securing software by enforcing data flow integrity
play

Securing software by enforcing data-flow integrity Manuel Costa - PowerPoint PPT Presentation

Mar 27, 2024 •38 likes •288 views

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge Software is vulnerable use of unsafe languages is prevalent most

  1. Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge

  2. Software is vulnerable • use of unsafe languages is prevalent – most “packaged” software written in C/C++ • many software defects – buffer overflows, format strings, double frees • many ways to exploit defects – corrupt control-data: stack, function pointers – corrupt non-control-data: function arguments, security variables defects are routinely exploited

  3. Approaches to securing software • remove/avoid all defects is hard • prevent control-data exploits – protect specific control-data StackGuard, PointGuard – detect control-flow anomalies Program Shepherding, CFI – attacks can succeed without corrupting control-flow • prevent non-control-data exploits – bounds checking on all pointer dereferences CRED – detect unsafe uses of network data Vigilante, [Suh04], Minos, TaintCheck, [Chen05], Argos, [Ho06] – expensive in software no good solutions to prevent non-control-data exploits

  4. Data-flow integrity enforcement • compute data-flow in the program statically – for every load, compute the set of stores that may produce the loaded data • enforce data-flow at runtime – when loading data, check that it came from an allowed store • optimize enforcement with static analysis

  5. Data-flow integrity: advantages • broad coverage – detects control-data and non-control-data attacks • automatic – extracts policy from unmodified programs • no false positives – only detects real errors (malicious or not) • good performance – low runtime overhead

  6. Outline • data-flow integrity enforcement • optimizations • results

  7. Data-flow integrity • at compile time, compute reaching definitions – assign an id to every store instruction – assign a set of allowed source ids to every load • at runtime, check actual definition that reaches a load – runtime definitions table (RDT) records id of last store to each address – on store(value,address): set RDT[address] to store’s id – on load(address): check if RDT[address] is one of the allowed source ids • protect RDT with software-based fault isolation

  8. Example vulnerable program int authenticated = 0; buffer overflow in char packet[1000]; this function allows while (!authenticated) { the attacker to set PacketRead(packet); authenticated to 1 if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); • non-control-data attack • very similar to a real attack on a SSH server

  9. Static analysis • computes data flows conservatively – flow-sensitive intraprocedural analysis – flow-insensitive interprocedural analysis • uses Andersen’s points-to algorithm • scales to very large programs • same assumptions as analysis for optimization – pointer arithmetic cannot navigate between independent objects – these are the assumptions that attacks violate

  10. Instrumentation SETDEF authenticated 1 int authenticated = 0; char packet[1000]; check that authenticated while (CHECKDEF authenticated in {1,8} was written here !authenticated) { or here PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 8 authenticated = 1; } } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet);

  11. Runtime: detecting the attack Vulnerable program Memory layout SETDEF authenticated 1 int authenticated = 0; RDT slot for char packet[1000]; 7 1 authenticated while (CHECKDEF authenticated in {1,8} stores disallowed !authenticated) { above 0x40000000 PacketRead(packet); Attack detected! if (Authenticate(packet)){ definition 7 not SETDEF authenticated 8 in {1,8} authenticated = 1; authenticated } stored here 1 0 } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet);

  12. Also prevents control-data attacks • user-visible control-data (function pointers,…) – handled as any other data • compiler-generated control-data – instrument definitions and uses of this new data – e.g., enforce that the definition reaching a ret is generated by the corresponding call

  13. Efficient instrumentation: SETDEF • SETDEF _authenticated 1 is compiled to: get address of variable lea ecx,[_authenticated] prevent RDT tampering test ecx,0C0000000h set RDT[address] to 1 je L int 3 L: shr ecx,2 mov word ptr [ecx*2+40001000h],1

  14. Efficient instrumentation: CHECKDEF • CHECKDEF _authenticated {1,8} is compiled to: get address of variable lea ecx,[_authenticated] shr ecx,2 mov cx, word ptr [ecx*2+40001000h] cmp cx, 1 je L get definition id from RDT[address] cmp cx,8 je L check definition in {1,8} int 3 L:

  15. Optimization: renaming definitions • definitions with the same set of uses share one id SETDEF authenticated 1 SETDEF authenticated 1 int authenticated = 0; int authenticated = 0; char packet[1000]; char packet[1000]; while ( while ( CHECKDEF authenticated in {1,8} CHECKDEF authenticated in {1} !authenticated) { !authenticated) { PacketRead(packet); PacketRead(packet); if (Authenticate(packet)){ if (Authenticate(packet)){ SETDEF authenticated 8 SETDEF authenticated 1 authenticated = 1; authenticated = 1; } } } } CHECKDEF authenticated in {1} CHECKDEF authenticated in {1,8} if (authenticated) if (authenticated) ProcessPacket(packet); ProcessPacket(packet);

  16. Other optimizations • removing SETDEFs and CHECKDEFs – eliminate CHECKDEFs that always succeed – eliminate redundant SETDEFs – uses static analysis, but does not rely on any assumptions that may be violated by attacks • remove bounds checks on safe writes • optimize set membership checks – check consecutive ids using a single comparison

  17. Evaluation • overhead on SPEC CPU and Web benchmarks • contributions of optimizations • ability to prevent attacks on real programs

  18. Runtime overhead

  19. Memory overhead

  20. Contribution of optimizations

  21. Overhead on SPEC Web maximum overhead of 23%

  22. Preventing real attacks Application Vulnerability Exploit Detected? NullHttpd heap-based buffer overwrite cgi-bin yes overflow configuration data SSH integer overflow and overwrite yes heap-based buffer authenticated overflow variable STunnel format string overwrite return yes address Ghttpd stack-based buffer overwrite return yes overflow address

  23. Conclusion • enforcing data-flow integrity protects software from attacks – handles non-control-data and control-data attacks – works with unmodified C/C++ programs – no false positives – low runtime and memory overhead

  24. Overhead breakdown

  25. Contribution of optimizations

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data

Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data

Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data Integrity Defining Constraints Types of Constraints Disabling Constraints Using Defaults and Rules Deciding Which Enforcement Method

260 views • 23 slides
Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides
Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with

Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with

Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with contributions from Claudio Marxer, University of Basel Overview 1. Named Function Networking (NFN) in two slides 2. Problem statement (NDNex) 3.

350 views • 16 slides
ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION FLOW Prof. R.K Shyamasundar CONTROL Todays Talk Background and Motivation. Possible attack in a system without IFC. Our solution using

381 views • 16 slides
Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program

961 views • 72 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
DIF, DIX and Linux Data Integrity Martin K. Petersen Consulting Software Developer, Linux

DIF, DIX and Linux Data Integrity Martin K. Petersen Consulting Software Developer, Linux

<Insert Picture Here> DIF, DIX and Linux Data Integrity Martin K. Petersen Consulting Software Developer, Linux Engineering Topics Data Integrity Technologies <Insert Picture Here> Data Corruption T10 DIF Data

752 views • 25 slides
Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti , University of Padua Slides prepared with the support of Daniele Lain and Moreno Ambrosin SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017,

794 views • 25 slides
RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and

771 views • 59 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
More Data Flow Analyses Reading: NNH 2.1 17-654/17-765 Analysis of Software Artifacts Jonathan

More Data Flow Analyses Reading: NNH 2.1 17-654/17-765 Analysis of Software Artifacts Jonathan

More Data Flow Analyses Reading: NNH 2.1 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich General Monotonicity Proofs We proved RD was monotone for data flow equations for a specific program Heres a more general

580 views • 23 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Systems: A ZFS Case Study Yupu Zhang , Abhishek Rajimwale Andrea C. Arpaci-Dusseau, Remzi H.

Systems: A ZFS Case Study Yupu Zhang , Abhishek Rajimwale Andrea C. Arpaci-Dusseau, Remzi H.

End-to-end Data Integrity for File Systems: A ZFS Case Study Yupu Zhang , Abhishek Rajimwale Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau University of Wisconsin - Madison 2/26/2010 1 End-to-end Argument Ideally, applications should

759 views • 29 slides
Reliable Byte-Stream (TCP) re-orders messages delivers duplicate copies of a given

Reliable Byte-Stream (TCP) re-orders messages delivers duplicate copies of a given

End-to-End Protocols Underlying best-effort network drop messages Reliable Byte-Stream (TCP) re-orders messages delivers duplicate copies of a given message limits messages to some finite size delivers messages after

303 views • 5 slides
PAYE Modernisation Thesaurus Webinar December 2019 Overview PAYE Modernisation Update

PAYE Modernisation Thesaurus Webinar December 2019 Overview PAYE Modernisation Update

PAYE Modernisation Thesaurus Webinar December 2019 Overview PAYE Modernisation Update Data Integrity Project myAccount Enhancements 2019 Employment Detail Summary Employee Statement of Liability Transition 2019/2020

707 views • 70 slides
Lecture 07: Race Conditions, Deadlock, Data Integrity The job - list - broken and job - list -

Lecture 07: Race Conditions, Deadlock, Data Integrity The job - list - broken and job - list -

Lecture 07: Race Conditions, Deadlock, Data Integrity The job - list - broken and job - list - fixed examples from the prior slide deck highlight a key issue that comes with the introduction of signals and signal handling. Neither job -

377 views • 10 slides
Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity

Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity

Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity Cryptographic Hash Function: Provides assurance of data integrity Let h be a hash function and x some data. The hash creates a fingerprint of the data,

564 views • 31 slides
AN INFORMATICS FRAMEWORK FOR TESTING DATA INTEGRITY AND CORRECTNESS OF FEDERATED BIOMEDICAL

AN INFORMATICS FRAMEWORK FOR TESTING DATA INTEGRITY AND CORRECTNESS OF FEDERATED BIOMEDICAL

AN INFORMATICS FRAMEWORK FOR TESTING DATA INTEGRITY AND CORRECTNESS OF FEDERATED BIOMEDICAL DATABASES Mijung Kim , 1 Tahsin Kurc, 2 Alessandro Orso, 1 Jake Cobb, 1 David Gutman, 2 Mary Jean Harrold, 1 Andrew Post, 2 Ashish Sharma, 2 Tony Pan, 2

303 views • 7 slides
Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January

Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January

Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January 2013 Key Wrapping Key wrap problem Multi-user system (e.g., industrial VPN): Many keys in use; Need of regular update; New session key

578 views • 29 slides

More recommend