Platform-Independent Programs
Sang Kil Cha, Brian Pak, David Brumley (Carnegie Mellon University)
Richard J. Lipton (Georgia Institute of Technology)
17th ACM CCS (October, 2010)
A Seminar at Advanced Defense Lab 2
Outline
- Introduction
- Problem Statement
- Approach
- RG Design
- Implementation
- Related Work
Introduction
x86
Platform-Independent Program?
A typical and often implicit security assumption is that a program is only semantically meaningful on one platform:
- radically different instruction sets
- different program encodings
But, is it true?
In this paper: automatically generate a single binary string that
- is a valid program on each of several architectures
- can have completely different desired runtime behaviors on each of them
Security-Critical Implications
Steganography
- m_1(b) = normal program
- m_2(b) = secret information
Rogue Updates
- m_1(b) = normal program
- m_update(b) = malware
- Security measures such as digitally signing the code are insufficient, since they only verify that the code itself has not been tampered with, not the execution environment it will run on
Security-Critical Implications (cont.)
Exfiltration Protection
- m_1(b) = important program
- m_2(b) = delete itself
Viruses and Shellcode
New Architecture
- A company switches from architecture A to architecture B
Problem Statement: Notation
- Σ = {0, 1}; a program is a bit string b ∈ Σ*
- m_j(b_i): the execution of program b_i on machine m_j
- (b_i, m_j): b_i is compiled for m_j
- m_j(b_i) is undefined when b_i is not a valid program on m_j
Problem Definition: Platform-Independent Program
- A string b is a PIP with respect to machines m_1 and m_2 when it is a valid program on both, so that m_1(b) and m_2(b) are both defined (and may differ)
PIP generation challenge
- Given a list of pairs (b_i, m_j), generate a single string b_pip such that ∀(b_i, m_j): m_j(b_i) = m_j(b_pip)
Approach
[Figure: input programs b_1, b_2, b_3 are combined into a single string b_pip]
Gadgets
[Figure: b_1, b_2, b_3 laid out as gadgets inside b_pip; one gadget highlighted]
Gadget Header Example
Connecting Gadgets
Generation Algorithm
RG Design: Header-Init, Finding Gadget Headers
- Header template: (nop)* (jmp) (.)*, i.e. on a given architecture the header decodes as zero or more NOPs, then a jump to that architecture's gadget, then arbitrary bytes that are never executed there
Header generation algorithm
- Enumerating all possible strings X is too slow: several days even for a 4-byte header
- Instead, build header templates per architecture
- Compute the intersection of the templates
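To make the Header-Init step concrete, here is an added example (my own model, not the paper's RG implementation) that searches for a two-architecture x86/ARM gadget header by building per-architecture templates and intersecting them. It relies on real encodings only where stated in the comments: x86 NOP = 90 and JMP short = EB rel8, and the ARM A32 branch B whose top byte is EA in little-endian storage. The choice of a single ARM NOP encoding (MOV R0, R0), the restriction to one x86 NOP form, the wildcard data structure and the function names are all assumptions of this example.

```python
"""
Toy model of RG's Header-Init step for two real architectures.
A gadget header must read as (nop)* (jmp) (.)* on every target
architecture at once; rather than enumerate all byte strings, build one
template per architecture and intersect them.  Added example, not the
paper's code.

Real encodings used (ARM words are stored little-endian):
  x86:  90        NOP
        EB rel8   JMP short, target = next_ip + rel8
  ARM A32: 4-byte word with top byte 0xEA = B imm24 (condition AL),
        target = PC + 8 + signext(imm24) << 2,
        stored as imm24[7:0] imm24[15:8] imm24[23:16] EA
        00 00 A0 E1 = MOV R0, R0 (one ARM NOP; the model uses only this one)
"""
from typing import List, Optional

WILD: Optional[int] = None          # wildcard byte inside a template
Template = List[Optional[int]]

def x86_templates(n: int) -> List[Template]:
    """All (nop)* jmp .* layouts of n bytes in the x86 model."""
    out = []
    for k in range(n - 1):          # k leading NOPs, then EB rel8, then junk
        out.append([0x90] * k + [0xEB, WILD] + [WILD] * (n - k - 2))
    return out

def arm_templates(n: int) -> List[Template]:
    """All (nop)* b .* layouts of n bytes in the ARM model (4-byte words)."""
    nop = [0x00, 0x00, 0xA0, 0xE1]
    out = []
    for k in range(n // 4):         # k leading NOP words, then B imm24
        out.append(nop * k + [WILD, WILD, WILD, 0xEA] + [WILD] * (n - 4 * k - 4))
    return out

def intersect(a: Template, b: Template) -> Optional[Template]:
    """Unify two templates byte by byte; None if concrete bytes conflict."""
    if len(a) != len(b):
        return None
    out: Template = []
    for x, y in zip(a, b):
        if x is WILD:
            out.append(y)
        elif y is WILD or x == y:
            out.append(x)
        else:
            return None
    return out

def header_templates(n: int) -> List[Template]:
    """Templates that are (nop)* jmp .* on BOTH architectures."""
    return [t for ta in x86_templates(n) for tb in arm_templates(n)
            for t in [intersect(ta, tb)] if t is not None]

def instantiate(t: Template, x86_gadget_off: int):
    """Fill a template so the x86 view jumps to x86_gadget_off (relative to
    the header start).  Returns (header bytes, x86 target, ARM target).
    The ARM imm24 is whatever the x86 bytes happen to spell: that coupling
    is why the ARM gadget cannot be placed freely."""
    hdr = list(t)
    jmp = hdr.index(0xEB)
    rel8 = x86_gadget_off - (jmp + 2)
    if not -128 <= rel8 <= 127 or hdr[jmp + 1] is not WILD:
        raise ValueError("x86 gadget not reachable from this template")
    hdr[jmp + 1] = rel8 & 0xFF
    hdr = [0 if b is WILD else b for b in hdr]
    i = 0                            # skip ARM NOP words, find the branch
    while hdr[i:i + 4] == [0x00, 0x00, 0xA0, 0xE1]:
        i += 4
    word = int.from_bytes(bytes(hdr[i:i + 4]), "little")
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 1 << 24
    return bytes(hdr), x86_gadget_off, i + 8 + (imm24 << 2)

def x86_jump_target(hdr: bytes) -> int:
    """Independent check of the x86 view: skip NOPs, decode JMP short."""
    i = 0
    while hdr[i] == 0x90:
        i += 1
    if hdr[i] != 0xEB:
        raise ValueError("x86 view is not (nop)* jmp")
    rel8 = hdr[i + 1] - 256 if hdr[i + 1] >= 128 else hdr[i + 1]
    return i + 2 + rel8

if __name__ == "__main__":
    for t in header_templates(4):
        print("template:", ["??" if b is WILD else f"{b:02X}" for b in t])
    hdr, x86_t, arm_t = instantiate([0xEB, WILD, WILD, 0xEA], 4)
    print(hdr.hex(), "x86 gadget at", x86_t, "ARM gadget at", arm_t)
```

The 4-byte intersection contains EB ?? ?? EA: x86 executes JMP short and skips the rest, ARM executes one B instruction. Filling the x86 rel8 fixes the low two bytes of the ARM imm24, so the ARM gadget is forced roughly 3 KB past the header; the padding that implies is the PIP-length cost discussed later in the talk.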
RG Design: Disassemble, Gadget-Gen, and Merge
RG Design: PI Translation
PI Translation
Implementation
- RG is currently implemented in about 5,000 lines of a mixture of C++ and Ruby.
- The gadget finder program finds all possible 4-byte, 8-byte, and 12-byte gadget headers.
Instruction Validity (32-bit strings)
- 90.12% valid for ARM
- 68.46% valid for MIPS
- 32.69% valid for x86
- 12.31% valid on all three architectures
Gadget Header: Atomic NOPs
- 326 for x86
- 241 for ARM
- 14,709,948 for MIPS
Three-architecture gadget headers
- about 4×10^14 for 12-byte headers
- search time: 0.07 sec for 4-byte, 16 sec for 8-byte, 7 hours for 12-byte
Gadget Header
Evaluation
- Hello world
- Prime checker
- Shellcode
- Vulnerabilities: Snort 2.4, iPhone's coreaudio library
Evaluation: Using PI Translation
Evaluation (cont.)
Related Work: Multi-Platform Execution
- Fat binary: two independent program images are combined with special metadata that is used at run-time to select the appropriate image
- Drew Dean in 2003
- Nemo in 2005 [link]
Related Work (cont.): Steganography
- Simmons in 1984: the prisoners' problem
Discussion
- PIP length
- More gadget headers
- Large input programs
- Indirect jumps and self-modifying code
- Generating a platform: given m(b) = normal program, generate a machine m' such that m'(b) = malware
Thank You