Platform-Independent Programs Sang Kil Cha, Brian Pak, David Brumley Carnegie Mellon University Richard J. Lipton Georgia Institute of Technology 17th ACM CCS (October, 2010)
Outline • Introduction • Problem Statement • Approach • RG Design • Implementation • Related Work A Seminar at Advanced Defense Lab
Introduction x86
Platform-Independent Program? • A typical and often implicit security assumption is that a program is only semantically meaningful on one platform • Radically different instruction sets • Different program encodings • But, is it true?
In this paper • Automatically generate a single binary string that • is a valid program on some architectures • can have completely different desired runtime behaviors
Security-Critical Implications • Steganography • m1(b) = normal program • m2(b) = secret information • Rogue Updates • m1(b) = normal program • mupdate(b) = malware • Security measures, such as digitally signing the code, are insufficient since they only verify that the code itself has not been tampered with, not the execution environment
Security-Critical Implications • Exfiltration Protection • m1(b) = important program • m2(b) = delete itself • Viruses and Shellcode • New Architecture • A company switches from architecture A to B
Problem Statement • Notation • Σ = {0, 1} • Bit string • mj(bi) • The execution of program bi on machine mj • (bi, mj) • bi is compiled for mj • bi is not a valid string on mj
Problem Definition • Platform-Independent Program • PIP generation challenge • Given (bi, mj) list
Approach b1 b2 b3 bpip
Gadgets b1 b2 b3 A Gadget
Gadget Header Example
Connecting Gadgets
Generation Algorithm
RG Design • Header-Init: Finding Gadget Headers • (nop)* (jmp) (.)* • Header generation algorithm • Enumerating all possible strings X • several days for a 4-byte header • Make header templates • Computing the intersection of templates
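The Header-Init step above, as an added example written for this page and not the authors' RG tool: each machine's (nop)* (jmp) (.)* patterns are written as byte templates with wildcards, the templates are intersected byte-wise to obtain candidate gadget headers, and the wildcards left over are the bytes a generator may set to choose each machine's jump target. The template sets are a constructed, deliberately incomplete sample, so the empty three-machine result only shows why this toy set would need longer headers, not what the real search finds.

```python
from itertools import product

# Template = tuple of fixed bytes (int) or wildcards (None); 'EB ?? ?? EA' -> (0xEB, None, None, 0xEA)
def parse(pattern):
    return tuple(None if tok == "??" else int(tok, 16) for tok in pattern.split())

def intersect(a, b):
    """Byte-wise unification of two equal-length templates; None on a clash."""
    out = []
    for x, y in zip(a, b):
        if x is not None and y is not None and x != y:
            return None
        out.append(x if x is not None else y)
    return tuple(out)

def candidate_headers(templates_by_machine):
    """Headers that match at least one template of every machine (the intersection step)."""
    found = set()
    for combo in product(*templates_by_machine.values()):
        cur = combo[0]
        for t in combo[1:]:
            cur = intersect(cur, t)
            if cur is None:
                break
        if cur is not None:
            found.add(cur)
    return found

# Constructed sample templates for 4-byte headers (the real tool derives its
# sets from hundreds of atomic NOPs per machine, so these are far from complete).
# Encodings used: x86 '90'=nop, 'EB rel8'=short jmp; ARM A32 little-endian
# 'B imm24' has 0xEA as its 4th byte; MIPS big-endian 'beq $0,$0,off' = '10 00 ?? ??'.
TEMPLATES = {
    "x86":  [parse(p) for p in ("90 90 EB ??", "90 EB ?? ??", "EB ?? ?? ??")],
    "arm":  [parse("?? ?? ?? EA")],
    "mips": [parse("10 00 ?? ??")],
}

def jump_targets(h):
    """Where a concrete x86/ARM header sends each machine, as offsets from the header start."""
    i = 0
    while h[i] == 0x90:          # x86: skip leading nops, then EB rel8 (signed)
        i += 1
    assert h[i] == 0xEB
    rel = h[i + 1] - 256 if h[i + 1] >= 0x80 else h[i + 1]
    imm = h[0] | (h[1] << 8) | (h[2] << 16)   # ARM: imm24, little-endian word
    if imm & 0x800000:                        # sign-extend; target = PC (start + 8) + imm << 2
        imm -= 1 << 24
    return i + 2 + rel, 8 + (imm << 2)
```

Filling the wildcards of `EB ?? ?? EA` with small positive values gives forward jumps on both machines, which is where the gadget bodies would then be placed.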
RG Design • Disassemble, Gadget-Gen, and Merge
RG Design – PI Translation
PI Translation
Implementation • RG is currently implemented in about 5,000 lines of a mixture of C++ and Ruby. • The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers
Instruction Validity • 32-bit long • 90.12% for ARM • 68.46% for MIPS • 32.69% for x86 12.31%
Gadget Header • Atomic NOPs • 326 for x86 • 241 for ARM • 14,709,948 for MIPS • Three-architecture gadget headers • 4×10^14 for 12-byte long • 0.07 sec for 4-byte, 16 secs for 8-byte, 7 hours for 12-byte
Gadget Header
Evaluation • Hello world • Prime Checker • Shellcode • Vulnerabilities • Snort 2.4 • iPhone's CoreAudio library
Evaluation Using PI Translation
Evaluation
Related Work • Multi-Platform Execution • Fat binary • two independent program images are combined with special meta-data that is used at run-time to select the appropriate image • Drew Dean in 2003 • Nemo in 2005
Related Work (cont.) • Steganography • Simmons in 1984 • The prisoner's problem
Discussion • PIP length • More Gadget Headers • Large Input Programs • Indirect Jumps and Self-Modifying Code • Generating Platform • m(b) = normal program • generate m' • m'(b) = malware
Thank You