Environment Selection Application  Firefox 1.0 or 2.0  Apache 2.0.36 Operating System  Linux  Windows XP Instrumentation Package  JIT (DynamoRio,

Presentation transcript:

Environment Selection
Application
 Firefox 1.0 or 2.0
 Apache
Operating System
 Linux
 Windows XP
Instrumentation Package
 JIT (DynamoRIO, Pin)
 Trampoline (Dyninst, Detours, Pin, etc.)

Application
Firefox 1.0 (Phase 1)
 Complex application with an embedded interpreter
 39 to 46 applicable vulnerabilities
Firefox 2.0
 Similar vulnerabilities to 1.0
Apache
 Less complex application
 6 to 8 applicable vulnerabilities
Proposal: Firefox 1.0
 Many interesting vulnerabilities
 Leverages Phase 1 experience

Operating System
Linux
 Open source
 Open source tools (gcc, Xnee, etc.)
 Instrumentation tools are better supported
Windows XP
 Closed source
 More marketable results
Proposal: Windows XP
 No show stoppers for Windows
 Shows the program is more generally applicable

Instrumentation Tools
Instrumentation tool approaches
 JIT
 Probe based
Call interception
 System call
 Library call

JIT Binary Translation
Pin & DynamoRIO
Allows us, at runtime, to manipulate every instruction, with:
 Minimal performance overhead
 Full transparency
Exports an interface for building custom tools
No modifications to hardware, operating system, or application

How does it work? (conceptually) [diagram: the translator's fetch / decode / execute loop, entered at Start]

In more detail [diagram of the JIT translation pipeline; the only figure recoverable from the slide is 120% to 200%]

JIT-mode Summary
Powerful instruction-level instrumentation
 Supports a shadow stack
 Supports arbitrary repairs
 Stack walk
Direct access to the system call gateway

Probe-based instrumentation: Pin probe mode, Dyninst, Detours

Probe-based Repair [diagram only]

Probe-mode Summary
Considerably faster than JIT mode
 No constant performance overhead
Potential issues
 x86: need at least 5 bytes at the probe site for the trampoline jump (a jmp rel32 is one opcode byte plus a 4-byte displacement)
 Can be expensive for fine-grained instrumentation
 Limited to function-level instrumentation
 Does not support a shadow stack
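The five-byte requirement comes from the jmp rel32 that a probe-based tool writes over the function entry, and the instructions it overwrites have to be copied whole into the trampoline. The following C code is an added example, not code from the deck or from Pin, Dyninst or Detours: it encodes and decodes that jump, with the displacement computed from the end of the instruction (the classic off-by-five mistake) and the 32-bit range check that matters on x86-64, and it checks whether an entry sequence has enough whole instructions to relocate. The instruction lengths fed to that check are constructed inputs; a real tool gets them from a length decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* 0xE9 opcode + 4-byte displacement */

/* Encodes "jmp rel32" placed at address `from` and targeting `to`.
   The displacement is relative to the END of the 5-byte instruction.
   Returns 0 on success, -1 if `to` is not reachable with a signed 32-bit
   displacement: on x86-64 a trampoline page mapped more than 2 GiB away
   needs a longer jump sequence or an allocation near the probe site. */
int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)(to - (from + JMP_REL32_LEN)); /* mod 2^64, like the CPU */
    if (disp < INT32_MIN || disp > INT32_MAX)
        return -1;
    int32_t d32 = (int32_t)disp;
    out[0] = 0xE9;
    memcpy(out + 1, &d32, sizeof d32);   /* x86 is little-endian */
    return 0;
}

/* Decodes the jump back to its absolute target, as a disassembler would. */
uint64_t decode_jmp_rel32(uint64_t at, const uint8_t in[JMP_REL32_LEN])
{
    int32_t d32;
    memcpy(&d32, in + 1, sizeof d32);
    return at + JMP_REL32_LEN + (uint64_t)(int64_t)d32;
}

/* 1 if the jump encodes and decodes back to `to`, 0 if it is out of range,
   -1 if the round trip disagrees (which would mean an encoder bug). */
int jmp_roundtrip(uint64_t from, uint64_t to)
{
    uint8_t buf[JMP_REL32_LEN];
    if (encode_jmp_rel32(from, to, buf) != 0)
        return 0;
    return decode_jmp_rel32(from, buf) == to ? 1 : -1;
}

/* A probe site must provide at least 5 bytes of whole instructions, because
   the tool copies them into the trampoline before running the hook (any
   RIP-relative instruction among them also needs its displacement fixed up).
   `lens` are the instruction lengths at the function entry. Returns the
   number of bytes to relocate (>= 5), or -1 if the function is too short. */
int probe_bytes_to_relocate(const uint8_t *lens, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n && total < JMP_REL32_LEN; i++)
        total += lens[i];
    return total >= JMP_REL32_LEN ? total : -1;
}

/* Constructed entry sequences (instruction lengths only). */
static const uint8_t constructed_short_entry[] = { 1, 3 };       /* e.g. push; mov, then ret */
static const uint8_t constructed_ok_entry[]    = { 1, 3, 2, 4 }; /* 6 bytes cover the 5 needed */

int probe_check_short(void) { return probe_bytes_to_relocate(constructed_short_entry, 2); }
int probe_check_ok(void)    { return probe_bytes_to_relocate(constructed_ok_entry, 4); }

int main(void)
{
    printf("near target: %d, far target: %d\n",
           jmp_roundtrip(0x401000, 0x400000), jmp_roundtrip(0x401000, 0x7f0000001000ULL));
    printf("short entry: %d bytes, ok entry: %d bytes\n", probe_check_short(), probe_check_ok());
    return 0;
}
```

The range check is the part that bites when the same code is moved from 32-bit to 64-bit targets: the trampoline memory must land within the reachable window, or the patch has to use a 14-byte absolute jump, which raises the byte requirement accordingly.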

Direct System Call Interception [diagram: Application -> system call gateway -> Operating System, with the interception point at the gateway]

Library System Call Interception [diagram: Application -> Win32 API / Win32 DLLs -> system call gateway -> Operating System, with the interception point inside the Win32 DLLs]

Library Interception
Issues
 Can only catch system calls made through the API (libc, Win32 API); code that enters the system call gateway directly is not seen
 A malicious attacker could inject a different version of the library we are intercepting
 ‣ But that would require code injection
Advantage
 Stable, coherent interface
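The bypass the slide describes takes only a few lines to show: interpose on the write() API symbol, then call the system call gateway directly. The program below is an added example, not code from the deck. It assumes Linux with glibc: defining write() in the executable interposes on libc's export for the program's own calls (the same effect as an LD_PRELOAD hook or a Detours-style patch on a DLL export), and syscall() with SYS_write reaches the kernel without touching the wrapper. It writes into a pipe rather than the terminal so the outcome can be checked; both strings are constructed input.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Number of write() calls that passed through the interposed API wrapper. */
static int intercepted_writes = 0;

/* Library-level interception point: every call that goes through the
   write() symbol lands here. The hook forwards to the kernel through the
   system call gateway, so the application keeps working. */
ssize_t write(int fd, const void *buf, size_t count)
{
    intercepted_writes++;
    return syscall(SYS_write, fd, buf, count);
}

/* Well-behaved application code calls through the API and is seen. */
static ssize_t via_api(int fd, const char *s)
{
    return write(fd, s, strlen(s));
}

/* Injected code invokes the gateway directly (what shellcode does with a raw
   `syscall` or `int 0x80`), so the library hook never runs. */
static ssize_t via_gateway(int fd, const char *s)
{
    return syscall(SYS_write, fd, s, strlen(s));
}

struct demo_result {
    int  intercepted;    /* calls the hook saw */
    long bytes_reached;  /* bytes that reached the kernel either way */
};

struct demo_result run_demo(void)
{
    struct demo_result r = { 0, 0 };
    int fds[2];
    char buf[128];
    ssize_t n;

    if (pipe(fds) != 0)          /* kernel-side sink for the writes */
        return r;
    intercepted_writes = 0;
    via_api(fds[1], "seen by hook\n");       /* 13 bytes, constructed */
    via_gateway(fds[1], "bypasses hook\n");  /* 14 bytes, constructed */
    close(fds[1]);
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        r.bytes_reached += n;
    close(fds[0]);
    r.intercepted = intercepted_writes;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("hook saw %d of 2 writes; %ld bytes reached the kernel\n",
           r.intercepted, r.bytes_reached);
    return 0;
}
```

Both writes reach the kernel, but the hook counts only one of them. Interception at the gateway itself (the JIT-mode "direct access to the system call gateway" on the earlier slide) is what closes that gap; a library hook, however stable its interface, cannot.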

Monitor/Repair Matrix
Tool            Type   OS          Stack   Replace args  Change or drop syscall  Syscall return value  Performance
Pin             JIT    Win, Linux  SS, SW  Y             Y                       Y                     500% / 240%
Pin             Probe  Win, Linux  SW      L             L                       L                     180%
DR (DynamoRIO)  JIT    Win, Linux  SS, SW  Y             L                       L                     400% / 220%
Detours         Probe  Win         SW      L             L                       L                     ~180%
Dyninst         Probe  Linux       SW      L             L                       L                     ~180%
SS = shadow stack, SW = stack walk (as in the JIT-mode summary); Y = supported directly. The slide does not define L; given that DynamoRIO is noted below as not allowing direct manipulation of system calls, it presumably means "only at the library-interception level". Where two performance figures are given the slide does not label them.

Pin
Automatically inlines instrumentation code
 Analysis routines that cannot be inlined are reached through callouts
 ‣ More expensive, but easy to write
 No restrictions on library usage
Simple, easy-to-use API
Works on Linux and Windows
Two modes of operation: JIT and probe
 Covers both models we want to use
Only slightly slower than DynamoRIO

DynamoRIO
Lower-level interface
Library calls are constrained
 Must use the DR versions of calls (e.g., malloc)
 Some calls (e.g., sockets) not supported
Does not allow direct manipulation of system calls
Just released as open source
Phase 1 code (shadow stack, HeapGuard) now available

Plan
Use Pin to develop the prototype
 Supports both JIT and probe modes
 Easy to use
Implement the final approach later
 Evaluate numerous exploits
 Understand what our needs are
Options
 Use probe mode if possible
 Consider DynamoRIO if necessary for speed and/or flexibility

Conclusion
 Application: Firefox 1.0
 Operating System: Windows XP
 Instrumentation: Pin for now

Windows vs. Linux: Development
Windows is closed source
 Forced to reverse engineer Windows (and its tools) to debug problems
 Visual Studio compiler is closed source
 ‣ Difficult to debug
 ‣ Cygwin environment has issues

Accomplishments
 Monitoring framework
 Analysis framework
 Reproduction framework

Monitoring Framework
Pin-based monitoring tool
Two modes of operation
 JIT
 Probe
Analysis
 Shadow stack
 Stack walk (after we disable the frame-pointer omission optimization, so that frames can be chained through saved frame pointers)
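The shadow stack listed in the JIT-mode summary and implemented in the monitoring framework works by mirroring the return address of every executed CALL and checking it against the address actually popped by every RET, which is why it needs the instruction-level view only JIT mode provides. The C program below is an added example, not code from the deck or from Pin: it simulates those two instrumentation callbacks over constructed call/ret traces. The event format, the addresses and the policy for returns that skip frames (longjmp or exception unwinding, popped down to the matching entry rather than flagged) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Events an instruction-level instrumenter (Pin or DynamoRIO in JIT mode)
   delivers: one callback per executed CALL and one per executed RET. */
enum ev_kind { EV_CALL, EV_RET };

struct event {
    enum ev_kind kind;
    uintptr_t addr;   /* CALL: return address pushed (next instruction);
                         RET:  address actually popped from the real stack */
};

#define SHADOW_MAX 256

struct shadow_stack {
    uintptr_t ret[SHADOW_MAX];
    size_t depth;
};

static int shadow_on_call(struct shadow_stack *ss, uintptr_t ret_addr)
{
    if (ss->depth == SHADOW_MAX)      /* shadow overflow: refuse rather than lose track */
        return -1;
    ss->ret[ss->depth++] = ret_addr;
    return 0;
}

/* Assumed policy: a RET whose target matches a deeper shadow entry is treated
   as a longjmp/exception unwind and the shadow stack is cut back to it; a
   target found nowhere on the shadow stack is a violation (smashed return). */
static int shadow_on_ret(struct shadow_stack *ss, uintptr_t target)
{
    size_t i = ss->depth;
    while (i > 0) {
        i--;
        if (ss->ret[i] == target) {
            ss->depth = i;
            return 0;
        }
    }
    return -1;
}

/* Replays a trace through the shadow stack; returns the index of the first
   violating event, or -1 if the whole trace is consistent. */
int check_trace(const struct event *ev, size_t n)
{
    struct shadow_stack ss = { .depth = 0 };
    for (size_t i = 0; i < n; i++) {
        int rc = (ev[i].kind == EV_CALL) ? shadow_on_call(&ss, ev[i].addr)
                                         : shadow_on_ret(&ss, ev[i].addr);
        if (rc != 0)
            return (int)i;
    }
    return -1;
}

/* Constructed traces; the addresses are made up. */
static const struct event clean_trace[] = {
    { EV_CALL, 0x401010 }, { EV_CALL, 0x401230 }, { EV_RET, 0x401230 }, { EV_RET, 0x401010 },
};
static const struct event unwind_trace[] = {    /* longjmp past one frame */
    { EV_CALL, 0x401010 }, { EV_CALL, 0x401230 }, { EV_RET, 0x401010 },
};
static const struct event smashed_trace[] = {   /* return address overwritten with 'AAAA' */
    { EV_CALL, 0x401010 }, { EV_CALL, 0x401230 }, { EV_RET, 0x41414141 }, { EV_RET, 0x401010 },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int check_clean(void)   { return check_trace(clean_trace,   COUNT(clean_trace)); }
int check_unwind(void)  { return check_trace(unwind_trace,  COUNT(unwind_trace)); }
int check_smashed(void) { return check_trace(smashed_trace, COUNT(smashed_trace)); }

int main(void)
{
    printf("clean: %d  unwind: %d  smashed: %d\n",
           check_clean(), check_unwind(), check_smashed());
    return 0;
}
```

The smashed trace is caught at the RET that pops the attacker's value, before control transfers, which is the point at which a repair (restoring the shadow copy of the return address) can be applied. Probe mode cannot do this because it never sees the individual CALL and RET instructions, which is the "does not support shadow stack" line on the probe-mode summary.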

Analysis Framework
Tools for analyzing call-stack information
 Finite-state automaton data structure
 Visual representation
 Suffix-tree fast lookup comparisons
Implemented in Python
 Using the networkx library
 Cross platform

Reproduction Framework
Automate training
 Record and replay user interactions with Firefox
 ‣ Record mouse and keyboard events
 Works in Linux
 ‣ Using Xnee

Windows vs. Linux: Pin Performance
Windows
 Shadow stack: ~4.5x
 Stack walk: ~0.40x
Linux
 Shadow stack: ~4.0x
 Stack walk: ~0.30x