return address integrity
play

Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. - PowerPoint PPT Presentation

Jan 11, 2023 •484 likes •852 views

RAI : Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias Payer 2 1 2 3 4 Sandia National Laboratories is a multimission laboratory managed and operated by National

  1. μRAI : Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias Payer 2 1 2 3 4 Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned 1 subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

  2. Current State of Security [1] [2] [3] Target: Embedded and IoT devices Running Microcontroller Systems (MCUS) Attack: Control-flow Hijacking [1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/ [2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/ [3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical 2

  3. MCUS Challenges Desktop MCUS ✓ Large virtual memory  Small physical memory … … (GBs) (MBs Flash, KBs RAM) 0x08055555 0x08999555 … Stack (code) Flash … … … … ✓ Basic defenses  Basic defenses 0x08000000 … Code (e.g., ASLR) (e.g., ASLR) Memory 0x08777222 0x08022222 Heap … 0x02050000 Stack … ✓ Smaller code Larger code … (Data) 0x08555111 0x08011111 Data RAM Heap … … Code ✓ DEP  DEP 0x08111000 0x08000000 0x02000000 Data (Disabled → Fixable) 3

  4. MCUS Defenses for Return Addresses (Conceptual) Special hardware required Without extra hardware Safe Stack Overhead Shadow Shadow + Stack Stack High Software Runtime Overhead + + Fault MPU TEE Isolation 10% Randomized CFI μ RAI Safe Stack Limited Security Guarantees Usage Location Integrity Security Return Address Integrity + Low runtime overhead + No special hardware 4

  5. MCUS Defenses for Return Addresses (Related Work) Special hardware required Without extra hardware Overhead CFI CaRE (Shadow stack) High Runtime Overhead [RAID17] RECFISH ACES [ECRTS19] [SEC18] 10% LR 2 [NDSS16] SCFP [EuroS&P18] Minion EPOXY C-FLAT μ Armor uXOM Symbiote [NDSS18] LiteHAX (SafeStack ) [CCS16] μ RAI [SEC19] [RAID11] [EuroS&P19] [ICCAD18] [S&P17] Limited Security Guarantees Usage Integrity Location Security Return Address Integrity + Low runtime overhead + No special hardware 5

  6. Return Address Integrity (RAI) • Every attack requires corrupting a return addresses by overwriting it • Main limitation of defenses → return addresses are in writable memory RAI Property: • Example: Information hiding 1. Ensure the return address is never writable except by an authorized instruction 2. Return addresses are never pushed to the stack or any writable memory by an adversary • Key solution is to prevent an attacker from corrupting return addresses 6

  7. Threat Model & μ RAI Protection μ RAI Normal application main main Unprivileged • Reads from memory • Writes to memory • Knows the code layout Func1 Func2 Func1 Func2 • Targets backward-edges Corrupt Func3 Func3 return address Func4 Func4 Privileged Func5 Func6 MPU, VTOR Func5 Func6 MPU, VTOR Corrupt return address Func7 Func7 or corrupt sensitive Memory Mapped IO (MMIO) : Normal function : Callable within exception handler : MMIO : State register encoding : Software-Fault Isolation (SFI) 7

  8. μ RAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Low runtime overhead Relative jump target lookup routine 8

  9. μ RAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Low runtime overhead Relative jump target lookup routine 9

  10. μ RAI and the State Register • State Register (SR): • Can be any general-purpose register → exclusively used by μ RAI • Never spilled → cannot be overwritten through a memory corruption • Does not contain a return address → encoded values to resolve the return location • Example call graph: 1 • Each edge → call SR Func2 reads the SR to resolve main Func1 Func2 the correct return location • How encode SR? 2 SR • An XOR chain 10

  11. μ RAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … • Function Keys (FKs): Hard-coded keys used to encode the SR 11

  12. μ RAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • Function IDs (FIDs): Possible values of the SR for the function 12

  13. μ RAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • Function Lookup Table (FLT): List of FIDs for the function 13

  14. μ RAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • Encode the SR and call Func2 14

  15. μ RAI: Transformation SR [Recursive] SR [Encoded] C ⊕ key1 0 Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • Func2 reads the SR and executes the corresponding direct jump 15

  16. μ RAI: Transformation SR [Recursive] SR [Encoded] C ⊕ key1 0 Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • Func2 returns correctly and the SR is decoded 16

  17. μ RAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • The previous SR value is restored 17

  18. μ RAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … … … SR[Enc] = SR[Enc] ⊕ key1 … … … Call Func2 … … SR[Enc] = SR[Enc] ⊕ key1 Func1_1 … … … … … … … SR[Enc] = SR[Enc] ⊕ key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] ⊕ key2 … … … … Function ID (FID) Return Target Function ID (FID) Return Target C ⊕ key1 C Jump return_location1 Jump Func1_1 ELSE Jump ERROR C ⊕ key2 Jump Func1_2 ELSE Jump ERROR • The same happens for other calls. Func1 can then return correctly 18

  19. μ RAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Low runtime overhead Relative jump target lookup routine 19

Recommend

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and

771 views • 59 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP

Control Flow Integrity Recap Buffer overflow Mitigation techniques WOX/DEP Return-to-libc RoP (Return-oriented Programming) StackGuard (insert canaries on stack) PointGuard (encrypt the pointers) ASLR CFI

809 views • 42 slides
Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer

Outline Return address protections ASLR and counterattacks CSci 5271 Introduction to Computer Security W X (DEP) Low-level defenses and counterattacks Announcements (combined lecture) Return-oriented programming (ROP) Stephen McCamant

699 views • 12 slides
Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern

Outline Return-oriented programming (ROP) Control-flow integrity (CFI) CSci 5271 More modern exploit techniques Introduction to Computer Security Announcements intermission Day 7: Defensive programming and design, part 1 Saltzer &amp;

579 views • 15 slides
Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to

Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to

Outline Exploiting other vulnerabilities Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and BCECHO demo counterattacks ASLR and counterattacks Stephen McCamant

528 views • 10 slides
Return to Learn Forw rward WJCC Sch chools Jun June 16, 2020 INDIVIDUALISM | INTEGRITY |

Return to Learn Forw rward WJCC Sch chools Jun June 16, 2020 INDIVIDUALISM | INTEGRITY |

Return to Learn Forw rward WJCC Sch chools Jun June 16, 2020 INDIVIDUALISM | INTEGRITY | INNOVATION | ACCOUNTABILITY | COLLABORATION Closure of f Schools TIME March 13 March 23 April 6 - 10 April 13 - 17 April 20 1 2 3 4 5 WJCC

114 views • 7 slides
1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our software Interest in Control Flow Integrity(CFI) Data execution prevention (DEP), stack smashing protection (SSP), address space layout

673 views • 34 slides
Allow me to first express genuine appreciation for your invitation to address the staff this

Allow me to first express genuine appreciation for your invitation to address the staff this

ADDRESS TO THE STAFF OF CAMPION COLLEGE ON THE IMPORTANCE OF CHARACTER FORMATION IN 21 ST CENTURY EDUCATION OCTOBER 14, 2015 PRESENTATION BY PROFESSOR TREVOR MUNROE, EXECUTIVE DIRECTOR, NATIONAL INTEGRITY ACTION (Please Check Against Delivery)

466 views • 15 slides
Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and counterattacks ASLR and counterattacks Stephen McCamant University of Minnesota, Computer Science &amp;

616 views • 7 slides
Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and counterattacks ASLR and counterattacks Stephen McCamant University of Minnesota, Computer Science &amp;

269 views • 5 slides
STAY HEALTHY | RETURN SMARTER | RETURN STRONGER THANK YOU STAY HEALTHY | RETURN SMARTER | RETURN

STAY HEALTHY | RETURN SMARTER | RETURN STRONGER THANK YOU STAY HEALTHY | RETURN SMARTER | RETURN

STAY HEALTHY | RETURN SMARTER | RETURN STRONGER THANK YOU STAY HEALTHY | RETURN SMARTER | RETURN STRONGER STAY HEALTHY. RETURN SMARTER. RETURN STRONGER. CALM &amp; STEADY URGENT ACTION TO PROTECT PUBLIC HEALTH APPROACH LATER TIMING AND

499 views • 37 slides
Iteration Announcements Return Return Statements A return statement completes the evaluation of

Iteration Announcements Return Return Statements A return statement completes the evaluation of

Iteration Announcements Return Return Statements A return statement completes the evaluation of a call expression and provides its value f(x) for user-defined function f : switch to a new environment; execute f's body return statement within f :

234 views • 8 slides
Professional Integrity to Testing &amp; Certification Practitioners Integrity Training for PCSTP

Professional Integrity to Testing &amp; Certification Practitioners Integrity Training for PCSTP

Professional Integrity to Testing &amp; Certification Practitioners Integrity Training for PCSTP Applicants Hong Kong Ethics Development Centre Independent Commission Against Corruption Competence Requirement Integrity Management

574 views • 23 slides
LESSONS LEARNED Research Integrity Some Thoughts Integrity is doing the right thing when

LESSONS LEARNED Research Integrity Some Thoughts Integrity is doing the right thing when

Mr. Gianfranco Scipione, M.Sc., J.D./M.B.A. Manager, Research Integrity UHN Research Ms. Katie Roposa, BScN, MEd, RN, CMQ/OE Director, Research Quality Integration UHN Research LESSONS LEARNED Research Integrity Some Thoughts Integrity

623 views • 21 slides
Going Remote with Integrity 3.0: Your Academic Integrity Policy Gone Virtual Dr. James Earl Orr,

Going Remote with Integrity 3.0: Your Academic Integrity Policy Gone Virtual Dr. James Earl Orr,

Going Remote with Integrity 3.0: Your Academic Integrity Policy Gone Virtual Dr. James Earl Orr, Jr. April 9, 2020 Caveat to Presentation True Promotion of Academic Integrity Involves a Coordinated Campus Conversation Faculty, Students,

464 views • 44 slides
Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional

Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional

Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional integrity? What evidence shows BC is trustworthy? I.C: Institutional Integrity Standard #1: We make sure the information we give is

227 views • 6 slides
Integrity 1. Perspective Five Steps to Decision Integrity Dialogue grows perspective about

Integrity 1. Perspective Five Steps to Decision Integrity Dialogue grows perspective about

GOOD DECISION 5. Connection 4. Alignment 3. Priority 2. Importance Integrity 1. Perspective Five Steps to Decision Integrity Dialogue grows perspective about stakeholders and values. Integrity is rooted in open, honest examination of stakeholder

431 views • 15 slides
Returns Optimization 101 Episode 7: Examining Return Reasons Power of Return Reasons Return

Returns Optimization 101 Episode 7: Examining Return Reasons Power of Return Reasons Return

Returns Optimization 101 Episode 7: Examining Return Reasons Power of Return Reasons Return rates are great for identifying products to check out Return reasons allow you to dive into those returns and summarize them very quickly Proportion

326 views • 10 slides
Return Return Statements A return statement completes the evaluation of a call expression and

Return Return Statements A return statement completes the evaluation of a call expression and

Return Return Statements A return statement completes the evaluation of a call expression and provides its value f(x) for user-defined function f : switch to a new environment; execute f's body return statement within f : switch back to the

432 views • 32 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security BCECHO Day 6: Low-level defenses and counterattacks, part 2 Stephen McCamant Control-flow integrity (CFI) University of Minnesota, Computer

907 views • 6 slides
Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer

Outline Return-oriented programming (ROP) CSci 5271 Announcements Introduction to Computer Security Day 6: Low-level defenses and BCECHO counterattacks, part 2 Control-flow integrity (CFI) Stephen McCamant University of Minnesota, Computer

348 views • 8 slides
Corporate integrity in turbulent times EY Forensic &amp; Integrity Services 9 July 2020

Corporate integrity in turbulent times EY Forensic &amp; Integrity Services 9 July 2020

Corporate integrity in turbulent times EY Forensic &amp; Integrity Services 9 July 2020 Restriction of use and liability EY Global Integrity Report 2020 Spotlight on India The COVID-19 crisis has magnified the risk of unethical conduct in

985 views • 7 slides
PROGRAM INTEGRITY 101 Program Integrity Kimberly Sullivan, JD DHH Deputy General Counsel

PROGRAM INTEGRITY 101 Program Integrity Kimberly Sullivan, JD DHH Deputy General Counsel

PROGRAM INTEGRITY 101 Program Integrity Kimberly Sullivan, JD DHH Deputy General Counsel PURPOSE 2 Assure the Programmatic and Fiscal Integrity of the Louisiana Medical Assistance Program (Medicaid). In order for DHH to receive the federal

448 views • 25 slides

More recommend