Monday, October 4, 2004
2:30 PM - 3:30 PM
3331 CS
|
Nagendra Modadugu
H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, D. Boneh
Stanford
On the Effectiveness of Address Space Randomization
CCS 2004
Local copy (with page numbers): http://www.cs.wisc.edu/areas/sec/asrandom.pdf
Address-space randomization is a technique used to
fortify systems against buffer overflow attacks. The
idea is to introduce artificial diversity by
randomizing the memory location of certain system
components. This mechanism is available for both
Linux (via PaX ASLR) and OpenBSD. We study the
effectiveness of address-space randomization and find
that its utility on 32-bit architectures is limited
by the number of bits available for address
randomization. In particular, we demonstrate a
derandomization attack that will convert any
standard buffer-overflow exploit into an exploit
that works against systems protected by
address-space randomization. The resulting exploit
is as effective as the original exploit, although it
takes a little longer to compromise a target
machine: on average 216 seconds to compromise Apache
running on a Linux PaX ASLR system. The attack does
not require running code on the stack.
We also explore various ways of strengthening
address-space randomization and point out weaknesses
in each. Surprisingly, increasing the frequency of
re-randomizations adds at most 1 bit of
security. Furthermore, compile-time randomization
appears to be more effective than runtime
randomization. We conclude that, on 32-bit
architectures, the only benefit of PaX-like
address-space randomization is a small slowdown in
worm propagation speed. The cost of randomization is
extra complexity in system support.
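A short worked derivation of the "at most 1 bit" claim in the abstract above, added here as an illustration and not taken from the paper. It models an attacker probing one secret offset drawn uniformly from $N = 2^{b}$ values, where $b$ is the number of randomized address bits, and counts the expected number of probes $T$ until the first hit; each probe is assumed to reveal only success or failure.

```latex
% Fixed layout: the secret does not change, so every failed probe
% rules out one candidate and the attacker guesses without replacement.
E[T_{\mathrm{fixed}}] \;=\; \sum_{k=1}^{N} k \cdot \frac{1}{N} \;=\; \frac{N+1}{2}

% Re-randomization after every probe: each probe is an independent
% trial with success probability 1/N, so T is geometric.
E[T_{\mathrm{rerand}}] \;=\; \sum_{k=1}^{\infty} k \left(1-\frac{1}{N}\right)^{k-1} \frac{1}{N} \;=\; N

% Ratio of expected work, and its size in bits.
\frac{E[T_{\mathrm{rerand}}]}{E[T_{\mathrm{fixed}}]} \;=\; \frac{2N}{N+1} \;<\; 2,
\qquad
\log_2 \frac{2N}{N+1} \;<\; 1
```

Re-randomizing less often than once per probe sits between the two cases, so however often the layout is reshuffled, the attacker's expected work grows by less than a factor of two: under one bit of added security. The only lever that changes the exponent is $b$ itself, which is the abstract's point about 32-bit address spaces.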
|
Monday, October 11, 2004
1:30 PM - 2:30 PM
3331 CS
|
Drew Dean
Alan J. Hu
Drew Dean, Alan J. Hu
SRI / UBC
Fixing Races for Fun and Profit: How to use access(2)
USENIX Security 2004
URL: http://www.csl.sri.com/users/ddean/papers/usenix04.pdf
Local copy (with page numbers): http://www.cs.wisc.edu/areas/sec/deanusenix04.pdf
It is well known that it is insecure to use the
access(2) system call in a setuid program to
test for the ability of the program's executor to
access a file before opening said file. Although the
access(2) call appears to have been designed
exactly for this use, such use is vulnerable to a
race condition. This race condition is a classic
example of a time-of-check-to-time-of-use (TOCTTOU)
problem. We prove the "folk theorem" that no
portable, deterministic solution exists without
changes to the system call interface, we present a
probabilistic solution, and we examine the effect of
increasing CPU speeds on the exploitability of the
attack.
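The check/use window the abstract describes, shown in code as an added example (not code from the Dean/Hu paper): the naive access(2)-then-open(2) sequence beside a variant that removes the path-based check altogether by letting the kernel evaluate permissions on the very inode it opens. The hardened variant assumes the program can perform the open with the caller's own credentials (seteuid to the real uid); it does not reproduce the paper's probabilistic solution for the cases where that is not possible. The temporary files and paths under /tmp are constructed for the self-checks.

```c
/* Added example: access(2)/open(2) TOCTTOU pattern and a hardened opener.
 * Not the paper's code; the seteuid approach is standard advice for the
 * common case and the demo files below are constructed for illustration. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: two separate system calls on a path name. access(2) checks
 * against the real uid; open(2) then opens with the effective (privileged)
 * uid. Whatever the path names can change between the two calls, so the
 * check says nothing reliable about the file actually opened. */
int open_with_access_check(const char *path)
{
    if (access(path, R_OK) != 0)        /* check */
        return -1;
    return open(path, O_RDONLY);        /* use */
}

/* Hardened: switch the effective uid to the real uid so open(2) itself
 * performs the permission check, refuse a symlink at the final component,
 * and confirm via fstat(2) on the descriptor (not the path) that a regular
 * file was opened. There is no path-based check left to race. */
int open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int open_errno = errno;
    /* Restore privilege first; never continue in an unexpected state. */
    if (seteuid(saved_euid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = open_errno;
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a constructed temporary regular file: both openers succeed.
 * Returns 0 on success. */
int demo_regular_file(void)
{
    char tmpl[] = "/tmp/access-demo-XXXXXX";
    int wfd = mkstemp(tmpl);
    if (wfd < 0)
        return -1;
    close(wfd);
    int a = open_with_access_check(tmpl);
    int b = open_as_real_user(tmpl);
    int ok = (a >= 0 && b >= 0) ? 0 : -1;
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    unlink(tmpl);
    return ok;
}

/* Self-check with a constructed symlink in place of the path: the naive
 * opener follows it (access(2) and open(2) both resolve links), while the
 * hardened opener refuses it. Returns 1 when that is what happens. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/access-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[64], linkpath[64];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(linkpath, sizeof linkpath, "%s/link", dir);
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0) { rmdir(dir); return -1; }
    close(tfd);
    if (symlink(target, linkpath) != 0) { unlink(target); rmdir(dir); return -1; }
    int a = open_with_access_check(linkpath);
    int b = open_as_real_user(linkpath);
    int result = (a >= 0 && b < 0) ? 1 : 0;
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("regular file: %s\n", demo_regular_file() == 0 ? "both openers succeed" : "failed");
    printf("symlink: %s\n", demo_symlink_rejected() == 1 ? "only the hardened opener refused it" : "unexpected");
    return 0;
}
```

O_NOFOLLOW is a design choice for this example, not a universal rule: a program that must honour legitimate symlinks would drop it and rely on the seteuid switch plus the fstat(2) check alone. The essential property either way is that the credential used for the permission decision and the file descriptor that results come from the same open(2) call.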
|
Monday, October 18, 2004
2:30 PM - 3:30 PM
3331 CS
|
Drew Dean
Drew Dean
SRI
The security of static typing with dynamic linking
CCS'97
URL: http://www.csl.sri.com/users/ddean/papers/ccs4.pdf
Dynamic linking is a requirement for portable
executable content. Executable content cannot know,
ahead of time, where it is going to be executed, nor
know the proper operating system interface. This
imposes a requirement for dynamic linking. At the
same time, we would like languages supporting
executable content to be statically typable, for
increased efficiency and security. Static typing and
dynamic linking interact in a security-relevant
way. This interaction is the subject of this
paper. One solution is modeled in PVS, and formally
proven to be safe.
|