securing software by enforcing data flow integrity
play

Securing software by enforcing data-flow integrity Manuel Costa - PowerPoint PPT Presentation

Mar 27, 2024 •38 likes •288 views

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge Software is vulnerable use of unsafe languages is prevalent most

  1. Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge

  2. Software is vulnerable • use of unsafe languages is prevalent – most “packaged” software written in C/C++ • many software defects – buffer overflows, format strings, double frees • many ways to exploit defects – corrupt control-data: stack, function pointers – corrupt non-control-data: function arguments, security variables defects are routinely exploited

  3. Approaches to securing software • remove/avoid all defects is hard • prevent control-data exploits – protect specific control-data StackGuard, PointGuard – detect control-flow anomalies Program Shepherding, CFI – attacks can succeed without corrupting control-flow • prevent non-control-data exploits – bounds checking on all pointer dereferences CRED – detect unsafe uses of network data Vigilante, [Suh04], Minos, TaintCheck, [Chen05], Argos, [Ho06] – expensive in software no good solutions to prevent non-control-data exploits

  4. Data-flow integrity enforcement • compute data-flow in the program statically – for every load, compute the set of stores that may produce the loaded data • enforce data-flow at runtime – when loading data, check that it came from an allowed store • optimize enforcement with static analysis

  5. Data-flow integrity: advantages • broad coverage – detects control-data and non-control-data attacks • automatic – extracts policy from unmodified programs • no false positives – only detects real errors (malicious or not) • good performance – low runtime overhead

  6. Outline • data-flow integrity enforcement • optimizations • results

  7. Data-flow integrity • at compile time, compute reaching definitions – assign an id to every store instruction – assign a set of allowed source ids to every load • at runtime, check actual definition that reaches a load – runtime definitions table (RDT) records id of last store to each address – on store(value,address): set RDT[address] to store’s id – on load(address): check if RDT[address] is one of the allowed source ids • protect RDT with software-based fault isolation

  8. Example vulnerable program int authenticated = 0; buffer overflow in char packet[1000]; this function allows while (!authenticated) { the attacker to set PacketRead(packet); authenticated to 1 if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); • non-control-data attack • very similar to a real attack on a SSH server

  9. Static analysis • computes data flows conservatively – flow-sensitive intraprocedural analysis – flow-insensitive interprocedural analysis • uses Andersen’s points-to algorithm • scales to very large programs • same assumptions as analysis for optimization – pointer arithmetic cannot navigate between independent objects – these are the assumptions that attacks violate

  10. Instrumentation SETDEF authenticated 1 int authenticated = 0; char packet[1000]; check that authenticated while (CHECKDEF authenticated in {1,8} was written here !authenticated) { or here PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 8 authenticated = 1; } } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet);

  11. Runtime: detecting the attack Vulnerable program Memory layout SETDEF authenticated 1 int authenticated = 0; RDT slot for char packet[1000]; 7 1 authenticated while (CHECKDEF authenticated in {1,8} stores disallowed !authenticated) { above 0x40000000 PacketRead(packet); Attack detected! if (Authenticate(packet)){ definition 7 not SETDEF authenticated 8 in {1,8} authenticated = 1; authenticated } stored here 1 0 } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet);

  12. Also prevents control-data attacks • user-visible control-data (function pointers,…) – handled as any other data • compiler-generated control-data – instrument definitions and uses of this new data – e.g., enforce that the definition reaching a ret is generated by the corresponding call

  13. Efficient instrumentation: SETDEF • SETDEF _authenticated 1 is compiled to: get address of variable lea ecx,[_authenticated] prevent RDT tampering test ecx,0C0000000h set RDT[address] to 1 je L int 3 L: shr ecx,2 mov word ptr [ecx*2+40001000h],1

  14. Efficient instrumentation: CHECKDEF • CHECKDEF _authenticated {1,8} is compiled to: get address of variable lea ecx,[_authenticated] shr ecx,2 mov cx, word ptr [ecx*2+40001000h] cmp cx, 1 je L get definition id from RDT[address] cmp cx,8 je L check definition in {1,8} int 3 L:

  15. Optimization: renaming definitions • definitions with the same set of uses share one id SETDEF authenticated 1 SETDEF authenticated 1 int authenticated = 0; int authenticated = 0; char packet[1000]; char packet[1000]; while ( while ( CHECKDEF authenticated in {1,8} CHECKDEF authenticated in {1} !authenticated) { !authenticated) { PacketRead(packet); PacketRead(packet); if (Authenticate(packet)){ if (Authenticate(packet)){ SETDEF authenticated 8 SETDEF authenticated 1 authenticated = 1; authenticated = 1; } } } } CHECKDEF authenticated in {1} CHECKDEF authenticated in {1,8} if (authenticated) if (authenticated) ProcessPacket(packet); ProcessPacket(packet);

  16. Other optimizations • removing SETDEFs and CHECKDEFs – eliminate CHECKDEFs that always succeed – eliminate redundant SETDEFs – uses static analysis, but does not rely on any assumptions that may be violated by attacks • remove bounds checks on safe writes • optimize set membership checks – check consecutive ids using a single comparison

  17. Evaluation • overhead on SPEC CPU and Web benchmarks • contributions of optimizations • ability to prevent attacks on real programs

  18. Runtime overhead

  19. Memory overhead

  20. Contribution of optimizations

  21. Overhead on SPEC Web maximum overhead of 23%

  22. Preventing real attacks Application Vulnerability Exploit Detected? NullHttpd heap-based buffer overwrite cgi-bin yes overflow configuration data SSH integer overflow and overwrite yes heap-based buffer authenticated overflow variable STunnel format string overwrite return yes address Ghttpd stack-based buffer overwrite return yes overflow address

  23. Conclusion • enforcing data-flow integrity protects software from attacks – handles non-control-data and control-data attacks – works with unmodified C/C++ programs – no false positives – low runtime and memory overhead

  24. Overhead breakdown

  25. Contribution of optimizations

Recommend

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data

Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data

Module 5: Implementing Data Integrity Overview Types of Data Integrity Enforcing Data Integrity Defining Constraints Types of Constraints Disabling Constraints Using Defaults and Rules Deciding Which Enforcement Method

260 views • 23 slides
Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer

Software Control Flow Integrity Techniques, Proofs, & Security Applications Jay Ligatti summer 2004 intern work with: lfar Erlingsson and Martn Abadi 1 Motivation I: Bad things happen DoS Weak authentication Insecure

465 views • 22 slides
CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z

C ON FIRM: EVALUATING COMPATIBILITY AND RELEVANCE OF CONTROL-FLOW INTEGRITY PROTECTIONS FOR MODERN SOFTWARE X IAOYANG X U , M ASOUD G HAFFARINIA , Z HIQIANG L IN W ENHAO W ANG , AND K EVIN W. H AMLEN T HE O HIO S TATE U NIVERSITY T HE U NIVERSITY

514 views • 15 slides
Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with

Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with

Securing NFN-style data flow processing NDN retreat, UCSD, Feb 5+6, 2015 Christian Tschudin with contributions from Claudio Marxer, University of Basel Overview 1. Named Function Networking (NFN) in two slides 2. Problem statement (NDNex) 3.

350 views • 16 slides
ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION

ENFORCING SECURE DATA SHARING IN WEB APP FRAMEWORKS Susheel S, Naren N and THROUGH INFORMATION FLOW Prof. R.K Shyamasundar CONTROL Todays Talk Background and Motivation. Possible attack in a system without IFC. Our solution using

381 views • 16 slides
Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome

Data is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks Irene Dez-Franco, Igor Santos DeustoTech, University of Deusto irene.diez@deusto.es isantos@deusto.es Rationale Rationale Program

961 views • 72 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
DIF, DIX and Linux Data Integrity Martin K. Petersen Consulting Software Developer, Linux

DIF, DIX and Linux Data Integrity Martin K. Petersen Consulting Software Developer, Linux

<Insert Picture Here> DIF, DIX and Linux Data Integrity Martin K. Petersen Consulting Software Developer, Linux Engineering Topics Data Integrity Technologies <Insert Picture Here> Data Corruption T10 DIF Data

752 views • 25 slides
Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti , University of Padua Slides prepared with the support of Daniele Lain and Moreno Ambrosin SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017,

794 views • 25 slides
RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and

771 views • 59 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
More Data Flow Analyses Reading: NNH 2.1 17-654/17-765 Analysis of Software Artifacts Jonathan

More Data Flow Analyses Reading: NNH 2.1 17-654/17-765 Analysis of Software Artifacts Jonathan

More Data Flow Analyses Reading: NNH 2.1 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich General Monotonicity Proofs We proved RD was monotone for data flow equations for a specific program Heres a more general

580 views • 23 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

795 views • 33 slides
Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR

Control Flow Integrity Behavior-based detection Stack canaries, non-executable data, and ASLR aim to complicate various steps in a standard attack But they still may not stop it Idea: observe the programs behavior is it doing

314 views • 17 slides
Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken Wai-Kin Au School of Computing Science University of Glasgow Zhaohui Tang School of Infocomm Republic Polytechnic, Singapore 1 Introduction

576 views • 21 slides
Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing [Reading assignment:

Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing [Reading assignment:

Topics in Software Dynamic White-box Testing Part 2: Data-flow Testing [Reading assignment: Chapter 7, pp. 105-122 plus many things in slides that are not in the book ] Data-Flow Testing Data-flow testing uses the control flowgraph to

1.09k views • 43 slides
HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a

HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a

HW/SW Codesign Data Flow Software Implementation I ECE 522 Mapping DFGs to Software There are a wide variety of approaches of mapping DFGs to software Software Mapping of SDF Sequential Parallel single-processor multi-processor *Processor

351 views • 18 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware

HW/SW Codesign w/ FPGAs Data Flow Modeling I ECE 522 Data Flow Models As we discussed, hardware is parallel while software is sequential We need concurrent high-level models to allow designers to describe systems that are independent of

574 views • 12 slides
The new The eBASH data flow SHA-3 software shootout One computer, hydra6 , D. J. Bernstein

The new The eBASH data flow SHA-3 software shootout One computer, hydra6 , D. J. Bernstein

The new The eBASH data flow SHA-3 software shootout One computer, hydra6 , D. J. Bernstein tries hashing data with University of Illinois at Chicago the sphlib implementation of sha256 , compiled with Tanja Lange gcc -O3 -fomit-frame-pointer .

870 views • 54 slides
CDS, SDMS and LIMS considerations for Compliance, Data Integrity and Data Security Darren

CDS, SDMS and LIMS considerations for Compliance, Data Integrity and Data Security Darren

CDS, SDMS and LIMS considerations for Compliance, Data Integrity and Data Security Darren Barrington-Light Senior Manager - Product Marketing Chromatography & Mass Spectrometry Software The world leader in serving science Record Management

829 views • 53 slides
Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh Shankar (UC Berkeley) Trent Jaeger (Penn State / IBM) Reiner Sailer (IBM) The goal, with an example Integrity property: Trusted processes dont

317 views • 20 slides

More recommend