
1 Protecting C and C++ programs from current and future code injection attacks
Yves Younan, Wouter Joosen and Frank Piessens
DistriNet, Department of Computer Science, Katholieke Universiteit Leuven, Belgium
Yves.Younan@cs.kuleuven.ac.be

2 Yves Younan - Protecting C and C++ programs from current and future code injection attacks - October 25, 2005
Overview
 Introduction
 Code injection attacks
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

3 Introduction
 Code injection attacks: foreign code is injected into the application and executed
 Still a major security problem: 24 of the 28 CERT advisories in 2003 were related to code injection
 Attackers are using more advanced techniques to bypass countermeasures
 Current countermeasures are often built in an ad hoc manner
 A more structured approach to designing countermeasures is needed

4 Overview
 Introduction
 Code injection attacks
   First wave
   Second wave
   Third wave
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

5 First wave: stack-based buffer overflows
 The attacker gives code as input to the program, and the program stores it as data.
 The attacker then overflows the bounds of a stack-allocated array and overwrites the return address.
 When the function returns, the injected code is executed.
 Countermeasure: StackGuard (Cowan et al.) places a random 32-bit value (the canary) before the return address and checks it before returning; a contiguous overflow that reaches the return address must also destroy the canary.
 Attackers developed indirect pointer overwriting (IPO) to bypass the countermeasure: the overflow overwrites a pointer stored below the canary, and a later write through that pointer modifies the return address without touching the canary.
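The following C program is an added illustration of this slide, not code from the slides or from the authors. It simulates the frame of a vulnerable function as a global struct (standing in for a stack frame at a predictable address), with a fixed canary value and made-up code addresses, all of which are assumptions of the simulation. A first-wave overflow that reaches the return address trips the StackGuard check; an IPO payload stops short of the canary, redirects a pointer local at the return address, and lets the function's own later store do the overwrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, low addresses first: the array the attacker overflows, a
   pointer local, the StackGuard canary, the saved frame pointer and the return
   address.  A global stands in for the stack frame; the canary and the code
   addresses are made-up constants (StackGuard draws the canary at random). */
#define BUF_SIZE 16
#define CANARY   0xC0DE2005u
#define ORIG_RET 0x08048400u   /* made-up: where the function should return */
#define INJECTED 0xBFFFF000u   /* made-up: where the injected code sits */

struct frame {
    char      buf[BUF_SIZE];
    uint32_t *ptr;             /* later dereferenced for a store: the IPO target */
    uint32_t  canary;
    uint32_t  saved_fp;
    uint32_t  ret_addr;
};

static struct frame g_frame;
static uint32_t     g_scratch;  /* what ptr legitimately points to */

/* One call of the vulnerable function: an unbounded copy of attacker input into
   buf, then an ordinary store through ptr of a value the attacker also controls
   (say, an integer parsed from the same input), then the canary check that
   StackGuard inserts before the return.  Returns 1 if StackGuard aborts, 0 if
   the function returns; *ret_out receives the return address it would use. */
int vulnerable_run(const unsigned char *input, size_t len, uint32_t value, uint32_t *ret_out)
{
    memset(&g_frame, 0, sizeof g_frame);
    g_frame.ptr      = &g_scratch;
    g_frame.canary   = CANARY;
    g_frame.saved_fp = 0xBFFFFF00u;   /* made-up */
    g_frame.ret_addr = ORIG_RET;

    /* The bug: no bound on len.  The simulation clips the copy at the end of
       the frame so it stays inside this object; a real overflow keeps going. */
    if (len > sizeof g_frame) len = sizeof g_frame;
    memcpy(&g_frame, input, len);

    *g_frame.ptr = value;               /* legitimate-looking store through a local pointer */

    *ret_out = g_frame.ret_addr;
    return g_frame.canary != CANARY;    /* StackGuard check at function exit */
}

/* First wave: overwrite everything up to and including the return address.
   The pointer field is kept valid so the store above stays harmless in the
   simulation; a first-wave target need not have such a pointer at all. */
size_t build_smash_payload(unsigned char *out)
{
    uint32_t *keep = &g_scratch;
    uint32_t  ret  = INJECTED;
    memset(out, 'A', sizeof g_frame);
    memcpy(out + offsetof(struct frame, ptr), &keep, sizeof keep);
    memcpy(out + offsetof(struct frame, ret_addr), &ret, sizeof ret);
    return sizeof g_frame;
}

/* Indirect pointer overwrite: stop right after ptr so the canary is untouched,
   and make ptr point at the return address; the function's own store then
   writes the attacker's value there. */
size_t build_ipo_payload(unsigned char *out)
{
    uint32_t *target = &g_frame.ret_addr;
    memset(out, 'A', offsetof(struct frame, ptr));
    memcpy(out + offsetof(struct frame, ptr), &target, sizeof target);
    return offsetof(struct frame, ptr) + sizeof target;
}

/* 1 if StackGuard catches the first-wave attack. */
int smash_detected(void)
{
    unsigned char p[sizeof(struct frame)];
    uint32_t ret;
    size_t n = build_smash_payload(p);
    return vulnerable_run(p, n, 7, &ret);
}

/* Return address used after the IPO attack, or 0 if StackGuard aborted. */
uint32_t ipo_ret_addr(void)
{
    unsigned char p[sizeof(struct frame)];
    uint32_t ret;
    size_t n = build_ipo_payload(p);
    return vulnerable_run(p, n, INJECTED, &ret) ? 0 : ret;
}

/* Return address after a benign input. */
uint32_t benign_ret_addr(void)
{
    uint32_t ret;
    return vulnerable_run((const unsigned char *)"hello", 6, 7, &ret) ? 0 : ret;
}

int main(void)
{
    printf("first wave: StackGuard %s\n", smash_detected() ? "aborts" : "misses");
    printf("IPO: returns to 0x%08x, injected code at 0x%08x\n", ipo_ret_addr(), INJECTED);
    return 0;
}
```

The IPO payload never writes past the pointer local, so the canary check passes and the function "returns" to the injected code; this is why the slides argue for separating control data and pointers from regular data rather than guarding a single location.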

6 Second wave: heap-based attacks
 Dynamically allocated memory: no return addresses to overwrite
 IPO or function pointer overwriting instead
 Overwrite the memory management information (chunk headers) to perform an indirect pointer overwrite
 Exploitable with a heap overflow or with a dangling pointer reference (double free)
 Some allocators can be misused by overflowing just 1 byte

7 Doug Lea's malloc
[Figure: dlmalloc chunk layout, addresses increasing upwards. Chunk1 (in use): size of prev chunk, size of chunk1, user data. Chunk2, Chunk3 and Chunk4 (free): size of previous chunk, size of chunk, old user data whose first words hold a forward pointer and a backward pointer linking the free chunks.]

8 Heap-based buffer overflows
[Figure: same layout as slide 7. The overflow from Chunk1's user data runs into Chunk2's header and overwrites its forward and backward pointers so that they point at the return address on the stack and at the injected code; when Chunk2 is unlinked from the free list, the return address is overwritten with the address of the injected code.]

9 Heap vulnerabilities
 Attacks for heap-based buffer overflows and double frees exist for other memory allocators as well:
   CSRI (overflow)
   Quickfit (overflow)
   Phkmalloc (overflow)
   Boehm's garbage collector (overflow, double free)

10 Second wave (continued)
 Overflows in the data section (contains global and static compile-time initialized data)
 Overflows in the bss section (contains global and static uninitialized data)
 Can be used to overwrite execution abstractions that the runtime environment relies on

11 Third wave
 Integer errors
   Integer signedness errors
   Integer overflows
 Format string vulnerabilities
 Fourth wave?

12 Overview
 Introduction
 Code injection attacks
 Model-based countermeasure design
   Machine model
   A partial machine model of dlmalloc
   Countermeasure based on the machine model
   A countermeasure for dlmalloc
 Metamodel and methodology
 Conclusion

13 Model-based countermeasure design
 Most countermeasures use an ad hoc approach when protecting applications
 Attackers are using more advanced techniques to bypass them
 A more methodical approach is needed to combat code injection attacks
 Building a model of the execution environment allows us to evaluate which memory locations to protect

14 Machine model
 Addresses and abstractions of control flow
 Addresses that could lead to IPO
 Contextual information:
   What is used when
   What operations are performed

15 Countermeasures based on the machine model
 Most architectures separate code from data
 Apply a similar approach to data: separate control-flow information from regular data
 Requires several far-reaching changes to the memory layout of the process
 Design is aided by the machine model

16 Countermeasures based on the machine model
 Built a machine model for Linux on the Intel architecture
 Designed a modified machine model for the memory allocator
 Implemented the separation of management information from chunk data
 Implementation was named DistriNet malloc (dnmalloc)
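The C program below is an added example covering both the dlmalloc attack of slides 6 to 8 and the separation idea of this slide; it is a toy model written for this page, not dlmalloc's or dnmalloc's code. It assumes a simplified chunk (a size word followed by user data, with the free-list links overlaying the data of a free chunk), a single doubly linked bin, and only the unlink() step of free(); a pointer variable stands in for a return address and a byte array for the injected code. With in-line headers, an overflow of chunk 0's user data plants fake links in chunk 1 and unlink() writes the injected-code address into the target. With headers kept in a separate table, the same overflow only clobbers the neighbour's data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the slide's heap: chunk 0 in use, chunks 1 and 2 free on one
   doubly linked bin.  Only dlmalloc's unlink() step is modelled; prev_size,
   the in-use bit and the real free() are omitted. */
#define DATA_BYTES 32
#define NCHUNKS    3

struct chunk {
    size_t size;
    union {
        unsigned char data[DATA_BYTES];             /* user data while allocated */
        struct { struct chunk *fd, *bk; } link;     /* free-list links overlay it when free */
    } u;
};

/* dlmalloc's unlink(): two stores steered entirely by P's own fd and bk. */
static void unlink_chunk(struct chunk *p)
{
    struct chunk *fd = p->u.link.fd, *bk = p->u.link.bk;
    fd->u.link.bk = bk;     /* with fake links: *(target) = bk */
    bk->u.link.fd = fd;     /* and fd lands inside the injected code, whose first bytes must jump over it */
}

static void link_bin(struct chunk *bin, struct chunk *c1, struct chunk *c2)
{   /* bin <-> c1 <-> c2 <-> bin */
    bin->u.link.fd = c1;  c1->u.link.bk  = bin;
    c1->u.link.fd  = c2;  c2->u.link.bk  = c1;
    c2->u.link.fd  = bin; bin->u.link.bk = c2;
}

static struct chunk  bin;
static struct chunk *saved_ret_slot;            /* stands for a return address or function pointer */
static unsigned char shellcode[DATA_BYTES];     /* stands for the injected code */

/* Overflow payload: fill chunk 0's data, keep chunk 1's size field sane, then
   fake fd/bk so that unlink(chunk 1) writes &shellcode into saved_ret_slot. */
static size_t build_payload(unsigned char *out)
{
    struct chunk *fd = (struct chunk *)((unsigned char *)&saved_ret_slot
                                        - offsetof(struct chunk, u.link.bk));
    struct chunk *bk = (struct chunk *)shellcode;
    size_t sz = sizeof(struct chunk), n = 0;
    memset(out, 'A', DATA_BYTES);        n += DATA_BYTES;
    memcpy(out + n, &sz, sizeof sz);     n += sizeof sz;
    memcpy(out + n, &fd, sizeof fd);     n += sizeof fd;
    memcpy(out + n, &bk, sizeof bk);     n += sizeof bk;
    return n;
}

/* Layout 1, dlmalloc-style: headers in line with user data. */
static union { unsigned char bytes[NCHUNKS * sizeof(struct chunk)]; struct chunk align; } heap;
#define CHUNK(i) ((struct chunk *)(heap.bytes + (i) * sizeof(struct chunk)))

int inline_layout_hijacked(void)
{
    unsigned char payload[2 * sizeof(struct chunk)];
    size_t n = build_payload(payload);
    saved_ret_slot = NULL;
    memset(&heap, 0, sizeof heap);
    for (int i = 0; i < NCHUNKS; i++) CHUNK(i)->size = sizeof(struct chunk);
    link_bin(&bin, CHUNK(1), CHUNK(2));
    /* the bug: n > DATA_BYTES bytes copied into chunk 0's data, spilling into chunk 1's header */
    memcpy(heap.bytes + offsetof(struct chunk, u), payload, n);
    /* free(chunk 0): the next chunk is free, so it is unlinked before coalescing */
    unlink_chunk(CHUNK(1));
    return saved_ret_slot == (struct chunk *)shellcode;
}

/* Layout 2, the dnmalloc idea: headers in their own table, user data in a plain
   region, so the same overflow only reaches the neighbour's data. */
static struct chunk  info[NCHUNKS];
static unsigned char region[NCHUNKS * DATA_BYTES];

int separated_layout_hijacked(void)
{
    unsigned char payload[2 * sizeof(struct chunk)];
    size_t n = build_payload(payload);
    saved_ret_slot = NULL;
    memset(region, 0, sizeof region);
    for (int i = 0; i < NCHUNKS; i++) info[i].size = DATA_BYTES;
    link_bin(&bin, &info[1], &info[2]);
    memcpy(region, payload, n);     /* same overflow: chunk 1's data is clobbered, its links are not */
    unlink_chunk(&info[1]);         /* ordinary list surgery */
    return saved_ret_slot == (struct chunk *)shellcode || bin.u.link.fd != &info[2];
}

int main(void)
{
    printf("in-line headers (dlmalloc):   hijacked = %d\n", inline_layout_hijacked());
    printf("separate headers (dnmalloc):  hijacked = %d\n", separated_layout_hijacked());
    return 0;
}
```

The point of the second layout is not that unlink() became safer: it performs exactly the same two stores. What changed is that the overflow can no longer reach the words unlink() trusts, which is the separation of management information from chunk data that dnmalloc implements.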

17 Machine model for dlmalloc
[Figure: partial machine model of dlmalloc; diagram not recoverable from the transcript.]

18 Machine model for dnmalloc
[Figure: machine model of dnmalloc; diagram not recoverable from the transcript.]

19 dlmalloc vs. dnmalloc performance overhead
SPEC CPU2000 results for dlmalloc and dnmalloc (13 runs on 8 identical PCs (P4 2.8 GHz, 512 MB) = 104 runs)

Program   dlmalloc runtime (± stderr)   dnmalloc runtime (± stderr)   Overhead
gzip      253    (± 0)                  255.98 (± 0.01)               1.18%
vpr       360.93 (± 0.16)               360.55 (± 0.13)               -0.11%
gcc       153.93 (± 0.05)               154.76 (± 0.04)               0.54%
mcf       287.19 (± 0.07)               290.09 (± 0.07)               1.01%
crafty    253    (± 0)                  254    (± 0)                  0.40%
parser    346.95 (± 0.02)               346.61 (± 0.05)               -0.10%
eon       771.05 (± 0.13)               766.55 (± 0.11)               -0.58%
perlbmk   243.20 (± 0.04)               253.51 (± 0.05)               4.24% (highest)
gap       184.07 (± 0.02)               184    (± 0)                  -0.04%
vortex    250    (± 0)                  258.79 (± 0.04)               3.52%
bzip2     361.64 (± 0.05)               363.26 (± 0.07)               0.45%
twolf     522.48 (± 0.43)               513.27 (± 0.41)               -1.76% (lowest)

20 Countermeasures based on the machine model
 Modify the way the stack is organized: 3 stacks
   Control information: return address, frame pointer, pointers and arrays of pointers (bounds checked)
   Integers and floating-point types
   Regular data
 Work in progress
   Prototype running with 3 stacks
   Preliminary performance results look promising

21 Countermeasure based on the machine model
 Reorganize the data segment
 Memory in the data segment must be reorganized

22 Overview
 Introduction
 Attacks
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

23 Metamodel and methodology
 A machine model is strongly linked to one architecture: limited usefulness on its own
 The metamodel is built as an abstraction of several machine models
 Accompanied by a methodology for building machine models
 Allows reasoning about countermeasures at a very high level of abstraction
 Platform expert: metamodel + methodology: build a machine model
 Security expert: design a countermeasure on a machine model

24 Overview
 Introduction
 Attacks
 Model-based countermeasure design
 Metamodel and methodology
 Conclusion

25 Conclusion
 Many countermeasures can be bypassed using one of the techniques described earlier
 A more structured approach is needed at a higher level of abstraction, using machine models and a metamodel:
   Supports collaboration (platform expert / security expert)
   Less prone to porting errors (uniform representation)
   Better design (easier to notice shortcomings)
   Platform for comparing and evaluating countermeasures
 For more information: papers are available on the SoBeNet user group website

