Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.
-
Upload
graciela-carte -
Category
Documents
-
view
225 -
download
3
Transcript of Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.
![Page 2: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/2.jpg)
A Common Pattern
1. Create sandbox2. Load user-supplied Lua (byte|source) code3. Run code in sandbox
![Page 3: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/3.jpg)
A Common Pattern
1. Create sandbox2. Load user-supplied Lua (byte|source) code3. Run code in sandbox Sandbox Blacklist
os.* io.* debug.*package.loadlibpackage.loaders[3]package.loaders[4]
![Page 4: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/4.jpg)
A Common Pattern
1. Create sandbox2. Load user-supplied Lua (byte|source) code3. Run code in sandbox Sandbox Whitelist
string.gsub table.sort
![Page 5: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/5.jpg)
A Common Pattern
1. Create sandbox2. Load user-supplied Lua (byte|source) code3. Run code in sandbox
Arbitrary native codeexecution*
Sandbox Whitelist
string.gsub table.sort
* At least for Lua 5.1.4 on x86 Windows (even with DEP and ASLR)
![Page 6: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/6.jpg)
BytecodeBytecode
GETGLOBAL r0, printLOADK r1, “Lua”CALL r0, 1, 0
Source code
print “Lua”
Virtualmachine
load call
![Page 7: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/7.jpg)
BytecodeBytecode
GETGLOBAL r0, printLOADK r1, “Lua”CALL r0, 1, 0
Source code
print “Lua”
Virtualmachine
load call
Serialised bytecode
\27Lua\x51\0\1\4\4\4\8\0\7\0\0\0\61stdin\0\1\0\0\0\1\0\0\0\0\0\0\2\4\0\0\0\5\0\0\0\65\64\0\0\28\64\00\1\30\0\128\0\2\0\0\0\4\6\0\0\0print\0\4\4\0\0\0Lua\0\0\0\0\0\4\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0
dump
![Page 8: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/8.jpg)
Logical TValue
![Page 9: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/9.jpg)
Physical TValue
![Page 10: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/10.jpg)
C API abusing a TValuevoid lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[–1] = *luaH_get(hvalue(t), L->top - 1);}
![Page 11: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/11.jpg)
C API abusing a TValuevoid lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[–1] = *luaH_get(hvalue(t), L->top - 1);}
int table.sort(lua_State* L) { luaL_checktype(L, 1, LUA_TTABLE); /* ... */ lua_rawget(L, 1); /* ... */}
![Page 12: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/12.jpg)
C API abusing a TValuevoid lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[–1] = *luaH_get(hvalue(t), L->top - 1);}
int table.sort(lua_State* L) { luaL_checktype(L, 1, LUA_TTABLE); /* ... call comparison function ... */ lua_rawget(L, 1); /* ... call comparison function ... */}
![Page 13: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/13.jpg)
Virtual Machine abusing a TValue
for x = init, limit, stepdo print(x)
end
GETGLOBAL initGETGLOBAL limitGETGLOBAL stepFORPREPGETGLOBAL printMOVE xCALLFORLOOP
![Page 14: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/14.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
![Page 15: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/15.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“go”, “a”} r0
table.sort r1
{“go”, “a”} r2
function r3
r4
r5
r6
r7
r8
r9
![Page 16: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/16.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“go”, “a”}
table.sort
{“go”, “a”} 1
function 2
![Page 17: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/17.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“go”, “a”}
table.sort
{“go”, “a”} 1
function 2
“go” -5
“a” -4
function -3
“a” -2
“go” -1
![Page 18: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/18.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“go”, “a”}
table.sort
{“go”, “a”}
function
“go”
“a”
function
“a” r0
“go” r1
r2
![Page 19: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/19.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“go”, “a”}
table.sort
{“go”, “a”}
function
“go”
“a”
function
“a” r0
“go” r1
false r2
![Page 20: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/20.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“go”, “a”}
table.sort
{“go”, “a”} 1
function 2
“go” -3
“a” -2
false -1
“a”
“go”
false
![Page 21: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/21.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“a”, “go”}
table.sort
{“a”, “go”} 1
function 2
“go”
“a”
false
“a”
“go”
false
![Page 22: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/22.jpg)
Function Calls
local t = {“go”, “a”}table.sort(t, function(lhs, rhs) return #lhs < #rhs end)
{“a”, “go”} r0
table.sort r1
{“a”, “go”} r2
function r3
“go” r4
“a” r5
false r6
“a” r7
“go” r8
false r9
![Page 23: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/23.jpg)
Upvalues
local x = 10local count = function() x = x + 1 return x end
10
(function)
upvalue #0GETUPVALADDSETUPVALGETUPVALRETURN
![Page 24: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/24.jpg)
Upvalues
\27Lua\x51...(malicious bytecode here)...
10
(function)
upvalue #0GETUPVALADDSETUPVALGETUPVALRETURN
![Page 25: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/25.jpg)
Malicious Bytecode Catalogue
• Violating type assumptions in the VM– FORLOOP– SETLIST in 5.2
• Emulating debug.[gs]etlocal– Reading leftover locals– Promiscuous upvalues
• Violating type assumptions in the C API– lua_(next|raw[gs]eti?)– lua_[gs]etuservalue in 5.2
![Page 26: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/26.jpg)
Mitigation Catalogue
• Don’t load bytecode– First byte decimal 27– load(ld, source, "t" [, env]) in 5.2
• Compile with LUA_USE_APICHECK (*)• Static analysis and verification of bytecode
(*) Makes exploitation harder, doesn’t prevent information leakage attacks, may not save you.
![Page 27: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/27.jpg)
Static Analysis, Blunt Approach
• Violating type assumptions in the VM– For each stack slot, at each VM instruction,
determine a set of possible types• Emulating debug.[gs]etlocal– Ensure stack slots are safely readable– For each stack slot, at each VM instruction,
determine if it could be an upvalue– Segregating calls from upvalues
![Page 28: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/28.jpg)
Static Type Analysis
function example(x) if x then x = 3.14 else x = “pi” end return xend
.parameter r0TEST r0; JMP $+2LOADK r0, k0JMP $+1LOADK r0, k1
RETURN r0
![Page 29: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/29.jpg)
Static Type Analysis
function example(x) if x then x = 3.14 else x = “pi” end return xend
TEST r0
LOADK r0 3.14
LOADK r0 “pi”
RETURN r0
![Page 30: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/30.jpg)
Static Type Analysis
function example(x) if x then x = 3.14 else x = “pi” end return xend
TEST r0
LOADK r0 3.14
LOADK r0 “pi”
RETURN r0
*
num
str{num, str}
![Page 31: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/31.jpg)
Static Analysis Prerequisites
• Decode and understand each instruction• Ensure control flow doesn’t leave• Valid (register|constant|…) indices• Verify some VM assumptions, like:– TEST instructions are followed by a JMP– Boolean constants are either 0 or 1
• Instructions which produce or consume a variable number of values must come in pairs
![Page 32: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/32.jpg)
Static Analysis, Subtle Approach
• Violating type assumptions in the VM– Protect loop control variables– Perform runtime table type checks
• Emulating debug.[gs]etlocal– At each VM instruction, split the stack into
locals / temporary / unused
Upvalues Calls Unreadable
![Page 33: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/33.jpg)
Static Analysis, Subtle Approach
• Debug information embedded within bytecode– Gives size of the local region at each instruction– Specifies which locals are loop control variables
• The temporary region always grows into the next available unused stack slot
• The local region always grows to absorb a temporary• Backward jumps are to locations with no temporaries• Forward jumps merge to the smallest of the
temporary ranges
![Page 34: Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.](https://reader035.fdocuments.net/reader035/viewer/2022062515/56649c755503460f949280fa/html5/thumbnails/34.jpg)
“Practical” Static Analysis
require "lbcv"
lbcv.verify(ld)
lbcv.load(ld [, source [, mode]])