stephen checkoway lucas davi alexandra dmitrienko ahmad
play

Stephen Checkoway , Lucas Davi , Alexandra Dmitrienko, Ahmad-Reza - PowerPoint PPT Presentation

Feb 05, 2024 •341 likes •525 views

Stephen Checkoway , Lucas Davi , Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy ACM CCS 2010, Chicago, USA System Security Lab Ruhr-University Bochum Ad hoc defense against code injection: W X DEP

  1. Stephen Checkoway , Lucas Davi , Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy ACM CCS 2010, Chicago, USA System Security Lab Ruhr-University Bochum

  2.  Ad hoc defense against code injection: ◆ W ⊕ X ◆ DEP  Code injection unnecessary for arbitrary computation  Use existing code to synthesize new behavior 2 System Security Lab Ruhr-University Bochum

  3. (data)  Stack is the program insns…ret ◆ Pointers to code (data) ◆ Data insns…ret  Execution proceeds insns…ret by changing the (data) (data) stack pointer insns…ret  Turing-complete esp 3 System Security Lab Ruhr-University Bochum

  4.  Control-flow integrity [Abadi et al. CCS’05, Erlingsson et al. OSDI’06] ◆ Defends against an entire class of memory error vulnerabilities  Count frequency of ret instructions  Use LIFO invariant of the call stack ◆ Maintain shadow call stack  Modify compiler to avoid emitting ret instructions 4 System Security Lab Ruhr-University Bochum

  5.  Copy top of stack to instruction pointer Transfers control  Increment stack pointer Updates processor state 5 System Security Lab Ruhr-University Bochum

  6. pop %eax add $4,%eax jmp *%eax jmp *(%eax) pop %eax inc %eax jmp *(%eax) jmp *(%ebx,%eax,4) 6 System Security Lab Ruhr-University Bochum

  7. add %eax, %ecx add %eax, %ecx ret pop %ebx jmp *%ebx 7 System Security Lab Ruhr-University Bochum

  8. add %eax, %ecx  Only need one jmp *%edx update-load-branch sequence pop %ebx  edx points to ULB jmp *%ebx 8 System Security Lab Ruhr-University Bochum

  9. • ARM stands for Advanced RISC Machine • Application area: Embedded systems ◆ Mobile phones, smartphones (Apple iPhone, Google Android), music players, tablets, netbooks • Advantage: Low power consumption • ARM features XN (eXecute Never) Bit • Follows RISC design ◆ Mostly single-cycle execution ◆ Dedicated load and store instructions ◆ Fixed instruction length System Security Lab Ruhr-University Bochum

  10. • ARM‘s 32 Bit processor features 16 registers • In contrast to Intel x86, each register is directly accessible ◆ E.g., it is possible to directly change the program counter (r15) Scratch Register Function r0 � r4 � r12 � arguments Stack Pointer r1 � r5 � r13/sp � and results Link Register r2 � r6 � r14/lr � from function Register Program Counter r3 � r7 � r15/pc � variables (callee saved) r8 � r9 � r10 � Control Program r11 � cpsr � Status Register 10 System Security Lab Ruhr-University Bochum

  11. • AAPCS - ARM Architecture Procedure Call Standard • No dedicated call and return instructions ◆ Instead any jump instruction can be used as call and return resp. • Function Call ◆ BL – Branch with Link ◆ BLX – Branch with Link and Exchange (allows indirect calls) ◆ BL and BLX load the return address into the link register (r14) • Function Return ◆ Loading return address into program counter 11 System Security Lab Ruhr-University Bochum

  12. • Candidates for an attack on ARM ◆ All indirect jump instructions not part of a function epilogue » Instructions where pc is used as destination register » Indirect branch instructions, e.g., BLX • We inspected libc and libwebcore on Android 2.0 ◆ Result: Many sequences end with a BLX instruction Branch to register Store return address BLX register � in link register Instruction set exchange 12 System Security Lab Ruhr-University Bochum

  13. • Trampoline sequence for ARM ◆ Unfortunately no POP-BLX sequence in our libraries ◆ Update-Load-Branch sequence » Initialize a register (r j ) so that it points to injected jump addresses » Update the state of r j after each sequence » Load a second register (r s ) with the address of the next sequence pointed by r j » Branch with BLX to the address stored in r s Sequence 1 Register r s Jump instruction � Jump Address 1 instruction � Addresses BLX Trampoline � Jump Address 1 Trampoline r j – points to jump … addresses � ADDS r6,#4 � r j � r s – address of next Memory under LDR r5,[r6,#124] � sequence � control of adversary BLX r5 � 13 System Security Lab Ruhr-University Bochum

  14. GADGET 2 Trampoline Sequence 1 Jump Addresses instruction � 8 9 10 instruction � Jump Address 3 BLX Trampoline � 5 Jump Address 2 GADGET 1 Jump Address 1 r j � 6 Sequence 2 2 Setup Argument 1 r a � instruction � Argument 2 • Take control over instruction � 7 pc 3 BLX Trampoline � • Setup r a , and r j Arguments Sequence 1 1 Memory under instruction � instruction � 4 control of adversary Adversary BLX Trampoline � r a – Pointer to arguments (sp) � r j - Pointer to jump addresses � 14 System Security Lab Ruhr-University Bochum

  15. • Our results ◆ Return address checkers can be bypassed ◆ Showed return-oriented programming without returns ◆ We derived a Turing-complete gadget set for x86 and ARM ◆ Attack instantiation on Debian (x86) and Android (ARM) • Implications ◆ Return-oriented programming (without returns) is a serious problem ◆ Will become crucial attack technique in future and effective countermeasures are needed ◆ We show how to use it to mount a privilege escalation attack on Android (upcoming paper at ISC 2010) 15 System Security Lab Ruhr-University Bochum

  16. 16 System Security Lab Ruhr-University Bochum

  17. 2007 Intel x86 2008 SPARC Atmel AVR Z80 PowerPc 2009 ARM Internet Adobe Explorer Reader 2010 Apple Quicktime Jailbreak Player 17 System Security Lab Ruhr-University Bochum

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Infection for Breaking mTAN-based Online Banking Authentication Alexandra Dmitrienko Fraunhofer

Infection for Breaking mTAN-based Online Banking Authentication Alexandra Dmitrienko Fraunhofer

Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication Alexandra Dmitrienko Fraunhofer Institute for Secure Information Technology/CASED, Germany Joint work with Lucas Davi Ahmad-Reza Sadeghi Christopher

482 views • 33 slides
Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H.

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without returns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy Dresden, 2010-10-20 Fundamental

792 views • 31 slides
The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de SEPTEMBER 9 13, 2019 CROSSING Summer School on Sustainable Security & Privacy

2.37k views • 187 slides
Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane,

Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane,

Its a TRaP: Table Randomization and Protection against Function-Reuse Attacks Stephen Crane, Stijn Volckaert, Felix Schuster, Christopher Liebchen, Per Larsen, Lucas Davi, Ahmad-Reza Sadeghi,Thorsten Holz, Bjorn De Sutter, Michael Franz

772 views • 62 slides
LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

578 views • 38 slides
Fi Fix x the the leak: k: Side de-Cha Channe nnel Protect ction for SGX using Data

Fi Fix x the the leak: k: Side de-Cha Channe nnel Protect ction for SGX using Data

Fi Fix x the the leak: k: Side de-Cha Channe nnel Protect ction for SGX using Data Locatio Lo ion Ran andomiz izatio ion Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de MARCH 4,

402 views • 27 slides
In n this his p pic icture: Lu Lucas, Da Davi vid, Quento ton, D , Dennis is, , Sa

In n this his p pic icture: Lu Lucas, Da Davi vid, Quento ton, D , Dennis is, , Sa

In n this his p pic icture: Lu Lucas, Da Davi vid, Quento ton, D , Dennis is, , Sa Savannah, O Oliv livia, K Kelly ly & & Ril iley Sinc Since t this his p pic icture w we ha have Eaden en, Abby Abby, Paige,

473 views • 23 slides
CS 301 Lecture 01 Introduction Stephen Checkoway January 17, 2018 1 / 49 What is CS 301

CS 301 Lecture 01 Introduction Stephen Checkoway January 17, 2018 1 / 49 What is CS 301

CS 301 Lecture 01 Introduction Stephen Checkoway January 17, 2018 1 / 49 What is CS 301 all about? This is a very mathematical course with a lot of practical applications The overarching theme is computation Three parts to the course 1

1.2k views • 91 slides
CS 301 Lecture 17 ChurchTuring thesis Stephen Checkoway March 19, 2018 1 / 17 An

CS 301 Lecture 17 ChurchTuring thesis Stephen Checkoway March 19, 2018 1 / 17 An

CS 301 Lecture 17 ChurchTuring thesis Stephen Checkoway March 19, 2018 1 / 17 An abridged modern history of formalizing algorithms An algorithm is a finite, unambiguous sequence of steps for solving a problem 1 Polynomial equation with

698 views • 38 slides
Lecture 20 Public key Crypto Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 20 Public key Crypto Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 20 Public key Crypto Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Review: Integrity Problem: Sending a message over an untrusted channel without being changed

756 views • 43 slides
Lecture 01 The Security Mindset Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 01 The Security Mindset Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 01 The Security Mindset Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Adapted from Michael Baileys ECE 422 About Me 2012 Ph.D. from UC San Diego in CS 20122015 Assistant Research Professor

417 views • 29 slides
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Baileys ECE 422 Cryptography is the study/practice of techniques for s ecure communication , even in the

732 views • 33 slides
Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Certificates Make use of trusted Certificate Authorities (CA) This public

472 views • 29 slides
CS 301 Lecture 12 Pushdown automata Stephen Checkoway February 28, 2018 1 / 14 A new type

CS 301 Lecture 12 Pushdown automata Stephen Checkoway February 28, 2018 1 / 14 A new type

CS 301 Lecture 12 Pushdown automata Stephen Checkoway February 28, 2018 1 / 14 A new type of machine DFAs and NFAs are finite and that turns out to be too limiting Even simple languages like { a n b n n 0 } are too complicated What

780 views • 32 slides
Putting out a HIT Putting out a HIT Crowdsourcing Malware Installs Stephen Checkoway Keaton

Putting out a HIT Putting out a HIT Crowdsourcing Malware Installs Stephen Checkoway Keaton

Putting out a HIT Putting out a HIT Crowdsourcing Malware Installs Stephen Checkoway Keaton Mowery Chris Kanich UC San Diego 1 Mechanical Turk Crowdsourcing platform Requesters post tasks paying 1 $10 Workers perform HITs

381 views • 18 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
Uprobes: User-Space Probes Jim Keniston: jkenisto@us.ibm.com Srikar Dronamraju:

Uprobes: User-Space Probes Jim Keniston: jkenisto@us.ibm.com Srikar Dronamraju:

Uprobes: User-Space Probes Jim Keniston: jkenisto@us.ibm.com Srikar Dronamraju: srikar@linux.vnet.ibm.com April 15, 2010 Linux is a registered trademark of Linus Torvalds. Topics Overview What and why? Two versions of uprobes

690 views • 22 slides
Dense Encoding for Video-to-Text Matching Jianfeng Dong 1 , Xirong Li 2 , Chaoxi Xu 2 , Jing Cao 2

Dense Encoding for Video-to-Text Matching Jianfeng Dong 1 , Xirong Li 2 , Chaoxi Xu 2 , Jing Cao 2

Dense Encoding for Video-to-Text Matching Jianfeng Dong 1 , Xirong Li 2 , Chaoxi Xu 2 , Jing Cao 2 , Xun Wang 1 , Gang Yang 2 1 Zhejiang Gongshang University 2 AI & Media Computing Lab, Renmin University of China Video to Text (VTT) Task @

341 views • 18 slides
7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The

7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The

7. What Is Joint Action Shared Agency? butterfillS@ceu.hu butterfillS@ceu.hu Outline 1. The leading philosophical approach to shared agency 2. Limits of this approach 3. (Building blocks for) an alternative approach 4. Motor representation

1.15k views • 73 slides
Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to interact with the OS and request some core service be executed on their behalf. Examples of system calls we've already seen this quarter: open ,

108 views • 8 slides
Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki

170 views • 13 slides
Tail-Call Optimization Principles of Programming Languages Colorado School of Mines

Tail-Call Optimization Principles of Programming Languages Colorado School of Mines

Tail-Call Optimization Principles of Programming Languages Colorado School of Mines https://lambda.mines.edu CSCI-400 1 Recursion is a beautiful way to express many algorithms, as it typically makes our algorithm easier to prove. 2 Calling a

618 views • 16 slides
The Layers of Larcenys FFI Felix S Klock II pnkfelix@ccs.neu.edu Northeastern University 1

The Layers of Larcenys FFI Felix S Klock II pnkfelix@ccs.neu.edu Northeastern University 1

The Layers of Larcenys FFI Felix S Klock II pnkfelix@ccs.neu.edu Northeastern University 1 Larcenys Foreign Function Interface Larceny GC, compiler research FFI cannot constrain system design Experience report For implementors . .

1k views • 98 slides
Optimizing Scheme, part I cons should not cons its arguments, part I a Lazy Alloc is a Smart Alloc

Optimizing Scheme, part I cons should not cons its arguments, part I a Lazy Alloc is a Smart Alloc

Optimizing Scheme, part I cons should not cons its arguments, part I a Lazy Alloc is a Smart Alloc Alex Gal COMP 621 cancelled Samuel G elineau stack-storage optimization for short-lived data a one slide summary most object are

395 views • 28 slides

More recommend