1 / 11

Compilers and Application Security

Compilers and Application Security. CSS 548 Dan Chock. Overview. What are some ways that compilers can affect application security ? Improving Application Security Checking for and preventing potential vulnerabilities Additional Effects on Security

ilar
Download Presentation

Compilers and Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Compilers and Application Security CSS 548 Dan Chock

  2. Overview • What are some ways that compilers can affect application security? • Improving Application Security • Checking for and preventing potential vulnerabilities • Additional Effects on Security • Understanding compiler optimization for binary obfuscation • Reducing Application Security • Compiler vulnerabilities and backdoors

  3. Improving Application Security • More Secure Code • Preventing stack buffer overflow exploitation via canaries “Anatomy of a Stack Smashing Attack and How GCC Prevents It”, Dr. Dobbs, Oliver Mueller, June 19, 2012

  4. Improving Application Security • GCC Options • -fstack-protector; -fstack-protector-all • Adds a guard variable (aka canary) to functions that are initialized when a function is entered and checked when exited. If a guard check fails the program exits. • Visual Studio Switches • /GS • Shadowing to protect class member definitions, stack data reordering to protect function pointers

  5. Improving Application Security • /sdl– Superset of /GS, expands scope and treats select security warnings as errors “Compiler Security Enhancements in Visual Studio 11”, SDL Team, MSDN, Dec. 2, 2011

  6. Additional Effects On Security • Binary Obfuscation • volatilekeyword “Binary Obfuscation from the Top Down”, Sean Taylor

  7. Binary Obfuscation • volatilekeyword “Binary Obfuscation from the Top Down”, Sean Taylor

  8. Reducing Application Security • Compiler Vulnerabilities • Insecure Compiler Optimization • Improperly removing sensitive data from memory • Dead store removal - code that is used to overwrite memory is removed by the compiler • Compiler backdoors • Modifying compiler to recognize specific code while compiling and include a backdoor in the output • Ken Thompson - “Reflections on Trusting Trust” describes modified C compiler that would backdoor the login command to accept backdoor password

  9. Specialized Compilers and Security • Compiler/hardware approaches to embedded systems security [1] • Secure compiler inserts hidden code into the compiled code that is validated during run-time by hardware • Security-preserving compiler for distributed programs [2] • Four stages: slicing, control flow protection (to keep track of state), replication (implement distributed program variables as local replicas), and cryptography (insert crypto operations to protect variable changes)

  10. Additional References: • [1] “Performance Study of a Compiler/Hardware Approach to Embedded Systems Security”, Kripashankar Mohan, BhagiNarahari, Rahul Simha, Paul Ott1,Alok Choudhary, and Joe Zambreno • [2] “A Security-Preserving Compiler for Distributed Programs From Information-Flow Policies to Cryptographic Mechanisms”, CédricFournet, Gurvan Le Guernic, Tamara Rezk

  11. Questions?

More Related