code pointer integrity
play

Code-Pointer Integrity Volodmyr Kuzentsov, Lszl Szekeres, Mathias - PowerPoint PPT Presentation

Sep 26, 2023 •327 likes •673 views

Code-Pointer Integrity Volodmyr Kuzentsov, Lszl Szekeres, Mathias Payer , George Candea, R. Sekar, and Dawn Song (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 Memory Corruption is Abundant! Acrobat Firefox IE OS X Linux

  1. Code-Pointer Integrity Volodmyr Kuzentsov, László Szekeres, Mathias Payer , George Candea, R. Sekar, and Dawn Song

  2. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  3. Memory Corruption is Abundant! Acrobat Firefox IE OS X Linux Average 150 Control-Flow Hijack CVEs 120 90 60 30 0 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

  4. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  5. Memory safety: invalid dereference ● Violation iff Dangling pointer: – Pointer is read (temporal) – Pointer is written – Pointer is freed ● No violation – Otherwise Out-of-bounds pointer: (spatial)

  6. Threat Model ● Attacker can read/write data, read code ● Attacker cannot – Modify program code – Influence program loading Code Heap Stack RX RW RW

  7. Control-Flow Hijack Attack Memory 1 void *(func_ptr)(); q int *q = buf + input; 1 … buf func_ptr = &foo; … *q = input2; 2 func_ptr func_ptr … 2 (*func_ptr)(); 3 gadget

  8. What about existing defenses? Data Execution Prevention ('06) Address Space Layout Randomization ('05) Image: http://www.computing.co.uk Canaries ('06) Image: Ted Atchley, http://torwars.com Image: http://socialcanary.com

  9. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 Presented at 30c3 http://youtu.be/CQbXevkR4us

  10. Memory Safety to the Rescue Swift Python code ~3 kloc MEMORY ! e SAFETY Python runtime ~500 kloc f FIRST a s libc ~2,500 kloc n U Linux kernel ~15,803 kloc

  11. SAFE LANGUAGES (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  12. Retrofit Memory Safety C/C++ Overhead SoftBound+CETS 116% MEMORY SAFETY CCured 56% FIRST AddressSanitizer 73%

  13. Memory Safety 1. Assign meta-data char *buf = malloc(10); buf_lo = p; buf_up = p+10; 116% performance overhead … 2. Propagate meta-data char *q = buf + input; q_lo = buf_lo; q_up = buf_up; (Nagarakatte et al., PLDI'09 and ISMM'10) if (q < q_lo || q >= q_up) abort(); 3. Check meta-data *q = input2; … (*func_ptr)();

  14. Safety vs. Flexibility and Performance (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  15. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 Presented at 30c3 http://youtu.be/2ybcByjNlq8

  16. New Approach: Protect Select Data Code Heap Stack Safe Instead of Stack protecting everything a little protect a little completely Strong protection for a select subset of data Attacker may modify any unprotected data

  17. Memory Safety (116% performance overhead) Protect only ? Code Pointers Control-Flow Hijack Protection (1.9% or 8.4% performance overhead)

  18. Code-Pointer Separation: Heap Safe Memory Memory Regular Memory All other q q Code data Pointers Separate only buf buf Program memory func_ptr func_ptr func_ptr func_ptr Control plane: Memory either code Layout pointer or NULL unchanged

  19. Locals Safely Code-Pointer Separation: Stack accessed Accessed through locals pointers Safe Stack Regular Stack int foo() { char buf[16]; r int r; ret address r = scanf(“%s”, buf); buf return r; Any location } may be corrupted

  20. CPS Memory Layout Accesses are safe Accesses are fast Safe Memory Regular Memory (code pointers) (non-code-pointer data) Safe Heap Regular Heap Safe Safe Regular Regular Stack Stack ... Stack Stack ... (Thread 1) (Thread 2) (Thread 1) (Thread 2) Code (Read-Only) Hardware-based instruction-level isolation

  21. Attacking Code-Pointer Separation Memory void *(func_ptr)(); func_ptr int *q = buf + input; int *q = buf + input; *q = input2; *q = input2; … struct_ptr struct_ptr' func_ptr = struct_ptr->f; … func_ptr' (*func_ptr)(); NULL or a ptr to another function

  22. Code-Pointer Separation ● Identify Code-Pointer accesses using static type-based analysis ● Separate using instruction-level isolation (e.g., segmentation) ● CPS security guarantees – An attacker cannot forge new code pointers – Code-Pointer is either immediate or assigned from code pointer – An attacker can only replace existing functions through indirection: e.g., foo->bar->func() vs. foo->baz->func2()

  23. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  24. Code-Pointer Integrity (CPI) Sensitive Pointers = code pointers and pointers used to access sensitive pointers ● CPI identifies all sensitive pointers using an over-approximate type-based static analysis: is_sensitive(v) = is_sensitive_type(type of v) ● Over-approximation only affects performance On SPEC2006 <= 6.5% accesses are sensitive

  25. Attacking Code-Pointer Integrity void *(func_ptr)(); int *q = buf + input; q_lo = buf_lo; q_up = buf_up; Exception if (q < q_lo || q >= q_up) abort(); when *q = input2; dereferenced func_ptr = struct_ptr->f; … (*func_ptr)();

  26. Code-Pointer Integrity vs. Separation ● Separate sensitive pointers from regular data – Type-based static analysis – Sensitive pointers = code pointers + pointers to sensitive pointers ● Accessing sensitive pointers is safe – Separation + runtime (bounds) checks ● Accessing regular data is fast – Instruction-level safe region isolation

  27. Security Guarantees ● Code-Pointer Integrity: formally guaranteed protection – 8.4% to 10.5% overhead (~6.5% of memory accesses) ● Code-Pointer Separation: strong protection in practice – 0.5% to 1.9% overhead (~2.5% of memory accesses) ● Safe Stack: full ROP protection – Negligible overhead

  28. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  29. Implementation ● LLVM-based prototype – Front end (clang): collect type information – Back-end (llvm): CPI/CPS/SafeStack instrumentation pass – Runtime support: safe heap and stack management – Supported ISA's: x64 and x86 (partial) – Supported systems: Mac OSX, FreeBSD, Linux

  30. Current status ● Great support for CPI on Mac OSX and FreeBSD on x64 ● Upstreaming in progress Safe Stack coming to LLVM soon – Fork it on GitHub now: https://github.com/cpi-llvm – ● Code-review of CPS/CPI in process Play with the prototype: http://levee.epfl.ch/levee-early-preview-0.2.tgz – Will release more packages soon – ● Some changes to super complex build systems needed Adapt Makefiles for FreeBSD –

  31. Is It Practical? hardened ● Recompiled entire FreeBSD userpsace ● … and more than 100 packages OpenSSL PostgreSQL

  32. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997

  33. Conclusion ● CPI/CPS offers strong control-flow hijack protection – Key insight: memory safety for code pointers only ● Working prototype – Supports unmodified C/C++, low overhead in practice – Upstreaming patches in progress, SafeStack available soon! – Homepage: http://levee.epfl.ch – GitHub: https://github.com/cpi-llvm

  34. (c) TriStar Pictures, Inc. & Touchstone Pictures, 1997 ? http://levee.epfl.ch http://nebelwelt.net/publications/14OSDI/

Recommend

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&amp;A 2 What is a

543 views • 28 slides
CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we

CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we

CS 241 Data Organization More List and Tree Fun April 3, 2018 Pointer Changing Code What do we do if a function needs to change one of the pointer parameters passed to it? Assume we have struct Node* root that points to a tree. We could

431 views • 10 slides
2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the

2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the

SoM Induction 2016 Gail Williams Research Integrity at UQ Research Integrity at UQ Australian Code for the Responsible Conduct of Research (NHMRC et al., 2007) http://www.nhmrc.gov.au/_files_nhmrc/file/ publications/synopses/r39.pdf

312 views • 16 slides
Review Running a program requires the code &amp; stack segments in memory. Context = memory

Review Running a program requires the code &amp; stack segments in memory. Context = memory

Review Running a program requires the code &amp; stack segments in memory. Context = memory address space + stack pointer + instruction pointer A CPU is in the context of a program if its instruction pointer and stack pointer registers

797 views • 40 slides
The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach Model

371 views • 34 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Code Completion with Neural Attention and Pointer Networks Jian Li, Yue Wang, Irwin King, and

Code Completion with Neural Attention and Pointer Networks Jian Li, Yue Wang, Irwin King, and

Code Completion with Neural Attention and Pointer Networks Jian Li, Yue Wang, Irwin King, and Michael R. Lyu The Chinese University of Hong Kong Presented by Ondrej Skopek Goal: Predict out-of-vocabulary words using local context

607 views • 25 slides
Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an

Pointer arithmetic arrays only arrays only Pointer arithmetic Can add or subtract an integer as long as result is still within the bounds of the array Can subtract a pointer from another pointer iff both point to

140 views • 9 slides
KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs

KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs

KNOW THE CODE OF STUDENT ACADEMIC INTEGRITY Presented By: Amy Kelso, Office of Legal Affairs Bruce Long, Chair of the Academic Integrity Board Laura Bizzell, Student Conduct &amp; Academic Integrity Kaela Lindquist, Student Conduct &amp;

552 views • 22 slides
Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer

Pointer Basics Lecture 13 COP 3014 Fall 2019 November 7, 2019 What is a Pointer? A pointer is a variable that stores a memory address. Pointers are used to store the addresses of other variables or memory items. Pointers are very

742 views • 23 slides
Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University

Pointer Analysis in the Presence of Dynamic Class Loading Martin Hirzel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center 1 Pointer analysis motivation Code a = new C( ); // G What does it do? b =

439 views • 30 slides
Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer

Pointers The Pointer Defined int *x; Read as: declare x as a pointer to a 32-bit integer Interpretation: declare x as a variable on the stack that holds the numeric address of the location in memory at which are 32 bits that we intend

359 views • 15 slides
Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover

Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover

Student Code of Conduct- Academic Integrity Slides for Faculty Members &amp; Instructors to cover with their students Where to find the Code 1. Student Life Page 2. Policies &amp; Procedures Library Course Syllabus Statement A breach of

88 views • 7 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National

Medical WG Technology session APAN 32 nd meeting at New Delhi HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Chairpersons: Ti-Chaung Chiang, National Taiwan University Torata N and Cao Duc Minh, Kyushu University Hospital. 1 HD-SCR:

347 views • 10 slides
HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University

The 5 th ATS at Fukuoka HD- -SCR and Tele SCR and Tele- -Pointer Pointer HD Nobuhiro Torata, Kyushu University Hospital. 2 HD-SCR: High Definition Streaming Combined Remote conference system Concepts of New system Hi quality HD image

108 views • 7 slides
Academic Integrity Collaboration Encouraged! Groups of up to 5 per assignment (you + 4)

Academic Integrity Collaboration Encouraged! Groups of up to 5 per assignment (you + 4)

Academic Integrity Collaboration Encouraged! Groups of up to 5 per assignment (you + 4) List your collaborators (by UVA computing ID) Write-ups/code written independently DO NOT share written notes / pictures / code DO NOT

813 views • 35 slides
Corporate Integrity Dialogue This presentation may not be circulated, quoted or reproduced for

Corporate Integrity Dialogue This presentation may not be circulated, quoted or reproduced for

Corporate Integrity Dialogue This presentation may not be circulated, quoted or reproduced for distribution. GE Code of Conduct Be honest, fair and trustworthy Obey applicable laws and regulations Be the voice of integrity and

160 views • 5 slides
Pointers and Memory 1 Pointer values Pointer values are memory addresses

Pointers and Memory 1 Pointer values Pointer values are memory addresses

Pointers and Memory 1 Pointer values Pointer values are memory addresses Think of them as a kind of integer values The first byte of memory is 0, the next 1, and so on A pointer p can hold the address of a memory

1.01k views • 31 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically metadata contains the base and bounds of the pointer which is essentially the valid accessible memory region by the pointer if(

511 views • 49 slides
Pointers II 1 Outline Pointers arithmetic and others Functions &amp; pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions &amp; pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions &amp; pointers 2 Pointer Arithmetic When you add to or subtract from a pointer, the amount by which you do that is multiplied by the size of the type the pointer points

689 views • 33 slides
Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller,

Precision-Guided Context Sensitivity for Pointer Analysis Yue Li, Tian Tan, Anders Mller, Yannis Smaragdakis OOPSLA 2018 1 A New Pointer Analysis T echnique for Object-Oriented Programs 2 Pointer Analysis Determines which

841 views • 64 slides
Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal

Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal

Opaque Pointer Types To a world without pointer to pointer bitcasts Motivation Proximal Motivation 222748: Canonicalize store (cast V), P -&gt; store V, (cast P) 220138: Canonicalize cast (load P) -&gt; load (cast P)

649 views • 25 slides
Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State

Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State

Protecting Dynamic Code by Modular Control-Flow Integrity Gang Tan Department of CSE, Penn State Univ. At International Workshop on Modularity Across the System Stack (MASS) Mar 14 th , 2016, Malaga, Spain Cyber Insecurity 2 Blame the

804 views • 54 slides

More recommend