advanced systems security control flow integrity
play

Advanced Systems Security: Control-Flow Integrity Trent Jaeger - PowerPoint PPT Presentation

Dec 30, 2022 •1.13k likes •1.55k views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Control-Flow Integrity Trent

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: � Control-Flow Integrity Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Vulnerability • How do you define computer ‘ vulnerability ’ ? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Bu ff er Overflow • First and most common way to take control of a process • Attack code Call the victim with inputs necessary to overflow ‣ buffer Overwrites the return address on the stack ‣ • Exploit Jump to attacker chosen code ‣ Run that code ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Determine what to attack • Local variable that is a char buffer BEFORE picture of stack 0xbfa3b854: 0x3 0xbfa3b855: 0x0 0xbfa3b856: 0x0 Called buf ‣ 0xbfa3b857: 0x0 buf 0xbfa3b858: 0x3 0xbfa3b859: 0x0 0xbfa3b85a: 0x0 0xbfa3b85b: 0x0 0xbfa3b85c: 0x0 0xbfa3b85d: 0x0 0xbfa3b85e: 0x0 ... printf("BEFORE picture of stack\n"); 0xbfa3b85f: 0x0 for ( i=((unsigned) buf-8); i<((unsigned) ((char *)&ct)+8); i++ ) 0xbfa3b860: 0x0 printf("%p: 0x%x\n", (void *)i, *(unsigned char *) i); 0xbfa3b861: 0x0 0xbfa3b862: 0x0 /* run overflow */ 0xbfa3b863: 0x0 for ( i=1; i<tmp; i++ ){ 0xbfa3b864: 0x0 printf("i = %d; tmp= %d; ct = %d; &tmp = %p\n", i, tmp, ct, (void *)&tmp); 0xbfa3b865: 0x0 strcpy(p, inputs[i]); 0xbfa3b866: 0x0 0xbfa3b867: 0x0 /* print stack after the fact */ 0xbfa3b868: 0xa8 printf("AFTER iteration %d\n", i); 0xbfa3b869: 0xb8 ebp for ( j=((unsigned) buf-8); j<((unsigned) ((char *)&ct)+8); j++ ) 0xbfa3b86a: 0xa3 printf("%p: 0x%x\n", (void *)j, *(unsigned char *) j); 0xbfa3b86b: 0xbf p += strlen(inputs[i]); 0xbfa3b86c: 0x71 if ( i+1 != tmp ) 0xbfa3b86d: 0x84 rtn addr *p++ = ' '; 0xbfa3b86e: 0x4 } 0xbfa3b86f: 0x8 printf("buf = %s\n", buf); 0xbfa3b870: 0x3 printf("victim: %p\n", (void *)&victim); 0xbfa3b871: 0x0 ct 0xbfa3b872: 0x0 return 0; 0xbfa3b873: 0x0 } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Configure Attack • Configure following Distance to return address from buffer ‣ Where to write? • Location of start of attacker’s code ‣ Where to take control? • What to write on stack ‣ How to invoke code (jump-to existing function)? • How to launch the attack ‣ How to send the malicious buffer to the victim? • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Return Address BEFORE picture of stack • x86 Architecture 0xbfa3b854: 0x3 0xbfa3b855: 0x0 0xbfa3b856: 0x0 0xbfa3b857: 0x0 Build 32-bit code for Linux environment ‣ buf 0xbfa3b858: 0x3 0xbfa3b859: 0x0 0xbfa3b85a: 0x0 • Remember integers are represented in 0xbfa3b85b: 0x0 0xbfa3b85c: 0x0 0xbfa3b85d: 0x0 “ little endian ” format 0xbfa3b85e: 0x0 0xbfa3b85f: 0x0 0xbfa3b860: 0x0 0xbfa3b861: 0x0 • Take address 0x8048471 0xbfa3b862: 0x0 0xbfa3b863: 0x0 0xbfa3b864: 0x0 0xbfa3b865: 0x0 See trace at right ‣ 0xbfa3b866: 0x0 0xbfa3b867: 0x0 0xbfa3b868: 0xa8 0xbfa3b869: 0xb8 ebp 0xbfa3b86a: 0xa3 0xbfa3b86b: 0xbf 0xbfa3b86c: 0x71 0xbfa3b86d: 0x84 rtn addr 0xbfa3b86e: 0x4 0xbfa3b86f: 0x8 0xbfa3b870: 0x3 0xbfa3b871: 0x0 ct 0xbfa3b872: 0x0 0xbfa3b873: 0x0 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Anatomy of Control Flow Attacks • Two steps • First, the attacker changes the control flow of the program In buffer overflow, overwrite the return ‣ address on the stack What are the ways that this can be done? ‣ • Second, the attacker uses this change to run code of their choice In buffer overflow, inject code on stack ‣ What are the ways that this can be done? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  8. Return-oriented Programming • General approach to control flow attacks • Demonstrates how general the two steps of a control flow attack can be • First, change program control flow In any way ‣ • Then, run any code of attackers’ choosing - code in the existing program From starting address (gadget) to ret ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  9. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack pop %eax G1 Return Address ret 5 pop %ebx jmp G2 ret buf 0x8048000 movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  10. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  11. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  12. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  13. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  14. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  15. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = %ebx = 0x8048000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  16. ROP • Use ESP as program counter E.g., Store 5 at address 0x8048000 ‣ without introducing new code • Code Stack G!: pop %eax G1 Return Address ret 5 G2: pop %ebx jmp G2 ret buf 0x8048000 G3: movl %eax, (%ebx) ret jump G3 . . . Memory Registers %eax = 5 0x8048000 = 5 %ebx = 0x8048000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  17. Prevent ROP Attacks • How would you prevent a program from executing gadgets rather than the expected code? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  18. Prevent ROP Attacks • How would you prevent a program from executing gadgets rather than the expected code? Control-flow integrity ‣ Force the program to execute according to an expected CFG • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  19. Control-Flow Integrity Our Mechanism F A F B nop IMM 1 if(*fp != nop IMM 1 ) halt if(**esp != nop IMM 2 ) halt call fp return nop IMM 2 CFG excerpt B 1 A call NB: Need to ensure bit patterns for nops B ret A call+1 appear nowhere else in code memory Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  20. Control-Flow Integrity More Complex CFGs CFG excerpt Maybe statically all we know is that F A can call any int int function B 1 A call F A C 1 succ(A call ) = {B 1 , C 1 } F B nop IMM 1 if(*fp != nop IMM 1 ) halt call fp F C nop IMM 1 Construction: All targets of a computed jump must have the same destination id (IMM) in their nop instruction 9 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  21. Control-Flow Integrity Imprecise Return Information Q: What if F B can return CFG excerpt to many functions ? F A A call+1 A: Imprecise CFG B ret D call+1 call F B F B succ(B ret ) = {A call+1 , D call+1 } nop IMM 2 CFG Integrity: F D if(**esp != nop IMM 2 ) halt Changes to the return PC are only to valid successor call F B PCs, per succ(). nop IMM 2 10 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

Recommend

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, &amp; Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern exploit techniques Introduction to Computer Security Announcements intermission Day 7: Defensive programming and design, part 1 Saltzer &amp;

579 views • 15 slides
Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline

Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline

31 st IEEE Symposium on Security &amp; Privacy, Oakland CA, May 16-19 2010 HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity Zhi Wang, Xuxian Jiang North Carolina State University Outline Motivation

328 views • 29 slides
Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh Shankar (UC Berkeley) Trent Jaeger (Penn State / IBM) Reiner Sailer (IBM) The goal, with an example Integrity property: Trusted processes dont

317 views • 20 slides
CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Advanced Mitigations Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS412 Software Security Advanced mitigations Stack integrity

298 views • 26 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands June 21, 2018 Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 2 / 22 Rotating S-box Masking

540 views • 22 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security &amp; Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory

The 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016) Taming Transactions: Towards Hardware-Assisted Control Flow Integrity using Transactional Memory Marius Muench, Fabio Pagani, Yan Shoshitaishvili,

559 views • 25 slides
PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas,

PRACTICAL CONTROL FLOW INTEGRITY &amp; RANDOMIZATION FOR BINARY EXECUTABLES Christos Tselas, AM:875 Elisjana Ymeralli, AM:801 Ioanna Ramoutsaki, AM: 812 Vasilis Glabedakis, AM: 2921 cs-457 Department: Computer Science, University of Crete

584 views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene

Feel me Flow: A Review of Control-Flow Integrity Methods for User and Kernel Space Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Code injection attacks Code

865 views • 61 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
CSCE 790 Computer Systems Security Security Policy Models Professor Qiang Zeng Spring

CSCE 790 Computer Systems Security Security Policy Models Professor Qiang Zeng Spring

CSCE 790 Computer Systems Security Security Policy Models Professor Qiang Zeng Spring 2020 Previous Class Concepts Access Control, Subject, Object Goals of Access Control Confidentiality, Integrity Access Matrix

702 views • 26 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides
Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Hardware Security Trent Jaeger

703 views • 46 slides
Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election Security = Physical Security + Cybersecurity Physical Security Security plans Secure storage of voting machines and electronic pollbooks

341 views • 13 slides

More recommend