N-Variant Systems A Secretless Framework for Security through Diversity Institute of Software Chinese Academy of Sciences 29 May 2006 David Evans

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
1 Operating Systems and Protection CS Goals of Today’s Lecture How multiple programs can run at once  Processes  Context switching  Process.
PC hardware and x86 3/3/08 Frans Kaashoek MIT
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
User-Level Interprocess Communication for Shared Memory Multiprocessors Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.
David Evans University of Virginia Computer Security Research CS696 Fall September 2007.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
System Calls 1.
Address Space Layout Permutation
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
6.828: PC hardware and x86 Frans Kaashoek
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
Promising Breaks and Breaking Promises David Evans University of Virginia Program Analysis in Theory and Practice.
CS533 Concepts of Operating Systems Jonathan Walpole.
Mitigation of Buffer Overflow Attacks
Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University of Virginia Computer Science.
The N-Variant Systems Framework Polygraphing Processes for Secretless Security University of Texas at San Antonio 4 October 2005 David Evans
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
1 Redundant Computing for Security David Evans University of Virginia TRUST Seminar UC Berkeley 25 September 2008 Work with Ben Cox, Anh Nguyen-Tuong,
CISC Machine Learning for Solving Systems Problems Presented by: Sandeep Dept of Computer & Information Sciences University of Delaware Detection.
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.
Where’s the FEEB? Effectiveness of Instruction Set Randomization CERIAS Security Seminar Purdue University 9 March 2005 David Evans University of Virginia.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.
Processes and Virtual Memory
Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.
G ENESIS: Security Through Software Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi Wang Carnegie.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
N-Variant Systems A Secretless Framework for Security through Diversity Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson,
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
1 Redundant Computing for Security David Evans University of Virginia Yahoo! Tech Talk 16 October 2008 Work with Ben Cox, Anh Nguyen-Tuong, Jonathan Rowanhill,
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Chapter 8 String Operations. 8.1 Using String Instructions.
Introduction to Information Security
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Introduction to Information Security
The Hardware/Software Interface CSE351 Winter 2013
University of Virginia
The Effectiveness of Instruction Set Randomization
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Defeating Instruction Set Randomization Nora Sovarel
Stealing Secrets and Secretless Security Structures
Fundamentals of Computer Organisation & Architecture
        Jefferson’s Polygraph
Practical Session 4.
CSE 451: Operating Systems Autumn 2005 Memory Management
System Calls David Ferry CSCI 3500 – Operating Systems
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
Foundations and Definitions
Computer Architecture and System Programming Laboratory
Presentation transcript:

N-Variant Systems A Secretless Framework for Security through Diversity Institute of Software Chinese Academy of Sciences 29 May 2006 David Evans University of Virginia Computer Science

2 Security Through Diversity Today’s Computing Monoculture –Exploit can compromise billions of machines since they are all running the same software Biology’s Solution: Diversity –Members of a species are different enough that some are immune Computer security research: [Cohen 92], [Forrest + 97], [Cowan ], [Barrantes ], [Kc ], [Bhatkar ], [Just ], [Bhatkar, Sekar, DuVarney 2005]

3 Instruction Set Randomization [Barrantes+, CCS 03] [Kc+, CCS 03] Code injection attacks depend on knowing the victim machine’s instruction set Defuse them all by making instruction sets different and secret –It is expensive to design new ISAs and build new microprocessors

4 Derandomizer Processor Automating ISR Randomizer Secret Key Original Code Original Executable Randomized Executable

5 Derandomizer Processor ISR Defuses Attacks Randomizer Secret Key Original Executable Randomized Executable Malicious Injected Code Broken Malicious Code

How secure is ISR? Where’s the FEEB? Effectiveness of Instruction Set Randomization. Ana Nora Sovarel, David Evans and Nathanael Paul. USENIX Security Symposium, August Serpentine Wall, Charlottesville, USA Great Wall Beijing

7 ISR Attack Attack Client ISR-protected Server Incorrect Guess Crash! Attack Client Correct Guess ISR-protected Server Observable Behavior

8 Server Requirements Vulnerable: buffer overflow is fine Able to make repeated guesses –No rerandomization after crash –Likely if server forks requests (Apache) Observable: notice server crashes Cryptanalyzable –Learn key from one ciphertext-plaintext pair –Easy with XOR

9 Jump Attack JMP -2 (0xEBFE): jump offset -2 –2-byte instruction: up to 2 16 guesses –Produces infinite loop Incorrect guess usually crashes server

10 Jump Attack Vulnerable Buffer Overwritten Return Address 0xEB (JMP) 0xFE (-2) Unknown Masks Correct guess produces infinite loop 2 16 possible guesses for 2-byte instruction

11 Incremental Jump Attack Guessing next byte: < 256 attempts Vulnerable Buffer Overwritten Return Address 0xEB (JMP) 0xFE (-2) Unknown Masks Guessing first 2 byte masks Overwritten Return Address 0xEB (JMP) 0xFE (-2) Unknown Masks 0xCD (INT) Guessed Masks

12 Guess Outcomes Observe “Correct” Behavior Observe “Incorrect” Behavior Correct GuessSuccessFalse Negative Incorrect Guess False PositiveProgress

13 False Positives Injected bytes produce an infinite loop: –JMP -4 –JNZ -2 Injected bytes are “harmless”, later instruction causes infinite loop

14 False Positives – Good News Can distinguish correct mask using other instructions Try injecting a “harmless” one-byte instruction –Correct: get loop –Incorrect: usually crashes Difficulty: dense opcodes Overwritten Return Address 0x90 (NOOP) 0xEB (JMP) Unknown Masks 0xFE (-2) Guessed Masks

15 False Positives – Better News False positives are not random –Conditional jump instructions –Opcodes All are complementary pairs: 0111 xyz a not taken  0111 xyz ā is! 32 guesses must find an infinite loop, about 8 more guesses to learn correct mask

16 Extended Attack “Crash Zone” Overwritten Return Address 0xCD (INT) 0xE9 (Near Jump) 32-bit offset (to jump to original return address) 0xCD (INT) 0x06 (offset) 0xEB (JMP) Near jump to return location –Execution continues normally –No infinite loops 0xCD 0xCD is interrupt instruction guaranteed to crash

17 Expected Attempts ~ 15½ to find first jumping instruction + ~ 8 to determine correct mask 23½ expected attempts per byte “Crash Zone” Overwritten Return Address 0xCD (INT) 0xE9 ( Near Jump ) 32-bit offset (to jump to original return address) 0xCD (INT) 0x06 (offset) 0xEB (JMP)

18 Experiments Implemented attack against constructed vulnerable server protected with RISE [Barrantes et. al, 2003] –Need to modify RISE to ensure child processes have same key Obtain correct key over 95% of the time –4 byte key in 3½ minutes –4096 bytes in 48 minutes (>100,000 guess attempts) Is this good enough?

19 How many key bytes needed? Inject malcode in one ISR- protected host –Sapphire worm = 376 bytes Create a worm that spreads on a network of ISR-protected servers –Space for our code: 34,723 bytes –Need to crash server ~800K times

20 Maybe less…? VMWare: 3,530,821 bytes Java VM: 135,328 bytes MicroVM: 100 bytes

21 Entire MicroVM Code push dword ebpmov ebp, WORM_ADDRESS + WORM_REG_OFFSET pop dword [ebp + WORM_DATA_OFFSET] xor eax, eax ; WormIP = 0 (load from ebp + eax) read_more_worm: ; read NUM_BYTES at a time until worm is done cld xor ecx, ecx mov byte cl, NUM_BYTES mov dword esi, WORM_ADDRESS ; get saved WormIP add dword esi, eax mov edi, begin_worm_exec rep movsb; copies next Worm block into execution buffer add eax, NUM_BYTES ; change WormIP pushad ; save register vals mov edi, dword [ebp] ; restore worm registers mov esi, dword [ebp + ESI_OFFSET] mov ebx, dword [ebp + EBX_OFFSET] mov edx, dword [ebp + EDX_OFFSET] mov ecx, dword [ebp + ECX_OFFSET] mov eax, dword [ebp + EAX_OFFSET] begin_worm_exec: ; this is the worm execution buffer nop nop nop nop nop nop nop nop nop nop nop nop mov [ebp], edi; save worm registers mov [ebp + ESI_OFFSET], esi mov [ebp + EBX_OFFSET], ebx mov [ebp + EDX_OFFSET], edx mov [ebp + ECX_OFFSET], ecx mov [ebp + EAX_OFFSET], eax popad ; restore microVM register vals jmp read_more_worm

22 save worm address in ebp move stack frame pointer WormIP  0 copy worm code into buffer update WormIP save MicroVM registers load worm registers 22-byte worm execution buffer save worm registers load MicroVM registers jmp to read next block saved registers worm code host key masks guessed (target) masks other worm data Learned Key Bytes 76 bytes of code + 22 bytes for execution + 2 bytes to avoid NULL = 100 bytes is enough > 99% of the time MicroVM Worm code must be coded in blocks that fit into execution buffer (pad with noops so instructions do not cross block boundaries)

23 Deploying a Worm Learn 100 key bytes to inject MicroVM –Median time: 311 seconds, 8422 attempts –Fast enough for a worm to spread effectively Inject pre-encrypted worm code –XORed with the known key at location –Insert NOOPs to avoid NULLs Inject key bytes –Needed to propagate worm

24 Preventing Attack: Break Attack Requirements Vulnerable: eliminate vulnerabilities –Rewrite all your code in a type safe language Able to make repeated guesses –Rerandomize after crash Observable: notice server crashes –Maintain client socket after crash? Cryptanalyzable –Use a strong cipher like AES instead of XOR

25 Better Solution Avoid secrets! –Keeping them is hard –They can be broken or stolen Prove security properties without relying on assumptions about secrets or probabilistic arguments

26 N-Variant Systems: A Secretless Framework for Security through Diversity To appear in USENIX Security Symposium, August Benjamin Cox, David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong, and Jason Hiser.

27 Thomas Jefferson’s Polygraph Lie Detector Polygraph

28 Thomas Jefferson Author of “Declaration of Independence” 3 rd President of United States Cryptographer, scientist, architect

29 University of Virginia Charlottesville, Virginia, USA Founded by Thomas Jefferson, 1819

30 Computer Science at UVa Strong research groups in: –Security (me, Jack Davidson, Anita Jones, Alf Weaver) –Software Engineering (me, Mary Lou Soffa, John Knight) –Architecture (Gurumurthi, Skadron) –Sensor Networks (Stankovic) –Theory (Mishra) –Graphics (Humphreys) 75 PhD students

Variant System Input (Possibly Malicious) Server Variant 0 Server Variant 1 Monitor Output Polygrapher

32 N-Version N-Variant Programming Systems Multiple teams of programmers implement same spec Voter compares results and selects most common No guarantees: teams may make same mistake Transformer automatically produces diverse variants Monitor compares results and detects attack Guarantees: variants behave differently on particular input classes [Avizienis & Chen, 1977]

33 N-Variant System Framework Polygrapher –Replicates input to all variants Variants –N processes implement the same service –Vary property you hope attack depends on: memory locations, instruction set, file names, system call numbers, scheduler, calling convention, … Variant 0 Variant 1 Monitor Poly- grapher Monitor –Observes variants –Delays effects until all variants agree –Starts recovery if variants diverge

34 Variants Requirements Detection Property Any attack that compromises Variant 0 causes Variant 1 to “crash” (behave in a way that is noticeably different to the monitor) Normal Equivalence Property Under normal inputs, the variants stay in equivalent states: A 0 (S 0 )  A 1 (S 1 ) Actual states are different, but abstract states are equivalent

35 Memory Partitioning Variation –Variant 0: addresses all start with 0 –Variant 1: addresses all start with 1 Normal Equivalence –Map addresses to same address space Detection Property –Any absolute load/store is invalid on one of the variants

36 Instruction Set Tagging Variation: add an extra bit to all opcodes –Variation 0: tag bit is a 0 –Variation 1: tag bit is a 1 –At run-time check bit and remove it Low-overhead software dynamic translation using Strata [Scott, et al., CGO 2003] Normal Equivalence: Remove the tag bits Detection Property –Any (tagged) opcode is invalid on one variant –Injected code (identical on both) cannot run on both

37 Implementing N-Variant Systems Competing goals: –Isolation: of monitor, polygrapher, variants –Synchronization: variants must maintain normal equivalence (nondeterminism) –Performance: latency (wait for all variants to finish) and throughput (increased load) Two implementations: –Divert Sockets (prioritizes isolation over others) –Kernel modification (sacrifices isolation for others)

38 Kernel Modification Implementation Modify process table to record variants Create new fork routine to launch variants Intercept system calls: –289 calls in Linux –Check parameters are the same for all variants –Make call once

39 Wrapping System Calls I/O system calls (process interacts with external state) (e.g., open, read, write) –Make call once, send same result to all variants Process system calls (e.g, fork, execve, wait) –Make call once per variant, adjusted accordingly Dangerous: –mmap: each variant maps segment into own address space, only allow MAP_ANONYMOUS (shared segment not mapped to a file) and MAP_PRIVATE (writes do not go back to file) –execve: cannot allow

40 System Call Wrapper Example ssize_t sys_read(int fd, const void *buf, size_t count) { if (hasSibling (current)) { record that this variant process entered call if (!inSystemCall (current->sibling)) { // this variant is first save parameters sleep // sibling will wake us up get result and copy *buf data back into address space return result; } else if (currentSystemCall (current->sibling) == SYS_READ) { // I’m second variant, sibling is waiting if (parameters match) { // match depends on variation perform system call save result and data in kernel buffer wake up sibling return result; } else { DIVERGENCE ERROR! DIVERGENCE ERROR! } } else { // sibling is in a different system call! DIVERGENCE ERROR! } }... }

41 Overhead Description Unmodified Apache, unmodified kernel 2-variant system, address space partitioning 2-variant system, instruction tagging Unloaded Throughput (MB/s) Latency (ms) Loaded Throughput (MB/s) Latency (ms) Results for Apache running WebBench 5.0 benchmark Latency increases ~18% Throughput 36% of original

42 Summary Producing artificial diversity is easy –Defeats undetermined adversaries Keeping secrets is hard –Remote attacker can break ISR-protected server in < 6 minutes N-variant systems framework offers provable (but expensive) defense –Effectiveness depends on whether variations vary things that matter to attack

43 Diversity depends on your perspective From my USENIX Security 2004 Talk, What Biology Can (and Can’t) Teach us about Security

44 Questions? Links: Contributors: Ben Cox, Jack Davidson, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Ana Nora Sovarel, Anh Nguyen ‑ Tuong, Nate Paul, Jonathan Rowanhill Funding: National Science Foundation, DARPA