250 likes | 260 Views
This lecture discusses the topic of hair dryer attacks and their impact on software engineering. It explores the concept of array subtyping and Java security. Examples of violating type safety with a hair dryer are provided.
E N D
Lecture 20: Hair Dryer Attacks David Evans http://www.cs.virginia.edu/evans Image from www.clean-funny.com, GoldenBlue LLC. CS201j: Engineering Software University of Virginia Computer Science
Menu • Array Subtyping • Java Security Review • Violating Type Safety with a Hair Dryer CS 201J Fall 2003
Subtyping and Arrays If B <= A, should B[] <= A []? CS 201J Fall 2003
Array Subtyping static public Object getFirst (Object [] els) throws NoSuchElementException { if (els == null || els.length == 0) { throw new NoSuchElementException (); } else { return els[0]; } } static public void main (String args[]) { try { Object o = getFirst (args); System.err.println ("The first parameter is: " + o); } catch (NoSuchElementException e) { System.err.println ("There are no parameters!"); } } CS 201J Fall 2003
Array Store static public void setFirst (Object [] els) throws NoSuchElementException { if (els == null || els.length == 0) { throw new NoSuchElementException (); } else { els[0] = new Object (); } } > javac TestArrays.java > java TestArrays test The first parameter is: test Exception in thread "main" java.lang.ArrayStoreException at TestArrays.setFirst(TestArrays.java:16) at TestArrays.main(TestArrays.java:25) static public void main (String args[]) { try { Object o = getFirst (args); System.err.println ("The first parameter is: " + o); setFirst (args); } catch (NoSuchElementException e) { System.err.println ("There are no parameters!"); } } CS 201J Fall 2003
ESC/Java and Array Stores > escjava TestArrays.java ESC/Java version 1.2.4, 27 September 2001 TestArrays ... TestArrays: getFirst(java.lang.Object[]) ... [0.199 s] passed TestArrays: setFirst(java.lang.Object[]) ... ------------------------------------------------------------------------ TestArrays.java:16: Warning: Type of right-hand side possibly not a subtype of array element type (ArrayStore) els[0] = new Object (); CS 201J Fall 2003
Java • Type checking: B <= A B[] <= A[] • Need a run-time check for every array store (to an array where the actual element type is not known) • Better rule: no inference of array subtypes CS 201J Fall 2003
Java Security CS 201J Fall 2003
Joe User Java javac Compiler malcode.java malcode.class JVML Trusted Computing Base Java Bytecode Verifier Invalid “Okay” STOP JavaVM CS 201J Fall 2003
Bytecode Verifier • Checks JVML code satisfies safety properties • Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once • After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores) Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read. CS 201J Fall 2003
Violating the Assumption … // The object on top of the stack is a SimObject astore_0 // There is a SimObject in location 0 aload_0 // The value on top of the stack is a SimObject If a cosmic ray hits the right bit of memory, between the store and load, the assumption might be wrong. CS 201J Fall 2003
Improving the Odds • Set up memory so that a single bit error is likely to be exploitable • Mistreat the hardware memory to increase the odds that bits will flip Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003. CS 201J Fall 2003
Making Bit Flips Useful Fill up memory with Filler objects, and one Pointee object: class Filler { class Pointee { Pointee a1; Pointee a1; Pointee a2; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a5; Pointee a6; Pointee a6; Pointee a7; Pointee a7; } } CS 201J Fall 2003
a1 Filling Up Memory a2 a3 a4 Filler Object a5 a6 Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } a7 a1 a2 f Pointee Object b a5 a6 a7 a1 Filler Object a2 a3 CS 201J Fall 2003 a4 a5 a6 a7
a1 Wait for a bit flip… a2 a3 a4 Filler Object • Remember: there are lots of Filler objects (fill up all of memory) • If a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object a5 a6 a7 a1 a2 f Pointee Object b a5 a6 a7 a1 Filler Object a2 a3 CS 201J Fall 2003 a4 a5 a6 a7
a1 Type Violation a2 a3 a4 Filler Object After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object! a5 a6 a7 a1 a2 f Pointee Object b a5 a6 a7 Can we exploit this? a1 Filler Object a2 a3 CS 201J Fall 2003 a4 a5 a6 a7
Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } Finding the Bit Flip while (true) { for (Enumeration e = fillers.elements (); e.hasMoreElements () ; ) { Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! … } else if (f.a2 != p) { … } } CS 201J Fall 2003
class Filler { class Pointee { Pointee a1; Pointee a1; Pointee a2; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a5; Pointee a6; Pointee a6; Pointee a7; Pointee a7; } } Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time Declared Type f.a1 Pointee f.a1.b int fr == f.a1 Filler fr.a4 == f.a1.b Pointee CS 201J Fall 2003
class Filler { class Pointee { Pointee a1; Pointee a1; Pointee a2; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a5; Pointee a6; Pointee a6; Pointee a7; Pointee a7; } } Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = 69473248; // Address of bank balance object fr.a4.a1 = p.a5; // Set it to a new value CS 201J Fall 2003
class Filler { class Pointee { Pointee a1; Pointee a1; Pointee a2; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a5; Pointee a6; Pointee a6; Pointee a7; Pointee a7; } } Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = 1524383; // Address of the SecurityManager fr.a4.a1 = null; // Set it to a null // Do whatever you want! There’s no security policy now… new File (“C:\thesis.doc”).delete (); CS 201J Fall 2003
Getting a Bit Flip • Wait for a Cosmic Ray • You have to be really, really patient… (or move machine out of Earth’s atmosphere) • X-Rays • Expensive, not enough power to generate bit-flip • High energy protons and neutrons • Work great - but, you need a particle accelerator • Hmm…. CS 201J Fall 2003
Using Heat • 50-watt spotlight bulb • Between 80°-100°C, memory starts to have a few failures • Attack applet is successful (at least half the time)! • Hairdryer works too, but it fries too many bits at once Picture from Sudhakar Govindavajhala CS 201J Fall 2003
Should Anyone be Worried? Java virtual machine CS 201J Fall 2003
Recap • Verifier assumes the value you write is the same value when you read it • By flipping bits, we can violate this assumption • By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types • By violating type safety, we can get around all other security measures • For details, see paper linked from notes CS 201J Fall 2003
Charge: Problem Set 6 • Violate type safety to steal an election • No need to open up ITC machines to try to heat up memory • Please don’t try this in lab (but try it at home if you want) • Instead, use java –noverify to get around type checking: allows byte codes to run without verifying them CS 201J Fall 2003