20 research outputs found
Return-Oriented Programming on RISC-V
This paper provides the first analysis on the feasibility of Return-Oriented
Programming (ROP) on RISC-V, a new instruction set architecture targeting
embedded systems. We show the existence of a new class of gadgets, using
several Linear Code Sequences And Jumps (LCSAJ), undetected by current
Galileo-based ROP gadget searching tools. We argue that this class of gadgets
is rich enough on RISC-V to mount complex ROP attacks, bypassing traditional
mitigation like DEP, ASLR, stack canaries, G-Free, as well as some
compiler-based backward-edge CFI, by jumping over any guard inserted by a
compiler to protect indirect jump instructions. We provide examples of such
gadgets, as well as a proof-of-concept ROP chain, using C code injection to
leverage a privilege escalation attack on two standard Linux operating systems.
Additionally, we discuss some of the required mitigations to prevent such
attacks and provide a new ROP gadget finder algorithm that handles this new
class of gadgets.Comment: 27 pages, 8 figures, originally published at AsiaCCS 202
MicroWalk: A Framework for Finding Side Channels in Binaries
Microarchitectural side channels expose unprotected software to information
leakage attacks where a software adversary is able to track runtime behavior of
a benign process and steal secrets such as cryptographic keys. As suggested by
incremental software patches for the RSA algorithm against variants of
side-channel attacks within different versions of cryptographic libraries,
protecting security-critical algorithms against side channels is an intricate
task. Software protections avoid leakages by operating in constant time with a
uniform resource usage pattern independent of the processed secret. In this
respect, automated testing and verification of software binaries for
leakage-free behavior is of importance, particularly when the source code is
not available. In this work, we propose a novel technique based on Dynamic
Binary Instrumentation and Mutual Information Analysis to efficiently locate
and quantify memory based and control-flow based microarchitectural leakages.
We develop a software framework named \tool~for side-channel analysis of
binaries which can be extended to support new classes of leakage. For the first
time, by utilizing \tool, we perform rigorous leakage analysis of two
widely-used closed-source cryptographic libraries: \emph{Intel IPP} and
\emph{Microsoft CNG}. We analyze different cryptographic implementations
consisting of million instructions in about minutes of CPU time. By
locating previously unknown leakages in hardened implementations, our results
suggest that \tool~can efficiently find microarchitectural leakages in software
binaries
Analogy-Making as a Core Primitive in the Software Engineering Toolbox
An analogy is an identification of structural similarities and
correspondences between two objects. Computational models of analogy making
have been studied extensively in the field of cognitive science to better
understand high-level human cognition. For instance, Melanie Mitchell and
Douglas Hofstadter sought to better understand high-level perception by
developing the Copycat algorithm for completing analogies between letter
sequences. In this paper, we argue that analogy making should be seen as a core
primitive in software engineering. We motivate this argument by showing how
complex software engineering problems such as program understanding and
source-code transformation learning can be reduced to an instance of the
analogy-making problem. We demonstrate this idea using Sifter, a new
analogy-making algorithm suitable for software engineering applications that
adapts and extends ideas from Copycat. In particular, Sifter reduces
analogy-making to searching for a sequence of update rule applications. Sifter
uses a novel representation for mathematical structures capable of effectively
representing the wide variety of information embedded in software. We conclude
by listing major areas of future work for Sifter and analogy-making in software
engineering.Comment: Conference paper at SPLASH 'Onward!' 2020. Code is available at
https://github.com/95616ARG/sifte
CyberChallenge.IT@Unige: Ethical Hacking for Young Talents
We present our experience as educators of small groups of students interested in cybersecurity and ethical hacking. Since 2018 we have been involved in a national cybersecurity training program whose primary goal is bringing talented young students to this field and lessen the gap between the available workforce and what the market demands. The training model exploits gamification principles, and our students apply their knowledge and skills in online competitions, playing in virtual arenas. These provide lawful environments to experiment with cybersecurity vulnerabilities, attacks, and defenses freely and legally. In this paper we first describe the national program we are involved in, and then we detail the activities taken at our university, with a special emphasis on this year edition that, due to the COVID-19 restrictions, is currently running entirely online
Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus
Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable. Through a detailed analysis of this new Zeus variant, we demonstrate the high resilience of state of the art peer-to-peer botnets in general, and of peer-to-peer Zeus in particular
Now You See Me: Real-time Dynamic Function Call Detection
International audienc
NetCAT: Practical cache attacks from the network
Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input