Dynamorio rpioss-aug2011

The DynamoRIODynamic Tool PlatformDerek Bruening

Typical Modern Application: IIS 2

Runtime Interposition Layer running application DynamoRIO: manipulate every instruction in running application underlying platform (stock OS, commodity hardware) 3

OutlineSystem OverviewExample Tools• Security• DebuggingOpen Source Project 4

Direct Code Modification e9 37 6f 48 92 jmp <callout> Kernel32!TerminateProcess: 7d4d1028 7c 05 jl 7d4d102f 7d4d102a 33 c0 xor %eax,%eax 7d4d102c 40 inc %eax 7d4d102d eb 08 jmp 7d4d1037 7d4d102f 50 push %eax 7d4d1030 e8 ed 7c 00 00 call 7d4d8d22 5

Entry Point Complications e9 37 6f 48 92 jmp <callout> Kernel32!TerminateProcess: 7d4d1028 7c 05 jl 7d4d102f 7d4d102a 33 c0 xor %eax,%eax 7d4d102c 40 inc %eax 7d4d102d eb 08 jmp 7d4d1037 7d4d102f 50 push %eax 7d4d1030 e8 ed 7c 00 00 call 7d4d8d22 6

Basic Interpreter application code foo() bar() A interpreter B C fetch decode execute D E FSlowdown: ~300x 7

Improvement #1: Basic Block Cache application code software code foo() bar() cache A A B C C DynamoRIO D D E E F FSlowdown: 300x 25x 8

Improvement # 2: Linking Direct Branches application code software code foo() bar() cache A A B C C DynamoRIO D D E E F FSlowdown: 300x 25x 3x 9

Improvement # 3: Linking Indirect Branches application code software code foo() bar() cache A A B C C DynamoRIO D D E E indirect branch F lookup FSlowdown: 300x 25x 3x 1.2x 10

Improvement # 4: Building Traces application code software code foo() bar() cache A A C B C D DynamoRIO E D cmp F E indirect branch F lookupSlowdown: 300x 26x 3x 1.2x 1.1x 11

Tool Platform application code software code foo() bar() cache tool code A A C X B C DynamoRIO D E D cmp F E indirect branch F lookup 12

TransparencyDo not want to interfere with the semantics of the programDangerous to make any assumptions about:• Register usage• Calling conventions• Stack layout• Memory/heap usage• I/O and other system call use 13

Painful, But NecessaryDifficult and costly to handle corner casesMany applications will not notice……but some will!• Microsoft Office: Visual Basic generated code, stack convention violations• COM, Star Office, MMC: trampolines• Adobe Premiere: self-modifying code• VirtualDub: UPX-packed executable• etc. 14

Avoid Resource Conflicts Linux Windows 15

DynamoRIO DemoInserts counters into every basic blockCounters are visible via shared memory 16

Anatomy of an Attack network ENTER CORRUPT DATA system and application memory HIJACK PROGRAM COUNTER COMPROMISE kernel

Critical Data: Control Flow IndirectionSubroutine calls• Return address and activation records on visible stackDynamic library linking• Function exports and importsObject oriented polymorphism: dynamic dispatch• VtablesCallbacks – registered function pointers• Event dispatch, atexitException handlingAny problem in computer science can be solved with another layerof indirection. - David Wheeler

Critical Data: Control Flow ExploitsReturn address overwrite• Classic buffer overflowGOT overwriteObject pointer overwrite or uninitialized useFunction pointer overwrite• Heap, stack, data, PEBException handler overwrites• SEH exploitsAny problem in computer science can be solved with another layerof indirection. But that usually will create another problem. - David Wheeler

Preventing Data Corruption Is DifficultStored program addresses legitimately manipulated bymany different entities• Dynamic linker, language runtimeIntermingled with regular data• Return addresses on stack• Vtables in heapEven if could distinguish a good write from a bad write, tooexpensive to monitor all data writes

Insight: Hijack Violates Execution Model Hardware Interface Typical Application Security Attack Execution Model

Goal: Shrink Hardware Interface Constrained Hardware Interface Typical Application Security Attack Execution Model

Program ShepherdingMonitor all control-flow transfers during program execution• DynamoRIO is in perfect position to do thisValidate that each transfer satisfies security policy basedon execution model• Application Binary Interface (ABI): calling convention, library invocationThe application may be damaged by data corruption, butthe system will not be compromised by hijacking controlflow

Memory BugsMemory bugs are challenging to detect and fix• Memory corruption, reading uninitialized memory, memory leaksObservable symptoms resulting from memory bugs areoften delayed and non-deterministic• Errors are difficult to discover during regular testing• Testing usually relies on randomly happening to hit visible symptoms• The sources of these bugs are painful and time-consuming to track down from observed crashesMemory bugs often remain in shipped products and canshow up in customer usage 26

Dr. MemoryDetects unaddressable memoryaccesses• Wild access to invalid address• Use-after-free• Buffer and array overflow and underflow• Read beyond top of stack• Invalid free, double freeDetects uninitialized memory readsDetects memory leaks 27

Implementation StrategyTrack the state of application memory using shadowmemory• Track whether allocated and whether definedMonitor every memory-related action by the application:• System call• Malloc, realloc, calloc, free, mmap, mumap, mremap• Memory read or write• Stack adjustmentAt exit or on request, scan memory to check for leaks 28

Shadow MetadataShadow each byte of memory with one of 3 states: allocate: mmap, calloc allocate: malloc, stack write unaddressable uninitialized defined deallocate deallocate 29

Shadow Memory Shadow Stack Shadow Heap Stack Heap defined header unaddr uninit defined malloc uninit defined defined unaddr padding unaddr header unaddr freed unaddr 30

Performance Comparison Valgrind failed Valgrind failed31

DynamoRIO History Dynamo Dynamo @HP Labs @HP Labs on PA-RISC on x86 late 1990’s 2000 RIO @MIT Dynamo + RIO  (Runtime Introspection DynamoRIO and Optimization) 1999 2001 33

DynamoRIO History Cont’d VMware Google DynamoRIO Determina acquires sponsors @MIT security startup Determina Dr. Memory2001 2003 2007 2010 open-sourced binary releases BSD license 2002 2009 34

DynamoRIO Team Google DynamoRIO Determina VMware sponsors @MIT security startup Dr. Memory 35

DynamoRIO Open Source ProjectGoogle Code• BSD license• Subversion repository  300 KLOC  Mostly C, some assembly• Issue trackerGoogle Groups http://dynamorio.org• User discussion forum/mailing list• Developer mailing list 36

Dr. Memory Open Source ProjectGoogle Code• http://code.google.com/p/drmemory• LGPL 2.1 license• Subversion repository  67 KLOC  Mostly C• Issue trackerGoogle Groups• User discussion forum/mailing list• Developer mailing list 37

Potential ProjectsBuild a New Tool• Code coverage• Fuzzer• Profiler: basic block, edge, function, etc.• Malware sandbox• Reverse engineeringContribute to an Existing Tool• Dr. Memory or Dr. Heapstat• Revive PiPA or UMI 38

Potential Projects Cont’dBuild a Tool Library• Control flow, call graph, data dependence analysis• Symbol table accessContribute to Platform• Buffer filling API• Probe API• Port to MacOS• Port to ARM• Debugger integration 39

http://rcos.rpi.edu	380
http://rcosblogbymsk.blogspot.com	20
http://rcos.cs.rpi.edu	15
http://dashboard.rcos.cs.rpi.edu	3
http://www.blogger.com	1
http://observatory.rcos.cs.rpi.edu	1

Dynamorio rpioss-aug2011

by mskmoorthy

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 420

Statistics

Dynamorio rpioss-aug2011 Presentation Transcript