Cатсн²² (in)sесuяitу / ChrisJohnRiley

secuBT – Hacking the hackers with User-Space Virtualization

In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator.

Aim: To visualize and encapsulate running programs to guard and protect the computer system

Problem

• programs can execute any system call
• Security vulnerabilities can be used to execute unintended system calls
• Patches are a reactive form of dealing with the problem

Solution

User-space virtualization encapsulates a running program

• Executed code is checked and validated
• Code can be wrapped or modified
• System calls can be controlled

User-space virtualization is implemented through Dynamic Binary Translation

• secuBT implements a User-Space sandbox
• Dynamic BT used for virtualization layer
• System calls interposition framework – Checks and validates system calls, implements checks to avoid breakout

Static vs Dynamic translation

Static reads the binary, reassembles it into a new binary after processing – This is prone to issues, but is quicker
Dynamic translates all code as it gets executed – This is slightly slower, but improves compatibility

Dynamic Translation implements two levels of code execution:

• ‘Privileged’ code of BT library
• Translated and cached user code

When performing translation the following checks are made:

• All instructions are checked
• All (direct and indirect) jump targets are verified
• All system calls are verified

Security hardening

• Enforce NX-bit
• Check ELF headers, regions, and rights
• Protect internal data structures (mprotect)
• Check and verify (valid) return addresses
• Check and verify indirect control transfers

System Call Interposition Framework

Guards and rewrites all system calls through sysenter & INT 80 redirection to a validation function

The validation function can reimplement the syscall in user-space (allows fake responses or return a value as desired)

This allows a specific set of permitted syscalls to be defined, and unwanted syscalls can be blocked.

Overhead – 7% only using Binary Translation,  increasing to 9% with all security implementations in place

What does secuBT protect ?

• Heap and stack based overflow
• Return to libc style attacks
• Overwriting the return instruction pointer (using shadow stack)

More information can be found at the following locations :

• http://events.ccc.de/congress/2009/Fahrplan/events/3515.en.html
• secuBT paper (PDF)
• secuBT project page (link)