University of Virginia Department of Computer Science1 Applications of Software Dynamic Translation Jack Davidson University of Virginia February 27, 2002

University of Virginia Department of Computer Science2 What is SDT? Software: Implemented using flexible, software VM Dynamic: Operates on running programs Translation: Modifies some or all of a program’s instructions before they execute

University of Virginia Department of Computer Science3 Software Dynamic Translation

University of Virginia Department of Computer Science4 Why Use SDT? Improve program performance Adapt program to its execution environment Overcome economic barriers Allow one architecture’s binaries to run on another Application specific ISA improvements Code decompression Resource management Power, memory footprint, resource protection Software engineering and quality control Performance monitoring, fault isolation, debugging

University of Virginia Department of Computer Science5 Strata Infrastructure designed for building SDTs Can be extended to support a wide variety of SDT applications Provides: Platform independent common services Target interface that abstracts target-specific support functions Target-specific support functions SPARC and MIPS ARM and x86 (underway)

University of Virginia Department of Computer Science6 Strata Virtual Machine Base VM implements a simple SDT Programmer implements new SDTs by customizing the VM VM is customized by overriding functions in the target interface

University of Virginia Department of Computer Science7 Computer Viruses Melissa, Code Red, Nimba, I love you Cost of dealing with viruses is high Code Red cost $1.2B (USA Today) Melissa cost $385M (Trusecure Corp) Most viruses use a buffer overrun exploit to gain control

University of Virginia Department of Computer Science8 Spread of Code Red Animation

University of Virginia Department of Computer Science9 Hacking 101 Exploit lack of bounds checking in C programs Malicious user provides input string that is actually code Change return address to jump to malicious code by overrunning a buffer Typically use strcpy(), strcat(), sprintf(), etc.

University of Virginia Department of Computer Science10 Buffer Overrun Attacks

University of Virginia Department of Computer Science11 Hacking 201 #include char shellcode[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68" "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14" "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" "\x91\xd0\x20\x08\x81\xc7\xe0\x08\x83\xe8\x40\x01";

University of Virginia Department of Computer Science12 Hacking 201 void trustme (void) { unsigned buffer[24]; printf("Evil buffer lives at %08x\n", buffer); long_ptr = (long *)large_string; for (i=0; i<44; i++) *(long_ptr+i) = ((int)buffer) - 8; for (i=0; i<(int)strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy((char *)buffer, large_string); return; } void naive (void) { trustme(); return; /* This should execute the injected code. */ } void main (int argc, char *argv[]) { naive(); printf("Nothing bad happened!\n"); }

University of Virginia Department of Computer Science13 Stopping Viruses with Strata

University of Virginia Department of Computer Science14 Preventing Stack Smashing Attacks with Strata TI = SPARC_TI; TI.fetch = my_fetch; Override fetch insn_t my_fetch (iaddr_t PC) { if (in_stack(PC)) strata_fatal(“Smash!”); else (*SPARC_TI.fetch)(PC); }

University of Virginia Department of Computer Science15 Strata Security API With the security API a user can specify and implement security policies Prevent suid programs from exec’ing a shell Filter URLs Sandbox file system Prevent writes to specified files (e.g., registry) Produce audit trails