Minemu: The world's fastest taint tracker. Attack detection aimed at production environments. (PowerPoint presentation)



SLIDE 1

Minemu
The world's fastest taint tracker

Attack detection aimed at production environments.

Erik Bosman, Asia Slowinska, and Herbert Bos

SLIDE 2

Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221. First exploiter gets a present!

SLIDE 3

Taint tracking: useful, but slow

photo: sammydavisdog@flickr

SLIDE 4

Performance problems

fred_v@flickr

SLIDE 5

Is this slowness fundamental?

  • memory layout
  • use SSE registers to hold taint
  • fast emulator

SLIDE 7

Memory layout (Linux)

[figure: address space split into a USER region and a LINUX region]

SLIDE 8

Memory layout (minemu)

[figure: address space split into USER, TAINT, minemu and inaccessible regions; a write to user address x has its taint at x+const]

SLIDE 13

Addressing shadow memory

mov EAX, (EDX)
  address: EDX
  taint: EDX + const

SLIDE 16

Addressing shadow memory

mov EAX, (EDX+EBX*4)
  address: EDX+EBX*4
  taint: EDX+EBX*4 + const

SLIDE 19

Addressing shadow memory

push ESI
  address: ESP
  taint: ESP + const

SLIDE 22

Is this slowness fundamental?

  • memory layout
  • use SSE registers to hold taint
  • fast emulator

SLIDE 23

Taint propagation in SSE registers

[figure: 128-bit xmm6 holds T(eax) T(ecx) T(edx) T(ebx); xmm7 holds T(esp) T(ebp) T(esi) T(edi); xmm5 is a scratch register]

add EDX, x
  vector insert: T(x) is placed in the scratch register
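
The two mechanisms on the preceding slides (taint for a memory operand found at the operand's own address plus a constant; an add merging the taint of both operands) as one worked model in C. This is example code added for this page, not minemu's source: the 4 KiB user region with its shadow directly behind it, the tt_* function names, the per-register taint words kept in a plain array instead of xmm6/xmm7, and the byte-copy scenario are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: user bytes in [0, USER_SIZE), their taint bytes in
 * [USER_SIZE, 2*USER_SIZE). The shadow of user address x is x + TAINT_OFFSET,
 * so any addressing mode reaches its taint by adding one constant. */
#define USER_SIZE    4096u
#define TAINT_OFFSET USER_SIZE          /* assumption: shadow directly follows user memory */
static uint8_t mem[2 * USER_SIZE];

/* The eight general-purpose registers and their taint (one taint byte per data
 * byte, packed into 32 bits; minemu keeps these words in xmm6 and xmm7). */
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS };
static uint32_t reg[NREGS];
static uint32_t taint[NREGS];

static uint32_t ld32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void st32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

void tt_reset(void) {
    memset(mem, 0, sizeof mem);
    memset(reg, 0, sizeof reg);
    memset(taint, 0, sizeof taint);
    reg[ESP] = USER_SIZE - 16;          /* stack top, constructed */
}
/* Taint source: mark bytes that arrived over an untrusted channel. */
void tt_taint_bytes(uint32_t a, uint32_t len) { memset(mem + a + TAINT_OFFSET, 0xff, len); }
/* mov REG, (a): value from a, taint from a + TAINT_OFFSET (same addressing mode). */
void tt_load(int dst, uint32_t a) { reg[dst] = ld32(a); taint[dst] = ld32(a + TAINT_OFFSET); }
/* mov (a), REG */
void tt_store(uint32_t a, int src) { st32(a, reg[src]); st32(a + TAINT_OFFSET, taint[src]); }
/* add REG, (a): the result carries the OR of both operands' taint. */
void tt_add_mem(int dst, uint32_t a) { reg[dst] += ld32(a); taint[dst] |= ld32(a + TAINT_OFFSET); }
/* push/pop: operand at ESP, taint at ESP + TAINT_OFFSET. */
void tt_push(int src) { reg[ESP] -= 4; tt_store(reg[ESP], src); }
void tt_pop(int dst) { tt_load(dst, reg[ESP]); reg[ESP] += 4; }
/* Number of tainted bytes in a register's 4-byte taint word. */
int tt_tainted_bytes(int r) {
    int n = 0;
    for (int i = 0; i < 4; i++) if ((taint[r] >> (8 * i)) & 0xff) n++;
    return n;
}
/* Sink: an indirect control transfer through a tainted register is flagged. */
int tt_check_jump(int r) { return taint[r] != 0; }

/* Byte-granular propagation through add: only the two tainted input bytes
 * of the memory operand show up as tainted in EDX. Returns that byte count. */
int scenario_add_taint(int input_tainted) {
    tt_reset();
    st32(0x200, 7);                     /* constructed operand in user memory */
    if (input_tainted) tt_taint_bytes(0x200, 2);
    reg[EDX] = 5;
    tt_add_mem(EDX, 0x200);
    return tt_tainted_bytes(EDX);       /* 2 if tainted, 0 otherwise */
}

/* A function pushes a clean return address, then copies len bytes of
 * untrusted input into an 8-byte stack buffer below it without a bounds
 * check. Returns 1 if the tracker flags the return, 0 if it is clean.
 * len is capped at 12 so the model stays inside its constructed stack. */
int scenario_return_after_copy(uint32_t len) {
    if (len > 12) len = 12;
    tt_reset();
    const uint32_t input = 0x100;       /* constructed: where received data sits */
    for (uint32_t i = 0; i < len; i++) mem[input + i] = 0x41;
    tt_taint_bytes(input, len);

    reg[EAX] = 0x0800;                  /* constructed legitimate return address, untainted */
    tt_push(EAX);                       /* saved return address */
    reg[ESP] -= 8;                      /* 8-byte local buffer just below it */
    uint32_t buf = reg[ESP];
    for (uint32_t i = 0; i < len; i++) {          /* byte-wise copy: data and taint move together */
        mem[buf + i] = mem[input + i];
        mem[buf + TAINT_OFFSET + i] = mem[input + TAINT_OFFSET + i];
    }
    reg[ESP] += 8;                      /* epilogue releases the buffer */
    tt_pop(EDX);                        /* "ret" modelled as pop + indirect jump */
    return tt_check_jump(EDX);          /* 0 for len <= 8, 1 once the saved address is touched */
}

int main(void) {
    printf("add with 2 tainted input bytes -> %d tainted result bytes\n", scenario_add_taint(1));
    printf("copy of 4 bytes into 8-byte buffer: alert=%d\n", scenario_return_after_copy(4));
    printf("copy of 12 bytes into 8-byte buffer: alert=%d\n", scenario_return_after_copy(12));
    return 0;
}
```

The point to take from the model: the tracker never consults a lookup table, it re-uses the instruction's own addressing mode with one extra constant, and the detection fires on the sink (a control transfer through tainted data) rather than on the overflow itself, which is why a partial overwrite of the saved address (len = 9) is caught just as a full one is.
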

SLIDE 28

Is this slowness fundamental?

  • memory layout
  • use SSE registers to hold taint
  • fast emulator

SLIDE 29

Emulator

  • translates large code chunks
  • keeps register state the same
  • aggressive caching

SLIDE 30

Effectiveness

Application         Type of vulnerability   Security advisory
Snort 2.4.0         Stack overflow          CVE-2005-3252
Cyrus imapd 2.3.2   Stack overflow          CVE-2006-2502
Samba 3.0.22        Heap overflow           CVE-2007-2446
Nginx 0.6.32        Buffer underrun         CVE-2009-2629
Memcached 1.1.12    Heap overflow           CVE-2009-2415
Proftpd 1.3.3a      Stack overflow          CVE-2010-4221
Samba 3.2.5         Heap overflow           CVE-2010-2063
Ncompress 4.2.4     Stack overflow          CVE-2001-1413
Iwconfig V.26       Stack overflow          CVE-2003-0947
Aspell 0.50.5       Stack overflow          CVE-2004-0548
Htget 0.93          Stack overflow          CVE-2004-0852
Socat 1.4           Format string           CVE-2004-1484
Aeon 0.2a           Stack overflow          CVE-2005-1019
Exim 4.41           Stack overflow          EDB-ID#796
Htget 0.93          Stack overflow
Tipxd 1.1.1         Format string           OSVDB-ID#12346

SLIDE 31

Performance

[chart: HTTP, HTTPS]

SLIDE 32

Performance

[chart: slowdown factor (axis 1 to 3) for gzip, OpenSSH (scp+sshd), PostgreSQL (pgbench), MediaWiki (HTTPS)]

[chart: SPECINT 2006 slowdown factor (axis 1 to 5) for 400.perlbench, 401.bzip2, 403.gcc, 429.mcf, 445.gobmk, 456.hmmer, 458.sjeng, 462.libquantum, 464.h264ref, 471.omnetpp, 473.astar, 483.xalancbmk]

2.4x overall

SLIDE 33

Minemu is available now

  • website runs on minemu
  • source code is available
  • Apache 2.0 licenced

SLIDE 34

Minemu
The world's fastest taint tracker (until the next conference?)

https://minemu.org/

SLIDE 36

Demo

SLIDE 38

Threads

  • duplicate cache structures
  • keep cache base address in SSE
  • code-deletion corner case

SLIDE 39

Memory layout (64 bit)

[figure: address space with alternating TAINT and USER regions]
