deploying dynamic analyses and preventing compiler
play

Deploying Dynamic Analyses and Preventing Compiler Backdoors with - PowerPoint PPT Presentation

Mar 26, 2023 •205 likes •945 views

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus Pina l.pina@imperial.ac.uk Joint work with Cristian Cadar , Anastasios Andronidis , and John Regehr Imperial College London, UK University of

  1. Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Luís Pina l.pina@imperial.ac.uk Joint work with Cristian Cadar , Anastasios Andronidis , and John Regehr Imperial College London, UK University of Utah, USA Runtime Verification beyond Monitoring (ArVi) ICT COST Action IC1402 Barcelona, March 10th, 2016

  2. Deploying Dynamic Analysis? Why? ./server 2

  3. Deploying Dynamic Analysis? Why? ./server Segmentation fault 3

  4. Deploying Dynamic Analysis? Why? ./server 4

  5. Deploying Dynamic Analysis? Why? valgrind --tool=memcheck server Invalid read of size 32 by 0x40B07FF4: memcpy (mc_replace_strmem.c:635) by 0x40AC751B: dtls1_process_heartbeat(SSL *s) (ssl/d1_both.c:1497) Address 0xBFFFF0E0 is not stack’d, malloc’d or free’d 5

  6. Deploying Dynamic Analysis? Why? valgrind --tool=memcheck server Invalid read of size 32 by 0x40B07FF4: memcpy (mc_replace_strmem.c:635) by 0x40AC751B: dtls1_process_heartbeat(SSL *s) (ssl/d1_both.c:1497) Address 0xBFFFF0E0 is not stack’d, malloc’d or free’d 7x–57x slowdown 6

  7. Deploying Dynamic Analysis? Why? gcc -fsanitize=address server.c -o server ./server ==2268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000013748 at pc 0x7f228f5f0cfa READ of size 32768 at 0x629000013748 thread T0 #0 0x43d075 in memcpy /usr/include/bits/string3.h:51 #1 0x43d075 in tls1_process_heartbeat ssl/t1_lib.c:2586 #2 0x50e498 in ssl3_read_bytes ssl/s3_pkt.c:1092 #3 0x51895c in ssl3_get_message ssl/s3_both.c:457 ... ==2268== ABORTING 1.10x–2.67x slowdown 7

  8. N-Version Execution Server 8

  9. N-Version Execution Version 1 Server Coordinator Version 2 9

  10. N-Version Execution Version 1 Server Coordinator Version 2 10

  11. N-Version Execution Version 1 Server Coordinator Version 2 11

  12. N-Version Execution Version 1 Server Coordinator Version 2 12

  13. Varan Version 1 Coordinator Version 2 13

  14. Varan Version 1 Leader Coordinator Version 2 Follower 1 14

  15. Varan Version 1 Leader Version 2 Follower 1 15

  16. Varan Version 1 Leader Version 2 Follower 1 16

  17. Varan Version 1 Leader Version 2 Follower 1 17

  18. Varan Version 1 Leader Version 2 Follower 1 18

  19. Varan Version 1 Leader Version 2 Follower 1 19

  20. Varan Version 1 Leader Version 2 Follower 1 20

  21. Varan Version 1 Leader Version 2 Follower 1 21

  22. Varan Version 1 Leader Version 2 Follower 1 22

  23. Varan Version 1 Leader Version 2 Follower 1 23

  24. Varan System calls 01 02 while ( true ) { 03 04 sckt = accept(); // Wait for client 05 req = parse(read(skt)); // Handle request 06 07 file = open(req); 08 rsp = read(file); 09 10 11 // Send response 12 write(skt, rsp); 13 14 } 15 24

  25. Varan System calls 01 02 while ( true ) { 03 04 sckt = accept (); // Wait for client 05 req = parse( read (skt)); // Handle request 06 07 file = open (req); 08 rsp = read (file); 09 10 11 12 write (skt, rsp); // Send response 13 14 } 15 25

  26. Varan Version 1 Leader Version 2 Follower 1 26

  27. Varan Version 1 Leader Version 2 Follower 1 1x–1.17x slowdown 27

  28. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 28

  29. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 29

  30. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 30

  31. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 31

  32. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 32

  33. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 33

  34. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 34

  35. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 35

  36. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 36

  37. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 37

  38. Larger ringbuffer? Leader Native Follower 1 Sanitized 38

  39. Larger ringbuffer? Leader Native Follower 1 Sanitized 39

  40. Larger ringbuffer Interactive applications ◮ alias vim =’vx vim vim-asan’ ◮ alias htop =’vx htop htop-asan’ ◮ alias mutt =’vx mutt mutt-asan’ ◮ alias ssh =’vx ssh ssh-asan’ ◮ alias ls =’vx ls ls-asan’ 40

  41. Drop requests Leader Native Follower 1 41 Sanitized

  42. Drop requests Leader ? Native Follower 1 42 Sanitized

  43. Drop requests Leader ✓ ? Native Follower 1 43 Sanitized

  44. Drop requests Leader ? Native Follower 1 44 Sanitized

  45. Drop requests Leader ✗ ? Native Follower 1 45 Sanitized

  46. Experiment Check performance with varying drop rate on simple HTTP server ◮ Single process/thread ◮ gcc -fsanitize=address on follower ◮ BZip2 the response 46

  47. Results 219 # files downloaded in 30 seconds 196 HTTP Server HTTP Server Native HTTP Server Native No Varan Varan 47

  48. Results 219 219 # files downloaded in 30 seconds # files downloaded in 30 seconds 196 196 HTTP Server HTTP Server Native HTTP Server HTTP Server 93 82 Sanitized Native HTTP Server No Varan No Varan Varan Varan Sanitized 48

  49. Results 219 219 216 204 209 201 # files downloaded in 30 seconds # files downloaded in 30 seconds # files downloaded in 30 seconds 196 196 197 HTTP Server HTTP Server 182 141 Native 122 HTTP Server HTTP Server 109 99 93 82 Sanitized Native HTTP Server No Varan No Varan Varan Varan 2.75 13.3 23.7 32.1 38.8 50.3 65.6 82.5 88.3 97.0 Sanitized sanitized requests (%) 49

  50. Multi-version execution for security 50

  51. a or b? 01 int x = 1; 02 03 void f(void) { if (5 % (3 * x) + 2 != 4) 04 05 puts("a"); else 06 07 puts("b"); 08 } 51

  52. a or b? 01 int x = 1; 02 03 void f(void) { if (5 % (3 * x) + 2 != 4) 04 05 puts("a"); else 06 07 puts("b"); 08 } Clang 3.3 says a https://llvm.org/bugs/show_bug.cgi?id=15940 52

  53. sudo 01 htop 02 # command not found: htop 03 04 apt-get install htop 05 # Permission denied, are you root? 06 07 sudo apt-get install htop 08 # Installing... 09 10 htop 11 # running htop... 53

  54. sudo 01 whoami 02 # user 03 04 sudo whoami 05 # root 54

  55. sudo backdoor 01 gcc sudo.c -o sudo-gcc 02 clang sudo.c -o sudo-clang 03 04 ./sudo-gcc whomai 05 # user is not in the sudoers file. 06 # This incident will be reported. 07 08 ./sudo-clang whomai 09 # root 10 11 12 https://github.com/regehr/sudo-1.8.13/tree/ compromise/backdoor-info 55

  56. sudo backdoor 01 gcc sudo.c -o sudo-gcc 02 clang sudo.c -o sudo-clang 03 04 ./sudo-gcc whomai 05 # user is not in the sudoers file. 06 # This incident will be reported. 07 08 ./sudo-clang whomai 09 # root 10 11 vx ./sudo-gcc ./sudo-clang -- whoami 12 # divergence detected, terminating Cristian Cadar and Luís Pina and John Regehr, Multi-Version Execution Defeats a Compiler-Bug-Based Backdoor , http://blog.regehr.org/archives/1282 , 2015 56

  57. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } 57

  58. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y Result 1 2 3 58

  59. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y Result 1 2 3 1000000000 1000000000 2000000000 59

  60. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y Result 1 2 3 1000000000 1000000000 2000000000 2000000000 2000000000 2147483647 60

  61. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y gcc -O0 gcc -O2 1 2 3 3 1000000000 1000000000 2000000000 2000000000 2000000000 2000000000 2147483647 -294967296 61

  62. Multi-version execution for security ◮ Prevents compiler backdoors ◮ Detects exploits based on undefined behavior ◮ Interesting programs: ◮ Sudo ◮ OpenSSH ◮ Password vaults ◮ GnuPG 62

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM Research Dynamic Web Applications p. 1 Outline Characteristics of a Web application. Building on what we have. Whats left to solve.

487 views • 22 slides
Compiler Analyses for Improved Return Value Prediction Christopher J.F . Pickett Clark

Compiler Analyses for Improved Return Value Prediction Christopher J.F . Pickett Clark

Compiler Analyses for Improved Return Value Prediction Christopher J.F . Pickett Clark Verbrugge { cpicke,clump } @sable.mcgill.ca School of Computer Science, McGill University Montr eal, Qu ebec, Canada H3A 2A7 Overview Introduction

759 views • 49 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides
Verified translation validation of static analyses Sandrine Blazy joint work with Gilles Barthe,

Verified translation validation of static analyses Sandrine Blazy joint work with Gilles Barthe,

Verified translation validation of static analyses Sandrine Blazy joint work with Gilles Barthe, Vincent Laporte, David Pichardie and Alix Trieu IFIP WG 1.9/2.15, Leuven, 2017-05-11 1 Background: verifying a compiler Compiler + proof that the

446 views • 19 slides
263-2810: Advanced Compiler Design Compilation with dynamic information Thomas R. Gross Computer

263-2810: Advanced Compiler Design Compilation with dynamic information Thomas R. Gross Computer

263-2810: Advanced Compiler Design Compilation with dynamic information Thomas R. Gross Computer Science Department ETH Zurich, Switzerland Outline Dynamic information: Information obtained at runtime During program execution Why use

1.16k views • 63 slides
Another Dynamic Algorithm: Scoreboard Summary Tomasulo Algorithm Speedup 1.7 from compiler;

Another Dynamic Algorithm: Scoreboard Summary Tomasulo Algorithm Speedup 1.7 from compiler;

Another Dynamic Algorithm: Scoreboard Summary Tomasulo Algorithm Speedup 1.7 from compiler; 2.5 by hand For IBM 360/91 about 3 years after CDC 6600 BUT slow memory (no cache) limits benefit Goal: High Performance without special

303 views • 3 slides
A Dynamic to Static DSL Compiler for Image Processing Applications Compilers for Parallel

A Dynamic to Static DSL Compiler for Image Processing Applications Compilers for Parallel

A Dynamic to Static DSL Compiler for Image Processing Applications Compilers for Parallel Computing 2016 Pierre Guillou, Benot Pin, Fabien Coelho, Franois Irigoin July 8, 2016, Valladolid, Spain MINES ParisTech, PSL Research University,

325 views • 31 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures) Thomas Noll Lehrstuhl f ur Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

384 views • 22 slides
Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures) Thomas Noll Lehrstuhl f ur Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

945 views • 46 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Compiler/Run-Time Framework for Dynamic Data-Flow Parallelization of Tiled Programs Martin Kong 1

Compiler/Run-Time Framework for Dynamic Data-Flow Parallelization of Tiled Programs Martin Kong 1

Compiler/Run-Time Framework for Dynamic Data-Flow Parallelization of Tiled Programs Martin Kong 1 Antoniu Pop 2 R. Govindarajan 3 Louis-Nol Pouchet 1 Albert Cohen 4 P . Sadayappan 1 1 The Ohio State University 2 The University of Manchester 3

200 views • 4 slides
252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2 Admin issues Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1.1

1.27k views • 46 slides
Introduction Demands on and expectations for simulated representations of the natural

Introduction Demands on and expectations for simulated representations of the natural

Geospatial Data Quality for Analytical Command and Control Applications: Preventing the Tanker Tw o-Step Robert Richbourg and George Lukes Institute for Defense Analyses 4850 Mark Center Drive Alexandria, VA rrichbou@ida.org,

513 views • 10 slides
Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan

Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan

Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan Zhang, Mathew Salvaris Microsoft https://github.com/microsoft/deploy-MLmodels-on-iotedge Cloud Analytics Edge Analytics Device/Sensor Analytics

373 views • 34 slides
Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014 Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g.

586 views • 14 slides
Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . .

Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . .

. . Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . . Miguel Couceiro Jointly with D. Dubois, J.-L. Marichal, T. Waldhauser, . . . University of Luxembourg March 2012 Decision making DM Main

1.09k views • 69 slides
Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier

Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier

Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier Intelligent Systems and Machine Learning Group Heinz Nixdorf Institute and Department of Computer Science Paderborn University KI 2019, Wednesday,

496 views • 22 slides
What is DEL good for? Alexandru Baltag Oxford University Copenhagen 2010 ESSLLI 2 DEL is a

What is DEL good for? Alexandru Baltag Oxford University Copenhagen 2010 ESSLLI 2 DEL is a

Copenhagen 2010 ESSLLI 1 What is DEL good for? Alexandru Baltag Oxford University Copenhagen 2010 ESSLLI 2 DEL is a Method, Not a Logic! I take Dynamic Epistemic Logic () to refer to a general type of logical approach to information change ,

751 views • 49 slides
Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and

Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and

Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam L. Thomas , Tom Chothia, Flavio D. Garcia School of Computer Science University of Birmingham Birmingham United Kingdom B15

700 views • 42 slides
HOMSC14 WG-5, Low Level RF, Controls and System Integra@on

HOMSC14 WG-5, Low Level RF, Controls and System Integra@on

HOMSC14 WG-5, Low Level RF, Controls and System Integra@on Brian Chase, Larry DooliEle Familiar block diagram Common to LLRF and Instrumenta@on

628 views • 9 slides
Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction 2. Examples 3. Application: Stackelberg Duopoly 4. [Next Application: Negotiation] 2 Definitions Perfect-Information game is a game in which all

331 views • 11 slides
Complexity of backward induction games Jakub Szymanik October 17, 2012 Outline Introduction

Complexity of backward induction games Jakub Szymanik October 17, 2012 Outline Introduction

Complexity of backward induction games Jakub Szymanik October 17, 2012 Outline Introduction Computational complexity Complexity of a single trial Outlook Only surprising thing about the WikiLeaks revelations is that they contain no

1.21k views • 82 slides

More recommend