shuffler fast and deployable continuous code re
play

Shuffler: Fast and Deployable Continuous Code Re-Randomization - PowerPoint PPT Presentation

Aug 13, 2022 •257 likes •1.2k views

Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 2016

  1. Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello OSDI 2016 1

  2. Software Remains Vulnerable ● High-profile server breaches are commonplace 2

  3. Software Remains Vulnerable ● High-profile server breaches are commonplace ● 90% of today’s attacks utilize ROP [1] 3

  4. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack func_1 func_1 func_2 func_2 ret addr func_3 func_3 4

  5. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack ret addr 5

  6. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack ret addr data ret addr ret addr ret addr Buffer Overrun 6

  7. Return-Oriented Programming ● Reuse fragments of legitimate code (gadgets) Program code Stack ret addr ROP gadget chain data ret addr ret addr ret addr Buffer Overrun 7

  8. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime 8

  9. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_1 func_2 func_2 func_3 func_3 9

  10. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_2 func_3 10

  11. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_2 ROP gadget chain func_3 11 Inject exploit

  12. Modern ROP Attacks ● JIT-ROP [2]: iteratively read code at runtime Attacker Target program func_1 func_2 ROP gadget chain func_3 12 Inject exploit

  13. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_1 func_2 func_2 func_3 func_3 13

  14. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_3 14

  15. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? func_1 func_2 func_2 func_3 func_3 func_1 15

  16. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? ?? func_2 ROP gadget chain func_3 func_1 16 Inject exploit

  17. The Shuffler Idea ● What if we re-randomize code more rapidly than an attacker discovers gadgets? ROP gadget chain 17 Inject exploit

  18. How Is This Possible? ● Re-randomize code before an attacker uses it 18

  19. How Is This Possible? ● Re-randomize code before an attacker uses it – faster than disclosure vulnerability execution time; – faster than gadget chain computation time; – or, faster than network communication time 19

  20. How Is This Possible? ● Re-randomize code before an attacker uses it – faster than disclosure vulnerability execution time; – faster than gadget chain computation time; – or, faster than network communication time 20

  21. How Is This Possible? ● Re-randomize code before an attacker uses it – faster than disclosure vulnerability execution time; – faster than gadget chain computation time; – or, faster than network communication time ● one memory disclosure can only travel 820 miles! 21

  22. What Is Shuffler? ● Defense based on continuous re-randomization – Defeats all known code reuse attacks – 20-50 millisecond shuffling, scales to 24 threads ● Fast: bounds attacker’s available time – Defeats even attackers with zero network latency ● Deployable: – Binary analysis w/o modifying kernel, compiler, ... ● Egalitarian: – Shuffler runs in same address space, defends itself 22

  23. Outline 23

  24. Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 24

  25. Continuous Re-Randomization ● Easy to copy code & fix direct references func_1 func_2 ... call func_2 ... func_2 25

  26. Continuous Re-Randomization ● Easy to copy code & fix direct references func_1 (deleted) ... call func_2 ... func_2 26

  27. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? 27

  28. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: func_1 func_2 ... mov $func_2, ptr ... call *ptr ... 28

  29. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: &func_2 func_1 func_2 ... mov $func_2, ptr ... call *ptr ... 29

  30. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: &func_2 func_1 func_2 (deleted) func_2 ... mov $func_2, ptr ... call *ptr ... 30

  31. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? ptr: &func_2 func_1 (deleted) func_2 ... mov $func_2, ptr ... call *ptr ... 31

  32. Continuous Re-Randomization ● Easy to copy code & fix direct references ● What about code pointers? &func_2 &func_2 &func_2 &func_2 ptr: &func_2 &func_2 &func_2 func_2 (deleted) &func_2 ● How to update all propagated pointers? func_2 32

  33. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx %gs: (table) ... ... &func_2 ... func_2 33

  34. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx ... ... &func_2 ... func_2 34

  35. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx ... ... func_2 &func_2 ... func_2 35

  36. Continuous Re-Randomization ● Solution: add extra level of indirection f_2_idx f_2_idx f_2_idx f_2_idx ptr: f_2_idx f_2_idx f_2_idx %gs: (table) f_2_idx ... ... func_2 &func_2 ... (deleted) 36

  37. Code Pointer Abstraction ● Transforming *code_ptr into **code_ptr – Correctness : pointer updates sound & precise – Disclosure-resilience : code ptr table is hidden 37

  38. Code Pointer Abstraction ● Transforming *code_ptr into **code_ptr – Correctness : pointer updates sound & precise – Disclosure-resilience : code ptr table is hidden ptr: f_2_idx func_2 %gs: ... func_2 ... 38

  39. Code Pointer Abstraction ● Transforming *code_ptr into **code_ptr – Correctness : pointer updates sound & precise – Disclosure-resilience : code ptr table is hidden ptr: f_2_idx func_2 %gs: ... func_2 ... Rewrite call sites Rewrite initialization points callq *%rax mov $0x40054d, %rax => callq * %gs:( %rax ) => mov $ 0x20 , %rax 39

  40. Outline 1. Continuous re-randomization 2. Accelerating our randomization 3. Binary analysis and egalitarianism 4. Results and Demo 40

  41. Return Address Encryption ● Return addresses are code pointers too ● Could use code pointer table, but inefficient – call/ret instructions highly optimized 41

  42. Return Address Encryption ● Return addresses are code pointers too ● Could use code pointer table, but inefficient – call/ret instructions highly optimized ● Alternative mechanism – correct and hidden – Use normal call instructions – Encrypt return addresses with XOR key 42

  43. Return Address Encryption ● Prevent return address disclosure 43

  44. Return Address Encryption ● Prevent return address disclosure Thread Stack func_1 ret addr func_2 ret addr ret addr func_3 44

  45. Return Address Encryption ● Prevent return address disclosure Thread Stack func_1 + (encrypted) func_2 + (encrypted) + (encrypted) func_3 XOR key 45

  46. Return Address Encryption ● Prevent return address disclosure Thread Stack func_1 func: + (encrypted) func_2 + (encrypted) ; original code + (encrypted) ret func_3 XOR key 46

  47. Return Address Encryption ● Prevent return address disclosure ● We use binary rewriting (expand basic blocks) Thread Stack func_1 func: mov %fs:0x28,%r11 + (encrypted) xor %r11,(%rsp) func_2 + (encrypted) ; original code mov %fs:0x28,%r11 xor %r11,(%rsp) + (encrypted) ret func_3 XOR key 47

  48. Return Address Migration ● Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack func_3 + (encrypted) + (encrypted) + (encrypted) XOR key 48

  49. Return Address Migration ● Unwind stack and re-encrypt new addresses func_1 func_2 Thread Stack func_3 + (encrypted) + (encrypted) func_1 + (encrypted) func_2 func_3 XOR key 49

  50. Return Address Migration ● Unwind stack and re-encrypt new addresses (deleted) (deleted) Thread Stack (deleted) + (encrypted) + (encrypted) func_1 + (encrypted) func_2 func_3 XOR key 50

  51. Asynchronous Randomization 51

  52. Asynchronous Randomization ● Creating new code copies takes time 20ms shuffle period Computations 52

Recommend

Less Pain, Most of the Gain: Incrementally Deployable ICN

Less Pain, Most of the Gain: Incrementally Deployable ICN

Less Pain, Most of the Gain: Incrementally Deployable ICN Seyed K. Fayazbakhsh, Yin Lin, Amin Tootoonchian, Ali Ghodsi, Teemu Koponen, Bruce Maggs,

229 views • 20 slides
Enabling Venus In-Situ Science Deployable Entry System Technology, Adaptive Deployable Entry

Enabling Venus In-Situ Science Deployable Entry System Technology, Adaptive Deployable Entry

DACC Project GAME CHANGING DEVELOPMENT Enabling Venus In-Situ Science Deployable Entry System Technology, Adaptive Deployable Entry and Placement Technology (ADEPT): A Technology Development Project funded by Game Changing Development

354 views • 17 slides
Fred a new GPU-based fast-MC code and its applications in proton beam therapy A. Schiavi Fast

Fred a new GPU-based fast-MC code and its applications in proton beam therapy A. Schiavi Fast

MCMA 2017 - Napoli Fred a new GPU-based fast-MC code and its applications in proton beam therapy A. Schiavi Fast paRticle thErapy Dose evaluator Collaboration A. Schiavi, V. Patera, M. Senzacqua, Univ. La Sapienza Roma /INFN (Italy)

1.67k views • 26 slides
A fast parameter space search for continuous gravitational waves from known binary systems

A fast parameter space search for continuous gravitational waves from known binary systems

Introduction The data analysis challenge Current Solutions A New Solution Conclusions and future work A fast parameter space search for continuous gravitational waves from known binary systems C Messenger University of Glasgow

461 views • 21 slides
Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

www.immobilienscout24.de Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems Architect & Open Source Evangelist Ingmar Krusch, Team Lead in Operations License:

552 views • 37 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
Fast Direct Search in an Optimally Compressed Continuous Target Space for Efficient Multi-Label

Fast Direct Search in an Optimally Compressed Continuous Target Space for Efficient Multi-Label

Introduction Methodology Results Fast Direct Search in an Optimally Compressed Continuous Target Space for Efficient Multi-Label Active Learning Weishi Shi and Qi Yu B. Thomas Golisano College of Computing and Information Sciences Rochester

332 views • 12 slides
INFRASTRUCTURE AS CODE kief@thoughtworks.com Cloud Practice Lead (UK) DevOps, Continuous

INFRASTRUCTURE AS CODE kief@thoughtworks.com Cloud Practice Lead (UK) DevOps, Continuous

INFRASTRUCTURE AS CODE kief@thoughtworks.com Cloud Practice Lead (UK) DevOps, Continuous Delivery, Agile Ops Twitter: @kief Book: http://oreil.ly/1JKIBVe Site: http://infrastructure-as-code.com June 2016 AGENDA CONTEXT Motivations

979 views • 39 slides
IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

The Straight and Easy Way to Complete IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable Scalable Readily Integrated & Realizable High Web-Based ROI Everest is an End-to-End IT Infrastructure

210 views • 19 slides
Importance of structural damping in the dynamic analysis of compliant deployable structures

Importance of structural damping in the dynamic analysis of compliant deployable structures

I NTRODUCTION O BJECTIVES O NE DOF SYSTEM T APE SPRING C ONCLUSIONS Importance of structural damping in the dynamic analysis of compliant deployable structures Florence Dewalque, Pierre Rochus, Olivier Brls Department of Aerospace and

327 views • 17 slides
A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and

A FRAMEWORK FOR REDUCING THE COST OF INSTRUMENTED CODE Known from Continuous Path and Edge Profiling Bug Isolation via Remote Program Sampling Low-overhead Memory Leak Detection using Adaptive Statistical Profiling (SWAT)

178 views • 16 slides
Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

ANR MetaLibm kick-off meeting Lyon, 22 January, 2014 Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of the CGPE tool Guillaume Revy quipe-projet DALI, Univ. Perpignan Via Domitia LIRMM, CNRS:

570 views • 30 slides
Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does

Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does

Is This Algorithm Fast? Topic Number 8 op c u be 8 Problem: given a problem, how fast does this Algorithm Analysis code solve that problem? Could try to measure the time it takes, but " bit twiddling: 1. (pejorative) An exercise

396 views • 15 slides
FluxRank: A Widely-Deployable Framework to Automatically Localizing Root Cause Machines for

FluxRank: A Widely-Deployable Framework to Automatically Localizing Root Cause Machines for

FluxRank: A Widely-Deployable Framework to Automatically Localizing Root Cause Machines for Software Service Failure Mitigation Ping Liu 1 , Yu Chen 2 , Xiaohui Nie 1 , Jing Zhu 1 , Shenglin Zhang 3 , Kaixin Sui 4 Ming Zhang 5 , Dan Pei 1 1 2 3

4.17k views • 82 slides
Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service Attacks Felipe Huici and Mark Handley Networks Research Group Department of Computer Science Overview Terminus architecture Protecting

553 views • 27 slides
RESULTS OF THE DEPLOYABLE MEMBRANE & ADEO PASSIVE DE-ORBIT SUBSYSTEM ACTIVITIES LEADING TO A

RESULTS OF THE DEPLOYABLE MEMBRANE & ADEO PASSIVE DE-ORBIT SUBSYSTEM ACTIVITIES LEADING TO A

RESULTS OF THE DEPLOYABLE MEMBRANE & ADEO PASSIVE DE-ORBIT SUBSYSTEM ACTIVITIES LEADING TO A DRAGSAIL DEMONSTRATOR Thomas Sinn (1) , L. Tiedemann (1) , A. Riemer (2) , R. Hahn (2), T. Spwitz (3) , P. Seefeldt (3) , M. Sznajder (3) S.

217 views • 8 slides
Ultra-fast Aliasing Analysis using CLA A Million Lines of C Code in a Second N. Heintze O.

Ultra-fast Aliasing Analysis using CLA A Million Lines of C Code in a Second N. Heintze O.

Ultra-fast Aliasing Analysis using CLA A Million Lines of C Code in a Second N. Heintze O. Tardieu Neel Krishnaswami / 15-745 Optimizing Compilers Paper Presentation Heintze, Tardieu Ultra-fast Aliasing Analysis The Problem Large (1+ MLoc)

352 views • 16 slides
Low Creep/Low Relaxation Thermoplastic Polymer Composites for Deployable Structures Kyle Horn

Low Creep/Low Relaxation Thermoplastic Polymer Composites for Deployable Structures Kyle Horn

Low Creep/Low Relaxation Thermoplastic Polymer Composites for Deployable Structures Kyle Horn (Arizona State University) Mentors: Jin Ho Kang and Keith Gordon 2020 Spring NIFS Research Symposium Problem Key Term Stress Relaxation: the

409 views • 9 slides
SDL Control of the UltraLITE Precision Deployable Test Article Using Adaptive Spatio-Temporal

SDL Control of the UltraLITE Precision Deployable Test Article Using Adaptive Spatio-Temporal

SDL Control of the UltraLITE Precision Deployable Test Article Using Adaptive Spatio-Temporal Filtering Based Control Albert B. Bosse Keith K. Denoyer R. Scott Irwin Thomas D. Sharp Air Force Research Laboratory Stuart J. Shelley Kirtland

933 views • 36 slides
WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER 1 . 2 WRITING FASTER PYTHON @SebaWitowski 1 . 3 PYTHON WAS NOT MADE TO BE FAST... ...BUT TO MAKE DEVELOPERS FAST. 2 . 1 It was nice to

451 views • 43 slides
Mixtasy: Remailing on Existing Infrastructure Anonymized Email Communication Easily Deployable

Mixtasy: Remailing on Existing Infrastructure Anonymized Email Communication Easily Deployable

Mixtasy: Remailing on Existing Infrastructure Anonymized Email Communication Easily Deployable Using SMTP & OpenPGP Masters thesis presentation @Young Researchers Day 2016 St Johann im Pongau (11.10.2016) by Johannes Burk 1st

220 views • 19 slides
An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley,

An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley,

An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley, Yotam Harchol, Aurojit Panda, Barath Raghavan, Scott Shenker (UC Berkeley, NYU, USC, ICSI) The Internet architecture of today Based on IP

477 views • 44 slides
Deployable Boom Arm for a Double Langmuir Probe Presenter: Charles Van Steenwyk Visiting

Deployable Boom Arm for a Double Langmuir Probe Presenter: Charles Van Steenwyk Visiting

Deployable Boom Arm for a Double Langmuir Probe Presenter: Charles Van Steenwyk Visiting Research Student Cal Poly, San Luis Obispo 10/30/2019 1 Table of Contents 1. Introduction 2. Langmuir Probe Considerations 3. Goals 4.

277 views • 27 slides
How to Write Fast Numerical Code Spring 2011 Lecture 22 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 22 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 22 Instructor: Markus Pschel TA: Georg Ofenbeck Schedule Today Lecture Project presentations 10 minutes each random order random speaker 10 Final code and paper due Example

881 views • 18 slides

More recommend