Korset: Code-based Intrusion Detection for Linux

Transcription

1 Problem Korset Theory Implementation Evaluation Epilogue Korset: Code-based Intrusion Detection for Linux Ohad Ben-Cohen Avishai Wool Tel Aviv University

2 Problem Korset Theory Implementation Evaluation Epilogue Table of Contents why what how demo! evaluate

3 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Section 1: The Problem

4 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Exploit this void sayhi(char param) { char buf[96]; gets(buf); printf("hi %s, please don t hurt me!\n", buf); }

5 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow

6 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow

7 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow

8 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow

9 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Buffer Overflow

10 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Code Injection

11 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Defense

12 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Host-based Intrusion Detection Systems (HIDS s) To Identify Malicious Activities Pre-construct a model of normal behavior Monitor running processes Compare data to model Alarm when deviates

13 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Host-based Intrusion Detection Systems (HIDS s) To Identify Malicious Activities Pre-construct a model of normal behavior Monitor running processes Compare data to model Alarm when deviates Terms False Positives ( usability) False Negatives ( precision)

14 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior

15 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms

16 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms False Alarms are inherent and inevitable if(time() < YEAR2009) read(...); else write(...);

17 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms False Alarms are inherent and inevitable if(time() < YEAR2009) read(...); else write(...); 2. Program Policies Can be very accurate Eliminate False Alarms Tedious and demanding

18 Problem Korset Theory Implementation Evaluation Epilogue Exploits HIDS Models of normal behavior 1. Machine Learning Automated Capable of detecting a wide range of attacks Statistical Have False Alarms False Alarms are inherent and inevitable if(time() < YEAR2009) read(...); else write(...); 2. Program Policies Can be very accurate Eliminate False Alarms Tedious and demanding

19 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Section 2: Korset

20 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo General Architecture

21 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Model of Normal Behavior Control Flow Graph (CFG)

22 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo General Architecture

23 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo General Architecture

24 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Stage #1: Model Preconstruction

25 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

26 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Assumption: System calls are the only way to inflict damage (Not entirely true...)

27 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

28 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

29 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

30 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

31 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

32 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

33 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

34 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

35 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

36 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protect me

37 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Model of Normal Behavior System call sequences Paths in the graph

38 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Model of Normal Behavior System call sequences Paths in the graph No path in the graph Invalid system call sequence

39 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Stage #2: Runtime Monitoring

40 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

41 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

42 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

43 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

44 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

45 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

46 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

47 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

48 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

49 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

50 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

51 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Protecting

52 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo In words Model of Normal Behavior Control Flow Graphs (CFG) Only System Calls Statically Preconstructed Once for every app Runtime Monitoring Monitor system calls emitted in run-time Simulate observed system calls on automata Always maintain a current node Terminate diverging processes

53 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Code-based Intrusion Detection

54 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Code-based Intrusion Detection First work by David Wagner and Drew Dean, 2001

55 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Intrusion Detection via Static Analysis Pros Automated Provable zero false positives (assuming that code isn t self modifying)

56 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Intrusion Detection via Static Analysis Pros Automated Provable zero false positives (assuming that code isn t self modifying) Cons Limited to code injection attacks High precision comes with a cost

57 Problem Korset Theory Implementation Evaluation Epilogue CIDS Demo Action!

58 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Section 3: Not so simple

59 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions

60 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions - Link CFGs

61 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism And... Simplify

62 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Simplification Process Simple and Smooth u w u w v y z y z

63 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Challenge #1

64 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity Before linking

65 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity After linking

66 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity After linking... So?

67 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Functions Redux - Context Insensitivity After linking... So? Impossible execution paths are allowed E.g.: open-read-write

68 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Context Insensitivity A Function after linking... So? Impossible execution paths are allowed E.g.: open-read-write

69 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Hey before you link Not all functions emit/lead to system calls

70 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Unlinking Do not link them

71 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Unlinking Just ditch their calling nodes...

72 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Inline CFGs of functions that issue system calls

73 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Create Private Copies

74 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Link Private Copies

75 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Simplify Result

76 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining After Simplifying

77 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Inlining Depth?

78 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Graph Inlining Inlining Depth? (currently - depth 1)

79 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Challenge #2

80 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Non Determinism Which write is it?

81 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism %EIP?

82 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism %EIP does not help

83 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Solution: Merge Nodes Solution: Merge nodes

84 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Non Determinism Solution: Merge nodes

85 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Merging cost Graph now allows impossible paths! b g o b g o r r r y g y g accepting: gry, grg, bry, org accepting: gry, grg, bry, org, brg, ory

86 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism Minimizing Merging cost Don t merge, add

87 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism the Deterministic Callgraph Automaton (DCA)

88 Problem Korset Theory Implementation Evaluation Epilogue Context Insensitivity Non Determinism the Deterministic Callgraph Automaton (DCA) Only system call nodes There are no ɛ-edges Need to check only direct descendants No control flow ambiguity No more than a single match Current state is always a single node Complexity Time: O( ) Space: O(1) ( - set of system calls)

89 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Section 4: Implementation

90 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction General Architecture

91 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction General Architecture

92 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction General Architecture

93 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Kernel guts The Monitoring Agent User Space example ELF executable System Calls Kernel Space Korset Monitoring Agent Kernel System Call Handler example.korset write read close read write close

94 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Per process state sched.h struct task struct {... char korset graph; u32 korset node;... };

95 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...

96 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...

97 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...

98 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent - via a new LSM hook entry.s ENTRY(system call)... GET THREAD INFO(%rcx) SAVE ARGS movq %rax,%rsi movq %rcx,%rdi call security system call cmpl $0, %eax jnz syscall noperm RESTORE ARGS... call sys call table(,%rax,8)...

99 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset runtime monitor start

100 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset runtime monitor stop

101 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Monitoring Agent Sum up Integrated into the Kernel s system call handler Uses and extends the Linux Security Module (LSM) interface Simulate automaton on observed system calls Terminate subverted applications Can dynamically update in-memory DCA Can dump updated DCA back to disk

102 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Userland The Static Analyzer User Space example.c i = read(fd, buf, n); if (i == n) { write(fd, buf, n); } close(fd); gcc, ld,... Korset Static Analyzer System Calls example ELF executable example.korset read write close Kernel Space

103 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset static analyzer start

104 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ gcc -c foo.c -o foo.o

105 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ gcc -c bar.s -o bar.o

106 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ ar c foobar.a foo.o bar.o

107 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ gcc foo.o bar.o -o foobar

108 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction foo.o.kvcg

109 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction bar.o.kvcg

110 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction foobar.a.kvcg

111 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction foobar.korset

112 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction $ korset static analyzer stop

113 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Static Analyzer Sum up Wraps the Linux build tools Transparently runs whenever user compiles, links or ar(chives) Creates DCAs for objects, libraries and executables

114 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Constructing the Graphs

115 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day

116 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day

117 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day

118 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day

119 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day

120 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day

121 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day GCC Plugins?

122 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction GCC saves the day $ gcc -dv -fdump-rtl-pass

123 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Visualization of Compiler Graphs (VCG) Just parse and the CFG is yours graph: { title: "hack digit"... node: { title: "hack digit.0" }... edge: { sourcename: "hack digit.0" targetname: "hack digit.7" color: blue } node: { title: "hack digit.7" label: "note 7" }...

124 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for C files foo.0 note 6 insn 40 insn 41 insn 42 insn 8 jump_insn 9 code_label 11 insn 14 insn 16 insn 17 insn 18 call_insn 19 insn 21 code_label 22 insn 24 jump_insn 25 insn 45 note 47 jump_insn 46 END Use gcc s VCG output $ gcc -dv -fdump-rtl-pass -c foo.c void foo(void) { int i; for (i = 0; i < 10; i++) fwrite("hello!\n", 7, 1, stdout); } basic block 7

125 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Simplification Process Simple and Smooth u w u w v y z y z

126 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for C files After simplifying VCG output void foo(void) { int i; for (i = 0; i < 10; i++) fwrite("hello!\n", 7, 1, stdout); } vcg-demo.o call fwrite foo.0 END

127 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction VCG Summary Neat.

128 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction VCG Summary Neat. Does not apply for Assembly files...

129 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Lots of Macros... #include <sysdep cancel.h> PSEUDO ( libc read, read, 3) ret PSEUDO END( libc read) libc hidden def ( libc read) weak alias ( libc read, read) libc hidden weak ( read) weak alias ( libc read, read) libc hidden weak (read)

130 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Disassemble corresponding object file: mov %rdx,0x18(%rsp) callq 35 < write nocancel+0x2c> R X86 64 PC32 libc enable asynccancel mov 0x8(%rsp),%rdi mov 0x10(%rsp),%rsi mov 0x18(%rsp),%rdx mov %rax,(%rsp) mov $0x1,%eax syscall

131 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Look for system and function calls: mov %rdx,0x18(%rsp) callq 35 < write nocancel+0x2c> R X86 64 PC32 libc enable asynccancel mov 0x8(%rsp),%rdi mov 0x10(%rsp),%rsi mov 0x18(%rsp),%rdx mov %rax,(%rsp) mov $0x1,%eax syscall

132 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for Assembly files Create a simplified matching graph Crude, ok for simple files Sound solution Requires a better flow analysis

133 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files something like this: $ gcc -x c++ -o output.o - redundant?

134 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files common glibc build: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o

135 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files Disassemble output file and build graph: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o

136 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Creating CFGs for stdin files Result: a simplified matching graph

137 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Is it enough? common glibc build: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o

138 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Pay attention to symbol aliases common glibc build: (echo #include <sysdep cancel.h> ; \ echo PSEUDO ( libc read, read, 3) ; \ echo ret ; \ echo PSEUDO END( libc read) ; \ echo libc hidden def ( libc read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak ( read) ; \ echo weak alias ( libc read, read) ; \ echo libc hidden weak (read) ; \ ) gcc c x assembler with cpp o read.o

139 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Collect symbol information objdump syms read.o: file format elf64 x86 64 SYMBOL TABLE: g F.text libc read g F.text read nocancel w F.text read w F.text read

140 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Collect symbol information objdump syms read.o: file format elf64 x86 64 SYMBOL TABLE: g F.text libc read g F.text read nocancel w F.text read w F.text read

141 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Add symbol aliases Before

142 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Add symbol aliases After

143 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc

144 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc

145 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc

146 Problem Korset Theory Implementation Evaluation Epilogue Overview Kernel Userland Construction Linking issues Not all functions are equal malloc.o: file format elf64 x86 64 SYMBOL TABLE: e4 l F.text f malloc check 00001c46 l F.text f2 free check w UND dso handle e g F.text calloc e w F.text calloc 00001b79 g F.text cd cfree 00001b79 w F.text cd cfree 00003e41 g F.text cf malloc

147 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Section 4: Evaluation

148 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Micro-Benchmarks Overhead Percentage Micro-Benchmarks write read write > /dev/null setuid BestCase BadCase WorstCase

149 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Core-utils Benchmarks Overhead (%) Core-Utils Benchmark cp ls cat

150 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Precision Analysis The Branching Factor

151 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Graphs Analysis Glibc Graph Branching average branch degree э-less CFG basic DCA Final DCA glibc DCA branching open read write execve malloc gets fopen fread fwrite printf empty main

152 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision malloc() malloc() syscall 45 syscall 90 syscall 125 syscall 91

153 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision fwrite() syscall 90 syscall 197 syscall 54 syscall 45 syscall 108 syscall 140 syscall 4 syscall 125 fwrite() syscall 91

154 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Empty main void main(void) { }

155 Problem Korset Theory Implementation Evaluation Epilogue Runtime Precision Empty main empty.c.49.stack

156 Problem Korset Theory Implementation Evaluation Epilogue Section 5: Sum up

157 Problem Korset Theory Implementation Evaluation Epilogue Sum up Summary Zero False Positives Intrusion Detection Negligible (/Bounded) Runtime Overhead Linux Kernel Prototype Automatic Analysis of the GNU C library Free Software (GPL ed) Status Proof of concept! Very limited, e.g.: only static linking

158 Problem Korset Theory Implementation Evaluation Epilogue

159 Problem Korset Theory Implementation Evaluation Epilogue THE END

160 Problem Korset Theory Implementation Evaluation Epilogue Thank You