Rewriting and Repair Mathias Payer*, Boris Bluntschli, Thomas R. - - PowerPoint PPT Presentation

SLIDE 1

DynSec: On-the-fly Code Rewriting and Repair

Mathias Payer*, Boris Bluntschli, Thomas R. Gross Department of Computer Science ETH Zurich * now at UC Berkeley

SLIDE 2

Security dilemma

Integrity and availability threatened by vulnerabilities
Two remedies: update or sandboxing

  • Security updates fix known vulnerabilities but require service restart
  • Sandboxes protect from unknown exploits but stop the service when an attack is detected

SLIDE 3

DynSec in 2 Minutes

Key insight: both sandboxes and dynamic update mechanisms rely on some form of virtualization
Binary Translation (BT) provides virtualization

  • Sandbox protects integrity
  • Dynamic update mechanism protects availability

SLIDE 4

DynSec in 2 Minutes

[Architecture diagram with components: Application, Binary Translation, DynSec, Kernel, Patches, Loader, Patch extraction and distribution]

SLIDE 5

Outline

[Outline: the architecture diagram again (Application, Binary Translation, DynSec, Kernel, Patches, Loader, Patch extraction and distribution)]

SLIDE 6

Code Translation

  • Translates individual basic blocks
  • Weave patches into translated code
  • Protect from security exploits

[Diagram: Original Code (basic blocks 1, 2, 3, 4) → Binary Translator → Translated Code (blocks 1', 2', 3'); Kernel]

SLIDE 7

Outline

[Outline: the architecture diagram again (Application, Binary Translation, DynSec, Kernel, Patches, Loader, Patch extraction and distribution)]

SLIDE 8

Patching Architecture

DynSec thread waits for incoming patches
Patch application happens in 3 steps:

  • Signal all application threads to stop
  • Flush all code caches
  • Restart application threads

Patch is applied indirectly when code is retranslated

  • BT checks for every instruction if a patch is available

SLIDE 9

Outline

[Outline: the architecture diagram again (Application, Binary Translation, DynSec, Kernel, Patches, Loader, Patch extraction and distribution)]

SLIDE 10

Patch Format

The focus of DynSec is on security patches

  • Most security patches are only a few lines of code
  • Type changes and code refactoring are out of scope

Patches are sets of changed instructions
Each patch may specify an additional shared library for more heavyweight changes
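The mechanism of slides 6, 8 and 10, as an added illustration in C that is not DynSec or libdetox code: a patch is a set of changed instructions keyed by original address, the translator consults that set for every instruction it copies into the code cache, and a cached block keeps its old translation until the cache is flushed (step 2 of the slide-8 procedure; the thread stop/restart of steps 1 and 3 is left out). Instructions are modelled as mnemonic strings rather than real x86 encodings, and every name here (translate_block, install_patch, flush_code_cache, the sample program and its strncpy replacement) is constructed for the example.

```c
/* Toy model of DynSec-style patch weaving at translation time. Added
 * illustration, not DynSec/libdetox code: "instructions" are mnemonic
 * strings keyed by original address, not real x86 encodings. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TEXT_LEN    32
#define MAX_INSNS   16
#define MAX_PATCH   8
#define CACHE_SLOTS 8

/* One instruction of the original, untranslated program. */
struct insn { uint32_t addr; char text[TEXT_LEN]; };

/* Patch = set of changed instructions keyed by original address (slide 10). */
static struct insn patch_table[MAX_PATCH];
static int patch_count = 0;

/* A translated basic block living in the code cache (slide 6). */
struct cached_block {
    uint32_t start;                 /* original start address; 0 = empty slot */
    int n;
    char out[MAX_INSNS][TEXT_LEN];
};
static struct cached_block code_cache[CACHE_SLOTS];

/* Constructed sample program: a single basic block ending in ret. */
static const struct insn program[] = {
    {0x1000, "mov eax, [ebp+8]"},
    {0x1003, "call strcpy"},            /* the call the security patch replaces */
    {0x1008, "xor eax, eax"},
    {0x100a, "ret"},
};
#define PROGRAM_LEN ((int)(sizeof program / sizeof program[0]))

/* Add one changed instruction to the patch set. Returns 0, or -1 if full. */
int install_patch(uint32_t addr, const char *new_text)
{
    if (patch_count >= MAX_PATCH) return -1;
    patch_table[patch_count].addr = addr;
    snprintf(patch_table[patch_count].text, TEXT_LEN, "%s", new_text);
    patch_count++;
    return 0;
}

static const char *patch_lookup(uint32_t addr)
{
    for (int i = 0; i < patch_count; i++)
        if (patch_table[i].addr == addr) return patch_table[i].text;
    return NULL;
}

/* Slide 8, step 2: drop every cached translation so the next execution
 * retranslates (and thereby picks up the patch). Returns blocks discarded. */
int flush_code_cache(void)
{
    int dropped = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (code_cache[i].start != 0) dropped++;
    memset(code_cache, 0, sizeof code_cache);
    return dropped;
}

/* Translate the basic block at `start`, consulting the patch set for every
 * instruction (slide 8). A cached translation is reused as-is: once a block
 * is in the cache, a later patch is invisible until the cache is flushed. */
const struct cached_block *translate_block(uint32_t start)
{
    struct cached_block *blk = NULL;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (code_cache[i].start == start) return &code_cache[i];   /* hit */
        if (code_cache[i].start == 0 && blk == NULL) blk = &code_cache[i];
    }
    if (blk == NULL) return NULL;       /* cache full; a real BT would evict */

    blk->start = start;
    blk->n = 0;
    for (int i = 0; i < PROGRAM_LEN && blk->n < MAX_INSNS; i++) {
        if (program[i].addr < start) continue;
        const char *patched = patch_lookup(program[i].addr);
        snprintf(blk->out[blk->n++], TEXT_LEN, "%s",
                 patched ? patched : program[i].text);
        if (strcmp(program[i].text, "ret") == 0) break;   /* block ends here */
    }
    return blk;
}

/* Does the (possibly cached) translation of `start` contain `text`? */
int cached_block_contains(uint32_t start, const char *text)
{
    const struct cached_block *blk = translate_block(start);
    if (blk == NULL) return 0;
    for (int i = 0; i < blk->n; i++)
        if (strcmp(blk->out[i], text) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("before patch, strcpy present: %d\n",
           cached_block_contains(0x1000, "call strcpy"));
    install_patch(0x1003, "call strncpy");   /* constructed one-instruction patch */
    printf("patch installed, no flush:    %d\n",
           cached_block_contains(0x1000, "call strcpy"));
    flush_code_cache();
    printf("after flush:                  %d\n",
           cached_block_contains(0x1000, "call strcpy"));
    return 0;
}
```

The thing to watch is the middle step: installing the patch changes nothing for a block that is already translated, because the translator only consults the patch set while copying instructions into the cache. That stale-translation window is exactly why the slide-8 procedure flushes all code caches between stopping and restarting the application threads.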

SLIDE 11

Patch Extraction

Build patched application with current toolchain
Extract instruction differences between patched and unpatched version of the binary (per function)

  • Changed instructions are added to patch
  • Check differences in static read-only data
  • Manually ensure integrity of patch (no type changes, no data changes)
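The per-function extraction step of slide 11, as an added illustration in C that is not DynSec's extraction tool: both binary versions of one function are given as constructed mnemonic lists, changed instructions are collected into the patch, a difference in instruction count or addresses (code moved, which is the refactoring case the slides exclude) rejects the function, and a change in static read-only data is reported separately for the manual integrity check. A real tool compares encodings, so requiring equal addresses also enforces equal encoding lengths; the sample fix swaps one imm32 bound (256 to 255) and keeps the layout. Names (extract_patch, rodata_changed, the sample functions) are assumptions of this example.

```c
/* Toy model of DynSec-style patch extraction (slide 11): per-function diff
 * of two binary versions. Added illustration, not DynSec's tool; both
 * versions are constructed mnemonic lists rather than real x86 encodings. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_DIFF 16
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

struct insn { uint32_t addr; char text[32]; };

/* Output of the extractor: the set of changed instructions, keyed by the
 * address each one replaces. */
struct patch_entry { uint32_t addr; char text[32]; };
static struct patch_entry extracted[MAX_DIFF];

/* Constructed sample: one function before and after a security fix. Only
 * the copy bound changes, an imm32 in both versions, so every other
 * instruction keeps its address. */
static const struct insn old_fn[] = {
    {0x2000, "push ebp"},
    {0x2001, "mov ebp, esp"},
    {0x2003, "mov ecx, 256"},          /* off-by-one: buffer holds 255 + NUL */
    {0x2008, "call copy_bounded"},
    {0x200d, "leave"},
    {0x200e, "ret"},
};
static const struct insn new_fn[] = {
    {0x2000, "push ebp"},
    {0x2001, "mov ebp, esp"},
    {0x2003, "mov ecx, 255"},          /* fixed bound, same encoding length */
    {0x2008, "call copy_bounded"},
    {0x200d, "leave"},
    {0x200e, "ret"},
};
/* A refactored version that inserts a check: everything after it moves,
 * which the patch format does not cover. */
static const struct insn refactored_fn[] = {
    {0x2000, "push ebp"},
    {0x2001, "mov ebp, esp"},
    {0x2003, "cmp ecx, 255"},
    {0x2008, "jbe ok"},
    {0x200a, "mov ecx, 255"},
    {0x200f, "call copy_bounded"},
    {0x2014, "leave"},
    {0x2015, "ret"},
};

/* Compare one function instruction by instruction. Returns the number of
 * changed instructions written to `extracted`, or -1 when the versions
 * differ in instruction count or layout (a refactoring, not a patch). */
int extract_patch(const struct insn *a, int na, const struct insn *b, int nb)
{
    int n = 0;
    if (na != nb) return -1;
    for (int i = 0; i < na; i++) {
        if (a[i].addr != b[i].addr) return -1;      /* code moved */
        if (strcmp(a[i].text, b[i].text) == 0) continue;
        if (n >= MAX_DIFF) return -1;
        extracted[n].addr = b[i].addr;
        snprintf(extracted[n].text, sizeof extracted[n].text, "%s", b[i].text);
        n++;
    }
    return n;
}

/* Static read-only data is compared as well; a difference there is flagged
 * for the manual integrity check rather than folded into the patch. */
int rodata_changed(const unsigned char *a, const unsigned char *b, size_t len)
{
    return memcmp(a, b, len) != 0;
}

int main(void)
{
    int n = extract_patch(old_fn, LEN(old_fn), new_fn, LEN(new_fn));
    for (int i = 0; i < n; i++)
        printf("patch: %#x -> %s\n", (unsigned)extracted[i].addr, extracted[i].text);
    printf("refactored version: %d (rejected)\n",
           extract_patch(old_fn, LEN(old_fn), refactored_fn, LEN(refactored_fn)));
    return 0;
}
```

The rejection path is the important one for a security patch pipeline: a diff that looks like a few changed instructions but comes from moved code would, if applied, redirect execution at the wrong addresses, so the extractor refuses it and leaves such changes to the next binary update.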

SLIDE 12

Patch Distribution

Most Linux distributions provide a dynamic update service; piggyback on this distribution service

  • Automatically generate a dynamic patch when a new package is generated
  • Systems download packages and install dynamic patches to running services
  • System administrators update binaries during the next maintenance window

SLIDE 13

Outline

[Outline: the architecture diagram again (Application, Binary Translation, DynSec, Kernel, Patches, Loader, Patch extraction and distribution)]

SLIDE 14

Implementation

DynSec builds on TRuE/libdetox [IEEE S&P’12, ACM VEE’11]

  • Patching thread injected in BT layer
  • Implemented in <2000 LoC
  • 48 LoC changed in TRuE to add DynSec hooks
  • Supports unmodified, unaware, multi-threaded x86 applications on Linux

SLIDE 15

Evaluation

DynSec evaluated using SPEC CPU2006

  • CPU: Intel Core2 Quad Q6600 @ 2.64GHz, 8GB RAM
  • Ubuntu 11.04, Linux 2.6.38
  • Used GCC 4.5.1 with -O2

Three configurations

  • Native
  • Sandboxing (use TRuE w/ shadow stack and checks)
  • DynSec (with one large patch)

SLIDE 16

SPEC CPU2006: Performance

[Bar chart, one bar per benchmark for the Sandbox and DynSec configurations, y axis 0.5 to 2.5: 400.perlbench, 401.bzip2, 403.gcc, 429.mcf, 445.gobmk, 456.hmmer, 458.sjeng, 462.libquantum, 464.h264ref, 471.omnetpp, 473.astar, 410.bwaves, 416.gamess, 433.milc, 434.zeusmp, 435.gromacs, 436.cactusADM, 437.leslie3d, 444.namd, 450.soplex, 453.povray, 454.calculix, 459.GemsFDTD, 465.tonto, 470.lbm, 482.sphinx3, Mean]

SLIDE 17

SPEC CPU2006: Performance

[Same bar chart as SLIDE 16: Sandbox and DynSec per SPEC CPU2006 benchmark plus Mean, y axis 0.5 to 2.5]

Low performance overhead (~11%)

SLIDE 18

CoreHTTP Security Study

CoreHTTP is a simple web server with CGI support
We evaluate three security vulnerabilities

  • CVE-2007-4060: missing input sanitization in sscanf (results in buffer overflow)
  • CVE-2009-3586: off-by-one error in input sanitization (results in 1 byte buffer overflow)
  • ExploitDB-10610: arbitrary command execution (popen is called with unescaped input string)

DynSec patches each vulnerability and protects CoreHTTP from exploitation
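The three bug classes named on slide 18, each shown in the hardened form a fix would install, as an added illustration in C: this is neither CoreHTTP's code nor the DynSec patches, and the function names, buffer sizes and sample request lines are constructed. The sscanf case bounds every %s conversion to its destination and uses %n to detect a token that did not fit; the off-by-one case keeps the copy at most size-1 bytes so the terminator always lands inside the buffer; the popen case allowlists the CGI argument before it can reach a shell.

```c
/* Hardened forms of the three vulnerability classes listed for CoreHTTP
 * (added illustration, not CoreHTTP or DynSec code). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define METHOD_MAX   8      /* holds a 7-char method plus NUL */
#define PATH_MAX_LEN 255    /* longest accepted path; buffer is one larger */

/* CVE-2007-4060 class: sscanf("%s") without a width writes past the
 * destination. Each conversion here carries a width of size-1, and %n
 * records where the token ended, so a token that did not fit (the next
 * character is not whitespace) is rejected instead of silently truncated.
 * Returns 0 on success, -1 on malformed or over-long input. */
int parse_request_line(const char *line,
                       char method[METHOD_MAX], char path[PATH_MAX_LEN + 1])
{
    int m_end = -1, p_end = -1;
    /* the widths 7 and 255 must track METHOD_MAX-1 and PATH_MAX_LEN */
    if (sscanf(line, "%7s%n %255s%n", method, &m_end, path, &p_end) != 2)
        return -1;
    if (!isspace((unsigned char)line[m_end]))
        return -1;                      /* method longer than 7 bytes */
    if (line[p_end] != '\0' && !isspace((unsigned char)line[p_end]))
        return -1;                      /* path longer than 255 bytes */
    return 0;
}

/* Validator: does `line` parse within the fixed buffers? 1 = yes. */
int request_line_ok(const char *line)
{
    char method[METHOD_MAX], path[PATH_MAX_LEN + 1];
    return parse_request_line(line, method, path) == 0;
}

/* Edge case: a 300-byte path must be rejected, not cut down to 255. */
int overlong_path_rejected(void)
{
    char line[320];                         /* "GET /" + 300 'a' + " HTTP/1.0" */
    memset(line, 'a', sizeof line);
    memcpy(line, "GET /", 5);
    memcpy(line + 305, " HTTP/1.0", 10);    /* 10 bytes includes the NUL */
    return request_line_ok(line) == 0;
}

/* CVE-2009-3586 class: an off-by-one bound (copying up to dst_sz bytes and
 * then writing the NUL) spills one byte. Copy at most dst_sz-1 bytes so the
 * terminator always fits. Returns the number of bytes copied. */
size_t copy_bounded(char *dst, size_t dst_sz, const char *src)
{
    size_t i = 0;
    if (dst_sz == 0) return 0;
    while (i < dst_sz - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* ExploitDB-10610 class: popen() hands its string to /bin/sh, so shell
 * metacharacters in a CGI argument become commands. Allowlist the argument
 * before it goes anywhere near a shell (better still, use an argv-based
 * exec with no shell at all). Returns 1 if safe, 0 otherwise. */
int cgi_arg_is_safe(const char *arg)
{
    if (arg == NULL || *arg == '\0' || strlen(arg) > 64) return 0;
    for (const char *p = arg; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && strchr("-_./", *p) == NULL)
            return 0;
    if (strstr(arg, "..") != NULL) return 0;   /* no directory traversal */
    return 1;
}

int main(void)
{
    char buf[4];
    size_t copied;
    printf("GET /index.html      -> %d\n", request_line_ok("GET /index.html HTTP/1.0"));
    printf("over-long method     -> %d\n", request_line_ok("PROPFINDX /a HTTP/1.0"));
    printf("300-byte path reject -> %d\n", overlong_path_rejected());
    copied = copy_bounded(buf, sizeof buf, "abcdef");
    printf("copy_bounded         -> %zu bytes, \"%s\"\n", copied, buf);
    printf("arg \"a;rm\" safe      -> %d\n", cgi_arg_is_safe("a;rm"));
    return 0;
}
```

Each of these is a local, few-instruction change to the vulnerable function (a width added to a format string, a comparison bound lowered by one, a validation call inserted before the command runs), which is the size of change the patch format of slide 10 is built around.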

SLIDE 19

Outline

[Outline: the architecture diagram again (Application, Binary Translation, DynSec, Kernel, Patches, Loader, Patch extraction and distribution)]

SLIDE 20

Conclusion

DynSec offers on-the-fly code rewriting and repair for unmodified applications
Use virtualization (through Binary Translation) to combine the power of two worlds:

  • Sandbox protects integrity (control-flow protection)
  • Dynamic update framework provides availability