PwIN – Pwning Intel piN: Why DBI is Unsuitable for Security Applications

  • Julian Kirsch
  • Zhechko Zhechev
  • Bruno Bierbaumer
  • Thomas Kittel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11098)

Abstract

Binary instrumentation is a robust and powerful technique that facilitates modifying the binary code of computer programs even when no source code is available. This is achieved either statically, by rewriting the binary instructions of the program and then executing the altered program, or dynamically, by changing the code at run time right before it is executed. The design of most Dynamic Binary Instrumentation (DBI) frameworks puts emphasis on ease of use, portability, and efficiency, offering the possibility to execute inspecting analysis code from an interposed perspective while maintaining full access to the instrumented program. This has established DBI as a powerful tool for analysis tasks such as profiling, performance evaluation, and prototyping.

Interest in employing DBI tools for binary hardening techniques (e.g. Program Shepherding) and malware analysis is constantly increasing among researchers. However, the use of DBI for security-related tasks is questionable, as in such scenarios it is important that the analysis code runs isolated from the instrumented program and in a stealthy way.

In this paper, we show (1) that a plethora of literature implicitly seems to assume isolation and stealthiness of DBI frameworks, and we strongly challenge these assumptions. Using Intel Pin running on x86-64 Linux as an example, we show that, assuming a program is running in the context of a DBI framework, (2) the presence thereof can be detected, (3) policies introduced by binary hardening mechanisms can be subverted, and (4) otherwise hard-to-exploit bugs can be escalated to full code execution.

Keywords

Dynamic Binary Instrumentation, Intel Pin, Control Flow Integrity, Program shepherding, Malware analysis, Evasive malware, Virtual machine escape, Exploitation

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Julian Kirsch (1)
  • Zhechko Zhechev (1)
  • Bruno Bierbaumer (1)
  • Thomas Kittel (1)
  1. Technical University of Munich, Munich, Germany