type casting verification stopping an emerging attack
play

Type Casting Verification: Stopping an Emerging Attack Vector - PowerPoint PPT Presentation

Oct 31, 2023 •448 likes •1.14k views

Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee Georgia Institute of Technology 1 Vulnerability Trends Microsoft vulnerability trends (2013) Use-after-free Stack

  1. Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee Georgia Institute of Technology 1

  2. Vulnerability Trends Microsoft vulnerability trends (2013) Use-after-free Stack overflow Heap overflow Bad casting (or type confusion) 2

  3. Stack Overflows Microsoft vulnerability trends (2013) # of Stack overflows is decreasing

  4. Use-After-Free # of Use-after-free is increasing  Preventing Use-after-free with Dangling Pointers Nullification [NDSS ’15] Microsoft vulnerability trends (2013)

  5. Bad-casting Bad-casting (or type confusion) is still not solved. 5

  6. Type Conversions in C++ • static_cast – Compile-time conversions – Fast : no extra verification in run-time – No information on actually allocated types in runtime. • dynamic_cast – Run-time conversions – Requires Runtime Type Information (RTTI) – Slow : Extra verification by parsing RTTI – Typically prohibited in performance critical applications 6

  7. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes 7

  8. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Element HTMLElement SVGElement 7

  9. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Upcasting Element HTMLElement SVGElement 7

  10. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement 7

  11. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement Upcasting is always safe, but downcasting is not! 7

  12. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; 8

  13. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 8

  14. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for D vftptr for P int m_P int m_P Access scope of P* int m_D Access scope of D* 8

  15. Downcasting can be Bad-casting P *pS = new P(); D *pD = static_cast<D*>(pS); pD->m_D; 9

  16. Downcasting can be Bad-casting Bad-casting occurs: D is not a sub-object of P  Undefined behavior P *pS = new P(); D *pD = static_cast<D*>(pS); D *pD = static_cast<D*>(pS); pD->m_D; 9

  17. Downcasting can be Bad-casting P *pS = new P(); D *pD = static_cast<D*>(pS); pD->m_D; pD->m_D; Memory corruptions 9

  18. Downcasting can be Bad-casting vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); pD->m_D; pD->m_D; Memory corruptions 9

  19. Downcasting can be Bad-casting &(pD->m_D) vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); pD->m_D; pD->m_D; Memory corruptions 9

  20. Downcasting can be Bad-casting &(pD->m_D) vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); int m_D pD->m_D; pD->m_D; Memory corruptions 9

  21. Downcasting can be Bad-casting &(pD->m_D) vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); int m_D pD->m_D; pD->m_D; Memory corruptions 9

  22. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode Element HTMLElement SVGElement HTMLUnknownElement 10

  23. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode Element HTMLElement SVGElement HTMLUnknownElement 1. Allocated 10

  24. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode 2. Upcasting Element HTMLElement SVGElement HTMLUnknownElement 1. Allocated 10

  25. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode 2. Upcasting 3. Downcasting Element HTMLElement SVGElement HTMLUnknownElement 1. Allocated 10

  26. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode 2. Upcasting 3. Downcasting Element HTMLElement SVGElement 160 bytes HTMLUnknownElement 1. Allocated 96 bytes 10

  27. Real-world Exploits on Bad-casting ScriptWrapperble NoBaseWillBeGarbageCollectedFinalized<> EventTarget TreeShared<Node> Node ContainerNode Element HTMLElement PseudoElement VTTElement VTTElement SVGElement LabelableElement HtmlTableElement HTMLRubyElement HTMLFontElement 57 classes! HTMLMenuElement HTMLLabelElement … HTMLUnknownElement 11

  28. Real-world Exploits on Bad-casting ScriptWrapperble NoBaseWillBeGarbageCollectedFinalized<> EventTarget TreeShared<Node> Node ContainerNode Very complex class hierarchies Element  Error-prone type casting operations HTMLElement PseudoElement VTTElement VTTElement SVGElement LabelableElement HtmlTableElement HTMLRubyElement HTMLFontElement 57 classes! HTMLMenuElement HTMLLabelElement … HTMLUnknownElement 11

  29. Existing Solutions and Challenges • Replace all static_cast into dynamic_cast • dynamic_cast on a polymorphic class (with RTTI) – A pointer points to a virtual function table pointer – Traversing a virtual function table leads to RTTI Offset to the top ptr &std::type_info A class name vftptr 1 st virtual function … … 12

  30. Existing Solutions and Challenges • dynamic_cast on a non-polymorphic class – A pointer points to the first member variable – Simply traversing such a variable leads to a runtime crash ptr … ... 13

  31. Existing Solutions and Challenges • dynamic_cast on a non-polymorphic class – A pointer points to the first member variable – Simply traversing such a variable leads to a runtime crash ptr … ... C++ supports no reliable methods to resolve whether a pointer points to polymorphic or non-polymorphic classes. 13

  32. Existing Solutions and Challenges • dynamic_cast on a non-polymorphic class – A pointer points to the first member variable – Simply traversing such a variable leads to a runtime crash ptr … ... C++ supports no reliable methods to resolve whether a pointer points to polymorphic or non-polymorphic classes. Previous solutions including Undefined Behavior Sanitizer relies on blacklists. 13

  33. CaVer: CastVerifier • CaVer : CastVerifier – A bad-casting detection tool • Design goals – Easy-to-deploy: no blacklists – Reasonable runtime performance 14

  34. CaVer Overview Emit THTable Source code Instrumentation Compile 15

  35. CaVer Overview Emit THTable Source code Instrumentation CaVer Runtime Compile Link 15

  36. CaVer Overview Emit THTable Source Secured code executable Instrumentation CaVer Runtime Compile Link 15

  37. Technical Goal of CaVer P *ptr = new P ; static_cast< D *>( ptr ); 16

  38. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); 16

  39. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted 16

  40. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted ptr Object (P) 16

  41. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted Q. What are the class relationships b/w P and D?  THTable ptr Object (P) 16

  42. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted Q. What are the class relationships b/w P and D?  THTable ptr Object (P) Q. Is ptr points to P or D?  Runtime type tracing 16

  43. Type Hierarchy Table (THTable) • A set of all legitimate classes to be converted – Class names are hashed for fast comparison – Hierarchies are unrolled to avoid recursive traversal THTable (P) THTable (D) h ash(“P”) h ash(“D”) … hash(“P”) … 17

  44. Type Hierarchy Table (THTable) • A set of all legitimate classes to be converted – Class names are hashed for fast comparison – Hierarchies are unrolled to avoid recursive traversal THTable (P) THTable (D) h ash(“P”) h ash(“D”) … hash(“P”) … Hashed class names 17

  45. Type Hierarchy Table (THTable) • A set of all legitimate classes to be converted – Class names are hashed for fast comparison – Hierarchies are unrolled to avoid recursive traversal Unrolled linearly THTable (P) THTable (D) h ash(“P”) h ash(“D”) … hash(“P”) … 17

  46. Runtime Type Tracing P *ptr = new P; P *ptr = new P; trace(ptr, &THTable(P)); 18

  47. Runtime Type Tracing P *ptr = new P; P *ptr = new P; trace(ptr, &THTable(P)); THTable (P) h ash(“P”) … ptr Object (P) 18

Recommend

ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im

ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im

QCON LONDON 2020 ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im Tracy calling from Lyft HQ. This month were awarding $200 to all 4.7+ star drivers. Congratulations! Hey Tracy, thanks! Np!

769 views • 60 slides
Casting Simulation Technology Julian Gnz Application Specialist Casting, CD-adapco Casting

Casting Simulation Technology Julian Gnz Application Specialist Casting, CD-adapco Casting

Casting Simulation Technology Julian Gnz Application Specialist Casting, CD-adapco Casting materials Market Overview [Mio tons] Grey Iron 13,6 38,16 9 Ductile Iron Steel 19,4 Non Ferrous alloys From Modern Casting 2010 world

377 views • 15 slides
Casting Simulations with STAR-Cast Julian Gnz, CD-adapco Need for Casting Simulation

Casting Simulations with STAR-Cast Julian Gnz, CD-adapco Need for Casting Simulation

Casting Simulations with STAR-Cast Julian Gnz, CD-adapco Need for Casting Simulation Processes Market Overview [Mio tons] Permanent Mold Tilt Casting 13,6 38,16 Grey Iron 9 Low Pressure-Casting Ductile Iron High

301 views • 27 slides
SLIP-CASTING a ceramic forming technique WHAT IS SLIP-CASTING?

SLIP-CASTING a ceramic forming technique WHAT IS SLIP-CASTING?

SLIP-CASTING a ceramic forming technique WHAT IS SLIP-CASTING? http://www.sightunseen.com/2012/06/josh-bitellis-forfars-bakery-and-roadworkers-projects/ http://www.joshbitelli.co.uk/ Slip-casting is a technique for small-scale production runs,

382 views • 12 slides
CSE 333 Section 6 HW3 Overview, Casting 1 Section Plan Casting HW 3 Overview 3

CSE 333 Section 6 HW3 Overview, Casting 1 Section Plan Casting HW 3 Overview 3

CSE 333 Section 6 HW3 Overview, Casting 1 Section Plan Casting HW 3 Overview 3 Casting! 4 Casting in C++ Four different casts that are more explicit: 1. static_cast&lt;to_type&gt;(expression) 2.

919 views • 33 slides
Minimization strategy for choice of the stopping index in conjugate gradient type methods for

Minimization strategy for choice of the stopping index in conjugate gradient type methods for

Introduction Other rules Numerical examples Minimization strategy for choice of the stopping index in conjugate gradient type methods for ill-posed problems Uno Hmarik, Reimo Palm, Toomas Raus Vienna, July 20, 2009 Uno Hmarik, Reimo

283 views • 14 slides
Macro Scale Casting Simulation with STAR-Cast J.Gnz CD-adapco Casting Systems Product

Macro Scale Casting Simulation with STAR-Cast J.Gnz CD-adapco Casting Systems Product

Macro Scale Casting Simulation with STAR-Cast J.Gnz CD-adapco Casting Systems Product requirements increase: Less weight Higher efficiency Time to market decreases Casting processes must be adopted Simulation to

318 views • 21 slides
Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and Gaussian Back-end Fusion Massimiliano Todisco 1 , H ector Delgado 1 , Kong Aik Lee 2 , Md Sahidullah 3 , Nicholas Evans 1 , Tomi Kinnunen 4 and

292 views • 5 slides
14/ 04/ 2020 Are we in a Crisis? Communic ation A c r isis is a pe ople - stopping,

14/ 04/ 2020 Are we in a Crisis? Communic ation A c r isis is a pe ople - stopping,

14/ 04/ 2020 Are we in a Crisis? Communic ation A c r isis is a pe ople - stopping, show-stopping, pr oduc t stopping, r e putation de fining, and tr ust-busting e ve nt that c r e ate s vic tims and/ or e xplosive visibility. ~

180 views • 6 slides
lecture 18 Recall Ray Casting (lectures 7, 8) Ray tracing is like ray casting, but now mirror

lecture 18 Recall Ray Casting (lectures 7, 8) Ray tracing is like ray casting, but now mirror

lecture 18 Recall Ray Casting (lectures 7, 8) Ray tracing is like ray casting, but now mirror reflections are allowed. - ray tracing for each pixel (x,y) { - environment mapping cast a ray through that pixel into the scene, and find the

380 views • 6 slides
Evolution of the Aluminium High Pressure Die Casting in India CONTENTS INDIA - A VIBRANT ECONOMY

Evolution of the Aluminium High Pressure Die Casting in India CONTENTS INDIA - A VIBRANT ECONOMY

Evolution of the Aluminium High Pressure Die Casting in India CONTENTS INDIA - A VIBRANT ECONOMY HISTORY OF INDIAN DIE CASTING INDUSTRY PRESENT STATUS OF INDIAN DIE CASTING INDUSTRY AUTOMOTIVE - THE LARGEST CUSTOMER OF DIE CASTING IN INDIA

701 views • 33 slides
Casting Process in which molten metal flows by gravity or other force into a mold or die

Casting Process in which molten metal flows by gravity or other force into a mold or die

Casting Process in which molten metal flows by gravity or other force into a mold or die where it solidifies in the shape of the mold cavity. The term casting also applies to the part made in the process. 1 Steps of Casting Process

1.22k views • 69 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
via STAR-Cast Santhanu Jana, Access e.V., Aachen Talk overview Centrifugal casting

via STAR-Cast Santhanu Jana, Access e.V., Aachen Talk overview Centrifugal casting

Simulation of Centrifugal Casting via STAR-Cast Santhanu Jana, Access e.V., Aachen Talk overview Centrifugal casting STAR-Casts modelling basis Motivation for centrifugal investment casting Centrifugal investment casting of

590 views • 31 slides
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey Indian Statistical Institute Kolkata January 14, 2012 Sumit Kumar Pandey Relaxing IND-CCA: Indistinguishability Against Chosen Outline 1

624 views • 37 slides
Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence

Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence

Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence &amp; M edical application Aerospace Defense Medical A World Class Investment Casting Foundry AS9100D &amp; Nadcap Certified Investment Casting

416 views • 40 slides
Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type Checking Statistic Analysis Requirements definition Inspections, Reviews 15-313 Integration/System/Acceptance/Regression/GUI/Bl

608 views • 45 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Conclusion and review Domain-specific search (DSS) 2 3 Emerging opportunities for DSS Fighting

Conclusion and review Domain-specific search (DSS) 2 3 Emerging opportunities for DSS Fighting

Conclusion and review Domain-specific search (DSS) 2 3 Emerging opportunities for DSS Fighting human Predicting trafficking cyberattacks Accurate Stopping geopolitical Penny Stock forecasting Fraud 3 General Search Google Knowledge

949 views • 31 slides
higher-order type theory and Coq Vladimir Komendantsky University of St Andrews, UK 18

higher-order type theory and Coq Vladimir Komendantsky University of St Andrews, UK 18

Verification of functional programs in higher-order type theory and Coq Vladimir Komendantsky University of St Andrews, UK 18 November 2011 @ Roys Festschrift Outline Notational conventions 1 Program verification in the interactive

457 views • 25 slides
Preventing errors before they happen: Lightweight verification via pluggable type-checking

Preventing errors before they happen: Lightweight verification via pluggable type-checking

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing errors before they happen: Lightweight verification via pluggable type-checking Michael D. Ernst University of Washington (Seattle, WA, USA) University of Buenos

600 views • 48 slides
Speaker Verification Systems Haizhou Li Institute for Infocomm Research (I 2 R), Singapore

Speaker Verification Systems Haizhou Li Institute for Infocomm Research (I 2 R), Singapore

Voice Conversion and Spoofing Attack on Speaker Verification Systems Haizhou Li Institute for Infocomm Research (I 2 R), Singapore Acknowledgements: Zhizheng Wu, Eng Siong Chng, NTU Singapore Outline Introduction Speaker verification

466 views • 34 slides
Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence

Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence

Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence &amp; Medical application Aerospace Defense Medical A World Class Investment Casting Foundry AS9100 Certified Investment Casting Foundry History

482 views • 34 slides
Emerging Trends in Real Estate 2018 Navigating at Altitude We are in a long cycle, not in

Emerging Trends in Real Estate 2018 Navigating at Altitude We are in a long cycle, not in

Emerging Trends in Real Estate 2018 Navigating at Altitude We are in a long cycle, not in boom/bust. The key to the next few years is to expand horizons, market by market, property type by property type. Emerging Trends in Real Estate

672 views • 40 slides

More recommend