370 likes | 501 Vues
CompSci 725 Presentation. by Siu Cho Jun, William. CompSci 725 Presentation. Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes by Barton P. Miller, Mihai Christodorescu, Robert Iverson, Tevfik Kosar, Alexander Mirgorodskii, Florentina Popovici.
E N D
CompSci 725 Presentation by Siu Cho Jun, William
CompSci 725 Presentation Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes by Barton P. Miller, Mihai Christodorescu, Robert Iverson, Tevfik Kosar, Alexander Mirgorodskii, Florentina Popovici
CompSci 725 Presentation • Computer Sciences Department, University of Wisconsin • Paradyn Project • Exploring new approaches to build scalable tools for monitoring or tuning of parallel program performance.
Outline • Introduction • The Aim of this paper • Background • What is “DynInst”? • Demo 1 • Demo 2 • Conclusion
Introduction • Programs in execution have long been considered to be immutable objects • Use “DynInst API” to build tools • Operate on binary codes during execution
Introduction • Show how Dynamic Instrumentation techniques can be used to subvert system security through vulnerabilities • Provide some suggestions to compromise those vulnerabilities
Background • What is “DynInst”? • A post-compiler program manipulation tool • Provides an Application Program Interface (API) for programming instrumentation tools with the dynamic instrumentation technology • C++ class library
Background • What is “DynInst”? (cont.) • Allows tool builders build tools that can make insertion and modification to a running program • Without re-compile, re-link, or even re-execute the program • Machine independent
Background • What can tools built with “DynInst API” do? • (1) inspect a running process, obtaining structural information about the program; • (2) control the execution of the program; • (3) cause new libraries to be dynamically loaded into the process' address space;
Background • What can tools built with “DynInst API” do? (cont.) • (4) splice new code sequences into the running program and remove them; • (5) replace individual call instructions or entire functions.
Background • Terms: • Mutator • The tool built for performing instrumentation • Mutatee • The program to be instrumented • Point • A location in a program where instrumentation can be inserted • Snippet • A piece of executable code to be inserted into a program at a point
Background • How it works? p.s. Image extracted from the paper “Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes”
Background • How it works? p.s. Image extracted from the paper “An API for Runtime Code Patching”
Demo 1 The Lurking Condor Job • Goal • To expose security vulnerabilities in a distributed computing environment
Demo 1 • Background Info. • Platform: Unix with Condor • High-Throughput Computing System • allows users to schedule and run application programs on idle hosts in widely distributed environment • Users do not need to have account and privileges on other hosts
Demo 1 • Condor • SM: Submitting Machine • EM: Execution Machine
Demo 1 • Attack strategy
Demo 1 • Attack strategy
Demo 1 • Attack strategy
Demo 1 • Attack strategy
Demo 1 • Attack strategy
Demo 1 • Vulnerability of Condor System • Condor starts a shadow process on the SM when it starts the submitted program on the remote EM • The shadow process receives remote system calls from the EM and executes with the normal privileges of the submitting user
Demo 1 • Vulnerability of Condor System (cont.) • EM might subvert the submitted program and cause it to make inappropriate and malicious requests to the user's SM • Condor use the same user id for every job on the EM, this allow the lurker process to access subsequently arriving jobs
Demo 1 • Suggestions: • On SM • Create “Sandbox” around the shadow process • On trusted EM • Restrict the use of system call on EM • Clear up after a job migrated or completed • Use multiple user ID’s • Malicious EM can bypass any of those measures
Demo 2 Subverting License Checking • Goal • Use DynInst tools to bypass license checking • And attain full program functionality even when the license data could not be obtained
Demo 2 • Background Info. • Target application: Framemaker word processing tool from Adobe • Platform: UltraSPARC IIi running Solaris • License checking method in Framemaker: Obtain license data from license server and validate it
Demo 2 • Attack Strategy • (1) See the program as a black box and capture the I/O operations to located those were specific to contacting the license server • Attach DynInst to Framemaker and trace all library functions that performs I/O operations • Replace the open, read, write, send, and recv library function with custom versions which are modified to copy their data into a mirror file
Demo 2 • Attack Strategy • (2) Trace the flow control within the program to understand where the license checking is performed • By tracing the control flow for the cases: • the license server is successfully contacted • the license server cannot be contacted
Demo 2 • Attack Strategy • (3) Determine the functions to be skipped or replaced to avoid the failure of the license check
Demo 2 • Attack toolkit • (1) Function Call Tracer • The depth of the call stack, order of calls, and return values from each function are reported • (2) Function Argument Parser • For tracking the type and name of each parameter to a function in the application
Demo 2 • Attack toolkit • (3) Java to DynInst Compiler (JavaD) • Since the DynInst API calls operate at the machine language level • Write snippet in Java and translate to DynInst calls • To simplify the task of creating code snippets
Demo 2 • Result • Successfully bypassed the licensing checks by the following steps: • (1) Allowed the retrieval of the license data to fail. • (2) Prevented FrameMaker from entering demo mode by deleting the function call of ChangeProductToDemo.
Demo 2 • Result (cont.) • (3) Bypassed the first license data validation by skipping over the sequence of code that performed it. • (4) Modified all later license data validations to always succeed, regardless of the presence of the license data in memory.
Demo 2 • Suggestion • Basic code obfuscation techniques can be used: • obscure naming of modules and functions • violating modularity by having many implementations of the same functionality especially for the license checking function • Include error reporting code
Conclusion • With DynInst library: • It is easy to monitor and control almost any running program. • It is also easy to make arbitrary changes that program's behavior.
Conclusion • More significant study is needed for Safe remote execution which includes: • preventing inappropriate operations • preventing undetected modification or spoiling of computational results
Question • We have seen several tamper-proofing/tamper-resistance technique: • Software Guards • Obfuscation • Software aging • How well do they serve in protecting software?