17th ACM CCS (October, 2010). Introduction Problem Statement Approach RG Design Implementation...

Post on 18-Jan-2018


Platform-Independent Programs

Sang Kil Cha, Brian Pak, David Brumley (Carnegie Mellon University)

Richard J. Lipton (Georgia Institute of Technology)

17th ACM CCS (October, 2010)

A Seminar at Advanced Defense Lab 2

Outline

› Introduction
› Problem Statement
› Approach
› RG Design
› Implementation
› Related Work


Introduction

x86


Platform-Independent Program?

A typical and often implicit security assumption is that a program is only semantically meaningful on one platform
› Radically different instruction sets
› Different program encodings

But, is it true?


In this paper: automatically generate a single binary string that
› is a valid program on some architectures
› can have completely different desired runtime behaviors


Security-Critical Implications

Steganography
› m1(b) = normal program
› m2(b) = secret information

Rogue Updates
› m1(b) = normal program
› mupdate(b) = malware
› Security measures such as digitally signing the code are insufficient, since they only verify that the code itself has not been tampered with, not the execution environment


Security-Critical Implications

Exfiltration Protection
› m1(b) = important program
› m2(b) = delete itself

Viruses and Shellcode

New Architecture
› A company switches from architecture A to B


Problem Statement: Notation

› $\Sigma = \{0, 1\}$
› $b \in \Sigma^*$ is a bit string
› $m_j(b_i)$: the execution of program $b_i$ on machine $m_j$
› $(b_i, m_j)$: $b_i$ is compiled for $m_j$
› $m_j(b_i)$ is undefined when $b_i$ is not a valid string on $m_j$


Problem Definition: Platform-Independent Program

Platform-independent program: $m_1(b) \neq m_2(b)$

PIP generation challenge
› Given a list of $(b_i, m_j)$ pairs, find $b_{pip}$ with $m_j(b_i) = m_j(b_{pip})$ for every pair $(b_i, m_j)$


Approach

[Figure: input programs b1, b2, b3 combined into bpip]


Gadgets

[Figure: b1, b2, b3 split into gadgets; one gadget highlighted]


Gadget Header Example


Connecting Gadgets


Generation Algorithm


RG Design: Header-Init, Finding Gadget Headers

› Gadget header pattern: (nop)* (jmp) (.)*

Header generation algorithm
› Enumerating all possible strings X: several days for a 4-byte header
› Make header templates
› Compute the intersection of the templates


RG Design: Disassemble, Gadget-Gen, and Merge
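The Header-Init enumeration and the Gadget-Gen/Merge steps, as an added example on two constructed toy machines (not the RG tool's code, which targets x86, ARM and MIPS): it brute-forces the first 2-byte header that decodes as (nop)* (jmp) on both machines with distinct jump targets, places each machine's body at its own target, and runs the result on each machine to show m1(b) ≠ m2(b). The opcode encodings, the OUT/HALT instructions and all function names are assumptions of this example.

```python
import itertools
# Two constructed toy machines (not real ISAs), opcode byte -> kind. JMP adds its low
# nibble to the next pc, OUT takes one operand byte, 0xFF halts, other bytes are invalid.
ISA_A = {**dict.fromkeys(range(0x00, 0x10), "nop"), **dict.fromkeys(range(0x10, 0x20), "jmp"), 0x40: "out", 0xFF: "halt"}
ISA_B = {**dict.fromkeys(range(0x00, 0x20), "nop"), **dict.fromkeys(range(0x80, 0x90), "jmp"), 0xC0: "out", 0xFF: "halt"}

def step(isa, code, pc):
    """Decode the instruction at pc -> (kind, next_pc, operand), or None if invalid on isa."""
    kind, op = isa.get(code[pc]), code[pc]
    if kind == "out":
        return (kind, pc + 2, code[pc + 1]) if pc + 1 < len(code) else None
    return (kind, pc + 1 + (op & 0x0F if kind == "jmp" else 0), None) if kind else None

def header_target(isa, hdr):
    """Jump target if hdr decodes as (nop)* (jmp) on isa and the jump leaves hdr, else None."""
    pc, ins = 0, ("nop", 0, None)
    while ins and ins[0] == "nop" and pc < len(hdr):
        ins = step(isa, hdr, pc)
        pc = ins[1] if ins else len(hdr)
    return pc if ins and ins[0] == "jmp" and pc >= len(hdr) else None

def find_header(isas, body_lens, hdr_len=2):
    """Header-Init by enumeration: first header whose distinct per-machine targets, taken
    in target order, leave room for the preceding machine's body; None if there is none."""
    for hdr in map(bytes, itertools.product(range(256), repeat=hdr_len)):
        t = [header_target(isa, hdr) for isa in isas]
        if None in t or len(set(t)) < len(t):
            continue
        order = sorted(range(len(isas)), key=t.__getitem__)
        if all(t[order[k + 1]] >= t[order[k]] + body_lens[order[k]] for k in range(len(order) - 1)):
            return hdr, t
    return None

def gadget_gen(isas, bodies):
    """Merge: the header, then each machine's body placed at that machine's own jump target."""
    hdr, t = find_header(isas, [len(b) for b in bodies])
    out = bytearray(hdr)
    for i in sorted(range(len(isas)), key=t.__getitem__):
        out += b"\x00" * (t[i] - len(out)) + bodies[i]  # pad up to the target, then the body
    return bytes(out)

def run(isa, code):
    """m(b): execute code on isa; returns its output, or None when code is invalid on isa."""
    pc, out = 0, ""
    while pc < len(code) and (ins := step(isa, code, pc)):
        kind, pc, arg = ins
        out += chr(arg) if kind == "out" else ""
        if kind == "halt":
            return out
    return None
```

With bodies `OUT 'A'; HALT` for machine A and `OUT 'B'; HALT` for machine B, `gadget_gen([ISA_A, ISA_B], ...)` yields one 8-byte string that prints "A" on A and "B" on B, while either body alone is not a valid string on the other machine.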


RG Design – PI Translation


PI Translation


Implementation

RG is currently implemented in about 5,000 lines of a mixture of C++ and Ruby.

The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers.


Instruction Validity (32-bit long)

› 90.12% for ARM
› 68.46% for MIPS
› 32.69% for x86

12.31%


Gadget Header: Atomic NOPs

› 326 for x86
› 241 for ARM
› 14,709,948 for MIPS

Three-architecture gadget headers
› 4×10^14 for 12-byte long
› 0.07 sec for 4-byte, 16 secs for 8-byte, 7 hours for 12-byte


Gadget Header


Evaluation

› Hello world
› Prime Checker
› Shellcode
› Vulnerabilities: Snort 2.4, iPhone's coreaudio library


Evaluation

Using PI Translation


Evaluation


Related Work: Multi-Platform Execution

› Fat binary: two independent program images are combined with special meta-data that is used at run-time to select the appropriate image
› Drew Dean in 2003
› Nemo in 2005


Related Work (cont.): Steganography

› Simmons in 1984: The prisoner's problem


Discussion

› PIP length
› More Gadget Headers
› Large Input Programs
› Indirect Jumps and Self-Modifying Code
› Generating Platform
  › m(b) = normal program
  › generate m'
  › m'(b) = malware


Thank You