Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2000 Barton P. MillerSeptember 6, 2000DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P.

Published byDerrick Walton Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2000 Barton P. MillerSeptember 6, 2000DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P."— Presentation transcript:

1 © 2000 Barton P. MillerSeptember 6, 2000DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P. Miller bart@cs.wisc.edu Computer Sciences Department University of Wisconsin Madison, Wisconsin 53705 USA

2 – 2 –© 2000 Barton P. Miller DynInst Security A New View Running programs are objects to be easily manipulated. Kinds of manipulations might include: qInstrumentation qOptimization qControl qSubversion?

3 – 3 –© 2000 Barton P. Miller DynInst Security The Vehicle:The DynInst API A machine-independent library for machine level code patching. qEases the task of building new tools. qProvides the basic abstractions to patch code on- the-fly

4 – 4 –© 2000 Barton P. Miller DynInst Security Dynamic Instrumentation qDoes not require recompiling or relinking Saves time: compile and link times are significant in real systems. Can instrument without the source code (e.g., proprietary libraries). Can instrument without linking (relinking is not always possible. qInstrument optimized code.

5 – 5 –© 2000 Barton P. Miller DynInst Security Dynamic Instrumentation (con’d) qOnly instrument what you need, when you need No hidden cost of latent instrumentation. Enables “one pass” tools. qCan instrument running programs (such as Web or database servers) Production systems. Embedded systems. Systems with complex start-up procedures.

6 – 6 –© 2000 Barton P. Miller DynInst Security The Basic Mechanism Application Program Function foo Trampoline Pre-Instrumentation Relocated Instruction Post-Instrumentation

7 – 7 –© 2000 Barton P. Miller DynInst Security The DynInst Interface qMachine independent representation qObject-based interface to build Abstract Syntax Trees (AST’s) qWrite-once, instrument-many (portable) qHides most of the complexity in the API Process Hijacker: only 700 lines of user code! MPI tracer: 250 lines

8 – 8 –© 2000 Barton P. Miller DynInst Security Basic DynInst Operations qProcess control: Attach/create process Monitor process status changes Callbacks for fork/exec/exit qImage (executable program) routines: Find procedures/modules/variables Call graph (parent/child) queries

9 – 9 –© 2000 Barton P. Miller DynInst Security Basic DynInst Operations qInferior (application processor) operations: Malloc/free –Allocate heap space in application process Inferior RPC –Asynchronously execute a function in the application. Load module –Cause a new.so/.dll to be loaded into the application.

10 – 10 –© 2000 Barton P. Miller DynInst Security Basic DynInst Operations qInferior operations (continued): Remove Function Call –Disable an existing function call in the application Replace Function Call –Redirect a function call to a new function Replace Function –Redirect all calls (current and future) to a function to a new function.

11 – 11 –© 2000 Barton P. Miller DynInst Security Basic DynInst Operations qBuilding AST code sequences: Control structures: if and goto Arithmetic and Boolean expressions Get PID/TID operations Read/write registers and global variables Read/write parameters and return value Function call

12 – 12 –© 2000 Barton P. Miller DynInst Security Applications of DynInst qProcess Hijacking (Vic Zandy) Submitting already-running jobs to Condor qMPI Tracer (Chris Chambreau) Insert Vampir or Pablo trace calls on the fly. qFunction Call Tracer (Roland Wismüller) Generate dynamic call graph qImage Mentor (Brian Wylie) Query module/function/memory structure qRe-Tee (Jeff Hollingsworth) Redirect program output on-the-fly qLicense server bypassing qCondor security attacks

13 – 13 –© 2000 Barton P. Miller DynInst Security License Server Attack: The Bypass Program License Data Network License Server Normal: licensed program runs after communicates with license server. Program License Data Network License Server Undesired: licensed program refuses to run if license server does not respond.

14 – 14 –© 2000 Barton P. Miller DynInst Security Example: Adobe FrameMaker Two-step license verification: retrieve license data from server [once] check license data for correctness [often] In practice: allow FM to time-out waiting for server allow FM to attempt to go into “demo” mode switch FM back to normal mode insure that future license checks always succeed

15 – 15 –© 2000 Barton P. Miller DynInst Security Strategies qComplete reverse engineering: not an option –legal problems –complexity (FrameMaker is a 7 MB binary!) qFocus on certain characteristics: I/O (network sockets) traffic execution trace

16 – 16 –© 2000 Barton P. Miller DynInst Security Tools qHigh-level language translators: Dyner: interactive, interpreted C subset Jdyninst: Java to DynInst compiler qBypasser: an interactive call graph browser Search and walk application call graph Resolves function pointers at runtime Can follow caller or callee paths Can generate call trace

17 – 17 –© 2000 Barton P. Miller DynInst Security Use qDetermining where to apply changes: get trace for a successful run get trace for a (forced-)failure run compare to find differences repeat as needed

18 – 18 –© 2000 Barton P. Miller DynInst Security Details  FM calls NlOpenlicenses on start up Contacts license server and caches credential if successful  At end of main, calls NluiCheckLicense If credential is not present, call ChangeProductToDemo (cannot save files) qFrequently, during operation, FM will check for cached credentials.

19 – 19 –© 2000 Barton P. Miller DynInst Security Details  FM calls NlOpenlicenses on start up Contacts license server and caches credential if successful Allow this to fail.  At end of main, calls NluiCheckLicense If credential is not present, call ChangeProductToDemo (cannot save files) qFrequently, during operation, FM will check for cached credentials.

20 – 20 –© 2000 Barton P. Miller DynInst Security Details  FM calls NlOpenlicenses on start up Contacts license server and caches credential if successful Allow this to fail.  At end of main, calls NluiCheckLicense If credential is not present, call ChangeProductToDemo (cannot save files) Delete the call to ChangeProductToDemo. qFrequently, during operation, FM will check for cached credentials.

21 – 21 –© 2000 Barton P. Miller DynInst Security Details  FM calls NlOpenlicenses on start up Contacts license server and caches credential if successful Allow this to fail.  At end of main, calls NluiCheckLicense If credential is not present, call ChangeProductToDemo (cannot save files) Delete the call to ChangeProductToDemo. qFrequently, during operation, FM will check for cached credentials. Change this call to always return “true”.

22 – 22 –© 2000 Barton P. Miller DynInst Security Condor Attack: Lurking Jobs qCondor schedules jobs on idle computers. qIn a normal mode, jobs run as a common, low- privilege user ID: “nobody”. qThis common user ID provides an opportunity for an evil lurking process to ambush subsequent jobs (from other users):

23 – 23 –© 2000 Barton P. Miller DynInst Security Condor Job Structure Submitting Host Shadow Process Execution Host User Job system calls

24 – 24 –© 2000 Barton P. Miller DynInst Security Condor Job Structure Submitting Host Shadow Process Execution Host Evil User Job system calls Lurker Process fork

25 – 25 –© 2000 Barton P. Miller DynInst Security Condor Job Structure Submitting Host Execution Host Lurker Process

26 – 26 –© 2000 Barton P. Miller DynInst Security Condor Job Structure Submitting Host Shadow Process Execution Host Innocent User Job system calls Lurker Process

27 – 27 –© 2000 Barton P. Miller DynInst Security Condor Job Structure Submitting Host Shadow Process Execution Host Innocent User Job system calls Lurker Process attach

28 – 28 –© 2000 Barton P. Miller DynInst Security Condor Job Structure Submitting Host Shadow Process Execution Host Innocent User Job system calls Control remote system calls Lurker Process rm -rf *

29 – 29 –© 2000 Barton P. Miller DynInst Security How to Get a Copy of DynInst: Release 1.3 Free for research use. Runs on Solaris (SPARC & x86), Windows NT, AIX/SP2, Linux (x86), Irix (MIPS),Tru64 Unix (Alpha). http://www.cs.wisc.edu/paradyn paradyn@cs.wisc.edu

Download ppt "© 2000 Barton P. MillerSeptember 6, 2000DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P."

Similar presentations

PHP I.

PHP I.
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
Chap 2 System Structures.

Chap 2 System Structures.
© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.

© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.
© 2001 Barton P. MillerDecember 2001DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P. Miller.

© 2001 Barton P. MillerDecember 2001DynInst Security Playing Inside the Blackbox: Using Dynamic Instrumentation to Create Security Holes Barton P. Miller.
Processes CSCI 444/544 Operating Systems Fall 2008.

Processes CSCI 444/544 Operating Systems Fall 2008.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.

Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.

Condor Overview Bill Hoagland. Condor Workload management system for compute-intensive jobs Harnesses collection of dedicated or non-dedicated hardware.
Software Development and Software Loading in Embedded Systems.

Software Development and Software Loading in Embedded Systems.
Course: Introduction to Computers

Course: Introduction to Computers
Distributed Process Implementation Hima Mandava. OUTLINE Logical Model Of Local And Remote Processes Application scenarios Remote Service Remote Execution.

Distributed Process Implementation Hima Mandava. OUTLINE Logical Model Of Local And Remote Processes Application scenarios Remote Service Remote Execution.
Chapter 8 Windows 2000. 2 Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.

Chapter 8 Windows Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
© Janice Regan, CMPT 128, Jan. 2007 0 CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.
1 Lecture 4: Threads Operating System Fall 2006. 2 Contents Overview: Processes & Threads Benefits of Threads Thread State and Operations User Thread.

1 Lecture 4: Threads Operating System Fall Contents Overview: Processes & Threads Benefits of Threads Thread State and Operations User Thread.
Process Management. Processes Process Concept Process Scheduling Operations on Processes Interprocess Communication Examples of IPC Systems Communication.

Process Management. Processes Process Concept Process Scheduling Operations on Processes Interprocess Communication Examples of IPC Systems Communication.
Operating Systems CS3502 Fall 2014 Dr. Jose M. Garrido

Operating Systems CS3502 Fall 2014 Dr. Jose M. Garrido
CHAPTER FOUR COMPUTER SOFTWARE.

CHAPTER FOUR COMPUTER SOFTWARE.
OS provide a user-friendly environment and manage resources of the computer system. Operating systems manage: –Processes –Memory –Storage –I/O subsystem.

OS provide a user-friendly environment and manage resources of the computer system. Operating systems manage: –Processes –Memory –Storage –I/O subsystem.

Similar presentations

Ads by Google