©атсн²² (in)sесuяitу

Because we're damned if we do, and we're damned if we don't!


26C3: secuBT – Hacking the hackers with User-Space Virtualization

Posted by ChrisJohnRiley on December 30, 2009

In the age of coordinated malware distribution and zero-day exploits, security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator.

Aim: To virtualize and encapsulate running programs in order to guard and protect the computer system

Problem

  • Programs can execute any system call
  • Security vulnerabilities can be exploited to make a program issue system calls it was never meant to make
  • Patching is reactive: a hole is closed only after it has been found

Solution

User-space virtualization encapsulates a running program

  • Executed code is checked and validated
  • Code can be wrapped or modified
  • System calls can be controlled

User-space virtualization is implemented through Dynamic Binary Translation

  • secuBT implements a user-space sandbox
  • Dynamic BT provides the virtualization layer
  • A system call interposition framework checks and validates every system call, with additional checks to prevent breakout from the sandbox

Static vs Dynamic translation

Static translation reads the binary and reassembles it into a new binary ahead of time. It is quicker at run time but prone to issues, since code reached only through indirect jumps or generated at run time cannot be resolved before execution.
Dynamic translation translates code as it is executed. This is slightly slower, but it handles exactly those cases and so improves compatibility.

Dynamic translation runs code at two levels:

  • ‘Privileged’ code of the BT library itself
  • Translated user code, which is cached so each block is translated only once

When performing translation the following checks are made:

  • All instructions are checked
  • All (direct and indirect) jump targets are verified
  • All system calls are verified

Security hardening

  • Enforce NX-bit
  • Check ELF headers, regions, and rights
  • Protect internal data structures (mprotect)
  • Check and verify (valid) return addresses
  • Check and verify indirect control transfers

System Call Interposition Framework

Guards and rewrites all system calls: every sysenter and INT 80 is redirected to a validation function.

The validation function can reimplement a syscall entirely in user space, returning a fake response or any chosen value without entering the kernel.

This makes it possible to define a specific set of permitted syscalls (with optional checks on their arguments) and block everything else.
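The validation step described above, as an added example that is not secuBT's code: a user-space syscall validator of the kind the redirected INT 80 / sysenter trap would call, plus the dispatch that either issues the real syscall or hands the sandbox's own value back to the guest. Linux syscall numbers come from <sys/syscall.h>; the policy (which descriptors may be written, the sandbox root for read-only opens, the fake uid, and the address range standing in for the translator's private state) is constructed for illustration.

```c
/* Added example, not secuBT's code: a user-space system-call validation
 * function of the kind the interposition framework redirects INT 0x80 /
 * sysenter traps into. Linux syscall numbers come from <sys/syscall.h>;
 * the policy table, sandbox root, fake uid and the "translator-private"
 * address range are constructed for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

enum verdict { ALLOW, DENY, EMULATE };

struct decision {
    enum verdict v;
    long ret;   /* value returned to the guest for DENY (-errno) or EMULATE */
};

/* Constructed policy parameters. */
#define SANDBOX_ROOT  "/tmp/sandbox/"
#define FAKE_UID      65534L
/* Constructed: range holding the translator's own state (code cache, shadow
   stack, policy tables). The guest must not be able to remap or reprotect it. */
#define BT_PRIVATE_START 0x10000000UL
#define BT_PRIVATE_END   0x10100000UL

static struct decision allow(void)     { struct decision d = { ALLOW, 0 };   return d; }
static struct decision deny(int err)   { struct decision d = { DENY, -err }; return d; }
static struct decision emulate(long r) { struct decision d = { EMULATE, r }; return d; }

static int overlaps_bt_state(unsigned long addr, unsigned long len)
{
    return addr < BT_PRIVATE_END && addr + len > BT_PRIVATE_START;
}

/* The validation function. nr is the syscall number; a[] holds the six
   argument registers exactly as the guest loaded them before the trap. */
struct decision validate_syscall(long nr, const long a[6])
{
    switch (nr) {
    case SYS_read:
    case SYS_close:
    case SYS_exit:
    case SYS_exit_group:
        return allow();

    case SYS_write:
        /* Guest output goes to stdout/stderr only; any other descriptor is refused. */
        return (a[0] == 1 || a[0] == 2) ? allow() : deny(EBADF);

    case SYS_openat: {
        const char *path = (const char *)(uintptr_t)a[1];
        int flags = (int)a[2];
        if (path == NULL)                     return deny(EFAULT);
        if ((flags & O_ACCMODE) != O_RDONLY)  return deny(EACCES);   /* read-only ... */
        if (strncmp(path, SANDBOX_ROOT, strlen(SANDBOX_ROOT)) != 0)
            return deny(EACCES);                                     /* ... inside the sandbox root */
        return allow();
    }

    case SYS_getuid:
    case SYS_geteuid:
        /* Reimplemented in user space: the guest sees a fake identity and
           the kernel is never entered. */
        return emulate(FAKE_UID);

    case SYS_mmap:
    case SYS_mprotect: {
        int prot = (int)a[2];
        /* Enforce NX: the guest never gets executable memory; only the
           translator's code cache is executable. */
        if (prot & PROT_EXEC) return deny(EPERM);
        /* No reprotecting or remapping over translator state. (For mmap the
           address is only a hint; a real sandbox also checks the returned address.) */
        if (overlaps_bt_state((unsigned long)a[0], (unsigned long)a[1]))
            return deny(EPERM);
        return allow();
    }

    default:
        /* Default deny: anything not listed above is blocked, so an injected
           payload's execve/socket/ptrace never reaches the kernel. */
        return deny(ENOSYS);
    }
}

/* What the redirected trap handler does with the decision: issue the real
   syscall for ALLOW, otherwise place the sandbox's own value in the guest's
   return register. */
long dispatch_syscall(long nr, const long a[6])
{
    struct decision d = validate_syscall(nr, a);
    if (d.v == ALLOW)
        return syscall(nr, a[0], a[1], a[2], a[3], a[4], a[5]);
    return d.ret;
}

int main(void)
{
    const char msg[] = "guest says hello\n";
    long w[6]    = { 1, (long)(uintptr_t)msg, (long)sizeof msg - 1, 0, 0, 0 };
    long bad[6]  = { 3, (long)(uintptr_t)msg, (long)sizeof msg - 1, 0, 0, 0 };
    long none[6] = { 0, 0, 0, 0, 0, 0 };

    dispatch_syscall(SYS_write, w);                                      /* allowed: really written */
    printf("write to fd 3 -> %ld\n", dispatch_syscall(SYS_write, bad));  /* -EBADF, kernel not entered */
    printf("getuid -> %ld (emulated)\n", dispatch_syscall(SYS_getuid, none));
    printf("socket -> %ld (default deny)\n", dispatch_syscall(SYS_socket, none));
    return 0;
}
```

The point of the default-deny branch is that a policy lists what the program legitimately needs and nothing else; a shellcode payload that tries `execve` or `socket` gets an error value in the return register and never reaches the kernel, while the emulated `getuid` shows how a "fake response" works without any kernel involvement.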

Overhead
– 7% with binary translation alone, rising to 9% with all security checks enabled

What does secuBT protect ?

  • Heap- and stack-based overflows
  • Return-to-libc style attacks
  • Overwriting of the return instruction pointer (detected via the shadow stack)
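The return-address and indirect-transfer checks listed under "Security hardening" and the shadow stack mentioned above, modelled as an added example that is not secuBT's code. The guest "program" (a main that calls a function with an unchecked copy into a 16-byte buffer), its addresses, and the 24-byte frame layout are constructed; the two checks are what a translator would emit at every translated `call`, `ret` and indirect jump.

```c
/* Added example, not secuBT's code: a model of the two control-flow checks a
 * translating sandbox emits, a shadow stack for return addresses and a
 * known-block table for indirect jump targets. The guest "program", its
 * addresses and the 24-byte stack frame layout are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t gaddr;   /* a guest (original-program) address */

/* Constructed guest layout: main calls func; LIBC_GADGET is where an
   attacker wants control to go. */
enum { GUEST_MAIN = 0x1000, GUEST_MAIN_RET = 0x1010, GUEST_FUNC = 0x1100,
       LIBC_GADGET = 0x7f00 };

/* Basic-block starts the translator has translated so far. In a real DBT this
   is the map from original address to code-cache entry; an indirect jump or
   call may only land on a key in it. */
#define MAX_BLOCKS 16
static gaddr  known_blocks[MAX_BLOCKS];
static size_t n_blocks;

static void register_block(gaddr a) { if (n_blocks < MAX_BLOCKS) known_blocks[n_blocks++] = a; }

int indirect_target_ok(gaddr target)
{
    for (size_t i = 0; i < n_blocks; i++)
        if (known_blocks[i] == target) return 1;
    return 0;   /* mid-instruction address, unmapped page or libc gadget: refused */
}

/* Shadow stack: lives in translator-private memory (mprotect'ed in secuBT)
   that guest code cannot write. */
#define SHADOW_DEPTH 64
static gaddr  shadow[SHADOW_DEPTH];
static size_t shadow_top;

/* Guest stack frame of func: a 16-byte local buffer directly below the saved
   return address, as a compiler would lay it out. */
#define FRAME_SIZE 24
#define RET_OFFSET 16

static gaddr read_ret(const unsigned char *frame)
{
    gaddr r; memcpy(&r, frame + RET_OFFSET, sizeof r); return r;
}

/* Translated `call`: push the return address on the guest stack as usual,
   and keep a private copy on the shadow stack. */
static void translated_call(gaddr ret, unsigned char *frame)
{
    memcpy(frame + RET_OFFSET, &ret, sizeof ret);
    if (shadow_top < SHADOW_DEPTH) shadow[shadow_top++] = ret;
}

/* Translated `ret`: compare the address the guest is about to return to with
   the shadow copy. Returns 1 on match, 0 if the guest stack was tampered with
   (the translator would abort the guest at this point). */
int translated_ret(gaddr guest_ret)
{
    if (shadow_top == 0) return 0;           /* ret with no matching call */
    gaddr expected = shadow[--shadow_top];
    return guest_ret == expected;
}

void init_translator(void)
{
    n_blocks = 0; shadow_top = 0;
    register_block(GUEST_MAIN); register_block(GUEST_FUNC); register_block(GUEST_MAIN_RET);
}

/* Run `main: call func; func: copy input into buf; ret` under the checks.
   The copy has no bound check, so input longer than 16 bytes overwrites the
   saved return address. Returns 1 if the ret is accepted, 0 if rejected,
   -1 if the input would leave the model's own frame. */
int run_guest(const unsigned char *input, size_t n)
{
    unsigned char frame[FRAME_SIZE];
    if (n > FRAME_SIZE) return -1;
    init_translator();
    translated_call(GUEST_MAIN_RET, frame);  /* main -> func */
    memcpy(frame, input, n);                 /* func's unchecked copy into buf */
    return translated_ret(read_ret(frame));  /* func's ret */
}

int main(void)
{
    unsigned char benign[8] = "hello";
    unsigned char evil[FRAME_SIZE];
    gaddr target = LIBC_GADGET;
    memset(evil, 'A', RET_OFFSET);
    memcpy(evil + RET_OFFSET, &target, sizeof target);   /* overflow that rewrites the saved ret */

    printf("benign input:   ret %s\n", run_guest(benign, sizeof benign) ? "accepted" : "rejected");
    printf("overflow input: ret %s\n", run_guest(evil, sizeof evil) ? "accepted" : "rejected");
    printf("indirect jump to gadget: %s\n", indirect_target_ok(target) ? "allowed" : "refused");
    return 0;
}
```

Two things the model makes visible: the overflow succeeds in overwriting the guest's saved return address (nothing stops the write itself), but the translated `ret` is the first place control would leave the function, and it is where the shadow copy exposes the mismatch; and a return-to-libc target fails the separate block-table check as well, because the translator never translated a block starting there.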

More information can be found at the following locations :

  • http://events.ccc.de/congress/2009/Fahrplan/events/3515.en.html
  • secuBT paper (PDF)
  • secuBT project page (link)
