malicious bytecode
play

Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop - PowerPoint PPT Presentation

Mar 24, 2024 •19 likes •369 views

Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

  1. Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011

  2. A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox

  3. A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox Sandbox Blacklist os.* io.* debug.* package.loadlib package.loaders[3] package.loaders[4]

  4. A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox Sandbox Whitelist string.gsub table.sort

  5. A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox Sandbox Whitelist string.gsub  Arbitrary native code table.sort execution* * At least for Lua 5.1.4 on x86 Windows (even with DEP and ASLR)

  6. Bytecode Source code Bytecode Virtual machine print “ Lua ” GETGLOBAL r0, print load call LOADK r1, “ Lua ” CALL r0, 1, 0

  7. Bytecode Source code Bytecode Virtual machine print “ Lua ” GETGLOBAL r0, print load call LOADK r1, “ Lua ” CALL r0, 1, 0 dump Serialised bytecode \27Lua\x51\0\1\4\4\4\8\0\7\0\0\0\61stdin \0\1\0\0\0\1\0\0\0\0\0\0\2\4\0\0\0\5\0\0 \0\65\64\0\0\28\64\00\1\30\0\128\0\2\0\0 \0\4\6\0\0\0print\0\4\4\0\0\0Lua\0\0\0\0 \0\4\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0

  8. Logical TValue

  9. Physical TValue

  10. C API abusing a TValue void lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[ – 1] = *luaH_get(hvalue(t), L->top - 1); }

  11. C API abusing a TValue void lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[ – 1] = *luaH_get(hvalue(t), L->top - 1); } int table.sort(lua_State* L) { luaL_checktype(L, 1, LUA_TTABLE); /* ... */ lua_rawget(L, 1); /* ... */ }

  12. C API abusing a TValue void lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[ – 1] = *luaH_get(hvalue(t), L->top - 1); } int table.sort(lua_State* L) { luaL_checktype(L, 1, LUA_TTABLE); /* ... call comparison function ... */ lua_rawget(L, 1); /* ... call comparison function ... */ }

  13. Virtual Machine abusing a TValue for x = init, GETGLOBAL init limit, GETGLOBAL limit step GETGLOBAL step do FORPREP print(x) GETGLOBAL print MOVE x CALL end FORLOOP

  14. Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end)

  15. Function Calls local t = {“go”, “a”} {“go”, “a”} r0 table.sort r1 table.sort(t, {“go”, “a”} r2 function(lhs, rhs) function r3 return #lhs < #rhs r4 end) r5 r6 r7 r8 r9

  16. Function Calls local t = {“go”, “a”} {“go”, “a”} table.sort table.sort(t, {“go”, “a”} 1 function(lhs, rhs) function 2 return #lhs < #rhs end)

  17. Function Calls local t = {“go”, “a”} {“go”, “a”} table.sort table.sort(t, {“go”, “a”} 1 function(lhs, rhs) function 2 return #lhs < #rhs “go” -5 end) “a” -4 function -3 “a” -2 “go” -1

  18. Function Calls local t = {“go”, “a”} {“go”, “a”} table.sort table.sort(t, {“go”, “a”} function(lhs, rhs) function return #lhs < #rhs “go” end) “a” function “a” r0 “go” r1 r2

  19. Function Calls local t = {“go”, “a”} {“go”, “a”} table.sort table.sort(t, {“go”, “a”} function(lhs, rhs) function return #lhs < #rhs “go” end) “a” function “a” r0 “go” r1 false r2

  20. Function Calls local t = {“go”, “a”} {“go”, “a”} table.sort table.sort(t, {“go”, “a”} 1 function(lhs, rhs) function 2 return #lhs < #rhs “go” -3 end) “a” -2 false -1 “a” “go” false

  21. Function Calls local t = {“go”, “a”} {“a”, “go”} table.sort table.sort(t, {“a”, “go”} 1 function(lhs, rhs) function 2 return #lhs < #rhs “go” end) “a” false “a” “go” false

  22. Function Calls local t = {“go”, “a”} {“a”, “go”} r0 table.sort r1 table.sort(t, {“a”, “go”} r2 function(lhs, rhs) function r3 return #lhs < #rhs “go” r4 end) “a” r5 false r6 “a” r7 “go” r8 false r9

  23. Upvalues local x = 10 10 upvalue #0 (function) GETUPVAL local count = ADD function() SETUPVAL GETUPVAL x = x + 1 RETURN return x end

  24. Upvalues \27Lua\x51 10 upvalue #0 (function) GETUPVAL ... ADD (malicious SETUPVAL GETUPVAL bytecode RETURN here) ...

  25. Malicious Bytecode Catalogue • Violating type assumptions in the VM – FORLOOP – SETLIST in 5.2 • Emulating debug.[gs]etlocal – Reading leftover locals – Promiscuous upvalues • Violating type assumptions in the C API – lua_(next|raw[gs]eti?) – lua_[gs]etuservalue in 5.2

  26. Mitigation Catalogue • Don’t load bytecode – First byte decimal 27 – load(ld, source, "t" [, env]) in 5.2 • Compile with LUA_USE_APICHECK (*) • Static analysis and verification of bytecode (*) Makes exploitation harder, doesn’t prevent information leakage attacks, may not save you.

  27. Static Analysis, Blunt Approach • Violating type assumptions in the VM – For each stack slot, at each VM instruction, determine a set of possible types • Emulating debug.[gs]etlocal – Ensure stack slots are safely readable – For each stack slot, at each VM instruction, determine if it could be an upvalue – Segregating calls from upvalues

  28. Static Type Analysis function example(x) .parameter r0 if x then TEST r0; JMP $+2 x = 3.14 LOADK r0, k0 else JMP $+1 x = “pi” LOADK r0, k1 end return x RETURN r0 end

  29. Static Type Analysis function example(x) TEST r0 if x then x = 3.14 LOADK r0 3.14 else LOADK r0 “pi” x = “pi” end return x RETURN r0 end

  30. Static Type Analysis * function example(x) TEST r0 if x then x = 3.14 LOADK r0 3.14 num else LOADK r0 “pi” x = “pi” str end {num, str} return x RETURN r0 end

  31. Static Analysis Prerequisites • Decode and understand each instruction • Ensure control flow doesn’t leave • Valid (register|constant |…) indices • Verify some VM assumptions, like: – TEST instructions are followed by a JMP – Boolean constants are either 0 or 1 • Instructions which produce or consume a variable number of values must come in pairs

  32. Static Analysis, Subtle Approach • Violating type assumptions in the VM – Protect loop control variables – Perform runtime table type checks • Emulating debug.[gs]etlocal – At each VM instruction, split the stack into locals / temporary / unused Upvalues Calls Unreadable

  33. Static Analysis, Subtle Approach • Debug information embedded within bytecode – Gives size of the local region at each instruction – Specifies which locals are loop control variables • The temporary region always grows into the next available unused stack slot • The local region always grows to absorb a temporary • Backward jumps are to locations with no temporaries • Forward jumps merge to the smallest of the temporary ranges

  34. “Practical” Static Analysis require "lbcv" lbcv.verify(ld) lbcv.load(ld [, source [, mode]])

  35. Questions? Peter Cawley <lua@corsix.org> Lua Workshop 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Specification language and WP calculus for Java Bytecode. joint work in progress Mariela

Specification language and WP calculus for Java Bytecode. joint work in progress Mariela

Specification language and WP calculus for Java Bytecode. joint work in progress Mariela Pavlova, Lilian Burdy INRIA Sophia-Antipolis spopS p. 1 Motivation Proof Carrying ByteCode Proof obligations. What is the language in which

443 views • 31 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Decompiling Boolean Expressions from Java TM Bytecode Mangala Gowri Nanda (IBM-IRL) and S.

Decompiling Boolean Expressions from Java TM Bytecode Mangala Gowri Nanda (IBM-IRL) and S.

Decompiling Boolean Expressions from JavaTM Bytecode Decompiling Boolean Expressions from Java TM Bytecode Mangala Gowri Nanda (IBM-IRL) and S. Arun-Kumar (IIT Delhi) Decompiling Boolean Expressions from JavaTM Bytecode Introduction The

570 views • 37 slides
Link-Time Enforcement of Confined Types for JVM Bytecode Philip W. L. Fong pwlfong@cs.uregina.ca

Link-Time Enforcement of Confined Types for JVM Bytecode Philip W. L. Fong pwlfong@cs.uregina.ca

Link-Time Enforcement of Confined Types for JVM Bytecode Philip W. L. Fong pwlfong@cs.uregina.ca Department of Computer Science University of Regina Regina, Saskatchewan, Canada Overview Motivation Confined Types A Bytecode-level

348 views • 34 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views • 69 slides
Compiling Techniques Lecture 10: Introduction to Java ByteCode Christophe Dubach 10 November

Compiling Techniques Lecture 10: Introduction to Java ByteCode Christophe Dubach 10 November

Introduction Java ByteCode Details Compiling Techniques Lecture 10: Introduction to Java ByteCode Christophe Dubach 10 November 2015 Christophe Dubach Compiling Techniques Introduction Java ByteCode Details Coursework: Block and

570 views • 23 slides
Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna Agenda Background Previous work Information leakage by malicious insider Our Research How to prevent 2 Insider

335 views • 30 slides
A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

Stephan Chenette Principal Security Researcher Websense Labs FIRESHARK A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web Communities Malicious Web Communities Mass Injection Analysis Redirection

1.49k views • 99 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript engine 137 CVEs in 2015

883 views • 62 slides
5. Symbol Table 5.1 Overview 5.2 Objects 5.3 Scopes 5.4 Types 5.5 Universe 1

5. Symbol Table 5.1 Overview 5.2 Objects 5.3 Scopes 5.4 Types 5.5 Universe 1

5. Symbol Table 5.1 Overview 5.2 Objects 5.3 Scopes 5.4 Types 5.5 Universe 1 Responsibilities of the Symbol Table 1. It maintains all declared names and their properties type value (for named constants) address (for variables,

675 views • 40 slides
FINDINGS Central Oregon Intergovernmental Council December 201 9 1 INTER VIEW S 9 leaders

FINDINGS Central Oregon Intergovernmental Council December 201 9 1 INTER VIEW S 9 leaders

12/12/2019 HOUSING FOR ALL INTERVIEW FINDINGS Central Oregon Intergovernmental Council December 201 9 1 INTER VIEW S 9 leaders from different sectors T om Anderson,DeschutesC ountyAdministrator JessicaBiel,PinnacleArchitecture

498 views • 13 slides
Subroutines Parameters Passing Parameter Passing p. 1/7 Methods of Passing Parameters In

Subroutines Parameters Passing Parameter Passing p. 1/7 Methods of Passing Parameters In

Systems Architecture Subroutines Parameters Passing Parameter Passing p. 1/7 Methods of Passing Parameters In Registers Must document registers used Limited number of registers Uses fast on-chip registers Dictates register usage

462 views • 14 slides
Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control Zachary Kincaid Azadeh Farzan University of Toronto January 18, 2013 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18,

751 views • 54 slides
Intergovernmental Fiscal Relations in the US Sally Wallace, Dean AYSPS and University of Pretoria

Intergovernmental Fiscal Relations in the US Sally Wallace, Dean AYSPS and University of Pretoria

Intergovernmental Fiscal Relations in the US Sally Wallace, Dean AYSPS and University of Pretoria Scope of government in the US Federal republic 50 States plus the District of Columbia 89,004 local governments 3,031 counties

260 views • 9 slides
Distributed Systems What can we do now that we could not do before? Introduction Paul

Distributed Systems What can we do now that we could not do before? Introduction Paul

Distributed Systems What can we do now that we could not do before? Introduction Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License.

218 views • 9 slides
Distributed Query Processing Advanced Topics in Database Management (INFSCI 2711) Some materials

Distributed Query Processing Advanced Topics in Database Management (INFSCI 2711) Some materials

Distributed Query Processing Advanced Topics in Database Management (INFSCI 2711) Some materials are from Database System Concepts, Siberschatz, Korth and Sudarshan Vladimir Zadorozhny, DINS, University of Pittsburgh 1 1 Banking Example

277 views • 25 slides
BlazeDS by John Mason mason@fusionlink.com Flex Meetup - we meet once a month - all

BlazeDS by John Mason mason@fusionlink.com Flex Meetup - we meet once a month - all

BlazeDS by John Mason mason@fusionlink.com Flex Meetup - we meet once a month - all meetings are held over Adobe Connect sessions - all meetings will be recorded and posted to Charlie Arehart's UGTV - www.carehart.org/ugtv Next

400 views • 18 slides

More recommend