Presentation is loading. Please wait.

Presentation is loading. Please wait.

CompSci 725 Presentation by Siu Cho Jun, William.

Published byJohn Turner Modified over 6 years ago

Similar presentations

Presentation on theme: "CompSci 725 Presentation by Siu Cho Jun, William."— Presentation transcript:

1 CompSci 725 Presentation by Siu Cho Jun, William

2 CompSci 725 Presentation Playing Inside the Black Box:
Using Dynamic Instrumentation to Create Security Holes by Barton P. Miller, Mihai Christodorescu, Robert Iverson, Tevfik Kosar, Alexander Mirgorodskii, Florentina Popovici

3 CompSci 725 Presentation Computer Sciences Department, University of Wisconsin Paradyn Project Exploring new approaches to build scalable tools for monitoring or tuning of parallel program performance.

4 Outline Introduction Background Demo 1 Demo 2 Conclusion
The Aim of this paper Background What is “DynInst”? Demo 1 Demo 2 Conclusion

5 Introduction Programs in execution have long been considered to be immutable objects Use “DynInst API” to build tools Operate on binary codes during execution

6 Introduction Show how Dynamic Instrumentation techniques can be used to subvert system security through vulnerabilities Provide some suggestions to compromise those vulnerabilities

7 Background What is “DynInst”?
A post-compiler program manipulation tool Provides an Application Program Interface (API) for programming instrumentation tools with the dynamic instrumentation technology C++ class library

8 What is “DynInst”? (cont.)
Background What is “DynInst”? (cont.) Allows tool builders build tools that can make insertion and modification to a running program Without re-compile, re-link, or even re-execute the program Machine independent

9 What can tools built with “DynInst API” do?
Background What can tools built with “DynInst API” do? (1) inspect a running process, obtaining structural information about the program; (2) control the execution of the program; (3) cause new libraries to be dynamically loaded into the process' address space;

10 What can tools built with “DynInst API” do?
Background What can tools built with “DynInst API” do? (cont.) (4) splice new code sequences into the running program and remove them; (5) replace individual call instructions or entire functions.

11 Background Terms: Mutator Mutatee Point Snippet
The tool built for performing instrumentation Mutatee The program to be instrumented Point A location in a program where instrumentation can be inserted Snippet A piece of executable code to be inserted into a program at a point

12 Background How it works? p.s. Image extracted from the paper
“Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes”

13 Background How it works?
p.s. Image extracted from the paper “An API for Runtime Code Patching”

14 Demo 1 The Lurking Condor Job Goal
To expose security vulnerabilities in a distributed computing environment

15 Demo 1 Background Info. Platform: Unix with Condor
High-Throughput Computing System allows users to schedule and run application programs on idle hosts in widely distributed environment Users do not need to have account and privileges on other hosts

16 Demo 1 Condor SM: Submitting Machine EM: Execution Machine

17 Demo 1 Attack strategy

18 Demo 1 Attack strategy

19 Demo 1 Attack strategy

20 Demo 1 Attack strategy

21 Demo 1 Attack strategy

22 Vulnerability of Condor System
Demo 1 Vulnerability of Condor System Condor starts a shadow process on the SM when it starts the submitted program on the remote EM The shadow process receives remote system calls from the EM and executes with the normal privileges of the submitting user

23 Vulnerability of Condor System (cont.)
Demo 1 Vulnerability of Condor System (cont.) EM might subvert the submitted program and cause it to make inappropriate and malicious requests to the user's SM Condor use the same user id for every job on the EM, this allow the lurker process to access subsequently arriving jobs

24 Demo 1 Suggestions: On SM On trusted EM
Create “Sandbox” around the shadow process On trusted EM Restrict the use of system call on EM Clear up after a job migrated or completed Use multiple user ID’s Malicious EM can bypass any of those measures

25 Subverting License Checking
Demo 2 Subverting License Checking Goal Use DynInst tools to bypass license checking And attain full program functionality even when the license data could not be obtained

26 Demo 2 Background Info. Target application:
Framemaker word processing tool from Adobe Platform: UltraSPARC IIi running Solaris License checking method in Framemaker: Obtain license data from license server and validate it

27 Demo 2 Attack Strategy (1) See the program as a black box and capture the I/O operations to located those were specific to contacting the license server Attach DynInst to Framemaker and trace all library functions that performs I/O operations Replace the open, read, write, send, and recv library function with custom versions which are modified to copy their data into a mirror file

28 Demo 2 Attack Strategy (2) Trace the flow control within the program to understand where the license checking is performed By tracing the control flow for the cases: the license server is successfully contacted the license server cannot be contacted

29 Demo 2 Attack Strategy (3) Determine the functions to be skipped or replaced to avoid the failure of the license check

30 Demo 2 Attack toolkit (1) Function Call Tracer
The depth of the call stack, order of calls, and return values from each function are reported (2) Function Argument Parser For tracking the type and name of each parameter to a function in the application

31 Demo 2 Attack toolkit (3) Java to DynInst Compiler (JavaD)
Since the DynInst API calls operate at the machine language level Write snippet in Java and translate to DynInst calls To simplify the task of creating code snippets

32 Demo 2 Result Successfully bypassed the licensing checks by the following steps: (1) Allowed the retrieval of the license data to fail. (2) Prevented FrameMaker from entering demo mode by deleting the function call of ChangeProductToDemo.

33 Demo 2 Result (cont.) (3) Bypassed the first license data validation by skipping over the sequence of code that performed it. (4) Modified all later license data validations to always succeed, regardless of the presence of the license data in memory.

34 Demo 2 Suggestion Basic code obfuscation techniques can be used:
obscure naming of modules and functions violating modularity by having many implementations of the same functionality especially for the license checking function Include error reporting code

35 Conclusion With DynInst library:
It is easy to monitor and control almost any running program. It is also easy to make arbitrary changes that program's behavior.

36 Conclusion More significant study is needed for Safe remote execution which includes: preventing inappropriate operations preventing undetected modification or spoiling of computational results

37 Question We have seen several tamper-proofing/tamper-resistance technique: Software Guards Obfuscation Software aging How well do they serve in protecting software?

Download ppt "CompSci 725 Presentation by Siu Cho Jun, William."

Similar presentations

Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.

Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.
Software Security & Privacy Risks in Mobile E-Commerce Kartikeya Kakarala CSCI 5939-Independent Study Wireless Application Protocols.

Software Security & Privacy Risks in Mobile E-Commerce Kartikeya Kakarala CSCI 5939-Independent Study Wireless Application Protocols.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Remote Controlled Agent Avital Yachin Ran Didi SoftLab – June 2006.

Remote Controlled Agent Avital Yachin Ran Didi SoftLab – June 2006.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Chap 2 System Structures.

Chap 2 System Structures.
Operating-System Structures

Operating-System Structures
© 2000 Barton P. MillerSeptember 6, 2000DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P.

© 2000 Barton P. MillerSeptember 6, 2000DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
© 2001 Barton P. MillerDecember 2001DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P. Miller.

© 2001 Barton P. MillerDecember 2001DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P. Miller.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.

Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.
DISTRIBUTED PROCESS IMPLEMENTAION BHAVIN KANSARA.

DISTRIBUTED PROCESS IMPLEMENTAION BHAVIN KANSARA.
The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.

The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Similar presentations

Ads by Google