Information Leaks Without Memory Disclosures: Remote Side ...

Information Leaks Without Memory Disclosures: Remote Side ...

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Sderstrm Presented by Samuel Suddath Introduction Problem: detailed knowledge of code layout is required to execute a code reuse attack, such as what code is in memory, and where in memory the code is located.

In order to provide security, systems diversify code to make such attacks harder: having an element of randomness or change to where code is located, or even what code is used. These techniques rely on the assumption that since the attacker cannot read the code in memory, then he cannot know what code is there nor where it is located, resulting in the attacker not being able to reliably exploit the code. Two answers: Entropy Attacks and Memory Disclosure Vulnerabilities Entropy Attacks

Are brute force attacks Attempt to exploit diversification techniques that do not introduce enough randomness Will eventually allow the hacker to guess how code has been diversified Countered by diversification techniques with high degrees of complexity and randomness Memory Disclosure Vulnerabilities Allow a hacker to read contents of memory directly and dynamically during runtime

Allows a hacker to know exactly how code has been diversified without guessing Requires finding two specialized vulnerabilities: read and writing to unintended memory. Code Diversification Methods Address Space Layout Randomization (ASLR) -base address of stack, heap, and libraries are randomized Replace instructions with other equivalent ones Virtual Machine that tracks the order instructions are executed, then fetches and decodes them as necessary.

Insert NOP instructions randomly into compiler emitted code Randomize order of instructions in code Side Channel Attacks on Cryptography Timing- execution time can be used to infer a secret key Fault Analysis- faults can be induced which corrupt memory and allow the secret key to be inferred through analyzing output Cache- Cache hits and misses can leak information about execution time and allow cryptographic keys to be inferred Physical- there are many attacks that can only be performed

when the hacker has physical access to the target machine, where the hacker uses various physical information streams(power usage, sound output, EM field) to discern the secret key. How They Work Hackers choose either a memory address and attempt to locate the gadget there, or choose a gadget and attempt to find its location Hackers must be able to receive feedback, either through a network or through a scripting environment.

If gadgets can be accessed, they can be used to build an info-leak attack Most exploits require code that handles crashes by restarting, as invalid memory access faults are caused often by the attack Fault Analysis Attacks Works by sending a payload, receiving the result of the execution, and then interpret the return. The repeated execution of this attack can be used to reveal where the executed code is located.

Types: Overwrite Data: overwrite data used as an index to determine where in memory code is located Overwrite Data Pointer: overwrite a data pointer so that a computation is done on a specific memory location, revealing where and what changes have been made to code. Overwrite Code Pointer: overwrite a code pointer to cause a computation resulting in a result that could be distinct to a single piece of code. Timing Attacks

Start a timer, send the payload, receive a signal upon completion of execution, stop the timer. The timing can reveal information about the code. Types: Crafted Input: similar to timing attacks in cryptography, sends specific series of inputs to execute different code paths Overwrite Data: allows the hacker to modify certain variables to execute specific pieces of code. Overwrite Data Pointer: overwrite a data pointer to reveal memory contents through a timed execution Overwrite Code Pointer: control flow is manipulated by

overwriting code pointers like return addresses and function pointers. Effectiveness USS uncertainty set size Determining the location of distinct gadgets using byte sequences like 0x00 and 0xff Return Locations- knowing these locations allow the hacker to determine which function they are exploiting Output can be used to determine what was executed using fault analysis and timing analysis.

Timing is most likely accessible to the hacker, and while it doesnt provide as much information as other attacks, can still identify executed functions. Uses of Side Channels Most commonly used as a stepping stone to other attacks, providing information on executed functions and memory locations making other attacks possible. Once gadget locations have been found using side channels, those gadgets can be used to find others in Libc

Defenses Complete Memory Safety Re-randomizing pages during execution Data Space Randomization Instruction Set Randomization Insertion of dead code that does not modify execution time Normalizing every measurement to be the same, preventing timing exploits from leaking data.

Recently Viewed Presentations

  • CMPUT603 - Fall 2005 Topic1: Common Abbreviations +

    CMPUT603 - Fall 2005 Topic1: Common Abbreviations +

    CMPUT603 - Fall 2005 Topic1: Common Abbreviations + Writing Pet Peeves José Nelson Amaral et al. http://www.cs.ualberta.ca/~c603
  • Section 01: Standards and Lesson Planning Florida Department

    Section 01: Standards and Lesson Planning Florida Department

    Florida Department of Education Standards and Instructional Support. http://www.fldoe.org/academics/standards/ English Language Arts Florida Standards (LAFS) by Grade ...
  • Diapositiva 1 - St Leonard's College

    Diapositiva 1 - St Leonard's College

    As its name suggest mixed land use activities. The Oldest Suburbs in Melbourne. Located within the tram Zone of Melbourne. Just outside the CBD. Zone of Transition - area of great change. High Density Developments
  • Dynamics of Signaling

    Dynamics of Signaling

    We started by asking whether it is possible for meaning to emerge spontaneously. Here it seems almost necessary for signaling to evolve. Is this result robust? ... Then the Markov chain is ergodic. Small Mutation Limit. Study the proportion of...
  • Legal, Ethical, Safety and Security issues affecting ICT

    Legal, Ethical, Safety and Security issues affecting ICT

    Legal, Ethical, Safety and Security issues affecting ICT. This learning outcome is all about how legal, ethical, safety and security issues affect how computers should be used. All businesses use computers today for many different reasons and because of this...
  • Slide 0

    Slide 0

    Maintaining a short-term liquidity balance is key under any of these approaches. Basic Approach: Keep all cash in short-term investments such as bank deposits or the NCCMT. Pros: Liquidity. Limited time commitment. Low cost. Cons: Invested on short-end of the...
  • Multiculturalism in BC

    Multiculturalism in BC

    Multiculturalism in BC. ... Immigration Act. Even though the chinese worked for us they weren't allowed to vote, they were segregated, and in 1885 the Immigration act put a head tax on each chinese person immigrating into Canada. First $50,...
  • Think - Pair - Share

    Think - Pair - Share

    beyond viewable text and a teacher speaking (e.g., text in digital files that could be read aloud, online resources, audio, video, pictures, charts) b. ... Intended to complement other 'Look-Fors' schools may use (e.g. Skillful Teaching).