compiler design
play

Compiler Design Spring 2018 Thomas R. Gross Computer Science - PowerPoint PPT Presentation

Jan 17, 2024 •508 likes •850 views

Compiler Design Spring 2018 Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1 What I hope you learned in this class 1. Compiler design: Structure of a simple compiler Simple: 2-3K lines of Java code (maybe a bit more)

  1. Compiler Design Spring 2018 Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1

  2. What I hope you learned in this class 1. Compiler design: Structure of a simple compiler § Simple: 2-3K lines of Java code (maybe a bit more) § Industry: C1 compiler in HotSpot VM is considered “simple” § 30K lines of C/C++/assembly code 2. Software engineering: How to design a large(r) software system § Sometimes there is no “right” or ”wrong” § Sometimes there is 3. Programming § What the programming language design document should tell you § How to use that information 2

  3. Beyond (basic) "Compiler Design" Many possible extensions § Optimizations § Intermediate representations § Program transformations § Tool support § System security § New language concepts, new languages 6

  4. Compilers and system security 7

  5. Attack types § Code corruption attack § Control-flow hijack attack § Data-only attack § Information leak Attack model according to: „sok: eternal war in memory“ laszlo szekeres, mathias payer, tao wei, dawn song Http://www.cs.berkeley.edu/~dawnsong/papers/oakland13-sok-cr.pdf

  6. Control-flow hijack attacks § Most powerful attack § Hijack control-flow § To attacker-supplied arbitrary machine code § To existing code (code-reuse attack) § Corrupt code pointers § Return addresses, function pointers, vtable entries, exception handlers, jmp_bufs

  7. Control-flow hijack attacks § Most ISAs support indirect branch instructions § E.g., x86 “ret“, indirect “jmp“, indirect “call“ § fptr is a value in memory fptr: 0x8056b30 0xafe08044 at 0xafe08044 Code § branch *fptr 0x08056b30 good_func:

  8. Control-flow hijack attacks § fptr is a value in memory at 0xafe08044 § branch *fptr § fptr was corrupted by an attacker fptr: Corrupted 0xafe08044 Code § Attacker goal: hijack control-flow to evil_code: injected machine code or to “evil functions“

  9. State of the art defenses § Non-executable data § NX bit § Data Execution Prevention (DEP) § OS support 14

  10. Bypassing NX / DEP 0xffffffff § Only use existing code Stack attacker code & rw- § Code-reuse attack data § ret2libc, ret2bin, ret2* attacks Heap § Return-oriented programming (ROP) attacker code & rw- data § Jump/Call-oriented programming r-x Code § Use code-reuse technique to change protection flags § Alllocate or make memory executable § mprotect/VirtualProtect 0x00000000 § mmap/VirtualAlloc

  11. Return-oriented programming (ROP) %ebp address gadget4 § Use available code snippets ending address gadget3 with ret instruction dummy value address § Called gadgets or ROP chain Stack address gadget2 § E.g., write primitive value address gadget1 %esp arguments saved ebp dummy ebp pop %edx; 1 return address ret; buf[1024] rw- pop %eax; 2 pop %ebx; ret; r-x Code mov %edx, (%eax); 3 mov $0x0, %eax; ret;

  12. ASLR § Today most operating systems implement Address Space Layout Randomization (ASLR) § Mapping program addresses to hardware addresses § What can be randomized? § OS: Stack, heap and memory mapping base addresses § OS, compiler, linker: Exectuables and libraries § Position-independent or relocatable code

  13. Generic defense: DEP & ASLR § DEP: Data Execution Protection § ASLR: Address Space Layout Randomization § Exploitation becomes harder for all vulnerability classes & attack techniques § Together quite effective § If implemented correctly and used continuously § But DEP and ASLR not enough

  14. Compile-time protection Usually require source code changes (annotations) and/or recompilation of the application § § To add run-time checks § Stack canaries / Cookies Pointer obfuscation § /GS (buffer security check) § /SAFESEH (link-time, provide list of valid handlers) § SEHOP (run-time, walk down SEH chain to final handler before dispatching / integrity check) § Virtual Table Verification (VTV) & vtguard § Control-Flow Guard (new in Visual Studio 2015) §

  15. Stack canary / cookie Stack during vulnFunc() main() stack frame void vulnFunc() { return address arguments <copy canary> saved ebp saved ebp char buf[1024]; %ebp stack canary read(STDIN, buf, 2048); return address <verify canary> } buf[1024] copy canary rw- %esp stack canary Stack at function exit verify canary overwritten frame overwritten retaddr arguments saved ebp overwritten ebp %ebp overwritten canary return address buf[1024] rw- %esp

  16. Stack canary / cookie § Detects linear buffer overflows on stack § At function exit § Corruption of local stack not detected § Only if canary / cookie value is overwritten § Incurs runtime overhead § Effectiveness relies on secret § Leaking, predicting, guessing or brute-forcing might work in special cases

  17. Attacker model § Let's assume a powerful attacker § Can arbitrarily corrupt data and pointers § Can read entire address space of a process § Only restriction on attacker: § No data execution and no code corruption (NX/DEP/W^X)

  18. Question § Can we still prevent arbitrary code execution and code-reuse attacks?

  19. Observations § Attacker needs to hijack control-flow § To injected or existing code § VM/runtime system must ensure that control-flow stays on the intended legitimate path § As allowed by compiler resp. control-flow graph (CFG)

  20. Control-flow integrity (CFI) § Construct a control-flow graph (CFG) § Should be as strict as possible § Ensure that control-flow stays within CFG

  21. Control-flow integrity (CFI) § Original publication in 2005 § “Control-Flow Integrity – Principles, Implementations, and Applications“ § M. Abadi, M. Budiu, U. Erlingsson, J. Ligatti CCS'05 (ACM Trans. on Information and System Security (TISSEC) 13(1) Oct 2009) § § Many CFI implementations were proposed during recent years § Compiler-based § Binary-only (static rewriting)

  22. Control-flow integrity (CFI) § Construct a control-flow graph (CFG) § Should be as strict as possible § Ensure that control-flow stays within CFG § If no path within the CFG can be misused by an attacker then the CFI policy can be considered secure

  23. Control-flow integrity (CFI) Basic block Direct branch Indirect branch

  24. Hijacked control-flow ret Basic block Direct branch Indirect branch

  25. Control-flow integrity (CFI) Basic block Direct branch Indirect branch

  26. Control-flow integrity (CFI) Basic block Direct branch Indirect branch under CFI

  27. Control-flow integrity (CFI) Basic block Direct branch Indirect branch under CFI

  28. Control-flow integrity (CFI) CFI VIOLATION Basic block Direct branch Indirect branch under CFI

  29. Control-flow integrity (CFI) § Drawbacks of proposed solutions § Too permissive CFG due to over-approximation § Need to recompile § No support for shared libraries § Most solutions shown to be ineffective § “Hardened” exploits still worked under CFI

  30. Control-flow integrity (CFI) § Static CFI not enough: Dynamic approach necessary § Dynamic CFI 41

  31. Lockdown – dynamic CFI § Enforces a strict CFI policy for binaries § Supports shared libraries & dynamic loading § Constructs and enforces CFG at runtime § Using static and dynamic information

  32. Lockdown – dynamic CFI Lockdown Lockdown Loader Binary Translator CFT Verifier Domain translate() Loads ELF DSOs Code Cache /bin/<exe> libc.so.6 printf() main' main() Application Run-time ICF func1() func2' ELF validation Domain Files func2() printf' lib* ... func*() User Kernel System Call Interface read only readable + executable CFT: Control-Flow Transfer, ICF: Indirect Control-Flow, ELF: Executable and Linkable Format, DSO: Dynamic Shared Object

  33. Beyond basic compilers § Many interesting problems exist § Opportunities for projects (BS, MS, research) § Contact me or the TAs for further information 44

Recommend

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2 Admin issues Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1.1

1.27k views • 46 slides
15-411 Compiler Design Fall 2014 / Frank Pfenning 1 15-411/611 Compiler Design Fall 2014

15-411 Compiler Design Fall 2014 / Frank Pfenning 1 15-411/611 Compiler Design Fall 2014

15-411 Compiler Design Fall 2014 / Frank Pfenning 1 15-411/611 Compiler Design Fall 2014 Teaching Staff Instructor Frank Pfenning, GHC 7019 Office hour: Thu 10:30-12:00 Teaching Assistants (GHC 5205 for now) Flvio Cruz,

378 views • 17 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations,

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Numbers, Unary Operations, Variables Owen Arden UC Santa Cruz Based on course materials developed by Ranjit Jhala Lets Write a Compiler! Our goal is to write a compiler which

658 views • 18 slides
252-210: Compiler Design 9.2 Points and paths 9.3

252-210: Compiler Design 9.2 Points and paths 9.3

252-210: Compiler Design 9.2 Points and paths 9.3 Transfer func6ons Thomas R. Gross Computer Science Department ETH Zurich, Switzerland Outline

758 views • 57 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
252-210: Compiler Design 3.2 Lexical analysis 3.3

252-210: Compiler Design 3.2 Lexical analysis 3.3

252-210: Compiler Design 3.2 Lexical analysis 3.3 Top-down parsing Thomas R. Gross Computer Science Department ETH Zurich, Switzerland

392 views • 37 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Introduction and Overview Owen

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Introduction and Overview Owen

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Introduction and Overview Owen Arden UC Santa Cruz Based on course materials developed by Ranjit Jhala What is a Compiler? A function that maps an input string to an output

79 views • 5 slides
Compiler Design 1 Introduction to Programming Language Design and to Compilation Administrivia

Compiler Design 1 Introduction to Programming Language Design and to Compilation Administrivia

Compiler Design 1 Introduction to Programming Language Design and to Compilation Administrivia Lecturer: Kostis Sagonas (Hus 1, 352) Course home page: http://user.it.uu.se/~kostis/Teaching/KT1-11 If you want to be

423 views • 40 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Compiler Design and Construction Syntax Analysis Slides modified from Louden Book and Dr.

Compiler Design and Construction Syntax Analysis Slides modified from Louden Book and Dr.

Compiler Design and Construction Syntax Analysis Slides modified from Louden Book and Dr. Scherger The Role of the Parser The following figure shows the position of the parser in a compiler: Basically it asks the lexical analyzer for a

1.02k views • 68 slides
CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

Synthesis and Place &amp; Route Synopsys design compiler Cadence Encounter Digital Implementation System (EDI) CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural Verilog Cadence Your EDI Library

580 views • 46 slides
CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural

Synthesis and Place &amp; Route Synopsys design compiler Cadence Encounter Digital Implementation System (EDI) CS/ECE 6710 Tool Suite Verilog sim Synopsys Behavioral Design Compiler Verilog Structural Verilog Cadence Your EDI Library

511 views • 36 slides
1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and

1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and

1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and to Compilation Administrivia Lecturer: Kostis Sagonas ( kostis@it.uu.se ) Course home page:

609 views • 40 slides
1DL321: Kompilatorteknik I (Compiler Design 1) Course home page:

1DL321: Kompilatorteknik I (Compiler Design 1) Course home page:

Administrivia Lecturer: Kostis Sagonas ( kostis@it.uu.se ) 1DL321: Kompilatorteknik I (Compiler Design 1) Course home page: http://user.it.uu.se/~kostis/Teaching/KT1-12/ Introduction to Programming Assistants: Language Design

365 views • 10 slides
Principles of Compiler Design - The Brainf*ck Compiler - Clifford Wolf - www.clifford.at

Principles of Compiler Design - The Brainf*ck Compiler - Clifford Wolf - www.clifford.at

Principles of Compiler Design - The Brainf*ck Compiler - Clifford Wolf - www.clifford.at http://www.clifford.at/papers/2004/compiler/ Clifford Wolf, December 22, 2004 http://www.clifford.at/papers/2004/compiler/ p. 1/56 Introduction

847 views • 56 slides
Compiler Construction Christian Rinderknecht 31 October 2008 1 Why study compiler construction?

Compiler Construction Christian Rinderknecht 31 October 2008 1 Why study compiler construction?

Compiler Construction Christian Rinderknecht 31 October 2008 1 Why study compiler construction? Few professionals design and write compilers. So why teach how to make compilers? A good software/telecom engineer understands the high-level

1.27k views • 80 slides
252-210: Compiler Design Fall 2015 Thomas R. Gross

252-210: Compiler Design Fall 2015 Thomas R. Gross

252-210: Compiler Design Fall 2015 Thomas R. Gross Computer Science Department ETH Zurich, Switzerland Rule 1 Peace in the lecture hall

524 views • 21 slides
LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers

LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers

LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers 3 Last modifled: Fri Mar 06 2015 at 13:50:06 EST Version: 1.7 16:58:46 2016/01/29 Compiled at 12:57 on 2016/02/26 Compiler Design LR Parsing

418 views • 16 slides
CS6710 Tool Suite Verilog-XL Synopsys Behavioral Design Compiler Verilog Structural Verilog

CS6710 Tool Suite Verilog-XL Synopsys Behavioral Design Compiler Verilog Structural Verilog

Synthesis and Place &amp; Route Synopsys design compiler Cadence SOC Encounter CS6710 Tool Suite Verilog-XL Synopsys Behavioral Design Compiler Verilog Structural Verilog Cadence Your SOC Library Encounter Circuit Verilog-XL CSI

598 views • 30 slides
An Overview of a Compiler Y.N. Srikant Department of Computer Science and Automation Indian

An Overview of a Compiler Y.N. Srikant Department of Computer Science and Automation Indian

An Overview of a Compiler Y.N. Srikant Department of Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Y.N. Srikant Compiler Overview Outline of the Lecture About the

498 views • 26 slides
15-411/15-611 Compiler Design Robert Simmons, Instructor Fall

15-411/15-611 Compiler Design Robert Simmons, Instructor Fall

15-411/15-611 Compiler Design Robert Simmons, Instructor Fall 2015 hAps://www.cs.cmu.edu/~rjsimmon/15411-f15 1 Whos here? Me: Rob Simmons, GHC 9101

752 views • 25 slides
Compiler Construction of Idempotent Regions and Applications in Architecture Design Marc de

Compiler Construction of Idempotent Regions and Applications in Architecture Design Marc de

Compiler Construction of Idempotent Regions and Applications in Architecture Design Marc de Kruijf Advisor: Karthikeyan Sankaralingam PhD Defense 07/20/2012 Example source code int int sum(int int *array, int int len) { int int x = 0;

1.21k views • 118 slides
Automated Synthesis from HDL models Design Compiler (Synopsys) Leonardo (Mentor Graphics)

Automated Synthesis from HDL models Design Compiler (Synopsys) Leonardo (Mentor Graphics)

Automated Synthesis from HDL models Design Compiler (Synopsys) Leonardo (Mentor Graphics) Front-End Design &amp; Verification VHDL VHDL-AMS Create Behavioral/RTL Verilog HDL Model(s) Verilog-A SystemC ModelSim ADVance MS Simulate to

618 views • 41 slides
Compiler Design Spring 2018 8.0 Data-Flow Analysis Thomas R. Gross Computer Science Department

Compiler Design Spring 2018 8.0 Data-Flow Analysis Thomas R. Gross Computer Science Department

Compiler Design Spring 2018 8.0 Data-Flow Analysis Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1 Properties of program analysis Analysis must be correct Depends on use Do not mislead the compiler Analysis

449 views • 41 slides

More recommend