minemu protecting buggy binaries from memory corruption
play

Minemu: Protecting buggy binaries from memory corruption attacks - PowerPoint PPT Presentation

Jan 29, 2023 •101 likes •1.22k views

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman <erik@minemu.org> Programming Languages type-safe vs. not type-safe Programming Languages type-safe vs. not type-safe Java Python Ruby Javascript

  1. Taint tracking (1/2): - remember whether data is trusted or not - untrusted data is 'tainted' - when data is copied, its taint is copied along - taint is ORed for arithmetic operations

  2. Taint tracking (2/2): When the code jumps to an address in memory, the source of this address is checked for taint. eg.: - RET - CALL *%eax - JMP *0x1c(%ebx)

  4. T aint tracking photo: sammydavisdog@ fl ickr useful, but slow as hell

  5. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  6. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  7. Emulator compile jit code

  8. Emulator run jit code compile jit code

  9. Emulator indirect jump run jit code find jump compile jit code address

  10. Emulator indirect jump lookup miss run jit code find jump compile jit code address

  11. Dynamic instrumentation t_eax = t_eax | t_ecx eax = eax + ecx eax = eax + ebx original code jit code

  12. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  13. Linux stack User heap/libs executable

  14. Memory layout (linux) linux kernel USER

  15. Memory layout (minemu) linux USER kernel minemu TAINT

  16. Memory layout (minemu) linux USER kernel minemu TAINT

  17. Memory layout (minemu) linux write to x USER kernel minemu TAINT

  18. Memory layout (minemu) linux write to x USER kernel minemu TAINT x+const

  19. Memory layout (minemu) taint data to linux user USER memory kernel minemu user TAINT data to taint memory

  20. Memory layout (minemu) taint data to linux user USER memory kernel minemu user TAINT data to taint memory

  21. Addressing shadow memory mov EAX, (EDX)

  22. Addressing shadow memory mov EAX, (EDX) address: EDX

  23. Addressing shadow memory mov EAX, (EDX) address: EDX taint: EDX+ const

  24. Addressing shadow memory mov EAX, (EDX+EBX*4)

  25. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4

  26. Addressing shadow memory mov EAX, (EDX+EBX*4) address: EDX+EBX*4 taint: EDX+EBX*4+ const

  27. Addressing shadow memory push ESI

  28. Addressing shadow memory push ESI address: ESP

  29. Addressing shadow memory push ESI address: ESP taint: ESP+ const

  30. Is this slowness fundamental? minemu fast emulator memory layout use SSE registers to hold taint

  31. T aint propagation in SSE registers xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit

  32. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) 128-bit

  33. T aint propagation in SSE registers add EDX, x xmm5 scratch register scratch register xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi)

  34. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) vector insert

  35. T aint propagation in SSE registers add EDX, x xmm5 T(x) T(x) xmm6 T(eax) T(eax) T(ecx) T(ecx) T(edx) T(edx) T(ebx) T(ebx) xmm7 T(esp) T(esp) T(ebp) T(ebp) T(esi) T(esi) T(edi) T(edi) or

  36. E ff ectiveness Application Type of vulnerability Security advisory Snort 2.4.0 Stack over fl ow CVE-2005-3252 Cyrus imapd 2.3.2 Stack over fl ow CVE-2006-2502 Samba 3.0.22 Heap over fl ow CVE-2007-2446 Memcached 1.1.12 Heap over fl ow CVE-2009-2415 Nginx 0.6.32 Buffer underrun CVE-2009-2629 Proftpd 1.3.3a Stack over fl ow CVE-2010-4221 Samba 3.2.5 Heap over fl ow CVE-2010-2063 Telnetd 1.6 Heap over fl ow CVE-2011-4862 Ncompress 4.2.4 Stack over fl ow CVE-2001-1413 Iwcon fi g V.26 Stack over fl ow CVE-2003-0947 Aspell 0.50.5 Stack over fl ow CVE-2004-0548 Htget 0.93 Stack over fl ow CVE-2004-0852 Socat 1.4 Format string CVE-2004-1484 Aeon 0.2a Stack over fl ow CVE-2005-1019 Exim 4.41 Stack over fl ow EDB-ID#796 Htget 0.93 Stack over fl ow Tipxd 1.1.1 Format string OSVDB-ID#12346

  37. Performance HTTP HTTPS

  38. Performance SPECINT 2006 2.4x overall 5 4 3 2 1 0 400.perlbench 401.bzip2 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp 473.astar 483.xalancbmk overall 3 2 1 0 gzip OpenSSH PostgreSQL MediaWiki (scp+sshd) (pgbench) (HTTPS)

  39. Limitations

  40. Limitations Doesn't prevent memory corruption, only acts when the untrusted data is used for arbitrary code execution.

  41. Limitations Tainted pointer dereferences ->some_field = useful_untainted_value; tainted_pointer

  42. Limitations Tainted pointer dereferences ->some_field = useful_untainted_value; tainted_pointer propagation can lead to false positives: dispatch_table[ ](); checked_input

  43. Limitations Taint whitewashing out = latin1_to_ascii[ ]; in

  44. Limitations Format string attacks: printf( ); "%65534s %123$hn" // Propagates taint in glibc printf( ); // Does not :-( "FillerFiller...%123$hn"

  45. Limitations Does not protect against non-control-flow exploits

  46. Limitations Does not protect against non-control-flow exploits void char char try_system( *username, *cmd) { user_rights = get_credentials(username); int 16 char buf[16] ; strcpy(buf, username); (user_rights & ) ALLOW_SYSTEM if system(cmd); else log_error( , buf); "user attempted login" %s }

  47. Limitations Does not protect against non-control-flow exploits void char char try_system( *username, *cmd) { user_rights = get_credentials(username); int 16 char buf[16] ; strcpy(buf, username); (user_rights & ) ALLOW_SYSTEM if system(cmd); else log_error( , buf); "user attempted login" %s }

  48. Limitations Does not protect against non-control-flow exploits void char char try_system( *username, *cmd) { user_rights = get_credentials(username); int 16 char buf[16] ; strcpy(buf, username); (user_rights & ) ALLOW_SYSTEM if system(cmd); else log_error( , buf); "user attempted login" %s }

Recommend

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman &lt;erik@minemu.org&gt; Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and

Destroy All Memory Corruption by Walter Bright Dconf 2020 Memory Corruption A pernicious and expensive problem Impractical to manually review code for it Corruption can easily be introduced by unwary changes (again with the

702 views • 45 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present!

669 views • 40 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

340 views • 4 slides
R2-D2 Goes to Buggy Emily Yeh &amp; Anastassia Kornilova 1/33 Buggy R2D2 Goes to Buggy by

R2-D2 Goes to Buggy Emily Yeh &amp; Anastassia Kornilova 1/33 Buggy R2D2 Goes to Buggy by

R2-D2 Goes to Buggy Emily Yeh &amp; Anastassia Kornilova 1/33 Buggy R2D2 Goes to Buggy by Anastassia Kornilova &amp; Emily Yeh 2/33 Vehicle Safety in the Real World R2D2 Goes to Buggy by Anastassia Kornilova &amp; Emily Yeh 3/33 R2-D2

589 views • 33 slides
New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption

Combating Corruption in Procurement Macedonia - 2017 Aleksandar Argirovski How is corruption measured Complex issue without an exact answer Perception of corruption vs. corruption What can be done? Policy measures Preventive

702 views • 12 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource

Aid, Donors and Corruption: Emerging Issues Liz Hart, Director U4 Anti-Corruption Resource Centre Anti-Corruption in development: Evolution of practice 1 st generation: the principal-agent problem Corruption = Monopoly + Discretion

417 views • 7 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable

Flashback OS X Malware Broderick Ian Aquilino September 27, 2012 Protecting the irreplaceable | f-secure.com Agenda Infection Vector Installation Main Binary C&amp;C Servers Payload Remaining Binaries

618 views • 34 slides
COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr.

COMBATING BRIBERY &amp; CORRUPTION A Presentation on Anti-Corruption Mechanism in India by Dr. T.M.Bhasin Vigilance Commissioner, CVC at National Judicial Academy, Bhopal on 04.09.2016 1 Corruption Definition and Cause World Bank

473 views • 43 slides
gravitational-wave bursts with memory Marc Favata UWM Objectives: Provide a general

gravitational-wave bursts with memory Marc Favata UWM Objectives: Provide a general

gravitational-wave bursts with memory Marc Favata UWM Objectives: Provide a general overview of the memory effect applicable to all GW sources ( not just compact-object binaries). Understand how to describe memory signals and make rough

514 views • 17 slides
Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer |

Memory Corruption The (almost) Complete History... haroon meer - 2010 @haroonmeer | haroon@thinkst.com Who ? haroon meer thinkst ? some papers, some books, some talks academic wannabe Why? Why? Why? Why? Why? twitter made me do it!

959 views • 92 slides
Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone Jan 14, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Phenomena associated with binary evolution Formation of close binaries

651 views • 30 slides
Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook Oh(mat@monkey.org,oh.jeongwook@gmail.com) Jeongwook Oh works on eEye's flagship product called &quot;Blink&quot;. He develops traffic analysis module that filters

841 views • 60 slides
Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption

Lobbying and Corruption Dr James Tremewan (james.tremewan@univie.ac.at) Gender and Corruption Introduction Gender and Corruption Women are often perceived as less susceptable to corruption than men. In Mexico City traffic officers all

768 views • 33 slides
Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future ET detector Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET detector detectors The (disputed) existence of IMBHs Modeling BBH Luca

199 views • 16 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides

More recommend