secuBT

URL: http://events.ccc.de/congress/2009/Fahrplan/attachments/1430_secuBT.pdf
File name: 1430_secuBT.pdf
File size: 166.6 KB
MD5: ee51f2537d8d1e40e0030a7bc5f20eb1
SHA1: 43b779abffc73824651259725028cce6a5eea815

In the age of coordinated malware distribution and zero-day exploits, security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator. secuBT implements user-space virtualization using dynamic binary translation and adds a system call interposition framework to limit and guard the interoperability of binary code with the kernel. Fast binary translation is a key component to user-space virtualization. secuBT uses and extends fastBT, a generator for low-overhead, table-based dynamic (just-in-time) binary translators. We discuss the most challenging sources of overhead and propose optimizations to further reduce these penalties. We argue for hardening techniques to ensure that the translated program cannot escape out of the user-space virtualization. An important feature of secuBT is that only translated code is executed. This ensures code validity and makes it possible to rewrite individual instructions. The system call interposition framework validates every system call and offers the choice to (i) allow it, (ii) abort the program, or (iii) redirect to a user-space emulation.
