SPARCHS Site Visit
6 September 2012
Agenda
Time | Topic | Speaker
11:45 | Native Instruction Set Randomization | Kanad Sinha
12:05 | kBouncer: ROP mitigation | Michalis Polychronakis
12:30 | WHISK: DIFT for Heterogeneous Systems | Joel Porquet
1:15 | Autotomic Binary Structure Randomization | Ang Cui
1:50 | Efficient Deterministic Multithreading through Schedule Relaxation | Heming Cui
2:25 | Liberty Architecture | Deep Ghosh
4:00 | SPARCHS Architecture Spec. v0.1, Wrap up | Simha Sethumadhavan
Highlights
• ISR: Native implementation – Overhead is 0.2%; as little as 5 lines of Verilog code
• DIFT: On heterogeneous systems-on-chip – Overhead without tagging (0%); with tagging, linear in the percentage of memory that is tainted
• ROP: MSR BlueHat Winner • RBS: Spin-off on firmware security
Native Instruction Set Randomization
Kanad Sinha, Vasileios Kemerlis,
Vasilis Pappas, Angelos Keromytis,
Simha Sethumadhavan
The Problem
Today:
• Systems are largely similar
– e.g., Windows on x86, Android on ARM
• System security is mature but far from flawless
• Attacks are difficult to develop, but widely deployable
– Similar flaws on similar machines
2
An Example – Drive-by Download
1. Hackers insert malicious URL
2. Users visits a website
3. User redirected to bad website
4. Malware installed surreptitiously
3
Talk Overview
• Problem
• Solution: Instruction Set Randomization
• Software Choices – Single-key – Page-mode
• Hardware Choices – Simulation Results
– Implementation
• Security Analysis • Conclusion
4
Countering Homogeneity
• Diversify! – No two systems should be alike
– Not without problems
• Force attacks to be tailor-made
– Low return on investment for attack development
– No longer as lucrative
5
Instruction Set Randomization
• Each machine has a different ISA
– Code for one doesn't work on another
– Even better if this ISA can be kept secret
• Prevents code-injection attacks – If malicious "code" inserted into the application is not
in the local ISA, it cannot execute
– An unauthorized generic binary cannot execute
6
How to ISR-ize?
• Problematic. Cannot really have processors with
unique ISAs
• One solution: Encrypt with random keys of fixed
width
– With 128-bit keys, large enough key-space (for now)
– Should not disrupt established system standards (e.g., virtual memory subsystem, caches)
7
Software Design Options – Encryption
• Ideally ISR should be always on
• How strong an encryption to allow? – Classic performance/functionality trade-off
• Weak encryption
– XOR, transposition
– Low overhead but also low security
– Reason why earlier software-based implementations didn't take
off
• Strong encryption – AES, RSA
– High security, but also high overheads 8
Software Design Options – Key Usage Granularity
• Per system
• Per privilege level
• Per process
• Per file with executable code
• Per (executable) memory page
• Others (network, functions, instructions, etc.)
9
Single-Key ISR – Ecosystem
1
2
3
4
5
7
6 8
9
Gateway
App DB
Key DB
User
Trusted Proxy
Developer
Manufacturer
10
Page-Mode ISR – Ecosystem
User
App Gateway & DB
Key DB
_"
2
5
3
4
6
7
11
Hardware Design Options
• Already ruled out unique native ISAs
12
Hardware Design Options
• Already ruled out unique native ISAs
• Decrypt just before/within the pipeline
L2
IL1
DL1
Mem
Pipeline 13
Hardware Design Options
• Already ruled out unique native ISAs
• Decrypt just before/within the pipeline
• Decrypt at the L1-I and L2 interface
L2
IL1
DL1
Mem
Pipeline 14
Hardware Design Options
• Already ruled out unique native ISAs
• Decrypt just before/within the pipeline
• Decrypt at the L1-I and L2 interface
• Decrypt at the L2 and memory interface
L2
IL1
DL1
Mem
Pipeline 15
Caveats with L2-memory Decryption
• How do we decrypt instructions exclusively? – Tag data vs. instruction
– Track miss requests to figure out if a cache fill is D or I
• Not enough
– Disallow cross-D/I cache fills above
– Why?
16
Simulations show:
• Benchmarks from SPEC CPU 2k6, gem5 SPARC/Linux architecture
• 120-cycle latency for decryption
R%(-62"+C" ?%-.1%& NSPNO& NOPM%2.+A&
EL&.`" i`j`ZkiA" hZhhk" hZhhk"
1)E+I" `A`iZi`l" __Zi_k" hZ_Al"
5++(," igkjZkg`" hZhhi" hZhhk"
+DF" ``l@Zi_h" hZhh_" hZhh_"
0$+8" illkZ_hi" _Zhkj" hZh"
'&E[7$067+" gkjkZhk_" hZh_i" hZh_`"
'E+" _A`AZhk_" hZh" hZh"
/9(,$1(" kAiAZlk`" _Zl@`" hZh`A"17
Implementation – OpenSPARC
MIL
IFQ L1 I-Cache
ITLB
Decode
Pipeline
To LSU
NIR/TIR 2
NIR/TIR 1
NIR/TIR 4
NIR/TIR 3
PC
br-pc/trap-pc
Schedule
From LSU
18
Implementation Simplicity
! Minimal changes to hardware code – For single-key, <5 lines – For page-mode, ~500 lines
! Requires software support too – But software design relatively inexpensive
19
Security Analysis – Protections
• Code Injection Attacks
• BIOS/Boot Protection
• Code Obfuscation
20
Security Analysis – Vulnerabilities
• Does not guarantee integrity – Replay and splicing attacks
– Can be integrated with measures which do
• Still vulnerable to data-driven attacks (e.g., code reuse such as ROP, which executes only existing, validly encrypted code)
• Page-mode ISR requires a trusted OS
21
To conclude:
• Homogeneity bad, diversity good
• ISR provides a scalable and non-disruptive diversifying opportunity
• Developed hardware ISR support for the first time
– Very simple implementation with negligible overheads
22
Questions?
23
1
Defending against Return-Oriented Programming
Vasilis
Pappas, Michalis Polychronakis, Angelos
Keromytis
Columbia University
SPARCHS meeting –
September 6, 2012
2
(Machine Code) Attacks and Defenses
Code Injection
W X
Code Reuse
ASLRReturn-Oriented
Programming?
3
ASLR is not Fully Supported
Executable programs in Ubuntu Linux: only 66 out of 1,298 binaries in /usr/bin [SAB11]
Popular third-party Windows applications: only 2 out of 16 [Pop10]
Even applications that enable ASLR sometimes have statically mapped DLLs
EMET forced randomization
4
Information Leaks Break ASLR [Ser12]
5
Outline
Background
In-place code randomizationIEEE Security & Privacy 2012
kBouncerMicrosoft BlueHat
Prize v1.0 winner!
Future directions
6
!!!!"#$$!!!!!
"#"""""""$!"#$$!!!%!
"#"""""""%!"#$$!!!&!
!"#$$!!!%!
"#""&"""""!"#$$!!!'!
!!!
'()*+(, -+,.
"#/00"""""12+2 .(#3.4!!!
"#/00"""$"12+2 ./#3.4!!!
"#/00"""%"1(,, .(#5 ./#3.4!!!
"#/00"""6"17+8
9./#:5 .(#3.4
.;2
<=4>+?;
.(#
@ $
./#
@ %
.(#
A@ ./#
./#
@ "#&"""""
B./#
@ .(#
7
ROP Defenses
ROPdefender[DSW11]
DROP[CXS+09]
DROP++[CXH+11]
G-Free[OBL+10]
Return-less[LWJ+10]
CFL[BJF11]
Low
Source Code
Input
Hig
h
Runt
ime
Ove
rhea
d
Program Binary
8
In-Place Code Randomization
Software diversification
Applicable on third-party applications
Zero (non-measurable) performance overhead
9
Why In-Place?
Randomization usually changes the code sizeNeed to update the control-flow graph (CFG)
Accurate disassembly of stripped binaries is hardIncomplete CFG (data vs. code)Code resize not an option
Must randomize in-place!
10
Code Transformations
Instruction Substitution
Instruction ReorderingIntra Basic BlockRegister Preservation Code
Register Reassignment
11
Instruction Substitution
7+8
(*5"#$=72
(*5/**.( .(#59./2 "#0":
(,, 9.,#:5.,>3.4
7+8
(*5"#$()*
#+,-+*.( .(#59./2 "#0":
(,, 9.-":5.,>/)0+
1.#*2!"3$4!$!546
C" "$ 6< -6 0D &E 0" E" F0
C" "$ '$ 7$ 0D &E 0" E" F0
12
Instruction Reordering (Intra Basic Block)
!"#$"#%&# &#'()*+*)
,(--()
./+012*( 34*567)*89
0C &$ $"
7+8
.(#59.=#A"#$":
E6
2G;H ./#
0C EI "- 7+8
./#59.=#A"#-:
6C -6 =72
.(#5./#
0I &$ "0 7+8
9.=#A"#0:5.(#
JK &K L*.
"#E=
EI
*089 .#"
"- 6C :; -+,!"'<
-6
;.=
13
Instruction Reordering (Intra Basic Block)
0C &$ $"
7+8
.(#59.=#A"#$":
E6
2G;H ./#
0C EI "- 7+8
./#59.=#A"#-:
6C -6 =72
.(#5./#
0I &$ "0 7+8
9.=#A"#0:5.(#
JK &K L*.
"#E=
&$
>?( .("
$" 0I &$ "0 6C -6-@(
1.(" !"'AA5BC<B6,(+
14
Register Preservation Code Reordering
*089 .#"*089 .8>7+8
./#5.=#*089 .@>7+8
.;>5.,#!!!
*:* .@>*:* .8>*:* .#"3.4
*089 .@>*089 .#"*089 .8>7+8
./#5.=#7+8
.;>5.,#!!!
*:* .8>*:* .#"*:* .@>3.4
'3+*+M
K2>*+M
15
Register Reassignment
.(# .,>N>8. 3.M>+?;
OG?=4>+?12G;H .;>2G;H .,>7+8
.,>59./2A"#0:7+8
.(#59.,>A"#$&:4.;4 .(#5.(#LP
"#&<0"F&"C7+8
./#59./2A"#$":2G;H ./#*.( .=#59./2 "#&:2G;H .=#2G;H .,>=(** .(#!!!
OG?=4>+?12G;H .;>2G;H .,>7+8
.(#59./2A"#0:7+8
.,>59.,>A"#$&:4.;4 .,>5.,>LP
"#&<0"F&"C7+8
./#59./2A"#$":2G;H ./#*.( .=#59./2 "#&:2G;H .=#2G;H .-"=(** .@>!!!
16
Implementation: Orp
Focused on the Windows platformCould be integrated in Microsoft’s EMET
CFG extraction using IDA ProImplicitly used registersLiveness analysis (intra and inter-function)Register categorization (arg., preserved, …)RandomizationBinary rewriting (relocations fixing, …)
17
Evaluation
Correctness and performanceUsed Wine’s extensive test suite with randomized
versions of Windows DLLs
Randomization Coverage
Effectiveness against real-world exploits
Robustness against ROP Compilers
18
Randomization Coverage
Dataset: 5,235 PE files (~0.5GB code) from Windows, Firefox, iTunes, Reader
19
Real-World Exploits
Exploit/Reusable Payload Unique Gadgets Modifiable Combinations
Adobe Reader v9.3.4 11 6 287
Integard
Pro v2.2.0 16 10 322K
Mplayer
Lite
r33064 18 7 1.1M
msvcr71.dll (While Phosphorus) 14 9 3.3M
msvcr71.dll (Corelan) 16 8 1.7M
mscorie.dll
(White Phosphorus) 10 4 25K
mfc71u.dll (Corelan) 11 6 170K
Modifiable gadgets were not always directly replaceable!
20
ROP Compilers
Is it possible to create a randomization-resistant ROP payload?
Using only the remaining non-randomized gadgets
Tested two ROP payload construction tools
mona.py:
constructs DEP+ASLR bypassing codeAllocate a WX buffer, copy shellcode, and jump to it
Q:
state-of-the-art ROP compiler [SAB11]Designed to be robust against small gadget sets
21
ROP Compiler Results
Non-ASLR Code Base MonaOriginal Rand.
QOriginal Rand.
Adobe Reader v9.3.4
Integard
Pro v2.2.0
Mplayer
Lite
r33064
msvcr71.dll
mscorie.dll
mfc71u.dll
Both tools failed to construct ROP payloadsusing non-randomized code!
22
kBouncer
Partial control-flow integrity against ROP
TransparentApplicable on third-party applicationsCompatible with code signing, self-modifying code, JIT, ...
LightweightLess than 5% runtime overhead
EffectivePrevents real-world exploits
23
ROP disrupts the regular call path pattern
Legitimate code: ret
transfers control to the instruction right after the
corresponding call
(legitimate call sites)
ROP code: ret
transfers control to the first instruction of the
next gadget
(arbitrary locations)
Main idea: Runtime monitoring of ret
instructions'
targets
24
Last Branch Record (LBR)
Introduced in the Intel Nehalem architecture
Stores the last 16 executed branches in a set of model-specific registers (MSR)
Can filter certain types of branches (relative/indirect calls/jumps, returns, ...)
Multiple advantagesZero overhead for recording the branchesFully transparent to the running applicationDoes not require source code or debug symbolsCan be dynamically enabled for any running application
25
Monitoring Granularity
Non-zero overhead for reading the LBR cache (accessible only from kernel level)
Lower frequency
lower overhead
ROP code can run at any point
Higher frequency
higher accuracy
26
Monitoring Granularity
Meaningful ROP code will eventually interact with the OS through system calls
Check for abnormal control transfers on system call entry
27
Implementation
Working prototype for Windows 7 x64 SP1. API interception using Detours for PatchGuard
compatibility
Uses only the Windows SDK and DDK (no third-party code)
28
Runtime Overhead
Low overhead (1-6%) even when checking all syscalls
No false positives
Application real/usr/sys time # Call/Ret # SyscallFalse
PositivesOverhead
ms (%)
WM Player '!DC'E!D&CE!D&% '!D$F %G5H ! ''D$ I3JK
InternetExplorer CD&5E!D!3E!D!5 %D4F '5H ! 4D5 I4JK
AdobeReader 5D%%E%D'&E!D&5 '4D'F %!CH ! %$DC I%JK
29
Effectiveness
Successfully prevented two real-world exploits: Adobe Reader (CVE-2010-2883), MPlayer (EDB-ID 17124)
30
31
Future Directions
The limited LBR size (16) might allow for evasion: invoke the syscall through a path of legitimate branches. Because only the last 16 recorded branches are inspected at the system-call check, a payload that finishes with enough legitimate call/return pairs before the syscall would leave no gadget-to-gadget return in the buffer.
Seems hard, but might be possible...
ROP without returns (JOP): characteristic runtime pattern (dispatcher gadget). Could be detected by enabling tracking of all indirect branches, at the cost of more pressure on the LBR cache...
What would be an ideal LBR size?
Other hardware features that could help?
32
Function Call Return Value Profiling
Build profiles of benign program behavior for anomaly detection
Modeling based on a small window of previous function calls and their return values [LSC+08]
Explore the use of LBR or other hardware features for runtime checking
33
Combining control and data flow tracking
Build models of expected behavior based on memory footprints
Causality of data inputs and generated outputsLifetime and interactions of program-specific objectsAccessed memory locations
Control + data flow information
Prototyping using Libdft
(Pin-based DFT)
Explore optimizations based on hardware features
34
REASSURE
Enables software self-healing using rescue pointsRescue points reuse valid error codes returned by functions to handle unforeseen errors
Handles NULL pointer dereference bugs
Transforms fail-stop protection mechanisms to fail once
Generate a rescue point definition after observing an error the first time
Self-contained
35
Future Work on REASSURE
Self-healing kernels
Challenge: achieve low performance overhead
Our approach: Hardware assisted self-healing
Use hardware transactional memory (HTM)Provide checkpoint/rollbackHandle concurrency efficiently
Software transactional self-healing prototype
36
Summary
Return-Oriented Programming is increasingly used in real-world exploits
In-place code randomization and branch target monitoring prevent real exploits
Focus on hardware-assisted runtime detection and protection mechanisms
In-place code randomization prototype (Python) http://nsl.cs.columbia.edu/projects/orp
37
References
[Ser12] Fermin J. Serna. The case of the perfect info leak, 2012. http://zhodiac.hispahack.com/my_stuff/security/Flash_ASLR_bypass.pdf
[SAB11] Edward J. Schwartz et al. Q: exploit hardening made easy. USENIX Security, 2011.
[Pop10] Alin Rad Pop. DEP/ASLR implementation progress in popular third party windows applications, 2010. http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf
[Sha07] Hovav Shacham. The geometry of innocent flesh on the bone: return into libc without function calls (on the x86). CCS, 2007.
[CDD+10] Stephen Checkoway et al. Return oriented programming without returns. CCS, 2010.
[BJFL11] Tyler Bletsch et al. Jump oriented programming: a new class of code reuse attack. ASIACCS, 2011.
[LZWG11b] Kangjie Lu et al. Packed, printable, and polymorphic return oriented programming. RAID, 2011.
[DSW11] Lucas Davi et al. ROPdefender: a detection tool to defend against return oriented programming attacks. ASIACCS, 2011.
[CXS+09] Ping Chen et al. DROP: Detecting return oriented programming malicious code. ICISS, 2009.
[CXH+11] Ping Chen et al. Efficient detection of the return oriented programming malicious code. ICISS, 2011.
[OBL+10] Kaan Onarlioglu et al. G-Free: defeating return oriented programming through gadget-less binaries. ACSAC, 2010.
[LWJ+10] Jinku Li et al. Defeating return oriented rootkits with "return less" kernels. EuroSys, 2010.
[BJF11] Tyler Bletsch et al. Mitigating code reuse attacks with control flow locking. ACSAC, 2011.
[LSC+08] Michael E. Locasto et al. Return value predictability for self-healing. IWSEC 2008.
38
/GOO.39: ;(8., KQ'RRRRS#F<S#"JS#EIS#K0S#TTS#TTS#TTS#TTS#-$ &"""C$%<2(,,>?M
.;2
!!!&"""C$%< L72
.8*!!!
;+7.!,**
S#F<S#"JS#EIS#K0S#TT
Code Injection
!!!&"""C$%< L72
.-"!!!
;+7.!,**
.(#
&"""C$%<
39
NX
W^X, PaX, Exec Shield, DEP
x86 support introduced by AMD, followed by IntelPentium 4 (late models)
DEP introduced in XP SP2 (hardware-only)Applications can opt-in (SetProcessDEPPolicy() or /NXCOMPAT)
&"""C$%<S#F<S#"JS#EIS#K0S#TTS#TTS#TTS#TTS#-$
40
U/>?U;H
Ret2libc ROP
ret2libc [Solar Designer ’97]
V.#.=8.2(,,>?M O(W. 3.4
.;2
(3M$VOG?=% O(W. 3.4(3M$VOG?=$ *:*L *:*L ;.= (3M%
.;2
ret2libc chaining [Nergal
’01]
41
Ret2libc ROP
Borrowed code chunks technique [Krahmer
’05]
Pass function arguments through registers (IA-64)
"#""""""""""&""(0%1
2+2 X3/#"#""""""""""&""(061
3.4Y
"#""""%(((((=J&6,E1
7+8
X3/#5X;-"
M8N8=.)"#""""%(((((=J&6,01
(,, Z"#."5X3;2"#""""%(((((=J&6,O1
2+2 X3/#"#""""%(((((=J&6."1
3.4Y
"#""""%(((((=E"/O&1
7+8
X3;25X;@>
E#>?E89"#""""%(((((=E"/OJ1
=(**Y
BX.(#
Return-oriented programming [Shacham
’07]
Turing-complete return-oriented “shellcode”Jump-oriented programming [Shacham
’10]
42
Current State of ROP exploits
First-stage ROP code for bypassing DEP: allocate or set W+X memory (VirtualAlloc, VirtualProtect, …), copy the embedded shellcode into the newly allocated area, execute!
The complexity of ROP exploit code increases… New anti-ROP features in EMET; ROP exploit mitigations in Windows 8
The embedded shellcode can be concealedROP-based unpacker
[Lu ’11]
43
Modifiable Gadgets
44
Impact on Broken Gadgets’
Instructions
45
Randomization Entropy for Broken Gadgets
WHISK: Dynamic Information Flow Tracking for Heterogeneous Systems
Joël Porquet and Simha Sethumadhavan
D04;,E-+'F*-C91<-:)'G'HIJIKLML'
Outline
• Introduction – Dynamic Information Flow Tracking (DIFT) – Heterogeneous systems
• Related work – Tag management
• The WHISK architecture • Implementation and (a few) results • Conclusion
DIFT • Since almost a decade, many hardware approaches
• Core principle – Taint data from untrusted sources
• Extra tag bit per byte/word – Propagate taint during program execution
• Operation on tainted data produces a tainted result – Check spurious uses of tainted data
• Code execution
• Detection of low-level up to high-level attacks (and to some extent information leakage)
DIFT – Example
• Simple buffer overflow attack
!"#$%&"'#!("$)'*+,$-%"+./0$1$$$'*+,$2&%345678$$$9:;<$-=,'8$$$$=,'$>$%(?/")%"+./@$A,B08$$$$C*!D/$)%E/#=)2&%@$FG4H@$=,'00$1$$$$$I$$$J$$$$,/#&,"$G8$J$
return address
buf[256]
Malicious input data attack
DIFT – conceptual implementation
I-cache
CPU
D-cache
Ifetch | Tag check (1)
Decode | Policy Decode
RF data access | RF tag access
Execute – ALU | Tag propagation
Memory (read/write) | Tag Memory (read/write)
– | Tag check (2)
WB | Tag WB | Memory
Heterogeneous systems
• Embedded systems – Energy-efficiency concerns – Dedicated asymmetric processors – Accelerators
• Commodity systems – Performance concerns – GPGPU – Accelerators (crypto, etc.)
DIFT for heterogeneous systems
• Mainly peripheral devices so far – Sources or sinks, binary access control by software
• What about accelerators? – Memory-to-memory models – Should be integrated into the DIFT infrastructure
Related work – "Integrated" scheme: Data extension with tags
• Pros: – Low complexity – Consistency by default – Easy access for accelerators
• Cons: – Non-standard memory banks, special CPU instructions
– High area overhead (wasteful in most cases)
[Minos, Raksha]
CPU
Caches
Memory
Related work – "Decoupled" scheme: Separation of data and tags • Pros:
– Low area overhead • Cons:
– High complexity – Consistency must be addressed specifically
– Difficult to adapt for accelerators
[Suh/DIFT, Flexitaint, Kannan/Copro, Deng/FPGA]
CPU
Caches
Memory
The WHISK architecture
• How to get the best of both schemes? – Low area overhead – Low complexity
• Hybrid scheme – "Decoupled" storage – "Integrated" interfaces
WHISK – Low area overhead
• Decoupled scheme – Page-table structure • First level: page granularity • Second level: (on-demand) word granularity
– Physical address space
Tag page-table
Data
Memory
WHISK – Low complexity
• Integrated interfaces – Processors – Accelerators
D?F'
?D'-*<:'
j':+8'
j'A+:+'
j':+8'
:+8' :+8'
^..9491+:01'
j'(-'
j'(0'
6-' 60'
WHISK – Tag management (1)
• At platform level | Tag page-table
Data
Memory
Memory controller
sPTPR
System Interconnect | sTLB
• Optimizations?
WHISK – Tag management (2)
• Processors | CPU
inst | data
I-cache | D-cache
• sTLBs – Exploit page granularity – Handle page refinement | I-sTLB D-sTLB
sPTPR
WHISK – Tag management (2)
• Processors | CPU
inst | data
I-cache | D-cache
• sTLBs – Exploit page granularity – Handle page refinement | I-sTLB D-sTLB
• Separate tag caches – Lower area
• Communication protocol – NONE, WITH, ONLY
sPTPR
WHISK – Tag management (3)
• Accelerators
• sTLB
• Serializer/Deserializer
• Page refinement
Accelerator
Wrapper
sTLB + sPTPR | INT
WHISK – Tag management (4)
• sTLBs – sTLB-p – sTLB-w
• Software support – Page table – PTPRs – Page refinement – Tag policies
CPU
Memory
Memory Controller
caches
T-caches
sTLBs-p sTLB-w
Accelerator
sTLB-p
Implementation • Hardware
– Based on the SoCLib simulation framework – MIPS processor (single-issue pipeline) – Write-back caches – Directory-based coherence protocol – No virtual memory – Crossbar interconnect
– SystemC – BCA
• Software – MutekH: dedicated kernel for embedded systems
DIFT full system
CPU
Memory
Memory Controller
caches
T-caches
sTLBs-p sPTPR
LZSS
sTLB-p
sTLB-w
sPTPR
AES
sTLB-p sPTPR
DMA
sTLB-p sPTPR
sPTPR
Kernel | libstag
application
system interconnect
ICU
Evaluations • Set of software benchmarks
– Multimedia-oriented, data-intensive – cjpeg, minimad, xvid_enc, xvid_dec
• Set of hardware micro-benchmarks – Input buffer (256 pages) -> accelerator -> output buffer
• Baseline performance loss – DIFT infrastructure is active but unused
• Price of security vs. "degree" of security
Baseline – software applications
Baseline – accelerators
DIFT – software applications
DIFT – accelerators
Conclusion • DIFT as a hardware security primitive
– Full-system DIFT – Seamless integration of our DIFT platform backbone with past research
• Negligible performance loss when not utilizing tagging • (Expected) linear correlation between the price of the security and the
amount of tagging
• Short-term future work: – Bug fixing – Finish simulations – Multi-processor system
• Long-term future work: – Externally managed DIFT system
Embedded System Exploitation and Defense CRASH Site Visit
September 6, 2012
Ang Cui Columbia IDS Lab
Salvatore J. Stolfo Columbia IDS Lab
Autotomic Binary Structure Randomization (ABSR)
Lessons Learned From HP RFU Vulnerability • Legit Features can be serious vulnerabilities • Legit Features can’t always be disabled
So!
• “disable” all unused “features” to reduce attack surface • Turn unused code into dead-code
• Dead-code can be used for defense • Binary randomization, re-structuring • ROP/Return-to-Lib detection
Autotomic Binary Structure Randomization (ABSR)
So!
• “disable” all unused “features” to reduce attack surface • AUTOTOMIC
• Dead-code can be used for defense • BINARY STRUCTURE RANDOMIZATION
Post-ABSR Symbiote Organization
!Symbiotes in Self-Monitoring-Monitors Configuration!
!
Autotomic Binary Structure Randomization (ABSR) STATUS
!Initial Proof of Concept implementation
Autotomic Binary Structure Randomization
(ABSR) STATUS
!Presentation to Symantec, HP Several Provisional patent filing Michael Costello hired as FTE Paper under review BlackHat/Defcon presentations Red Balloon Security Inc. founded www.redballoonsecurity.com
PEREGRINE: Efficient Deterministic Multithreading
through Schedule Relaxation
Heming Cui, Jingyue Wu,
John Gallagher, Huayang Guo, Junfeng Yang
Software Systems Lab, Columbia University
Nondeterminism in Multithreading
• Different runs → different behaviors, depending on thread schedules
• Cause lots of problems – Data race – Security exploit [HotPar '12] – …
Thread 0 Thread 1
Apache Bug #21287
Thread 0 Thread 1
mutex_lock(M) *obj = … mutex_unlock(M)
mutex_lock(M) free(obj) mutex_unlock(M)
mutex_lock(M) *obj = … mutex_unlock(M) mutex_lock(M)
free(obj) mutex_unlock(M)
Nondeterministic Synchronization
Thread 0 Thread 1
FFT in SPLASH2
…… barrier_wait(B) print(result)
…… barrier_wait(B) result += …
Thread 0 Thread 1
…… barrier_wait(B) print(result)
…… barrier_wait(B) result += …
Data Race
Deterministic Multithreading (DMT)
• Same input → same schedule – Addresses many problems due to nondeterminism
• Existing DMT systems enforce either of – Sync-schedule: deterministic total order of sync operations (e.g., lock()/unlock())
– Mem-schedule: deterministic order of shared memory accesses (e.g., load/store)
Thread 0 Thread 1
FFT in SPLASH2
…… barrier_wait(B) print(result)
…… barrier_wait(B) result += …
Thread 0 Thread 1
…… barrier_wait(B) print(result)
…… barrier_wait(B) result += …
Sync-schedule
• [TERN OSDI '10], [Kendo ASPLOS '09], etc. • Pros: efficient (16% overhead in Kendo) • Cons: deterministic only when there are no races – Many programs contain races [Lu ASPLOS '08]
Thread 0 Thread 1
Apache Bug #21287
Thread 0 Thread 1
mutex_lock(M) *obj = … mutex_unlock(M)
mutex_lock(M) free(obj) mutex_unlock(M)
mutex_lock(M) *obj = … mutex_unlock(M) mutex_lock(M)
free(obj) mutex_unlock(M)
Mem-schedule
• [COREDET ASPLOS '10], [dOS OSDI '10], etc. • Pros: deterministic despite data races • Cons: high overhead (e.g., 1.2–10.1X slowdown in dOS)
Thread 0 Thread 1
FFT in SPLASH2
…… barrier_wait(B) print(result)
…… barrier_wait(B) result += …
Thread 0 Thread 1
…… barrier_wait(B) print(result)
…… barrier_wait(B) result += …
Open Challenge [WODET '11]
• Either determinism or efficiency, but not both
Type of Schedule | Determinism | Efficiency
Sync | ✗ | ✓ — Mem | ✓ | ✗
Can we get both?
Yes, we can!
Type of Schedule | Determinism | Efficiency
Sync | ✗ | ✓ — Mem | ✓ | ✗
PEREGRINE | ✓ | ✓
PEREGRINE Insight
• Races rarely occur – Intuitively, many races → already detected – Empirically, six real apps → up to 10 races occurred
• Hybrid schedule – Sync-schedule in the race-free portion (major) – Mem-schedule in the racy portion (minor)
PEREGRINE: Efficient DMT
• Schedule relaxation – Record execution trace for a new input – Relax the trace into a hybrid schedule – Reuse on many inputs: deterministic + efficient
• Reuse rate is high (e.g., 90.3% for Apache, [TERN OSDI '10]) • Automatic using new program analysis techniques
• Run in Linux, user space • Handle Pthread synchronization operations • Work with server programs [TERN OSDI '10]
Summary of Results • Evaluated on a diverse set of 18 programs
– 4 real applications: Apache, PBZip2, aget, pfscan – 13 scientific programs (10 from SPLASH2, 3 from PARSEC) – Racey (popular stress testing tool for DMT)
• Deterministically resolve all races
• U`F$)%8V"plb"2.78)0"8+"l_b"7/+6)0"
• 48.;/)V"20)k()%8/'"0)(7)"7F,)@(/)7"2+0"_"E0+&0.97"– A.%'";)%)o87V")W&W!"0)(7)"&++@"7F,)@(/)7"HRUP?"[4C\"JK]M"
[(8/$%)
• !"#"$#%&"(;D,0D+,E(• T%")G.9E/)"• U>./(.B+%"• <+%F/(7$+%"• q(8(0)"6+0X"
IUPU-P\?U"[>)0>$)6
%-2.051,-.;0(
FFG4(
#,*;09,0(
H<(
!0;:081(
<*7,956,(?8*7,
89:;<
I?+J(<+K
!0;:081(<;50*,(
4+22 >+.
I?J<K"=,*53;-(@08*,2
I?LJ(<LK(M(
I?-J(<-K
89:;<J(<+89:;<
#,B68A,0(
H<(
!0;:081(
N-86AO,0(
48.*7P
[(8/$%)
• IUPU-P\?U"+>)0>$)6"• N-(,=81B6,(
• U>./(.B+%"• <+%F/(7$+%"• q(8(0)"6+0X"
T%"UG.9E/)!"#$%"&'()*(+"&*,"&'-./0*1***$2+&3"4*5*"26#%"&'-.7/08***9#:3*5*"26#%"&'-.;/08***<6&%#578*#=$2+&3"48*>>#0*****?2+&3"4@(&3"23%A6&B3&08***A6&B3&%08******#<*%%<C"'5"26#%"&'-.D/005570*****&39EC2*>5*F8***?&#$2<%GH4I$J)*&39EC208*K*A6&B3&%0*1***(+"&*,4"2"8***4"2"*5*!"CC6(%9#:3L$2+&3"408***<6&%#5M8*#=9#:3L$2+&3"48*>>#0*****4"2".#/*5*!NO3"4%#08****?2+&3"4@!E23P@C6(B%Q!E23P08***&39EC2*>5*F8***?2+&3"4@!E23P@E$C6(B%Q!E23P08*K*
LL*O3"4*#$?E2R*
LL*S&3"23*(+#C4&3$*2+&3"49R*
LL*O3"4*<&6!*G&39EC2JR*
LL*T*26*G&39EC2JR*
LL*UCC6("23*4"2"*A#2+*G9#:3L$2+&3"4JR*
LL*O3"4*4"2"*<&6!*4#9B*"$4*(6!?E23R*LL*V&"W*!E23PR*
LL*T6&BR*LL*X#99#$'*?2+&3"4@Y6#$%0*
LL*#<*G<C"'J*#9*7)*E?4"23*G&39EC2JR*
\%780(9)%8+0!"#$%"&'()*(+"&*,"&'-./0*1*!!"#$%&'(!)!'#*+,'%-./0123!!!4+5&!)!'#*+,'%-./6123!**<6&%#578*#=$2+&3"48*>>#0*****?2+&3"4@(&3"23%A6&B3&08***A6&B3&%08***LL*X#99#$'*?2+&3"4@Y6#$%0***#<*%%<C"'5"26#%"&'-.D/005570*****&39EC2*>5*F8***?&#$2<%GH4I$J)*&39EC208*K*A6&B3&%0*1***(+"&*,4"2"8***4"2"*5*!"CC6(%9#:3L$2+&3"408***<6&%#5M8*#=9#:3L$2+&3"48*>>#0*!!!!('#'/+1!)!789&'(,+23!!**?2+&3"4@!E23P@C6(B%Q!E23P08***&39EC2*>5*F8***?2+&3"4@!E23P@E$C6(B%Q!E23P08*K*
LL*Z$92&E!3$2*(6!!"$4*C#$3*"&'E!3$29R*
LL*Z$92&E!3$2*&3"4%0*<E$(2#6$*A#2+#$*!NO3"4%0R*
\%780(9)%8+0!"#$%"&'()*(+"&*,"&'-./0*1***"#$%&'(!)!'#*+,'%-./0123!!!4+5&!)!'#*+,'%-./6123!**<6&%#578*#=$2+&3"48*>>#0*!!!!:#$%&'(;<%&'#&,=*%>&%23!**A6&B3&%08***LL*X#99#$'*?2+&3"4@Y6#$%0***#<*%%<C"'5"26#%"&'-.D/005570*****&39EC2*>5*F8***?&#$2<%GH4I$J)*&39EC208*K*A6&B3&%0*1***(+"&*,4"2"8***4"2"*5*!"CC6(%9#:3L$2+&3"408***<6&%#5M8*#=9#:3L$2+&3"48*>>#0*!!!!('#'/+1!)!789&'(,+23!!!!:#$%&'(;7?#&@;A*<>,B7?#&@23!**&39EC2*>5*F8*!!:#$%&'(;7?#&@;?"A*<>,B7?#&@23!K*
LL*Z$92&E!3$2*(6!!"$4*C#$3*"&'E!3$29R*
LL*Z$92&E!3$2*&3"4%0*<E$(2#6$R*
LL*Z$92&E!3$2*9N$(+&6$#:"2#6$*6?3&"2#6$R*
LL*Z$92&E!3$2*9N$(+&6$#:"2#6$*6?3&"2#6$R*
LL*Z$92&E!3$2*9N$(+&6$#:"2#6$*6?3&"2#6$R*
""""""rWY.W+(8""L""L""]""""""""""""""""""""P)F+0@)0!"#$%"&'()*(+"&*,"&'-./0*1***$2+&3"4*5*"26#%"&'-.7/08***9#:3*5*"26#%"&'-.;/08***<6&%#578*#=$2+&3"48*>>#0*****?2+&3"4@(&3"23%A6&B3&08***A6&B3&%08***LL*X#99#$'*?2+&3"4@Y6#$%0***#<*%%<C"'5"26#%"&'-.D/005570*****&39EC2*>5*F8***?&#$2<%GH4I$J)*&39EC208*K*A6&B3&%0*1***(+"&*,4"2"8***4"2"*5*!"CC6(%9#:3L$2+&3"408***<6&%#5M8*#=9#:3L$2+&3"48*>>#0*****4"2".#/*5*!NO3"4%#08****?2+&3"4@!E23P@C6(B%Q!E23P08***&39EC2*>5*F8***?2+&3"4@!E23P@E$C6(B%Q!E23P08*K*
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
**?&#$2<%F)&39EC20*
""""""rWY.W+(8""L""L""]""""""""""""""""""""P)F+0@)0
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
**?&#$2<%F)&39EC20*
T%./'O)0V"1';0$@"4F,)@(/)
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
!!:#$%&'(;<%&'#&,2!
!!!!A*<>,2!
!!!!?"A*<>,2!!!!!A*<>,2!
!!!!?"A*<>,2!
[+&3"4*7*[+&3"4*M*
**?&#$2<%F)&39EC20*
T%./'O)0V"1';0$@"4F,)@(/)
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
!!:#$%&'(;<%&'#&,2!
!!!!A*<>,2!
!!!!?"A*<>,2!!!!!A*<>,2!
!!!!?"A*<>,2!
[+&3"4*7*[+&3"4*M*
!!!
!!!!%&4?A#C)D3!
!!!!%&4?A#C)D3!
!!:%+"#E,DF%&4?A#2!
**?&#$2<%F)&39EC20*
T%./'O)0V"1';0$@"4F,)@(/)
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
!!:#$%&'(;<%&'#&,2!
!!!!A*<>,2!
!!!!?"A*<>,2!!!!!A*<>,2!
!!!!?"A*<>,2!
[+&3"4*7*[+&3"4*M*
!!:%+"#E,DF%&4?A#2!
!!!!%&4?A#C)D3!
T%./'O)0V"1';0$@"4F,)@(/)
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
!!:#$%&'(;<%&'#&,2!
!!!!A*<>,2!
!!!!?"A*<>,2!!!!!A*<>,2!
!!!!?"A*<>,2!
[+&3"4*7*[+&3"4*M*
!!:%+"#E,DF%&4?A#2!
!!!!%&4?A#C)D3!
**?&#$2<%F)&39EC20*
"""""""""""""""""""""""""""""""""T%./'O)0V"I0)F+%@$B+%
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
**?&#$2<%F)&39EC20*
""<,.//)%&)7"– U%7(0)"7F,)@(/)"$7"2).7$;/)"– U%7(0)"%+"%)6"0.F)7"
!!:#$%&'(;<%&'#&,2!!!!!A*<>,2!!!!!?"A*<>,2!
!!!!A*<>,2!
!!!!?"A*<>,2!
[+&3"4*7*[+&3"4*M*
!!:%+"#E,DF%&4?A#2!
!!!!%&4?A#C)D3!
WY.W+(8""L""L""]
1';0$@"4F,)@(/)
!"#$%"&'()*(+"&*,"&'-./0*1***$2+&3"4*5*"26#%"&'-.7/08***9#:3*5*"26#%"&'-.;/08***<6&%#578*#=$2+&3"48*>>#0*****?2+&3"4@(&3"23%A6&B3&08***A6&B3&%08***LL*X#99#$'*?2+&3"4@Y6#$%0***#<*%%<C"'5"26#%"&'-.D/005570*****&39EC2*>5*F8***?&#$2<%GH4I$J)*&39EC208*K*FF*
?.s>)"TEE0+.F,"8+"<+9E(B%&"I0)F+%@$B+%7
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
**%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
"#$%&'())6!
4+5&))6!
!!,0G"#$%&'(2))0!
!!,6G"#$%&'(2))H!
!!!!,HG4+5&I"#$%&'(2))0!
!!!!,0G4+5&I"#$%&'(2))H!
!!!!,HG4+5&I"#$%&'(2))0!
!!!!,0G4+5&I"#$%&'(2))H!
**?&#$2<%F)&39EC20*!!,EA'-))02))H!
EA'-J)0!
T%./'O)0V"I0)F+%@$B+%7"Q."?.s>)"*.'S
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0*!!,0G"#$%&'(2))0!**?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*!!!!,HG4+5&I"#$%&'(2))0!****4"2".#/5!NO3"4%0*!!!!,0G4+5&I"#$%&'(2))H!
**,EA'-))02))H!
!!,6G"#$%&'(2))H!
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*!!!!,HG4+5&I"#$%&'(2))0!****4"2".#/5!NO3"4%0*!!!!,0G4+5&I"#$%&'(2))H!
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0* • I0+;/)9V"+>)0ZF+%780.$%$%&g"– &5=("9(78";)"L"8+"0)(7)"
• T;7+0;)@"9+78"+2"+(0";0.$%"E+6)0"$%"8,$7"E.E)0g"
• 4+/(B+%V"86+"%)6"E0+&0.9".%./'7$7"8)F,%$k()7t"7))"E.E)0"
"#$%&'())6!
4+5&))6!
EA'-J)0!
**?&#$2<%F)&39EC20*
T%./'O)0V"I0)F+%@$B+%7
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
!!%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
"#$%&'())6!
!!,0G"#$%&'(2))0!
!!,6G"#$%&'(2))H!
!!,EA'-))02))H!
EA'-J)0!
**?&#$2<%F)&39EC20*
WY.W+(8""L""K]]]""j"""""""""""""P)E/.')0
"#$%&'())6!
EA'-J)0!
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557***?2+&3"4@(&3"23%0*
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
!!%<C"'557055M*
**%;=$2+&3"4055M*
[+&3"4*M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
****C6(B%0*****&39EC2>5F8*****E$C6(B%0*
!"#$%0*
**A6&B3&%0*
!!:#$%&'(;<%&'#&,2!!!!!A*<>,2!!!!!?"A*<>,2!
!!!!A*<>,2!
!!!!?"A*<>,2!
[+&3"4*7*[+&3"4*M*
!!:%+"#E,DF%&4?A#2!
!!!!%&4?A#C)D3!
1';0$@"4F,)@(/)
**?&#$2<%F)&39EC20*
I0)F+%@$B+%7
m)%)o87"+2"IUPU-P\?U
[+&3"4*7*
**$2+&3"45"26#%0***9#:35"26#%0***%7=$2+&3"40557*!!:#$%&'(;<%&'#&,2!
**A6&B3&%0*****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
!!,EA'-))02))H!
**%;=$2+&3"4055M*
[+&3"4*M*
!!!!A*<>,2!****&39EC2>5F8*!!!!?"A*<>,2!
****4"2"5!"CC6(%0*****%M=9#:3L$2+&3"40557*****4"2".#/5!NO3"4%0*****%7=9#:3L$2+&3"4055M*
!!!!A*<>,2!!!!!%&4?A#C)D3!!!!!?"A*<>,2!
!"#$%0*
**A6&B3&%0*
!!,0G"#$%&'(2))0!
!!,6G"#$%&'(2))H!
• K&#&%7+"+4#+<L!&396C-3*&"(3*6$*!"#$%&8*$6*$3A*4"2"*&"(39'
• MEE+<+&"#\*C66?9*6$*()&)*+'&E$*#$*?"&"CC3C*
• N#'OA&*.[]O^*_`aZ*b7M/\*("$*&3E93*6$*"$N*4"2"*9#:3*6&*(6$23$29*
• _2+3&*"??C#("2#6$9*?699#WC38*2"CB*26*E9c*
!!:%+"#E,DF%&4?A#2!
[(8/$%)
• IUPU-P\?U"+>)0>$)6"• T%")G.9E/)"• "D86583;-(• <+%F/(7$+%"• q(8(0)"6+0X"
-)%)0./"UGE)0$9)%8"4)8(E• I0+&0.9Z6+0X/+.@"
– NB8*7,V"@+6%/+.@"."K]]^m",89/"E.&)"(7$%&"TE.F,)m)%F,"– !QR+BSV"F+9E0)77"."K]Am"o/)"– N:,.V"@+6%/+.@"/$%(GZjW]WKW8.0W;OL!"uuAmW"– !C2*8-V"7F.%"X)'6+0@"v0)8(0%w"K]]"o/)7"20+9"&FF"E0+h)F8"– LT(2*+,-3U*(V,-*7180W2"QK]"20+9"4I:T41L!"j"20+9"ITP4U<SV"0(%"2+0"KZK]]"97"
– #8*,AV"@)2.(/8"6+0X/+.@"
• A.F,$%)V"LWau-1O"@(./Z7+FX)8"k(.@ZF+0)"\%8)/"e)+%"9.F,$%)"Q)$&,8"F+0)7S"6$8,"Ll-m"9)9+0'"
• <+%F(00)%F'V")$&,8"8,0).@7"2+0".//")GE)0$9)%87"
C)8)09$%$79
!0;:081 X(#8*,2 <A-*Y2*7,956,
>AV0+9(2*7,956,
NB8*7, Z $ $
!QR+BS [ # $
V80-,2 \ # $
] LZ # $
65Y-;-Y*;-3: LZ # $
2.0,81*652.,0 Z $ $
08*,A L^_`_[ # $
[>)0,).@"$%"P)(7$%&"4F,)@(/)7
b"+2"\%780(FB+%7":)5"$%"8,)"R0.F)
<+%F/(7$+%
• 1';0$@"7F,)@(/)V"F+9;$%)"8,)";)78"+2";+8,"7'%FZ7F,)@(/)".%@"9)9Z7F,)@(/)7"
• IUPU-P\?U"– 4F,)@(/)"0)/.G.B+%"8+"F+9E(8)",';0$@"7F,)@(/)7"– C)8)09$%$7BF"Q9.X)".//"u"0.F'"E0+&0.97"@)8)09$%$7BFS"
– U`F$)%8"Qplb"2.78)0"8+"l_b"7/+6)0S"– 48.;/)"Q20)k()%8/'"0)(7)"7F,)@(/)"2+0"_"+(8"+2"KuS"
q(8(0)"*+0X
• <,)FX"F0$BF./"7'78)9"0(/)7"– "C)8)F8)@"KKj"7'78)9"0(/)">$+/.B+%7"20+9"6$@)/'"(7)@":$%(G"(B/$B)7"
– K]"7)0$+(7"@.8."/+77")00+07"$%"6$@)/'"(7)@"(B/$B)7"6$8,"L"F+%o09)@";'"@)>)/+E)07"
• 4E))@(E"@$780$;(B+%"7'78)97"9+@)/"F,)FX$%&"
• 4(EE+08"[E)%AI"
P)/.8)@"*+0X"
• C)8)09$%$7BF"UG)F(B+%"– H-0.F)"[[I4:T"J]_M!"H^)%@+"T4I:[4"J]_M!"HCAI"T4I:[4"J]_M!"H<[PUCUR"
T4I:[4"JK]M!"H@[4"[4C\"JK]M!"HC)8)09$%.8+0"[4C\"JK]M!"H@8,0).@7"4[4I"JKKM"
• C)8)09$%$7BF"P)E/.'"– HP)x$08"[4C\"J]LM"!"H4AIZP)x$08"xUU"J]cM!"H<.E+"T4I:[4"J]_M!"HIPU4"4[4I"
J]_M!"H[CP"4[4I"J]_M!"H4F0$;)"4\-AURP\<4"JK]M"
• <+%F(00)%F'"U00+07"– HU0.7)0"R[<4"J_uM!"HP.F)G"4[4I"J]jM!"HP.F)R0.FX"4[4I"J]pM!"HT>$+"T4I:[4"
J]aM!"H:(")/"T4I:[4"J]cM!"H<R0$&&)0"T4I:[4"J]_M"
• 4'9;+/$F"UG)F(B+%"– H<=RU"q4UZKjM!"HUeU"<<4"J]aM!"H3.%&")/"4I"J]aM!"Hm+(%F)0"4[4I"J]uM!"H^:UU"
[4C\"J]cM!"H<.780+")/"T4I:[4"J]cM"
R,.%X"'+(g"y()7B+%7f
Liberty Architecture
Jordan Fix Soumyadeep Ghosh
Advisor: David I. August
!"#$%&'($)*$#+&",#'-)
• !"#$%&'"()*+%&(,-%&%+"./%0&1"02&%3%(4#,+&&
• 5*()%6&%376%00*,+&,1&2)%&76,86"'&'%"+0&%"0*%6&"+-&.%9%6&"+"/:0*0&1,6&0%(46*2:;&,7#'*<"#,+;&7"6"//%/*<"#,+;&%2(=&
>)%&?*.%62:&@6()*2%(246%&(,'.*+%0&2)%&.%02&,1&.,2)&
!"#$%&'(#)*+,-* .%"/0#)*1#23%(4*5'$4*
A3%(4#,+&>:7%& !"#$%& B+2%676%2%-&
A3%(4#,+&C7%%-& D"02& C/,E&
@+"/:<".*/*2:& ?,E& F*8)&
G7#'*<".*/*2:& ?,E& F*8)&
C"1%2:& H+0"1%& C"1%&
I&
JG@?K&5%2)*+L&"6()*2%(246%&-%0*8+&2,&"()*%$%&0%(46*2:;&/,+8%$*2:;&7%61,6'"+(%&40*+8&2)%&'*+*'"/&0%2&,1&1%"246%0&
C%(46*2:&– M,+26,/&N,E&"+-&-"2"&*+2%86*2:&O2)*0&2"/LP&
?,+8%$*2:&&– 5%02,6%0&2)%&".026"(#,+&.6,L%+&.:&Q4/#(,6%&"+-&JRH0&– C:02%'&*0&76,$*-%-&"//&40%14/&76,86"'&*+1,6'"#,+&– R6,86"'&*+1,6'"#,+&("+&.%&40%-&*+&+%E&"6()*2%(246%&7"6"-*8'0&O*=%=&6%(,+S846"./%P&
R%61,6'"+(%&&– T:+"'*(&,7#'*<"#,+&– C'"62&6%07,+0%&2,&-:+"'*("//:&()"+8*+8&40%6&6%U4*6%'%+20V&"+-&2,&*+742&0%2&$"6*"#,+&
W&
V@64+&5"'"+;&@:"/&X"L0;&Y"%&Z=&?%%;&T"$*-&B=&@48402=&R"6("%K&"&0:02%'&1,6&N%3*./%&7"6"//%/&%3%(4#,+=&R?TB&[\I=&
• A37/*(*2&M,+26,/&D/,E&
• A37/*(*2&T"2"&T%7%+-%+(%0&
]&
6789+5+!*5:;!<:9*=9:>*
^&
/* Slide example: a fixed 26-byte stack buffer filled by gets(), which reads
 * until newline with no length bound (gets() was removed from the language
 * in C11 for exactly this reason). Input longer than 25 bytes plus NUL
 * overruns str; the adjacent slide frames show the overrun reaching the
 * saved return address. Bounded reads (fgets with sizeof str) are the fix
 * the rest of the talk's control-flow-integrity discussion assumes. */
void Callee(){. . .char str[26];gets(str); /* unbounded read into a 26-byte buffer */. . .return;
}
Ret: . . . . . .
Caller: . . . call Callee
str[0]
str[1]
. . .
str[24]
str[25]
return address = Cont
. . .
Top of Stack
= ‘a’&
= ‘b’&
= ‘y’&
= ‘z’&
malicious&
malicious .&mal:. . .
. . .
Callee: . . . return
_&
Caller: . . . cblk Callee
. . . . . .
Callee: . . . . . .
str[0]
str[1]
. . .
str[24]
str[25]
. . .
Top of Stack
= ‘a’&
= ‘b’&
= ‘y’&
= ‘z’&
malicious .&mal:. . .
. . .
`&
/* Same Callee as above (slide repeated for the animation): gets() has no
 * length bound, so input longer than 25 bytes plus NUL overruns str and,
 * per the surrounding frames, reaches the saved return address. */
void Callee(){. . .char str[26];gets(str); /* unbounded read into a 26-byte buffer */. . .return;
}
M,+026"*+0&M,+26,/&D/,E&2,&MDJ&
R6,2%(20&T"2"&B+2%86*2:&
C%7"6"2%&R6,2%(2%-&5%246+&C2"(L&
!,&C,aE"6%&54+#'%&G$%6)%"-&
M,-%&G68"+*<%-&B+2,&R"6"//%/*<"./%&b/,(L0&
?*.%62:& c%0& c%0& c%0& c%0& c%0&
Q,+-6*3&d\e& !,& c%0& c%0& !,& !,&
MDB&dIe& c%0& !,& !,& !,& !,&
CDB&dWe& c%0& c%0& !,& !,& !,&
fDB&d]e& c%0& c%0& c%0& !,& !,&
fDBgFZ&d^e& c%0& c%0& c%0& c%0& !,&
Q*+,0&d_e& c%0& c%0& !,& c%0& !,&
>5BRC&d`e& !,& !,& !,& c%0& c%0&
\= A''%9&Z*2()%/;&%2&"/=&Q,+-6*3K&'%',6:&*0,/"#,+&1,6&/*+43&40*+8&',+-6*""+&'%',6:&76,2%(#,+=&CGCR&hi^=&I= Q"6#+&@."-*;&%2&"/=&M,+26,/gN,E&*+2%86*2:=&MMC&hi^=&W= Q*)"*&b4-*4;&%2&"/=&@6()*2%(246"/&0477,62&1,6&0,aE"6%g."0%-&76,2%(#,+=&@CBT&hi_=&]= j/1"6&A6/*+800,+;&%2&"/=&&fDBK&0,aE"6%&84"6-0&1,6&0:02%'&"--6%00&07"(%0=&GCTB&hi_=&^= T"$*-&C%)6;&%2&"/=&@-"7#+8&0,aE"6%&1"4/2&*0,/"#,+&2,&(,+2%'7,6"6:&MRH&"6()*2%(246%0=&B+&R6,(%%-*+80&,1&2)%&\k2)&HCA!Bf&
(,+1%6%+(%&,+&C%(46*2:=&HCA!Bf&C%(46*2:h\i=&_= Y%-*-*")&5=&M6"+-"//;&%2&"/=&Q*+,0K&M,+26,/&T"2"&@9"(L&R6%$%+#,+&G62),8,+"/&2,&Q%',6:&Q,-%/=&QBM5G&hi]=&`= @"6,+&C'*2);&%2&"/=&M,'7*/*+8&1,6&ATJA&@6()*2%(246%0=&MJG&hi_=&
l&
;:;?5:;!<:9*@-!-*-!!-5A,*-;@*><+!6*+;!6B<+!C*
k&
7"00E,6-dke&
7"00E,6-die&
F*8)&"--6%00&
7"00E,6-&
"42),6*<%&
?,E&"--6%00&
i&i&i&i&
/* Slide example of a data-only (non-control-flow) memory-safety bug.
 * Returns 1 when authorize is non-zero, 0 otherwise; nothing visible in the
 * function ever sets authorize, so on the shown paths it should stay 0.
 * The `!!` runs are line-break residue from the slide extraction. */
int authenticate (char[] pwd) {!!int authorize = 0;!!char password[10]; /* 10-byte stack buffer */!!…!!strcpy(password, pwd); /* unbounded copy: no check of strlen(pwd) against sizeof password, so a longer input overruns the buffer into neighbouring stack slots (the slide's diagram places authorize next to it; actual layout is compiler-dependent). strncpy/strlcpy or an explicit length check is the mitigation. */!!…!!if(authorize) /* sole gate on success; only reachable as 1 if the overrun above corrupts it */!! !return 1;!!return 0;!
}!
\i&
026(7:O7"00E,6-;&m/,+87"00E,6-nP&
F*8)&"--6%00&
7"00E,6-&
"42),6*<%&
?,E&"--6%00&
/* Same authenticate as above (slide repeated for the animation). */
int authenticate (char[] pwd) {!!int authorize = 0;!!char password[10]; /* 10-byte stack buffer */!!…!!strcpy(password, pwd); /* unbounded copy: no length check on pwd, so a longer input overruns password into neighbouring stack slots (layout is compiler-dependent) */!!…!!if(authorize) /* sole gate on success; nothing visible sets it */!! !return 1;!!return 0;!
}!i&7"00E,6-dke&
7"00E,6-die&
i&i&i&
6&,&E&0&0&"&7&8&+&,&/&
-&
\\&
F*8)&"--6%00&
7"00E,6-&
"42),6*<%&
?,E&"--6%00&
/* Same authenticate as above (slide repeated for the animation). */
int authenticate (char[] pwd) {!!int authorize = 0;!!char password[10]; /* 10-byte stack buffer */!!…!!strcpy(password, pwd); /* unbounded copy: no length check on pwd, so a longer input overruns password into neighbouring stack slots (layout is compiler-dependent) */!!…!!if(authorize) /* sole gate on success; nothing visible sets it */!! !return 1;!!return 0;!
}!i&i&i&i&
6&,&E&0&0&"&7&8&+&,&/&
-&
\I&
M&C2"+-"6-&
>)%&M&02"+-"6-&07%(*S%0&2)"2&2)%&1,//,E*+8&.%)"$*,60&"6%&4+-%S+%-K&• R,*+2%6&"6*2)'%#(&',6%&2)"+&,+%&.:2%&.%:,+-&"//,("#,+&4+*2&.,4+-0&
• @((%00*+8&.%:,+-&.,4+-0&,1&"//,("#,+&4+*20&• R,*+2%60&.%1,6%&S602&.:2%&,1&"//,("#,+&4+*2&• T%6%1%6%+(*+8&4+-%S+%-&7,*+2%6&$"/4%0&&• @((%00*+8&2)%&$"/4%&,1&"+&4+*+*#"/*<%-&$"6*"./%&
\W&
V&*+(/4-%0&"//&M&02"+-"6-0&0*+(%&Mlk&
\]&
b/4%&/*+%0&*+-*("2%&'%',6:&-%7%+-%+(%0&&A+(,-%&-%7%+-%+(%&*+1,6'"#,+&*+2,&2)%&BC@=&F"6-E"6%&,+/:&"//,E0&02"#("//:&-%2%(2%-&-%7%+-%+(%0&2,&'"+*1%02=&
/* Variant of the slide's authenticate with strcpy expanded into an explicit
 * byte-copy loop. This is NOT a fix: the loop is terminated only by the NUL
 * in pwd and never compares i against sizeof password, so the overrun is
 * unchanged. What changes is that every store to password[i] is now a
 * distinct, analysable instruction — presumably the point of the slide,
 * which discusses tracking memory dependences in hardware (hedged: the
 * surrounding slide text is garbled in this extraction). */
int authenticate (char[] pwd) {!!int authorize = 0;!!char password[10]; /* 10-byte stack buffer */!!…!!int i=0;!!while(password[i] = pwd[i]) /* copies until NUL; no bound on i, so pwd longer than 9 bytes still overruns password */!! !i++;!!…!!if(authorize) /* sole gate on success; nothing visible sets it */!! !return 1;!!return 0;!
}!
"42),6*<%&o&i&
*&o&i&
02,6%&2,&7"00E,6-d*e&
/,"-&7E-d*e&
/,"-&"42),6*<%&
/,"-&*&
*&o&*&p&\&
"42),6*<%&o&i&
*&o&i&
02,6%&2,&7"00E,6-d*e&
/,"-&7E-d*e&/,"-&"42),6*<%&
/,"-&*&
*&o&*&p&\&
Z)*2%&/*+%0&*+-*("2%&Q":@/*"0&6%/"#,+0)*70&
\^&
/* Lowered form of the copy loop from authenticate above, with the register
 * temporaries (tmp1, tmp2, tmp) written out explicitly. The store
 * `password[i] = tmp1` is still unbounded, so the overrun is unchanged;
 * the lowering only makes each load and store a separate instruction.
 * Leading `!` characters are line-break residue from the slide extraction. */
authorize = 0;!i = 0;!while(…) {!
!tmp1 = pwd[i]!!password[i] = tmp1 /* unbounded store: i is never checked against the buffer size */!!tmp2 = i;!!i = tmp2 + 1!
}!…!tmp = authorize;!if(tmp)!
!…!!
7E-&
7"00E,6-&
"42),6*<%&
\_&
*&
7E-&(,+2"*+0&m/,+87"00E,6-n&2'7\&"+-&2'7I&"6%&6%8*02%60&
Z6*2%&B+2%86*2:&>%0#+8&OZB>P&R=&@L6*#-*0;&M=M"-"6&%2&"/=&R6%$%+#+8&'%',6:&%37/,*20&E*2)&ZB>=&B+&BAAA&C:'7,0*4'&,+&C%(46*2:&"+-&R6*$"(:;&Iiil&
Q*0'"2()K&q*,/"#,+&-%2%(2%-r&
s/t&s,t&s+t&s8t&s7t&s"t&s0t&s0t&sEt&s,t&s6t&s-t&
i&i&i&i&
i&i&i&
i&
s/t&s,t&s+t&s8t&s7t&s"t&s0t&s0t&sEt&s,t&
q4/+%6".*/*2:&M,$%6"8%&
• R6,$*-%0&7"6#"/&'%',6:&0"1%2:&• Q%',6:&0"1%2:&%66,60&-%2%(2%-&*+(/4-%K&
– b4u%6&,$%664+0&– T"+8/*+8&7,*+2%6&6%1%6%+(%0&OH0%&"a%6&16%%P&– Z*/-&7,*+2%6&"((%00%0&
• C2,6%&p&?,"-&()%(L0&"/0,&76%$%+2&/%"L"8%&,1&(,+S-%+#"/&*+1,6'"#,+&
• ?*.%62:&@6()*2%(246%&*'7/%'%+20&ZB>&*+&)"6-E"6%&
\`&
?,"-&B+0264(#,+&C%'"+#(0&/,"-&"--6;&6%8*,+&
v 72%&!&R"8%&>"./%&%+26:&1,6&"--6&v B0&72%"6%"-&264%w&
R"8%&>"./%&A+26:&OR>AP&M)%(L&
v OB+0264(#,+=6%8*,+oo&"--6=6%8*,+P&w&/,"-&K&1"*/&
5%8*,+&M)%(L&
v (4665%8&!&Q%'d"--6e&
?,"-&
\l&
C2,6%&B+0264(#,+&C%'"+#(0&02,6%&$"/;&"--6;&6%8*,+&
v 72%&!&R"8%&>"./%&A+26:&1,6&"--6&v B0&72%"E6*2%&264%w&
R"8%&>"./%&A+26:&OR>AP&M)%(L&
v OB+0264(#,+=6%8*,+&oo&"--6=6%8*,+P&w&02,6%K&1"*/&
5%8*,+&M)%(L&
v Q%'d"--6e&!&$"/4%&
C2,6%&
\k&
!4'.%6&,1&5%8*,+0&T%2%(2%-&
i&
^i&
\ii&
\^i&
Iii&
I^i&
Wii&
W^i&
\_]=8<*7& \`^=$76& I^_=.<*7I& Wii=2E,/1& ]i\=.<*7I&Ii&
A"()&6%8*,+&6%76%0%+20&7,00*./%&N,E&,1&-"2"&2)6,48)&'%',6:&
?*.%62:&@6()*2%(246%&C2"240&• T%0*8+&
– B+*#"/&BC@&(,'7/%2%&– C%(,+-&*2%6"#,+&,1&-%0*8+&*+&76,86%00&
• >%()+,/,8:&– M,'7*/%6&&
• @+"/:0*0&7"00&(,'7/%2%&• M,-%&J%+%6"#,+&*+&76,86%00&
– @00%'./%6&(,'7/%2%&– ?*+L%6&(,'7/%2%&– BC@&D4+(#,+"/&C*'4/"2,6&(,'7/%2%&– BC@&>*'*+8&C*'4/"2,6&*+&76,86%00&– T:+"'*(&G7#'*<%6&*+&76,86%00&
I\&
x4%0#,+0w&
II&
!"#$%&!'#()*+,-),.(-''
$-/+0+12'345'
!"#$%#&'()*• +,-.#/)#)*
• 0#1(")#2,*
• 3$&"(4#%25.'(*(6(%78/$*
• 9/$8$7/7)*'(5"$#$:*
• ;(&5#"*5$4*;(%/1(",*
!"#$%&'()"*&• +,-./%,'*&
– 01%'/234(1&5.'&6"1)(7,8"4(1&
• 91:/.),3'";,#,'*&– <;(213./&
• &=."/1,1>&– ?.'./(>.1.(2%&01@(/7"4(1&A#(B&!/"3$,1>&&– CD:#,3,'&).:.1).13.&.13(),1>&
• 6.:",/&– E2'('(7,3&F,1"/*&5'/23'2/.&6"1)(7,8"4(1&&
!"#$"%&'()*+(%• ,#-'"(#+.%
– /0(+")12$0%3'+%&405$6#742$0%– !"#$%&'()*
• 809"'5#1+4:#*#+.%– ;:$)01'"<%+%#(*,-./*
• %='4"0#0>%– ?'+'"$>'0'$)(@0(123-.%/0A$"642$0%B*$C%D"41E#0><%%%– FG9*#1#+%5'9'05'01'%'01$5#0>%– 456-57%51*8-.9:-.(*;(.<&.#-57(*=&25'(.)*
• &'94#"%– H)+$+$6#1%I#04".%3+")1+)"'%&405$6#742$0%– 04>!!?04%%
!"#$%&'&()*!+,%-./&%*
• 0%12-3+)*4+"5"+-6*– 7.#+&,+#$.3"#32+,'*#$,%("-*– 8.94'"*,+#$.3"#32+,'*":3"%-.&%-*– ;'",%*-)-3"9*&+(,%.<,/&%*
!"#$%&'#&("')*'#("%&+)*&,-.,".)
/"0&'#&'.)1/)
*'#("%&+)1/)
234)
*56)
7!8!)
9:)
!"#$%&'()!"%*&#"+)
!"#$% &'()*+(",-./% 0(.$12")$%
+,&-"%) !'%./0)1+.234./)5-&403'"+)+&6")#73//"2+8) 9:;)
1!9)) <"()+'.%30")=.%)1!9) >?@)
AB1!<) ,%3#C&/0)&/=.%-34./)D.E) >?@F)G3'3)
H32E3%") I/.-32()6"'"#4./F)J"3%/&/0) >?@F)G3'3F)KA)
A3'#7) ,%3/+="%)>,9J)'.)!"#$%")1L)56(/3-&#)#7"#C&/08) >?@F)G3'3)
9"#.*"%() >7"#CM.&/'F)%"#.*"%()3/6)%"+'.%") G3'3)
!"#$%&'()*+,$%*$-)%'
!%*-),$"'./'
0123'
0123'
0123'024/51'
0166'
636'0527'
0123'
638.('
9:;'
<10'
!"#$%&'()*+),&#%-.%#/&'"#'$%")
01234)
513)
161)
,1,789)
0:;;15)2*,1<)
84*!=):>*2)
!*?>@A+<B3)
>B>)CBA@2*A1)
>8):>*2)
!"#$%&'()*#+#)+,'%+
• -'./+),+0#1%)*23+#$.4%516+'%.751$.14%$++– 89+:;<+
• ='>+5?@A$?$*1'()*#+'%$+@%$&'A$*1+– B)*6+9B+
• B6#1$?#+'%$+.)*C24%$>+5*.)%%$.1A6+– :)41$%++
• B6#1$?+4@>'1$+,4*.()*#+'%$+'AD'6#+#4#@$.1E+– F)*&$*5$*1+4@>'(*2+5#+'A#)+.)*&$*5$*1+'G'./+#4%,'.$+
+++
+
!"#$%!&'()*"&%
• +",%-'..//(%0"#1&234%%
• 50%6&27"%%
• !'.8)%'3%9-5:%;5<%– 6.'((",%=2)23%
!"#"$%&'()'#*+'(,'-#%.%'
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
!"#$%&'()*+,-./0,• 123,4%56789'**6$,:"$*6;'#%$%<=,>'&<);?,@,A6<;%&,B);,A6'+";%*C,D*B);E'()*,F6'G'C6,• H)9*,I6EE6J,K)#6;<,A';(*J,@5'E,L'G+E'*,'*5,4%E9',46<9"E'59'M'*J,,• !;)&665%*C+,)B,<96,NO<9,@8APDQQQ,D*<6;*'()*'$,4=ER)+%"E,• )*,8)ER"<6;,@;&9%<6&<";6,-D48@0J,/S2/J,!);<$'*5J,TKJ,U4@V,-@&&6R<'*&6,• ;'<6?,2WX0,
• 1/3,Y%E6,L';R?,K6<9%*G%*C,Y%E6G66R%*C,'*5,!6;B);E'*&6,A6'+";6E6*<,A6&9'*%+E+,<),A%(C'<6,4%56,89'**6$+,,• K)#6;<,A';(*J,H)9*,I6EE6,'*5,4%E9',46<9"E'59'M'*J,• !;)&665%*C+,)B,<96,NO<9,@8APDQQQ,D*<6;*'()*'$,4=ER)+%"E,)*,8)ER"<6;,• @;&9%<6&<";6,-D48@0J,/S2/J,!);<$'*5J,TKJ,U4@V,-@&&6R<'*&6,;'<6?,2WZX0,
• 1N3,K'R%5,D56*([&'()*,)B,@;&9%<6&<";'$,\)]$6*6&G+,M%',!;6&%+6,QM6*<,8)"*(*C,• H)9*,I6EE6,'*5,4%E9',46<9"E'59'M'*J,,• !;)&665%*C+,)B,<96,NW<9,@8APDQQQ,D*<6;*'()*'$,4=ER)+%"E,)*,8)ER"<6;,@;&9%<6&<";6,-D48@0^J,/S22J,4'*,H)+6J,8@J,
U4@V,-@&&6R<'*&6,;'<6?,2OZX0,
• 1_3,G`"';5?,F%C9<a6%C9<,b6;*6$,!;)<6&()*,'C'%*+<,K6<";*7<)7"+6;,@]'&G+,• :'+%$6%)+,!V,b6E6;$%+J,`6);C%)+,!);<)G'$%5%+J,'*5,@*C6$)+,IV,b6;)E=(+V,Y),'RR6';,%*,<96,!;)&665%*C+,)B,<96,/2+<,
U4QcDd,46&";%<=,4=ER)+%"EV,@"C"+<,/S2/J,\6$$6M"6J,L@V,-@&&6R<'*&6,;'<6?,2OV_X0,
• 1e3,4E'+9%*C,<96,`'5C6<+?,f%*56;%*C,K6<";*7T;%6*<65,!;)C;'EE%*C,U+%*C,D*7!$'&6,8)56,K'*5)E%g'()*h,• :'+%$%+,!'RR'+J,A%&9'$%+,!)$=&9;)*'G%+J,'*5,@*C6$)+,IV,b6;)E=(+V,D*,!;)&665%*C+,)B,<96,NN;5,DQQQ,4=ER)+%"E,)*,
46&";%<=,i,!;%M'&=,-4i!0J,RRV,jS2,7,j2eV,A'=,/S2/J,4'*,>;'*&%+&)J,8@V,-@&&6R<'*&6,;'<6?,2NX0,
!"#$%&'()*+,-./0,• 123,4,56*67'$,4887)'&9,:)7,;<&%6*=$>,4&&6$67'(*?,@)AB'76C#'+6D,E>*'F%&,E'=',G$)B,H7'&I%*?,)*,J)FF)D%=>,K'7DB'76,• L'*?I))I,M66N,56)7?%)+,!)7=)I'$%D%+N,O'+%$6%)+,!P,L6F67$%+N,@)"F>'D668,59)+9N,E'Q%D,RP,4"?"+=N,'*D,4*?6$)+,EP,L67)F>(+P,R*,!7)&66D%*?+,):,=96,ST=9,
R*=67*6=,@)&%6=>,-R@UJ0,@>F8)+%"F,)*,V6=B)7I,'*D,E%+=7%#"=6D,@>+=6F+,@6&"7%=>,-@VE@@0P,G6#7"'7>,/WS/N,@'*,E%6?)N,J4P,-4&&68='*&6,7'=6X,SYPZ[0,
• 1Y3,\U!,!'>$)'D,E6=6&()*,]+%*?,@86&"$'(Q6,J)D6,;^6&"()*,• _%&9'$%+,!)$>&97)*'I%+,'*D,4*?6$)+,EP,L67)F>(+P,R*,!7)&66D%*?+,):,=96,2=9,R*=67*'()*'$,J)*:676*&6,)*,_'$%&%)"+,'*D,]*B'*=6D,@)AB'76,
-_4`a4\;0N,88P,bZ,C,2bP,U&=)#67,/WSSN,G'c'7D)N,!\P,-d6+=,!'867,4B'7D0,
• 1Z3,M"*:6*?,.'*?N,4*?,J"%N,@'$Q'=)76,MP,@=)$:)N,@%F9',@6=9"F'D9'Q'*e,fJ)*&"776*&>,4g'&I+ef,=96,G)"7=9,]@;VRh,a)7I+9)8,)*,K)=,H)8%&+,%*,!'7'$$6$%+Fe,/WS/iW2iWYP,
• 1T3,4*?,J"%N,M'(*,L'='7%'N,@'$Q'=)76,MP,@=)$:)e,fG7)F,!76>,H),K"*=67X,H7'*+:)7F%*?,`6?'&>,;F#6DD6D,E6Q%&6+,R*=),;^8$)%='()*,@6*+)7,57%D+ef,H96,/Y=9,4**"'$,J)F8"=67,@6&"7%=>,488$%&'()*+,J)*:676*&6,-4J@4J0e,/WSSiS/iWbP,
• 1SW3,4*?,J"%N,@'$Q'=)76,MP,@=)$:)e,fE6:6*D%*?,`6?'&>,;F#6DD6D,@>+=6F+,B%=9,@)AB'76,@>F#%)=6+ef,H96,Sj=9,R*=67*'()*'$,@>F8)+%"F,)*,\6&6*=,4DQ'*&6+,%*,R*=7"+%)*,E6=6&()*,-\4RE0e,/WSSiWTi/W,
• 1SS3,4*?,J"%N,@'$Q'=)76,MP,@=)$:)N,M'(*,L'='7%'e,fL%$$%*?,=96,_>=9,):,J%+&),RU@,E%Q67+%=>X,H)B'7D+,\6$%'#$6N,`'7?6C@&'$6,;^8$)%='()*,):,J%+&),RU@ef,b=9,]@;VRh,a)7I+9)8,)*,Uk6*+%Q6,H6&9*)$)?%6+,-aUUH0e,/WSSiWZiWZ,
• 1S/3,\"*(F6,4+>*&97)*)"+,G'"$=,H)$67'*&6,Q%',@86&"$'()*,."*,l9'*?N,@)"F>'D668,59)+9N,M%'$",K"'*?N,M'6,aP,`66N,@&)g,4P,_'9$I6N,'*D,E'Q%D,RP,4"?"+=P,!7)&66D%*?+,):,=96,/WS/,R*=67*'()*'$,@>F8)+%"F,)*,J)D6,56*67'()*,'*D,U8(F%m'()*,-J5U0N,487%$,/WS/P,,
• 1Sn3,4,56*67'$,4887)'&9,:)7,;<&%6*=$>,4&&6$67'(*?,@)AB'76C#'+6D,E>*'F%&,E'=',G$)B,H7'&I%*?,)*,J)FF)D%=>,K'7DB'76,,L'*?I))I,M66N,56)7?%)+,!)7=)I'$%D%+N,O'+%$6%)+,!P,L6F67$%+N,@)"F>'D668,59)+9N,E'Q%D,RP,4"?"+=N,'*D,4*?6$)+,EP,L67)F>(+P,!7)&66D%*?+,):,=96,ST=9,R*=67*6=,@)&%6=>,-R@UJ0,@>F8)+%"F,)*,V6=B)7I,'*D,E%+=7%#"=6D,@>+=6F+,@6&"7%=>,-VE@@0N,G6#7"'7>,/WS/P,,
• 1Sj3,@86&"$'(Q6,@68'7'()*,:)7,!7%Q'(m'()*,'*D,\6D"&()*+N,V%&I,!P,M)9*+)*N,K'*c"*,L%FN,!7'I'+9,!7'#9"N,4>'$,l'I+N,'*D,E'Q%D,RP,4"?"+=P,!7)&66D%*?+,):,=96,nn7D,4J_,@R5!`4V,J)*:676*&6,)*,!7)?7'FF%*?,`'*?"'?6,E6+%?*,'*D,RF8$6F6*='()*,-!`ER0N,M"*6,/WS/P,,