr. B. Boltjes 1 , Dr. M. Pullen 2 , Dr. K. L.

In Introducing Cyber Effects in C2 Simulation Dr. B. Boltjes 1 , Dr. M. Pullen 2 , Dr. K. L.

In Introducing Cyber Effects in C2 Simulation Dr. B. Boltjes 1 , Dr. M. Pullen 2 , Dr. K. L. Morse 3 1 TNO Defence Research, The Netherlands 2 George Mason University, C4I Centre. 3 Johns Hopkins University / Applied Physics Laboratory APPROVED

559 views • 30 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication How Passwords are

512 views • 32 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Importance of checking every step of the process Simple ways to defend against this attack Data from an analysis of

368 views • 19 slides
CS CS 683 683 - Se Securi rity and Pri rivacy Sp Spri ring 2018 2018 Instr Ins truc

CS CS 683 683 - Se Securi rity and Pri rivacy Sp Spri ring 2018 2018 Instr Ins truc

CS CS 683 683 - Se Securi rity and Pri rivacy Sp Spri ring 2018 2018 Instr Ins truc uctor: Ka Karim El Elde defr frawy http://www.cs.usfca.edu/~keldefrawy/teaching/spring20 18/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1 Ou

543 views • 51 slides

More recommend