University of Virginia, DARPA SRS - 27 Jan 2005. Effectiveness of Instruction Set Randomization. Ana Nora Sovarel and David Evans, DARPA SRS – Genesis Project.

Presentation transcript:

Where’s the FEEB? Effectiveness of Instruction Set Randomization. Ana Nora Sovarel and David Evans, DARPA SRS – Genesis Project, University of Virginia Department of Computer Science.

How secure is ISR?
Shacham et al. [CCS 2004] presented a brute force attack on memory address space randomization:
– 24-bit effective key space
Can a similar attack be constructed against instruction set randomization?
– Larger key space (32 bits – 4K bytes)
– Need to attack in fragments
– Need a way to tell if a fragment guess is correct

Answer: slows down an attack about 26 minutes, under the right circumstances…

Requirements
Need a vulnerability
– Any buffer overflow vulnerability will do
– Must know the exact memory location
Must be able to crash the server (lots of times) without re-randomization
– Possible if the server handles requests by forking processes (e.g., Apache)
Need to know if the server crashes
– Socket open between attack client and server

Jump Attack: Make Infinite Loop
[Figure: vulnerable buffer, overwritten return address, injected bytes 0xEB (jump) 0xFE (-2) under unknown masks; correct guess]
Guessing first 2 byte masks: 2^16 possibilities
Need about 2^12 guesses to learn first 2 bytes

Incremental Jump Attack
[Figure: overwritten return address, 0xEB (jump) 0xFE (-2) under unknown masks; correct guess. Then, with the guessed masks known, 0xEB (jump) 0xFE (-2) and 0xCD (INT) bytes]
Guessing first 2 byte masks
Guessing additional byte masks: < 256 attempts

False Positives – Bad News
Incorrect guesses might produce the same behavior as the correct guess:
– Injected bytes demask to an instruction that produces indistinguishable behavior, e.g., a conditional jump instruction often behaves like a jump
– Injected bytes demask to a “harmless” instruction, and the subsequently executed instruction is (or behaves like) the correct guess
One incorrect mask guess will probably disrupt attack code

False Positives – Good News
Can distinguish the correct mask using other instructions: try using the guessed mask to inject a harmless one-byte instruction
[Figure: overwritten return address; 0x90 (NOP) 0xEB (jump) 0xFE (-2) under guessed masks]

False Positives – Better News
Structure of false positives can be used to make guessing more efficient
– Conditional jump instructions (e.g., JP/JNP)
– Opcodes 0x70-0x7E are all conditional jumps
– All are complementary pairs: if 0x7 0bxyz0 is not taken, then 0x7 0bxyz1 is taken!
32 guesses that try all values of the first 4 bits and the last bit always find an infinite loop
– Need more guesses to determine the correct mask
Need up to guesses to get first 2 bytes

Scaling the Attack
Once we have learned enough masks:
– Use a near jump to the return location instead of creating infinite loops
– Fill subsequent instructions with 0xCD bytes: 0xCD 0xCD is an interrupt instruction guaranteed to crash
Package attack code: don’t need to obtain enough masks to hold the entire worm, just enough to hold a decrypting micro-VM

Extended Attack
[Figure: overwritten return address; guessed masks; 0xEB (jump) 0x06; 0xCD (INT) bytes forming a “crash zone”; 0xE9 (near jump) with a 32-bit offset to jump to the original return address]
Expected work: < 16 attempts to find the first jumping instruction; ~8 attempts to determine the correct mask

Experiments
Implemented the attack against a constructed vulnerable server protected with RISE [Barrantes et al., 2003]
– Memory space randomization works! Turned off Fedora’s address space randomization
– Needed to modify RISE to ensure separate processes use the same randomization key (other proposed ISR implementations wouldn’t need this)
Able to obtain the correct key most of the time: 8 bytes: 99%; 1024 bytes: 85%

Results
[Chart: average number of attempts vs. key bytes acquired (log scale), Jump Attack and Return Attack]
< 31,000 attempts (26 minutes) to acquire 1024 key bytes
255 attempts (50 seconds) to get the first byte
Jump Attack: First 2 bytes: 2027 attempts / byte; Next 14 bytes: 222 attempts / byte; Next 1008 bytes: attempts / byte
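The attack's observable cost on the defender's side is the requirement from the slides above: the server's forked children must crash tens of thousands of times (31,000 attempts in 26 minutes is roughly 20 child crashes per second). The detector below, an added example that is not part of the talk, scans Apache-style error-log lines for a burst of signal-killed children; the log lines, threshold and window are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime

# Apache 2.x error-log format for a child killed by a signal. The regex groups are
# the timestamp, the pid and the signal name/number.
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] child pid (?P<pid>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def constructed_log():
    """Constructed sample: a start-up line, a 2-second burst of 24 child crashes
    (the rate an ISR key-guessing run produces), then one isolated crash later."""
    lines = ["[Thu Jan 27 10:15:30 2005] [notice] Apache/2.0.52 (Fedora) configured"
             " -- resuming normal operations"]
    for i in range(24):
        sec = 31 + i // 12
        lines.append(f"[Thu Jan 27 10:15:{sec} 2005] [notice] child pid {3100 + i}"
                     " exit signal Segmentation fault (11)")
    lines.append("[Thu Jan 27 10:20:00 2005] [notice] child pid 3200"
                 " exit signal Segmentation fault (11)")
    return lines


def find_crash_bursts(lines, window_s=10, threshold=10):
    """Sliding-window count of signal-killed children. Returns one
    (first_ts, last_ts, count) tuple per burst in which at least `threshold`
    children died within `window_s` seconds; the window restarts after each alert."""
    window = deque()
    alerts = []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()          # drop crashes older than the window
        if len(window) >= threshold:
            alerts.append((window[0], ts, len(window)))
            window.clear()            # count the next burst from scratch
    return alerts


if __name__ == "__main__":
    for first, last, n in find_crash_bursts(constructed_log()):
        print(f"ALERT: {n} child crashes between {first} and {last}")
```

A single isolated segfault (the last sample line) never trips the threshold, so ordinary bugs do not alert; a real deployment would tune the window and threshold to the server's normal crash rate.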

Solutions
Attack depends on being able to determine the key from one known ciphertext-(likely) plaintext pair (trivial with XOR)
– Use a block cipher or permute the ISA to make this hard
– Strata’s fragment cache makes this possible
Attack depends on being able to launch multiple attack attempts against the same key
– Re-randomize and restart after any process crash (enables easy denial-of-service)
– Re-randomize frequently (without restarting)
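The first solution point rests on two properties of per-byte XOR masking: one known plaintext/ciphertext pair gives the mask bytes directly, and changing one injected byte changes exactly one decoded byte, which is what lets the attack proceed in fragments. The added example below (not the talk's or RISE's code) contrasts that with a keyed block transform in which every decoded byte depends on every input byte; the 4-round Feistel network is a toy stand-in for a real block cipher, and the key and code bytes are constructed.

```python
import hashlib


def xor_demask(key: bytes, data: bytes) -> bytes:
    """Per-address XOR mask, as in RISE-style ISR: decoded[i] = data[i] ^ key[i]."""
    return bytes(d ^ k for d, k in zip(data, key))


def xor_key_from_known_pair(plain: bytes, masked: bytes) -> bytes:
    """A single known plaintext/ciphertext pair reveals the mask bytes outright."""
    return bytes(p ^ c for p, c in zip(plain, masked))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function of the toy Feistel network (4-byte output).
    return hashlib.blake2b(key + bytes([i]) + half, digest_size=4).digest()


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy 8-byte block transform: after a few rounds every output byte depends
    on every input byte (diffusion), unlike the per-byte XOR above."""
    l, r = block[:4], block[4:]
    for i in range(rounds):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, r, i)))
    return l + r


def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(rounds)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, l, i))), l
    return l + r


def bytes_changed(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))


def guess_sensitivity(decode, key: bytes, masked: bytes, pos: int) -> int:
    """How many decoded bytes change when one injected byte at `pos` is altered.
    1 means the attacker gets a byte-at-a-time oracle; a whole-block change means
    a fragment guess cannot be confirmed in isolation."""
    altered = bytearray(masked)
    altered[pos] ^= 0x01
    return bytes_changed(decode(key, masked), decode(key, bytes(altered)))


KEY = bytes.fromhex("0f1e2d3c4b5a6978")   # constructed 8-byte key
CODE = bytes.fromhex("ebfe90909090cdcd")  # jmp -2, NOPs, INT bytes from the talk
```

Demasking and masking are the same XOR operation, so `xor_demask(KEY, CODE)` is the stored ciphertext; with the block transform, a byte-by-byte search would need to guess the whole 8-byte block at once.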

GENESIS: A Framework For Achieving Component Diversity. John Knight, Jack Davidson, David Evans, Anh Nguyen-Tuong; Adrian Filipi, Jonathan Rowanhill, Michael Crane, Wei Hu, Jeffrey Shirley, Ana Nora Sovarel, Dan Williams (University of Virginia); Chenxi Wang (Carnegie Mellon University).