17th ACM CCS (October, 2010)
Outline: Introduction, Problem Statement, Approach, RG Design, Implementation, Related Work
A Seminar at Advanced Defense Lab
A typical and often implicit security assumption is that a program is only semantically meaningful on one platform
› Radically different instruction sets
› Different program encodings
But is it true?

Automatically generate a single binary string that
› is a valid program on some architectures
› can have completely different desired runtime behaviors

Steganography
› m_1(b) = normal program
› m_2(b) = secret information
Rogue Updates
› m_1(b) = normal program
› m_update(b) = malware
› Security measures, such as digitally signing the code, are insufficient since they only verify that the code itself has not been tampered with, not the execution environment

Exfiltration Protection
› m_1(b) = important program
› m_2(b) = delete itself
Viruses and Shellcode
New Architecture
› A company switches from architecture A to B

Notation
› Σ = {0, 1}, the alphabet of bit strings
› m_j(b_i): the execution of program b_i on machine m_j
› (b_i, m_j): b_i is compiled for m_j
› b_i is not a valid string on m_j

Platform-Independent Program
› PIP generation challenge
› Given a list of (b_i, m_j) pairs
A Gadget
Header-Init: Finding Gadget Headers
› (nop)* (jmp) (.)*
Header generation algorithm
› Enumerating all possible strings: several days for a 4-byte header
› Make header templates
› Compute the intersection of templates

Disassemble, Gadget-Gen, and Merge
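The header-template search outlined above, as an added example that is not from the paper or its RG implementation. It uses two constructed toy ISAs (two-byte instructions with made-up NOP and jump encodings, not real x86/ARM/MIPS), builds each ISA's (nop)* (jmp) (.)* templates with wildcards for the (.)* part, intersects them, and keeps only headers whose jumps land past the header at distinct offsets so each architecture's body gets its own slot:

```python
from itertools import product
# Constructed toy ISAs, NOT real x86/ARM/MIPS encodings. Each instruction is two
# bytes: "nops" are the atomic NOP encodings and "jmp" is the opcode byte of a
# relative jump whose second byte is an unsigned offset from the next instruction.
# They are built so that each ISA's jump decodes as an atomic NOP on the other.
TOY_ISAS = {
    "A": {"nops": {b"\x90\x90", b"\x40\x02"}, "jmp": 0xEB},
    "B": {"nops": {b"\x00\x00", b"\xEB\x06"}, "jmp": 0x40},
}
WIDTH = 2  # bytes per instruction

def templates(isa, length):
    # (nop)* (jmp) (.)* templates for one ISA: int = fixed byte, None = wildcard (.)
    out = []
    for k in range(length // WIDTH):  # k = number of leading atomic NOPs
        for nop_run in product(sorted(isa["nops"]), repeat=k):
            prefix = tuple(b"".join(nop_run))
            for off in range(256):
                if WIDTH * (k + 1) + off >= length:  # drop jumps back into the header
                    out.append(prefix + (isa["jmp"], off) + (None,) * (length - WIDTH * (k + 1)))
    return out

def merge(t1, t2):
    # Intersect two templates; None if they disagree on a fixed byte.
    merged = []
    for a, b in zip(t1, t2):
        if a is not None and b is not None and a != b:
            return None
        merged.append(b if a is None else a)
    return tuple(merged)

def decode_header(isa, header):
    # Decode bytes as (nop)* (jmp) on this ISA; return the jump target or None.
    for pos in range(0, len(header), WIDTH):
        chunk = header[pos:pos + WIDTH]
        if chunk in isa["nops"]:
            continue
        return pos + WIDTH + chunk[1] if chunk[0] == isa["jmp"] else None
    return None

def find_headers(isas, length):
    # Intersect all ISAs' templates, fill wildcards with 0x00, keep distinct-target headers.
    cands = [(None,) * length]
    for isa in isas.values():
        cands = [m for c in cands for t in templates(isa, length)
                 if (m := merge(c, t)) is not None]
    found = {}
    for c in cands:
        header = bytes(0 if b is None else b for b in c)
        targets = {name: decode_header(i, header) for name, i in isas.items()}
        if None not in targets.values() and len(set(targets.values())) == len(targets):
            found[header] = targets
    return found
```

With these toy ISAs, find_headers(TOY_ISAS, 4) maps each 4-byte header to its per-ISA jump targets; the raw search space of 256^4 strings is never enumerated.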
RG is currently implemented in about 5,000 lines of a mixture of C++ and Ruby. The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers.

32-bit long
› 90.12% for ARM
› 68.46% for MIPS
› 32.69% for x86

Atomic NOPs
› 326 for x86
› 241 for ARM
› 14,709,948 for MIPS
Three-architecture gadget headers
› 4×10^14 for 12-byte long
› 0.07 sec for 4-byte, 16 secs for 8-byte, 7 hours for 12-byte
Hello world, Prime Checker, Shellcode
Vulnerabilities
› Snort 2.4
› iPhone's coreaudio library

Using PI Translation

Multi-Platform Execution
› Fat binary: two independent program images are combined with special meta-data that is used at run-time to select the appropriate image
› Drew Dean in 2003
› Nemo in 2005

Steganography
› Simmons in 1984: The prisoner's problem

PIP length
More Gadget Headers
Large Input Programs
Indirect Jumps and Self-Modifying Code
Generating Platform
› m(b) = normal program
› generate m'
› m'(b) = malware