Department of Electrical & Computer Engineering
EC 700 Hardware and Systems Security
Prof. Michel A. Kinsy
Application level attacks: Code injection, Buffer Overflow, Control-Flow Hijacking
Legacy of the Von Neumann Architecture
§ Stored-program computer architecture
  • Conceptualized in 1945 by John von Neumann
  • A computer architecture where both data and instructions would be stored in memory
§ It was radical then!
§ There are now inherent security issues due to the architecture itself
[Figure: blocks labelled Control, Arithmetic and Memory]
Harvard Architecture
[Figure: datapath with separate Inst. Memory and Data Memory; also shown: PC, GPRs, ALU, ImmSelect and the control signals OpCode, ImmSel, Op2Sel, ALUControl, WBSel (ALU / Mem), RegWrite, MemWrite]
§ What are its inherent security (good or bad) implications?
§ Two separate memory modules
Princeton Microarchitecture
[Figure: datapath shown in the fetch phase, with PC, IR, GPRs, ALU, Br Logic and a memory block labelled Data Memory; control signals include PCen, IRen, AddrSel, PCSel, RegDst, RegWrite, Op2Sel, WBSel, ImmSel, ALUControl, MemWrite]
§ Single memory module
Current Memory System Hierarchy
§ Today’s memory organization is really a hybrid of the Harvard and Princeton architectures
[Figure: CPU with register file (RF), L1 Instruction Cache, L1 Data Cache, Unified L2 Cache and several Memory banks]
  • Multi-ported register file (part of CPU)
  • Split instruction & data primary caches (on-chip SRAM)
  • Large unified secondary cache (on-chip SRAM)
  • Multiple interleaved memory banks (off-chip DRAM)
Hardware Multithreading
§ Beyond the memory organization and its security implications, security issues are further exacerbated by hardware multithreading
[Figure: pipeline stages Fetch, Decode/Map, Queue, RegRead, Execute, Dcache/Store Buffer, RegWrite, Retire; structures shown: PC, Icache, Register Map, Regs, Dcache]
Programming Model
§ The underlying programming model does not help either
§ In the mid-50s, the programmer’s view of the machine was inseparable from the actual hardware implementation
[Figure: Hardware View]
Programming Model
§ Over time the programmer’s view and the hardware implementation diverged
§ Programmer-visible state of the processor (and memory) plays a central role in computer organization for both hardware and software
§ Software must make efficient use of it
§ Programmer’s machine model is a contract between the hardware and software
[Figure: Hardware View and Programmer’s View]
Application Compiling Process
§ Providing that layer of abstraction
[Figure: compiler block diagram. Source Program (C, C++, etc.; high-level language) → Scanner (lexical analysis) → Parser (syntax analysis) → Semantic Analysis (IC generator) → Code Optimizer → Code Generator → Target Program (MIPS, x86, etc.; target language). Also shown: Symbols & Attributes Table, error messages, and the Input and Output of the target program. The stages are grouped into language-focused transformations and architecture-focused transformations.]
Procedure Environment
§ Activations and Allocations
[Figure: memory layout]
  • Common Area
  • Activation record of main program
  • Activation record of S1
  • Activation record of S2
  • etc.
[Figure: contents of an activation record]
  • Space for local variables
  • Space for passed parameters
  • Return address
  • Temporary space for expression evaluation
Stack-Based Environments
§ Environment management is more dynamic
§ Since procedures have no fixed locations for their activations, an environment pointer (ep) is used to track the current activation
§ Activations are in a stack; the pointer to the previous activation record is called the control link or dynamic link
    void foo(void) {
        /* ... */
    }
    void bar(void) {
        /* ... */
        foo();
    }
    int main(void) {
        /* ... */
        bar();
    }
Stack-Based Environments
§ With the execution of main
[Figure: stack holding the activation record of the main program, with ep pointing to it, followed by free space]
Stack-Based Environments
§ After bar is called
[Figure: stack holding the activation record of the main program, then the activation record of bar() with its control link; ep points to the bar() record, followed by free space]
Stack-Based Environments
§ Finally with the call of foo
[Figure: stack holding the activation record of the main program, the activation record of bar() with its control link, and the activation record of foo() with its control link; ep points to the foo() record, followed by free space]
Program memory management
[Figure: process memory layout, listed here from lower addresses to higher addresses]
  • Text Segment [Program code]: Fixed Size
  • Data Segment [Initialized global and static variables]: Fixed Size
  • BSS Segment [Initialized global and static variables]: Fixed Size
  • Heap Segment [Dynamic variables managed by malloc(), free(), etc.]: Variable Size
  • Free space
  • Stack Segment [Stack frames consisting of parameters, return addresses and local variables]: Variable Size (the top of the stack borders the free space; the bottom of the stack is at the far end)
The Address Translation Scheme
[Flowchart: Virtual Address → TLB Lookup]
  • TLB Lookup hit → Protection Check
  • TLB Lookup miss → Page Table Walk
    • the page is not in memory → Page Fault (OS loads page)
    • the page is in memory → Update TLB
  • Protection Check denied → Protection Fault
  • Protection Check permitted → Physical Address (to cache)
  • Legend: steps are marked as handled in hardware, in hardware or software, or in software
  • Also labelled in the figure: Segment Fault, "Where?"
§ The address translation apparatus represents another major attack surface
Instruction Types
§ We will channel the RISC-V ISA here
§ Register-to-Register Arithmetic and Logical operations
§ Control Instructions alter the sequential control flow
§ Memory Instructions move data to and from memory
§ CSR Instructions move data between CSRs and GPRs; the instructions often perform read-modify-write operations on CSRs
§ Privileged Instructions are needed by the operating systems, and most cannot be executed by user programs
Attack Formalism
§ An attack has three components
  • Channel
    § Delivery mechanism
  • Entry
    § Bug or vulnerability or even feature exploitation
    § Binary vulnerabilities
      • Stack overflow
      • Heap overflow
      • Null pointer dereference
  • Payload
    § The actual attack function
    § E.g., get the instruction pointer to point to an attacker-specified procedure
Code Injection
§ Code injection can be used by an attacker to introduce (or "inject") code into another program to change the flow of the execution and to execute their own dedicated malicious code
§ There are many types of code injection schemes
  • SQL injection
  • Script injection
  • Shell injection
  • OS command injection
Buffer Overflow
§ Overflows can occur on both
  § The stack
  § The heap
    void bar(char *str) {
        char array[256];
        strcpy(array, str);
        foo(array);
    }
If the string at str is, say, 512 bytes long, then after strcpy the return address of bar may be overwritten
Buffer Overflow
§ Many C functions like strcpy(char *dest, const char *src) are unsafe, and their advertised safe versions, like strncpy(), are not safe either
  § strncpy() may leave the buffer unterminated
  § Should be replaced by
    strncpy(dest, src, sizeof(dest)-1);
    dest[sizeof(dest)-1] = '\0';
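The termination problem and the replacement idiom above, as an added example that is not from the original slides. The helper names and the 8-byte buffers are assumptions; the destination size is passed explicitly because sizeof(dest) only gives the buffer size when dest is an array in scope, not a char * parameter.

```c
#include <stdio.h>
#include <string.h>

/* 1 if buf[0..size) holds a NUL terminator, 0 otherwise. */
static int is_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Plain strncpy(dest, src, sizeof dest) into an 8-byte buffer that holds
 * stale bytes. Returns 1 if the result is a terminated string. */
int plain_strncpy_terminated(const char *src) {
    char dest[8];
    memset(dest, 'X', sizeof dest);
    strncpy(dest, src, sizeof dest);
    return is_terminated(dest, sizeof dest);
}

/* The replacement idiom from the slide (helper name is hypothetical).
 * Returns 0 if src fit, -1 if it was truncated or dest_size is 0. */
int bounded_copy(char *dest, size_t dest_size, const char *src) {
    if (dest_size == 0)
        return -1;
    strncpy(dest, src, dest_size - 1);
    dest[dest_size - 1] = '\0';
    return strlen(src) < dest_size ? 0 : -1;
}

/* Length of what bounded_copy leaves in an 8-byte buffer. */
size_t bounded_copy_len(const char *src) {
    char dest[8];
    memset(dest, 'X', sizeof dest);
    bounded_copy(dest, sizeof dest, src);
    return strlen(dest);
}

int main(void) {
    const char *in = "ABCDEFGHIJ";            /* constructed 10-byte input */
    printf("strncpy terminated: %d\n", plain_strncpy_terminated(in));
    printf("bounded_copy length: %zu\n", bounded_copy_len(in));
    return 0;
}
```

The truncation return value matters to callers: a silently shortened path or command string is a bug of its own even when memory stays intact.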
Buffer Overflow
§ Example attack steps are
  • Inject attack code into buffer
  • Overflow return address
  • Redirect control flow to attack code
  • Execute attack code
§ Buffer overflow and return-to-libc exploits need to know the (virtual) address to which to pass control
§ Use of Address Space Layout Randomization as protection
  § Arrange the positions of key data areas randomly in a process' address space
Buffer Overflow
§ Function pointer overwritten
  • Overflowing function pointer
  • Harder to defend than return-address overflow attacks
§ Smashing the Stack
  • Overflow the stack so that it overwrites the return address
  • When the function finishes, it will return to whatever address/value is written on the stack
  • A specific return/new address can be written to the stack, paired with code to perform the hijack
Buffer Overflow
§ Non-executable stacks
  § Can prevent many stack-based attacks
  § But cannot guard against return-to-libc attacks
  § Or protect against heap and function pointer overflows
§ Canaries
  § Insert canaries in stack frames and verify their integrity during function returns
  § Have a canary for each frame and make it as random as possible, so that it is hard for the attacker to guess or learn
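How the canary check catches an overflow, as an added simulation that is not from the original slides. The frame is modelled as a byte array so the demo itself never corrupts memory; the layout, offsets, SAMPLE_RET and all names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame of foo(), lowest address first (constructed layout):
 * buffer[16] | canary | saved frame pointer | return address */
enum { BUF_LEN = 16, WORD = 8, OFF_CANARY = BUF_LEN,
       OFF_RET = BUF_LEN + 2 * WORD, FRAME_LEN = BUF_LEN + 3 * WORD };
enum { CANARY_TRIPPED = 1, RET_CHANGED = 2 };      /* result flags */
static const uint64_t SAMPLE_RET = 0x401136;       /* constructed value */

/* Random canary for this run; returns 0 if no entropy source is available. */
uint64_t fresh_canary(void) {
    uint64_t c = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    if (fread(&c, sizeof c, 1, f) != 1)
        c = 0;
    fclose(f);
    return c;
}

/* One simulated call of foo(str). The copy ignores BUF_LEN the way strcpy
 * does, but is clamped to FRAME_LEN so the simulation stays in bounds.
 * Returns a mask of CANARY_TRIPPED (the check before return would abort)
 * and RET_CHANGED (the stored return address was overwritten). */
int call_foo(const char *str, uint64_t canary) {
    unsigned char frame[FRAME_LEN] = {0};
    uint64_t ret = SAMPLE_RET;
    size_t n = strlen(str) + 1;
    int flags = 0;
    memcpy(frame + OFF_CANARY, &canary, WORD);           /* prologue */
    memcpy(frame + OFF_RET, &ret, WORD);
    memcpy(frame, str, n < FRAME_LEN ? n : FRAME_LEN);   /* "strcpy" */
    if (memcmp(frame + OFF_CANARY, &canary, WORD) != 0)  /* epilogue check */
        flags |= CANARY_TRIPPED;
    if (memcmp(frame + OFF_RET, &ret, WORD) != 0)
        flags |= RET_CHANGED;
    return flags;
}

int main(void) {
    uint64_t canary = fresh_canary();
    if (canary == 0) return 1;
    printf("\"hello\": flags=%d\n", call_foo("hello", canary));
    printf("20 x 'A': flags=%d\n", call_foo("AAAAAAAAAA" "AAAAAAAAAA", canary));
    return 0;
}
```

Because the canary sits between the buffer and the saved control data, a linear overflow trips the check before it reaches the return address, which is why the 20-byte input is already flagged.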
Execution Control Flow Transfers
§ Changes the control flow of a program in a specific way, conditionally or unconditionally
§ Direct transfer: Target is encoded as immediate offset in the instruction itself
§ Indirect transfer: Target depends on the runtime value of a register or memory reference
§ Some of these control flow transfers are
  § Exceptions
  § Direct or conditional jumps or function calls
  § Indirect jumps or calls
  § Return instructions
Control-Flow Graph (CFG)
    int x, y, z;
    x = z - 2;
    y = z * 2;
    if (x > y) {
        y = y * (-1);
    } else {
        x = x + 100;
    }
    z = x + y;
[Figure: CFG of the code above]
  • B1: x = z - 2; y = z * 2; if (x > y)
  • B2 (true edge from B1): y = y * (-1)
  • B3 (false edge from B1): x = x + 100
  • B4 (reached from B2 and B3): z = x + y
§ CFG represents the control-flow execution of a program:
  § Nodes are basic blocks
  § Edges are possible flows of control between blocks
  § Each block can have multiple incoming/outgoing edges
Control-Flow Hijacking
§ Takes control over the victim by overwriting sensitive data structures to modify control flow of a program
§ Considered one of the most dangerous classes of security attacks
  § Exploit software vulnerabilities directly without asking for user actions
  § Used as basic building blocks to propagate between victim machines
Control-Flow Hijacking
§ Tries to control an indirect control-flow transfer instruction in vulnerable program
  § Function pointers
  § Return addresses
§ Often leads to code-reuse and code-injection attacks
  § Buffer overflow
  § Return-to-libc
  § Return-oriented programming (ROP)
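Buffer Overflow
    #include <string.h>

    void foo(char *str) {
        char buffer[16];
        strcpy(buffer, str);    /* no bounds check: overflows buffer */
    }

    int main(void) {
        char large_str[256];
        int i;
        for (i = 0; i < 255; i++) {
            large_str[i] = 'A';
        }
        large_str[255] = '\0';  /* terminate so strcpy stops after 256 bytes */
        foo(large_str);
        return 0;
    }
[Figure: stack of foo() before strcpy, higher addresses first: str (pointing to the 256-byte large_str), ret, saved ebp, buffer (16 bytes)]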
Buffer Overflow
[Figure: same code as on the previous slide, with the stack after strcpy: the 256 bytes copied from large_str run past the 16-byte buffer, so the buffer and the stack slots above it all hold 0x41414141]
Control-Flow Integrity (CFI)
§ Ensures the validity of the control-flow graph (CFG) intended by the programmer
§ Inserts checks before control-flow instructions to allow only valid targets
§ Problem: Hard to adopt in real-world applications
  • Requires complete and precise CFG of the protected application
  • Hinders incremental deployment in real systems
  • Results in high performance overhead
Compact Control Flow Integrity and Randomization (CCFIR)
§ Resolves CFI limitations
§ Focuses on protecting targets of indirect jump/call and return instructions
C. Zhang et al., "Practical Control Flow Integrity and Randomization for Binary Executables," 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 559-573.
§ Introduces the “Springboard” section
  • Is attached to each legitimate module
  • Collects legal targets of indirect instructions
  • Randomizes the order of collected targets (Springboard stubs) at load-time
CCFIR Assumptions
§ The system already has Address Space Layout Randomization (ASLR) and W⊕X protection
§ No self-modifying code
§ Limited information disclosure vulnerabilities are available to attackers
Springboard Section
[Figure: Original Module and Hardened Module side by side. The original module has a code section with nodes 1 to 6. The hardened module has the same code section with nodes 1 to 6 plus a Springboard section holding stubs 3’ and 4’.]
Springboard stub classification:
  • Function pointer stubs
  • Return address stubs for normal functions
  • Return address stubs for sensitive functions (e.g. system() in libc)
CCFIR Enforcements
§ Indirect calls and jumps can only jump to function pointer stubs in Springboard
§ Return instructions in normal functions can only jump to normal return address stubs in Springboard, but not sensitive return address stubs
§ Return instructions in sensitive functions can jump to any return address stubs in Springboard
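A small model of the three enforcement rules above and of the load-time stub shuffle, as an added example rather than CCFIR's own code; it is also the kind of target check that CFI inserts before an indirect transfer. The stub size, the addresses, the rand()-based shuffle and all type and function names are assumptions of this model.

```c
#include <stdint.h>
#include <stdlib.h>
typedef enum { FUNC_PTR_STUB, RET_STUB_NORMAL, RET_STUB_SENSITIVE } stub_class;
typedef enum { INDIRECT_CALL_JMP, RET_IN_NORMAL, RET_IN_SENSITIVE } xfer_kind;
typedef struct { uintptr_t code_target; stub_class cls; } stub;
typedef struct { uintptr_t base; stub *stubs; size_t n; } springboard;
enum { STUB_SIZE = 16 };              /* assumed stub size for this model */

static stub sample_stubs[] = {        /* constructed placeholder addresses */
    { 0x401000, FUNC_PTR_STUB },      /* function whose address is taken */
    { 0x401234, RET_STUB_NORMAL },    /* return address, normal function */
    { 0x401300, RET_STUB_NORMAL },
    { 0x401456, RET_STUB_SENSITIVE }, /* return address, sensitive function */
};
static springboard sample_sb = { 0x10000000, sample_stubs, 4 };

/* Load-time Fisher-Yates shuffle; a real loader needs an unpredictable source. */
void springboard_randomize(springboard *sb, unsigned seed) {
    srand(seed);
    for (size_t i = sb->n - 1; i > 0; i--) {
        size_t j = (size_t)rand() % (i + 1);
        stub t = sb->stubs[i]; sb->stubs[i] = sb->stubs[j]; sb->stubs[j] = t;
    }
}

/* Address of the stub forwarding to code_target, or 0 if there is none. */
uintptr_t stub_addr(const springboard *sb, uintptr_t code_target) {
    for (size_t i = 0; i < sb->n; i++)
        if (sb->stubs[i].code_target == code_target)
            return sb->base + i * STUB_SIZE;
    return 0;
}

/* Check placed before an indirect transfer: 1 = allowed, 0 = blocked. */
int ccfir_check(const springboard *sb, xfer_kind k, uintptr_t target) {
    uintptr_t off = target - sb->base;
    if (target < sb->base || off >= sb->n * STUB_SIZE || off % STUB_SIZE != 0)
        return 0;                     /* not the entry of a Springboard stub */
    stub_class c = sb->stubs[off / STUB_SIZE].cls;
    if (k == INDIRECT_CALL_JMP) return c == FUNC_PTR_STUB;
    if (k == RET_IN_NORMAL)     return c == RET_STUB_NORMAL;
    return c != FUNC_PTR_STUB;        /* RET_IN_SENSITIVE: any return stub */
}

int main(void) {
    springboard_randomize(&sample_sb, 7);   /* constructed seed */
    uintptr_t fp = stub_addr(&sample_sb, 0x401000);
    return ccfir_check(&sample_sb, INDIRECT_CALL_JMP, fp) ? 0 : 1;
}
```

A raw code address such as 0x401000 fails the check even though it is a real function entry, because only Springboard stubs are legal targets of indirect transfers.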
Additional Reading
§ Smirnov, Alexey, and Tzi-cker Chiueh. "DIRA: Automatic Detection, Identification and Repair of Control-Hijacking Attacks." NDSS. 2005.
§ Göktas, Enes, et al. "Out of control: Overcoming control-flow integrity." Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 2014.
§ Carlini, Nicholas, et al. "Control-Flow Bending: On the Effectiveness of Control-Flow Integrity." USENIX Security. Vol. 14. 2015.
§ https://en.wikipedia.org/wiki/Return-oriented_programming
§ Shacham, H. (October 2007). "The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)". Proceedings of the 14th ACM conference on Computer and communications security - CCS '07. pp. 552–561. doi:10.1145/1315245.1315313. ISBN 978-1-59593-703-2.
§ One, Aleph. "Smashing The Stack For Fun And Profit." Phrack Magazine. http://phrack.org
§ Bhat, Rashid. "Return Oriented Programming (ROP) Attacks." InfoSec Resources. http://resources.infosecinstitute.com
§ https://www.cs.utexas.edu/~pingali/CS380C/2013/lectures/CFG.pdf
§ https://nebelwelt.net/blog/20160911-ControlFlowIntegrity.html
Next Class
§ Classic and Modern encryption algorithms: AES, RSA, Hash, MAC, digital signatures, etc.