OS-SOMMELIER: Memory-Only Operating System Fingerprinting in the Cloud
|
|
|
- Rudolph Parks
- 6 years ago
- Views:
Transcription
1 OS-SOMMELIER: Memory-Only Operating System Fingerprinting in the Cloud Yufei Gu, Yangchun Fu, Aravind Prakash Dr. Zhiqiang Lin, Dr. Heng Yin University of Texas at Dallas Syracuse University October 16 th, 2012
2 Outline 1 Motivation 2 State-of-the-Art 3 Detailed Design 4 Evaluation 5 Conclusion
3 What is OS Fingerprinting
4 What is OS Fingerprinting OS Fingerprinting in the Cloud Given a virtual machine (VM) image (or a running instance), precisely infer its specific OS kernel versions
5 Why we need OS Fingerprinting in the Cloud
6 Why we need OS Fingerprinting in the Cloud 1 Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 03]
7 Why we need OS Fingerprinting in the Cloud 1 Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 03] 2 Penetration Testing
8 Why we need OS Fingerprinting in the Cloud 1 Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 03] 2 Penetration Testing 3 VM Management (Kernel Update)
9 Why we need OS Fingerprinting in the Cloud 1 Virtual Machine Introspection [Garfinkel and Rosenblum, NDSS 03] 2 Penetration Testing 3 VM Management (Kernel Update) 4 Memory Forensics
![NDSS 03] A](/docs-images/77/75141377/images/10-5.jpg "Trusted OS")
10 Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum, NDSS 03] A Trusted OS Linux Win 7.. Secure VM Product VM Product VM Introspect Virtualization Layer Hardware Layer
11 Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum, NDSS 03] A Trusted OS Linux Win 7 Using a trusted, isolated, dedicated VM to monitor other VMs.. Secure VM Product VM Product VM Introspect Virtualization Layer Hardware Layer
12 Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum, NDSS 03] A Trusted OS Linux Win 7 Using a trusted, isolated, dedicated VM to monitor other VMs.. Secure VM Product VM Product VM Introspect Virtualization Layer Hardware Layer Binary Code Reuse based VMI Virtuoso [Dolan-Gavitt et al, Oakland 11]: using trained existing legacy code to perform VMI VM Space Traveler [Fu and Lin, Oakland 12]: dynamically instrumenting legacy binary code to perform VMI
13 Basic Approaches for OS Fingerprinting
14 Basic Approaches for OS Fingerprinting NETWORK DISK Virtual Machine Monitor Layer
15 Basic Approaches for OS Fingerprinting NETWORK DISK Basic Approaches 1 Network 2 File System 3 CPU State 4 Memory 5 Their Combinations Virtual Machine Monitor Layer
16 Network-based OS Fingerprinting TCP/ICMP Packet Response Packet
17 Network-based OS Fingerprinting TCP/ICMP Packet Response Packet Existing Techniques Probing TCP implementations [Comer and Lin, USENIX Summer ATC 94] Nmap [Fyodor] Xprob2 [Yarochkin, DSN 09] Synscan [Taleck, CanSecWest 04]...
18 Network-based OS Fingerprinting TCP/ICMP Packet Response Packet Existing Techniques Probing TCP implementations [Comer and Lin, USENIX Summer ATC 94] Nmap [Fyodor] Xprob2 [Yarochkin, DSN 09] Synscan [Taleck, CanSecWest 04] Limitations Imprecise: not accurate enough, cannot pinpoint minor differences Can be disabled: many modern OSes disable most of the network services as a default security policy...
19 File-System Based OS Fingerprinting File System Distinctive Files
20 File-System Based OS Fingerprinting File System Distinctive Files Basic Approach Mount the VM file system image Walk through the files in the disk Advantages: Simple, Intuitive, Efficient, and Precise
21 File-System Based OS Fingerprinting File System Distinctive Files Basic Approach Mount the VM file system image Walk through the files in the disk Advantages: Simple, Intuitive, Efficient, and Precise Limitations File System Encryption Cannot suit for memory forensics applications when only having memory dump
22 CPU Register based OS Fingerprinting CS DS ES FS SS ldtr itdr gdtr TR DR
23 CPU Register based OS Fingerprinting CS DS ES FS SS ldtr itdr gdtr TR DR
24 CPU Register based OS Fingerprinting CS DS ES FS SS ldtr itdr gdtr TR DR Existing Technique UFO: Operating system fingerprinting for virtual machines [Quynh, DEFCON 10] Advantage: efficient (super fast)
25 CPU Register based OS Fingerprinting CS DS ES FS SS ldtr itdr gdtr TR DR Existing Technique UFO: Operating system fingerprinting for virtual machines [Quynh, DEFCON 10] Advantage: efficient (super fast) Limitations Imprecise: not accurate enough. WinXP (SP2) vs WinXP (SP3) Cannot suit for memory forensics applications when only having memory dump
26 CPU and Memory Combination based OS Fingerprinting Interrupt Handler IDT
27 CPU and Memory Combination based OS Fingerprinting IDT Interrupt Handler Existing Techniques Using IDT pointer to retrieve interrupt handler code, and hash these code to fingerprint guest VM [Christodorescu et al, CCSW 09]
28 CPU and Memory Combination based OS Fingerprinting IDT Interrupt Handler Existing Techniques Using IDT pointer to retrieve interrupt handler code, and hash these code to fingerprint guest VM [Christodorescu et al, CCSW 09] Limitations Imprecise: not accurate enough, cannot pinpoint minor differences Cannot suit for memory forensics applications when only having memory dump
29 Memory-Only Approach for OS Fingerprinting task thread mm signal task task
30 Memory-Only Approach for OS Fingerprinting task thread mm signal task task Existing Technique SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [Lin et al, NDSS 11]
31 Memory-Only Approach for OS Fingerprinting task thread mm signal task task Existing Technique SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures [Lin et al, NDSS 11] Limitations Inefficient: a few minutes Requires kernel data structure definitions
32 OS-Sommelier: Memory-Only OS Fingerprinting Goal Precise: can pinpoint even minor OS differences Efficient: in a few seconds Robust: hard to evade, security perspective
33 OS-Sommelier: Memory-Only OS Fingerprinting Goal Precise: can pinpoint even minor OS differences Efficient: in a few seconds Robust: hard to evade, security perspective Key Idea Compute the hash values of core kernel code in the physical memory for the precise fingerprinting.
34 Some Statistics on Core Kernel Page
35 OS-Sommelier: Challenges Challenges How to get a robust and generic way to identify the kernel page table (when only having memory dump)? To traverse memories, We need PGDs to do virtual-to-physical address translation.
36 OS-Sommelier: Challenges Challenges How to get a robust and generic way to identify the kernel page table (when only having memory dump)? How to differentiate the main kernel code from the rest of code and data in the memory? There are core kernel code, kernel data, module code and module data in memories.
37 OS-Sommelier: Challenges Challenges How to get a robust and generic way to identify the kernel page table (when only having memory dump)? How to differentiate the main kernel code from the rest of code and data in the memory? How to correctly disassemble the kernel code? Code could start from any position. If we start disassembling from wrong positions, we will get totally wrong codes.
38 OS-Sommelier: Challenges Challenges How to get a robust and generic way to identify the kernel page table (when only having memory dump)? How to differentiate the main kernel code from the rest of code and data in the memory? How to correctly disassemble kernel code? How to normalize the kernel code to deal with practical issues such as ASLR? Some modern OSs such as Windows Vista and Windows 7 have enabled address space layout randomization(aslr).
39 OS-Sommelier: Architecture PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
40 PGD (Page Global Directory) Identification PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
41 PGD (Page Global Directory) Identification 10-bits 10-bits 12-bits Offset in PGD Offset in PDE Offset in Data Page Page Directory PDE Page Table PTE pte Data Page CR3 12-bits.. X 0 0 X X X X 1 1 cache write present reserved page size cache through writable Page Directory Entry (PDE) disabled accessed 12-bits.. Page Table Entry (PTE) global page U/S R/W present
42 PGD (Page Global Directory) Identification 10-bits 10-bits 12-bits Offset in PGD Offset in PDE Offset in Data Page Page Directory Page Table Data Page PDE PTE pte CR3 PGD Signature Three-layer points-to relation Unique SigGraph [NDSS 11] Signatures. 12-bits.. X 0 0 X X X X 1 1 cache write present reserved page size cache through writable Page Directory Entry (PDE) disabled accessed 12-bits.. Page Table Entry (PTE) global page U/S R/W present
43 PGD (Page Global Directory) Identification CR3 10-bits 10-bits 12-bits Offset in PGD Offset in PDE Offset in Data Page Page Directory.. PDE Page Table PTE pte 12-bits Data Page X 0 0 X X X X 1 1 cache write present reserved page size cache through writable Page Directory Entry (PDE) disabled accessed 12-bits.. Page Table Entry (PTE) global page U/S R/W present PGD Signature Three-layer points-to relation Unique SigGraph [NDSS 11] Signatures. Alternative Approach Extract CR3 when taking the memory snapshot
44 Core Kernel Code Identification PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
45 Core Kernel Code Identification PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
46 Core Kernel Code Identification: Step I Cluster PDE Cluster Page Size PTE... Global U/S R/W Page Properties Read Only Writable User System Global Non-Global Page size: 4M 4K
47 Core Kernel Code Identification: Step I OS-kernels C K Win-XP 883 Win-XP (SP2) 952 Win-XP (SP3) 851 Win-Vista 2310 Win Win-2003 Server 1028 Win-2003 Server (SP2) 1108 Win-2008 Server 1804 Win-2008 Server (SP2) 1969 FreeBSD FreeBSD FreeBSD OpenBSD OpenBSD OpenBSD NetBSD NetBSD Linux Linux Linux Linux Linux Linux PDE Page Size PTE Global U/S R/W Page Properties Read Only Writable User System Global Non-Global Page size: 4M 4K
48 Core Kernel Code Identification: Step II Cluster Cluster... Which cluster contains the main kernel code?
49 Core Kernel Code Identification: Step II Cluster Cluster... Which cluster contains the main kernel code? Search system instruction sequences Appearing in main kernel code Having unique pattern Not in kernel modules
50 X86 System Instruction Distributions in Kernel Pages System Inst. Linux Windows-XP FreeBSD-9.0 OpenBSD-5.1 Instructions Length #Inst. #pages #Inst. #pages #Inst. #pages #Inst. #pages LLDT SLDT LGDT SGDT LTR STR LIDT SIDT MOV CR MOV CR MOV CR MOV CR SMSW LMSW CLTS MOV DRn INVD WBINVD INVLPG HLT RSM RDMSR WRMSR RDPMC RDTSC RDTSCP XGETBV XSETBV
51 Core Kernel Code Identification: Step II Cluster 0F 20 D8 0F 22 D8 0F 20 D8 0F 22 D8 0F 20 D8 0F 22 D8 Cluster 0F 20 D8 0F 22 D8 6 bytes system instruction sequence Search System Instruction 0F 20 D8: mov EAX, CR3; 0F 22 D8: mov CR3, EAX; This instruction sequence is used for TLB flush
52 Core Kernel Code Identification: Step II OS-kernels C K C K k Win-XP Win-XP (SP2) Win-XP (SP3) Win-Vista Win Win-2003 Server Win-2003 Server (SP2) Win-2008 Server Win-2008 Server (SP2) FreeBSD FreeBSD FreeBSD OpenBSD OpenBSD OpenBSD NetBSD NetBSD Linux Linux Linux Linux Linux Linux F 20 D8 0F 22 D8 6 bytes system instruction sequence Search System Instruction 0F 20 D8: mov EAX, CR3; 0F 22 D8: mov CR3, EAX; This instruction sequence is used for TLB flush
53 Core Kernel Code Identification: Step III Cluster Core Kernel Code Clustering Cluster V0 V1 V2 Vi Vj Vj+1 Vn-1... Core kernel code Forward direct function call Backward direct function call...
54 Core Kernel Code Identification: Step III Cluster Core Kernel Code Clustering Cluster V0 V1 V2 Vi Vj Vj+1 Vn-1... Core kernel code Forward direct function call Backward direct function call... Forward Direct Function Call A direct forward function call is a call instruction whose operand is a positive value (e.g., the case for e8 2a )
55 Core Kernel Code Identification: Step III OS-kernels T #Pages Win-XP Win-XP (SP2) Win-XP (SP3) Win-Vista Win Win-2003 Server Win-2003 Server (SP2) Win-2008 Server Win-2008 Server (SP2) FreeBSD FreeBSD FreeBSD OpenBSD OpenBSD OpenBSD NetBSD NetBSD Linux Linux Linux Linux Linux Linux Core Kernel Code Clustering V0 V1 V2 Core kernel code Forward direct function call Vi Forward Direct Function Call Vj Vj+1 Vn-1 Backward direct function call A direct forward function call is a call instruction whose operand is a positive value (e.g., the case for e8 2a )
56 Signature Generation PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
57 Signature Generation PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
58 Signature Generation Can we directly hash the code page?
59 Signature Generation Can we directly hash the code page? Distill Operand to Neutralize the Effect of ASR (Code Rebase) 0x828432b6: 33 f6 xor esi, esi 0x828432b8: 83 3d 38 fe cmp dword ptr ds[0x8299fe38], 0x2 0x828432bf: 0f jnbe 0x a 0x828432c5: 8b 0d 3c fe mov ecx, dword ptr ds[0x8299fe3c] 0x828432cb: 33 c0 xor eax, eax... 0x : e8 e4 9e call 0x828dd31b 0x828182b6: 33 f6 xor esi, esi 0x828182b8: 83 3d 38 4e cmp dword ptr ds[0x82974e38], 0x2 0x828182bf: 0f jnbe 0x a 0x828182c5: 8b 0d 3c 4e mov ecx, dword ptr ds[0x82974e3c] 0x828182cb: 33 c0 xor eax, eax... 0x : e8 e4 9e call 0x828b231b
60 Correlative Disassembling Correlative Disassembling 0xc1087c86: e8 25 2c call 0xc108a8b0... 0xc108a8b0: 55 push ebp 0xc108a8b1: 89 e5 mov ebp, esp (a) Linux Kernel 0x806eee0a: e8 3d call 0x806f574c... 0x806f574c: 8b ff mov edi, edi 0x806f574e: 55 push ebp 0x806f574f: 8b ec mov ebp, esp (b) Windows Kernel 0xc04d675f: e8 0c cf call 0xc04e xc04e3670: 55 push ebp 0xc04e3671: 89 e5 mov ebp,esp (c) FreeBSD/OpenBSD/NetBSD Kernel Algorithm 1 Search machine code e8 x x x x. 2 Compute callee address. 3 If the callee address has the pattern of a function prologue, start to disassemble the target page from the callee address. 4 Stop when encountering a ret or a direct or indirect jmp instruction.
61 Signature Matching PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
62 Signature Matching PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages Signatures Signatures (arrays of MD5s) Signature Generation Signature Matching Result
63 Signature Matching Signatures Signatures (arrays of MD5s) Signature Matching Result Signature Matching Works similar to KMP [Knuth, 1977] string matching algorithm except the element of the string is a 32-bytes MD5 Value
64 Evaluation Implementation Implemented with 4.5K lines of C code Correlative disassembler is based on XED library.
65 Evaluation Implementation Implemented with 4.5K lines of C code Correlative disassembler is based on XED library. Experimental Setup Using over 45 OS kernels from five widely used OS families (Microsoft Windows, Linux, *BSD). Comparing with other state-of-the-art OS fingerprinting techniques: UFO and IDT.
66 Effectiveness OS-kernels #PGD C K C K k #Pages T #Pages #Sig-Gen #Sig-Match Win-XP Win-XP (SP2) Win-XP (SP3) Win-Vista Win Win-2003 Server Win-2003 Server (SP2) Win-2008 Server Win-2008 Server (SP2) FreeBSD FreeBSD FreeBSD OpenBSD OpenBSD OpenBSD NetBSD NetBSD Linux Linux Linux Linux Linux Linux mean
67 Performance Overhead of Each Component 100% PGD Identification Kernel Code Identification Signature Generation Signature Matching 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Win-XP Win-XP(sp2) Win-XP(sp3) Win-Vista Win-7 Win-2003 Win-2003(sp2) Win-2008 Win-2008(sp2) FreeBSD-7.4 FreeBSD-8.0 FreeBSD-8.2 FreeBSD-8.3 FreeBSD-9.0 OpenBSD-4.7 OpenBSD-4.8 OpenBSD-4.9 OpenBSD-5 OpenBSD-5.1 NetBSD-4.0 NetBSD NetBSD-5.0 NetBSD NetBSD NetBSD-5.1 NetBSD Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux The signature generation process takes 1.50 seconds on average.
68 Experiment Result OS-Kernels UFO IDT-based OS-Sommelier Win-XP Win-XP (SP2) Win-XP (SP3) Win-Vista Win-7 Win-2003 Server Win-2003 Server (SP2) Win-2008 Server Win-2008 Server (SP2) Table: Experiment with Windows kernel.
69 Experiment Result OS-Kernels UFO IDT-based OS-Sommelier FreeBSD 7.4 FreeBSD 8.0 FreeBSD 8.2 FreeBSD 8.3 FreeBSD 9.0 OpenBSD 4.7 OpenBSD 4.8 OpenBSD 4.9 OpenBSD 5.0 OpenBSD 5.1 NetBSD 4.0 NetBSD NetBSD 5.0 NetBSD NetBSD NetBSD 5.1 NetBSD Table: Experiment with BSD Family kernel.
70 Experiment Result OS-Kernels UFO IDT-based OS-Sommelier Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Table: Experiment with Linux kernel.
71 Limitation and Future work Limitations Too sensitive Kernel recompilation Obfuscating the kernel code
72 Limitation and Future work Limitations Too sensitive Kernel recompilation Obfuscating the kernel code Future Work Micro-kernel (MINIX)?
73 Conclusion OS-SOMMELIER A physical memory-only based system for OS fingerprinting in Cloud. Precise Efficient Robust
74 Thank you PGD Identification PGD-i Physical Memory Snapshot Kernel Code Identification Core Kernel Code Pages FreeBSD-8.0 Signatures Signatures (arrays of MD5s) Signature Generation Win-2008 Server Linux Signature Matching Result WINXP(SP2) To contact us {yufei.gu, yangchun.fu, {arprakas,
Tutorial 10 Protection Cont.
Tutorial 0 Protection Cont. 2 Privilege Levels Lower number => higher privilege Code can access data of equal/lower privilege levels only Code can call more privileged data via call gates Each level has
Part I. X86 architecture overview. Secure Operating System Design and Implementation x86 architecture. x86 processor modes. X86 architecture overview
X86 architecture overview Overview Secure Operating System Design and Implementation x86 architecture Jon A. Solworth Part I X86 architecture overview Dept. of Computer Science University of Illinois at
Space Traveling across VM
Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine Introspection via Online Kernel Data Redirection Yangchun Fu, and Zhiqiang Lin Department of Computer Sciences The University
IA32 Intel 32-bit Architecture
1 2 IA32 Intel 32-bit Architecture Intel 32-bit Architecture (IA32) 32-bit machine CISC: 32-bit internal and external data bus 32-bit external address bus 8086 general registers extended to 32 bit width
IA32/Linux Virtual Memory Architecture
IA32/Linux Virtual Memory Architecture Basic Execution Environment Application Programming Registers General-purpose registers 31 0 EAX AH AL EBX BH BL ECX CH CL EDX DH DL EBP ESI EDI BP SI DI Segment
Microkernel Construction
Microkernel Construction Kernel Entry / Exit Nils Asmussen 05/04/2017 1 / 45 Outline x86 Details Protection Facilities Interrupts and Exceptions Instructions for Entry/Exit Entering NOVA Leaving NOVA 2
Microkernel Construction
Kernel Entry / Exit SS2013 Control Transfer Microkernel User Stack A Address Space Kernel Stack A User Stack User Stack B Address Space Kernel Stack B User Stack 1. Kernel Entry (A) 2. Thread Switch (A
Outline. x86 Architecture
Data Representation Code Representation Summary Data Representation Code Representation Summary Code Representation Summary Outline CS 6V81-05: System Security and Malicious Code Analysis 1 2 Data Representation
143A: Principles of Operating Systems. Lecture 6: Address translation. Anton Burtsev January, 2017
143A: Principles of Operating Systems Lecture 6: Address translation Anton Burtsev January, 2017 Address translation Segmentation Descriptor table Descriptor table Base address 0 4 GB Limit
238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018
238P: Operating Systems Lecture 5: Address translation Anton Burtsev January, 2018 Two programs one memory Very much like car sharing What are we aiming for? Illusion of a private address space Identical
143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018
143A: Principles of Operating Systems Lecture 5: Address translation Anton Burtsev October, 2018 Two programs one memory Or more like renting a set of rooms in an office building Or more like renting a
x86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
x86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT kaashoek@mit.edu Outline Enforcing modularity with virtualization Virtualize processor and memory x86 mechanism for virtualization
MICROPROCESSOR MICROPROCESSOR ARCHITECTURE. Prof. P. C. Patil UOP S.E.COMP (SEM-II)
MICROPROCESSOR UOP S.E.COMP (SEM-II) 80386 MICROPROCESSOR ARCHITECTURE Prof. P. C. Patil Department of Computer Engg Sandip Institute of Engineering & Management Nashik pc.patil@siem.org.in 1 Introduction
Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź
Low Level Programming Lecture 2 Intel processors' architecture reminder Fig. 1. IA32 Registers IA general purpose registers EAX- accumulator, usually used to store results of integer arithmetical or binary
Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
ICS143A: Principles of Operating Systems. Midterm recap, sample questions. Anton Burtsev February, 2017
ICS143A: Principles of Operating Systems Midterm recap, sample questions Anton Burtsev February, 2017 Describe the x86 address translation pipeline (draw figure), explain stages. Address translation What
Overview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin
CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline
5-Level Paging and 5-Level EPT
5-Level Paging and 5-Level EPT White Paper Revision 1.1 May 2017 Document Number: 335252-002 Notice: This document contains information on products in the design phase of development. The information here
iapx Systems Electronic Computers M
iapx Systems Electronic Computers M 1 iapx History We analyze 32 bit systems: generalization to 64 bits is straigtforward Segment Registers (16 bits) Code Segment Stack Segment Data Segment Extra Ssegment
Complex Instruction Set Computer (CISC)
Introduction ti to IA-32 IA-32 Processors Evolutionary design Starting in 1978 with 886 Added more features as time goes on Still support old features, although obsolete Totally dominate computer market
Return-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
Buffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
AMD-K5. Software Development Guide PROCESSOR
AMD-K5 TM PROCESSOR Software Development Guide Publication # 20007 Rev: D Amendment/0 Issue Date: September 1996 This document contains information on a product under development at Advanced Micro Devices
Rootkits n Stuff
Rootkits n Stuff www.sigmil.org What a rootkit is(n t) IS Software intended to conceal running processes, files, etc from the OS A way to maintain control of a system after compromising it. ISN T A buffer
Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
3. Process Management in xv6
Lecture Notes for CS347: Operating Systems Mythili Vutukuru, Department of Computer Science and Engineering, IIT Bombay 3. Process Management in xv6 We begin understanding xv6 process management by looking
T Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
Chapter 11. Addressing Modes
Chapter 11 Addressing Modes 1 2 Chapter 11 11 1 Register addressing mode is the most efficient addressing mode because the operands are in the processor itself (there is no need to access memory). Chapter
x86 Memory Protection and Translation
Lecture Goal x86 Memory Protection and Translation Don Porter CSE 506 ò Understand the hardware tools available on a modern x86 processor for manipulating and protecting memory ò Lab 2: You will program
Lecture Dependable Systems Practical Report Software Implemented Fault Injection. July 31, 2010
Lecture Dependable Systems Practical Report Software Implemented Fault Injection Paul Römer Frank Zschockelt July 31, 2010 1 Contents 1 Introduction 3 2 Software Stack 3 2.1 The Host and the Virtual Machine.....................
Virtualization. Adam Belay
Virtualization Adam Belay What is a virtual machine Simulation of a computer Running as an application on a host computer Accurate Isolated Fast Why use a virtual machine? To run multiple
W4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
Introduction to The x86 Microprocessor
Introduction to The x86 Microprocessor Prof. V. Kamakoti Digital Circuits And VLSI Laboratory Indian Institute of Technology, Madras Chennai - 600 036. http://vlsi.cs.iitm.ernet.in Protected Mode Memory
Introduction to IA-32. Jo, Heeseung
Introduction to IA-32 Jo, Heeseung IA-32 Processors Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
W4118: virtual machines
W4118: virtual machines Instructor: Junfeng Yang References: Modern Operating Systems (3 rd edition), Operating Systems Concepts (8 th edition), previous W4118, and OS at MIT, Stanford, and UWisc Virtual
INTRODUCTION TO IA-32. Jo, Heeseung
INTRODUCTION TO IA-32 Jo, Heeseung IA-32 PROCESSORS Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
Protection and System Calls. Otto J. Anshus
Protection and System Calls Otto J. Anshus Protection Issues CPU protection Prevent a user from using the CPU for too long Throughput of jobs, and response time to events (incl. user interactive response
We can study computer architectures by starting with the basic building blocks. Adders, decoders, multiplexors, flip-flops, registers,...
COMPUTER ARCHITECTURE II: MICROPROCESSOR PROGRAMMING We can study computer architectures by starting with the basic building blocks Transistors and logic gates To build more complex circuits Adders, decoders,
FLARE-On 4: Challenge 3 Solution greek_to_me.exe
FLARE-On 4: Challenge 3 Solution greek_to_me.exe Challenge Author: Matt Williams (@0xmwilliams) greek_to_me.exe is a Windows x86 executable whose strings reveal what is likely the desired state of the
Preliminary Information. AMD Duron Processor Model 7 Revision Guide
AMD Duron Processor Model 7 Revision Guide Publication # 24806 Rev: E Issue Date: October 2003 2002, 2003 Advanced Micro Devices, Inc. All rights reserved. The contents of this document are provided in
COURSE OVERVIEW & OPERATING SYSTEMS CONCEPT Operating Systems Design Euiseong Seo
COURSE OVERVIEW & OPERATING SYSTEMS CONCEPT 2017 Operating Systems Design Euiseong Seo (euiseong@skku.edu) Overview What this course is about How you study this course Why you have to take this course
6/17/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:
Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Introduction This chapter presents the microprocessor
Chapter 2: The Microprocessor and its Architecture
Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Introduction This chapter presents the microprocessor
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize" 1 Arithmetic Instructions (1)! Two Operand Instructions" ADD Dest, Src Dest = Dest + Src SUB Dest, Src Dest = Dest - Src MUL Dest, Src
Mechanisms for entering the system
Mechanisms for entering the system Yolanda Becerra Fontal Juan José Costa Prats Facultat d'informàtica de Barcelona (FIB) Universitat Politècnica de Catalunya (UPC) BarcelonaTech 2017-2018 QP Content Introduction
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
CS3210: Booting and x86. Taesoo Kim
1 CS3210: Booting and x86 Taesoo Kim 2 What is an operating system? e.g. OSX, Windows, Linux, FreeBSD, etc. What does an OS do for you? Abstract the hardware for convenience and portability Multiplex the
Advanced Malware Analysis Training Series.
Advanced Malware Analysis Training Series Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
For your convenience Apress has placed some of the front matter material after the index. Please use the Bookmarks and Contents at a Glance links to
For your convenience Apress has placed some of the front matter material after the index. Please use the Bookmarks and Contents at a Glance links to access them. Contents at a Glance About the Author...xi
IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code
x86 Assembly Tutorial COS 318: Fall 2017
x86 Assembly Tutorial COS 318: Fall 2017 Project 1 Schedule Design Review: Monday 9/25 Sign up for 10-min slot from 3:00pm to 7:00pm Complete set up and answer posted questions (Official) Precept: Monday
Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1
Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD 21252 rkarne@towson.edu 11/12/2014 Slide 1 Intel x86 Aseembly Language Assembly Language Assembly Language
Program Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
EECE416 :Microcomputer Fundamentals and Design. X86 Assembly Programming Part 1. Dr. Charles Kim
EECE416 :Microcomputer Fundamentals and Design X86 Assembly Programming Part 1 Dr. Charles Kim Department of Electrical and Computer Engineering Howard University www.mwftr.com 1 Multiple Address Access
PROTECTION CHAPTER 4 PROTECTION
Protection 4 CHAPTER 4 PROTECTION In protected mode, the Intel Architecture provides a protection mechanism that operates at both the segment level and the page level. This protection mechanism provides
Darshan Institute of Engineering & Technology
1. Explain 80286 architecture. OR List the four major processing units in an 80286 microprocessor and briefly describe the function of each. Ans - The 80286 was designed for multi-user systems with multitasking
Introduction Mapping the ELF Pinpointing Fragmentation Evaluation Conclusion. Bin-Carver. Automatic Recovery of Binary Executable Files
Bin-Carver Automatic Recovery of Binary Executable Files Scott Hand, Zhiqiang Lin, Guofei Gu*, Bhavani Thuraisingham Department of Computer Science, The University of Texas at Dallas *Deparment of Computer
CS3210: Booting and x86
CS3210: Booting and x86 Lecture 2 Instructor: Dr. Tim Andersen 1 / 34 Today: Bootstrapping CPU -> needs a first instruction Memory -> needs initial code/data I/O -> needs to know how to communicate 2 /
Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics
Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and Zhiqiang Lin The University of Texas at Dallas March 9 th, 2016 What is ASLR [Tea00] 0xbfffd5d8 0xbfffd618
Preliminary Information. AMD Athlon Processor Model 6 Revision Guide
AMD Athlon Processor Model 6 Revision Guide Publication # 24332 Rev: E Issue Date: December 2002 2001, 2002 Advanced Micro Devices, Inc. All rights reserved. The contents of this document are provided
CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
What You Need to Know for Project Three. Dave Eckhardt Steve Muckle
What You Need to Know for Project Three Dave Eckhardt Steve Muckle Overview Introduction to the Kernel Project Mundane Details in x86 registers, paging, the life of a memory access, context switching,
CanSecWest Nicolás A. Economou Andrés Lopez Luksenberg
CanSecWest 2012 Nicolás A. Economou Andrés Lopez Luksenberg INTRO There have been as many new MBR threats found in the first seven months of 2011 as there were in previous three years.... Symantec Intelligence
3.6. PAGING (VIRTUAL MEMORY) OVERVIEW
an eight-byte boundary to yield the best processor performance. The limit value for the GDT is expressed in bytes. As with segments, the limit value is added to the base address to get the address of the
Assembly Language. Lecture 2 x86 Processor Architecture
Assembly Language Lecture 2 x86 Processor Architecture Ahmed Sallam Slides based on original lecture slides by Dr. Mahmoud Elgayyar Introduction to the course Outcomes of Lecture 1 Always check the course
MICROPROCESSOR MICROPROCESSOR ARCHITECTURE. Prof. P. C. Patil UOP S.E.COMP (SEM-II)
MICROPROCESSOR UOP S.E.COMP (SEM-II) 80386 MICROPROCESSOR ARCHITECTURE Prof. P. C. Patil Department of Computer Engg Sandip Institute of Engineering & Management Nashik pc.patil@siem.org.in 1 Introduction
Lecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
Assembly Language. Lecture 2 - x86 Processor Architecture. Ahmed Sallam
Assembly Language Lecture 2 - x86 Processor Architecture Ahmed Sallam Introduction to the course Outcomes of Lecture 1 Always check the course website Don t forget the deadline rule!! Motivations for studying
1 Confining code with legacy OSes. 2 Virtual machines. 3 Implementing virtual machines. 4 Binary translation. 5 Hardware-assisted virtualization
Administrivia Last project due Friday Final Exam - Wednesday, December 9th, 3:30-6:30pm - Open notes (except textbook), covers all 19 lectures (including topics already on the midterm) Final review session
Background SigGraph KOP Summary CS 6V Kernel Rootkit Defense I: Graph-based Scanning Approach. Zhiqiang Lin
CS 6V81-05 Kernel Rootkit Defense I: Graph-based Scanning Approach Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Background 2 SigGraph 3 KOP
Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11
X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level Now, C has been translated to X86 assembler! How does GDB play the shell game? Makes it
The Instruction Set. Chapter 5
The Instruction Set Architecture Level(ISA) Chapter 5 1 ISA Level The ISA level l is the interface between the compilers and the hardware. (ISA level code is what a compiler outputs) 2 Memory Models An
Pre-virtualization internals
Pre-virtualization internals Joshua LeVasseur 3 March 2006 L4Ka.org Universität Karlsruhe (TH) Compile time overview Compiler C code Assembler code OS source code Hand-written assembler Afterburner Assembler
BOOTSTRAP, PC BIOS, AND IA32 MEMORY MODES. CS124 Operating Systems Winter , Lecture 5
BOOTSTRAP, PC BIOS, AND IA32 MEMORY MODES CS124 Operating Systems Winter 2015-2016, Lecture 5 2 Bootstrapping All computers have the same basic issue: They require a program to tell them what to do but
Administrivia. Last project due Friday Final Exam. Final review session Friday (recorded) Extra office hours for me 1:30pm-4:30pm Friday
Administrivia Last project due Friday Final Exam - Monday, March 20th, 3:30-6:30pm - Open notes (except textbook) - Covers all lectures including topics already on the midterm - Make sure you understand
Leveraging Relocations in ELF-Binaries for Linux Kernel Version Identification
DIGITAL FORENSIC RESEARCH CONFERENCE Leveraging Relocations in ELF-Binaries for Linux Kernel Version Identification By Manish Bhatt, Irfan Ahmed From the proceedings of The Digital Forensic Research Conference
Embedded Systems Programming
Embedded Systems Programming x86 Memory and Interrupt (Module 8) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 X86 ISA Data Representations Little-endian byte ordering
Digital Forensics Lecture 3 - Reverse Engineering
Digital Forensics Lecture 3 - Reverse Engineering Low-Level Software Akbar S. Namin Texas Tech University Spring 2017 Reverse Engineering High-Level Software Low-level aspects of software are often the
Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27
Procedure Calls Young W. Lim 2016-11-05 Sat Young W. Lim Procedure Calls 2016-11-05 Sat 1 / 27 Outline 1 Introduction References Stack Background Transferring Control Register Usage Conventions Procedure
Ramblr. Making Reassembly Great Again
Ramblr Making Reassembly Great Again Ruoyu Fish Wang, Yan Shoshitaishvili, Antonio Bianchi, Aravind Machiry, John Grosen, Paul Grosen, Christopher Kruegel, Giovanni Vigna Motivation Available Solutions
Virtual Machine Introspection Bhushan Jain
Virtual Machine Introspection Bhushan Jain Computer Science Department Stony Brook University 1 Traditional Environment Operating System 2 Traditional Environment Process Descriptors Kernel Heap Operating
T Using debuggers to analyze malware. Antti Tikkanen, F-Secure Corporation
T-110.6220 Using debuggers to analyze malware Antti Tikkanen, F-Secure Corporation Agenda Debugger basics Introduction Scenarios and tools How do debuggers work? Debug API The debugging loop Underlying
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
Computer Organization (II) IA-32 Processor Architecture. Pu-Jen Cheng
Computer Organization & Assembly Languages Computer Organization (II) IA-32 Processor Architecture Pu-Jen Cheng Materials Some materials used in this course are adapted from The slides prepared by Kip
µ-kernel Construction (12)
µ-kernel Construction (12) Review 1 Threading Thread state must be saved/restored on thread switch We need a Thread Control Block (TCB) per thread TCBs must be kernel objects TCBs implement threads We
Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29
Procedure Calls Young W. Lim 2017-08-21 Mon Young W. Lim Procedure Calls 2017-08-21 Mon 1 / 29 Outline 1 Introduction Based on Stack Background Transferring Control Register Usage Conventions Procedure
CS429: Computer Organization and Architecture
CS429: Computer Organization and Architecture Warren Hunt, Jr. and Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 1, 2014 at 12:03 CS429 Slideset 6: 1 Topics
MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION
MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics:
Autodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
Lab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
Marking Scheme. Examination Paper Department of CE. Module: Microprocessors (630313)
Philadelphia University Faculty of Engineering Marking Scheme Examination Paper Department of CE Module: Microprocessors (630313) Final Exam Second Semester Date: 02/06/2018 Section 1 Weighting 40% of
Confining code with legacy OSes. Administrivia. Escaping chroot. Using chroot. System call interposition. Limitations of syscall interposition
Guest lecture Thursday Administrivia - Mark Lentczner (Google) on the Belay project - Please attend lecture if at all possible Last project due Thursday - No extensions unless all non-scpd group members
Virtual Machine Virtual Machine Types System Virtual Machine: virtualize a machine Container: virtualize an OS Program Virtual Machine: virtualize a process Language Virtual Machine: virtualize a language
1 Confining code with legacy OSes. 2 Virtual machines. 3 Implementing virtual machines. 4 Binary translation. 5 Hardware-assisted virtualization
Administrivia Last project due Friday Final Exam - Thursday, March 19, 12:15-3:15pm - Open notes, covers all 16 lectures (including topics already on the midterm) Final review session Friday (recorded)
CIS Operating Systems CPU Mode. Professor Qiang Zeng Spring 2018
CIS 3207 - Operating Systems CPU Mode Professor Qiang Zeng Spring 2018 CPU Modes Two common modes Kernel mode The CPU has to be in this mode to execute the kernel code User mode The CPU has to be in this
Low-Level Essentials for Understanding Security Problems Aurélien Francillon
Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central
CMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project
CMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project UMBC, CMSC313, Richard Chang CMSC 313,
16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling