Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[HES2014] Applying science to eliminate 100% of...

HackitoErgoSum
April 24, 2014
Research
0
290

[HES2014] Applying science to eliminate 100% of buffer overflows by Andreas Bogk

Violation of memory safety is still a major source of vulnerabilities in everyday systems. This talk presents the state of the art in compiler instrumentation to completely eliminate such vulnerabilities in C/C++ software.

More information about Hackito Ergo Sum here : http://www.hackitoergosum.org

HackitoErgoSum

April 24, 2014
Tweet

More Decks by HackitoErgoSum

See All by HackitoErgoSum
[HES2014] Vaccinating APK’s by Milan Gabor & Danijel Grah
hackitoergosum
0
190
[HES2014] WMI Shell: A new way to get shells on remote Windows machines using only the WMI service by Andrei Dumitrescu
hackitoergosum
2
4.9k
[HES2014] LTE vs. Darwin: The Evolution Strikes Back? by Hendrik Schmidt & Brian Butterly
hackitoergosum
0
140
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phone got pwnd ! by Mathieu ‘GoToHack’ RENARD
hackitoergosum
1
250
[HES2013] Frida IRE – a tool for scriptable dynamic instrumentation in userland by Ole André Vadla Ravnås
hackitoergosum
0
250
[HES2013] Paparazzi over ip by Daniel Mende
hackitoergosum
0
64
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
hackitoergosum
0
440
[HES2013] Information Warfare: mistakes from the MoDs by Raoul “Nobody” Chiesa
hackitoergosum
0
170
[HES2013] The reality about Red October by Paul “RootBSD” Rascagneres
hackitoergosum
0
110

Other Decks in Research

See All in Research
Weekly AI Agents News! 8月号 プロダクト/ニュースのアーカイブ
masatoto
1
190
医療支援AI開発における臨床と情報学の連携を円滑に進めるために
moda0
0
110
Weekly AI Agents News! 9月号 論文のアーカイブ
masatoto
1
120
marukotenant01/tenant-20240826
marketing2024
0
510
非ガウス性と非線形性に基づく統計的因果探索
sshimizu2006
0
360
Weekly AI Agents News! 7月号 論文のアーカイブ
masatoto
1
220
Human-Informed Machine Learning Models and Interactions
hiromu1996
2
470
尺度開発における質的研究アプローチ(自主企画シンポジウム7:認知行動療法における尺度開発のこれから)
litalicolab
0
350
RSJ2024「基盤モデルの実ロボット応用」チュートリアルA(河原塚)
haraduka
3
640
LLM時代にLabは何をすべきか聞いて回った1年間
hargon24
1
490
日本語医療LLM評価ベンチマークの構築と性能分析
fta98
3
640
最近のVisual Odometryと Depth Estimation
sgk
1
270

Featured

See All Featured
Raft: Consensus for Rubyists
vanstee
136
6.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Making Projects Easy
brettharned
115
5.9k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
850
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Designing Experiences People Love
moore
138
23k

Transcript

  1. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Bug class genocide Applying science to eliminate 100%

    of buffer overflows Hackito Ergo Sum, 2014 Andreas Bogk, @andreasdotorg

  2. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The problem void foo (char* arg) { char

    some[16]; char* p = some; while (*p++ = *arg++); }

  3. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The problem: spatial memory safety void foo (char*

    arg) { char some[16]; char* p = some; while (*p++ = *arg++); }

  4. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The other problem void bar (char* arg) {

    char* p = malloc(16); free(p); while (*p++ = *arg++); free(p); }

  5. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The other problem: temporal memory safety void bar

    (char* arg) { char* p = malloc(16); free(p); while (*p++ = *arg++); free(p); }

  6. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Existing approaches • Use a safe language! •

    Mitigations: ASLR, DEP, stack canaries • Memory debugging tools: – Valgrind – gcc and llvm memory sanitizer – SAFEcode – Ccured – SafeC – Cyclone – Etc... – –

  7. TOP SECRET//HCS/SI/TK//ORCON/NOFORN A word on notation red.is­>compiler_generated(code); black.is­>user_written(code);

  8. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Object-based approach if (IsPoisoned(address)) { ReportError(address); } *address

    = ...; // or: ... = *address;

  9. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Intrastructural safety struct { char id[8]; int account_balance;

    } bank_account; char* ptr = &(bank_account.id); strcpy(ptr, "overflow...");

  10. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Pointer-based approach • Every pointer represented by three

    words: pointer value, base, bound • We call that a „fat pointer“

  11. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Meet SoftBoundCETS • Santosh Nagarakatte, Jianzhou Zhao, Milo

    M. K. Martin, Steve Zdancewic; UPenn • SoftBound: spatial safety • CETS: temporal safety • Uses disjoint fat pointers • Proof of correctness (but caveat emptor) • Implemented as LLVM optimizer pass

  12. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Meet SoftBoundCETS • Source compatibility • Complete coverage

    • Separate compilation • Low overhead

  13. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: instrumenting dereference check(ptr, ptr_base, ptr_bound, sizeof(*ptr)); value

    = *ptr;

  14. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: implementation of check void check(ptr, base, bound,

    size) { if ((ptr < base) || (ptr + size > bound)) { abort(); } }

  15. TOP SECRET//HCS/SI/TK//ORCON/NOFORN „Beware of bugs in the above code; I

    have only proved it correct, not tried it.“ – Donald E. Knuth

  16. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: correct implementation of check void check(ptr, base,

    bound, size) { if ((ptr < base) || (ptr + size > bound) || (ptr + size < ptr)) { abort(); } }

  17. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: memory allocation ptr = malloc(size); ptr_base =

    ptr; ptr_bound = ptr + size; if (ptr == NULL) ptr_bound = NULL;

  18. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: stack allocation int array[100]; ptr = &array;

    ptr_base = &array[0]; ptr_bound = ptr_base + sizeof(array);

  19. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: Pointer arithmetic newptr = ptr + index;

    // or &ptr[index] newptr_base = ptr_base; newptr_bound = ptr_bound;

  20. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: narrowing struct { ... int num; ...

    } *n; ... p = &(n­>num); p_base = max(&(n­>num), n_base); p_bound = min(p_base + sizeof(n­>num), n_bound);

  21. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: more narrowing struct { ... int arr[5];

    ... } *n; ... p = &(n­>arr[2]); p_base = max(&(n­>arr), n_base); p_bound = min(p_base + sizeof(n­>arr), n_bound);

  22. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: loading metadata int** ptr; int* new_ptr; ...

    check(ptr, ptr_base, ptr_bound,sizeof(*ptr)); newptr = *ptr; newptr_base = table_lookup(ptr)­>base; newptr_bound = table_lookup(ptr)­>bound;

  23. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: storing metadata int** ptr; int* new_ptr; ...

    check(ptr, ptr_base, ptr_bound, sizeof(*ptr)); (*ptr) = new_ptr; table_lookup(ptr)­>base = newptr_base; table_lookup(ptr)­>bound = newptr_bound; •

  24. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: augmenting function calls int func(char* s) {

    ... } int value = func(ptr); int func(char* s,void* s_base,void* s_bound) { ... } int value = func(ptr, ptr_base, ptr_bound);

  25. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: loose ends • Global variables • Separate

    compilation and library code • Memcpy() • Function pointers • Creating pointers from integers • Arbitrary casts and unions • Variable argument functions

  26. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: allocation ptr = malloc(size); ptr_key = next_key++;

    ptr_lock_addr = allocate_lock(); *(ptr_lock_addr) = ptr_key; freeable_ptrs_map.insert(ptr_key, ptr); •

  27. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: dereference check if (ptr_key != *ptr_lock_addr) {

    abort(); } value = *ptr;

  28. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: pointer arithmetic newptr = ptr + offset;

    // or &ptr[index] newptr_key = ptr_key; newptr_lock_addr = ptr_lock_addr;

  29. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: free if (freeable_ptrs_map.lookup(ptr_key) != ptr) { abort();

    } freeable_ptrs_map.remove(ptr_key); free(ptr); *(ptr_lock_addr) = INVALID_KEY; deallocate_lock(ptr_lock_addr);

  30. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: propagating metadata int** ptr; int* newptr; if

    (ptr_key != *ptr_lock_addr) { abort(); } newptr = *ptr; newptr_key = table_lookup(ptr)­>key; newptr_lock_addr = table_lookup(ptr)­>lock_addr;

  31. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: propagating metadata int** ptr; int* newptr; if

    (ptr_key != *ptr_lock_addr) { abort(); } (*ptr) = newptr; table_lookup(ptr)­>key = newptr_key; table_lookup(ptr)­>lock_addr = newptr_lock_addr;

  32. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: globals int var; // global variable ptr

    = &var; ptr_key = GLOBAL_KEY; ptr_lock_addr = GLOBAL_LOCK_ADDR;

  33. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: loose ends • Threads. Shared state is

    evil. Zalgo, etc. • Shared memory. Shared state... see above.

  34. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Own contribution • Introduced two function attributes to

    control instrumentation process • Ported SoftBoundCETS to FreeBSD • Instrumented FreeBSD libc and executable startup code • Deleted ton of now useless wrappers • Goal: build all of FreeBSD world with safe memory access • Status: PoC works!

  35. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Demo Time! • Everybody loves a good demo!

    • Sufficiently advanced technology is indistinguishable from a propery rigged demo.

  36. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Thanks and references • SoftBoundCETS: http://www.cs.rutgers.edu/~santosh.nagarakatte/softbound/ • SoftBoundCETS

    on FreeBSD: https://github.com/andreas23/freebsd/tree/softbounds • Many thanks to Hannes Mehnert for joint work on FreeBSD port • Many thanks to Santosh Nagarakatte, Milo M. K. Martin, Steve Zdancewic for answering questions and providing access to beta versions of code