preventing brute force attacks against stack canary
play

Preventing brute force attacks against stack canary protector on - PowerPoint PPT Presentation

Jul 01, 2023 •276 likes •721 views

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

  1. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica de Val` encia (Spain) 2013 IEEE 12th International Symposium on Network Computing and Applications August 22-24, 2013

  2. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Table of contents Introduction 1 The problem: Network servers and their threats 2 How we solve it: RAF SSP 3 Conclusions 4

  3. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction Overview Buffer overflows are still a major software threat. [Top 25] One of the most effective protection technique is the stack canary protector (SSP) . Currently employed in most servers: Apache, Lighthttp, etc. Unfortunately, the SSP on network servers is prone to brute force attacks. We have extended the SSP technique to prevent brute force attacks at zero cost: temporal, spacial and implementational!

  4. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction How the Stack Canary Protector works The canary is a random value placed on the stack to detect buffer overflows. When a overflows the canary is corrupted. If the verification of the canary fails → abort() �

  5. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction How the Stack Canary Protector works The canary is a random value placed on the stack to detect buffer overflows. When a overflows the canary is corrupted. If the verification of the canary fails → abort() �

  6. Preventing brute force attacks against stack canary protector on networking servers Hector Marco Introduction How the Stack Canary Protector works The canary is a random value placed on the stack to detect buffer overflows. When a overflows the canary is corrupted. If the verification of the canary fails → abort() �

  7. Preventing brute force attacks against stack canary protector on networking servers Hector Marco The problem: Network servers and their threats Forking servers Processes created with fork() inherit most of its father state. Father and children have the same canary-reference value. Server group of processes child server child child fork() Clients

  8. Preventing brute force attacks against stack canary protector on networking servers Hector Marco The problem: Network servers and their threats Forking servers Processes created with fork() inherit most of its father state. Father and children have the same canary-reference value. Server group of processes child server child child fork() Clients When the attacker guesses an incorrect value, the child is killed by the SSP and a new child with the same canary is started. The attack is modelled as sampling without replacement .

  9. Preventing brute force attacks against stack canary protector on networking servers Hector Marco The problem: Network servers and their threats Brute force attacks Sampling without replacement allows to build brute force attacks . Full search attack: The frame-canary word is overwritten on each trial. If the guessed word is not correct → abort() . 100% success on 93 hours and 46 hours on average. Byte for byte attack: Attackers control the number of overwritten bytes. Overwrite only the first stack canary byte until child does not crash. (same for following bytes). 100% success on 15 sec. and 7 sec. on average. Note: Some systems (i.e x86) set to zero most significant byte.

  10. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Observations and facts Facts: There is only one single reference-canary per process. The canary integrity check is done at the end of each function before returning. Upon return, only the current frame-canary is checked. Each child process of a network server is an error confinement region .

  11. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Observations and facts Facts: There is only one single reference-canary per process. The canary integrity check is done at the end of each function before returning. Upon return, only the current frame-canary is checked. Each child process of a network server is an error confinement region . Observation: After a fork(), the child process terminates by calling exit().

  12. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Core idea “Renew the reference-canary of the child right after the fork() ” RANDOM Server group of processes child server child child fork() Clients

  13. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Core idea “Renew the reference-canary of the child right after the fork() ” RANDOM Server group of processes child server child child fork() Clients When the attacker guesses an incorrect value, the child is killed by the SSP and a new child with a new canary is started. As a result, brute force attacks can not be built .

  14. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 1/21 ������������� � ���������������� ����� ������������ ���������������������� �������������������� �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

  15. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 2/21 �����%�������� ���������������� ����� ������������ ��������� ������������ � �������������������� �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

  16. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 3/21 �����%�������� ���������������� ����� ������������ �� ������ �������������� �������������������� �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

  17. Preventing brute force attacks against stack canary protector on networking servers Hector Marco How we solve it: RAF SSP Stack evolution example: 4/21 �����%�������� ���������������� ����� ������������ ���������������������� �������� ������ ������ �������������������� ������������������� ����� ��� �������� ����� ��������� ������������������ �� �������� ����!����� � ����� �������� ��"����� � �����"����� ��#$!��� � � � �����#$!������

Recommend

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios, Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromytis Columbia University Stony Brook University Brown University 2015 Annual Computer

736 views • 36 slides
Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

467 views • 22 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions Brute force algorithms Divide and Conquer What is the brute force approach to Calculate the n th Fibonacci number? 1. Compute the n th power

387 views • 14 slides
Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com.

Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com.

Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com. WordPress.com Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that

395 views • 27 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Preview question What two methods are mentioned in the StackGuard paper to prevent canary

Preview question What two methods are mentioned in the StackGuard paper to prevent canary

Preview question What two methods are mentioned in the StackGuard paper to prevent canary forgery? CSci 5271 A. terminator canary and random canary Introduction to Computer Security Low-level attacks and defenses B.

320 views • 7 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of Mathematical and Geospatial Sciences RMIT University Melbourne, Australia Benjamin Burton (RMIT) Theorems, Algorithms and Brute Force November

444 views • 21 slides
MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE 473 Day 11 Questions? Donald Knuth Interview Amortization Brute force (if time) Decrease and conquer intro Q1 2 1 Donald

511 views • 11 slides
Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

One-Slide Summary Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and the and analysis to break the Lorenz cipher. Guessed wheel settings were likely to be correct if they resulted in a Story So Far

112 views • 9 slides
Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of Computer Science James Madison University Oct 16, 2015 CS: Just do it! Complete search = try every possibility Should never give you Wrong Answer

399 views • 15 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein (0). given AES Thanks to: He builds an attack machine. University of Illinois at Chicago NSF CCR9983950 Machine 1: His

428 views • 11 slides
Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken Authentication Brute Force Session Spotting Emmanuel Benoist Session Fixation Attack Session Hijacking Fall Term 2020/2021 Session Expiration

638 views • 10 slides
Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data Text Lower Addresses Stack and Base Pointers Stack is made up of stack frames Stack frames contain: parameters, local variables, return

604 views • 45 slides
1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

Outline Bayes theorem Discrete Bayesian classifiers Maximum likelihood classification Brute force Bayesian learning Nave Bayes Lecture 5 Bayesian Belief Networks Bayes theorem Maximum likelihood ( ) ( ) ( ) P x

72 views • 4 slides
Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

[Week 9] Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that finds a solution by trying all possibilities (usually VERY SLOW) - sometimes can be remedied by storing pre-computed values: called

116 views • 7 slides
MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force, Horspool, Boyer Moore STRING SEARCH 1 Brute Force String Search Example The problem: Search for the first occurrence of a pattern of length m in a

326 views • 10 slides
Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

[Week 3] Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all possibilities - related data structures - pruning to eliminate certain possibilities from the search - time complexity: usually really

662 views • 6 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III: Symbolic Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Binary Decision Diagrams -

1k views • 61 slides

More recommend