Mingwei's RPE Progress

My topic for RPE is "Binary instrumentation techniques for security". Basically, I would like to divide it into four branches. While SFI and CFI are two important approaches to ensuring the safety of program execution, static and dynamic binary instrumentation are two different strategies for the underlying implementation. These four parts overlap somewhat, but each has a different emphasis.

The final version of my RPE report will be available soon.


Overall Grade: 4/5


Sub topics:

Software Fault Isolation
Control Flow Integrity
Static Binary Instrumentation
Dynamic Binary Instrumentation
Other Topics

Presentations & Notes

[ppt]Software Fault Isolation [notes]
[ppt]PittSFIeld: Efficient, Verifiable Binary Sandboxing for a CISC Architecture [notes]
[ppt]Control Flow Integrity [notes]
[ppt]XFI: Software Guards for System Address Spaces
[ppt]Native Client: A Sandbox for Portable, Untrusted x86 Native Code [notes]
[ppt]Bring Native Client to x86-64 & ARM; Bring it with JIT code [notes]
[pdf]DynamoRIO: Efficient, Transparent, and Comprehensive Runtime Code Manipulation

Future Presentations

[ppt]Secure Execution Via Program Shepherding

Some Existing Defense Techniques

Stack Guard based: StackGuard; FormatGuard; StackShield; libsafe (abstract); ProPolice; StackGhost
Bound Checking: CCured; notes
Randomization based: ASLR; ASR (Windows); ASR; ISR; PointGuard; DSR
Data Execution Prevention: PaX (docs, notes); NX bit (hardware)
Type based: Kyung-suk Lhee
System Call Based: N-gram; FSA; VtPath; execGraph; Dataflow Anomaly; erratic_Arguments

Reading List

Software Fault Isolation

Status | Authors | Name | Conference | Mechanisms | Limitations | Notes
done | Robert Wahbe | Efficient Software-Based Fault Isolation | SOSP '93 | sandboxes indirect control transfers and indirect memory writes (and/or reads) using dedicated registers | RISC architectures only | N/A
done | Stephen McCamant, Greg Morrisett | Evaluating SFI for a CISC Architecture | USENIX Security '06 | no dedicated registers; instead the sandbox memory range is enforced by masking the upper bits of the target address; indirect jump targets are 16-byte aligned | no SSE/MMX support | N/A
done | Bennet Yee | Native Client: a sandbox for portable, untrusted x86 native code | Security & Privacy 2009 | SFI using 32-byte instruction bundle alignment together with hardware segmentation | |
half | David Sehr | Adapting Software Fault Isolation to Contemporary CPU Architectures | USENIX Security '10 | x86-64 SFI relies on very large (40 GB) guard regions around the sandbox and one dedicated read-only register (r15, RZP) | |
done | Bin Zeng, Gang Tan | Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing | CCS '11 | N/A | N/A | N/A
done | Ford, B. & Cox, R. | Vx32: lightweight user-level sandboxing on the x86 | USENIX '08 | dynamic rewriting with hardware segment support | only 32-bit guest programs, even on AMD64 |
not yet | Miguel Castro | Fast Byte-Granularity Software Fault Isolation | SOSP '09 | N/A | N/A | N/A
done | U. Erlingsson | SASI Enforcement of Security Policies: A Retrospective | NSPW '99 | a preliminary prototype | | Notes
done | Thomas Gross | Fine-Grained User-Space Security Through Virtualization | VEE '11 | employs dynamic binary translation; constrains control transfers coarsely, with a shadow call stack protecting ret; protects data with randomization; good performance | shadow stack relies on ASLR |
not yet | Michael M. Swift | Improving the Reliability of Commodity Operating Systems | SOSP '03 | N/A | N/A | N/A
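As an added illustration of the PittSFIeld row above (mask the upper address bits instead of reserving registers, keep indirect jump targets 16-byte aligned, and re-check the rewritten code with a verifier that does not trust the rewriter), here is a toy model in C. This is an added example, not code from PittSFIeld, Native Client or any other paper in the list; the region constants, the chunk size, the four-instruction model and the sample instruction streams are assumptions chosen to keep it small.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed toy layout (not the paper's exact constants): code region 0x10000000-0x10ffffff,
 * data region 0x20000000-0x20ffffff, and a "zero-tag" region 0x00000000-0x00ffffff that is
 * left unmapped, so a masked address whose tag bits were cleared simply faults. */
#define CHUNK      16u           /* indirect-jump targets are 16-byte aligned       */
#define DATA_MASK  0x20ffffffu   /* and $DATA_MASK, %reg  before an indirect store  */
#define CODE_MASK  0x10fffff0u   /* and $CODE_MASK, %reg  before an indirect jump   */

/* The masks a PittSFIeld-style rewriter inserts. One AND is enough: the result either
 * keeps the region's tag bits (stays inside) or loses them (lands in the unmapped
 * zero-tag region). The code mask also clears the low 4 bits, so every computed
 * jump lands on a chunk boundary. */
uint32_t sfi_mask_data(uint32_t addr) { return addr & DATA_MASK; }
uint32_t sfi_mask_code(uint32_t addr) { return addr & CODE_MASK; }

/* Minimal instruction model: just enough to state the verifier's rules. */
typedef enum { I_SAFE, I_AND_IMM, I_STORE_IND, I_JMP_IND } insn_kind;

typedef struct {
    insn_kind kind;
    int       reg;   /* address register (store/jmp) or masked register (and) */
    uint32_t  imm;   /* mask immediate (I_AND_IMM only) */
    uint8_t   len;   /* encoded length in bytes */
} insn;

/* Returns -1 if the stream satisfies the SFI invariants, otherwise the index of the
 * first offending instruction. base is the (chunk-aligned) address of code[0]. */
int sfi_verify(const insn *code, size_t n, uint32_t base)
{
    uint32_t pc = base;
    for (size_t i = 0; i < n; i++) {
        const insn *in = &code[i];
        uint32_t chunk = pc / CHUNK;
        /* Rule 1: no instruction straddles a chunk boundary, so a chunk-aligned
         * jump can never land in the middle of an instruction. */
        if ((pc + in->len - 1) / CHUNK != chunk) return (int)i;
        if (in->kind == I_STORE_IND || in->kind == I_JMP_IND) {
            uint32_t want = (in->kind == I_JMP_IND) ? CODE_MASK : DATA_MASK;
            /* Rule 2: the unsafe use is immediately preceded by the right mask
             * applied to the same register. */
            if (i == 0) return (int)i;
            const insn *prev = &code[i - 1];
            if (prev->kind != I_AND_IMM || prev->reg != in->reg || prev->imm != want)
                return (int)i;
            /* Rule 3: mask and use sit in one chunk. Since every indirect target is
             * chunk-aligned, control cannot enter between them and skip the mask. */
            if ((pc - prev->len) / CHUNK != chunk) return (int)i;
        }
        pc += in->len;
    }
    return -1;
}

/* Constructed sample streams; lengths are made up to exercise the chunk rules. */
#define VERIFY(s) sfi_verify((s), sizeof(s) / sizeof((s)[0]), 0x10000000u)

int check_good(void)
{   /* store at 11..12 with its mask at 5..10; jmp at 22..23 with its mask at 16..21 */
    static const insn s[] = { {I_SAFE,0,0,5}, {I_AND_IMM,1,DATA_MASK,6}, {I_STORE_IND,1,0,2},
                              {I_SAFE,0,0,3}, {I_AND_IMM,2,CODE_MASK,6}, {I_JMP_IND,2,0,2} };
    return VERIFY(s);
}
int check_missing_mask(void)
{   static const insn s[] = { {I_SAFE,0,0,5}, {I_STORE_IND,1,0,2} };
    return VERIFY(s);
}
int check_wrong_reg(void)
{   static const insn s[] = { {I_AND_IMM,1,DATA_MASK,6}, {I_STORE_IND,2,0,2} };
    return VERIFY(s);
}
int check_split_pair(void)
{   /* mask occupies 10..15, store starts at 16: different chunks */
    static const insn s[] = { {I_SAFE,0,0,10}, {I_AND_IMM,1,DATA_MASK,6}, {I_STORE_IND,1,0,2} };
    return VERIFY(s);
}
int check_wrong_mask(void)
{   static const insn s[] = { {I_AND_IMM,2,DATA_MASK,6}, {I_JMP_IND,2,0,2} };
    return VERIFY(s);
}
int check_straddle(void)
{   static const insn s[] = { {I_SAFE,0,0,12}, {I_SAFE,0,0,6} };
    return VERIFY(s);
}

int main(void)
{
    printf("mask 0x12345678 for data -> 0x%08x (zero-tag region: faults)\n", sfi_mask_data(0x12345678u));
    printf("mask 0x1234567f for code -> 0x%08x (aligned, in code region)\n", sfi_mask_code(0x1234567fu));
    printf("good %d, missing mask %d, wrong reg %d, split pair %d, wrong mask %d, straddle %d\n",
           check_good(), check_missing_mask(), check_wrong_reg(),
           check_split_pair(), check_wrong_mask(), check_straddle());
    return 0;
}
```

The verifier reports the first instruction that breaks an invariant; a real rewriter would have padded the "split pair" case with NOPs so that the mask and the store share a chunk.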

Control Flow Integrity (Attacks & Defenses)

Status | Authors | Name | Conference | Mechanisms | Limitations | Notes
done | Martin Abadi | Control-Flow Integrity: Principles, Implementations, and Applications | CCS '05 | adds an ID check before each computed control transfer (indirect jmp/call and ret) | requires non-executable data and relies on relocation information |
done | U. Erlingsson | XFI: Software Guards for System Address Spaces | OSDI '06 | uses SFI to isolate host and guest, and CFI plus two stacks to constrain guest behavior | relies on Vulcan | N/A
done | P. Akritidis | Preventing memory error exploits with WIT | Security & Privacy '08 | write integrity and control-flow integrity using a color table; low performance overhead | |
done | Giampaolo Fresi Roglia | Surgically returning to randomized lib(c) | ACSAC '09 | uses the GOT to bypass ASLR; uses ROP to bypass DEP; uses ROP gadgets to compute library function addresses | does not work for position-independent executables |
done | James Oakley, Sergey Bratus | Exploiting the hard-working DWARF: trojan and exploit techniques with no native executable code | WOOT '11 | crafts a malicious DWARF section to hijack control flow when an exception occurs | requires read-writable DWARF metadata in the ELF binary, e.g. 1) the JVM; 2) all .eh_frame sections mapped read-write on a 2009 OpenSolaris |
done | Pieter Philippaerts | Code Pointer Masking: Hardening applications against code injection attacks | DIMVA '11 | prevents code injection on ARM by constraining the range of code pointers | does not prevent jumps to (global) data | N/A
done | Tyler Bletsch | Mitigating Code-Reuse Attacks with Control-Flow Locking | ACSAC '11 | a lock operation is added before each indirect jump; only valid indirect targets carry the unlock operation; all instructions are bundled (32 bytes); every syscall is preceded, within its bundle, by a check that no lock is held | |
done | Yubin Xia | CFIMon: Detecting violation of control flow integrity using performance counters | DSN '12 | uses performance monitoring hardware to gather 1) ret sets, 2) call sets, 3) jmp sets, and enforces at runtime that control flow only goes to these sets; the OS is modified to handle signals | incomplete learning causes false positives; delaying attacks cause false negatives |
done | Wang, Z. & Jiang, X. | HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity | Security & Privacy '10 | fine-grained CFI; page table lockdown using the WP bit in CR0 | based on source code analysis |
not yet | Miguel Castro | Securing software by enforcing data-flow integrity | OSDI '06 | N/A | N/A | N/A
not yet | Yong-Joon Park | Efficient Validation of Control Flow Integrity for Enhancing Computer System Security | Ph.D. Thesis '10 | N/A | N/A | N/A
not yet | Nick L. Petroni | Automated Detection of Persistent Kernel Control-Flow Attacks | CCS '07 | N/A | N/A | N/A
done | Edward J. Schwartz | Q: Exploit Hardening Made Easy | USENIX Security '11 | compiles a traditional exploit plus the target binary into a ROP exploit | N/A | N/A
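As an added illustration of the Abadi et al. row above (an ID embedded at every valid target, and a compare against that ID inserted before every indirect call and every ret), here is a toy interpreter in C that enforces the same check on a word-addressed machine. This is an added example, not code from the CFI paper or from any project in the list; the instruction set, the label values and the sample program are assumptions. Function pointers and saved return addresses live in ordinary, corruptible data, and the W_SMASH instruction stands in for a stack overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy word-addressed machine. In real CFI the ID is a byte sequence placed in the code
 * at each valid target and compared before each indirect jmp/call/ret; here a label
 * is one word of its own kind, so the "ID never occurs elsewhere in code" requirement
 * holds by construction. ID values below are assumed constants. */
typedef enum { W_LABEL, W_ICALL, W_RET, W_WORK, W_SMASH, W_HALT } wkind;

typedef struct {
    wkind    kind;
    uint32_t a;   /* W_LABEL: ID; W_ICALL: pointer-table slot; W_RET: expected return-site ID;
                     W_SMASH: value written over the saved return address */
    uint32_t b;   /* W_ICALL: ID the call site expects at its target */
} word;

typedef enum { RUN_OK, RUN_BAD_CALL_TARGET, RUN_BAD_RET_TARGET, RUN_FAULT } run_status;

#define STACK_MAX 16

typedef struct {
    const word *code;
    size_t      ncode;
    uint32_t    ptrs[4];           /* function-pointer table: corruptible data */
    uint32_t    stack[STACK_MAX];  /* saved return addresses: corruptible data */
    size_t      sp;
    uint32_t    work;              /* number of W_WORK executed: shows what actually ran */
} machine;

/* The CFI check: the destination must be a label word carrying the ID the source expects. */
static int cfi_target_ok(const machine *m, uint32_t dst, uint32_t expect)
{
    return dst < m->ncode && m->code[dst].kind == W_LABEL && m->code[dst].a == expect;
}

run_status run(machine *m, uint32_t pc)
{
    for (int steps = 0; steps < 1000; steps++) {
        if (pc >= m->ncode) return RUN_FAULT;
        const word *w = &m->code[pc];
        switch (w->kind) {
        case W_LABEL: pc++; break;                      /* labels execute as no-ops */
        case W_WORK:  m->work++; pc++; break;
        case W_SMASH:                                   /* overwrite the saved return address */
            if (m->sp == 0) return RUN_FAULT;
            m->stack[m->sp - 1] = w->a; pc++; break;
        case W_ICALL: {
            uint32_t dst = m->ptrs[w->a];
            if (!cfi_target_ok(m, dst, w->b)) return RUN_BAD_CALL_TARGET;
            if (m->sp == STACK_MAX) return RUN_FAULT;
            m->stack[m->sp++] = pc + 1;
            pc = dst; break;
        }
        case W_RET: {
            if (m->sp == 0) return RUN_FAULT;
            uint32_t ra = m->stack[--m->sp];
            if (!cfi_target_ok(m, ra, w->a)) return RUN_BAD_RET_TARGET;
            pc = ra; break;
        }
        case W_HALT: return RUN_OK;
        }
    }
    return RUN_FAULT;
}

#define ID_FN  0x11u   /* class of functions that slot 0 may legitimately call */
#define ID_RET 0x22u   /* all return sites share one ID (the coarse-grained variant) */
#define ID_G   0x33u   /* a different function class */

static const word program[] = {            /* constructed sample program */
    /* 0 */ { W_ICALL, 0, ID_FN },         /* call *ptrs[0]; expects a target labeled ID_FN */
    /* 1 */ { W_LABEL, ID_RET, 0 },        /* return site */
    /* 2 */ { W_HALT, 0, 0 },
    /* 3 */ { W_LABEL, ID_FN, 0 },         /* f: the legitimate callee */
    /* 4 */ { W_WORK, 0, 0 },
    /* 5 */ { W_RET, ID_RET, 0 },
    /* 6 */ { W_WORK, 0, 0 },              /* unlabeled code in the middle of a function */
    /* 7 */ { W_RET, ID_RET, 0 },
    /* 8 */ { W_LABEL, ID_G, 0 },          /* g: a valid target, but of another class */
    /* 9 */ { W_WORK, 0, 0 },
    /*10 */ { W_RET, ID_RET, 0 },
    /*11 */ { W_LABEL, ID_FN, 0 },         /* h: overwrites its own return address with 6 */
    /*12 */ { W_SMASH, 6, 0 },
    /*13 */ { W_RET, ID_RET, 0 },
};

/* Runs the program with slot 0 holding fptr (the value an attacker may have written). */
static run_status scenario(uint32_t fptr, uint32_t *work)
{
    machine m = { .code = program, .ncode = sizeof program / sizeof program[0] };
    m.ptrs[0] = fptr;
    run_status s = run(&m, 0);
    *work = m.work;
    return s;
}
run_status scenario_status(uint32_t fptr) { uint32_t w; return scenario(fptr, &w); }
uint32_t   scenario_work(uint32_t fptr)   { uint32_t w; scenario(fptr, &w); return w; }

int main(void)
{
    printf("ptr -> f (3):  status %d, work %u\n", scenario_status(3),  scenario_work(3));
    printf("ptr -> mid (6): status %d, work %u\n", scenario_status(6),  scenario_work(6));
    printf("ptr -> g (8):  status %d\n",          scenario_status(8));
    printf("ptr -> h (11): status %d, work %u\n", scenario_status(11), scenario_work(11));
    return 0;
}
```

Pointing slot 0 at the middle of a function or at a function of another class is rejected before the transfer, and the smashed return address is rejected at the ret; with a single ID_RET for every return site, though, a return to any other return site would pass, which is exactly the coarseness that the shadow-stack and fine-grained rows in this table address.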

Static Binary Instrumentation Techniques

Status | Authors | Name | Conference | Mechanisms | Limitations | Notes
half | Niranjan Hasabnis | Infrastructure for Architecture-Independent Binary Analysis and Transformation | RPE, Stony Brook '11 | N/A | N/A | Notes
not yet | Cristina Cifuentes | Recovery of Jump Table Case Statements from Binary Code | IWPC '99 | N/A | N/A | N/A
not yet | Benjamin Schwarz | Disassembly of Executable Code Revisited | WCRE '02 | N/A | N/A | N/A
half | Cristina Cifuentes | The design of a resourceable and retargetable binary translator | WCRE '99 | N/A | N/A | N/A
not yet | Cristina Cifuentes | UQBT: adaptable binary translation at low cost [ref] | IEEE Computer 2000 | N/A | N/A | N/A
not yet | Lu Xun | LEEL: A Linux Executable Editing Library [site] | Master's Thesis '00 | N/A | N/A | N/A
half | James Larus | EEL: Machine-Independent Executable Editing [abstract] [slide] | PLDI '95 | N/A | N/A | N/A
not yet | Tzi-cker Chiueh | BIRD: Binary Interpretation using Runtime Disassembly [site] | CGO '06 | N/A | N/A | N/A
done | Christopher Kruegel | Static disassembly of obfuscated binaries | USENIX Security '04 | N/A | N/A | Notes
done | Prateek Saxena | Static Binary Analysis And Transformation For Sandboxing Untrusted Plugins | Master's Thesis (seclab) | N/A | N/A | Notes
done | Tzi-cker Chiueh | A Binary Rewriting Defense against Stack-based Buffer Overflow Attacks | USENIX '03 | N/A | N/A | N/A
done | P. O'Sullivan | Preventing Buffer Overflows with Binary Rewriting | Master's Thesis '10 | binary translation for stripped files: stack canary insertion; return address protection (copy & check); base pointer elimination; function pointers: indirect calls turned into a large switch; longjmp/setjmp: integrity of jmp_buf via a hash table | N/A | Notes
done | P. O'Sullivan | Retrofitting Security in COTS Software with Binary Rewriting | IFIP SEC '11 | N/A | N/A | N/A
done | Matthew Smithson | Binary Rewriting without Relocation Information | Tech report, Maryland | N/A | N/A | N/A
not yet | Kapil Anand | Decompilation to Compiler High IR in a binary rewriter | Tech report, Maryland | N/A | N/A | N/A
done | Laune C. Harris | Practical analysis of stripped binary code | ACM SIGARCH '05 | speculative (indirect) control discovery: searches "gaps" for known function prologues, then uses Orso's method to detect other potential code addresses | |
done | B. De Sutter | On the Static Analysis of Indirect Control Transfers in Binaries | PDPTA 2000 | recognizes indirect branches (switches) by pattern matching | |
not yet | JongHyup Lee | TIE: Principled Reverse Engineering of Types in Binary Programs | NDSS '11 | N/A | N/A | N/A

Dynamic Binary Instrumentation Techniques

Status | Authors | Name | Conference | Mechanisms | Limitations | Notes
done | Derek Bruening | Efficient, Transparent, and Comprehensive Runtime Code Manipulation | Ph.D. Thesis 2004 | N/A | N/A | Notes
done | Derek Bruening | Secure Execution Via Program Shepherding | USENIX Security '02 | code origin checks; restricted control transfers; un-circumventable sandboxing | |
not yet | Chi-keung Luk | Pin: building customized program analysis tools with dynamic instrumentation | PLDI '05 | N/A | N/A | N/A

Other Topics

Just In Time Compiler

Status | Authors | Name | Conference | Mechanisms | Limitations | Notes
done | Jason Ansel | Language-independent sandboxing of just-in-time compilation and self-modifying code | PLDI '11 | N/A | N/A | Notes
not yet | Igor Bohm | Generalized just-in-time trace compilation using a parallel task farm in a dynamic binary translator | PLDI '11 | N/A | N/A | Notes


Status | Authors | Name | Conference | Mechanisms | Limitations | Notes
done | Shuo Chen | Non-control-data attacks are realistic threats | USENIX Security '05 | four types of non-control data: configuration data; user input; user identity data; decision-making data | N/A | Notes
not yet | | Model Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications | SOSP '03 | N/A | N/A | Notes
not yet | Fred B. Schneider | Enforceable security policies | TISSEC '00 | N/A | N/A | Notes
not yet | G. Balakrishnan | WYSINWYX: What You See Is Not What You eXecute | | N/A | N/A | Notes