RuhR-University Bochum                                           System Security Lab




     Dynamic Integrity Measurement and
    Attestation: Towards Defense Against
    Return-Oriented Programming Attacks


     Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy

                      Ruhr-University Bochum, Germany




  ACM STC 2009 – 4th Annual Workshop on Scalable Trusted Computing
  Chicago, Illinois, USA – November 13, 2009

                                    Introduction
      ●   Return-Oriented Programming (ROP) Attacks
            –    Generalization of “return-into-libc” attacks
            –    Change program behavior without injecting any code
            –    Instead, reuse code that is already in the process (libc, the binary itself)
                          ●   The NX bit doesn't help: nothing is executed from a writable page!
     ●    Demonstrated on Intel x86 (CISC) at CCS 2007 and generalized to
          RISC architectures (SPARC) at CCS 2008




Marcel Winandy        DynIMA: Towards Defense Against Return-Oriented Programming 2009-11-13              2

                                ROP Attack





                  How does ROP work?
     ●   Assumption: attacker controls the stack (e.g., via a stack buffer overflow)
     ●   Stack is overwritten with a chain of return addresses, each pointing to a
         short code sequence that ends in ret; every ret pops the next address




                        Properties of ROP
     ●   Return addresses point into the middle of functions
     ●   Typically small instruction sequences (gadgets), each ending in ret
     ●   Creates unintended instruction sequences: x86 instructions have
         variable length, so decoding from a byte that is not an instruction
         boundary yields different instructions
     ●   Example (intended decoding):
         b8 13 00 00 00          mov $0x13,%eax
         e9 c3 f8 ff ff          jmp 3aae9

         Code is interpreted differently when decoding starts two bytes into
         the mov; the c3 is the first displacement byte of the jmp:
         00 00                   add %al,(%eax)
         00 e9                   add %ch,%cl
         c3                      ret
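To make the "interpreted differently" point concrete, the following added example (not from the slides or from the DynIMA code) decodes the slide's ten bytes from every offset before the c3 and reports which starting offsets yield a ret-terminated sequence, the way a gadget finder such as Galileo does. It decodes only a small x86 opcode subset, enough for these bytes and a few common instructions, and treats everything else as undecodable; that subset and the constructed input buffer are assumptions of the example.

```c
/* gadgets.c - find "unintended" ret-terminated instruction sequences in
 * x86 code bytes by decoding from offsets that are not instruction
 * boundaries (added example, not the DynIMA code). Only a small opcode
 * subset is decoded; anything else is treated as undecodable.
 * Build: cc -std=c99 -Wall -o gadgets gadgets.c && ./gadgets */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed input: the two instructions from the slide,
 *   b8 13 00 00 00   mov $0x13,%eax
 *   e9 c3 f8 ff ff   jmp 3aae9
 * The c3 (ret) at offset 6 is the first byte of the jmp's displacement. */
const uint8_t SLIDE_CODE[] = { 0xb8, 0x13, 0x00, 0x00, 0x00, 0xe9, 0xc3, 0xf8, 0xff, 0xff };

typedef struct { size_t start, ret_off; int ninsns; } gadget;

/* Length of a ModRM byte plus its SIB/displacement, or 0 if truncated. */
static int modrm_len(const uint8_t *p, size_t avail)
{
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    int len = 1;
    if (mod != 3 && rm == 4) {                        /* SIB byte follows */
        if (avail < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;    /* disp32, no base register */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                     /* disp32 only */
    }
    if (mod == 1) len += 1; else if (mod == 2) len += 4;
    return (size_t)len <= avail ? len : 0;
}

/* Length of the instruction at p for the opcode subset we know; 0 = cannot decode. */
int insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if (op <= 0x03 || op == 0x89 || op == 0x8b) {     /* add/mov with ModRM operand */
        int m = modrm_len(p + 1, avail - 1);
        return m ? 1 + m : 0;
    }
    if ((op >= 0x50 && op <= 0x5f) || op == 0x90 || op == 0xc3)   /* push/pop reg, nop, ret */
        return 1;
    if ((op >= 0xb8 && op <= 0xbf) || op == 0xe8 || op == 0xe9)   /* mov r32,imm32; call; jmp */
        return avail >= 5 ? 5 : 0;
    return 0;
}

/* Decode linearly from 'start'; return the number of instructions before
 * the ret at 'ret_off' if decoding lands exactly on it, else -1. */
int gadget_insns(const uint8_t *code, size_t len, size_t start, size_t ret_off)
{
    size_t off = start;
    int n = 0;
    while (off < ret_off) {
        int l = insn_len(code + off, len - off);
        if (l == 0 || code[off] == 0xc3) return -1;   /* undecodable, or an earlier ret */
        off += l;
        n++;
    }
    return off == ret_off ? n : -1;
}

/* Galileo-style search: for every ret byte, try each start offset up to
 * 'maxback' bytes before it. Fills 'out' and returns the number found. */
size_t find_gadgets(const uint8_t *code, size_t len, size_t maxback, gadget *out, size_t cap)
{
    size_t found = 0;
    for (size_t r = 0; r < len; r++) {
        if (code[r] != 0xc3) continue;
        size_t first = r > maxback ? r - maxback : 0;
        for (size_t s = first; s <= r && found < cap; s++) {
            int n = gadget_insns(code, len, s, r);
            if (n < 0) continue;
            out[found].start = s; out[found].ret_off = r; out[found].ninsns = n;
            found++;
        }
    }
    return found;
}

int main(void)
{
    gadget g[16];
    size_t n = find_gadgets(SLIDE_CODE, sizeof SLIDE_CODE, 6, g, 16);
    for (size_t i = 0; i < n; i++) {
        printf("gadget at offset %zu (%d insns before ret at %zu):",
               g[i].start, g[i].ninsns, g[i].ret_off);
        for (size_t k = g[i].start; k <= g[i].ret_off; k++) printf(" %02x", SLIDE_CODE[k]);
        printf("\n");
    }
    return 0;
}
```

Decoding from the intended boundary (offset 0) runs straight over the c3, so the compiler never emitted a ret here; decoding from offset 2 produces exactly the slide's add, add, ret sequence, and offsets 4 and 6 give the shorter suffixes. An attacker only needs the address of offset 2 on the stack.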



                                    Our Proposal
     ●   DynIMA: Dynamic Integrity Measurement and
         Attestation
                 –   Bridge the gap between load-time attestation and
                      runtime integrity monitoring
                 –   Works on a wide range of programs, including binaries
                      for which no source code is available
                 –   Our focus: detection of ROP attacks
     ●   Main idea: insert runtime checks by instrumenting program code
         before it is loaded



                   DynIMA Architecture





                     Tracking Instrumentation
     ●   We examine two approaches
                 –   Taint Tracking
                 –   Dynamic Tracing





                             Taint Tracking
     ●   Dynamic taint analysis marks untrusted data (e.g., network or file input)
         as tainted and tracks its propagation through the program
     ●   Terminates the program if tainted data is misused
         (e.g., as a code pointer)





       Using Taint Tracking to Detect ROP
     ●   Idea: count the instructions executed between two consecutive rets
         and raise an alert if the count is five or fewer
                 –   Observation: ROP gadgets are small (2 – 5 instructions)
                 –   We were able to detect ROP attacks
                 –   But: does this work in general?
                           ●   False positives (short legitimate functions) /
                               false negatives (longer gadgets)





                               Dynamic Tracing
     ●   Instrument code on the fly
     ●   Tracing code is only present while probes are enabled
                 –   Seems to be more flexible and faster than taint tracking
     ●   DTrace (available on OpenSolaris, Mac OS X)
                 –   Code instrumentation and probe points are
                      configured via the D programming language





                              Using DTrace
     ●   Idea: Detect whether functions are entered at their
         beginning or somewhere in the middle
     ●   D program:




     ●   However: DTrace's probes fire only at the intended function entries
         and returns, so the unintended ret instructions that gadgets use
         are not observed

                        Some Recent Results
     ●   The dynamic binary instrumentation framework underneath the taint
         analysis tool, Intel's PIN, is faster and more powerful than DTrace
     ●   We now use PIN directly:
                 –   On each call: record the valid return address
                 –   Check every executed instruction for a ret
                 –   On a ret: compare its target against the recorded
                      valid addresses (in a list)
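The two detection rules, the gadget-length heuristic from the taint-tracking slide and the record-at-call, compare-at-ret check from this slide, run here over a constructed instruction trace. This is an added example, not DynIMA's Pin tool: the event format, the two traces and their addresses are assumptions for illustration, and the recorded return addresses are kept in LIFO order (a shadow stack), which is stricter than the list of valid addresses the slide mentions.

```c
/* rop_detect.c - two ROP detectors from the DynIMA slides applied to a
 * constructed instruction trace (added example, not the DynIMA Pin tool).
 * Build: cc -std=c99 -Wall -o rop_detect rop_detect.c && ./rop_detect */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef enum { EV_INSN, EV_CALL, EV_RET } ev_kind;

/* One retired instruction. For EV_CALL, addr is the return address the
 * call pushes; for EV_RET, addr is the address the ret actually jumps to. */
typedef struct { ev_kind kind; uint32_t addr; } event;

typedef struct {
    int heuristic_alerts; /* rets reached after <= threshold instructions (slide 12 rule) */
    int shadow_alerts;    /* rets whose target is not the recorded return address (slide 16 rule) */
} verdict;

#define SHADOW_MAX 64
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
#define INSN {EV_INSN, 0}

verdict run_detectors(const event *tr, size_t n, int threshold)
{
    verdict v = {0, 0};
    uint32_t shadow[SHADOW_MAX];   /* return addresses recorded at call time */
    int top = 0;
    int since_ret = 0;             /* instructions executed since the last ret */

    for (size_t i = 0; i < n; i++) {
        switch (tr[i].kind) {
        case EV_INSN:
            since_ret++;
            break;
        case EV_CALL:
            since_ret++;
            if (top < SHADOW_MAX)
                shadow[top++] = tr[i].addr;      /* memorize the valid return address */
            break;
        case EV_RET:
            /* Heuristic: gadgets are short, so a ret arriving after only a
             * few instructions is suspicious. */
            if (since_ret <= threshold)
                v.heuristic_alerts++;
            since_ret = 0;
            /* Shadow check: the ret must go back to the address recorded by
             * the matching call. An empty shadow stack or a mismatch means
             * the return address on the real stack was replaced. */
            if (top == 0 || shadow[--top] != tr[i].addr)
                v.shadow_alerts++;
            break;
        }
    }
    return v;
}

/* Constructed benign trace: two ordinary functions, then a two-instruction
 * leaf function (a getter), which is exactly what trips the length heuristic. */
const event BENIGN_TRACE[] = {
    {EV_CALL, 0x1010}, INSN, INSN, INSN, INSN, INSN, INSN, INSN, INSN, {EV_RET, 0x1010},
    INSN, INSN, INSN,
    {EV_CALL, 0x1030}, INSN, INSN, INSN, INSN, INSN, INSN, INSN, {EV_RET, 0x1030},
    INSN,
    {EV_CALL, 0x1050}, INSN, INSN, {EV_RET, 0x1050},
};

/* Constructed ROP trace: the first function's return address was overwritten,
 * so its ret lands in gadget 1, whose ret lands in gadget 2, and so on. */
const event ROP_TRACE[] = {
    {EV_CALL, 0x1010}, INSN, INSN, INSN, INSN, INSN, INSN, INSN, INSN, {EV_RET, 0x2000},
    INSN, INSN, {EV_RET, 0x2100},   /* gadget 1: two instructions, then ret */
    INSN, {EV_RET, 0x2200},         /* gadget 2: one instruction, then ret */
};

int main(void)
{
    verdict b = run_detectors(BENIGN_TRACE, LEN(BENIGN_TRACE), 5);
    verdict r = run_detectors(ROP_TRACE, LEN(ROP_TRACE), 5);
    printf("benign: heuristic alerts=%d shadow alerts=%d\n", b.heuristic_alerts, b.shadow_alerts);
    printf("rop:    heuristic alerts=%d shadow alerts=%d\n", r.heuristic_alerts, r.shadow_alerts);
    return 0;
}
```

On the benign trace the heuristic raises one false positive (the short leaf function) while the shadow check stays silent; on the ROP trace the heuristic misses the hijacked ret itself, because nine instructions ran before it, and only flags the two short gadgets that follow, whereas the shadow check flags all three returns.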





         Performance of Detection with PIN
     ●   First results (run time in seconds, native vs. under Pin with the
         ROP-Detect tool, and the resulting overhead):
         Program       w/o Pin     with ROP-Detect     Overhead
         gzip          16.49 s         24.51 s          48.64 %
         bzip2        157.72 s        173.43 s           9.96 %
         bunzip2       63.19 s         73.98 s          17.08 %
         sha1sum        3.18 s          6.77 s         112.89 %




                                       Conclusion
     ●   Return-Oriented Programming attacks change runtime program
         behavior without injecting any code
     ●   Better solutions would be:
                 –   Do your coding right (no buffer overflows, etc.)
                 –   CPU support for a protected return-address stack
                 –   However, neither is to be expected on PCs soon
     ●   Dynamic instrumentation can help to detect ROP attacks
     ●   Future work:
                 –   Analyze the detection capability (false positives / negatives)
                 –   Improve performance


                                Questions?


                                   Marcel Winandy
                            Ruhr-University Bochum
                           marcel.winandy@trust.rub.de



