David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 20: Hair Dryer Attacks Image.

Slides:



Advertisements
Similar presentations
1 Exceptions: An OO Way for Handling Errors Rajkumar Buyya Grid Computing and Distributed Systems (GRIDS) Laboratory Dept. of Computer Science and Software.
Advertisements

CS 206 Introduction to Computer Science II 09 / 05 / 2008 Instructor: Michael Eckmann.
Reconfigurable Computing S. Reda, Brown University Reconfigurable Computing (EN2911X, Fall07) Lecture 06: Verilog (2/3) Prof. Sherief Reda Division of.
Cs2220: Engineering Software Class 10: Generic Datatypes Fall 2010 University of Virginia David Evans.
David Evans CS201j: Engineering Software? University of Virginia Computer Science Lecture 2: Java Semantics, Validation.
Cs1120 Fall 2009 David Evans Lecture 16: Power Analysis.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Concurrent Programming.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 21: Garbage Collection.
Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.
1 11/8/06CS150 Introduction to Computer Science 1 Arrays Chapter 8 page 477 November 13, 2006.
Презентація за розділом “Гумористичні твори”
Центр атестації педагогічних працівників 2014
Галактики і квазари.
Характеристика ІНДІЇ.
Процюк Н.В. вчитель початкових класів Боярської ЗОШ І – ІІІ ст №4
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 22: Low-Level Programming in.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Cs205: engineering software university of virginia fall 2006 Data Abstraction David Evans
Class 14: Object-Oriented Programming Fall 2010 University of Virginia David Evans cs2220: Engineering Software.
David Evans CS200: Computer Science University of Virginia Computer Science Lecture 18: Think Globally, Mutate Locally.
Cs2220: Engineering Software Class 6: Defensive Programming Fall 2010 University of Virginia David Evans.
Fall 2010 UVa David Evans cs2220: Engineering Software Class 28: Past and Future.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 12: Subtyping Rules What’s the.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 14: Substitution Principle.
Духовні символи Голосіївського району
David Evans CS200: Computer Science University of Virginia Computer Science Lecture 19: Environments.
Cs205: engineering software university of virginia fall 2006 Subtyping and Inheritance David Evans Quiz Friday: classes through.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 23: Snakes Tournament.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
David Evans CS150: Computer Science University of Virginia Computer Science Lecture 4: Programming with Data.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 11: Subtyping and Inheritance.
Cs205: engineering software university of virginia fall 2006 Programming Exceptionally David Evans
David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 7: A Tale of Two Graphs (and.
David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 5: Implementing Data Abstractions.
1.5.3 Walkthrough #4 bouncing_ball.py wrapping_ball.py
Lecture 7: List Recursion CS200: Computer Science
Lecture 15: Using Low-Level Languages CS201j: Engineering Software
CSCE 481 Computer Science & Computer Engineering Update
Óbuda University - Doctoral School on Safety and Security Sciences
Subtyping Rules David Evans cs205: engineering software BlackBear
Lecture 15: Concurring Concurrently CS201j: Engineering Software
Concurring Concurrently
Lecture 21: Inheritance CS200: Computer Science University of Virginia
Lecture 11: All Sorts CS200: Computer Science University of Virginia
Lecture 9: Exceptions in Java CS201j: Engineering Software
Data Abstraction David Evans cs205: engineering software
Lecture 4: Data Abstraction CS201j: Engineering Software
Проф. д-р Васил Цанов, Институт за икономически изследвания при БАН
ЗУТ ПРОЕКТ на Закон за изменение и допълнение на ЗУТ
Електронни услуги на НАП
Боряна Георгиева – директор на
РАЙОНЕН СЪД - БУРГАС РАБОТНА СРЕЩА СЪС СЪДЕБНИТЕ ЗАСЕДАТЕЛИ ПРИ РАЙОНЕН СЪД – БУРГАС 21 ОКТОМВРИ 2016 г.
Съобщение Ръководството на НУ “Христо Ботев“ – гр. Елин Пелин
НАЦИОНАЛНА АГЕНЦИЯ ЗА ПРИХОДИТЕ
ДОБРОВОЛЕН РЕЗЕРВ НА ВЪОРЪЖЕНИТЕ СИЛИ НА РЕПУБЛИКА БЪЛГАРИЯ
Съвременни софтуерни решения
ПО ПЧЕЛАРСТВО ЗА ТРИГОДИШНИЯ
от проучване на общественото мнение,
Програма за развитие на селските райони
ОПЕРАТИВНА ПРОГРАМА “АДМИНИСТРАТИВЕН КАПАЦИТЕТ”
БАЛИСТИКА НА ТЯЛО ПРИ СВОБОДНО ПАДАНЕ В ЗЕМНАТА АТМОСФЕРА
Правна кантора “Джингов, Гугински, Кючуков & Величков”
Безопасност на движението
Lecture 18: Deep C Garbage Collection CS201j: Engineering Software
Lecture 10: Using Object-Oriented Languages
Lecture 13: Subtyping Rules Killer Bear Climber
Lecture 15: Quicker Sorting CS150: Computer Science
Lecture 11: Sorting Grounds and Bubbles
Presentation transcript:

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 20: Hair Dryer Attacks Image from GoldenBlue LLC.

6 November 2003CS 201J Fall Menu Array Subtyping Java Security Review Violating Type Safety with a Hair Dryer

6 November 2003CS 201J Fall Subtyping and Arrays If B <= A, should B[] <= A [] ?

6 November 2003CS 201J Fall Array Subtyping static public Object getFirst (Object [] els) throws NoSuchElementException { if (els == null || els.length == 0) { throw new NoSuchElementException (); } else { return els[0]; } static public void main (String args[]) { try { Object o = getFirst (args); System.err.println ("The first parameter is: " + o); } catch (NoSuchElementException e) { System.err.println ("There are no parameters!"); }

6 November 2003CS 201J Fall Array Store static public void setFirst (Object [] els) throws NoSuchElementException { if (els == null || els.length == 0) { throw new NoSuchElementException (); } else { els[0] = new Object (); } static public void main (String args[]) { try { Object o = getFirst (args); System.err.println ("The first parameter is: " + o); setFirst (args); } catch (NoSuchElementException e) { System.err.println ("There are no parameters!"); } > javac TestArrays.java > java TestArrays test The first parameter is: test Exception in thread "main" java.lang.ArrayStoreException at TestArrays.setFirst(TestArrays.java:16) at TestArrays.main(TestArrays.java:25)

6 November 2003CS 201J Fall ESC/Java and Array Stores > escjava TestArrays.java ESC/Java version 1.2.4, 27 September 2001 TestArrays... TestArrays: getFirst(java.lang.Object[])... [0.199 s] passed TestArrays: setFirst(java.lang.Object[]) TestArrays.java:16: Warning: Type of right-hand side possibly not a subtype of array element type (ArrayStore) els[0] = new Object ();

6 November 2003CS 201J Fall Java Type checking: B <= A  B[] <= A[] Need a run-time check for every array store (to an array where the actual element type is not known) Better rule: no inference of array subtypes

6 November 2003CS 201J Fall Java Security

6 November 2003CS 201J Fall Java javac Compiler malcode.java malcode.class JVML Joe User Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

6 November 2003CS 201J Fall Bytecode Verifier Checks JVML code satisfies safety properties –Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once –After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores) Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.

6 November 2003CS 201J Fall Violating the Assumption … // The object on top of the stack is a SimObject astore_0 // There is a SimObject in location 0 aload_0 // The value on top of the stack is a SimObject If a cosmic ray hits the right bit of memory, between the store and load, the assumption might be wrong.

6 November 2003CS 201J Fall Improving the Odds Set up memory so that a single bit error is likely to be exploitable Mistreat the hardware memory to increase the odds that bits will flip Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.

6 November 2003CS 201J Fall Making Bit Flips Useful Fill up memory with Filler objects, and one Pointee object: class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a6; Pointee a7;}

6 November 2003CS 201J Fall Filling Up Memory Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7 Filler Object

6 November 2003CS 201J Fall Wait for a bit flip… Remember: there are lots of Filler objects (fill up all of memory) If a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7 Filler Object

6 November 2003CS 201J Fall Type Violation After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object! a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7 Filler Object Can we exploit this?

6 November 2003CS 201J Fall Finding the Bit Flip while (true) { for (Enumeration e = fillers.elements (); e.hasMoreElements () ; ) { Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! … } else if (f.a2 != p) { … } Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; }

6 November 2003CS 201J Fall Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;} Declared Type f.a1Pointee f.a1.bint fr == f.a1Filler fr.a4 == f.a1.bPointee

6 November 2003CS 201J Fall Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = ; // Address of bank balance object fr.a4.a1 = p.a5; // Set it to a new value class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;}

6 November 2003CS 201J Fall Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = ; // Address of the SecurityManager fr.a4.a1 = null; // Set it to a null // Do whatever you want! There’s no security policy now… new File (“C:\thesis.doc”).delete (); class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;}

6 November 2003CS 201J Fall Getting a Bit Flip Wait for a Cosmic Ray –You have to be really, really patient… (or move machine out of Earth’s atmosphere) X-Rays –Expensive, not enough power to generate bit-flip High energy protons and neutrons –Work great - but, you need a particle accelerator Hmm….

6 November 2003CS 201J Fall Using Heat n 50-watt spotlight bulb n Between 80° - 100°C, memory starts to have a few failures n Attack applet is successful (at least half the time)! n Hairdryer works too, but it fries too many bits at once Picture from Sudhakar Govindavajhala

6 November 2003CS 201J Fall Should Anyone be Worried? Java virtual machine

6 November 2003CS 201J Fall Recap Verifier assumes the value you write is the same value when you read it By flipping bits, we can violate this assumption By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types By violating type safety, we can get around all other security measures For details, see paper linked from notes

6 November 2003CS 201J Fall Charge: Problem Set 6 Violate type safety to steal an election No need to open up ITC machines to try to heat up memory –Please don’t try this in lab (but try it at home if you want) Instead, use java –noverify to get around type checking: allows byte codes to run without verifying them