Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011.

Published byGraciela Carte Modified over 9 years ago

Similar presentations

Presentation on theme: "Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011."— Presentation transcript:

1 Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011

2 A Common Pattern 1.Create sandbox 2.Load user-supplied Lua (byte|source) code 3.Run code in sandbox

3 A Common Pattern 1.Create sandbox 2.Load user-supplied Lua (byte|source) code 3.Run code in sandbox Sandbox Blacklist os.* io.* debug.* package.loadlib package.loaders[3] package.loaders[4]

4 A Common Pattern 1.Create sandbox 2.Load user-supplied Lua (byte|source) code 3.Run code in sandbox Sandbox Whitelist string.gsub table.sort

5 A Common Pattern 1.Create sandbox 2.Load user-supplied Lua (byte|source) code 3.Run code in sandbox  Arbitrary native code execution* Sandbox Whitelist string.gsub table.sort * At least for Lua 5.1.4 on x86 Windows (even with DEP and ASLR)

6 Bytecode GETGLOBAL r0, print LOADK r1, “Lua” CALL r0, 1, 0 Source code print “Lua” Virtual machine loadcall

7 Bytecode GETGLOBAL r0, print LOADK r1, “Lua” CALL r0, 1, 0 Source code print “Lua” Virtual machine loadcall Serialised bytecode \27Lua\x51\0\1\4\4\4\8\0\7\0\0\0\61stdin \0\1\0\0\0\1\0\0\0\0\0\0\2\4\0\0\0\5\0\0 \0\65\64\0\0\28\64\00\1\30\0\128\0\2\0\0 \0\4\6\0\0\0print\0\4\4\0\0\0Lua\0\0\0\0 \0\4\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0 dump

8 Logical TValue

9 Physical TValue

10 C API abusing a TValue void lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[–1] = *luaH_get(hvalue(t), L->top - 1); }

11 C API abusing a TValue void lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[–1] = *luaH_get(hvalue(t), L->top - 1); } int table.sort(lua_State* L) { luaL_checktype(L, 1, LUA_TTABLE); /*... */ lua_rawget(L, 1); /*... */ }

12 C API abusing a TValue void lua_rawget(lua_State* L, int idx) { TValue* t = index2adr(L, idx); api_check(L, ttistable(t)); L->top[–1] = *luaH_get(hvalue(t), L->top - 1); } int table.sort(lua_State* L) { luaL_checktype(L, 1, LUA_TTABLE); /*... call comparison function... */ lua_rawget(L, 1); /*... call comparison function... */ }

13 Virtual Machine abusing a TValue for x = init, limit, step do print(x) end GETGLOBAL init GETGLOBAL limit GETGLOBAL step FORPREP GETGLOBAL print MOVE x CALL FORLOOP

14 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end)

15 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“go”, “a”}r0 table.sortr1 {“go”, “a”}r2 functionr3 r4 r5 r6 r7 r8 r9

16 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“go”, “a”} table.sort {“go”, “a”}1 function2

17 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“go”, “a”} table.sort {“go”, “a”}1 function2 “go”-5 “a”-4 function-3 “a”-2 “go”

18 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“go”, “a”} table.sort {“go”, “a”} function “go” “a” function “a”r0 “go”r1 r2

19 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“go”, “a”} table.sort {“go”, “a”} function “go” “a” function “a”r0 “go”r1 falser2

20 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“go”, “a”} table.sort {“go”, “a”}1 function2 “go”-3 “a”-2 false “a” “go” false

21 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“a”, “go”} table.sort {“a”, “go”}1 function2 “go” “a” false “a” “go” false

22 Function Calls local t = {“go”, “a”} table.sort(t, function(lhs, rhs) return #lhs < #rhs end) {“a”, “go”}r0 table.sortr1 {“a”, “go”}r2 functionr3 “go”r4 “a”r5 falser6 “a”r7 “go”r8 falser9

23 Upvalues local x = 10 local count = function() x = x + 1 return x end 10 (function) upvalue #0 GETUPVAL ADD SETUPVAL GETUPVAL RETURN

24 Upvalues \27Lua\x51... (malicious bytecode here)... 10 (function) upvalue #0 GETUPVAL ADD SETUPVAL GETUPVAL RETURN

25 Malicious Bytecode Catalogue Violating type assumptions in the VM – FORLOOP – SETLIST in 5.2 Emulating debug.[gs]etlocal – Reading leftover locals – Promiscuous upvalues Violating type assumptions in the C API – lua_(next|raw[gs]eti?) – lua_[gs]etuservalue in 5.2

26 Mitigation Catalogue Don’t load bytecode – First byte decimal 27 – load(ld, source, "t" [, env]) in 5.2 Compile with LUA_USE_APICHECK (*) Static analysis and verification of bytecode (*) Makes exploitation harder, doesn’t prevent information leakage attacks, may not save you.

27 Static Analysis, Blunt Approach Violating type assumptions in the VM – For each stack slot, at each VM instruction, determine a set of possible types Emulating debug.[gs]etlocal – Ensure stack slots are safely readable – For each stack slot, at each VM instruction, determine if it could be an upvalue – Segregating calls from upvalues

28 Static Type Analysis function example(x) if x then x = 3.14 else x = “pi” end return x end.parameter r0 TEST r0; JMP $+2 LOADK r0, k0 JMP $+1 LOADK r0, k1 RETURN r0

29 Static Type Analysis function example(x) if x then x = 3.14 else x = “pi” end return x end TEST r0 LOADK r0 3.14 LOADK r0 “pi” RETURN r0

30 Static Type Analysis function example(x) if x then x = 3.14 else x = “pi” end return x end TEST r0 LOADK r0 3.14 LOADK r0 “pi” RETURN r0 * num str {num, str}

31 Static Analysis Prerequisites Decode and understand each instruction Ensure control flow doesn’t leave Valid (register|constant|…) indices Verify some VM assumptions, like: – TEST instructions are followed by a JMP – Boolean constants are either 0 or 1 Instructions which produce or consume a variable number of values must come in pairs

32 Static Analysis, Subtle Approach Violating type assumptions in the VM – Protect loop control variables – Perform runtime table type checks Emulating debug.[gs]etlocal – At each VM instruction, split the stack into locals / temporary / unused UpvaluesCallsUnreadable

33 Static Analysis, Subtle Approach Debug information embedded within bytecode – Gives size of the local region at each instruction – Specifies which locals are loop control variables The temporary region always grows into the next available unused stack slot The local region always grows to absorb a temporary Backward jumps are to locations with no temporaries Forward jumps merge to the smallest of the temporary ranges

34 “Practical” Static Analysis require "lbcv" lbcv.verify(ld) lbcv.load(ld [, source [, mode]])

35 Questions? Peter Cawley Lua Workshop 2011

Download ppt "Mitigating the Danger of Malicious Bytecode Peter Cawley Lua Workshop 2011."

Similar presentations

Topic Reviews For Unit 5 - 6. ET156 – Introduction to C Programming Topic Reviews For Unit 5 - 6.

Topic Reviews For Unit ET156 – Introduction to C Programming Topic Reviews For Unit
AP Computer Science Anthony Keen. Computer 101 What happens when you turn a computer on? –BIOS tries to start a system loader –A system loader tries to.

AP Computer Science Anthony Keen. Computer 101 What happens when you turn a computer on? –BIOS tries to start a system loader –A system loader tries to.
Foundations of Programming and Problem Solving Introduction.

Foundations of Programming and Problem Solving Introduction.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 16 Secure Coding in Java and.NET Part 1: Fundamentals.
Based on Mike Feeley’s original slides; Modified by George Tsiknis Unit 11 Local Variables, Parameters and the Stack Relevant Information CPSC 213 Companion.

Based on Mike Feeley’s original slides; Modified by George Tsiknis Unit 11 Local Variables, Parameters and the Stack Relevant Information CPSC 213 Companion.
The IA-64 Architectural Innovations Hardware Support for Software Pipelining José Nelson Amaral 1.

The IA-64 Architectural Innovations Hardware Support for Software Pipelining José Nelson Amaral 1.
1 Patt and Patel Ch. 7 LC-3 Assembly Language. 2 LC-3 is a load/store RISC architecture Has 8 general registersHas 8 general registers Has a flat 16-bit.

1 Patt and Patel Ch. 7 LC-3 Assembly Language. 2 LC-3 is a load/store RISC architecture Has 8 general registersHas 8 general registers Has a flat 16-bit.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Slides created by: Professor Ian G. Harris Efficient C Code  Your C program is not exactly what is executed  Machine code is specific to each ucontroller.

Slides created by: Professor Ian G. Harris Efficient C Code  Your C program is not exactly what is executed  Machine code is specific to each ucontroller.
ARM versions ARM architecture has been extended over several versions.

ARM versions ARM architecture has been extended over several versions.
CSC 3210 Computer Organization and Programming

CSC 3210 Computer Organization and Programming
RAT R1 R2 R3 R4 R5 R6 R7 Fetch Q RS MOB ROB Execute Retire.

RAT R1 R2 R3 R4 R5 R6 R7 Fetch Q RS MOB ROB Execute Retire.
Overheads for Computers as Components 2nd ed.

Overheads for Computers as Components 2nd ed.
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 11 th December, 2008.

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M th December, 2008.
Class Addressing modes

Class Addressing modes
COMPSCI 210 Semester 2 - 2014 Tutorial 10 Exercises from CH 14.

COMPSCI 210 Semester Tutorial 10 Exercises from CH 14.
MIPS Assembly Tutorial

MIPS Assembly Tutorial
Instruction-Level Parallelism

Instruction-Level Parallelism

Similar presentations

Ads by Google