17th ACM CCS (October, 2010). Introduction Problem Statement Approach RG Design Implementation...
Platform-Independent Programs
Sang Kil Cha, Brian Pak, David Brumley
Carnegie Mellon University
Richard J. Lipton
Georgia Institute of Technology
17th ACM CCS (October, 2010)
A Seminar at Advanced Defense Lab 2
Outline
Introduction
Problem Statement
Approach
RG Design
Implementation
Related Work
Introduction
x86
Platform-Independent Program?
A typical and often implicit security assumption is that a program is only semantically meaningful on one platform
› Radically different instruction sets
› Different program encodings
But, is it true?
In this paper
Automatically generate a single binary string that
› is a valid program on some architectures
› can have completely different desired runtime behaviors
Security-Critical Implications
Steganography
› m1(b) = normal program
› m2(b) = secret information
Rogue Updates
› m1(b) = normal program
› mupdate(b) = malware
› Security measures, such as digitally signing the code, are insufficient since they only verify the code itself has not been tampered with, not the execution environment
Security-Critical Implications
Exfiltration Protection
› m1(b) = important program
› m2(b) = delete itself
Viruses and Shellcode
New Architecture
› A company switches from architecture A to B
Problem Statement
Notation
› ∑ = {0, 1}
› Bit string
› mj(bi): the execution of program bi on machine mj
› (bi, mj): bi is compiled for mj
› bi is not a valid string on mj
mj(bi)
*b
Problem Definition
Platform-Independent Program
› m1(b) m2(b)
PIP generation challenge
› Given (bi, mj) list
› (bi, mj): mj(bi) mj(bpip)
Approach
b1 b2 b3
bpip
Gadgets
b1 b2 b3
A Gadget
Gadget Header Example
Connecting Gadgets
Generation Algorithm
RG Design
Header-Init: Finding Gadget Headers
› (nop)* (jmp) (.)*
Header generation algorithm
› Enumerating all possible strings X: several days for a 4-byte header
› Make header templates
› Computing the intersection of templates
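The template-intersection step above, as an added example (not code from the slides or from RG). It assumes templates are modelled as patterns of fixed and wildcard bits; the two toy "architectures" and their 16-bit patterns are constructed for illustration and are not real instruction encodings. Intersecting templates yields the common headers without testing every string.

```python
from itertools import product

WIDTH = 16  # toy header width in bits (the slides use 4-, 8- and 12-byte headers)

def tpl(pattern):
    """Parse '0'/'1'/'?' (wildcard) into a (mask, value) pair; mask marks fixed bits."""
    p = pattern.replace(" ", "")
    assert len(p) == WIDTH
    mask = int("".join("0" if c == "?" else "1" for c in p), 2)
    return mask, int(p.replace("?", "0"), 2)

def intersect(a, b):
    """Template matching exactly the strings matched by both a and b, or None."""
    (ma, va), (mb, vb) = a, b
    if (va ^ vb) & ma & mb:          # some bit is fixed by both, to different values
        return None
    return ma | mb, va | vb

def count(t):
    """Number of concrete strings a template matches: 2^(wildcard bits)."""
    return 1 << (WIDTH - bin(t[0]).count("1"))

def common_headers(*template_sets):
    """Intersect one template per architecture, over every combination."""
    out = []
    for combo in product(*template_sets):
        acc = combo[0]
        for t in combo[1:]:
            acc = intersect(acc, t) if acc else None
        if acc:
            out.append(acc)
    return out

def total(templates):
    """Strings covered by a list of pairwise-disjoint templates."""
    return sum(count(t) for t in templates)

def brute_force(*template_sets):
    """The slow alternative: test every WIDTH-bit string against every set."""
    return sum(all(any((x & m) == v for m, v in ts) for ts in template_sets)
               for x in range(1 << WIDTH))

# Constructed templates; within each toy architecture they are disjoint.
TOY_A = [tpl("0101 ???? ???? ????"), tpl("1100 0011 ???? ??01")]
TOY_B = [tpl("???? ???? 1010 ????"), tpl("???? 0000 0110 ??11")]

if __name__ == "__main__":
    for mask, value in common_headers(TOY_A, TOY_B):
        print(f"mask={mask:016b} value={value:016b}")
    print(total(common_headers(TOY_A, TOY_B)), brute_force(TOY_A, TOY_B))
```

The intersection visits 4 template pairs where the enumeration visits 65,536 strings; that gap grows exponentially with header width.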
RG Design Disassemble, Gadget-Gen, and Merge
RG Design – PI Translation
PI Translation
Implementation
RG is currently implemented in about 5,000 lines of a mixture of C++ and Ruby.
The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers
Instruction Validity
32-bit long
› 90.12% for ARM
› 68.46% for MIPS
› 32.69% for x86
12.31%
Gadget Header
Atomic NOPs
› 326 for x86
› 241 for ARM
› 14,709,948 for MIPS
Three-architecture gadget headers
› 4×10^14 for 12-byte long
› 0.07 sec for 4-byte, 16 secs for 8-byte, 7 hours for 12-byte
Gadget Header
Evaluation
Hello world
Prime Checker
Shellcode
Vulnerabilities
› Snort 2.4
› iPhone’s coreaudio library
Evaluation
Using PI Translation
Evaluation
Related Work
Multi-Platform Execution
› Fat binary: two independent program images are combined with special meta-data that is used at run-time to select the appropriate image
› Drew Dean in 2003
› Nemo in 2005 [link]
Related Work (cont.)
Steganography
› Simmons in 1984: The prisoner’s problem
Discussion
PIP length
More Gadget Headers
Large Input Programs
Indirect Jumps and Self-Modifying Code
Generating Platform
› m(b) = normal program
› generate m’
› m’(b) = malware
Thank You