david evans http www cs virginia edu evans n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
David Evans http://www.cs.virginia.edu/evans PowerPoint Presentation
Download Presentation
David Evans http://www.cs.virginia.edu/evans

Loading in 2 Seconds...

play fullscreen
1 / 25

David Evans http://www.cs.virginia.edu/evans - PowerPoint PPT Presentation


  • 260 Views
  • Uploaded on

Lecture 20: Hair Dryer Attacks. David Evans http://www.cs.virginia.edu/evans. Image from www.clean-funny.com, GoldenBlue LLC. CS201j: Engineering Software University of Virginia Computer Science. Menu. Array Subtyping Java Security Review Violating Type Safety with a Hair Dryer.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'David Evans http://www.cs.virginia.edu/evans' - hamlin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
david evans http www cs virginia edu evans

Lecture 20:

Hair Dryer Attacks

David Evans

http://www.cs.virginia.edu/evans

Image from www.clean-funny.com, GoldenBlue LLC.

CS201j: Engineering Software

University of Virginia

Computer Science

slide2
Menu
  • Array Subtyping
  • Java Security Review
  • Violating Type Safety with a Hair Dryer

CS 201J Fall 2003

subtyping and arrays
Subtyping and Arrays

If B <= A, should B[] <= A []?

CS 201J Fall 2003

array subtyping
Array Subtyping

static public Object getFirst (Object [] els) throws NoSuchElementException {

if (els == null || els.length == 0) {

throw new NoSuchElementException ();

} else {

return els[0];

}

}

static public void main (String args[]) {

try {

Object o = getFirst (args);

System.err.println ("The first parameter is: " + o);

} catch (NoSuchElementException e) {

System.err.println ("There are no parameters!");

}

}

CS 201J Fall 2003

array store
Array Store

static public void setFirst (Object [] els) throws NoSuchElementException {

if (els == null || els.length == 0) {

throw new NoSuchElementException ();

} else {

els[0] = new Object ();

}

}

> javac TestArrays.java

> java TestArrays test

The first parameter is: test

Exception in thread "main" java.lang.ArrayStoreException

at TestArrays.setFirst(TestArrays.java:16)

at TestArrays.main(TestArrays.java:25)

static public void main (String args[]) {

try {

Object o = getFirst (args);

System.err.println ("The first parameter is: " + o);

setFirst (args);

} catch (NoSuchElementException e) {

System.err.println ("There are no parameters!");

}

}

CS 201J Fall 2003

esc java and array stores
ESC/Java and Array Stores

> escjava TestArrays.java

ESC/Java version 1.2.4, 27 September 2001

TestArrays ...

TestArrays: getFirst(java.lang.Object[]) ...

[0.199 s] passed

TestArrays: setFirst(java.lang.Object[]) ...

------------------------------------------------------------------------

TestArrays.java:16: Warning: Type of right-hand side possibly not a subtype of array element type (ArrayStore)

els[0] = new Object ();

CS 201J Fall 2003

slide7
Java
  • Type checking: B <= A B[] <= A[]
  • Need a run-time check for every array store (to an array where the actual element type is not known)
  • Better rule: no inference of array subtypes

CS 201J Fall 2003

java security
Java Security

CS 201J Fall 2003

slide9

Joe User

Java

javac

Compiler

malcode.java

malcode.class

JVML

Trusted Computing Base

Java Bytecode Verifier

Invalid

“Okay”

STOP

JavaVM

CS 201J Fall 2003

bytecode verifier
Bytecode Verifier
  • Checks JVML code satisfies safety properties
    • Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once
    • After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores)

Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.

CS 201J Fall 2003

violating the assumption
Violating the Assumption

// The object on top of the stack is a SimObject

astore_0

// There is a SimObject in location 0

aload_0

// The value on top of the stack is a SimObject

If a cosmic ray hits the right bit of memory, between the store and load, the assumption might be wrong.

CS 201J Fall 2003

improving the odds
Improving the Odds
  • Set up memory so that a single bit error is likely to be exploitable
  • Mistreat the hardware memory to increase the odds that bits will flip

Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.

CS 201J Fall 2003

making bit flips useful
Making Bit Flips Useful

Fill up memory with Filler objects, and one Pointee object:

class Filler { class Pointee {

Pointee a1; Pointee a1;

Pointee a2; Pointee a2;

Pointee a3; Filler f;

Pointee a4; int b;

Pointee a5; Pointee a5;

Pointee a6; Pointee a6;

Pointee a7; Pointee a7;

} }

CS 201J Fall 2003

filling up memory

a1

Filling Up Memory

a2

a3

a4

Filler Object

a5

a6

Pointee p = new Pointee ();

Vector fillers = new Vector ();

try {

while (true) {

Filler f = new Filler ();

f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p;

fillers.add (f);

}

} catch (OutOfMemoryException e) { ; }

a7

a1

a2

f

Pointee Object

b

a5

a6

a7

a1

Filler Object

a2

a3

CS 201J Fall 2003

a4

a5

a6

a7

wait for a bit flip

a1

Wait for a bit flip…

a2

a3

a4

Filler Object

  • Remember: there are lots of Filler objects (fill up all of memory)
  • If a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object

a5

a6

a7

a1

a2

f

Pointee Object

b

a5

a6

a7

a1

Filler Object

a2

a3

CS 201J Fall 2003

a4

a5

a6

a7

type violation

a1

Type Violation

a2

a3

a4

Filler Object

After the bit flip, the

value of f.a2 is a

Filler object, but

f.a2 was declared

as a Pointee object!

a5

a6

a7

a1

a2

f

Pointee Object

b

a5

a6

a7

Can we exploit this?

a1

Filler Object

a2

a3

CS 201J Fall 2003

a4

a5

a6

a7

finding the bit flip

Pointee p = new Pointee ();

Vector fillers = new Vector ();

try {

while (true) {

Filler f = new Filler ();

f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p;

fillers.add (f);

}

} catch (OutOfMemoryException e) { ; }

Finding the Bit Flip

while (true) {

for (Enumeration e = fillers.elements ();

e.hasMoreElements () ; ) {

Filler f = (Filler) e.nextElement ();

if (f.a1 != p) { // bit flipped!

} else if (f.a2 != p) {

}

}

CS 201J Fall 2003

violating type safety

class Filler { class Pointee {

Pointee a1; Pointee a1;

Pointee a2; Pointee a2;

Pointee a3; Filler f;

Pointee a4; int b;

Pointee a5; Pointee a5;

Pointee a6; Pointee a6;

Pointee a7; Pointee a7;

} }

Violating Type Safety

Filler f = (Filler) e.nextElement ();

if (f.a1 != p) { // bit flipped!

Object r = f.a1; //

Filler fr = (Filler) r; // Cast is checked at run-time

Declared Type

f.a1 Pointee

f.a1.b int

fr == f.a1 Filler

fr.a4 == f.a1.b Pointee

CS 201J Fall 2003

violating type safety1

class Filler { class Pointee {

Pointee a1; Pointee a1;

Pointee a2; Pointee a2;

Pointee a3; Filler f;

Pointee a4; int b;

Pointee a5; Pointee a5;

Pointee a6; Pointee a6;

Pointee a7; Pointee a7;

} }

Violating Type Safety

Filler f = (Filler) e.nextElement ();

if (f.a1 != p) { // bit flipped!

Object r = f.a1; //

Filler fr = (Filler) r; // Cast is checked at run-time

f.a1.b = 69473248; // Address of bank balance object

fr.a4.a1 = p.a5; // Set it to a new value

CS 201J Fall 2003

violating type safety2

class Filler { class Pointee {

Pointee a1; Pointee a1;

Pointee a2; Pointee a2;

Pointee a3; Filler f;

Pointee a4; int b;

Pointee a5; Pointee a5;

Pointee a6; Pointee a6;

Pointee a7; Pointee a7;

} }

Violating Type Safety

Filler f = (Filler) e.nextElement ();

if (f.a1 != p) { // bit flipped!

Object r = f.a1; //

Filler fr = (Filler) r; // Cast is checked at run-time

f.a1.b = 1524383; // Address of the SecurityManager

fr.a4.a1 = null; // Set it to a null

// Do whatever you want! There’s no security policy now…

new File (“C:\thesis.doc”).delete ();

CS 201J Fall 2003

getting a bit flip
Getting a Bit Flip
  • Wait for a Cosmic Ray
    • You have to be really, really patient… (or move machine out of Earth’s atmosphere)
  • X-Rays
    • Expensive, not enough power to generate bit-flip
  • High energy protons and neutrons
    • Work great - but, you need a particle accelerator
  • Hmm….

CS 201J Fall 2003

slide22

Using Heat

  • 50-watt spotlight bulb
  • Between 80°-100°C, memory starts to have a few failures
  • Attack applet is successful (at least half the time)!
  • Hairdryer works too, but it fries too many bits at once

Picture from Sudhakar Govindavajhala

CS 201J Fall 2003

should anyone be worried
Should Anyone be Worried?

Java virtual machine

CS 201J Fall 2003

recap
Recap
  • Verifier assumes the value you write is the same value when you read it
  • By flipping bits, we can violate this assumption
  • By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types
  • By violating type safety, we can get around all other security measures
  • For details, see paper linked from notes

CS 201J Fall 2003

charge problem set 6
Charge: Problem Set 6
  • Violate type safety to steal an election
  • No need to open up ITC machines to try to heat up memory
    • Please don’t try this in lab (but try it at home if you want)
  • Instead, use java –noverify to get around type checking: allows byte codes to run without verifying them

CS 201J Fall 2003