SlideShare a Scribd company logo

Security Hardening for Just-In-Time Virtual Machines

E
ESUG

1. Security is important for just-in-time (JIT) virtual machines (VMs) that run untrusted mobile code, as these VMs are trusted to securely sandbox the mobile code. 2. Smalltalk VMs have not traditionally focused on security from a mobile code perspective, but this is becoming more important as mobile code capabilities come to Smalltalk. 3. If an attacker can break out of a VM's sandbox, they can potentially access private information or compromise the trusting relationship between the VM, mobile code, and end user.

TechnologyBusiness
1 of 48
Download to read offline
one aspect of Security on JIT VMs and more Richie++ / richie / gera@corest.com 1
Security? ● Does you application need security? ● Do you do anything for its security? 2
one aspect of Security on JIT VMs and more 3
Scenario ● VM installed on user's machine (your application) ● Attacker provides content (behavior) ● Attacker escapes VM restrictions (if any) ● Attacker accesses private information 4
nativizing VMs Digitalk VS @1: 7F647D: push EBP test: arg 7F647E: mov EBP, ESP ^self with: 0 with: inst with: arg 7F6480: push EAX 7F6481: mov ESI, EAX ... @2:7F6492: push 1 ; PushSmallInteger0 1 <13> PushSmallInteger0 7F6497: push [ESI] ; PushInstance1 7F6499: push [EBP+8] ; PushArgument1 2 <8C> PushInstance1 7F649C: mov EAX, ESI ; LoadSelf 3 <55> PushArgument1 7F649E: call 740207 ; SendSelector1 4 <0A> LoadSelf 7F64A3: mov ESP, EBP ; Return 5 <E2> SendSelector1 7F64A5: pop EBP 7F64A6: mov ESI, [EBP-4] 6 <48> Return 7F64A9: ret 4 NEAR ● Smalltalk stack == native stack ● Instance variables are accessed directly ● Contexts are stored in native stack 5
nativizing VMs Cincom VW 888AE6A: push EBP test: arg 888AE6B: mov EBP, ESP 888AE6D: sub ESP, 4 ^self with: 0 with: inst with: arg ... 888AE7D: push EBX ; save receiver 888AE7E: push ESI ; save first arg ... 1 <44> push self 888AE87: push 3 ; push 0 2 <49> push 0 888AE89: mov EDI, [EBP-10] ; push local 0 3 <10> push local 0 888AE8C: mov ESI, [EDX] ; push inst 0 888AE8E: mov EBX, [EBP-14] ; push self 4 <00> push inst 0 888AE91: mov EDX, 9502FF0 5 <CE BE>send 888AE96: call 80A6570 ; send with:with:with 6 <65> return 888AE9B: leave 888AE9C: ret ● Smalltalk stack =~= native stack ● First arguments go in registers ● Instance variables are accessed “directly” (some) ● Contexts are stored in native stack 6
Disassembler 7
Conding in assembly stack operations PushR PushSmallInteger 2048 7EAFA2: push EAX ; PushR PushLiteral1/Assoc1 7EAFA3: push 1001 ; PushSmallInteger 2048 7EAFA8: push 1100000C ; PushLiteral1 PushInstance1 7EAFAD: push [ESI] ; PushInstance1 PushTemporary1 7EAFAF: push [EBP-C] ; PushTemporary1 PushArgument1 7EAFB2: push [EBP+4] ; PushArgument1 PushContextTemporary1 7EAFB5: push [EDI+18] ; PushContextTemporary1 7EAFB8: pop EAX ; PopR PopR 7EAFB9: add ESP, 4 ; DropTos1 DropTos1 7EAFBC: mov [EBP-C], EAX ; StoreTemporary1 StoreTemporary1 7EAFBF: mov ESP, EBP ; Return NoFrameProlog ● Push: add arbitrary things to the stack ● StoreTemporary: random access to negative offsets ● PopR, DropTos: arbitrarily move the stack pointer ● NoFrameProlog: skips saving/restoring the FP and SP 8
Escaping Digitalk VM @1: 7CBC6D: push EBP 7CBC6E: mov EBP, ESP 7CBC70: push EAX 7CBC71: mov ESI, EAX DropTosN 4 ... PushArgument1 @2: 7CBC82: add ESP, 10 ; 1 <05> DropTosN 4 Return 7CBC85: push [EBP+4] ; 4 <55> PushArgument1 7CBC88: mov ESP, EBP ; 5 <48> Return 7CBC8A: pop EBP 7CBC8B: mov ESI, [EBP-4] 7CBC8E: ret NEAR ● Drop top of stack ● Overwrite return address with argument ● Return 9
Unbalancing the stack @1: 7F2CDD: push EBP 7F2CDE: mov EBP, ESP 7F2CE0: push EAX 7F2CE1: mov ESI, EAX selector: #test 7F2CE3: push 100BCF14 7F2CE8: cmp ESP, [10028CD4] arguments: 5 7F2CEE: inc EBX 7F2CEF: jbe @5 Return 7F2CF1: inc EBX @2: 7F2CF2: mov ESP, EBP ; 1 <48> Return 7F2CF4: pop EBP 7F2CF5: mov ESI, [EBP-4] 7F2CF8: ret 14 NEAR ● Caller pushes no arguments ● Callee cleans 5 arguments, unbalances stack ● Caller can modify protected values (return address) 10
Escaping Cincom VM 9C8EAE2: push EBP 9C8EAE3: mov EBP, ESP 9C8EAE5: sub ESP, 4 selector: #test: 9C8EAE8: push 9C877B8 arguments: 8 9C8EAED: cmp ESP, [80DB614] 9C8EAF3: jc 9C8EAC4 frame size: 10 9C8EAF5: push EBX 9C8EAF6: push ESI OpReturnReceiver 9C8EAF7: push EDI 9C8EAF8: mov EBX, [EBP-C] ; OpReturnReceiver 9C8EAFB: leave 9C8EAFC: ret 1C NEAR ● Caller pushes 1 argument ● Callee cleans 7 arguments, unbalances stack ● Caller can modify protected values (return address) 11
Attack layout ● Attacker transfers a CompiledMethod and activates it ● Attacker escapes the VM, and accesses the OS ● OS does not provide Application storage isolation ● Attacker gets stored passwords and credit cards 12
Securing Smalltalk (some ideas) fileMeta := 0 class class class allInstances detect: [:metaClass | Reachability metaClass instanceClass name = 'File']. fileMeta instanceClass openReadOnly: '...savedPasswords' File pathNameReadOnly: 'temporaryFile.dat' Sandboxing File pathNameReadOnly: '...savedPasswords' PushR, PushR, DropTos2, Return Verifier PushR, PushR, Return ● Are all three necessary? 13
Escaping Digitalk VM @2: 796DA2: mov EAX, [ESI] ; 1 <7F> LoadInstance1 SmallInteger >> #readMemory 796DA4: mov ESP, EBP ; 2 <48> Return LoadInstance1 796DA6: pop EBP Return 796DA7: mov ESI, [EBP-4] 796DAA: ret 4 NEAR @2: 7FCA82: mov EAX, [EBP+8] ; 1 <50> LoadArgument1 SmallInteger >> #writeMemory: 7FCA85: mov [ESI], EAX ; 2 <96> StoreInstance1 LoadArgument1 7FCA87: call 1001AEA0 7FCA8C: mov ESP, EBP ; 3 <48> Return StoreInstance1 7FCA8E: pop EBP Return 7FCA8F: mov ESI, [EBP-4] 7FCA92: ret 4 NEAR ● Arbitrary memory read ● Arbitrary memory write 14
Escaping Cincom VM 8EA1F09:mov EDX, [ESI] ; OpStorePopInst SmallInteger >> #readMemory 8EA1F0B:mov EBX, [EDX] OpLoadInst ... OpReturn 8EA1F20:leave ; OpReturn 8EA1F21:ret NEAR SmallInteger >> #writeMemory: 8EA1F09:mov EDX, [ESI] ; OpStorePopInst 8EA1F0B:mov [EDX], EBX OpLoadTemp ... OpStorePopInst 8EA1F20:leave ; OpReturn OpReturn 8EA1F21:ret 4 NEAR ● Arbitrary memory read (#[0 0 0 16r78 16r56 16r34 16r12] copyToHeap asInteger / 4) readMemory ● Arbitrary memory write 15
[Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion] 16
Further understanding better assessment PushArgument2 17
Documenting Bytecodes BytecodeNativizerPushR Assembler >> #pushR assembler pushR self assembleByte: 16r50 " push eax " BytecodeNativizerDropTos1 assembler dropTos: 1 Assembler >> #dropTos: index self " sub esp, index * 4 " BytecodeNativizerDropTosN assemble: #[16r83 16rC4]; | idx | assembleByte: index * 4 idx := self nextIndex. assembler dropTos: idx Assembler >> #loadFromInstance: index " We need mov eax, [esi + index*4] " self assembleByte: 16r8B. BytecodeNativizerLoadInstN index = 1 ifTrue: [^self reg: 0 mod: 0 rm: 6]. assembler loadFromInstance: index abs > 31 self nextIndex ifTrue: [ self reg: 0 mod: 2 rm: 6. self assembleLong: index - 1 * 4] ifFalse: [...] 18
Testing Bytecodes Templates Test loadInstance1 testSameAsOriginal: cm " | original documentation | 1 <7F> LoadInstance1 original := CompiledMethodNativizer 2 <48> Return originalNativize: cm. " documentation := CompiledMethodNativizer |a| nativize: cm. ^testSelector self assert: original == documentation loadInstanceNoProlog1 shortForwardTestJumpFalse " " 1 <02> NoFrameProlog 1 <0E> LoadTrue 2 <7F> LoadInstance1 2 <1B> TestJumpFalse 6 3 <48> Return 5 <14> LoadSmallInteger1 " 6 <49> ReturnSelf ^testSelector " true ifTrue: [1]. 19
So far so good... but does the generated code work? 20
Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return 21
Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return rtCompile: aCompiledMethod Transcript show: 'got callback '; Show: aCompiledMethod printString; cr cr. aCompiledMethod selector = #testMethod ifTrue: [ ^self nativize: aCompiledMethod]. ^0 22
What's next? ● Debugging JIT ● Frozen code ● All in Smalltalk 23
[Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion]. Audience do: [:you | self thank: you]. self returnTo: Audience 24
one aspect of Security on JIT VMs and more Richie++ / richie / gera@corest.com 1 • We understand why it's important that all this VMs have security: We use most of them every day in some way or another, and through them we extend our trust to untrusted mobile code applications from we download from unknown sources. • They have all gone, directly or indirectly, through some security audits and, one way or another, their developers today care about security issues. • Smalltalk has grown as the very open "socialist" environment we all love, were we just trust everybody. The VMs developers community has not really payed much attention to security (not at least from a mobile code perspective) • Time has come for mobile code to also reach Smalltalk (browser plugins, Croquet objects with their own behavior, Scratch/EToys projects, seaside hosting)
Security? ● Does you application need security? ● Do you do anything for its security? 2 • Any application installed on a computer can open the door to an attacker, in our scenario we are assuming mobile code (maybe embedded in other type of content) • The VM is supposed to provide some sandboxing, if the sandboxing can be broken the trust chain can be abused: the user trusts the VM the VM trusts/verifies the mobile code the mobile code fools the VM
one aspect of Security on JIT VMs and more 3 • We understand why it's important that all this VMs have security: We use most of them every day in some way or another, and through them we extend our trust to untrusted mobile code applications from we download from unknown sources. • They have all gone, directly or indirectly, through some security audits and, one way or another, their developers today care about security issues. • Smalltalk has grown as the very open "socialist" environment we all love, were we just trust everybody. The VMs developers community has not really payed much attention to security (not at least from a mobile code perspective) • Time has come for mobile code to also reach Smalltalk (browser plugins, Croquet objects with their own behavior, Scratch/EToys projects, seaside hosting)
Scenario ● VM installed on user's machine (your application) ● Attacker provides content (behavior) ● Attacker escapes VM restrictions (if any) ● Attacker accesses private information 4 • Any application installed on a computer can open the door to an attacker, in our scenario we are assuming mobile code (maybe embedded in other type of content) • The VM is supposed to provide some sandboxing, if the sandboxing can be broken the trust chain can be abused: the user trusts the VM the VM trusts/verifies the mobile code the mobile code fools the VM
nativizing VMs Digitalk VS @1: 7F647D: push EBP test: arg 7F647E: mov EBP, ESP ^self with: 0 with: inst with: arg 7F6480: push EAX 7F6481: mov ESI, EAX ... @2:7F6492: push 1 ; PushSmallInteger0 1 <13> PushSmallInteger0 7F6497: push [ESI] ; PushInstance1 7F6499: push [EBP+8] ; PushArgument1 2 <8C> PushInstance1 7F649C: mov EAX, ESI ; LoadSelf 3 <55> PushArgument1 7F649E: call 740207 ; SendSelector1 4 <0A> LoadSelf 7F64A3: mov ESP, EBP ; Return 5 <E2> SendSelector1 7F64A5: pop EBP 7F64A6: mov ESI, [EBP-4] 6 <48> Return 7F64A9: ret 4 NEAR ● Smalltalk stack == native stack ● Instance variables are accessed directly ● Contexts are stored in native stack 5 • Smalltalk is compiled to Bytecode • Bytecode is nativized • Smalltalk is directly compiled to Assembly • Here we can see • Smalltalk stack is kept in the native stack (push nativized to push) • Contexts are normal native stack frames • return addresses managed through native call/ret • Arguments are accessed through the native frame pointer • Local variables are accessed through the native frame pointer • The receiver is saved in a local • Instance variables are accessed with direct memory accesses without any checks • If we could arbitrarily access any indexed argument we could corrupt the return address or saved
nativizing VMs Cincom VW 888AE6A: push EBP test: arg 888AE6B: mov EBP, ESP 888AE6D: sub ESP, 4 ^self with: 0 with: inst with: arg ... 888AE7D: push EBX ; save receiver 888AE7E: push ESI ; save first arg ... 1 <44> push self 888AE87: push 3 ; push 0 2 <49> push 0 888AE89: mov EDI, [EBP-10] ; push local 0 3 <10> push local 0 888AE8C: mov ESI, [EDX] ; push inst 0 888AE8E: mov EBX, [EBP-14] ; push self 4 <00> push inst 0 888AE91: mov EDX, 9502FF0 5 <CE BE>send 888AE96: call 80A6570 ; send with:with:with 6 <65> return 888AE9B: leave 888AE9C: ret ● Smalltalk stack =~= native stack ● First arguments go in registers ● Instance variables are accessed “directly” (some) ● Contexts are stored in native stack 6 • Here we can see • Smalltalk stack is kept in the native stack (push nativized to push) • Contexts are normal native stack frames • return addresses managed through native call/ret • after 3 args they accessed through the native frame pointer • Local variables are accessed through the native frame pointer • The receiver is saved in a local • Some instance variables are accessed with direct memory accesses without any checks, some are accessed through a routing that MAY do checks. • If we could arbitrarily write any indexed argument we could corrupt the return address, saved receiver or locals (from other frames) • If we could arbitrarily manipulate any indexed
Disassembler 7
Conding in assembly stack operations PushR PushSmallInteger 2048 7EAFA2: push EAX ; PushR PushLiteral1/Assoc1 7EAFA3: push 1001 ; PushSmallInteger 2048 7EAFA8: push 1100000C ; PushLiteral1 PushInstance1 7EAFAD: push [ESI] ; PushInstance1 PushTemporary1 7EAFAF: push [EBP-C] ; PushTemporary1 PushArgument1 7EAFB2: push [EBP+4] ; PushArgument1 PushContextTemporary1 7EAFB5: push [EDI+18] ; PushContextTemporary1 7EAFB8: pop EAX ; PopR PopR 7EAFB9: add ESP, 4 ; DropTos1 DropTos1 7EAFBC: mov [EBP-C], EAX ; StoreTemporary1 StoreTemporary1 7EAFBF: mov ESP, EBP ; Return NoFrameProlog ● Push: add arbitrary things to the stack ● StoreTemporary: random access to negative offsets ● PopR, DropTos: arbitrarily move the stack pointer ● NoFrameProlog: skips saving/restoring the FP and SP 8
Escaping Digitalk VM @1: 7CBC6D: push EBP 7CBC6E: mov EBP, ESP 7CBC70: push EAX 7CBC71: mov ESI, EAX DropTosN 4 ... PushArgument1 @2: 7CBC82: add ESP, 10 ; 1 <05> DropTosN 4 Return 7CBC85: push [EBP+4] ; 4 <55> PushArgument1 7CBC88: mov ESP, EBP ; 5 <48> Return 7CBC8A: pop EBP 7CBC8B: mov ESI, [EBP-4] 7CBC8E: ret NEAR ● Drop top of stack ● Overwrite return address with argument ● Return 9
Unbalancing the stack @1: 7F2CDD: push EBP 7F2CDE: mov EBP, ESP 7F2CE0: push EAX 7F2CE1: mov ESI, EAX selector: #test 7F2CE3: push 100BCF14 7F2CE8: cmp ESP, [10028CD4] arguments: 5 7F2CEE: inc EBX 7F2CEF: jbe @5 Return 7F2CF1: inc EBX @2: 7F2CF2: mov ESP, EBP ; 1 <48> Return 7F2CF4: pop EBP 7F2CF5: mov ESI, [EBP-4] 7F2CF8: ret 14 NEAR ● Caller pushes no arguments ● Callee cleans 5 arguments, unbalances stack ● Caller can modify protected values (return address) 10
Escaping Cincom VM 9C8EAE2: push EBP 9C8EAE3: mov EBP, ESP 9C8EAE5: sub ESP, 4 selector: #test: 9C8EAE8: push 9C877B8 arguments: 8 9C8EAED: cmp ESP, [80DB614] 9C8EAF3: jc 9C8EAC4 frame size: 10 9C8EAF5: push EBX 9C8EAF6: push ESI OpReturnReceiver 9C8EAF7: push EDI 9C8EAF8: mov EBX, [EBP-C] ; OpReturnReceiver 9C8EAFB: leave 9C8EAFC: ret 1C NEAR ● Caller pushes 1 argument ● Callee cleans 7 arguments, unbalances stack ● Caller can modify protected values (return address) 11
Attack layout ● Attacker transfers a CompiledMethod and activates it ● Attacker escapes the VM, and accesses the OS ● OS does not provide Application storage isolation ● Attacker gets stored passwords and credit cards 12
Securing Smalltalk (some ideas) fileMeta := 0 class class class allInstances detect: [:metaClass | Reachability metaClass instanceClass name = 'File']. fileMeta instanceClass openReadOnly: '...savedPasswords' File pathNameReadOnly: 'temporaryFile.dat' Sandboxing File pathNameReadOnly: '...savedPasswords' PushR, PushR, DropTos2, Return Verifier PushR, PushR, Return ● Are all three necessary? 13 • In a fully dynamic and reflective system reachability is hard to constrain • Sandboxing, ACL or permissions must be implemented in the VM itself. They could be bypassed, most likely, if implemented in the image. • A bytecode verifier is mandatory in any kind of nativizing VM, and strict checks are also required in an interpreter.
Escaping Digitalk VM @2: 796DA2: mov EAX, [ESI] ; 1 <7F> LoadInstance1 SmallInteger >> #readMemory 796DA4: mov ESP, EBP ; 2 <48> Return LoadInstance1 796DA6: pop EBP Return 796DA7: mov ESI, [EBP-4] 796DAA: ret 4 NEAR @2: 7FCA82: mov EAX, [EBP+8] ; 1 <50> LoadArgument1 SmallInteger >> #writeMemory: 7FCA85: mov [ESI], EAX ; 2 <96> StoreInstance1 LoadArgument1 7FCA87: call 1001AEA0 7FCA8C: mov ESP, EBP ; 3 <48> Return StoreInstance1 7FCA8E: pop EBP Return 7FCA8F: mov ESI, [EBP-4] 7FCA92: ret 4 NEAR ● Arbitrary memory read ● Arbitrary memory write 14
Escaping Cincom VM 8EA1F09:mov EDX, [ESI] ; OpStorePopInst SmallInteger >> #readMemory 8EA1F0B:mov EBX, [EDX] OpLoadInst ... OpReturn 8EA1F20:leave ; OpReturn 8EA1F21:ret NEAR SmallInteger >> #writeMemory: 8EA1F09:mov EDX, [ESI] ; OpStorePopInst 8EA1F0B:mov [EDX], EBX OpLoadTemp ... OpStorePopInst 8EA1F20:leave ; OpReturn OpReturn 8EA1F21:ret 4 NEAR ● Arbitrary memory read (#[0 0 0 16r78 16r56 16r34 16r12] copyToHeap asInteger / 4) readMemory ● Arbitrary memory write 15
[Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion] 16
Further understanding better assessment PushArgument2 17 • Just randomly looking how each bytecode is nativized is not enough to asses the security of the system, we need to understand all possible variations for each bytecode. • So we need to understand and document the workings of the JIT nativizer, and what better documentation that something which can be debugged. So, as we all learned long time ago with the original specification of the Smalltalk VM, we started documenting not in .doc, but in .st
Documenting Bytecodes BytecodeNativizerPushR Assembler >> #pushR assembler pushR self assembleByte: 16r50 " push eax " BytecodeNativizerDropTos1 assembler dropTos: 1 Assembler >> #dropTos: index self " sub esp, index * 4 " BytecodeNativizerDropTosN assemble: #[16r83 16rC4]; | idx | assembleByte: index * 4 idx := self nextIndex. assembler dropTos: idx Assembler >> #loadFromInstance: index " We need mov eax, [esi + index*4] " self assembleByte: 16r8B. BytecodeNativizerLoadInstN index = 1 ifTrue: [^self reg: 0 mod: 0 rm: 6]. assembler loadFromInstance: index abs > 31 self nextIndex ifTrue: [ self reg: 0 mod: 2 rm: 6. self assembleLong: index - 1 * 4] ifFalse: [...] 18
Testing Bytecodes Templates Test loadInstance1 testSameAsOriginal: cm " | original documentation | 1 <7F> LoadInstance1 original := CompiledMethodNativizer 2 <48> Return originalNativize: cm. " documentation := CompiledMethodNativizer |a| nativize: cm. ^testSelector self assert: original == documentation loadInstanceNoProlog1 shortForwardTestJumpFalse " " 1 <02> NoFrameProlog 1 <0E> LoadTrue 2 <7F> LoadInstance1 2 <1B> TestJumpFalse 6 3 <48> Return 5 <14> LoadSmallInteger1 " 6 <49> ReturnSelf ^testSelector " true ifTrue: [1]. 19
So far so good... but does the generated code work? 20
Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return 21
Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return rtCompile: aCompiledMethod Transcript show: 'got callback '; Show: aCompiledMethod printString; cr cr. aCompiledMethod selector = #testMethod ifTrue: [ ^self nativize: aCompiledMethod]. ^0 22
What's next? ● Debugging JIT ● Frozen code ● All in Smalltalk 23
[Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion]. Audience do: [:you | self thank: you]. self returnTo: Audience 24

Recommended

Play ja kansai
Play ja kansaiPlay ja kansai
Play ja kansaiTakafumi Ikeda
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Pure Java RAD and Scaffolding Tools Race
Pure Java RAD and Scaffolding Tools RacePure Java RAD and Scaffolding Tools Race
Pure Java RAD and Scaffolding Tools RaceBaruch Sadogursky
 

Recommended

Play ja kansai
Play ja kansaiPlay ja kansai
Play ja kansaiTakafumi Ikeda
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part In|u - The Open Security Community
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Pure Java RAD and Scaffolding Tools Race
Pure Java RAD and Scaffolding Tools RacePure Java RAD and Scaffolding Tools Race
Pure Java RAD and Scaffolding Tools RaceBaruch Sadogursky
 
Sintsov advanced exploitation in win32
Sintsov advanced exploitation in win32Sintsov advanced exploitation in win32
Sintsov advanced exploitation in win32DefconRussia
 
Advanced GAR
Advanced GARAdvanced GAR
Advanced GARdmichelsen
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)fefe7270
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsSheng-Hao Ma
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Oredev 2015 - Taming Java Agents
Oredev 2015 - Taming Java AgentsOredev 2015 - Taming Java Agents
Oredev 2015 - Taming Java AgentsAnton Arhipov
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
エンタープライズ・クラウドと 並列・分散・非同期処理
エンタープライズ・クラウドと 並列・分散・非同期処理エンタープライズ・クラウドと 並列・分散・非同期処理
エンタープライズ・クラウドと 並列・分散・非同期処理maruyama097
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Voxxed Days Vilnius 2015 - Having fun with Javassist
Voxxed Days Vilnius 2015 - Having fun with JavassistVoxxed Days Vilnius 2015 - Having fun with Javassist
Voxxed Days Vilnius 2015 - Having fun with JavassistAnton Arhipov
 
Counter Wars (JEEConf 2016)
Counter Wars (JEEConf 2016)Counter Wars (JEEConf 2016)
Counter Wars (JEEConf 2016)Alexey Fyodorov
 
Endevor api an introduction to the endevor application programming interface
Endevor api an introduction to the endevor application programming interface Endevor api an introduction to the endevor application programming interface
Endevor api an introduction to the endevor application programming interface Kevin Grimes
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
What you need to remember when you upload to CPAN
What you need to remember when you upload to CPANWhat you need to remember when you upload to CPAN
What you need to remember when you upload to CPANcharsbar
 
What`s new in Java 7
What`s new in Java 7What`s new in Java 7
What`s new in Java 7Georgian Micsa
 
Class 17: Golden Sneezewort
Class 17: Golden SneezewortClass 17: Golden Sneezewort
Class 17: Golden SneezewortDavid Evans
 
Riga Dev Day 2016 - Having fun with Javassist
Riga Dev Day 2016 - Having fun with JavassistRiga Dev Day 2016 - Having fun with Javassist
Riga Dev Day 2016 - Having fun with JavassistAnton Arhipov
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
DevOps in PHP environment
DevOps in PHP environmentDevOps in PHP environment
DevOps in PHP environmentEvaldo Felipe
 
とにかく始めるClojure
とにかく始めるClojureとにかく始めるClojure
とにかく始めるClojureMasayuki Muto
 
0330 다복솔2010 001[1]
0330 다복솔2010 001[1]0330 다복솔2010 001[1]
0330 다복솔2010 001[1]소금별이야기
 
GC in Smalltalk - Now What?
GC in Smalltalk - Now What?GC in Smalltalk - Now What?
GC in Smalltalk - Now What?ESUG
 

More Related Content

What's hot

Sintsov advanced exploitation in win32
Sintsov advanced exploitation in win32Sintsov advanced exploitation in win32
Sintsov advanced exploitation in win32DefconRussia
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)fefe7270
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsSheng-Hao Ma
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Oredev 2015 - Taming Java Agents
Oredev 2015 - Taming Java AgentsOredev 2015 - Taming Java Agents
Oredev 2015 - Taming Java AgentsAnton Arhipov
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
エンタープライズ・クラウドと 並列・分散・非同期処理
エンタープライズ・クラウドと 並列・分散・非同期処理エンタープライズ・クラウドと 並列・分散・非同期処理
エンタープライズ・クラウドと 並列・分散・非同期処理maruyama097
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
Voxxed Days Vilnius 2015 - Having fun with Javassist
Voxxed Days Vilnius 2015 - Having fun with JavassistVoxxed Days Vilnius 2015 - Having fun with Javassist
Voxxed Days Vilnius 2015 - Having fun with JavassistAnton Arhipov
 
Counter Wars (JEEConf 2016)
Counter Wars (JEEConf 2016)Counter Wars (JEEConf 2016)
Counter Wars (JEEConf 2016)Alexey Fyodorov
 
Endevor api an introduction to the endevor application programming interface
Endevor api an introduction to the endevor application programming interface Endevor api an introduction to the endevor application programming interface
Endevor api an introduction to the endevor application programming interface Kevin Grimes
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
What you need to remember when you upload to CPAN
What you need to remember when you upload to CPANWhat you need to remember when you upload to CPAN
What you need to remember when you upload to CPANcharsbar
 
Class 17: Golden Sneezewort
Class 17: Golden SneezewortClass 17: Golden Sneezewort
Class 17: Golden SneezewortDavid Evans
 
Riga Dev Day 2016 - Having fun with Javassist
Riga Dev Day 2016 - Having fun with JavassistRiga Dev Day 2016 - Having fun with Javassist
Riga Dev Day 2016 - Having fun with JavassistAnton Arhipov
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
DevOps in PHP environment
DevOps in PHP environmentDevOps in PHP environment
DevOps in PHP environmentEvaldo Felipe
 
とにかく始めるClojure
とにかく始めるClojureとにかく始めるClojure
とにかく始めるClojureMasayuki Muto
 

What's hot (20)

Sintsov advanced exploitation in win32
Sintsov advanced exploitation in win32Sintsov advanced exploitation in win32
Sintsov advanced exploitation in win32
 
Advanced GAR
Advanced GARAdvanced GAR
Advanced GAR
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on Windows
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Oredev 2015 - Taming Java Agents
Oredev 2015 - Taming Java AgentsOredev 2015 - Taming Java Agents
Oredev 2015 - Taming Java Agents
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
 
エンタープライズ・クラウドと 並列・分散・非同期処理
エンタープライズ・クラウドと 並列・分散・非同期処理エンタープライズ・クラウドと 並列・分散・非同期処理
エンタープライズ・クラウドと 並列・分散・非同期処理
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
Voxxed Days Vilnius 2015 - Having fun with Javassist
Voxxed Days Vilnius 2015 - Having fun with JavassistVoxxed Days Vilnius 2015 - Having fun with Javassist
Voxxed Days Vilnius 2015 - Having fun with Javassist
 
Counter Wars (JEEConf 2016)
Counter Wars (JEEConf 2016)Counter Wars (JEEConf 2016)
Counter Wars (JEEConf 2016)
 
Endevor api an introduction to the endevor application programming interface
Endevor api an introduction to the endevor application programming interface Endevor api an introduction to the endevor application programming interface
Endevor api an introduction to the endevor application programming interface
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
 
What you need to remember when you upload to CPAN
What you need to remember when you upload to CPANWhat you need to remember when you upload to CPAN
What you need to remember when you upload to CPAN
 
What`s new in Java 7
What`s new in Java 7What`s new in Java 7
What`s new in Java 7
 
Class 17: Golden Sneezewort
Class 17: Golden SneezewortClass 17: Golden Sneezewort
Class 17: Golden Sneezewort
 
Riga Dev Day 2016 - Having fun with Javassist
Riga Dev Day 2016 - Having fun with JavassistRiga Dev Day 2016 - Having fun with Javassist
Riga Dev Day 2016 - Having fun with Javassist
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples
 
DevOps in PHP environment
DevOps in PHP environmentDevOps in PHP environment
DevOps in PHP environment
 
とにかく始めるClojure
とにかく始めるClojureとにかく始めるClojure
とにかく始めるClojure
 

Viewers also liked

GC in Smalltalk - Now What?
GC in Smalltalk - Now What?GC in Smalltalk - Now What?
GC in Smalltalk - Now What?ESUG
 
Proposals for the Reborn Pharo Developer
Proposals for the Reborn Pharo DeveloperProposals for the Reborn Pharo Developer
Proposals for the Reborn Pharo DeveloperESUG
 
RBuilder and ByteSurgeon
RBuilder and ByteSurgeonRBuilder and ByteSurgeon
RBuilder and ByteSurgeonMarcus Denker
 
Behavioral Reflection
Behavioral ReflectionBehavioral Reflection
Behavioral ReflectionMarcus Denker
 
Logic Lessons That Last Generations
Logic Lessons That Last GenerationsLogic Lessons That Last Generations
Logic Lessons That Last GenerationsErin Dees
 

Viewers also liked (8)

0330 다복솔2010 001[1]
0330 다복솔2010 001[1]0330 다복솔2010 001[1]
0330 다복솔2010 001[1]
 
GC in Smalltalk - Now What?
GC in Smalltalk - Now What?GC in Smalltalk - Now What?
GC in Smalltalk - Now What?
 
Proposals for the Reborn Pharo Developer
Proposals for the Reborn Pharo DeveloperProposals for the Reborn Pharo Developer
Proposals for the Reborn Pharo Developer
 
RBuilder and ByteSurgeon
RBuilder and ByteSurgeonRBuilder and ByteSurgeon
RBuilder and ByteSurgeon
 
Stoop 390-instruction stream
Stoop 390-instruction streamStoop 390-instruction stream
Stoop 390-instruction stream
 
Stoop 305-reflective programming5
Stoop 305-reflective programming5Stoop 305-reflective programming5
Stoop 305-reflective programming5
 
Behavioral Reflection
Behavioral ReflectionBehavioral Reflection
Behavioral Reflection
 
Logic Lessons That Last Generations
Logic Lessons That Last GenerationsLogic Lessons That Last Generations
Logic Lessons That Last Generations
 

Similar to Security Hardening for Just-In-Time Virtual Machines

08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdfhasan58964
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterOguzhan Topgul
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
Realization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdlRealization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdlAlexander Decker
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
How to recover malare assembly codes
How to recover malare assembly codesHow to recover malare assembly codes
How to recover malare assembly codesFACE
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Please convert the following C code to assembly Y86int j,k; .....pdf
Please convert the following C code to assembly Y86int j,k; .....pdfPlease convert the following C code to assembly Y86int j,k; .....pdf
Please convert the following C code to assembly Y86int j,k; .....pdffoottraders
 
Assembly language
Assembly languageAssembly language
Assembly languagebryle12
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
Reverse engineering20151112
Reverse engineering20151112Reverse engineering20151112
Reverse engineering20151112Bordeaux I
 

Similar to Security Hardening for Just-In-Time Virtual Machines (20)

08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
Virtual machine re building
Virtual machine re buildingVirtual machine re building
Virtual machine re building
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow Better
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpy
 
Realization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdlRealization of an 8 bit pipelined microprocessor in verilog hdl
Realization of an 8 bit pipelined microprocessor in verilog hdl
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
How to recover malare assembly codes
How to recover malare assembly codesHow to recover malare assembly codes
How to recover malare assembly codes
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Please convert the following C code to assembly Y86int j,k; .....pdf
Please convert the following C code to assembly Y86int j,k; .....pdfPlease convert the following C code to assembly Y86int j,k; .....pdf
Please convert the following C code to assembly Y86int j,k; .....pdf
 
Assembly language
Assembly languageAssembly language
Assembly language
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
Reverse engineering20151112
Reverse engineering20151112Reverse engineering20151112
Reverse engineering20151112
 

More from ESUG

Workshop: Identifying concept inventories in agile programming
Workshop: Identifying concept inventories in agile programmingWorkshop: Identifying concept inventories in agile programming
Workshop: Identifying concept inventories in agile programmingESUG
 
Technical documentation support in Pharo
Technical documentation support in PharoTechnical documentation support in Pharo
Technical documentation support in PharoESUG
 
The Pharo Debugger and Debugging tools: Advances and Roadmap
The Pharo Debugger and Debugging tools: Advances and RoadmapThe Pharo Debugger and Debugging tools: Advances and Roadmap
The Pharo Debugger and Debugging tools: Advances and RoadmapESUG
 
Sequence: Pipeline modelling in Pharo
Sequence: Pipeline modelling in PharoSequence: Pipeline modelling in Pharo
Sequence: Pipeline modelling in PharoESUG
 
Migration process from monolithic to micro frontend architecture in mobile ap...
Migration process from monolithic to micro frontend architecture in mobile ap...Migration process from monolithic to micro frontend architecture in mobile ap...
Migration process from monolithic to micro frontend architecture in mobile ap...ESUG
 
Analyzing Dart Language with Pharo: Report and early results
Analyzing Dart Language with Pharo: Report and early resultsAnalyzing Dart Language with Pharo: Report and early results
Analyzing Dart Language with Pharo: Report and early resultsESUG
 
Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6
Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6
Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6ESUG
 
A Unit Test Metamodel for Test Generation
A Unit Test Metamodel for Test GenerationA Unit Test Metamodel for Test Generation
A Unit Test Metamodel for Test GenerationESUG
 
Creating Unit Tests Using Genetic Programming
Creating Unit Tests Using Genetic ProgrammingCreating Unit Tests Using Genetic Programming
Creating Unit Tests Using Genetic ProgrammingESUG
 
Threaded-Execution and CPS Provide Smooth Switching Between Execution Modes
Threaded-Execution and CPS Provide Smooth Switching Between Execution ModesThreaded-Execution and CPS Provide Smooth Switching Between Execution Modes
Threaded-Execution and CPS Provide Smooth Switching Between Execution ModesESUG
 
Exploring GitHub Actions through EGAD: An Experience Report
Exploring GitHub Actions through EGAD: An Experience ReportExploring GitHub Actions through EGAD: An Experience Report
Exploring GitHub Actions through EGAD: An Experience ReportESUG
 
Pharo: a reflective language A first systematic analysis of reflective APIs
Pharo: a reflective language A first systematic analysis of reflective APIsPharo: a reflective language A first systematic analysis of reflective APIs
Pharo: a reflective language A first systematic analysis of reflective APIsESUG
 
Garbage Collector Tuning
Garbage Collector TuningGarbage Collector Tuning
Garbage Collector TuningESUG
 
Improving Performance Through Object Lifetime Profiling: the DataFrame Case
Improving Performance Through Object Lifetime Profiling: the DataFrame CaseImproving Performance Through Object Lifetime Profiling: the DataFrame Case
Improving Performance Through Object Lifetime Profiling: the DataFrame CaseESUG
 
Pharo DataFrame: Past, Present, and Future
Pharo DataFrame: Past, Present, and FuturePharo DataFrame: Past, Present, and Future
Pharo DataFrame: Past, Present, and FutureESUG
 
thisContext in the Debugger
thisContext in the DebuggerthisContext in the Debugger
thisContext in the DebuggerESUG
 
Websockets for Fencing Score
Websockets for Fencing ScoreWebsockets for Fencing Score
Websockets for Fencing ScoreESUG
 
ShowUs: PharoJS.org Develop in Pharo, Run on JavaScript
ShowUs: PharoJS.org Develop in Pharo, Run on JavaScriptShowUs: PharoJS.org Develop in Pharo, Run on JavaScript
ShowUs: PharoJS.org Develop in Pharo, Run on JavaScriptESUG
 
Advanced Object- Oriented Design Mooc
Advanced Object- Oriented Design MoocAdvanced Object- Oriented Design Mooc
Advanced Object- Oriented Design MoocESUG
 
A New Architecture Reconciling Refactorings and Transformations
A New Architecture Reconciling Refactorings and TransformationsA New Architecture Reconciling Refactorings and Transformations
A New Architecture Reconciling Refactorings and TransformationsESUG
 

More from ESUG (20)

Workshop: Identifying concept inventories in agile programming
Workshop: Identifying concept inventories in agile programmingWorkshop: Identifying concept inventories in agile programming
Workshop: Identifying concept inventories in agile programming
 
Technical documentation support in Pharo
Technical documentation support in PharoTechnical documentation support in Pharo
Technical documentation support in Pharo
 
The Pharo Debugger and Debugging tools: Advances and Roadmap
The Pharo Debugger and Debugging tools: Advances and RoadmapThe Pharo Debugger and Debugging tools: Advances and Roadmap
The Pharo Debugger and Debugging tools: Advances and Roadmap
 
Sequence: Pipeline modelling in Pharo
Sequence: Pipeline modelling in PharoSequence: Pipeline modelling in Pharo
Sequence: Pipeline modelling in Pharo
 
Migration process from monolithic to micro frontend architecture in mobile ap...
Migration process from monolithic to micro frontend architecture in mobile ap...Migration process from monolithic to micro frontend architecture in mobile ap...
Migration process from monolithic to micro frontend architecture in mobile ap...
 
Analyzing Dart Language with Pharo: Report and early results
Analyzing Dart Language with Pharo: Report and early resultsAnalyzing Dart Language with Pharo: Report and early results
Analyzing Dart Language with Pharo: Report and early results
 
Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6
Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6
Transpiling Pharo Classes to JS ECMAScript 5 versus ECMAScript 6
 
A Unit Test Metamodel for Test Generation
A Unit Test Metamodel for Test GenerationA Unit Test Metamodel for Test Generation
A Unit Test Metamodel for Test Generation
 
Creating Unit Tests Using Genetic Programming
Creating Unit Tests Using Genetic ProgrammingCreating Unit Tests Using Genetic Programming
Creating Unit Tests Using Genetic Programming
 
Threaded-Execution and CPS Provide Smooth Switching Between Execution Modes
Threaded-Execution and CPS Provide Smooth Switching Between Execution ModesThreaded-Execution and CPS Provide Smooth Switching Between Execution Modes
Threaded-Execution and CPS Provide Smooth Switching Between Execution Modes
 
Exploring GitHub Actions through EGAD: An Experience Report
Exploring GitHub Actions through EGAD: An Experience ReportExploring GitHub Actions through EGAD: An Experience Report
Exploring GitHub Actions through EGAD: An Experience Report
 
Pharo: a reflective language A first systematic analysis of reflective APIs
Pharo: a reflective language A first systematic analysis of reflective APIsPharo: a reflective language A first systematic analysis of reflective APIs
Pharo: a reflective language A first systematic analysis of reflective APIs
 
Garbage Collector Tuning
Garbage Collector TuningGarbage Collector Tuning
Garbage Collector Tuning
 
Improving Performance Through Object Lifetime Profiling: the DataFrame Case
Improving Performance Through Object Lifetime Profiling: the DataFrame CaseImproving Performance Through Object Lifetime Profiling: the DataFrame Case
Improving Performance Through Object Lifetime Profiling: the DataFrame Case
 
Pharo DataFrame: Past, Present, and Future
Pharo DataFrame: Past, Present, and FuturePharo DataFrame: Past, Present, and Future
Pharo DataFrame: Past, Present, and Future
 
thisContext in the Debugger
thisContext in the DebuggerthisContext in the Debugger
thisContext in the Debugger
 
Websockets for Fencing Score
Websockets for Fencing ScoreWebsockets for Fencing Score
Websockets for Fencing Score
 
ShowUs: PharoJS.org Develop in Pharo, Run on JavaScript
ShowUs: PharoJS.org Develop in Pharo, Run on JavaScriptShowUs: PharoJS.org Develop in Pharo, Run on JavaScript
ShowUs: PharoJS.org Develop in Pharo, Run on JavaScript
 
Advanced Object- Oriented Design Mooc
Advanced Object- Oriented Design MoocAdvanced Object- Oriented Design Mooc
Advanced Object- Oriented Design Mooc
 
A New Architecture Reconciling Refactorings and Transformations
A New Architecture Reconciling Refactorings and TransformationsA New Architecture Reconciling Refactorings and Transformations
A New Architecture Reconciling Refactorings and Transformations
 

Recently uploaded

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Security Hardening for Just-In-Time Virtual Machines

  • 1. one aspect of Security on JIT VMs and more Richie++ / richie / gera@corest.com 1
  • 2. Security? ● Does you application need security? ● Do you do anything for its security? 2
  • 3. one aspect of Security on JIT VMs and more 3
  • 4. Scenario ● VM installed on user's machine (your application) ● Attacker provides content (behavior) ● Attacker escapes VM restrictions (if any) ● Attacker accesses private information 4
  • 5. nativizing VMs Digitalk VS @1: 7F647D: push EBP test: arg 7F647E: mov EBP, ESP ^self with: 0 with: inst with: arg 7F6480: push EAX 7F6481: mov ESI, EAX ... @2:7F6492: push 1 ; PushSmallInteger0 1 <13> PushSmallInteger0 7F6497: push [ESI] ; PushInstance1 7F6499: push [EBP+8] ; PushArgument1 2 <8C> PushInstance1 7F649C: mov EAX, ESI ; LoadSelf 3 <55> PushArgument1 7F649E: call 740207 ; SendSelector1 4 <0A> LoadSelf 7F64A3: mov ESP, EBP ; Return 5 <E2> SendSelector1 7F64A5: pop EBP 7F64A6: mov ESI, [EBP-4] 6 <48> Return 7F64A9: ret 4 NEAR ● Smalltalk stack == native stack ● Instance variables are accessed directly ● Contexts are stored in native stack 5
  • 6. nativizing VMs Cincom VW 888AE6A: push EBP test: arg 888AE6B: mov EBP, ESP 888AE6D: sub ESP, 4 ^self with: 0 with: inst with: arg ... 888AE7D: push EBX ; save receiver 888AE7E: push ESI ; save first arg ... 1 <44> push self 888AE87: push 3 ; push 0 2 <49> push 0 888AE89: mov EDI, [EBP-10] ; push local 0 3 <10> push local 0 888AE8C: mov ESI, [EDX] ; push inst 0 888AE8E: mov EBX, [EBP-14] ; push self 4 <00> push inst 0 888AE91: mov EDX, 9502FF0 5 <CE BE>send 888AE96: call 80A6570 ; send with:with:with 6 <65> return 888AE9B: leave 888AE9C: ret ● Smalltalk stack =~= native stack ● First arguments go in registers ● Instance variables are accessed “directly” (some) ● Contexts are stored in native stack 6
  • 8. Conding in assembly stack operations PushR PushSmallInteger 2048 7EAFA2: push EAX ; PushR PushLiteral1/Assoc1 7EAFA3: push 1001 ; PushSmallInteger 2048 7EAFA8: push 1100000C ; PushLiteral1 PushInstance1 7EAFAD: push [ESI] ; PushInstance1 PushTemporary1 7EAFAF: push [EBP-C] ; PushTemporary1 PushArgument1 7EAFB2: push [EBP+4] ; PushArgument1 PushContextTemporary1 7EAFB5: push [EDI+18] ; PushContextTemporary1 7EAFB8: pop EAX ; PopR PopR 7EAFB9: add ESP, 4 ; DropTos1 DropTos1 7EAFBC: mov [EBP-C], EAX ; StoreTemporary1 StoreTemporary1 7EAFBF: mov ESP, EBP ; Return NoFrameProlog ● Push: add arbitrary things to the stack ● StoreTemporary: random access to negative offsets ● PopR, DropTos: arbitrarily move the stack pointer ● NoFrameProlog: skips saving/restoring the FP and SP 8
  • 9. Escaping Digitalk VM @1: 7CBC6D: push EBP 7CBC6E: mov EBP, ESP 7CBC70: push EAX 7CBC71: mov ESI, EAX DropTosN 4 ... PushArgument1 @2: 7CBC82: add ESP, 10 ; 1 <05> DropTosN 4 Return 7CBC85: push [EBP+4] ; 4 <55> PushArgument1 7CBC88: mov ESP, EBP ; 5 <48> Return 7CBC8A: pop EBP 7CBC8B: mov ESI, [EBP-4] 7CBC8E: ret NEAR ● Drop top of stack ● Overwrite return address with argument ● Return 9
  • 10. Unbalancing the stack @1: 7F2CDD: push EBP 7F2CDE: mov EBP, ESP 7F2CE0: push EAX 7F2CE1: mov ESI, EAX selector: #test 7F2CE3: push 100BCF14 7F2CE8: cmp ESP, [10028CD4] arguments: 5 7F2CEE: inc EBX 7F2CEF: jbe @5 Return 7F2CF1: inc EBX @2: 7F2CF2: mov ESP, EBP ; 1 <48> Return 7F2CF4: pop EBP 7F2CF5: mov ESI, [EBP-4] 7F2CF8: ret 14 NEAR ● Caller pushes no arguments ● Callee cleans 5 arguments, unbalances stack ● Caller can modify protected values (return address) 10
  • 11. Escaping Cincom VM 9C8EAE2: push EBP 9C8EAE3: mov EBP, ESP 9C8EAE5: sub ESP, 4 selector: #test: 9C8EAE8: push 9C877B8 arguments: 8 9C8EAED: cmp ESP, [80DB614] 9C8EAF3: jc 9C8EAC4 frame size: 10 9C8EAF5: push EBX 9C8EAF6: push ESI OpReturnReceiver 9C8EAF7: push EDI 9C8EAF8: mov EBX, [EBP-C] ; OpReturnReceiver 9C8EAFB: leave 9C8EAFC: ret 1C NEAR ● Caller pushes 1 argument ● Callee cleans 7 arguments, unbalances stack ● Caller can modify protected values (return address) 11
  • 12. Attack layout ● Attacker transfers a CompiledMethod and activates it ● Attacker escapes the VM, and accesses the OS ● OS does not provide Application storage isolation ● Attacker gets stored passwords and credit cards 12
  • 13. Securing Smalltalk (some ideas) fileMeta := 0 class class class allInstances detect: [:metaClass | Reachability metaClass instanceClass name = 'File']. fileMeta instanceClass openReadOnly: '...savedPasswords' File pathNameReadOnly: 'temporaryFile.dat' Sandboxing File pathNameReadOnly: '...savedPasswords' PushR, PushR, DropTos2, Return Verifier PushR, PushR, Return ● Are all three necessary? 13
  • 14. Escaping Digitalk VM @2: 796DA2: mov EAX, [ESI] ; 1 <7F> LoadInstance1 SmallInteger >> #readMemory 796DA4: mov ESP, EBP ; 2 <48> Return LoadInstance1 796DA6: pop EBP Return 796DA7: mov ESI, [EBP-4] 796DAA: ret 4 NEAR @2: 7FCA82: mov EAX, [EBP+8] ; 1 <50> LoadArgument1 SmallInteger >> #writeMemory: 7FCA85: mov [ESI], EAX ; 2 <96> StoreInstance1 LoadArgument1 7FCA87: call 1001AEA0 7FCA8C: mov ESP, EBP ; 3 <48> Return StoreInstance1 7FCA8E: pop EBP Return 7FCA8F: mov ESI, [EBP-4] 7FCA92: ret 4 NEAR ● Arbitrary memory read ● Arbitrary memory write 14
  • 15. Escaping Cincom VM 8EA1F09:mov EDX, [ESI] ; OpStorePopInst SmallInteger >> #readMemory 8EA1F0B:mov EBX, [EDX] OpLoadInst ... OpReturn 8EA1F20:leave ; OpReturn 8EA1F21:ret NEAR SmallInteger >> #writeMemory: 8EA1F09:mov EDX, [ESI] ; OpStorePopInst 8EA1F0B:mov [EDX], EBX OpLoadTemp ... OpStorePopInst 8EA1F20:leave ; OpReturn OpReturn 8EA1F21:ret 4 NEAR ● Arbitrary memory read (#[0 0 0 16r78 16r56 16r34 16r12] copyToHeap asInteger / 4) readMemory ● Arbitrary memory write 15
  • 16. [Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion] 16
  • 17. Further understanding better assessment PushArgument2 17
  • 18. Documenting Bytecodes BytecodeNativizerPushR Assembler >> #pushR assembler pushR self assembleByte: 16r50 " push eax " BytecodeNativizerDropTos1 assembler dropTos: 1 Assembler >> #dropTos: index self " sub esp, index * 4 " BytecodeNativizerDropTosN assemble: #[16r83 16rC4]; | idx | assembleByte: index * 4 idx := self nextIndex. assembler dropTos: idx Assembler >> #loadFromInstance: index " We need mov eax, [esi + index*4] " self assembleByte: 16r8B. BytecodeNativizerLoadInstN index = 1 ifTrue: [^self reg: 0 mod: 0 rm: 6]. assembler loadFromInstance: index abs > 31 self nextIndex ifTrue: [ self reg: 0 mod: 2 rm: 6. self assembleLong: index - 1 * 4] ifFalse: [...] 18
  • 19. Testing Bytecodes Templates Test loadInstance1 testSameAsOriginal: cm " | original documentation | 1 <7F> LoadInstance1 original := CompiledMethodNativizer 2 <48> Return originalNativize: cm. " documentation := CompiledMethodNativizer |a| nativize: cm. ^testSelector self assert: original == documentation loadInstanceNoProlog1 shortForwardTestJumpFalse " " 1 <02> NoFrameProlog 1 <0E> LoadTrue 2 <7F> LoadInstance1 2 <1B> TestJumpFalse 6 3 <48> Return 5 <14> LoadSmallInteger1 " 6 <49> ReturnSelf ^testSelector " true ifTrue: [1]. 19
  • 20. So far so good... but does the generated code work? 20
  • 21. Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return 21
  • 22. Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return rtCompile: aCompiledMethod Transcript show: 'got callback '; Show: aCompiledMethod printString; cr cr. aCompiledMethod selector = #testMethod ifTrue: [ ^self nativize: aCompiledMethod]. ^0 22
  • 23. What's next? ● Debugging JIT ● Frozen code ● All in Smalltalk 23
  • 24. [Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion]. Audience do: [:you | self thank: you]. self returnTo: Audience 24
  • 25. one aspect of Security on JIT VMs and more Richie++ / richie / gera@corest.com 1 • We understand why it's important that all this VMs have security: We use most of them every day in some way or another, and through them we extend our trust to untrusted mobile code applications from we download from unknown sources. • They have all gone, directly or indirectly, through some security audits and, one way or another, their developers today care about security issues. • Smalltalk has grown as the very open "socialist" environment we all love, were we just trust everybody. The VMs developers community has not really payed much attention to security (not at least from a mobile code perspective) • Time has come for mobile code to also reach Smalltalk (browser plugins, Croquet objects with their own behavior, Scratch/EToys projects, seaside hosting)
  • 26. Security? ● Does you application need security? ● Do you do anything for its security? 2 • Any application installed on a computer can open the door to an attacker, in our scenario we are assuming mobile code (maybe embedded in other type of content) • The VM is supposed to provide some sandboxing, if the sandboxing can be broken the trust chain can be abused: the user trusts the VM the VM trusts/verifies the mobile code the mobile code fools the VM
  • 27. one aspect of Security on JIT VMs and more 3 • We understand why it's important that all this VMs have security: We use most of them every day in some way or another, and through them we extend our trust to untrusted mobile code applications from we download from unknown sources. • They have all gone, directly or indirectly, through some security audits and, one way or another, their developers today care about security issues. • Smalltalk has grown as the very open "socialist" environment we all love, were we just trust everybody. The VMs developers community has not really payed much attention to security (not at least from a mobile code perspective) • Time has come for mobile code to also reach Smalltalk (browser plugins, Croquet objects with their own behavior, Scratch/EToys projects, seaside hosting)
  • 28. Scenario ● VM installed on user's machine (your application) ● Attacker provides content (behavior) ● Attacker escapes VM restrictions (if any) ● Attacker accesses private information 4 • Any application installed on a computer can open the door to an attacker, in our scenario we are assuming mobile code (maybe embedded in other type of content) • The VM is supposed to provide some sandboxing, if the sandboxing can be broken the trust chain can be abused: the user trusts the VM the VM trusts/verifies the mobile code the mobile code fools the VM
  • 29. nativizing VMs Digitalk VS @1: 7F647D: push EBP test: arg 7F647E: mov EBP, ESP ^self with: 0 with: inst with: arg 7F6480: push EAX 7F6481: mov ESI, EAX ... @2:7F6492: push 1 ; PushSmallInteger0 1 <13> PushSmallInteger0 7F6497: push [ESI] ; PushInstance1 7F6499: push [EBP+8] ; PushArgument1 2 <8C> PushInstance1 7F649C: mov EAX, ESI ; LoadSelf 3 <55> PushArgument1 7F649E: call 740207 ; SendSelector1 4 <0A> LoadSelf 7F64A3: mov ESP, EBP ; Return 5 <E2> SendSelector1 7F64A5: pop EBP 7F64A6: mov ESI, [EBP-4] 6 <48> Return 7F64A9: ret 4 NEAR ● Smalltalk stack == native stack ● Instance variables are accessed directly ● Contexts are stored in native stack 5 • Smalltalk is compiled to Bytecode • Bytecode is nativized • Smalltalk is directly compiled to Assembly • Here we can see • Smalltalk stack is kept in the native stack (push nativized to push) • Contexts are normal native stack frames • return addresses managed through native call/ret • Arguments are accessed through the native frame pointer • Local variables are accessed through the native frame pointer • The receiver is saved in a local • Instance variables are accessed with direct memory accesses without any checks • If we could arbitrarily access any indexed argument we could corrupt the return address or saved
  • 30. nativizing VMs Cincom VW 888AE6A: push EBP test: arg 888AE6B: mov EBP, ESP 888AE6D: sub ESP, 4 ^self with: 0 with: inst with: arg ... 888AE7D: push EBX ; save receiver 888AE7E: push ESI ; save first arg ... 1 <44> push self 888AE87: push 3 ; push 0 2 <49> push 0 888AE89: mov EDI, [EBP-10] ; push local 0 3 <10> push local 0 888AE8C: mov ESI, [EDX] ; push inst 0 888AE8E: mov EBX, [EBP-14] ; push self 4 <00> push inst 0 888AE91: mov EDX, 9502FF0 5 <CE BE>send 888AE96: call 80A6570 ; send with:with:with 6 <65> return 888AE9B: leave 888AE9C: ret ● Smalltalk stack =~= native stack ● First arguments go in registers ● Instance variables are accessed “directly” (some) ● Contexts are stored in native stack 6 • Here we can see • Smalltalk stack is kept in the native stack (push nativized to push) • Contexts are normal native stack frames • return addresses managed through native call/ret • after 3 args they accessed through the native frame pointer • Local variables are accessed through the native frame pointer • The receiver is saved in a local • Some instance variables are accessed with direct memory accesses without any checks, some are accessed through a routing that MAY do checks. • If we could arbitrarily write any indexed argument we could corrupt the return address, saved receiver or locals (from other frames) • If we could arbitrarily manipulate any indexed
  • 32. Conding in assembly stack operations PushR PushSmallInteger 2048 7EAFA2: push EAX ; PushR PushLiteral1/Assoc1 7EAFA3: push 1001 ; PushSmallInteger 2048 7EAFA8: push 1100000C ; PushLiteral1 PushInstance1 7EAFAD: push [ESI] ; PushInstance1 PushTemporary1 7EAFAF: push [EBP-C] ; PushTemporary1 PushArgument1 7EAFB2: push [EBP+4] ; PushArgument1 PushContextTemporary1 7EAFB5: push [EDI+18] ; PushContextTemporary1 7EAFB8: pop EAX ; PopR PopR 7EAFB9: add ESP, 4 ; DropTos1 DropTos1 7EAFBC: mov [EBP-C], EAX ; StoreTemporary1 StoreTemporary1 7EAFBF: mov ESP, EBP ; Return NoFrameProlog ● Push: add arbitrary things to the stack ● StoreTemporary: random access to negative offsets ● PopR, DropTos: arbitrarily move the stack pointer ● NoFrameProlog: skips saving/restoring the FP and SP 8
  • 33. Escaping Digitalk VM @1: 7CBC6D: push EBP 7CBC6E: mov EBP, ESP 7CBC70: push EAX 7CBC71: mov ESI, EAX DropTosN 4 ... PushArgument1 @2: 7CBC82: add ESP, 10 ; 1 <05> DropTosN 4 Return 7CBC85: push [EBP+4] ; 4 <55> PushArgument1 7CBC88: mov ESP, EBP ; 5 <48> Return 7CBC8A: pop EBP 7CBC8B: mov ESI, [EBP-4] 7CBC8E: ret NEAR ● Drop top of stack ● Overwrite return address with argument ● Return 9
  • 34. Unbalancing the stack @1: 7F2CDD: push EBP 7F2CDE: mov EBP, ESP 7F2CE0: push EAX 7F2CE1: mov ESI, EAX selector: #test 7F2CE3: push 100BCF14 7F2CE8: cmp ESP, [10028CD4] arguments: 5 7F2CEE: inc EBX 7F2CEF: jbe @5 Return 7F2CF1: inc EBX @2: 7F2CF2: mov ESP, EBP ; 1 <48> Return 7F2CF4: pop EBP 7F2CF5: mov ESI, [EBP-4] 7F2CF8: ret 14 NEAR ● Caller pushes no arguments ● Callee cleans 5 arguments, unbalances stack ● Caller can modify protected values (return address) 10
  • 35. Escaping Cincom VM 9C8EAE2: push EBP 9C8EAE3: mov EBP, ESP 9C8EAE5: sub ESP, 4 selector: #test: 9C8EAE8: push 9C877B8 arguments: 8 9C8EAED: cmp ESP, [80DB614] 9C8EAF3: jc 9C8EAC4 frame size: 10 9C8EAF5: push EBX 9C8EAF6: push ESI OpReturnReceiver 9C8EAF7: push EDI 9C8EAF8: mov EBX, [EBP-C] ; OpReturnReceiver 9C8EAFB: leave 9C8EAFC: ret 1C NEAR ● Caller pushes 1 argument ● Callee cleans 7 arguments, unbalances stack ● Caller can modify protected values (return address) 11
  • 36. Attack layout ● Attacker transfers a CompiledMethod and activates it ● Attacker escapes the VM, and accesses the OS ● OS does not provide Application storage isolation ● Attacker gets stored passwords and credit cards 12
  • 37. Securing Smalltalk (some ideas) fileMeta := 0 class class class allInstances detect: [:metaClass | Reachability metaClass instanceClass name = 'File']. fileMeta instanceClass openReadOnly: '...savedPasswords' File pathNameReadOnly: 'temporaryFile.dat' Sandboxing File pathNameReadOnly: '...savedPasswords' PushR, PushR, DropTos2, Return Verifier PushR, PushR, Return ● Are all three necessary? 13 • In a fully dynamic and reflective system reachability is hard to constrain • Sandboxing, ACL or permissions must be implemented in the VM itself. They could be bypassed, most likely, if implemented in the image. • A bytecode verifier is mandatory in any kind of nativizing VM, and strict checks are also required in an interpreter.
  • 38. Escaping Digitalk VM @2: 796DA2: mov EAX, [ESI] ; 1 <7F> LoadInstance1 SmallInteger >> #readMemory 796DA4: mov ESP, EBP ; 2 <48> Return LoadInstance1 796DA6: pop EBP Return 796DA7: mov ESI, [EBP-4] 796DAA: ret 4 NEAR @2: 7FCA82: mov EAX, [EBP+8] ; 1 <50> LoadArgument1 SmallInteger >> #writeMemory: 7FCA85: mov [ESI], EAX ; 2 <96> StoreInstance1 LoadArgument1 7FCA87: call 1001AEA0 7FCA8C: mov ESP, EBP ; 3 <48> Return StoreInstance1 7FCA8E: pop EBP Return 7FCA8F: mov ESI, [EBP-4] 7FCA92: ret 4 NEAR ● Arbitrary memory read ● Arbitrary memory write 14
  • 39. Escaping Cincom VM 8EA1F09:mov EDX, [ESI] ; OpStorePopInst SmallInteger >> #readMemory 8EA1F0B:mov EBX, [EDX] OpLoadInst ... OpReturn 8EA1F20:leave ; OpReturn 8EA1F21:ret NEAR SmallInteger >> #writeMemory: 8EA1F09:mov EDX, [ESI] ; OpStorePopInst 8EA1F0B:mov [EDX], EBX OpLoadTemp ... OpStorePopInst 8EA1F20:leave ; OpReturn OpReturn 8EA1F21:ret 4 NEAR ● Arbitrary memory read (#[0 0 0 16r78 16r56 16r34 16r12] copyToHeap asInteger / 4) readMemory ● Arbitrary memory write 15
  • 40. [Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion] 16
  • 41. Further understanding better assessment PushArgument2 17 • Just randomly looking how each bytecode is nativized is not enough to asses the security of the system, we need to understand all possible variations for each bytecode. • So we need to understand and document the workings of the JIT nativizer, and what better documentation that something which can be debugged. So, as we all learned long time ago with the original specification of the Smalltalk VM, we started documenting not in .doc, but in .st
  • 42. Documenting Bytecodes BytecodeNativizerPushR Assembler >> #pushR assembler pushR self assembleByte: 16r50 " push eax " BytecodeNativizerDropTos1 assembler dropTos: 1 Assembler >> #dropTos: index self " sub esp, index * 4 " BytecodeNativizerDropTosN assemble: #[16r83 16rC4]; | idx | assembleByte: index * 4 idx := self nextIndex. assembler dropTos: idx Assembler >> #loadFromInstance: index " We need mov eax, [esi + index*4] " self assembleByte: 16r8B. BytecodeNativizerLoadInstN index = 1 ifTrue: [^self reg: 0 mod: 0 rm: 6]. assembler loadFromInstance: index abs > 31 self nextIndex ifTrue: [ self reg: 0 mod: 2 rm: 6. self assembleLong: index - 1 * 4] ifFalse: [...] 18
  • 43. Testing Bytecodes Templates Test loadInstance1 testSameAsOriginal: cm " | original documentation | 1 <7F> LoadInstance1 original := CompiledMethodNativizer 2 <48> Return originalNativize: cm. " documentation := CompiledMethodNativizer |a| nativize: cm. ^testSelector self assert: original == documentation loadInstanceNoProlog1 shortForwardTestJumpFalse " " 1 <02> NoFrameProlog 1 <0E> LoadTrue 2 <7F> LoadInstance1 2 <1B> TestJumpFalse 6 3 <48> Return 5 <14> LoadSmallInteger1 " 6 <49> ReturnSelf ^testSelector " true ifTrue: [1]. 19
  • 44. So far so good... but does the generated code work? 20
  • 45. Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return 21
  • 46. Two worlds unite PushSmallInteger 1234 PushArgument1 LoadSelf SendSelector1 methodLookup() rtCompile() Return rtCompile: aCompiledMethod Transcript show: 'got callback '; Show: aCompiledMethod printString; cr cr. aCompiledMethod selector = #testMethod ifTrue: [ ^self nativize: aCompiledMethod]. ^0 22
  • 47. What's next? ● Debugging JIT ● Frozen code ● All in Smalltalk 23
  • 48. [Audience hasQuestions] whileTrue: [ self answer: Audience nextQuestion]. Audience do: [:you | self thank: you]. self returnTo: Audience 24