Security Bugs in Embedded Interpreters

Size: px

Start display at page:

Download "Security Bugs in Embedded Interpreters"

Silvester Cummings
6 years ago
Views:

1 Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL

2 Embedded interpreters Host system Bytecode Input Embedded interpreter Output

3 Embedded interpreters Host system Bytecode Input Embedded interpreter Output Define an instruction set in the form of bytecode

4 Embedded interpreters Host system Bytecode Input Embedded interpreter Output Define an instruction set in the form of bytecode Interpret and execute bytecode on a virtual machine

5 Embedded interpreters Host system Bytecode Input Embedded interpreter Output Define an instruction set in the form of bytecode Interpret and execute bytecode on a virtual machine Usually light-weight, and no process-level sandboxing

6 Prevalence of embedded interpreters and related vulnerabilities

7 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities

8 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML CVE CVE CVE CVE CVE CVE

9 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE

10 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE

11 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE

12 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE FreeType TrueType / Type 1 Charstring CVE CVE

13 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE FreeType TrueType / Type 1 Charstring CVE CVE

RarVM LLVM CVE-2010-4158 CVE-2012-3729 CVE-2010-3880

CVE-2011-3627 Bitcoin bitcoin CVE-2010-5137 Python Pickle

14 Prevalence of embedded interpreters and related vulnerabilities Software Interpreter Known vulnerabilities BPF INET_DIAG AML RarVM LLVM CVE CVE CVE CVE CVE CVE CVE CVE Bitcoin bitcoin CVE Python Pickle CVE CVE FreeType TrueType / Type 1 Charstring CVE CVE

15 Our contributions Studies of 10 widely-used embedded interpreters in real world Studies of known vulnerabilities Security guidelines Research opportunities

16 Why do people use embedded interpreter?

17 A packet filtering example Monitor all packets that do not originate from * or * $"tcpdump" ip"src"net"not"( /24"or" /24)

18 A packet filtering example Monitor all packets that do not originate from * or * $"tcpdump" ip"src"net"not"( /24"or" /24) Strawman 1: user space filtering The kernel passes all packets to tcpdump ip*src*net*not* ( /24*or* /24) tcpdump filtered packets kernel ***** ***** packets

19 A packet filtering example Monitor all packets that do not originate from * or * $"tcpdump" ip"src"net"not"( /24"or" /24) Strawman 1: user space filtering The kernel passes all packets to tcpdump Flexibility Security Performance ip*src*net*not* ( /24*or* /24) tcpdump filtered packets kernel ***** ***** packets

20 A packet filtering example

21 A packet filtering example Strawman II: extensible kernel module

22 A packet filtering example Strawman II: extensible kernel module tcpdump uploads compiled native code to the kernel ip*src*net*not* ( /24*or* /24) tcpdump kernel Native code ld*****12(%ebx),*%eax* test***%eax,*$0x800 jeq****l3 ld*****26(%ebx),*%eax and****%eax,*$0xffffff00 ********... filtered packets ***** ***** packets Kernel module

23 A packet filtering example Strawman II: extensible kernel module tcpdump uploads compiled native code to the kernel Flexibility Performance Security ip*src*net*not* ( /24*or* /24) tcpdump kernel Native code ld*****12(%ebx),*%eax* test***%eax,*$0x800 jeq****l3 ld*****26(%ebx),*%eax and****%eax,*$0xffffff00 ********... filtered packets ***** ***** packets Kernel module

24 Solution: Berkeley Packet Filter (BPF)

25 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump

26 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program

27 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program

28 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program BPF interpreter

29 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter

30 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets

31 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets Flexibility

32 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets Flexibility Performance no IPC & context switch overhead

33 Solution: Berkeley Packet Filter (BPF) ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets Flexibility Performance no IPC & context switch overhead Security no direct control of the real machine

34 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) tcpdump kernel Inputs to bytecode Host system ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 L1:*****ld*****[26] ********and****#0xffffff00 ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L3:*****ret****#TRUE L4:*****ret****#0 Bytecode program ***** ***** packets BPF interpreter Filtered packets

Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* (18.26.5.0/

@#S****[238472398] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] L1:*****@#&#$(&@#$*#@$ ********and****#0xffffff00

35 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** ***** packets BPF interpreter Filtered packets

36 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Untrusted input Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** packets ***** BPF interpreter Filtered packets

37 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Untrusted input Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** packets ***** BPF interpreter Filtered packets

38 Solution: Berkeley Packet Filter (BPF) Are embedded interpreters really secure? ip*src*net*not* ( /24*or* /24) kernel Untrusted input Inputs to bytecode Host system tcpdump ********ldh****[12] ********jeq****#ethertype_ip,*l1,*l4 *********$&$s****#934dead L1:*****ld*****[26] ********and****#0xffffff00 ********kill****[xxx] ********jeq****#0x121a0500,*l4,*l2 L2:*****jeq****#0x ,*L4,*L3 L2:*****... L3:*****ret****#TRUE ********ret*****#deadbeaf L4:*****ret****#0 Untrusted bytecode Bytecode program ***** packets ***** BPF interpreter Filtered packets

39 Security of embedded interpreters

40 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution

41 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution Untrusted input Must execute the bytecode defensively

42 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution Untrusted input Must execute the bytecode defensively No strict isolation Must prevent bugs in embedded interpreters from affecting the host system

43 Security of embedded interpreters Untrusted bytecode Must validate the bytecode before execution Untrusted input Must execute the bytecode defensively No strict isolation Must prevent bugs in embedded interpreters from affecting the host system Embedded interpreters that fail to do so (correctly) will be vulnerable

44 Vulnerability case studies Untrusted bytecode INET_DIAG infinite loop vulnerability (CVE ) Untrusted input ClamAV signed division vulnerability No strict isolation FreeType arbitrary code execution vulnerability (CVE )

45 INET DIAG infinite loop vulnerability

46 INET DIAG infinite loop vulnerability $*ss*...

47 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej:

48 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: suspicious Socket suspicious files state (trusted) files

49 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; suspicious Socket suspicious files state (trusted) files

50 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; suspicious Socket suspicious files state (trusted) files

51 INET DIAG infinite loop vulnerability $*ss*... Userspace filter code """""sge""""21,"l1,"rej""";"02"04"... L1:""sge""1024,"L2,"acc""";"02"04"... L2:""jmp""rej""""""""""""";"01"04"... acc:"nop"""""""""""""""""";"00"04 rej: struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... suspicious Socket suspicious files state (trusted) files """"bc"+="opp>oplen; """"len"p="opp>oplen; }

52 INET DIAG infinite loop vulnerability $*ss*... """""sge""""21,"l1,"rej""";"02"04"... 02"00 L1:""sge""1024,"L2,"acc""";"02"04"... 02"00 L2:""jmp""rej""""""""""""";"01"04"... 01"00 acc:"nop"""""""""""""""""";"00"04 00"00 rej: Userspace filter code struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... suspicious Socket suspicious files state (trusted) files """"bc"+="opp>oplen; """"len"p="opp>oplen; } Infinite loop when op^>oplen is zero

53 INET DIAG infinite loop vulnerability $*ss*... """""sge""""21,"l1,"rej""";"02"04"... 02"00 L1:""sge""1024,"L2,"acc""";"02"04"... 02"00 L2:""jmp""rej""""""""""""";"01"04"... 01"00 acc:"nop"""""""""""""""""";"00"04 00"00 rej: Userspace filter code struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... suspicious Socket suspicious files state (trusted) files """"bc"+="opp>oplen; """"len"p="opp>oplen; } Infinite loop when op^>oplen is zero

54 INET DIAG infinite loop vulnerability $*ss*... """""sge""""21,"l1,"rej""";"02"04"... 02"00 L1:""sge""1024,"L2,"acc""";"02"04"... 02"00 L2:""jmp""rej""""""""""""";"01"04"... 01"00 acc:"nop"""""""""""""""""";"00"04 00"00 rej: Userspace filter code suspicious Socket suspicious files state (trusted) files struct"inet_diag_bc_op"{"""""//"instruction"header """"unsigned"char"""opcode;""//"opcode """"unsigned"char"""oplen;"""//"instruction"length }; //"validate"bytecode const"void"*bc"="bytecode; while"(len">"0)"{ """"struct"inet_diag_bc_op"*op"="bc; """"... +"""if"(opp>oplen"<"min_len)"//"min_len"is"at"least"4 +"""""""return"peinval; """"bc"+="opp>oplen; """"len"p="opp>oplen; } Infinite loop when op^>oplen is zero

55 Vulnerability case studies Untrusted bytecode INET_DIAG infinite loop vulnerability (CVE ) Untrusted input ClamAV signed division vulnerability No strict isolation FreeType arbitrary code execution vulnerability (CVE )

56 ClamAV signed division vulnerability

57 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b...

58 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "...

59 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... switch"(opcode)"{ Interpreter code... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } }

60 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... switch"(opcode)"{ Interpreter code... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } }

61 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... Interpreter code switch"(opcode)"{... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } } Might trap on a/0 and INT64_MIN*/*^1

62 ClamAV signed division vulnerability Cloud Bytecode signature %a"="load"i64*"inttoptr"i64"0"to"i64* %b"="load"i64*"inttoptr"i64"8"to"i64* %r"="sdiv"i64"%a,"%b... suspicious suspicious Suspicious files local files file " " "... WRONG! Should swap a and b Interpreter code switch"(opcode)"{... case"op_sdiv: { """"int64_t"a"="binops(0);"//"dividend """"int64_t"b"="binops(1);"//"divisor """"if"(b"=="0" "(a"=="p1"&&"b"=="int64_min)) """"""""return"cl_ebytecode; """"valuep>v"="a"/"b; } } Might trap on a/0 and INT64_MIN*/*^1

63 Vulnerability case studies Untrusted bytecode INET_DIAG infinite loop vulnerability (CVE ) Untrusted input ClamAV signed division vulnerability No strict isolation FreeType arbitrary code execution vulnerability (CVE )

64 FreeType arbitrary code execution JailbreakMe CVE

65 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font JailbreakMe CVE

66 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font JailbreakMe CVE

67 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE

68 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE

69 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE

70 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs;

71 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs; Did not validate nargs is in range

72 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer }; JailbreakMe CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs; Did not validate nargs is in range

73 FreeType arbitrary code execution push"0xfea50000"""";"nargs"="p347 push"0x2a"""""""""";"subroutine"num"="42 callothersubr"""""";"call"custom"function..."... Malicious PDF file with embedded T1 font struct"t1_decoderrec"{""""""""""""""//"t1"vm"state """"FT_Long"""stack[MAX_OPERANDS];""//"execution"stack """"FT_Long*""top;""""""""""""""""""//"stack"pointer """"... """"T1_Decoder_Callback"""parse_callback;"//"func"pointer JailbreakMe }; CVE //"execute"callothersubr case"call_other_subr: """"//"dispatch"and"call"subroutines """"... """"//"pop"out"arguments"from"the"stack """"decoderp>top"p="nargs; Overwrite function pointer Did not validate nargs is in range

74 Security guidelines

75 Security guidelines A better solution: process isolation Running interpreter in a separate OS process Can prevent bugs in the interpreter from affecting the host system Example: Chrome browser

76 Security guidelines A better solution: process isolation Running interpreter in a separate OS process Can prevent bugs in the interpreter from affecting the host system Example: Chrome browser Exceptions Application requires extreme performance No processes (e.g. OS kernels)

77 Pitfall 1: complex feature sets

78 Pitfall 1: complex feature sets Feature vs. vulnerability checklist The more expressive a bytecode is, the wider range of attack vectors there could be

79 Pitfall 1: complex feature sets Feature vs. vulnerability checklist The more expressive a bytecode is, the wider range of attack vectors there could be Feature set Arithmetic operations Loops (backward jumps) Function calls External calls to the host Register file or scratch memory Potential attack vectors Div-by-zero, integer overflow Infinite loops, DoS Infinite recursion, stack overflow Arbitrary code execution Information leak

80 Pitfall 1: complex feature sets Feature vs. vulnerability checklist The more expressive a bytecode is, the wider range of attack vectors there could be Feature set Arithmetic operations Loops (backward jumps) Function calls External calls to the host Register file or scratch memory Potential attack vectors Div-by-zero, integer overflow Infinite loops, DoS Infinite recursion, stack overflow Arbitrary code execution Information leak Advices Do not over-design Example: bitcoin disabled many unused opcodes

81 Pitfall 2: resource consumption

82 Pitfall 2: resource consumption Unconstrained resource consumption can cause DoS attack to the host system

83 Pitfall 2: resource consumption Unconstrained resource consumption can cause DoS attack to the host system Advices Limit execution time or total number of instructions Limit stack growth and depth of nested calls Terminate the bytecode and reclaim resources when necessary

84 Pitfall 3: calls to the host system Allowing calling external functions from the bytecode is a bad idea Break interpreter / host isolation Examples: python s pickle library Easily leads to arbitrary code execution

85 Pitfall 3: calls to the host system Allowing calling external functions from the bytecode is a bad idea Break interpreter / host isolation Easily leads to arbitrary code execution Examples: python s pickle library Advices Need a clean and explicit interface Ideally, all interaction with external world should be limit to input and output

86 Research Opportunities

87 Research Opportunities Testing embedded interpreters

88 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated

89 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated Symbolic testing Challenge: control flow highly depends on the bytecode

90 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated Symbolic testing Challenge: control flow highly depends on the bytecode Building reusable embedded interpreter Embedded interpreter? General-purpose bytecode (e.g. Java)

91 Research Opportunities Testing embedded interpreters Static analysis (or formal verification) Challenge: many invariants are dynamic and complicated Symbolic testing Challenge: control flow highly depends on the bytecode Building reusable embedded interpreter Challenge: trade-off between complexity and generality Embedded interpreter Size of runtime? Performance Portability General-purpose bytecode (e.g. Java)

92 References BPF: S. McCanne and V. Jacobson. The BSD packet filter: A new architecture for userlevel packet capture. USENIX ATC 93. ClamAV: A. Wu. Bytecode signatures for polymorphic malware. RarVM: T. Ormandy. Fun with constrained programming. FreeType: J. Sigwald. Analysis of the jailbreakme v3 font exploit. Pickles: M. Slaviero. Sour pickles: Shellcoding in Python s serialization format. media.blackhat.com/bh-us-11/slaviero/bh_us_11_slaviero_sour_pickles_wp.pdf. DWARF: J. Oakley and S. Bratus. Exploiting the hard-working DWARF: Trojan and exploit techniques with no native executable code. USENIX WOOT 11. JIT: C. Rohlf and Y. Ivnitskiy. The security challenges of client-side Just-in-Time engines. IEEE S&P 12.

93 Conclusion Embedded interpreters and their vulnerabilities are prevalent in real world Pitfalls and security guidelines Research opportunities Testing embedded interpreters Building reusable embedded interpreters

94 Q & A Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL

ISOLATION DEFENSES GRAD SEC OCT

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud: