Department of Electrical & Computer Engineering EC 700 Hardware and Systems Security Prof. Michel A. Kinsy Application level attacks: Code injection, Buffer Overflow, Control-Flow Hijacking

Jun 10, 2020

Transcript
Page 1: Title slide

Department of Electrical & Computer Engineering

EC 700 Hardware and Systems Security

Prof. Michel A. Kinsy

Application level attacks: Code injection, Buffer Overflow, Control-Flow Hijacking

Page 2: Legacy of the Von Neumann Architecture

§ Stored-program computer architecture
• Conceptualized in 1945 by John Von Neumann
• A computer architecture where both data and instructions would be stored in memory
§ It was radical then!
§ There are now inherent security issues due to the architecture itself

Figure: Von Neumann machine block diagram (Control, Arithmetic, Memory)

Page 3: Harvard Architecture

Figure: Harvard single-cycle datapath with a PC feeding a separate Inst. Memory, a Data Memory (addr, wdata, rdata, we), GPRs (rs1, rs2, ws, wd, rd1, rd2, we), an ALU, immediate select and a write-back mux (ALU / Mem); control signals WBSel, Op2Sel, ImmSel, ALUControl, RegWrite, MemWrite; PC + 0x4 adder

§ What are its inherent security (good or bad) implications?

Page 4: Harvard Architecture

Figure: the same Harvard datapath as Page 3, with the Inst. Memory and Data Memory highlighted

§ What are its inherent security (good or bad) implications?

Two separate memory modules

Page 5: Princeton Microarchitecture

Figure: Princeton multi-cycle datapath with one Memory (addr, wdata, rdata, we) whose address is chosen by an AddrSel mux; IR (IRen), PC (PCen, PCSel), GPRs (rs1, rs2, ws, wd, rd1, rd2, we, RegDst), ImmSelect, ALU, Br Logic; control signals RegWrite, Op2Sel, WBSel, ALUControl, MemWrite; the fetch phase reads instructions from the same memory that loads and stores use

Page 6: Princeton Microarchitecture

Figure: the same Princeton datapath as Page 5, with the shared memory highlighted

Single memory module

Page 7: Current Memory System Hierarchy

§ Today's memory organization is really a hybrid of the Harvard and Princeton architectures

Figure: CPU with a multi-ported register file (RF, part of CPU); split L1 Instruction Cache and L1 Data Cache (primary caches, on-chip SRAM); a large Unified L2 Cache (secondary cache, on-chip SRAM); multiple interleaved memory banks (off-chip DRAM)

Page 8: Hardware Multithreading

§ Beyond the memory organization and its security implications, security issues are further exacerbated by hardware multithreading

Figure: multithreaded pipeline (Fetch, Decode/Map, Queue, RegRead, Execute, Dcache/StoreBuffer, RegWrite, Retire) with per-thread PCs, Register Maps and register files sharing one Icache and Dcache

Page 9: Programming Model

§ The underlying programming model does not help either
§ In the mid 50's, the programmer's view of the machine was inseparable from the actual hardware implementation

Figure: Hardware View

Page 10: Programming Model

§ Over time the programmer's view and the hardware implementation diverged
§ Programmer visible state of the processor (and memory) plays a central role in computer organization for both hardware and software
§ Software must make efficient use of it
§ Programmer's machine model is a contract between the hardware and software

Figure: Hardware View and Programmer's View

Page 11: Application Compiling Process

§ Providing that layer of abstraction

Figure: compiler pipeline. Input: Source Program (C, C++, etc.) → Scanner (lexical analysis) → Parser (syntax analysis) → Semantic Analysis (IC generator) → Code Optimizer → Code Generator → Output: Target Program (MIPS, x86, etc.). A Symbols & Attributes Table is shared by all phases and error messages are emitted along the way. Scanner, parser and semantic analysis are language-focused transformations (high-level language side); optimizer and code generator are architecture-focused transformations (target language side).

Page 12: Procedure Environment

§ Activations and Allocations

Figure: memory holding a Common Area, then the activation record of the main program, the activation record of S1, the activation record of S2, etc. Each activation record contains space for local variables, space for passed parameters, the return address, and temporary space for expression evaluation.

Page 13: Stack-Based Environments

§ Environment management is more dynamic
§ Since procedures have no fixed locations for their activations, an environment pointer (ep) is used to track the current activation
§ Activations are in a stack; the pointer to the previous activation record is called the control link or dynamic link

void foo(void) { ... }

void bar(void) { ... foo(); }

void main(void) { ... bar(); }

Page 14: Stack-Based Environments

§ With the execution of main

Figure: stack holding the activation record of the main program (ep points to it), with free space above it

(same foo / bar / main code as Page 13)

Page 15: Stack-Based Environments

§ After bar is called

Figure: stack holding the activation record of the main program, then the activation record of bar() whose control link points back to main's record; ep now points to bar's record, with free space above it

Page 16: Stack-Based Environments

§ Finally with the call of foo

Figure: stack holding the activation record of the main program, the activation record of bar() (control link to main's record), and the activation record of foo() (control link to bar's record); ep now points to foo's record, with free space above it

Page 17: Program memory management

Figure: process memory layout, from lower addresses to higher addresses:
Text Segment [Program code] - Fixed Size
Data Segment [Initialized global and static variables] - Fixed Size
BSS Segment [Uninitialized global and static variables] - Fixed Size
Heap Segment [Dynamic variables managed by malloc(), free(), etc.] - Variable Size
Free space (between the heap and the top of the stack)
Stack Segment [Stack frames consisting of parameters, return addresses and local variables] - Variable Size; the bottom of the stack is at the higher addresses

Page 18: The Address Translation Scheme

Figure: translation flow. Virtual Address → TLB Lookup. Hit → Protection Check. Miss → Page Table Walk: if the page is not in memory → Page Fault (OS loads page); if the page is in memory → Update TLB → Protection Check. Protection Check: denied → Protection Fault; permitted → Physical Address (to cache). Legend: TLB lookup and protection check are hardware, the page table walk is hardware or software, page-fault handling is software. Segment Fault: Where?

§ The address translation apparatus represents another major attack surface
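The flow on this slide, as an added example that is not part of the lecture: a toy C model of the translation path (TLB lookup, page-table walk, page fault, protection check). The 4 KiB page size, the page-table contents, the permission encoding and the four-slot round-robin TLB are all constructed for illustration; the point is to see on which path each of the three faults arises and that the protection check runs on hits as well as misses.

```c
/* Added example (not from the slides): toy address translation model.
 * Page size, table contents and permission encoding are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define PAGE_SHIFT 12                      /* 4 KiB pages (constructed) */
#define NPAGES 8                           /* virtual pages covered by the table */
#define TLB_SLOTS 4

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

typedef enum { XLATE_OK, XLATE_PAGE_FAULT, XLATE_PROTECTION_FAULT, XLATE_SEGMENT_FAULT } xlate_result;

typedef struct {
    bool valid;        /* a mapping exists at all (otherwise: segment fault) */
    bool present;      /* the page is in memory (otherwise: page fault, OS loads page) */
    unsigned perms;    /* PERM_* bits */
    uint32_t pfn;      /* physical frame number */
} page_entry;

typedef struct { bool valid; uint32_t vpn; page_entry pte; } tlb_entry;

static tlb_entry tlb[TLB_SLOTS];
static unsigned tlb_next;                  /* round-robin replacement */
static unsigned tlb_hits, tlb_misses;      /* exposed so callers can see which path was taken */

/* Constructed page table: code page (r-x), data page (rw-), read-only page,
 * a page that is mapped but swapped out; every other page is unmapped. */
static page_entry page_table[NPAGES] = {
    [0] = { true, true,  PERM_R | PERM_X, 0x100 },
    [1] = { true, true,  PERM_R | PERM_W, 0x101 },
    [2] = { true, true,  PERM_R,          0x102 },
    [3] = { true, false, PERM_R | PERM_W, 0x000 },
};

static void tlb_update(uint32_t vpn, page_entry pte)
{
    tlb[tlb_next] = (tlb_entry){ true, vpn, pte };
    tlb_next = (tlb_next + 1) % TLB_SLOTS;
}

/* Translate vaddr for an access of type perm (one PERM_* bit).
 * On XLATE_OK the physical address is written to *paddr. */
xlate_result translate(uint32_t vaddr, unsigned perm, uint32_t *paddr)
{
    uint32_t vpn = vaddr >> PAGE_SHIFT, off = vaddr & ((1u << PAGE_SHIFT) - 1);
    page_entry pte = {0};
    bool hit = false;

    for (unsigned i = 0; i < TLB_SLOTS; i++) {
        if (tlb[i].valid && tlb[i].vpn == vpn) { pte = tlb[i].pte; hit = true; break; }
    }
    if (hit) {
        tlb_hits++;
    } else {                               /* miss: page table walk */
        tlb_misses++;
        if (vpn >= NPAGES || !page_table[vpn].valid) return XLATE_SEGMENT_FAULT;
        pte = page_table[vpn];
        if (!pte.present) return XLATE_PAGE_FAULT;   /* the OS would load the page here */
        tlb_update(vpn, pte);
    }
    /* the protection check happens on every access, hit or miss */
    if ((pte.perms & perm) == 0) return XLATE_PROTECTION_FAULT;
    *paddr = (pte.pfn << PAGE_SHIFT) | off;
    return XLATE_OK;
}

unsigned tlb_hit_count(void) { return tlb_hits; }
unsigned tlb_miss_count(void) { return tlb_misses; }

int main(void)
{
    uint32_t pa;
    static const char *names[] = { "ok", "page fault", "protection fault", "segment fault" };
    printf("read  0x1010: %s\n", names[translate(0x1010, PERM_R, &pa)]);
    printf("write 0x2010: %s\n", names[translate(0x2010, PERM_W, &pa)]);   /* read-only page */
    printf("exec  0x1010: %s\n", names[translate(0x1010, PERM_X, &pa)]);   /* data page, no X */
    printf("read  0x3000: %s\n", names[translate(0x3000, PERM_R, &pa)]);   /* not present */
    printf("read  0x7000: %s\n", names[translate(0x7000, PERM_R, &pa)]);   /* unmapped */
    return 0;
}
```

The "exec 0x1010" case is the W⊕X policy that later slides assume: a page with PERM_W but not PERM_X cannot be fetched from, so injected code that lands in writable data cannot be executed unless the permission bits themselves are changed.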

Page 19: Instruction Types

§ We will channel the RISC-V ISA here
§ Register-to-Register Arithmetic and Logical operations
§ Control Instructions alter the sequential control flow
§ Memory Instructions move data to and from memory
§ CSR Instructions move data between CSRs and GPRs; the instructions often perform read-modify-write operations on CSRs
§ Privileged Instructions are needed by the operating systems, and most cannot be executed by user programs

Page 20: Attack Formalism

§ An attack has three components
• Channel
  § Delivery mechanism
• Entry
  § Bug or vulnerability or even feature exploitation
  § Binary vulnerabilities
    • Stack overflow
    • Heap overflow
    • Null pointer dereference
• Payload
  § The actual attack function
  § E.g., get the Instruction Pointer to point to an attacker-specified procedure

Page 21: Code Injection

§ Code injection can be used by an attacker to introduce (or "inject") code into another program to change the flow of the execution and to execute their own dedicated malicious code
§ There are many types of code injection schemes
• SQL injection
• Script injection
• Shell injection
• OS command injection

Page 22: Buffer Overflow

§ There can be overflow on both
§ The stack
§ The heap

void bar(char *str) {
    char array[256];
    strcpy(array, str);   /* no bounds check: copies until the NUL in str */
    foo(array);
}

If *str is, let us say, 512 bytes long, then after strcpy the return address of the function bar may be overwritten

Page 23: Buffer Overflow

§ There can be overflow on both
§ The stack
§ The heap
§ Many C functions like strcpy(char *dest, const char *src) are unsafe, and their advertised safe versions, like strncpy(), are not either
§ strncpy() may leave the buffer unterminated
§ Should be replaced by
§ strncpy(dest, src, sizeof(dest)-1); dest[sizeof(dest)-1] = '\0';
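The strncpy-plus-terminator idiom from this slide, wrapped into a reusable bounded copy, as an added example that is not from the lecture. The function name safe_copy, the 256-byte bar_bounded() variant of the slide's bar() and the 512-byte input are constructed; the example also reports whether truncation occurred, which bare strncpy() never tells the caller.

```c
/* Added example (not from the slides): a bounded copy that always
 * NUL-terminates, built on the strncpy idiom the slide recommends.
 * Function names and buffer sizes are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Copy src into dst (capacity dst_size bytes), truncating if needed.
 * Returns true when src fit completely, false when it was truncated.
 * Unlike bare strncpy(), dst is NUL-terminated on every path. */
bool safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) {
        return false;               /* nowhere to put even the terminator */
    }
    /* strncpy copies at most dst_size-1 bytes and zero-pads when src is
     * shorter; it does NOT terminate when src is longer. */
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';       /* the slide's fix: force termination */
    return strlen(src) < dst_size;  /* did the whole string fit? */
}

/* The slide's bar() with the bounded copy. sizeof(array) is right here
 * because array is a true array; on a char * parameter it would be the
 * pointer size, which is the classic misuse of the sizeof(dest) idiom. */
size_t bar_bounded(const char *str)
{
    char array[256];
    safe_copy(array, sizeof(array), str);
    return strlen(array);           /* at most 255, never past the buffer */
}

/* Constructed input: 512 'A' bytes, the overflow case from the slide. */
size_t demo_long_input(void)
{
    char big[513];
    memset(big, 'A', 512);
    big[512] = '\0';
    return bar_bounded(big);
}

int main(void)
{
    char out[8];
    printf("short fits: %d -> \"%s\"\n", safe_copy(out, sizeof out, "abc"), out);
    printf("long truncated: %d -> \"%s\"\n", safe_copy(out, sizeof out, "0123456789"), out);
    printf("512-byte input stored as %zu bytes\n", demo_long_input());
    return 0;
}
```

Two caveats worth keeping in mind: strncpy() zero-fills the remainder of dst on every call, which is wasted work for large buffers (snprintf(dst, dst_size, "%s", src) avoids it and also terminates), and silent truncation is itself a bug class when the truncated string is later used as a path or command, so callers should check the return value rather than ignore it.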

Page 24: Buffer Overflow

§ Example attack steps are
• Inject attack code into buffer
• Overflow return address
• Redirect control flow to attack code
• Execute attack code
§ Buffer overflow and return-to-libc exploits need to know the (virtual) address to which to pass control
§ Use of Address Space Layout Randomization as protection
§ Arrange the positions of key data areas randomly in a process' address space

Page 25: Buffer Overflow

§ Function pointer overwritten
• Overflowing function pointer
• Harder to defend than return-address overflow attacks
§ Smashing the Stack
• Overflow the stack so that it overwrites the return address
• When the function finishes, it will return to whatever address/value is written on the stack
• A specific return/new address can be written to the stack, paired with code to perform the hijack

Page 26: Buffer Overflow

§ Non-executable stacks
§ Can prevent many stack-based attacks
§ But cannot guard against return-to-libc attacks
§ Or protect against heap and function pointer overflows
§ Canaries
§ Insert canaries in stack frames and verify their integrity during function returns
§ Have a canary for each frame and make it as random as possible to make it hard for the attacker to guess or learn
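The canary mechanism on this slide, modelled in plain C as an added example that is not part of the lecture: a frame is laid out as buffer, canary, saved return address; the "body" copies an attacker-length run of bytes into the buffer with no bounds check; the "epilogue" re-reads the canary and refuses to return if it changed. The frame layout, the 256-byte buffer size, the fallback canary constant and the fake return address are constructed; make_canary() reads /dev/urandom where available to show the "as random as possible" requirement, and clears the low byte as a terminator so a string copy stops at it.

```c
/* Added example (not from the slides): a model of a stack frame with a
 * canary, showing how an oversized copy corrupts the canary before it can
 * reach the return address, and how the epilogue check catches it.
 * Frame layout, sizes and the "return address" value are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define BUF_SIZE 256                            /* the slide's 256-byte local array */
#define CANARY_OFF BUF_SIZE                     /* canary sits right above the buffer */
#define RET_OFF (BUF_SIZE + sizeof(uint64_t))   /* saved return address above it */
#define FRAME_SIZE (RET_OFF + sizeof(uint64_t))

/* Per-process canary: random bytes with the low byte forced to 0x00 so that a
 * strcpy-style overflow (which stops at NUL) cannot copy it through intact.
 * Reads /dev/urandom when available; the fallback is a constructed constant. */
uint64_t make_canary(void)
{
    uint64_t c = 0x5A7E1234DEADBE00ULL;         /* fallback, illustration only */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) {
        if (fread(&c, sizeof c, 1, f) != 1) { c = 0x5A7E1234DEADBE00ULL; }
        fclose(f);
    }
    return c & ~(uint64_t)0xFF;                 /* terminator byte */
}

/* Simulate one call: the prologue stores the canary, the body copies
 * input_len bytes of 'A' into the buffer with no bounds check, the epilogue
 * re-checks the canary. Returns true when the canary is intact (safe to
 * return) and false when it was corrupted (abort instead of returning). */
bool frame_survives(uint64_t canary, size_t input_len)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t ret = 0x401000;                    /* constructed "return address" */
    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);
    memcpy(frame + RET_OFF, &ret, sizeof ret);

    /* unbounded copy, clipped to the frame only so the model itself stays defined */
    size_t n = input_len < FRAME_SIZE ? input_len : FRAME_SIZE;
    memset(frame, 'A', n);

    uint64_t now;
    memcpy(&now, frame + CANARY_OFF, sizeof now);
    return now == canary;                       /* false: the __stack_chk_fail path */
}

/* Did the same copy reach the saved return address? (for the printout) */
bool ret_clobbered(size_t input_len)
{
    return input_len > RET_OFF;
}

int main(void)
{
    uint64_t c = make_canary();
    size_t lens[] = { 100, 256, 260, 300 };
    for (size_t i = 0; i < 4; i++) {
        printf("%zu-byte input: canary %s, return address %s\n", lens[i],
               frame_survives(c, lens[i]) ? "intact" : "CORRUPTED",
               ret_clobbered(lens[i]) ? "overwritten" : "untouched");
    }
    return 0;
}
```

Note what the 260-byte case shows: the canary is corrupted before the return address is, so the check fires even though the copy never reached ret. It also shows the limit the slide states: anything stored below the canary, such as a function pointer or another local in the same frame, can still be overwritten without the canary noticing, which is why canaries do not cover function-pointer or heap overflows.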

Page 27: Execution Control Flow Transfers

§ Change the control flow of a program in a specific way, conditionally or unconditionally
§ Direct transfer: Target is encoded as an immediate offset in the instruction itself
§ Indirect transfer: Target depends on the runtime value of a register or memory reference
§ Some of these control flow transfers are
§ Exceptions
§ Direct or conditional jumps or function calls
§ Indirect jumps or calls
§ Return instructions

Page 28: Control-Flow Graph (CFG)

int x, y, z;
x = z - 2;
y = z * 2;
if (x > y) {
    y = y * (-1);
} else {
    x = x + 100;
}
z = x + y;

Figure: CFG of the code above. B1: x = z - 2; y = z * 2; if (x > y). T edge to B2: y = y * (-1). F edge to B3: x = x + 100. B2 and B3 both flow to B4: z = x + y.

§ CFG represents the control-flow execution of a program:
§ Nodes are basic blocks
§ Edges are possible flow control between blocks
§ Each block can have multiple incoming/outgoing edges

Page 29: Control-Flow Hijacking

§ Takes control over the victim by overwriting sensitive data structures to modify the control flow of a program
§ Considered one of the most dangerous classes of security attacks
§ Exploits software vulnerabilities directly without asking for user actions
§ Used as a basic building block to propagate between victim machines

Page 30: Control-Flow Hijacking

§ Tries to control an indirect control-flow transfer instruction in the vulnerable program
§ Function pointers
§ Return addresses
§ Often leads to code-reuse and code-injection attacks
§ Buffer overflow
§ Return-to-libc
§ Return-oriented programming (ROP)

Page 31: Buffer Overflow

#include <string.h>

void foo(char *str) {
    char buffer[16];
    strcpy(buffer, str);   /* deliberately unbounded: 255 bytes land in a 16-byte buffer */
}

int main(void) {
    char large_str[256];
    int i;
    for (i = 0; i < 255; i++) {
        large_str[i] = 'A';
    }
    large_str[255] = '\0';  /* terminator, so strcpy stops after 255 bytes */
    foo(large_str);
    return 0;
}

Figure: stack layout of foo's frame, from higher to lower addresses: *str (the 256-byte argument), ret (return address), saved ebp, buffer (16 bytes)

Page 32: Buffer Overflow

(same foo / main code as Page 31)

Figure: the same stack after strcpy. The 16-byte buffer, the saved ebp, the return address and the words above them are all overwritten with 0x41414141... ('A' repeated); the 256-byte source is shown beside the 16-byte destination

Page 33: Control-Flow Integrity (CFI)

§ Ensures the validity of the control-flow graph (CFG) intended by the programmer
§ Inserts checks before control-flow instructions to allow only valid targets
§ Problem: Hard to adopt in real-world applications
• Requires a complete and precise CFG of the protected application
• Hinders incremental deployment in real systems
• Results in high performance overhead

Page 34: Compact Control Flow Integrity and Randomization (CCFIR)

§ Resolves CFI limitations
§ Focuses on protecting targets of indirect jump/call and return instructions

C. Zhang et al., "Practical Control Flow Integrity and Randomization for Binary Executables," 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 559-573.

Page 35: Compact Control Flow Integrity and Randomization (CCFIR)

§ Resolves CFI limitations
§ Focuses on protecting targets of indirect jump/call and return instructions
§ Introduces the "Springboard" section
• Is attached to each legitimate module
• Collects legal targets of indirect instructions
• Randomizes the order of collected targets (Springboard stubs) at load-time

Page 36: CCFIR Assumptions

§ The system already has Address Space Layout Randomization (ASLR) and W⊕X protection
§ No self-modifying code
§ Limited information disclosure vulnerabilities are available to attackers

(citation as on Page 34)

Page 37: Springboard Section

Figure: the Original Module's Code Section contains blocks 1 to 6. In the Hardened Module the indirect-transfer targets 3 and 4 are reached through stubs 3' and 4' placed in the Springboard Section; direct transfers between the other blocks are unchanged.

Springboard stub classification:
• Function pointer stubs
• Return address stubs for normal functions
• Return address stubs for sensitive functions (e.g. system() in libc)

Page 38: CCFIR Enforcements

§ Indirect calls and jumps can only jump to function pointer stubs in the Springboard
§ Return instructions in normal functions can only jump to normal return address stubs in the Springboard, but not sensitive return address stubs
§ Return instructions in sensitive functions can jump to any return address stubs in the Springboard
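A software model of the three rules on this slide, and of the generic CFI check from Page 33 ("checks before control-flow instructions to allow only valid targets"), as an added example; it is neither the lecture's code nor CCFIR's implementation, which rewrites binaries rather than consulting a table. The transfer-source and stub-class enumerations, the registry of legal targets and the sample handler functions are constructed. An indirect call is dispatched only when its target is a registered function-pointer stub, so a pointer overwritten to point elsewhere is refused before it is followed.

```c
/* Added example (not from the slides): CCFIR transfer rules plus a
 * CFI-checked indirect call through a constructed "Springboard" registry. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Where a transfer comes from */
typedef enum { SRC_INDIRECT_CALL_OR_JUMP, SRC_RETURN_NORMAL, SRC_RETURN_SENSITIVE } transfer_src;
/* Which Springboard stub class the target belongs to (Page 37), or none */
typedef enum { STUB_FUNCTION_POINTER, STUB_RETURN_NORMAL, STUB_RETURN_SENSITIVE, STUB_NONE } stub_class;

/* The three enforcement rules from the slide. */
bool ccfir_allowed(transfer_src src, stub_class target)
{
    switch (src) {
    case SRC_INDIRECT_CALL_OR_JUMP:            /* only function-pointer stubs */
        return target == STUB_FUNCTION_POINTER;
    case SRC_RETURN_NORMAL:                    /* normal return stubs only, never sensitive ones */
        return target == STUB_RETURN_NORMAL;
    case SRC_RETURN_SENSITIVE:                 /* any return-address stub */
        return target == STUB_RETURN_NORMAL || target == STUB_RETURN_SENSITIVE;
    }
    return false;
}

/* A tiny Springboard for function-pointer targets (constructed). */
typedef int (*handler_fn)(int);

static int double_it(int v) { return 2 * v; }           /* legitimate targets */
static int negate(int v)    { return -v; }
static int not_registered(int v) { return v + 1000; }   /* real code, but not a legal indirect target */

/* Registry of legal indirect-call targets: the function-pointer stub class. */
static const handler_fn springboard_fptr_stubs[] = { double_it, negate };

stub_class classify_target(handler_fn fp)
{
    for (size_t i = 0; i < sizeof springboard_fptr_stubs / sizeof springboard_fptr_stubs[0]; i++) {
        if (springboard_fptr_stubs[i] == fp) return STUB_FUNCTION_POINTER;
    }
    return STUB_NONE;                           /* e.g. a pointer corrupted by an overflow */
}

/* CFI-checked indirect call: dispatch only through a registered stub.
 * Returns false (and leaves *out untouched) when the check fails. */
bool cfi_icall(handler_fn fp, int arg, int *out)
{
    if (!ccfir_allowed(SRC_INDIRECT_CALL_OR_JUMP, classify_target(fp))) {
        return false;                           /* a real deployment aborts the process here */
    }
    *out = fp(arg);
    return true;
}

int main(void)
{
    int r = 0;
    printf("double_it via checked call: %s (%d)\n",
           cfi_icall(double_it, 21, &r) ? "allowed" : "blocked", r);
    printf("not_registered via checked call: %s\n",
           cfi_icall(not_registered, 21, &r) ? "allowed" : "blocked");
    printf("normal return -> sensitive stub: %s\n",
           ccfir_allowed(SRC_RETURN_NORMAL, STUB_RETURN_SENSITIVE) ? "allowed" : "blocked");
    return 0;
}
```

The model also makes the known limitation visible: a corrupted pointer that happens to land on another registered stub (negate instead of double_it) passes the check, because the policy is per stub class rather than per call site. That coarse granularity is exactly what the "Out of Control" and "Control-Flow Bending" papers in the reading list examine.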

Page 39: Additional Reading

§ Smirnov, Alexey, and Tzi-cker Chiueh. "DIRA: Automatic Detection, Identification and Repair of Control-Hijacking Attacks." NDSS, 2005.
§ Göktas, Enes, et al. "Out of Control: Overcoming Control-Flow Integrity." 2014 IEEE Symposium on Security and Privacy (SP). IEEE, 2014.
§ Carlini, Nicholas, et al. "Control-Flow Bending: On the Effectiveness of Control-Flow Integrity." USENIX Security, vol. 14, 2015.
§ https://en.wikipedia.org/wiki/Return-oriented_programming
§ Shacham, H. (October 2007). "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)." Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 552–561. doi:10.1145/1315245.1315313. ISBN 978-1-59593-703-2.
§ One, Aleph. "Smashing The Stack For Fun And Profit." Phrack Magazine, http://phrack.org
§ Bhat, Rashid. "Return Oriented Programming (ROP) Attacks." InfoSec Resources, http://resources.infosecinstitute.com
§ https://www.cs.utexas.edu/~pingali/CS380C/2013/lectures/CFG.pdf
§ https://nebelwelt.net/blog/20160911-ControlFlowIntegrity.html

Page 40: Next Class

§ Classic and Modern encryption algorithms: AES, RSA, Hash, MAC, digital signatures, etc.