rop gadget prevalence and survival under compiler based
play

ROP Gadget Prevalence and Survival under Compiler-based Binary - PowerPoint PPT Presentation

Aug 24, 2023 •808 likes •1.28k views

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

  1. Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics Laboratory 2nd International Workshop on Software Protection SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 1 / 22

  2. Background Evaluation Software Diversity Conclusion Cybersecurity Current Landscape Compromise once, compromise everywhere SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 2 / 22

  3. Background Evaluation Software Diversity Conclusion Cybersecurity Current Landscape Compromise once, compromise everywhere ◮ Systems are homogeneous and share vulnerabilities SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 2 / 22

  4. Background Evaluation Software Diversity Conclusion Cybersecurity Current Landscape Compromise once, compromise everywhere ◮ Systems are homogeneous and share vulnerabilities ◮ Single exploit reused to compromise all systems ◮ e.g., Morris, Nimda, Conficker, and Heartbleed Exploit SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 2 / 22

  5. Background Evaluation Software Diversity Conclusion Cybersecurity Current Landscape Compromise once, compromise everywhere ◮ Systems are homogeneous and share vulnerabilities ◮ Single exploit reused to compromise all systems ◮ e.g., Morris, Nimda, Conficker, and Heartbleed Exploit Exploit Exploit SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 2 / 22

  6. Background Evaluation Software Diversity Conclusion Cybersecurity (continued) Diversity Software diversity breaks the assumption of consistency in operational environments SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 3 / 22

  7. Background Evaluation Software Diversity Conclusion Cybersecurity (continued) Diversity Software diversity breaks the assumption of consistency in operational environments SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 3 / 22

  8. Background Evaluation Software Diversity Conclusion Cybersecurity (continued) Diversity Software diversity breaks the assumption of consistency in operational environments Exploit SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 3 / 22

  9. Background Evaluation Software Diversity Conclusion Cybersecurity (continued) Diversity Software diversity breaks the assumption of consistency in operational environments Exploit Exploit Exploit SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 3 / 22

  10. Background Evaluation Software Diversity Conclusion Cybersecurity (continued) Diversity Software diversity breaks the assumption of consistency in operational environments ◮ Increases attacker cost by reducing exploit reuse Exploit Exploit Exploit SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 3 / 22

  11. Background Evaluation Software Diversity Conclusion Software Diversity Opportunities Techniques exist to introduce diversity throughout the software development process ◮ Design diversity ◮ N -version programming ◮ Diversifying compilers ◮ Instruction set architecture (ISA) randomization SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 4 / 22

  12. Background Evaluation Software Diversity Conclusion Software Diversity Opportunities Techniques exist to introduce diversity throughout the software development process ◮ Design diversity ◮ N -version programming ◮ Diversifying compilers ◮ Instruction set architecture (ISA) randomization Our focus: diversifying compilers ◮ Allows transformation and optimization using existing tools ◮ Several open source projects exist SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 4 / 22

  13. Background Evaluation Software Diversity Conclusion Reducing Exploit Reuse Code reuse attacks are increasingly common ◮ Response to preventing execution of code in data segments ◮ Return-oriented programming (ROP) is a class of code reuse attacks ← Increasing Address pop %rdx ret pop %rdx add %rsi, %rdx ret ret . . . mov %rsi, %rdx mov %rsi, %rdx ret ret SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 5 / 22

  14. Background Evaluation Software Diversity Conclusion Prior Work Little work evaluates the effectiveness of the proposed techniques ◮ Many security evaluations are based on logical arguments or concrete attacks The study of how diversity affects the adversary’s effort is in its infancy. [. . . ] Numerous papers have been published on how to perform sound performance evaluations; [. . . ] a similar effort should be undertaken with respect to efficacy metrics for diversified software. [Larsen et al., 2014] SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 6 / 22

  15. Background Evaluation Software Diversity Conclusion Prior Work (continued) Few studies consider how diversity interferes with exploit reuse ◮ Testing against concrete attacks does not demonstrate effectiveness against alternative tactics ◮ e.g., the transition from code injection to code reuse attacks ◮ Attack-specific analyses should consider an attacker’s learning ◮ e.g., invariance among diversified variants SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 7 / 22

  16. Background Evaluation Software Diversity Conclusion Prior Work (continued) Few studies consider how diversity interferes with exploit reuse ◮ Testing against concrete attacks does not demonstrate effectiveness against alternative tactics ◮ e.g., the transition from code injection to code reuse attacks ◮ Attack-specific analyses should consider an attacker’s learning ◮ e.g., invariance among diversified variants Today Tomorrow Software Monoculture Diversified Software SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 7 / 22

  17. Background Evaluation Software Diversity Conclusion Gadget Survival Figure: Gadget locations in two variants (red, blue) of dirname with common gadgets circled in green. SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 8 / 22

  18. Diversity Techniques Background Data Sets Evaluation Gadget Counting Conclusion Gadget Survival Outline Background Evaluation Diversity Techniques Data Sets Gadget Counting Gadget Survival Conclusion SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 9 / 22

  19. Diversity Techniques Background Data Sets Evaluation Gadget Counting Conclusion Gadget Survival Diversity Techniques Techniques implemented by the multicompiler [Homescu et al., 2013] and Obfuscator-LLVM [Junod et al., 2015] NOP insertion Changes address of ROP gadgets Instruction substitution Replaces instructions with arithmetic identities ◮ e.g., b + c = b − ( − c ) = − ( − b + ( − c )) Schedule randomization Reorders independent instructions Bogus control flow Inserts a basic block with an opaque predicate to hinder reverse engineering Control flow flattening Obfuscates the control flow graph via indirect jumps using “jump tables” Function shuffling Reorders functions in the executable SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 10 / 22

  20. Diversity Techniques Background Data Sets Evaluation Gadget Counting Conclusion Gadget Survival Data Sets GNU core utilities ◮ 103 different binaries ( ≈ 60 KLOC) ◮ Many binaries limits the impact of outliers on analysis ◮ Open source for reproducibility and amenable to compiler-based diversity schemes SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 11 / 22

  21. Diversity Techniques Background Data Sets Evaluation Gadget Counting Conclusion Gadget Survival Data Sets GNU core utilities ◮ 103 different binaries ( ≈ 60 KLOC) ◮ Many binaries limits the impact of outliers on analysis ◮ Open source for reproducibility and amenable to compiler-based diversity schemes Variants ◮ Generate 100 unique variants for each diversity technique � 100 ◮ Select 4000 unique combinations from the � possibilities k � 100 � ◮ 4000 ≈ max k k ∈{ 2 ,..., 16 } SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 11 / 22

  22. Diversity Techniques Background Data Sets Evaluation Gadget Counting Conclusion Gadget Survival Metrics Statically identify all gadgets in binaries ◮ Disassemble a sliding window of 25 bytes looking for a valid sequence that terminates in a return instruction SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 12 / 22

  23. Diversity Techniques Background Data Sets Evaluation Gadget Counting Conclusion Gadget Survival Metrics Statically identify all gadgets in binaries ◮ Disassemble a sliding window of 25 bytes looking for a valid sequence that terminates in a return instruction Survivor [Homescu et al., 2013] Identical gadgets have the same sequence of bytes and same offset in binary SPRO ’16 ROP Gadgets under Binary Diversity Schemes Coffman et al. 12 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB Linux USB Terminology Brief history of USB gadget subsystem Other filesystem-based gadget interfaces Using USB gadget configfs

439 views • 21 slides
CWD Advisory Group Meeting 3 Revisiting the CWD Prevalence Threshold Discussion Thresholds for

CWD Advisory Group Meeting 3 Revisiting the CWD Prevalence Threshold Discussion Thresholds for

CWD Advisory Group Meeting 3 Revisiting the CWD Prevalence Threshold Discussion Thresholds for chronic wasting disease management Estimating CWD Impacts on Doe Survival Simple calculation (back of envelope literally)* Based on

445 views • 17 slides
Entropy and Survival-based Weights to Combine Affymetrix Array Types in the Analysis of

Entropy and Survival-based Weights to Combine Affymetrix Array Types in the Analysis of

Entropy and Survival-based Weights to Combine Affymetrix Array Types in the Analysis of Differential Expression and Survival Jianhua Hu Department of Biostatistics University of North Carolina at Chapel Hill Outline Introduction

465 views • 30 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
Comparing adult antenatal adult antenatal- -clinic based clinic based Comparing HIV prevalence

Comparing adult antenatal adult antenatal- -clinic based clinic based Comparing HIV prevalence

Comparing adult antenatal adult antenatal- -clinic based clinic based Comparing HIV prevalence with with prevalence prevalence HIV prevalence from national population based surveys from national population based surveys in Sub- -Saharan

362 views • 19 slides
Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020 https://tinyurl.com/fosdem-gadget Hi, Im Alban Alban Crequy CTO, Kinvolk Github: alban Twitter: albcr Email: alban@kinvolk.io Kinvolk Driving

426 views • 30 slides
Subject Matter Compiler-based code improvement techniques > Sometimes called

Subject Matter Compiler-based code improvement techniques > Sometimes called

C OMP 512 This is C OMP 512 Advanced Compiler Construction Subject Matter Compiler-based code improvement techniques > Sometimes called optimization Analysis required to support them > No vector or multiprocessor

438 views • 20 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Estimating survival from Grays Outline flexible model I. Introduction II. Semiparametric

Estimating survival from Grays Outline flexible model I. Introduction II. Semiparametric

Estimating survival from Grays Outline flexible model I. Introduction II. Semiparametric survival models III. Grays model introduction Zdenek Valenta IV. Survival estimates based on semi-parametric models V. Estimating survival from

638 views • 9 slides
Missing data and net survival analysis Bernard Rachet General context Population-based, routine

Missing data and net survival analysis Bernard Rachet General context Population-based, routine

Workshop on Flexible Models for Longitudinal and Survival Data with Applications in Biostatistics Warwick, 27 - 29 July 2015 Missing data and net survival analysis Bernard Rachet General context Population-based, routine data Cancer registry

808 views • 39 slides
Use of Microarray Data via Model- Based Classification in the Study and Prediction of Survival

Use of Microarray Data via Model- Based Classification in the Study and Prediction of Survival

Use of Microarray Data via Model- Based Classification in the Study and Prediction of Survival from Lung Cancer Liat Jones * , Angus Ng * , Chris Ambroise ** , Katrina Monico* and Geoff McLachlan * * Institute for Molecular Bioscience **

1.06k views • 71 slides
Prevention of Cerebral Palsy in Pre-Term Labour (PReCePT) Clinical Background The

Prevention of Cerebral Palsy in Pre-Term Labour (PReCePT) Clinical Background The

Prevention of Cerebral Palsy in Pre-Term Labour (PReCePT) Clinical Background The prevalence of preterm birth is increasing While the survival of infants born preterm has improved, the prevalence of cerebral palsy has risen

565 views • 38 slides
Differences in TBI Prevalence, Outcomes, and Symptoms in Colorado CB Eagye TBI Prevalence

Differences in TBI Prevalence, Outcomes, and Symptoms in Colorado CB Eagye TBI Prevalence

Differences in TBI Prevalence, Outcomes, and Symptoms in Colorado CB Eagye TBI Prevalence Research Studies Initial Research Project Colorado Study of TBI Prevalence and Associated Outcomes - 2007 Funded by the CDC Statewide

1.1k views • 81 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations, Variables Owen Arden UC Santa Cruz Based on course materials developed by Ranjit Jhala Lets Write a Compiler! Our goal is to write a compiler which

658 views • 18 slides
RcmdrPlugin.survival : An R Commander Plug-in Package for Survival Analysis John Fox McMaster

RcmdrPlugin.survival : An R Commander Plug-in Package for Survival Analysis John Fox McMaster

Basic Capabilities Survival Data Diagnostics Additional Summaries RcmdrPlugin.survival : An R Commander Plug-in Package for Survival Analysis John Fox McMaster University Hamilton, Ontario, Canada useR! 2010 John Fox McMaster

221 views • 5 slides
Recent Advances in Associate Professor Director, Mechanical Lots of medications, devices

Recent Advances in Associate Professor Director, Mechanical Lots of medications, devices

6/20/2016 Heart Failure in 2016 Only CVD with stagnant/ increasing incidence, prevalence, morbidity (hospitalizations), mortality 20+ mil patients worldwide (6 mil in US) One and 5 years survival: 90% and 50% One year

273 views • 12 slides
Concurrent Binary Search Tree Nathan Bronson, Jared Casper, Hassan Chafi, and Kunle Olukotun

Concurrent Binary Search Tree Nathan Bronson, Jared Casper, Hassan Chafi, and Kunle Olukotun

A Practical Concurrent Binary Search Tree Nathan Bronson, Jared Casper, Hassan Chafi, and Kunle Olukotun Stanford University PPoPP 2010 1 SnapTree Optimistically concurrent Linearizable reads and writes, invisible readers Good

970 views • 29 slides
The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601. Its a very neat implementation of the binary tree idea, using an array. We can use the binary heap to sort an array, and we can use it to make a

304 views • 15 slides
Econ 2148, fall 2017 Instrumental variables I, origins and binary treatment case Maximilian Kasy

Econ 2148, fall 2017 Instrumental variables I, origins and binary treatment case Maximilian Kasy

Instrumental variables Econ 2148, fall 2017 Instrumental variables I, origins and binary treatment case Maximilian Kasy Department of Economics, Harvard University 1 / 40 Instrumental variables Agenda instrumental variables part I

531 views • 40 slides
Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn

Binarylevel program analysis: Executable File Formats Gang Tan CSE 597 Spring 2019 Penn State University * Some slides adapted from those by Toms Snchez Lpez at http://www.tomassanchez.com/material/ELF.ppt 1 Executable File

465 views • 20 slides
Binary Search Trees Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Warm Up

Binary Search Trees Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Warm Up

Binary Search Trees Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Warm Up From CS CSE 143 43: - what is a binary tree - how do you write code to build a tree from scratch? - how do you write code to traverse an

340 views • 9 slides
Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Principles Of Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary Arithmetic Same basic methodology as decimal arithmetic Important to know number representation Unsigned Signed

704 views • 11 slides
Scalable Name-Based Packet Forwarding: From Millions to Billions Tian Song , songtian@bit.edu.cn,

Scalable Name-Based Packet Forwarding: From Millions to Billions Tian Song , songtian@bit.edu.cn,

Scalable Name-Based Packet Forwarding: From Millions to Billions Tian Song , songtian@bit.edu.cn, Beijing Institute of Technology Haowei Yuan, Patrick Crowley, Washington University Beichuan Zhang, The University of Arizona 1 A

391 views • 28 slides
CS 241 Data Organization Binary Trees March 29, 2018 Binary Tree: Kernighan and Ritchie 6.5

CS 241 Data Organization Binary Trees March 29, 2018 Binary Tree: Kernighan and Ritchie 6.5

CS 241 Data Organization Binary Trees March 29, 2018 Binary Tree: Kernighan and Ritchie 6.5 Read a file and count the occurrences of each word. now is the time for all good men to come to the aid of their party now is the for men of

660 views • 19 slides

More recommend