
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense.



2 Automatic Diagnosis and Response to Memory Corruption Vulnerabilities
Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt
Cyber Defense Laboratory, Department of Computer Science, North Carolina State University
Presenter: Radha Maldhure for CDA 6133 Spring’08

3 Overview
Memory Corruption
Address Space Randomization
System Overview
System Architecture
State Transition of Program
Diagnosis
Signature Generation
Experimental Evaluation
Contribution
Weakness
Suggestions
References

4 Memory Corruption
Memory locations are unintentionally modified due to programming errors
Attack:
–A successful attack allows remote code execution
–An unsuccessful attack causes a program crash or strange program behavior
Most popular means of taking control of a target system
Types: buffer overflow, integer overflow

5 Memory Corruption: Example
Memory corruption by buffer overflow
[Figure: process memory layout for program X, where User_input() is some routine in X. The stack frame for User_input() holds the local buffer, local variables and the return address; the attacker's packet overflows the local buffer and replaces the return address with the address of the attacker's code.]

6 Address Space Randomization
[Figure: normal memory layout next to the memory layout with randomization on. The same items (code, return address, argument, local variables, local buffer) sit at different addresses in the two layouts, e.g. 2000 versus 4000.]

7 Example: Memory corruption with ASR
Memory corruption by buffer overflow
The return address points to the wrong memory location: CRASH!!!
[Figure: stack frame (code, return address, argument, local variables, local buffer) after the overflow; the overwritten return address no longer matches the randomized layout.]

8 System Overview

9 System Architecture

10 Terms needed for Model
Some definitions:
Memory attack = a sequence of corrupting instructions
Corrupting instruction (c) = an instruction tricked into overwriting critical program data
Initial corrupting instruction (i) = the corrupting instruction that writes program data derived from the network input
Take-over instruction (t) = a control flow transfer instruction
Faulting instruction (f) = the instruction that causes the process to crash

11 State Transition of a randomized program under memory corruption attack
[State transition diagram. States: Normal, Critical Data Corruption, Inconsistent Execution, Security Compromise, Crash. Labelled transitions:
–initial corrupting instruction c, with c = f: Normal to Crash (Case 1)
–initial corrupting instruction c: Normal to Critical Data Corruption
–non-take-over instruction k with incorrect address prediction, k = f: Crash (Case 2)
–take-over instruction t with incorrect address prediction, t = f: Crash (Case 3)
–take-over instruction t with correct address prediction: Security Compromise, followed later by a faulting instruction f and Crash (Case 4)]

12 Case 1
Sample program:
    int foo(int b, int *c) {
        char buf[10];
        GetUserName(buf);
        (*c)++;
        return *c;
    }
Input to GetUserName() is large. This causes a buffer overflow that accesses an illegal memory location, and hence the system crashes!!!!
[Figure: stack frame with buf, b and c; the oversized input spills past buf.]
The corrupting instruction is the faulting instruction (c = f).

13 Case 2
The attack corrupts some critical data without a crash. However, the process crashes when executing a non-take-over instruction.
Same sample program as Case 1 (foo with buf, GetUserName(buf), (*c)++).
[Figure: stack frame with buf, b and c after the overflow; c now holds 0000.]
The program crashes as the third statement, (*c)++, executes!!

14 Case 3
[Figure: stack frame with buf, b, c (0000, 20) and the return address; the overwritten return address makes the program Jmp 4000, and 4000 is invalid memory.]
The take-over instruction is the faulting instruction.

15 Case 4
[Figure: the same stack frame as Case 3, with the overwritten return address giving Jmp 4000 and 4000 marked as invalid memory.]
The program successfully executes the take-over instruction and continues to execute for some time before the crash.

16 Diagnosis
Who? The monitor and diagnosis engine, triggered by a memory access violation exception
How?
–Identifying the faulting instruction
–Converting Case 4 crashes
–Tracing the corrupting instruction

17 Identifying faulting Instruction
Goal: find the address of the faulting instruction f
Two cases:
–Simple case: f = the instruction preceding the current PC
–Complex case: f = an indirect control flow transfer instruction, and PC = the invalid memory address that causes the access violation
If it is not the complex case then it is the simple case!!

18 Complex case
C = {m} = the indirect control flow transfer instructions in the program
Decode and compute the target address a for each m
[Figure: instruction m with computed target a; a = current PC register]
Use breakpoints on these instructions and keep the instruction f = the last such instruction executed before the memory access violation

19 Converting Case 4
Eliminate the possibility of a Case 4 crash
–There is no way to differentiate Case 4 from the other cases from the crash alone
–Use random re-execution
–Convert to the other cases

20 Converting Case 4 (contd.)
[Figure: Memory Layout A: Jmp 4000 succeeds, Case 4. Memory Layout B: 4000 is made invalid, so the take-over instruction t (Jmp 4000) raises a memory access violation exception and the crash is converted to Case 3, or to Case 1 or Case 2.]
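The diagnosis steps of slides 11, 17-18 and 19-20 as an added Python model; this is illustration code, not the paper's prototype. The trace format, mnemonics, addresses and the assumption that the exception reports the faulting instruction's own PC are all constructed here.

```python
"""Toy model of the crash diagnosis on slides 11 and 16-20 (constructed; trace format, opcode names and addresses are assumptions, not the paper's prototype)."""
from dataclasses import dataclass
from typing import Optional

INDIRECT = {"call*", "jmp*", "ret"}  # indirect control-flow transfers = candidate take-over instructions

@dataclass
class Instr:
    addr: int                     # address of the executed instruction
    op: str                       # mnemonic (assumed names)
    target: Optional[int] = None  # runtime target of a control transfer

@dataclass
class Fault:
    pc: int      # program counter reported with the access violation
    access: int  # address whose access was rejected

def is_code(addr: int, code_ranges) -> bool:
    return any(lo <= addr < hi for lo, hi in code_ranges)

def identify_faulting_instruction(trace, fault: Fault, code_ranges) -> Instr:
    """Slides 17/18: simple case while PC is still inside code, complex case otherwise."""
    if is_code(fault.pc, code_ranges):
        # Simple case: this model assumes the exception reports the PC of the instruction that faulted
        return next(i for i in reversed(trace) if i.addr == fault.pc)
    # Complex case: PC itself is invalid, so control reached it through the last indirect transfer whose computed target equals the bad PC
    for instr in reversed(trace):
        if instr.op in INDIRECT and instr.target == fault.pc:
            return instr
    raise ValueError("no indirect transfer reached the faulting PC")

def classify_case(f: Instr, c: Instr) -> int:
    """Map faulting instruction f onto the cases of slide 11 (Case 4 is invisible here: convert it first)."""
    if f is c:
        return 1  # the corrupting instruction itself faulted (c = f)
    if f.op in INDIRECT:
        return 3  # the take-over instruction jumped to an incorrectly predicted address (t = f)
    return 2      # a later non-take-over instruction used the corrupted data

def convert_case4(trace, code_ranges) -> Optional[Fault]:
    """Slides 19/20: re-execute with non-code memory made inaccessible, so the first transfer into attacker-supplied data faults at once (Case 4 becomes Case 3)."""
    for instr in trace:
        if instr.op in INDIRECT and instr.target is not None and not is_code(instr.target, code_ranges):
            return Fault(pc=instr.target, access=instr.target)
    return None

# Constructed trace of the slide-12 program: the overflowing copy at 0x1004 is c, the (*c)++ store at 0x1008 uses the clobbered pointer, the ret at 0x1010 is the take-over
CODE = [(0x1000, 0x2000)]
C = Instr(0x1004, "rep movs")
TRACE = [Instr(0x1000, "mov"), C, Instr(0x1008, "inc"), Instr(0x1010, "ret", target=0x7FF00)]
```

Feeding the same constructed trace three different faults yields Case 1, Case 2 and, after conversion, Case 3; a crash at a PC no recorded transfer reached raises an error rather than guessing.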

21 Tracing Corrupting Instruction
Basic idea: trace back to the instruction that wrote the corrupted data, and repeat until the data is traced to network input
Not sure how it works!!

22 Signature Generation
Two types:
–Pure message signature: uses a critical byte sequence from the attack; unacceptable false positive rate
–Message signature correlated with program execution state: low false positive rate, speeds up message filtering, high detection rate

23 Experimental Evaluation
Effectiveness of Diagnosis

24 Contribution
Automation improves the efficiency of problem diagnosis
Model for defense and analysis of memory corruption attacks

25 Weaknesses
Address Space Randomization is susceptible to brute-force attacks
Implementation of the suggested prototype requires extensions
Gives little information about the type of memory corruption that occurred
At some points, the explanation is difficult to understand

26 How To Improve
Explanations and diagrams must be accompanied by examples
A few terms, like memory corruption and address space randomization, must be elaborated

27 References
Wikipedia
Address Space Layout Permutation, by Chongkyung Kil

28 QUESTIONS????

