17 th ACM CCS (October, 2010). Introduction Problem Statement Approach RG Design Implementation...

Platform-Independent Programs

Sang Kil Cha, Brian Pak, David BrumleyCarnegie Mellon University

Richard J. LiptonGeorgia Institute of Technology

17th ACM CCS (October, 2010)

A Seminar at Advanced Defense Lab 2

Outline Introduction Problem Statement Approach RG Design Implementation Related Work


Introduction

x86


Platform-Independent Program?

A typical and often implicit security assumption is that a program is only semantically meaningful on one platform› Radically different instruction sets› Different program encodings

But, is it true?


In this paper Automatically generate a single binary

string that› is a valid program on some architectures

› can have completely different desired runtime behaviors


Security-Critical Implications

Steganography.› m1(b) = normal program› m2(b) = secret information

Rogue Updates› m1(b) = normal program› mupdate(b) = malware› Security measures, such as digitally signing the

code, are insufficient since they only verify the code itself has not been tampered with, not the execution environment


Security-Critical Implications

Exfiltration Protection› m1(b) = important program› m2(b) = delete itself

Viruses and Shellcode

New Architecture› A company switches from architecture A to

B


Problem Statement Notation

› ∑ = {0, 1}› Bit string› mj(bi)

The execution of program bi on machine mj

› (bi, mj) bi is compiled for mj

› bi is not a valid string on mj

)( ij bm

*b


Problem Definition Platform-Independent Program

›

PIP generation challenge› Given (bi, mj) list›

)()( 21 bmbm

)()(:),( pipjijji bmbmmb


Approach

b1 b2 b3

bpip


Gadgets

b1 b2 b3

A Gadget


Gadget Header Example


Connecting Gadgets


Generation Algorithm


RG Design Header-Init: Finding Gadget Headers

› (nop)* (jmp) (.)*

Header generation algorithm› Enumeration all possible string X

several days for 4-byte header› Make header templates› Computing the intersection of templates


RG Design Disassemble, Gadget-Gen, and Merge


RG Design – PI Translation


PI Translation


Implementation RG is currently implemented in about

5,000 lines of a mixture of C++ and Ruby.

The gadget finder program finds all the possible 4-byte, 8-byte, and 12-byte gadget headers


Instruction Validity 32-bit long

› 90.12% for ARM› 68.46% for MIPS› 32.69% for x86

12.31%


Gadget Header Atomic NOPs

› 326 for x86› 241 for ARM› 14,709,948 for MIPS

Three-architecture gadget headers› 4×1014 for 12-byte long› 0.07 sec for 4-byte, 16 secs for 8-byte, 7

hours for 12-byte


Gadget Header


Evaluation Hello world

Prime Checker

Shellcode

Vulnerabilities› Snort 2.4› iPhone’s coreaudio library


Evaluation

Using PI Translation


Evaluation


Related Work Muti-Platform Execution

› Fat binary two independent program images are

combined with special meta-data that is used at run-time to select the appropriate image

› Drew Dean in 2003› Nemo in 2005 [link]

http://seclists.org/fulldisclosure/2005/Nov/387


Related Work(cont.) Steganography

› Simmons in 1984 The prisoner’s problem


Discussion PIP length More Gadget Headers Large Input Programs Indirect Jumps and Self-Modifying Code Generating Platform

› m(b) = normal program› generate m’› m’(b) = malware


Thank You

17 th ACM CCS (October, 2010). Introduction Problem Statement Approach RG Design Implementation...

Documents

Transcript of 17 th ACM CCS (October, 2010). Introduction Problem Statement Approach RG Design Implementation...