Top

Published in:

2018 | OriginalPaper | Chapter

PwIN – Pwning Intel piN: Why DBI is Unsuitable for Security Applications

Authors : Julian Kirsch, Zhechko Zhechev, Bruno Bierbaumer, Thomas Kittel

Published in: Computer Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Binary instrumentation is a robust and powerful technique which facilitates binary code modification of computer programs even when no source code is available. This is achieved either statically by rewriting the binary instructions of the program and then executing the altered program or dynamically, by changing the code at run-time right before it is executed. The design of most Dynamic Binary Instrumentation (DBI) frameworks puts emphasis on ease-of-use, portability, and efficiency, offering the possibility to execute inspecting analysis code from an interpositioned perspective maintaining full access to the instrumented program. This has established DBI as a powerful tool utilized for analysis tasks such as profiling, performance evaluation, and prototyping.

The interest of employing DBI tools for binary hardening techniques (e.g. Program Shepherding) and malware analysis is constantly increasing among researchers. However, the usage of DBI for security related tasks is questionable, as in such scenarios it is important that analysis code runs isolated from the instrumented program in a stealthy way.

In this paper, we show (1) that a plethora of literature implicitly seems to assume isolation and stealthiness of DBI frameworks and strongly challenge these assumptions. We use Intel Pin running on x86-64 Linux as an example to show that assuming a program is running in context of a DBI framework (2) the presence thereof can be detected, (3) policies introduced by binary hardening mechanisms can be subverted, and (4) otherwise hard-to-exploit bugs can be escalated to full code execution.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Automatic Detection of Various Malicious Traffic Using Side Channel Features on TCP Packets

next chapter POR for Security Protocol Equivalences

Available only for authorised users

https://github.com/gaasedelen/lighthouse.

See /proc/sys/vm/mmap_rnd_bits.

http://repzret.org/p/detecting-valgrind.

https://github.com/zhechkoz/PwIN.

CVE-2014-0160. Available from MITRE, CVE-2017-13089. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089. Accessed 24 Apr 2018

QuarkslaB Dynamic binary Instrumentation (QBDI). https://qbdi.quarkslab.com/. Accessed 24 Apr 2018

Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13, 4:1–4:40 (2009)CrossRef

Banescu, S., Wüchner, T., Guggenmos, M., Ochoa, M., Pretschner, A.: FEEBO: an empirical evaluation framework for malware behavior obfuscation. arXiv preprint arXiv:1502.03245 (2015)

Bruening, D., Duesterwald, E., Amarasinghe, S.: Design and implementation of a dynamic optimization framework for windows. In: 4th ACM Workshop on Feedback-Directed and Dynamic Optimization (FDDO-4) (2001)

Bruening, D., Garnett, T., Amarasinghe, S.: An infrastructure for adaptive dynamic optimization. In: International Symposium on Code Generation and Optimization, CGO 2003, pp. 265–275. IEEE (2003)

Bruening, D., Zhao, Q.: Practical memory checking with Dr. Memory. In: Proceedings of the 9th Annual IEEE/ACM International Symposium on Code Generation and Optimization, pp. 213–223. IEEE Computer Society (2011)

Chiueh, T.c., Hsu, F.H.: RAD: a compile-time solution to buffer overflow attacks. In: 21st International Conference on Distributed Computing Systems, pp. 409–417. IEEE (2001)

Clause, J., Li, W., Orso, A.: Dytan: a generic dynamic taint analysis framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis, pp. 196–206. ACM (2007)

10.

Davi, L., Sadeghi, A.R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programming attacks. In: ASIACCS (2011)

11.

Elsabagh, M., Barbará, D., Fleck, D., Stavrou, A.: Detecting ROP with statistical learning of program characteristics. In: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, pp. 219–226. ACM (2017)

12.

Falcón, F., Riva, N.: Dynamic binary instrumentation frameworks: i know you’re there spying on me. In: RECon 2012 (2012). https://recon.cx/2012/schedule/attachments/42_FalconRiva_2012.pdf. Accessed 25 Apr 2018

13.

Follner, A., Bodden, E.: ROPocop - dynamic mitigation of code-reuse attacks. J. Inf. Secur. Appl. 29, 16–26 (2016)

14.

Garfinkel, T., Rosenblum, M., et al.: A virtual machine introspection based architecture for intrusion detection. In: NDSS, vol. 3, pp. 191–206 (2003)

15.

Gröbert, F., Willems, C., Holz, T.: Automated identification of cryptographic primitives in binary programs. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 41–60. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_3CrossRef

16.

Intel Corporation: Intel\(\textregistered \) 64 and IA-32 Architectures Software Developer’s Manual, January 2018

17.

Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: Proceedings of the 11th USENIX Security Symposium, pp. 191–206. USENIX Association, Berkeley (2002)

18.

Kirsch, J., Bierbaumer, B., Kittel, T., Eckert, C.: Dynamic loader oriented programming on Linux. In: ROOTS (2017)

19.

Kulakov, Y.: MazeWalker - enriching static malware analysis. In: RECon 2017 (2017). https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-MazeWalker.pdf. Accessed 25 Apr 2018

20.

Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 386–395. ACM (2014)

21.

Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. In: ACM Sigplan Notices, vol. 40, pp. 190–200. ACM (2005)

22.

Nethercote, N., Seward, J.: How to shadow every byte of memory used by a program. In: VEE (2007)

23.

Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: ACM Sigplan Notices, vol. 42, pp. 89–100. ACM (2007)

24.

Nethercote, N., Walsh, R., Fitzhardinge, J.: Building workload characterization tools with Valgrind. In: IISWC (2006)

25.

One, A.: Smashing the stack for fun and profit. In: Phrack 49 (1996)

26.

Orman, H.: The Morris worm: a fifteen-year perspective. IEEE Secur. Priv. 99(5), 35–43 (2003)CrossRef

27.

Polino, M., et al.: Measuring and defeating anti-instrumentation-equipped malware. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 73–96. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60876-1_4CrossRef

28.

Qiang, W., Huang, Y., Zou, D., Jin, H., Wang, S., Sun, G.: Fully context-sensitive CFI for COTS binaries. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 435–442. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59870-3_28CrossRef

29.

Quynh, N.A.: Skorpio: advanced binary instrumentation framework. In: OPCDE 2018, Dubai, April 2018

30.

Saudel, F., Salwan, J.: Triton: a dynamic symbolic execution framework. In: Symposium sur la sécurité des technologies de l’information et des communications, SSTIC, France, Rennes, 3–5 June 2015, pp. 31–54. SSTIC (2015)

31.

Tymburibá, M., Emilio, R., Pereira, F.: RipRop: a dynamic detector of ROP attacks. In: Proceedings of the 2015 Brazilian Congress on Software: Theory and Practice, p. 2 (2015)

32.

van der Veen, V., et al.: Practical context-sensitive CFI. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 927–940. ACM (2015)

33.

Vendicator, S.S.: A Stack Smashing Technique Protection Tool for Linux (2000). http://www.angelfire.com/sk/stackshield/info.html. Accessed 24 Apr 2018

Title: PwIN – Pwning Intel piN: Why DBI is Unsuitable for Security Applications
Authors: Julian Kirsch
Zhechko Zhechev
Bruno Bierbaumer
Thomas Kittel
Publisher: Springer International Publishing
Book: Computer Security
Print ISBN: 978-3-319-99072-9

Electronic ISBN: 978-3-319-99073-6

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-99073-6_18

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner