Securing software by enforcing data-flow integrity

Similar documents
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Software Vulnerabilities

SoK: Eternal War in Memory

Transparent Monitoring of a Process Self in a Virtual Environment

Fine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich

Chapter 15 Operating System Security

CSC 405 Introduction to Computer Security

90% of data breaches are caused by software vulnerabilities.

AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair

Return-oriented programming without returns

Technical Report. Practical memory safety for C. Periklis Akritidis. Number 798. June Computer Laboratory UCAM-CL-TR-798 ISSN

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

TOOL EVALUATION REPORT: FORTIFY

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

Bypassing Browser Memory Protections in Windows Vista

Off-by-One exploitation tutorial

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

MSc Computer Science Dissertation

Týr: a dependent type system for spatial memory safety in LLVM

Linux Kernel. Security Report

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Counterfeit Object-oriented Programming

Vigilante: End-to-End Containment of Internet Worms

Visualizing Information Flow through C Programs

Automatically Patching Errors in Deployed Software

Source Code Security Analysis Tool Functional Specification Version 1.0

Introduction. Figure 1 Schema of DarunGrim2

Intrusion Detection via Static Analysis

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Dynamic Behavior Analysis Using Binary Instrumentation

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Stack Overflows. Mitchell Adair

Bypassing Windows Hardware-enforced Data Execution Prevention

Control-Flow Integrity

Static Techniques for Vulnerability Detection

Automating Mimicry Attacks Using Static Binary Analysis

Securing Network Software using Static Analysis

Violating Database - Enforced Security Mechanisms

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Application Intrusion Detection

Defense in Depth: Protecting Against Zero-Day Attacks

How to Sandbox IIS Automatically without 0 False Positive and Negative

esrever gnireenigne tfosorcim seiranib

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

CS 392/681 - Computer Security. Module 16 Vulnerability Analysis

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

How To Detect A Buffer Overflow Vulnerability In Binary Code

Discovering passwords in the memory

Windows XP SP3 Registry Handling Buffer Overflow

MPLAB TM C30 Managed PSV Pointers. Beta support included with MPLAB C30 V3.00

Building accurate intrusion detection systems. Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux (Windows 3.5) On A Pc

The software model checker BLAST

Malicious Code on Java Card Smartcards: Attacks and Countermeasures

Framework for Injecting the Attacks and Analyzing the Behaviour of Vulnerability on Server s

SQL Injection Protection by Variable Normalization of SQL Statement

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

Address Taken FIAlias, which is equivalent to Steensgaard. CS553 Lecture Alias Analysis II 2

Bypassing Memory Protections: The Future of Exploitation

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

The Advantages of Block-Based Protocol Analysis for Security Testing

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems

X86-64 Architecture Guide

How To Develop A Static Analysis System For Large Programs

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

- Table of Contents -

Passing PCI Compliance How to Address the Application Security Mandates

Secure Software Programming and Vulnerability Analysis

Introduction. What is an Operating System?

CS52600: Information Security

Transcription:

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge

Software is vulnerable use of unsafe languages is prevalent most packaged software written in C/C++ many software defects buffer overflows, format strings, double frees many ways to exploit defects corrupt control-data: stack, function pointers corrupt non-control-data: function arguments, security variables defects are routinely exploited

Approaches to securing software remove/avoid all defects is hard prevent control-data exploits protect specific control-data StackGuard, PointGuard detect control-flow anomalies Program Shepherding, CFI attacks can succeed without corrupting control-flow prevent non-control-data exploits bounds checking on all pointer dereferences CRED detect unsafe uses of network data Vigilante, [Suh04], Minos, TaintCheck, [Chen05], Argos, [Ho06] expensive in software no good solutions to prevent non-control-data exploits

Data-flow integrity enforcement compute data-flow in the program statically for every load, compute the set of stores that may produce the loaded data enforce data-flow at runtime when loading data, check that it came from an allowed store optimize enforcement with static analysis

Data-flow integrity: advantages broad coverage detects control-data and non-control-data attacks automatic extracts policy from unmodified programs no false positives only detects real errors (malicious or not) good performance low runtime overhead

Outline data-flow integrity enforcement optimizations results

Data-flow integrity at compile time, compute reaching definitions assign an id to every store instruction assign a set of allowed source ids to every load at runtime, check actual definition that reaches a load runtime definitions table (RDT) records id of last store to each address on store(value,address): set RDT[address] to store s id on load(address): check if RDT[address] is one of the allowed source ids protect RDT with software-based fault isolation

Example vulnerable program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); } if (Authenticate(packet)) authenticated = 1; buffer overflow in this function allows the attacker to set authenticated to 1 if (authenticated) ProcessPacket(packet); non-control-data attack very similar to a real attack on a SSH server

Static analysis computes data flows conservatively flow-sensitive intraprocedural analysis flow-insensitive interprocedural analysis uses Andersen s points-to algorithm scales to very large programs same assumptions as analysis for optimization pointer arithmetic cannot navigate between independent objects these are the assumptions that attacks violate

Instrumentation SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while (CHECKDEF authenticated in {1,8}!authenticated) { PacketRead(packet); check that authenticated was written here or here if (Authenticate(packet)){ SETDEF authenticated 8 authenticated = 1; } } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet);

Runtime: detecting the attack Vulnerable program SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while (CHECKDEF authenticated in {1,8}!authenticated) { PacketRead(packet); Memory layout RDT slot for authenticated stores disallowed above 0x40000000 17 if (Authenticate(packet)){ Attack detected! SETDEF authenticated definition 8 7 not authenticated = 1; in {1,8} } } CHECKDEF authenticated in {1,8} if (authenticated) ProcessPacket(packet); authenticated stored here 10

Also prevents control-data attacks user-visible control-data (function pointers, ) handled as any other data compiler-generated control-data instrument definitions and uses of this new data e.g., enforce that the definition reaching a ret is generated by the corresponding call

Efficient instrumentation: SETDEF SETDEF _authenticated 1 is compiled to: get address of variable lea ecx,[_authenticated] prevent RDT tampering test ecx,0c0000000h je L set RDT[address] to 1 int 3 L: shr ecx,2 mov word ptr [ecx*2+40001000h],1

Efficient instrumentation: CHECKDEF CHECKDEF _authenticated {1,8} is compiled to: L: get address of variable lea ecx,[_authenticated] shr ecx,2 mov cx, word ptr [ecx*2+40001000h] cmp cx, 1 je L get definition id from RDT[address] cmp cx,8 je L check definition in {1,8} int 3

Optimization: renaming definitions definitions with the same set of uses share one id SETDEF authenticated 1 int authenticated = 0; char packet[1000]; while ( CHECKDEF authenticated in {1,8} {1}!authenticated) { PacketRead(packet); if (Authenticate(packet)){ SETDEF authenticated 81 authenticated = 1; } } CHECKDEF authenticated in {1,8} {1} if (authenticated) ProcessPacket(packet);

Other optimizations removing SETDEFs and CHECKDEFs eliminate CHECKDEFs that always succeed eliminate redundant SETDEFs uses static analysis, but does not rely on any assumptions that may be violated by attacks remove bounds checks on safe writes optimize set membership checks check consecutive ids using a single comparison

Evaluation overhead on SPEC CPU and Web benchmarks contributions of optimizations ability to prevent attacks on real programs

Runtime overhead

Memory overhead

Contribution of optimizations

Overhead on SPEC Web maximum overhead of 23%

Preventing real attacks Application Vulnerability Exploit Detected? NullHttpd heap-based buffer overflow overwrite cgi-bin configuration data yes SSH integer overflow and heap-based buffer overflow overwrite authenticated variable STunnel format string overwrite return address yes yes Ghttpd stack-based buffer overflow overwrite return address yes

Conclusion enforcing data-flow integrity protects software from attacks handles non-control-data and control-data attacks works with unmodified C/C++ programs no false positives low runtime and memory overhead

Overhead breakdown

Contribution of optimizations

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information