platform-independent programs

Platform-Independent Programs

Sang Kil Cha, Brian Pak, David BrumleyCarnegie Mellon University

Richard J. LiptonGeorgia Institute of Technology

17th ACM CCS (October, 2010)

A Seminar at Advanced Defense Lab 2

Outline Introduction Problem Statement Approach RG Design Implementation Related Work


Introduction

x86


Platform-Independent Program?

A typical and often implicit security assumption is that a program is only semantically meaningful on one platform› Radically different instruction sets› Different program encodings

But, is it true?


In this paper Automatically generate a single binary

string that› is a valid program on some architectures

› can have completely different desired runtime behaviors


Security-Critical Implications

Steganography.› m1(b) = normal program› m2(b) = secret information

Rogue Updates› m1(b) = normal program› mupdate(b) = malware› Security measures, such as digitally signing the

code, are insufficient since they only verify the code itself has not been tampered with, not the execution environment


Security-Critical Implications

Exfiltration Protection› m1(b) = important program› m2(b) = delete itself

Viruses and Shellcode

New Architecture› A company switches from architecture A to

B


Problem Statement Notation

› ∑ = {0, 1}› Bit string› mj(bi)

The execution of program bi on machine mj

› (bi, mj) bi is compiled for mj

› bi is not a valid string on mj

)( ij bm

*b


Problem Definition Platform-Independent Program

›

PIP generation challenge› Given (bi, mj) list›

)()( 21 bmbm

)()(:),( pipjijji bmbmmb


Approach

b1 b2 b3

bpip


Gadgets

b1 b2 b3

A Gadget


Gadget Header Example


Connecting Gadgets


Generation Algorithm


RG Design Header-Init: Finding Gadget Headers

› (nop)* (jmp) (.)*

Header generation algorithm› Enumeration all possible string X

several days for 4-byte header› Make header templates› Computing the intersection of templates


RG Design Disassemble, Gadget-Gen, and Merge


RG Design – PI Translation


PI Translation


Implementation RG is currently implemented in about

5,000 lines of a mixture of C++ and Ruby.

The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers


Instruction Validity 32-bit long

› 90.12% for ARM› 68.46% for MIPS› 32.69% for x86

12.31%


Gadget Header Atomic NOPs

› 326 for x86› 241 for ARM› 14,709,948 for MIPS

Three-architecture gadget headers› 4×1014 for 12-byte long› 0.07 sec for 4-byte, 16 secs for 8-byte, 7

hours for 12-byte


Gadget Header


Evaluation Hello world

Prime Checker

Shellcode

Vulnerabilities› Snort 2.4› iPhone’s coreaudio library


Evaluation

Using PI Translation


Evaluation


Related Work Muti-Platform Execution

› Fat binary two independent program images are

combined with special meta-data that is used at run-time to select the appropriate image

› Drew Dean in 2003› Nemo in 2005 [link]

http://seclists.org/fulldisclosure/2005/Nov/387


Related Work(cont.) Steganography

› Simmons in 1984 The prisoner’s problem


Discussion PIP length More Gadget Headers Large Input Programs Indirect Jumps and Self-Modifying Code Generating Platform

› m(b) = normal program› generate m’› m’(b) = malware


Thank You

platform-independent programs

Documents

advanced defense lab22

advanced defense lab16

advanced defense lab17

advanced defense lab20

advanced defense lab14

advanced defense lab8

advanced defense lab13

advanced defense lab12