Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania."— Presentation transcript:

1 Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania

2 DISE Return Address Protection -- Marc Corliss2 Overview  Prevent stack-smashing attacks  Old approach, new implementation  Dynamic Instruction Stream Editing (DISE)

3 DISE Return Address Protection -- Marc Corliss3 Stack-Smashing Attacks stack pointer stack strcpy(A, input_string); return address A[64] input_string &input_string

4 DISE Return Address Protection -- Marc Corliss4 Stack-Smashing is a Problem  Some famous stack-smashing attacks  Internet worm, 1987  NCSA HP-UX 1.3 web server breach, 1994  Slammer worm, 2003  Blaster worm, 2003

5 DISE Return Address Protection -- Marc Corliss5 Solutions  Prevent buffer-overflow in general  Safe languages (e.g. Java, ML)  Range checks (e.g., libSafe)  Prevent return address corruption  Canary: padding word (e.g., StackGuard)  Virtual memory: write protect (e.g., StackGuard)  Shadow stack

6 DISE Return Address Protection -- Marc Corliss6 Talk Outline  Introduction  DISE background  DISE return address protection  Evaluation  Conclusion

7 DISE Return Address Protection -- Marc Corliss7 DISE  Programmable instruction macro-expander  Like hardware SED (DISE = dynamic instruction SED) I$executeDISE appapp' srli r9,4,r1 cmp r1,r2,r1 bne r1,Error store r4,8(r9)  Example: memory fault isolation (MFI)

8 DISE Return Address Protection -- Marc Corliss8 DISE Productions  Production: static rewrite rule T.OPCLASS==store =>srli T.RS,4,dr0 cmp dr0,dr1,dr0 bne dr0,Error T.INST srli r9,4,dr0 cmp dr0,dr1,dr0 bne dr0,Error store r4,8(r9)  Expansion: dynamic instantiation of production Pattern Directive DISE Register Parameterized replacement sequence

9 DISE Return Address Protection -- Marc Corliss9 Talk Outline  Introduction  DISE background  DISE return address protection  Evaluation  Conclusion

10 DISE Return Address Protection -- Marc Corliss10 Shadow Stack Approach stackshadow stack RA RA==RA? shadow stack ptr stack ptr main: RA foo: RA strcpy: RA

11 DISE Return Address Protection -- Marc Corliss11 DISE Implementation  At call instructions  Push return address on shadow stack  At return instructions  Pop address from shadow stack  Verify shadow address equals return address

12 DISE Return Address Protection -- Marc Corliss12 Protection Productions T.OPCLASS==call =>add T.PC,4,dr0 # compute RA add dssp,8,dssp # push it on  store dr0,-8(dssp) #  shadow stack T.INST # perform call T.OPCLASS==return =>load dr0,-8(dssp) # pop RA from  add dssp,-8,dssp #  shadow stack cmpne T.RS,dr0,dr0 # cmp to actual RA ccall dr0,Error # diff? then error T.INST # perform return RA1 dssp RA2 RA3 Shadow stack:

13 DISE Return Address Protection -- Marc Corliss13 Implementation Issues  Discussed in this talk  Handling non-local returns  Protecting shadow stack itself  Discussed in the paper  Expanding DISE memory  Protecting DISE productions

14 DISE Return Address Protection -- Marc Corliss14 Non-Local Returns  Problem: Exceptions, setjmp/longjmp  Cut the stack  Previous solution: pop shadow stack until match –Attacker can simulate longjmp  Ours: store stack pointer (SP) on shadow stack +SP is unique in caller stack, not-smashable  Pop shadow stack until RA & SP match RA1 dssp RA2 RA3 New shadow stack: SP1 SP2 SP3

15 DISE Return Address Protection -- Marc Corliss15 New Productions T.OPCLASS==call =>add T.PC,4,dr0 # compute RA add dssp,16,dssp # push it on  store dr0,-8(dssp) #  shadow stack store sp,-16(dssp) #  along w/ stack ptr cmp dssp,darp,dr0 # stack full? ccall dr0,expand # yes, expand stack T.INST # perform call T.OPCLASS==return =>load dr0,-8(dssp) # pop RA from  add dssp,-16,dssp #  shadow stack cmpne T.RS,dr0,dr0 # cmp to actual RA ccall dr0,AddrChk # diff? figure out why T.INST # perform return

16 DISE Return Address Protection -- Marc Corliss16 Protecting the Shadow Stack  What if attack corrupts shadow stack?  One approach: encrypt shadow stack (XOR) T.OPCLASS==call =>add T.PC,4,dr0 # compute RA xor dr0,dxr,dr0 # encrypt address add dssp,16,dssp # push it on  store dr0,-8(dssp) #  shadow stack store sp,-16(dssp) #  along w/ stack ptr T.INST # perform call T.OPCLASS==return =>load dr0,-8(dssp) # pop RA from  add dssp,-16,dssp #  shadow stack xor dr0,dxr,dr0 # decrypt address cmpne T.RS,dr0,dr0 # comp. to actual RA ccall dr0,AddrChk # diff? See what’s up T.INST # perform return

17 DISE Return Address Protection -- Marc Corliss17 Another Approach  Prevent writes to shadow stack (e.g. MFI)  Call/return productions don’t change  New productions for stores T.OPCLASS==store =>srli T.RS,4,dr0 cmp dr0,dr1,dr0 beq dr0,Error T.INST

18 DISE Return Address Protection -- Marc Corliss18 Virtues of Using DISE  Versus dedicated hardware +General-purpose: compression, debug., mfi, etc. +Flexible: new attack, new productions  Versus binary rewriter +Transparent: protect all code inc. DLLs +Declarative interface: security by simplicity +Efficient: in a moment 

19 DISE Return Address Protection -- Marc Corliss19 Talk Outline  Introduction  DISE background  DISE return address protection  Evaluation  Conclusion

20 DISE Return Address Protection -- Marc Corliss20 Evaluation  Correctness  False negatives?  False positives?  Performance  What’s the overhead?  How does it compare to alternatives?

21 DISE Return Address Protection -- Marc Corliss21 Correctness  Attacking inputs detected  overflow1 (micro-benchmark)  sendmail-8.7.5  gzip-1.2.4  No false positives with non-attacking inputs

22 DISE Return Address Protection -- Marc Corliss22 Performance Methodology  SimpleScalar Alpha  Benchmarks  SPEC Int 2000, MiBench, CommBench  Binary rewriter (for comparison)  Statically insert DISE instrumentation code ±No optimization, but not a lot of opportunity either

23 DISE Return Address Protection -- Marc Corliss23 Performance Overhead  DISE overhead reasonable  XOR less than 10%, MFI less than 35%  DISE outperforms BR  BR has additional I$ misses

24 DISE Return Address Protection -- Marc Corliss24 Conclusion  DISE return address protection effective +No false negatives, no false positives  Advantages over binary rewriter +Efficient, transparent, declarative interface  Advantages over custom hardware +General-purpose, flexible  Future work  Other security-related applications using DISE

Download ppt "Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania."

Similar presentations

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Corliss, Lewis, + Roth ISCA-30 DISE: A Programmable Macro Engine for Customizing Applications Marc Corliss, E Lewis, Amir Roth University of Pennsylvania.

Corliss, Lewis, + Roth ISCA-30 DISE: A Programmable Macro Engine for Customizing Applications Marc Corliss, E Lewis, Amir Roth University of Pennsylvania.
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Safeguarding and Charging for Information on the Internet Hector Garcia-Molina, Steven P. Ketchpel, Narayanan Shivakumar Stanford University Presented.

Safeguarding and Charging for Information on the Internet Hector Garcia-Molina, Steven P. Ketchpel, Narayanan Shivakumar Stanford University Presented.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
1 DISE: A Programmable Macro Engine for Customizing Applications Marc Corliss, E Lewis, Amir Roth (U Penn), ISCA 2003 DISE (Dynamic Instruction Steam Editing)

1 DISE: A Programmable Macro Engine for Customizing Applications Marc Corliss, E Lewis, Amir Roth (U Penn), ISCA 2003 DISE (Dynamic Instruction Steam Editing)
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Low Overhead Debugging with DISE Marc L. CorlissE Christopher LewisAmir Roth Department of Computer and Information Science University of Pennsylvania.

Low Overhead Debugging with DISE Marc L. CorlissE Christopher LewisAmir Roth Department of Computer and Information Science University of Pennsylvania.
Intro to Computer Architecture

Intro to Computer Architecture
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

Similar presentations

Ads by Google