software security
play

Software Security Prof. Dr. Jean-Pierre Seifert - PowerPoint PPT Presentation

Jan 27, 2024 •149 likes •851 views

Software Security Prof. Dr. Jean-Pierre Seifert jpseifert@sec.t-labs.tu-berlin.de http://www.sec.t-labs.tu-berlin.de/ 1 Defenses against Memory Corruption 2 Preventing Buffer Overflows Use safe programming languages, e.g., Java

  1. Software Security Prof. Dr. Jean-Pierre Seifert jpseifert@sec.t-labs.tu-berlin.de http://www.sec.t-labs.tu-berlin.de/ 1

  2. Defenses against Memory Corruption 2

  3. Preventing Buffer Overflows  Use safe programming languages, e.g., Java  Legacy C code? Native-code library implementations?  Black-box testing with long strings  Mark stack as non-executable  Randomize memory layout or encrypt return address on stack by XORing with random string  Attacker won’t know what address to use in his string  Run-time checking of array and buffer bounds  StackGuard, libsafe, many other tools  Static analysis of source code to find overflows 3

  4. Reading  Cowan et al. “Buffer overflows: Attacks and defenses for the vulnerability of the decade” (DISCEX 2000).  Avijit, Gupta, Gupta. “TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection” (Usenix Security 2004).  Dhurjati, Adve. “Backwards -compatible array bounds checking for C with very low overhead” (ICSE 2006). 4

  5. Run-Time Checking: StackGuard  Embed “canaries” (stack cookies) in stack frames and verify their integrity prior to function return  Any overflow of local variables will damage the canary ret Frame of the Top of canary buf sfp addr calling function stack Pointer to Return Local variables previous execution to frame this address  Choose random canary string on program start  Attacker can’t guess what the value of canary will be  Terminator canary: “ \ 0”, newline, linefeed, EOF  String functions like strcpy won’t copy beyond “ \ 0” 5

  6. StackGuard Implementation  StackGuard requires code recompilation  Checking canary integrity prior to every function return causes a performance penalty  For example, 8% for Apache Web server  StackGuard can be defeated  A single memory copy where the attacker controls both the source and the destination is sufficient 6 slide 6

  7. Defeating StackGuard  Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf  Example: dst is a local pointer variable canary buf dst sfp RET Return execution to this address canary sfp BadPointer, attack code &RET RET Overwrite destination of strcpy with RET position strcpy will copy BadPointer here 7

  8. ProPolice / SSP [IBM, used in gcc 3.4.1; also MS compilers]  Rerrange stack layout (requires compiler mod) args No arrays or pointers String return address growth exception handler records SFP CANARY Cannot overwrite any pointers by overflowing an array arrays Stack growth Ptrs, but no arrays local variables 8

  9. What Can Still Be Overwritten?  Other string buffers in the vulnerable function  Exception handling records  Any stack data in functions up the call stack  Example: call to a vulnerable member function passes as an argument this pointer to an object up the stack  Stack overflow can overwrite this object’s vtable pointer and make it point into an attacker-controlled area  When a virtual function is called (how?), control is transferred to attack code (why?)  Do canaries help in this case? • Hint: when is the integrity of the canary checked? 9

  10. Litchfield’s Attack  Microsoft Windows 2003 server implements several defenses against stack overflow  Random canary (with /GS option in the .NET compiler)  When canary is damaged, exception handler is called  Address of exception handler stored on stack above RET  Litchfield’s attack (see paper)  Smashes the canary AND overwrites the pointer to the exception handler with the address of the attack code • Attack code must be on the heap and outside the module, or else Windows won’t execute the fake “handler”  Similar exploit used by CodeRed worm 10

  11. Safe Exception Handling  Exception handler record must be on the stack of the current thread (why?)  Must point outside the stack (why?)  Must point to a valid handler  Microsoft’s /SafeSEH linker option: header of the binary lists all valid handlers  Exception handler records must form a linked list, terminating in FinalExceptionHandler  Windows Server 2008: SEH chain validation  Address of FinalExceptionHandler is randomized (why?) 11

  12. When SafeSEH Is Incomplete  If DEP is disabled, handler is allowed to be on any non-image page except stack  Put attack code on the heap, overwrite exception handler record on the stack to point to it  If any module is linked without /SafeSEH, handler is allowed to be anywhere in this module  Overwrite exception handler record on the stack to point to a suitable place in the module  Used to exploit Microsoft DNS RPC vulnerability in Windows Server 2003 12

  13. PointGuard  Attack: overflow a function pointer so that it points to attack code  Idea: encrypt all pointers while in memory  Generate a random key when program is executed  Each pointer is XORed with this key when loaded from memory to registers or stored back into memory • Pointers cannot be overflown while in registers  Attacker cannot predict the target program’s key  Even if pointer is overwritten, after XORing with key it will dereference to a “random” memory address 13

  14. Normal Pointer Dereference [Cowan] CPU 2. Access data referenced by pointer 1. Fetch pointer value Memory Pointer Data 0x1234 0x1234 CPU 2. Access attack code referenced by corrupted pointer 1. Fetch pointer value Corrupted pointer Attack Memory Data 0x1234 code 0x1340 0x1234 0x1340 14

  15. PointGuard Dereference [Cowan] CPU 0x1234 2. Access data referenced by pointer 1. Fetch pointer Decrypt value Memory Encrypted pointer Data 0x7239 0x1234 CPU Decrypts to random value 2. Access random address; segmentation fault and crash 0x9786 1. Fetch pointer Decrypt value Corrupted pointer Attack Memory Data 0x7239 code 0x1340 0x9786 0x1234 0x1340 15

  16. PointGuard Issues  Must be very fast  Pointer dereferences are very common  Compiler issues  Must encrypt and decrypt only pointers  If compiler “spills” registers, unencrypted pointer values end up in memory and can be overwritten there  Attacker should not be able to modify the key  Store key in its own non-writable memory page  PG’d code doesn’t mix well with normal code  What if PG’d code needs to pass a pointer to OS kernel? 16

  17. Run-Time Checking: Libsafe  Dynamically loaded library  Intercepts calls to strcpy(dest,src)  Checks if there is sufficient space in current stack frame |frame-pointer – dest| > strlen(src)  If yes, does strcpy; else terminates application top of sfp ret-addr dest src buf sfp ret-addr stack main libsafe 17

  18. Limitations of Libsafe  Protects frame pointer and return address from being overwritten by a stack overflow  Does not prevent sensitive local variables below the buffer from being overwritten  Does not prevent overflows on global and dynamically allocated buffers 18

  19. TIED / LibsafePlus [Avijit et al.]  TIED: augments the executable with size information for global and automatic buffers  LibsafePlus: intercepts calls to unsafe C library functions and performs more accurate and extensive bounds checking 19

  20. Overall Approach Executable Augmented compiled with TIED executable -g option Preload LibsafePlus.so Run Normal execution Aborts if buffer otherwise overflow 20

  21. TIED: The Binary Rewriter  Extracts type information from the executable  Executable must be compiled with -g option  Determines location and size for automatic and global character arrays  Organizes the information as tables and puts it back into the binary as a loadable, read-only section 21

  22. Type Information Data Structure Global Variable Table Type info header pointer Starting address Size No. of global variables Ptr to global var table No. of functions Local Variable Table Offset from Ptr to function table frame pointer Size Function Table Starting address End address No. of vars Ptr to var table Local Variable Table … 22

  23. Rewriting ELF Executables  Constraint: the virtual addresses of existing code and data should not change  Extend the executable towards lower virtual addresses by a multiple of page size  Serialize, relocate, and dump type information as a new loadable section in the gap created  Provide a pointer to the new section as a symbol in the dynamic symbol table 23

  24. Before and After Rewriting ELF Header Program headers .dynsym ( new ) .dynstr ( new ) .dynstr is modified ELF Header .hash ( new ) to hold the name of Data structure containing Program headers type information the symbolic pointer .hash .oldhash .dynsym .olddynsym .hash is modified .dynstr .olddynstr to hold the hash .dynamic .dynamic value of the symbol added to .dynsym Section header table Section header table 24

  25. Bounds Checking by LibsafePlus  Intercept unsafe C library functions  strcpy, memcpy, gets …  Determine the size of destination buffer  Determine the size of source string  If destination buffer is large enough, perform the operation using actual C library function  Terminate the program otherwise 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Network Layer network layer services virtual circuit and datagram Goals: networks

Network Layer network layer services virtual circuit and datagram Goals: networks

Overview: Network Layer network layer services virtual circuit and datagram Goals: networks whats inside a router? understand principles behind network layer IP: Internet Protocol services: IPv4 datagram format

396 views • 23 slides
Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Disclaimer: I havent released DNSCurve software yet. But you can try prototypes: @mdempsky s DNSCurve cache, @hhavt s

890 views • 40 slides
Eliciting Informative Feedback: The Peer-Prediction Method Nolan Miller, Paul Resnick, &

Eliciting Informative Feedback: The Peer-Prediction Method Nolan Miller, Paul Resnick, &

Problem and Setup Initial Game Extensions Further Work Conclusion Experiment Eliciting Informative Feedback: The Peer-Prediction Method Nolan Miller, Paul Resnick, & Richard Zeckhauser Thomas Steinke & David Rezza Baqaee Problem

764 views • 17 slides
The Entropy Rounding Method in Approximation Algorithms Thomas Rothvo Department of

The Entropy Rounding Method in Approximation Algorithms Thomas Rothvo Department of

The Entropy Rounding Method in Approximation Algorithms Thomas Rothvo Department of Mathematics, M.I.T. Carg` ese 2011 A general rounding problem Problem: Given: A R n m , fractional solution x [0 , 1] m Find: y { 0 ,

1.55k views • 126 slides
Integration of Routing and Switching Label Switching & IP switching The goal is to avoid

Integration of Routing and Switching Label Switching & IP switching The goal is to avoid

Integration of Routing and Switching Label Switching & IP switching The goal is to avoid executing packet forwarding algorithm for each and every packet and replace it with switching in hardware. The result is faster and less expensive IP

440 views • 23 slides
LAN FRAME FORMATS www.sorin-schwartz.com IEEE 802.2 - LLC (Logical link Control) ----- 1 -----

LAN FRAME FORMATS www.sorin-schwartz.com IEEE 802.2 - LLC (Logical link Control) ----- 1 -----

LAN FRAME FORMATS www.sorin-schwartz.com IEEE 802.2 - LLC (Logical link Control) ----- 1 ----- DSAP field (1byte) SSAP field (1byte) M DA 6 A X X X X X X U I X X X X X X U C SA 6 C LSB LSB ----- 2 L DSAP=P.ID 1

305 views • 6 slides
What is new? WSS MVP since 2006 Speaker, writer, consultant, Aquarius, President of the Ames

What is new? WSS MVP since 2006 Speaker, writer, consultant, Aquarius, President of the Ames

What is new? WSS MVP since 2006 Speaker, writer, consultant, Aquarius, President of the Ames Iowa chapter of the Mark Rhodes fan club Personal Blog www.toddklindt.com/blog Company web site www.sharepoint911.com E-mail

201 views • 16 slides
ML.NET Presented by: Markus Weimer Markus.Weimer@Microsoft.com https://dot.net/ml Brought to

ML.NET Presented by: Markus Weimer Markus.Weimer@Microsoft.com https://dot.net/ml Brought to

ML.NET Presented by: Markus Weimer Markus.Weimer@Microsoft.com https://dot.net/ml Brought to you by (amongst others) Zeeshan Ahmed (Microsoft) zeahmed@microsoft.com, Saeed Amizadeh (Microsoft) <saamizad@microsoft.com>, Mikhail Bilenko

394 views • 10 slides

More recommend