Securing Untrusted Code via Compiler-Agnostic Binary Rewriting Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin The University of Texas.

Presentation transcript:

Securing Untrusted Code via Compiler-Agnostic Binary Rewriting
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
The University of Texas at Dallas
Supported in part by NSF, AFOSR, and DARPA

Software Fault Isolation (SFI)
Automatically rewrite binaries to make them safer [Wahbe, Lucco, Anderson, Graham, SOSP 1993]
Figure: untrusted code -> rewriter -> safe code

Software Fault Isolation (SFI)
Trusted and untrusted modules share a common address space:
- Example #1: web browser plug-ins
- Example #2: trusted system libraries inside an untrusted application
Goal: protect trusted modules from untrusted ones by confining untrusted module behaviors.
- Example: untrusted modules must obey trusted module interfaces
- Blocks ROP attacks [Shacham, CCS 2007]
Figure: eMule.exe (untrusted) alongside kernel32.dll and user.dll (trusted)

Inlined Reference Monitors (IRMs)
The SFI foundation supports higher-level policies [Abadi, Budiu, Erlingsson, and Ligatti. CCS 2005]
- Example: IRMs [Schneider, ISS 2000]
Enforces powerful policies:
- program-specific (no other programs affected)
- light-weight enforcement (minimize context switches)
- stateful
Example: Adobe Reader may access the network (to check for updates) and may read my confidential files, but may not access the network after reading my confidential files.
Figure: reader.exe (untrusted, with the IRM in-lined) alongside kernel32.dll and user.dll (trusted)

A Brief History of SFI
Wahbe [1], CFI / SMAC [2], PittSFIeld [3], XFI [4], NaCl [5]
1: [Wahbe, Lucco, Anderson, and Graham. SOSP 1993]
2: [Abadi, Budiu, Erlingsson, and Ligatti. CCS 2005]
3: [McCamant and Morrisett. USENIX 2006]
4: [Erlingsson, Abadi, Vrable, Budiu, and Necula. OSDI 2006]
5: [Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, and Fullagar. S&P 2009]

A Brief History of SFI
- Wahbe [1]: RISC only
- CFI / SMAC [2]: needs PDB
- PittSFIeld [3]: special GCC
- XFI [4]: needs PDB
- NaCl [5]: special GCC
All prior works require explicit code-producer cooperation.
1: [Wahbe, Lucco, Anderson, and Graham. SOSP 1993]
2: [Abadi, Budiu, Erlingsson, and Ligatti. CCS 2005]
3: [McCamant and Morrisett. USENIX 2006]
4: [Erlingsson, Abadi, Vrable, Budiu, and Necula. OSDI 2006]
5: [Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, and Fullagar. S&P 2009]

Reins: REwriting and IN-lining System
Main discovery: a means of enforcing SFI for near-arbitrary COTS binaries
- no source code or debug info (assumed unavailable)
- no disassembly listing
- compiler-agnostic
- real COTS binary features: interleaved code and data, computed control-flows, dynamic linking, event-driven callbacks, multithreading
- low overhead (~2%)
- formal machine-verification of policy enforcement

Binary Rewriting without Metadata
- Relocation information, debug tables and symbol stores are not always available
- Reverse engineering concerns
- Perfect static disassembly without metadata is provably undecidable
- The best disassemblers (IDA Pro) make many mistakes
Table (the instruction counts and IDA Pro error counts were not preserved in this transcript):
Program      | Instruction Count | IDA Pro Errors
mfc42.dll    |                   |
mplayerc.exe |                   |
vmware.exe   |                   |

Infeasibility of Perfect Disassembly
Disassemble this hex sequence (an undecidable problem in general):
FF E0 5B 5D C3 0F 88 52 0F 84 EC 8B ...
Valid disassembly #1:
FF E0              jmp eax
5B                 pop ebx
5D                 pop ebp
C3                 retn
0F 88 52 0F 84 EC  jcc
8B ...             mov
Valid disassembly #2:
FF E0              jmp eax
5B                 pop ebx
5D                 pop ebp
C3                 retn
0F                 db (1)
88 52 0F           mov
84 EC              test
8B ...             mov
Valid disassembly #3:
FF E0              jmp eax
5B                 pop ebx
5D                 pop ebp
C3                 retn
0F 88              db (2)
52                 push edx
0F 84 EC 8B ...    jcc

Separating Code from Data
Original memory layout (low memory to high memory): Header, IAT, .data, .text; kernel32.dll and user32.dll in high memory
Rewritten (Reins) memory layout: Header, IAT, .data, .told (NX bit set), .tnew (NW bit set); kernel32.dll in high memory
"Rewritten" denotes a section that is modified during static rewriting.

De-Shingling Disassembly
Byte sequence: FF E0 5B 5D C3 0F 88 B0 50 FF FF 8B
Hex | Path 1  | Path 2 | Path 3 | Path 4
FF  | jmp eax |        |        |
E0  |         | loopne |        |
5B  | pop     |        |        |
5D  | L1: pop |        |        |
C3  | retn    |        |        |
0F  | jcc     |        |        |
88  |         |        | mov    |
B0  |         |        |        | mov
50  |         |        |        |
FF  |         |        |        | N/A
FF  |         |        |        |
8B  | L2: mov |        |        |
(Legend on the slide: disassembled / invalid / included.)
Included disassembly:
    jmp eax
    pop
L1: pop
    retn
    jcc
L2: mov
    loopne
    jmp L1
    mov
    jmp L2
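The two slides above (the undecidability example and the de-shingling table) describe a procedure that is easy to get wrong by hand, so here is an added example that is not Reins code and not from the slides: a toy Python decoder that knows only the opcodes the slides use (plus a generic ModRM length rule) and enumerates every straight-line decoding path from every byte offset, then "de-shingles" them the way the slide does: path 1 (from offset 0) is kept verbatim, every other valid path is kept up to the instruction where it rejoins already-included code and replaced by a `jmp Lk` there, and a path that runs into an undecodable byte (such as `FF FF`, which has no encoding) is excluded. The byte strings are copied from the slides; everything after the slides' trailing "..." is cut off, which the decoder reports as a truncated instruction.

```python
"""Enumerate overlapping x86 disassembly paths and de-shingle them.
Added example (not Reins code). Only the opcodes used on the slides are
modelled; any other opcode is reported as 'invalid' for this toy."""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
GROUP5 = ["inc", "dec", "call", "callf", "jmp", "jmpf", "push", None]  # FF /0..FF /7

def modrm_len(code, i):
    """Bytes used by the ModRM (+SIB, +disp) at code[i], or None if truncated."""
    if i >= len(code):
        return None
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:                    # SIB byte follows
        if i + 1 >= len(code):
            return None
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                              # [disp32 + index*scale], no base
    if mod == 0 and rm == 5:
        n += 4                                  # [disp32]
    elif mod == 1:
        n += 1                                  # disp8
    elif mod == 2:
        n += 4                                  # disp32
    return n if i + n <= len(code) else None

def decode(code, i):
    """One instruction at offset i -> (status, mnemonic, length);
    status is 'ok', 'truncated' (runs off the buffer) or 'invalid'."""
    op = code[i]
    if op == 0xFF:                              # group 5, selected by ModRM.reg
        if i + 1 >= len(code):
            return "truncated", "group5", None
        reg, mod, rm = (code[i + 1] >> 3) & 7, code[i + 1] >> 6, code[i + 1] & 7
        if GROUP5[reg] is None:                 # FF /7 has no encoding
            return "invalid", "db", None
        mnem = f"{GROUP5[reg]} {REG32[rm] if mod == 3 else 'r/m'}"
        n = modrm_len(code, i + 1)
        return ("ok", mnem, 1 + n) if n else ("truncated", mnem, None)
    if 0x50 <= op <= 0x5F:
        return "ok", f"{'push' if op < 0x58 else 'pop'} {REG32[op & 7]}", 1
    if op == 0xC3:
        return "ok", "retn", 1
    if op == 0x0F:                              # two-byte opcode map
        if i + 1 >= len(code):
            return "truncated", "0F ?", None
        if 0x80 <= code[i + 1] <= 0x8F:         # jcc rel32 = 0F 8x + 4-byte displacement
            return ("ok", "jcc rel32", 6) if i + 6 <= len(code) else ("truncated", "jcc rel32", None)
        return "invalid", "db", None            # other 0F xx opcodes are not modelled
    if op in (0x84, 0x88, 0x8B):                # test r/m8,r8 / mov r/m8,r8 / mov r32,r/m32
        mnem = {0x84: "test", 0x88: "mov", 0x8B: "mov"}[op] + " r/m"
        n = modrm_len(code, i + 1)
        return ("ok", mnem, 1 + n) if n else ("truncated", mnem, None)
    if 0xB0 <= op <= 0xB7:
        mnem = f"mov {REG8[op & 7]}, imm8"
        return ("ok", mnem, 2) if i + 2 <= len(code) else ("truncated", mnem, None)
    if op == 0xE0:
        return ("ok", "loopne rel8", 2) if i + 2 <= len(code) else ("truncated", "loopne rel8", None)
    return "invalid", "db", None                # not modelled by this toy

def walk(code, start):
    """Straight-line decode from `start` -> ([(offset, mnemonic)], final status)."""
    insns, i = [], start
    while i < len(code):
        status, mnem, n = decode(code, i)
        if status != "ok":
            if status == "truncated":
                insns.append((i, mnem + " ..."))
            return insns, status
        insns.append((i, mnem))
        i += n
    return insns, "ok"

def deshingle(code):
    """Keep every valid path: path 1 verbatim, every other path up to the
    instruction where it rejoins already-included code, then `jmp Lk`."""
    main, _ = walk(code, 0)
    seen = {off for off, _ in main}
    blocks = [(main, None)]                     # (instructions, merge offset)
    for start in range(1, len(code)):
        if start in seen:
            continue
        insns, status = walk(code, start)
        if status == "invalid":
            continue                            # ends in an undecodable byte: excluded
        kept, merge = [], None
        for off, mnem in insns:
            if off in seen:
                merge = off
                break
            kept.append((off, mnem))
        seen.update(off for off, _ in kept)
        blocks.append((kept, merge))
    labels = {}
    for _, merge in blocks:
        if merge is not None and merge not in labels:
            labels[merge] = f"L{len(labels) + 1}"
    lines = []
    for insns, merge in blocks:
        for off, mnem in insns:
            lines.append(f"{off:02x}: {labels[off] + ': ' if off in labels else ''}{mnem}")
        if merge is not None:
            lines.append(f"    jmp {labels[merge]}")
    return lines

# Constructed inputs copied from the two slides; the bytes after "..." are cut off.
SLIDE_9 = bytes.fromhex("FF E0 5B 5D C3 0F 88 52 0F 84 EC 8B")
SLIDE_11 = bytes.fromhex("FF E0 5B 5D C3 0F 88 B0 50 FF FF 8B")
```

`deshingle(SLIDE_9)` reproduces the three listings of the undecidability slide as one included disassembly: path 1 ending in the truncated `mov`, then `loopne; jmp L1`, then `mov; test; jmp L2`, then the `push edx; jcc ...` shingle. On `SLIDE_11`, `walk(SLIDE_11, 7)` and `walk(SLIDE_11, 8)` both stop with status `invalid` at the `FF FF` pair, which is the slide's "N/A" path. Because the bytes after `8B` are elided on the slides, the tail of the result there differs from the slide, which had the full bytes.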

Aligning Instructions
Chunk instructions to 16-byte boundaries, with targets at the beginning and calls at the end [McCamant and Morrisett. USENIX 2006]
Original binary:
0x68900F  mov eax, 0x6891D8
0x689015  add eax, 1
0x68901B  call eax
...
0x6891D9  push ebx
0x6891DA  mov ebx, [esp+4]
Rewritten binary (the nops are alignment padding; the and is an injected instruction):
0x78900F  nop
0x789010  mov eax, 0x6891d8
0x789016  add eax, 1
0x78901C  nop (x4)
0x789020  nop (x8)
0x789028  and eax, 0x0FFFFFF0
0x78902E  call eax
0x789030  ...
0x7892E0  push ebx
0x7892E1  mov ebx, [esp+4]
0x7892E5  ...
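To make the chunking rule concrete, here is an added example (not Reins code, and not from the slide) that lays out an instruction stream under the three rules the slide and PittSFIeld state: no instruction straddles a 16-byte chunk boundary, a possible jump target starts at a boundary, and the `and eax, 0x0FFFFFF0` guard is glued to its computed call so that the pair ends exactly at a boundary (which is what puts "calls at the end" and makes the return address chunk-aligned). The instruction sizes are read off the slide's addresses; the `kind` tags and the 6-byte guard size (0x789028 to 0x78902E on the slide) are assumptions.

```python
"""Chunk-aligned layout in the style of the "Aligning Instructions" slide.
Added example, not Reins code. Instructions are (text, size_in_bytes, kind)
with kind 'normal', 'target' (possible computed-jump destination) or
'call' (computed call that must be guarded)."""

CHUNK = 16
GUARD = ("and eax, 0x0FFFFFF0", 6)   # size taken from the slide's listing (assumed)

def layout(instructions, base):
    """Return [(address, text)] for the rewritten code, padding nops included."""
    out, addr = [], base

    def pad_to(residue):
        """Emit 1-byte nops until addr % CHUNK == residue."""
        nonlocal addr
        while addr % CHUNK != residue:
            out.append((addr, "nop"))
            addr += 1

    for text, size, kind in instructions:
        if kind == "target":
            pad_to(0)                                # targets start a chunk
        elif kind == "call":
            total = GUARD[1] + size
            assert total <= CHUNK, "guard + call must fit in one chunk"
            pad_to((CHUNK - total) % CHUNK)          # guard + call end on a boundary
            out.append((addr, GUARD[0]))
            addr += GUARD[1]
        elif addr % CHUNK + size > CHUNK:            # plain instruction would straddle
            pad_to(0)
        out.append((addr, text))
        addr += size
    return out

# Constructed input mirroring the slide's original binary (sizes from its addresses).
SLIDE_CODE = [
    ("mov eax, 0x6891d8", 6, "normal"),
    ("add eax, 1", 6, "normal"),
    ("call eax", 2, "call"),
    ("push ebx", 1, "target"),       # the slide's 0x6891D9, reached through call eax
    ("mov ebx, [esp+4]", 4, "normal"),
]

if __name__ == "__main__":
    for address, text in layout(SLIDE_CODE, 0x789010):
        print(f"0x{address:X}  {text}")
```

Starting at 0x789010 (the slide's listing begins one nop earlier, at 0x78900F), the layout reproduces the slide: `mov` at 0x789010, `add` at 0x789016, twelve nops from 0x78901C, the guard at 0x789028 and `call eax` at 0x78902E, so the call's return address 0x789030 is chunk-aligned and `push ebx` lands on a boundary.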

Preserving Good Flows
Turn the original code section into a dynamic lookup table.
Original binary:
0x68900F  mov eax, 0x6891D8
0x689015  add eax, 1
0x68901B  call eax
...
0x6891D9  push ebx
0x6891DA  mov ebx, [esp+4]
Rewritten binary (the nops are alignment padding; cmp, cmovz and and are injected instructions):
.told:
0x6891D9  0xF4 loc_7892F0
.tnew:
0x78900F  nop
0x789010  mov eax, 0x6891d8
0x789016  add eax, 1
0x78901C  nop (x4)
0x789020  cmp 0xF4, [eax]
0x789023  cmovz eax, [eax+1]
0x789027  nop
0x789028  and eax, 0x0FFFFFF0
0x78902E  call eax
0x789030  ...
0x7892F0  push ebx
0x7892F1  mov ebx, [esp+4]
0x7892F5  ...
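The lookup-table trick above is compact enough to emulate in full. The following is an added example, not Reins code: a tiny sparse memory holds the `.told` entry the slide shows (tag byte 0xF4 at the old target address, followed by the new 32-bit address), and `guard()` performs the three injected instructions in order: `cmp 0xF4, [eax]`, `cmovz eax, [eax+1]`, `and eax, 0x0FFFFFF0`. The slide's addresses are used; the high-memory address at the end is a constructed sample, not taken from the slide.

```python
"""Emulation of the .told lookup table plus the alignment mask from the
"Preserving Good Flows" slide. Added example, not Reins code."""

TAG = 0xF4          # hlt opcode, used by the slide as the "stale pointer" tag
MASK = 0x0FFFFFF0   # the immediate of the slide's `and eax, 0x0FFFFFF0`

class Memory:
    """Sparse little-endian byte store; unmapped bytes read as zero."""
    def __init__(self):
        self.bytes = {}

    def write_u8(self, addr, value):
        self.bytes[addr] = value & 0xFF

    def write_u32(self, addr, value):
        for k in range(4):
            self.write_u8(addr + k, value >> (8 * k))

    def read_u8(self, addr):
        return self.bytes.get(addr, 0)

    def read_u32(self, addr):
        return sum(self.read_u8(addr + k) << (8 * k) for k in range(4))

def install_told_entry(mem, old_addr, new_addr):
    """What static rewriting leaves in .told for one relocated target."""
    mem.write_u8(old_addr, TAG)
    mem.write_u32(old_addr + 1, new_addr)

def guard(mem, eax):
    """The injected sequence, one instruction per line."""
    if mem.read_u8(eax) == TAG:          # cmp 0xF4, [eax]
        eax = mem.read_u32(eax + 1)      # cmovz eax, [eax+1]
    return eax & MASK                    # and eax, 0x0FFFFFF0

def build_slide_memory():
    """The single .told entry shown on the slide: old 0x6891D9 -> new 0x7892F0."""
    mem = Memory()
    install_told_entry(mem, 0x6891D9, 0x7892F0)
    return mem

if __name__ == "__main__":
    mem = build_slide_memory()
    eax = 0x6891D8 + 1                   # mov eax, 0x6891d8 ; add eax, 1
    print(hex(guard(mem, eax)))          # stale pointer is redirected to the new code
    print(hex(guard(mem, 0x7892F7)))     # a mid-chunk pointer is snapped to its chunk
    print(hex(guard(mem, 0x7C80123C)))   # constructed high-memory address, forced low
```

Three things fall out of the emulation. A pointer computed by the original code (0x6891D9) still works, because the old code bytes have been replaced by a table that redirects it to 0x7892F0. A pointer that does not hit a tag is not trusted: the mask snaps it to a 16-byte chunk boundary, so it cannot land in the middle of a chunk after an in-lined check, and clears the top nibble, so it cannot reach the high-memory region where the trusted libraries live; flows into those modules go only through the IAT and the trampolines described on the following slides. The tag byte is the `hlt` opcode, a privileged instruction that user-mode code never legitimately executes, and `.told` is marked NX anyway, so the table is data to the CPU even though it sits where code used to be.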

Preserving Good Inter-module Flows
Original code: jmp [IAT:CreateWindow] -> CreateWindow
Rewritten code: jmp [IAT:CreateWindow] -> CreateWindow, with the IAT data section locked non-writable

Computed Inter-module Flows
- computed jumps to trusted modules
- dynamic linking (DLLs)
- callbacks (event-driven programming)
Figure: the rewritten code (caller) reaches the trusted library through a trusted intermediary library; callbacks from the trusted library enter the rewritten code through a callback stub in the intermediary, and callback_ret returns through a callback return trampoline

Results (the performance figure was not preserved in this transcript)

IRM Synthesis
Enforced policies on the Eureka client (>1.6MB code):
- Disallow creation of .exe, .msi, or .bat files
- Disallow execution of Windows Explorer as an external process
- Disallow opening more than 100 SMTP connections
Malware policies:
- Disallow creation of .exe, .msi, or .bat files
- Successfully stopped virus propagation for real-world malware samples
Figure: binary + policy -> rewriter -> policy-adherent binary
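The IRM slide earlier in the deck stresses that these policies are program-specific and stateful, and this slide lists concrete ones. As an added example (not Reins' policy language, and not from the slides), the following Python encodes both as security automata: the Adobe Reader rule (network, then confidential files, but no network after a confidential read) and the three Eureka rules. The event names, the confidentiality predicate and the traces are assumptions; a policy object stands in for the monitor state an IRM would carry inside the rewritten binary and consult at each guarded API call.

```python
"""Stateful IRM policies as security automata. Added example; the event
vocabulary and traces are constructed, not Reins' policy specification."""

class PolicyViolation(Exception):
    """Raised where the in-lined check would abort the offending call."""

def basename(path):
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

class ReaderPolicy:
    """Network OK, confidential reads OK, but no network after a confidential read."""
    def __init__(self, is_confidential):
        self.is_confidential = is_confidential   # predicate over file paths (assumed)
        self.tainted = False                     # the automaton's one bit of state

    def on(self, event, arg=None):
        if event == "read_file" and self.is_confidential(arg):
            self.tainted = True
        elif event == "network_access" and self.tainted:
            raise PolicyViolation("network access after reading a confidential file")

class EurekaPolicy:
    """No .exe/.msi/.bat creation, no Windows Explorer launch, at most 100 SMTP connections."""
    BANNED_EXT = (".exe", ".msi", ".bat")
    SMTP_LIMIT = 100

    def __init__(self):
        self.smtp_connections = 0                # counter state for the SMTP rule

    def on(self, event, arg=None):
        if event == "create_file" and basename(arg).endswith(self.BANNED_EXT):
            raise PolicyViolation(f"creating {arg} is not allowed")
        if event == "create_process" and basename(arg) == "explorer.exe":
            raise PolicyViolation("launching Windows Explorer is not allowed")
        if event == "smtp_connect":
            if self.smtp_connections >= self.SMTP_LIMIT:
                raise PolicyViolation("more than 100 SMTP connections")
            self.smtp_connections += 1

def run_trace(policy, trace):
    """Feed (event, arg) pairs to a policy; return the index of the first event
    the monitor would block, or None if the whole trace is allowed."""
    for i, (event, arg) in enumerate(trace):
        try:
            policy.on(event, arg)
        except PolicyViolation:
            return i
    return None

# Constructed traces, not recorded from real software.
READER_TRACE = [
    ("network_access", "updates.example.com"),
    ("read_file", "C:\\Users\\me\\Documents\\confidential\\budget.pdf"),
    ("network_access", "updates.example.com"),
]
EUREKA_TRACE = ([("smtp_connect", "mx.example.net")] * 100
                + [("create_file", "C:\\tmp\\notes.TXT"), ("smtp_connect", "mx.example.net")])

if __name__ == "__main__":
    print(run_trace(ReaderPolicy(lambda p: "confidential" in p.lower()), READER_TRACE))  # 2
    print(run_trace(EurekaPolicy(), EUREKA_TRACE))                                       # 101
```

The reader trace is blocked only at its third event: the first network access is allowed, the confidential read flips the automaton's state, and the network access after it is denied. The Eureka trace allows one hundred SMTP connections and the `.TXT` creation and blocks the 101st connection. Because the state lives in the monitored process, no other program is affected and no context switch is needed to consult it, which is the "program-specific" and "light-weight" pairing the IRM slide describes.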

TCB Formal Verification
Formal verification of rewritten binaries:
- 1500 SLOC of 80-column OCaml code
- no shared code between verifier and rewriter
- median verification time: 0.4 ms/KB of code
Allows the rewriter to remain completely untrusted! Rewriting is deployable as an untrusted service.
Figure: binary + policy -> rewriter -> policy-adherent binary -> verifier
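The point of a separate verifier is that the rewriter's output is checked against the invariants, so a buggy or malicious rewriter cannot ship an unguarded computed jump. The following is an added example, not the OCaml verifier the slide describes: a Python checker over a listing of `(address, size, text)` triples that enforces only the three properties the earlier slides make explicit (no instruction straddles a 16-byte chunk; every computed `call`/`jmp` through a register is immediately preceded, in the same chunk, by `and <reg>, 0x0FFFFFF0`; a guarded computed call ends on a chunk boundary). The good listing is the `.tnew` section of the "Preserving Good Flows" slide; the two bad listings are constructed variants of it.

```python
"""Toy verifier for the chunk-alignment invariants of a rewritten code
section. Added example, not Reins' verifier; listings are [(address, size, text)]."""
import re

CHUNK = 16
COMPUTED = re.compile(r"^(call|jmp)\s+(eax|ecx|edx|ebx|esi|edi|ebp)$")

def verify(listing):
    """Return [(address, problem)]; an empty list means the listing passed."""
    problems, prev = [], None
    for addr, size, text in listing:
        if addr % CHUNK + size > CHUNK:
            problems.append((addr, "straddles a chunk boundary"))
        m = COMPUTED.match(text)
        if m:
            kind, reg = m.group(1), m.group(2)
            guarded = (prev is not None
                       and prev[2] == f"and {reg}, 0x0FFFFFF0"
                       and prev[0] + prev[1] == addr            # immediately before
                       and prev[0] // CHUNK == addr // CHUNK)   # same chunk
            if not guarded:
                problems.append((addr, f"computed {kind} through {reg} is not guarded"))
            if kind == "call" and (addr + size) % CHUNK != 0:
                problems.append((addr, "computed call does not end on a chunk boundary"))
        prev = (addr, size, text)
    return problems

# The .tnew listing from the "Preserving Good Flows" slide (sizes from its addresses).
GOOD = [
    (0x78900F, 1, "nop"),
    (0x789010, 6, "mov eax, 0x6891d8"),
    (0x789016, 6, "add eax, 1"),
    (0x78901C, 4, "nop (x4)"),
    (0x789020, 3, "cmp 0xF4, [eax]"),
    (0x789023, 4, "cmovz eax, [eax+1]"),
    (0x789027, 1, "nop"),
    (0x789028, 6, "and eax, 0x0FFFFFF0"),
    (0x78902E, 2, "call eax"),
]
# Constructed faulty outputs: the guard dropped, and a 6-byte instruction at offset 12 of a chunk.
NO_GUARD = [(a, s, "nop (x6)" if a == 0x789028 else t) for a, s, t in GOOD]
STRADDLE = [(0x78901C, 6, "mov ecx, [eax]")]

if __name__ == "__main__":
    for name, listing in (("good", GOOD), ("no guard", NO_GUARD), ("straddle", STRADDLE)):
        print(name, verify(listing))
```

Note what the checker does not share with the layout step: it never computes where instructions should go, it only reads where they are, which is the "no shared code between verifier and rewriter" property on the slide. A real verifier would additionally decode the bytes itself rather than trust a text listing, and would check the inter-module rules (IAT non-writable, trampolines) that the earlier slides describe and this toy omits.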

Compatibility Limitations
- COM objects
- Runtime code generation (JIT)
- Undocumented OS callbacks

Conclusion
Reins finally opens the door to full-scale COTS native SFI for massively complex, real-world applications without source:
- no source code, debug info, or disassembly (assumed unavailable)
- compiler-agnostic
- real COTS binary features: interleaved code and data, computed control-flows, dynamic linking, event-driven callbacks, multithreading
- automated synthesis of the monitor from a policy specification
- automated machine-verification
- low runtime overhead (~2.4%)
- successfully tested on real commercial applications (>3MB code)
Practical applications:
- safe reuse of untrusted commercial software in security-critical environments
- rewriting on demand: the rewriter is deployable as an untrusted third-party service thanks to the separate verifier

References
R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proc. ACM Sym. Operating Systems Principles, pages 203–216, 1993.
F. B. Schneider. Enforceable security policies. ACM Trans. Information and Systems Security, 3(1):30–50, 2000.
M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In Proc. ACM Conf. Computer and Communications Security, 2005.
S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In Proc. USENIX Security Sym., 2006.
Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In Proc. Sym. Operating Systems Design and Implementation, pages 75–88, 2006.
H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proc. ACM Conf. Computer and Communications Security, pages 552–561, 2007.
B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In Proc. IEEE Sym. Security and Privacy, pages 79–93, 2009.

Advantage over VMs
- no air gap: the IRM has controlled but direct access to system resources and other processes
- no semantic gap: no dynamic instruction interpretation or translation
- better performance: fewer context switches; the light-weight VM logic is essentially in-lined into the code
- formal verification: few VMs have been formally verified, and each change to a VM (e.g., to enforce a new policy) requires re-verification of the VM