delta pointers buffer overflow checks without the checks
play

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us - PowerPoint PPT Presentation

Nov 18, 2022 •193 likes •936 views

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

  1. Delta Pointers: Buffer Overflow Checks Without the Checks Tadde¨ us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018

  2. Preview buffer[10] secret 2

  3. Preview buffer[10] secret buffer[5] 2

  4. Preview buffer[10] secret buffer[5] buffer[11] 2

  5. Preview buffer[10] secret secret buffer[5] buffer[11] 2

  6. Preview buffer[10] secret buffer[5] buffer[11] 2

  7. Preview buffer[10] secret buffer[5] buffer[11] Automatic! FAST! - no branches - no mem access 2

  8. Buffer overflows still very common today 3

  9. Bounds checking is slow � % overhead 150 139% 100 94% 80% 72% 64% 50 0 SGXBounds ASan BaggyBounds Low-Fat Pointers MPX 4

  10. What is bounds checking? void foo(char *buffer, size_t n) { buffer[n] = 10; } 5

  11. What is bounds checking? void foo(char *buffer, size_t n) { buffer[n] = 10; Attacker-controlled? } 5

  12. What is bounds checking? void foo(char *buffer, size_t n) { if (n >= SIZE(buffer)) ERROR("overflow"); buffer[n] = 10; } y a l l c a t i m o u t A d e e r t s i n 5

  13. What is bounds checking? void foo(char *buffer, size_t n) { if (n >= SIZE(buffer)) ERROR("overflow"); buffer[n] = 10; Needs metadata } 5

  14. What is bounds checking? void foo(char *buffer, size_t n) { if (n >= SIZE(buffer)) ERROR("overflow"); Branching buffer[n] = 10; Needs check metadata } 5

  15. What is bounds checking? void foo(char *buffer, size_t n) { if (n >= SIZE(buffer)) ERROR("overflow"); Branching buffer[n] = 10; Needs check metadata } Overhead! 5

  16. What is bounds checking? void foo(char *buffer, size_t n) { if (n >= SIZE(buffer)) ERROR("overflow"); Branching buffer[n] = 10; Needs check metadata } E ffi cient solution: Overhead! pointer tagging 5

  17. What is bounds checking? void foo(char *buffer, size_t n) { if (n >= SIZE(buffer)) ERROR("overflow"); Branching buffer[n] = 10; Needs check metadata } Still slow E ffi cient solution: Overhead! pointer tagging 5

  18. Our approach: Delta Pointers ◮ Use pointer tagging ◮ No memory access for metadata lookup ◮ No need for branches ◮ Delegate checks to (off-the-shelf) hardware instead ◮ Focus on common case: upper bound on x86 64 ◮ Mitigates all CVEs reported by related work 6

  19. Our approach: Delta Pointers ◮ Use pointer tagging ◮ No memory access for metadata lookup ◮ No need for branches ◮ Delegate checks to (off-the-shelf) hardware instead ◮ Focus on common case: upper bound on x86 64 ◮ Mitigates all CVEs reported by related work 6

  20. Our approach: Delta Pointers ◮ Use pointer tagging ◮ No memory access for metadata lookup ◮ No need for branches ◮ Delegate checks to (off-the-shelf) hardware instead ◮ Focus on common case: upper bound on x86 64 ◮ Mitigates all CVEs reported by related work 6

  21. Our approach: Delta Pointers % overhead 150 139% 100 94% 80% 72% 64% 50 35% 0 SGXBounds ASan BaggyBounds Low-Fat Pointers Delta Pointers MPX 7

  22. Regular pointers ext virtual address 16 bit 48 bit 00 00 00 e8 02 0c 40 10 8

  23. Regular pointers ext virtual address 16 bit 48 bit 00 00 00 e8 02 0c 40 10 b i t s 1 6 e r p p U r o e z e b u s t m 8

  24. Regular pointers ext ext virtual address virtual address 16 bit 16 bit 48 bit 48 bit 00 00 00 01 00 e8 02 0c 40 10 00 e8 02 0c 40 10 Non-canonical, MMU faults! 8

  25. Tagged pointers tag virtual address 16 bit 48 bit 12 34 00 e8 02 0c 40 10 o n m a t i o r n f d e i c o E n t s ! d b i s e u n u n i 9

  26. Tagged pointers tag virtual address 32 bit 32 bit 12 34 56 78 02 0c 40 10 Shrink address space for bigger tags 9

  27. Delta Pointers tag virtual address 32 bit 32 bit 00 00 00 18 02 0c 40 10 size Size=24 10

  28. Delta Pointers tag virtual address 32 bit 32 bit 00 00 00 18 02 0c 40 1c size W h a Size=24 t a b i n o u t e t r n a l p o i n t e r s ? 10

  29. Delta Pointers tag virtual address 32 bit 32 bit 00 00 00 0c 02 0c 40 1c distance Check upper bound Distance=12 for any pointer 10

  30. Delta Pointers tag virtual address 32 bit 32 bit ff ff ff f4 02 0c 40 1c -distance 10

  31. Delta Pointers tag virtual address 32 bit 32 bit 0 7f ff ff f4 02 0c 40 1c -distance over fl ow bit Set to 1 if out-of-bounds 10

  32. Delta Pointers delta tag virtual address 32 bit 32 bit 0 7f ff ff f4 02 0c 40 1c -distance over fl ow bit Set to 1 if out-of-bounds 10

  33. Instrumentation char *p = malloc(24); 0 00 00 00 00 02 0c 40 10 11

  34. Instrumentation char *p = malloc(24); 0 00 00 00 00 02 0c 40 10 Distance=24 11

  35. Instrumentation char *p = malloc(24); 0 00 00 00 00 0 00 00 00 00 02 0c 40 10 -distance Distance=24 11

  36. Instrumentation char *p = malloc(24); | (-24 << 32); 0 00 00 00 00 0 7f ff ff e8 02 0c 40 10 -24 Distance=24 11

  37. Instrumentation p += 23; +23 0 7f ff ff e8 02 0c 40 27 11

  38. Instrumentation p += 23; +23 0 7f ff ff e8 02 0c 40 27 Replicate arithmetic on tag 11

  39. Instrumentation p += 23; + (23 << 32); +23 +23 0 7f ff ff e8 0 7f ff ff ff 02 0c 40 27 a n c e = 1 D i s t 11

  40. Instrumentation p += 1 + (1 << 32); carry +1 +1 1 00 00 00 00 02 0c 40 28 Distance=0, over fl owed! 11

  41. Instrumentation p += -1 + (-1 << 32); carry -1 -1 0 7f ff ff ff 02 0c 40 27 Distance=1, in-bounds again 11

  42. Instrumentation p += -1 + (-1 << 32); one operation! carry -1 -1 0 7f ff ff ff 02 0c 40 27 Distance=1, in-bounds again 11

  43. Dereferencing an in-bounds pointer 0 7f ff ff ff 02 0c 40 27 12

  44. Dereferencing an in-bounds pointer 0 7f ff ff ff 02 0c 40 27 & 1 00 00 00 00 ff ff ff ff Strips away distance 12

  45. Dereferencing an in-bounds pointer 0 7f ff ff ff 02 0c 40 27 & 1 00 00 00 00 ff ff ff ff 0 00 00 00 00 02 0c 40 27 12

  46. Dereferencing an in-bounds pointer 0 7f ff ff ff 02 0c 40 27 & 1 00 00 00 00 ff ff ff ff 0 00 00 00 00 02 0c 40 27 Normal (in-bounds) pointer, access OK! 12

  47. Dereferencing an out-of-bounds pointer 1 00 00 00 04 02 0c 40 2c 13

  48. Dereferencing an out-of-bounds pointer 1 00 00 00 04 02 0c 40 2c & 1 00 00 00 00 ff ff ff ff 13

  49. Dereferencing an out-of-bounds pointer 1 00 00 00 04 02 0c 40 2c & 1 00 00 00 00 ff ff ff ff 1 00 00 00 00 02 0c 40 2c 13

  50. Dereferencing an out-of-bounds pointer 1 00 00 00 04 02 0c 40 2c & 1 00 00 00 00 ff ff ff ff 1 00 00 00 00 02 0c 40 2c Non-canonical pointer, MMU faults ! 13

  51. Implementation ◮ LLVM based prototype for C/C++ ◮ Stack + heap + globals ◮ 32-bit address → 4GB address space ◮ 31-bit distance → 2GB allocations ◮ Instrument NULL pointer with distance = − 1 ◮ Optimizations: omit instrumentation on in-bounds pointers 14

  52. Pointer tagging breaks things ◮ Uninstrumented libraries // strdup(ptr); TAG(strdup(MASK(ptr))); ◮ Non-zero NULL pointer ◮ Subtraction, addition, multiplication, vectors, etc. ◮ Incomplete type information (e.g., unions) ◮ Compiler quirks ◮ . . . and more ◮ Solved with TBAA + def-use chain analysis ◮ Details in paper 15

  53. Pointer tagging breaks things ◮ Uninstrumented libraries // strdup(ptr); TAG(strdup(MASK(ptr))); ◮ Non-zero NULL pointer ◮ Subtraction, addition, multiplication, vectors, etc. ◮ Incomplete type information (e.g., unions) ◮ Compiler quirks ◮ . . . and more ◮ Solved with TBAA + def-use chain analysis ◮ Details in paper 15

  54. Pointer tagging breaks things ◮ Uninstrumented libraries // strdup(ptr); TAG(strdup(MASK(ptr))); ◮ Non-zero NULL pointer ◮ Subtraction, addition, multiplication, vectors, etc. ◮ Incomplete type information (e.g., unions) ◮ Compiler quirks ◮ . . . and more ◮ Solved with TBAA + def-use chain analysis ◮ Details in paper 15

  55. Pointer tagging breaks things ◮ Uninstrumented libraries // strdup(ptr); TAG(strdup(MASK(ptr))); ◮ Non-zero NULL pointer ◮ Subtraction, addition, multiplication, vectors, etc. ◮ Incomplete type information (e.g., unions) ◮ Compiler quirks ◮ . . . and more ◮ Solved with TBAA + def-use chain analysis ◮ Details in paper 15

  56. Pointer tagging breaks things ◮ Uninstrumented libraries // strdup(ptr); TAG(strdup(MASK(ptr))); ◮ Non-zero NULL pointer ◮ Subtraction, addition, multiplication, vectors, etc. ◮ Incomplete type information (e.g., unions) ◮ Compiler quirks ◮ . . . and more ◮ Solved with TBAA + def-use chain analysis ◮ Details in paper 15

  57. Pointer tagging breaks things ◮ Uninstrumented libraries // strdup(ptr); TAG(strdup(MASK(ptr))); ◮ Non-zero NULL pointer ◮ Subtraction, addition, multiplication, vectors, etc. ◮ Incomplete type information (e.g., unions) ◮ Compiler quirks ◮ . . . and more ◮ Solved with TBAA + def-use chain analysis ◮ Details in paper 15

  58. Evaluation 16

  59. Nginx 0.6 Baseline 0.5 Delta Pointers Latency (ms) 0.4 0.3 0.2 0.1 0 5 10 15 20 25 30 35 40 45 50 55 60 Throughput (x1000 reqs/s) 3-6% (I/O bound) 17

Recommend

SQL vs PostgreSQL 1 Checks in PostgreSQL Tuple-based checks may only refer to attributes of

SQL vs PostgreSQL 1 Checks in PostgreSQL Tuple-based checks may only refer to attributes of

SQL vs PostgreSQL 1 Checks in PostgreSQL Tuple-based checks may only refer to attributes of that relation Attribute-based checks may only refer to the name of the attribute No subqueries allowed! Use triggers for more elaborate

1k views • 72 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking &amp; Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references &amp; buffer overflow K&amp;R:

775 views • 43 slides
Current Frozen Food Industry FDA Regulates Temperatures Temperature Checks: 4-hour

Current Frozen Food Industry FDA Regulates Temperatures Temperature Checks: 4-hour

F REEZE S AFE T EMPERATURE A CTIVATED S AFETY L ABEL Team Blue A Current Frozen Food Industry FDA Regulates Temperatures Temperature Checks: 4-hour interval checks Bi-daily inspection at packing plants Our Solution: FreezeSafe

286 views • 5 slides
Check 1 Check 2 What an Employer Needs to Know About Employee Background Checks James R.

Check 1 Check 2 What an Employer Needs to Know About Employee Background Checks James R.

Check 1 Check 2 What an Employer Needs to Know About Employee Background Checks James R. Hammerschmidt, Esq. Ethan L. Don, Esq. 1 Overview Introduction to criminal background and credit checks and the benefits and concerns they

561 views • 23 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
PERSONNEL CHECKS Streamlining the Licensing Function (Taxis) Offering Seamless Service and

PERSONNEL CHECKS Streamlining the Licensing Function (Taxis) Offering Seamless Service and

PERSONNEL CHECKS Streamlining the Licensing Function (Taxis) Offering Seamless Service and Online payments Automatic system reducing errors Ensuring Compliance with Immigration and Document Checks Reducing the overall risk to

734 views • 6 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
The Lurch Project A word processor that checks your math Past, Present, and Future Nathan Carter

The Lurch Project A word processor that checks your math Past, Present, and Future Nathan Carter

The Lurch Project A word processor that checks your math Past, Present, and Future Nathan Carter Bentley University Category: Software for Experiencing Rules Not computational Maple does math for you. Lurch checks your work. Not a

482 views • 23 slides
Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format layout Buffer Overflow theory Example code Initial Investigation / Assembly Registers Tooling Fuzzing Shellcode /

700 views • 16 slides
Horn Formulas 1 Efficient satisfiability checks In the following: A very efficient

Horn Formulas 1 Efficient satisfiability checks In the following: A very efficient

Propositional Logic Horn Formulas 1 Efficient satisfiability checks In the following: A very efficient satisfiability check for the special class of Horn formulas. Efficient satisfiability checks for arbitrary formulas in CNF:

459 views • 6 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks &amp; other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Evolving the Root Zone technical checks Kim Davies Director, Technical Services ICANN 53,

Evolving the Root Zone technical checks Kim Davies Director, Technical Services ICANN 53,

Evolving the Root Zone technical checks Kim Davies Director, Technical Services ICANN 53, Buenos Aires, Argentina The basics ICANN conducts a set of technical checks for each zone change (e.g. root zone) These are repeated at

446 views • 23 slides
Children and Young People Scrutiny Panel Public Health Update 2 -2 year Health Checks Tooth

Children and Young People Scrutiny Panel Public Health Update 2 -2 year Health Checks Tooth

28/09/17 Children and Young People Scrutiny Panel Public Health Update 2 -2 year Health Checks Tooth decay Immunisation Dr Imran Choudury Director of Public Health 2 -2 year Health Checks Assessing a childs skills and

293 views • 7 slides
Sequence Based 100,071 genomes 96,985 pass quality checks (96.9%)

Sequence Based 100,071 genomes 96,985 pass quality checks (96.9%)

TOPMed Sequencing as of December 2017* http://nhlbi.sph.umich.edu/ Sequence Based 100,071 genomes 96,985 pass quality checks (96.9%) 1,689 flagged for low coverage

671 views • 16 slides

More recommend