where is the feeb the effectiveness of instruction set
play

Where is the FEEB? The Effectiveness of Instruction Set - PowerPoint PPT Presentation

Feb 07, 2024 •46 likes •246 views

Where is the FEEB? The Effectiveness of Instruction Set Randomization Ana Sovarel, David Evans and Nathanael Paul Presented by Sandra Rueda CSE 598A - Spring 2007 - Sandra Rueda Page 1 Code Injection Attacks High level description:

  1. Where is the FEEB? The Effectiveness of Instruction Set Randomization Ana Sovarel, David Evans and Nathanael Paul Presented by Sandra Rueda CSE 598A - Spring 2007 - Sandra Rueda Page 1

  2. Code Injection Attacks • High level description: – Look for an input – Insert code – Alter (Transfer) control flow • Main target: – Buffer overflow vulnerabilities • Threat to: – C Programs – CGI Scripts • The attacker needs to know the instruction set to succeed CSE 598A - Spring 2007 - Sandra Rueda Page 2

  3. ISR • If the attacker needs to know the instruction set … • Let’s obscure that set: – Instruction Set Randomization (ISR) Original opcode: 0x3c 0011 1100 Encoding Key: 0x33 0011 0011 XOR New opcode: 0x0F 0000 1111 Original opcode: 1100 Transposing Key: 2103 1001 0011 New opcode: 0110 CSE 598A - Spring 2007 - Sandra Rueda Page 3

  4. ISR Overview • Threat model: – ISR is a defense against external users – It is designed to protect remote servers – (It is not designed as a defense against internal users) • Architecture Loading: Executing: PCB Decoding Register PID, PC, … Key Key Memory e Key (Instruct) Executable: e Key (Instruct) + Key CSE 598A - Spring 2007 - Sandra Rueda Page 4

  5. Proof of Concept • Emulation 1 [Kc et al. CCS’03] – Two ways of randomizing: xor, transposition – 32 bit keys – Mechanisms to randomize binary and perl code • Emulation 2 [Barrantes et al. CCS’03] – Randomizing with xor – Keys as long as the program: they are generated from a seed and a pseudorandom sequence – Mechanism to randomize binary code • Performance: ISR does not considerably slows down I/O intensive processes CSE 598A - Spring 2007 - Sandra Rueda Page 5

  6. How secure is it? • Key length (XOR): – Key as long as the instructions • 32 bits instructions lead to 32 bits keys 2 32 options – Key as long as the program • s = length of the seed 2 s options • Key length (Transposition): – nb = #bits per instruction l = nb * log 2 (nb) – < log 2 (l!) permutations (not all permutations are valid) • It is supposed that injected code will raise an exception after de- randomization: – Invalid opcode – Invalid address access – In some cases the de-randomized instructions may work (tested with real attacks it is a low percentage) [Barrantes et al.] CSE 598A - Spring 2007 - Sandra Rueda Page 6

  7. ISR Drawbacks • Requires special support – Hardware based support | binary to binary translators • Applications must be statically linked – Alternatives: encrypting everything at the beginning or on-demand – Alternatives slow down response time • It can not handle self-modifying code • Vulnerable to denial of service attacks CSE 598A - Spring 2007 - Sandra Rueda Page 7

  8. Effectiveness of ISR • Is it possible to guess the randomization key(s) given time and resource constraints ? CSE 598A - Spring 2007 - Sandra Rueda Page 8

  9. Proposed Attack • Strategy: incrementally break the key • Mechanism: – Trial and error – Select a random key – Inject an identifiable sequence of instructions • Identifiable means … being able to detect if a partial key is right or wrong Socket connection satisfies this requirement • And being able to determine the correct key from the guess XOR satisfies this requirement – Options: • Return attack • Jump attack CSE 598A - Spring 2007 - Sandra Rueda Page 9

  10. Return Attack Stack Layout: 1 byte local buffer local buffer encrypted ret instruction … … saved base pointer saved base pointer saved ret address overwritten ret address saved ret address … … Before After • The stack is compromised the attack can only be used if observable activity occurs before the crash • “We suspect situations where the return attack can be used are rare, but an attacker who is fortunate enough to find such vulnerability can use it …” CSE 598A - Spring 2007 - Sandra Rueda Page 10

  11. Jump Attack The FEEB! Stack Layout: 1 byte local buffer local buffer short jump (eb) offset -2 (fe) … … saved ret address overwritten ret address … … Before After • It produces infinite loops • If the guess is correct the socket remains open • If it is not correct the server crashes and the socket is closed CSE 598A - Spring 2007 - Sandra Rueda Page 11

  12. Incremental Key Breaking • If the key used is as long as the program … – Two keys (from a successful jump attack) are not enough – Repeat the attack using the two already known keys • When the same 32-bit key is used – max_attempts_return = 1024 (4 * 2 8 ) – max_attemps_jump = 66048 (2 16 + 2 * 2 8 ) – Extra attempts may be needed because of false positives • “This can not be done with the described approach” CSE 598A - Spring 2007 - Sandra Rueda Page 12

  13. Eliminating False Positives • Return Attack: • False positives may happen because – The injected guess is decrypted to a instruction similar to near return – The injected guess is decrypted to a harmless instruction and a subsequent instruction behaves like a near return • Options: – Try all 255 possibilities • If none behaves like a return then the mask is the actual instruction (0xc3) • If more than one produce the expected behavior : … use the guess harmless instruction use previous knowledge near return behavior … overwritten ret address CSE 598A - Spring 2007 - Sandra Rueda Page 13

  14. Eliminating False Positives • Jump Attack: • False positives may happen because: – The injected guess is decrypted to a instruction that causes an infinite loop – The injected guess is decrypted to a harmless instruction and a subsequent instruction causes the infinite loop – The injected guess cause a crash but there is a delay that is interpreted as an infinite loop (it is longer than the threshold) • Options: – Only near conditional jumps may generate the same behavior, all of them share the same first four bits 2 13 = 2 5 (opcode) * 2 8 (offset) – It happens when the first byte decrypts to a harmless instruction, the second to a jump instruction and the third to -2 or -3 change the sign to the third byte – Increase the threshold CSE 598A - Spring 2007 - Sandra Rueda Page 14

  15. Extended Attack • ISR with short repeated key the proposed attack is enough • ISR with long keys a larger number of keys is required – Problematic in the case of Jump attacks because they leave active infinite loops causing degradation in service – However after learning some keys it is possible to improve the attack by using additional instructions CSE 598A - Spring 2007 - Sandra Rueda Page 15

  16. Deployment • Inject a micro-VM in the region of memory where masks are known • The micro-VM has a buffer to load the worm code • The micro-VM loads worm code in chunks • The worm code is encrypted with the known keys • To propagate the worm the VM uses the same techniques already described (return and jump attacks) • It requires the old keys thus they are included in the worm code CSE 598A - Spring 2007 - Sandra Rueda Page 16

  17. Evaluation • Client: – Opens a socket to the server – Builds an attack string and sends it – Waits for the acknowledgment – Detects the result • Target: – Echo server with a buffer overflow vulnerability – They modified an ISR implementation so the attack would succeed (?) – Address space layout randomization disabled to test the attack • Results: – After breaking the first bytes, fewer attempts per byte are required to guess the new keys CSE 598A - Spring 2007 - Sandra Rueda Page 17

  18. Results Time to acquire key bytes Jump o Return x 1000 o o x o o o Time x 100 (sec) x x x 10 4 16 64 256 1024 Key Bytes Acquired “On average we can break a 100-byte key in just over 6 minutes with the jump attack .” CSE 598A - Spring 2007 - Sandra Rueda Page 18

  19. Attack Limitations • The attack works for applications that use the same randomization key several times • It will crash a system multiple times – An administrator might notice the attack • It does not work for transposition – It needs to be able to determine the key based on plaintext-ciphertext comparison • It is heavily dependent on x86 architecture – RISC: too long instructions to realistically guess using a brute-force attack • It does not work for higher-level languages as SQL and Perl CSE 598A - Spring 2007 - Sandra Rueda Page 19

  20. Take Away • ISR with short repetitive keys are Security vs. susceptible to the attack. ISR with long Performance fresh keys are not • Long fresh keys mean re-randomizing Is that bad? after crashes. It might cause denial-of- service problems • Like other tools ISR technique requires tuning and constant monitoring! CSE 598A - Spring 2007 - Sandra Rueda Page 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Better Start The effectiveness of phonological awareness instruction to enhance early literacy

A Better Start The effectiveness of phonological awareness instruction to enhance early literacy

A Better Start The effectiveness of phonological awareness instruction to enhance early literacy success for young children most at risk. Presenter: Prof Gail Gillon, PhD, ASHA Fellow College of Education Health and Human Development

1.02k views • 63 slides
Effectiveness of Interactive Distance Instruction: Experimental Evidence from Ghanaian Primary

Effectiveness of Interactive Distance Instruction: Experimental Evidence from Ghanaian Primary

Photo Credit: Varkey Foundation Effectiveness of Interactive Distance Instruction: Experimental Evidence from Ghanaian Primary Schools Ghana Education Evidence Summit 2017 J A M I E J O H N S TO N S TA N F O R D U N I V E R S I T Y C H R

252 views • 22 slides
Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction

Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction

1 EE 109 Unit 13 MIPS Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction Set Architecture (ISA) Defines the software interface of the processor and memory system Instruction set is the

915 views • 52 slides
Summer School and Summer Programs 2014 District Effectiveness Report Summer School Locations:

Summer School and Summer Programs 2014 District Effectiveness Report Summer School Locations:

Summer School and Summer Programs 2014 District Effectiveness Report Summer School Locations: To provide high To provide high qual quality cu y curricul rriculum, instruction, and m, instruction, and assessme assessment To support

342 views • 16 slides
Strategies for Measuring the Effectiveness of District &amp; Regional Initiatives Michelle

Strategies for Measuring the Effectiveness of District &amp; Regional Initiatives Michelle

Strategies for Measuring the Effectiveness of District &amp; Regional Initiatives Michelle Robinette Director of Curriculum, Red Creek CSD Sarah Vakkas Assistant Superintendent for Instruction, GST BOCES Session Objectives Participants will

368 views • 23 slides
Enrollment Management: Why Instruction Matters to Us Presented by: Dr. Anna Badalyan Dean of

Enrollment Management: Why Instruction Matters to Us Presented by: Dr. Anna Badalyan Dean of

ACBO Fall Conference 2013 Enrollment Management: Why Instruction Matters to Us Presented by: Dr. Anna Badalyan Dean of Institutional Effectiveness Dr. Mary Gallagher Vice President Administrative Services Professor Joseph Ratcliff

240 views • 13 slides
EE 109 Unit 8 MIPS Instruction Set Architecting a vocabulary for the HW INSTRUCTION SET

EE 109 Unit 8 MIPS Instruction Set Architecting a vocabulary for the HW INSTRUCTION SET

8.1 8.2 EE 109 Unit 8 MIPS Instruction Set Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 8.3 8.4 Instruction Set Architecture (ISA) Components of an ISA 1. ________ and Address Size Defines the _________________ of

449 views • 12 slides
Determining the Determining the Effectiveness &amp; ROI Effectiveness &amp; ROI of Your GRC

Determining the Determining the Effectiveness &amp; ROI Effectiveness &amp; ROI of Your GRC

6/18/2012 Effectiveness &amp; ROI of GRC June 22, 2012 1 Determining the Determining the Effectiveness &amp; ROI Effectiveness &amp; ROI of Your GRC Program of Your GRC Program Bob Conlin, Chief Products Officer SCCE Regional Conference June

503 views • 9 slides
Pipelining Instruction Pipelining is the use of pipelining to allow more than one instruction to

Pipelining Instruction Pipelining is the use of pipelining to allow more than one instruction to

Pipelining Instruction Pipelining is the use of pipelining to allow more than one instruction to be in some stage of execution at the same time. Ferranti ATLAS (1963): Pipelining reduced the average time per instruction by

1.85k views • 147 slides
Contextual factors of the external effectiveness of the university effectiveness of the

Contextual factors of the external effectiveness of the university effectiveness of the

19th International Conference on Computational Statistics Paris - France, August 22-27 Contextual factors of the external effectiveness of the university effectiveness of the university education: a multilevel approach Matilde Bini European

823 views • 14 slides
Educator Effectiveness Grant New Teacher S upport and Development Educator Effectiveness Grant

Educator Effectiveness Grant New Teacher S upport and Development Educator Effectiveness Grant

Educator Effectiveness Grant New Teacher S upport and Development Educator Effectiveness Grant In June 2015, Governor Jerry Brown and the state Legislature allocated $500 million dollars to support educator effectiveness, primarily for our

562 views • 17 slides
Instruction Scheduling cs5363 1 Instruction scheduling Reordered Original Instruction code

Instruction Scheduling cs5363 1 Instruction scheduling Reordered Original Instruction code

Instruction Scheduling cs5363 1 Instruction scheduling Reordered Original Instruction code code Scheduler Reorder operations to reduce running time Different operations take different number of cycles Referencing values not yet

728 views • 17 slides
Office of Institutional Effectiveness Overview Institutional Effectiveness Overview The Office of

Office of Institutional Effectiveness Overview Institutional Effectiveness Overview The Office of

Office of Institutional Effectiveness Overview Institutional Effectiveness Overview The Office of Institutional Effectiveness functions as the foundation of assessment and evaluation District wide. IE ensures that all stated strategic goals,

335 views • 15 slides
EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set

EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set

10.1 10.2 EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set Architecture (ISA) MIPS Processor and Bus Interface The MIPS processor can execute software instructions that will Defines the

225 views • 18 slides
Basic Steps for Execution Fetch an instruction from the instruction store Decode it

Basic Steps for Execution Fetch an instruction from the instruction store Decode it

Basic Steps for Execution Fetch an instruction from the instruction store Decode it What does this instruction do? Gather inputs From the register file From memory Perform the operation Write back the outputs To

176 views • 16 slides
Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction overlap in a pipeline executing instructions in parallel (later, with multiple instruction issue) ILP hindered by: data dependence : arises

340 views • 21 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion &amp; Detection Security Intrusion a security event, or combination of multiple security events, that constitutes a security

710 views • 47 slides
How Important Are Terms of Trade Shocks? Stephanie Schmitt-Groh e Mart n Uribe

How Important Are Terms of Trade Shocks? Stephanie Schmitt-Groh e Mart n Uribe

How Important Are Terms of Trade Shocks? Stephanie Schmitt-Groh e Mart n Uribe Columbia University October 28, 2015 1 Conventional View: Terms-of-trade shocks are a major source of business-cycle fluctuations in poor and emerging

693 views • 51 slides
An HTTP-Based Versioning Mechanism for Linked Data Herbert Van de Sompel Robert Sanderson

An HTTP-Based Versioning Mechanism for Linked Data Herbert Van de Sompel Robert Sanderson

An HTTP-Based Versioning Mechanism for Linked Data Herbert Van de Sompel Robert Sanderson Michael L. Nelson Lyudmila Balakireva Harihar Shankar Scott Ainsworth Memento is partially funded by the Library of Congress Presentation at

811 views • 55 slides
The QR algorithm is a method for calculating all eigenvalues We will see that the pure QR

The QR algorithm is a method for calculating all eigenvalues We will see that the pure QR

Lesson 22 QR A LGORITHM The QR algorithm is a method for calculating all eigenvalues We will see that the pure QR algorithm is equivalent to power iteration applied to multiple vectors at once It therefore suffers the same problems as

922 views • 55 slides
Network Security Protocols: Analysis methods and standards John Mitchell Stanford University

Network Security Protocols: Analysis methods and standards John Mitchell Stanford University

Network Security Protocols: Analysis methods and standards John Mitchell Stanford University Joint work with many students, postdocs, collaborators TRUST : Team for Research in Ubiquitous Secure Technologies NSF Science and Technology Center

536 views • 40 slides
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

T-79.194 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner presentation by Maarit Hietalahti Helsinki University of Technology Laboratory for Theoretical Computer Science

298 views • 14 slides
Time Synchronization Security Chaudhry Tanmay Agenda Time Synchronization Protocols?

Time Synchronization Security Chaudhry Tanmay Agenda Time Synchronization Protocols?

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Time Synchronization Security Chaudhry Tanmay Agenda Time Synchronization Protocols? Security Concerns Network Time Protocol

413 views • 13 slides
High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J. Bernstein University of Illinois at Chicago wget -m -k -I / \ secspider.cs.ucla.edu cd secspider.cs.ucla.edu awk /GREEN.*GREEN.*GREEN.*Yes/

1.48k views • 94 slides

More recommend