Memory corruption vulnerabilities, runtime mitigations and their bypasses

Video in TIB AV-Portal: Memory corruption vulnerabilities, runtime mitigations and their bypasses

Formal Metadata

Memory corruption vulnerabilities, runtime mitigations and their bypasses
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Memory corruption vulnerabilities are ubiquitous and unavoidable issues of our complex applications. There are many exploitation and exploit mitigation techniques for them, as well as bypass methods for the deployed or proposed defenses. For instance, in addition to the nowadays classic defenses of Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), there are more recent proposals like Control Flow Integrity (CFI) and fine-grained ASLR, even if these solutions are not frequently used in practice today, mainly for performance and compatibility reasons. The aim of this talk is to provide an overview of the main achievements of state-of-the-art academic research in this field, and also to demonstrate and discuss some concrete uses of evasion techniques for bypassing runtime mitigations, like the Enhanced Mitigation Experience Toolkit (EMET) of Microsoft.

Hi, I'm [name unclear] from the University of [unclear], and in this talk I would like to present a short overview of memory corruption attacks and defenses. I'm a
mathematician working as a lecturer at the University of [unclear] who is interested in information security in general and especially in ethical hacking. I also feel responsible for security in general and especially for security education, and I am always happy to [unclear] the hackerspace [unclear]. According to the principle of [unclear] learning, I have just started to make and share some [unclear]. In this talk
I will briefly discuss the problem of low-level programming languages, then present a general model of memory corruption attacks taken from a recent survey article. After that I will talk about some currently deployed protections, some advanced attacks and bypasses for them, then mention some of the recent proposals, and finally draw some conclusions. Basically the problem is very simple: low-level programming languages, say C and its variants C++ and Objective-C, are used extensively in operating systems, kernels, device drivers and embedded systems, just to name a few. [unclear] This language is the language of the professional programmer; moreover, we have millions of lines of legacy code. But the problem is that they lack type safety, and what's more, both bounds checking and dynamic memory management are solely the responsibility of the programmer. So C is memory unsafe; hence it is not surprising that it is error-prone, and indeed we can enumerate a series of vulnerabilities, from the Morris worm to Heartbleed, or just think of the [unclear] contest, where even the most hardened versions of operating systems and [unclear] are exploited every year. But
nevertheless it is still very popular, and here you can see the ranking of the most popular programming languages by the IEEE [unclear]. It has five columns, [unclear], which mean that the language is used for web applications, mobile applications, enterprise, desktop and scientific applications, and for embedded systems, respectively. And it is
especially important to fight against memory corruption bugs, but it is difficult and it is a great challenge both for academia and industry. For more than three decades we have seen a huge number of proposals, I will mention a few, but only a few mitigation techniques are deployed in practice today, and yesterday we saw that these are insufficient against [unclear] attacks. This situation naturally raises the question of why this is so. I like this figure very much; it says that we should not forget about other aspects, namely usability and functionality, in favor of security, but we must make a balance among these sometimes conflicting [unclear]. If we translate or adapt this to the area of runtime mitigation techniques, then security becomes robustness, that is, the type of
attacks that can be prevented by the defense and how effective the method is. The aspect of ease of use changes to performance; it is very important, as studies show, that no mitigation technique with more than 5 to 10 per cent runtime overhead can have widespread adoption in practice. And perhaps functionality should be replaced by compatibility, which can be either binary compatibility, meaning that the defended modules still work with unmodified libraries, or, if that is not possible, we require source compatibility, meaning that no manual annotation of the source code is necessary. Besides, modularity, that is the possibility to introduce the same defense for different modules independently from each other, is also often an important issue. Now let me present a model of memory corruption attacks.
This is taken from an excellent survey article by Szekeres, Payer, Wei and Song. [unclear] Here you can see the goal of the attack, which may be code corruption, control-flow hijacking, a data-only attack or a memory leak, and the steps [unclear]. So in this model
in the first phase the attacker must make a pointer invalid.
Memory corruption bugs in the program make a pointer invalid: it can either go out of bounds or become dangling. In the first case we have a spatial error and in the second case we have a temporal error, and in both cases the next step is to dereference the invalid pointer; this can be performed by a write, a free or a read operation.
For instance, a spatial pointer error may be caused by a classic buffer overflow or underflow, or by an allocation failure generating a null pointer, which might be exploited in kernel space, by indexing bugs, by integer overflows, [unclear], or by incorrect pointer casting. Temporal pointer errors are also called use-after-free bugs, because the dangling pointer is used after the memory area it points to has been deallocated, that is, freed by the memory management system during the free instruction. But note that a pointer to a local variable can also become dangling if it is assigned to a global pointer and the subroutine returns, freeing the local variable from the stack. Double frees are also included here. In the second step the attacker dereferences the corrupted pointer, that is, uses it to write, to free or to read. In the first case he can overwrite a return address on the stack, or overwrite a function pointer or a vtable pointer, or overwrite the content of a string object; by freeing he can overwrite the heap metadata or overwrite a function pointer of an object [unclear]. But note that even just reading the value of a corrupted pointer can be used to leak data, which [unclear] code corruption, or reading the corrupted pointer may be due to the execution of [unclear] code. Next, the goal of the memory corruption after the first two steps may be quite different: the attacker can either modify another data pointer and then repeat phase one and phase two with this newly corrupted pointer, through which he can
modify [unclear], or he can modify code to attacker-specified code [unclear] shared code and achieve a code corruption attack. Next, he can corrupt a code pointer to the address of his injected shellcode or to the address of code snippets of a loaded memory module, called gadgets, and then by an indirect call, jump or return instruction the attacker hijacks the control flow; this is the most common type of attack. Please note that it is also possible to just modify data variables, and then, if it is a sensitive data variable, the attacker can execute a data-only attack. And finally, by corrupting an output variable, like [unclear] the name field of a [unclear], information can be leaked. So there are several possibilities. Next let us discuss the currently deployed runtime protections. First we have stack cookies or stack canaries; these are random values placed between the local buffers and the return addresses on the stack, and they can be used to detect only contiguous attacks, that is buffer overflows, since then the canary value is overwritten, which can be detected later when the function returns. In the Windows [unclear], SafeSEH and SEHOP, structured exception handler overwrite protection, validate the integrity of the exception handler pointers and the exception chain. The main problem with these techniques is that they are only partial solutions, that is, they only provide some very specific type of control-flow integrity, and stack cookies can be bypassed by direct overwrites, that is, by using indexing bugs, or they can be circumvented by memory leaks. The next main
widely deployed mitigation technique is the write XOR execute policy. Please remember that it has two equally important sides: the first is called non-executable data or Data Execution Prevention, abbreviated as DEP in Microsoft's terminology, and the second might be called non-writable code or code integrity. Nowadays this is implemented by memory page protection in modern processors: in simple terms, we must have read or write permission for data pages but never execute, and we must have read or execute permission for code pages but never write at the same time. And thus, as in many other areas of security, the clear separation of data and code is a crucial idea. This works well
and it enjoys hardware support, so it has a negligible overhead, but it protects only against code injection attacks and not against the more sophisticated code reuse attacks, that can be return-oriented programming, jump-oriented programming or [unclear]-oriented programming. It also has some other issues, because the separation of data and code is not as easy as it first seems: for example, you must handle the just-in-time compilation of script languages, valid for instance for browsers, which create, from user-supplied input data, [unclear] that must be turned into executable code, and also self-modifying code like [unclear]. [unclear] forces attackers to apply code reuse instead of code injection, and the main defense against code reuse attacks is based on randomization, especially Address Space Layout Randomization, abbreviated as ASLR. It randomizes the base addresses of the stack, the heap, the main executable and the shared libraries, so the attacker [unclear] does not know the addresses of possible gadgets. But it also has some issues: first, it requires position independence and [unclear] about 10 per cent runtime overhead; on 32-bit platforms the entropy of the usual ASLR implementation is very low, which is subject to brute-force attacks; moreover, partial pointer overwrites and memory leaks can defeat ASLR as well; and, similarly to [unclear], ASLR is also an all-or-nothing defense, meaning that just one non-ASLR module can break the whole protection totally. Now let us look at some more advanced defense techniques. As
I mentioned earlier, in the standard ASLR only the base addresses of the code modules are randomized; to increase the entropy of the location of gadgets, fine-grained randomization was proposed. The main idea here is that a single leaked pointer should not defeat the whole defense. Randomization can be applied at the following levels: inside a module we can permute functions, or basic blocks, that is code parts with a single entry and exit point, or we can apply instruction-level randomization. And of course this makes a lot of attacks fail and adds protection to the standard ASLR, for instance against [unclear] attacks that require just a single [unclear]. Furthermore, repeated memory disclosure attacks are still possible, as we shall see. Here you can see
a whole new type of attack, called just-in-time code reuse, or JIT-ROP. The main assumption here is that, besides the memory corruption vulnerability, the attacker also has a memory disclosure vulnerability, which allows him to read from arbitrary memory addresses in a process. As you probably know, an attempt to read from an unmapped address causes a segmentation fault and the application usually crashes. [unclear] The attacker also needs a single valid code memory address, but of course it is not hard to obtain, and the important point in theory is that it is also sufficient. [unclear] This is the address of a function; using the above-mentioned memory leak the attacker can read and disassemble the whole memory page that contains the function, here denoted by page one, and the disassembly reveals [unclear] call instructions; for instance here there is a call to function B, so here is the address of function B, and of course it is contained in a code page, say page two, and by repeating this process the attacker obtains a significant amount of disassembled pages. So just by going in cycles he can obtain many disassembled code pages, and finally with a runtime gadget finder and a JIT compiler he can generate a ROP payload that works no matter how fine-grained ASLR is applied. Moreover, if we have a user scripting environment, as in browsers or document viewers, then the whole process can be automated, so a memory leak [unclear], and this danger can defeat even the strictest fine-grained ASLR implementation. ASLR
thus being insufficient, the control-flow integrity approach has gained considerable interest recently. The main idea here is to detect control-flow attacks by detecting control transfers outside the benign control flow of the application. It can be done, first, by computing the so-called control-flow graph of the application and then monitoring the executable's runtime behavior according to this graph; any deviation from the standard control flow, that is a jump to an unusual place, indicates a control-flow hijack, so that it can be stopped. But this method has a drawback: the main problem is that precise validation of all indirect control-flow transfers, meaning all indirect calls and all indirect jumps, and also that returns return only to the original caller, introduces a rather high overhead, up to [unclear] per cent, and therefore in practice usually some relaxed version is used instead; the so-called coarse-grained control-flow integrity policies are implemented. But, as we shall see, they can be defeated by advanced attacks. So
as for the CFI, control-flow integrity, policy, it depends on the type of indirect branches that are checked, and they usually also use some behavior-based heuristics, for example the frequent use of returns to small code snippets, and indicators [unclear] on the stack at the time of the check, [unclear]. A paper from [unclear] demonstrated the weak points of the coarse-grained control-flow integrity approach. They took five representative implementations of these defenses, namely CFI for COTS binaries, kBouncer, ROPecker, ROPGuard and Microsoft EMET, and derived the combined, strongest [unclear] CFI policy from these programs, and showed that even this strongest policy can be bypassed using two new types of gadgets, the so-called call-preceded gadgets and long-NOP gadgets. As a concrete example let us look at Microsoft EMET. EMET stands for Enhanced Mitigation Experience Toolkit, and it is a free mitigation tool that can be downloaded from Microsoft. The main goal of the EMET project is to add modern protection to earlier versions of Windows. It is highly modular and it has no less than 14 different mitigation options that can be turned on and off on a per-application basis; this solves many incompatibility problems. But like most practical tools to date it is not bulletproof; even Microsoft warned us that it can be bypassed. The first main problem is that it is a user-space protection, so the attacker [unclear] has the ability to disable all of the defenses of the application completely, which was demonstrated several times, and the mitigations can be circumvented one by one, just as you will see. For the demo I used the TestDisk utility. [unclear] It is a very nice tool from CGSecurity; it is basically a data recovery utility that can be used to recover lost partitions in the partition table, and it saved my
life at least once, when I installed Windows over [unclear]. The main point is that this utility also accepts an image file as input, and [unclear] last May a buffer overflow, a simple buffer overflow vulnerability, was found in this application. What I did was: I wrote an exploit for this vulnerability, which was easy, but then I used EMET to turn on the mitigation techniques one by one and I checked the ability to bypass it, finally. So just to show you [unclear], I can create a screen like this. I do not have time to go into the details, so I am willing to show you the whole code and how the exploit works after the talk, but the script is used just to generate the image file containing the exploit, and if I use it as input then [unclear]. Just one moment, I would like to show you that EMET is in effect. So this is the graphical user interface of the tool; you can see that all mitigations are being turned on, and here is TestDisk, this utility, and as I mentioned it is
highly modular, so I can turn mitigation methods on and off on a per-application basis, but
if I [unclear] then nothing happens, but [unclear] the calculator, just believe me, would have appeared there. So [unclear] on all my [unclear] it does so, but I have committed to show you that it works after the talk. So this is just a general demonstration that even such a runtime mitigation tool can be bypassed. [unclear] I
can refer to the online presentation. And now
sorry, I must [unclear].
[unclear]
The latest CFI protection solution of Microsoft is called Control Flow Guard. It was introduced in the preview version of Windows 8.1, but it was [unclear] in the final edition; [unclear] Windows 8.1 Update 3, and [unclear] it can be found in Windows 10. But it is also a partial and rather weak implementation of control-flow integrity: namely, because of performance reasons, it only injects checks for the forward indirect calls; returns are left unprotected. [unclear] It is effective against [unclear], but it requires compiler and linker support, so it is not automatic, and older versions of Windows binaries remain unprotected; and note that even a universal bypass of CFG was demonstrated recently. Now let me mention some of the recent proposals that have arisen in academic research; as far as I know these are still in the prototype phase. First, the concept of code-pointer integrity is an alternative to control-flow integrity and code randomization, and it can guarantee the integrity of all code pointers; it was even formally proven to be correct. This can be done by separating sensitive control data, like return addresses and indirect jump targets, in a safe protected region; you know, separation by isolation is one of the basic principles of security. It also has a relaxed version called code-pointer separation with a much smaller overhead. The main idea of the next proposal, [unclear], is to implement an execute-but-not-read policy, in order to do code hiding against the pointer harvesting phase of JIT-ROP attacks, but it needs hardware support for [unclear], which is called [unclear] in [unclear], the [unclear] virtualization extensions. [unclear] A very interesting proposal, Isomeron, follows a totally different strategy: instead of preventing, it tolerates
memory disclosures. To achieve this goal it randomizes control-flow transfers; therefore it needs two clones, two isomers, of all functions in the memory. Of course this doubles the memory requirements, but, you know, space is far less an issue than time. It works as follows: at each call and return instruction Isomeron decides randomly whether to switch to the other clone or keep the execution in the current one, and this makes [unclear] non-deterministic and ROP attacks impossible. The experiment shows that it would have acceptable runtime overhead if it could be integrated into a compiler. And the last one, this is called HAFIX; it is a hardware-assisted control-flow integrity solution that is significantly more efficient than existing software solutions. It uses [unclear] to enforce the intended control flow more precisely than coarse-grained CFI [unclear]; for instance it enforces returns to target not just any call-preceded instruction, but only those in the functions that are currently being executed, and this can be done by three new processor instructions. As a conclusion,
we may say that the problem of C/C++ code is far from being solved at the moment. It should be obvious that there is no silver bullet; securing the large amount of unsafe code in use remains really hard. It also seems that the academic world looks for perfect solutions, and this [unclear] unless somebody [unclear] realization of the mitigation proposal, while the business sector invests in fast mitigations against current mainstream exploitation and cares less about all possible bypasses. And of course inefficient and incompatible solutions are useless in practice, but even a small trade-off for efficiency can totally destroy the defense, as we have seen in the case of coarse-grained control-flow integrity. It is also clear that there is an arms race between attacks and defenses, since known attacks can be mitigated and known defenses can be bypassed. The solution can be at different levels: today I mainly discussed software-based techniques, and hardware-based solutions usually need a considerable time to spread, but many software approaches have the performance overhead as the main bottleneck, and hardware support can bring relief to this problem. Last, even though it seems unrealistic now, perhaps one day we will be ready to use type-safe languages instead of C. And even as we have seen, runtime mitigations are far from being perfect, thus the other defenses like secure coding, security testing and sandboxing should not be neglected. OK, that's all
I wanted to say. Thank you for your attention.
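The following is an added illustration, not part of the talk or of any project it mentions: a toy model of the difference the speaker draws between coarse-grained CFI (any known function entry is an acceptable indirect-call target) and fine-grained CFI (only the targets the control-flow graph allows at that call site). All function names, the policy tables and the dispatcher are constructed for this example; a corrupted function pointer is simulated by passing a wrong target to dispatch().

```c
/* Toy CFI policy check for one indirect call site (constructed example). */
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* Legitimate targets of the dispatcher's indirect call. */
static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* A real function of the program that is a valid indirect-call target
 * elsewhere, but never from dispatch(): the kind of target a corrupted
 * function pointer gets redirected to. */
static int privileged_reset(int x) { (void)x; return -999; }

/* A function that is never an indirect-call target anywhere, standing in
 * for an address that is not a known function entry at all. */
static int not_an_entry(int x) { return x + 1000; }

/* Coarse-grained policy: the target only has to be *some* function entry
 * known to the program, regardless of which call site is executing. */
static const handler_t all_entries[] = { double_it, negate, privileged_reset };

/* Fine-grained policy: per call site, the targets the control-flow graph
 * actually permits. dispatch() may only reach double_it or negate. */
static const handler_t dispatch_allowed[] = { double_it, negate };

static int in_set(const handler_t *set, size_t n, handler_t target) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == target) return 1;
    return 0;
}

int cfi_coarse_ok(handler_t target) {
    return in_set(all_entries, sizeof all_entries / sizeof all_entries[0], target);
}

int cfi_fine_ok(handler_t target) {
    return in_set(dispatch_allowed,
                  sizeof dispatch_allowed / sizeof dispatch_allowed[0], target);
}

/* The guarded indirect call. `fp` plays the role of the function pointer an
 * attacker would corrupt; `fine` selects which policy is enforced.
 * Returns the handler's result, or 0 with *violation set to 1 when the
 * policy rejects the target (a real enforcer would terminate the process). */
int dispatch(handler_t fp, int arg, int fine, int *violation) {
    int ok = fine ? cfi_fine_ok(fp) : cfi_coarse_ok(fp);
    *violation = !ok;
    if (!ok) {
        fprintf(stderr, "CFI violation (%s-grained policy): target not permitted\n",
                fine ? "fine" : "coarse");
        return 0;
    }
    return fp(arg);
}

int main(void) {
    int v, r;

    r = dispatch(double_it, 21, 1, &v);           /* benign call */
    printf("benign:    result=%d violation=%d\n", r, v);

    /* Redirecting to another function entry passes the coarse check ... */
    r = dispatch(privileged_reset, 0, 0, &v);
    printf("coarse:    result=%d violation=%d\n", r, v);

    /* ... but the fine-grained check knows dispatch() never calls it. */
    r = dispatch(privileged_reset, 0, 1, &v);
    printf("fine:      result=%d violation=%d\n", r, v);

    /* A target that is no known function entry is rejected by both. */
    r = dispatch(not_an_entry, 0, 0, &v);
    printf("non-entry: result=%d violation=%d\n", r, v);
    return 0;
}
```

The coarse policy accepts the redirected call because the target is a legitimate function somewhere in the program, which is exactly the gap the call-preceded-gadget bypasses in the talk exploit; the per-site policy closes it at the cost of needing the control-flow graph.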