ASurveyonRuntimeSmashedStackDetection课件

ASurveyonRuntimeSmashedStackDetectionBackgroundnVulnerabilitybecomesSeriousSocialProblemsVulnerabilitybecomesSeriousSocialProblemsex)nMorrisWormonUNIXin1988nCodeRedonWindowsin2001nNimdaonWindowsin2001nRootDNSAttackin2002CERT/CCAdvisoriesDominant Attacksare caused byBuffer OverflowBuffer OverflowBufferOverflowAttacknStackSmashingAttackStackSmashingAttackCommonmodeofbufferoverflowattackforhijackingsystemcontrolnHijackProcessHijackProcess1.InjecttheattackcodenAllapplicationsarereadyforinjection2.ForcetheprocesstoexecutetheinjectedcodenStackbufferoverflowvulnerabilityallowmaliciousinputtooverwritethereturnaddressandtosnatchtheexecutionflowText Area(program)Data AreaStack AreaMalicious CodeStackSmashingAttack(1)nProgramStructureofClikelanguagesProgramStructureofClikelanguagesint main(int argc,char*argv)calc_something(x,y);show_something();return 0;void calc(int n)void calc_something(int x,int y)calc(x);StackSmashingAttack(2)nFlowControlDataFlowControlDataint main(int argc,char*argv)calc_something(x,y);return 0;void calc(int n)void calc_something(int x,int y)calc(x);First In Last Out Buffermain:line ncalc_something:line mStackSmashingAttack(3)nLocalVariablesLocalVariablesAllocatedinFILObufferunifiedwithflowcontroldatavoid calc(int n)int a,b;char buffer1024;foo();bar();return addresschar buffer1024;int b;int a;Local Variablesofcalc()Stack Frameofcalc()StackSmashingAttack(4)nInjectionsandHijacksInjectionsandHijacksreturn addresschar buffer1024;int b;int a;malicious codeoverwritten by buffer overflowas buffer1024,buffer10270 x046424Malicious Code0 x046424Approaches(1)nSoftwareApproachesSoftwareApproachesNovelsecureprogramlanguagesorperfectprogramswithoutbugsCompilerapproacheswithoutfixingeachsourceprogramnStaticAnalysisAFirstStepTowardsAutomatedDetectionofBufferOverrunVulnerabilities“pointer”cannotbeanalyzedperfectlynRuntimeDetectionLibSafe(LibVerify)wrapperlibraryStackGuardStackShieldProPoliceApproaches(2)nHardwareApproachesHardwareApproachesNon-ExecPagesnNonExecutableUserStackvsreturn-into-libcattacksignalhandlingnNonExecutableDataPagesmodifieddynamicloadermodifiedjust-in-time(JIT)compilerSecureReturnAddressStack(SRAS)nArchitectureSupportforDefendingAgainstBufferOverflowAttacksnAProcessorArchitectureDefenseagainstBufferOverflowAttacksSecureCachenACacheArchitecturetoPreventMaliciousCodeExecutionsSecureReturnAddressStack(1)nConceptConceptReturn-Address-Stack(RAS)nimplementedatfetchorissuestageonmodernprocessorsPentium,Alpha,SPARC,POWERnmonitortheinstructionswhichmean“call”and“return”call:pushcurrentprogramcountertotheRASreturn:popanaddressfromtheRASnforimprovementofexecutionpathpredictionbutRASisnotperfectlymatchedwiththerealcallstackspeculativeupdatewithbranchpredictionRAStableoverflowDetectmismatchesbetweenRASandStackinformationnraiseexceptionSecureReturnAddressStack(2)nImprovementImprovementImplementanotherRASatcommitstagenavoidspeculativeupdateTableoptimizationnoverflowhandlingsmainmemorywithhardwareorOSsupportnenoughsizeforthemajority64entryinthecaseofSPEC2000SecureReturnAddressStack(3)nNon-FILOControlFlowOperationProblemsNon-FILOControlFlowOperationProblemssetjmp/longjmpFunctionsC+ExceptionsMultiThreadingTailRecursion(handmadeeccentricassemblylanguageprograms!)ntheseareoftenhistoricalandcritical:-)nProblem&SolutionProblem&SolutionthesecodesaccessandmodifythecallstackdirectlyncausemismatchesbetweenRASandStackinformationwecannottreatthesecodestransparentlywithSRASapproachnspecialinstructionsras_pushandsras_poparerequiredforstackoperationSecureCache(1)nConceptConceptDuplicateCache-linesasread-onlyReplica-linesDetectreturnaddressmismatchesbetweenCache-linesandReplica-linesreturn addressCache LineReplica Linereturn addressmalicious datamismatchSecureCache(2)nAdvantagesAdvantagesEfficientspaceswithoutswapTransparentsupportforNon-FILOControlFlowOperationsnDisadvantageDisadvantageDetectionisnotperfectnLosereplicainformationoncachelinereplacementCommercialImplementsnNXBit/ExecuteDisableBitNXBit/ExecuteDisableBitAMD-Opteron/Athlon64Intel-Itanium/Pentium4Transmeta-EfficeonnSmartMIPSASESmartMIPSASESecureMemorySpacesInterpretedLanguageAccelerationCryptographyAccelerationnSecureCore(ARM)SecureCore(ARM)MemoryProtectionUnitJazelleTechnologyCryptographyAccelerationnTrustZone(ARM)TrustZone(ARM)programsmarkedastrustedrunwithhighlevelprivilegeandcanaccessdatainsecurezoneConclusionnStackSmashingAttacksisimportantsecurityproblemStackSmashingAttacksisimportantsecurityproblemnHardwareapproachesachievemoretransparentwayHardwareapproachesachievemoretransparentwaywithoutmodificationsofapplicationsnRealizationoftruetransparentdetectionisdifficultRealizationoftruetransparentdetectionisdifficultNon-FILOControlFlowOperationProblemsnsetjmp/longjmpFunctionsnC+ExceptionsnMultiThreadingnTailRecursionButcoolideamightrealizesufficientlytransparentdetection