1 Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi.

Slides:

Advertisements

Similar presentations

Simplifications of Context-Free Grammars

Advertisements

Copyright © 2013 Elsevier Inc. All rights reserved.

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

ECE 495: Integrated System Design I

1 Refactoring with Contracts Shmuel Tyszberowicz School of Computer Science The Academic College of Tel Aviv Yaffo Maayan Goldstein School of Computer.

Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.

David Luebke 1 6/7/2014 ITCS 6114 Skip Lists Hashing.

Chapter 4 Memory Management Basic memory management Swapping

Eiffel: Analysis, Design and Programming Bertrand Meyer (Nadia Polikarpova) Chair of Software Engineering.

1 University of Utah – School of Computing Computer Science 1021 "Thinking Like a Computer"

Addition 1’s to 20.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

1 Symbolic Execution Kevin Wallace, CSE

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Securing Software Systems Gaurav S. Kc Programming Systems Lab 9 th April, 2003.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

On-Chip Control Flow Integrity Check for Real Time Embedded Systems Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,

5-Stage Pipelining Fetch Instruction (FI) Fetch Operand (FO) Decode Instruction (DI) Write Operand (WO) Execution Instruction (EI) S3S3 S4S4 S1S1 S2S2.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.

1 Specialization Tools and Techniques for Systematic Optimization of System Software McNamee, Walpole, Pu, Cowan, Krasic, Goel, Wagle, Consel, Muller,

Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Mitigation of Buffer Overflow Attacks

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.

Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:

Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.

Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Control-Flow Integrity

Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.

Protecting C and C++ programs from current and future code injection attacks Yves Younan, Wouter Joosen and Frank Piessens DistriNet Department of Computer.

1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.

Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.

Introduction to Information Security

Jay Ligatti summer 2004 intern work with:

Mitigation against Buffer Overflow Attacks

Suman Jana *Original slides from Vitaly Shmatikov

Introduction to Information Security

Security in Java Real or Decaf? cs205: engineering software

Defending against Stack Smashing attacks

New Research in Software Security

CSC 495/583 Topics of Software Security Format String Bug (2) & Heap

CS5123 Software Validation and Quality Assurance

Carmine Abate Rob Blanco Deepak Garg Cătălin Hrițcu Jérémy Thibault

Return-to-libc Attacks

Presentation transcript:

1 Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: Úlfar Erlingsson and Martín Abadi

2 Motivation I: Bad things happen DoS Weak authentication Insecure defaults Trojan horse Back door Particularly common: buffer overflows and machine-code injection attacks Source:

3 Motivation II: Lots of bad things happen Source: (only Q1 and Q2 of 2004) **

4 Motivation III: “Bad Thing” is usually UCIT About 60% of CERT/CC advisories deal with Unauthorized Control Information Tampering [XKI03] Previous function’s stack frame Return address Local Buffer Local Garbage Can be anything Attack Code Hijacked PC pointer Attack Code E.g.: Overflow buffer to overwrite return address Other bugs can also divert control

5 Motivation IV: Previous Work Ambitious goals, Informal reasoning, Flawed results StackGuard of Cowan et al. [CPM+98] (used in SP2) “Programs compiled with StackGuard are safe from buffer overflow attack, regardless of the software engineering quality of the program.” Why can’t an attacker learn/guess the canary? What about function args? [CPM+98]

6 Goal: Provably correct mechanisms that prevent powerful attackers from succeeding by protecting against all UCIT attacks Part of new project: Gleipnir This Research …in Norse mythology, is a magic chord used to bind the monstrous wolf Fenrir, thinner than a silken ribbon yet stronger than the strongest chains of steel. These chains were crafted for the Norse gods by the dwarves from “the sound of a cat's footfall and the woman's beard and the mountain's roots and the bear's sinews and the fish's breath and bird's spittle.”

7 Attack Model Powerful Attacker: Can at any time arbitrarily overwrite any data memory and (most) registers –Attacker cannot directly modify the PC –Attacker cannot modify our reserved registers (in the handful of places where we need them) Few Assumptions: Data memory is Non-Executable * Code memory is Non-Writable * Also… currently limited to whole-program guarantees (still figuring out how to do dynamic loading of DLLs)

8 Our Mechanism FAFA FBFB return call fp A call A call+1 B1B1 B ret CFG excerpt nop IMM 1 if(*fp != nop IMM 1 ) halt nop IMM 2 if(**esp != nop IMM 2 ) halt NB: Need to ensure bit patterns for nops appear nowhere else in code memory

9 More Complex CFGs Maybe statically all we know is that F A can call any int int function FAFA FBFB call fp A call B1B1 CFG excerpt C1C1 FCFC nop IMM 1 if(*fp != nop IMM 1 ) halt nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction succ(A call ) = {B 1, C 1 }

10 Imprecise Return Information Q: What if F B can return to many functions ? B ret A call+1 CFG excerpt D call+1 FBFB FAFA return call F B FDFD nop IMM 2 if(**esp != nop IMM 2 ) halt nop IMM 2 succ(B ret ) = {A call+1, D call+1 } CFG Integrity: Changes to the PC are only to valid successor PCs, per succ(). A: Imprecise CFG

11 No “Zig-Zag” Imprecision A call B1B1 CFG excerpt C1C1 E call Solution I: Allow the imprecisionSolution II: Duplicate code to remove zig-zags A call B1B1 CFG excerpt C 1A E call C 1E

12 Security Proof Outline Define machine code semantics Model a powerful attacker Define instrumentation algorithm Prove security theorem

13 Security Proof I: Semantics (an extension of [HST+02]) “Normal” steps: Attack step: General steps:

14 Security Proof II: Instrumentation Algorithm (1)Insert new illegal instruction at the end of code memory (2)For all computed jump destinations d with destination id X, insert “nop X” before d (3)Change every jmp r s into: addir 0,r s, 0 ldr 1,r 0 [0] movi r 2, IMM X bgt r 1, r 2, HALT bgt r 2, r 1, HALT jmp r 0 Where IMM X is the bit pattern that decodes into “nop X” s.t. X is the destination id of all targets of the jmp r s instruction.

15 Security Proof III: Properties Instrumentation algorithm immediately leads to constraints on code memory, e.g.: Using such constraints + the semantics,

16 SMAC Extensions In general, our CFG integrity property implies uncircumventable sandboxing (i.e., safety checks inserted by instrumentation before instruction X will always be executed before reaching X). Can remove NX data and NW code assumptions from language (can do SFI and more!): NW code addi r 0, r d, 0 bgt r 0, max(dom(M D )) - w, HALT bgt min(dom(M D )) - w, r 0, HALT st r 0 (w), r s NX data addi r 0, r s, 0 bgt r 0, max(dom(M C )), HALT bgt min(dom(M C )), r 0, HALT [checks from orig. algorithm] jmp r 0

17 Runtime Precision Increase Can use SMAC to increase precision Set up protected memory for dynamic information and query it before jumps E.g., returns from functions –When A calls B, B should return to A not D –Maintain return-address stack untouchable by original program

18 Efficient Implementation ? Should be fast (make good use of caches): +Checks & IDs same locality as code –Static pressure on unified caches and top-level iCache –Dynamic pressure on top-level dTLB and dCache How to do checks on x86  Can implement NOPs using x86 prefetching etc.  Alternatively add 32-bit id and SKIP over it How to get CFG and how to instrument?  Use magic of MSR Vulcan and PDB files

19 Microbenchmarks Program calls pointer to “null function” repeatedly Preliminary x86 instrumentation sequences PIIIP4 NOP IMM Forward 11% Return 11% Both 33% Forward 55% Return 54% Both111% SKIP IMM Forward 11% Return221% Both276% Forward 19% Return181% Both195% Normalized Overheads PIII = XP SP2, Safe Mode w/CMD, Mobile Pentium III, 1.2GHz P4 = XP SP2, Safe Mode w/CMD, Pentium 4, no HT, 2.4GHz

20 Future Work Practical issues:  Real-world implementation & testing  Dynamically loaded code  Partial instrumentation Formal work:  Finish proof of security for extended instrumentation  Proofs of transparency (semantic equivalence) of instrumented code  Move to proof for x86 code

21 References [CPM+98] Cowan, Pu, Maier, Walpole, Bakke, Beattie, Grier, Wagle, Zhang, Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. of the 7 th Unsenix Security Symposium, [HST+02] Hamid, Shao, Trifonov, Monnier, Ni. A Syntactic Approach to Foundational Proof-Carrying Code. Technical Report YALEU/DCS/TR-1224, Yale Univ., [XKI03] Xu, Kalbarczyk, Iyer. Transparent runtime randomization. In Proc. of the Symposium on Reliable and Distributed Systems, 2003.

22 End