minemu protecting buggy binaries from memory corruption
play

Minemu: Protecting buggy binaries from memory corruption attacks - PowerPoint PPT Presentation

Jan 29, 2023 •101 likes •1.22k views

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman <erik@minemu.org> Programming Languages type-safe vs. not type-safe Programming Languages type-safe vs. not type-safe Java Python Ruby Javascript

  1. Taint tracking (1/2): - remember whether data is trusted or not - untrusted data is 'tainted' - when data is copied, its taint is copied along - taint is ORed for arithmetic operations

  2. Taint tracking (2/2): When the code jumps to an address in memory, the source of this address is checked for taint. eg.: - RET - CALL *%eax - JMP *0x1c(%ebx)

  4. T aint tracking photo: sammydavisdog@ fl ickr useful, but slow as hell

  5. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  6. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  7. Emulator compile jit code

  8. Emulator run jit code compile jit code

  9. Emulator indirect jump run jit code find jump compile jit code address

  10. Emulator indirect jump lookup miss run jit code find jump compile jit code address

  11. Dynamic instrumentation t_eax = t_eax | t_ecx eax = eax + ecx eax = eax + ebx original code jit code

  12. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  13. Linux stack User heap/libs executable

  14. Memory layout (linux) linux kernel USER

  15. Memory layout (minemu) linux USER kernel minemu TAINT

  16. Memory layout (minemu) linux USER kernel minemu TAINT

  17. Memory layout (minemu) linux write to x USER kernel minemu TAINT

  18. Memory layout (minemu) linux write to x USER kernel minemu TAINT x+const

  19. Memory layout (minemu) taint data to linux user USER memory kernel minemu user TAINT data to taint memory

  20. Memory layout (minemu) taint data to linux user USER memory kernel minemu user TAINT data to taint memory

  21. Addressing shadow memory mov EAX, (EDX)

  22. Addressing shadow memory mov EAX, (EDX) address: EDX

  23. Addressing shadow memory mov EAX, (EDX) address: EDX taint: EDX+ const

  24. Addressing shadow memory mov EAX, (EDX+EBX*4)

  25. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4

  26. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 taint: EDX+EBX*4+ const

  27. Addressing shadow memory push ESI

  28. Addressing shadow memory push ESI address: ESP

  29. Addressing shadow memory push ESI address: ESP taint: ESP+ const

  30. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  31. T aint propagation in SSE registers xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit

  32. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit

  33. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi)

  34. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) vector insert

  35. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) or

  36. E ff ectiveness Application Type of vulnerability Security advisory Snort 2.4.0 Stack over fl ow CVE-2005-3252 Cyrus imapd 2.3.2 Stack over fl ow CVE-2006-2502 Samba 3.0.22 Heap over fl ow CVE-2007-2446 Memcached 1.1.12 Heap over fl ow CVE-2009-2415 Nginx 0.6.32 Buffer underrun CVE-2009-2629 Proftpd 1.3.3a Stack over fl ow CVE-2010-4221 Samba 3.2.5 Heap over fl ow CVE-2010-2063 Telnetd 1.6 Heap over fl ow CVE-2011-4862 Ncompress 4.2.4 Stack over fl ow CVE-2001-1413 Iwcon fi g V.26 Stack over fl ow CVE-2003-0947 Aspell 0.50.5 Stack over fl ow CVE-2004-0548 Htget 0.93 Stack over fl ow CVE-2004-0852 Socat 1.4 Format string CVE-2004-1484 Aeon 0.2a Stack over fl ow CVE-2005-1019 Exim 4.41 Stack over fl ow EDB-ID#796 Htget 0.93 Stack over fl ow Tipxd 1.1.1 Format string OSVDB-ID#12346

  37. Performance HTTP HTTPS

  38. Performance SPECINT 2006 2.4x overall 5 4 3 2 1 0 400.perlbench 401.bzip2 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp 473.astar 483.xalancbmk overall 3 2 1 0 gzip OpenSSH PostgreSQL MediaWiki (scp+sshd) (pgbench) (HTTPS)

  39. Limitations

  40. Limitations Doesn't prevent memory corruption, only acts when the untrusted data is used for arbitrary code execution.

  41. Limitations Tainted pointer dereferences ->some_field = useful_untainted_value; tainted_pointer

  42. Limitations Tainted pointer dereferences ->some_field = useful_untainted_value; tainted_pointer propagation can lead to false positives: dispatch_table[ ](); checked_input

  43. Limitations Taint whitewashing out = latin1_to_ascii[ ]; in

  44. Limitations Format string attacks: printf( ); "%65534s %123$hn" // Propagates taint in glibc printf( ); // Does not :-( "FillerFiller...%123$hn"

  45. Limitations Does not protect against non-control-flow exploits

  46. Limitations Does not protect against non-control-flow exploits void char char try_system( *username, *cmd) { user_rights = get_credentials(username); int 16 char buf[16] ; strcpy(buf, username); (user_rights & ) ALLOW_SYSTEM if system(cmd); else log_error( , buf); "user attempted login" %s }

  47. Limitations Does not protect against non-control-flow exploits void char char try_system( *username, *cmd) { user_rights = get_credentials(username); int 16 char buf[16] ; strcpy(buf, username); (user_rights & ) ALLOW_SYSTEM if system(cmd); else log_error( , buf); "user attempted login" %s }

  48. Limitations Does not protect against non-control-flow exploits void char char try_system( *username, *cmd) { user_rights = get_credentials(username); int 16 char buf[16] ; strcpy(buf, username); (user_rights & ) ALLOW_SYSTEM if system(cmd); else log_error( , buf); "user attempted login" %s }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman &lt;erik@minemu.org&gt; Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and expensive problem Impractical to manually review code for it Corruption can easily be introduced by unwary changes (again with the

702 views • 45 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present!

669 views • 40 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

340 views • 4 slides
R2-D2 Goes to Buggy Emily Yeh &amp; Anastassia Kornilova 1/33 Buggy R2D2 Goes to Buggy by

R2-D2 Goes to Buggy Emily Yeh &amp; Anastassia Kornilova 1/33 Buggy R2D2 Goes to Buggy by

R2-D2 Goes to Buggy Emily Yeh &amp; Anastassia Kornilova 1/33 Buggy R2D2 Goes to Buggy by Anastassia Kornilova &amp; Emily Yeh 2/33 Vehicle Safety in the Real World R2D2 Goes to Buggy by Anastassia Kornilova &amp; Emily Yeh 3/33 R2-D2

589 views • 33 slides
New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption measured Complex issue without an exact answer Perception of corruption vs. corruption What can be done? Policy measures Preventive

702 views • 12 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource Centre Anti-Corruption in development: Evolution of practice 1 st generation: the principal-agent problem Corruption = Monopoly + Discretion

417 views • 7 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable | f-secure.com Agenda Infection Vector Installation Main Binary C&amp;C Servers Payload Remaining Binaries

618 views • 34 slides
Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17 (24 hours)! Due: form your team and submit your CTF challenge by Nov 13! Due: Lab07 is out and its due on Nov 2 (two weeks!) NSA

596 views • 33 slides
Toward the KRW conjecture Cubic Formula Lower Bounds via Communication Complexity Irit Dinur Or

Toward the KRW conjecture Cubic Formula Lower Bounds via Communication Complexity Irit Dinur Or

Toward the KRW conjecture Cubic Formula Lower Bounds via Communication Complexity Irit Dinur Or Meir Irit Dinur, Or Meir Toward the KRW conjecture Formulas (de-Morgan) Formulas are circuits with fan-out 1 . Cannot store intermediate results.

982 views • 97 slides
HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed Command is sourceanalyzer Problems which sourceanalyzer == &lt;path&gt;/HP_Fortify/HP_Fortify_SCA_and_Apps_&lt;ver

358 views • 15 slides
Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n

Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n

Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n n Geovisualization of Terez Memorial Memorial Karel Jedli ka, Vclav ada, Radek Fiala, Pavel Hjek, Karel Jane ka, Jan Jeek, Jan

453 views • 20 slides
Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that are Ubiquitous Connected Dependable Complexity Unforeseen Consequences Software Security Today The line between secure/insecure is

624 views • 48 slides
The Power of Collaboration Among CCAs Presented by: Chris Sentieri Center for Climate

The Power of Collaboration Among CCAs Presented by: Chris Sentieri Center for Climate

The Power of Collaboration Among CCAs Presented by: Chris Sentieri Center for Climate Protection Webinar February 13, 2019 a division of Blue Strike Environmental Chris Sentieri Senior Manager- EcoShift Consulting, a division of Blue

65 views • 6 slides
Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the

Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the

Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the industrial revolution take place in the West and not, say, China? As many theories as there are authors The consensus if there is one

498 views • 21 slides
Research project Socioprofessional Dynamics The work presented in this seminar is part of the FNS

Research project Socioprofessional Dynamics The work presented in this seminar is part of the FNS

Introduction From structure to dynamics Synthetic analysis Conclusion References Introduction From structure to dynamics Synthetic analysis Conclusion References Research project Socioprofessional Dynamics The work presented in this

283 views • 7 slides

More recommend