WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES



SLIDE 1

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG

UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY

FUNDING SUPPORT PROVIDED BY DOE-OE AND DHS S&T


WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES
REBECCA “.bx” SHAPIRO

DARTMOUTH COLLEGE, NOVEMBER 2013

SLIDE 2

OUTLINE/CONTRIBUTIONS

  • Highlight metadata as a mostly undefended attack vector
  • Demonstrate metadata-driven computation environment
    – “Weird machine”
    – Runtime loader → machine
    – Program metadata → instructions

  • Discuss defenses

SLIDE 3

TRADITIONAL VIEW OF EXECUTABLES

SLIDE 4

OUR VIEW OF EXECUTABLES

SLIDE 5

ELF AND METADATA IN THE POWER GRID

  • ELF – one way to package code and data
    – Executable and Linking Format
    – Binary metadata/file format of Linux/Unix
      • (Windows uses PE; OSX uses Mach-O)
  • ELF in the power grid
    – Embedded Linux
      • Kernel binary
      • Kernel modules
      • Executable binaries
      • Shared libraries

Program code

SLIDE 6

HOW TO LOAD/EXECUTE AN ELF

SLIDE 7

HOW TO LOAD/EXECUTE AN ELF


Weird machines lurk here

SLIDE 8

ELF DYNAMIC RELOCATION METADATA

  • Intended behavior
    – Processed by RTLD (the runtime loader)
    – Instructs RTLD to write given value at given address
  • Unintended behavior
    – Can locate base address of randomized libraries
    – Can perform dynamic linking
    – Can perform arbitrary computation (WOOT 2013)
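Because every entry in a relocation table is an instruction to the RTLD to write somewhere, a defender can audit the table for entries that ordinary linking would never produce. The checker below is an added example, not code from the talk or from any of its tools: it decodes an Elf64_Rela table and flags writes that leave every writable PT_LOAD range, relocation types outside the usual x86-64 set, and symbol indices past the end of .dynsym. The addresses, segment range, symbol count and sample table are all constructed for the example.

```python
import struct
from collections import namedtuple

# x86-64 relocation types an ordinary dynamically linked binary carries.
R_X86_64_64, R_X86_64_GLOB_DAT, R_X86_64_JUMP_SLOT, R_X86_64_RELATIVE = 1, 6, 7, 8
EXPECTED_TYPES = {R_X86_64_64, R_X86_64_GLOB_DAT, R_X86_64_JUMP_SLOT, R_X86_64_RELATIVE}
RELA_SIZE = 24  # sizeof(Elf64_Rela): r_offset, r_info, r_addend, 8 bytes each
# r_info packs the .dynsym index in its high 32 bits and the type in its low 32 bits.
Rela = namedtuple("Rela", "offset sym type addend")

def parse_rela(blob: bytes) -> list:
    """Decode the body of a .rela.dyn/.rela.plt section (little-endian Elf64_Rela[])."""
    if len(blob) % RELA_SIZE:
        raise ValueError("relocation table size is not a multiple of 24")
    return [Rela(o, info >> 32, info & 0xFFFFFFFF, a)
            for o, info, a in struct.iter_unpack("<QQq", blob)]

def audit_relocs(relocs, writable_ranges, nsyms):
    """Return (index, reason) for each entry that does not look like plain linking:
    an 8-byte write that leaves every writable PT_LOAD range, a relocation type
    outside the expected set, or a symbol index past the end of .dynsym."""
    findings = []
    for i, r in enumerate(relocs):
        if r.type not in EXPECTED_TYPES:
            findings.append((i, f"unexpected relocation type {r.type}"))
        if not any(lo <= r.offset and r.offset + 8 <= hi for lo, hi in writable_ranges):
            findings.append((i, f"target {r.offset:#x} outside writable segments"))
        if r.sym >= nsyms:
            findings.append((i, f"symbol index {r.sym} beyond .dynsym ({nsyms} entries)"))
    return findings

def _rela(offset, sym, typ, addend=0):
    return struct.pack("<QQq", offset, (sym << 32) | typ, addend)

# Constructed sample table: three benign entries, then two the RTLD would still
# apply but that no linker would emit for this layout.
SAMPLE_RELA = b"".join([
    _rela(0x403E10, 0, R_X86_64_RELATIVE, 0x401130),  # ok: pointer fixup in .data
    _rela(0x403FF0, 1, R_X86_64_GLOB_DAT),            # ok: GOT slot
    _rela(0x403018, 2, R_X86_64_JUMP_SLOT),           # ok: PLT GOT slot
    _rela(0x401000, 3, R_X86_64_64),                  # writes into the text segment
    _rela(0x403100, 9, 5),                            # R_X86_64_COPY, symbol past .dynsym
])
WRITABLE = [(0x403000, 0x404000)]  # constructed PT_LOAD range with PF_W set
NSYMS = 4                          # constructed .dynsym entry count

def demo():
    """Run the audit over the constructed table; returns [(3, ...), (4, ...), (4, ...)]."""
    return audit_relocs(parse_rela(SAMPLE_RELA), WRITABLE, NSYMS)
```

On a real binary the writable ranges come from the program headers (PT_LOAD with PF_W) and the symbol count from the .dynsym section size, so the same audit can run over every relocation section the loader will process.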

SLIDE 9

TAMING THE RTLD WEIRD MACHINE

  • Case study: ping in inetutils v1.8
  • Goal: insert backdoor that drops root shell
    – Without changing code
  • Facts about ping:
    – Widely used networking tool
    – Runs setuid as root
    – Drops privilege during execution
  • See 29C3 Talk
    – “The Care and Feeding of Weird Machines Found in Executable Metadata”

  • Available in both ELF and Mach-O flavors

SLIDE 10

TODAY’S DEFENSES ARE NOT SUFFICIENT

Photoshopped by Kythera of Anevern

  • Input validation
  • Data execution protection (DEP)
  • Address space layout randomization (ASLR)
  • Code signing/integrity checking
  • Access control (RWX)
  • (where is the vulnerability?)

SLIDE 11

OUR DEFENSE APPROACH #1: ELFBAC

  • A more generic weird machine defense
  • Build/enforce intra-process access control
  • Limit the chunks of addresses that chunks of running code can access
    – e.g.: libraries should not touch the application’s sensitive data
  • Enforce module-level control flow integrity
    – e.g.: data should be encrypted before being sent over the network
  • ELFbac: Using the Loader Format for Intent-level Semantics and Fine-grained Protection. Dartmouth Computer Science Technical Report TR2013-727

SLIDE 12

OUR DEFENSE APPROACH #2: LANGSEC

  • Defending against parser-based weird machines
  • Input  data  “instructions”
  • Input should be designed as a formal language
  • Input structure should be well-defined
  • Should not require a Turing machine to validate/interpret input
  • Regular expressions can be reasoned about
  • Weird machines lurk in Turing-complete recognizers
  • Langsec.org (Bratus et al.)

SLIDE 13

DO YOU KNOW WHAT WEIRD MACHINES LURK IN YOUR DATA?
