binary code retrofitting and hardening using sgx
play

Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao - PowerPoint PPT Presentation

Jan 10, 2023 •558 likes •822 views

Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang, XiaoFeng Wang, and Dinghao Wu The Pennsylvania State University, Indiana University Bloomington, Institute of Information Engineering Motivation

  1. Binary Code Retrofitting and Hardening Using SGX Shuai Wang, Wenhao Wang, Qinkun Bao, Pei Wang, XiaoFeng Wang, and Dinghao Wu The Pennsylvania State University, Indiana University Bloomington, Institute of Information Engineering

  2. Motivation  Available in Intel Commercial CPUs  Hardware isolated memory regions  Protection under a strong adversary model  A bit performance penalty (~10%)

  3. Motivation  Available in Intel Commercial CPUs  Hardware isolated memory regions  Protection under a strong adversary model  A bit performance penalty Can binary code hardening benefit from SGX?

  4. Motivation  Graphene-SGX, Haven Large TCB (53 kloc for  Graphene-SGX)

  5. Motivation  Graphene-SGX, Haven Large TCB (53 kloc for  Graphene-SGX)  Our solution  Techniques to dissect binary code into multiple components  Put into separated enclaves

  6. Background on SGX  Two capabilities address mapping change in enclave  memory access Processor semantics Reserved Memory (PRM) protection of the ELRANGE  Enclave Page address mappings of Cache (EPC) the application

  7. Background on SGX  Life cycle Enclave Initialization (ECREATE/EINIT) EENTER ERESUME non-enclave enclave mode mode AEX EEXIT Enclave Destroy (EREMOVE)

  8. Background on SGX  Life cycle Enclave Initialization (ECREATE/EINIT) EENTER ERESUME non-enclave enclave mode mode AEX EEXIT Enclave Destroy (EREMOVE)

  9. Background on SGX  Controlled enclave entry  Separated stack  CPU state and registers are cleared if exceptions occur inside the enclaves.

  10. Methodology

  11. Methodology OCALL ECALL ECALL Interface library: maintain routine code for ecall and ocall

  12. Methodology OCALL ECALL ECALL In-place binary editing: Trampoline code

  13. Challenges  Binary code reassembly disassembling Uroboros   How to generate enclave libraries  Intel SGX SDK  Binary instrumentation to jump to the enclave entry  Trampoline code  Exceptions  Customized exception handling inside the enclaves

  14. Challenges  Binary code reassembly disassembling Uroboros   How to generate enclave libraries  Intel SGX SDK  Binary instrumentation to jump to the enclave entry  Trampoline code  Exceptions  Customized exception handling inside the enclaves

  15. Some technique details  In-place binary editing Trampoline code 

  16. Some technique details  Exceptions Customized exception handling inside the enclaves 

  17. Proof-of-concept implementation  Extend Uroboros with SGX instrumentation functionalities. Employ the core functionality of Uroboros to identify program relocation  symbols (e.g., code pointers). Use industrial standard reverse engineering tool (IDA-Pro) to recover the  function type information.  Implement the instrumentation functionality in Scala, with over 1,700 LOC.  The proof-of-concept implementation of the exception handling mechanism adds 56 lines of C code.

  18. Evaluation  Evaluations mainly focus on understanding the feasibility and cost of the instrumentation products.  Two major factors would contribute to the performance penalty of the SGX protected code:  Execution slowdown of code components inside enclaves.  Cross-enclave control flow transfers, e.g., enclave ECALL.

  19. Evaluation Setup  Our preliminary evaluation instruments sensitive procedures provided by cryptographic libraries .  AES implementation in OpenSSL (version 0.9.7)  Write sample code to trigger the encryption and decryption functions in the library.  key length is set as 256.  AES electronic codebook (ECB) mode.

  20. Evaluation Setup To measure the performance cost of code within enclave (first factor): • All encryption/decryption computations are performed within one enclave. • Pointers on key and data blocks are passed in through the interface.

  21. Evaluation Setup To measure the impact of inter-enclave control flow transfers (second factor): • Put the block-level encryption/decryption functions into the enclave. • Control the number of inter-enclave control transfers by changing the length of the input data.

  22. Evaluation Results 4 × overhead over computation without SGX when processing over 100k data blocks, overhead is 6.91%.

  23. Evaluation Results We measure the size increase in terms of multiple components: • Size of output binary is identical with the input, since we perform in- place binary instrumentation. • Both SDK routines and our routine code introduce size increase. • The overall size increase is within a reasonable extent. • Evaluation One has three more functions than Evaluation Two .

  24. Future works  Limitations How to reliably recover the function prototype?  How to deal with the shared variables among several isolated enclaves?  Some instructions/operations may not be supported inside the enclaves.  … 

  25. Thanks! Contact: ww31@indiana.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
CCured: Type-safe Retrofitting of Legacy Code By Necula, McPeak, Weimer Presented By: Philip

CCured: Type-safe Retrofitting of Legacy Code By Necula, McPeak, Weimer Presented By: Philip

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CCured: Type-safe Retrofitting of Legacy Code By Necula,

284 views • 24 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology ACL2 Workshop, May, 2017 Goal Lift binary code into logic JVM bytecode x86 binary code Then verify against a spec using Axe

276 views • 24 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

348 views • 14 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

163 views • 13 slides
! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

Coding ! Representing characters from some input alphabet using another alphabet . Example: input characters from the Latin Huffman Codes alphabet, output strings of binary digits. ! Fixed-length binary character code: for an input

326 views • 3 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI

Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI

Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015) Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting

752 views • 56 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

507 views • 27 slides
Ex. 8.4 7-4-2-1 code Codeconverter 7-4-2-1-code to BCD-code. When encoding the digits 0 ... 9

Ex. 8.4 7-4-2-1 code Codeconverter 7-4-2-1-code to BCD-code. When encoding the digits 0 ... 9

Ex. 8.4 7-4-2-1 code Codeconverter 7-4-2-1-code to BCD-code. When encoding the digits 0 ... 9 sometimes in the past a code having weights 7-4-2-1 instead of the binary code weights 8-4-2-1 was used. In the cases where a digit's code word

830 views • 66 slides
Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals:

Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals:

Binary code browser Student: Alin Mindroc (Romania) Mentor: Dr. Sandro Wenzel Main goals: -Create two projects: web app and Eclipse plugin which could assist developers in the process of browsing/analyzing binary code -Create an abstract layer

277 views • 13 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David <rdavid@quarkslab.com> Luigi Coniglio <luigi.coniglio@studenti.unitn.it> Mariano Ceccato <mariano.ceccato@univr.it>

1.12k views • 82 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
and Compiler-Automated Instrumentation Adisak Pochanayon Principal Software Engineer

and Compiler-Automated Instrumentation Adisak Pochanayon Principal Software Engineer

Runtime CPU Spike Detection using Manual and Compiler-Automated Instrumentation Adisak Pochanayon Principal Software Engineer Netherrealm Studios adisak@wbgames.com Topics to Cover This talk is about runtime instrumentation-based

892 views • 67 slides
Classification with Partial Labels Weibin Meng , Ying Liu, Shenglin Zhang, Dan Pei Hui Dong, Lei

Classification with Partial Labels Weibin Meng , Ying Liu, Shenglin Zhang, Dan Pei Hui Dong, Lei

Device-Agnostic Log Anomaly Classification with Partial Labels Weibin Meng , Ying Liu, Shenglin Zhang, Dan Pei Hui Dong, Lei Song, Xulong Luo 2018/6/23 weibin 1 Motivation Architecture of Datacenter Networks Inter-DC Network Core Core

192 views • 15 slides
The Reformation Alones We get right with God by grace alone through faith alone in Christ

The Reformation Alones We get right with God by grace alone through faith alone in Christ

11/28/2017 The Reformation Alones We get right with God by grace alone through faith alone in Christ alone to Gods glory alone. We know this is true because the Bible says so! Romans 3:22, 24 & 27 , NIV This righteousness is given

203 views • 3 slides
Mark 7:1-23 Blue Bible pg 1071 Mark 7:1-23 Blue Bible pg 1071 Mark 7:1 13 ESV Traditions and

Mark 7:1-23 Blue Bible pg 1071 Mark 7:1-23 Blue Bible pg 1071 Mark 7:1 13 ESV Traditions and

Mark 7:1-23 Blue Bible pg 1071 Mark 7:1-23 Blue Bible pg 1071 Mark 7:1 13 ESV Traditions and Commandments 1 Now when the Pharisees gathered to Jesus, with some of the scribes who had come from Jerusalem, 2 they saw that some of his

614 views • 23 slides
Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you

Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you

Kprobes internals Thomas Bitzberger bitz@lse.epita.fr What are kprobes Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel

642 views • 36 slides
20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland

803 views • 40 slides
When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began

When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began

When 3 Memory Models Arent Enough October 23, 2019 Porting VMS to x86 using LLVM Began two years ago Host LLVM on OpenVMS Itanium Using older 3.4.2 due to Itanium C++ Convert our backends IR to LLVM IR Reuse existing

112 views • 8 slides
Static instrumentation based on executable file formats About Romain Thomas - Security

Static instrumentation based on executable file formats About Romain Thomas - Security

Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software protection and reverse

1.04k views • 77 slides

More recommend