1 / 74

Software Security: Defenses

Learn about software security defenses, including stack canaries, non-executable pages, return-oriented programming, and more. Find out how to reason about memory safety and the correct use of preconditions and postconditions in code.

alecc
Download Presentation

Software Security: Defenses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Security:Defenses Happy SF Pride! https://inst.eecs.berkeley.edu/~cs161/su19/feedback

  2. Announcements...

  3. It isn't just the stack...

  4. Compiler Operation:Compiling Object Oriented Code class Foo { int i, j, k; public virtual void bar(){ ... } public virtual void baz(){ ... } .... vtable ptr (class Foo) i j k ptr to Foo::bar ptr to Foo::baz ... ...

  5. So Targets ForOverwriting...

  6. Magic Numbers & Exploitation…

  7. ETERNALBLUE(screen)

  8. One defense:Don't Use C or C++

  9. But Suppose You Don’t WantTo? What Then?

  10. Stack Canaries… Saved Return Addr Saved Frame Ptr 🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦 data... data... data... data... aoeu

  11. How To (Not) Kill the Canary…

  12. And Canary Entropy…

  13. Non-Executable Pages

  14. Return Oriented Programming...

  15. W^X is Somewhat Ubiquitous As Well:Playing games with the page table...

  16. Address Space Layout Randomization

  17. These Defenses-In-Depth in Practice...

  18. Reasoning AboutMemory Safety

  19. Reasoning About Safety

  20. int deref(int *p) { return *p; } Precondition?

  21. /* requires: p != NULL (and p a valid pointer) */ int deref(int *p) { return *p; } Precondition: what needs to hold for function to operate correctly. Needs to be expressed in a way that a person writing code to call the function knows how to evaluate.

  22. void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); } return p; } Postcondition?

  23. /* ensures: retval != NULL(and a valid pointer)*/ void *mymalloc(size_t n) { void *p = malloc(n); if (!p) { perror("malloc"); exit(1); } return p; } Postcondition: what the function promises will hold upon its return. Likewise, expressed in a way that a person using the call in their code knows how to make use of.

  24. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } Precondition?

  25. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function

  26. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } General correctness proof strategy for memory safety: Identify each point of memory access? Write down precondition it requires Propagate requirement up to beginning of function

  27. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += a[i]; return total; } General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function

  28. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* ?? */ total += a[i]; return total; } General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires? Propagate requirement up to beginning of function

  29. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a != NULL && 0 <= i && i < size(a) */ total += a[i]; return total; } size(X) = number of elements allocated for region pointed to by Xsize(NULL) = 0 This is an abstract notion, not something built into C (like sizeof). General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function

  30. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a != NULL && 0 <= i && i < size(a) */ total += a[i]; return total; } General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function?

  31. int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: a != NULL && 0 <= i && i < size(a) */ total += a[i]; return total; } Let’s simplify, given that a never changes.

  32. /* requires: a != NULL */int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; }

  33. /* requires: a != NULL */int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; } General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function?

  34. /* requires: a != NULL */int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; } ? General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function?

  35. /* requires: a != NULL */int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; } ✓ General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function?

  36. /* requires: a != NULL */int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: 0 <= i && i < size(a) */ total += a[i]; return total; } ✓ The 0 <= i part is clear, so let’s focus for now on the rest.

  37. /* requires: a != NULL */int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: i < size(a) */ total += a[i]; return total; }

  38. /* requires: a != NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* requires: i < size(a) */ total += a[i]; return total; } ? General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function?

  39. /* requires: a != NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; } ? General correctness proof strategy for memory safety: Identify each point of memory access Write down precondition it requires Propagate requirement up to beginning of function?

  40. /* requires: a != NULL */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; } ? How to prove our candidate invariant? n <= size(a) is straightforward because n never changes.

  41. /* requires: a != NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; }

  42. /* requires: a != NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; } ? What about i < n ?

  43. /* requires: a != NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; } ? What about i < n ? That follows from the loop condition.

  44. /* requires: a != NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; } At this point we know the proposed invariant will always hold...

  45. /* requires: a != NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant?: i < n && n <= size(a) */ /* requires: i < size(a) */ total += a[i]; return total; } … and we’re done!

  46. /* requires: a != NULL && n <= size(a) */ int sum(int a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) /* invariant: a != NULL && 0 <= i && i < n && n <= size(a) */ total += a[i]; return total; } A more complicated loop might need us to use induction: Base case: first entrance into loop. Induction: show that postcondition of last statement of loop, plus loop test condition, implies invariant.

  47. int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; }

  48. /* requires: a != NULL && size(a) >= n && ??? */ int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; }

  49. /* requires: a != NULL && size(a) >= n && for all j in 0..n-1, a[j] != NULL */ int sumderef(int *a[], size_t n) { int total = 0; for (size_t i=0; i<n; i++) total += *(a[i]); return total; } This may still be memory safe but it can still have undefined behavior!

  50. char *tbl[N]; /* N > 0, has type int */ int hash(char *s) { int h = 17; while (*s) h = 257*h + (*s++) + 3; return h % N; } bool search(char *s) { int i = hash(s); return tbl[i] && (strcmp(tbl[i], s)==0); }

More Related