Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: exploitation

26C3: secuBT – Hacking the hackers with User-Space Virtualization

secuBT – Hacking the hackers with User-Space Virtualization

In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator.

Aim: To visualize and encapsulate running programs to guard and protect the computer system


  • programs can execute any system call
  • Security vulnerabilities can be used to execute unintended system calls
  • Patches are a reactive form of dealing with the problem


User-space virtualization encapsulates a running program

  • Executed code is checked and validated
  • Code can be wrapped or modified
  • System calls can be controlled

User-space virtualization is implemented through Dynamic Binary Translation

  • secuBT implements a User-Space sandbox
  • Dynamic BT used for virtualization layer
  • System calls interposition framework – Checks and validates system calls, implements checks to avoid breakout

Static vs Dynamic translation

Static reads the binary, reassembles it into a new binary after processing – This is prone to issues, but is quicker
Dynamic translates all code as it gets executed – This is slightly slower, but improves compatibility

Dynamic Translation implements two levels of code execution:

  • ‘Privileged’ code of BT library
  • Translated and cached user code

When performing translation the following checks are made:

  • All instructions are checked
  • All (direct and indirect) jump targets are verified
  • All system calls are verified

Security hardening

  • Enforce NX-bit
  • Check ELF headers, regions, and rights
  • Protect internal data structures (mprotect)
  • Check and verify (valid) return addresses
  • Check and verify indirect control transfers

System Call Interposition Framework

Guards and rewrites all system calls through sysenter & INT 80 redirection to a validation function

The validation function can reimplement the syscall in user-space (allows fake responses or return a value as desired)

This allows a specific set of permitted syscalls to be defined, and unwanted syscalls can be blocked.

– 7% only using Binary Translation,  increasing to 9% with all security implementations in place

What does secuBT protect ?

  • Heap and stack based overflow
  • Return to libc style attacks
  • Overwriting the return instruction pointer (using shadow stack)

More information can be found at the following locations :

SANS SEC:709 – Developing Exploits for Penetration Testers – Day 2

SANS SEC:709 – Developing Exploits for Penetration Testers – Day 2

I didn’t get a chance to post up my thoughts on the second day of the SEC:709 class before leaving London, so here’s a quick recap of the second day.

Today we began looking at the Windows side of exploit writing. Although in theory things are slightly harder with Windows exploitation than with Linux (at least at the level we were working at), things seemed to click on the second day. Whereas the first day was new concepts mixed with exercises to show how things work, the second day looked at the same points made in day 1 from a Windows standpoint. The examples were a chance to review some points from day 1 in a new light, and introduce some new points. The day was finished off with a Capture the Flag. Most people managed to get a couple of flags at least, but with the limited time, and a raging brain ache from “drinking from the fire-hose” so to speak, it was slow going. One person managed to get almost all the flags, which was impressive given the time spent learning these points. I guess with some more reviewing of the topics and some practice, I’ll be able to get the hang of this mystical side to penetration testing and security research.

Overall the course was very fun. As it’s a 700 level course (from my understanding SANS does 400, 500, 600 and now 700 level courses. 400 being the basics, through to 700, which is, more than a little advanced) so you get what you ask for. It’s high-tech from moment 1, and the pace is fast and furious. It’s not one of those courses where you can get into class 10 minutes late from lunch and still catchup. If you miss a concept, then everything that follows will be that much harder to grasp. Stephen Sims (the class author and the teacher for the London class) is looking to take the class to 4 days. I think this would make the concepts easier to grasp, as more time could be spent in labs to drill the concepts into your head. One of the other facilitators (class helpers, of which I was lucky enough to be one) said that the 4 day course should be the contents from days 1 and 2 repeated twice ;). Still Stephen said he wants to put more into the 4 day course. So keep your eyes peeled for that in the near future.

Overall my time in London was great. I managed to meet some really smart people, and the SANS Christmas dinner was really fun. Working as a facilitator for a SANS conference is fun, but a lot of work. If you’re thinking of try it out, expect a lot of >12 hour days, and bleeding fingers. Still, from my experiences it’s 100% worth it. Just getting a chance to work with the SANS instructors and staff is reward enough. If anybody will be attending the upcoming SANS Munich 2009 (June/July time) then looking for a stressed and tired looking facilitator, it’ll probably be me…

SANS SEC:709 – Developing Exploits for Penetration Testers – Day 1

SANS SEC:709 – Developing Exploits for Penetration Testers – Day 1

Day 1 of the SEC:709 course is finished. Before I give some points on the course, I want to say that I’m not a coder, and to be honest, scripting is enough of a challenge for me. So, when I said I’d facilitate for the course, I knew things would be above my head. Still, 50% through and I’m surprised at how much clearer things seem.

Day 1 covered the Linux side of exploit writing, as well as covering the basic points needed for tomorrows trip into the world of Windows. The pace is hectic and fast paced. Then again, with the amount to cover and the topics being highly technical (this is a SANS 700 level course), the exercises will need to be redone, and redone, and then once more to be sure. These are not the kind of labs you can GET in one try. Sure some of the basics fit together without too much brain ache, but the more advanced (well advanced for me) stuff will need some more work.

If you’re a penetration tester who wants to move beyond Metasploit and into the world of custom proof of concepts, then this is a great introduction. No 2 day course will take you from A to Z, but this one will give you the foundation to build on. I’ll let you know how day 2 does tomorrow… that is, if I survive 😉