protecting computer systems
play

Protecting Computer Systems through Eli liminating or Analyzing - PowerPoint PPT Presentation

Nov 24, 2023 •264 likes •2.02k views

Protecting Computer Systems through Eli liminating or Analyzing Vulnerabilities Byoungyoung Lee Georgia Institute of Technology 1 Computers are every rywhere 2 Computers are every rywhere Affecting every aspect of our life 2

  1. Understanding use-after-free (i (in detail) Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; Attacker freed controlled *child *body object Use a dangling pointer doc->child->getAlign(); 18

  2. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; doc->child->getAlign(); 19

  3. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; doc->child->getAlign(); 19

  4. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Body *body = new Body(); Body *body = new Body(); doc->child = body; delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  5. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Body *body = new Body(); Body *body = new Body(); doc->child = body; delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  6. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Static analysis: inter-procedural and points-to analysis Body *body = new Body(); Body *body = new Body(); doc->child = body; Dynamic analysis: precise pointer semantic tracking delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  7. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Static analysis: inter-procedural and points-to analysis Body *body = new Body(); Body *body = new Body(); doc->child = body; Dynamic analysis: precise pointer semantic tracking delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); Difficult to scale for complex systems 19

  8. DangNull • DangNull: Eliminating the root cause of use-after-free • Design • Tracking Object Relationships • Nullifying dangling pointers 20

  9. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair 21

  10. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); 21

  11. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); 21

  12. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc 21

  13. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; 21

  14. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Remove shadow obj : - Using base address (body) Insert shadow obj: - Base address of allocation - Size of Doc delete body; 21

  15. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; back fwd Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  16. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  17. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  18. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body Backward *body 22

  19. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body Backward *body 22

  20. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc This is heavily abstracted pointer semantic tracking, *doc *child Shadow obj. of Body but it is enough to identify all dangling pointers back fwd Body Backward *body 22

  21. Nullify fying dangling pointers • Nullify all backward pointers once the target object is freed • All backward pointers are dangling pointers • Dangling pointers have no semantics Doc *doc *child Body Freed *body 23

  22. Im Implementation • Prototype of DangNull • Instrumentation: LLVM pass, +389 LoC • Runtime: compiler-rt, +3,955 LoC • Target applications • SPEC CPU 2006: one extra compiler and linker flag • Chromium: +27 LoC to .gyp build configuration file 24

  23. Evaluation on Chromium • Runtime overheads • 4.8% and 53.1% overheads in JavaScript and rendering benchmarks, respectively • 7% increased page loading time for Alexa top 100 websites • Safely prevented 7 real-world use-after-free exploits in Chrome 25

  24. 1. Eliminating vulnerabilities DangNull [NDSS 15]: Eliminating use-after-free vulnerabilities CaVer [Security 15]: Eliminating bad-casting vulnerabilities 2. Analyzing vulnerabilities SideFinder: Analyzing timing-channel vulnerabilties 26

  25. Vulnerabilities in Microsoft products Bad-casting Use-after-free Heap-corruption Exploitation Trends: From Potential Risk to Actual Risk, Microsoft 27

  26. Type conversions in C++ ++ • static_cast • Compile-time conversions • Fast: no extra type verification in run-time • dynamic_cast • Run-time conversions • Requires Runtime Type Information (RTTI) • Slow: Extra verification by parsing RTTI • Typically prohibited in performance critical applications 28

  27. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes 29

  28. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes 29

  29. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Element HTMLElement SVGElement 29

  30. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Upcasting Element HTMLElement SVGElement 29

  31. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement 29

  32. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement Upcasting is always safe, but downcasting is not! 29

  33. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; 30

  34. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 30

  35. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 30

  36. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for D vftptr for P int m_P int m_P int m_D Access scope of P* Access scope of D* 30

Recommend

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 Operating Systems Peter Reiher Lecture 18 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for

1.06k views • 62 slides
Protecting Your Property: Protecting Your Property: How How Well Do You Know Your Well Do You Know

Protecting Your Property: Protecting Your Property: How How Well Do You Know Your Well Do You Know

Protecting Your Property: Protecting Your Property: How How Well Do You Know Your Well Do You Know Your Fire Fire Systems Systems Joe Szewczyk, Risk Control Consultant Joe Szewczyk, Risk Control Consultant Objectives Where regulations related

477 views • 29 slides
Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents Against DoS Mobile Agents Against DoS Biljana Cubaleska 1 , Markus Schneider 2 1 University of Hagen, Dept. Of Communication Systems, Germany 2

511 views • 21 slides
GreenFS: Making Enterprise Computers Greener by Protecting Them Better Nikolai Joukov and Josef

GreenFS: Making Enterprise Computers Greener by Protecting Them Better Nikolai Joukov and Josef

Department of Computer Science, Institute for System Architecture, Operating Systems Group GreenFS: Making Enterprise Computers Greener by Protecting Them Better Nikolai Joukov and Josef Sipek Presented by Carsten Weinhold Paper Reading Group,

304 views • 18 slides
Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k

Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k

6/2/20 HealthMatters in our Homes Pr Protecting Ourselves, Pr Protecting Ot Other hers Pa Part 1: Wha What to Wear at Work k and nd Wh Why 1 During this presentation, we will: Summarize what COVID-19 is, how it spreads, and who

463 views • 19 slides
Protecting Interprocess Communications Operating systems provide various kinds of

Protecting Interprocess Communications Operating systems provide various kinds of

Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications Messages Semaphores Shared memory Sockets How can we be sure theyre used properly? Lecture 8 Page 1 CS 236

266 views • 25 slides
IT Security Summary 1. Protecting your equipment from theft 2. Securing access to your computer

IT Security Summary 1. Protecting your equipment from theft 2. Securing access to your computer

IT Security Summary 1. Protecting your equipment from theft 2. Securing access to your computer and to your documents 3. Saving your documents 4. Protection from computer viruses, Spyware or Malware 5. Protection from Phishing 6. How to

700 views • 22 slides
A Case for Protecting Computer Games With SGX Erick Bauman and Zhiqiang Lin System and Software

A Case for Protecting Computer Games With SGX Erick Bauman and Zhiqiang Lin System and Software

Background Overview Detailed Design Case Study Conclusion A Case for Protecting Computer Games With SGX Erick Bauman and Zhiqiang Lin System and Software Security (S 3 ) Lab The University of Texas at Dallas December 12 th , 2016 Background

646 views • 62 slides
Protecting Our Protecting Our Introduction Family Family Globally HIV/AIDS has left its

Protecting Our Protecting Our Introduction Family Family Globally HIV/AIDS has left its

Protecting Our Protecting Our Introduction Family Family Globally HIV/AIDS has left its mark on every continent, with its highest prevalence being in sub Saharan Africa 10% of the worlds population An Assessment of In 2008,

353 views • 6 slides
Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So Hospitals will be paid less unless: Good scores on Incentive payments Meeting 17 clinical processes Funded by 1% cut in base (aspirin,

614 views • 7 slides
Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So

Peer Review: Protecting Your Investment Peer Review: Protecting Your Investment So Hospitals will be paid less unless: Good scores on Incentive payments Meeting 17 clinical processes Funded by 1% cut in base (aspirin,

418 views • 8 slides
Introduc>on 2 A Modern Computer Computer Systems and

Introduc>on 2 A Modern Computer Computer Systems and

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Introduc>on 2 A Modern Computer Computer Systems and

820 views • 62 slides
Computer Systems Lab Stefan M. Freudenberger Computer Systems, ETH Zrich Introduction

Computer Systems Lab Stefan M. Freudenberger Computer Systems, ETH Zrich Introduction

Computer Systems Lab Stefan M. Freudenberger Computer Systems, ETH Zrich Introduction Course Schedule Lecture: Monday 4:15 5:00 p.m. (RZ F21) Recitation: TBD Assignments: in teams, time to be arranged individually

463 views • 31 slides
Distributed HPC Systems ASD Distributed Memory HPC Workshop Computer Systems Group Research

Distributed HPC Systems ASD Distributed Memory HPC Workshop Computer Systems Group Research

Distributed HPC Systems ASD Distributed Memory HPC Workshop Computer Systems Group Research School of Computer Science Australian National University Canberra, Australia November 03, 2017 Day 5 Schedule Computer Systems (ANU)

753 views • 40 slides
Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security

Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security

Protecting the Nations Critical Assets in the 21st Century Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY OPM. Anthem BCBS. Ashley Madison. NATIONAL INSTITUTE OF

506 views • 23 slides
Protecting Steel By Mr. Christopher L. Gibbons Protecting Steel Who are Teamac? 3 rd generation.

Protecting Steel By Mr. Christopher L. Gibbons Protecting Steel Who are Teamac? 3 rd generation.

Protecting Steel By Mr. Christopher L. Gibbons Protecting Steel Who are Teamac? 3 rd generation. Privately owned company. Based in Hull. Weve been making paint since 1908. Who am I? Chris Gibbons. L2 Icorr Paint inspector. 40 years

603 views • 14 slides
Protecting Your Respiratory Health Protecting Your Respiratory Health Tips to Help You Breathe

Protecting Your Respiratory Health Protecting Your Respiratory Health Tips to Help You Breathe

Breathe In, Breathe Out: Protecting Your Respiratory Health Protecting Your Respiratory Health Tips to Help You Breathe Easier The American Lung Association suggests taking these steps to help keep your lungs healthy and reduce the risk of

90 views • 6 slides
Computer Systems Research Ardalan Amiri Sani Computer systems research Finding the right

Computer Systems Research Ardalan Amiri Sani Computer systems research Finding the right

Computer Systems Research Ardalan Amiri Sani Computer systems research Finding the right way to build systems 2 What does it take? Systems programming Programming (i.e., hacking) the OS kernel, hypervisor, core system services,

582 views • 18 slides
Cyber Security in Marine Nuclear Transport Systems Contents: 1. What are we protecting? 2.

Cyber Security in Marine Nuclear Transport Systems Contents: 1. What are we protecting? 2.

Cyber Security in Marine Nuclear Transport Systems Contents: 1. What are we protecting? 2. Why do we need Cyber Security? 3. How do they do it? 4. Cyber incidents and threats why it should be important to you 5. The dangers of

450 views • 18 slides
Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C.

Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C.

Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman Department of Computer Science University of Arizona Presented By: Mohamed Hassan Code Injection What

227 views • 12 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading This is More Like It Inside the Computer: Gates AND Gate 0 0 Input Wires 1 Output Wire 0's & 1's represent low & high voltage,

616 views • 59 slides
PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading This is More Like It Inside the Computer: Gates AND Gate 0 0 Input Wires 1 Output Wire 0's & 1's represent low & high voltage,

1.13k views • 59 slides
61A Lecture 36 Announcements Unix Computer Systems 4 Computer Systems Systems research

61A Lecture 36 Announcements Unix Computer Systems 4 Computer Systems Systems research

61A Lecture 36 Announcements Unix Computer Systems 4 Computer Systems Systems research enables application development by defining and implementing abstractions: 4 Computer Systems Systems research enables application development by

1.65k views • 126 slides

More recommend