Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
memory un safety

Memory (un)safety Deian Stefan Some slides adopted from Nadia - PowerPoint PPT Presentation

Apr 07, 2024 •376 likes •1.17k views

CSE 127: Computer Security Memory (un)safety Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, Stephen Checkoway, Hovav Shacham, Raluca Popal, and David Wagner Today Return oriented programming (ROP)

  1. CSE 127: Computer Security Memory (un)safety Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, Stephen Checkoway, Hovav Shacham, Raluca Popal, and David Wagner

  2. Today • Return oriented programming (ROP) • Control flow integrity

  3. Last time: return-to-libc • Defense: W^X makes the stack not executable ➤ Prevents attacker data from being interpreted as code • What can we do (as the attacker)? ➤ Reuse existing code (either program or libc) ➤ E.g., use system(“/bin/sh”) ➤ E.g., use mprotect () to mark stack executable

  4. Return-to-libc is great, but…. what if there is no function that does what we want?

  6. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham ∗ hovav@cs.ucsd.edu

  7. Return-Oriented Programming

  8. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc.

  9. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. ret Steve Checkoway ret Dino Dai Zovi

  10. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc.

  11. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions?

  12. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions? ➤ End of function (inserted by compiler)

  13. Return-Oriented Programming • Idea: make shellcode out of existing code • Gadgets: code sequences ending in ret instruction ➤ Overwrite saved %eip on stack to pointer to first gadget, then second gadget, etc. • Where do you often find ret instructions? ➤ End of function (inserted by compiler) ➤ Any sequence of executable memory ending in 0xc3

  15. x86 instructions • Variable length! • Can begin on any byte boundary!

  16. One ret, multiple gadgets mov $0x1,%eax pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  17. One ret, multiple gadgets add %al,(%eax) pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  18. One ret, multiple gadgets add %bl,-0x37(%eax) = b8 01 00 00 00 5b c9 c3 ret

  19. One ret, multiple gadgets pop %ebx = b8 01 00 00 00 5b c9 c3 leave ret

  20. One ret, multiple gadgets leave = b8 01 00 00 00 5b c9 c3 ret

  21. One ret, multiple gadgets = b8 01 00 00 00 5b c9 c3 ret

  22. Why is ret ? • Attacker overflows stack allocated buffer • What happens when function returns? ➤ Restore stack frame ➤ leave = movl %ebp, %esp; pop %ebp ➤ Return ➤ ret = pop %eip • If instruction sequence at %eip ends in ret 
 what do we do?

  23. What happens if this is what we overflow the stack with? v 1 pop %edx %esp ret

  24. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef 0x08049bbc %esp relevant code: 0x08049b62: nop %eip 0x08049b63: ret ... 0x08049bbc: pop %edx 0x08049bbd: ret

  25. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef 0x08049bbc %esp relevant code: 0x08049b62: nop 0x08049b63: ret %eip ... 0x08049bbc: pop %edx 0x08049bbd: ret

  26. relevant register(s): %edx = 0x00000000 relevant stack: 0xdeadbeef %esp 0x08049bbc relevant code: 0x08049b62: nop 0x08049b63: ret ... 0x08049bbc: pop %edx %eip 0x08049bbd: ret

  27. relevant register(s): %edx = 0xdeadbeef relevant stack: %esp 0xdeadbeef 0x08049bbc relevant code: 0x08049b62: nop 0x08049b63: ret ... 0x08049bbc: pop %edx %eip 0x08049bbd: ret

  28. This is a ROP gadget! v 1 pop %edx %esp ret movl v 1, %edx

  29. 
 
 
 How dow you use this as an attacker? • Overflow the stack with values and addresses to such gadgets to express your program • E.g., if shellcode needs to write a value to %edx , use the previous gadget 
 v 1 pop %edx %esp ret

  30. Let’s look at another gadget mov %eax, %(ebx) ret v 2 pop %ebx ret v 1 pop %eax %esp ret

  31. relevant register(s): %eax = 0x00000000 %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret %eip ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc %esp 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  32. relevant register(s): %eax = 0x00000000 %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef %esp 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... %eip 0x08049bbc: pop %eax 0x08049bbd: ret

  33. relevant register(s): %eax = 0xdeadbeef %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret %esp ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret %eip

  34. relevant register(s): %eax = 0xdeadbeef %ebx = 0x00000000 relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: 0xbadcaffe %esp 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx %eip 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  35. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0x00000000 0x08049b90 relevant code: %esp 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc %eip 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  36. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0x00000000 %esp 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) %eip 0x08049b91: ret ... 0x08049bbc: pop %eax 0x08049bbd: ret

  37. relevant register(s): %eax = 0xdeadbeef %ebx = 0xbadcaffe relevant stack: relevant memory: 0xbadcaffe: 0xdeadbeef %esp 0x08049b90 relevant code: 0xbadcaffe 0x08049b63 0x08049b00: ret ... 0xdeadbeef 0x08049b63: pop %ebx 0x08049bbc 0x08049b64: ret ... 0x08049b90: mov %eax, %(ebx) 0x08049b91: ret %eip ... 0x08049bbc: pop %eax 0x08049bbd: ret

  38. What does this gadget do? mov %eax, %(ebx) ret v 2 pop %ebx ret v 1 pop %eax %esp ret movl v 2, %ebx movl v 1, %(%ebx)

  39. What does this gadget do? pop %esp %esp ret

  40. Can express arbitrary programs

  41. Can find gadgets automatically

  42. Return-oriented programming not even really about “returns”…

  43. What the heck do we do? Observation: In almost all the attacks we looked at, the attacker is overwriting jump targets that are in memory (return addresses and function pointers)

  44. Control Flow Integrity • Idea: don’t try to stop the memory writes. Instead: restrict control flow to legitimate paths ➤ I.e., ensure that jumps, calls, and returns can only go to allowed target destinations

  45. Restrict indirect transfers of control

  46. Restrict indirect transfers of control • Why do we not need to do anything about direct transfer of control flow (i.e., direct jumps/calls)?

  47. Restrict indirect transfers of control • Why do we not need to do anything about direct transfer of control flow (i.e., direct jumps/calls)? ➤ Address is hard-coded in instruction. Not under attacker control

  48. Restrict indirect transfers of control

  49. Restrict indirect transfers of control • What are the ways to transfer control indirectly?

  50. Restrict indirect transfers of control • What are the ways to transfer control indirectly? • Forward path: jumping to (or calling function at) an address in register or memory ➤ E.g., qsort, interrupt handlers, virtual calls, etc. • Reverse path: returning from function (uses address on stack)

  51. 
 
 What’s a legitimate target? Look at the program control-flow graph (CFG)! void sort2(int a[],int b[], int len { 
 sort(a, len, lt); 
 sort(b, len, gt); 
 } 
 bool lt(int x, int y) { return x < y; } 
 bool gt(int x, int y) { return x > y; }

  52. 
 
 What’s a legitimate target? Look at the program control-flow graph (CFG)! void sort2(int a[],int b[], int len { 
 sort(a, len, lt); 
 sort(b, len, gt); 
 } 
 sort2() bool lt(int x, int y) { return x < y; call sort } 
 bool gt(int x, int y) { call sort return x > y; ret }

Recommend

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

171 views • 5 slides
1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC Computing Computing + Fabric SoC Memory HYPERCONVERGED Exascale EDGE DEVICE SYSTEM Eliminate data movement via shared

406 views • 11 slides
Networks Computer-Computer Comm CPU CPU CPU CPU Memory Device Device Memory Memory

Networks Computer-Computer Comm CPU CPU CPU CPU Memory Device Device Memory Memory

Networks Computer-Computer Comm CPU CPU CPU CPU Memory Device Device Memory Memory Device Device Memory Computer-Computer Comm CPU CPU CPU CPU Comm Comm Comm Comm Memory Memory Memory Memory Device Device Device Device

632 views • 36 slides
Intersection Safety Intersection Safety Intersection Safety FHWA Safety Focus Areas FHWA Safety

Intersection Safety Intersection Safety Intersection Safety FHWA Safety Focus Areas FHWA Safety

Intersection Safety Intersection Safety Intersection Safety FHWA Safety Focus Areas FHWA Safety Focus Areas Intersection Safety Intersection Safety 2 Intersections Intersections Intersection Safety Intersection Safety 3 Intersections

507 views • 36 slides
Virtual Memory 1 Memory Hierarchy Memory 4GB Cache 1M Registers 1K Question: What if

Virtual Memory 1 Memory Hierarchy Memory 4GB Cache 1M Registers 1K Question: What if

Virtual Memory 1 Memory Hierarchy Memory 4GB Cache 1M Registers 1K Question: What if we want to run a process that requires 10GB memory? 2 Memory Hierarchy Virtual Memory Memory Cache Registers Answer: Pretend we had something

740 views • 45 slides
Personal SE Computer Memory Addresses C Pointers Computer Memory Organization Memory is a

Personal SE Computer Memory Addresses C Pointers Computer Memory Organization Memory is a

Personal SE Computer Memory Addresses C Pointers Computer Memory Organization Memory is a bucket of bytes . Computer Memory Organization Memory is a bucket of bytes. Each byte is 8 bits wide. Computer Memory Organization Memory

994 views • 42 slides
Memory Memory processing is the ability to: Acquire (Short term memory) Manipulate

Memory Memory processing is the ability to: Acquire (Short term memory) Manipulate

Memory Memory processing is the ability to: Acquire (Short term memory) Manipulate (Working memory) Retain (Long term memory) Memory Retrieve (Long term memory) processing A difficulty with any one or more of these skills

362 views • 6 slides
Memory Management Memory Manager Requirements Minimize primary memory access time

Memory Management Memory Manager Requirements Minimize primary memory access time

Memory Management Memory Manager Requirements Minimize primary memory access time Maximize primary memory size Primary memory must be cost-effective Todays memory manager: Allocates primary memory to processes Maps

638 views • 27 slides
UNIFIED MEMORY IN CUDA 6 MARK HARRIS NVIDIA CONFIDENTIAL Unified Memory Dramatically Lower

UNIFIED MEMORY IN CUDA 6 MARK HARRIS NVIDIA CONFIDENTIAL Unified Memory Dramatically Lower

UNIFIED MEMORY IN CUDA 6 MARK HARRIS NVIDIA CONFIDENTIAL Unified Memory Dramatically Lower Developer Effort Developer View Today Developer View With Unified Memory System GPU Memory Unified Memory Memory Super Simplified Memory Management

774 views • 22 slides
Virtual Memory and Virtual Memory and Demand Paging Demand Paging Virtual Memory Illustrated

Virtual Memory and Virtual Memory and Demand Paging Demand Paging Virtual Memory Illustrated

Virtual Memory and Virtual Memory and Demand Paging Demand Paging Virtual Memory Illustrated Virtual Memory Illustrated virtual physical backing executable memory memory file storage (big) (small) header text pageout/eviction text

486 views • 12 slides
Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory Layout (1) Each Linux process runs within its own virtual address space tables and the MMU (if available) security due to

1.25k views • 68 slides
Lecture 11: Persistent Memory Databases 1 / 71 Persistent Memory Databases Recap

Lecture 11: Persistent Memory Databases 1 / 71 Persistent Memory Databases Recap

Persistent Memory Databases Lecture 11: Persistent Memory Databases 1 / 71 Persistent Memory Databases Recap Larger-than-Memory Databases Recap 2 / 71 Persistent Memory Databases Recap Larger-than-Memory Databases Larger-than-Memory

894 views • 71 slides
Memory Hierarchy: Caching CSE 141, S2'06 Jeff Brown The memory subsystem Computer Control

Memory Hierarchy: Caching CSE 141, S2'06 Jeff Brown The memory subsystem Computer Control

Memory Hierarchy: Caching CSE 141, S2'06 Jeff Brown The memory subsystem Computer Control Input Memory Output Datapath CSE 141, S2'06 Jeff Brown Memory Locality Memory hierarchies take advantage of memory locality . Memory

340 views • 33 slides
Memory Management Ideally programmers want memory that is large fast non

Memory Management Ideally programmers want memory that is large fast non

Memory Management Virtual Memory Background; key issues Memory allocation schemes Virtual memory Memory management design and implementation issues 1 Memory Management Ideally programmers want memory that is large fast non

412 views • 30 slides
28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory

28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory

28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory Management memory use of programs has to be managed in some way. Memory Management The memory management is usually performed by a runtime system

785 views • 13 slides
CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College

CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College

3/29/2012 CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College of India I N T R O D U C T I O N What is Cyber-safety Consequences Threats of Inaction Cyber-safety? Cyber-safety Cyber-safety at

220 views • 7 slides
Certain representations with unique models Yuanqing Cai Kyoto University November 2020 New York

Certain representations with unique models Yuanqing Cai Kyoto University November 2020 New York

Certain representations with unique models Yuanqing Cai Kyoto University November 2020 New York H : the quaternion algebra over R : H R &gt; 0 tr : H R : R C nontrivial additive character 1

744 views • 35 slides
2019 Linkping, Sweden TMALL 0145 Presentation Widescreen v 1.0 Daniel Jakobsson Source: World

2019 Linkping, Sweden TMALL 0145 Presentation Widescreen v 1.0 Daniel Jakobsson Source: World

Fourth Stream Reasoning Workshop 17 April 2019 Linkping, Sweden TMALL 0145 Presentation Widescreen v 1.0 Daniel Jakobsson Source: World Travel &amp; Tourism Council https://www.hotelbusiness.com/delo itte-hoteliers-should-plan-ahead/ We

627 views • 20 slides
1.4 Qualification of 525 kV DC extruded cables Technologies for Global Energy Grid 27.06.2019

1.4 Qualification of 525 kV DC extruded cables Technologies for Global Energy Grid 27.06.2019

1.4 Qualification of 525 kV DC extruded cables Technologies for Global Energy Grid 27.06.2019 Dr. Roland D. Zhang Topics Introduction GTSO PQ tests for HVDC underground cable systems Qualification of DC submarine cable systems

356 views • 11 slides
INF4140 - Models of concurrency Hsten 2015 November 2, 2015 Abstract This is the

INF4140 - Models of concurrency Hsten 2015 November 2, 2015 Abstract This is the

INF4140 - Models of concurrency Hsten 2015 November 2, 2015 Abstract This is the handout version of the slides for the lecture (i.e., its a rendering of the content of the slides in a way that does not waste so much paper when

529 views • 17 slides
Combining ModelCheckin g and Abstra ct Interpret a t ion P arallel Combina tio n

Combining ModelCheckin g and Abstra ct Interpret a t ion P arallel Combina tio n

Combining ModelCheckin g and Abstra ct Interpret a t ion P arallel Combina tio n of Abstra ct Interpret a ti on Ho w and ModelBased A utoma tic Anal ysis of Softw are Abstract symb olic metho

290 views • 5 slides
High Performance Systems EuroMPI 2015 Objectives Yet another performance analysis tool

High Performance Systems EuroMPI 2015 Objectives Yet another performance analysis tool

Tutorial 1: Performance analysis for High Performance Systems EuroMPI 2015 Objectives Yet another performance analysis tool Developping performance analysis features for your application/library 2 EuroMPI 2015 Performance analysis for

632 views • 30 slides
European Energy Regulation A Bridge to 2025 Retail Markets Patricia de Suzzoni Chair of the

European Energy Regulation A Bridge to 2025 Retail Markets Patricia de Suzzoni Chair of the

European Energy Regulation A Bridge to 2025 Retail Markets Patricia de Suzzoni Chair of the Customer and Retail Markets Working Group Brussels, 29 April 2014 The 2025 Bridge and its pillars Green Paper: Energy Regulation: A bridge to

208 views • 7 slides
UNFCCC COP22 Mini Side Event: Eco Village Development: A Low-carbon Adaptation and Mitigation

UNFCCC COP22 Mini Side Event: Eco Village Development: A Low-carbon Adaptation and Mitigation

UNFCCC COP22 Mini Side Event: Eco Village Development: A Low-carbon Adaptation and Mitigation Strategy for Development in South Asia UN Climate Change Studio 8/11/2016 Marrakech, Morocco Link to Publication:

532 views • 4 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.