The DynamoRIO Dynamic Tool Platform

Derek Bruening
Typical Modern Application: IIS

(diagram only)
Runtime Interposition Layer

  running application
  ------------------------------------------------------------
  DynamoRIO: manipulate every instruction in the running application
  ------------------------------------------------------------
  underlying platform (stock OS, commodity hardware)
Outline

System Overview

Example Tools
• Security
• Debugging

Open Source Project
Direct Code Modification

  e9 37 6f 48 92   jmp <callout>

  Kernel32!TerminateProcess:
  7d4d1028 7c 05               jl    7d4d102f
  7d4d102a 33 c0               xor   %eax,%eax
  7d4d102c 40                  inc   %eax
  7d4d102d eb 08               jmp   7d4d1037
  7d4d102f 50                  push  %eax
  7d4d1030 e8 ed 7c 00 00      call  7d4d8d22

The 5-byte jmp is written over the first bytes of the function. Here it covers exactly the first three instructions (jl, xor, inc: 2 + 2 + 1 bytes), which the callout has to relocate and execute before handing control back at 7d4d102d.
Entry Point Complications

  e9 37 6f 48 92   jmp <callout>

  Kernel32!TerminateProcess:
  7d4d1028 7c 05               jl    7d4d102f
  7d4d102a 33 c0               xor   %eax,%eax
  7d4d102c 40                  inc   %eax
  7d4d102d eb 08               jmp   7d4d1037
  7d4d102f 50                  push  %eax
  7d4d1030 e8 ed 7c 00 00      call  7d4d8d22

Two things make this harder than it looks. The displaced jl is a relative branch, so its displacement must be recomputed for its new location (and may no longer fit in the one-byte form). And any code that branches straight to 7d4d102a or 7d4d102c now lands inside the immediate bytes of the new jmp; the patcher has to know about every such target, which a static view of the binary cannot guarantee.
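As an added worked example (my code, not from the deck or from DynamoRIO), the arithmetic behind the patch above in C: encoding the 5-byte jmp, deciding how many entry-point bytes have to move, re-encoding the displaced jl so it still reaches 7d4d102f from its new home, and flagging branch targets that would land inside the patch. Instruction lengths and addresses are taken from the listing; the callout address 0x0f957f64 is simply what the slide's displacement bytes decode to if the jmp sits at 7d4d1028, and the trampoline address 0x10000000 is made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a 5-byte "jmp rel32" (opcode e9) placed at 'at' that lands on 'target'.
 * The displacement is relative to the end of the jmp, i.e. at + 5. */
void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    int32_t rel = (int32_t)(target - (at + 5));
    out[0] = 0xe9;
    memcpy(out + 1, &rel, 4);                 /* x86 immediates are little-endian */
}

/* Inverse: where does the jmp rel32 sitting at 'at' go? */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t in[5])
{
    int32_t rel;
    memcpy(&rel, in + 1, 4);
    return at + 5 + (uint32_t)rel;
}

/* Given the lengths of the instructions at the entry point, how many bytes (always
 * whole instructions) have to be moved out of the way for a 5-byte jmp?
 * Returns 0 if the function is shorter than 5 bytes. */
size_t bytes_to_relocate(const uint8_t *lens, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n && total < 5; i++)
        total += lens[i];
    return total >= 5 ? total : 0;
}

/* Re-encode a displaced 2-byte "jcc rel8" (7x xx) so that it still reaches its
 * original absolute target from 'new_at'. If the new displacement no longer fits
 * in a signed byte, widen it to the 6-byte "0f 8x rel32" form. Returns the length. */
size_t relocate_jcc_rel8(uint32_t old_at, const uint8_t in[2], uint32_t new_at, uint8_t out[6])
{
    uint32_t target = old_at + 2 + (uint32_t)(int32_t)(int8_t)in[1];
    int32_t rel = (int32_t)(target - (new_at + 2));
    if (rel >= -128 && rel <= 127) {
        out[0] = in[0];
        out[1] = (uint8_t)rel;
        return 2;
    }
    rel = (int32_t)(target - (new_at + 6));
    out[0] = 0x0f;
    out[1] = (uint8_t)(0x80 | (in[0] & 0x0f));   /* jl 7c -> 0f 8c: same condition code */
    memcpy(out + 2, &rel, 4);
    return 6;
}

/* A branch target strictly inside the patched range would execute the middle of the
 * new jmp's immediate. Knowing every such target is the hard part of the problem. */
bool target_inside_patch(uint32_t entry, size_t patch_len, uint32_t target)
{
    return target > entry && target < entry + patch_len;
}

/* Exercise the helpers on the slide's TerminateProcess listing; returns 1 when every
 * result is as expected. */
int self_check(void)
{
    /* instruction lengths at 7d4d1028: jl(2) xor(2) inc(1) jmp(2) push(1) call(5) */
    const uint8_t lens[] = {2, 2, 1, 2, 1, 5};
    if (bytes_to_relocate(lens, 6) != 5) return 0;

    /* the slide's patch bytes, decoded with the jmp sitting at the entry point */
    const uint8_t patch[5] = {0xe9, 0x37, 0x6f, 0x48, 0x92};
    uint32_t callout = decode_jmp_rel32(0x7d4d1028, patch);
    uint8_t re[5];
    encode_jmp_rel32(0x7d4d1028, callout, re);
    if (callout != 0x0f957f64u || memcmp(re, patch, 5) != 0) return 0;

    /* moving "7c 05 jl 7d4d102f" to a far-away trampoline needs the rel32 form */
    const uint8_t jl[2] = {0x7c, 0x05};
    uint8_t out[6];
    if (relocate_jcc_rel8(0x7d4d1028, jl, 0x10000000, out) != 6) return 0;
    if (out[0] != 0x0f || out[1] != 0x8c) return 0;
    int32_t rel;
    memcpy(&rel, out + 2, 4);
    if (0x10000000u + 6 + (uint32_t)rel != 0x7d4d102fu) return 0;

    /* a hypothetical caller that jumps straight to the xor at 7d4d102a is now broken ... */
    if (!target_inside_patch(0x7d4d1028, 5, 0x7d4d102a)) return 0;
    /* ... while the jl's own target 7d4d102f lies past the patch and stays valid */
    if (target_inside_patch(0x7d4d1028, 5, 0x7d4d102f)) return 0;
    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("self_check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The widening case is the one that bites in practice: a trampoline is rarely within 127 bytes of the original code, so a relocated short conditional branch almost always grows, which changes the size of the copied sequence and therefore the displacement of everything after it.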
Basic Interpreter

  application code: foo(), bar(), made up of basic blocks A through F
  interpreter: fetch -> decode -> execute, for every instruction

Slowdown: ~300x
Improvement #1: Basic Block Cache

  application code: foo(), bar(), basic blocks A through F
  software code cache: DynamoRIO copies each basic block into the cache the first time it executes; later executions run the cached copy (A, C, D, E, F; B was never reached)

Slowdown: 300x -> 25x
Improvement #2: Linking Direct Branches

  application code: foo(), bar(), basic blocks A through F
  software code cache: A, C, D, E, F; direct branches between cached blocks are linked to each other inside the cache, so control no longer returns to DynamoRIO at every block exit

Slowdown: 300x -> 25x -> 3x
Improvement #3: Linking Indirect Branches

  application code: foo(), bar(), basic blocks A through F
  software code cache: A, C, D, E, F; an indirect branch (E -> F here) is resolved by an indirect branch lookup that runs inside the cache instead of returning to DynamoRIO

Slowdown: 300x -> 25x -> 3x -> 1.2x
Improvement #4: Building Traces

  application code: foo(), bar(), basic blocks A through F
  software code cache: the hot path A, C, D, E, cmp, F is stitched into a single trace; the indirect branch at the end of E becomes an inline cmp against the expected target, with the indirect branch lookup only as the fallback

Slowdown: 300x -> 25x -> 3x -> 1.2x -> 1.1x
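To make the progression above concrete, here is an added toy model (my own code, not DynamoRIO's) that counts how often control has to leave the cached code for the dispatcher under each of the first four stages. The program shape (blocks A to F, with E ending in an indirect branch back to A) and the per-block instruction counts are constructed to mirror the slides; traces are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* The stages on the slides, in order. */
enum level { INTERPRET = 0, BB_CACHE = 1, LINK_DIRECT = 2, LINK_INDIRECT = 3 };

enum term { T_DIRECT, T_INDIRECT, T_EXIT };

typedef struct {
    int ninstrs;        /* instructions in the basic block */
    enum term kind;     /* how the block ends */
    int direct_target;  /* successor for T_DIRECT */
} block_t;

/* Constructed program shaped like the slides' blocks A..F: the loop A -> C -> D -> E is
 * closed by an indirect branch at E (think of a return, or a call through a function
 * pointer) that goes back to A, and on the last trip to F. B is never executed. */
enum { A, B, C, D, E, F, NBLOCKS };
static const block_t prog[NBLOCKS] = {
    [A] = {3, T_DIRECT, C},  [B] = {2, T_DIRECT, D},    [C] = {4, T_DIRECT, D},
    [D] = {2, T_DIRECT, E},  [E] = {5, T_INDIRECT, -1}, [F] = {1, T_EXIT, -1},
};

/* Run the program for 'iterations' trips around the loop and count how often control
 * leaves the application's code for the interpreter/dispatcher (the expensive context
 * switch). INTERPRET pays per instruction; BB_CACHE pays once per block executed; with
 * direct branches linked only cache misses and indirect branches still exit; with the
 * indirect branch lookup in the cache only cache misses exit. */
long dispatcher_exits(enum level lvl, int iterations)
{
    bool cached[NBLOCKS] = {false};
    enum { ARRIVE_START, ARRIVE_DIRECT, ARRIVE_INDIRECT } how = ARRIVE_START;
    long exits = 0;
    int cur = A, trips = 0;

    for (;;) {
        if (lvl == INTERPRET) {
            exits += prog[cur].ninstrs;              /* fetch, decode, execute each one */
        } else {
            bool miss = !cached[cur];                 /* block must be copied into the cache */
            bool unlinked = lvl == BB_CACHE ||        /* nothing is linked at this stage */
                            (lvl == LINK_DIRECT && how == ARRIVE_INDIRECT);
            if (how == ARRIVE_START || miss || unlinked)
                exits++;
            cached[cur] = true;
        }
        switch (prog[cur].kind) {
        case T_DIRECT:
            how = ARRIVE_DIRECT;
            cur = prog[cur].direct_target;
            break;
        case T_INDIRECT:
            how = ARRIVE_INDIRECT;
            cur = (++trips < iterations) ? A : F;
            break;
        case T_EXIT:
            return exits;
        }
    }
}

int main(void)
{
    static const char *names[] = {"interpreter", "basic block cache",
                                  "+ direct links", "+ indirect lookup"};
    for (int lvl = INTERPRET; lvl <= LINK_INDIRECT; lvl++)
        printf("%-20s exits to dispatcher over 1000 loop trips: %ld\n",
               names[lvl], dispatcher_exits((enum level)lvl, 1000));
    return 0;
}
```

For 1000 trips the four stages give 14001, 4001, 1004 and 5 exits respectively: once both branch kinds are linked, the dispatcher is only involved when a block is first brought into the cache, which is why the remaining overhead on the slides drops to a few percent.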
Tool Platform

  application code: foo(), bar(), basic blocks A through F
  tool code: the tool's own instrumentation (X) is inserted into the cached copies alongside the application's blocks (A, C, X, D, E, cmp, F)
  DynamoRIO: builds the blocks and traces and provides the indirect branch lookup
Transparency

Do not want to interfere with the semantics of the program

Dangerous to make any assumptions about:
• Register usage
• Calling conventions
• Stack layout
• Memory/heap usage
• I/O and other system call use
Painful, But Necessary

Difficult and costly to handle corner cases

Many applications will not notice…

…but some will!
• Microsoft Office: Visual Basic generated code, stack convention
  violations
• COM, StarOffice, MMC: trampolines
• Adobe Premiere: self-modifying code
• VirtualDub: UPX-packed executable
• etc.
Avoid Resource Conflicts

(diagram: Linux and Windows)
DynamoRIO Demo

Inserts counters into every basic block

Counters are visible via shared memory
Outline

System Overview

Example Tools
• Security
• Debugging

Open Source Project
Anatomy of an Attack

• ENTER: from the network
• CORRUPT DATA: in system and application memory
• HIJACK PROGRAM COUNTER
• COMPROMISE: the kernel
Critical Data: Control Flow Indirection

Subroutine calls
• Return address and activation records on visible stack

Dynamic library linking
• Function exports and imports

Object oriented polymorphism: dynamic dispatch
• Vtables

Callbacks – registered function pointers
• Event dispatch, atexit

Exception handling

Any problem in computer science can be solved with another layer
of indirection.
                          - David Wheeler
Critical Data: Control Flow Exploits

Return address overwrite
• Classic buffer overflow

GOT overwrite

Object pointer overwrite or uninitialized use

Function pointer overwrite
• Heap, stack, data, PEB

Exception handler overwrites
• SEH exploits


Any problem in computer science can be solved with another layer
of indirection. But that usually will create another problem.
                         - David Wheeler
Preventing Data Corruption Is Difficult

Stored program addresses legitimately manipulated by
many different entities
• Dynamic linker, language runtime

Intermingled with regular data
• Return addresses on stack
• Vtables in heap

Even if we could distinguish a good write from a bad write, it is too
expensive to monitor all data writes
Insight: Hijack Violates Execution Model

(diagram: the typical application execution model uses only part of the hardware interface; a security attack relies on the part outside it)

Goal: Shrink Hardware Interface

(diagram: constrain the hardware interface to what the typical application execution model needs, leaving the security attack outside)
Program Shepherding

Monitor all control-flow transfers during program execution
• DynamoRIO is in perfect position to do this

Validate that each transfer satisfies security policy based
on execution model
• Application Binary Interface (ABI): calling convention, library
  invocation

The application may be damaged by data corruption, but
the system will not be compromised by hijacking control
flow
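An added, deliberately small policy checker (my code, not Program Shepherding's or DynamoRIO's implementation) showing the two restrictions the slides describe: code origins (only code loaded from an image may run) and control transfers (returns only to the instruction after a call, indirect calls only to function entry points). The address map and the tables are constructed; only the entry 0x7d4d1028 and the after-call address 0x7d4d1035 (the byte after the 5-byte call at 0x7d4d1030) come from the TerminateProcess listing earlier in the deck. The attacks exercised are the ones listed under Control Flow Exploits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Kinds of transfer whose target is only known at run time. Direct branches inside a
 * module have fixed targets and need no per-execution check. */
typedef enum { XFER_RETURN, XFER_INDIRECT_CALL, XFER_INDIRECT_JMP } xfer_kind_t;

typedef struct { uint32_t start, end; bool code; } region_t;   /* [start, end) */

/* Constructed address map: code that came from an executable image, and data regions
 * (stack, heap) that must never be executed. */
static const region_t regions[] = {
    {0x00401000, 0x00410000, true},    /* application .text */
    {0x7d4d0000, 0x7d520000, true},    /* system library code */
    {0x0012f000, 0x00130000, false},   /* thread stack */
    {0x00350000, 0x00360000, false},   /* heap */
};

/* Tables a monitor fills in as it sees code: the instruction following every call
 * (the only legal return targets) and function entry points (the only legal targets
 * for calls through pointers). Constructed, except the two TerminateProcess addresses. */
static const uint32_t after_call[]   = {0x00401234, 0x004015a0, 0x7d4d1035};
static const uint32_t entry_points[] = {0x00401000, 0x00401500, 0x7d4d1028};

static bool in_code(uint32_t a)
{
    for (size_t i = 0; i < COUNT(regions); i++)
        if (a >= regions[i].start && a < regions[i].end)
            return regions[i].code;
    return false;                                  /* unmapped: never executable */
}

static bool in_set(const uint32_t *set, size_t n, uint32_t a)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == a) return true;
    return false;
}

/* Policy: (1) restricted code origins, the target must lie in code loaded from an image;
 * (2) restricted control transfers, each kind may only land where the execution model
 * (ABI, library invocation) says it can. Returns true if the transfer may proceed. */
bool transfer_allowed(xfer_kind_t kind, uint32_t target)
{
    if (!in_code(target))
        return false;                  /* injected code on the stack or heap never runs */
    switch (kind) {
    case XFER_RETURN:        return in_set(after_call, COUNT(after_call), target);
    case XFER_INDIRECT_CALL: return in_set(entry_points, COUNT(entry_points), target);
    case XFER_INDIRECT_JMP:  return true;   /* only the origin check in this toy */
    }
    return false;
}

/* The attacks from the Control Flow Exploits slide, as the transfers this policy sees.
 * Returns how many of the 4 were blocked, or -1 if a legitimate transfer was refused. */
int self_check(void)
{
    int blocked = 0;
    /* legitimate: return to the byte after the call at 0x7d4d1030; call to an entry point */
    if (!transfer_allowed(XFER_RETURN, 0x7d4d1035)) return -1;
    if (!transfer_allowed(XFER_INDIRECT_CALL, 0x7d4d1028)) return -1;
    /* classic buffer overflow: return into shellcode on the stack */
    blocked += !transfer_allowed(XFER_RETURN, 0x0012f800);
    /* return-into-libc: return straight to a library function's entry */
    blocked += !transfer_allowed(XFER_RETURN, 0x7d4d1028);
    /* overwritten vtable or function pointer aimed at heap data */
    blocked += !transfer_allowed(XFER_INDIRECT_CALL, 0x00351000);
    /* overwritten function pointer aimed into the middle of a function */
    blocked += !transfer_allowed(XFER_INDIRECT_CALL, 0x00401234);
    return blocked;
}

int main(void)
{
    int n = self_check();
    printf("attacks blocked: %d of 4\n", n);
    return n == 4 ? 0 : 1;
}
```

Note what this policy does not catch: a return address overwritten with some other existing after-call site passes the return check, which is why a real deployment layers more restrictions than one table. And, exactly as the slide says, it constrains where control may go, not what data was already corrupted.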
Outline

System Overview

Example Tools
• Security
• Debugging

Open Source Project
Memory Bugs

Memory bugs are challenging to detect and fix
• Memory corruption, reading uninitialized memory, memory leaks

Observable symptoms resulting from memory bugs are
often delayed and non-deterministic
• Errors are difficult to discover during regular testing
• Testing usually relies on randomly happening to hit visible symptoms
• The sources of these bugs are painful and time-consuming to track
  down from observed crashes

Memory bugs often remain in shipped products and can
show up in customer usage
Dr. Memory

Detects unaddressable memory
accesses
• Wild access to invalid address
• Use-after-free
• Buffer and array overflow and underflow
• Read beyond top of stack
• Invalid free, double free

Detects uninitialized memory reads

Detects memory leaks
Implementation Strategy

Track the state of application memory using shadow
memory
• Track whether allocated and whether defined

Monitor every memory-related action by the application:
• System call
• malloc, realloc, calloc, free, mmap, munmap, mremap
• Memory read or write
• Stack adjustment

At exit or on request, scan memory to check for leaks
Shadow Metadata

Shadow each byte of memory with one of 3 states: unaddressable, uninitialized, defined

Transitions:
• unaddressable -> uninitialized: allocate (malloc, stack)
• unaddressable -> defined: allocate (mmap, calloc)
• uninitialized -> defined: write
• uninitialized -> unaddressable: deallocate
• defined -> unaddressable: deallocate
Shadow Memory

Stack and its shadow (top to bottom):
• defined
• uninit
• defined
• unaddr (beyond the top of the stack)

Heap and its shadow:
• header: unaddr
• malloc'ed block: defined, uninit, defined
• padding: unaddr
• header: unaddr
• freed block: unaddr
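The three-state machine and the shadow heap layout above, as an added simulation in C (my code, not Dr. Memory's): a byte-granular shadow array over a 256-byte toy address space, a bump allocator with an unaddressable header and redzone, and checks that report the bug classes listed on the Dr. Memory slide. The stack is left out, mmap is treated like calloc, and the leak scan only looks for direct references, all simplifications of mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum shadow { UNADDR = 0, UNINIT = 1, DEFINED = 2 };   /* the three states on the slide */
enum report { OK = 0, ERR_UNADDR, ERR_UNINIT_READ, ERR_INVALID_FREE };

#define MEM_SIZE   256   /* simulated application address space */
#define HDR        4     /* allocator header holding the block size; never addressable */
#define REDZONE    4     /* padding after each block; never addressable */
#define MAX_ALLOCS 16

static uint8_t mem[MEM_SIZE];      /* application bytes */
static uint8_t shadow[MEM_SIZE];   /* one shadow byte per application byte, all UNADDR */
static size_t  brk;                /* bump pointer of the toy heap */
static struct { size_t addr, size; bool live; } allocs[MAX_ALLOCS];
static int nallocs;

/* malloc leaves the bytes addressable but uninitialized; calloc/mmap (zeroed) makes them defined. */
size_t sim_alloc(size_t n, bool zeroed)
{
    if (nallocs == MAX_ALLOCS || brk + HDR + n + REDZONE > MEM_SIZE) return 0;
    size_t addr = brk + HDR;
    uint32_t sz = (uint32_t)n;
    memcpy(mem + brk, &sz, HDR);
    if (zeroed) memset(mem + addr, 0, n);
    memset(shadow + addr, zeroed ? DEFINED : UNINIT, n);
    allocs[nallocs].addr = addr;
    allocs[nallocs].size = n;
    allocs[nallocs].live = true;
    nallocs++;
    brk = addr + n + REDZONE;
    return addr;
}

/* free must name the start of a live block; the block then becomes unaddressable again. */
enum report sim_free(size_t addr)
{
    for (int i = 0; i < nallocs; i++) {
        if (allocs[i].addr != addr) continue;
        if (!allocs[i].live) return ERR_INVALID_FREE;          /* double free */
        allocs[i].live = false;
        memset(shadow + addr, UNADDR, allocs[i].size);
        return OK;
    }
    return ERR_INVALID_FREE;               /* interior pointer, stack, or never allocated */
}

/* Each access consults the shadow first. Unaddressable wins over uninitialized. */
enum report sim_read(size_t addr, size_t n, void *out)
{
    if (addr + n > MEM_SIZE) return ERR_UNADDR;
    enum report r = OK;
    for (size_t i = 0; i < n; i++) {
        if (shadow[addr + i] == UNADDR) return ERR_UNADDR;   /* overflow, underflow, use-after-free */
        if (shadow[addr + i] == UNINIT) r = ERR_UNINIT_READ;
    }
    if (out) memcpy(out, mem + addr, n);
    return r;
}

/* A write to addressable bytes makes them defined, whatever their state before. */
enum report sim_write(size_t addr, const void *src, size_t n)
{
    if (addr + n > MEM_SIZE) return ERR_UNADDR;
    for (size_t i = 0; i < n; i++)
        if (shadow[addr + i] == UNADDR) return ERR_UNADDR;
    memcpy(mem + addr, src, n);
    memset(shadow + addr, DEFINED, n);
    return OK;
}

/* Exit-time leak scan: a live block whose address appears in no fully defined, aligned
 * word is unreachable. Direct references only; a real scan follows pointer chains. */
int leak_scan(void)
{
    int leaks = 0;
    for (int i = 0; i < nallocs; i++) {
        if (!allocs[i].live) continue;
        bool referenced = false;
        for (size_t a = 0; a + 4 <= MEM_SIZE && !referenced; a += 4) {
            if (shadow[a] != DEFINED || shadow[a + 1] != DEFINED ||
                shadow[a + 2] != DEFINED || shadow[a + 3] != DEFINED) continue;
            uint32_t v;
            memcpy(&v, mem + a, 4);
            referenced = (v == allocs[i].addr);
        }
        if (!referenced) leaks++;
    }
    return leaks;
}

/* Walk through the bugs Dr. Memory reports; returns 1 when every one is caught as expected. */
int self_check(void)
{
    uint8_t buf[4];
    size_t p = sim_alloc(8, false);                              /* malloc(8) */
    if (p == 0 || sim_read(p, 4, buf) != ERR_UNINIT_READ) return 0;   /* uninitialized read */
    if (sim_write(p, "abcd", 4) != OK || sim_read(p, 4, buf) != OK) return 0;
    if (sim_read(p + 6, 4, buf) != ERR_UNADDR) return 0;         /* overflow into the redzone */
    if (sim_read(p - 1, 1, buf) != ERR_UNADDR) return 0;         /* underflow into the header */
    size_t q = sim_alloc(4, true);                               /* calloc: defined at once */
    if (q == 0 || sim_read(q, 4, buf) != OK) return 0;
    uint32_t ref = (uint32_t)q;
    if (sim_write(p, &ref, 4) != OK) return 0;                   /* p now points at q */
    if (leak_scan() != 1) return 0;                              /* only p is unreferenced */
    if (sim_free(p) != OK) return 0;
    if (sim_read(p, 1, buf) != ERR_UNADDR) return 0;             /* use-after-free */
    if (sim_free(p) != ERR_INVALID_FREE) return 0;               /* double free */
    if (sim_free(q + 2) != ERR_INVALID_FREE) return 0;           /* invalid (interior) free */
    return leak_scan() == 1;                                     /* q is now leaked */
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

Two details carry over to the real tool: the header and padding are what turn small overflows and underflows into unaddressable accesses rather than silent corruption, and freeing a block makes it unaddressable rather than uninitialized, which is what distinguishes a use-after-free from a plain uninitialized read.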
Performance Comparison

(chart: Dr. Memory versus Valgrind across a set of benchmarks; Valgrind failed on two of them)
Outline

System Overview

Example Tools
• Security
• Debugging

Open Source Project
DynamoRIO History

• Dynamo @HP Labs on PA-RISC, late 1990s
• Dynamo @HP Labs on x86, 2000
• RIO @MIT (Runtime Introspection and Optimization), 1999
• Dynamo + RIO = DynamoRIO, 2001
DynamoRIO History Cont'd

• DynamoRIO @MIT, 2001
• Binary releases, 2002
• Determina security startup, 2003
• VMware acquires Determina, 2007
• Open-sourced under a BSD license, 2009
• Google sponsors Dr. Memory, 2010
DynamoRIO Team

(logos: DynamoRIO @MIT, Determina security startup, VMware, Google sponsors Dr. Memory)
DynamoRIO Open Source Project

http://dynamorio.org

Google Code
• BSD license
• Subversion repository
     300 KLOC
     Mostly C, some assembly
• Issue tracker

Google Groups
• User discussion forum/mailing list
• Developer mailing list
Dr. Memory Open Source Project

Google Code
• http://code.google.com/p/drmemory
• LGPL 2.1 license
• Subversion repository
     67 KLOC
     Mostly C

• Issue tracker

Google Groups
• User discussion forum/mailing list
• Developer mailing list
Potential Projects

Build a New Tool
• Code coverage
• Fuzzer
• Profiler: basic block, edge, function, etc.
• Malware sandbox
• Reverse engineering

Contribute to an Existing Tool
• Dr. Memory or Dr. Heapstat
• Revive PiPA or UMI
Potential Projects Cont’d

Build a Tool Library
• Control flow, call graph, data dependence analysis
• Symbol table access

Contribute to Platform
• Buffer filling API
• Probe API
• Port to MacOS
• Port to ARM
• Debugger integration

Dynamorio rpioss-aug2011

  • 1. The DynamoRIO Dynamic Tool Platform. Derek Bruening
  • 3. Runtime Interposition Layer
      • running application
      • DynamoRIO: manipulate every instruction in running application
      • underlying platform (stock OS, commodity hardware)
  • 4. Outline
      • System Overview
      • Example Tools: Security, Debugging
      • Open Source Project
  • 5. Direct Code Modification
        e9 37 6f 48 92               jmp   <callout>
        Kernel32!TerminateProcess:
        7d4d1028 7c 05               jl    7d4d102f
        7d4d102a 33 c0               xor   %eax,%eax
        7d4d102c 40                  inc   %eax
        7d4d102d eb 08               jmp   7d4d1037
        7d4d102f 50                  push  %eax
        7d4d1030 e8 ed 7c 00 00      call  7d4d8d22
  • 6. Entry Point Complications (same jmp <callout> and Kernel32!TerminateProcess listing as slide 5)
  • 7. Basic Interpreter: application code (foo(), bar(); basic blocks A to F) run through an interpreter loop: fetch, decode, execute. Slowdown: ~300x
  • 8. Improvement #1: Basic Block Cache: DynamoRIO copies each basic block (A to F) into a software code cache and executes it from there. Slowdown: 300x → 25x
  • 9. Improvement #2: Linking Direct Branches: direct branches between cached blocks jump straight to the target block instead of returning to DynamoRIO. Slowdown: 300x → 25x → 3x
  • 10. Improvement #3: Linking Indirect Branches: indirect branches are resolved by an indirect branch lookup inside the code cache. Slowdown: 300x → 25x → 3x → 1.2x
  • 11. Improvement #4: Building Traces: hot block sequences are stitched into traces; an inlined cmp checks the indirect branch target against the trace's expected next block and falls back to the indirect branch lookup on mismatch. Slowdown: 300x → 26x → 3x → 1.2x → 1.1x
  • 12. Tool Platform: tool code (X) is inserted into the cached blocks alongside the application code
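The four cost reductions on slides 7 to 10 come from cutting the number of times control leaves the code cache and re-enters the runtime's dispatcher. The following cost model is an added example, not DynamoRIO code: it runs a constructed five-block toy program (the control-flow graph, the instruction counts and the run-time choice in block 1 are all made up for the illustration) under each dispatch strategy and counts dispatcher entries, fragments built and in-cache indirect lookups. Trace building (slide 11) is not modelled.

```c
#include <stdio.h>
#include <string.h>

#define NBLOCKS 5

typedef struct {
    int ninstrs;    /* instructions in the block */
    int indirect;   /* 1: exit target is only known at run time (ret / indirect jmp) */
} app_block_t;

/* Constructed control-flow graph: 0 -> 1 -> (2 | 3, chosen at run time) -> 4 -> 0 ... */
static const app_block_t app[NBLOCKS] = {
    { 3, 0 }, { 2, 1 }, { 4, 0 }, { 1, 0 }, { 2, 0 },
};

/* Application semantics (constructed): block 1 picks 2 or 3 by iteration parity,
 * block 4 loops back until the iteration budget is spent and then exits (-1). */
static int next_block(int cur, int iter, int niters) {
    switch (cur) {
    case 0: return 1;
    case 1: return (iter % 2 == 0) ? 2 : 3;
    case 2: case 3: return 4;
    default: return (iter + 1 < niters) ? 0 : -1;
    }
}

typedef enum {
    MODE_INTERP,    /* slide 7: every instruction goes through fetch/decode/execute */
    MODE_CACHE,     /* slide 8: blocks copied to a code cache, dispatcher between blocks */
    MODE_LINK,      /* slide 9: direct exits linked fragment-to-fragment */
    MODE_LINK_IBL   /* slide 10: indirect exits resolved by an in-cache lookup */
} sim_mode_t;

typedef struct {
    long instrs;              /* application instructions executed (same in all modes) */
    long dispatcher_entries;  /* context switches into the runtime: the cost being cut */
    long fragments_built;     /* blocks copied into the cache */
    long ibl_lookups;         /* in-cache indirect branch lookups */
} sim_stats_t;

/* Returns the number of dispatcher entries for `niters` loop iterations. */
static long simulate(sim_mode_t mode, int niters, sim_stats_t *st) {
    int present[NBLOCKS] = {0};            /* is the block in the code cache? */
    int linked[NBLOCKS][NBLOCKS] = {{0}};  /* has the exit src->dst been linked? */
    int cur = 0, iter = 0;
    memset(st, 0, sizeof *st);
    if (mode != MODE_INTERP) st->dispatcher_entries = 1;   /* initial entry */
    while (cur != -1) {
        int nxt, to_dispatcher = 0;
        st->instrs += app[cur].ninstrs;
        if (mode == MODE_INTERP) {
            st->dispatcher_entries += app[cur].ninstrs;    /* one per instruction */
        } else if (!present[cur]) {
            present[cur] = 1;                              /* dispatcher builds the fragment */
            st->fragments_built++;
        }
        nxt = next_block(cur, iter, niters);
        if (cur == NBLOCKS - 1) iter++;
        if (nxt == -1) break;
        switch (mode) {
        case MODE_INTERP: break;                           /* already counted above */
        case MODE_CACHE: to_dispatcher = 1; break;         /* every block exit */
        case MODE_LINK:
        case MODE_LINK_IBL:
            if (app[cur].indirect) {
                if (mode == MODE_LINK_IBL) { st->ibl_lookups++; to_dispatcher = !present[nxt]; }
                else to_dispatcher = 1;
            } else if (!linked[cur][nxt]) {
                to_dispatcher = 1;      /* first time: exit stub -> dispatcher, which links it */
                linked[cur][nxt] = 1;
            }
            break;
        }
        st->dispatcher_entries += to_dispatcher;
        cur = nxt;
    }
    return st->dispatcher_entries;
}

int main(void) {
    static const char *names[] = { "interpreter", "block cache", "+ direct links", "+ indirect lookup" };
    for (int mode = MODE_INTERP; mode <= MODE_LINK_IBL; mode++) {
        sim_stats_t st;
        simulate((sim_mode_t)mode, 10, &st);
        printf("%-18s instrs=%ld dispatcher=%ld built=%ld ibl=%ld\n",
               names[mode], st.instrs, st.dispatcher_entries, st.fragments_built, st.ibl_lookups);
    }
    return 0;
}
```

With ten iterations the instruction count is identical in every mode while dispatcher entries fall from one per instruction, to one per block, to one per block exit seen for the first time plus one per indirect branch, to one per cache miss only; that progression is what the slowdown figures on the slides are measuring.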
  • 13. Transparency: do not want to interfere with the semantics of the program. Dangerous to make any assumptions about:
      • Register usage
      • Calling conventions
      • Stack layout
      • Memory/heap usage
      • I/O and other system call use
  • 14. Painful, But Necessary: difficult and costly to handle corner cases. Many applications will not notice… but some will!
      • Microsoft Office: Visual Basic generated code, stack convention violations
      • COM, Star Office, MMC: trampolines
      • Adobe Premiere: self-modifying code
      • VirtualDub: UPX-packed executable
      • etc.
  • 15. Avoid Resource Conflicts (diagram: Linux, Windows)
  • 16. DynamoRIO Demo: inserts counters into every basic block; counters are visible via shared memory
  • 17. Outline
      • System Overview
      • Example Tools: Security, Debugging
      • Open Source Project
  • 18. Anatomy of an Attack: network → ENTER → CORRUPT DATA (system and application memory) → HIJACK PROGRAM COUNTER → COMPROMISE (kernel)
  • 19. Critical Data: Control Flow Indirection
      • Subroutine calls: return address and activation records on visible stack
      • Dynamic library linking: function exports and imports
      • Object oriented polymorphism (dynamic dispatch): vtables
      • Callbacks (registered function pointers): event dispatch, atexit
      • Exception handling
      "Any problem in computer science can be solved with another layer of indirection." - David Wheeler
  • 20. Critical Data: Control Flow Exploits
      • Return address overwrite: classic buffer overflow
      • GOT overwrite
      • Object pointer overwrite or uninitialized use
      • Function pointer overwrite: heap, stack, data, PEB
      • Exception handler overwrites: SEH exploits
      "Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem." - David Wheeler
  • 21. Preventing Data Corruption Is Difficult
      • Stored program addresses are legitimately manipulated by many different entities: dynamic linker, language runtime
      • Intermingled with regular data: return addresses on stack, vtables in heap
      • Even if one could distinguish a good write from a bad write, it is too expensive to monitor all data writes
  • 22. Insight: Hijack Violates Execution Model (diagram labels: Hardware Interface, Typical Application, Security Attack, Execution Model)
  • 23. Goal: Shrink Hardware Interface (diagram labels: Constrained Hardware Interface, Typical Application, Security Attack, Execution Model)
  • 24. Program Shepherding
      • Monitor all control-flow transfers during program execution: DynamoRIO is in perfect position to do this
      • Validate that each transfer satisfies a security policy based on the execution model: Application Binary Interface (ABI), calling convention, library invocation
      • The application may be damaged by data corruption, but the system will not be compromised by hijacking control flow
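Slide 24's policy check, as an added example that is not part of the deck and not DynamoRIO's or Determina's code: a simplified model of program shepherding's control-transfer rules applied to a constructed transfer trace. The memory map, the entry-point table and every address in the trace are hypothetical; the three rules (targets must be in code, indirect jumps must land on a known function entry, returns must go back to the site recorded at the matching call) are an assumed reading of the ABI-based policy the slide describes, not the exact policy the tool enforced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SHADOW_DEPTH 64

typedef enum { REGION_CODE, REGION_DATA } region_kind_t;
typedef struct { uintptr_t start, end; region_kind_t kind; const char *name; } region_t;

/* Constructed memory map (hypothetical addresses, not a real process). */
static const region_t regions[] = {
    { 0x00401000, 0x00410000, REGION_CODE, "app.exe .text" },
    { 0x7d4d0000, 0x7d4e0000, REGION_CODE, "kernel32 .text" },
    { 0x00600000, 0x00700000, REGION_DATA, "heap" },
    { 0x0012e000, 0x00130000, REGION_DATA, "stack" },
};

/* Function entry points as read from export / symbol tables (constructed). */
static const uintptr_t entry_points[] = { 0x00401000, 0x00401230, 0x7d4d1028 };

typedef enum { XFER_CALL, XFER_RETURN, XFER_INDIRECT_JMP } xfer_kind_t;
typedef struct { xfer_kind_t kind; uintptr_t src, dst, ret_addr; } xfer_t;

typedef enum { XFER_OK = 0, VIOLATION_NOT_CODE, VIOLATION_NOT_ENTRY, VIOLATION_BAD_RETURN } verdict_t;

/* Shadow stack of expected return sites, kept outside application memory. */
typedef struct { uintptr_t ret[SHADOW_DEPTH]; size_t depth; } shepherd_t;

static const region_t *find_region(uintptr_t a) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (a >= regions[i].start && a < regions[i].end) return &regions[i];
    return NULL;
}

static int is_entry_point(uintptr_t a) {
    for (size_t i = 0; i < sizeof entry_points / sizeof entry_points[0]; i++)
        if (entry_points[i] == a) return 1;
    return 0;
}

/* Policy (assumed, simplified):
 *  1. every target must lie in a code region (never in stack or heap data);
 *  2. an indirect jump or call may only land on a known function entry;
 *  3. a return may only go back to the site recorded when the call was made. */
static verdict_t check_transfer(shepherd_t *s, const xfer_t *x) {
    const region_t *r = find_region(x->dst);
    if (r == NULL || r->kind != REGION_CODE) return VIOLATION_NOT_CODE;
    switch (x->kind) {
    case XFER_CALL:
        if (s->depth < SHADOW_DEPTH) s->ret[s->depth++] = x->ret_addr;
        return XFER_OK;
    case XFER_INDIRECT_JMP:
        return is_entry_point(x->dst) ? XFER_OK : VIOLATION_NOT_ENTRY;
    case XFER_RETURN:
        if (s->depth > 0 && s->ret[s->depth - 1] == x->dst) { s->depth--; return XFER_OK; }
        return VIOLATION_BAD_RETURN;
    }
    return VIOLATION_NOT_CODE;
}

/* Constructed transfer trace: four legitimate transfers, then three of the
 * kind a corrupted return address or function pointer (slide 20) would produce. */
static const xfer_t trace[] = {
    { XFER_CALL,         0x00401010, 0x7d4d1028, 0x00401015 },
    { XFER_RETURN,       0x7d4d103f, 0x00401015, 0 },
    { XFER_INDIRECT_JMP, 0x00401100, 0x00401230, 0 },
    { XFER_CALL,         0x00401240, 0x00401000, 0x00401245 },
    { XFER_RETURN,       0x00401050, 0x0012f800, 0 },   /* return address now points into the stack */
    { XFER_INDIRECT_JMP, 0x00401300, 0x7d4d102f, 0 },   /* function pointer now points mid-function */
    { XFER_RETURN,       0x00401060, 0x00401400, 0 },   /* code address, but not the recorded call site */
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Checks every transfer, stores each verdict in out[], returns the violation count. */
static size_t run_trace(const xfer_t *xs, size_t n, verdict_t *out) {
    shepherd_t s = { {0}, 0 };
    size_t violations = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = check_transfer(&s, &xs[i]);
        if (out[i] != XFER_OK) violations++;
    }
    return violations;
}

int main(void) {
    static const char *names[] = { "ok", "target not in code",
                                   "indirect target is not a function entry", "return to unexpected site" };
    verdict_t out[TRACE_LEN];
    size_t bad = run_trace(trace, TRACE_LEN, out);
    for (size_t i = 0; i < TRACE_LEN; i++)
        printf("xfer %zu: 0x%08lx -> 0x%08lx  %s\n", i,
               (unsigned long)trace[i].src, (unsigned long)trace[i].dst, names[out[i]]);
    printf("%zu violations\n", bad);
    return 0;
}
```

The reason the slide says DynamoRIO is in the right position for this is visible in the model: the check runs once per transfer at the point where the runtime already sees the target, and in the real system a direct exit that passed the check is linked and never re-examined, so the steady-state cost is the same as the linked cache without a policy. Note also that the memory of the corrupted return address is never inspected; the violation is caught only when the damaged pointer is about to be used.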
  • 25. Outline
      • System Overview
      • Example Tools: Security, Debugging
      • Open Source Project
  • 26. Memory Bugs
      • Memory bugs are challenging to detect and fix: memory corruption, reading uninitialized memory, memory leaks
      • Observable symptoms resulting from memory bugs are often delayed and non-deterministic
          • Errors are difficult to discover during regular testing
          • Testing usually relies on randomly happening to hit visible symptoms
          • The sources of these bugs are painful and time-consuming to track down from observed crashes
      • Memory bugs often remain in shipped products and can show up in customer usage
  • 27. Dr. Memory
      • Detects unaddressable memory accesses: wild access to invalid address; use-after-free; buffer and array overflow and underflow; read beyond top of stack; invalid free, double free
      • Detects uninitialized memory reads
      • Detects memory leaks
  • 28. Implementation Strategy
      • Track the state of application memory using shadow memory: track whether allocated and whether defined
      • Monitor every memory-related action by the application: system call; malloc, realloc, calloc, free, mmap, munmap, mremap; memory read or write; stack adjustment
      • At exit or on request, scan memory to check for leaks
  • 29. Shadow Metadata: shadow each byte of memory with one of 3 states: unaddressable, uninitialized, defined
      • unaddressable → uninitialized: allocate (malloc, stack)
      • unaddressable → defined: allocate (mmap, calloc)
      • uninitialized → defined: write
      • uninitialized or defined → unaddressable: deallocate
  • 30. Shadow Memory (diagram: shadow stack and shadow heap beside the stack and heap, each byte marked defined, uninit, or unaddr; malloc headers, padding and freed blocks are unaddr)
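The shadow state machine of slides 28 to 30, as an added example that is not Dr. Memory's code: one shadow state per application byte, the allocation events that move bytes between states, and read/write checks that classify the access kinds slide 27 lists. Assumptions: a constructed 256-byte toy address space, a full byte of shadow per application byte rather than a packed encoding, and a small fixed table of live allocations so that a free can be validated.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define APP_SIZE 256      /* constructed toy address space: addresses 0..255 */
#define MAX_ALLOCS 16

typedef enum { SH_UNADDR = 0, SH_UNINIT = 1, SH_DEFINED = 2 } shadow_state_t;

typedef enum {
    ACCESS_OK = 0,
    ERR_UNADDRESSABLE,   /* wild access, overflow, read past the stack, use-after-free */
    ERR_UNINIT_READ,     /* read of allocated but never-written memory */
    ERR_INVALID_FREE     /* free of an address that is not a live allocation */
} check_result_t;

typedef struct {
    uint8_t shadow[APP_SIZE];                          /* one shadow state per app byte */
    struct { size_t base, len; int live; } allocs[MAX_ALLOCS];
} shadow_mem_t;

/* Everything starts unaddressable; memory becomes addressable only through an allocation event. */
static void shadow_init(shadow_mem_t *m) { memset(m, 0, sizeof *m); }

static void set_range(shadow_mem_t *m, size_t addr, size_t len, shadow_state_t st) {
    for (size_t i = 0; i < len && addr + i < APP_SIZE; i++) m->shadow[addr + i] = st;
}

static int record_alloc(shadow_mem_t *m, size_t base, size_t len, shadow_state_t st) {
    if (base + len > APP_SIZE) return -1;
    for (int i = 0; i < MAX_ALLOCS; i++) {
        if (!m->allocs[i].live) {
            m->allocs[i].base = base; m->allocs[i].len = len; m->allocs[i].live = 1;
            set_range(m, base, len, st);
            return 0;
        }
    }
    return -1;
}

/* malloc() or a stack frame push: addressable, but the contents are garbage. */
static int shadow_on_malloc(shadow_mem_t *m, size_t base, size_t len) {
    return record_alloc(m, base, len, SH_UNINIT);
}
/* calloc() or a fresh mmap(): zero-filled by the allocator/kernel, so defined. */
static int shadow_on_calloc(shadow_mem_t *m, size_t base, size_t len) {
    return record_alloc(m, base, len, SH_DEFINED);
}
/* free() / munmap() / stack pop: the bytes go back to unaddressable. */
static check_result_t shadow_on_free(shadow_mem_t *m, size_t base) {
    for (int i = 0; i < MAX_ALLOCS; i++) {
        if (m->allocs[i].live && m->allocs[i].base == base) {
            set_range(m, base, m->allocs[i].len, SH_UNADDR);
            m->allocs[i].live = 0;
            return ACCESS_OK;
        }
    }
    return ERR_INVALID_FREE;   /* double free, or free of a non-heap address */
}

static check_result_t shadow_on_write(shadow_mem_t *m, size_t addr, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (addr + i >= APP_SIZE || m->shadow[addr + i] == SH_UNADDR) return ERR_UNADDRESSABLE;
    set_range(m, addr, len, SH_DEFINED);   /* a write defines every byte it touches */
    return ACCESS_OK;
}

static check_result_t shadow_on_read(shadow_mem_t *m, size_t addr, size_t len) {
    check_result_t worst = ACCESS_OK;
    for (size_t i = 0; i < len; i++) {
        if (addr + i >= APP_SIZE || m->shadow[addr + i] == SH_UNADDR) return ERR_UNADDRESSABLE;
        if (m->shadow[addr + i] == SH_UNINIT) worst = ERR_UNINIT_READ;
    }
    return worst;
}

int main(void) {
    shadow_mem_t m;
    shadow_init(&m);
    shadow_on_malloc(&m, 16, 8);                 /* constructed: 8-byte block at address 16 */
    printf("read of fresh malloc: %d\n", shadow_on_read(&m, 16, 8));
    shadow_on_write(&m, 16, 4);                  /* only the first half is initialized */
    printf("read of half-written block: %d\n", shadow_on_read(&m, 16, 8));
    printf("read one byte past the end: %d\n", shadow_on_read(&m, 24, 1));
    shadow_on_free(&m, 16);
    printf("use after free: %d, double free: %d\n",
           shadow_on_read(&m, 16, 1), shadow_on_free(&m, 16));
    return 0;
}
```

Two things the toy leaves out matter in practice. Allocators add headers and padding around each block, and slide 30 shows those kept unaddressable so that an off-by-one past the end is still caught; that means the tool must intercept the allocation functions themselves, not just observe the raw memory. And a production tool, Dr. Memory included, carries definedness into registers and reports an uninitialized read only when the value affects control flow, an address or a system call; flagging at the load as this toy does would report harmless copies of partially initialized structures.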
  • 31. Performance Comparison (chart; two of the benchmarks are marked "Valgrind failed")
  • 32. Outline
      • System Overview
      • Example Tools: Security, Debugging
      • Open Source Project
  • 33. DynamoRIO History
      • Dynamo @HP Labs on PA-RISC (late 1990's)
      • Dynamo @HP Labs on x86 (2000)
      • RIO @MIT (Runtime Introspection and Optimization) (1999)
      • Dynamo + RIO → DynamoRIO (2001)
  • 34. DynamoRIO History Cont'd
      • DynamoRIO @MIT (2001)
      • binary releases (2002)
      • Determina security startup (2003)
      • VMware acquires Determina (2007)
      • open-sourced, BSD license (2009)
      • Google sponsors Dr. Memory (2010)
  • 35. DynamoRIO Team: DynamoRIO @MIT, Determina security startup, VMware, Google sponsors Dr. Memory
  • 36. DynamoRIO Open Source Project
      • Google Code: BSD license; Subversion repository (300 KLOC, mostly C, some assembly); issue tracker
      • Google Groups: user discussion forum/mailing list; developer mailing list
      • http://dynamorio.org
  • 37. Dr. Memory Open Source Project
      • Google Code: http://code.google.com/p/drmemory; LGPL 2.1 license; Subversion repository (67 KLOC, mostly C); issue tracker
      • Google Groups: user discussion forum/mailing list; developer mailing list
  • 38. Potential Projects
      • Build a New Tool: code coverage; fuzzer; profiler (basic block, edge, function, etc.); malware sandbox; reverse engineering
      • Contribute to an Existing Tool: Dr. Memory or Dr. Heapstat; revive PiPA or UMI
  • 39. Potential Projects Cont'd
      • Build a Tool Library: control flow, call graph, data dependence analysis; symbol table access
      • Contribute to Platform: buffer filling API; probe API; port to MacOS; port to ARM; debugger integration