Dynamic Binary Translation
Lecture 24
acknowledgement: E. Duesterwald (IBM), S. Amarasinghe (MIT)

Lecture Outline
• Binary Translation: Why, What, and When.
• Why: Guarding against buffer overruns
• What, when: overview of two dynamic translators:
– Dynamo-RIO by HP, MIT
– CodeMorph by Transmeta
• Techniques used in dynamic translators
– Path profiling
Ras Bodik, CS 164, Lecture 24
Motivation: preventing buffer overruns
Recall the typical buffer overrun attack:
1. program calls a method foo()
2. foo() copies a string into an on-stack array:
– string supplied by the user
– user’s malicious code copied into foo’s array
– foo’s return address overwritten to point to user code
3. foo() returns
– unknowingly jumping to the user code

Preventing buffer overrun attacks
Two general approaches:
• static (compile-time): analyze the program
– find all array writes that may write outside array bounds
– program proven safe before you run it
• dynamic (run-time): analyze the execution
– make sure no write outside an array happens
– execution proven safe (enough to achieve security)
Dynamic buffer overrun prevention
the idea, again:
• prevent writes outside the intended array
– as is done in Java
– harder in C: must add “size” to each array
• done in CCured, a Berkeley project

A different idea
perhaps less safe, but easier to implement:
– goal: detect that the return address was overwritten.
• instrument the program so that it keeps an extra copy of the return address:
1. store aside the return address when a function is called (store it in an inaccessible shadow stack)
2. when returning, check that the return address in the AR (activation record) matches the stored one;
3. if mismatch, terminate program
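The shadow-stack check from the last slide, as an added example that is not part of the lecture: a tiny simulated machine whose activation record holds foo's buffer with the return address directly above it, an unchecked copy that can reach that slot, and the two instrumentation points (store at call, compare at return). The memory layout, word sizes and the return-address value 0x401234 are constructed for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated memory for foo()'s activation record (AR): the local buffer is
 * words [0, BUF_WORDS) and the saved return address sits just above it at
 * word RET_SLOT, as on a real downward-growing stack. */
#define BUF_WORDS   4
#define RET_SLOT    BUF_WORDS
#define STACK_WORDS 16
#define SHADOW_MAX  8
#define RET_ADDR    ((uintptr_t)0x401234)  /* constructed return address */

enum outcome { RETURNED_OK = 0, MISMATCH_TERMINATED = 1 };

typedef struct {
    uintptr_t stack[STACK_WORDS];  /* memory the program itself can write */
    uintptr_t shadow[SHADOW_MAX];  /* only the instrumentation touches this */
    int shadow_top;
} machine_t;

/* Instrumentation at the call: store the return address aside. */
static void shadow_push(machine_t *m, uintptr_t ret) {
    if (m->shadow_top < SHADOW_MAX) m->shadow[m->shadow_top++] = ret;
}

/* Instrumentation at the return: the AR's copy must match the shadow copy. */
static enum outcome shadow_check(machine_t *m) {
    uintptr_t expected = m->shadow[--m->shadow_top];
    return m->stack[RET_SLOT] == expected ? RETURNED_OK : MISMATCH_TERMINATED;
}

/* Simulate: program calls foo(); foo copies n words of user input into its
 * buffer with no bounds check; foo returns through the instrumented check. */
enum outcome simulate_call(const uintptr_t *input, size_t n) {
    machine_t m;
    memset(&m, 0, sizeof m);
    m.stack[RET_SLOT] = RET_ADDR;      /* call: save return address in the AR */
    shadow_push(&m, RET_ADDR);         /* ...and a copy in the shadow stack   */
    for (size_t i = 0; i < n && i < STACK_WORDS; i++)
        m.stack[i] = input[i];         /* reaches RET_SLOT when n > BUF_WORDS */
    return shadow_check(&m);           /* return: compare AR copy with shadow */
}

int main(void) {
    uintptr_t small[] = {1, 2, 3};             /* fits inside the buffer */
    uintptr_t big[] = {1, 2, 3, 4, 0xdead};    /* fifth word lands on RET_SLOT */
    printf("short input: %d\nlong input: %d\n",
           simulate_call(small, 3), simulate_call(big, 5));
    return 0;
}
```

A real translator performs the same two steps on the machine code it emits, with the shadow stack kept in memory the translated program cannot address.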