minemu
play

Minemu The world's fastest taint tracker Attack detection aimed at - PowerPoint PPT Presentation

Apr 22, 2023 •260 likes •669 views

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present!

  1. Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos

  2. Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present! 2

  3. T aint tracking: useful, but slow photo: sammydavisdog@flickr 3

  4. Performance problems fred_v@flickr 4

  5. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 5

  6. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 5

  7. Memory layout LINUX USER 6

  8. Memory layout (minemu) USER inaccessible minemu TAINT 7

  9. Memory layout (minemu) write to x USER inaccessible minemu TAINT 7

  10. Memory layout (minemu) write to x USER inaccessible minemu TAINT x+const 7

  11. Memory layout (minemu) USER inaccessible minemu TAINT 7

  12. Memory layout (minemu) USER inaccessible minemu TAINT 7

  13. Addressing shadow memory mov EAX, (EDX) 8

  14. Addressing shadow memory mov EAX, (EDX) address: EDX 8

  15. Addressing shadow memory mov EAX, (EDX) address: EDX taint: EDX+ const 8

  16. Addressing shadow memory mov EAX, (EDX+EBX*4) 9

  17. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 9

  18. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 taint: EDX+EBX*4+ const 9

  19. Addressing shadow memory push ESI 10

  20. Addressing shadow memory push ESI address: ESP 10

  21. Addressing shadow memory push ESI address: ESP taint: ESP+ const 10

  22. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 11

  23. T aint propagation in SSE registers xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit 12

  24. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit 12

  25. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 12

  26. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) vector insert 12

  27. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) or 12

  28. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 13

  29. Emulator - translates large code chunks - keeps register state the same - aggressive caching 14

  30. Effectiveness Application Type of vulnerability Security advisory Snort 2.4.0 Stack overflow CVE-2005-3252 Cyrus imapd 2.3.2 Stack overflow CVE-2006-2502 Samba 3.0.22 Heap overflow CVE-2007-2446 Nginx 0.6.32 Buffer underrun CVE-2009-2629 Memcached 1.1.12 Heap overflow CVE-2009-2415 Proftpd 1.3.3a Stack overflow CVE-2010-4221 Samba 3.2.5 Heap overflow CVE-2010-2063 Ncompress 4.2.4 Stack overflow CVE-2001-1413 Iwconfig V.26 Stack overflow CVE-2003-0947 Aspell 0.50.5 Stack overflow CVE-2004-0548 Htget 0.93 Stack overflow CVE-2004-0852 Socat 1.4 Format string CVE-2004-1484 Aeon 0.2a Stack overflow CVE-2005-1019 Exim 4.41 Stack overflow EDB-ID#796 Htget 0.93 Stack overflow Tipxd 1.1.1 Format string OSVDB-ID#12346 15

  31. Performance HTTP HTTPS 16

  32. Performance SPECINT 2006 2.4x overall 5 4 3 2 1 0 400.perlbench 401.bzip2 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp 473.astar 483.xalancbmk overall 3 2 1 0 gzip OpenSSH PostgreSQL MediaWiki (scp+sshd) (pgbench) (HTTPS) 17

  33. Minemu is available now website runs on minemu source code is available Apache 2.0 licenced 18

  34. Minemu https://minemu.org/ The world's fastest taint tracker 19

  35. Minemu https://minemu.org/ The world's fastest taint tracker (until the next conference?) 19

  36. Demo 20

  38. Threads - duplicate cache structures - keep cache base address in SSE - code-deletion corner case 21

  39. Memory layout (64 bit) USER TAINT USER USER TAINT TAINT USER TAINT 22

  40. Memory layout (minemu) USER inaccessible minemu TAINT 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman <erik@minemu.org> Programming Languages type-safe vs. not type-safe Programming Languages type-safe vs. not type-safe Java Python Ruby Javascript

1.22k views • 111 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Containers At Scale At Google, the Google Cloud Platform and Beyond Joe Beda jbeda@google.com

Containers At Scale At Google, the Google Cloud Platform and Beyond Joe Beda jbeda@google.com

Containers At Scale At Google, the Google Cloud Platform and Beyond Joe Beda jbeda@google.com @jbeda google.com/+JoeBeda Senior Staff Software Engineer, Google Cloud Platform GlueCon - May 22, 2014 Google and Containers Everything

574 views • 18 slides
Towards Characterizing Cities with Social Media Images Daniela Opitz Universidad del Desarrollo

Towards Characterizing Cities with Social Media Images Daniela Opitz Universidad del Desarrollo

Towards Characterizing Cities with Social Media Images Daniela Opitz Universidad del Desarrollo Eduardo Graells-Garrido Barcelona Supercomputing Center Universidad del Desarrollo Ignacio Prez-Messina Universidad del Desarrollo I(mages)

397 views • 20 slides
Event Recognition by Learning Amir Habibian Qualcomm Research, Amsterdam 27 Feb 2017 1 What is

Event Recognition by Learning Amir Habibian Qualcomm Research, Amsterdam 27 Feb 2017 1 What is

Event Recognition by Learning Amir Habibian Qualcomm Research, Amsterdam 27 Feb 2017 1 What is an event? Interaction of people and objects under a certain scene Event Object People Examples Actio Scene n Personal events: marriage

636 views • 44 slides
Southeast Community College Operationalize 2 year public institution Resources

Southeast Community College Operationalize 2 year public institution Resources

4/20/2012 Creating a Dynamic Professional Development Conference within Your Institution Dennis Headrick PhD, VP of Instruction Carolyn Butler MS, Coordinator, Professional Development Southeast Community College Lincoln, Nebraska

313 views • 5 slides
q f al y't ni XI IE EI Hn Gi ai x ex p E fo Uj f l t't y't X l T f n y e X n t Y e l

q f al y't ni XI IE EI Hn Gi ai x ex p E fo Uj f l t't y't X l T f n y e X n t Y e l

Fields Random CRE Conditional Learning Eet feature X y f function for feature K PG xlw E wnfnlyt.lt X exp PCylx.io Eg Phi Hw Eyexp wnfnlyI 4I xt Box E PCynlxn.io LL w n z IEI.IE wnfnl4tih i.Xt 2 log xn EE tfnGiiii ua xi 7 2

298 views • 4 slides
7 th International Confluence Competition Takahito Aoto Makoto Hamana Nao Hirokawa Aart

7 th International Confluence Competition Takahito Aoto Makoto Hamana Nao Hirokawa Aart

7 th International Confluence Competition Takahito Aoto Makoto Hamana Nao Hirokawa Aart Middeldorp Julian Nagele Naoki Nishida Kiraku Shintani Harald Zankl CoCo 2018 tools try to show confluence and related properties of rewrite systems

296 views • 12 slides
SUSY@ILC Abdelhak DJOUADI (LPT Orsay/Next Southampton) 1. Probing SUSY 2. Precision SUSY

SUSY@ILC Abdelhak DJOUADI (LPT Orsay/Next Southampton) 1. Probing SUSY 2. Precision SUSY

SUSY@ILC Abdelhak DJOUADI (LPT Orsay/Next Southampton) 1. Probing SUSY 2. Precision SUSY measurements at the ILC 3. Determining the SUSY Lagrangian 4. Summary From the physics chapter of the ILC Reference Design Report: Physics at the

444 views • 23 slides
Mark 10:32-45 32 And they were on the road, going up to Jerusalem, and Jesus was walking

Mark 10:32-45 32 And they were on the road, going up to Jerusalem, and Jesus was walking

Mark 10:32-45 32 And they were on the road, going up to Jerusalem, and Jesus was walking ahead of them. And they were amazed, and those who followed were afraid. And taking the twelve again, he began to tell them what was to happen to him,

755 views • 43 slides
Pad approach to pseudoscalar poles in HLbL based on P. Masjuan, PS: Phys.Rev. D95 (2017) Pablo

Pad approach to pseudoscalar poles in HLbL based on P. Masjuan, PS: Phys.Rev. D95 (2017) Pablo

Pad approach to pseudoscalar poles in HLbL based on P. Masjuan, PS: Phys.Rev. D95 (2017) Pablo Sanchez-Puertas, Charles University Prague sanchezp@ipnp.troja.mff.cuni.cz Pad approach to pseudoscalar poles in HLbL Outline 1. A (very)

1.08k views • 61 slides
! Generalized Bisimulation Metrics ! Catuscia Palamidessi ! Based on joint work with: ! Kostas

! Generalized Bisimulation Metrics ! Catuscia Palamidessi ! Based on joint work with: ! Kostas

! ! Generalized Bisimulation Metrics ! Catuscia Palamidessi ! Based on joint work with: ! Kostas Chatzikokolakis, Daniel Gebler, Lili Xu 1 Plan of the talk Motivations ! Desiderata in a notion of pseudo-metric ! Kantorovich

817 views • 34 slides
language aesthetics Sam Aaron "The aesthetic is at once, as I try to show, the very secret

language aesthetics Sam Aaron "The aesthetic is at once, as I try to show, the very secret

language aesthetics Sam Aaron "The aesthetic is at once, as I try to show, the very secret prototype of human subjectivity in early capitalist society, and a vision of human energies as radical ends in themselves which is the implacable

996 views • 63 slides
Quasiconformal extentions via the chordal Loewner equation P avel G umenyuk U niversit ` a degli

Quasiconformal extentions via the chordal Loewner equation P avel G umenyuk U niversit ` a degli

P rogressi R ecenti in G eometria R eale e C omplessa IX Quasiconformal extentions via the chordal Loewner equation P avel G umenyuk U niversit ` a degli studi di R oma T or V ergata Joint work with Ikkei HOTTA Tokyo Institute of

524 views • 23 slides
NO SURP RPRISE RISES! S! BIG PICTURE! CTURE! A. Disciples Prepared! Luke 18:31a Luke 18:31-34

NO SURP RPRISE RISES! S! BIG PICTURE! CTURE! A. Disciples Prepared! Luke 18:31a Luke 18:31-34

6/10/2019 NO SURP RPRISE RISES! S! BIG PICTURE! CTURE! A. Disciples Prepared! Luke 18:31a Luke 18:31-34 (NIV) 31 Jesus took the Twelve aside and told them, "We are Jesus clearly tells them what is going up to Jerusalem, and

419 views • 4 slides
The DFG JIT, Inside & Out JavaScriptCores Optimizing Compiler JSConf.EU 2012 Andy Wingo

The DFG JIT, Inside & Out JavaScriptCores Optimizing Compiler JSConf.EU 2012 Andy Wingo

The DFG JIT, Inside & Out JavaScriptCores Optimizing Compiler JSConf.EU 2012 Andy Wingo wingo@igalia.com Compiler hacker at Igalia Contract work on language implementations V8, JavaScriptCore Schemer Hubris Now that

702 views • 30 slides
Rebuilding After Disaster Strikes: Strategies That Work September 25, 2018 Rebuilding after

Rebuilding After Disaster Strikes: Strategies That Work September 25, 2018 Rebuilding after

Rebuilding After Disaster Strikes: Strategies That Work September 25, 2018 Rebuilding after Disaster Strikes Jeff Pomeranz, City Manager, Cedar Rapids, IA 2008 Flood Strikes Cedar Rapids $5.4 billion in community-wide damage

657 views • 28 slides
American Cyanamid Superfund Site Joe Battipaglia, Region 2 RPM Climate Change Adaptation Webinar

American Cyanamid Superfund Site Joe Battipaglia, Region 2 RPM Climate Change Adaptation Webinar

American Cyanamid Superfund Site Joe Battipaglia, Region 2 RPM Climate Change Adaptation Webinar 4/1/2015 cluin.org Site Location & Background Located in Bridgewater Twp. in Central Northern NJ Pfizer acquired the property from

507 views • 24 slides
Ventura River Ventura River Multi- -Species HCP Species HCP Multi Presentation to: Ventura

Ventura River Ventura River Multi- -Species HCP Species HCP Multi Presentation to: Ventura

Ventura River Ventura River Multi- -Species HCP Species HCP Multi Presentation to: Ventura River Watershed Council Presentation to: Ventura River Watershed Council Laura Riege Riege, , Entrix Entrix, Inc. , Inc. Laura March 13, 2007

713 views • 21 slides
CSCI 3136 Principles of Programming Languages Syntactic Analysis and Context-Free Grammars - 4

CSCI 3136 Principles of Programming Languages Syntactic Analysis and Context-Free Grammars - 4

CSCI 3136 Principles of Programming Languages Syntactic Analysis and Context-Free Grammars - 4 Summer 2013 Faculty of Computer Science Dalhousie University 1 / 125 FOLLOW( X ) Definition 2 / 125 FOLLOW( X ) Definition For any A V we

1.76k views • 125 slides
Overview of the Celebrity Profiling Task at PAN 2020 Lil Wayne WEEZY F LeFloid Kendall Neymar

Overview of the Celebrity Profiling Task at PAN 2020 Lil Wayne WEEZY F LeFloid Kendall Neymar

Overview of the Celebrity Profiling Task at PAN 2020 Lil Wayne WEEZY F LeFloid Kendall Neymar Jr @ LilTunechi @ LeFloid @ KendallJenner @ nejmarjr Matti Wiegmann , Benno Stein, Martin Potthast Bauhaus-Universitt Weimar webis.de Celebrity

518 views • 29 slides
Joseph Gonzalez Joint work with: Yucheng Haijie Danny Carlos Low Gu Bickson Guestrin

Joseph Gonzalez Joint work with: Yucheng Haijie Danny Carlos Low Gu Bickson Guestrin

Distributed Graph-Parallel Computation on Natural Graphs Joseph Gonzalez Joint work with: Yucheng Haijie Danny Carlos Low Gu Bickson Guestrin Graphs are ubiquitous.. 2 Social Media Science Advertising Web Graphs encode

780 views • 58 slides
Tao: Facebook's Distributed Data Store For The Social Graph Bronson et. al., ATC 2013 Joy

Tao: Facebook's Distributed Data Store For The Social Graph Bronson et. al., ATC 2013 Joy

Tao: Facebook's Distributed Data Store For The Social Graph Bronson et. al., ATC 2013 Joy Arulraj CMU 15-799 : Paper Presentation Talk Overview Graph-aware cache backed by a database Efficiency vs. consistency Motivation Memcached

778 views • 24 slides
Election in Trees and Rings T-79.4001 Seminar on Theoretical Computer Science Ilari Nieminen

Election in Trees and Rings T-79.4001 Seminar on Theoretical Computer Science Ilari Nieminen

Leader Election Election in Trees Election in Rings Election in Trees and Rings T-79.4001 Seminar on Theoretical Computer Science Ilari Nieminen 21.02.2007 Ilari Nieminen Election in Trees and Rings Leader Election Election in Trees

655 views • 30 slides

More recommend