securing software systems by preventing information leaks
play

Securing Software Systems by Preventing Information Leaks Kangjie - PowerPoint PPT Presentation

Aug 08, 2023 •34 likes •774 views

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of Technology Computer devices are everywhere 2 Foundational software systems 3 Inherent insecurity: Vulnerabilities and insecure designs Implemented in

  1. Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of Technology

  2. Computer devices are everywhere 2

  3. Foundational software systems 3

  4. Inherent insecurity: Vulnerabilities and insecure designs Implemented in unsafe languages (e.g., C/C++) – Increasing vulnerabilities Number of reported vulnerabilities in Linux 400 350 300 250 200 150 100 50 0 Data source: U.S. National Vulnerability Database System designers prioritize performance over security – Many insecure designs 4

  5. Critical system attacks exploiting vulnerabilities and insecure designs System attacks are evolving: More and more advanced, harder and harder to defend against 5

  6. Two typical goals of system attacks Control attacks To control victim systems To leak sensitive data Data leaks 6

  7. Defeating both data leaks and control attacks by preventing information leaks 7

  8. A fundamental requirement of control attacks Attackers have to replace a code pointer with a malicious one to gain control Memory Memory Code pointer Malicious pointer Malicious Overwriting code pieces control data 8

  9. A fundamental requirement of control attacks Attackers have to replace a code pointer with a malicious one to gain control Memory Memory Address of Address of a code malicious pointer code Code pointer Malicious pointer Malicious Overwriting code pieces control data Have to know the addresses of both a code pointer and malicious code 9

  10. A widely deployed defense---ASLR ASLR: Address Space Layout Randomization – Preventing attackers from knowing addresses 2 40 Memory Memory Memory possibilities Code/data Code/data Code/data … 1 st run 2 nd run 3 rd run n run 10

  11. In principle, ASLR is “perfect” Memory Randomized addresses ASLR is efficient, easy to deploy, and effective as long as there is no information leak 11

  12. In practice, ASLR is weak Number of reported information-leak vulnerabilities 2500 2000 1500 1000 500 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 Data source: U.S. National Vulnerability Database Control attacks still work because of information leaks 12

  13. ASLR re-defines the prevention problem in modern systems Control attack Address prevention ASLR leak prevention problem problem Preventing address leaks can defeat control attacks 13

  14. Information leak is inevitable for both attacks Exploiting information leaks Bypassing ASLR Data leaks Control attacks 14

  15. Research goal: Preventing information leaks Exploiting information leaks Bypassing ASLR Data leaks Control attacks 15

  16. Root causes of known information leaks Uninitialized Memory error read Logic error Missing check Vulnerabilities Hardware error Row hammer Root causes Specification Uninitialized issue padding Organization Refork-on-crash issue Design flaws Mechanism Deduplication + issue COW Side channels AnC on MMU Category Type Example 16

  17. Three ways to prevent information leaks Eliminating information-leak vulnerabilities • UniSan : Eliminating uninitialized data leaks [ CCS’16 ] • PointSan : Eliminating uninitialized pointers [ NDSS’17 ] Securing system designs against information leaks • Runtime re-randomization for process forking [ NDSS'16 ] Protecting sensitive data from information leaks • ASLR-Guard : Preventing code pointer leaks [ CCS’15 ] • Buddy : Detecting memory disclosures for COTS 17

  18. Motivation of UniSan OS kernels are the trusted computing base – Contain sensitive data like crypto keys – Deploy security mechanisms like ASLR Hundreds of information-leak vulnerabilities – Data leaks – ASLR bypass 18

  19. UniSan: To eliminate (the most common) information-leak vulnerabilities in OS kernels à Mitigate data leaks, code-reuse and privilege-escalation attacks 19

  20. Main contributions of UniSan • Automatically secure the Linux and Android kernels with negligible runtime overhead • Reported and patched 19 kernel vulnerabilities – CVE-2016-5243, CVE-2016-5244, CVE- 2016-4569, CVE-2016-4578, CVE-2016-4569, CVE-2016-4485, CVE-2016-4486, CVE-2016-4482, …… • Found and fixed a critical security problem in compilers • Porting UniSan to GCC for adoption 20

  21. The main cause of information leaks: Uninitialized data read Logic error (e.g., missing check) 14% Uninitialized data read 29% 57% Out-of-bound read & use- UniSan after-free Data source: U.S. National Vulnerability Database (kernel information leaks reported between 2013 and 2016) 21

  22. How an uninitialized data read leads to an information leak Kernel space Kernel space User space Kernel space Object B Object B Object A sensitive sensitive sensitive sensitive 1 2 3 4 We call such information leaks User A allocates User A deallocates User B allocates User B reads “ uninitialized data leaks ” object A and object A; object B without Object B; writes “ sensitive ” “ sensitive ” is not Initialization; “ sensitive ” into it cleared “ sensitive ” kept leaked ! 22

  23. Troublemaker: Developer Missing field initialization: Blame the developers? Difficult to avoid inconsistency – Too complex Object Data struct < / > use/init definition 23

  24. Troublemaker: Compiler Data structure padding: A fundamental feature for improving CPU efficiency /* both fields (5 bytes) are initialized*/ struct test { struct test t = { unsigned int a; .a = 0, unsigned char b; A critical and prevalent security problem: .b = 0 /* 3-bytes padding */ Programs are built by compilers! /* 3 uninitialized padding bytes */ }; }; /* leaking uninitialized 3-byte padding*/ copy_to_user(dest, &t, sizeof(t)); 24

  25. The root cause: C specifications (C11) Chapter §6.2.6.1/6 “When a value is stored in an object of structure or union type, including in a member object, the bytes of the object representation that correspond to any padding bytes take unspecified values.” 25

  26. UniSan: A compiler-based solution Simply initialize all allocated objects? Too expensive! Kernel The UniSan Approach source code Detecting Initializing Hardened unsafe unsafe LLVM IR LLVM IR allocations allocations Secured kernel image 26

  27. Unsafe allocation detection Byte-level and flow-, context-, and field-sensitive taint tracking Reachability analysis Sinks Sources (e.g., (i.e., Data flow copy_to_user) allocations) Initialization analysis 27

  28. Technical challenges in detection • Global call-graph construction – Conservative type analysis for indirect calls • Byte-level tracking – Maintaining offsets of fields • Eliminating false negatives Be conservative! Assume it is unsafe for unhandled special cases! 28

  29. Zero-initializing all unsafe allocations Stack Heap obj = 0 kmalloc(size, flags| __GFP_ZERO ) memset (obj, 0 , sizeof(obj)) Zero initialization is semantic preserving – Robust – Tolerant of false positives 29

  30. LLVM-based implementation An analysis pass + an instrumentation pass How to use UniSan: $ unisan @bitcode.list 30

  31. UniSan is performant and effective Applied to the latest Linux kernel and Android kernel 10% (2K) of allocations are detected as Accuracy unsafe Negligible runtime overhead: • System operations: 1.36% UniSan Performant Web servers: <0.1% • • User programs: 0.54% Prevented known and new vulnerabilities Effective 19 have been confirmed and fixed by Google • and Linux 31

  32. Three ways to prevent information leaks Eliminating information-leak vulnerabilities • UniSan : Eliminating uninitialized data leaks [ CCS’16 ] • PointSan : Eliminating uninitialized pointers [ NDSS’17 ] Securing system designs against information leaks • Runtime re-randomization for process forking [ NDSS'16 ] Protecting sensitive data from information leaks • ASLR-Guard : Preventing code pointer leaks [ CCS’15 ] • Buddy : Detecting memory disclosures for COTS 32

  33. Three ways to prevent information leaks Eliminating information-leak vulnerabilities • UniSan : Eliminating uninitialized data leaks [ CCS’16 ] • PointSan : Eliminating uninitialized pointers [ NDSS’17 ] Securing system designs against information leaks • Runtime re-randomization for process forking [ NDSS'16 ] Protecting sensitive data from information leaks • ASLR-Guard : Preventing code pointer leaks [ CCS’15 ] • Buddy : Detecting memory disclosures for COTS 33

  34. The insecure process forking violates ASLR A common design of web servers: Worker HTTP(S) Code/data fork() Master Worker fork() HTTP(S) Code/data Code/data Worker fork() HTTP(S) Code/data Exactly same memory layout. Re-fork upon worker crashes 34

  35. The clone-probing attack Attack goal: To guess sensitive data (say randomized return address) with a simple buffer overflow Stack of a web server return address Buffer 12 34 56 78 9a bc ed f0 overflow Crash, try another one 00 34 56 78 9a bc ed f0 AAAAAAA Crash, try another one 01 34 56 78 9a bc ed f0 AAAAAAA Brute-forcing complexity is reduced from 2 64 to 8*2 8 … … Attack Bingo, continue to 12 34 56 78 9a bc ed f0 AAAAAAA payload guess next byte … … Usually can be done within two minutes. … … 12 34 56 78 9a bc ed f0 AAAAAAA … … Finally, get all bytes 12 34 56 78 9a bc ed f0 AAAAAAA 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

NSA PRISM Slides - IC OFF THE RECORD 11.06.18 14:18 2013 LEAKS 2014 LEAKS 2015 LEAKS 2016 LEAKS 2017 LEAKS 2018 LEAKS IC OFF THE RECORD: Direct access to leaked information related to the

480 views • 18 slides
Automatically quantifying information leaks in software CREST January 2012 Pasquale Malacaria

Automatically quantifying information leaks in software CREST January 2012 Pasquale Malacaria

Automatically quantifying information leaks in software CREST January 2012 Pasquale Malacaria Queen Mary University of London 1 The problem An attacker has some a priori knowledge of the secret which is improved by observing the system

234 views • 21 slides
The value of leak testing in preventing hydraulic fluid leaks NFPA Milwaukee Regional Meeting

The value of leak testing in preventing hydraulic fluid leaks NFPA Milwaukee Regional Meeting

The value of leak testing in preventing hydraulic fluid leaks NFPA Milwaukee Regional Meeting Milwaukee School Of Engineering (MSOE) September 27, 2016 Thomas Braun, VP Product Development Fastest Incorporated www.fastestinc.com 2015 NFPA

379 views • 17 slides
Preventing Route Leaks using a Decentralized Approach: An experimental Evaluation Miquel

Preventing Route Leaks using a Decentralized Approach: An experimental Evaluation Miquel

Preventing Route Leaks using a Decentralized Approach: An experimental Evaluation Miquel Ferriol Galms (mferriol@ac.upc.edu) Albert Cabellos-Aparicio (acabello@ac.upc.edu) Roger Coll Aumatell (roger.coll.aumatell@est.fib.upc.edu) Shoushou

581 views • 30 slides
Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety Trust Conference New Orleans, LA Leak Detection Best Defense is Preventing Leaks from Occurring in First Place Proactive pipeline integrity

258 views • 7 slides
Public Service Broadcasting in the UK PROMOTING CHOICE SECURING STANDARDS

Public Service Broadcasting in the UK PROMOTING CHOICE SECURING STANDARDS

Public Service Broadcasting in the UK PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM How has the TV landscape changed since 2014? PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM 2 Time spent watching

398 views • 27 slides
Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software protections Binary and malware analysis Fuzzing Network security Hardware and OS security 2 Assuming secure software, what is

984 views • 72 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

10/29/2014 Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting passwords

540 views • 28 slides
Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting passwords Illustrates

1.38k views • 56 slides
Securing distributed systems with information flow control Nickolai Zeldovich Silas

Securing distributed systems with information flow control Nickolai Zeldovich Silas

Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazires Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's

1.16k views • 66 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Securing Information Systems Reading: Laudon &amp; Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon &amp; Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon &amp; Laudon chapter 7 Additional Reading: Brien &amp; Marakas chapter 11 COMP 5131 1 Outline System Vulnerability and Abuse Business Value of Security and Control Establishing

734 views • 40 slides
Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti , University of Padua Slides prepared with the support of Daniele Lain and Moreno Ambrosin SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017,

794 views • 25 slides
Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

10/16/2013 Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches are on the rise Understand the potentially damaging impact of security breaches Security must be made a top organizational

610 views • 20 slides
Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches, Fixes, Revisions Antivirus Software Post-Install Security Checklist: Windows/UNIX File System Security Issues Chapter 10 User

361 views • 8 slides
Divorce Cases: Uncovering Critical Information in Tax Returns and Financial Statements Discovery

Divorce Cases: Uncovering Critical Information in Tax Returns and Financial Statements Discovery

Presenting a live 90-minute webinar with interactive Q&amp;A Divorce Cases: Uncovering Critical Information in Tax Returns and Financial Statements Discovery Strategies, Analyzing Tax Returns and Financial Documents, and Using Financial Experts

940 views • 90 slides
Object Oriented and Typing Outline General Introduction Why the O.O. paradigm?

Object Oriented and Typing Outline General Introduction Why the O.O. paradigm?

By: Nicholas Merizzi January 2005 Classes, Objects, Inheritance, Object Oriented and Typing Outline General Introduction Why the O.O. paradigm? Classes &amp; Objects Properties, differences, Code Examples Design

768 views • 73 slides
POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos Cristiano Giuffrida Vrije Universiteit Amsterdam Teaser Break ideal information hiding in seconds Few probes, typically no crashes

854 views • 33 slides
Welcome to the Faculty of Engineering, Architecture and Information Technology: Essential

Welcome to the Faculty of Engineering, Architecture and Information Technology: Essential

Welcome to the Faculty of Engineering, Architecture and Information Technology: Essential Information and Getting Started Professor Vicki Chen, Executive Dean, Faculty of EAIT Dr Liza OMoore, Associate Dean Academic, Faculty of EAIT

435 views • 27 slides
Welcome Wireless Water Leak Detection &amp; Monitoring For HOAs The Problem Water damage is

Welcome Wireless Water Leak Detection &amp; Monitoring For HOAs The Problem Water damage is

Welcome Wireless Water Leak Detection &amp; Monitoring For HOAs The Problem Water damage is the #1 cause of insurance claims Larger than fire and theft combined Total water damage claims in US equal $8-10 billion/yr.

733 views • 14 slides
Knowledge transfer and information leakage in protocols Abdullah Abdul Khadir, Madhavan Mukund, S P

Knowledge transfer and information leakage in protocols Abdullah Abdul Khadir, Madhavan Mukund, S P

Knowledge transfer and information leakage in protocols Abdullah Abdul Khadir, Madhavan Mukund, S P Suresh Chennai Mathematical Institute {abdullah,madhavan, spsuresh }@cmi.ac.in Formal Methods Update Meeting IIT Mandi July 18, 2017 Abdullah,

795 views • 60 slides
2019 Annual Water Distribution Leak Repairs, Packages V-VIII Adam Aranda, P .E. Operations

2019 Annual Water Distribution Leak Repairs, Packages V-VIII Adam Aranda, P .E. Operations

2019 Annual Water Distribution Leak Repairs, Packages V-VIII Adam Aranda, P .E. Operations Support - Engineering Stella Manzello Contract Administrator Diana Woltersdorf Manager Contract Administration Marisol Robles Non- Mandatory

453 views • 24 slides
&amp; I NTAKE P ROCESS 03/04/2019 Agenda MITDP Q UALIFICATIONS I NTAKE P ROCESS Q

&amp; I NTAKE P ROCESS 03/04/2019 Agenda MITDP Q UALIFICATIONS I NTAKE P ROCESS Q

MITDP Q UALIFICATIONS &amp; I NTAKE P ROCESS 03/04/2019 Agenda MITDP Q UALIFICATIONS I NTAKE P ROCESS Q UESTIONS MITDP Q UALIFICATIONS MITDP D EFININITION Annotated Code of Maryland (since 2008) &gt; STATE FINANCE AND PROCUREMENT

426 views • 17 slides

More recommend