i control your code
play

I Control Your Code Attack Vectors through the Eyes of - PowerPoint PPT Presentation

Apr 01, 2023 •401 likes •800 views

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net> Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege

  1. I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net>

  2. Motivation  Current exploits are powerful because  Applications run on coarse-grained user-privilege level  Every exploit has full user-privileges  Local privilege escalation through auxiliary attacks  Tight security-models limit privileges on both  A per-application level and  A per-user level  Idea: each application only has access to the data owned by a specific user that is useful for the application 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 2 12/28/10 2

  3. Fahrplan  Introduction  Protection through virtualization  Attack Vectors  Code Injection  Return-oriented programming  Format String Attacks  Arithmetic Overflow  Data Attacks  x86_64 vs. i386 code  Demo  Conclusion 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 3 12/28/10 3

  4. Introduction  Software security is a challenging problem  Both managed and unmanaged languages are prone to attacks  Many different forms of attacks exist  Low-level bugs are omni-present  And high-level languages compile down to low-level code  Hard to eliminate bugs  They are hard to find and hard to fix 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 4 12/28/10 4

  5. Introduction  Programmers rely on too many assumptions  That are not necessarily part of the semantics of the programming language, e.g.,  Memory layout (little vs. big endian)  Type sizes (long is always 4 byte long)  Variable placement (layout of structures)  Goal of this talk:  Understand attack vectors and constraints  Know how to defend yourself against the attacks  Different techniques and security measurements  Security analysis  Know your assumptions (e.g., language, compiler, architecture) 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 5 12/28/10 5

  6. Fahrplan  Introduction  Protection through virtualization  Attack Vectors  Code Injection  Return-oriented programming  Format String Attacks  Arithmetic Overflow  Data Attacks  x86_64 vs. i386 code  Demo  Conclusion 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 6 12/28/10 6

  7. Protection through virtualization  Like many other problems in CS security can be increased through an additional layer of indirection  We propose a user-space virtualization system that secures all program code and authorizes all system calls v i l e i g r p e ( d l v i l e i g e c r p e ( d n o l e c r S F I d a e n o n c e d a e r d p g e k e s ) u k r a ) application e application r s d u s code code 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 7 12/28/10 7

  8. Protection through virtualization  Security principles:  All code is translated before it is executed. Additional guards are added to the translated code  Catches control flow transfers to illegal locations (code injection)  Catches illegal control flow transfers (arc attacks)  Catches jumps into other instructions  Catches switches between i386 and x86_64  All system calls are authorized by a policy  Catches privilege escalation  Catches data bugs that execute unintended system calls 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 8 12/28/10 8

  9. Virtualization in a nutshell Translator ● Translates individual basic blocks ● Verifies code source / destination ● Checks branch targets and origins Original code Code cache Mapping table R RX 1 1' 1 1' 2 2' 3 3' 2 2' Indirect control … ... flow transfers use a dynamic 3 3' check to verify 4 target and origin  See: Generating Low-Overhead Dynamic Binary Translators (Mathias Payer, youtube.com/watch?v=VIxaQeAHIxs) 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 9 12/28/10 9

  10. Static security guards  Check code location  Exported in module / object as code region  Verify permissions of the page according to the module  Check target of static control transfers  Permission check (through GOT – global offset table) for inter-module transfers  Verify valid instructions from the beginning of a function to the target of the jump instruction 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 10 12/28/10 10

  11. Dynamic security guards  Dynamic checks for dynamic control transfers  Return instructions, indirect calls, indirect jumps  Verify that target is valid and translated  Untranslated targets fall back into the static check  Verify return instructions  Validate stack and use a shadow stack 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 11 12/28/10 11

  12. System call authorization  System calls redirect to an authorization framework  Policy based authorization  For wide variety of system calls and parameter combinations  Authorization functions  For redirected system calls  Reimplementations of system calls in user space  Additional validation of dangerous system calls : mmap (overlapping regions); mprotect (make code executable); fork (new processes); clone (new threads)  System calls are allowed, redirected to the authorization function, or the program is terminated with a security exception 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 12 12/28/10 12

  13. Fahrplan  Introduction  Protection through virtualization  Attack Vectors  Code Injection  Return-oriented programming  Format String Attacks  Arithmetic Overflow  Data Attacks  x86_64 vs. i386 code  Demo  Conclusion 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 13 12/28/10 13

  14. Attack vectors  Attacks redirect control flow  New or alternate locations are reached  Execution is different from unaltered run  An attack exploits the fact that the programmer or the runtime system is unable to check  the bounds of a buffer or  to detect a type overflow or  to detect an out-of-bounds access 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 14 12/28/10 14

  15. Code injection  Injects new executable code into the process image of a running process  Into buffer on the stack  Into heap-based data structures  Redirects control flow to the injected code  Overwriting the RIP (return instruction pointer)  Overwriting function pointers, destructors, or data structures of the memory allocator 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 15 12/28/10 15

  16. Code injection: stack-based  Exploits a missing or incomplete bound check on stack-based buffers  Exploit uses two steps:  Buffer on the stack is filled with machine-code  Stack grows downwards and (eventually) overwrites RIP with pointer back into the buffer  Constraints  Executable stack  Missing/faulty bound check  RIP must not be verified/checked  See: Smashing the Stack for Fun & Profit (Aleph1, Phrack #49) 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 16 12/28/10 16

  17. Code injection: stack-based int foobar(char* cmp) { // assert(strlen(cmp)) < MAX_LEN No bound checks char tmp[MAX_LEN]; when data is strcpy(tmp, cmp); copied! return strcmp(tmp, "foobar"); } length of user input 0xe0 0xe0 tmp exploit & nop slide tmp 0xf0 0xf0 saved base pointer saved base pointer don't care return address return address return address 1 st argument: cmp* 1 st argument: cmp* next stack frame next stack frame 0xff 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 17 12/28/10 17

  18. Code injection: heap-based  Exploits a missing or incomplete bound check on heap-based buffers  Very similar to stack-based overflows  Exploit uses two steps:  Buffer on the heap is filled with machine-code  Function pointer, vtable-entry, (GLIBC) destructor, or memory management data-structure altered to redirect control flow  Constraints  Executable heap  Missing/faulty bound check  Successful redirection of the control flow 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 18 12/28/10 18

  19. Code injection: heap-based typedef struct { char buf[MAX_LEN]; int (*cmp)(char*,char*); No bound checks } vstruct; when data is int is_foobar_heap(vstruct* s, char* cmp) { copied! strcpy(s->buf, cmp); return s->cmp(s->buf, "foobar"); } 0xb0 0xb0 length of user input buf exploit & nop slide buf cmp* cmp* cmp* 0xbf 0xbf 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 19 12/28/10 19

  20. Code injection: a tool writers perspect.  The BT would stop the program when the control flow transfer is detected  Before the shellcode is even translated  Two exceptions would be triggered  Code is (about to be) executed in a non-executable area  Function call to an unexported/unknown symbol (heap-based)  RIP mismatch (stack-based)  Use BT to analyze exploits/shellcode  Catch new exploits and security holes  Use debugging info in application to fix bugs  Use BT to audit your own software / test your exploits 2010-12-28 Mathias Payer (ETH Zurich): I Control Your Code 20 12/28/10 20

Recommend

Control Expressions and Statements Control Control is the study of the semantics of

Control Expressions and Statements Control Control is the study of the semantics of

Control Expressions and Statements Control Control is the study of the semantics of execution paths through code. What gets executed, When, and In what order? 2 Control Control is achieved by two major ways: The use of

461 views • 45 slides
Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful? Key concepts Variations on the basic theme Example version control systems 1/22/2014 (c) 2013 RIT Dept. of Software Engineering 2 Motivation

183 views • 16 slides
Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful?

Version (Source Code) Control SWEN-250 Overview Motivation why is version control useful? Key concepts Variations on the basic theme Example version control systems 1/15/2020 (c) 2013 RIT Dept. of Software Engineering 2 Motivation

226 views • 20 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

OUTLINE SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING + Backward Reasoning Weaker vs. Stronger statements Version control VERSION CONTROL CSE 331 Summer 2018 slides borrowed and

763 views • 11 slides
Coding, Applied Control and Mechatronics Wi-Fi Code QR Code Scanner Accessing supports to date

Coding, Applied Control and Mechatronics Wi-Fi Code QR Code Scanner Accessing supports to date

Problem solving through Coding, Applied Control and Mechatronics Wi-Fi Code QR Code Scanner Accessing supports to date Webinar CPD Workshops To keep up-to-date: Join our mailing List This evening we will Appreciate how

665 views • 45 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
The Evolution of IT Applications: Control of computations hidden in code; integration a

The Evolution of IT Applications: Control of computations hidden in code; integration a

Service Engagements The Evolution of IT Applications: Control of computations hidden in code; integration a nightmare Workflows: Control abstracted out; integration still difficult Standards-driven orchestration: Integration improved;

410 views • 10 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
git and Github git git is a version control system Commonly used by large code development

git and Github git git is a version control system Commonly used by large code development

git and Github git git is a version control system Commonly used by large code development projects to track and commit changes/additions to the codebase. Written by Linus Torvalds to manage the Linux kernel project Other version control

152 views • 14 slides
Introducing the 13 th Code of Practice Due Diligence, Risk Assessment and Control May 2015

Introducing the 13 th Code of Practice Due Diligence, Risk Assessment and Control May 2015

Introducing the 13 th Code of Practice Due Diligence, Risk Assessment and Control May 2015 David Levitt Overview of Code 13 seminars Objectives of DDRAC seminar As a refresher for those who are experienced Introduce DDRAC to new

332 views • 20 slides
6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5

6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5

6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5 Expressions 6.6 Assignments 6.7 Jumps 6.8 Control Structures 6.9 Methods 1 Tasks of Code Generation Generation of machine instructions selecting

802 views • 67 slides
Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482 (Adds new Code Sections: Civil Code 1946.2, 1947.12 and 1947.13) 1946.2 Restricts Certain Owners of Residential Property as to How They Can

369 views • 26 slides
INF5110 Compiler Construction Code generation Spring 2016 1 / 123 Outline 1. Code

INF5110 Compiler Construction Code generation Spring 2016 1 / 123 Outline 1. Code

INF5110 Compiler Construction Code generation Spring 2016 1 / 123 Outline 1. Code generation Intro 2AC and costs of instructions Basic blocks and control-flow graphs Code generation algo Global analysis Bibs 2 / 123 Outline 1. Code

1.61k views • 123 slides
Californias Statewide Rent Control Overview New Eviction and Rent Control Law AB-1482 (Adds

Californias Statewide Rent Control Overview New Eviction and Rent Control Law AB-1482 (Adds

Californias Statewide Rent Control Overview New Eviction and Rent Control Law AB-1482 (Adds new Code Sections: Civil Code 1946.2, 1947.12 and 1947.13) 1947.12 Restricts Rental Increases for Specific Owners 1947.13 Provides

840 views • 24 slides
Standards (code and otherwise) often talk about code standards, but many teams also use

Standards (code and otherwise) often talk about code standards, but many teams also use

Standards (code and otherwise) often talk about code standards, but many teams also use document standards, version control standards, bug reporting standards, process standards, etc goal is to reduce confusion, errors, omissions in

529 views • 5 slides
Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code

Intermediate Representation Abstract syntax tree, control- flow graph, three-address code cs5363 1 Intermediate Code Generation Intermediate language between source and target Multiple machines can be targeted Attaching a

400 views • 19 slides
Unit 7 'while' Loops 2 Control Structures We need ways of making decisions in our program

Unit 7 'while' Loops 2 Control Structures We need ways of making decisions in our program

1 Unit 7 'while' Loops 2 Control Structures We need ways of making decisions in our program To repeat code until we want it to stop To only execute certain code if a condition is true To execute one segment of code or another

487 views • 23 slides
SECTION 1: CODE REASONING + VERSION CONTROL CSE 331 Summer 2018 slides borrowed and adapted

SECTION 1: CODE REASONING + VERSION CONTROL CSE 331 Summer 2018 slides borrowed and adapted

SECTION 1: CODE REASONING + VERSION CONTROL CSE 331 Summer 2018 slides borrowed and adapted from Alex Mariakis and CSE 390a, CSE 331 lecture slides, and Justin Bare and Deric Pang Section 1 slides. OUTLINE Introductions Code

447 views • 41 slides
Introduction One OS function is to control devices significant fraction of code (80-90% of

Introduction One OS function is to control devices significant fraction of code (80-90% of

Introduction One OS function is to control devices significant fraction of code (80-90% of Linux) Want all devices to be simple to use convenient Operating Systems ex: stdin/stdout , pipe, re-direct Want to optimize

376 views • 5 slides
Co Code s e safety ( ty (contd) &amp;&amp; Acce ccess control CS 161: Computer Security

Co Code s e safety ( ty (contd) &amp;&amp; Acce ccess control CS 161: Computer Security

Co Code s e safety ( ty (contd) &amp;&amp; Acce ccess control CS 161: Computer Security Prof. Raluca Ada Popa January 23, 2018 Announcements Homework 1 is out, due in a week Dean approved class expansion, three new discussion

1.05k views • 80 slides
One Person, One Lock Control of Hazardous Energy H&amp;S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&amp;S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&amp;S Program Standard 7-45 Course Code 600009 TRACCESS Module - 2017 Control of Hazardous Energy Training BU Specific Group BU Competency Lockout Increasing Competency Group

1.07k views • 37 slides
ASP4100 Introduction to honours computing Version control with git + advanced Fortran 1 Version

ASP4100 Introduction to honours computing Version control with git + advanced Fortran 1 Version

School of Physics and Astronomy ASP4100 2016 ASP4100 Introduction to honours computing Version control with git + advanced Fortran 1 Version control with git It begins with I broke the code, what if I could just go back to how the code was

660 views • 12 slides
Version Control Using Subversion 1 September 2020 OSU CSE 2 Version Control In team

Version Control Using Subversion 1 September 2020 OSU CSE 2 Version Control In team

Version Control Using Subversion 1 September 2020 OSU CSE 2 Version Control In team projects, software engineers: Share and extend a common code base (and comply with standards, coding conventions, comment templates, ) Work

688 views • 20 slides

More recommend