Korset: Code-based Intrusion Detection for Linux
|
|
- Doris Mills
- 8 years ago
- Views:
Transcription
1 Problem Korset Theory Implementation Evaluation Epilogue Korset: Code-based Intrusion Detection for Linux Ohad Ben-Cohen Avishai Wool Tel Aviv University
2 Problem Korset Theory Implementation Evaluation Epilogue Table of Contents why what how demo! evaluate
3 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Section 1: The Problem
4 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Exploit this void sayhi(char param) { char buf[96]; gets(buf); printf("hi %s, please don t hurt me!\n", buf); }
5 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow
6 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow
7 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow
8 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow
9 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow
10 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Code Injection
11 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Defense
12 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Host-based Intrusion Detection Systems (HIDS s) To Identify Malicious Activities Pre-construct a model of normal behavior Monitor running processes Compare data to model Alarm when deviates
13 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Host-based Intrusion Detection Systems (HIDS s) To Identify Malicious Activities Pre-construct a model of normal behavior Monitor running processes Compare data to model Alarm when deviates Terms False Positives ( usability) False Negatives ( precision)
14 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior
15 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms
16 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms False Alarms are inherent and inevitable if(time() < YEAR2009) read(...); else write(...);
17 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms False Alarms are inherent and inevitable if(time() < YEAR2009) read(...); else write(...); 2. Program Policies Can be very accurate Eliminate False Alarms Tedious and demanding
18 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms False Alarms are inherent and inevitable if(time() < YEAR2009) read(...); else write(...); 2. Program Policies Can be very accurate Eliminate False Alarms Tedious and demanding
19 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Section 2: Korset
20 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo General Architecture
21 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Model of Normal Behavior Control Flow Graph (CFG)
22 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo General Architecture
23 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo General Architecture
24 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Stage #1: Model Preconstruction
25 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
26 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Assumption: System calls are the only way to inflict damage (Not entirely true...)
27 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
28 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
29 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
30 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
31 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
32 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
33 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
34 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
35 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
36 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me
37 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Model of Normal Behavior System call sequences Paths in the graph
38 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Model of Normal Behavior System call sequences Paths in the graph No path in the graph Invalid system call sequence
39 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Stage #2: Runtime Monitoring
40 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
41 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
42 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
43 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
44 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
45 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
46 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
47 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
48 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
49 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
50 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
51 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting
52 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo In words Model of Normal Behavior Control Flow Graphs (CFG) Only System Calls Statically Preconstructed Once for every app Runtime Monitoring Monitor system calls emitted in run-time Simulate observed system calls on automata Always maintain a current node Terminate diverging processes
53 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Code-based Intrusion Detection
54 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Code-based Intrusion Detection First work by David Wagner and Drew Dean, 2001
55 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Intrusion Detection via Static Analysis Pros Automated Provable zero false positives (assuming that code isn t self modifying)
56 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Intrusion Detection via Static Analysis Pros Automated Provable zero false positives (assuming that code isn t self modifying) Cons Limited to code injection attacks High precision comes with a cost
57 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Action!
58 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Section 3: Not so simple
59 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions
60 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions - Link CFGs
61 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism And... Simplify
62 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Simplification Process Simple and Smooth u w u w v y z y z
63 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Challenge #1
64 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity Before linking
65 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity After linking
66 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity After linking... So?
67 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity After linking... So? Impossible execution paths are allowed E.g.: open-read-write
68 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Context Insensitivity A Function after linking... So? Impossible execution paths are allowed E.g.: open-read-write
69 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Hey before you link Not all functions emit/lead to system calls
70 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Unlinking Do not link them
71 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Unlinking Just ditch their calling nodes...
72 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Inline CFGs of functions that issue system calls
73 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Create Private Copies
74 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Link Private Copies
75 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Simplify Result
76 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining After Simplifying
77 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Inlining Depth?
78 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Inlining Depth? (currently - depth 1)
79 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Challenge #2
80 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Non Determinism Which write is it?
81 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism %EIP?
82 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism %EIP does not help
83 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Solution: Merge Nodes Solution: Merge nodes
84 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Non Determinism Solution: Merge nodes
85 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Merging cost Graph now allows impossible paths! b g o b g o r r r y g y g accepting: gry, grg, bry, org accepting: gry, grg, bry, org, brg, ory
86 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Minimizing Merging cost Don t merge, add
87 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism the Deterministic Callgraph Automaton (DCA)
88 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism the Deterministic Callgraph Automaton (DCA) Only system call nodes There are no ɛ-edges Need to check only direct descendants No control flow ambiguity No more than a single match Current state is always a single node Complexity Time: O( ) Space: O(1) ( - set of system calls)
89 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Section 4: Implementation
90 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction General Architecture
91 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction General Architecture
92 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction General Architecture
93 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Kernel guts The Monitoring Agent User Space example ELF executable System Calls Kernel Space Korset Monitoring Agent Kernel System Call Handler example.korset write read close read write close
94 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Per process state sched.h struct task struct {... char korset graph; u32 korset node;... };
95 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...
96 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...
97 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...
98 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...
99 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset runtime monitor start
100 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset runtime monitor stop
101 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent Sum up Integrated into the Kernel s system call handler Uses and extends the Linux Security Module (LSM) interface Simulate automaton on observed system calls Terminate subverted applications Can dynamically update in-memory DCA Can dump updated DCA back to disk
102 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Userland The Static Analyzer User Space example.c i = read(fd, buf, n); if (i == n) { write(fd, buf, n); } close(fd); gcc, ld,... Korset Static Analyzer System Calls example ELF executable example.korset read write close Kernel Space
103 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset static analyzer start
104 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ gcc -c foo.c -o foo.o
105 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ gcc -c bar.s -o bar.o
106 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ ar c foobar.a foo.o bar.o
107 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ gcc foo.o bar.o -o foobar
108 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction foo.o.kvcg
109 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction bar.o.kvcg
110 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction foobar.a.kvcg
111 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction foobar.korset
112 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset static analyzer stop
113 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Static Analyzer Sum up Wraps the Linux build tools Transparently runs whenever user compiles, links or ar(chives) Creates DCAs for objects, libraries and executables
114 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Constructing the Graphs
115 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day
116 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day
117 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day
118 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day
119 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day
120 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day
121 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day GCC Plugins?
122 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day $ gcc -dv -fdump-rtl-pass
123 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Visualization of Compiler Graphs (VCG) Just parse and the CFG is yours graph: { title: "hack digit"... node: { title: "hack digit.0" }... edge: { sourcename: "hack digit.0" targetname: "hack digit.7" color: blue } node: { title: "hack digit.7" label: "note 7" }...
124 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for C files foo.0 note 6 insn 40 insn 41 insn 42 insn 8 jump_insn 9 code_label 11 insn 14 insn 16 insn 17 insn 18 call_insn 19 insn 21 code_label 22 insn 24 jump_insn 25 insn 45 note 47 jump_insn 46 END Use gcc s VCG output $ gcc -dv -fdump-rtl-pass -c foo.c void foo(void) { int i; for (i = 0; i < 10; i++) fwrite("hello!\n", 7, 1, stdout); } basic block 7
125 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Simplification Process Simple and Smooth u w u w v y z y z
126 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for C files After simplifying VCG output void foo(void) { int i; for (i = 0; i < 10; i++) fwrite("hello!\n", 7, 1, stdout); } vcg-demo.o call fwrite foo.0 END
127 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction VCG Summary Neat.
128 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction VCG Summary Neat. Does not apply for Assembly files...
129 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Lots of Macros... #include <sysdep cancel.h> PSEUDO ( libc read, read, 3) ret PSEUDO END( libc read) libc hidden def ( libc read) weak alias ( libc read, read) libc hidden weak ( read) weak alias ( libc read, read) libc hidden weak (read)
130 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Disassemble corresponding object file: mov %rdx,0x18(%rsp) callq 35 < write nocancel+0x2c> R X86 64 PC32 libc enable asynccancel mov 0x8(%rsp),%rdi mov 0x10(%rsp),%rsi mov 0x18(%rsp),%rdx mov %rax,(%rsp) mov $0x1,%eax syscall
131 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Look for system and function calls: mov %rdx,0x18(%rsp) callq 35 < write nocancel+0x2c> R X86 64 PC32 libc enable asynccancel mov 0x8(%rsp),%rdi mov 0x10(%rsp),%rsi mov 0x18(%rsp),%rdx mov %rax,(%rsp) mov $0x1,%eax syscall
132 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Create a simplified matching graph Crude, ok for simple files Sound solution Requires a better flow analysis
133 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files something like this: $ gcc -x c++ -o output.o - redundant?
134 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files common glibc build: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o
135 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files Disassemble output file and build graph: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o
136 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files Result: a simplified matching graph
137 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Is it enough? common glibc build: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o
138 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Pay attention to symbol aliases common glibc build: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o
139 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Collect symbol information objdump syms read.o: file format elf64 x86 64 SYMBOL TABLE: g F.text libc read g F.text read nocancel w F.text read w F.text read
140 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Collect symbol information objdump syms read.o: file format elf64 x86 64 SYMBOL TABLE: g F.text libc read g F.text read nocancel w F.text read w F.text read
141 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Add symbol aliases Before
142 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Add symbol aliases After
143 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc
144 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc
145 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc
146 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc
147 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Section 4: Evaluation
148 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Micro-Benchmarks Overhead Percentage Micro-Benchmarks write read write > /dev/null setuid BestCase BadCase WorstCase
149 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Core-utils Benchmarks Overhead (%) Core-Utils Benchmark cp ls cat
150 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Precision Analysis The Branching Factor
151 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Graphs Analysis Glibc Graph Branching average branch degree э-less CFG basic DCA Final DCA glibc DCA branching open read write execve malloc gets fopen fread fwrite printf empty main
152 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision malloc() malloc() syscall 45 syscall 90 syscall 125 syscall 91
153 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision fwrite() syscall 90 syscall 197 syscall 54 syscall 45 syscall 108 syscall 140 syscall 4 syscall 125 fwrite() syscall 91
154 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Empty main void main(void) { }
155 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Empty main empty.c.49.stack
156 Problem Korset Theory Implementation Evaluation Epilogue Section 5: Sum up
157 Problem Korset Theory Implementation Evaluation Epilogue Sum up Summary Zero False Positives Intrusion Detection Negligible (/Bounded) Runtime Overhead Linux Kernel Prototype Automatic Analysis of the GNU C library Free Software (GPL ed) Status Proof of concept! Very limited, e.g.: only static linking
158 Problem Korset Theory Implementation Evaluation Epilogue
159 Problem Korset Theory Implementation Evaluation Epilogue THE END
160 Problem Korset Theory Implementation Evaluation Epilogue Thank You
Korset: Automated, Zero False-Alarm Intrusion Detection for Linux
Korset: Automated, Zero False-Alarm Intrusion Detection for Linux Ohad Ben-Cohen Tel-Aviv University ohad@bencohen.org Avishai Wool Tel-Aviv University yash@acm.org Abstract Host-based Intrusion Detection
More informationTransparent Monitoring of a Process Self in a Virtual Environment
Transparent Monitoring of a Process Self in a Virtual Environment PhD Lunchtime Seminar Università di Pisa 24 Giugno 2008 Outline Background Process Self Attacks Against the Self Dynamic and Static Analysis
More informationIntrusion Detection via Static Analysis
Intrusion Detection via Static Analysis IEEE Symposium on Security & Privacy 01 David Wagner Drew Dean Presented by Yongjian Hu Outline Introduction Motivation Models Trivial model Callgraph model Abstract
More informationAutomating Mimicry Attacks Using Static Binary Analysis
Automating Mimicry Attacks Using Static Binary Analysis Christopher Kruegel and Engin Kirda Technical University Vienna chris@auto.tuwien.ac.at, engin@infosys.tuwien.ac.at Darren Mutz, William Robertson,
More informationAutomatic Extraction of Accurate Application-Specific Sandboxing Policy
Automatic Extraction of Accurate Application-Specific Sandboxing Policy Lap-chung Lam and Tzi-cker Chiueh Rether Networks, Inc. 99 Mark Tree RD Suite 301, Centereach NY 11720, USA lclam@cs.sunysb.edu http://www.rether.com
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 2/8/06 Blackhat Federal 2006 1 Big
More informationBuilding accurate intrusion detection systems. Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory
Building accurate intrusion detection systems Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory Outline Brief introduction to intrusion detection The MAFTIA project Accurate intrusion
More informationVisualizing Information Flow through C Programs
Visualizing Information Flow through C Programs Joe Hurd, Aaron Tomb and David Burke Galois, Inc. {joe,atomb,davidb}@galois.com Systems Software Verification Workshop 7 October 2010 Joe Hurd, Aaron Tomb
More informationPERFORMANCE TOOLS DEVELOPMENTS
PERFORMANCE TOOLS DEVELOPMENTS Roberto A. Vitillo presented by Paolo Calafiura & Wim Lavrijsen Lawrence Berkeley National Laboratory Future computing in particle physics, 16 June 2011 1 LINUX PERFORMANCE
More informationSoftware Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
More informationApplying Clang Static Analyzer to Linux Kernel
Applying Clang Static Analyzer to Linux Kernel 2012/6/7 FUJITSU COMPUTER TECHNOLOGIES LIMITED Hiroo MATSUMOTO 管 理 番 号 1154ka1 Copyright 2012 FUJITSU COMPUTER TECHNOLOGIES LIMITED Abstract Now there are
More informationFor a 64-bit system. I - Presentation Of The Shellcode
#How To Create Your Own Shellcode On Arch Linux? #Author : N3td3v!l #Contact-mail : 4nonymouse@usa.com #Website : Nopotm.ir #Spcial tnx to : C0nn3ct0r And All Honest Hackerz and Security Managers I - Presentation
More informationCompiler-Assisted Binary Parsing
Compiler-Assisted Binary Parsing Tugrul Ince tugrul@cs.umd.edu PD Week 2012 26 27 March 2012 Parsing Binary Files Binary analysis is common for o Performance modeling o Computer security o Maintenance
More informationKernel Intrusion Detection System
Kernel Intrusion Detection System Rodrigo Rubira Branco rodrigo@kernelhacking.com rodrigo@risesecurity.org Monica's Team!! Brazilian famous H.Q. story Amazon Forest Yeah, Brazilian country! Soccer Brazilian
More informationRISC-V Software Ecosystem. Andrew Waterman UC Berkeley waterman@eecs.berkeley.edu!
RISC-V Software Ecosystem Andrew Waterman UC Berkeley waterman@eecs.berkeley.edu! 2 Tethered vs. Standalone Systems Tethered systems are those that cannot stand alone - They depend on a host system to
More informationCarlos Villavieja, Nacho Navarro {cvillavi,nacho}@ac.upc.edu. Arati Baliga, Liviu Iftode {aratib,liviu}@cs.rutgers.edu
Continuous Monitoring using MultiCores Carlos Villavieja, Nacho Navarro {cvillavi,nacho}@ac.upc.edu Arati Baliga, Liviu Iftode {aratib,liviu}@cs.rutgers.edu Motivation Intrusion detection Intruder gets
More informationNext, the driver runs the C compiler (cc1), which translates main.i into an ASCII assembly language file main.s.
Chapter 7 Linking Linking is the process of collecting and combining various pieces of code and data into a single file that can be loaded (copied) into memory and executed. Linking can be performed at
More informationSequential Performance Analysis with Callgrind and KCachegrind
Sequential Performance Analysis with Callgrind and KCachegrind 4 th Parallel Tools Workshop, HLRS, Stuttgart, September 7/8, 2010 Josef Weidendorfer Lehrstuhl für Rechnertechnik und Rechnerorganisation
More informationBug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit
Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough
More informationBetween Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications
Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications Jun Wang, Xi Xiong, Peng Liu Penn State Cyber Security Lab 1 An inherent security limitation
More informationAttacking Obfuscated Code with IDA Pro. Chris Eagle
Attacking Obfuscated Code with IDA Pro Chris Eagle Outline Introduction Operation Demos Summary 2 First Order Of Business MOVE UP AND IN! There is plenty of room up front I can't increase the font size
More informationIdea: Measuring the Effect of Code Complexity on Static Analysis Results
Idea: Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, and Alex Kuhl Department of Computer Science Northern Kentucky University Highland Heights, KY 41099
More informationReturn-oriented programming without returns
Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy
More informationStatic Checking of C Programs for Vulnerabilities. Aaron Brown
Static Checking of C Programs for Vulnerabilities Aaron Brown Problems 300% increase in reported software vulnerabilities SetUID programs Run with full access to the system Required to gain access to certain
More informationEECS 354 Network Security. Introduction
EECS 354 Network Security Introduction Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More informationumps software development
Laboratorio di Sistemi Operativi Anno Accademico 2006-2007 Software Development with umps Part 2 Mauro Morsiani Software development with umps architecture: Assembly language development is cumbersome:
More informationLaboratorio di Sistemi Operativi Anno Accademico 2009-2010
Laboratorio di Sistemi Operativi Anno Accademico 2009-2010 Software Development with umps Part 2 Mauro Morsiani Copyright Permission is granted to copy, distribute and/or modify this document under the
More informationSoft-Timer Driven Transient Kernel Control Flow Attacks and Defense
Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense Jinpeng Wei, Bryan D. Payne, Jonathon Giffin, Calton Pu Georgia Institute of Technology Annual Computer Security Applications Conference
More informationHacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali
More informationOperating Systems and Networks
recap Operating Systems and Networks How OS manages multiple tasks Virtual memory Brief Linux demo Lecture 04: Introduction to OS-part 3 Behzad Bordbar 47 48 Contents Dual mode API to wrap system calls
More informationHow to make the computer understand? Lecture 15: Putting it all together. Example (Output assembly code) Example (input program) Anatomy of a Computer
How to make the computer understand? Fall 2005 Lecture 15: Putting it all together From parsing to code generation Write a program using a programming language Microprocessors talk in assembly language
More informationStatic Analysis of Virtualization- Obfuscated Binaries
Static Analysis of Virtualization- Obfuscated Binaries Johannes Kinder School of Computer and Communication Sciences École Polytechnique Fédérale de Lausanne (EPFL), Switzerland Virtualization Obfuscation
More informationSequential Performance Analysis with Callgrind and KCachegrind
Sequential Performance Analysis with Callgrind and KCachegrind 2 nd Parallel Tools Workshop, HLRS, Stuttgart, July 7/8, 2008 Josef Weidendorfer Lehrstuhl für Rechnertechnik und Rechnerorganisation Institut
More informationScanner. tokens scanner parser IR. source code. errors
Scanner source code tokens scanner parser IR errors maps characters into tokens the basic unit of syntax x = x + y; becomes = + ; character string value for a token is a lexeme
More informationX86-64 Architecture Guide
X86-64 Architecture Guide For the code-generation project, we shall expose you to a simplified version of the x86-64 platform. Example Consider the following Decaf program: class Program { int foo(int
More informationMeasuring the Effect of Code Complexity on Static Analysis Results
Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, and Alex Kuhl Department of Computer Science Northern Kentucky University Highland Heights, KY 41099 Abstract.
More informationSystem Calls and Standard I/O
System Calls and Standard I/O Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today s Class System calls o How a user process contacts the Operating System o For advanced services
More informationIntroduction. What is an Operating System?
Introduction What is an Operating System? 1 What is an Operating System? 2 Why is an Operating System Needed? 3 How Did They Develop? Historical Approach Affect of Architecture 4 Efficient Utilization
More informationData Structure Reverse Engineering
Data Structure Reverse Engineering Digging for Data Structures Polymorphic Software with DSLR Scott Hand October 28 th, 2011 Outline 1 Digging for Data Structures Motivations Introduction Laika Details
More informationOperating Systems. Privileged Instructions
Operating Systems Operating systems manage processes and resources Processes are executing instances of programs may be the same or different programs process 1 code data process 2 code data process 3
More informationFlexible Intrusion Detection Systems for Memory-Constrained Embedded Systems
Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems Farid Molazem, Karthik Pattabiraman University of British Columbia 2 Embedded Systems 3 Attacks spreading Attacks spreading
More informationGENERIC and GIMPLE: A New Tree Representation for Entire Functions
GENERIC and GIMPLE: A New Tree Representation for Entire Functions Jason Merrill Red Hat, Inc. jason@redhat.com 1 Abstract The tree SSA project requires a tree representation of functions for the optimizers
More informationThe C Programming Language course syllabus associate level
TECHNOLOGIES The C Programming Language course syllabus associate level Course description The course fully covers the basics of programming in the C programming language and demonstrates fundamental programming
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Testing and Source Code Auditing Secure Software Programming 2 Overview
More informationEmbedded Software Development
Linköpings Tekniska Högskola Institutionen för Datavetanskap (IDA), Software and Systems (SaS) TDDI11, Embedded Software 2010-04-22 Embedded Software Development Host and Target Machine Typical embedded
More informationLibmonitor: A Tool for First-Party Monitoring
Libmonitor: A Tool for First-Party Monitoring Mark W. Krentel Dept. of Computer Science Rice University 6100 Main St., Houston, TX 77005 krentel@rice.edu ABSTRACT Libmonitor is a library that provides
More informationThe Plan Today... System Calls and API's Basics of OS design Virtual Machines
System Calls + The Plan Today... System Calls and API's Basics of OS design Virtual Machines System Calls System programs interact with the OS (and ultimately hardware) through system calls. Called when
More informationIOActive Security Advisory
IOActive Security Advisory Title Severity Discovered by Admin ACL Bypass and Double Fetch Issue in F-Secure Internet Security 2015 High/Important Ilja van Sprundel Advisory Date September 3, 2015 Affected
More informationCompilers and Tools for Software Stack Optimisation
Compilers and Tools for Software Stack Optimisation EJCP 2014 2014/06/20 christophe.guillon@st.com Outline Compilers for a Set-Top-Box Compilers Potential Auto Tuning Tools Dynamic Program instrumentation
More informationLecture 27 C and Assembly
Ananda Gunawardena Lecture 27 C and Assembly This is a quick introduction to working with x86 assembly. Some of the instructions and register names must be check for latest commands and register names.
More informationIntroduction. Compiler Design CSE 504. Overview. Programming problems are easier to solve in high-level languages
Introduction Compiler esign CSE 504 1 Overview 2 3 Phases of Translation ast modifled: Mon Jan 28 2013 at 17:19:57 EST Version: 1.5 23:45:54 2013/01/28 Compiled at 11:48 on 2015/01/28 Compiler esign Introduction
More informationMulti-Threading Performance on Commodity Multi-Core Processors
Multi-Threading Performance on Commodity Multi-Core Processors Jie Chen and William Watson III Scientific Computing Group Jefferson Lab 12000 Jefferson Ave. Newport News, VA 23606 Organization Introduction
More informationHow to Automatically and Accurately Sandbox Microsoft IIS
How to Automatically and Accurately Sandbox Microsoft IIS Wei Li Lap-chung Lam Tzi-cker Chiueh Computer Science Department Stony Brook University Abstract Comparing the system call sequence of a network
More informationMPLAB TM C30 Managed PSV Pointers. Beta support included with MPLAB C30 V3.00
MPLAB TM C30 Managed PSV Pointers Beta support included with MPLAB C30 V3.00 Contents 1 Overview 2 1.1 Why Beta?.............................. 2 1.2 Other Sources of Reference..................... 2 2
More informationAttacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com
Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration
More informationTHE VELOX STACK Patrick Marlier (UniNE)
THE VELOX STACK Patrick Marlier (UniNE) 06.09.20101 THE VELOX STACK / OUTLINE 2 APPLICATIONS Real applications QuakeTM Game server C code with OpenMP Globulation 2 Real-Time Strategy Game C++ code using
More informationEncryption Wrapper. on OSX
Encryption Wrapper on OSX Overview OSX Kernel What is an Encryption Wrapper? Project Implementation OSX s Origins and Design NeXTSTEP Legacy NextStep v1 NextStep v3.3 Mac OS X Jobs creates NeXT Apple acquisition
More informationAutomated Faultinjection Series - Risk Management and Implementation
HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications Christof Fetzer, Zhen Xiao AT&T Labs Research 180 Park Avenue Florham Park, N.J. 07932 christof, xiao @research.att.com
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More informationLinux Distributed Security Module 1
Linux Distributed Security Module 1 By Miroslaw Zakrzewski and Ibrahim Haddad This article describes the implementation of Mandatory Access Control through a Linux kernel module that is targeted for Linux
More informationN-Variant Systems. Slides extracted from talk by David Evans. (provenance in footer) http://www.cs.virginia.edu/evans/sdwest
1 N-Variant Systems Slides extracted from talk by David Evans (provenance in footer) 2 Inevitability of Failure Despite all the best efforts to build secure software, we will still fail (or have to run
More informationOperating System Structure
Operating System Structure Lecture 3 Disclaimer: some slides are adopted from the book authors slides with permission Recap Computer architecture CPU, memory, disk, I/O devices Memory hierarchy Architectural
More informationSoftware Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland
Software Testing & Analysis (F22ST3) Static Analysis Techniques Andrew Ireland School of Mathematical and Computer Science Heriot-Watt University Edinburgh Software Testing & Analysis (F22ST3): Static
More informationLecture 16: System-Level I/O
CSCI-UA.0201-003 Computer Systems Organization Lecture 16: System-Level I/O Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified) from: Clark Barrett
More informationInternational Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849
WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore
More informationContinuous Integration/Testing and why you should assume every change breaks your code
MÜNSTER Continuous Integration/Testing and why you should assume every change breaks your code René Milk 4th November 2015 MÜNSTER Continuous Integration/Testing 2 /16 Not talking about C functions Continuous
More informationHunting Vulnerabilities with Graph Databases
Hunting Vulnerabilities with Graph Databases Fabian fabs Yamaguchi Nico Golde (Qualcomm) INBOT 14 GEORG-AUGUST-UNIVERSITÄT GÖTTINGEN CVE-2013-6381: qeth buffer overflow in snmp ioctl 2 CVE-2013-6381: qeth
More information8.5. <summary>...26 9. Cppcheck addons...27 9.1. Using Cppcheck addons...27 9.1.1. Where to find some Cppcheck addons...27 9.2.
Cppcheck 1.72 Cppcheck 1.72 Table of Contents 1. Introduction...1 2. Getting started...2 2.1. First test...2 2.2. Checking all files in a folder...2 2.3. Excluding a file or folder from checking...2 2.4.
More informationLinux Kernel Rootkit : Virtual Terminal Key Logger
Linux Kernel Rootkit : Virtual Terminal Key Logger Jeena Kleenankandy Roll No. P140066CS Depatment of Computer Science and Engineering National Institute of Technology Calicut jeena p140066cs@nitc.ac.in
More informationSoftware Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.
Software Testing Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program. Testing can only reveal the presence of errors and not the
More informationDynamic Spyware Analysis
Dynamic Spyware Analysis Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin, and Dawn Song Secure Systems Lab Technical University Vienna {pizzaman,chris,ek}@seclab.tuwien.ac.at Carnegie Mellon University
More informationDefense in Depth: Protecting Against Zero-Day Attacks
Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth
More informationUsing Code Coverage Tools in the Linux Kernel
Using Code Coverage Tools in the Linux Kernel Nigel Hinds Paul Larson Hubertus Franke Marty Ridgeway { nhinds, plars, frankeh, mridge } @ us.ibm.com Defining software reliability is hard enough, let alone
More informationSystem Calls Related to File Manipulation
KING FAHD UNIVERSITY OF PETROLEUM AND MINERALS Information and Computer Science Department ICS 431 Operating Systems Lab # 12 System Calls Related to File Manipulation Objective: In this lab we will be
More informationUnix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make
More informationAutomated Validation & Verification of Software Paper Presentation
Regression Test Selection for Java Software Salvador Valencia Rodríguez Automated Validation & Verification of Software Paper Presentation Paper authors Mary Jean Harrold James A. Jones Tongyu Li Donglin
More informationAUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS
TKK Reports in Information and Computer Science Espoo 2009 TKK-ICS-R26 AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS Kari Kähkönen ABTEKNILLINEN KORKEAKOULU TEKNISKA HÖGSKOLAN HELSINKI UNIVERSITY OF
More informationLecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com
CSCI-UA.0201-003 Computer Systems Organization Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified)
More informationAutomated Repair of Binary and Assembly Programs for Cooperating Embedded Devices
Automated Repair of Binary and Assembly Programs for Cooperating Embedded Devices Eric Schulte 1 Jonathan DiLorenzo 2 Westley Weimer 2 Stephanie Forrest 1 1 Department of Computer Science University of
More informationCS 33. Multithreaded Programming V. CS33 Intro to Computer Systems XXXVII 1 Copyright 2015 Thomas W. Doeppner. All rights reserved.
CS 33 Multithreaded Programming V CS33 Intro to Computer Systems XXXVII 1 Copyright 2015 Thomas W. Doeppner. All rights reserved. Alternatives to Mutexes: Atomic Instructions Read-modify-write performed
More information6.828 Operating System Engineering: Fall 2003. Quiz II Solutions THIS IS AN OPEN BOOK, OPEN NOTES QUIZ.
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.828 Operating System Engineering: Fall 2003 Quiz II Solutions All problems are open-ended questions. In
More informationMSc Computer Science Dissertation
University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel
More informationBypassing Browser Memory Protections in Windows Vista
Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction
More informationRapid Prototyping of Intrusion Detection Systems
Rapid Prototyping of Intrusion Detection Systems Fabrice Kordon and Jean-Baptiste Voron Université Pierre & Marie Curie, Laboratoire d Informatique de Paris 6/MoVe 4, place Jussieu, F-75252 Paris CEDEX
More informationThis is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware
This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware What I will talk about.. Challenges we faced on android malware analysis: Fast code analysis (Reversing)
More informationXen and XenServer Storage Performance
Xen and XenServer Storage Performance Low Latency Virtualisation Challenges Dr Felipe Franciosi XenServer Engineering Performance Team e-mail: felipe.franciosi@citrix.com freenode: felipef #xen-api twitter:
More informationHow To Trace
CS510 Software Engineering Dynamic Program Analysis Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-cs510-se
More informationCOS 318: Operating Systems
COS 318: Operating Systems OS Structures and System Calls Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Outline Protection mechanisms
More informationLanguage Processing Systems
Language Processing Systems Evaluation Active sheets 10 % Exercise reports 30 % Midterm Exam 20 % Final Exam 40 % Contact Send e-mail to hamada@u-aizu.ac.jp Course materials at www.u-aizu.ac.jp/~hamada/education.html
More informationSandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
More informationCS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study
CS 377: Operating Systems Lecture 25 - Linux Case Study Guest Lecturer: Tim Wood Outline Linux History Design Principles System Overview Process Scheduling Memory Management File Systems A review of what
More informationEXPLODE: a Lightweight, General System for Finding Serious Storage System Errors
EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang Joint work with Can Sar, Paul Twohey, Ben Pfaff, Dawson Engler and Madan Musuvathi Mom, Google Ate My GMail!
More informationCapability-Based Access Control
Lecture Notes (Syracuse University) Capability: 1 Capability-Based Access Control 1 An Analogy: Bank Analogy We would like to use an example to illustrate the need for capabilities. In the following bank
More informationReturn-oriented Programming: Exploitation without Code Injection
Return-oriented Programming: Exploitation without Code Injection Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham University of California, San Diego Bad code versus bad behavior Bad Bad behavior
More informationQEMU, a Fast and Portable Dynamic Translator
QEMU, a Fast and Portable Dynamic Translator Fabrice Bellard Abstract We present the internals of QEMU, a fast machine emulator using an original portable dynamic translator. It emulates several CPUs (x86,
More informationDynamic Behavior Analysis Using Binary Instrumentation
Dynamic Behavior Analysis Using Binary Instrumentation Jonathan Salwan jsalwan@quarkslab.com St'Hack Bordeaux France March 27 2015 Keywords: program analysis, DBI, DBA, Pin, concrete execution, symbolic
More informationUsing the CoreSight ITM for debug and testing in RTX applications
Using the CoreSight ITM for debug and testing in RTX applications Outline This document outlines a basic scheme for detecting runtime errors during development of an RTX application and an approach to
More informationData Structure with C
Subject: Data Structure with C Topic : Tree Tree A tree is a set of nodes that either:is empty or has a designated node, called the root, from which hierarchically descend zero or more subtrees, which
More information