1. 17 th ACM CCS (October, 2010)

2.  Introduction  Problem Statement  Approach  RG Design  Implementation  Related Work 2 A Seminar at Advanced Defense Lab

3. 3

4.  A typical and often implicit security assumption is that a program is only semantically meaningful on one platform › Radically different instruction sets › Different program encodings  But, is it true? A Seminar at Advanced Defense Lab 4

5.  Automatically generate a single binary string that › is a valid program on some architectures › can have completely different desired runtime behaviors A Seminar at Advanced Defense Lab 5

6.  Steganography. › m 1 (b) = normal program › m 2 (b) = secret information  Rogue Updates › m1(b) = normal program › m update (b) = malware › Security measures, such as digitally signing the code, are insufficient since they only verify the code itself has not been tampered with, not the execution environment A Seminar at Advanced Defense Lab 6

7.  Exfiltration Protection › m 1 (b) = important program › m 2 (b) = delete itself  Viruses and Shellcode  New Architecture › A company switches from architecture A to B A Seminar at Advanced Defense Lab 7

8.  Notation › ∑ = {0, 1} › Bit string › m j (b i )  The execution of program b i on machine m j › (bi, mj)  b i is compiled for m j ›  b i is not a valid string on m j A Seminar at Advanced Defense Lab 8

9.  Platform-Independent Program ›  PIP generation challenge › Given (b i, m j ) list › A Seminar at Advanced Defense Lab 9

10. 10

11. A Seminar at Advanced Defense Lab 11 A Gadget

12. A Seminar at Advanced Defense Lab 12

13. A Seminar at Advanced Defense Lab 13

14. A Seminar at Advanced Defense Lab 14

15.  Header-Init: Finding Gadget Headers › (nop)* (jmp) (.)*  Header generation algorithm › Enumeration all possible string  X  several days for 4-byte header › Make header templates › Computing the intersection of templates A Seminar at Advanced Defense Lab 15

16.  Disassemble, Gadget-Gen, and Merge A Seminar at Advanced Defense Lab 16

17. A Seminar at Advanced Defense Lab 17

18. A Seminar at Advanced Defense Lab 18

19.  RG is currently implemented in about 5,000 lines of a mixture of C++ and Ruby.  The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers A Seminar at Advanced Defense Lab 19

20.  32-bit long › 90.12% for ARM › 68.46% for MIPS › 32.69% for x86 A Seminar at Advanced Defense Lab 20 12.31%

21.  Atomic NOPs › 326 for x86 › 241 for ARM › 14,709,948 for MIPS  Three-architecture gadget headers › 4×10 14 for 12-byte long › 0.07 sec for 4-byte, 16 secs for 8-byte, 7 hours for 12-byte A Seminar at Advanced Defense Lab 21

22. A Seminar at Advanced Defense Lab 22

23.  Hello world  Prime Checker  Shellcode  Vulnerabilities › Snort 2.4 › iPhone’s coreaudio library A Seminar at Advanced Defense Lab 23

24. A Seminar at Advanced Defense Lab 24 Using PI Translation

25. A Seminar at Advanced Defense Lab 25

26.  Muti-Platform Execution › Fat binary  two independent program images are combined with special meta-data that is used at run-time to select the appropriate image › Drew Dean in 2003 › Nemo in 2005 [link]link A Seminar at Advanced Defense Lab 26

27.  Steganography › Simmons in 1984  The prisoner’s problem A Seminar at Advanced Defense Lab 27

28.  PIP length  More Gadget Headers  Large Input Programs  Indirect Jumps and Self-Modifying Code  Generating Platform › m(b) = normal program › generate m’ › m’(b) = malware A Seminar at Advanced Defense Lab 28

29. A Seminar at Advanced Defense Lab 29