protecting computer systems
play

Protecting Computer Systems through Eli liminating or Analyzing - PowerPoint PPT Presentation

Protecting Computer Systems through Eli liminating or Analyzing Vulnerabilities Byoungyoung Lee Georgia Institute of Technology 1 Computers are every rywhere 2 Computers are every rywhere Affecting every aspect of our life 2


  1. Understanding use-after-free (i (in detail) Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; Attacker freed controlled *child *body object Use a dangling pointer doc->child->getAlign(); 18

  2. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; doc->child->getAlign(); 19

  3. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Body *body = new Body(); doc->child = body; delete body; doc->child->getAlign(); 19

  4. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Body *body = new Body(); Body *body = new Body(); doc->child = body; delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  5. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Body *body = new Body(); Body *body = new Body(); doc->child = body; delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  6. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Static analysis: inter-procedural and points-to analysis Body *body = new Body(); Body *body = new Body(); doc->child = body; Dynamic analysis: precise pointer semantic tracking delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); 19

  7. Challenges in identify fying dangling pointers Doc *doc = new Doc(); Doc *doc = new Doc(); Static analysis: inter-procedural and points-to analysis Body *body = new Body(); Body *body = new Body(); doc->child = body; Dynamic analysis: precise pointer semantic tracking delete body; doc->child = body; delete body; doc->child->getAlign(); doc->child->getAlign(); Difficult to scale for complex systems 19

  8. DangNull • DangNull: Eliminating the root cause of use-after-free • Design • Tracking Object Relationships • Nullifying dangling pointers 20

  9. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair 21

  10. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); 21

  11. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); 21

  12. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc 21

  13. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; 21

  14. Tracking object relationships • Intercept allocations/deallocations in runtime • Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Remove shadow obj : - Using base address (body) Insert shadow obj: - Base address of allocation - Size of Doc delete body; 21

  15. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; back fwd Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  16. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  17. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body *body 22

  18. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body Backward *body 22

  19. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body Backward *body 22

  20. Tracking object relationships • Instrument pointer propagations • Maintain backward/forward pointer trees for a shadow obj Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc This is heavily abstracted pointer semantic tracking, *doc *child Shadow obj. of Body but it is enough to identify all dangling pointers back fwd Body Backward *body 22

  21. Nullify fying dangling pointers • Nullify all backward pointers once the target object is freed • All backward pointers are dangling pointers • Dangling pointers have no semantics Doc *doc *child Body Freed *body 23

  22. Im Implementation • Prototype of DangNull • Instrumentation: LLVM pass, +389 LoC • Runtime: compiler-rt, +3,955 LoC • Target applications • SPEC CPU 2006: one extra compiler and linker flag • Chromium: +27 LoC to .gyp build configuration file 24

  23. Evaluation on Chromium • Runtime overheads • 4.8% and 53.1% overheads in JavaScript and rendering benchmarks, respectively • 7% increased page loading time for Alexa top 100 websites • Safely prevented 7 real-world use-after-free exploits in Chrome 25

  24. 1. Eliminating vulnerabilities DangNull [NDSS 15]: Eliminating use-after-free vulnerabilities CaVer [Security 15]: Eliminating bad-casting vulnerabilities 2. Analyzing vulnerabilities SideFinder: Analyzing timing-channel vulnerabilties 26

  25. Vulnerabilities in Microsoft products Bad-casting Use-after-free Heap-corruption Exploitation Trends: From Potential Risk to Actual Risk, Microsoft 27

  26. Type conversions in C++ ++ • static_cast • Compile-time conversions • Fast: no extra type verification in run-time • dynamic_cast • Run-time conversions • Requires Runtime Type Information (RTTI) • Slow: Extra verification by parsing RTTI • Typically prohibited in performance critical applications 28

  27. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes 29

  28. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes 29

  29. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Element HTMLElement SVGElement 29

  30. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Upcasting Element HTMLElement SVGElement 29

  31. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement 29

  32. Upcasting and Downcasting • Upcasting • From a derived class to its parent class • Downcasting • From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement Upcasting is always safe, but downcasting is not! 29

  33. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; 30

  34. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 30

  35. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 30

  36. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for D vftptr for P int m_P int m_P int m_D Access scope of P* Access scope of D* 30

Recommend


More recommend