shuffler fast and deployable continuous code re
play

Shuffler: Fast and Deployable Continuous Code Re-Randomization - PowerPoint PPT Presentation

Aug 13, 2022 •257 likes •1.2k views

Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 2016

  1. Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 2016 1

  2. Software Remains Vulnerable ● High-profile server breaches are commonplace 2

  3. Software Remains Vulnerable ● High-profile server breaches are commonplace ● 90% of today’s attacks utilize ROP [1] 3

  4. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack func_1 func_1 func_2 func_2 ret addr func_3 func_3 4

  5. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack ret addr 5

  6. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack ret addr data ret addr ret addr ret addr Buffer Overrun 6

  7. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack ret addr ROP gadget chain data ret addr ret addr ret addr Buffer Overrun 7

  8. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime 8

  9. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_1 func_2 func_2 func_3 func_3 9

  10. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_2 func_3 10

  11. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_2 ROP gadget chain func_3 11 Inject exploit

  12. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_2 ROP gadget chain func_3 12 Inject exploit

  13. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_1 func_2 func_2 func_3 func_3 13

  14. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_3 14

  15. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_2 func_3 func_3 func_1 15

  16. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? ?? func_2 ROP gadget chain func_3 func_1 16 Inject exploit

  17. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? ROP gadget chain 17 Inject exploit

  18. How Is This Possible? ● Re-randomize code before an attacker uses it 18

  19. How Is This Possible? ● Re-randomize code before an attacker uses it – faster than disclosure vulnerability execution time; – faster than gadget chain computation time; – or, faster than network communication time 19

  20. How Is This Possible? ● Re-randomize code before an attacker uses it – faster than disclosure vulnerability execution time; – faster than gadget chain computation time; – or, faster than network communication time 20

  21. How Is This Possible? ● Re-randomize code before an attacker uses it – faster than disclosure vulnerability execution time; – faster than gadget chain computation time; – or, faster than network communication time ● one memory disclosure can only travel 820 miles! 21

  22. What Is Shuffler? ● Defense based on continuous re-randomization – Defeats all known code reuse attacks – 20-50 millisecond shuffling, scales to 24 threads ● Fast: bounds attacker’s available time – Defeats even attackers with zero network latency ● Deployable: – Binary analysis w/o modifying kernel, compiler, ... ● Egalitarian: – Shuffler runs in same address space, defends itself 22

  23. Outline 23

  24. Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 24

  25. Continuous Re-Randomization ● Easy to copy code & fix direct references func_1 func_2 ... call func_2 ... func_2 25

  26. Continuous Re-Randomization ● Easy to copy code & fix direct references func_1 (deleted) ... call func_2 ... func_2 26

  27. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? 27

  28. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: func_1 func_2 ... mov $func_2, ptr ... call *ptr ... 28

  29. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: &func_2 func_1 func_2 ... mov $func_2, ptr ... call *ptr ... 29

  30. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: &func_2 func_1 func_2 (deleted) func_2 ... mov $func_2, ptr ... call *ptr ... 30

  31. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: &func_2 func_1 (deleted) func_2 ... mov $func_2, ptr ... call *ptr ... 31

  32. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? &func_2 &func_2 &func_2 &func_2 ptr: &func_2 &func_2 &func_2 func_2 (deleted) &func_2 ● How to update all propagated pointers? func_2 32

  33. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx %gs: (table) ... ... &func_2 ... func_2 33

  34. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx ... ... &func_2 ... func_2 34

  35. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx ... ... func_2 &func_2 ... func_2 35

  36. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx ... ... func_2 &func_2 ... (deleted) 36

  37. Code Pointer Abstraction ● Transforming *code_ptr into **code_ptr – Correctness : pointer updates sound & precise – Disclosure-resilience : code ptr table is hidden 37

  38. Code Pointer Abstraction ● Transforming *code_ptr into **code_ptr – Correctness : pointer updates sound & precise – Disclosure-resilience : code ptr table is hidden ptr: f_2_idx func_2 %gs: ... func_2 ... 38

  39. Code Pointer Abstraction ● Transforming *code_ptr into **code_ptr – Correctness : pointer updates sound & precise – Disclosure-resilience : code ptr table is hidden ptr: f_2_idx func_2 %gs: ... func_2 ... Rewrite call sites Rewrite initialization points callq *%rax mov $0x40054d, %rax => callq * %gs:( %rax ) => mov $ 0x20 , %rax 39

  40. Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 40

  41. Return Address Encryption ● Return addresses are code pointers too ● Could use code pointer table, but inefficient – call/ret instructions highly optimized 41

  42. Return Address Encryption ● Return addresses are code pointers too ● Could use code pointer table, but inefficient – call/ret instructions highly optimized ● Alternative mechanism – correct and hidden – Use normal call instructions – Encrypt return addresses with XOR key 42

  43. Return Address Encryption ● Prevent return address disclosure 43

  44. Return Address Encryption ● Prevent return address disclosure Thread Stack func_1 ret addr func_2 ret addr ret addr func_3 44

  45. Return Address Encryption ● Prevent return address disclosure Thread Stack func_1 + (encrypted) func_2 + (encrypted) + (encrypted) func_3 XOR key 45

  46. Return Address Encryption ● Prevent return address disclosure Thread Stack func_1 func: + (encrypted) func_2 + (encrypted) ; original code + (encrypted) ret func_3 XOR key 46

  47. Return Address Encryption ● Prevent return address disclosure ● We use binary rewriting (expand basic blocks) Thread Stack func_1 func: mov %fs:0x28,%r11 + (encrypted) xor %r11,(%rsp) func_2 + (encrypted) ; original code mov %fs:0x28,%r11 xor %r11,(%rsp) + (encrypted) ret func_3 XOR key 47

  48. Return Address Migration ● Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack func_3 + (encrypted) + (encrypted) + (encrypted) XOR key 48

  49. Return Address Migration ● Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack func_3 + (encrypted) + (encrypted) func_1 + (encrypted) func_2 func_3 XOR key 49

  50. Return Address Migration ● Unwind stack and re-encrypt new addresses (deleted) (deleted) Thread Stack (deleted) + (encrypted) + (encrypted) func_1 + (encrypted) func_2 func_3 XOR key 50

  51. Asynchronous Randomization 51

  52. Asynchronous Randomization ● Creating new code copies takes time 20ms shuffle period Computations 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Less Pain, Most of the Gain: Incrementally Deployable ICN

Less Pain, Most of the Gain: Incrementally Deployable ICN

Less Pain, Most of the Gain: Incrementally Deployable ICN Seyed K. Fayazbakhsh, Yin Lin, Amin Tootoonchian, Ali Ghodsi, Teemu Koponen, Bruce Maggs,

229 views • 20 slides
Enabling Venus In-Situ Science Deployable Entry System Technology, Adaptive Deployable Entry

Enabling Venus In-Situ Science Deployable Entry System Technology, Adaptive Deployable Entry

DACC Project GAME CHANGING DEVELOPMENT Enabling Venus In-Situ Science Deployable Entry System Technology, Adaptive Deployable Entry and Placement Technology (ADEPT): A Technology Development Project funded by Game Changing Development

354 views • 17 slides
Fred a new GPU-based fast-MC code and its applications in proton beam therapy A. Schiavi Fast

Fred a new GPU-based fast-MC code and its applications in proton beam therapy A. Schiavi Fast

MCMA 2017 - Napoli Fred a new GPU-based fast-MC code and its applications in proton beam therapy A. Schiavi Fast paRticle thErapy Dose evaluator Collaboration A. Schiavi, V. Patera, M. Senzacqua, Univ. La Sapienza Roma /INFN (Italy)

1.67k views • 26 slides
A fast parameter space search for continuous gravitational waves from known binary systems

A fast parameter space search for continuous gravitational waves from known binary systems

Introduction The data analysis challenge Current Solutions A New Solution Conclusions and future work A fast parameter space search for continuous gravitational waves from known binary systems C Messenger University of Glasgow

461 views • 21 slides
Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

www.immobilienscout24.de Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems Architect & Open Source Evangelist Ingmar Krusch, Team Lead in Operations License:

552 views • 37 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
Fast Direct Search in an Optimally Compressed Continuous Target Space for Efficient Multi-Label

Fast Direct Search in an Optimally Compressed Continuous Target Space for Efficient Multi-Label

Introduction Methodology Results Fast Direct Search in an Optimally Compressed Continuous Target Space for Efficient Multi-Label Active Learning Weishi Shi and Qi Yu B. Thomas Golisano College of Computing and Information Sciences Rochester

332 views • 12 slides
INFRASTRUCTURE AS CODE kief@thoughtworks.com Cloud Practice Lead (UK) DevOps, Continuous

INFRASTRUCTURE AS CODE kief@thoughtworks.com Cloud Practice Lead (UK) DevOps, Continuous

INFRASTRUCTURE AS CODE kief@thoughtworks.com Cloud Practice Lead (UK) DevOps, Continuous Delivery, Agile Ops Twitter: @kief Book: http://oreil.ly/1JKIBVe Site: http://infrastructure-as-code.com June 2016 AGENDA CONTEXT Motivations

979 views • 39 slides
IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

The Straight and Easy Way to Complete IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable Scalable Readily Integrated & Realizable High Web-Based ROI Everest is an End-to-End IT Infrastructure

210 views • 19 slides
Importance of structural damping in the dynamic analysis of compliant deployable structures

Importance of structural damping in the dynamic analysis of compliant deployable structures

I NTRODUCTION O BJECTIVES O NE DOF SYSTEM T APE SPRING C ONCLUSIONS Importance of structural damping in the dynamic analysis of compliant deployable structures Florence Dewalque, Pierre Rochus, Olivier Brls Department of Aerospace and

327 views • 17 slides
A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and Edge Profiling Bug Isolation via Remote Program Sampling Low-overhead Memory Leak Detection using Adaptive Statistical Profiling (SWAT)

178 views • 16 slides
Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

ANR MetaLibm kick-off meeting Lyon, 22 January, 2014 Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of the CGPE tool Guillaume Revy quipe-projet DALI, Univ. Perpignan Via Domitia LIRMM, CNRS:

570 views • 30 slides
Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does

Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does

Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does this Algorithm Analysis code solve that problem? Could try to measure the time it takes, but " bit twiddling: 1. (pejorative) An exercise

396 views • 15 slides
FluxRank: A Widely-Deployable Framework to Automatically Localizing Root Cause Machines for

FluxRank: A Widely-Deployable Framework to Automatically Localizing Root Cause Machines for

FluxRank: A Widely-Deployable Framework to Automatically Localizing Root Cause Machines for Software Service Failure Mitigation Ping Liu 1 , Yu Chen 2 , Xiaohui Nie 1 , Jing Zhu 1 , Shenglin Zhang 3 , Kaixin Sui 4 Ming Zhang 5 , Dan Pei 1 1 2 3

4.17k views • 82 slides
Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service Attacks Felipe Huici and Mark Handley Networks Research Group Department of Computer Science Overview Terminus architecture Protecting

553 views • 27 slides
RESULTS OF THE DEPLOYABLE MEMBRANE & ADEO PASSIVE DE-ORBIT SUBSYSTEM ACTIVITIES LEADING TO A

RESULTS OF THE DEPLOYABLE MEMBRANE & ADEO PASSIVE DE-ORBIT SUBSYSTEM ACTIVITIES LEADING TO A

RESULTS OF THE DEPLOYABLE MEMBRANE & ADEO PASSIVE DE-ORBIT SUBSYSTEM ACTIVITIES LEADING TO A DRAGSAIL DEMONSTRATOR Thomas Sinn (1) , L. Tiedemann (1) , A. Riemer (2) , R. Hahn (2), T. Spwitz (3) , P. Seefeldt (3) , M. Sznajder (3) S.

217 views • 8 slides
stakeholder Think Tank Meeting Trevor Lentz, PhD, PT, MPH Lesley Curtis, PhD Frank Rockhold, PhD

stakeholder Think Tank Meeting Trevor Lentz, PhD, PT, MPH Lesley Curtis, PhD Frank Rockhold, PhD

Designing, Conducting, Monitoring, and Analyzing Data from Pragmatic Randomized Clinical Trials: Proceedings from a Multi- stakeholder Think Tank Meeting Trevor Lentz, PhD, PT, MPH Lesley Curtis, PhD Frank Rockhold, PhD Pragmatic Clinical

816 views • 23 slides
RANSAC 16-385 Computer Vision (Kris Kitani) Carnegie Mellon University Up to now, weve

RANSAC 16-385 Computer Vision (Kris Kitani) Carnegie Mellon University Up to now, weve

RANSAC 16-385 Computer Vision (Kris Kitani) Carnegie Mellon University Up to now, weve assumed correct correspondences What if there are mismatches? outlier How would you find just the inliers? RANSAC RAN dom SA mple C onsensus [Fischler

399 views • 28 slides
ECON 626: Applied Microeconomics Lecture 8: Permutations and Bootstraps Professors: Pamela

ECON 626: Applied Microeconomics Lecture 8: Permutations and Bootstraps Professors: Pamela

ECON 626: Applied Microeconomics Lecture 8: Permutations and Bootstraps Professors: Pamela Jakiela and Owen Ozier Part I: Randomization Inference Randomization Inference vs Confidence Intervals See Imbens and Rubin, Causal Inference , first

924 views • 69 slides
Summary Structures for Massive Data Graham Cormode G.Cormode@warwick.ac.uk 7 6 4 1 Massive

Summary Structures for Massive Data Graham Cormode G.Cormode@warwick.ac.uk 7 6 4 1 Massive

Summary Structures for Massive Data Graham Cormode G.Cormode@warwick.ac.uk 7 6 4 1 Massive Data Big data arises in many forms: Physical Measurements: from science (physics, astronomy) Medical data: genetic measurements,

601 views • 22 slides
Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski)

Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski)

Detecting Network Effects Randomizing Over Randomized Experiments Martin Saveski (@msaveski) MIT Detecting Network Effects Randomizing Over Randomized Experiments Guillaume Saint Jacques Martin Saveski Jean Pouget-Abadie MIT MIT

1.16k views • 89 slides
Improving the Randomization Step in Feasibility Pump using WalkSAT Santanu S. Dey Joint work

Improving the Randomization Step in Feasibility Pump using WalkSAT Santanu S. Dey Joint work

Improving the Randomization Step in Feasibility Pump using WalkSAT Santanu S. Dey Joint work with: Andres Iroume, Marco Molinaro, Domenico Salvagnin Discrepancy & IP workshop, 2018 Feasibility Pump using Sparsity in real" Integer

1.79k views • 54 slides
Randomization DS-GA 1013 / MATH-GA 2824 Mathematical Tools for Data Science

Randomization DS-GA 1013 / MATH-GA 2824 Mathematical Tools for Data Science

Randomization DS-GA 1013 / MATH-GA 2824 Mathematical Tools for Data Science https://cims.nyu.edu/~cfgranda/pages/MTDS_spring19/index.html Carlos Fernandez-Granda Motivating applications Gaussian random variables Randomized dimensionality

1.97k views • 178 slides
MARDU: Efficient and Scalable Code Re-Randomization SYSTOR '20: Proceedings of the 13th ACM

MARDU: Efficient and Scalable Code Re-Randomization SYSTOR '20: Proceedings of the 13th ACM

MARDU: Efficient and Scalable Code Re-Randomization SYSTOR '20: Proceedings of the 13th ACM International Systems and Storage Conference Christopher Jelesnianski (Virginia Tech), Jinwoo Yom (Virginia Tech), Changwoo Min (Virginia Tech), Yeongjin

630 views • 29 slides

More recommend