Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
-
Upload
arabella-harrington -
Category
Documents
-
view
220 -
download
0
Transcript of Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
![Page 1: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/1.jpg)
Efficient Instruction Set Randomization Using Software Dynamic Translation
Michael Crane
Wei Hu
![Page 2: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/2.jpg)
Outline
Introduction Code injection, ISR
Problem Inefficiency of ISR
Tools Diablo, Strata
Solution Efficient ISR using Strata
Conclusion
![Page 3: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/3.jpg)
Introduction
Most exploits involve some kind of code injection Stack overflows Heap overflows etc
Several defenses proposed StackGuard Address Space Randomization ISR
![Page 4: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/4.jpg)
Instruction Set Randomization
A general defense against code injection Any application code must be decoded before
execution Code that has been injected will not be encoded with
the proper key, and will fail This approach works regardless of how or where
code is injected However, it does not address other exploits that
do not inject code i.e. return-to-libc attacks
![Page 5: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/5.jpg)
Disadvantage of ISR
High overhead Every instruction must be decoded at run-time Most implementations use an emulator
i.e. bochs or Valgrind
Emulators can be 5-100 times slower than native execution, depending on the application
Our goal is to use Strata, a software dynamic translation tool, to overcome this overheard
![Page 6: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/6.jpg)
Our Approach
Randomize a binary statically before run-time We are using a binary rewriting tool called Diablo Instructions are XORed with a key
Derandomize the program at run-time using software dynamic translation We are using a SDT system called Strata All instructions are XORed with the same key
![Page 7: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/7.jpg)
Diablo
A retargetable link-time binary rewriting framework.
Only works on statically linked programs. Its inputs are the object files and libraries
from which the program is built, instead of just the program executable.
![Page 8: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/8.jpg)
How Diablo Works
Merges code sections of each object file Disassembles the binary text Builds a control flow graph Does some optimizations Reassembles the assembly code Write to a binary file
![Page 9: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/9.jpg)
How We Can Use Diablo
Diablo does a lot of work for us Disassembles binaries Builds control graph Writes binaries
Modify Diablo to randomize the codes
![Page 10: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/10.jpg)
Strata
A software dynamic translation infrastructure, written in C and assembly
Main design by Kevin Scott, Jack Davidson’s PhD student here at UVa
So far it has been targeted to SPARC, MIPS, and x86
![Page 11: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/11.jpg)
Strata
Imposes a translation layer between the executable and the processor
Code fragments are fetched from the binary, optionally translated, and then placed into a fragment cache
Processor control is switched to the fragment for direct execution
![Page 12: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/12.jpg)
Software Dynamic Translation
Application
Context Management Linker
Memory Management
Cache ManagementStrata Virtual CPU
Target Interface
Target-specific Functions
Host CPU
Str
ata
Vir
tua
lM
ach
ine
![Page 13: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/13.jpg)
Using Strata
Application
Linker
Strata
New Application
![Page 14: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/14.jpg)
Apache Under Strata
We can successfully run Apache under Strata with no randomization
Performance was tested with a tool called Flood that generates HTTP requestsNative execution
190.05 requests/secondUnder Strata
137.00 requests/second1.39x slowdown
![Page 15: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/15.jpg)
How We Can Use Strata
Implement a custom fetch routine
Any time an instruction is fetched from the binary, XOR it with the key before placing it into the fragment cache
![Page 16: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/16.jpg)
Implementation
Application
Diablo
Strata
key
RandomizedApplication
![Page 17: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/17.jpg)
Issues with Our Approach
Strata is designed to be linked in directly with the applicationStrata must share the process space with the
randomized application This introduces several problems
Selective randomizationShared librariesProgram start up and shut down
![Page 18: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/18.jpg)
Selective Randomization
We have to distinguish the code of the application from that of Strata, and only randomize the code of the application.
We modified Diablo so that: it remembers the source object file of every code
section it checks the source object file before randomization
and does nothing if the code is from Strata
![Page 19: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/19.jpg)
Shared Libraries
Functions in glibc are called both by the application and by Strata
What’s wrong? Everything outside Strata should be randomized If the shared function is randomized, the program will
crash when Strata calls it
![Page 20: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/20.jpg)
Shared Libraries Solution
Create a separate copy of glibc functions Use objcopy to rename all the names of
glibc functions called by Strata The code bloat incurred by separate copy
of glibc for Strata is about 400Kb
(Strata doesn’t use too much)
![Page 21: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/21.jpg)
Current Status
We can run real server applications (Apache) under Strata without randomization
We can successfully randomize and derandomize a simple program
There are still some sharing issues with real programs
![Page 22: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/22.jpg)
Things Left To Do
Get Apache working with ISR Verify that ISR will protect against a buffer
overflow attack Collect performance numbers
![Page 23: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/23.jpg)
Insider Attack
Our current implementation assumes a remote attack, where the attacker does not have access to the randomized binaryThe encryption scheme is simpleThe key is stored in the binary itself
We must address these issues in order to protect against an insider attack
![Page 24: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/24.jpg)
How Effective is ISR?
Our primary goal was to show an efficient implementation of ISR
Strata can also be modified to check the current PC and reject execution of any code on the stack or other illegal location
Does this accomplish the same thing at a much lower cost?
![Page 25: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/25.jpg)
ISR vs. Non-Executable Stack
There are legitimate uses for an executable stack [Cowan 1998] gcc uses executable stacks for function trampolines
for nested functions Linux uses executable user stacks for signal handling Functional programming languages, and some other
programs, rely on executable stacks for run-time code generation
In these cases, ISR can help us differentiate between injected code and legitimate code on the stack
![Page 26: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/26.jpg)
Conclusions
Implementing ISR using emulation is very inefficient
Software dynamic translation can be used for a more efficient approach
However, implementation can be very tricky due to sharing problems
![Page 27: Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.](https://reader035.fdocuments.in/reader035/viewer/2022062314/56649d975503460f94a80f80/html5/thumbnails/27.jpg)
Questions?