memory un safety
play

Memory (un)safety Deian Stefan Some slides adopted from Nadia - PowerPoint PPT Presentation

Apr 07, 2024 •376 likes •1.16k views

CSE 127: Computer Security Memory (un)safety Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, Stephen Checkoway, Hovav Shacham, Raluca Popal, and David Wagner Today Return oriented programming (ROP)

  1. CSE 127: Computer Security Memory (un)safety Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, Stephen Checkoway, Hovav Shacham, Raluca Popal, and David Wagner

  2. Today • Return oriented programming (ROP) • Control flow integrity

  3. Last time: return-to-libc • Defense: W^X makes the stack not executable ➤ Prevents attacker data from being interpreted as code • What can we do (as the attacker)? ➤ Reuse existing code (either program or libc) ➤ E.g., use system(“/bin/sh”) ➤ E.g., use mprotect () to mark stack executable

  4. Return-to-libc is great, but…. what if there is no function that does what we want?

  6. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham ∗ hovav@cs.ucsd.edu

  7. Return-Oriented Programming

  8. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc.

  9. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. ret Steve Checkoway ret Dino Dai Zovi

  10. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc.

  11. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions?

  12. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions? ➤ End of function (inserted by compiler)

  13. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions? ➤ End of function (inserted by compiler) ➤ Any sequence of executable memory ending in 0xc3

  15. x86 instructions • Variable length! • Can begin on any byte boundary!

  16. One ret, multiple gadgets mov $0x1,%eax pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  17. One ret, multiple gadgets add %al,(%eax) pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  18. One ret, multiple gadgets add %bl,-0x37(%eax) = b8 01 00 00 00 5b c9 c3 ret

  19. One ret, multiple gadgets pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  20. One ret, multiple gadgets leave = b8 01 00 00 00 5b c9 c3 ret

  21. One ret, multiple gadgets = b8 01 00 00 00 5b c9 c3 ret

  22. Why is ret ? • Attacker overflows stack allocated buffer • What happens when function returns? ➤ Restore stack frame ➤ leave = movl %ebp, %esp; pop %ebp ➤ Return ➤ ret = pop %eip • If instruction sequence at %eip ends in ret 
 what do we do?

  23. What happens if this is what we overflow the stack with? v 1 pop %edx %esp ret

  24. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef 0x08049bbc %esp relevant code: 0x08049b62: nop %eip 0x08049b63: ret ... 0x08049bbc: pop %edx 0x08049bbd: ret

  25. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef 0x08049bbc %esp relevant code: 0x08049b62: nop 0x08049b63: ret %eip ... 0x08049bbc: pop %edx 0x08049bbd: ret

  26. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef %esp 0x08049bbc relevant code: 0x08049b62: nop 0x08049b63: ret ... 0x08049bbc: pop %edx %eip 0x08049bbd: ret

  27. relevant register(s): %edx = 0xdeadbeef relevant stack: %esp 0xdeadbeef 0x08049bbc relevant code: 0x08049b62: nop 0x08049b63: ret ... 0x08049bbc: pop %edx %eip 0x08049bbd: ret

  28. This is a ROP gadget! v 1 pop %edx %esp ret movl v 1, %edx

  29. 
 
 
 How dow you use this as an attacker? • Overflow the stack with values and addresses to such gadgets to express your program • E.g., if shellcode needs to write a value to %edx , use the previous gadget 
 v 1 pop %edx %esp ret

  30. Let’s look at another gadget mov %eax, %(ebx) ret v 2 pop %ebx ret v 1 pop %eax %esp ret

  31. relevant register(s): %eax = 0x00000000 %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret %eip ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc %esp 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  32. relevant register(s): %eax = 0x00000000 %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef %esp 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... %eip 0x08049bbc: pop %eax 0x08049bbd: ret

  33. relevant register(s): %eax = 0xdeadbeef %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret %esp ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret %eip

  34. relevant register(s): %eax = 0xdeadbeef %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe %esp 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx %eip 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  35. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: %esp 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc %eip 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  36. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0x00000000 %esp 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) %eip 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  37. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0xdeadbeef %esp 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret %eip ... 0x08049bbc: pop %eax 0x08049bbd: ret

  38. What does this gadget do? mov %eax, %(ebx) ret v 2 pop %ebx ret v 1 pop %eax %esp ret movl v 2, %ebx movl v 1, %(%ebx)

  39. What does this gadget do? pop %esp %esp ret

  40. Can express arbitrary programs

  41. Can find gadgets automatically

  42. Return-oriented programming not even really about “returns”…

  43. What the heck do we do? Observation: In almost all the attacks we looked at, the attacker is overwriting jump targets that are in memory (return addresses and function pointers)

  44. Control Flow Integrity • Idea: don’t try to stop the memory writes. Instead: restrict control flow to legitimate paths ➤ I.e., ensure that jumps, calls, and returns can only go to allowed target destinations

  45. Restrict indirect transfers of control

  46. Restrict indirect transfers of control • Why do we not need to do anything about direct transfer of control flow (i.e., direct jumps/calls)?

  47. Restrict indirect transfers of control • Why do we not need to do anything about direct transfer of control flow (i.e., direct jumps/calls)? ➤ Address is hard-coded in instruction. Not under attacker control

  48. Restrict indirect transfers of control

  49. Restrict indirect transfers of control • What are the ways to transfer control indirectly?

  50. Restrict indirect transfers of control • What are the ways to transfer control indirectly? • Forward path: jumping to (or calling function at) an address in register or memory ➤ E.g., qsort, interrupt handlers, virtual calls, etc. • Reverse path: returning from function (uses address on stack)

  51. 
 
 What’s a legitimate target? Look at the program control-flow graph (CFG)! void sort2(int a[],int b[], int len { 
 sort(a, len, lt); 
 sort(b, len, gt); 
 } 
 bool lt(int x, int y) { return x < y; } 
 bool gt(int x, int y) { return x > y; }

  52. 
 
 What’s a legitimate target? Look at the program control-flow graph (CFG)! void sort2(int a[],int b[], int len { 
 sort(a, len, lt); 
 sort(b, len, gt); 
 } 
 sort2() bool lt(int x, int y) { return x < y; call sort } 
 bool gt(int x, int y) { call sort return x > y; ret }

Recommend

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA &amp; SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

827 views • 47 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure Software Systems Day 2: Memory Safety Introduction Reversing the stack Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

440 views • 4 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained Contracts Preprocessor Safety Whimsical execution Garbage collection Explicit memory management Memory initialization

967 views • 63 slides
1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC Computing Computing + Fabric SoC Memory HYPERCONVERGED Exascale EDGE DEVICE SYSTEM Eliminate data movement via shared

400 views • 11 slides
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Eternal War in Memory Table of Contents

658 views • 38 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya,

Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya,

Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya, Technion Sandeep Hans, Technion Alexey Gotsman, IMDEA Noam Rinetzky, Tel-Aviv University TM Consistency Conditions VWC TMS1 Opacity [Guerraoui

183 views • 16 slides
Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a programming language that is not memory safe. Without memory safety, there is no way to guarantee separation of memory used by different program

413 views • 30 slides
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko ,

SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko ,

SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko , Sergei Arnautov , Bohdan Trach , Pramod Bhatotia * , Pascal Felber , Christof Fetzer TU Dresden, * The University of Edinburgh,

1.51k views • 87 slides
UMBC M A L F T U M B C I O M Y O T R 1 (April 10, 2000 12:36 pm) I E S R C

UMBC M A L F T U M B C I O M Y O T R 1 (April 10, 2000 12:36 pm) I E S R C

Systems Programming 8086/88 Memory Interface II CMPE 310 Memory Address Decoding The processor can usually address a memory space that is much larger than the memory space covered by an individual memory chip. In order to splice a memory device

713 views • 21 slides
Numbers in C Balance Sheet so far Lost Gained Contracts Preprocessor Safety

Numbers in C Balance Sheet so far Lost Gained Contracts Preprocessor Safety

Numbers in C Balance Sheet so far Lost Gained Contracts Preprocessor Safety Undefined behavior Garbage collection Explicit memory management Memory initialization Separate compilation Well-behaved arrays

826 views • 45 slides
1 Brenda Milner 1918 There are Two Major Forms of Long Term Memory Explicit (Declarative)

1 Brenda Milner 1918 There are Two Major Forms of Long Term Memory Explicit (Declarative)

The Study of Memory Has Two Parts: Cellular Mechanisms of Learning (1) The Systems Problem of Memory: Where in the brain is memory stored? and the Biological Basis of Individuality (2) The Molecular Problem of Memory: How is memory stored at

536 views • 8 slides
Memory Safety (contd) Software Security CS 161: Computer Security Prof. Raluca Ada Popa

Memory Safety (contd) Software Security CS 161: Computer Security Prof. Raluca Ada Popa

Memory Safety (contd) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office hours start next week Join

816 views • 54 slides
CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson,

CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson,

CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson, Alexander Richardson, Peter G. Neumann, Simon W. Moore, John Baldwin, David Chisnall, James Clarke, Nathaniel Wesley Filardo, Khilan Gudka, Alexandre

430 views • 29 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Memory &amp; Game Content 1 Memory is precious Memory is precious, especially on simpler

Memory &amp; Game Content 1 Memory is precious Memory is precious, especially on simpler

Memory &amp; Game Content 1 Memory is precious Memory is precious, especially on simpler devices. Even on PCs need to be cautious, using too much memory tends to drive you off a performance cliff Memory fragmentation (or address space

700 views • 13 slides

More recommend