The DynamoRIO Dynamic Tool Platform
Derek Bruening
Slide deck: Dynamorio rpioss-aug2011 (transcript of the 39 slides follows)
1. Title slide: The DynamoRIO Dynamic Tool Platform, Derek Bruening

2. Typical Modern Application: IIS
   (figure not recovered)

3. Runtime Interposition Layer
   • running application
   • DynamoRIO: manipulate every instruction in the running application
   • underlying platform (stock OS, commodity hardware)

4. Outline
   • System Overview
   • Example Tools: Security, Debugging
   • Open Source Project
5. Direct Code Modification
   Hook Kernel32!TerminateProcess by overwriting the first five bytes of the
   function with a jump to a callout:

       e9 37 6f 48 92             jmp  <callout>

   Original function entry:

       Kernel32!TerminateProcess:
       7d4d1028  7c 05            jl   7d4d102f
       7d4d102a  33 c0            xor  %eax,%eax
       7d4d102c  40               inc  %eax
       7d4d102d  eb 08            jmp  7d4d1037
       7d4d102f  50               push %eax
       7d4d1030  e8 ed 7c 00 00   call 7d4d8d22

6. Entry Point Complications
   Same listing. The five-byte jmp displaces three whole instructions (the jl,
   xor and inc at 7d4d1028..7d4d102c), and the first of them is an IP-relative
   conditional branch, so the displaced code cannot simply be copied to a
   trampoline unchanged; any branch that targets the middle of the overwritten
   bytes would now land inside the jmp's displacement.
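As an added example (not from the slides and not DynamoRIO code), the following C program works through the patch on slides 5 and 6: it rebuilds the five-byte jmp rel32 from the slide's bytes, recovers the callout address that the slide's displacement implies, and counts the instructions the patch displaces using a deliberately tiny length decoder that knows only the opcodes in the listing. The callout address 0x0f957f64 is simply what e9 37 6f 48 92 at 7d4d1028 decodes to, not a documented value; the byte array is transcribed from the slide, not read from a real DLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of Kernel32!TerminateProcess as printed on the slide (constructed
 * from the listing for this example, not read from a real DLL). */
static const uint32_t kFuncAddr = 0x7d4d1028u;
static const uint8_t kFuncBytes[] = {
    0x7c, 0x05,                    /* 7d4d1028  jl   7d4d102f (rel8)  */
    0x33, 0xc0,                    /* 7d4d102a  xor  %eax,%eax        */
    0x40,                          /* 7d4d102c  inc  %eax             */
    0xeb, 0x08,                    /* 7d4d102d  jmp  7d4d1037 (rel8)  */
    0x50,                          /* 7d4d102f  push %eax             */
    0xe8, 0xed, 0x7c, 0x00, 0x00,  /* 7d4d1030  call 7d4d8d22 (rel32) */
};
/* The five-byte patch from the slide: e9 37 6f 48 92 = jmp <callout>. */
static const uint8_t kPatch[5] = { 0xe9, 0x37, 0x6f, 0x48, 0x92 };

enum { JMP_REL32_LEN = 5 };

/* Build "jmp rel32" at address 'at' that lands on 'target'. The displacement
 * is relative to the end of the five-byte instruction (32-bit wraparound). */
void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[JMP_REL32_LEN]) {
    uint32_t disp = target - (at + JMP_REL32_LEN);
    out[0] = 0xe9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(disp >> (8 * i));
}

/* Inverse: recover the callout address from a jmp rel32 located at 'at'.
 * Returns 0 if the bytes are not an e9 jump. */
uint32_t decode_jmp_rel32_target(uint32_t at, const uint8_t in[JMP_REL32_LEN]) {
    if (in[0] != 0xe9) return 0;
    uint32_t disp = 0;
    for (int i = 0; i < 4; i++) disp |= (uint32_t)in[1 + i] << (8 * i);
    return at + JMP_REL32_LEN + disp;
}

/* Minimal x86 length decoder covering only the opcodes on the slide. Returns
 * the instruction length, or 0 for anything it cannot decode (a real patcher
 * must refuse to patch in that case). Sets *rel_branch for IP-relative
 * branches, which cannot be moved to a trampoline without re-encoding. */
size_t insn_len(const uint8_t *p, size_t avail, int *rel_branch) {
    *rel_branch = 0;
    if (avail == 0) return 0;
    if (p[0] >= 0x70 && p[0] <= 0x7f) { *rel_branch = 1; return avail >= 2 ? 2 : 0; } /* Jcc rel8 */
    switch (p[0]) {
    case 0x40: case 0x50: return 1;                                    /* inc eax / push eax       */
    case 0x33: return (avail >= 2 && (p[1] >> 6) == 3) ? 2 : 0;        /* xor r32,r32 (ModRM mod 3) */
    case 0xeb: *rel_branch = 1; return avail >= 2 ? 2 : 0;             /* jmp rel8                 */
    case 0xe8: case 0xe9: *rel_branch = 1; return avail >= 5 ? 5 : 0;  /* call/jmp rel32           */
    default: return 0;
    }
}

/* Count the instructions that a 'patch_len'-byte overwrite at the function
 * entry displaces. Returns -1 if an instruction cannot be decoded or the last
 * displaced instruction straddles the patch boundary (no clean resume point).
 * *resume receives the offset where the original code continues and
 * *any_rel_branch is set if any displaced instruction is IP-relative. */
int displaced_insns(const uint8_t *code, size_t len, size_t patch_len,
                    size_t *resume, int *any_rel_branch) {
    size_t off = 0;
    int n = 0;
    *any_rel_branch = 0;
    while (off < patch_len) {
        int rb;
        size_t l = insn_len(code + off, len - off, &rb);
        if (l == 0) return -1;
        if (rb) *any_rel_branch = 1;
        off += l;
        n++;
    }
    if (off != patch_len) return -1;   /* an instruction straddles the patch end */
    *resume = off;
    return n;
}

int main(void) {
    uint8_t jmp[JMP_REL32_LEN];
    size_t resume;
    int rel;
    uint32_t callout = decode_jmp_rel32_target(kFuncAddr, kPatch);
    int n = displaced_insns(kFuncBytes, sizeof kFuncBytes, JMP_REL32_LEN, &resume, &rel);
    encode_jmp_rel32(kFuncAddr, callout, jmp);
    printf("callout=%08x displaced=%d resume=%08x rel_branch=%d\n",
           (unsigned)callout, n, (unsigned)(kFuncAddr + (uint32_t)resume), rel);
    return 0;
}
```

With a three-byte patch the decoder reports -1: the xor at 7d4d102a would be cut in half, which is exactly the kind of corner case a production patcher has to detect before writing anything.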
7. Basic Interpreter
   Application code (foo() and bar(), basic blocks A..F) is run by an
   interpreter loop: fetch, decode, execute. Slowdown: ~300x

8. Improvement #1: Basic Block Cache
   Copy each basic block (A, C, D, E, F) into a software code cache the first
   time it is reached and run it natively from there; DynamoRIO regains
   control at the end of every block. Slowdown: 300x → 25x

9. Improvement #2: Linking Direct Branches
   A direct branch between two cached blocks jumps straight to the target's
   cached copy instead of returning to DynamoRIO. Slowdown: 300x → 25x → 3x

10. Improvement #3: Linking Indirect Branches
   An indirect branch goes through an in-cache indirect branch lookup (target
   address to cached copy) rather than back to DynamoRIO.
   Slowdown: 300x → 25x → 3x → 1.2x

11. Improvement #4: Building Traces
   Hot paths through several blocks (A, C, D, E, F) are stitched into a single
   trace; an indirect branch inside the trace becomes a cmp against the expected
   next block, falling back to the indirect branch lookup on a mismatch.
   Slowdown: 300x → 25x → 3x → 1.2x → 1.1x

12. Tool Platform
   Tool code (X) is inserted into the cached blocks alongside the application
   code, so the tool's instrumentation runs in the same code cache.
13. Transparency
   Do not want to interfere with the semantics of the program. Dangerous to
   make any assumptions about:
   • Register usage
   • Calling conventions
   • Stack layout
   • Memory/heap usage
   • I/O and other system call use

14. Painful, But Necessary
   Difficult and costly to handle corner cases. Many applications will not
   notice... but some will!
   • Microsoft Office: Visual Basic generated code, stack convention violations
   • COM, Star Office, MMC: trampolines
   • Adobe Premiere: self-modifying code
   • VirtualDub: UPX-packed executable
   • etc.

15. Avoid Resource Conflicts
   (figure contrasting Linux and Windows; not recovered)

16. DynamoRIO Demo
   • Inserts counters into every basic block
   • Counters are visible via shared memory

17. Outline (next section: Example Tools, Security)
18. Anatomy of an Attack
   network → ENTER → CORRUPT DATA (system and application memory) →
   HIJACK PROGRAM COUNTER → COMPROMISE (kernel)

19. Critical Data: Control Flow Indirection
   • Subroutine calls: return address and activation records on the visible stack
   • Dynamic library linking: function exports and imports
   • Object-oriented polymorphism, dynamic dispatch: vtables
   • Callbacks, registered function pointers: event dispatch, atexit
   • Exception handling
   "Any problem in computer science can be solved with another layer of
   indirection." - David Wheeler

20. Critical Data: Control Flow Exploits
   • Return address overwrite: the classic buffer overflow
   • GOT overwrite
   • Object pointer overwrite or uninitialized use
   • Function pointer overwrite: heap, stack, data, PEB
   • Exception handler overwrites: SEH exploits
   "Any problem in computer science can be solved with another layer of
   indirection. But that usually will create another problem." - David Wheeler

21. Preventing Data Corruption Is Difficult
   • Stored program addresses are legitimately manipulated by many different
     entities: the dynamic linker, the language runtime
   • They are intermingled with regular data: return addresses on the stack,
     vtables in the heap
   • Even if a good write could be distinguished from a bad one, it is too
     expensive to monitor all data writes

22. Insight: Hijack Violates Execution Model
   (figure) A typical application uses only a subset of the hardware interface,
   its execution model; a security attack that hijacks the program counter
   exercises the hardware interface outside that model.

23. Goal: Shrink Hardware Interface
   (figure) Constrain the hardware interface to the application's execution
   model, so that the transfers an attack depends on are no longer available.

24. Program Shepherding
   • Monitor all control-flow transfers during program execution; DynamoRIO is
     in a perfect position to do this
   • Validate that each transfer satisfies a security policy based on the
     execution model: the Application Binary Interface (ABI), calling
     convention, library invocation
   • The application may be damaged by data corruption, but the system will
     not be compromised by hijacking control flow
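The following C model is an added example, not DynamoRIO or program shepherding code: it implements two shepherding policies in toy form, restricted code origins (only execute code that came from an on-disk image and is not writable) and restricted control transfers (a return must go back to the address recorded on a shadow call stack; indirect calls and jumps must land on known function entry points), and replays a constructed trace containing the three hijacks from slides 18 to 20: stack shellcode, a return-to-libc gadget, and an indirect call into the middle of a function. The address layout, entry points and trace are made up for the example; the real policy is stated in terms of the ABI and is more permissive than this toy in places.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { MAX_REGIONS = 8, MAX_ENTRIES = 16, MAX_SHADOW = 64 };

typedef struct { uint32_t start, end; bool from_image; bool writable; } Region;

typedef struct {
    Region   regions[MAX_REGIONS]; int nregions;   /* what memory looks like      */
    uint32_t entries[MAX_ENTRIES]; int nentries;   /* valid indirect targets      */
    uint32_t shadow[MAX_SHADOW];   int sp;         /* expected return addresses   */
} Shepherd;

typedef enum { XFER_DIRECT_CALL, XFER_INDIRECT_CALL, XFER_RETURN, XFER_INDIRECT_JMP } XferKind;
typedef enum { XFER_OK = 0, BAD_CODE_ORIGIN, BAD_RETURN_TARGET, BAD_INDIRECT_TARGET } Verdict;

void shepherd_init(Shepherd *s) { s->nregions = s->nentries = s->sp = 0; }
void add_region(Shepherd *s, uint32_t start, uint32_t end, bool from_image, bool writable) {
    if (s->nregions < MAX_REGIONS)
        s->regions[s->nregions++] = (Region){ start, end, from_image, writable };
}
void add_entry(Shepherd *s, uint32_t pc) {
    if (s->nentries < MAX_ENTRIES) s->entries[s->nentries++] = pc;
}

static const Region *find_region(const Shepherd *s, uint32_t pc) {
    for (int i = 0; i < s->nregions; i++)
        if (pc >= s->regions[i].start && pc < s->regions[i].end) return &s->regions[i];
    return NULL;
}
static bool is_entry(const Shepherd *s, uint32_t pc) {
    for (int i = 0; i < s->nentries; i++) if (s->entries[i] == pc) return true;
    return false;
}

/* Policy 1, restricted code origins: execute only code loaded from an image
 * that is not writable. Shellcode on the stack or heap fails this regardless
 * of how control reached it. */
static bool code_origin_ok(const Shepherd *s, uint32_t target) {
    const Region *r = find_region(s, target);
    return r != NULL && r->from_image && !r->writable;
}

/* Policy 2, restricted control transfers. 'fallthrough' is the address of the
 * instruction after the transfer and is only meaningful for calls. */
Verdict check_transfer(Shepherd *s, XferKind kind, uint32_t fallthrough, uint32_t target) {
    if (!code_origin_ok(s, target)) return BAD_CODE_ORIGIN;
    switch (kind) {
    case XFER_DIRECT_CALL:
        if (s->sp < MAX_SHADOW) s->shadow[s->sp++] = fallthrough;
        return XFER_OK;
    case XFER_INDIRECT_CALL:
        if (!is_entry(s, target)) return BAD_INDIRECT_TARGET;   /* no mid-function targets */
        if (s->sp < MAX_SHADOW) s->shadow[s->sp++] = fallthrough;
        return XFER_OK;
    case XFER_INDIRECT_JMP:
        return is_entry(s, target) ? XFER_OK : BAD_INDIRECT_TARGET;
    case XFER_RETURN:
        /* A return must go back to the instruction after the matching call. */
        if (s->sp == 0 || s->shadow[s->sp - 1] != target) return BAD_RETURN_TARGET;
        s->sp--;
        return XFER_OK;
    }
    return BAD_INDIRECT_TARGET;
}

/* Constructed address map for the example: an application image, a libc
 * image and a stack. All addresses are invented. */
void build_demo_layout(Shepherd *s) {
    shepherd_init(s);
    add_region(s, 0x00401000u, 0x00402000u, true,  false);   /* app .text  */
    add_region(s, 0x70000000u, 0x70100000u, true,  false);   /* libc .text */
    add_region(s, 0xbfff0000u, 0xc0000000u, false, true);    /* stack      */
    add_entry(s, 0x00401100u);   /* a function in the application */
    add_entry(s, 0x70000500u);   /* an exported libc function     */
}

/* Replay a short trace: a legitimate call/return pair, a second call, then
 * three hijack attempts, then the genuine return. Returns the number of
 * transfers the policy rejected (3 for this trace). */
int run_demo_trace(void) {
    Shepherd s;
    int rejected = 0;
    build_demo_layout(&s);
    rejected += check_transfer(&s, XFER_DIRECT_CALL,   0x00401015u, 0x00401100u) != XFER_OK;
    rejected += check_transfer(&s, XFER_RETURN,        0,           0x00401015u) != XFER_OK;
    rejected += check_transfer(&s, XFER_DIRECT_CALL,   0x00401025u, 0x00401100u) != XFER_OK;
    rejected += check_transfer(&s, XFER_RETURN,        0,           0xbfff0100u) != XFER_OK; /* stack shellcode   */
    rejected += check_transfer(&s, XFER_RETURN,        0,           0x70000abcu) != XFER_OK; /* ret2libc gadget   */
    rejected += check_transfer(&s, XFER_INDIRECT_CALL, 0x0040103au, 0x70000abcu) != XFER_OK; /* mid-function call */
    rejected += check_transfer(&s, XFER_RETURN,        0,           0x00401025u) != XFER_OK; /* the real return   */
    return rejected;
}

int main(void) {
    printf("rejected %d of 7 transfers\n", run_demo_trace());
    return 0;
}
```

Note the order of the checks: code origin is tested first, so the stack-shellcode return is caught even though the shadow stack would also have rejected it, while the return-to-libc gadget passes the origin check (it is real library code) and is only caught by the return-address policy. That layering is the point of slides 22 and 23: the data corruption itself is not detected, only the control transfer it was meant to produce.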
25. Outline (next section: Example Tools, Debugging)
26. Memory Bugs
   Memory bugs are challenging to detect and fix: memory corruption, reading
   uninitialized memory, memory leaks. Observable symptoms resulting from
   memory bugs are often delayed and non-deterministic:
   • Errors are difficult to discover during regular testing
   • Testing usually relies on randomly happening to hit visible symptoms
   • The sources of these bugs are painful and time-consuming to track down
     from observed crashes
   Memory bugs often remain in shipped products and can show up in customer
   usage.

27. Dr. Memory
   Detects unaddressable memory accesses:
   • Wild access to an invalid address
   • Use-after-free
   • Buffer and array overflow and underflow
   • Read beyond the top of the stack
   • Invalid free, double free
   Detects uninitialized memory reads. Detects memory leaks.

28. Implementation Strategy
   Track the state of application memory using shadow memory: for each byte,
   whether it is allocated and whether it is defined. Monitor every
   memory-related action by the application:
   • System calls
   • malloc, realloc, calloc, free, mmap, munmap, mremap
   • Memory reads and writes
   • Stack adjustments
   At exit or on request, scan memory to check for leaks.

29. Shadow Metadata
   Shadow each byte of memory with one of 3 states: unaddressable,
   uninitialized, defined. Transitions:
   • allocate via mmap or calloc: unaddressable → defined
   • allocate via malloc or stack growth: unaddressable → uninitialized
   • write: uninitialized → defined
   • deallocate: uninitialized or defined → unaddressable

30. Shadow Memory
   (figure) Shadow stack: the live part of the frame is defined, the
   not-yet-written part of a new frame is uninitialized, and memory beyond
   the top of the stack is unaddressable. Shadow heap: each malloc header is
   unaddressable, a malloc'd payload is uninitialized until written and then
   defined, the alignment padding after the payload is unaddressable, and a
   freed chunk is unaddressable again.
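To make the state machine on slide 29 and the heap layout on slide 30 concrete, here is an added simulation in C (not Dr. Memory's code): two shadow bits per byte of a 4 KB simulated address space, a bump allocator that surrounds each chunk with an unaddressable header and alignment padding, and a check on every simulated read, write and free. The function names (sim_malloc, sim_read, ...), the 8-byte header and alignment, and the leak rule (anything still allocated at exit) are choices for the example; reporting an uninitialized read at the load is a simplification, since Dr. Memory tracks shadow state through registers and reports when the value is actually used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { APP_SIZE = 4096, REDZONE = 8, ALIGN = 8, MAX_ALLOCS = 64 };

/* Three shadow states per application byte, packed two bits per byte. */
typedef enum { SH_UNADDR = 0, SH_UNINIT = 1, SH_DEFINED = 2 } ShadowState;
typedef enum { ERR_NONE = 0, ERR_UNADDR_ACCESS, ERR_UNINIT_READ,
               ERR_INVALID_FREE, ERR_DOUBLE_FREE } DrError;
typedef struct { uint32_t addr, size; bool live; } Alloc;

static uint8_t  g_app[APP_SIZE];          /* simulated application memory */
static uint8_t  g_shadow[APP_SIZE / 4];   /* 2 shadow bits per app byte   */
static Alloc    g_allocs[MAX_ALLOCS];
static int      g_nallocs;
static uint32_t g_brk;                    /* bump-allocator cursor        */

void sim_reset(void) {
    memset(g_app, 0, sizeof g_app);
    memset(g_shadow, 0, sizeof g_shadow);   /* everything starts unaddressable */
    g_nallocs = 0;
    g_brk = 0;
}
ShadowState sh_get(uint32_t a) {
    if (a >= APP_SIZE) return SH_UNADDR;
    return (ShadowState)((g_shadow[a >> 2] >> ((a & 3) * 2)) & 3);
}
static void sh_set(uint32_t a, ShadowState s) {
    unsigned shift = (a & 3) * 2;
    g_shadow[a >> 2] = (uint8_t)((g_shadow[a >> 2] & ~(3u << shift)) | ((unsigned)s << shift));
}
static void sh_set_range(uint32_t a, size_t n, ShadowState s) {
    for (size_t i = 0; i < n; i++) sh_set(a + i, s);
}

/* Chunk layout, as on the shadow heap slide:
 *   [header: unaddr][payload: uninit or defined][alignment padding: unaddr]
 * malloc leaves the payload uninitialized; calloc zeroes it and marks it defined. */
static uint32_t sim_alloc(size_t n, bool defined) {
    size_t rounded = (n + ALIGN - 1) / ALIGN * ALIGN;
    if (g_nallocs == MAX_ALLOCS || g_brk + REDZONE + rounded > APP_SIZE) return 0;
    uint32_t p = g_brk + REDZONE;                    /* header stays unaddressable */
    sh_set_range(p, n, defined ? SH_DEFINED : SH_UNINIT);
    if (defined) memset(g_app + p, 0, n);
    g_allocs[g_nallocs++] = (Alloc){ p, (uint32_t)n, true };
    g_brk = p + (uint32_t)rounded;                   /* bytes n..rounded are padding */
    return p;
}
uint32_t sim_malloc(size_t n) { return sim_alloc(n, false); }
uint32_t sim_calloc(size_t n) { return sim_alloc(n, true); }

DrError sim_free(uint32_t p) {
    for (int i = 0; i < g_nallocs; i++) {
        if (g_allocs[i].addr != p) continue;
        if (!g_allocs[i].live) return ERR_DOUBLE_FREE;
        g_allocs[i].live = false;
        sh_set_range(p, g_allocs[i].size, SH_UNADDR);   /* later use is use-after-free */
        return ERR_NONE;
    }
    return ERR_INVALID_FREE;   /* not a pointer that malloc returned */
}

/* Every load is checked against the shadow before the data is used. */
DrError sim_read(uint32_t a, size_t n, uint8_t *out) {
    DrError worst = ERR_NONE;
    for (size_t i = 0; i < n; i++) {
        ShadowState s = sh_get(a + i);
        if (s == SH_UNADDR) return ERR_UNADDR_ACCESS;
        if (s == SH_UNINIT) worst = ERR_UNINIT_READ;
        out[i] = g_app[a + i];
    }
    return worst;
}
/* A store to addressable memory makes those bytes defined. */
DrError sim_write(uint32_t a, size_t n, const uint8_t *src) {
    for (size_t i = 0; i < n; i++)
        if (sh_get(a + i) == SH_UNADDR) return ERR_UNADDR_ACCESS;
    memcpy(g_app + a, src, n);
    sh_set_range(a, n, SH_DEFINED);
    return ERR_NONE;
}
/* Simplified leak check: any chunk still live at exit is reported. */
int sim_leak_count(void) {
    int n = 0;
    for (int i = 0; i < g_nallocs; i++) n += g_allocs[i].live;
    return n;
}

int main(void) {
    uint8_t buf[16];
    const uint8_t data[4] = { 1, 2, 3, 4 };
    sim_reset();
    uint32_t p = sim_malloc(13);
    printf("read before write: %d\n", sim_read(p, 4, buf));       /* ERR_UNINIT_READ   */
    sim_write(p, 4, data);
    printf("overflow into padding: %d\n", sim_write(p + 13, 1, data)); /* ERR_UNADDR_ACCESS */
    sim_free(p);
    printf("use after free: %d, leaks: %d\n", sim_read(p, 1, buf), sim_leak_count());
    return 0;
}
```

The padding check is what makes a one-byte heap overflow visible: with malloc(13) the bytes 13..15 of the chunk exist in real memory but are shadowed unaddressable, so the first out-of-bounds store is reported at the store, long before a corrupted header would have crashed the allocator.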
31. Performance Comparison
   (chart not recovered; two of its entries are marked "Valgrind failed")

32. Outline (next section: Open Source Project)
33. DynamoRIO History
   • late 1990's: Dynamo @HP Labs on PA-RISC
   • 1999: RIO @MIT (Runtime Introspection and Optimization)
   • 2000: Dynamo @HP Labs on x86
   • 2001: Dynamo + RIO = DynamoRIO

34. DynamoRIO History Cont'd
   • 2001: DynamoRIO @MIT
   • 2002: binary releases
   • 2003: Determina security startup
   • 2007: VMware acquires Determina
   • 2009: open-sourced under the BSD license
   • 2010: Google sponsors Dr. Memory

35. DynamoRIO Team
   (figure: contributors at MIT, Determina, VMware and Google; names not recovered)

36. DynamoRIO Open Source Project
   Google Code
   • BSD license
   • Subversion repository: 300 KLOC, mostly C, some assembly
   • Issue tracker
   Google Groups, http://dynamorio.org
   • User discussion forum/mailing list
   • Developer mailing list

37. Dr. Memory Open Source Project
   Google Code
   • http://code.google.com/p/drmemory
   • LGPL 2.1 license
   • Subversion repository: 67 KLOC, mostly C
   • Issue tracker
   Google Groups
   • User discussion forum/mailing list
   • Developer mailing list

38. Potential Projects
   Build a New Tool
   • Code coverage
   • Fuzzer
   • Profiler: basic block, edge, function, etc.
   • Malware sandbox
   • Reverse engineering
   Contribute to an Existing Tool
   • Dr. Memory or Dr. Heapstat
   • Revive PiPA or UMI

39. Potential Projects Cont'd
   Build a Tool Library
   • Control flow, call graph, data dependence analysis
   • Symbol table access
   Contribute to Platform
   • Buffer filling API
   • Probe API
   • Port to MacOS
   • Port to ARM
   • Debugger integration