软件安全论文报告.

1、- 1 -软件安全论文报告对于缓冲区溢出效应的利用故障指导老师班级 学号 姓名 日期2013年 5 月 18 日 Using Faults for Buffer Overflow EffectsPierre-Alain Fouque cole Normale Suprieure 45 rue dUlmF-75230 Paris CEDEX 05,Francepierre-alain.fouqueens.frDelphine LeresteuxUniversit Paris VII -DGA Information SuperiorityBP735998 Rennes Armes,Franced

2、elphine.leresteuxdga.defense.gouv.frFrdric ValetteDGA Information SuperiorityBP735998 Rennes Armes,Francefrederic.valettedga.defense.gouv.frABSTRACTFault attacks have been developed in the cryptographic com- munity to extract secret information on hardware implemen- tations. They have also been used

3、 to bypass security checks during authentication processes for example. Here, we show that they can be exploited to make more damage, taking the control of a machine as buffer overflow attacks do for instance. In this short paper, we demonstrate by using one example that countermeasures against buff

4、er overflow must also be used for software running on embedded processors.KeywordsBuffer Overflow, Fault Analysis, FPGA1. INTRODUCTIONThis paper studies a security vulnerability for embedded processors. Anderson and Kuhn in 1 describe a whole state- of-art on fault attacks. They especially focus att

5、acks on software and list many types of attacks which could affect software implementations like password checking or access rights.Related Work. Other consequences described for glitch are to turn away unconditional jump to other program seg- ment or an operation on variable into something else. Th

6、e attacks described in 1 only target systems in order to re- cover a secret value, to bypass a simple assembly command or to avoid a control test. Here, their goal is to bypass several times a if condition to dump the whole memory. Govindavajhala et al. in 3 present another fault attack which target

7、s soft memory error in Java virtual machines. Only one bit error allows to take control of a host. As in our attack, the code does not contain any bug. This attack pro- vokes malfunction in address space in memory. Two differ- ent kinds of pointers point toward the same place in the heap to execute

8、arbitrary code. Contrary to Govindavajhalas ar- ticle, we produce faults on the program instructions. OurPermission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercia

9、l advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.SAC12 March 25-29, 2012, Riva del Garda, Italy. Copyright 2012 ACM 978-1-4503-0857-1/

10、12/03 .$10.00.faults disrupt element places, while Govindavajhalas fault disrupts element types. Even if the results are the same, diverting a program, we target here the registers and not the pointers. The program counter register usually seems as a potential target. Corrupting its value allows att

11、acker to jump in another part of code. In state-of-the-art, attacks on stack pointer register saved in memory exist, but they only produce wrong branches into program execution. No fault analysis on stack pointer during function call has been already published. Here, our attack allows to branch into

12、 an- other valid program. Consequently, we present attack that allows to control the value of the program counter without provoking a fault on it.Our Results. This paper considers safe implementations that do not use overflowable functions and we target em- bedded software for which classical counte

13、rmeasures against buffer overflows are not always provided by the compilers. We analyze the consequences of the faults on the scheduling of program and we obtain similar results as buffer overflow attacks using fault attacks. We have experimented this at- tack and we show that it can be very efficie

14、nt.2. BACKGROUNDSIn this section, we recall buffer overflow and fault charac- teristics.Faults. Faults are generated by several external sources: spike on power supply, glitch on the clock, variation on the temperature, laser, electromagnetic radiations . Each flip flop has its own characteristic wh

15、ich depends on the tem- perature or on the voltage. Due to a glitch, some flip flops process their inputs before they have to 4. Data have to be treated too quickly and computations errors occur due to the briefness of the glitch. On the instruction modifications, fault attacks can also be used to a

16、void the storage of variable in a register, such as the number of rounds for a symmetric cryptographic protocol 1.Buffer Overflow. Buffer overflow consists in writing data into memory space at different places than the allocated and expected place. This writing can erase useful information on the pr

17、ocess. A buffer overflow allows an adversary to take control of a machine by modifying the schedule so that the next executed instruction will not be the expected one. Another instruction located either forward in the program or in another program can be executed instead. If this last one is malicio

18、us, the executed code can make damage or can take advantage of the attacked program privileges.3. A NEW KIND OF FAULT ATTACKAfter profiling fault effects, we mount our attack. In this attack, we target a specific function whose goal is to verify a password. Then, we explain its success rate and a ge

19、ner- alization of this attack that targets other functions, maybe not security function such as control access.3.1 Attack ContextThe attack modifies the value of the return address regis- ter at the end of a function call as in buffer overflow attack. In our attack, the faults are used to change the

20、 stack pointer so that it will point towards the input parameters. The at- tack can be extended to any programs or functions with or without security goals in any context. We have experiment and simulate theoretic and practical results on embedded development board with the microprocessor in using g

21、litch on clock.3.2 Attack ScheduleThis attack uses only one fault to avoid the execution of only one instruction. We illustrate our purpose with a pass- word verification example. Instead of using subfunction like strcmp, the developer uses his own function, for illustration my_strcmp (i.e. Function

22、 A), which realizes a comparison between entered word and the right password, to avoid over- flowable function. At each function call, the stack context is saved by several assembly commands. One of this kind of commands consists in an addition (addi) to the stack pointer (sp) with a negative value.

23、 We inject a fault dur- ing the execution of the addi instruction of the sp register at the beginning of the function my_strcmp in our case study. This precise and located fault avoids the modification of the sp value at the beginning of the subfunction, my_strcmp. Then we normally go back to the fu

24、nction named compar- ison (i.e. Function B) in our example, as it is shown in Figure 1.1. We make a fault during the subtraction (addi sp, sp,-160) instruction, so the sp pointer value is wrong.2. At the end of the call of the function, comparison in our case, the return address (ra) is retrieved by

25、 the load instruction (ldw ra, 156 (sp) (offset from faulty sp). In case of our fault, return address will point toward input parameters.Figure 1: Faulty execution during attackInput parameters contain address of any function after the password check function. That is why at the end of the function

26、comparison, the return address register loads the address of the continue function, as if the correct information was entered. Now, the return address register contains a faulty value. The final assembly ret command ends the faultattack by jumping to execution without stopping due to false password.

27、 This scenario needs only one fault and allows to bypass security control. It is illustrated by Figure 1.4. COUNTERMEASURESTo defeat these attacks, several countermeasures exist and could be implemented. In this section, we present hardware and software countermeasures. While ones prevent from fault

28、 attacks, the others detect buffer overflow exploits.4.1 Countermeasures Against Fault AttacksEssentially, two different kinds of countermeasures can be used against these attacks. The first category gathers to- gether protections against clock glitch and the second one protections against glitch ef

29、fects like software redundancy. In first type, hardware components filtering variations can be used. For instance pll for phase locked loop, our glitch attack scenario has been played without results. These tech- niques are so specific for fault injection means. Other fault injection provokes progra

30、m diverting.4.2 Countermeasures Against Buffer Overflow First countermeasure consists in obfuscating addresses in using randomized address. It prevents opponents from tar- geting function address after the targeted function. Second countermeasure duplicates stack pointer in a variable, in aregister,

31、 in other part of the stack or in another duplicatedstack like Stack Shield 2. This technique protects from unauthorized modification of stack pointer. The last coun- termeasure that defends from executing malicious code is non-executable stack, for the input parameters.5. CONCLUSIONThis fault attac

32、k represents a new real threat for embed- ded software systems. It is the first time that this associa- tion of two different attacks, fault attacks with buffer over- flow techniques, is realized. Furthermore, only one fault is needed. It reveals that it is important to adopt the same countermeasure

33、s against buffer overflows in software embed- ded system. The main rule consists of protecting stack mem- ory and registers integrity during all program execution.6. REFERENCES1 R. J. Anderson and M. G. Kuhn. Low Cost Attacks on Tamper Resistant Devices. In B. Christianson,B. Crispo, T. M. A. Lomas,

34、 and M. Roe, editors, Security Protocols Workshop, volume 1361 of Lecture Notes in Computer Science, pages 125136. Springer, 1997.2 C. Cowan, S. Beattie, R. Day, P. w. C. Pu, andE. Walthinsen. Protecting Systels from Stack Smashing Attacks with StackGuard. In Proceedings of the 5th Linux Expo., Rale

35、igh, NC, May 1999.3 S. Govindavajhala and A. W. Appel. Using Memory Errors to Attack a Virtual Machine. In IEEE Symposium on Security and Privacy, pages 154165, 2003.4 O. Kommerling and M. G. Kuhn. Design Principles for Tamper-Resistant Smartcard Processors. In WOST99: Proceedings of the USENIX Work

36、shop on Smartcard Technology, pages 920. USENIX Association, 1999.对于缓冲区溢出效应的利用故障Pierre-Alain Fouque1Delphine Leresteux2Frederic Valette31Ecole Normale Superieure45 rue dUlm2Universite Paris VII -DGA Information SuperiorityBP73DGA Information SuperiorityBP735998 Rennes Armees摘要 故障攻击已经开发出来了在加密区域提取秘密信息

37、在硬件上的实现。 例如，它们也被用于在认证 过程中绕过安全检查。 这里，我们介绍他们可以被用于制造更多的伤害,通过造成缓冲区溢出攻击来控制 机器的例子。 在这篇论文中，我们通过用一个缓冲区溢出防护策略必须使用于软件在嵌入式处理器上的 运行来进行证明。关键词 缓冲区溢出；故障分析；可编程门阵列（FPGA）1 介绍这篇论文我们学习一个对于嵌入式处理器的安全弱点。 Anderson and Kuhn在1中描 述了整个对于故障攻击的情形。 他们特别关注软件的攻击并且列出了多种影响软件安装启 动的密码检测或是授权的攻击类型。相关工作 其他结果用于描述故障要避开无条件跳转到其他程序段或一个对于变量的 操作

38、。 这种攻击描述在1中只有目标系统用来恢复机密价值，从而绕开一个汇编命令或 是避免控制测试。 这里，他们的目标是绕开少许时间，如果有一个条件来跳转整个内存。 Govindavajhala et al. in在3中描述了其他的在JAVA虚拟机上的目标软内存故障攻击。只 有一位故障允许控制整个主机。 在我们的攻击中，代码不能确定任何漏洞。 这种攻击引发 故障在内存中的地址空间。 两种不同的指针指向堆中的同一空间从而来执行任意的代码。 相比较Govindavajhala的文章，我们产生的故障是在程序命令上。 我们的故障在破坏原理 位数，然而Govindavajhala的故障破坏在原理类型。即使结果是

39、一样的，转移同一个程序， 我们的目标在寄存器而不是指针。 程序计数器寄存器通常看起来像一个潜在的目标。 它的 破坏价值是进攻者跳转到其他区域的代码。 在这种情形中，攻击在栈指针寄存器保存在内 存中，但是他们只处理执行程序中的故障分支。 在函数调用已被通过时，没有没有对于栈 指针的故障分析。 这里，我们的攻击允许进入其他的有效的程序。 因此，我们介绍的攻击 是允许控制程序中有价值的计数器而不引发程序中的的任何一个故障。我们的结果 这篇论文所认为的安全启动是不使用溢出功能，我们嵌入的软件对于经 典对抗措施防护缓冲区溢出不是通过编译器提供的。 我们分析的故障结果是在程序时序安排上的并且我们获得对于通

40、过使用故障攻击形成的缓冲区溢出攻击相同的结果。 我们已经 实验了这种攻击并且证实了那是非常有效的。2背景在这一部分，我们再次说起缓冲区溢出和故障特征。故障 故障通常通过外部程序产生：能量供应上上毛刺脉冲，时钟上的小故障，温度 上的变化，激光，电磁辐射.每种触发器都有自己需要温度或者电压的特征。 归功与一个 小故障，一些触发器在它们拥有4之前处理它们的输入。 数据被处理的过快和计算故障导 致了这个简单的故障。 在指令处理过程中，故障攻击能够被用来避开存储在寄存器中的变 量，如在一个对称加密协议1中循环的数量。缓冲区溢出 缓冲区溢出包括在数据写入内存空间不同的地方超过了分配和期望的地 方。 这种写

41、入将擦去进程中有用的信息。 一个缓冲区溢出允许一个敌手通过修改先前的编 制去控制一台机器从而造成接下来的指令将不是所期望的执行的。 其他的指令处于先前的 程序中或是其他能被执行的程序代替。 如果最后一个是恶意的，这个执行过的代码能够造 成危害或是能够利用攻击程序特权。3一种新的故障攻击在故障效应分析之后，我们列出我们的攻击。 在这些攻击中，我们瞄准一种特殊功能 的攻击，这种攻击目标是查证口令。 接着，我们解释他的成功率并且泛化这种瞄准其他功 能的攻击。 或许不是安全功能例如授权。3.1攻击内容这种攻击改变在一个函数调用之后的寄存器地址的返回值,称作缓冲区溢出攻击。 在 我们的攻击中，这种故障将

42、被用来改变堆栈指针。 所以，他将指向输入参数，这种攻击将 被应用在任何程序或是在任何情况下没有安全目标的函数中。 我们有实验，并且模拟理论 上的和实践上的结果，在嵌入式开发板上通过微处理器使用故障的时钟。3.2攻击计划这种攻击只使用一个故障来绕过执行一条指令。 我们通过使用一个口令验证例子 来说明我们的目的。 而不是使用相比较字符串的子函数，开发者使用他自己的函数，来 说my strcmp(i.e. Function A)，是一个输入字符和正确口令比较，来避免溢出功能。 在每 一个函数调用中，栈中的内容通过几个汇编命令存储。 这样的一个命令包括一个加一个 负值到栈指针。 在我们的案例研究中，从my strcmp子函数执行的开始我们注入一个故障 在栈指针寄存器执行的加法指令。 接着，我们正常回到我们例子中的比较函数comparison(i.e. Function B)，如图1所示：1. 我们在减法(addi sp, sp,-160)指令中做了一个故障所以SP指针只是错的。2. 在函数调用的最后，在我们案例中的比较，这个返回地址(ra)被加载的指令(ldw ra,156 (sp)恢复。 在我们的故障案例中返回地址指向输入的参量输入参量包含在口令 检查函数之后的任何函数。 这就是为什么会在比较函数的结尾，如果正确的信息被 输入，此时返回地