SoK: Sanitizing for Security. Dokyung Song, Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz (PowerPoint presentation)


  1. SoK: Sanitizing for Security
     Dokyung Song, Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz

  2. Finding Bugs in C/C++ (May 2019)
     Manual Analysis: Code Review/Auditing
     Static Analysis: Clang Static Analyzer
     Dynamic Analysis: AddressSanitizer, MemorySanitizer
     Inputs shown on the slide: C/C++ Source Code; Program Inputs (Hand-written test suite, american fuzzy lop, libFuzzer)

  4. Dynamic Analysis Tools for C/C++
     • More than 35 years of research in Dynamic Analysis Tools – often called “Sanitizers” – that find vulnerabilities specific to C/C++
     Timeline (1980 to 2019) of the tools shown on the slide: Oscar, Undangle, FreeSentry, HexType, SoftBounds+CETS, SGXBounds, TySan, Dr. Memory, CaVer, EffectiveSan, Purify, MSCC, LBC, TypeSan, CUP, Electric Fence, Memcheck, PAriCheck, UBSan, MSan, DangSan, Bcc, RTCC, Safe-C, P&F, PageHeap, CRED, D&A, BBC, ASan, DangNull, Low-Fat, CRCount

  5-7. Exploit Mitigation vs. Sanitization (1/2)
     Attack Flow: Integer Overflow + Heap Overflow → Function Pointer Overwrite → Indirect Call
     Exploit Mitigation (Security Policies): Memory Safety, Code Pointer Integrity, Control-Flow Integrity
     Sanitization (Sanitization Policies): UndefinedBehaviorSanitizer, AddressSanitizer, … and many others

  8. Exploit Mitigation vs. Sanitization (2/2)

                                               Exploit Mitigation      Sanitization
     The goal is to …                          Mitigate attacks        Find vulnerabilities
     Used in …                                 Production              Pre-release
     Performance budget is …                   Very limited            Much higher
     Policy violation leads to …               Program termination     Problem diagnosis
     Violations triggered at location of bug   Sometimes               Always
     Tolerance for FPs is …                    Zero                    Somewhat higher
     Surviving benign errors is …              Desired                 Not desired

  9-10. Undefined Behavior in C/C++
     • Buffer overflow
     • Use-after-free
     • Type errors
     • Format string bug
     • Signed integer overflow
     • Null pointer dereferences
     • etc.
     → Well-known Security Vulnerabilities

     From the C standard, Annex J.2 Undefined behavior: “The behavior is undefined in the following circumstances: …
     — Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object (6.5.6). …
     — An object is referred to outside of its lifetime (6.2.4). …
     — A pointer is used to call a function whose type is not compatible with the referenced type. …
     — An object has its stored value accessed other than by an lvalue of an allowable type (6.5). …”

  11. Security Implications of Undefined Behavior in C/C++ (1/2)
     1. Memory and type safety violations vulnerable to memory exploits
        Source Code (Null-pointer Dereference, with tun = NULL):   sk = tun->sk;
        Compile →
        Binary Code (Null-pointer Dereference):                     mov rsi, QWORD PTR [rdi+8]

  12-14. Security Implications of Undefined Behavior in C/C++ (2/2)
     2. Compilation of a program having UBs may result in vulnerable code
        Source Code (with tun = NULL):
            sk = tun->sk;              // Null-pointer Dereference
            if (!tun) return POLLERR;
            // privileged code
        Compile →
        Binary Code:
            mov rsi, QWORD PTR [rdi+8]
            // privileged code
        Null pointer check gets eliminated (akin to CVE-2009-1897) → Privilege Escalation
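The ordering problem on slides 12-14, written out as an added C example (this is not code from the talk or the paper). The struct names `tun_struct`/`sock` and the `refcnt` field are constructed to mirror the slide's `tun->sk`; `POLLERR` comes from `<poll.h>`. The first function keeps the slide's bug (dereference first, check second); the second is the corrected ordering. Because a NULL dereference is undefined behavior, the optimizer may treat `tun` as non-NULL at the `if` in the first function and drop the check, which is exactly what `-fno-delete-null-pointer-checks` prevents and what UBSan's `-fsanitize=null` reports at run time.

```c
#include <poll.h>
#include <stddef.h>

/* Constructed types standing in for the kernel objects on the slide. */
struct sock { int refcnt; };
struct tun_struct { int flags; struct sock *sk; };

/* Vulnerable ordering (as on the slide): the field load happens before the
 * NULL test.  The load is undefined behaviour when tun == NULL, so the
 * compiler may infer tun != NULL and delete the `if` entirely, leaving the
 * privileged code reachable.  Never call this with a NULL pointer. */
int tun_poll_before_check(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;      /* UB if tun == NULL */
    if (!tun)
        return POLLERR;             /* candidate for elimination */
    return sk->refcnt;              /* stands in for the "privileged code" */
}

/* Hardened ordering: validate the pointer before any use of it.  There is
 * no UB for the optimizer to exploit, so the check survives at every -O level. */
int tun_poll_after_check(struct tun_struct *tun)
{
    if (!tun)
        return POLLERR;
    struct sock *sk = tun->sk;
    return sk->refcnt;
}

/* Constructed sample objects for stand-alone runs and tests. */
static struct sock demo_sock = { 7 };
static struct tun_struct demo_tun = { 0, &demo_sock };

int demo_hardened_with_null(void)  { return tun_poll_after_check(NULL); }
int demo_hardened_with_valid(void) { return tun_poll_after_check(&demo_tun); }
int demo_buggy_with_valid(void)    { return tun_poll_before_check(&demo_tun); }
```

Compiling the first function with `-O2 -fsanitize=null` makes the difference visible: the sanitizer flags the load at its source line, whereas the plain optimized build silently removes the guard.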

  15-17. Low-Level Vulnerabilities in C/C++
     Taxonomy shown on the slides, with the compiler flags that slide 17 attaches to each class:
     • Memory Safety Violation: Spatial Memory Safety Violation; Temporal Memory Safety Violation
     • Use of Uninitialized Variables (-ftrivial-auto-var-init=zero)
     • Pointer Type Errors: Bad Casting; Other Pointer Type Errors (-fno-strict-aliasing)
     • Variadic Function Misuse
     • Other Vulnerabilities: Integer Overflow (-fwrapv, -ftrapv); Other UBs (-fno-delete-null-pointer-checks)
     • Most of these vulnerabilities can manifest as memory and type safety violations.
     • Some UBs may lead to unsafe code generation today.
     • And, things can change as compiler optimizations evolve – called time-bombs *.
     * W. Dietz, P. Li, J. Regehr, and V. Adve; “Understanding integer overflow in C/C++.” In ICSE, 2012.
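The integer-overflow "time bomb" from slides 16-17, as an added C example (not code from the talk or the paper). The first function uses the classic post-hoc test that only works if signed overflow wraps; since it is undefined behavior, GCC and Clang may fold `sum < a` to `b < 0` and delete the guard, which is why `-fwrapv` (define the wrap) or `-ftrapv` / `-fsanitize=signed-integer-overflow` (trap on it) change its behavior. The other functions decide before computing, using only well-defined arithmetic or the `__builtin_add_overflow` intrinsic (GCC 5+, Clang 3.8+). The allocation helper is a constructed illustration of where such checks usually matter.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Vulnerable: relies on wrap-around, which is undefined for signed ints.
 * With optimisation the whole `if` may be removed.  Only well-defined
 * inputs are ever passed to this function here. */
bool add_checked_ub(int a, int b, int *out)
{
    int sum = a + b;                 /* UB if the true result does not fit */
    if (b > 0 && sum < a)            /* may be optimised away */
        return false;
    *out = sum;
    return true;
}

/* Hardened: test against the limits before doing the addition. */
bool add_checked_safe(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Same contract via the compiler intrinsic; works for any integer type. */
bool add_checked_builtin(int a, int b, int *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* Typical place the bug bites: sizing a buffer from two untrusted lengths.
 * An unchecked `header_len + payload_len` can wrap to a tiny size and turn
 * into a heap overflow (the attack flow on slide 5).  Returns NULL instead. */
void *alloc_header_plus_payload(size_t header_len, size_t payload_len)
{
    size_t total;
    if (__builtin_add_overflow(header_len, payload_len, &total))
        return NULL;
    return malloc(total);
}
```

Building the first function with `-O2 -fsanitize=signed-integer-overflow` reports the overflowing `a + b` at its source line, which is the sanitizer's job; `-fwrapv` instead makes the post-hoc test well-defined so that it cannot be optimized away, at the cost of hiding the bug.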

  18-19. Sanitizer Design and Implementation: Bug Finding Techniques
     Class of Bugs → Bug Finding Technique:
     • Spatial Memory Safety Violation: Red-zone Insertion (Guard Pages); Per-pointer Bounds Tracking; Per-object Bounds Tracking
     • Temporal Memory Safety Violation: Reuse Delay; Lock-and-key; Dangling Pointer Tagging
     • Use of Uninitialized Variables: Uninitialized Memory Read Detection; Uninitialized Value Use Detection
     • Pointer Type Errors: Pointer Casting Monitor; Pointer Use Monitor
     • Variadic Function Misuse: Dangerous Format String Detection; Argument Mismatch Detection
     • Other Vulnerabilities: Stateless Monitoring
     Design axes of the taxonomy: Bug Finding Technique; Program Instrumentation ((a) Language-level, (b) IR-level, (c) Binary Instrumentation, Others; e.g. `check(); *ptr = 3;` in source, `call check` before `store ptr` in the binary); Metadata Management ((a) Dynamic Metadata: Embedded or Disjoint, attached to an Object, a Pointer or an Instruction; (b) Static Metadata)

  20. Sanitizer Design and Implementation: Program Instrumentation
     Inlined Reference Monitor: fine-grained run-time monitoring of program behavior to detect bugs as they occur; the store `*ptr = 3;` becomes `check(); *ptr = 3;` at the source level, and `call check` followed by `store ptr` at the binary level.
     Where checks can be inserted along the build pipeline (Source code (C/C++) → Compiler Frontend → Intermediate Representation (e.g., LLVM IR) → Compiler Backend → Binary → calls into External Libraries):
     (a) Language-level instrumentation (source code)
     (b) IR-level instrumentation (e.g., LLVM IR)
     (c) Binary-level instrumentation
     (d) Library Interposition: LD_PRELOAD, for instrumenting only calls to dynamically-linked external library functions
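An added C example, serving both the bug-finding techniques of slides 18-19 and the inlined reference monitor of slide 20 (this is a teaching toy, not code from the talk, the paper, or any of the sanitizers listed). It hand-instruments a byte store in the `check(); *ptr = v;` shape using two of the techniques from the table: per-pointer bounds tracking for spatial violations (base and bound carried in a constructed `fat_ptr`, i.e. embedded, per-pointer metadata) and lock-and-key for temporal violations (each allocation owns a lock slot in a disjoint table and every pointer derived from it carries the key; freeing zeroes the lock, so dangling pointers and double frees no longer match). All names (`fat_ptr`, `san_*`, `scenario_*`) are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-pointer metadata: bounds for spatial checks, lock/key for temporal checks. */
typedef struct {
    char     *ptr;    /* the raw pointer the program would have used */
    char     *base;   /* first valid byte of the object */
    char     *bound;  /* one past the last valid byte */
    uint64_t *lock;   /* disjoint lock slot owned by the allocation */
    uint64_t  key;    /* lock value at the time this pointer was created */
} fat_ptr;

#define NSLOTS 64
static uint64_t lock_slots[NSLOTS];     /* disjoint metadata table */
static uint64_t next_key  = 1;          /* keys are never reused; 0 = "freed" */
static size_t   next_slot = 0;

static int last_violation = 0;          /* 0 = none, 1 = spatial, 2 = temporal */

fat_ptr san_malloc(size_t n)
{
    fat_ptr fp;
    fp.ptr = fp.base = malloc(n);
    fp.bound = fp.base + n;
    fp.lock = &lock_slots[next_slot++ % NSLOTS];   /* slot reuse is safe: keys only grow */
    fp.key = next_key++;
    *fp.lock = fp.key;
    return fp;
}

/* The inlined reference monitor: what `check();` stands for on slide 20. */
bool san_check(fat_ptr fp, size_t access_size)
{
    if (*fp.lock != fp.key) {                      /* use-after-free / double free */
        last_violation = 2;
        return false;
    }
    if (fp.ptr < fp.base ||
        (size_t)(fp.ptr - fp.base) + access_size > (size_t)(fp.bound - fp.base)) {
        last_violation = 1;                        /* out-of-bounds access */
        return false;
    }
    last_violation = 0;
    return true;
}

void san_free(fat_ptr fp)
{
    if (!san_check(fp, 0))                         /* catches double free */
        return;
    *fp.lock = 0;                                  /* invalidate every outstanding key */
    free(fp.base);
}

/* Instrumented store: `*ptr = v` becomes `check(); *ptr = v`.  On a violation
 * the store is skipped and false is returned instead of corrupting memory. */
bool san_store_byte(fat_ptr fp, char v)
{
    if (!san_check(fp, 1))
        return false;
    *fp.ptr = v;
    return true;
}

/* Pointer arithmetic moves ptr but keeps the metadata of the original object. */
fat_ptr san_add(fat_ptr fp, ptrdiff_t off) { fp.ptr += off; return fp; }

/* Constructed scenarios; each returns the violation class it observed. */
int scenario_in_bounds(void)
{
    fat_ptr p = san_malloc(8);
    bool ok = san_store_byte(san_add(p, 7), 'x');  /* last valid byte */
    san_free(p);
    return ok ? 0 : last_violation;
}
int scenario_overflow(void)
{
    fat_ptr p = san_malloc(8);
    san_store_byte(san_add(p, 8), 'x');            /* one byte past the end */
    int v = last_violation;
    san_free(p);
    return v;
}
int scenario_use_after_free(void)
{
    fat_ptr p = san_malloc(8);
    san_free(p);
    san_store_byte(p, 'x');                        /* key no longer matches lock */
    return last_violation;
}
int scenario_double_free(void)
{
    fat_ptr p = san_malloc(8);
    san_free(p);
    san_free(p);                                   /* second free is rejected */
    return last_violation;
}

int main(void)
{
    printf("in-bounds=%d overflow=%d uaf=%d double-free=%d\n",
           scenario_in_bounds(), scenario_overflow(),
           scenario_use_after_free(), scenario_double_free());
    return 0;
}
```

A real sanitizer does the same work in the compiler (IR-level instrumentation inserts the check before every load and store and propagates metadata through pointer arithmetic and calls), which is what makes it transparent to the source; the toy keeps the metadata in a fat pointer so that the two checks are visible in one place.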
