Faculty: Tzi-cker Chiueh
Project Members: Manish Prasad
Traditionally, binary translation has been applied extensively to program optimization and to code migration across processor architectures. We explore its application to software security. While myriad solutions have been developed in both the research and commercial communities to incorporate security mechanisms into legacy programs, almost all of them are compiler-based and require the source code of the program being protected to be available (e.g., most buffer overflow protection mechanisms). This requirement is reasonable in many cases, but there are scenarios in which it cannot be met, e.g., legacy applications purchased from an outside vendor.
Recent research in dynamic binary translation has shown that run-time code analysis and instrumentation can be done with minimal overhead (unlike earlier systems), while achieving complete transparency (no offline program instrumentation) and 100% accuracy. Despite these advantages of dynamic translation, there remain very compelling cases for static binary analysis, e.g., inferring the normal behavior of legacy programs without access to their source code. This is particularly important if one needs to automatically generate application-specific security policies for such programs. We explore the feasibility of static binary translation in this problem domain. Towards this end we have studied in considerable depth and detail the disassembly and instrumentation issues involved in static binary translation. We have built a buffer overflow protection mechanism based on a binary rewriting approach that augments existing Win32/Intel Portable Executable (PE) binary programs with a return address defense (RAD) mechanism, which protects the integrity of the return address on the stack by keeping a redundant copy of it.
Our prototype implementation achieves satisfactory disassembly precision in the presence of indirect branches, position-independent code sequences, hand-crafted assembly code and arbitrary code/data mixing, and ensures safe binary instrumentation in most practical cases. We have applied the resulting prototype to rewrite several commercial-grade Windows applications (FTP server, Telnet server, DNS server, DHCP server, Outlook Express, MS FrontPage, MS Publisher, Telnet, FTP, Winhlp, Notepad, CL compiler, MS NetMeeting, MS PowerPoint, MS Access, etc.), and have tested the rewritten binaries against published buffer overflow exploits.
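To make the RAD check concrete, the following is an added software model of what the prologue and epilogue instrumentation does; it is not the project's own rewriter code, and the repository size, the function names and the simulated frame layout are assumptions chosen for illustration. The prologue records a copy of the frame's return address in a repository kept outside the ordinary stack; the epilogue compares the return address still in the frame against that copy and reports a mismatch, which is the condition under which the real instrumentation would refuse to return.

```c
/* Added example: a software model of the Return Address Defense (RAD) check.
 * Not the project's code; repository layout, sizes and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAD_REPO_SIZE 64   /* assumed capacity of the return address repository */

/* Return Address Repository: the redundant copies live outside the ordinary
 * stack, so a buffer overflow on the stack cannot reach them. */
static uintptr_t rad_repo[RAD_REPO_SIZE];
static size_t rad_top = 0;

/* Prologue instrumentation: save a copy of the frame's return address before
 * the callee's local buffers are used. Returns 0 if the repository is full. */
int rad_prologue(uintptr_t ret_addr) {
    if (rad_top >= RAD_REPO_SIZE) return 0;
    rad_repo[rad_top++] = ret_addr;
    return 1;
}

/* Epilogue instrumentation: compare the return address now in the frame with
 * the saved copy. Returns 1 if intact, 0 if tampered or unmatched. */
int rad_epilogue(uintptr_t ret_addr_in_frame) {
    if (rad_top == 0) return 0;            /* epilogue without a prologue */
    uintptr_t saved = rad_repo[--rad_top];
    return saved == ret_addr_in_frame ? 1 : 0;
}

/* Simulated stack frame: a local buffer directly below the saved return
 * address, the layout a stack-based overflow corrupts. */
struct frame {
    char buf[8];
    uintptr_t ret_addr;
};

/* Simulate one instrumented call: record the return address, copy 'len' bytes
 * of input into buf with no bounds check (deliberate, to model the overflow),
 * then run the epilogue check. Returns 1 if the return address survived,
 * 0 if RAD detected corruption. */
int simulate_call(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret_addr = (uintptr_t)0x00401000u;   /* constructed caller address */
    if (!rad_prologue(f.ret_addr)) return 0;
    if (len > sizeof f) len = sizeof f;    /* stay inside the object: a model, not a crash */
    memcpy(&f, input, len);                /* unchecked copy beginning at buf (offset 0) */
    return rad_epilogue(f.ret_addr);
}

int main(void) {
    printf("benign call: %s\n",
           simulate_call("AAAAAAA", 7) ? "return address intact" : "tampered");
    printf("overflowing call: %s\n",
           simulate_call("AAAAAAAAAAAAAAAA", 16) ? "return address intact" : "tampered");
    return 0;
}
```

The seven-byte input stays within `buf`, so the epilogue finds the saved copy and the frame's return address equal. The sixteen-byte input runs past `buf` into `ret_addr`, and the comparison against the repository copy exposes the corruption before control would have transferred to the overwritten address.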
Publications
Manish Prasad and Tzi-cker Chiueh, A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks, in the Proceedings of the USENIX Annual Technical Conference, San Antonio, TX, June 2003 [ps]
Related Links
[1] Tzi-cker Chiueh and Fu-hau Hsu, RAD: A compile time solution for buffer overflow attacks, 21st IEEE International Conference on Distributed Computing Systems (ICDCS), Phoenix, Arizona, USA, April 2001. [ps]
[2] Win32 Disassembler (http://www.geocities.com/~sangcho)
[3] Enhanced Disassembler (Source Code)
Presentations
USENIX '03 talk [ppt]