Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: secuBT

26C3: secuBT – Hacking the hackers with User-Space Virtualization

secuBT – Hacking the hackers with User-Space Virtualization

In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator.

Aim: To visualize and encapsulate running programs to guard and protect the computer system


  • programs can execute any system call
  • Security vulnerabilities can be used to execute unintended system calls
  • Patches are a reactive form of dealing with the problem


User-space virtualization encapsulates a running program

  • Executed code is checked and validated
  • Code can be wrapped or modified
  • System calls can be controlled

User-space virtualization is implemented through Dynamic Binary Translation

  • secuBT implements a User-Space sandbox
  • Dynamic BT used for virtualization layer
  • System calls interposition framework – Checks and validates system calls, implements checks to avoid breakout

Static vs Dynamic translation

Static reads the binary, reassembles it into a new binary after processing – This is prone to issues, but is quicker
Dynamic translates all code as it gets executed – This is slightly slower, but improves compatibility

Dynamic Translation implements two levels of code execution:

  • ‘Privileged’ code of BT library
  • Translated and cached user code

When performing translation the following checks are made:

  • All instructions are checked
  • All (direct and indirect) jump targets are verified
  • All system calls are verified

Security hardening

  • Enforce NX-bit
  • Check ELF headers, regions, and rights
  • Protect internal data structures (mprotect)
  • Check and verify (valid) return addresses
  • Check and verify indirect control transfers

System Call Interposition Framework

Guards and rewrites all system calls through sysenter & INT 80 redirection to a validation function

The validation function can reimplement the syscall in user-space (allows fake responses or return a value as desired)

This allows a specific set of permitted syscalls to be defined, and unwanted syscalls can be blocked.

– 7% only using Binary Translation,  increasing to 9% with all security implementations in place

What does secuBT protect ?

  • Heap and stack based overflow
  • Return to libc style attacks
  • Overwriting the return instruction pointer (using shadow stack)

More information can be found at the following locations :