protecting computer systems
play

Protecting Computer Systems through Eli liminating or Analyzing - PowerPoint PPT Presentation

Nov 24, 2023 •264 likes •2.02k views

Protecting Computer Systems through Eli liminating or Analyzing Vulnerabilities Byoungyoung Lee Georgia Institute of Technology 1 Computers are every rywhere 2 Computers are every rywhere Affecting every aspect of our life 2

  1. Understanding use-after-free (i (in detail) Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; Attacker freed controlled *child *body object Use a dangling pointer doc->child->getAlign(); 18

  2. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; doc->child->getAlign(); 19

  3. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; doc->child->getAlign(); 19

  4. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Body *body = new Body(); Body *body = new Body(); doc->child = body; delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  5. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Body *body = new Body(); Body *body = new Body(); doc->child = body; delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  6. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Static analysis: inter-procedural and points-to analysis Body *body = new Body(); Body *body = new Body(); doc->child = body; Dynamic analysis: precise pointer semantic tracking delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  7. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Static analysis: inter-procedural and points-to analysis Body *body = new Body(); Body *body = new Body(); doc->child = body; Dynamic analysis: precise pointer semantic tracking delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); Difficult to scale for complex systems 19

  8. DangNull • DangNull: Eliminating the root cause of use-after-free • Design • Tracking Object Relationships • Nullifying dangling pointers 20

  9. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair 21

  10. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); 21

  11. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); 21

  12. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc 21

  13. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; 21

  14. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Remove shadow obj : - Using base address (body) Insert shadow obj: - Base address of allocation - Size of Doc delete body; 21

  15. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; back fwd Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  16. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  17. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  18. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body Backward *body 22

  19. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body Backward *body 22

  20. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc This is heavily abstracted pointer semantic tracking, *doc *child Shadow obj. of Body but it is enough to identify all dangling pointers back fwd Body Backward *body 22

  21. Nullify fying dangling pointers • Nullify all backward pointers once the target object is freed • All backward pointers are dangling pointers • Dangling pointers have no semantics Doc *doc *child Body Freed *body 23

  22. Im Implementation • Prototype of DangNull • Instrumentation: LLVM pass, +389 LoC • Runtime: compiler-rt, +3,955 LoC • Target applications • SPEC CPU 2006: one extra compiler and linker flag • Chromium: +27 LoC to .gyp build configuration file 24

  23. Evaluation on Chromium • Runtime overheads • 4.8% and 53.1% overheads in JavaScript and rendering benchmarks, respectively • 7% increased page loading time for Alexa top 100 websites • Safely prevented 7 real-world use-after-free exploits in Chrome 25

  24. 1. Eliminating vulnerabilities DangNull [NDSS 15]: Eliminating use-after-free vulnerabilities CaVer [Security 15]: Eliminating bad-casting vulnerabilities 2. Analyzing vulnerabilities SideFinder: Analyzing timing-channel vulnerabilties 26

  25. Vulnerabilities in Microsoft products Bad-casting Use-after-free Heap-corruption Exploitation Trends: From Potential Risk to Actual Risk, Microsoft 27

  26. Type conversions in C++ ++ • static_cast • Compile-time conversions • Fast: no extra type verification in run-time • dynamic_cast • Run-time conversions • Requires Runtime Type Information (RTTI) • Slow: Extra verification by parsing RTTI • Typically prohibited in performance critical applications 28

  27. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes 29

  28. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes 29

  29. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Element HTMLElement SVGElement 29

  30. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Upcasting Element HTMLElement SVGElement 29

  31. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement 29

  32. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement Upcasting is always safe, but downcasting is not! 29

  33. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; 30

  34. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 30

  35. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 30

  36. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for D vftptr for P int m_P int m_P int m_D Access scope of P* Access scope of D* 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 Operating Systems Peter Reiher Lecture 18 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for

1.06k views • 62 slides
Protecting Your Property: Protecting Your Property: How How Well Do You Know Your Well Do You Know

Protecting Your Property: Protecting Your Property: How How Well Do You Know Your Well Do You Know

Protecting Your Property: Protecting Your Property: How How Well Do You Know Your Well Do You Know Your Fire Fire Systems Systems Joe Szewczyk, Risk Control Consultant Joe Szewczyk, Risk Control Consultant Objectives Where regulations related

477 views • 29 slides
Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents Against DoS Mobile Agents Against DoS Biljana Cubaleska 1 , Markus Schneider 2 1 University of Hagen, Dept. Of Communication Systems, Germany 2

511 views • 21 slides
GreenFS: Making Enterprise Computers Greener by Protecting Them Better Nikolai Joukov and Josef

GreenFS: Making Enterprise Computers Greener by Protecting Them Better Nikolai Joukov and Josef

Department of Computer Science, Institute for System Architecture, Operating Systems Group GreenFS: Making Enterprise Computers Greener by Protecting Them Better Nikolai Joukov and Josef Sipek Presented by Carsten Weinhold Paper Reading Group,

304 views • 18 slides
Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k

Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k

6/2/20 HealthMatters in our Homes Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k and nd Wh Why 1 During this presentation, we will: Summarize what COVID-19 is, how it spreads, and who

463 views • 19 slides
Protecting Interprocess Communications Operating systems provide various kinds of

Protecting Interprocess Communications Operating systems provide various kinds of

Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications Messages Semaphores Shared memory Sockets How can we be sure theyre used properly? Lecture 8 Page 1 CS 236

266 views • 25 slides
IT Security Summary 1. Protecting your equipment from theft 2. Securing access to your computer

IT Security Summary 1. Protecting your equipment from theft 2. Securing access to your computer

IT Security Summary 1. Protecting your equipment from theft 2. Securing access to your computer and to your documents 3. Saving your documents 4. Protection from computer viruses, Spyware or Malware 5. Protection from Phishing 6. How to

700 views • 22 slides
A Case for Protecting Computer Games With SGX Erick Bauman and Zhiqiang Lin System and Software

A Case for Protecting Computer Games With SGX Erick Bauman and Zhiqiang Lin System and Software

Background Overview Detailed Design Case Study Conclusion A Case for Protecting Computer Games With SGX Erick Bauman and Zhiqiang Lin System and Software Security (S 3 ) Lab The University of Texas at Dallas December 12 th , 2016 Background

646 views • 62 slides
Protecting Our Protecting Our Introduction Family Family Globally HIV/AIDS has left its

Protecting Our Protecting Our Introduction Family Family Globally HIV/AIDS has left its

Protecting Our Protecting Our Introduction Family Family Globally HIV/AIDS has left its mark on every continent, with its highest prevalence being in sub Saharan Africa 10% of the worlds population An Assessment of In 2008,

353 views • 6 slides
Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So Hospitals will be paid less unless: Good scores on Incentive payments Meeting 17 clinical processes Funded by 1% cut in base (aspirin,

614 views • 7 slides
Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So Hospitals will be paid less unless: Good scores on Incentive payments Meeting 17 clinical processes Funded by 1% cut in base (aspirin,

418 views • 8 slides
Introduc>on 2 A Modern Computer Computer Systems and

Introduc>on 2 A Modern Computer Computer Systems and

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Introduc>on 2 A Modern Computer Computer Systems and

820 views • 62 slides
Computer Systems Lab Stefan M. Freudenberger Computer Systems, ETH Zrich Introduction

Computer Systems Lab Stefan M. Freudenberger Computer Systems, ETH Zrich Introduction

Computer Systems Lab Stefan M. Freudenberger Computer Systems, ETH Zrich Introduction Course Schedule Lecture: Monday 4:15 5:00 p.m. (RZ F21) Recitation: TBD Assignments: in teams, time to be arranged individually

463 views • 31 slides
Distributed HPC Systems ASD Distributed Memory HPC Workshop Computer Systems Group Research

Distributed HPC Systems ASD Distributed Memory HPC Workshop Computer Systems Group Research

Distributed HPC Systems ASD Distributed Memory HPC Workshop Computer Systems Group Research School of Computer Science Australian National University Canberra, Australia November 03, 2017 Day 5 Schedule Computer Systems (ANU)

753 views • 40 slides
Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security

Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security

Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OPM. Anthem BCBS. Ashley Madison. NATIONAL INSTITUTE OF

506 views • 23 slides
Protecting Steel By Mr. Christopher L. Gibbons Protecting Steel Who are Teamac? 3 rd generation.

Protecting Steel By Mr. Christopher L. Gibbons Protecting Steel Who are Teamac? 3 rd generation.

Protecting Steel By Mr. Christopher L. Gibbons Protecting Steel Who are Teamac? 3 rd generation. Privately owned company. Based in Hull. Weve been making paint since 1908. Who am I? Chris Gibbons. L2 Icorr Paint inspector. 40 years

603 views • 14 slides
Accessing cosmological simulations A. Klypin (NMSU) Friday, December 17, 2010 Groups: NMSU:

Accessing cosmological simulations A. Klypin (NMSU) Friday, December 17, 2010 Groups: NMSU:

Accessing cosmological simulations A. Klypin (NMSU) Friday, December 17, 2010 Groups: NMSU: Klypin UCSC: Primack Stanford: Wechsler AIP: Gottlober Madrid: Yepes, Knebe Jerusalem: Dekel, Hoffman, Ceverino Chicago:

478 views • 18 slides
Maximum Entropy Models for y Realization Ranking yz Erik Velldal

Maximum Entropy Models for y Realization Ranking yz Erik Velldal

Maximum Entropy Models for y Realization Ranking yz Erik Velldal <erik.velldal@iln.uio.no> y Department of Linguistics and Scandinavian Studies, Stephan Oepen <oe@csli.stanford.edu> z Center for the Study of Language and

440 views • 30 slides
Study caf hours Lis ists List syntax List operations copy.deepcopy range

Study caf hours Lis ists List syntax List operations copy.deepcopy range

Study caf hours Lis ists List syntax List operations copy.deepcopy range while-else for for-break-continue-else Lis ist operatio ions List syntax [ value 1 , value 2 , ..., value k ] List indexing L[ index

527 views • 23 slides
ERISAO and MAORY-NGS Control Systems Gianluca Di Rico INAF Osservatorio Astronomico di

ERISAO and MAORY-NGS Control Systems Gianluca Di Rico INAF Osservatorio Astronomico di

Update on the ERISAO and MAORY-NGS Control Systems Gianluca Di Rico INAF Osservatorio Astronomico di Teramo ADONI 2017 - PADOVA Extending Collaborations within INAF Attivit di collaborazione: ERIS Elettronica AO (NGS+LGS)

664 views • 18 slides
The Smoking Gun of BNV Colour Topologies and String Hadronization in Baryon Number Violating

The Smoking Gun of BNV Colour Topologies and String Hadronization in Baryon Number Violating

ECFA LC Workshop 2003 The Smoking Gun of BNV Colour Topologies and String Hadronization in Baryon Number Violating Supersymmetry P . Skands (speaker) & T. Sjstrand, Lund University. Nucl.Phys.B659:243,2003 ; hep-ph/0209199 The Smoking

580 views • 20 slides
Today Mind and Body Some philosophical issues about AI One of the oldest philosophical problems

Today Mind and Body Some philosophical issues about AI One of the oldest philosophical problems

1 2 Today Mind and Body Some philosophical issues about AI One of the oldest philosophical problems is that of the relationship between human minds and the physical universe. Mind and Body The topic has been enlivened recently with the

85 views • 7 slides
Colour & Precision Top Physics Peter Skands (Monash University) Perturbative aspects of top

Colour & Precision Top Physics Peter Skands (Monash University) Perturbative aspects of top

Colour & Precision Top Physics Peter Skands (Monash University) Perturbative aspects of top physics The top quark mass Top quark modelling at colliders A new approach to coherence Non-perturbative aspects of top physics Collective effects

543 views • 38 slides
When? Investigating the temporal entities in a corpus Max Kemman University of Luxembourg

When? Investigating the temporal entities in a corpus Max Kemman University of Luxembourg

When? Investigating the temporal entities in a corpus Max Kemman University of Luxembourg November 8, 2015 Doing Digital History: Introduction to Tools and Technology Recap - Assignment How did the assignment go? What did you think of the

537 views • 36 slides

More recommend