Low-Level Software Security: Attacks and Defenses

  • Úlfar Erlingsson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4677)

Abstract

This tutorial paper considers the issues of low-level software security from a language-based perspective, with the help of concrete examples. Four examples of low-level software attacks are covered in full detail; these examples are representative of the major types of attacks on C and C++ software that is compiled into machine code. Six examples of practical defenses against those attacks are also covered in detail; these defenses are selected because of their effectiveness, wide applicability, and low enforcement overhead.

Keywords

Function Pointer, Input String, Return Address, Library Function, Machine Code

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Úlfar Erlingsson
    1. Microsoft Research, Silicon Valley, and Reykjavík University, Iceland