Hardware-Assisted Application Misbehavior Detection
0 likes39 views
This document discusses a hardware-assisted application misbehavior detection solution that tracks expected and unexpected branches in program execution to identify bugs and security vulnerabilities. It outlines the implementation of this solution, including automated learning and detection policies, and presents evaluation results through synthetic and real application examples. The authors suggest future developments for improving the system, such as OS self-repair and enhancing crash report analysis.
![Introduction Our Solution Conclusions
Evaluation
Evaluation
Synthetic Example
Code 1: Validation code.
main (){
char s t r [MAX STRING ] ;
i n t loop =0, opt =0;
do{
scanf (”%d”,& opt ) ;
i f ( opt >0){ p r i n t f (” Greater than zero n ” ) ; }
e l s e i f ( opt <0){ p r i n t f (” Smaller than zero n ” ) ; }
e l s e { p r i n t f (”Bad choice n ” ) ; scanf (”%s ” , s t r ) ; }
} while ( ! loop ) ;
p r i n t f (” Should never be executed n ” ) ;
Hardware-Assisted Application Misbehavior Detection XVIII SBSEG](https://image.slidesharecdn.com/misbehavior-190810045017/85/Hardware-Assisted-Application-Misbehavior-Detection-17-320.jpg)
![Introduction Our Solution Conclusions
Evaluation
Evaluation
Easy File Share
Code 2: Real application under a ROP-based attack. Differences between
the expected and the observed branches.
Unexpected Branches : [0 x150C , 0x1C80C , 0x13020 ]
Unexpected Branches : [ ]
Unexpected Branches : [0 x1731A , 0xD31A , 0x7C81A ,
0x33B1A , 0x2AC1A , 0xFC21A , 0x12941A , 0x29A1A ]
Hardware-Assisted Application Misbehavior Detection XVIII SBSEG](https://image.slidesharecdn.com/misbehavior-190810045017/85/Hardware-Assisted-Application-Misbehavior-Detection-18-320.jpg)
Hardware-Assisted Application Misbehavior Detection
- 1. Introduction Our Solution Conclusions Hardware-Assisted Application Misbehavior Detection Marcus Botacin Paulo de Geus Andr´e Gr´egio XVIII SBSEG 2018 Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 2. Introduction Our Solution Conclusions Agenda 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 3. Introduction Our Solution Conclusions Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 4. Introduction Our Solution Conclusions Bugs Undesirable Safety: Crashes. Security: Exploitation. Countermeasures Good Software Engineering: Really ? Fuzzing: Too slow to cover all paths. CFI: Too specific to extend to general cases. Alternative Runtime Monitoring: COTS binaries monitoring. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 5. Introduction Our Solution Conclusions Background Program as a Finite State Machine Figure: Program as a Finite State Machine. Data is inputted to an initial state and transitions lead to the final state, outputting the computation result. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 6. Introduction Our Solution Conclusions Program in Memory Branch as Transitions Figure: Program representation in memory. Branch instructions are responsible for state transitions. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 7. Introduction Our Solution Conclusions Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 8. Introduction Our Solution Conclusions Key Idea Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 9. Introduction Our Solution Conclusions Key Idea Our Solution Tracking Expected Branches Figure: Expected Branches Policy. The solid arrows correspond to paths previously seem, thus representing expected branches. The dotted arrows represent so-far unknown branches, which might indicate a misbehavior. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 10. Introduction Our Solution Conclusions Key Idea Our Solution Learning Expected Branches Figure: Automated learning. Flags 1 and 0 indicate, respectively, whether a given branch was expected (allowed) to occur or not. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 11. Introduction Our Solution Conclusions Implementation Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 12. Introduction Our Solution Conclusions Implementation Our Solution Implementation Table: ASLR-aware data collection. Offset normalization. Despite the distinct image base addresses, branch offsets are unique. Branch Execution 1 Execution 2 Execution N Offset I 0x7FF1D30 0x7FF3D30 0x7FF5D80 0x1D30 II 0x7FF1E30 0x7FF3E30 0x7FF5E80 0x1E30 II 0x7FF1EF0 0x7FF3EF0 0x7FF5F40 0x1EF0 Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 13. Introduction Our Solution Conclusions Implementation Our Solution Implementation Figure: Branch Database. Source addresses are used to index allowed target addresses. Unidentified entries are considered as unexpected branches. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 14. Introduction Our Solution Conclusions Implementation Detection Policies Violation Detection Figure: Misbehavior Detection. Solution detects violations using a threshold value over data from a moving window. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 15. Introduction Our Solution Conclusions Implementation Our Solution Implementation Figure: Semi-supervised learning. Solution asks for user confirmation. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 16. Introduction Our Solution Conclusions Evaluation Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 17. Introduction Our Solution Conclusions Evaluation Evaluation Synthetic Example Code 1: Validation code. main (){ char s t r [MAX STRING ] ; i n t loop =0, opt =0; do{ scanf (”%d”,& opt ) ; i f ( opt >0){ p r i n t f (” Greater than zero n ” ) ; } e l s e i f ( opt <0){ p r i n t f (” Smaller than zero n ” ) ; } e l s e { p r i n t f (”Bad choice n ” ) ; scanf (”%s ” , s t r ) ; } } while ( ! loop ) ; p r i n t f (” Should never be executed n ” ) ; Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 18. Introduction Our Solution Conclusions Evaluation Evaluation Easy File Share Code 2: Real application under a ROP-based attack. Differences between the expected and the observed branches. Unexpected Branches : [0 x150C , 0x1C80C , 0x13020 ] Unexpected Branches : [ ] Unexpected Branches : [0 x1731A , 0xD31A , 0x7C81A , 0x33B1A , 0x2AC1A , 0xFC21A , 0x12941A , 0x29A1A ] Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 19. Introduction Our Solution Conclusions Evaluation Evaluation Easy File Share Figure: Exploit Execution Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 20. Introduction Our Solution Conclusions Discussion Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 21. Introduction Our Solution Conclusions Discussion Discussion Immediate Follow-up Enriching Crash Reports. Future Developments Distributed Allowed Paths Identification. OS Self-Repair. Automatic Backup recovery. Challenges Distinguish Exploits from Crashes. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 22. Introduction Our Solution Conclusions Roteiro 1 Introduction 2 Our Solution Key Idea Implementation Evaluation Discussion 3 Conclusions Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 23. Introduction Our Solution Conclusions Concluding Remarks Advances: Low-Overhead, Ruleless Misbehavior Detection. Challenges: Distinguish Exploitation from Crashes. Future: OS Self-repair. Hardware-Assisted Application Misbehavior Detection XVIII SBSEG
- 24. Introduction Our Solution Conclusions Questions ? Contact Information mfbotacin@inf.ufpr.br Hardware-Assisted Application Misbehavior Detection XVIII SBSEG