
    ROPocop - Dynamic Mitigation of Code-Reuse Attacks

    Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (ROP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols, nor changes to the operating system. It mitigates attacks both by monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4x, which is comparable to similar approaches that give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.

    Analyzing the Gadgets Towards a Metric to Measure Gadget Quality

    Current low-level exploits often rely on code reuse, whereby short sections of code (gadgets) are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this attack vector by applying code transformations to reduce the number of available gadgets. Nevertheless, it has emerged that the residual gadgets can still be sufficient to conduct a successful attack. Crucially, the lack of a common metric for "gadget quality" hinders the effective comparison of current mitigations. This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality. We apply these metrics to binaries produced when compiling programs for architectures implementing Intel's recent MPX CPU extensions. Our results demonstrate a 17% increase in useful gadgets in MPX binaries, and a decrease in side effects and preconditions, making them better suited for ROP attacks.

    Comment: International Symposium on Engineering Secure Software and Systems, Apr 2016, London, United Kingdom

    Exactness and reliability of nonparametric estimators of species richness compared by simulation and field data

    When estimating any value, the associated measures of error also have to be estimated. For each of the species richness estimators used above (see Chapter 5.2.3) methods of estimating variance and, hence, standard error are available (BURNHAM & OVERTON 1978, OTIS ET AL. 1978, CHAO 1984, CHAO ET AL. 1992, CHAO & LEE 1992). However, some of these estimators of variance did not perform well in simulations (OTIS ET AL. 1978, BURNHAM & OVERTON 1979). Moreover, they are not comparable with one another and, thus, introduce an additional source of factors influencing the suitability of the estimators of species number. In order to eliminate this influence, two methods of estimating standard error were chosen, which can be used with all of the species richness estimators. The bootstrap technique to estimate standard error (EFRON 1981) was already used for the jackknife estimator of species richness (NICHOLS ET AL. 1998B). Chao also suggests using it with some of her estimators (CHAO ET AL. 1996, CHAO ET AL. 2001). A related technique is Tukey's jackknife method (MILLER 1974), which proved its usefulness in estimating standard errors of population parameters (MANLY 1977). In a Monte Carlo study both estimators already proved to be similarly useful in estimating standard errors of point estimates (EFRON 1981). However, there is no comparative study of the performance of the bootstrap and the jackknife method for estimating standard errors with the corresponding methods of the species richness estimators (see Chapter 5.2.3). The aim of this study is to detect the most accurate estimator of standard error for each of the selected estimators of species

    Optimising the Red Cross's patient transports using waiting strategies

    Using data on patient transports in Graz provided by the Red Cross, the application of various route-planning strategies, specifically waiting strategies, was tested. The results of these tests show which of the four waiting strategies has the greatest potential to minimise the number of vehicles and the total tour length.

    On Generating Gadget Chains for Return-Oriented Programming

    With the increased popularity of embedded devices, low-level programming languages like C and C++ are currently experiencing a strong renewed interest. However, these languages are unsafe, meaning that programming errors may lead to undefined behaviour, which, in turn, may be exploited to compromise a system's integrity. Many programs written in these languages contain such programming errors, the most infamous of which are buffer overflows. To counter this, a large range of mitigation techniques designed to hinder exploitation exists, some of which are integral parts of most major operating systems' security concept. Even the most sophisticated mitigations, however, can often be bypassed by modern exploits, which are based on the principle of code reuse: they assemble, or chain, together existing code fragments (known as gadgets) in a way that achieves malicious behaviour. This technique is currently the cornerstone of modern exploits. In this dissertation, we present ROPocop, an approach to mitigate code-reuse attacks. ROPocop is a configurable, heuristic-based detector that monitors program execution and raises an alarm if it detects suspicious behaviour. It monitors the frequency of indirect branches and the length of basic blocks, two characteristics in which code-reuse attacks differ greatly from normal program behaviour. However, like all mitigations, ROPocop has its weaknesses, and we show that it and other similar approaches can be bypassed automatically by an aware attacker. To this end, we present PSHAPE, a practical, cross-platform framework to support the construction of code-reuse exploits. It offers two distinguishing features. First, it creates concise semantic summaries for gadgets, which allow exploit developers to assess the utility of a gadget much more quickly than by going through the individual assembly instructions. Second, PSHAPE automatically composes gadgets to construct a chain of gadgets that can invoke any arbitrary function with user-supplied parameters. Invoking a function is indeed the most common goal of current exploits, as calling a function such as mprotect greatly simplifies later steps of exploitation. For a mitigation to be viable, it must detect actual attacks reliably while at the same time avoiding false positives and ensuring that protected applications remain usable, i.e., do not crash or become very slow. In the tested sample set of applications, ROPocop detects and stops all twelve real attacks with no false positives. When executed with ROPocop, real-world programs exhibit only some slight input lag at startup but otherwise remain responsive. Yet we further show how PSHAPE can be used to fully automatically create exploits that bypass various mitigations, for example ROPocop itself. We also show gadgets that PSHAPE found easily, that have great relevance in real exploits, and that previously required intense manual searches to find. Lastly, using PSHAPE, we also discovered a new and very useful gadget type that greatly simplifies gadget chaining.

    Effects of the 2002 Elbe flood on selected species groups: an introduction to the HABEX project

    The effects of extreme weather events on biodiversity are still insufficiently known. In recent years, efforts to quantify the effects of such events on species and ecosystems and to develop protection strategies have therefore increased. The BMBF-funded joint project RIVA – Robustes Indikationssystem für ökologische Veränderungen in Auen (Scholz et al. 2001, 2009, Dziock et al. 2006) provided an excellent basis for investigating the ecological effects following the extreme flood events in summer 2002 and winter 2002/2003 and the subsequent extreme drought in summer 2003. For the species groups ground beetles, molluscs and plants, the HABEX project presented here (AuenHABitate nach EXtremhochwasserereignissen am Beispiel der Mittleren Elbe: floodplain habitats after extreme flood events, using the Middle Elbe as an example) therefore offered the unique opportunity to investigate the effects of this flood, unusual in both timing and intensity, on the same sample plots by comparing their condition in the years before the flood (1998/99) and after it (2003-2006).

    Dike relocations in Saxony-Anhalt and accompanying scientific studies, using the Roßlauer Oberluch as an example

    Dike construction and other river-engineering measures have caused the Middle Elbe to lose its original floodplains. To contain the effects of the annually recurring flood events, large parts of the valley floor were cut off from flooding by dikes. These interventions in the natural environment likewise made intensive arable farming or flood-proof development of the floodplains possible. Today, natural floodplain dynamics are largely confined to a narrow strip along the Elbe. Behind the dikes, the habitats typical of the Elbe floodplains are cut off from the floodplain dynamics vital to them. Adapted floodplain species and communities are giving way to ubiquitous species. Reconnecting former floodplain areas to the flooding regime is therefore one of the most urgent measures for revitalising endangered floodplain habitats, and it offers an opportunity to combine sustainable, modern flood protection with nature-conservation goals. On the Elbe, the current flood-protection system does not meet today's requirements for flood protection. In order to be able to respond to possible major flood events at any time, numerous plans for dike relocations emerged in the early 1990s in the German states bordering the Elbe.