Bestand wählen
Merken

Type confusion: discovery, abuse, and protection

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
and
it is a and I and the me and so we see both C + + programmers kind of use typecasting like we just go for about half a beer at a bar um and they don't really seem to enforce yeah the types very um yet carefully the this compilers don't and memory access is also a bit of a problem but this leads to all sorts of issues like is a citizen specifically type confusion another role abilities the but he has prior to the has come to a solid from Purdue University the other places but as recently from Purdue University that having to tell us all about a compiler base extension that he's been working on that should be able to detect and avert some of these bugs and with that it's over 2 yes early but the few vision and different forms of type safety will abilities that can be exploited by attackers to gain some form of code execution and the works for quite a bit on looking at the type hierarchy of C + + and different forms of all abilities that can arise they can then be exploited in different parts and it's a as the just just a quick show of hands who here is a C + + programmer while pretty much every 1 of you who has written more than let's say 10 thousand lines of C + + code a lot of the other today that's a good setting as plus plus programmers you're likely used to the different forms of typecasting any have set a constant then M. Acosta want to Vodafone costs and amazingly C + + has no form of type safety whatsoever so this talk could also be described as bloody
was a chance of calculators as we'll see in a this there's a lot of opportunity than attacker can get to exploit these different forms of our of type Confucius
plans type confusion leads to remote code execution which anniversary can abuse the different forms of type confusion and the different settings in a type parity to pretty much execute arbitrary code and you're on your system and so on especially browsers and hypervisors and kernels are great targets to find different forms of high confusion and then exploit them as was recently shown on the the
point on competition and we've seen a couple of
these I by confusions that are used to spy on calculators all over the place the which are fun so calculate payment shows you that you get Arbitrary code execution as against 1 at and as we see if you think about it on the attack surface that we face on our systems is pretty much huge the are no longer working hours are systems of a couple of thousand lines of code but was millions and millions of lines of code the abstraction is this immense and if you get
if you look at Google Chrome for example on we have more than 100 million lines of code which is an immense codebase that facing and it's very hard to protect against what abilities and as large code bases and even the folks at Google are doing an awesome job at code reviews figuring out of test sets cases checking all the different conditions is still a large opportunity for different forms of type confusion in there's lots of subspace as such as Google Chrome 76 million lines of code but also a bunch of all other systems and part of that there's your the window managers dares your of standard there's the Linux kernel there's a hypervisor and so on and is easily clocks into more than 100 million lines of code and there's an easy easily there's a lot of opportunities for different forms of high confusion the the we will explore this different opportunities of high confusion we will see how we can find type confucian 1 abilities how we can automate the search for high confusion will abilities and also will discuss what kind of phone and abilities anniversary can gets through different forms of kite that is a how can you exploited what is the underlying attack vector what the attack primitives how can you build attack primitives and then India and how can how we can automate it's a figure of out excitability now the attacker model is as
follows we start off with an external user for example without any form of good execution capabilities has to match this on on 1 hand you have a program that is on answering 2 different forms of requests your sending a request getting a reply is defined as some form of capital of computational capabilities that you get on the other end right so can send in a request you get a reply and it is for that conforms to some form of Comp but computation and allowed to execute so your severely limited in what kind of computation you can execute so for example if you're in fact things of that you're sending a request and is supposed to get an HMO file as a response they can render and and the but had anniversary tries to craft a request is being sent in so that instead of HTML on document you get a shell in return and among several steps you are extending your capabilities from an external user that is issuing requests to to retrieve documents to a local user and then 10 administrator account the and these all the steps are being followed to extend the capabilities of an adverse 3 step by step and download of the nice thing is that on external adverse 3 can easily
triggered these so these attacks by asru very simple means by other a simple of simple request that is being set up the on current
softer the we're mostly focusing on contraflow hijack attacks and as a the so for security community over the last 20 plus years we have worked on a large amount of mitigations different forms of mitigations that try to detect and exploit condition or some form of all ability there's so given the attack the set of shown before it is highly likely that the large amount of code that we have will contain will abilities so the are working on mechanisms that protect integrity and availability of our systems even in the presence of all about its so the very 1st step we have to accept the fact that there will be bucks in our code so all the defenses that we have all the mitigation city have focus on detecting this exploit conditions stopping anniversary from actually running a full export and order last 20 plus years we've developed a set of different mitigations and hence submitted harder and harder for adverse trees to gain full code execution capabilities so if you want to hijack the control flow on the current system you need to jump through a set of hoops to actually get code execution which allows you to spawn a calculator or execute arbitrary order commands to so for contraflow hijack attack
103 does as it influences the address space off an application of a process to adjusts the different forms of of of code pointers pointers and the date of the application that it executes something different so imagine originated code is just the web server but instead of serving at that document you wanted to open a shell for you because you full computational capabilities of that system that you can interact with the system and then further escalated privileges 10 and straighter the now was all the different mitigations that we have in our systems is severely restricted to the set of capabilities that anniversary can have even if there are vulnerabilities men received a 1 or both of type 61 abilities in the code the and it's like you're shows the address space of the program in an abstract form so we see that the code section the is read-only and only so and but adverse 3 and this is the only section that is readable and executable that were stricken no longer inject new code and is 1 of 2 defenses we came up with In addition to that scares Odyssey heap and stack which readable and writeable but not executable so the only way in adverse can influence the program is by modifying the data and then reusing the existing code the so what we have here is we have a large amount of good pointers on the heap and on the stack which then points to decode which to get code execution or to high-tech the contraflow anniversary can simply overwrites these code pointers and redirect them to some alternate location and this is precisely what is being done for contraflow high-tech attack this can either be for direct quote pointers that point from the keyboard a stack into the code reach itself or we can also go through the tables which is of way for C + + to handle on inheritance and virtual functions that have a virtual function you art the allowing it to be all written depending on the class hierarchy and if you're dispatching based on a virtual function your following the code point of accord pointer to specific class based implementation the the and they can influence all these these different pointers as an attacker and then redirect and stitched together the existing code parts an ultimate what's the no
as the show of hands should be for all of you are already C + + programmers but still prickly goes through the different forms of casting behavior and and even if you if you've been using C + + for a while you may not be aware of how the different costing operators actually boil down to the underlying code hold being compiled down into an actual application Sears 2 main casting
operations that we have the static costs and their dynamic costs the esthetic cost allows you to cast their an object or a pointer to an object into a different cost the the advantages esthetic cost is very very fast the disadvantages it doesn't do anything except for doing a feasibility check at compile time so what esthetic cost actually isn't it tells the compiler please check if there is a pass from the current type to the order types type to the target if there's any pause in the class hierarchy that all that goes from that source type to the target type then the cost is actually a lot and and of it is need any runtime information doesn't we introduce a new law had of which is which is great for of performance but it doesn't give you any security guarantees and anemic cast on the other hand executes an actual runtime check that M. Acosta somewhat comparable to a cost in another of programming language like for example in Java loss on the neutrino typecast it is action force that types that your costing into 40 D objects that your costing 2 different type actually is off that order time so that the cost is allowed and in C + + at anemic endocast leads to a runtime check no to actually execute the runtime check you need the runtime type information to be able to decide he what this the actual type of the optical is the type of memory area that you're looking at on you need to identify the underlying type of the memory object in some form the and this is verse than of Mory's he's off the drawbacks of C + + C + + is an extension of C pretty much in see everything boils down to untyped memory Everything boils down to bytes in memory but you have some car a they can be interpreted in different ways and without an actual identification of the underlying Kari you don't know what the tiny bits and as a dynamic cost you're using a unique identifier for an object to actually decide what type it it's and this is ver but the the table pointer is actually being used this allows you to have a unique identifier for the actual object that allows it to the side here this is the runtime type of this object so it's a unique way to identify different or to distinguish between the different object types the so let's look at the different costing but be hearing a little more
detail this have a static cost the cost of an object into of pointer reader and this is being compiled down into a Lotus off the pointer B the in 2 of the X register and then a store into this other target area for there's no real type-checked happening there and the compiler only does a feasibility check at compile-time many goes from from B to a picture of the right type the now if you have a dynamic cost if a compiler was 0 0 result optimization we
see that there's actually a lot of code being generated again below the pointer view to a null check of an and addition to that the loads the pointer to do the on creature class and we looked a pointer to the base class and then we execute a full than and cost this allows us to do this this actual check and make sure that the type of the runtime object that we have conforms to the actual type that we expect to be me to have full runtime enforcement no if the optimize
this on Edenic cost below the 2 pointers to 2 based pointers we check what the the current based pointer is off the current objects and depending on the result of the car speed allow it or we terminate the program at run-time is a type safety while lation but let's look what a static cost
is optimized it ends up in 0 instructions because we reuse the order register so esthetic cost does not mean cure any runtime overhead and does not endure any runtime check did I use this as a as a take home message static costs do not result in any instructions being executed at runtime so no performance overhead and the our no security guarantees the so now with his knowledge of
what actually is type confusion type confusion
arises 3 legal down costs assume we have the following type parakeet we have a parent class and 2 dependent clauses child 1 and 5 now if we allocate an object on child 1 of type child 1 and we store it in the pointer the we can cost it's too apparent type but so you can cost from the child objects to and 1 object the parent object and as these 2 classes are dependent this is a valid costs and we can store the pointer to p our the in no and in the end the pointer and we can use a paired object sort of fuels of that paired objects the now as the 2nd step we can casted apparent object into a child object and if the child to object but it's if the underlying object has been allocated as a child to object then this cost would be allowed to but this study cost does not do any checks right so at run time this would lead to so to type confusion and this is exactly they're exploitable behavior comes at so With this static cost which is not being checked the static costs could be abused to interprets the underlying memory as a different type the let me did you a little bit more detail on background
on that on the type confusion we have the parent class and if the child cause all break it down to just parent and child to make a little bit easier the not a paired object only has a single variable so incited called in I often into and the child class has a 2nd in type and a virtual function called print do now if the allocate at p object the only allocates the 4 by 4 bytes are being used for the integer if the allocate C type object we have to be table pointer that points to the actual on the actual location it contains all the good we have the x integer and we have to widen today can all be used now let's assume the
Al-Qaeda the p object a paradoxically have appointed to it the if you do a static cost and see our the pointer is the pointer ends up pointing above the actual object and all the underlying object or the underlying data is at that location would be re-interpreted as in the table pointer the along with so why object or why integer they could then be read and written which would expose the underlying memory this leads some memory safety while lation and contraflow checking after type confusion and if you look at the end at the chain of violations that type Confucianist the 1st thing that happens that violates the integrity underlying application and this is the initial time entry vector for an attacker to abused as underlying all doctors this type confucian but and this can then be used as a memory safety confucian I'm emissivity while addition order for contraflow hijacking the never how do we use in this vulnerability type to build exploit primitive but so
imagine Dad on when you're using type confusion when you're exploiting type confucian and in your programs you're trying to control 2 pointers of different types that most points to the same memory area but the 2 pointers of different type allow you to re interprets the different fields of the object in 2 different ways they have if a certain memory area that is off of 1 or ritual Tiger has been allocated 1 original type we have 2 pointers all the different types of it's a memory area and for example in the in the 1st type 3rd parameter is that the 1st entry is interpreted as at the table pointer while in the 2nd type is interpreted as a long by it and if you if use a center for his long value you can use it to right to the table pointer in the other view the imagine that you're using the 1st you to set the table pointer and then using the 2nd point to that you control a well of different types the dispatch on that pointer don't as a simple example on
just to show you that the power of this exploit primitive but again imagine that we have a base class that is implement some basic functionality and we have 2 subclasses of a 2 distinct classes if agreed to a class that just says hello and an I a great execute as a service so both of those are into are implemented as virtual function because we may want to build our fancy framework on top of that this additional functionality so we want to be able to override functionality so to execute the service implements 1 virtual function called xx that takes a string that is then being passed system executed as a as an additional service and the greater function just print the string to standard out so that sounds pretty reasonable that and there's no way that and so a programmer would confuse xic nc high because the 2 functions have different names and there's no way for us to confuse it right a
no it if In the allocate uh to base objects B 1 and B 2 of type the first one of type creature and the 2nd type but the 2nd object of type X X we can actually dispatch our the does but dispatch on those objects so we allocate these 2 objects 1 object of type greeted the 2nd object of type X X and then we cast the 1st object B 1 into greater and we called reaches high and then creatures as high to and this is the 2nd object we again casted into greater so from the base class to policy and the compiler does a runtime of compact and check and he's all yes the of the creature type is dependent or a descendant of the base types it is that the cost is actually allowed and we can call high was this veered strain use Rabin ex-cop Edwards perfectly 5 the compiler doesn't complain end the this is actually really fun if you look into this
thank we see this is exactly the codes that I've just shown we've got the study costs into integrator here and we've got the set constant reader here and we call say hi twice FIL we make the object the allocates to objects of type base of type creature and type xx but the both we called the same high a nested 2 times and if he executed we once the 1st call to see high this creators is high and the 2nd call this a high opens a calculator which not what we
want on if you look at how this is actually implemented so what why does this but happens 1st off the initial but the underlying but is that the type hierarchy order compiler cannot I stop us from costing and base class into agreed upon us even though it is an X. class we've got this to the
tables from B 1 and B 2 and the 1st 3 Table points to the table after of the greeter type and the 2nd basis of the 2 pointer points to the x type on the and we can easily cost between the 2 of you without type system in the post lecture complaining against it the and if you look at it as at the actual implementation for drill down in the source code what it actually ends up with this be dereferenced the 1st field off the of the creature class which is to be table pointer and then we reference the 1st we table pointer so you know we're executing say hi or we have written the high in the source code it boils down to executing D it's 6 function the and the our class instead of the degree class leading to the actual type confusion the now this is a fun a fun way to exploit softer enough that part question is how do we find these types of vulnerabilities how can be find such issues in our and the classic approach of people have been using of for the last couple of years especially to find 1 abilities in large browsers has been fussing and fussing is great but but
what it ended up being as you your fuzzing and you're trying to find this type confusion wall abilities but as as i've just shown it's really hard to find or to actually triggered a type confusion will abilities because there's no way for you to and enforced actual check bytes to the only evaded you will discover that something is amiss is is if you run into a memory corruption if you run into segmentation fault if you don't run into segmentation full there's no way for you to detect the actual type confusion and you may be missing a large amount of type confusion by CIA only if you're running a father you all the detecting the subset of type confusion and results in a direct memory corruption a segmentation fault there may be a large amount of type confusion that could be abused but you're missing and what we wanted to look at can be discovered the missing set of high
confusion so can be bring type safety to C + + or at least some form of type system and typing so that we can give the of band legal cast as being happening right so did the underlying
problem that we have here is in C + + as static cost is checked only at compile time which is fast but does not give us any form of runtime guarantees on the other hand we have dynamic costs their checked at runtime which result in high overhead and a limited to polymorphic classes Polimorf across the classes that have were functions in them why are that any costs limit to more classes model be need to have some a a way to identify individual objects or the type of a new objects and the table pointers such an identifying field and this goes back to the design of C + + in C + + a structure is a class in a classes the structure I the allocated struct and see if you have no idea what the underlying type this right he did there's no way it's he remembers that you and allocated through struck it could be any arbitrary types only if you have an identifying feel the Type ID only then you connection identified underlying touch I save object-oriented like languages likes jealousy sharp and so on never you allocated objects they have an object ID object type did it clearly identifies underlying type this is missing in C + + this is why we cannot explicitly check all the costs between any objects but only for holomorphic objects virtual classes so the figures this is did there's something missing here we need to be able to on do an actual type for any of these objects so according to the model after 34
C. 3 we figured we would to about and bring Taisei C to C + + and under on our underlying
idea is that the it we would take every single type costs so we do it in any check for every single type cost and then aggressively remove as many costs that we can as part of our design as part of our implementation the we're making type text explicit so we enforce an
explicit runtime check at all come up at all costs sites for dynamic costs static costs reinterpret costs and also seaside costing the now this sounds like a contradiction right I just told you that this is not possible for all in the existing framework that C + + tax because we have no way to identify the underlying type of an object how do we solve this problem may never you allocate an object whenever you are executed constructors or if you simply goes to the Al-Qaeda we remember that this memory area over here is of that particular type and we keep some form of of metadata table somewhere in the background that allows us to theory and look up for any byte in memory what type of justice this a piece of memory have and we can then use this information in any of the costs we can replace a static cost with an actual runtime checking and make sure that we detect a type confusion problem right when it happens right at the cost site and not plus much later than an actual memory corruption happens so we build a global type hierarchy during the compilation of the software and we keep track of the allocation type of each object to be instrument all forms of allocation and we keep this in our disjoint meter data table and then in a 2nd step we can execute for every single type cast that happens at 1 time we can execute this this check and make sure that actually matches
so we built this large system of based on Italian there the instruments source code on top of client lists additional explosives type checks during the the compilation we do object tracing it as part of additional held Poseidon and track the type parity and then at run time you can check if something fails or not and we have a hardened binary that does all the explicit type checks the compared to some prior work you may know you on which does the checking for holomorphic types only this allows us to check every single type courses out for static well for study costs and for that any costs to do this this
fine-grained checking the of the cover you object allocations recover placement new cover reinterpret cost and a bunch of other things right so the worked very hard to compile real softer including Chrome Firefox and other systems do not a problem is as soon as you enforce full type checks for every single cost you run into impressive overheads said our main task was to reduce your had to make it more useful so on 1 hand the limits tracing to unsafe objects if an object is only used in a safe context the for example there's only if it has never been used for costing we don't need to instrumented you don't need to remember remember the type of the underlying object if an object is everything constant we don't need to worry about it right they can remove tracing for typesetter never cast in the programs on the limit checking to unsafe costs so we do some study were ification inside the scope of a function to figure out what parts of the code are actually used in a safe way and this also allows us to remove some of the all of the costs but we also replace all the dynamic causes our special form of costing as it turns out our cost that we have developed using or metadata information is much faster than any costs done through the RTI information that's the original signals for cinema cost us I'm as it turns out that in a cost has never been optimized people don't really use dynamic constitute a performance overhead therefore it's not been optimize therefore it's not being used so it's this is endless circle a life you replace all the Burma causes our type but type cost you can actually improve the performance of all that but
the interestingly but is doing this based system we already found for new 1 abilities in Apache Xerxes which is a large XML processing library and in Burberry there cost speedy from and non-text text implementation node to Don element implementation of which allowed us to reinterpret these bodies types in different ways the and it also font type confusion in other the QT based library going from the note-based today to the map the map node itself and those were easy low-hanging fruit study followed by simply compiling software and running it on a day-to-day use so the by simply compiling your C + + software our type the type checker you can already find 1 abilities and books In this offer by just running them in your day-to-day settings the this was step 1 and we found of a bunch of of different 1 abilities but you wanted to go further so a couple of weeks before the Congress who started to follows
all the things as it turns out you can
combine all were pipes safety mechanisms where's a AFL so you can compile the any arbitrary C + + softer with Our Hicks types LDM-based instrumentation and you then run the software on top of LOD and you've you've posits to find different forms of type confusion is simply let a folded smash magic and you have to invest some time into triaging all the type confusion reports and you'll figure out different forms of abilities comment at this point in time I would like to on if a huge shot out to students that actually all the work and invested a lot of time into developing the systems and and triaging own abilities this building there the system and playing with it for for such time so we spent some time fuzzing on
our Diderot fuzzing cluster that we have under the the a disk of 1 of 2 students use it as a very low power power setting you we have 5 machines that on that were running different pieces of software but nevertheless we found quite a couple
of of interesting cases so after 2 weeks of flooding we found 2 new type confucian bugs and qt core unfortunate exploitable but I would've already been fixed and acknowledged by the developers he found 1 more body in success and he found on 7 issues or reports and let's ask reversal looking if they're exploitable or not and as it turns out pretty much every softer you throw at it will generate a couple of reports and there's part of some of these reports are due to the underlying problems with this C + + as there's no explicit type information on the developers are abusing the type system in many other ways which leads to some spurious reports cell actually triaging in figuring out if it is an actual book or not adds additional were the so you have to spend some time some time to look into it and as for example is let's us now we focused most of our time on small software to test the scalability of our approach and to find some some reasonable bucks but we also looked at Firefox for a while also to test our the performance overhead for example so
the our desired results for Firefox that we currently have and the folly impressive it so based on a specific set of of benchmarks we found let's just say some type confusion reports and you're still figuring out on how we can handle these large amount of type future parts may of them will be doubly cats and even more of them will be false positives and you're working hard and triaging and trying to reduce them to a smaller set also of actual books that we can fit then report to the Firefox of Firefox people the big problem that we're facing for Firefox also for chrominance but much more so for Firefox that the code is really really messy of a hard problem that we have here is that of Firefox has several allocators that is different forms of or different locations in the codes that handle different parts of the heapsort different keeps still that move data back and forth that share data and is very all allocators that are missing with different parts of the there's not a US 7 billion type confusion books in Firefox or at least you hope so the the case that the number will be much lower but it's a it's a 1st step and they're working on on reducing them so Firefox's ongoing work and we'll see how we can of how we can get there and making more more useful on if you if you end up after by or 6 days of but of fuzzing mishandling reports it's clear to many that we have to figure out how to how to reduce them to the see which ones can be it interesting
so the little there could in his concluding remarks remarks what did he do whatever whatever steps forwards How can we improve from here the on 1 hand
time 1 to follows all the things so we want to go deeper on find more suffering to find better test cases better better fuzzy inputs and get deeper coverage 40 all world systems and especially looking at Firefox 1 thing we want to do is we want to select a fuzzy so instead of just blindly fuzzing on a large software system which may result in a large amount of false positives due to do weighted this office architected that think about the the Firefox example again you allocate an object it may be reused in different times without being freed this would funding so or or let me take a step back right so that 1 of the problems is seen as Firefox let large amount of reports is that you often a locate an object you return this object to a pool you know the developer knows that there's no more life reference that object but is then being re-interpreted and reused as a different type of object which heats a type confucian report but this is not the and actually exploitable but it's just a work of lack of a type system that C + + have the so you want to move towards mosses selective fall fussing worry can say hey we're only interested in this subset of the type hierarchy so we want to do explicit type checks for this subset of the hypercube we're not interested in anything else to focusing on for example just the dome orchestre telescript script objects or something like that in addition to that they're also looking into an always on check for polymorphic objects I think it is think back to the contraflow hijacking defense talked about in the beginning of the talk of 1 option is that you check the type of the object whenever you do a virtual dispatch this would protect against the the type confucian from from the 4 right on and thank as in as an
example if you're looking at the at at the code here the before I could also when I compiled and it made 2 versions that you may have observed the 2nd version is Mr. type safety mechanism and if I run it persist type-safety could protection instead of
I'm opening up the calculator it actually reports type-safety or type confusion so we want to extend this into the our
but of bigger and larger systems of it can it can run partially we can build it on top of of Firefox and selective flective part we can also use it for your software to specifically protect against these dispatch abilities as we just saw here as the high wanted to dispatch we stop the execution and terminates the program this
that actually conclude the on confucian is fundamental in today's exploit there's a set of existing solutions that are incomplete partial and slow and make it but Marie hard for us to protect the systems and especially in large software systems like Chrome Firefox and other large large mechanisms we need to develop new ways to protect force type-safety at runtime and my presentat but picks type which is an LDM-based extension that allows you to trap upon type confusion they can compile your software on with this type confusion protection which allows you to track the true type of every object that he allocate and then upon typecasts or dispatches allows you to do an actual type-checked so can trap at the type confucian and not at the later memory safety violations I showed you 1 application of this approach nervous combined or hex type mechanism that that's the type checking with of fuzzing approach and we found a nice set of of bugs and that are now being fixed were were fixed the overall this has reasonable or so for Firefox depending on the benchmark we have between 0 and 50 per cent of the the on overhead and you can integrate it received all 4 broad book discovery and as always with our research it's all open source so you can download the system you can play visited it takes about 15 minutes to build it on on your machine on you can then compile your softer this elegant and fold type checking and with that I would like to thank you for your attention and happy to take any questions this and was it was so um we have 4 microphones here 1 2 3 4 where you can now mass questions add and just to be clear a question is like 1 sentences with a question mark behind it and with that I'm going to go to microphone to the fact of this this is slow would also be possible to have a compiler but in that prevents you from using static custard component I could we could build something that only allows it to you those knowledge used because combined with uh that establish the but let me think about your question what would you want to detect the type confucian statically or would you just 4 bits the programmer from using the standard costs for any object that has a virtual function so I just want to prevent books that usually in C + + we try to notice much shaking as possible at about and so we are in different words so it would be nice to this allowed them to become cast for anything that this approach true something but this is also because you yeah so you peace and followed a similar approach they convert and make all the static costs for holomorphic objects into dynamic costs and simply replace them on unfortunately as of the the 3 3 examples show the base class is not necessarily holomorphic so you run into the year at runtime behavior where so all what's a like the base class is not holomorphic and if you turn that a constant then the cost you fail right so that there's C + + code is really really messy on it's very hard for you to act it simply replaced and you can reported as a warning all this part of to compile process but in the end you need to you need to support our non-polymorphic base classes which are surprisingly frequent especially for our 4 brothers as we found that if they're several base classes that are non-polymorphic that to a microphone 3 8 but is voice great all um you mentioned that in Firefox you have the problem that some objects were freed and we use so was wanna introdu build on top of from a memory safety analysis and you take that information to account to make your analysis more precise sure about the process memory safety usually clocks in at like 2 3 x overhead solid is actually more expensive than what we are doing but it wouldn't be an obstacle to fuzzing right but if you only use of a fuzzy number and right on sure about i ideally you you would combine it with additional sanitizers false you would you'd use our our tight sanitizer combined with that of his is of a spatial and temporal memory safety sanitizers also you can you can use it as a sentence or in addition to that on I I you ask about this the the additional data that you have from the type safety system ah story from the members if 2 system would be useful in our analysis and I would ask you that the temp oral memory safety sanitizer will run into the same problem by said this is this is C B or C + + you have a lot of untyped memory and Firefox simply reuses the memory even though they're references to it and then just change the type 1 errors and is allowed according to C + + semantics and again adding something illegal it's just that it is really really messy and we'll have to work around these these quirks that they have their thanks and of microphone for if I do we call a friend and a bit of a puzzle by because our just because the title from was not check them OK it doesn't mean that it doesn't exist so it wouldn't it be better to have some of static solutions like but preventing the thing but this that static n forcing others to use them in don't also link it would be used much faster than having a further falls the entire application because the result of and the problem this board compile-time and not the throwing some of the things that chart this would be a great solution unfortunate doesn't scale I try try to do this for 75 million lines of code where you have 200 thousand violations so that rewriting all the whole softer stack is always a solution you may run into time constraints I didn't this is just the source space that we have to live a it's a great solution so you're you're approach would actually work really well there are 2 of protect against these down costs sorry legal down downcast confused on costs the you may have a hard time rewriting all the softer and there are and polar more fake objects where he cannot enforce of than any costs but they can only do dynamic costs for polar Morphic objects they may have any legal down costs for non-polymorphic object itself that would be if you could take the configure offline it sounds a little girl about microphone to but thank you for the talk i will you give an example counter to it at the very beginning you uniquely and instead has introduced the code and this is in exactly correct is that everything is implementation-defined at this point but you can you can shift
especially when you're going from attack has multiple inheritance and the shift around to get to the correct books on this introduces a very specific type of type confusion about where if 1 has to avoid point and then from the void pointer to the different type in a chain it will do the shifting property and it also is a very this is the 1 that might be hard hot him to catch how you how you intend to catch those ones but you were always yes you wouldn't mind he know his level of memory you all the memory for instance if I you use in the real world is all I to use them is the fact that you anything you want you find those various levels to time as I whenever you call back into some water type we look up what is the type of this object if is through the into through everything is fine always quarter of their and this linear casting from going going to be due to the new costing from anything OK thank you so we really need to do most of the talking about this is of the have you have here on the side of our 1 of these features is that of course have on on I just want you to call of this of feature which which pretty much on the part you just the parentheses and the target by on this is pretty much a hammer hammer this object and this is all the time but it has made this or underlying memory area in all of this all the time so this is the pretty much the obvious thing you can do if your programming was close never ever under any circumstances use you start off because really messes up the the underlying file system the thanks microphone 3 I also agree here you try here to live her and what happens we did not I believe Iran and this Firefox mostly we tried a little those come on again want 1 of our future work so as to be ported to more softer and large the so far for this presentation eerie focus most in smaller libraries and so on yeah I've anyway once you to offer more resources the free of life you want to run it on safari it's open source knowledge building on your system run it on safari and report the results yet it just my heart here that you may have even more of a spare parts taking issues with the way that they do testing the dough I think like did the difference he from between Firefox and Chrome so I don't know what a for a but I can tell you an anecdote between the difference of about the differences between Firefox and Chrome the Firefox has a very old code base today there's a lot of ugliness hidden in there so we found from the things that on that do directs dispatches or indirect patches In in assembly code and the doing the itself to be table pointers in in in line a summit is due to the legacy of nature or Firefox while in Chrome chrome is a much more recent code base and it uses a much more recent see for sparse centers it's much nicer and much less likely to we find bugs in there so just at the age of the codebase on is that for a for Firefox or needs to have a large amount of potential abilities so some refactoring is needed but by going for um yeah would be would use like super call on emerges my question is like but do the concept of down testing is a code smell right and is in your school talent like people to keep code smell and keep writing smelly code basically and I assume libraries and say well only have a good basis would be better to have like something that would help people to to write notes to encode sure let's rewrite everything in rust I'm I'm all for it right the the sisters 100 + million lines of code that are lying around and we can easily ported and the the job that we try to do is we try to make it as secure as possible and we try to find apprehension wall abilities in the existing code base if you have unlimited resources is stops right now rewrite everything we have them in a safe language sure I'm animal animal opt for it Our is is the fact that we have this large amount of code that is out there and you're using it right so you have to do the best that we can to bump up the protection for his code as much as possible microphone to the things for a war and do very similar idea for the code the yes is the asset is in this world who were already there aid read something about it us all of it is in progress and we can talk offline about it year old the the OK microphone 3 into for the local so I would like to know why you right the do they do that that's a during location and the building in a site you contacted the Chu you more accurately and you would also be was the solved the problem of course for the every type has a constructive OK so the of what would we do pretty much as the new many allocate new type we don't run it in the allocated but as part of Klein be nobody allocators or and we can then target and adds the metadata as additional code so as part of our playing past we detect where ever the is being allocated or their individual costs of yeah allocators art and the target and then instrumented in a later step this allows us to tackle all the locations and not just those are the ones that have constructors so it allows us to extend the coverage for to not just all classes constructors but although the object allocations you so imagine and this is something we found on some older software as well you allocate the you called now look on a structure and then use it as a class you would never be able to detect it as part of all instrumenting a constructor and this actually happens in in suffer like Firefox and on older could basis you you call malloc instead of new and use structured instead of a class the N sets the code is really really ugly and here you see the the similarity between C and C + + Indian the class just structure and if you allocate objects as structure you may end up missing a large amount of objects shouldn't encourage is because then they complain combined and he's you cast striped across it's it's all like the the uh at not a class can be struck by the area equivalent if it's the same types it if you can use the structures of this type this and they can have a class that is a descendant of that struck all right this demo thank you C + + is ugly the with it only about and with that we end at the end of a questions um I like to thank the speaker but yes again for his wonderful talk and contribution to the C + + well on lucrative and more the in that you were much the thachd the 1st
St St St sects back back
Objektverfolgung
Bit
Typentheorie
Subtraktion
Typprüfung
Compiler
Güte der Anpassung
Gateway
Programm
Hierarchische Struktur
Quick-Sort
Code
Dijkstra-Algorithmus
Bildschirmmaske
Menge
Typentheorie
Festspeicher
Mereologie
Computersicherheit
Maßerweiterung
Streaming <Kommunikationstechnik>
Maschinelles Sehen
Gerade
Typentheorie
Subtraktion
Punkt
Abstraktionsebene
Browser
Automatische Handlungsplanung
Physikalisches System
Rechnen
Code
Kernel <Informatik>
Bildschirmmaske
Menge
RPC
Flächentheorie
Gerade Zahl
Typentheorie
Gerade
Kernel <Informatik>
Typentheorie
Subtraktion
Nabel <Mathematik>
Systemverwaltung
Flächentheorie
Digital Rights Management
Programm
Google Chrome
Code
Kernel <Informatik>
Informationsmodellierung
Bildschirmmaske
Prozess <Informatik>
Endogene Variable
Bildschirmfenster
Primitive <Informatik>
Figurierte Zahl
Gerade
Softwaretest
Gebäude <Mathematik>
Güte der Anpassung
Datenmodell
Systemverwaltung
Google Chrome
Sampler <Musikinstrument>
Vektorraum
Physikalisches System
Elektronische Publikation
Unterraum
Menge
Rechter Winkel
Datenverarbeitungssystem
Konditionszahl
Mereologie
Ablöseblase
Kraftfahrzeugmechatroniker
Subtraktion
Spyware
Computersicherheit
Physikalisches System
Rechnen
Fokalpunkt
Code
Integral
Netzwerktopologie
Bildschirmmaske
Menge
Konditionszahl
Kontrollstruktur
Spyware
Kontrollfluss
Ordnung <Mathematik>
Typentheorie
Subtraktion
Prozess <Physik>
Punkt
Kontrollstruktur
Nabel <Mathematik>
Virtualisierung
Adressraum
Klasse <Mathematik>
Programm
Implementierung
Hierarchische Struktur
Kartesische Koordinaten
Code
Richtung
Benutzerbeteiligung
Bildschirmmaske
Vererbungshierarchie
Auswahlverfahren
Zeiger <Informatik>
Nichtlinearer Operator
Addition
Schnelltaste
Lineares Funktional
Siedepunkt
Güte der Anpassung
Datenmodell
Physikalisches System
Auswahlverfahren
Menge
Softwareschwachstelle
Mereologie
Server
Garbentheorie
Speicherverwaltung
URL
Tabelle <Informatik>
Resultante
Hydrostatik
Subtraktion
Typentheorie
Einfügungsdämpfung
Minimierung
Compiler
Gruppenoperation
Klasse <Mathematik>
Hierarchische Struktur
Information
Gesetz <Physik>
Last
Bildschirmmaske
Typentheorie
Code
Operations Research
Speicher <Informatik>
Zeiger <Informatik>
Maßerweiterung
Programmiersprache
Nichtlinearer Operator
Siedepunkt
Diskretes System
Rechenzeit
Feasibility-Studie
Computersicherheit
Systemidentifikation
Rechenzeit
Ausnahmebehandlung
Quellcode
Zeiger <Informatik>
Auswahlverfahren
Objekt <Kategorie>
Flächeninhalt
Forcing
Festspeicher
Identifizierbarkeit
Information
Compiler
Ordnung <Mathematik>
Message-Passing
Tabelle <Informatik>
Resultante
Addition
Typentheorie
Sichtenkonzept
Typprüfung
Minimierung
Klasse <Mathematik>
Programm
Rechenzeit
Gasströmung
Zeiger <Informatik>
Code
Objekt <Kategorie>
Last
Last
Typentheorie
Vererbungshierarchie
Zeiger <Informatik>
Beobachtungsstudie
Typentheorie
Bit
Vererbungshierarchie
Computersicherheit
Klasse <Mathematik>
Rechenzeit
Quick-Sort
Hydrostatik
Objekt <Kategorie>
Typentheorie
Festspeicher
Vererbungshierarchie
Overhead <Kommunikationstechnik>
Ordnung <Mathematik>
Zeiger <Informatik>
Message-Passing
Addition
Lineares Funktional
Klasse <Mathematik>
Typentheorie
Bit
Physikalischer Effekt
Hochdruck
Klasse <Mathematik>
Kartesische Koordinaten
Vektorraum
Hochdruck
Integral
Objekt <Kategorie>
Verkettung <Informatik>
Softwareschwachstelle
Ganze Zahl
Typentheorie
Festspeicher
Vererbungshierarchie
URL
Ordnung <Mathematik>
Zeiger <Informatik>
Tabelle <Informatik>
Subtraktion
Typentheorie
Punkt
Kontrollstruktur
Klasse <Mathematik>
Programm
Oval
ROM <Informatik>
Framework <Informatik>
Statechart
Typentheorie
Vererbungshierarchie
Flächeninhalt
Zeiger <Informatik>
Demo <Programm>
Leistung <Physik>
Parametersystem
Lineares Funktional
Sichtenkonzept
Physikalisches System
Zeiger <Informatik>
Objekt <Kategorie>
Dienst <Informatik>
Datenfeld
Körper <Physik>
Flächeninhalt
Festspeicher
Tabelle <Informatik>
Zeichenkette
Beobachtungsstudie
Betriebsmittelverwaltung
Hydrostatik
Typentheorie
Compiler
Rechenzeit
Systemaufruf
Rechnen
Homepage
Integral
Objekt <Kategorie>
Statechart
Kompakter Raum
Vererbungshierarchie
Codierung
Demo <Programm>
Hydrostatik
Lineares Funktional
Typentheorie
Punkt
Compiler
Browser
Klasse <Mathematik>
Klassische Physik
Hierarchische Struktur
Implementierung
Physikalisches System
Quellcode
Datenfeld
Minimalgrad
Kommandosprache
Softwareschwachstelle
Basisvektor
Mereologie
Vererbungshierarchie
Ordnung <Mathematik>
Zeiger <Informatik>
Demo <Programm>
Tabelle <Informatik>
Resultante
Teilmenge
Bildschirmmaske
Typentheorie
Typprüfung
Typentheorie
Gruppe <Mathematik>
Festspeicher
Physikalisches System
Auswahlverfahren
Richtung
Einfach zusammenhängender Raum
Maschinenschreiben
Lineares Funktional
Klasse <Mathematik>
Typentheorie
Virtualisierung
Rechenzeit
Formale Sprache
Klasse <Mathematik>
Modifikation <Mathematik>
Rechenzeit
Gasströmung
Objekt <Kategorie>
Hydrostatik
Informationsmodellierung
Bildschirmmaske
Datenfeld
Rechter Winkel
Typentheorie
Holomorphe Funktion
Zeiger <Informatik>
Datenstruktur
Overhead <Kommunikationstechnik>
Figurierte Zahl
Tabelle <Informatik>
Betriebsmittelverwaltung
Hydrostatik
Klasse <Mathematik>
Typentheorie
Web Site
Weg <Topologie>
Compiler
Implementierung
Hierarchische Struktur
Framework <Informatik>
Hydrostatik
Metadaten
Bildschirmmaske
Weg <Topologie>
Software
Typentheorie
Meter
Betriebsmittelverwaltung
Implementierung
Fehlermeldung
Diskretes System
Rechenzeit
Rechenzeit
Einfache Genauigkeit
Gasströmung
Objekt <Kategorie>
Bildschirmmaske
Hierarchische Struktur
Flächeninhalt
Rechter Winkel
Festspeicher
Mereologie
Information
Tabelle <Informatik>
Betriebsmittelverwaltung
Typentheorie
Compiler
Programm
Programmverifikation
PASS <Programm>
Information
Binärcode
Metadaten
Client
Typentheorie
Code
Auswahlverfahren
Betriebsmittelverwaltung
Lineares Funktional
Addition
Physikalischer Effekt
Globale Optimierung
Quellcode
Kontextbezogenes System
Hierarchische Struktur
Gerade Zahl
Verschlingung
Information
Overhead <Kommunikationstechnik>
Programmbibliothek
Explosion <Stochastik>
Objekt <Kategorie>
Ablaufverfolgung
Code
Überlagerung <Mathematik>
Task
Open Source
Bildschirmmaske
Computerspiel
Inverser Limes
Holomorphe Funktion
Beobachtungsstudie
Binärcode
Kreisfläche
Rechenzeit
Einfache Genauigkeit
Mailing-Liste
Physikalisches System
Überlagerung <Mathematik>
Inverser Limes
Objekt <Kategorie>
Mereologie
Wiederherstellung <Informatik>
Beobachtungsstudie
Typentheorie
Subtraktion
Prozess <Physik>
Fuzzy-Logik
Implementierung
Physikalisches System
Element <Mathematik>
Mapping <Computergraphik>
Knotenmenge
Menge
Software
Typentheorie
Programmbibliothek
Programmbibliothek
Kraftfahrzeugmechatroniker
Typentheorie
Subtraktion
Punkt
Ortsoperator
Gebäude <Mathematik>
t-Test
Physikalisches System
Virtuelle Maschine
Software
Bildschirmmaske
Programmfehler
Software
Mini-Disc
Compiler
Figurierte Zahl
Verkehrsinformation
Leistung <Physik>
Resultante
Betriebsmittelverwaltung
Typentheorie
Subtraktion
Gemeinsamer Speicher
Zellularer Automat
Zahlenbereich
Code
Interrupt <Informatik>
Eins
Bildschirmmaske
Skalierbarkeit
Reverse Engineering
Software
Code
Softwareentwickler
Benchmark
Umwandlungsenthalpie
DoS-Attacke
Physikalisches System
Exploit
Programmfehler
Menge
Mereologie
Codierung
Speicherabzug
Information
URL
Overhead <Kommunikationstechnik>
Computerunterstützte Übersetzung
Verkehrsinformation
Objekt <Kategorie>
Typentheorie
Subtraktion
Hypercube
Ortsoperator
Modifikation <Mathematik>
Hierarchische Struktur
Computerspiel
Software
Konsistenz <Informatik>
Trennschärfe <Statistik>
Typentheorie
Skript <Programm>
Softwareentwickler
Softwaretest
Addition
Fuzzy-Logik
Modifikation <Mathematik>
Physikalisches System
Konfiguration <Informatik>
Office-Paket
Objekt <Kategorie>
Teilmenge
Software
Overhead <Kommunikationstechnik>
Verkehrsinformation
Kraftfahrzeugmechatroniker
Explosion <Stochastik>
Typentheorie
Typprüfung
Synchronisierung
Versionsverwaltung
Programm
Physikalisches System
Rechnen
Code
Wurm <Informatik>
Software
Typentheorie
Trennschärfe <Statistik>
Mereologie
Betriebsmittelverwaltung
Typentheorie
Vektorpotenzial
Demo <Programm>
Desintegration <Mathematik>
Programm
Partielle Differentiation
Twitter <Softwareplattform>
Raum-Zeit
Formale Semantik
Metadaten
Typentheorie
Dateiverwaltung
Gerade
Benchmark
Verschiebungsoperator
Softwaretest
Addition
Kraftfahrzeugmechatroniker
Typprüfung
Kategorie <Mathematik>
Gebäude <Mathematik>
Temporale Logik
Schwach besetzte Matrix
Auswahlverfahren
Exploit
Menge
Polarisation
Forcing
Rechter Winkel
Festspeicher
Ablöseblase
Benutzerführung
Fehlermeldung
Instantiierung
Tabelle <Informatik>
Subtraktion
Hyperbelverfahren
Wasserdampftafel
Klasse <Mathematik>
Äquivalenzklasse
Whiteboard
Virtuelle Maschine
Arithmetische Folge
Vererbungshierarchie
Programmbibliothek
Holomorphe Funktion
Maßerweiterung
Datenstruktur
Konfigurationsraum
Analysis
Open Source
Rechenzeit
Programmfehler
Fuzzy-Logik
Overhead <Kommunikationstechnik>
Wort <Informatik>
Resultante
Bit
Prozess <Physik>
Punkt
Natürliche Zahl
Formale Sprache
Familie <Mathematik>
Kartesische Koordinaten
Übergang
Eins
Prozess <Informatik>
Umwandlungsenthalpie
Lineares Funktional
Zentrische Streckung
Konstruktor <Informatik>
Assembler
Systemaufruf
Ähnlichkeitsgeometrie
Quellcode
Arithmetisches Mittel
Verkettung <Informatik>
Information
URL
Faltung <Mathematik>
Overhead <Kommunikationstechnik>
Refactoring
Nebenbedingung
Web Site
Zahlenbereich
Kombinatorische Gruppentheorie
ROM <Informatik>
Code
Hydrostatik
Computerspiel
Software
Zusammenhängender Graph
Zeiger <Informatik>
Sechsecknetz
Diskretes System
Physikalisches System
Fokalpunkt
Objekt <Kategorie>
Fundamentalsatz der Algebra
Flächeninhalt
Mereologie
Basisvektor
Hypermedia
Medianwert
Systemprogrammierung

Metadaten

Formale Metadaten

Titel Type confusion: discovery, abuse, and protection
Serientitel 34th Chaos Communication Congress
Autor gannimo
Lizenz CC-Namensnennung 4.0 International:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/34792
Herausgeber Chaos Computer Club e.V.
Erscheinungsjahr 2017
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Using an object of an incompatible base type instead of a derived type results in type confusion. Attackers have been abusing such type confusion issues to compromise popular software products including Adobe Flash, PHP, Google Chrome, or Firefox, raising critical security concerns. We discuss the details of this vulnerability type and how such vulnerabilities relate to memory corruption. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through fuzzing and how to protect yourself against this class of bugs.
Schlagwörter Security

Zugehöriges Material

Folgende Ressource ist Begleitmaterial zum Video
Video wird in der folgenden Ressource zitiert

Ähnliche Filme

Loading...
Feedback