deploying dynamic analyses and preventing compiler
play

Deploying Dynamic Analyses and Preventing Compiler Backdoors with - PowerPoint PPT Presentation

Mar 26, 2023 •205 likes •945 views

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus Pina l.pina@imperial.ac.uk Joint work with Cristian Cadar , Anastasios Andronidis , and John Regehr Imperial College London, UK University of

  1. Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Luís Pina l.pina@imperial.ac.uk Joint work with Cristian Cadar , Anastasios Andronidis , and John Regehr Imperial College London, UK University of Utah, USA Runtime Verification beyond Monitoring (ArVi) ICT COST Action IC1402 Barcelona, March 10th, 2016

  2. Deploying Dynamic Analysis? Why? ./server 2

  3. Deploying Dynamic Analysis? Why? ./server Segmentation fault 3

  4. Deploying Dynamic Analysis? Why? ./server 4

  5. Deploying Dynamic Analysis? Why? valgrind --tool=memcheck server Invalid read of size 32 by 0x40B07FF4: memcpy (mc_replace_strmem.c:635) by 0x40AC751B: dtls1_process_heartbeat(SSL *s) (ssl/d1_both.c:1497) Address 0xBFFFF0E0 is not stack’d, malloc’d or free’d 5

  6. Deploying Dynamic Analysis? Why? valgrind --tool=memcheck server Invalid read of size 32 by 0x40B07FF4: memcpy (mc_replace_strmem.c:635) by 0x40AC751B: dtls1_process_heartbeat(SSL *s) (ssl/d1_both.c:1497) Address 0xBFFFF0E0 is not stack’d, malloc’d or free’d 7x–57x slowdown 6

  7. Deploying Dynamic Analysis? Why? gcc -fsanitize=address server.c -o server ./server ==2268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000013748 at pc 0x7f228f5f0cfa READ of size 32768 at 0x629000013748 thread T0 #0 0x43d075 in memcpy /usr/include/bits/string3.h:51 #1 0x43d075 in tls1_process_heartbeat ssl/t1_lib.c:2586 #2 0x50e498 in ssl3_read_bytes ssl/s3_pkt.c:1092 #3 0x51895c in ssl3_get_message ssl/s3_both.c:457 ... ==2268== ABORTING 1.10x–2.67x slowdown 7

  8. N-Version Execution Server 8

  9. N-Version Execution Version 1 Server Coordinator Version 2 9

  10. N-Version Execution Version 1 Server Coordinator Version 2 10

  11. N-Version Execution Version 1 Server Coordinator Version 2 11

  12. N-Version Execution Version 1 Server Coordinator Version 2 12

  13. Varan Version 1 Coordinator Version 2 13

  14. Varan Version 1 Leader Coordinator Version 2 Follower 1 14

  15. Varan Version 1 Leader Version 2 Follower 1 15

  16. Varan Version 1 Leader Version 2 Follower 1 16

  17. Varan Version 1 Leader Version 2 Follower 1 17

  18. Varan Version 1 Leader Version 2 Follower 1 18

  19. Varan Version 1 Leader Version 2 Follower 1 19

  20. Varan Version 1 Leader Version 2 Follower 1 20

  21. Varan Version 1 Leader Version 2 Follower 1 21

  22. Varan Version 1 Leader Version 2 Follower 1 22

  23. Varan Version 1 Leader Version 2 Follower 1 23

  24. Varan System calls 01 02 while ( true ) { 03 04 sckt = accept(); // Wait for client 05 req = parse(read(skt)); // Handle request 06 07 file = open(req); 08 rsp = read(file); 09 10 11 // Send response 12 write(skt, rsp); 13 14 } 15 24

  25. Varan System calls 01 02 while ( true ) { 03 04 sckt = accept (); // Wait for client 05 req = parse( read (skt)); // Handle request 06 07 file = open (req); 08 rsp = read (file); 09 10 11 12 write (skt, rsp); // Send response 13 14 } 15 25

  26. Varan Version 1 Leader Version 2 Follower 1 26

  27. Varan Version 1 Leader Version 2 Follower 1 1x–1.17x slowdown 27

  28. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 28

  29. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 29

  30. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 30

  31. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 31

  32. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 32

  33. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 33

  34. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 34

  35. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 35

  36. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 36

  37. Varan + Dynamic Analysis Leader Native Follower 1 Sanitized 37

  38. Larger ringbuffer? Leader Native Follower 1 Sanitized 38

  39. Larger ringbuffer? Leader Native Follower 1 Sanitized 39

  40. Larger ringbuffer Interactive applications ◮ alias vim =’vx vim vim-asan’ ◮ alias htop =’vx htop htop-asan’ ◮ alias mutt =’vx mutt mutt-asan’ ◮ alias ssh =’vx ssh ssh-asan’ ◮ alias ls =’vx ls ls-asan’ 40

  41. Drop requests Leader Native Follower 1 41 Sanitized

  42. Drop requests Leader ? Native Follower 1 42 Sanitized

  43. Drop requests Leader ✓ ? Native Follower 1 43 Sanitized

  44. Drop requests Leader ? Native Follower 1 44 Sanitized

  45. Drop requests Leader ✗ ? Native Follower 1 45 Sanitized

  46. Experiment Check performance with varying drop rate on simple HTTP server ◮ Single process/thread ◮ gcc -fsanitize=address on follower ◮ BZip2 the response 46

  47. Results 219 # files downloaded in 30 seconds 196 HTTP Server HTTP Server Native HTTP Server Native No Varan Varan 47

  48. Results 219 219 # files downloaded in 30 seconds # files downloaded in 30 seconds 196 196 HTTP Server HTTP Server Native HTTP Server HTTP Server 93 82 Sanitized Native HTTP Server No Varan No Varan Varan Varan Sanitized 48

  49. Results 219 219 216 204 209 201 # files downloaded in 30 seconds # files downloaded in 30 seconds # files downloaded in 30 seconds 196 196 197 HTTP Server HTTP Server 182 141 Native 122 HTTP Server HTTP Server 109 99 93 82 Sanitized Native HTTP Server No Varan No Varan Varan Varan 2.75 13.3 23.7 32.1 38.8 50.3 65.6 82.5 88.3 97.0 Sanitized sanitized requests (%) 49

  50. Multi-version execution for security 50

  51. a or b? 01 int x = 1; 02 03 void f(void) { if (5 % (3 * x) + 2 != 4) 04 05 puts("a"); else 06 07 puts("b"); 08 } 51

  52. a or b? 01 int x = 1; 02 03 void f(void) { if (5 % (3 * x) + 2 != 4) 04 05 puts("a"); else 06 07 puts("b"); 08 } Clang 3.3 says a https://llvm.org/bugs/show_bug.cgi?id=15940 52

  53. sudo 01 htop 02 # command not found: htop 03 04 apt-get install htop 05 # Permission denied, are you root? 06 07 sudo apt-get install htop 08 # Installing... 09 10 htop 11 # running htop... 53

  54. sudo 01 whoami 02 # user 03 04 sudo whoami 05 # root 54

  55. sudo backdoor 01 gcc sudo.c -o sudo-gcc 02 clang sudo.c -o sudo-clang 03 04 ./sudo-gcc whomai 05 # user is not in the sudoers file. 06 # This incident will be reported. 07 08 ./sudo-clang whomai 09 # root 10 11 12 https://github.com/regehr/sudo-1.8.13/tree/ compromise/backdoor-info 55

  56. sudo backdoor 01 gcc sudo.c -o sudo-gcc 02 clang sudo.c -o sudo-clang 03 04 ./sudo-gcc whomai 05 # user is not in the sudoers file. 06 # This incident will be reported. 07 08 ./sudo-clang whomai 09 # root 10 11 vx ./sudo-gcc ./sudo-clang -- whoami 12 # divergence detected, terminating Cristian Cadar and Luís Pina and John Regehr, Multi-Version Execution Defeats a Compiler-Bug-Based Backdoor , http://blog.regehr.org/archives/1282 , 2015 56

  57. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } 57

  58. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y Result 1 2 3 58

  59. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y Result 1 2 3 1000000000 1000000000 2000000000 59

  60. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y Result 1 2 3 1000000000 1000000000 2000000000 2000000000 2000000000 2147483647 60

  61. Undefined behavior 01 int saturating_add(int x, int y) { 02 if (x > 0 && y > 0 && x + y < 0) return INT_MAX; 03 if (x < 0 && y < 0 && x + y > 0) 04 return INT_MIN; 05 return x + y; 06 07 } x y gcc -O0 gcc -O2 1 2 3 3 1000000000 1000000000 2000000000 2000000000 2000000000 2000000000 2147483647 -294967296 61

  62. Multi-version execution for security ◮ Prevents compiler backdoors ◮ Detects exploits based on undefined behavior ◮ Interesting programs: ◮ Sudo ◮ OpenSSH ◮ Password vaults ◮ GnuPG 62

Recommend

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM Research Dynamic Web Applications p. 1 Outline Characteristics of a Web application. Building on what we have. Whats left to solve.

487 views • 22 slides
Compiler Analyses for Improved Return Value Prediction Christopher J.F . Pickett Clark

Compiler Analyses for Improved Return Value Prediction Christopher J.F . Pickett Clark

Compiler Analyses for Improved Return Value Prediction Christopher J.F . Pickett Clark Verbrugge { cpicke,clump } @sable.mcgill.ca School of Computer Science, McGill University Montr eal, Qu ebec, Canada H3A 2A7 Overview Introduction

759 views • 49 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides
Verified translation validation of static analyses Sandrine Blazy joint work with Gilles Barthe,

Verified translation validation of static analyses Sandrine Blazy joint work with Gilles Barthe,

Verified translation validation of static analyses Sandrine Blazy joint work with Gilles Barthe, Vincent Laporte, David Pichardie and Alix Trieu IFIP WG 1.9/2.15, Leuven, 2017-05-11 1 Background: verifying a compiler Compiler + proof that the

446 views • 19 slides
263-2810: Advanced Compiler Design Compilation with dynamic information Thomas R. Gross Computer

263-2810: Advanced Compiler Design Compilation with dynamic information Thomas R. Gross Computer

263-2810: Advanced Compiler Design Compilation with dynamic information Thomas R. Gross Computer Science Department ETH Zurich, Switzerland Outline Dynamic information: Information obtained at runtime During program execution Why use

1.16k views • 63 slides
Another Dynamic Algorithm: Scoreboard Summary Tomasulo Algorithm Speedup 1.7 from compiler;

Another Dynamic Algorithm: Scoreboard Summary Tomasulo Algorithm Speedup 1.7 from compiler;

Another Dynamic Algorithm: Scoreboard Summary Tomasulo Algorithm Speedup 1.7 from compiler; 2.5 by hand For IBM 360/91 about 3 years after CDC 6600 BUT slow memory (no cache) limits benefit Goal: High Performance without special

303 views • 3 slides
A Dynamic to Static DSL Compiler for Image Processing Applications Compilers for Parallel

A Dynamic to Static DSL Compiler for Image Processing Applications Compilers for Parallel

A Dynamic to Static DSL Compiler for Image Processing Applications Compilers for Parallel Computing 2016 Pierre Guillou, Benot Pin, Fabien Coelho, Franois Irigoin July 8, 2016, Valladolid, Spain MINES ParisTech, PSL Research University,

325 views • 31 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures) Thomas Noll Lehrstuhl f ur Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

384 views • 22 slides
Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures)

Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures) Thomas Noll Lehrstuhl f ur Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

945 views • 46 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Compiler/Run-Time Framework for Dynamic Data-Flow Parallelization of Tiled Programs Martin Kong 1

Compiler/Run-Time Framework for Dynamic Data-Flow Parallelization of Tiled Programs Martin Kong 1

Compiler/Run-Time Framework for Dynamic Data-Flow Parallelization of Tiled Programs Martin Kong 1 Antoniu Pop 2 R. Govindarajan 3 Louis-Nol Pouchet 1 Albert Cohen 4 P . Sadayappan 1 1 The Ohio State University 2 The University of Manchester 3

200 views • 4 slides
252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2 Admin issues Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1.1

1.27k views • 46 slides
Introduction Demands on and expectations for simulated representations of the natural

Introduction Demands on and expectations for simulated representations of the natural

Geospatial Data Quality for Analytical Command and Control Applications: Preventing the Tanker Tw o-Step Robert Richbourg and George Lukes Institute for Defense Analyses 4850 Mark Center Drive Alexandria, VA rrichbou@ida.org,

513 views • 10 slides
Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan

Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan

Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan Zhang, Mathew Salvaris Microsoft https://github.com/microsoft/deploy-MLmodels-on-iotedge Cloud Analytics Edge Analytics Device/Sensor Analytics

373 views • 34 slides
Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &amp;

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &amp;

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &amp; Artificial Intelligence Lab http://pag.csail.mit.edu/~mernst/ PASTE June 7, 2004 Michael Ernst, page 1 Goals Theme: Static and dynamic analyses

451 views • 34 slides
Preventing Preventing Sepsis: Sepsis: A C A Community B ommunity Based ased Approach

Preventing Preventing Sepsis: Sepsis: A C A Community B ommunity Based ased Approach

Preventing Preventing Sepsis: Sepsis: A C A Community B ommunity Based ased Approach Approach NY NYS S Se Senior nior Acti Action on Co Coun uncil cil Dec Decem embe ber 13 r 13, , 20 2016 16 Ev Eve e Bank Bankert ert

283 views • 24 slides
Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1 OUTLINE INTRODUCTION to dynamic instrumentation Trap instruction INstruction punning technique Proposed compiler-assisted technique

662 views • 31 slides
deploying a wsn on an active volcano Clay McLeod September 29, 2015 1 references Paper

deploying a wsn on an active volcano Clay McLeod September 29, 2015 1 references Paper

deploying a wsn on an active volcano Clay McLeod September 29, 2015 1 references Paper Werner-Allen, G., Lorincz, K., Ruiz, M., Marcillo, O., Johnson, J., Lees, J., &amp; Welsh, M. (2006). Deploying a wireless sensor network on an active

779 views • 58 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Statically vs. Dynamically typed languages

251 views • 9 slides
Experiences in deploying the high-end Experiences in deploying the high-end visualization

Experiences in deploying the high-end Experiences in deploying the high-end visualization

Experiences in deploying the high-end Experiences in deploying the high-end visualization application in the visualization application in the transatlantic GLIF environment transatlantic GLIF environment Marek Baewicz marqs@man.poznan.pl

427 views • 26 slides
Baseline Analyses Using Baseline Analyses Using DBP (2006) &amp; AMP (2008) DBP (2006) &amp; AMP

Baseline Analyses Using Baseline Analyses Using DBP (2006) &amp; AMP (2008) DBP (2006) &amp; AMP

Baseline Analyses Using Baseline Analyses Using DBP (2006) &amp; AMP (2008) DBP (2006) &amp; AMP (2008) Program Data Program Data Steven Braithwait Christensen Associates Energy Consulting Conference Call May 26, 2009 Project Objectives

513 views • 16 slides
Cost-Effective Resource Allocation for Deploying 1 Vinay Setty vsetty@mpi-inf.mpg.de Pub/Sub

Cost-Effective Resource Allocation for Deploying 1 Vinay Setty vsetty@mpi-inf.mpg.de Pub/Sub

Cost-Effective Resource Allocation for Deploying 1 Vinay Setty vsetty@mpi-inf.mpg.de Pub/Sub on Cloud Published in ICDCS 2014 Roman Vitenberg Maarten van Steen Gunnar Kreitz Guido Urdaneta Cost-Effective Resource Allocation for Deploying

904 views • 41 slides

More recommend