minemu
play

Minemu The world's fastest taint tracker Attack detection aimed at - PowerPoint PPT Presentation

Apr 22, 2023 •260 likes •669 views

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present!

  1. Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos

  2. Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present! 2

  3. T aint tracking: useful, but slow photo: sammydavisdog@flickr 3

  4. Performance problems fred_v@flickr 4

  5. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 5

  6. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 5

  7. Memory layout LINUX USER 6

  8. Memory layout (minemu) USER inaccessible minemu TAINT 7

  9. Memory layout (minemu) write to x USER inaccessible minemu TAINT 7

  10. Memory layout (minemu) write to x USER inaccessible minemu TAINT x+const 7

  11. Memory layout (minemu) USER inaccessible minemu TAINT 7

  12. Memory layout (minemu) USER inaccessible minemu TAINT 7

  13. Addressing shadow memory mov EAX, (EDX) 8

  14. Addressing shadow memory mov EAX, (EDX) address: EDX 8

  15. Addressing shadow memory mov EAX, (EDX) address: EDX taint: EDX+ const 8

  16. Addressing shadow memory mov EAX, (EDX+EBX*4) 9

  17. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 9

  18. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 taint: EDX+EBX*4+ const 9

  19. Addressing shadow memory push ESI 10

  20. Addressing shadow memory push ESI address: ESP 10

  21. Addressing shadow memory push ESI address: ESP taint: ESP+ const 10

  22. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 11

  23. T aint propagation in SSE registers xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit 12

  24. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit 12

  25. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 12

  26. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) vector insert 12

  27. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) or 12

  28. Is this slowness fundamental? minemu memory layout use SSE registers to hold taint fast emulator 13

  29. Emulator - translates large code chunks - keeps register state the same - aggressive caching 14

  30. Effectiveness Application Type of vulnerability Security advisory Snort 2.4.0 Stack overflow CVE-2005-3252 Cyrus imapd 2.3.2 Stack overflow CVE-2006-2502 Samba 3.0.22 Heap overflow CVE-2007-2446 Nginx 0.6.32 Buffer underrun CVE-2009-2629 Memcached 1.1.12 Heap overflow CVE-2009-2415 Proftpd 1.3.3a Stack overflow CVE-2010-4221 Samba 3.2.5 Heap overflow CVE-2010-2063 Ncompress 4.2.4 Stack overflow CVE-2001-1413 Iwconfig V.26 Stack overflow CVE-2003-0947 Aspell 0.50.5 Stack overflow CVE-2004-0548 Htget 0.93 Stack overflow CVE-2004-0852 Socat 1.4 Format string CVE-2004-1484 Aeon 0.2a Stack overflow CVE-2005-1019 Exim 4.41 Stack overflow EDB-ID#796 Htget 0.93 Stack overflow Tipxd 1.1.1 Format string OSVDB-ID#12346 15

  31. Performance HTTP HTTPS 16

  32. Performance SPECINT 2006 2.4x overall 5 4 3 2 1 0 400.perlbench 401.bzip2 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp 473.astar 483.xalancbmk overall 3 2 1 0 gzip OpenSSH PostgreSQL MediaWiki (scp+sshd) (pgbench) (HTTPS) 17

  33. Minemu is available now website runs on minemu source code is available Apache 2.0 licenced 18

  34. Minemu https://minemu.org/ The world's fastest taint tracker 19

  35. Minemu https://minemu.org/ The world's fastest taint tracker (until the next conference?) 19

  36. Demo 20

  38. Threads - duplicate cache structures - keep cache base address in SSE - code-deletion corner case 21

  39. Memory layout (64 bit) USER TAINT USER USER TAINT TAINT USER TAINT 22

  40. Memory layout (minemu) USER inaccessible minemu TAINT 23

More recommend