control flow hijacking are we making progress
play

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, - PowerPoint PPT Presentation

Dec 23, 2022 •115 likes •517 views

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2 Trends in Memory Errors* * Victor van der Veen,

  1. Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1

  2. Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2

  3. Trends in Memory Errors* * Victor van der Veen, https://www.vvdveen.com/memory-errors/, updated Feb. 2017 3

  4. Software is unsafe and insecure* ● Low-level languages (C/C++) trade type safety and memory safety for performance – Our systems are implemented in C/C++ – Too many bugs to find and fix manually Google Chrome: 76 MLoC glibc: 2 MLoC Linux kernel: 14 MLoC * SoK: Eternal War in Memory. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. In IEEE S&P'13 4

  5. 5

  6. Control-Flow Hijack Attack 6

  7. Control-flow hijack attack ● Attacker modifies code pointer 1 – Information leak: target address – Memory safety violation: write 2 3 ● Control-flow leaves valid graph 4 4' – Inject/modify code – Reuse existing code 7

  8. Attack scenario: code injection ● Force memory corruption to set up attack ● Redirect control-flow to injected code Code Heap Stack 8

  9. Attack scenario: code injection ● Force memory corruption to set up attack ● Redirect control-flow to injected code Code Heap Stack 9

  10. Attack scenario: code reuse ● Find addresses of gadgets ● Force memory corruption to set up attack ● Redirect control-flow to gadget chain Code Heap Stack 10

  11. Control-Flow Integrity 11

  12. Control-Flow Integrity (CFI)* ● Restrict a program’s dynamic control-flow to the static control-flow graph – Requires static analysis – Dynamic enforcement mechanism ● Forward edge: virtual calls, function pointers ● Backward edge: function returns * Control-Flow Integrity. Martin Abadi, Mihai Budiu, Ulfar Erlingsson, Jay Ligatti. CCS ‘05 Control-Flow Integrity: Protection, Security, and Performance. Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, Mathias Payer. ACM CSUR ‘18, preprint: https://nebelwelt.net/publications/files/18CSUR.pdf 12

  13. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); return 7 13

  14. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); Attacker may corrupt memory, return 7 code ptrs. verified when used 14

  15. CFI: Limitations ● CFI provides incremental security ● Strength of CFI mechanism depends on the power of the analysis – Coarse-grained: all functions are allowed – Fine-grained: better than coarse-grained 15

  16. Qualitative Analysis ● Classes of analysis precision for forward edges 1) Ad hoc algorithms, labeling 2) Class-hierarchy analysis 3) Flow- or context-sensitive analysis 4) Devirtualize through dynamic analysis 16

  17. CFI: Strength of Analysis 0xf000b400 int bar1(int b, int c, int d); void bar2(int b, int c); A *obj = new A(); int bar3(int b, int c); obj->foo(int b, int c); int B::foo(int b, int c); class A :: B {... }; int B::bar5(int b, int c); int A::foo(int b, int c); 17

  18. Qualitative Analysis ● Backward edge best protected orthogonally – Shadow stacks – Safe stacks ● In practice: – Backward edge excluded (“assume shadow stack”) – Reuse forward-edge analysis 18

  19. Existing Quantitative Metrics ● Average Indirect-target Reduction (AIR) – AIR is defined as: n ( 1 −| T j | 1 n ∑ S ) j = 1 ● Allowing any libc function has 99.9% AIR – 2,102 exported functions – 1,864,888 bytes of text ● All mechanisms have AIR of 99.9+% 19

  20. Qualitative Analysis Control-flows (CF), quantitative security (Q), reported performance (RP), static analysis precision: forward (SAP.F) and backward (SAP.B) 20

  21. Quantitative Security Analysis ● Compare 5 open-source mechanisms – on the same machine – with the same benchmarks ● Define quantitative metrics – Number of equivalence classes – Size of largest class ● Dynamic profiling bounds required targets 21

  22. Size of Equivalence Classes 22

  23. Number of Equivalence Classes 23

  24. Necessity of shadow stack* ● Defenses without stack integrity are broken – Loop through two calls to the same function – Choose any caller as return location void func() { … bar(); … void bar() { … } bar(); … } * Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. In Usenix SEC'15 24

  25. Necessity of shadow stack* ● Defenses without stack integrity are broken – Loop through two calls to the same function – Choose any caller as return location ● Shadow stack enforces stack integrity – Attacker restricted to arbitrary targets on the stack – Each target can only be called once, in sequence * Control-Flow Bending: On the Effectiveness of Control-Flow Integrity. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. In Usenix SEC'15 25

  26. Code-Pointer Integrity, SafeStack* ● Memory safety stops control-flow hijack attacks – … but memory safety has high overhead (250%) ● Enforce memory safety for code pointers only – Partition code pointers, check all loads and stores ● Efficient prototype: 5.82% for C/C++ on SPEC – (Partially) upstreamed to LLVM – HardenedBSD relies on SafeStack (11/28/16) * Code-Pointer Integrity. Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, Dawn Song, R. Sekar. In Usenix OSDI'14 26

  27. CFI Summary ● CFI is available and makes attacks harder – Microsoft Visual Studio, GCC, LLVM – Deployed in Microsoft Edge, Google Chrome ● Potential limitations – Large equivalence classes are attack targets – Backward edge protection is crucial ● Ongoing work: precision and metrics – CFI should use context and flow sensitivity 27

  28. Type Safety 28

  29. Type Confusion ● Type confusion arises through illegal downcasts – Converting a base class pointer to a derived class ● This problem is common in large software – Adobe Flash (CVE-2015-3077) – Microsoft Internet Explorer (CVE-2015-6184) – PHP (CVE-2016-3185) – Google Chrome (CVE-2013-0912) * TypeSanitizer: Practical Type Confusion Detection. Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe. In CCS'16 29

  30. Type Confusion Dptr vtable*? class B { Bptr b int b; }; c? class D: B { int c; vtable* virtual void d() {} B D b }; … c B *Bptr = new B; D *Dptr = static_cast<D*>B; Dptr->c = 0x43; // Type confusion! Dptr->d(); // Type confusion! 30

  31. Type Confusion Detection ● static_cast<type> uses compile-time check – Fast but no runtime guarantees ● dynamic_cast<type> uses runtime check – High overhead – Only possible for polymorphic classes ● TypeSan approach: – Make type verification explicit, check all cast – Challenge: low overhead 31

  32. Conclusion 32

  33. Are we making progress? 2007 2017 33

  34. Conclusion ● We are making progress! – Attacks are much harder – Require teams, not just single players ● CFI makes attacks harder – Some attack surface remains – Stack integrity, X ⊕ W, ASLR complementary ● Ongoing work: – Precision, type safety, memory safety 34

  35. Thank you! Questions? Mathias Payer, Purdue University http://hexhive.github.io 35

  36. Qualitative Analysis ● Classes of analysis precision for forward edges 1) Ad hoc algorithms, labeling 2) Class-hierarchy analysis 3) Rapid-type analysis 4) Flow or context sensitive analysis 5) Context and flow sensitive analysis 6) Devirtualize through dynamic analysis 36

  37. Flow and Context Sensitivity Flow insensitive: Flow sensitive: Object *o; o = new A(); o → A … o = new B(); o → { A, B } o → B 37

  38. Flow and Context Sensitivity Object *id(Object *o) { return o; } Object *x, *y, *a, *b; Context insensitive: Context sensitive: x = new A(); x → A x → A y = new B(); y → B y → B a = id(x); a → id, id → A a → A, id1 → A b = id(y); b → id, id → { A, B } b → B, id2 → B 38

  39. Trends in Memory Errors* * Victor van der Veen, https://www.vvdveen.com/memory-errors/, updated Feb. 2017 39

Recommend

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation shellcode (aka payload)

652 views • 36 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Lecture 11 Control-flow Hijacking Defenses Stephen Checkoway Oberlin College Slides adapted

Lecture 11 Control-flow Hijacking Defenses Stephen Checkoway Oberlin College Slides adapted

Lecture 11 Control-flow Hijacking Defenses Stephen Checkoway Oberlin College Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation shellcode (aka payload) padding &amp;buf computation +

688 views • 36 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow Hijacking (CFH) Microsoft: 70% of bugs are memory corruptions Control and Data Planes are interleaved Memory corruption Control-Flow

576 views • 34 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Control-Flow-Only Abstract Syntax Trees for Analyzing Students' Programming Progress David

Control-Flow-Only Abstract Syntax Trees for Analyzing Students' Programming Progress David

Control-Flow-Only Abstract Syntax Trees for Analyzing Students' Programming Progress David Hovemeyer, York College of Pennsylvania Arto Hellas, University of Helsinki Andrew Petersen, University of Toronto Mississauga Jaime Spacco, Knox

480 views • 19 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
IC220 MIPS conditional branch instructions (I type): SlideSet #3: Control Flow bne $t0,

IC220 MIPS conditional branch instructions (I type): SlideSet #3: Control Flow bne $t0,

Conditional Control Decision making instructions alter the control flow, i.e., change the &quot;next&quot; instruction to be executed IC220 MIPS conditional branch instructions (I type): SlideSet #3: Control Flow bne $t0,

190 views • 4 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Overview/Questions How do we control the flow of execution within our programs? How can

Overview/Questions How do we control the flow of execution within our programs? How can

CS101 Lecture 24: Python: Decision Making Aaron Stevens 25 March 2009 1 Overview/Questions How do we control the flow of execution within our programs? How can a programs input alter the instructions that get executed? How

226 views • 12 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

560 views • 37 slides
Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J. Mckernan , J.F .Whidborne , G.Papadakis Cranfield University, U.K. Kings College, London, U.K. Optimal Control of

572 views • 22 slides
Information Flow Control by Program Analysis Markus Mller-Olm Westflische

Information Flow Control by Program Analysis Markus Mller-Olm Westflische

Information Flow Control by Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Bordeaux, September 18-20, 2017 Context Work in progress from a joint project with Gregor Snelting

313 views • 19 slides
1. Making SpaceFor Reflection 2. NavigatingAndCommunicatingConstantChange 3. Making Progress

1. Making SpaceFor Reflection 2. NavigatingAndCommunicatingConstantChange 3. Making Progress

1. Making SpaceFor Reflection 2. NavigatingAndCommunicatingConstantChange 3. Making Progress AmidstChaos 4. StayingAheadOfTheCompetition 5. FindingT alentInAGoodEconomy 6. Overwhelm 7. Retaining T opT alent 8. BuildingAStrongManagementT

669 views • 63 slides
Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

CIS330, Week 9 Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow Exceptions Process context switches Creating and destroying processes CIS330 Week 9 Control Flow Computers do Only One Thing

1.08k views • 85 slides

More recommend