Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.


Instruction-Set Randomization
“Countering Code-Injection Attacks With Instruction-Set Randomization”, G. Kc, A. Keromytis, and V. Prevelakis, CCS, October 2003
“Randomized instruction set emulation to disrupt binary code injection attacks”, E. Barrantes, D. Ackley, S. Forrest, T. Palmer, D. Stefanovic and D. Zovi, CCS, October 2003
Presented by: David Allen, November 02, 2005

Concept
- Population diversity: every running program has a different instruction set.
- Ideally there is a large instruction space.
- Prevent all network code-injection attacks.
- “Self-destruct”: exploits are reduced to a DoS vulnerability.

Threats
- Stack- and heap-based buffer overflow attacks.
- Format string attacks.
- Injection into scripting languages: CGI scripts, SQL scripts, Perl.

Weaknesses
- No protection against logic attacks.
- No protection against data attacks.
- Designed to protect against external attacks; may be very weak against internal attacks.

Method
- Encode:
  – During build.
  – During load.
- Decode:
  – Hardware (Transmeta Crusoe).
  – Emulator.
  – Binary-to-binary translation (Valgrind).

Platform
- Implemented on x86 systems because of their prevalence.
- The dense instruction space of x86 is an issue.
- Variable instruction size is an issue.
- RISC is easier: equal-size instructions.
- 64-bit RISC is great: large instruction space.

Method 1: Encoding
- Build code with branches aligned to even addresses.
- 16-bit key (8-bit is too small).
- Executable and Linking Format (ELF) separates program text from read-only data.
- Use a modified objcopy to transform ELF files.
- XOR the key with the program text.
- The key is stored in the modified executable.

Method 1: Decoding
- A new read-only register in the process control block (PCB) holds the key.
- Set by a privileged instruction.
- Modified Bochs open-source x86 emulator.
- Instructions are decoded on fetch.

Method 1: Results
- Emulation is very slow; should be done in hardware.
- Vulnerable to local attacks on the key.
- Even with larger keys, small instructions can be used to attack the key piecemeal.
- Requires access to code.
- Libraries must be statically linked.
- Effective against code-injection attacks.

Method 2: Encoding
- Generate an XOR mask the same size as the text.
- Uses /dev/urandom (SHA-1 feedback seeded from true randomness).
- The ELF file is encoded during load.

Method 2: Decoding
- Modified Valgrind binary-to-binary translation program.
- Instructions are decoded on fetch.

Method 2: Results
- Valgrind is very slow due to its memory checks; should be replaced.
- Does not need access to code.
- Not sensitive to variable instruction size.
- Imposes only a modest performance hit.
- Libraries can’t be shared, because they are encoded on loading.
- Emulation itself prevents some attacks.
- Effective against code-injection attacks.
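Added example (not code from either paper or from the presentation) modelling the two binary schemes above: Method 1's repeated 16-bit XOR key applied at build time, and Method 2's load-time mask as long as the text. Both are decoded at the emulator's fetch stage, so bytes written into memory without the key (constructed stand-in bytes here, not real code) decode to something other than what was written, which is the "self-destruct" behaviour the slides describe. The SHA-1 feedback generator, the seed parameter and the mask covering the whole simulated region are simplifications of my own.

```python
import hashlib

def xor_fixed_key(text: bytes, key: int) -> bytes:
    """Method 1 style: XOR the text with a 16-bit key repeated every two bytes.
    XOR is its own inverse, so one function both encodes and decodes."""
    if not 0 <= key <= 0xFFFF:
        raise ValueError("Method 1 uses a 16-bit key")
    key_bytes = key.to_bytes(2, "little")
    return bytes(b ^ key_bytes[i % 2] for i, b in enumerate(text))

def make_mask(length: int, seed: bytes) -> bytes:
    """Method 2 style mask, as long as the text, modelled on /dev/urandom's
    SHA-1 feedback (each block hashes the previous). A loader would seed it
    from os.urandom(); a seed parameter keeps this example deterministic."""
    out, state = bytearray(), seed
    while len(out) < length:
        state = hashlib.sha1(state).digest()
        out.extend(state)
    return bytes(out[:length])

def xor_mask(text: bytes, mask: bytes) -> bytes:
    """Method 2 style: one mask byte per text byte, so the key never repeats."""
    if len(mask) != len(text):
        raise ValueError("mask must cover the text exactly")
    return bytes(t ^ m for t, m in zip(text, mask))

def simulate_fetch(memory: bytes, decode) -> bytes:
    """The emulator's fetch stage: every byte reaching the CPU is decoded with
    the process key, whether the loader or an overflow put it there."""
    return decode(memory)

# Constructed stand-ins: not real machine code, and not a real payload.
PROGRAM_TEXT = bytes(range(0x40, 0x50))
INJECTED = b"\xAA" * 8

def run_method1(key: int = 0x5A3C):
    """Returns (decoded program text, decoded injected bytes)."""
    loaded = xor_fixed_key(PROGRAM_TEXT, key)   # objcopy-style build-time encoding
    memory = loaded + INJECTED                  # injected bytes were never encoded
    fetched = simulate_fetch(memory, lambda m: xor_fixed_key(m, key))
    return fetched[:len(PROGRAM_TEXT)], fetched[len(PROGRAM_TEXT):]

def run_method2(seed: bytes = b"constructed seed"):
    """Same split for the load-time mask (mask spans the whole region: a simplification)."""
    mask = make_mask(len(PROGRAM_TEXT) + len(INJECTED), seed)
    loaded = xor_mask(PROGRAM_TEXT, mask[:len(PROGRAM_TEXT)])   # encoded at load
    memory = loaded + INJECTED
    fetched = simulate_fetch(memory, lambda m: xor_mask(m, mask))
    return fetched[:len(PROGRAM_TEXT)], fetched[len(PROGRAM_TEXT):]
```

In both runs the legitimate text decodes back to itself while the unencoded bytes come out changed; with the repeated 16-bit key the same two key bytes recur every two positions, which is the structure behind the piecemeal weakness listed under Method 1.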

Method 3: Encoding
- Perl scripting.
- A randomized tag is added to all:
  – Keywords
  – Operators
  – Function calls
- The tag is given to Perl with a command line argument.

Method 3: Decoding
- The tag is given to Perl with a command line argument.
- Modification of Perl’s lexical analyzer.

Method 3: Results
- Script size is greatly increased.
- No real performance penalty.
- Effective against code-injection attacks.
- The result should apply to other scripting systems as well.
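Added example (my own, not the paper's modified Perl) of the tagging scheme in Method 3, written against a small constructed Perl-like subset: the encoding step appends a random tag to every keyword and function call, and a lexer modelled on the modified lexical analyzer accepts a bare word only when it carries the process's tag, so untagged or wrongly tagged text fails at lexing rather than running. Operators are left untagged here for brevity; KEYWORDS, TOKEN_RE and SCRIPT are constructed.

```python
import re
import secrets

KEYWORDS = {"if", "else", "while", "my", "print"}   # constructed subset, not Perl's grammar
TOKEN_RE = re.compile(r'\$\w+|[A-Za-z_]\w*|\d+|"[^"]*"|\S')

def new_tag() -> str:
    """Random tag chosen per run; the paper hands it to perl on the command line."""
    return secrets.token_hex(4)

def is_bareword(tok: str) -> bool:
    return tok[0].isalpha() or tok[0] == "_"

def tag_script(source: str, tag: str) -> str:
    """Encoding step: append the tag to every bare word (keywords and calls).
    Variables, strings, numbers and punctuation are left untouched."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) + "_" + tag if is_bareword(m.group(0)) else m.group(0),
        source)

def lex(source: str, tag: str) -> list:
    """Decoding step, modelled on the modified lexical analyzer: a bare word is
    accepted only if it carries this process's tag; anything else stops the run."""
    suffix = "_" + tag
    tokens = []
    for tok in TOKEN_RE.findall(source):
        if tok.startswith("$"):
            tokens.append(("VAR", tok[1:]))
        elif is_bareword(tok):
            if not tok.endswith(suffix):
                raise SyntaxError(f"bareword {tok!r} lacks the process tag")
            word = tok[:-len(suffix)]
            tokens.append(("KEYWORD" if word in KEYWORDS else "CALL", word))
        elif tok.startswith('"'):
            tokens.append(("STRING", tok[1:-1]))
        elif tok.isdigit():
            tokens.append(("NUMBER", int(tok)))
        else:
            tokens.append(("SYMBOL", tok))
    return tokens

def accepts(source: str, tag: str) -> bool:
    try:
        lex(source, tag)
        return True
    except SyntaxError:
        return False

# Constructed script; greet is a user-defined call and is tagged too.
SCRIPT = 'my $n = 3; if ($n) { print "ok"; greet($n); }'
```

The size growth the slide reports falls out directly: every tagged word gains the tag's length, while string contents such as "ok" are untouched.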

Conclusions
- Performance issues with the additional layers.
- The binary-to-binary translation method appears superior.