Casper - PowerPoint PPT Presentation

1
Securing Software Systems
Gaurav S. Kc, Programming Systems Lab, 9th April, 2003
2
Codiva: Code Diversity
  • Using code diversity to increase software
    security
  • Approach
  • Runtime management of processes
  • Vulnerabilities and attack techniques
  • Automatic defence mechanisms
  • Implementations
  • Casper, RiSA
  • Inter-group collaboration
  • Compilers, OS, Programming Languages, Security
  • Kaiser, Aho, Edwards, Keromytis

3
Codiva: Casper
  • Compiler-assisted securing of programs at runtime
  • Via added runtime checks as part of function
    invocations
  • Add protection code
  • Protect what: control data in stack frames
  • What from: most stack-smashing attacks
  • Available as patches
  • Compiler: gcc-2.95
  • Debugger: gdb-5.2.1

4
Casper contd.
  • Source function and runtime layout

    void function(int x, float y, char* s) {
        int a;
        int b;
        char buffer[SIZE];
        int c;
        ...
        strcpy(buffer, s);
        ...
    }

[Figure: runtime stack layout. Labels: PC; ret. addr; 32-bit XOR ret. addr; 0xBadAdda0 ... ... ... (/bin/sh) exec]
  • Casper protection
  • Mask original return address value when entering
    function
  • Unmask and restore the original return address
    value when returning from function
  • Overwritten value will be restored to invalid
    code address
  • Stacksmashing attack
  • Buffer overrun
  • Code injection
  • Return address overwritten

5
Codiva: Randomised ISAs
  • Unique machine instruction set per process
  • Reversible mapping
  • machine instruction ↔ garbage bit sequence
  • Post-compilation stage
  • Encode all executable sections with key
  • Store codec key in file header
  • New cycle: fetch, decrypt, decode, execute
  • decrypt: processor restores each block of bytes
    to valid, original instruction
  • Injected code gets probabilistically transformed
    to garbage bit-sequence that cannot be decoded

6
Randomised ISAs contd.
[Figure label: SOURCE CODE]
7
Codiva: future work
  • Randomised ISA on real machine
  • Programmable Transmeta chips
  • Dynamo: dynamic optimiser of native code
  • Activation records
  • automatically managed, randomised layout
  • Heap smashing techniques
  • break type-system
  • corrupt malloc data
  • Diversified research
  • Languages, Compilers: C, Sun CC, Visual C
  • Other architectures: Solaris, Alpha (DLX -)

8
Worklets
  • Java-based mobile agent system
  • Code transportation and dynamic integration
    mechanism

9
Worklets: past projects
  • Dan Phung, Alex Bogomolov
  • Micro-control of junctions
  • repeat, start-condition, etc.
  • Registration and discovery mechanism
  • Security
  • encryption, authentication and authorisation
  • Optimised Worklet transportation
  • Workgroup Cache
  • Partial compression