Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[HES2014] Applying science to eliminate 100% of...

HackitoErgoSum
April 24, 2014
Research
0
290

[HES2014] Applying science to eliminate 100% of buffer overflows by Andreas Bogk

Violation of memory safety is still a major source of vulnerabilities in everyday systems. This talk presents the state of the art in compiler instrumentation to completely eliminate such vulnerabilities in C/C++ software.

More information about Hackito Ergo Sum here : http://www.hackitoergosum.org

HackitoErgoSum

April 24, 2014
Tweet

More Decks by HackitoErgoSum

See All by HackitoErgoSum
[HES2014] Vaccinating APK’s by Milan Gabor & Danijel Grah
hackitoergosum
0
190
[HES2014] WMI Shell: A new way to get shells on remote Windows machines using only the WMI service by Andrei Dumitrescu
hackitoergosum
2
4.9k
[HES2014] LTE vs. Darwin: The Evolution Strikes Back? by Hendrik Schmidt & Brian Butterly
hackitoergosum
0
130
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phone got pwnd ! by Mathieu ‘GoToHack’ RENARD
hackitoergosum
1
240
[HES2013] Frida IRE – a tool for scriptable dynamic instrumentation in userland by Ole André Vadla Ravnås
hackitoergosum
0
250
[HES2013] Paparazzi over ip by Daniel Mende
hackitoergosum
0
64
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
hackitoergosum
0
430
[HES2013] Information Warfare: mistakes from the MoDs by Raoul “Nobody” Chiesa
hackitoergosum
0
170
[HES2013] The reality about Red October by Paul “RootBSD” Rascagneres
hackitoergosum
0
110

Other Decks in Research

See All in Research
Physics of Language Models: Part 3.1, Knowledge Storage and Extraction
sosk
1
930
[第62回NLPコロキウム]「なりきり」を促すHCI設計:対話型接客ロボットの遠隔操作者へのリアルタイム変換音声フィードバックの適用
nami_ogawa
0
300
クラウドソーシングによる学習データ作成と品質管理(セキュリティキャンプ2024全国大会D2講義資料)
takumi1001
0
260
医療分野におけるLLMの現状と応用可能性について
kento1109
11
3.5k
Inside Phishing Groups: Trust No One
0x1shu
0
110
Language is primarily a tool for communication rather than thought
ryou0634
4
720
RSJ2024「基盤モデルの実ロボット応用」チュートリアルA(河原塚)
haraduka
2
620
LLM based AI Agents Overview -What, Why, How-
masatoto
2
600
3次元点群の分類における評価指標について
kentaitakura
0
360
MIRU2024_招待講演_RALF_in_CVPR2024
udonda
1
330
尺度開発における質的研究アプローチ(自主企画シンポジウム7:認知行動療法における尺度開発のこれから)
litalicolab
0
320
Weekly AI Agents News! 10月号 論文のアーカイブ
masatoto
1
160

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
327
21k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
Visualization
eitanlees
145
15k
Writing Fast Ruby
sferik
626
61k
Side Projects
sachag
452
42k
A Philosophy of Restraint
colly
203
16k
Git: the NoSQL Database
bkeepers
PRO
426
64k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Designing for humans not robots
tammielis
249
25k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Code Review Best Practice
trishagee
64
17k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
680

Transcript

  1. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Bug class genocide Applying science to eliminate 100%

    of buffer overflows Hackito Ergo Sum, 2014 Andreas Bogk, @andreasdotorg

  2. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The problem void foo (char* arg) { char

    some[16]; char* p = some; while (*p++ = *arg++); }

  3. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The problem: spatial memory safety void foo (char*

    arg) { char some[16]; char* p = some; while (*p++ = *arg++); }

  4. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The other problem void bar (char* arg) {

    char* p = malloc(16); free(p); while (*p++ = *arg++); free(p); }

  5. TOP SECRET//HCS/SI/TK//ORCON/NOFORN The other problem: temporal memory safety void bar

    (char* arg) { char* p = malloc(16); free(p); while (*p++ = *arg++); free(p); }

  6. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Existing approaches • Use a safe language! •

    Mitigations: ASLR, DEP, stack canaries • Memory debugging tools: – Valgrind – gcc and llvm memory sanitizer – SAFEcode – Ccured – SafeC – Cyclone – Etc... – –

  7. TOP SECRET//HCS/SI/TK//ORCON/NOFORN A word on notation red.is­>compiler_generated(code); black.is­>user_written(code);

  8. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Object-based approach if (IsPoisoned(address)) { ReportError(address); } *address

    = ...; // or: ... = *address;

  9. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Intrastructural safety struct { char id[8]; int account_balance;

    } bank_account; char* ptr = &(bank_account.id); strcpy(ptr, "overflow...");

  10. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Pointer-based approach • Every pointer represented by three

    words: pointer value, base, bound • We call that a „fat pointer“

  11. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Meet SoftBoundCETS • Santosh Nagarakatte, Jianzhou Zhao, Milo

    M. K. Martin, Steve Zdancewic; UPenn • SoftBound: spatial safety • CETS: temporal safety • Uses disjoint fat pointers • Proof of correctness (but caveat emptor) • Implemented as LLVM optimizer pass

  12. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Meet SoftBoundCETS • Source compatibility • Complete coverage

    • Separate compilation • Low overhead

  13. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: instrumenting dereference check(ptr, ptr_base, ptr_bound, sizeof(*ptr)); value

    = *ptr;

  14. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: implementation of check void check(ptr, base, bound,

    size) { if ((ptr < base) || (ptr + size > bound)) { abort(); } }

  15. TOP SECRET//HCS/SI/TK//ORCON/NOFORN „Beware of bugs in the above code; I

    have only proved it correct, not tried it.“ – Donald E. Knuth

  16. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: correct implementation of check void check(ptr, base,

    bound, size) { if ((ptr < base) || (ptr + size > bound) || (ptr + size < ptr)) { abort(); } }

  17. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: memory allocation ptr = malloc(size); ptr_base =

    ptr; ptr_bound = ptr + size; if (ptr == NULL) ptr_bound = NULL;

  18. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: stack allocation int array[100]; ptr = &array;

    ptr_base = &array[0]; ptr_bound = ptr_base + sizeof(array);

  19. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: Pointer arithmetic newptr = ptr + index;

    // or &ptr[index] newptr_base = ptr_base; newptr_bound = ptr_bound;

  20. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: narrowing struct { ... int num; ...

    } *n; ... p = &(n­>num); p_base = max(&(n­>num), n_base); p_bound = min(p_base + sizeof(n­>num), n_bound);

  21. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: more narrowing struct { ... int arr[5];

    ... } *n; ... p = &(n­>arr[2]); p_base = max(&(n­>arr), n_base); p_bound = min(p_base + sizeof(n­>arr), n_bound);

  22. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: loading metadata int** ptr; int* new_ptr; ...

    check(ptr, ptr_base, ptr_bound,sizeof(*ptr)); newptr = *ptr; newptr_base = table_lookup(ptr)­>base; newptr_bound = table_lookup(ptr)­>bound;

  23. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: storing metadata int** ptr; int* new_ptr; ...

    check(ptr, ptr_base, ptr_bound, sizeof(*ptr)); (*ptr) = new_ptr; table_lookup(ptr)­>base = newptr_base; table_lookup(ptr)­>bound = newptr_bound; •

  24. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: augmenting function calls int func(char* s) {

    ... } int value = func(ptr); int func(char* s,void* s_base,void* s_bound) { ... } int value = func(ptr, ptr_base, ptr_bound);

  25. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Spatial: loose ends • Global variables • Separate

    compilation and library code • Memcpy() • Function pointers • Creating pointers from integers • Arbitrary casts and unions • Variable argument functions

  26. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: allocation ptr = malloc(size); ptr_key = next_key++;

    ptr_lock_addr = allocate_lock(); *(ptr_lock_addr) = ptr_key; freeable_ptrs_map.insert(ptr_key, ptr); •

  27. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: dereference check if (ptr_key != *ptr_lock_addr) {

    abort(); } value = *ptr;

  28. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: pointer arithmetic newptr = ptr + offset;

    // or &ptr[index] newptr_key = ptr_key; newptr_lock_addr = ptr_lock_addr;

  29. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: free if (freeable_ptrs_map.lookup(ptr_key) != ptr) { abort();

    } freeable_ptrs_map.remove(ptr_key); free(ptr); *(ptr_lock_addr) = INVALID_KEY; deallocate_lock(ptr_lock_addr);

  30. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: propagating metadata int** ptr; int* newptr; if

    (ptr_key != *ptr_lock_addr) { abort(); } newptr = *ptr; newptr_key = table_lookup(ptr)­>key; newptr_lock_addr = table_lookup(ptr)­>lock_addr;

  31. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: propagating metadata int** ptr; int* newptr; if

    (ptr_key != *ptr_lock_addr) { abort(); } (*ptr) = newptr; table_lookup(ptr)­>key = newptr_key; table_lookup(ptr)­>lock_addr = newptr_lock_addr;

  32. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: globals int var; // global variable ptr

    = &var; ptr_key = GLOBAL_KEY; ptr_lock_addr = GLOBAL_LOCK_ADDR;

  33. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Temporal: loose ends • Threads. Shared state is

    evil. Zalgo, etc. • Shared memory. Shared state... see above.

  34. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Own contribution • Introduced two function attributes to

    control instrumentation process • Ported SoftBoundCETS to FreeBSD • Instrumented FreeBSD libc and executable startup code • Deleted ton of now useless wrappers • Goal: build all of FreeBSD world with safe memory access • Status: PoC works!

  35. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Demo Time! • Everybody loves a good demo!

    • Sufficiently advanced technology is indistinguishable from a propery rigged demo.

  36. TOP SECRET//HCS/SI/TK//ORCON/NOFORN Thanks and references • SoftBoundCETS: http://www.cs.rutgers.edu/~santosh.nagarakatte/softbound/ • SoftBoundCETS

    on FreeBSD: https://github.com/andreas23/freebsd/tree/softbounds • Many thanks to Hannes Mehnert for joint work on FreeBSD port • Many thanks to Santosh Nagarakatte, Milo M. K. Martin, Steve Zdancewic for answering questions and providing access to beta versions of code