26C3: secuBT – Hacking the hackers with User-Space Virtualization

Posted on December 30, 2009 by ChrisJohnRiley| Leave a comment

secuBT – Hacking the hackers with User-Space Virtualization

In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator.

Aim: To visualize and encapsulate running programs to guard and protect the computer system

Problem

  • programs can execute any system call
  • Security vulnerabilities can be used to execute unintended system calls
  • Patches are a reactive form of dealing with the problem

Solution

User-space virtualization encapsulates a running program

  • Executed code is checked and validated
  • Code can be wrapped or modified
  • System calls can be controlled

User-space virtualization is implemented through Dynamic Binary Translation

  • secuBT implements a User-Space sandbox
  • Dynamic BT used for virtualization layer
  • System calls interposition framework – Checks and validates system calls, implements checks to avoid breakout

Static vs Dynamic translation

Static reads the binary, reassembles it into a new binary after processing – This is prone to issues, but is quicker
Dynamic translates all code as it gets executed – This is slightly slower, but improves compatibility

Dynamic Translation implements two levels of code execution:

  • ‘Privileged’ code of BT library
  • Translated and cached user code

When performing translation the following checks are made:

  • All instructions are checked
  • All (direct and indirect) jump targets are verified
  • All system calls are verified

Security hardening

  • Enforce NX-bit
  • Check ELF headers, regions, and rights
  • Protect internal data structures (mprotect)
  • Check and verify (valid) return addresses
  • Check and verify indirect control transfers

System Call Interposition Framework

Guards and rewrites all system calls through sysenter & INT 80 redirection to a validation function

The validation function can reimplement the syscall in user-space (allows fake responses or return a value as desired)

This allows a specific set of permitted syscalls to be defined, and unwanted syscalls can be blocked.

Overhead – 7% only using Binary Translation,  increasing to 9% with all security implementations in place

What does secuBT protect ?

  • Heap and stack based overflow
  • Return to libc style attacks
  • Overwriting the return instruction pointer (using shadow stack)

More information can be found at the following locations :

  • http://events.ccc.de/congress/2009/Fahrplan/events/3515.en.html
  • secuBT paper (PDF)
  • secuBT project page (link)

This entry was posted in Conference, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>