DOCSLIB.ORG

Securing the EDK II Image Loader

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Securing the EDK II Image Loader Marvin Hauser¨ Vitaly Cheptsov Technische Universitat¨ Kaiserslautern; Ivannikov Institute for System Programming Ivannikov Institute for System Programming of the Russian Academy of Sciences of the Russian Academy of Sciences Moscow, Russia Kaiserslautern, Germany [email protected] [email protected] Abstract—The Unified Extensible Firmware Interface (UEFI) UEFI for image signature is Microsoft Authenticode [5], which is a standardised interface between the firmware and the op- bundles image signature within the PE file and requires most erating system used in all x86-based platforms over the past of structural parsing for its verification. While the choice of ten years, which continues to spread to other architectures such as ARM and RISC-V. The UEFI incorporates a modular this algorithm made it possible to reuse the code signing tools design based on images containing a driver or an application also used for Windows driver signing easing the development in a Common Object File Format (COFF) either as a Portable process, it also imposed a number of extra security require- Executable (PE) or as a Terse Executable (TE). The de-facto ments on the software in charge of the signature verification standard generic UEFI services implementation, including the process on the firmware side. image loading functionality, is TianoCore EDK II. Its track of security issues shows numerous design and implementation Today most of the platform-independent code of the flaws some of which are yet to be addressed. In this paper we UEFI firmwares is implemented as part of the open-source outline both the requirements for a secure UEFI Image Loader TianoCore EDK II [6] toolkit. This implementation consisting and the issues of the existing implementation. As an alternative of about a million lines of C code also includes the code to we propose a formally verified Image Loader supporting both handle the PE images that can be found in practically any mod- PE and TE images with fine-grained hardening enabling a seamless integration with EDK II and subsequently with the ern firmware. In an attempt to make the implementation more other firmwares. reliable contributions to EDK II go through a thorough review Index Terms—UEFI, Parsing, Security, Program verification. process backed with additional specifications covering the development from architecture to code style, automated testing I. INTRODUCTION on several platforms and on-demand testing with several static The fast spread of the Unified Extensible Firmware Inter- and dynamic analysers [7]. The amount of vulnerabilities face (UEFI) [1] over x86-based platforms would not have found in modern firmwares over the last ten years shows been possible without the adoption of other specifications that the measures taken are clearly not enough [8]. While backed with existing widely available tools. The use of the the attempts to introduce other programming languages with Portable Executable (PE) [2] format let Intel reuse the existing built-in safety checkers may improve the situation with naive specification for the format itself as well as the established security issues like buffer overflows, logic errors are much compiler infrastructure. This decision led the UEFI Forum to harder to find and in general cannot be identified automatically. keep including the PE format as part of the UEFI specification In this paper we suggest using formal verification to se- essentially making it the core of the UEFI modular architec- cure the PE image loading functionality in UEFI. Section II ture. describes the issues of the current implementation present in The UEFI architecture is designed in a way that not all EDK II and specifications separating design defects, functional arXiv:2012.05471v2 [cs.CR] 3 Jun 2021 the modules used during the boot sequence can be equally defects, and potential issues not covered by the existing trusted. While firmware module trust is assumed as a fact implementation. Section III provides a basic introduction into by the UEFI and UEFI PI [3] specifications and is handled formal verification and introduces AstraVer, the tool we used by vendor-specific technologies such as Intel BootGuard [4], to verify the code against our models. Section IV describes other module protection is not taken for granted and is the implementation and the verification model. part of the “Secure Boot and Driver Signing” and “Secure Note: We would like to clarify on our terminology to avoid Technologies” sections of the UEFI specification. ambiguities. Please note that specific terms from the cited A driver coming with an option ROM, a UEFI application, specifications will not be repeated. or a standalone UEFI driver are by all means less trusted but • “[Raw] file” shall mean the format in which a PE or TE usually do not execute with significantly reduced privileges image is saved on storage devices. compared to firmware drivers and applications. To circumvent • “[Loaded] image” shall mean the format of a PE or TE this disadvantage each module external to the firmware is image expanded into the execution environment. verified to belong to an authority that is trusted by the firmware • “Verification” shall mean the process of ensuring the prior to execution. The standardised verification algorithm in plausibility of data structures within a file or image M. Hauser¨ and V. Cheptsov, ”Securing the EDK II Image Loader,” 2020 Ivannikov Ispras Open Conference (ISPRAS), 2020, pp. 16-25, DOI: 10.1109/ISPRAS51486.2020.00010. © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. conforming to the PE format [2]. environment (UEFI protocol installation). Consequently, • “Hashing” shall mean the cryptographic hashing of the the Image Loader locates and exposes the location of this raw file data in a way described in the used signature data7. However, no verification occurs within or outside verification algorithm such as Authenticode [5]. the Image Loader before the data is exposed at load time8. • “Loading” shall mean the transformation of a TE or PE Loading an image cannot be seen as an act of trusting it, raw file into a loaded image. as with a safe loader implementation the image did not • “Relocating” shall mean rebasing a loaded image from yet gain or was given any control over the system. one virtual address base to another. This defect needs to be addressed on UEFI specification • “Image Loader” shall mean the library that performs level. actions such as verification, hashing, loading or relocating 4) Ambiguous context ownership of a raw file or image. Traditionally, context instances are owned by the library that declares them — coming from an object-orientated II. STATE OF THE ART programming paradigm, they can be thought of as non- The EDK II Image Loader contains various defects. While static members of a class instance. While public reading some are bugs of the specific implementation (“functional can be tolerated to simplify the interface, writes should defects”), others are fundamental design flaws of the library be performed strictly within the library implementation design that significantly raise the risk of introducing functional to preserve consistent states. EDK II currently relies on defects (“design defects”). external context writes as part of the library function 9 A. Design defects contracts . This defect is addressed by hardened design (IV-D). 1) Time-of-check/Time-of-use vulnerable design 5) Complicated function contracts The EDK II Image Loader uses a function provided by Function contracts should be easy to understand and the caller to abstract the gradual image data reading1. control flows easy to comprehend. Presently EDK II As made clear by the function specification its explicit relies on explicitly declaring the context fields required purpose is to allow arbitrary, untrusted data sources such to be valid and the context fields ensured to be valid as networks. At the time of writing there are a total by each function10. Except for fields explicitly allowed of 18 calls to this function across multiple stages of to be publicly read this severely overcomplicates the loading which makes ensuring data is not re-read and documentation. used unverified (TOC/TOU) a non-trivial task. This is This defect is addressed by hardened design (IV-D). currently an actual threat as the image headers are read 6) Decentralisation of code early for verification2 and then again when loading the There are several locations throughout the EDK II code- image into its final memory destination3 without ensuring base that access PE and TE image structures directly equivalence or re-verifying the data read. Whether this is instead of utilising the Image Loader11. This is strongly an actual security vulnerability depends on whether the undesired especially for the hashing algorithm which is caller-provided read function uses a trusted source (e.g. present four times12 outside the Image Loader, where the main memory) or not (e.g. network). function logically belongs. Without the library explicitly This defect is addressed by hardened design (IV-D). expressing the guarantees it makes regarding image data 2) Out-of-bounds vulnerable design structures (as opposed to only its own context structure) HII data that is provided to the caller4 is variably-sized. the code cannot trust the structures. Validating them Since its internal offsets are not validated to be in bounds then may lead to code duplication depending on the of the image address space and it is also not stored with library implementation details. Furthermore, the Image the maximum bounds, so that it can be safely accessed5, Loader is exposed via two separate libraries13 for no the caller is left at a high risk of an out-of-bounds access.
Recommended publications
  • The “Stabs” Debug Format

    The “Stabs” Debug Format

    The \stabs" debug format Julia Menapace, Jim Kingdon, David MacKenzie Cygnus Support Cygnus Support Revision TEXinfo 2017-08-23.19 Copyright c 1992{2021 Free Software Foundation, Inc. Contributed by Cygnus Support. Written by Julia Menapace, Jim Kingdon, and David MacKenzie. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled \GNU Free Documentation License". i Table of Contents 1 Overview of Stabs ::::::::::::::::::::::::::::::: 1 1.1 Overview of Debugging Information Flow ::::::::::::::::::::::: 1 1.2 Overview of Stab Format ::::::::::::::::::::::::::::::::::::::: 1 1.3 The String Field :::::::::::::::::::::::::::::::::::::::::::::::: 2 1.4 A Simple Example in C Source ::::::::::::::::::::::::::::::::: 3 1.5 The Simple Example at the Assembly Level ::::::::::::::::::::: 4 2 Encoding the Structure of the Program ::::::: 7 2.1 Main Program :::::::::::::::::::::::::::::::::::::::::::::::::: 7 2.2 Paths and Names of the Source Files :::::::::::::::::::::::::::: 7 2.3 Names of Include Files:::::::::::::::::::::::::::::::::::::::::: 8 2.4 Line Numbers :::::::::::::::::::::::::::::::::::::::::::::::::: 9 2.5 Procedures ::::::::::::::::::::::::::::::::::::::::::::::::::::: 9 2.6 Nested Procedures::::::::::::::::::::::::::::::::::::::::::::: 11 2.7 Block Structure
  • Linkers and Loaders Hui Chen Department of Computer & Information Science CUNY Brooklyn College

    Linkers and Loaders Hui Chen Department of Computer & Information Science CUNY Brooklyn College

    CISC 3320 MW3 Linkers and Loaders Hui Chen Department of Computer & Information Science CUNY Brooklyn College CUNY | Brooklyn College: CISC 3320 9/11/2019 1 OS Acknowledgement • These slides are a revision of the slides by the authors of the textbook CUNY | Brooklyn College: CISC 3320 9/11/2019 2 OS Outline • Linkers and linking • Loaders and loading • Object and executable files CUNY | Brooklyn College: CISC 3320 9/11/2019 3 OS Authoring and Running a Program • A programmer writes a program in a programming language (the source code) • The program resides on disk as a binary executable file translated from the source code of the program • e.g., a.out or prog.exe • To run the program on a CPU • the program must be brought into memory, and • create a process for it • A multi-step process CUNY | Brooklyn College: CISC 3320 9/11/2019 4 OS CUNY | Brooklyn College: CISC 3320 9/11/2019 5 OS Compilation • Source files are compiled into object files • The object files are designed to be loaded into any physical memory location, a format known as an relocatable object file. CUNY | Brooklyn College: CISC 3320 9/11/2019 6 OS Relocatable Object File • Object code: formatted machine code, but typically non-executable • Many formats • The Executable and Linkable Format (ELF) • The Common Object File Format (COFF) CUNY | Brooklyn College: CISC 3320 9/11/2019 7 OS Examining an Object File • In Linux/UNIX, $ file main.o main.o: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped $ nm main.o • Also use objdump, readelf, elfutils, hexedit • You may need # apt-get install hexedit # apt-get install elfutils CUNY | Brooklyn College: CISC 3320 9/11/2019 8 OS Linking • During the linking phase, other object files or libraries may be included as well • Example: $ g++ -o main -lm main.o sumsine.o • A program consists of one or more object files.
  • Intel Updates

    Intel Updates

    Intel Updates Jun Nakajima Intel Open Source Technology Center Xen Summit November 2007 Legal Disclaimer y INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL® PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS. y Intel may make changes to specifications and product descriptions at any time, without notice. y All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice. y Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. y Intel and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. y *Other names and brands may be claimed as the property of others. y Copyright © 2007 Intel Corporation. Throughout this presentation: VT-x refers to Intel®
  • 6 Boot Loader

    6 Boot Loader

    BootBoot LoaderLoader 66 6.1 INTRODUCTION The Boot Loader is a utility program supplied with the ADSP-21000 Family Development Software. The loader converts an ADSP-21xxx executable program, generated by the linker, into a format which can be used to boot a target hardware system and initialize its memory. The loader’s invocation command is LDR21K. The boot loader replaces the MEM21K memory initializer used with the ADSP-21020 processor. Any executable file to be processed with the LDR21K boot loader must not be processed by MEM21K. The -nomem switch of the C compiler should be used when compiling any C source files—this switch prevents the compiler from running MEM21K. The following naming conventions are used throughout this chapter: The loader refers to LDR21K contained in the software release. The boot loader refers to the executable file that performs the memory initialization on the target. The boot file refers to the output of the loader that contains the boot loader and the formatted system configurations. Booting refers to the process of loading the boot loader, initialization system memory, and starting the application on the target. Memory is referred to as being either data memory, program memory, or internal memory. Remember that the ADSP-21020 processor has separate external program and data memories, but does not have any internal memory. The ADSP-2106x SHARC has both internal and external memory. 6 – 1 66 BootBoot LoaderLoader To use the loader, you should be familiar with the hardware requirements of booting an ADSP-21000 target. See Chapter 11 of the ADSP-2106x SHARC User’s Manual or Chapter 9 of the ADSP-21020 User’s Manual for further information.
  • EXPLOITING BLUEBORNE in LINUX- BASED IOT DEVICES Ben Seri & Alon Livne

    EXPLOITING BLUEBORNE in LINUX- BASED IOT DEVICES Ben Seri & Alon Livne

    EXPLOITING BLUEBORNE IN LINUX- BASED IOT DEVICES Ben Seri & Alon Livne EXPLOITING BLUEBORNE IN LINUX-BASED IOT DEVICES – © 2019 ARMIS, INC. Preface 3 Brief Bluetooth Background 4 L2CAP 4 Overview 4 Mutual configuration 5 Linux kernel RCE vulnerability - CVE-2017-1000251 6 Impact 8 Exploitation 9 Case Study #1 - Samsung Gear S3 9 Extracting the smartwatch kernel 9 Leveraging stack overflow into PC control 10 From Kernel to User-Mode 13 Aarch64 Return-Oriented-Programming 13 Structural considerations 14 SMACK 19 Case Study #2 - Amazon Echo 22 Getting out of bounds 23 Analyzing the stack 23 Developing Write-What-Where 26 Putting it all together 28 Case Study #n - Defeating modern mitigations 29 A new information leak vulnerability in the kernel - CVE-2017-1000410 29 Conclusions 31 BLUEBORNE ON LINUX — ©​ 2019 ARMIS, INC. — 2 ​ ​ Preface In September 2017 the BlueBorne attack vector was disclosed by Armis Labs. BlueBorne allows attackers to leverage Bluetooth connections to penetrate and take complete control over targeted devices. Armis Labs has identified 8 vulnerabilities related to this attack vector, affecting four operating systems, including Windows, iOS, Linux, and Android. Previous white papers on BlueBorne were published as well: ● The dangers of Bluetooth implementations detailed the overall research, the attack ​ surface, and the discovered vulnerabilities. ● BlueBorne on Android detailed the exploitation process of the BlueBorne vulnerabilities ​ on Android. This white paper will elaborate upon the Linux RCE vulnerability (CVE-2017-1000251) and its ​ ​ exploitation. The exploitation of this vulnerability will be presented on two IoT devices - a Samsung Gear S3 Smartwatch, and the Amazon Echo digital assistant.
  • Dartmouth Computer Science Technical Report TR2011-680 (Draft Version) Exploiting the Hard-Working DWARF: Trojans with No Native Executable Code

    Dartmouth Computer Science Technical Report TR2011-680 (Draft Version) Exploiting the Hard-Working DWARF: Trojans with No Native Executable Code

    Dartmouth Computer Science Technical Report TR2011-680 (Draft version) Exploiting the Hard-Working DWARF: Trojans with no Native Executable Code James Oakley and Sergey Bratus Computer Science Dept. Dartmouth College Hanover, New Hampshire [email protected] April 11, 2011 Abstract All binaries compiled by recent versions of GCC from C++ programs include complex data and dedicated code for exception handling support. The data structures describe the call stack frame layout in the DWARF format byte- code. The dedicated code includes an interpreter of this bytecode and logic to implement the call stack unwinding. Despite being present in a large class of programs { and therefore poten- tially providing a huge attack surface { this mechanism is not widely known or studied. Of particular interest to us is that the exception handling mech- anism provides the means for fundamentally altering the flow of a program. DWARF is designed specifically for calculating call frame addresses and reg- ister values. DWARF expressions are Turing-complete and may calculate register values based on any readable data in the address space of the pro- cess. The exception handling data is in effect an embedded program residing within every C++ process. This paper explores what can be accomplished with control of the debugging information without modifying the program's text or data. We also examine the exception handling mechanism and argue that it is rife for vulnerability finding, not least because the error states of a program are often those least well tested. We demonstrate the capabilities of this DWARF virtual machine and its suitableness for building a new type of backdoor as well as other implications it has on security.
  • Portable Executable File Format

    Portable Executable File Format

    Chapter 11 Portable Executable File Format IN THIS CHAPTER + Understanding the structure of a PE file + Talking in terms of RVAs + Detailing the PE format + The importance of indices in the data directory + How the loader interprets a PE file MICROSOFT INTRODUCED A NEW executable file format with Windows NT. This for- mat is called the Portable Executable (PE) format because it is supposed to be portable across all 32-bit operating systems by Microsoft. The same PE format exe- cutable can be executed on any version of Windows NT, Windows 95, and Win32s. Also, the same format is used for executables for Windows NT running on proces- sors other than Intel x86, such as MIPS, Alpha, and Power PC. The 32-bit DLLs and Windows NT device drivers also follow the same PE format. It is helpful to understand the PE file format because PE files are almost identi- cal on disk and in RAM. Learning about the PE format is also helpful for under- standing many operating system concepts. For example, how operating system loader works to support dynamic linking of DLL functions, the data structures in- volved in dynamic linking such as import table, export table, and so on. The PE format is not really undocumented. The WINNT.H file has several struc- ture definitions representing the PE format. The Microsoft Developer's Network (MSDN) CD-ROMs contain several descriptions of the PE format. However, these descriptions are in bits and pieces, and are by no means complete. In this chapter, we try to give you a comprehensive picture of the PE format.
  • Process Address Spaces and Binary Formats

    Process Address Spaces and Binary Formats

    Process Address Spaces and Binary Formats Don Porter – CSE 506 Housekeeping ò Lab deadline extended to Wed night (9/14) ò Enrollment finalized – if you still want in, email me ò All students should have VMs at this point ò Email Don if you don’t have one ò TA office hours posted ò Private git repositories should be setup soon Review ò We’ve seen how paging and segmentation work on x86 ò Maps logical addresses to physical pages ò These are the low-level hardware tools ò This lecture: build up to higher-level abstractions ò Namely, the process address space Definitions (can vary) ò Process is a virtual address space ò 1+ threads of execution work within this address space ò A process is composed of: ò Memory-mapped files ò Includes program binary ò Anonymous pages: no file backing ò When the process exits, their contents go away Problem 1: How to represent? ò What is the best way to represent the components of a process? ò Common question: is mapped at address x? ò Page faults, new memory mappings, etc. ò Hint: a 64-bit address space is seriously huge ò Hint: some programs (like databases) map tons of data ò Others map very little ò No one size fits all Sparse representation ò Naïve approach might would be to represent each page ò Mark empty space as unused ò But this wastes OS memory ò Better idea: only allocate nodes in a data structure for memory that is mapped to something ò Kernel data structure memory use proportional to complexity of address space! Linux: vm_area_struct ò Linux represents portions of a process with a vm_area_struct,
  • Common Object File Format (COFF)

    Common Object File Format (COFF)

    Application Report SPRAAO8–April 2009 Common Object File Format ..................................................................................................................................................... ABSTRACT The assembler and link step create object files in common object file format (COFF). COFF is an implementation of an object file format of the same name that was developed by AT&T for use on UNIX-based systems. This format encourages modular programming and provides powerful and flexible methods for managing code segments and target system memory. This appendix contains technical details about the Texas Instruments COFF object file structure. Much of this information pertains to the symbolic debugging information that is produced by the C compiler. The purpose of this application note is to provide supplementary information on the internal format of COFF object files. Topic .................................................................................................. Page 1 COFF File Structure .................................................................... 2 2 File Header Structure .................................................................. 4 3 Optional File Header Format ........................................................ 5 4 Section Header Structure............................................................. 5 5 Structuring Relocation Information ............................................... 7 6 Symbol Table Structure and Content........................................... 11 SPRAAO8–April 2009
  • Open and Efficient Type Switch For

    Open and Efficient Type Switch For

    Draft for OOPSLA 2012 Open and Efficient Type Switch for C++ Yuriy Solodkyy Gabriel Dos Reis Bjarne Stroustrup Texas A&M University Texas, USA fyuriys,gdr,[email protected] Abstract – allow for independent extensions, modular type-checking Selecting operations based on the run-time type of an object and dynamic linking. On the other, in order to be accepted is key to many object-oriented and functional programming for production code, the implementation of such a construct techniques. We present a technique for implementing open must equal or outperform all known workarounds. However, and efficient type-switching for hierarchical extensible data existing approaches to case analysis on hierarchical exten- types. The technique is general and copes well with C++ sible data types are either efficient or open, but not both. multiple inheritance. Truly open approaches rely on expensive class-membership To simplify experimentation and gain realistic prefor- testing combined with decision trees []. Efficient approaches mance using production-quality compilers and tool chains, rely on sealing either the class hierarchy or the set of func- we implement our type swich constructs as an ISO C++11 li- tions, which loses extensibility [9, 18, 44, 51]. Consider a brary. Our library-only implementation provides concise no- simple expression language: tation and outperforms the visitor design pattern, commonly exp ∶∶= val S exp + exp S exp − exp S exp ∗ exp S exp~exp used for type-casing scenarios in object-oriented programs. For many uses, it equals or outperforms equivalent code in In an object-oriented language without direct support for languages with built-in type-switching constructs, such as algebraic data types, the type representing an expression-tree OCaml and Haskell.
  • Virtual Table Hijacking Protection Enhancement for CFG

    Virtual Table Hijacking Protection Enhancement for CFG

    Liberation Guard: Virtual Table Hijacking Protection Enhancement for CFG Eyal Itkin [email protected] eyalitkin.wordpress.com Abstract—Control Flow Guard (CFG) is an advanced defense mechanism by Microsoft, that aims to mitigate exploiting tech- niques using control flow integrity checks. In this paper we1 present a proposed enhancement of CFG, that adds virtual table integrity checks which will mitigate most virtual table hijacking exploits. The proposed defense creates a strong differentiation between ordinary and virtual functions, thus significantly nar- rowing the exploit options available when controlling an indirect virtual call. This differentiation will impose strong restrictions over current virtual table hijacking exploits, thus significantly raising the protection CFG can offer to protected programs2. I. PRELIMINARIES Fig. 1. Example of address translation for an unaligned address (at the top) and an aligned address (at the bottom). A. Control Flow Guard Overview Control Flow Guard (CFG) is an advanced control flow integrity (CFI) defense mechanism introduced by Microsoft in In order to use this CFI knowledge, the compiler adds Windows 8.1 and Windows 10 [4]. CFG aims to significantly a validation check prior to each indirect call (only call restrict the allowed control flow in the cases of indirect calls, assembly opcode, and not jump opcodes). This function is and is supported in Visual Studio 2015. stored in ntdll.dll, and exported to the rest of the DLLs. This defense mechanism is based on the fact that during The function verifies the requested address against the stored compilation time the compiler ”learns” where ”legitimate” bitmap, while acting as a NOP in case the bit is ”1” and crashes functions start, and records these addresses in the compiled the program in case the bit is ”0”.
  • Download Slides

    Download Slides

    Redistribution of this material in any form is not allowed without written permission. ROBOTS AND WINDOWS Joakim Sandström (JODE) nSense define: Joakim Sandström On since 1993’ish 13:37 (EEST) Work: • Chief Technology Officer / Founder @ nSense Interests • Application security • Smartphone security • Code reviews • Writing code • Obscure protocols and more… nSense in a nutshell • Highly specialised in information security • International organization with a strong local presence • Financially independent • The key owners work for the company • High customer satisfaction • ~50 employees Be the leading European IT security assessor Page 4 nSense Service Offering Trusted Advisor Business Enabler Execution Strategic security Security management Vulnerability assessment consultation Penetration testing PCI compliance Security Improvement Program Code reviews ISO and ISF compliance Security reviews and Security coaching analyses services Secure software development Vulnerability management Incident response services Training services Karhu vulnerability scanner Page 5 Main Objectives • Provide a brief overview of the Android and WP7 OS • Security models and architecture • Comparison • Common pitfalls • Allow developers to understand better the underlying platform- and security frameworks. Intro Platforms • Definitions • Overview • Architecture • Ecosystem Devices Outro • Secure programming • Conclusions • Authentication • QA • Authorization • Transport • Storage • Logging • Exception management • Server-side processing Definitions Architecture