--- tags: IsoPhase --- The entire motivation example rewritten w.r.t to OMRChecker. The structure has directly been taken from paper. # Motivation example We use autograding application called [OMRChecker](https://github.com/Udayraj123/OMRChecker) to demonstrate how ISOPHASE prevents vulnerabilities in the OpenCV framework from affecting the security sensitive data in the application. ## A. The victim application **Implementation:** The application gives grades by scanning and analyzing input OMR images. This application uses OpenCV to analyzes images and Pandas to write the grading results to a CSV file. [CVE-2017-1000450] **Workflow:** * 1. The program load OMR images and the template file. * 2. The program uses the OpenCV to preprocess the images and match the template answers in the OMR image. * 3. The program grades the score and write the results to the CSV file. ## B. The Exploit We create an attack based on a publicly released CVE that can corrupt memory. We leverage an out of bound write vulnerability inside OpenCV's `imread()` to inject a malicious payload that changes the students' scores. The malicious payload change the value stored in the `score` variable. In our attack, we assume that the attacker knows the target address. We disable the GCC stack protector and ASLR. ## C. Exploitation without IsoPhase The attacker (student) seamlessly exploits the vulnerability in `imread()` in order to alter the memory (specifically variable `score`) such that the recorded grade for the student may be full regardless of the actual answer of the student. Since the the `score` variable is in the same process as from which `imread()` is exploited, the attacker will have access to it. Moreover, if the exploit causes a segmentation fault, *the entire system crashes*, affecting the availability of the system. ## D. IsoPhase Mitigation **1) Phase Partitioning and Isolation:** When IsoPhase is applied to this application. `imread()` belongs to phase 1. `evaluate()` belongs to phase 2 and `pd.DataFrame()` belongs to phase 3. Because `imread()` are handled in the load phase and `score` is stored in the algorithm phase. The exploit in the load phase cannot change the value of `score`. **2) Mitigation by APIs and Data flow Enforcement:** Attacker may also try to use system APIs to access data in other processes. But IsoPhase only allows the execution of intended APIs .i.e. In bussiness phase, `remove()` is called to remove intermediate images and cannot be called in other phases. Moreover, we infer safe data flow directions by analyzing the target program, and enforce them at runtime to reduce the attack surface. Due to dataflow enforcement, the attacker cannot use `imread()` to steal or look at other scores. This is because of dataflow enforcement by IsoPhase. IsoPhase restricts load phase from reading from algorithm phase and ensures that load phase can only write to algorithm phase. ```python def process_files(omr_files, template, args, out)： for filepath in omr_files: inOMR = cv2.imread(filepath, cv2.IMREAD_GRAYSCALE) score = evaluate(resp, explain=explain) results_line = [filename, filepath, newfilepath, score] + respArray pd.DataFrame(results_line,dtype=str).T.to_csv(out.filesObj["Results"],quoting=QUOTE_NONNUMERIC, header=False,index=False) ``` <div style="text-align:center; font-style: italic;">Above code is shows fundamental flow of OMRChecker</div> **3) Mitigation by Runtime Monitoring and Phase Restarting:** IsoPhase monitors each phase and seamlessly restarts faulty phases. In practice, exploits(even if they are not Denial of Service ones) often result in crashes. For example, code injection exploits are particularly sensitive to the address space layout. If malicious payloads fail to guess the correct address for the injecting payloads, the victim process will crash. In our motivation example, a failed exploitation attempt would crash the load phase process. In such a case, IsoPhase’s phase manager detects the crash and restarts the crashed phase, reestablishing the data flows between other phases so that the entire system can continue to function