Presentation is loading. Please wait.

Presentation is loading. Please wait.

Environment Selection Application  Firefox 1.0 or 2.0  Apache 2.0.36 Operating System  Linux  Windows XP Instrumentation Package  JIT (DynamoRio,

Published byMarjory Walker Modified over 9 years ago

Similar presentations

Presentation on theme: "Environment Selection Application  Firefox 1.0 or 2.0  Apache 2.0.36 Operating System  Linux  Windows XP Instrumentation Package  JIT (DynamoRio,"— Presentation transcript:

1 Environment Selection Application  Firefox 1.0 or 2.0  Apache 2.0.36 Operating System  Linux  Windows XP Instrumentation Package  JIT (DynamoRio, Pin)  Trampoline (Dyninst, Detours, Pin, etc)

2 Application Firefox 1.0 (Phase 1)  Complex app with embedded interpreter  39 to 46 applicable vulnerabilities Firefox 2.0  Similar vulnerabilities as 1.0 Apache 2.0.36  Less complex application  6-8 applicable vulnerabilities Proposal: Firefox 1.0  Many interesting vulnerabilities  Leverages Phase 1 experience

3 Operating System Linux  Open source  Open source tools (gcc, Xnee, etc)  Instrumentation tools are supported better Windows XP  Closed source  More marketable results Proposal: Windows XP  No show stoppers for Windows  Shows program is more generally applicable

4 Instrumentation Tools Instrumentation tool approaches  JIT  Probe based Call interception  System call  Library call

5 JIT Binary Translation PIN & DynamoRIO Allows us, at runtime, to manipulate every instruction, with:  Minimal performance overhead  Full transparency Exports interface for building custom tools No modifications to hardware, operating system, or application

6 How does it work? (conceptually) fetchdecodeexecute Start

7 In more detail 120% to 200%

8 JIT-mode Summary Powerful instruction-level instrumentation  Supports shadow stack  Supports arbitrary repairs  Stack-walk Direct access to system call gateway

9 Probe based instrumentation: PIN probe, Dyninst, Detours

10 Probe-based Repair

11 Probe-mode Summary Considerably faster than JIT-mode  No constant performance overhead Potential issues  x86: need at least 5 bytes for trampolines  Can be expensive for fine-grained instrumentation  Limited to function-level instrumentation  Does not support shadow stack

12 Direct System Call Interception Application System call gateway Operating System Interception

13 Library System Call Interception Application System call gateway Operating System Win32 API Win32 DLLs Interception

14 Issue With Library Interception Can only catch system calls made through API (libc, win32API) Malicious attacker could inject a different version of the library we are intercepting  But that would require code-injection

15 Library Interception Can only catch system calls made through API (libc, win32API) Malicious attacker could inject a different version of the library we are intercepting  But that would require code-injection Stable, coherent interface

16 Monitor/Repair Matrix ToolTypeOSStack Replace Args Change or drop syscall Syscall return value Perform ance PINJIT Win, Linux SS SW YYY 500% 240% PINProbe Win, Linux SWLLL180% DRJIT Win, Linux SS SW YLL 400% 220% DetoursProbeWinSWLLL~180% DyninstProbeLinuxSWLLL~180%

17 PIN Automatically in-lines instrumentation code  Uses callouts ‣ More expensive but easy to write  No restrictions on library usage Simple, easy-to-use API Works on Linux and Windows Two modes of operation: JIT and Probe  Cover both models we want to use Only slightly slower than DynamoRIO

18 DynamoRIO Lower level interface Library calls are constrained  Must use DR version of calls (e.g., malloc)  Some calls (e.g., sockets) not supported Does not allow direct manipulation of system calls Just released as open source Phase 1 code (shadow stack, HeapGuard) now available

19 Plan Use Pin to develop prototype  Supports both JIT and Probe  Easy to use Implement final approach later  Evaluate numerous exploits  Understand what our needs are Options  Use probe mode if possible  Consider DynamoRio if necessary for speed and/or flexibility

20 Conclusion Application: Firefox 1.0 Operating System: Windows XP Instrumentation: Pin for now

21 Windows-Linux: Development Windows is closed source  Forced to reverse engineer Windows (and its tools) to debug problems  Visual Studio compiler is closed source ‣ Difficult to debug ‣ Cygwin environment has issues

22 Accomplishments Monitoring framework Analysis framework Reproduction framework

23 Monitoring Framework PIN-based monitoring tool Two modes of operation  JIT  Probe Analysis  Shadow stack  Stack walk (after we disable FP optimization)

24 Analysis Framework Tools for analyzing callstack information  Finite state automata data-structure  Visual representation  Suffix-tree fast lookup comparisons Implemented in Python  Using networkx libraries  Cross platform

25 Reproduction Framework Automate training  Record & replay user interactions with FF ‣ Record mouse & keyboard events  Works in Linux ‣ Using Xnee

26 Windows - Linux Pin Performance Windows  Shadow Stack: ~4.5x  Stack Walk: ~0.40x Linux  Shadow Stack: ~4.0x  Stack Walk: ~0.30x

Download ppt "Environment Selection Application  Firefox 1.0 or 2.0  Apache 2.0.36 Operating System  Linux  Windows XP Instrumentation Package  JIT (DynamoRio,"

Similar presentations

Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,

Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,
Evaluating Indirect Branch Handling Mechanisms in Software Dynamic Translation Systems Jason D. Hiser, Daniel Williams, Wei Hu, Jack W. Davidson, Jason.

Evaluating Indirect Branch Handling Mechanisms in Software Dynamic Translation Systems Jason D. Hiser, Daniel Williams, Wei Hu, Jack W. Davidson, Jason.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Amanda Silver Director of Program Management Visual Studio Tools for Client Applications Cross-Platform Development using Visual Studio.

Amanda Silver Director of Program Management Visual Studio Tools for Client Applications Cross-Platform Development using Visual Studio.
Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.

Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.
Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.

Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.
1 Platform-Based Design A paper by Alberto Sangiovanni-Vincentelli EE 249, 11/5/2002 Presenter: Mel Tsai.

1 Platform-Based Design A paper by Alberto Sangiovanni-Vincentelli EE 249, 11/5/2002 Presenter: Mel Tsai.
Author: Texas Instruments ®, Sitara™ ARM ® Processors Building Blocks for PRU Development Module 2 PRU Firmware Development This session covers how to.

Author: Texas Instruments ®, Sitara™ ARM ® Processors Building Blocks for PRU Development Module 2 PRU Firmware Development This session covers how to.
Software Issues Derived from Dr. Fawcett’s Slides Phil Pratt-Szeliga Fall 2009.

Software Issues Derived from Dr. Fawcett’s Slides Phil Pratt-Szeliga Fall 2009.
Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.

Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.
September 2008 IT-3100 11 Software Development Guide.

September 2008 IT Software Development Guide.
Chocolate Bar! luqili. Milestone 3 Speed 11% of final mark 7%: path quality and speed –Some cleverness required for full marks –Implement some A* techniques.

Chocolate Bar! luqili. Milestone 3 Speed 11% of final mark 7%: path quality and speed –Some cleverness required for full marks –Implement some A* techniques.
INFO425: Systems Design INFORMATION X Finalizing Scope (functions/level of automation)  Finalizing scope in terms of functions and level of.

INFO425: Systems Design INFORMATION X Finalizing Scope (functions/level of automation)  Finalizing scope in terms of functions and level of.
University of Maryland Compiler-Assisted Binary Parsing Tugrul Ince PD Week 2012 26 – 27 March 2012.

University of Maryland Compiler-Assisted Binary Parsing Tugrul Ince PD Week – 27 March 2012.
@2011 Mihail L. Sichitiu1 Android Introduction Platform Overview.

@2011 Mihail L. Sichitiu1 Android Introduction Platform Overview.
Zhonghua Qu and Ovidiu Daescu December 24, 2009 University of Texas at Dallas.

Zhonghua Qu and Ovidiu Daescu December 24, 2009 University of Texas at Dallas.
1 SWE 513: Software Engineering Usability II. 2 Usability and Cost Good usability may be expensive in hardware or special software development User interface.

1 SWE 513: Software Engineering Usability II. 2 Usability and Cost Good usability may be expensive in hardware or special software development User interface.
Oracle HTMLDB introduction IT-AIS-HR Giovanni Chierico 1/16 Oracle HTMLDB introduction CERN Oracle Developers Forum: May 12 th 2005.

Oracle HTMLDB introduction IT-AIS-HR Giovanni Chierico 1/16 Oracle HTMLDB introduction CERN Oracle Developers Forum: May 12 th 2005.
Analyzing parallel programs with Pin Moshe Bach, Mark Charney, Robert Cohn, Elena Demikhovsky, Tevi Devor, Kim Hazelwood, Aamer Jaleel, Chi- Keung Luk,

Analyzing parallel programs with Pin Moshe Bach, Mark Charney, Robert Cohn, Elena Demikhovsky, Tevi Devor, Kim Hazelwood, Aamer Jaleel, Chi- Keung Luk,
Multimedia Teaching Tool SimArch V1.0 Faculty of Electronic Engineering University of Nis Serbia.

Multimedia Teaching Tool SimArch V1.0 Faculty of Electronic Engineering University of Nis Serbia.

Similar presentations

Ads by Google