memory corruption why we can t have nice things
play

Memory corruption: Why we cant have nice things Mathias Payer - PowerPoint PPT Presentation

Jul 15, 2023 •193 likes •602 views

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

  1. Memory corruption: Why we can’t have nice things Mathias Payer (@gannimo) http://hexhive.github.io

  2. Software is unsafe and insecure ● Low-level languages (C/C++) trade type safety and memory safety for performance – Programmer responsible for all checks ● Large set of legacy and new applications written in C / C++ prone to memory bugs ● Too many bugs to find and fix manually – Protect integrity through safe runtime system

  3. Heartbleed: patching observations ● 11% of servers remained vulnerable after 48 hours ● Patching plateaued at 4% ● Only 10% of vulnerable sites replaced certificates ● 15% of replaced cert's used vulnerable cryptographic keys Heartbleed vulnerable hosts Zakir Durumeric, James Kasten, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Bernhard Amann, Jethro Beekman, Mathias Payer, Vern Paxson, "The Matter of Heartbleed", ACM IMC'14 (best paper)

  4. Heartbleed: patching observations ● 11% of servers remained vulnerable after 48 hours ● Patching plateaued at 4% ● Only 10% of vulnerable sites replaced certificates ● 15% of replaced cert's used vulnerable cryptographic keys Heartbleed vulnerable hosts Update process is slow, incomplete, and incorrect Zakir Durumeric, James Kasten, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Bernhard Amann, Jethro Beekman, Mathias Payer, Vern Paxson, "The Matter of Heartbleed", ACM IMC'14 (best paper)

  5. Memory (Un-)safety

  6. Memory (un-)safety: invalid dereference Dangling pointer: free (foo); (temporal) *foo = 23; Out-of-bounds pointer: char foo[ 40 ]; (spatial) foo[ 42 ] = 23; Violation iff: pointer is read, written, or freed

  7. Memory (un-)safety: type confusion class P { p_data int p_data; c_data c_data }; class C: public P { int c_data; }; P *Pptr = new P; C *Cptr = static_cast < C* >( Pptr ); Cptr->c_data ; // Type confusion!

  8. Two types of attack ● Control-flow hijack attack – Execute Code ● Data-only attack – Change some data used along the way Let’s focus on code execution

  9. Control-flow hijack attack ● Attacker modifies code pointer – Return address on the stack 1 – Function pointer in C – Object’s VTable pointer in C++ 2 3 ● Control-flow leaves valid graph ● Reuse existing code 4 4' – Return-oriented programming – Jump-oriented programming

  10. Control-Flow Hijack Attack int vuln( int usr, int usr2){ Memory 1 void *(func_ptr)(); q int *q = buf + usr; 1 … buf func_ptr = &foo; … *q = usr2; 2 func_ptr func_ptr … 2 (*func_ptr)(); 3 } gadget code

  11. Status of deployed defenses Memory ● Data Execution Prevention (DEP) 0x4 R X 0x ?? - ● Address Space Layout Randomization text (ASLR) ● Stack canaries 0x8?? RW- ● Safe exception handlers data 0xf?? RW- stack

  12. Status of deployed defenses ● ASLR and DEP only effective in combination ● Breaking ASLR enables code reuse – On desktops, information leaks are common – On servers, code reuse attacks have decreased – For clouds: CAIN attack at WOOT'15 – For OS: Dedup Est Machine at S&P’16 – For browsers: Flip Feng Shui at SEC’16

  13. Type Safety, Stack Integrity, and Control-Flow Integrity

  14. Type Safety Object Type class P { int p_data; Pptr P }; (& of object) class C: public P { int c_data; p_data }; P *Pptr = new P; C *Cptr = static_cast < C* >( Pptr ); check // ^- Type confusion detected Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Cristiano Giuffrida, Herbert Bos, Erik van der Kouwe “TypeSan: Practical Type Confusion Detection”. In CCS’16

  15. Stack integrity ● Enforce dynamic restrictions on return instructions ● Protect return instructions through shadow/safe stack void a() { foo(); A B } void b() { foo(); foo } void foo(); Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, Dawn Song, R. Sekar “Code Pointer Integrity”. In OSDI’14

  16. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); return 7;

  17. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); Attacker may write to memory, CHECK_RET(); code ptrs. verified when used return 7;

  18. CFI on the stack void a() { A B foo(); } void b() { foo foo(); } void foo();

  19. Novel Code Reuse Attacks

  20. Control-Flow Bending ● Attacker-controlled execution along “ valid ” CFG – Generalization of non-control-data attacks ● Each individual control-flow transfer is valid – Execution trace may not match non-exploit case ● Circumvents static, fully-precise CFI Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross “Control-Flow Bending”, Usenix SEC'15

  21. CFI's limitation: statelessness ● Each state is verified without context – Unaware of constraints between states ● Bending CF along valid states undetectable – Search path in CFG that matches desired behavior

  22. Weak CFI is broken ● Out of Control: Overcoming CFI Goektas et al., Oakland '14 ● ROP is still dangerous: breaking modern defenses Carlini et al., Usenix SEC '14 ● Stitching the gadgets: on the effectiveness of coarse- grained CFI protection Davi et al., Usenix SEC '14 ● Size does matter: why using gadget-chain length to prevent code-reuse is hard Goektas et al., Usenix SEC '14

  23. Weak CFI is broken ● Out of Control: Overcoming CFI Goektas et al., Oakland '14 Microsoft's Control-Flow Guard is an ● ROP is still dangerous: breaking modern defenses Carlini et al., Usenix SEC '14 instance of a weak CFI mechanism ● Stitching the gadgets: on the effectiveness of coarse- grained CFI protection Davi et al., Usenix SEC '14 ● Size does matter: why using gadget-chain length to prevent code-reuse is hard Goektas et al., Usenix SEC '14

  24. Strong CFI ● Precise CFG: no over-approximation ● Stack integrity (through shadow stack) ● Fully-precise static CFI: a transfer is only allowed if some benign execution uses it ● How secure is CFI? – With and without stack integrity

  25. CFI, no stack integrity: ROP challenges ● Find path to system() in CFG. ● Divert control-flow along this path – Constrained through memory vulnerability ● Control arguments to system()

  26. What does a CFG look like? system() vuln()

  27. What does a CFG look like? Really? system() vuln() memcpy()

  28. Dispatcher functions ● Frequently called ● Arguments are under attacker's control ● May overwrite their own return address Caller Stack memcpy(dst, src, 8) Frame Attacker Data Return memcpy() Address Stack Local Frame Data

  29. Control-Flow Bending, no stack integrity ● CFI without stack integrity is broken – Stateless defenses insufficient for stack attacks – Arbitrary code execution in all cases ● Attack is program-dependent, harder than w/o CFI

  30. Remember CFI? Indirect CF transfers Equivalence classes … 0xa jmpl *%eax 0xb 0xc … call *(0xb) 0xd … 0xd call *(0xc) 0xe call *4(0xc) 0x2 Size of a class 0xf

  31. Existing CFI mechanisms CFI mechanism Forward Edge Backward Edge CFB Google IFCC ~  MS CFG  ~ LLVM-CFI   MCFI/piCFI  ~ Lockdown ~+ 

  32. What if we have stack integrity? ● ROP no longer an option ● Attack becomes harder – Need to find a path through virtual calls – Resort to “restricted COOP” ● An interpreter would make attacks much simpler… – Lets automate!

  33. printf() -oriented programming* ● Translate program to format string – Memory reads: %s – Memory writes: %n – Conditional: %.*d ● Program counter becomes format string counter – Loops? Overwrite the format specific counter ● Turing-complete domain-specific language * Direct fame towards Nicholas Carlini, blame to me

  34. Ever heard of brainfuck? ● > == dataptr++ %1$65535d%1$.*1$d%2$hn ● < == dataptr-- %1$.*1$d %2$hn ● + == *dataptr++ %3$.*3$d %4$hhn ● - == *datapr-- %3$255d%3$.*3$d%4$hhn ● . == putchar(*dataptr) %3$.*3$d%5$hn ● , == getchar(dataptr) %13$.*13$d%4$hn ● [ == if (*dataptr == 0) goto ']' %1$.*1$d%10$.*10$d%2$hn ● ] == if (*dataptr != 0) goto '[' %1$.*1$d%10$.*10$d%2$hn

  35. void loop() { char* last = output; int* rpc = &progn[pc]; while (*rpc != 0) { // fetch -- decode next instruction sprintf(buf, "%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%1$.*1$d%2$hn", *rpc, (short*)(&real_syms)); // execute -- execute instruction sprintf(buf, *real_syms, ((long long int)array)&0xFFFF, &array, // 1, 2 *array, array, output, // 3, 4, 5 ((long long int)output)&0xFFFF, &output, // 6, 7 &cond, &bf_CGOTO_fmt3[0], // 8, 9 rpc[1], &rpc, 0, *input, // 10, 11, 12, 13 ((long long int)input)&0xFFFF, &input // 14, 15 ); // retire -- update PC sprintf(buf, "12345678%.*d%hn", (int)(((long long int)rpc)&0xFFFF), 0, (short*)&rpc); // for debug: do we need to print? if (output != last) { putchar(output[-1]); last = output; } } }

  36. Presenting: printbf* ● Turing complete interpreter ● Relies on format strings ● Allows you to execute “stuff” http://github.com/HexHive/printbf * Direct fame to Nicholas Carlini, blame to me

  37. Conclusion

Recommend

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

www.allthingsnice.in All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to introduce the Indian consumer to all things nice ranging from wines, cognacs ,single malts and beer to cheese, charcuterie

576 views • 42 slides
All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to

www.allthingsnice.in All Things Nice Company Presentation Company Profile All Things Nice (ATN) is a platform to introduce the Indian consumer to all things nice ranging from wines, cognacs ,single malts and beer to cheese, charcuterie

441 views • 40 slides
Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and expensive problem Impractical to manually review code for it Corruption can easily be introduced by unwary changes (again with the

702 views • 45 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

341 views • 4 slides
This is why we can(t) have nice things Timo van der Kuil 16/11/2019 Meeting C++ 1 Who am I

This is why we can(t) have nice things Timo van der Kuil 16/11/2019 Meeting C++ 1 Who am I

This is why we can(t) have nice things Timo van der Kuil 16/11/2019 Meeting C++ 1 Who am I Student Student assistant Research intern Saxion University of Applied Sciences 2 Disclaimer First talk at a conference

1.02k views • 66 slides
Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption measured Complex issue without an exact answer Perception of corruption vs. corruption What can be done? Policy measures Preventive

702 views • 12 slides
Nice Pairing Or, How To Maximise Pair Programming Value Or, How To Make Things Easier On The

Nice Pairing Or, How To Maximise Pair Programming Value Or, How To Make Things Easier On The

Nice Pairing Or, How To Maximise Pair Programming Value Or, How To Make Things Easier On The People Who Work With You Me Former programming teacher Now developing software at Lonely Planet @adelsmee adel.smee@lonelyplanet.com.au Amateur

178 views • 17 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource Centre Anti-Corruption in development: Evolution of practice 1 st generation: the principal-agent problem Corruption = Monopoly + Discretion

417 views • 7 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p

Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p

Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p o CPU reduces the memory overhead for computing yes page # frame # Access the mapping function f but increases the time necessary

201 views • 4 slides
COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr. T.M.Bhasin Vigilance Commissioner, CVC at National Judicial Academy, Bhopal on 04.09.2016 1 Corruption Definition and Cause World Bank

473 views • 43 slides
Memory and Recall: Sticky Revision for Tricky Exams! Our Aim: Teach students things so that

Memory and Recall: Sticky Revision for Tricky Exams! Our Aim: Teach students things so that

Memory and Recall: Sticky Revision for Tricky Exams! Our Aim: Teach students things so that they remember them FOREVER . Develop student skill so they can APPLY knowledge independently. ? Short Term Memory Long Term Memory (Working

993 views • 53 slides
Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe Why? Why? Why? Why? Why? twitter made me do it!

959 views • 92 slides
Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption Introduction Gender and Corruption Women are often perceived as less susceptable to corruption than men. In Mexico City traffic officers all

768 views • 33 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
We Can Have Nice Things Neovim and the state of text editor art in 2019 Neovim

We Can Have Nice Things Neovim and the state of text editor art in 2019 Neovim

We Can Have Nice Things Neovim and the state of text editor art in 2019 Neovim https://neovim.io/ VimConf 2019 https://vimconf.org Presenter Justin M. Keyes https://sink.io/ Previous talks Nvim maintainer. 2016:

1.4k views • 123 slides
Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine

Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine

International Legal Framework Against Corruption Andrii Kukharuk Resident Advisor OECD Anti-Corruption Project for Ukraine Anti-Corruption Workshop for Legal Professionals 19 March, 2015 Kyiv, Ukraine Defining corruption Definition of

407 views • 14 slides
POLI 437: International Relations of Latin America This week Corruption and the Odebrecht

POLI 437: International Relations of Latin America This week Corruption and the Odebrecht

POLI 437: International Relations of Latin America This week Corruption and the Odebrecht Scandal Can transparency reduce corruption? Corruption is an everywhere problem Roasted at Mardi Gras But what is it, exactly? Corruption is

980 views • 68 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
PRESENTATION TO THE 2 ND SESSION OF THE ANTI- CORRUPTION LEARNING NETWORK DETECTING CORRUPTION

PRESENTATION TO THE 2 ND SESSION OF THE ANTI- CORRUPTION LEARNING NETWORK DETECTING CORRUPTION

PRESENTATION TO THE 2 ND SESSION OF THE ANTI- CORRUPTION LEARNING NETWORK DETECTING CORRUPTION THROUGH THE USE OF WHISTLEBLOWING MECHANISMS PRESENTER: MR J. MUDAU DIRECTOR: NACH DATE: 30 JULY 2009 VENUE: SUMMERSTRAND, PORT

231 views • 20 slides
Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Transparency and

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Transparency and

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Transparency and Corruption Introduction Tansparency and corruption In theory, transparency in public spending and bureaucratic activities should reduce corruption:

232 views • 12 slides

More recommend