a tough call
play

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary - PowerPoint PPT Presentation

Aug 15, 2022 •320 likes •587 views

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Gkta (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos,

  1. A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Göktaş (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos, Cristiano Giuffrida (VU)

  2. Control-Flow Integrity • Promising way to stop code-reuse attacks • Hard to enforce in practice • Existing binary-level CFI cannot prevent function-reuse attacks (COOP) 2

  3. Control-Flow Integrity • Promising way to stop code-reuse attacks • Hard to enforce in practice • Existing binary-level CFI cannot prevent function-reuse attacks (COOP) TypeArmor • A more precise binary-level CFI solution • Acceptable overhead (3% on SPEC) • Stops all published code-reuse attacks 3

  4. Running example: normal execution Func1() { ... processor() { } ... while (condition) { ... Func2() { ... call fptr } ... } ... Func3() { } ... } 4

  5. Running example: advanced code-reuse Func1() { ... processor() { } ... while (condition) { ... Func2() { ... call fptr } ... } ... Func3() { } ... } 5

  6. Running example: advanced code-reuse Func1() { ... processor() { } ... while (condition) { ... Func2() { ... call fptr } Gadget ... } ... Func3() { } ... Attacker controlled ‘loop gadget’ } Gadget Function-oriented programming 6

  7. Running example: binary-level CFI • Unable to resolve indirect call targets Func1() { ... • Indirect calls may go to any function } processor() { Func2() { ... ... } Gadget while (condition) { ... call fptr Func3() { ... ... } } Gadget ... } Loop gadget 7

  8. Running example: binary-level CFI • Unable to resolve indirect call targets Func1() { ... • Indirect calls may go to any function } processor() { Func2() { ... ... } Gadget while (condition) { ... call fptr Func3() { ... ... } Binary -level } Gadget ... solutions } Loop gadget 8

  9. Running example: source-level CFI • Enforce class hierarchy (VTV) Func1() { ... • Match function argument types (IFCC) } processor() { Func2() { ... ... } Gadget while (condition) { ... call fptr Func3() { ... ... } Source -level } Gadget ... solutions } Loop gadget 9

  10. Running example: TypeArmor • Approximate source-level accuracy Func1() { ... } processor() { Func2() { ... ... } Gadget while (condition) { ... call fptr Func3() { ... ... } } Gadget TypeArmor ... } Loop gadget 10

  11. Running example: TypeArmor • Approximate source-level accuracy Func1() { ... } Not as accurate as source processor() { Func2() { ... ... } Gadget while (condition) { ... call fptr Func3() { ... ... } } Gadget TypeArmor ... } Loop gadget 11

  12. Running example: TypeArmor • Approximate source-level accuracy Func1() { ... } Not as accurate as source processor() { Func2() { ... ... } Gadget while (condition) { ... call fptr Func3() { ... … But still breaking exploits } } Gadget TypeArmor ... } Loop gadget 12

  13. Approximate source-level invariants? Function signature matching by argcount • Extract argument count at callsite • Extract argument usage at callee • Allow only targets with matching function types 13

  14. Approximate source-level invariants? Function signature matching by argcount • Extract argument count at callsite • Extract argument usage at callee • Allow only targets with matching function types Callsites preparing two args should never call functions expecting three or more 14

  15. Approximate source-level invariants? Function signature matching by argcount • Extract argument count at callsite • Extract argument usage at callee • Allow only targets with matching function types Callsites preparing two args should never call functions expecting three or more Implemented for the x86-64 architecture: • Calling convention: pass arguments via registers • Search for write instructions at the callsite • Search for read-before-write instructions at the callee 15

  16. Running example: TypeArmor • Match argument count expectations Func1(arg1,arg2){ return arg1+arg2 } processor() { Func2(arg1,arg2){ return arg1*arg2 ... } while (condition){ arg1 = x arg2 = y Func3(arg1,arg2,arg3){ call fptr( arg1,arg2 ) return arg3-arg1+arg2 ... } } ... } Loop gadget 16

  17. Running example: TypeArmor Expects 2 arguments • Match argument count expectations Func1( arg1,arg2 ){ return arg1+arg2 } processor() { Func2(arg1,arg2){ return arg1*arg2 ... } while (condition){ arg1 = x Prepares 2 arguments arg2 = y Func3(arg1,arg2,arg3){ call fptr( arg1,arg2 ) return arg3-arg1+arg2 ... } } ... } Loop gadget 17

  18. Running example: TypeArmor Expects 2 arguments • Match argument count expectations Func1(arg1,arg2){ return arg1+arg2 } Expects 2 arguments processor() { Func2( arg1,arg2 ){ return arg1*arg2 ... } while (condition){ Working Gadget arg1 = x Prepares 2 arguments arg2 = y Func3(arg1,arg2,arg3){ call fptr( arg1,arg2 ) return arg3-arg1+arg2 ... } } ... } Loop gadget 18

  19. Running example: TypeArmor Expects 2 arguments • Match argument count expectations Func1(arg1,arg2){ return arg1+arg2 } Expects 2 arguments processor() { Func2(arg1,arg2){ return arg1*arg2 ... } while (condition){ Working Gadget arg1 = x Prepares 2 arguments Expects 3 arguments arg2 = y Func3( arg1,arg2,arg3 ){ call fptr( arg1,arg2 ) return arg3-arg1+arg2 ... } Broken Gadget } ... } Loop gadget 19

  20. Precision How accurate can we determine the prepared and used argument count? Callsites Functions Server # As in source # As in source Memcached 48 41 (86%) 236 210 (89%) lighttpd 54 47 (87%) 353 311 (88%) Nginx 218 161 (74%) 1,111 869 (78%) MySQL 7,532 5,771 (77%) 9,961 6,977 (70%) 20

  21. Precision How accurate can we determine the prepared and used argument count? Callsites Functions Server # As in source # As in source Memcached 48 41 (86%) 236 210 (89%) lighttpd 54 47 (87%) 353 311 (88%) Nginx 218 161 (74%) 1,111 869 (78%) MySQL 7,532 5,771 (77%) 9,961 6,977 (70%) 21

  22. Precision How accurate can we determine the prepared and used argument count? Callsites Functions Server # As in source # As in source Memcached 48 41 (86%) 236 210 (89%) lighttpd 54 47 (87%) 353 311 (88%) Nginx 218 161 (74%) 1,111 869 (78%) MySQL 7,532 5,771 (77%) 9,961 6,977 (70%) 22

  23. Running example: TypeArmor • Runtime enforcement ID: 2 Func1(arg1,arg2){ return arg1+arg2 } processor() { ID: 2 Func2(arg1,arg2){ ... return arg1*arg2 while (condition){ } Working Gadget arg1 = x arg2 = y CHECK TARGET: ID <= 2 call fptr(arg1,arg2) ID: 3 ... Func3(arg1,arg2,arg3){ return arg3-arg1+arg2 } } Broken Gadget ... } Loop gadget 23

  24. Performance SPEC CPU2006: less than 3% (geometric mean) 24

  25. Performance SPEC CPU2006: less than 3% (geometric mean) Server Overhead Language Memcached 1.4% C lighttpd 11.6% C Nginx 13.2% C MySQL 23.9% C++ 25

  26. Conclusion • Extract new invariants from binaries • Enforce strictest security policy at binary-level to date • Binary-level CFI solutions can mitigate sophisticated code-reuse attacks • Keep an eye on http://www.vusec.net 26

Recommend

When%the%going%gets%tough% % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%the%tough%get%branding%%

When%the%going%gets%tough% % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%the%tough%get%branding%%

When%the%going%gets%tough% % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%the%tough%get%branding%% Who:%William%Kes5n% % The%CEO%of%the%Australasian%Promo5onal%Product%Associa5on%(APPA)%and%%

463 views • 43 slides
Tough Arches, Tough Access, and Alternate Access Sasko Kedev University Clinic of Cardiology-

Tough Arches, Tough Access, and Alternate Access Sasko Kedev University Clinic of Cardiology-

Carotid Stenting Technique: Tough Arches, Tough Access, and Alternate Access Sasko Kedev University Clinic of Cardiology- Skopje Macedonia Disclosure Statement of Financial Interest Within the past 12 months, I or my spouse/partner have had a

1.1k views • 80 slides
Core message of the MTBPS Tough times require tough decisions. We are committed to making them.

Core message of the MTBPS Tough times require tough decisions. We are committed to making them.

Core message of the MTBPS Tough times require tough decisions. We are committed to making them. Working together, we can grow the economy for the benefit of all Radical economic transformation is required to change the economy to include

443 views • 21 slides
UK Anti-Bribery Act: Meeting the Tough New Requirements Tough New Requirements Minimizing

UK Anti-Bribery Act: Meeting the Tough New Requirements Tough New Requirements Minimizing

presents presents UK Anti-Bribery Act: Meeting the Tough New Requirements Tough New Requirements Minimizing Corruption Risks Under Both the FCPA and UK Law A Live 90-Minute Teleconference/Webinar with Interactive Q&amp;A A Live 90-Minute

1.16k views • 52 slides
SMALL, LARGE, TOUGH, AND UGLY: STRATEGIES FOR BUILDING DEMAND IN TOUGH MARKETS Michael Taylor,

SMALL, LARGE, TOUGH, AND UGLY: STRATEGIES FOR BUILDING DEMAND IN TOUGH MARKETS Michael Taylor,

SMALL, LARGE, TOUGH, AND UGLY: STRATEGIES FOR BUILDING DEMAND IN TOUGH MARKETS Michael Taylor, President, Vita Nuova LLC &amp; Neil Pariser, Vice President and Community Development, Vita Nuova LLC Relevant Sites: Vitanuova.net |

435 views • 28 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The Going Gets Tough: State Capacity To

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The Going Gets Tough: State Capacity To

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA The Going Gets Tough: State Capacity To Support Federal School Turnaround Principles Caitlin Scott and Nora Ostler AERA 2015 On September 23, 2011, who said: I am writing to offer you

249 views • 24 slides
EASM 2014 increased physical activity, in general), education and health policy. It became clear

EASM 2014 increased physical activity, in general), education and health policy. It became clear

TOUGH LOVE OR TOUGH LUCK? ENGLISH NATIONAL GOVERNING BODIES OF SPORT AND THE ONGOING CHALLENGE OF DRIVING UP PARTICIPATION Submitting author: Dr Marc Keech University of Brighton, School of Sport and Service Management Eastbourne, BN20

986 views • 3 slides
Sometimes its tough to get everyone in your company on the same page when it come to content,

Sometimes its tough to get everyone in your company on the same page when it come to content,

Sometimes its tough to get everyone in your company on the same page when it come to content, but even your I.T. professionals can benefit from sharing and knowing whats happening with the blog Create a Channel for Blog Posts to Discuss

468 views • 4 slides
Quarterly Investor Conference Call - September2013 Louis-Vincent Gave and Alfred Ho A brief

Quarterly Investor Conference Call - September2013 Louis-Vincent Gave and Alfred Ho A brief

Quarterly Investor Conference Call - September2013 Louis-Vincent Gave and Alfred Ho A brief review of the year in Asian markets It has been a tough year for Asian investors first, almost every equity market in the region is down Source:

767 views • 60 slides
When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF?

When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF?

When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF? Using TUF Hermetic Builds Where does software come from? $&gt; _ $&gt;curl | sudo bash $&gt;apt-get install authenticity $&gt;apt-get

1.53k views • 114 slides
Fired Up Fundraising: Engage Your Board and Find New Opportunities in a Tough Economy Sioux

Fired Up Fundraising: Engage Your Board and Find New Opportunities in a Tough Economy Sioux

Fired Up Fundraising: Engage Your Board and Find New Opportunities in a Tough Economy Sioux Falls Community Foundation May 11, 2009 CRISIS Danger + Opportunity Engage Your Board and Find New . Opportunities in a Tough Economy OUR AGENDA

819 views • 59 slides
- For tough users in rough environments Background The environment is not always

- For tough users in rough environments Background The environment is not always

- For tough users in rough environments Background The environment is not always predictable and you need to prepare The Panel What is Sirius? -A very rugged touch screen that remote controls a Motorola MotoTrbo radio The

354 views • 17 slides
Tough Question: What will it take to identify the mechanism for baryogenesis or leptogenesis?

Tough Question: What will it take to identify the mechanism for baryogenesis or leptogenesis?

Tough Question: What will it take to identify the mechanism for baryogenesis or leptogenesis? Are there scenarios that could conceivably be considered to be established by experimental data in the next 20 years? What experiments are required

392 views • 6 slides
How do you chew? I need to eat I need to break I want to eat down hard grains tough foods that

How do you chew? I need to eat I need to break I want to eat down hard grains tough foods that

How do you chew? I need to eat I need to break I want to eat down hard grains tough foods that EVERYTHING! and seeds... but I other animals cant dont have any teeth! digest. How does a cow eat? They have special stomachs with four

341 views • 4 slides
Control and Tough -Movement Carl Pollard Department of Linguistics Ohio State University

Control and Tough -Movement Carl Pollard Department of Linguistics Ohio State University

Control and Tough -Movement Carl Pollard Department of Linguistics Ohio State University February 2, 2012 Carl Pollard Control and Tough -Movement Control (1/5) We saw that PRO is used for the unrealized subject of nonfinite

430 views • 28 slides
Reading Life Between the Lines: Using Childrens Literature for Tough Conversations about

Reading Life Between the Lines: Using Childrens Literature for Tough Conversations about

Reading Life Between the Lines: Using Childrens Literature for Tough Conversations about Diversity Michelle H. Martin, Beverly Cleary Professor for Children &amp; Youth Services &amp; MLIS Chair, UW iSchool Created with J. Elizabeth Mills,

730 views • 30 slides
Religion, Sex &amp; Politics, Oh My! Handling Tough Situations While Encouraging Diversity &amp;

Religion, Sex &amp; Politics, Oh My! Handling Tough Situations While Encouraging Diversity &amp;

Religion, Sex &amp; Politics, Oh My! Handling Tough Situations While Encouraging Diversity &amp; Inclusion Presented By: Anne T. McKnight &amp; Beverly Watts Where Are We? Conflicting Perspectives Intensified Political Environment

820 views • 32 slides
When the going gets tough, the Dutch get going Edwin Spaans, PharmD Clinical

When the going gets tough, the Dutch get going Edwin Spaans, PharmD Clinical

When the going gets tough, the Dutch get going Edwin Spaans, PharmD Clinical Pharmacologist, ErasmusMC Sophia Childrens Hospital Director Clinical Research, Kinesis-Pharma Development Officer, Dutch MCRN Past Different

286 views • 13 slides
Answering some tough questions tool 1. Relationship and value of PAP 2013 20 Fe Feb. 2019

Answering some tough questions tool 1. Relationship and value of PAP 2013 20 Fe Feb. 2019

Kelli Retallick, Angus Genetics Inc. June 19, 2019 Navigating a new frontier: Pulmonary Arterial Pressure Kelli Retallick, M.S. AGI Genetic Service Director Saint Joseph, Missouri Path to a genetic selection Answering some tough questions

42 views • 3 slides
Serve the Caregiver - Jack Caregiving is Tough . Were here to help. Progress, not

Serve the Caregiver - Jack Caregiving is Tough . Were here to help. Progress, not

Serve the Caregiver - Jack Caregiving is Tough . Were here to help. Progress, not perfection. These men arent broken, Give them access to the best ideas. we arent trying to fix them. Bold enough to build a team, confident

279 views • 14 slides
MESSAGE FROM THE CHAIRMAN AND PRESIDENT Isidro A. Consunji 2016 was a tough year for our

MESSAGE FROM THE CHAIRMAN AND PRESIDENT Isidro A. Consunji 2016 was a tough year for our

MESSAGE FROM THE CHAIRMAN AND PRESIDENT Isidro A. Consunji 2016 was a tough year for our Company. Flat earnings due to accounting and taxation issues, weak commodity prices and regulatory uncertainty. Our resilient business model We were

375 views • 33 slides
Visits 10 November 2015 The environment It remains ns tough gh out there re! South Africa

Visits 10 November 2015 The environment It remains ns tough gh out there re! South Africa

Analyst Store Visits 10 November 2015 The environment It remains ns tough gh out there re! South Africa Negative consumer confidence CPI range-bound but Food inflation soon to increase exacerbated by SAs worst drought

302 views • 12 slides
Presentation for 26 weeks ended 28 June 2015 The Environment Its tough gh out ther ere!

Presentation for 26 weeks ended 28 June 2015 The Environment Its tough gh out ther ere!

Results Presentation for 26 weeks ended 28 June 2015 The Environment Its tough gh out ther ere! South Africa: Consumer confidence at 14-year low CPI range-bound but Food inflation soon to increase Manufacturing sector in

521 views • 41 slides
Tough Choices: Values, Costs &amp; Efficient Allocation to Improve Quality Welcome Value and

Tough Choices: Values, Costs &amp; Efficient Allocation to Improve Quality Welcome Value and

Tough Choices: Values, Costs &amp; Efficient Allocation to Improve Quality Welcome Value and efficiency in health care: defining what we mean Stirling Bryan, PhD Director, Centre for Clinical Epidemiology &amp; Evaluation, VCHRI Professor,

1.27k views • 97 slides

More recommend