1,339 research outputs found
Counter-Measures against Stack Buffer Overflows in GNU/Linux Operating Systems
AbstractWe address the particular cyber attack technique known as stack buffer overflow in GNU/Linux operating systems, which are widely used in HPC environments. The buffer overflow problem has been around for quite some time and continues to be an ever present issue. We develop a mechanism to successfully detect and react whenever a stack buffer overflow occurs. Our solution requires no compile-time support and so can be applied to any program, including legacy or closed source software for which the source code is not available. This makes it especially useful in HPC environments where given their complexity and scope of the computing system, incidents like overflows might be difficult to detect and react to accordingly
ScaRR: Scalable Runtime Remote Attestation for Complex Systems
The introduction of remote attestation (RA) schemes has allowed academia and
industry to enhance the security of their systems. The commercial products
currently available enable only the validation of static properties, such as
applications fingerprint, and do not handle runtime properties, such as
control-flow correctness. This limitation pushed researchers towards the
identification of new approaches, called runtime RA. However, those mainly work
on embedded devices, which share very few common features with complex systems,
such as virtual machines in a cloud. A naive deployment of runtime RA schemes
for embedded devices on complex systems faces scalability problems, such as the
representation of complex control-flows or slow verification phase.
In this work, we present ScaRR: the first Scalable Runtime Remote attestation
schema for complex systems. Thanks to its novel control-flow model, ScaRR
enables the deployment of runtime RA on any application regardless of its
complexity, by also achieving good performance. We implemented ScaRR and tested
it on the benchmark suite SPEC CPU 2017. We show that ScaRR can validate on
average 2M control-flow events per second, definitely outperforming existing
solutions.Comment: 14 page
Survey of Protections from Buffer-Overflow Attacks
Buffer-overflow attacks began two decades ago and persist today. Over that time, many solutions to provide protection from buffer-overflow attacks have been proposed by a number of researchers. They all aim to either prevent or protect against buffer-overflow attacks. As defenses improved, attacks adapted and became more sophisticated. Given the maturity of field and the fact that some solutions now exist that can prevent most buffer-overflow attacks, we believe it is time to survey these schemes and examine their critical issues. As part of this survey, we have grouped approaches into three board categories to provide a basis for understanding buffer-overflow protection schemes
Countering Code Injection Attacks With Instruction Set Randomization
We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitable-modified processor (e.g., the Transmeta Crusoe).Our approach is equally applicable against code-injecting attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms
Cyber-security protection techniques to mitigate memory errors exploitation
Tesis por compendio[EN] Practical experience in software engineering has demonstrated that the goal of
building totally fault-free software systems, although desirable, is impossible
to achieve. Therefore, it is necessary to incorporate mitigation techniques in
the deployed software, in order to reduce the impact of latent faults.
This thesis makes contributions to three memory corruption mitigation
techniques: the stack smashing protector (SSP), address space layout
randomisation (ASLR) and automatic software diversification.
The SSP is a very effective protection technique used against stack buffer
overflows, but it is prone to brute force attacks, particularly the dangerous
byte-for-byte attack. A novel modification, named RenewSSP, has been proposed
which eliminates brute force attacks, can be used in a completely transparent
way with existing software and has negligible overheads. There are two
different kinds of application for which RenewSSP is especially beneficial:
networking servers (tested in Apache) and application launchers (tested on
Android).
ASLR is a generic concept with multiple designs and implementations. In this
thesis, the two most relevant ASLR implementations of Linux have been analysed
(Vanilla Linux and PaX patch), and several weaknesses have been found. Taking
into account technological improvements in execution support (compilers and
libraries), a new ASLR design has been proposed, named ASLR-NG, which
maximises entropy, effectively addresses the fragmentation issue and removes a
number of identified weaknesses. Furthermore, ASLR-NG is transparent to
applications, in that it preserves binary code compatibility and does not add
overheads. ASLR-NG has been implemented as a patch to the Linux kernel 4.1.
Software diversification is a technique that covers a wide range of faults,
including memory errors. The main problem is how to create variants,
i.e. programs which have identical behaviours on normal inputs but
where faults manifest differently. A novel form of automatic variant
generation has been proposed, using multiple cross-compiler suites and
processor emulators.
One of the main goals of this thesis is to create applicable results.
Therefore, I have placed particular emphasis on the development of real
prototypes in parallel with the theoretical study. The results of this thesis
are directly applicable to real systems; in fact, some of the results have
already been included in real-world products.[ES] La creación de software supone uno de los retos más complejos para el
ser humano ya que requiere un alto grado de abstracción. Aunque se ha
avanzado mucho en las metodologÃas para la prevención de los fallos
software, es patente que el software resultante dista mucho de ser
confiable, y debemos asumir que el software que se produce no está
libre de fallos. Dada la imposibilidad de diseñar o implementar
sistemas libres de fallos, es necesario incorporar técnicas de
mitigación de errores para mejorar la seguridad.
La presente tesis realiza aportaciones en tres de las principales
técnicas de mitigación de errores de corrupción de memoria: Stack
Smashing Protector (SSP), Address Space Layout Randomisation (ASLR) y
Automatic Software Diversification.
SSP es una técnica de protección muy efectiva contra
ataques de desbordamiento de buffer en pila, pero es sensible a ataques de
fuerza bruta, en particular al peligroso ataque denominado byte-for-byte.
Se ha propuesto una novedosa modificación del SSP, llamada RenewSSP,
la cual elimina los ataques de fuerza bruta. Puede ser usada
de manera completamente transparente con los programas existentes sin
introducir sobrecarga. El RenewSSP es especialmente beneficioso en dos áreas de
aplicación: Servidores de red (probado en Apache) y
lanzadores de aplicaciones eficientes (probado en Android).
ASLR es un concepto genérico, del cual hay multitud de diseños e
implementaciones. Se han analizado las dos implementaciones más
relevantes de Linux (Vanilla Linux y PaX patch), encontrándose en
ambas tanto debilidades como elementos mejorables. Teniendo en cuenta
las mejoras tecnológicas en el soporte a la ejecución (compiladores y
librerÃas), se ha propuesto un nuevo diseño del ASLR, llamado
ASLR-NG, el cual: maximiza la entropÃa, soluciona el problema de la
fragmentación y elimina las debilidades encontradas. Al igual que la
solución propuesta para el SSP, la nueva propuesta de ASLR es
transparente para las aplicaciones y compatible a nivel
binario sin introducir sobrecarga. ASLR-NG ha sido implementado como
un parche del núcleo de Linux para la versión 4.1.
La diversificación software es una técnica que cubre una amplia gama
de fallos, incluidos los errores de memoria. La principal dificultad
para aplicar esta técnica radica en la generación de las
"variantes", que son programas que tienen un comportamiento idéntico
entre ellos ante entradas normales, pero tienen un comportamiento
diferenciado en presencia de entradas anormales. Se ha propuesto una
novedosa forma de generar variantes de forma automática a partir de un
mismo código fuente, empleando la emulación de sistemas.
Una de las máximas de esta investigación ha sido la aplicabilidad de
los resultados, por lo que se ha hecho especial hincapié en el
desarrollo de prototipos sobre sistemas reales a la par que se llevaba
a cabo el estudio teórico. Como resultado, las propuestas de esta
tesis son directamente aplicables a sistemas reales, algunas de ellas
ya están siendo explotadas en la práctica.[CA] La creació de programari suposa un dels reptes més complexos per al ser humà ja
que requerix un alt grau d'abstracció. Encara que s'ha avançat molt en les
metodologies per a la prevenció de les fallades de programari, és palès que el
programari resultant dista molt de ser confiable, i hem d'assumir que el
programari que es produïx no està lliure de fallades. Donada la impossibilitat
de dissenyar o implementar sistemes lliures de fallades, és necessari
incorporar tècniques de mitigació d'errors per a millorar la seguretat.
La present tesi realitza aportacions en tres de les principals tècniques de
mitigació d'errors de corrupció de memòria: Stack Smashing Protector (SSP),
Address Space Layout Randomisation (ASLR) i Automatic Software
Diversification.
SSP és una tècnica de protecció molt efectiva contra atacs de desbordament de
buffer en pila, però és sensible a atacs de força bruta, en particular al
perillós atac denominat byte-for-byte.
S'ha proposat una nova modificació del SSP, RenewSSP, la qual elimina els atacs
de força bruta. Pot ser usada de manera completament transparent amb els
programes existents sense introduir sobrecà rrega. El RenewSSP és especialment
beneficiós en dos à rees d'aplicació: servidors de xarxa (provat en Apache) i
llançadors d'aplicacions eficients (provat en Android).
ASLR és un concepte genèric, del qual hi ha multitud de dissenys i
implementacions. S'han analitzat les dos implementacions més rellevants de
Linux (Vanilla Linux i PaX patch), trobant-se en ambdues tant debilitats com
elements millorables. Tenint en compte les millores tecnològiques en el suport
a l'execució (compiladors i llibreries), s'ha proposat un nou disseny de
l'ASLR: ASLR-NG, el qual, maximitza l'entropia, soluciona el problema de
la fragmentació i elimina les debilitats trobades. Igual que la solució
proposada per al SSP, la nova proposta d'ASLR és transparent per a les
aplicacions i compatible a nivell binari sense introduir sobrecà rrega. ASLR-NG
ha sigut implementat com un pedaç del nucli de Linux per a la versió 4.1.
La diversificació de programari és una tècnica que cobrix una à mplia gamma de
fa\-llades, inclosos els errors de memòria. La principal dificultat per a aplicar
esta tècnica radica en la generació de les "variants", que són programes que
tenen un comportament idèntic entre ells davant d'entrades normals, però tenen
un comportament diferenciat en presència d'entrades anormals. S'ha proposat una
nova forma de generar variants de forma automà tica a partir d'un mateix codi
font, emprant l'emulació de sistemes.
Una de les mà ximes d'esta investigació ha sigut l'aplicabilitat dels resultats,
per la qual cosa s'ha fet especial insistència en el desenrotllament de
prototips sobre sistemes reals al mateix temps que es duia a terme l'estudi
teòric. Com a resultat, les propostes d'esta tesi són directament aplicables
a sistemes reals, algunes d'elles ja estan sent explotades en la prà ctica.Marco Gisbert, H. (2015). Cyber-security protection techniques to mitigate memory errors exploitation [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/57806TESISCompendi
Linux Kernel Memory Safety
Linux kernel vulnerabilities are often long lived and in some cases challenging to patch after discovery. The current focus in upstream Linux security has therefore been on categorical protections against whole error classes, not only reactive patching of specific vulnerabilities. Our work contributes to these efforts by tackling memory errors in the Linux kernel from two different fronts. First, we contributed to the upstream Linux kernel by working on a mechanism to prevent use-after-free errors caused by reference counter overflows. Second, we explored the applicability of Intel MPX as a general mechanism to prevent spatial memory errors in the Linux kernel
Defense against buffer overflow attack by software design diversity
A buffer overflow occurs during program execution when a fixed-size buffer has had too much data copied into it. This causes the data to overwrite into adjacent memory locations, and, depending on what is stored there, the behavior of the program itself might be affected; Attackers can select the value to place in the location in order to redirect execution to the location of their choice. If it contains machine code, the attacker causes the program to execute any arbitrary set of instructions---essentially taking control of the process. Successfully modifying the function return address allows the attacker to execute instructions with the same privileges as that of the attacked program; In this thesis, we propose to design software with multiple variants of the modules/functions. It can provide strong defense against the buffer overflow attack. A way can be provided to select a particular variant (implementation) of the module randomly when software is executed. This proves to be useful when an attacker designs the attack for a particular variant/implementation which may not be chosen in the random selection process during execution. It would be much difficult for the attacker to design an attack because of the different memory (stack-frame) layout the software could have every time it is executed
Quire: Lightweight Provenance for Smart Phone Operating Systems
Smartphone apps often run with full privileges to access the network and
sensitive local resources, making it difficult for remote systems to have any
trust in the provenance of network connections they receive. Even within the
phone, different apps with different privileges can communicate with one
another, allowing one app to trick another into improperly exercising its
privileges (a Confused Deputy attack). In Quire, we engineered two new security
mechanisms into Android to address these issues. First, we track the call chain
of IPCs, allowing an app the choice of operating with the diminished privileges
of its callers or to act explicitly on its own behalf. Second, a lightweight
signature scheme allows any app to create a signed statement that can be
verified anywhere inside the phone. Both of these mechanisms are reflected in
network RPCs, allowing remote systems visibility into the state of the phone
when an RPC is made. We demonstrate the usefulness of Quire with two example
applications. We built an advertising service, running distinctly from the app
which wants to display ads, which can validate clicks passed to it from its
host. We also built a payment service, allowing an app to issue a request which
the payment service validates with the user. An app cannot not forge a payment
request by directly connecting to the remote server, nor can the local payment
service tamper with the request
- …