security bugs in embedded interpreters
play

Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, - PowerPoint PPT Presentation

Mar 17, 2023 •441 likes •1.39k views

Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL Embedded interpreters Host system Bytecode Embedded Output interpreter Input

  1. Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL

  2. Embedded interpreters Host system Bytecode Embedded Output interpreter Input

  3. Embedded interpreters Host system Bytecode Embedded Output interpreter Input • Define an instruction set in the form of bytecode

  4. Embedded interpreters Host system Bytecode Embedded Output interpreter Input • Define an instruction set in the form of bytecode • Interpret and execute bytecode on a virtual machine

  5. Embedded interpreters Host system Bytecode Embedded Output interpreter Input • Define an instruction set in the form of bytecode • Interpret and execute bytecode on a virtual machine • Usually light-weight, and no process-level sandboxing

  6. Prevalence of embedded interpreters and related vulnerabilities

  7. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities

  8. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021

  9. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021 RarVM CVE-2007-3725 LLVM CVE-2011-3627

  10. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021 RarVM CVE-2007-3725 LLVM CVE-2011-3627 Bitcoin bitcoin CVE-2010-5137

  11. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021 RarVM CVE-2007-3725 LLVM CVE-2011-3627 Bitcoin bitcoin CVE-2010-5137 Python Pickle CVE-2011-2520 CVE-2012-4406

  12. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021 RarVM CVE-2007-3725 LLVM CVE-2011-3627 Bitcoin bitcoin CVE-2010-5137 Python Pickle CVE-2011-2520 CVE-2012-4406 TrueType / Type 1 FreeType CVE-2010-2520 CVE-2011-0226 Charstring

  13. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021 RarVM CVE-2007-3725 LLVM CVE-2011-3627 Bitcoin bitcoin CVE-2010-5137 Python Pickle CVE-2011-2520 CVE-2012-4406 TrueType / Type 1 FreeType CVE-2010-2520 CVE-2011-0226 Charstring

  14. Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF CVE-2010-4158 CVE-2012-3729 INET_DIAG CVE-2010-3880 CVE-2011-2213 AML CVE-2010-4347 CVE-2011-1021 RarVM CVE-2007-3725 LLVM CVE-2011-3627 Bitcoin bitcoin CVE-2010-5137 Python Pickle CVE-2011-2520 CVE-2012-4406 TrueType / Type 1 FreeType CVE-2010-2520 CVE-2011-0226 Charstring

  15. Our contributions • Studies of 10 widely-used embedded interpreters in real world • Studies of known vulnerabilities • Security guidelines • Research opportunities

  16. Why do people use embedded interpreter?

  17. A packet filtering example • Monitor all packets that do not originate from 18.26.5.* or 18.1.2.* $"tcpdump"‘ip"src"net"not"(18.26.5.0/24"or"18.1.2.0/24)’

  18. A packet filtering example • Monitor all packets that do not originate from 18.26.5.* or 18.1.2.* $"tcpdump"‘ip"src"net"not"(18.26.5.0/24"or"18.1.2.0/24)’ • Strawman 1: user space filtering • The kernel passes all packets to tcpdump filtered ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) packets kernel **** * * * **** * * * packets

  19. A packet filtering example • Monitor all packets that do not originate from 18.26.5.* or 18.1.2.* $"tcpdump"‘ip"src"net"not"(18.26.5.0/24"or"18.1.2.0/24)’ • Strawman 1: user space filtering • The kernel passes all packets to tcpdump • ✔ Flexibility ✔ Security ✘ Performance filtered ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) packets kernel **** * * * **** * * * packets

  20. A packet filtering example

  21. A packet filtering example • Strawman II: extensible kernel module

  22. A packet filtering example • Strawman II: extensible kernel module • tcpdump uploads compiled native code to the kernel ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ld*****12(%ebx),*%eax* Native test***%eax,*$0x800 code jeq****L3 filtered ld*****26(%ebx),*%eax packets and****%eax,*$0xffffff00 ********... **** * * * **** * * * Kernel module packets

  23. A packet filtering example • Strawman II: extensible kernel module • tcpdump uploads compiled native code to the kernel • ✔ Flexibility ✔ Performance ✘ Security ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ld*****12(%ebx),*%eax* Native test***%eax,*$0x800 code jeq****L3 filtered ld*****26(%ebx),*%eax packets and****%eax,*$0xffffff00 ********... **** * * * **** * * * Kernel module packets

  24. Solution: Berkeley Packet Filter (BPF)

  25. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24)

  26. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) ********ldh****[12] Bytecode ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0

  27. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0

  28. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 BPF interpreter

  29. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 Inputs to L3:*****ret****#TRUE L4:*****ret****#0 bytecode **** * * * **** * * * BPF interpreter packets

  30. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 Inputs to L3:*****ret****#TRUE L4:*****ret****#0 bytecode **** * * * Filtered **** * * * BPF interpreter packets packets

  31. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 Inputs to L3:*****ret****#TRUE L4:*****ret****#0 bytecode **** * * * Filtered **** * * * BPF interpreter packets packets ✔ Flexibility

  32. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 Inputs to L3:*****ret****#TRUE L4:*****ret****#0 bytecode **** * * * Filtered **** * * * BPF interpreter packets packets ✔ Flexibility ✔ Performance —— no IPC & context switch overhead

  33. Solution: Berkeley Packet Filter (BPF) ip*src*net*not* tcpdump (18.26.5.0/24*or*18.0.0.0/24) kernel ********ldh****[12] Bytecode Host ********jeq****#ETHERTYPE_IP,*L1,*L4 program L1:*****ld*****[26] system ********and****#0xffffff00 ********jeq****#0x121a0500,*L4,*L2 L2:*****jeq****#0x12010200,*L4,*L3 Inputs to L3:*****ret****#TRUE L4:*****ret****#0 bytecode **** * * * Filtered **** * * * BPF interpreter packets packets ✔ Flexibility ✔ Performance —— no IPC & context switch overhead ✔ “Security” —— no direct control of the real machine

Recommend

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives Discuss the complexities in mitigating security bugs occurring in network protocols. Describe some current issues. Leave time for Q&A.

631 views • 50 slides
Interpreters and virtual machines Interpreters Michel Schinz 20070323 Interpreters Why

Interpreters and virtual machines Interpreters Michel Schinz 20070323 Interpreters Why

Interpreters and virtual machines Interpreters Michel Schinz 20070323 Interpreters Why interpreters? An interpreter is a program that executes another program, Interpreters enable the execution of a program without represented as some

365 views • 9 slides
Interpreters and virtual machines Michel Schinz 20070323 Interpreters Interpreters An

Interpreters and virtual machines Michel Schinz 20070323 Interpreters Interpreters An

Interpreters and virtual machines Michel Schinz 20070323 Interpreters Interpreters An interpreter is a program that executes another program, represented as some kind of data-structure. Common program representations include: raw

672 views • 53 slides
Embedded Interpreters Nick Benton Microsoft Research Cambridge UK Setting: Scripting languages

Embedded Interpreters Nick Benton Microsoft Research Cambridge UK Setting: Scripting languages

Embedded Interpreters Nick Benton Microsoft Research Cambridge UK Setting: Scripting languages for SML applications Application comprises many interesting higher-type values and new type definitions Purpose of scripting language

384 views • 25 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt Gierlichs KU Leuven, COSIC IACR Summer school 2015 Chia Laguna, Italy Attack on channel between communicating parties Encryption and

412 views • 6 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
The essence of dataflow programming Interpreters Comonadic Interpreters Comonads Tarmo Uustalu

The essence of dataflow programming Interpreters Comonadic Interpreters Comonads Tarmo Uustalu

Essence of DFP Varmo Vene Introduction Monadic The essence of dataflow programming Interpreters Comonadic Interpreters Comonads Tarmo Uustalu 1 Varmo Vene 2 Stream Functions Comonadic Interpreters Distributive Interpreters 1 Institute of

450 views • 44 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on Computation and Society Harvard University Talk Outline Why Phishing Works Dynamic Security Skins Embedded Security Indicators Talk

731 views • 57 slides
Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The Same Bugs, Over and Over Again... SQL-injection, XSS, XSRF, etc -- OWASP Top 10 Root cause Inherently bug-prone APIs Developers are

313 views • 28 slides
Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

695 views • 32 slides
A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

1.03k views • 72 slides
Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or multithreaded programs Caused by different threads of control operating in unpredictable fashion When programmer thought theyd work in a

649 views • 21 slides
Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems pieter.willems@silexinsight.com V2.0 2019 Overview Silex Insight Introduction Embedded security markets and applications Security

590 views • 15 slides
Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

752 views • 54 slides
Healthcare Interpreters 2010: National Certification for Healthcare Interpreters Mara

Healthcare Interpreters 2010: National Certification for Healthcare Interpreters Mara

Certification Commission for Healthcare Interpreters 2010: National Certification for Healthcare Interpreters Mara Youdelman, CCHI Chair QHCDP Conf. Oct. 19, 2010 www.healthcareinterpretercertification.org LEP Demographics Over 55

444 views • 22 slides
Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison

Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison Qiushi Wu , Yang He, Stephen McCamant, and Kangjie Lu 1 Why do we need to identify security bugs? 2 Motivation The overwhelming number of bugs

1.12k views • 66 slides
BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on blood They are reddish-brown in colour An adult bed bug is approximately the size of an apple seed An egg is approximately the size of a

163 views • 15 slides
In Interpreters in in the Courtroom Language Access Webinar November 15, 2018 Leonardo Perales

In Interpreters in in the Courtroom Language Access Webinar November 15, 2018 Leonardo Perales

In Interpreters in in the Courtroom Language Access Webinar November 15, 2018 Leonardo Perales and Maria de Villiers State Licensed Court Interpreters OFFICE of COURT ADMINISTRATION His istory of f regulation of f Texas in interpreters

258 views • 25 slides
Serialization Bugs About Me Rohit Salecha Senior Security Consultant @ NotSoSecure 7+ yrs

Serialization Bugs About Me Rohit Salecha Senior Security Consultant @ NotSoSecure 7+ yrs

Serialization Bugs About Me Rohit Salecha Senior Security Consultant @ NotSoSecure 7+ yrs of Corporate Experience Pentesting (Web, Mobile, Infra) and Development in Java Trainer : AppSec for Developers, Basic Web Hacking @

535 views • 28 slides
Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Methodologies For Hacking Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark Carey is the Chief Scientist for Peak Security. Over 22 years of experience in engineering and security. - Keeper of

1.06k views • 103 slides
Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture Dom0 VMs QEMU Xen Scheduler MMU vPIC Memory CPUs I/O HW Emulation in hypervisor For performance Examples: Interrupt controller

859 views • 20 slides

More recommend