sabre
play

SaBRE Load-time selective binary rewriting Paul-Antoine Arras , - PowerPoint PPT Presentation

Nov 12, 2022 •233 likes •786 views

FOSDEM 2020 SaBRE Load-time selective binary rewriting Paul-Antoine Arras , Anastasios Andronidis, Lus Pina, Karolis Mituzas, Qianyi Shu, Daniel Grumberg, Cristian Cadar Software Reliability Group, Imperial College London How resilient is my

  1. FOSDEM 2020 SaBRE Load-time selective binary rewriting Paul-Antoine Arras , Anastasios Andronidis, Luís Pina, Karolis Mituzas, Qianyi Shu, Daniel Grumberg, Cristian Cadar Software Reliability Group, Imperial College London

  2. How resilient is my software? ● Assess fault tolerance ● E.g. disk full, memory exhausted ● Hard to reproduce on real system ● Can we simulate a fault? ● Yes, but... ● Kernel hacking is dangerous ● Tinkering with libraries can also be painful ● What’s in between? 2

  3. Hello world Python User code print('Hello, User space world!') Library System call interface Operating system Kernel space 3

  4. System call interface ● Set of low-level operations User space ● Request a service System call interface ● Very similar to function call Kernel space ○ Several arguments ○ One result Python System call (C syntax) print('Hello, write(1, “Hello, world!”, 13) world!') 4

  5. System call errors ● Return value User space ○ ≥ 0 → success ○ < 0 → failure System call interface ● write Kernel space ○ Size written ○ E.g. permission denied (EPERM), disk full (ENOSPC) Python System call file = open(“/tmp/hello”, “w”) open(“/tmp/hello”, “w”) = 8 file.write(“Hello!”) write(8, “Hello!”, 6) = 6 write(8, “Hello!”, 6) = EPERM < 0 5

  6. Fault injection ● How to simulate e.g. a permission error at system call level? ● Swap return value with error code write(8, “Hello!”, 6) = 6 write(8, “Hello!”, 6) = EPERM How to achieve that? 6

  7. Binary rewriting 7

  8. What is binary rewriting? ● Modify program at machine code level ● No source code needed ● Does not require recompilation ● Only requirement: disassembling ○ Break program into sequence of instructions ○ Assume done for now push R0 load 0x14,R0 0 1 0 0 1 0 0 1 0 0 1 Disassembling call fnct or 0x67,R2 Binary Disassembly 8

  9. What is binary rewriting? ● Modify program at machine code level ● No source code needed ● Does not require recompilation ● Only requirement: disassembling ○ Break program into sequence of instructions ○ Assume done for now push R0 load 0x14,R0 0 1 0 0 1 0 0 1 0 0 1 Disassembling call fnct or 0x67,R2 Binary Disassembly 9

  10. Disassembly Offset Size in bytes Human-readable instruction (mnemonic + operands) 0x00 1 push R0 0x01 2 load 0x14,R0 0x03 5 call fnct 0x08 3 or 0x67,R2 0x0b 2 jump L1 0x0d 3 and 0x45,R2 0x10 5 jump L2 …

  11. Operations on instructions ● Remove ● Replace ● Add

  12. Remove Pad with nop s 0x00 1 push R0 0x00 1 push R0 0x01 1 nop 0x01 2 load 0x14,R0 0x02 1 nop 0x03 5 call fnct 0x03 5 call fnct 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2

  13. Replace Call → jump 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 ? jump 0x03 5 call fnct 0x?? 3 or 0x67,R2 0x08 3 or 0x67,R2

  14. Size matters ● Shifting instructions is impractical ○ Jumps become invalid ○ Addresses have to be recomputed ● Do rewritten instructions fit? ● Compare instruction sizes ○ Original S(O) ○ Rewritten S(R)

  15. Replace Call → jump 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 ? jump 0x03 5 call fnct 0x?? 3 or 0x67,R2 0x08 3 or 0x67,R2 S(O) = 5 S(R) = ?

  16. Replace Call → jump 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 5 jump 0x03 5 call fnct 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 S(O) = S(R)

  17. Replace Call → jump 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 3 jump 0x03 5 call fnct 0x06 1 nop 0x08 3 or 0x67,R2 0x07 1 nop 0x08 3 or 0x67,R2 S(O) ≤ S(R)

  18. Replace depends on relative sizes ● If S(R) = S(O) → just replace ● If S(R) < S(O) → pad with nop s ● If S(R) > S(O) → ???

  19. Problem How to fit larger instructions? 19

  20. Detour ● Problem: S(R) ≥ S(O) ● Shifting instructions still not an option ● Solution: relocate instructions to out-of-line scratch space 1. Allocate memory 2. Move instructions 3. Add jumps into and out of moved instructions 20

  21. Add with detour Insert a jump to rewritten instructions 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 5 jump D0 0x03 5 call fnct L0: 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 … D0: Out-of-line 0xffec 5 call fnct scratch space … // added instructions 0xfffd 5 jump L0

  22. Add with detour Insert a jump to rewritten instructions 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 5 jump D0 0x03 5 call fnct L0: 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 … D0: Out-of-line 0xffec 5 call fnct scratch space … // added instructions S(O) = S(J) 0xfffd 5 jump L0

  23. Replace with detour ● If S(J) ≤ S(O) → replace and pad with nop s ● Otherwise, relocate neighbouring instructions 0x00 1 push R0 0x00 1 push R0 0x01 5 jump D0 0x01 2 load 0x14,R0 0x06 1 nop 0x03 5 call fnct 0x07 1 nop 0x08 3 or 0x67,R2 L0: 0x08 3 or 0x67,R2 … D0: S(J) = 5 Out-of-line … // substitute instructions scratch space 0xfff8 5 call fnct S(O) = 2 0xfffd 5 jump L0

  24. Replace depends on relative sizes ● S(R) = S(O) → replace O with R ● S(R) < S(O) → replace and pad with nop s ● S(R) > S(O) → detour with jump (J) ○ S(J) = S(O) → replace O with J ○ S(J) < S(O) → replace and pad with nop s ○ S(J) > S(O) → replace and relocate surrounding instructions

  25. Can instructions always be relocated?

  26. Side effects Alter status flags push R0 set parity flag test R0,R1 jump if parity even jpe L0 or 0x67,R2 Solution push R0 test R0,R1 Whitelist of instructions add R2,R3 known to be safe to relocate jpe L0 or 0x67,R2

  27. PC-relative addressing 0x00 1 push R0 0x00 1 push R0 0x01 5 jump D0 0x01 2 load 0x06 1 nop 0x48(PC),R0 0x07 1 nop 0x03 5 call fnct L0: 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 … D0: 0x48 + 0x01 = 0x49 … // added instructions 0xffea 2 load 0x48(PC),R0 0xffec 5 call fnct 0xfffd 5 jump L0 0x48 + 0xFFEA = 0x10032

  28. Solution PC-relative addressing Fixup displacement in relocated instruction 0x00 1 push R0 0x00 1 push R0 0x01 5 jump D0 0x01 2 load 0x06 1 nop 0x48(PC),R0 0x07 1 nop 0x03 5 call fnct L0: 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 … D0: … // added instructions 0xffe6 6 load -0xff9d(PC),R0 0x49 - 0xFFE6 = -0xFF9D 0xffec 5 call fnct 0xfffd 5 jump L0

  29. Branch target 0x00 1 push R0 0x00 1 push R0 0x01 5 jump D0 0x01 2 load 0x14,R0 0x06 1 nop L0: 0x07 1 nop 0x03 5 call fnct L1: 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 … … 0x68 2 jump L0 0x68 2 jump L0 … D0: Solution 0xffec 2 load 0x14,R0 … // added instructions 0xfff8 5 call fnct Record branch target 0xfffd 5 jump L1 locations before rewriting

  30. Problematic instructions ● Branch targets → do not rewrite ● PC-relative addressing → fixup displacement ● Side effects → only rewrite white-listed instructions

  31. What if not enough instructions can be relocated? 31

  32. Cannot relocate instructions ● Cannot accommodate jump ● Detour cannot be used ● Instead, insert short illegal instruction ● Setup signal handler to catch SIGILL ● Put added instructions into handler ● Significant overhead but extremely rare 32

  33. Disassembling 33

  34. What is disassembling? Break binary code into sequence of instructions push R0 load 0x14,R0 0 1 0 0 1 0 0 1 0 0 1 Disassembling call fnct or 0x67,R2 Binary Disassembly push R0 load 0x14,R0 0 1 0 0 1 0 0 1 0 0 1 Disassembling call fnct or 0x67,R2 Binary Disassembly 34

  35. Disassembler types ● Dynamic ○ Actually run program ○ Decode instructions just in time ○ Runtime penalty ○ E.g. Dyninst, DynamoRIO, Pin ● Static ○ Program is not run ○ Binary scanned according to algorithm ○ No runtime penalty ○ E.g. Multiverse 35

  36. Static disassembler Linear Sweep Recursive Traversal 0x00 1 push R0 0x00 1 push R0 0x01 2 load 0x14,R0 0x01 2 load 0x14,R0 0x03 5 call fnct 0x03 5 call fnct 0x08 3 or 0x67,R2 0x08 3 or 0x67,R2 0x0b 2 jump L1 0x0b 2 jump L1 0x0d 3 and 0x45,R2 … // skipped instructions 0x10 5 jump L2 0x15 ? bad // garbage L1: 0x6c 4 move R0,R1

  37. Disassembly challenges ● Code discovery or content classification problem ○ Mixed code and data ○ Halting problem ● Instruction overlapping ○ Variable-length ISA ○ One byte encodes several instructions ○ Obfuscation technique 37

  38. SaBRe: Load-time selective binary rewriting for system calls and function prologues 38

  39. Fault injection ● How to simulate e.g. a permission error at system call level? ● Swap return value with error code write(8, “Hello!”, 6) = 6 write(8, “Hello!”, 6) = EPERM How to achieve that? 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

First measurements with a NaI(Tl) crystal for the SABRE experiment 2nd year research activity

First measurements with a NaI(Tl) crystal for the SABRE experiment 2nd year research activity

First measurements with a NaI(Tl) crystal for the SABRE experiment 2nd year research activity report October 17th, 2019 Ambra Mariani Outline Introduction The SABRE strategy 1 The SABRE Proof of Principle (PoP) 2 SABRE crystals: NaI-31

429 views • 22 slides
The SABRE Proof of Principle Simone Copello on behalf of the SABRE collaboration *Gran Sasso

The SABRE Proof of Principle Simone Copello on behalf of the SABRE collaboration *Gran Sasso

The SABRE Proof of Principle Simone Copello on behalf of the SABRE collaboration *Gran Sasso Science Institute, LAquila, Italy TAUP 2019 - 8/14 September, Toyama, Japan 1 Outline Experimental goal and strategies Annual modulation

568 views • 24 slides
(SABRE) cohort Therese Tillin Institute of Cardiovascular Science University College London

(SABRE) cohort Therese Tillin Institute of Cardiovascular Science University College London

Southall And Brent REvisited (SABRE) cohort Therese Tillin Institute of Cardiovascular Science University College London .and Brent Background- mid 1980s A) Higher rates of diabetes, coronary heart disease and stroke in South Asians B)

554 views • 31 slides
Preventing Zika Transmission with Environmentally- Friendly Mosquito Control The Sabre Companies

Preventing Zika Transmission with Environmentally- Friendly Mosquito Control The Sabre Companies

Preventing Zika Transmission with Environmentally- Friendly Mosquito Control The Sabre Companies Presented to the State of Florida July 2016 World-Renowned Reputation Environmentally-Friendly Microbial Technology Sabres reputation as

267 views • 9 slides
10-50 WILLOW STREET LONDON EC2A 4BH UNITED KINGDOM T/ +44 (0)207 683 1200

10-50 WILLOW STREET LONDON EC2A 4BH UNITED KINGDOM T/ +44 (0)207 683 1200

REV06 25 / 04 / 2017 10-50 WILLOW STREET LONDON EC2A 4BH UNITED KINGDOM T/ +44 (0)207 683 1200 enquiries-shoreditch@nobuhotels.com www.nobuhotelshoreditch.com SABRE: NB 313219 AMADEUS: NB LONNHS WORLDSPAN: NB LCYNH APOLLO/GALILEO: NB

711 views • 15 slides
Delivering Engineered Solutions www.bowyerengineering.co.uk

Delivering Engineered Solutions www.bowyerengineering.co.uk

Delivering Engineered Solutions www.bowyerengineering.co.uk stevea@bowyerengineering.co.uk AS9100, ISO 9001 &amp; RR Sabre Accredited Delivering Engineered Solutions Staff and Premises Knowledge &amp;

284 views • 15 slides
LLVM - the early days Where did it come from, and how? Before LLVM September 1999 Tiger native

LLVM - the early days Where did it come from, and how? Before LLVM September 1999 Tiger native

LLVM - the early days Where did it come from, and how? Before LLVM September 1999 Tiger native compiler Directed study in compilers @ UofP: with Dr. Steven Vegdahl, Nick Forrette http://www.nondot.org/sabre/Projects/Compilers/ Tiger native

966 views • 79 slides
Price Search and Airlines 1 History Price search for airfares used to be very difficult---in

Price Search and Airlines 1 History Price search for airfares used to be very difficult---in

Price Search and Airlines 1 History Price search for airfares used to be very difficult---in many cases had to be performed by a trained professional. Even after computerized search and ticketing (e.g. Sabre), price search by customers

308 views • 9 slides
Cadence Space Access or how to achieve affordable, effective space access Robert Bond

Cadence Space Access or how to achieve affordable, effective space access Robert Bond

SABRE A New Approach to Low Cost, High Cadence Space Access or how to achieve affordable, effective space access Robert Bond Reaction Engines 1 After 60 years of space access . some amazing things have been achieved Expansion

516 views • 16 slides
Half-Year Results Presentation July 2018 Disclaimer LEGAL NOTICE This presentation has been

Half-Year Results Presentation July 2018 Disclaimer LEGAL NOTICE This presentation has been

Half-Year Results Presentation July 2018 Disclaimer LEGAL NOTICE This presentation has been prepared to inform investors and prospective investors in the secondary markets and other market participants about Sabre Insurance Group plc and its

349 views • 21 slides
NETWORK MUSIC PLAYER THE PERFORMANCE SWEET SPOT STRIKING THE PERFECT PRICE/PERFORMANCE BALANCE

NETWORK MUSIC PLAYER THE PERFORMANCE SWEET SPOT STRIKING THE PERFECT PRICE/PERFORMANCE BALANCE

NETWORK MUSIC PLAYER THE PERFORMANCE SWEET SPOT STRIKING THE PERFECT PRICE/PERFORMANCE BALANCE ALL-NEW CHASSIS CONSTRUCTION DUAL ES9028PRO SABRE DAC &amp; TECHNOLOGY HIGHLIGHTS ALL-NEW CHASSIS CONSTRUCTION FEATURING THICK CNC PANELS

315 views • 15 slides
through Application Discovery with ExplorViz SSP 18 9th Symposium on Software Performance

through Application Discovery with ExplorViz SSP 18 9th Symposium on Software Performance

Simplifying Software System Monitoring through Application Discovery with ExplorViz SSP 18 9th Symposium on Software Performance 2018 Alexander Krause, Christian Zirkelbach, Wilhelm Hasselbring Talk by Sren Henning Kiel University

416 views • 26 slides
Foliations : Whats next after Thurston ? The mathematical legacy of Bill Thurston, tienne

Foliations : Whats next after Thurston ? The mathematical legacy of Bill Thurston, tienne

Foliations : Whats next after Thurston ? The mathematical legacy of Bill Thurston, tienne Ghys, CNRS ENS Lyon A dozen publications between 1972 and 1976 On proofs and progress in mathematics, Thurston 1994 First I will discuss briefly

1.16k views • 74 slides
Data Viz April 2, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick

Data Viz April 2, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick

Data Viz April 2, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick HTAs: Josh Levin, Diane Mutako, Sol Zitter 1 Announcements Videos on if you can! Use raise-hand feature for questions. Any questions/concerns

1.08k views • 74 slides
Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good idea to know what they are Special variables with key information Special functions/libraries that can be used Special options that can be

422 views • 7 slides
Lecture 2 Annotation tools &amp; Segmentation Summary of Part 1 Annotation theory

Lecture 2 Annotation tools &amp; Segmentation Summary of Part 1 Annotation theory

Center for Reflected Text Analytics Lecture 2 Annotation tools &amp; Segmentation Summary of Part 1 Annotation theory Guidelines Inter-Annotator agreement Inter-subjective annotations Annotation exercise Discuss

671 views • 22 slides
Scratch: Making Programming Easy and Fun John Maloney Lifelong Kindergarten Group MIT Media

Scratch: Making Programming Easy and Fun John Maloney Lifelong Kindergarten Group MIT Media

Scratch: Making Programming Easy and Fun John Maloney Lifelong Kindergarten Group MIT Media Laboratory My Software Passions Smalltalk Other fun, dynamic programming languages Implementing such languages User Interface

257 views • 15 slides
INTERNET DRAFTS TODAY Basic concepts Markdown Git I-D Template GitHub C-I

INTERNET DRAFTS TODAY Basic concepts Markdown Git I-D Template GitHub C-I

GIT, GITHUB, AND MARKDOWN FOR Mike Bishop INTERNET DRAFTS TODAY Basic concepts Markdown Git I-D Template GitHub C-I Systems Getting started with I-D Template and GitHub Local setup each machine Repo setup

492 views • 32 slides
Chapter 08 Trophic Dynamics in Evolutionary Context FIGURE 8-1 This simple compartment model

Chapter 08 Trophic Dynamics in Evolutionary Context FIGURE 8-1 This simple compartment model

Chapter 08 Trophic Dynamics in Evolutionary Context FIGURE 8-1 This simple compartment model illustrates the basic grazing food chain along with the decomposer compartment. Note that decomposers do not fit into the linear food chain, and note

433 views • 41 slides
Which should I use for producing print publications? Michael Miller Vice President Antenna

Which should I use for producing print publications? Michael Miller Vice President Antenna

CSS or XSL-FO: Which should I use for producing print publications? Michael Miller Vice President Antenna House, Inc. mike@antennahouse.com www.antennahouse.com Is This A Marketing Talk? Every Technical Detail ? Pages, Print &amp; Paper

623 views • 58 slides
Page 1 Malignant Peripheral Nerve Sheath Tumor Protein Correlates of Molecular Genetic Arise

Page 1 Malignant Peripheral Nerve Sheath Tumor Protein Correlates of Molecular Genetic Arise

NEXT-GENERATION IMMUNOHISTOCHEMISTRY Disclosures FOR SOFT TISSUE TUMORS: FROM DIFFERENTIATION TO MOLECULAR GENETICS Dr. Jason Hornick discloses the following financial interests: Jason L Hornick, MD, PhD Director of Surgical Pathology

400 views • 25 slides
Permutation Ciphers Instead of substituting different characters, scramble up the existing

Permutation Ciphers Instead of substituting different characters, scramble up the existing

Permutation Ciphers Instead of substituting different characters, scramble up the existing characters Use algorithm based on the key to control how theyre scrambled Decryption uses key to unscramble Lecture 3 Page 1 CS 236

734 views • 10 slides
review From Data to Insight Dr. etinkaya-Rundel July 11, 2016 Terminology R: statistical

review From Data to Insight Dr. etinkaya-Rundel July 11, 2016 Terminology R: statistical

review From Data to Insight Dr. etinkaya-Rundel July 11, 2016 Terminology R: statistical programming language RStudio: front-end software for R that allows you to organize your files and plot, keeps a history of your command, and

475 views • 9 slides
E COLOGICAL NICHE MODELING AND INFECTIOUS DISEASE : CONSIDERING SPACE , TIME , AND EVOLUTION W HAT

E COLOGICAL NICHE MODELING AND INFECTIOUS DISEASE : CONSIDERING SPACE , TIME , AND EVOLUTION W HAT

E COLOGICAL NICHE MODELING AND INFECTIOUS DISEASE : CONSIDERING SPACE , TIME , AND EVOLUTION W HAT IS E COLOGICAL N ICHE M ODELING ? Estimate the complete or possible geographic distribution for a species using correlation of environmental

640 views • 30 slides

More recommend