secubt hacking the hackers with user space virtualization
play

secuBT Hacking the Hackers with User-Space Virtualization - PowerPoint PPT Presentation

Dec 10, 2022 •281 likes •693 views

secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer <mathias.payer@inf.ethz.ch> 1 Mathias Payer: secuBT - User-Space Virtualization Motivation Virtualizing and encapsulating running programs is important:

  1. secuBT – Hacking the Hackers with User-Space Virtualization Mathias Payer <mathias.payer@inf.ethz.ch> 1 Mathias Payer: secuBT - User-Space Virtualization

  2. Motivation Virtualizing and encapsulating running programs is important: Sandboxing for server processes to guard against unknown software vulnerabilities Execution of untrusted code Offers different security contexts per user Untrusted code (program) user space Kernel space 2 Mathias Payer: secuBT - User-Space Virtualization

  3. Problem statement Programs can execute any system call No custom-tailored selection Security vulnerabilities can be used to execute unintended system calls These are not typical for the application Patches are a reactive form of security Untrusted code (program) user space kernel space 3 Mathias Payer: secuBT - User-Space Virtualization

  4. Solution: User-space Virtualization User-space virtualization encapsulates a running program Executed code is checked & validated Code can be wrapped or modified System calls are validated before execution User-space virtualization enables a proactive Untrusted code form of security (program) secuBT fake user system space calls kernel space 4 Mathias Payer: secuBT - User-Space Virtualization

  5. Introduction User-Space Virtualization is implemented through Dynamic Binary Translation Binary Translation as the art of adding, removing or replacing individual instructions Control over all user-code instructions 5 Mathias Payer: secuBT - User-Space Virtualization

  6. Contribution secuBT implements a User-Space Sandbox Dynamic BT used for the virtualization layer Privilege separation in user-space to guard BT System Call Interposition Framework Checks and validates all System Calls Ensures that the program cannot break out of the virtualization layer 6 Mathias Payer: secuBT - User-Space Virtualization

  7. Fahrplan Introduction Design and Implementation User-Space Virtualization through BT Basic Translator Optimizations Security Hardening System Call Interposition Framework Performance & Demonstration Conclusion 7 Mathias Payer: secuBT - User-Space Virtualization

  8. Dynamic BT Binary Translation (BT) as a program instrumentation tool Static vs. dynamic BT BT unit translates code before it is executed Checks and validates instructions based on translation tables Two levels of code execution: 'Privileged' code of the BT library Translated and cached user code 8 Mathias Payer: secuBT - User-Space Virtualization

  9. BT for Security Using BT the program is encapsulated in an additional protection layer All instructions are checked All (direct & indirect) jump targets are verified All system calls are verified 9 Mathias Payer: secuBT - User-Space Virtualization

  10. Design & Implementation BT in a nutshell: Original program Translator Code cache Opcode table 1' 0 1 3' Trampoline to translate 4 2 3 2' Mapping 3 3' 4 1 1' 2 2' 10 Mathias Payer: secuBT - User-Space Virtualization

  11. Fahrplan Introduction Design and Implementation User-Space Virtualization through BT Basic Translator Optimizations Security Hardening System Call Interposition Framework Performance & Demonstration Conclusion 11 Mathias Payer: secuBT - User-Space Virtualization

  12. Dynamic BT Translation efficiency Fast table-based translation process Code cache Efficiency of generated code Master control transfers Indirect jumps Indirect calls Function returns 12 Mathias Payer: secuBT - User-Space Virtualization

  13. Optimization: Translation Efficiency Table-based iterator Based on intermediate representation (IR) No global state or IR needed IR transformation and global state needed Instructions decoded according to information in Optimizations based on IR the translation tables rewriting Local peephole IR transformed back to optimizations like inlining machine code still possible 13 Mathias Payer: secuBT - User-Space Virtualization

  14. Optimization: Efficient Code Indirect control flow transfers are expensive Runtime lookup & patching Indirect control transfer replaced by software trap! Calculate target address from original instr. Execute software trap Lookup target (translated?) 1 instruction translated to ~30 instructions Fix return address and redirect to target Ensure that no ptr. to code cache leak Can we avoid that? Or lower the cost? 14 Mathias Payer: secuBT - User-Space Virtualization

  15. Optimization: Efficient Code Be clever about the code secuBT generates! Instruction encodings are manifold: Choose best fitting optimization Translate different indirect calls: 'Static': call *(fixed_location) Use a static prediction 'Dynamic': call *(%reg) Use inlined, fast dispatch Combination possible as well 15 Mathias Payer: secuBT - User-Space Virtualization

  16. Optimization: Efficient Code Static ind. call: call *(fixed_location) pushl src_addr pushl src_addr (1) jmp *xx(ind_target) cmpl $cached_target, *xx(i_trgt) (2) je $trans_target pushl *xx(ind_target) (3) pushl $tld pushl $addr_of_cached_target call fix_ind_call_predict 1. Push original src IP 2. Compare actual target w/ cached target & branch if prediction ok 3. Recover if there is a misprediction 16 Mathias Payer: secuBT - User-Space Virtualization

  17. Optimization: Efficient Code Dynamic ind. call: call *(reg) pushl src_addr pushl src_addr, *(reg), %ebx, %ecx jmp *(reg) movl 12(%esp), %ebx # load target movl %ebx, %ecx # duplicate ip andl HASH_PATTERN, %ebx # hash fct cmpl hashtlb(0, %ebx, 8), %ecx # check jne nohit movl hashtlb+4(0, %ebx, 8), %ebx # load trgt movl %ebx, (tld->ind_jmp_targt) popl %ecx, %ebx # epilogue leal 4(%esp), %esp # readjust stack jmp *(tld->ind_jmp_targt) # jmp to trans.trgt nohit: use ind_jump to recover 17 Mathias Payer: secuBT - User-Space Virtualization

  18. Optimization: Efficient Code Many more optimizations available: Return instructions Shadow stack or fast dispatch Indirect jumps Jumptable optimization Prediction, and fast dispatch Function inlining Complete or partial function inlining Optimizations bring competitive performance! 18 Mathias Payer: secuBT - User-Space Virtualization

  19. Fahrplan Introduction Design and Implementation User-Space Virtualization through BT Basic Translator Optimizations Security Hardening System Call Interposition Framework Performance & Demonstration Conclusion 19 Mathias Payer: secuBT - User-Space Virtualization

  20. Security Hardening BT enables additional security checks: Enforce NX-bit Check ELF headers, regions, and rights Protecting internal data structures ( mprotect ) Check and verify (valid) return addresses Checking & verifying indirect control transfers 20 Mathias Payer: secuBT - User-Space Virtualization

  21. Security: NX-bit Enforcing the NX-bit (1 bit / page) IA32 does not enforce the executable bit Only regions that are marked executable are allowed to contain code If code branches to a NX-region the program is terminated The translator checks for every new block if the source code is from an executable region 21 Mathias Payer: secuBT - User-Space Virtualization

  22. Security: ELF headers Checking ELF headers, regions, and rights Check call instructions to only call exported functions Check jump instructions to stay inside individual modules Enforce defined access rights on ELF regions, not on coarse-grained pages 22 Mathias Payer: secuBT - User-Space Virtualization

  23. Security: mprotect Protecting internal data structures Use mprotect calls to (write-)protect all internal data structures Remove protection when switching to the VM Reinstantiate protection when returning to user-code Write-protect all translated user-code regions and libraries Trade-off: Probabilistic to explicit protection through additional mprotect calls 23 Mathias Payer: secuBT - User-Space Virtualization

  24. Security: RIP Check and verify (valid) return addresses Match return addresses with addresses on a shadow stack hidden from user code 24 Mathias Payer: secuBT - User-Space Virtualization

  25. Security: References Check and verify indirect control transfers Validate target of indirect control transfers Indirect calls (e.g., function pointers) (Valid) return addresses Indirect jumps (e.g., switch tables) If target is not valid code, not in a code region, or the control transfer is illegal (e.g. jump into a different library) terminate the program 25 Mathias Payer: secuBT - User-Space Virtualization

  26. Fahrplan Introduction Design and Implementation User-Space Virtualization through BT Basic Translator Optimizations Security Hardening System Call Interposition Framework Performance & Demonstration Conclusion 26 Mathias Payer: secuBT - User-Space Virtualization

  27. System Call Interposition System calls through sysenter & int 80 redirected to validation function Depending on the system call and the arguments the system call is: Allowed and executed Disallowed and the program terminated Redirected to some user-space function Validation based on checker functions on a per system call basis 27 Mathias Payer: secuBT - User-Space Virtualization

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtualization Virtualization Memory virtualization Process feels like it has its own

Virtualization Virtualization Memory virtualization Process feels like it has its own

4/25/08 Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine External

441 views • 8 slides
Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH

Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH

Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application access to the minimum amount of data

890 views • 29 slides
Hacking the Law: A Hackers Safety Guide to Electronic Crime Laws of Pakistan Jawad A Sarwana

Hacking the Law: A Hackers Safety Guide to Electronic Crime Laws of Pakistan Jawad A Sarwana

Hacking the Law: A Hackers Safety Guide to Electronic Crime Laws of Pakistan Jawad A Sarwana Abraham &amp; Sarwana P.I.D.C House Karachi Ph : 568 7360 / 568 7370 Fax : 568 7364 Email : abrahams@cyber.net.pk Overview

347 views • 20 slides
4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Distributed Systems Storage virtualization Logical view of disks connected to a machine

407 views • 3 slides
EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong Liao Dong Yin Lixin Gao Yong Liao, Dong Yin, Lixin Gao Univ. of Massachusetts, Amherst Network Virtualization Platform Network Virtualization

367 views • 17 slides
Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year Ethical Hacking @MikeyJck BSc @ Abertay Member Abertay Ethical mikeyjck.io Hacking Society I &lt;3 Cryptography Whats all this then?

953 views • 37 slides
Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me

Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me

Virtually Pwned Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me Claudio Criscione The need for security Breaking virtualization means hacking the underlying layer accessing systems

781 views • 46 slides
meets Micro-Hypervisors: Towards a Virtualization Architecture for User-Centric Multi-Clouds Alex

meets Micro-Hypervisors: Towards a Virtualization Architecture for User-Centric Multi-Clouds Alex

Nested Virtualization meets Micro-Hypervisors: Towards a Virtualization Architecture for User-Centric Multi-Clouds Alex PALESANDRO Marc LACOSTE Nadia BENNANI Chirine GHEDIRA-GUEGAN SEC2 - 30 June 2015, Lille Is this the best of all possible

294 views • 6 slides
Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This simulated environment is called a virtual machine --Wikipedia 2 Computer Systems Arch.

1.26k views • 26 slides
Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized cybercrime Joseph Menn Agenda Agenda Why Russia matters (and differs from China) Why Russia matters (and differs from China) How three hackers got

557 views • 12 slides
CREATIVITY UNLOCKED: HOW TO MAKE LIBREOFFICE UI ELEMENTS MOVE Target audience New (UI)

CREATIVITY UNLOCKED: HOW TO MAKE LIBREOFFICE UI ELEMENTS MOVE Target audience New (UI)

CREATIVITY UNLOCKED: HOW TO MAKE LIBREOFFICE UI ELEMENTS MOVE Target audience New (UI) hackers Core hackers with little UI hacking experience What will we learn Add UNO command Add toolbar/sidebar button, menu entry with

348 views • 20 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks Luka Malisa , Kari

Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks Luka Malisa , Kari

Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks Luka Malisa , Kari Kostiainen, Thomas Knell, David Sommer, and Srdjan Capkun {firstname.lastname}@inf.ethz.ch knellt@student.ethz.ch User Interfaces Consists of input

726 views • 21 slides
Smart TV Hacking Nikos Sidiropoulos Periklis Stefopoulos Why Smart TVs are so attractive?

Smart TV Hacking Nikos Sidiropoulos Periklis Stefopoulos Why Smart TVs are so attractive?

Smart TV Hacking Nikos Sidiropoulos Periklis Stefopoulos Why Smart TVs are so attractive? More than a TV Popularity Transparency Not fully researched in security Hackers Paradise Research Question What kind of security

374 views • 8 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization Workshop on

Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization Workshop on

Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization Workshop on Mobility in the Evolving Internet Architecture Sep. 11, 2014, Maui, Hawaii, USA Yong Liao, Mario Baldi, Amedeo Sapio Gyan Ranjan, Alok Tongaonkar,

515 views • 14 slides
Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at

Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at

Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at the CHL Anything up to 36x48 is stored in folders and boxes Anything above that is encapsulated and

622 views • 39 slides
Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking

Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking

Introduction VXLAN prototype Security assessment Q&amp;A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security

430 views • 32 slides
Biological Products Micro-encapsulation November &amp; December 2017 Introduction Eden is an

Biological Products Micro-encapsulation November &amp; December 2017 Introduction Eden is an

Biological Products Micro-encapsulation November &amp; December 2017 Introduction Eden is an industrial biotechnology company that delivers Natural Solutions to challenges in plant protection, consumer products and animal health .

859 views • 18 slides
MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST

MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST

MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST AND HELP YOU GROW YOU ARE ARE YOU TAKING FULL ADVANTAGE? Training Business Development Tech Support Tribal Knowledge &amp; Resources IDI

671 views • 49 slides
Secret-free DRM and efficient delivery method Prepared for CPTWG. Jan 11 2007 Presented by Yves

Secret-free DRM and efficient delivery method Prepared for CPTWG. Jan 11 2007 Presented by Yves

c o n t e n t , u n p l u g g e d Secret-free DRM and efficient delivery method Prepared for CPTWG. Jan 11 2007 Presented by Yves Legris (yves@zotus.com) Contact: Vladan Djakovic, CEO 415.934.0373 voice, 415.934.1276 fx, vladan@zotus.com

126 views • 12 slides
Newbury BO 1447(32) Alternatives Presentation Meeting Town Highway 3, Bridge 15 over Wells River

Newbury BO 1447(32) Alternatives Presentation Meeting Town Highway 3, Bridge 15 over Wells River

Newbury BO 1447(32) Alternatives Presentation Meeting Town Highway 3, Bridge 15 over Wells River June 26, 2019 Introductions Laura Stone, P.E. VTrans Scoping Engineer Todd Sumner, P.E. VTrans Project Manager Purpose of Meeting Provide

796 views • 52 slides
Bryan Tomm Carmi, IL 8/4/17 1 Hypoxia The Hypoxia Zone in the Gulf of Mexico is one of the

Bryan Tomm Carmi, IL 8/4/17 1 Hypoxia The Hypoxia Zone in the Gulf of Mexico is one of the

Bryan Tomm Carmi, IL 8/4/17 1 Hypoxia The Hypoxia Zone in the Gulf of Mexico is one of the largest dead zones in the world Large seasonal impacts on marine life and fishing industry Nitrate runoff from farmland in the Mississippi River

595 views • 20 slides
and Fragmentation on Mosquito Community Dynamics Hayley Brant, Robert Ewers, Indra Vythilingam,

and Fragmentation on Mosquito Community Dynamics Hayley Brant, Robert Ewers, Indra Vythilingam,

Impacts of Tropical Deforestation and Fragmentation on Mosquito Community Dynamics Hayley Brant, Robert Ewers, Indra Vythilingam, Chris Drakeley, Suzan Benedick &amp; John Mumford Land Use Change Land use and land cover changes modify:

393 views • 15 slides

More recommend