DOCSLIB.ORG

Practical Control-Flow Integrity

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Practical Control-Flow Integrity by Ben Niu Presented to the Graduate and Research Committee of Lehigh University in Candidacy for the Degree of Doctor of Philosophy in Computer Science Lehigh University January, 2016 Copyright © 2015 Ben Niu. All rights reserved. ii Approved and recommended for acceptance as a dissertation in partial fulfillment of the re- quirements for the degree of Doctor of Philosophy. Ben Niu Practical Control-Flow Integrity Date Gang Tan, Dissertation Director Accepted Date Committee Members Gang Tan (Chair) Mooi-Choo Chuah Michael Spear Stephen McCamant iii ACKNOWLEDGEMENTS I am very grateful to my great advisor Prof. Gang Tan. I had no idea how to do research when I came to Lehigh, and he taught me what to think of, how to think, how to present my thoughts, and how to write them down. His door was always open for discussion, he replied emails during weekends, and he provided detailed guidance on any technical problem. I was constantly surprised at his breadth of knowledge and depth of understanding, and I enjoyed working with him. I also thank my thesis committee members, Prof. Mooi-Choo Chuah, Prof. Michael Spear, and Prof. Stephen McCamant for their courses, research works and insightful comments on my research. Michael’s parallel programming course introduced me lock-free algorithms and his operating system course consolidated my system programming skills. Stephen’s research on SFI provided me a foundation in my research, without which I would be still looking for decent solutions. I appreciate my colleagues at MSRC during my internship at Microsoft, especially Matt & Ken, Suha, Vishal, Swamy, Joe, Axel and Marcus. Discussion with them about the design of Control- Flow Guard helps me better understand practicality of CFI. I owe a big debt of gratitude to my apprehensive wife Yinzi, without whose company I could never finish this dissertation. I also thank her for bringing our daughter Jill to the world, who brought our family hope and joy, and I could not imagine how my life would be without her. Moreover, I am very thankful for the invaluable help and support my parents and parents-in-law provided during this adventure. Last but not least, I thank my friends Zheng Shi, Shen Liu, Qi Li, Junqi Chen, Zhongyuan Wei, Zhongliang Liang, Mengtao Sun, Dongrui Zeng, Zi Wang, Bin Zeng and Siliang Li for their generous help in my daily life. iv To my family. v Contents List of Tables x List of Figures xii Abstract 1 1 Introduction 2 1.1 Control-Flow Hijacking .................................. 2 1.2 Deployed Defenses ..................................... 4 1.3 Control-Flow Integrity ................................... 6 1.3.1 Threat Model .................................... 7 1.3.2 The Classic Implementation of CFI ........................ 8 1.3.3 Granularity of CFI ................................. 9 1.4 Practical Issues of Previous CFI .............................. 10 1.5 Challenges to CFI Practicality ............................... 12 1.6 Thesis Statement ...................................... 14 1.7 Contributions ........................................ 14 1.8 This Dissertation versus Previous Publications ..................... 14 1.9 Outline ............................................ 15 2 Modular Control-Flow Integrity 16 2.1 Overview ........................................... 16 vi 2.2 Fine-grained CFG Generation ............................... 17 2.2.1 Source-Level Semantics-based CFG Generation ................ 17 2.2.2 CFG Soundness ................................... 24 2.2.3 CFG Precision Loss ................................. 28 2.3 Modularity and Efficiency ................................. 30 2.3.1 Design of IDs and ID Tables ............................ 32 2.3.2 Memory Layout of MCFI and Protection of ID Tables ............. 34 2.3.3 CFG Check and Update Transactions ...................... 35 2.4 Interoperability ....................................... 43 2.5 Implementation ....................................... 46 2.6 Evaluation .......................................... 46 2.6.1 CFG Statistics .................................... 47 2.6.2 Performance Evaluation .............................. 52 2.7 Future Work ......................................... 54 2.8 Summary ........................................... 56 3 Per-Input Control-Flow Integrity 58 3.1 Overview ........................................... 58 3.1.1 Motivation for per-input CFGs .......................... 60 3.1.2 From edge addition to address activation .................... 63 3.2 System Design ........................................ 64 3.2.1 Secure code patching ................................ 64 3.2.2 Address activation ................................. 66 3.2.3 Compatibility issues ................................ 73 3.3 Implementation ....................................... 75 3.4 Evaluation .......................................... 75 3.4.1 ECFG Statistics ................................... 75 3.4.2 Performance Evaluation .............................. 78 3.5 Future Work ......................................... 79 vii 3.6 Summary ........................................... 81 4 RockJIT 82 4.1 Overview ........................................... 82 4.2 System Design ........................................ 83 4.2.1 Common JIT Architecture ............................. 83 4.2.2 RockJIT Architecture ................................ 85 4.2.3 RockJIT CFG Generation .............................. 85 4.3 JITted Code Manipulation ................................. 87 4.3.1 JITted Code Verification .............................. 88 4.3.2 JITted Code Installation, Deletion, and Modification .............. 90 4.4 Modification to a JIT compiler ............................... 91 4.5 Evaluation .......................................... 93 4.5.1 SCFG and ECFG Statistics ............................. 93 4.5.2 Performance Overhead .............................. 94 4.6 Future Work ......................................... 96 4.7 Summary ........................................... 97 5 Security Analysis 98 5.1 Mitigation of Advanced Attack Forms .......................... 99 5.1.1 Just-In-Time Code Reuse .............................. 99 5.1.2 JIT Spraying ..................................... 100 5.1.3 Counterfeit Object-Oriented Programming ................... 101 5.1.4 Control-Flow Bending ............................... 101 5.1.5 Control Jujutsu ................................... 102 5.1.6 Sigreturn-Oriented Programming ........................ 103 5.2 Comparison with Deployed Defenses .......................... 103 5.2.1 Stack Cookie ..................................... 103 5.2.2 ASLR ......................................... 104 5.3 Limitations of CFI and Future Research ......................... 105 viii 6 Related Work 108 6.1 Control-Flow Integrity ................................... 108 6.2 Software-based Fault Isolation ............................... 110 6.3 JIT Compiler Hardening .................................. 110 6.4 Software Transactional Memory .............................. 111 7 Conclusions 113 Bibliography 124 Vita 125 ix List of Tables 2.1 Condition violations in SPECCPU2006 C benchmarks. ................. 26 2.2 Numbers of cases for the two kinds of violations. .................... 27 2.3 Condition violations in SPECCPU2006 C++ benchmarks. ............... 28 2.4 CFG statistics for SPECCPU2006 C/C++ benchmarks. ................. 48 2.5 Edge distribution for SPECCPU2006 C/C++ benchmarks. ............... 48 2.6 CFG statistics for SPECCPU2006 C/C++ benchmarks without tail-call elimination. 49 2.7 Equivalence class loss of returns. ............................. 50 2.8 Equivalence class loss due to legalized C++ upcalls. .................. 50 2.9 Equivalence class loss due to C++ method pointers. .................. 51 2.10 CFG generation time decomposition. ........................... 52 3.1 ECFG statistics of SPECCPU2006 C/C++ benchmarks. ................ 76 3.2 ECFG statistics of Nginx .................................. 79 4.1 Equivalence classes for Google V8 JavaScript compiler. ................ 93 4.2 ECFG statistics of the Google V8 JavaScript engine. .................. 94 4.3 Performance overhead contributors to RockJIT-hardened V8. ............. 95 x List of Figures 1.1 A stack buffer overflow bug (CVE-2013-2028) in Nginx 1.4.0. ............. 3 1.2 A proof of concept example of Return-Oriented Programming (ROP) attacks. ... 5 1.3 An example of the ClassicCFI instrumentation for x64 Linux. ............. 9 2.1 A toy C++ example of virtual method call targets. ................... 18 2.2 An example about C++ function pointers. ........................ 19 2.3 Control transfers during C++ table-based exception handling. ............ 21 2.4 Metadata annotation for the assembly code of memcpy. ................. 23 2.5 Bad function pointer type cast example in C. ...................... 24 2.6 Example of CFG precision loss due to MCFI tail-call elimination. .......... 29 2.7 Example of CFG precision loss because of indirect calls. ................ 30 2.8 Example code of CFG precision loss due to C++ method pointers. .......... 31 2.9 MCFI’s ID Encoding for x64. ................................ 32 2.10 Memory layout of MCFI. .................................. 36 2.11 Pseudocode for implementing update transactions. .................. 39 2.12 Implementation of check transactions for x64 return instructions. .......... 40 2.13 A compatibility condition violation introduced by the interoperability support. 44 2.14
Recommended publications
  • Compiling Sandboxes: Formally Verified Software Fault Isolation

    Compiling Sandboxes: Formally Verified Software Fault Isolation

    Compiling Sandboxes: Formally Verified Software Fault Isolation Frédéric Besson1[0000−0001−6815−0652], Sandrine Blazy1[0000−0002−0189−0223], Alexandre Dang1, Thomas Jensen1, and Pierre Wilke2[0000−0001−9681−644X] 1 Inria, Univ Rennes, CNRS, IRISA 2 CentraleSupélec, Inria, Univ Rennes, CNRS, IRISA Abstract. Software Fault Isolation (SFI) is a security-enhancing pro- gram transformation for instrumenting an untrusted binary module so that it runs inside a dedicated isolated address space, called a sandbox. To ensure that the untrusted module cannot escape its sandbox, existing approaches such as Google’s Native Client rely on a binary verifier to check that all memory accesses are within the sandbox. Instead of rely- ing on a posteriori verification, we design, implement and prove correct a program instrumentation phase as part of the formally verified com- piler CompCert that enforces a sandboxing security property a priori. This eliminates the need for a binary verifier and, instead, leverages the soundness proof of the compiler to prove the security of the sandbox- ing transformation. The technical contributions are a novel sandboxing transformation that has a well-defined C semantics and which supports arbitrary function pointers, and a formally verified C compiler that im- plements SFI. Experiments show that our formally verified technique is a competitive way of implementing SFI. 1 Introduction Isolating programs with various levels of trustworthiness is a fundamental se- curity concern, be it on a cloud computing platform running untrusted code provided by customers, or in a web browser running untrusted code coming from different origins. In these contexts, it is of the utmost importance to pro- vide adequate isolation mechanisms so that a faulty or malicious computation cannot compromise the host or neighbouring computations.
  • Defeating Memory Corruption Attacks Via Pointer Taintedness Detection

    Defeating Memory Corruption Attacks Via Pointer Taintedness Detection

    Defeating Memory Corruption Attacks via Pointer Taintedness Detection Shuo Chen †, Jun Xu ‡, Nithin Nakka †, Zbigniew Kalbarczyk †, Ravishankar K. Iyer † † Center for Reliable and High-Performance Computing, ‡ Department of Computer Science University of Illinois at Urbana-Champaign, North Carolina State University 1308 W. Main Street, Urbana, IL 61801 Raleigh, NC 27695 {shuochen, nakka, kalbar, iyer}@crhc.uiuc.edu [email protected] Abstract formal methods have been adopted to prevent Most malicious attacks compromise system security programmers from writing insecure software. But despite through memory corruption exploits. Recently proposed substantial research and investment, the state of the art is techniques attempt to defeat these attacks by protecting far from perfect, and as a result, security vulnerabilities are program control data. We have constructed a new class of constantly being discovered in the field. The most direct attacks that can compromise network applications without counter-measure against vulnerabilities in the field is tampering with any control data. These non-control data security patching. Patching, however, is reactive in nature attacks represent a new challenge to system security. In and can only be applied to known vulnerabilities. The long this paper, we propose an architectural technique to latency between bug discovery and patching allows defeat both control data and non-control data attacks attackers to compromise many unpatched systems. An based on the notion of pointer taintedness . A pointer is alternative to patching is runtime vulnerability masking said to be tainted if user input can be used as the pointer that can stop ongoing attacks. Compiler and library value. A security attack is detected whenever a tainted interception techniques have been proposed to mask value is dereferenced during program execution.
  • Representing and Reasoning About Dynamic Code

    Representing and Reasoning About Dynamic Code

    Representing and reasoning about dynamic code Item Type Proceedings Authors Bartels, Jesse; Stephens, Jon; Debray, Saumya Citation Bartels, J., Stephens, J., & Debray, S. (2020, September). Representing and Reasoning about Dynamic Code. In 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE) (pp. 312-323). IEEE. DOI 10.1145/3324884.3416542 Publisher ACM Journal Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020 Rights © 2020 Association for Computing Machinery. Download date 23/09/2021 23:26:56 Item License http://rightsstatements.org/vocab/InC/1.0/ Version Final accepted manuscript Link to Item http://hdl.handle.net/10150/652285 Representing and Reasoning about Dynamic Code Jesse Bartels Jon Stephens Saumya Debray Department of Computer Science Department of Computer Science Department of Computer Science The University Of Arizona University Of Texas The University Of Arizona Tucson, AZ 85721, USA Austin, TX 78712, USA Tucson, AZ 85721, USA [email protected] [email protected] [email protected] ABSTRACT and trace dependencies back, into and through the JIT compiler’s Dynamic code, i.e., code that is created or modified at runtime, is code, to understand the data and control flows that influenced the ubiquitous in today’s world. The behavior of dynamic code can JIT compiler’s actions and caused the generation of the problem- depend on the logic of the dynamic code generator in subtle and non- atic code. E.g., for the CVE-2017-5121 bug mentioned above, we obvious ways, e.g., JIT compiler bugs can lead to exploitable vul- might want to perform automated analyses to identify which anal- nerabilities in the resulting JIT-compiled code.
  • Using the GNU Compiler Collection (GCC)

    Using the GNU Compiler Collection (GCC)

    Using the GNU Compiler Collection (GCC) Using the GNU Compiler Collection by Richard M. Stallman and the GCC Developer Community Last updated 23 May 2004 for GCC 3.4.6 For GCC Version 3.4.6 Published by: GNU Press Website: www.gnupress.org a division of the General: [email protected] Free Software Foundation Orders: [email protected] 59 Temple Place Suite 330 Tel 617-542-5942 Boston, MA 02111-1307 USA Fax 617-542-2652 Last printed October 2003 for GCC 3.3.1. Printed copies are available for $45 each. Copyright c 1988, 1989, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being \GNU General Public License" and \Funding Free Software", the Front-Cover texts being (a) (see below), and with the Back-Cover Texts being (b) (see below). A copy of the license is included in the section entitled \GNU Free Documentation License". (a) The FSF's Front-Cover Text is: A GNU Manual (b) The FSF's Back-Cover Text is: You have freedom to copy and modify this GNU Manual, like GNU software. Copies published by the Free Software Foundation raise funds for GNU development. i Short Contents Introduction ...................................... 1 1 Programming Languages Supported by GCC ............ 3 2 Language Standards Supported by GCC ............... 5 3 GCC Command Options .........................
  • Bringing GNU Emacs to Native Code

    Bringing GNU Emacs to Native Code

    Bringing GNU Emacs to Native Code Andrea Corallo Luca Nassi Nicola Manca [email protected] [email protected] [email protected] CNR-SPIN Genoa, Italy ABSTRACT such a long-standing project. Although this makes it didactic, some Emacs Lisp (Elisp) is the Lisp dialect used by the Emacs text editor limitations prevent the current implementation of Emacs Lisp to family. GNU Emacs can currently execute Elisp code either inter- be appealing for broader use. In this context, performance issues preted or byte-interpreted after it has been compiled to byte-code. represent the main bottleneck, which can be broken down in three In this work we discuss the implementation of an optimizing com- main sub-problems: piler approach for Elisp targeting native code. The native compiler • lack of true multi-threading support, employs the byte-compiler’s internal representation as input and • garbage collection speed, exploits libgccjit to achieve code generation using the GNU Com- • code execution speed. piler Collection (GCC) infrastructure. Generated executables are From now on we will focus on the last of these issues, which con- stored as binary files and can be loaded and unloaded dynamically. stitutes the topic of this work. Most of the functionality of the compiler is written in Elisp itself, The current implementation traditionally approaches the prob- including several optimization passes, paired with a C back-end lem of code execution speed in two ways: to interface with the GNU Emacs core and libgccjit. Though still a work in progress, our implementation is able to bootstrap a func- • Implementing a large number of performance-sensitive prim- tional Emacs and compile all lexically scoped Elisp files, including itive functions (also known as subr) in C.
  • Hop Client-Side Compilation

    Hop Client-Side Compilation

    Chapter 1 Hop Client-Side Compilation Florian Loitsch1, Manuel Serrano1 Abstract: Hop is a new language for programming interactive Web applications. It aims to replace HTML, JavaScript, and server-side scripting languages (such as PHP, JSP) with a unique language that is used for client-side interactions and server-side computations. A Hop execution platform is made of two compilers: one that compiles the code executed by the server, and one that compiles the code executed by the client. This paper presents the latter. In order to ensure compatibility of Hop graphical user interfaces with popular plain Web browsers, the client-side Hop compiler has to generate regular HTML and JavaScript code. The generated code runs roughly at the same speed as hand- written code. Since the Hop language is built on top of the Scheme program- ming language, compiling Hop to JavaScript is nearly equivalent to compiling Scheme to JavaScript. SCM2JS, the compiler we have designed, supports the whole Scheme core language. In particular, it features proper tail recursion. How- ever complete proper tail recursion may slow down the generated code. Despite an optimization which eliminates up to 40% of instrumentation for tail call in- tensive benchmarks, worst case programs were more than two times slower. As a result Hop only uses a weaker form of tail-call optimization which simplifies recursive tail-calls to while-loops. The techniques presented in this paper can be applied to most strict functional languages such as ML and Lisp. SCM2JS can be downloaded at http://www-sop.inria.fr/mimosa/person- nel/Florian.Loitsch/scheme2js/.
  • Sok: Make JIT-Spray Great Again

    Sok: Make JIT-Spray Great Again

    SoK: Make JIT-Spray Great Again Robert Gawlik and Thorsten Holz Ruhr-Universitat¨ Bochum Abstract Attacks against client-side programs such as browsers were at first tackled with a non-executable stack to pre- Since the end of the 20th century, it has become clear that vent execution of data on the stack and also with a non- web browsers will play a crucial role in accessing Internet executable heap to stop heap sprays of data being later resources such as the World Wide Web. They evolved executed as code. This defense became widely known into complex software suites that are able to process a as W ⊕ X (Writable xor eXecutable) or Data Execution multitude of data formats. Just-In-Time (JIT) compilation Prevention (DEP) to make any data region non-executable was incorporated to speed up the execution of script code, in 2003 [45, 54]. To counter DEP, attackers started to per- but is also used besides web browsers for performance form code reuse such as Return-Oriented Programming reasons. Attackers happily welcomed JIT in their own (ROP) and many variants [10, 11, 32, 68]. In general, if an way, and until today, JIT compilers are an important target adversary knows the location of static code in the address of various attacks. This includes for example JIT-Spray, space of the vulnerable target, she can prepare a fake stack JIT-based code-reuse attacks and JIT-specific flaws to cir- with addresses of these gadgets. As soon as control of cumvent mitigation techniques in order to simplify the the instruction pointer is gained, these gadgets execute exploitation of memory-corruption vulnerabilities.
  • Rockjit: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity

    Rockjit: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity

    RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity Ben Niu Gang Tan Lehigh University Lehigh University 19 Memorial Dr West 19 Memorial Dr West Bethlehem, PA, 18015 Bethlehem, PA, 18015 [email protected] [email protected] ABSTRACT For performance, modern managed language implementations Managed languages such as JavaScript are popular. For perfor- adopt Just-In-Time (JIT) compilation. Instead of performing pure mance, modern implementations of managed languages adopt Just- interpretation, a JIT compiler dynamically compiles programs into In-Time (JIT) compilation. The danger to a JIT compiler is that an native code and performs optimization on the fly based on informa- attacker can often control the input program and use it to trigger a tion collected through runtime profiling. JIT compilation in man- vulnerability in the JIT compiler to launch code injection or JIT aged languages is the key to high performance, which is often the spraying attacks. In this paper, we propose a general approach only metric when comparing JIT engines, as seen in the case of called RockJIT to securing JIT compilers through Control-Flow JavaScript. Hereafter, we use the term JITted code for native code Integrity (CFI). RockJIT builds a fine-grained control-flow graph that is dynamically generated by a JIT compiler, and code heap for from the source code of the JIT compiler and dynamically up- memory pages that hold JITted code. dates the control-flow policy when new code is generated on the fly. In terms of security, JIT brings its own set of challenges. First, a Through evaluation on Google’s V8 JavaScript engine, we demon- JIT compiler is large and usually written in C/C++, which lacks strate that RockJIT can enforce strong security on a JIT compiler, memory safety.
  • Rust: Systems Programmers Can Have Nice Things

    Rust: Systems Programmers Can Have Nice Things

    Rust: Systems Programmers Can Have Nice Things Arun Thomas [email protected] @arunthomas EuroBSDCon 2019 On Systems Programming [A] systems programmer has seen the terrors of the world and understood the intrinsic horror of existence -James Mickens, The Night Watch 2 What Makes Systems Software Hard? • Stakes are High: Systems software is critical to enforcing security and safety • Kernels, hypervisors, firmware, bootloaders, embedded software, language runtimes, browsers, … • Usually written in C or C++ for performance • BUT C and C++ are not memory-safe • Memory corruption vulnerabilities abound (and are exploited) • See recent Microsoft study (next slide) 3 Memory Unsafety is a Problem https://msrc-blog.microsoft.com/2019/07/16/a-proactive-approach-to-more-secure-code/ Microsoft found ~70% of CVEs in their products each year continue to be memory safety issues (Matt Miller, MSRC @ Blue Hat IL 2019) 4 Microsoft and Rust 5 Intel and Rust 6 Talk Overview “Systems Programmers Can Have Nice Things” -Robert O’Callahan Random Thoughts On Rust • Why Rust? • Rust for Systems Software • Getting Started with Rust on BSD 7 Why ust? 8 I like C. 9 But it turns out programming languages have evolved in the last 50 years. 10 Rust is a safe, fast, productive systems programming language. 11 Mozilla and Rust • Rust was originally created by Mozilla Research • Initial use case: Servo browser engine • Mozilla began shipping Rust components in Firefox 48 in 2016 • Oxidation is Mozilla’s term for “Rusting out” components • Rust code has improved Firefox’s
  • Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019

    Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019

    Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs when an integer is increased beyond its maximum value or decreased beyond its minimum value Standard integer types (signed) signed char, short int, int, long int, long long int Signed overflow vs unsigned overflow An unsigned overflow occurs when the underlying representation can no longer represent an integer value. A signed overflow occurs when a value is carried over to the sign bit 4 Overflow Examples unsigned int ui; signed int si; ui = UINT_MAX; // 4,294,967,295; ui++; ui = 0 printf(“ui = %u\n", ui); si = INT_MAX; // 2,147,483,647 si++; si = -2,147,483,648 printf(“si = %d\n", si); 5 Overflow Examples, cont’d ui = 0; ui‐‐; ui = 4,294,967,295 printf(“ui = %u\n", ui); si = INT_MIN; // ‐2,147,483,648; si‐‐; si = 2,147,483,647 printf(“si = %d\n", si); 6 Integer Overflow Example int main(int argc, char *const *argv) { unsigned short int total; total = strlen(argv[1]) + strlen(argv[2]) + 1; char *buff = (char *) malloc(total); strcpy(buff, argv[1]); strcat(buff, argv[2]); } What if the total variable is overflowed because of the addition operation? 7 Vulnerability: JPEG Example Based on a real‐world vulnerability in the handling of the comment field in JPEG files void getComment(unsigned int len, char *src) { unsigned int size; size is interpreted as a large size = len ‐ 2; positive value of 0xffffffff
  • Objective-C Internals Realmac Software

    Objective-C Internals Realmac Software

    André Pang Objective-C Internals Realmac Software 1 Nice license plate, eh? In this talk, we peek under the hood and have a look at Objective-C’s engine: how objects are represented in memory, and how message sending works. What is an object? 2 To understand what an object really is, we dive down to the lowest-level of the object: what it actually looks like in memory. And to understand Objective-C’s memory model, one must first understand C’s memory model… What is an object? int i; i = 0xdeadbeef; de ad be ef 3 Simple example: here’s how an int is represented in C on a 32-bit machine. 32 bits = 4 bytes, so the int might look like this. What is an object? int i; i = 0xdeadbeef; ef be af de 4 Actually, the int will look like this on Intel-Chip Based Macs (or ICBMs, as I like to call them), since ICBMs are little- endian. What is an object? int i; i = 0xdeadbeef; de ad be ef 5 … but for simplicity, we’ll assume memory layout is big-endian for this presentation, since it’s easier to read. What is an object? typedef struct _IntContainer { int i; } IntContainer; IntContainer ic; ic.i = 0xdeadbeef; de ad be ef 6 This is what a C struct that contains a single int looks like. In terms of memory layout, a struct with a single int looks exactly the same as just an int[1]. This is very important, because it means that you can cast between an IntContainer and an int for a particular value with no loss of precision.
  • An Examination of the Generic Memory Corruption Exploit Prevention

    An Examination of the Generic Memory Corruption Exploit Prevention

    AN EXAMINATION OF THE GENERIC MEMORY CORRUPTION EXPLOIT PREVENTION MECHANISMS ON APPLE'S LEOPARD OPERATING SYSTEM Haroon Meer SensePost, Rhodes University [email protected] AN EXAMINATION OF THE GENERIC MEMORY CORRUPTION EXPLOIT PREVENTION MECHANISMS ON APPLE'S LEOPARD OPERATING SYSTEM ABSTRACT The Win32 platform has long been the whipping boy of memory corruption attacks and malware, which has forced Microsoft into implementing aggressive anti-exploitation mechanisms into their newer Operating Systems. Apple's Mac OS X (Leopard) has had a much smoother run, both in the media, and in terms of high profile attacks and the reason for this is less clear. In light of Apple's increased market-share, a comparison between Microsoft's defences and Apple's defences is required as the number of anti-exploitation techniques increases with time. In order to produce a side-by-side comparison, an overview of memory corruption attacks is provided and the common generic anti-exploitation techniques for these attacks are enumerated and described. For each operating system, the quality and effective of each implemented defence is evaluated. The results of the study show that Leopard trails Windows Vista in both the number of defences, as well as the quality and effectiveness of the defences that are implemented. KEY WORDS exploit memory corruption stack heap shellcode overflow ret-2-libc 1 INTRODUCTION This paper will cover the basics of memory corruption exploits, and will then examine how Microsoft Windows Vista and Apple MacOS X Leopard combat these attacks in their default state. The intention is to examine how Apple’s Leopard measures up against the automatic exploit mitigations built into Vista.