Your SlideShare is downloading. ×
0
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks

538

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
538
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
17
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. RuhR-University Bochum System Security Lab Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy Ruhr-University Bochum, Germany ACM STC 2009 – 4th Annual Workshop on Scalable Trusted Computing Chicago, Illinois, USA – November 13, 2009
  • 2. RuhR-University Bochum System Security Lab Introduction ● Return-Oriented Programming (ROP) Attacks – Generalization of “return-into-libc” attacks – Change program behavior without code injection – Instead, use existing code ● NX bit doesnt help! ● Discovered for Intel CISC (CCS 2007), and generalized to RISC architecture (CCS 2008)Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 2
  • 3. RuhR-University Bochum System Security Lab ROP AttackMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 3
  • 4. RuhR-University Bochum System Security Lab How does ROP work? ● Assumption: attacker controls the stack ● Stack is overwritten with return addressesMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 4
  • 5. RuhR-University Bochum System Security Lab Properties of ROP ● Points to the middle of functions ● Typically small instruction sequences (gadgets) ● Creates unintended instructions sequences ● Example: b8 13 00 00 00 mov $0x13,%eax e9 c3 f8 ff ff jmp 3aae9Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 5
  • 6. RuhR-University Bochum System Security Lab Properties of ROP ● Points in the middle of functions ● Typically small instruction sequences (gadgets) ● Creates unintended instructions sequences ● Example: b8 13 00 00 00 mov $0x13,%eax e9 c3 f8 ff ff jmp 3aae9Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 6
  • 7. RuhR-University Bochum System Security Lab Properties of ROP ● Points in the middle of functions ● Typically small instruction sequences (gadgets) ● Creates unintended instructions sequences ● Example: b8 13 00 00 00 mov $0x13,%eax e9 c3 f8 ff ff jmp 3aae9 Code is interpreted differently! 00 00 add %al,(%eax) 00 e9 add %ch,%cl c3 retMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 7
  • 8. RuhR-University Bochum System Security Lab Our Proposal ● DynIMA: Dynamic Integrity Measurement and Attestion – Bridge gap between load-time attestation and runtime integrity monitoring – Support for wide-range of programs (e.g., no source code available) – Our focus: detection of ROP attacks ● Main idea: include runtime checks via code instrumentation before loading programsMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 8
  • 9. RuhR-University Bochum System Security Lab DynIMA ArchitectureMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 9
  • 10. RuhR-University Bochum System Security Lab Tracking Instrumentation ● We examine two approaches – Taint Tracking – Dynamic TracingMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 10
  • 11. RuhR-University Bochum System Security Lab Taint Tracking ● Dynamic taint analysis marks untrusted data as tainted and tracks its propagation ● Terminates program if tainted data is misused (e.g. as a pointer)Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 11
  • 12. RuhR-University Bochum System Security Lab Using Taint Tracking to Detect ROP ● Idea: count instructions between two rets and raise alert if less or equal 5 instructions – Observation: ROP gadgets are small (2 – 5) – We were able to detect ROP attacks – But: does this work in general? ● False positives / false negativesMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 12
  • 13. RuhR-University Bochum System Security Lab Dynamic Tracing ● Instrument code on-the-fly ● Tracing code exists only if probes are activated – Seems to be more flexible and faster ● DTrace (available on OpenSolaris, Mac OS X) – Code instrumentation and probe points configured via D programming languageMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 13
  • 14. RuhR-University Bochum System Security Lab Using DTrace ● Idea: Detect whether functions are called from beginning or in the middle ● D program:Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 14
  • 15. RuhR-University Bochum System Security Lab Using DTrace ● Idea: Detect whether functions are called from beginning or in the middle ● D program: ● However: can only detect intended returnsMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 15
  • 16. RuhR-University Bochum System Security Lab Some Recent Results ● The underlying instrumentation tool of taint analysis is faster and more powerful than DTrace: PIN ● We now use PIN directly: – On function call: memorize valid ret address – Check every instruction if it is a ret – Compare current ret if valid address (in list)Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 16
  • 17. RuhR-University Bochum System Security Lab Performance of Detection with PIN ● First results: gzip: w/o Pin: 16,49s with ROP-Detect: 24,51s bzip2: w/o Pin: 157,72s with ROP-Detect: 173,43s bunzip2: w/o Pin: 63,19s with ROP-Detect: 73,98s sha1sum: w/o Pin: 3,18s with ROP-Detect: 6,77s ● Overhead of ROP-Detect instrumentation: gzip: 48,64% bzip2: 9,96% bunzip2: 17,08 % sha1sum: 112,89 %Marcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 17
  • 18. RuhR-University Bochum System Security Lab Conclusion ● Return-Oriented Programming attacks can change runtime program behavior without code injection ● Good solution would be: – Do your coding right (no buffer overflows, etc.) – CPU modification to protect return address stack – However, not to be expected on PCs soon ● Dynamic instrumentation might help to detect ROP attacks ● Future work: – Analyze ROP detection capability – Improve performanceMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 18
  • 19. RuhR-University Bochum System Security Lab Questions? Marcel Winandy Ruhr-University Bochum marcel.winandy@trust.rub.deMarcel Winandy DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13 19

×