data is flowing in the wind a review of data flow
play

Data is Flowing in the Wind: A Review of Data-Flow Integrity - PowerPoint PPT Presentation

Jan 10, 2023 •226 likes •961 views

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program

  1. Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Díez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es

  2. Rationale

  3. Rationale Program Control-Data Defences for Control-Data

  4. Rationale Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  5. Rationale Maybe I should switch to attack non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  6. Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  7. Rationale Maybe I should I can sense a storm switch to attack coming…. non-control data? Non-Control-Data Attacks Are Realistic Threats. Chen et al. Usenix Sec’05 Defences for Program Non-Control-Data Control-Data Program Defences for Non-Control-Data Control-Data

  8. Control Data VS Non-Control-Data Attacks

  9. Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program

  10. Control Data VS Non-Control-Data Attacks Control-Data Attacks Modify the control-flow of a program

  11. Control Data VS Non-Control-Data Attacks Code reuse Code injection Control-Data Attacks Modify the control-flow of a program

  12. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Modify the control-flow of a program

  13. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  14. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  15. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data Code injection Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  16. Control Data VS Non-Control-Data Attacks Code reuse Modify the values of ret, call, jmp instructions Remain invisible to techniques which only focus on control-data What data do they target? Code injection → decision making data, user input etc. Control-Data Attacks Non-Control-Data Attacks Do not affect the control-flow of a Modify the control-flow of a program program

  17. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15

  18. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data

  19. Security-Critical Non-Control Data Chen et al. Usenix Sec’05 Hu et al. Usenix Sec’15 Configuration User identity Decision-making User input data data data data Passwords & private System call Randomised values keys parameters

  20. A sample non-control-data attack

  21. A sample non-control-data attack struct passwd { uid_t pw_uid; ... } *pw; ... int uid = getuid(); pw->pq_uid = uid; // save current uid // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15

  22. A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } From wu-ftpd web server. Hu et al. Usenix Sec’15

  23. A sample non-control-data attack struct passwd int uid = getuid(); pw->pq_uid = uid; // save current uid { // [ format string vulnerability ] uid_t pw_uid; // [ exploit it to overwrite ‘uid ’ ] ... // [ pw->pq_uid = 0; ] } *pw; void passive(void) ... { int uid = getuid(); … pw->pq_uid = uid; // save current uid setuid(0); // become root // [ format string vulnerability ] … ... seteuid(pw->pw_uid); // avoid priv. drop void passive(void) } { … setuid(0); // become root … seteuid(pw->pw_uid); // drop root priv } Circumvents Control Flow Integrity? From wu-ftpd web server. Hu et al. Usenix Sec’15

  24. Data-Flow Stitching Hu et al. Usenix Sec’15

  25. Data-Flow Stitching Hu et al. Usenix Sec’15 s truct passwd { uid_t pw_uid; ... } *pw; … int uid = getuid(); pw->pq_uid = uid; // [ format string vulnerability ] ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  26. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  27. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  28. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  29. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) { … setuid(0); // become root … seteuid(pw->pw_uid); }

  30. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw … seteuid(pw->pw_uid); } &uid Stack address of seteuid’s arg time

  31. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time

  32. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack address of seteuid’s arg time

  33. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack 0 address of seteuid’s arg time

  34. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time

  35. Data-Flow Stitching Hu et al. Usenix Sec’15 Addresses s truct passwd { pw 20 uid_t pw_uid; ... } *pw; &uid 20 … Stack 20 int uid = getuid(); address of pw->pq_uid = uid; seteuid’s arg // [ format string vulnerability ] time ... void passive(void) Addresses { … setuid(0); // become root pw 20 0 … seteuid(pw->pw_uid); } &uid 20 Stack Privilege 0 address of escalation seteuid’s arg time

  36. Data-Oriented Programming (DOP) Hu et al. Oakland’16

Recommend

15 min interval data- shows flow of water to end use 15 min interval data- shows tank top up

15 min interval data- shows flow of water to end use 15 min interval data- shows tank top up

15 min interval data- shows flow of water to end use 15 min interval data- shows tank top up only Base flow represents the constant underlying flow of water. Meaning the water that is always flowing through the pipes at any given time, even

855 views • 25 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Modelling Wind Farm Data and the Short Term Prediction of Wind Speeds An Investigation into Wind

Modelling Wind Farm Data and the Short Term Prediction of Wind Speeds An Investigation into Wind

Data Considerations Current Techniques and Models Data Investigation Conclusion Modelling Wind Farm Data and the Short Term Prediction of Wind Speeds An Investigation into Wind Speed Data Sets Erin Mitchell Lancaster University 6th April

702 views • 29 slides
WWU WIND FEED Software System Review The WWU Wind Feed is a tool to deliver wind information to

WWU WIND FEED Software System Review The WWU Wind Feed is a tool to deliver wind information to

WWU WIND FEED Software System Review The WWU Wind Feed is a tool to deliver wind information to users of the WWU boathouse on Lake Whatcom. Summary The system will collect wind speed data and upload it to the Internet at regular intervals.

89 views • 8 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Update WSWC Spring 2015 Meeting Tulsa, Oklahoma April 16, 2015 Progress Three states flowing

Update WSWC Spring 2015 Meeting Tulsa, Oklahoma April 16, 2015 Progress Three states flowing

Water Data Exchange (WaDE) Update WSWC Spring 2015 Meeting Tulsa, Oklahoma April 16, 2015 Progress Three states flowing data Three states flowing data Can anybody say beta?! Utah, Wyoming, and Colorado - WGA assistance thank you!

574 views • 5 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
CS293S Iterative Data-Flow Analysis Yufei Ding Review: Computing Available Expressions The Big

CS293S Iterative Data-Flow Analysis Yufei Ding Review: Computing Available Expressions The Big

CS293S Iterative Data-Flow Analysis Yufei Ding Review: Computing Available Expressions The Big Picture 1. Build a control-flow graph 2. Gather the initial data: DEE XPR (b) & E XPR K ILL (b) 3. Propagate information around the graph,

477 views • 37 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous Data Flow (SDF) graphs refer to systems where the number of tokens consumed and produced per actor firing is fixed and constant The term synchronous

734 views • 17 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
Flowing for Debaters and Coaches Connecticut Middle School Debate League Sample Flow: General

Flowing for Debaters and Coaches Connecticut Middle School Debate League Sample Flow: General

Flowing for Debaters and Coaches Connecticut Middle School Debate League Sample Flow: General Flowing Tips 1. Keep taglines, warrants, evidence, and impacts on separate lines. a. This allows you to connect responses to specific pieces of

308 views • 7 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why

Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why

Data Flow Coverage 1 Stuart Anderson Stuart Anderson Data Flow Coverage 1 2011 c 1 Why Consider Data Flow? Control Flow: Statement and branch coverage criteria are weak. Condition coverage and path coverage are more costly and

831 views • 20 slides
Chasing the wind: Ground-based Wind Field Construction from Mode-S and ADS-B Data with a Novel

Chasing the wind: Ground-based Wind Field Construction from Mode-S and ADS-B Data with a Novel

Chasing the wind: Ground-based Wind Field Construction from Mode-S and ADS-B Data with a Novel Gas Particle Model Junzi Sun, Huy Vu, Joost Ellerbroek, Jacco Hoekstra Control and Simulation, Faculty of Aerospace Engineering Delft University of

550 views • 26 slides
Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in

Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in

Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in data set dissemination Erik Quaeghebeur Wind Energy Group Delft University of Technology OEEC 2017 EUROS for wind energy 11 October 2017

750 views • 27 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware is parallel while software is sequential We need concurrent high-level models to allow designers to describe systems that are independent of

574 views • 12 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow St d ti d d t fl Direct vs. indirect flow

957 views • 92 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow Direct vs. indirect flow visualization Experimental flow

1.18k views • 92 slides
Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan detection goals and objectives A review of Threshold Random Walk Real time vs. Flow based approaches Bi-flows and Oracles Extensions

522 views • 18 slides
Caches Samira Khan March 23, 2017 Agenda Review from last lecture Data flow model

Caches Samira Khan March 23, 2017 Agenda Review from last lecture Data flow model

Caches Samira Khan March 23, 2017 Agenda Review from last lecture Data flow model Memory hierarchy More Caches The Dataflow Model (of a Computer) Von Neumann model: An instruction is fetched and executed in control flow

729 views • 41 slides
Introduction to Data-flow analysis Last Time Implementing a Mark and Sweep GC Today

Introduction to Data-flow analysis Last Time Implementing a Mark and Sweep GC Today

Introduction to Data-flow analysis Last Time Implementing a Mark and Sweep GC Today Control flow graphs Liveness analysis Register allocation CS553 Lecture Introduction to Data-flow Analysis 1 Data-flow

435 views • 15 slides
Introduction to Big-data Management Review and next steps 1 What We Covered Storage (HDFS)

Introduction to Big-data Management Review and next steps 1 What We Covered Storage (HDFS)

Introduction to Big-data Management Review and next steps 1 What We Covered Storage (HDFS) Query processing (MapReduce, RDD, Hyracks) Higher-level data flow engines (Pig, SparkSQL) Storage formats (row, column, Parquet, LSM indexing) Document

1.12k views • 33 slides
!System(on(Chip!Design! Data!Flow!Modeling! (Based!on!slides!at!ECE!522!at!UNM)! Hao$Zheng$

!System(on(Chip!Design! Data!Flow!Modeling! (Based!on!slides!at!ECE!522!at!UNM)! Hao$Zheng$

!System(on(Chip!Design! Data!Flow!Modeling! (Based!on!slides!at!ECE!522!at!UNM)! Hao$Zheng$ Comp$Sci$&$Eng$ U$of$South$Florida$$ 1 HW/SW Codesign w/ FPGAs Data-Flow Modeling ECE 522 Data-Flow Modeling (A Practical Introduction to HW/SW

771 views • 29 slides

More recommend