Learn, hack!

URL

http://events.ccc.de/congress/2009/Fahrplan/attachments/1515_secuBT-slides.pdf

File name

1515_secuBT-slides.pdf

File size

890.7 KB

MD5

1521ea24c2cae1e6d8d56729966c7332

SHA1

701c382bb235390125a525567a7fe48e50ad946c

In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator. In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator. secuBT implements user-space virtualization using dynamic binary translation and adds a system call interposition framework to limit and guard the interoperability of binary code with the kernel. Fast binary translation is a key component to user-space virtualization. secuBT uses and extends fastBT, a generator for low-overhead, table-based dynamic (just-in-time) binary translators. We discuss the most challenging sources of overhead and propose optimizations to further reduce these penalties. We argue for hardening techniques to ensure that the translated program can not escape out of the user-space virtualization. An important feature of secuBT is that only translated code is executed. This ensures code validity and makes it possible to rewrite individual instructions. The system call interposition framework validates every system call and offers the choice to (i) allow it, (ii) abort the program, (iii) redirect to an user-space emulation.