real world buffer overflow protection in user kernel space
play

Real-World Buffer Overflow Protection in User & Kernel Space - PowerPoint PPT Presentation

Mar 08, 2023 •277 likes •506 views

Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton , Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http: / / raksha.stanford.edu Forum 1 Motivation Buffer overflows remain a

  1. Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton , Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http: / / raksha.stanford.edu Forum 1

  2. Motivation � Buffer overflows remain a critical security threat � Deployed solutions are insufficient • Provide limited protection (NX bit) • Require recompilation (Stackguard, /GS) • Break backwards compatibility (ASLR) � Need an approach to software security that is • Robust - no false positives on real-world code • Practical - works on unmodified binaries • Safe - few false negatives • Fast Forum 2

  3. DIFT: Dynamic Information Flow Tracking � DIFT taints data from untrusted sources • Extra tag bit per word marks if untrusted � Propagate taint during program execution • Operations with tainted data produce tainted results � Check for suspicious uses of tainted data • Tainted code execution • Tainted pointer dereference (code & data) • Tainted SQL command � Potential: protection from low-level & high-level threats Forum 3

  4. DIFT Example: Buffer Overflow Vulnerable C Code int buf[8]; for (i = 0; i < len; i++) buf[i] = u; return; T Data load r2 ← M[u] u: &evil store M[buf+0] ← r2 buf[0]: 0 buf[0]: &evil … buf[7]: &evil buf[7]: 0 store M[buf+7] ← r2 ra: &evil ra: &foo store M[ra] ← r2 jmp *M[ra] TRAP � Tainted pointer dereference ⇒ security trap Forum 4

  5. Hardware DIFT Overview � The basic idea [Suh’04, Crandall’04, Chen’05] • Extend HW state to include taint bits • Extend HW instructions to check & propagate taint bits � Hardware advantages • Negligible runtime overhead � Software DIFT overheads range from 3-37x • Works with multithreaded and self-modifying binaries • Apply tag policies to OS Forum 5

  6. Raksha Overview & Features Unmodified binaries User 1 User 2 User 3 App App App Binary Binary Binary Cross-process info flow Tag Operating System Save/restore tags Aware Set security policies Security Monitor Control HW check/propagate 4 tag bits per word HW Architecture HW check/propagate Tags User-level security traps Forum 6

  7. Outline � Motivation & DIFT overview � Preventing buffer overflows with DIFT • Previous work • Novel BOF prevention policy � Evaluation • Prototype • Security experiments • Lessons learned � Conclusions Forum 7

  8. Naïve Buffer Overflow Detection � Previous DIFT approaches recognize bounds checks • Must bounds check untrusted info before dereference � Example: if (u < len) print buf[u]; � Taint untrusted input � OR Propagate taint on load,store,arithmetic,logical ops � Clear taint on bounds checks • Comparisons against untainted info � Check for tainted code, load/store/jump addresses • Forbid tainted pointer deref, code execution Forum 8

  9. Problems with Naïve Approach � Not all bounds checks are comparisons • Example : *str++ = digits[val % 10] • GCC, glibc, gzip… � Not all comparisons are bounds checks • Example: if (sz < fastbin_size) insert_fastbin(chunk); • Resulted in false negative during traceroute/malloc exploit � Bounds checks are not required for safety! • Example: return isdigit[(unsigned char)x] � isdigit array is 256 entries! Don’t need any bounds check � But stripped binary doesn’t tell us array sizes…. End result: unacceptable false positives in real code Forum 9

  10. Building a Better Security Model for BOF � Buffer overflow attacks rely on injecting pointers • Code pointers � Return address, Global Offset Table (GOT), function ptr • Data pointers [Chen 05] � Filenames, permission/access control structures, etc � Why pointers? • They’re everywhere! � Every stack frame (local pointers, frame pointer, ret addr) � Every free heap object (glibc) � Global Offset Table, constructors, destructors, … • Security-critical � Control pointers - arbitrary code execution � Data Pointers – subvert logic using tainted data structures Forum 10

  11. Preventing Pointer Injection with DIFT � Buffer overflows exploits overwrite pointers • But should never receive pointer from network! • Tainted data used as pointer index , never as pointer address � New DIFT BOF Policy • Tainted data cannot be dereferenced directly • Must be combined with application pointer to be safe • Pointer bit – tag legitimate application pointers • Taint bit – tag untrusted data � But how do we identify legitimate application pointers? Forum 11

  12. New BOF Policy – Taint bit � Goal: conservatively track untrusted information • Do not try to clear taint by recognizing bounds checks • Only clear taint when reg/mem word overwritten � Taint untrusted input � OR Propagate on load, store, arithmetic, logical ops � Check for tainted code � Check if code/data ptr is tainted and not a valid ptr • Security exception if Taint bit set & Pointer bit clear Forum 12

  13. New BOF Policy – Pointer bit � Propagate Pointer bit during valid pointer ops • Load/Store Pointer • Pointer +,-,OR,AND Non-Pointer • Pointer +,- Pointer � Encountered in real-world, byte of pointer used as array index � Clear P-bit on all other operations • Multiply, logical negation, etc � Check for untrusted pointer dereferences • Security exception if T-bit set, P-bit clear Forum 13

  14. Identifying Userspace Pointers � Initialize P-bit for all local variable references • Set P-Bit for stack pointer � Initialize P-bit for all dynamically allocated memory references • Set P-bit for return value of mmap, brk syscalls � Initialize P-Bit for static/global variable references • Scan all executable, library objects for these references � Scan both code, data regions � Set P-bit for potential any potential valid pointers • ABI (ELF, PE) restricts such references � Must be valid relocation entry type Forum 14

  15. BOF Protection in Kernel Space � OS dereferences untrusted pointers! • System call arguments come from untrusted userspace • Example: int unlink(const char * pathname) � Why is this safe? • All user pointers must be checked by access_ok() • Ensures user pointer is in userspace, not kernelspace � What instructions may access userspace? • Any instruction accessing userspace may cause MMU fault • All modern Unix OSes build tables of these instructions! � Any MMU fault not found in the table is an OS bug � Safe untrusted pointer dereference in Linux: • Tainted pointer must point to userspace • PC must be in MMU fault list Forum 15

  16. Raksha Prototype System � Full-featured Linux system � HW: modified Leon-3 processor • Open-source, Sparc V8 processor • Single-issue, in-order, 7-stage pipeline • Modified RTL for processor & system • Mapped to FPGA board (65Mhz workstation) � SW: ported Gentoo Linux distribution • Based on 2.6 kernel (modified to be tag aware) • Kernel preloads security manager into each process • Over 14,000 packages in repository (GNU toolchain, apache, sendmail, …) Forum 16

  17. Experiments (Userspace) � Successfully running Gentoo without false positives • Every program, even init, has BOF protection enabled • Run gcc, OpenSSH, sendmail, etc. � Prevented attacks on real-world applications Program Attack Detection Polymorph Stack overflow Tainted code ptr Atphttpd Stack overflow Tainted code ptr Sendmail BSS overflow Tainted data ptr Traceroute Double free Tainted data ptr Nullhttpd Heap overflow Tainted data ptr All userspace programs are unmodified binaries Forum 17

  18. Experiments (Kernelspace) � Protect entire Linux kernel from BOF • First comprehensive kernel buffer overflow protection • Even protect assembly code, device drivers, ctx switch � Only observed one potential false positive • Caused by previously undiscovered security hole! � Prevented real-world attacks on Linux kernel Subsystem Vulnerability quota system call User/Kernel pointer deref i2o driver ioctl User/Kernel pointer deref moxa driver BSS overflow cm4040 driver Heap overflow sendmsg system call Stack, Heap overflow Forum 18

  19. Comprehensive BOF protection � Can some BOF vulnerabilities still be exploited? • Yes, if BOF doesn’t rely on pointer corruption � Authentication flag, user IDs, array/pointer offsets… • Rare, but possible – depends on application data structure layout, etc � Combine multiple BOF protection policies for safety! • Attacker must evade all active policies to succeed � But must ensure all policies have no real-world false positives… • Policy #1: Bounds check BOF protection for control pointer only � Bounds check false positives only observed for data pointers � Prevents control pointer array offset overwites • Policy #2: Red Zone bounds checking for heap � Tag begin/end of each heap object with Sandbox bit � Raise error if user attempts to load/store to sandbox’d address � Detects heap buffer overflows � Use Raksha to run all policies concurrently (w/ Pointer BOF) • No false positives – tested in userspace and kernelspace • Verified new policies stop control pointer overwrites, heap overflows (resp.) Forum 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Real-time video streaming performance: DMA (Linux) kernel buffer queueing dynamics

Real-time video streaming performance: DMA (Linux) kernel buffer queueing dynamics

CS 503 Park Real-time video streaming performance: DMA (Linux) kernel buffer queueing dynamics Isochronous DV FireWire over Linux: Kernel Buffer Size 4.5e+06 4e+06 kernel buffer size (bytes) 3.5e+06 3e+06 2.5e+06 2e+06 1.5e+06

440 views • 5 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking &amp; Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references &amp; buffer overflow K&amp;R:

775 views • 43 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
CSCI 350 Ch. 2 - Kernel and User Mode Mark Redekopp 2 USER VS. KERNEL MODE 3 Exceptions

CSCI 350 Ch. 2 - Kernel and User Mode Mark Redekopp 2 USER VS. KERNEL MODE 3 Exceptions

1 CSCI 350 Ch. 2 - Kernel and User Mode Mark Redekopp 2 USER VS. KERNEL MODE 3 Exceptions Any event that causes a break in normal execution Error Conditions Invalid address, Arithmetic/FP overflow/error Hardware Interrupts /

440 views • 20 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Security Overview Different aspects of security User authentication Protection mechanisms

Security Overview Different aspects of security User authentication Protection mechanisms

CS399 New Beginnings Jonathan Walpole Security Overview Different aspects of security User authentication Protection mechanisms Attacks: - trojan horses, spoofing, logic bombs, trap doors, buffer overflow attacks, viruses, worms, mobile

825 views • 59 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and Context Mode, Space, and Context Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data

614 views • 50 slides
Buffer Overflow Attacks &amp; Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks &amp; Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks &amp; Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

994 views • 85 slides
Operating Systems Julian Bradfield jcb+os@inf.ed.ac.uk JCMB-2610 Course Aims general

Operating Systems Julian Bradfield jcb+os@inf.ed.ac.uk JCMB-2610 Course Aims general

Operating Systems Julian Bradfield jcb+os@inf.ed.ac.uk JCMB-2610 Course Aims general understanding of structure of modern computers purpose, structure and functions of operating systems illustration of key OS aspects by example

2.31k views • 191 slides
Modeling Wi-Fi Traffic in Hot-Spots &amp; Video over Wireless (demo) Amitabha Ghosh

Modeling Wi-Fi Traffic in Hot-Spots &amp; Video over Wireless (demo) Amitabha Ghosh

Modeling Wi-Fi Traffic in Hot-Spots &amp; Video over Wireless (demo) Amitabha Ghosh amitabhg@princeton.edu with: V. Ramaswami, Rittwik Jana (AT&amp;T Labs Research) Jiasi Chen, Mung Chiang (EE, Princeton University) 1 Modeling Wi-Fi

338 views • 32 slides
4+1 View of Architecture What does Linux have? Linux subsystems Process Scheduler (PS)

4+1 View of Architecture What does Linux have? Linux subsystems Process Scheduler (PS)

4+1 View of Architecture What does Linux have? Linux subsystems Process Scheduler (PS) responsible for supporting multitasking by deciding which user process executes. Memory Manager (MM) provides a separate memory space for

208 views • 17 slides
Chapter 3 Section 3 MA1020 Quantitative Literacy Sidney Butler Michigan Technological University

Chapter 3 Section 3 MA1020 Quantitative Literacy Sidney Butler Michigan Technological University

Chapter 3 Section 3 MA1020 Quantitative Literacy Sidney Butler Michigan Technological University September 22, 2006 S Butler (Michigan Tech) Chapter 3 Section 3 September 22, 2006 1 / 11 Weighted Voting Systems Notation: P n and W n .

582 views • 11 slides
THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden

THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden

THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden University of Technology, Germany 1 MOTIVATION Universal construction Shows how to convert sequential algorithm into concurrent wait-free

331 views • 20 slides
LIU-PSB MD S AND S TUDIES : 2018 Simon Albright BE-RF-BR February 19, 2018 S IMON A LBRIGHT

LIU-PSB MD S AND S TUDIES : 2018 Simon Albright BE-RF-BR February 19, 2018 S IMON A LBRIGHT

LIU-PSB MD S AND S TUDIES : 2018 Simon Albright BE-RF-BR February 19, 2018 S IMON A LBRIGHT (BE-RF-BR) LIU-PSB MD S F EBRUARY 19, 2018 1 / 16 I NJECTION 1 L ONGITUDINAL 2 Highest Priorities T RANSVERSE 3 Highest Priorities E XTRACTION AND T

346 views • 16 slides
Lecture 6: Representing Words Kai-Wei Chang CS @ UCLA kw@kwchang.net Couse webpage:

Lecture 6: Representing Words Kai-Wei Chang CS @ UCLA kw@kwchang.net Couse webpage:

Lecture 6: Representing Words Kai-Wei Chang CS @ UCLA kw@kwchang.net Couse webpage: https://uclanlp.github.io/CS269-17/ ML in NLP 1 Bag-of-Words with N-grams v N-grams: a contiguous sequence of n tokens from a given piece of text

595 views • 25 slides
How to Make a Presentation SWEN-261 Introduction to Software Engineering Department of Software

How to Make a Presentation SWEN-261 Introduction to Software Engineering Department of Software

How to Make a Presentation SWEN-261 Introduction to Software Engineering Department of Software Engineering Rochester Institute of Technology Making a presentation can be a frightening experience for some people. How to deliver an

349 views • 10 slides

More recommend