Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.

Slides:



Advertisements
Similar presentations
Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.
Advertisements

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Corliss, Lewis, + Roth ISCA-30 DISE: A Programmable Macro Engine for Customizing Applications Marc Corliss, E Lewis, Amir Roth University of Pennsylvania.
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Safeguarding and Charging for Information on the Internet Hector Garcia-Molina, Steven P. Ketchpel, Narayanan Shivakumar Stanford University Presented.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
1 DISE: A Programmable Macro Engine for Customizing Applications Marc Corliss, E Lewis, Amir Roth (U Penn), ISCA 2003 DISE (Dynamic Instruction Steam Editing)
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Low Overhead Debugging with DISE Marc L. CorlissE Christopher LewisAmir Roth Department of Computer and Information Science University of Pennsylvania.
Intro to Computer Architecture
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Run time vs. Compile time
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
MemTracker Efficient and Programmable Support for Memory Access Monitoring and Debugging Guru Venkataramani, Brandyn Roemer, Yan Solihin, Milos Prvulovic.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
CS533 Concepts of Operating Systems Jonathan Walpole.
Chapter 3.5 Memory and I/O Systems. 2 Memory Management Memory problems are one of the leading causes of bugs in programs (60-80%) MUCH worse in languages.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
CPRG 215 Introduction to Object-Oriented Programming with Java Module 1-Introduction to Java Topic 1.1 Basics of Java Produced by Harvey Peters, 2008 Copyright.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Objective At the conclusion of this chapter you will be able to:
COP4020 Programming Languages Subroutines and Parameter Passing Prof. Xin Yuan.
Colorama: Architectural Support for Data-Centric Synchronization Luis Ceze, Pablo Montesinos, Christoph von Praun, and Josep Torrellas, HPCA 2007 Shimin.
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Microprocessors The ia32 User Instruction Set Jan 31st, 2002.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.
1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.
CSS446 Spring 2014 Nan Wang.  To understand the implementation of linked lists and array lists  To analyze the efficiency of fundamental operations.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
ITEC 352 Lecture 19 Functions in Assembly. Functions + Assembly Review Questions? Project due on Friday Stacks Function activation / deactivation.
Buffer overflow and stack smashing attacks Principles of application software security.
Efficient Software-Based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham.
Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
CS703 - Advanced Operating Systems By Mr. Farhan Zaidi.
LECTURE 19 Subroutines and Parameter Passing. ABSTRACTION Recall: Abstraction is the process by which we can hide larger or more complex code fragments.
A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.
HDFI: Hardware-Assisted Data-flow Isolation
Storage Classes There are three places in memory where data may be placed: In Data section declared with .data in assembly language in C - Static) On the.
Chapter 7 Subroutines Dr. A.P. Preethy
CMSC 414 Computer and Network Security Lecture 21
Chapter 9 :: Subroutines and Control Abstraction
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Defending against Stack Smashing attacks
by Richard P. Paul, 2nd edition, 2000.
Code-Pointer Integrity
Presentation transcript:

Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania

DISE Return Address Protection -- Marc Corliss2 Overview  Prevent stack-smashing attacks  Old approach, new implementation  Dynamic Instruction Stream Editing (DISE)

DISE Return Address Protection -- Marc Corliss3 Stack-Smashing Attacks stack pointer stack strcpy(A, input_string); return address A[64] input_string &input_string

DISE Return Address Protection -- Marc Corliss4 Stack-Smashing is a Problem  Some famous stack-smashing attacks  Internet worm, 1987  NCSA HP-UX 1.3 web server breach, 1994  Slammer worm, 2003  Blaster worm, 2003

DISE Return Address Protection -- Marc Corliss5 Solutions  Prevent buffer-overflow in general  Safe languages (e.g. Java, ML)  Range checks (e.g., libSafe)  Prevent return address corruption  Canary: padding word (e.g., StackGuard)  Virtual memory: write protect (e.g., StackGuard)  Shadow stack

DISE Return Address Protection -- Marc Corliss6 Talk Outline  Introduction  DISE background  DISE return address protection  Evaluation  Conclusion

DISE Return Address Protection -- Marc Corliss7 DISE  Programmable instruction macro-expander  Like hardware SED (DISE = dynamic instruction SED) I$executeDISE appapp' srli r9,4,r1 cmp r1,r2,r1 bne r1,Error store r4,8(r9)  Example: memory fault isolation (MFI)

DISE Return Address Protection -- Marc Corliss8 DISE Productions  Production: static rewrite rule T.OPCLASS==store =>srli T.RS,4,dr0 cmp dr0,dr1,dr0 bne dr0,Error T.INST srli r9,4,dr0 cmp dr0,dr1,dr0 bne dr0,Error store r4,8(r9)  Expansion: dynamic instantiation of production Pattern Directive DISE Register Parameterized replacement sequence

DISE Return Address Protection -- Marc Corliss9 Talk Outline  Introduction  DISE background  DISE return address protection  Evaluation  Conclusion

DISE Return Address Protection -- Marc Corliss10 Shadow Stack Approach stackshadow stack RA RA==RA? shadow stack ptr stack ptr main: RA foo: RA strcpy: RA

DISE Return Address Protection -- Marc Corliss11 DISE Implementation  At call instructions  Push return address on shadow stack  At return instructions  Pop address from shadow stack  Verify shadow address equals return address

DISE Return Address Protection -- Marc Corliss12 Protection Productions T.OPCLASS==call =>add T.PC,4,dr0 # compute RA add dssp,8,dssp # push it on  store dr0,-8(dssp) #  shadow stack T.INST # perform call T.OPCLASS==return =>load dr0,-8(dssp) # pop RA from  add dssp,-8,dssp #  shadow stack cmpne T.RS,dr0,dr0 # cmp to actual RA ccall dr0,Error # diff? then error T.INST # perform return RA1 dssp RA2 RA3 Shadow stack:

DISE Return Address Protection -- Marc Corliss13 Implementation Issues  Discussed in this talk  Handling non-local returns  Protecting shadow stack itself  Discussed in the paper  Expanding DISE memory  Protecting DISE productions

DISE Return Address Protection -- Marc Corliss14 Non-Local Returns  Problem: Exceptions, setjmp/longjmp  Cut the stack  Previous solution: pop shadow stack until match –Attacker can simulate longjmp  Ours: store stack pointer (SP) on shadow stack +SP is unique in caller stack, not-smashable  Pop shadow stack until RA & SP match RA1 dssp RA2 RA3 New shadow stack: SP1 SP2 SP3

DISE Return Address Protection -- Marc Corliss15 New Productions T.OPCLASS==call =>add T.PC,4,dr0 # compute RA add dssp,16,dssp # push it on  store dr0,-8(dssp) #  shadow stack store sp,-16(dssp) #  along w/ stack ptr cmp dssp,darp,dr0 # stack full? ccall dr0,expand # yes, expand stack T.INST # perform call T.OPCLASS==return =>load dr0,-8(dssp) # pop RA from  add dssp,-16,dssp #  shadow stack cmpne T.RS,dr0,dr0 # cmp to actual RA ccall dr0,AddrChk # diff? figure out why T.INST # perform return

DISE Return Address Protection -- Marc Corliss16 Protecting the Shadow Stack  What if attack corrupts shadow stack?  One approach: encrypt shadow stack (XOR) T.OPCLASS==call =>add T.PC,4,dr0 # compute RA xor dr0,dxr,dr0 # encrypt address add dssp,16,dssp # push it on  store dr0,-8(dssp) #  shadow stack store sp,-16(dssp) #  along w/ stack ptr T.INST # perform call T.OPCLASS==return =>load dr0,-8(dssp) # pop RA from  add dssp,-16,dssp #  shadow stack xor dr0,dxr,dr0 # decrypt address cmpne T.RS,dr0,dr0 # comp. to actual RA ccall dr0,AddrChk # diff? See what’s up T.INST # perform return

DISE Return Address Protection -- Marc Corliss17 Another Approach  Prevent writes to shadow stack (e.g. MFI)  Call/return productions don’t change  New productions for stores T.OPCLASS==store =>srli T.RS,4,dr0 cmp dr0,dr1,dr0 beq dr0,Error T.INST

DISE Return Address Protection -- Marc Corliss18 Virtues of Using DISE  Versus dedicated hardware +General-purpose: compression, debug., mfi, etc. +Flexible: new attack, new productions  Versus binary rewriter +Transparent: protect all code inc. DLLs +Declarative interface: security by simplicity +Efficient: in a moment 

DISE Return Address Protection -- Marc Corliss19 Talk Outline  Introduction  DISE background  DISE return address protection  Evaluation  Conclusion

DISE Return Address Protection -- Marc Corliss20 Evaluation  Correctness  False negatives?  False positives?  Performance  What’s the overhead?  How does it compare to alternatives?

DISE Return Address Protection -- Marc Corliss21 Correctness  Attacking inputs detected  overflow1 (micro-benchmark)  sendmail  gzip  No false positives with non-attacking inputs

DISE Return Address Protection -- Marc Corliss22 Performance Methodology  SimpleScalar Alpha  Benchmarks  SPEC Int 2000, MiBench, CommBench  Binary rewriter (for comparison)  Statically insert DISE instrumentation code ±No optimization, but not a lot of opportunity either

DISE Return Address Protection -- Marc Corliss23 Performance Overhead  DISE overhead reasonable  XOR less than 10%, MFI less than 35%  DISE outperforms BR  BR has additional I$ misses

DISE Return Address Protection -- Marc Corliss24 Conclusion  DISE return address protection effective +No false negatives, no false positives  Advantages over binary rewriter +Efficient, transparent, declarative interface  Advantages over custom hardware +General-purpose, flexible  Future work  Other security-related applications using DISE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.