Intra-Process Memory Protection for Applications on ARM and x86: Leveraging the ELF ABI

Presented at Black Hat USA 2016, Aug. 3, 2016, 3 p.m. (50 minutes)

Today's software needs to isolate not only processes but the many components *within* a process from each other. Process-level isolation via jails, sandboxes, VMs, or hypervisors is finally becoming mainstream, but it misses an important point about modern software: its growing number of libraries that are all loaded into the same address space, and may all interact with complex inputs by way of vulnerable parsers. A process, even isolated, is as weak as the weakest of its components, but is as valuable as the most sensitive data it holds. Heartbleed was a perfect example of this: a faulty parser in a library could read absolutely everything in memory; there are many others less famous but no better. The biggest challenge of making intra-process memory protection practical is that it cannot require major changes to how software is written. A practical granular memory protection scheme must work for the existing C/C++ build chains, nor should it change the ABI. Further, it cannot rely on concepts that aren't already intuitively clear to C/C++ programmers. Many academic proposals for more granular memory access control stopped short of this. They disregard the glue what keeps the development process and runtime together: the ABI. We demonstrate ELFbac, a system that uses the Linux ELF ABI to express access control policies between a program's components, such as libraries, and requires no changes to the GNU build chain. It enforces these policies by using a modified Linux loader and the Linux virtual memory system. ELFbac policies operate on the level of ELF object file sections. Custom data and code units can be created with existing GCC C/C++ attributes with a one-line annotation per unit; they are no more complex than C's static scoping. We have developed prototypes for ARM and x86. We used our ARM prototype to protect a validating proxy firewall for DNP3, a popular ICS protocol, and our x86 one to write a basic policy for Nginx. We will also demonstrate a policy for protecting OpenSSH.

Presenters:

• Sergey Bratus - Dartmouth College
  Sergey Bratus is a research associate professor at Dartmouth College. He and his students demonstrated a number of unexpectedly powerful execution mechanisms where least expected: in DWARF debugging and exception handling, in ELF metadata, in the x86 MMU, and collaborated with industry researchers to build security tools for protocols such as USB (Facedancer), 802.15.4/ZigBee (Apimote + KillerBee), and 802.11 fingerprinting (Baffle).
• Julian Bangert - MIT
  Julian Bangert is a Ph.D. student at MIT. He graduated from Dartmouth, where he worked with Sergey Bratus on ELF parsing differentials and the x86 MMU weird machine.
• Maxwell Koo - Narf Industries
  Max Koo is a researcher at Narf Industries. He is the principal author of the ARM port of ELFbac. Max has 8 years of experience in the computer industry where his focus has been on low-level software development and embedded systems security.

Links:

• https://www.blackhat.com/us-16/briefings.html#intra-process-memory-protection-for-applications-on-arm-and-x86-leveraging-the-elf-abi
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Intra-Process Memory Protection for Applications on ARM and X86 - Leveraging the ELF ABI.mp4
• https://www.youtube.com/watch?v=YXh2aIc9u64
• https://www.blackhat.com/docs/us-16/materials/us-16-Bratus-Intra-Process-Memory-Protection-For-Applications-On-ARM-And-x86.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Bratus-Intra-Process-Memory-Protection-For-Applications-On-ARM-And-x86-wp.pdf

Similar Presentations:

• THOTCON 0x9 (2018) / Reflective PE Unloading
• DEF CON 23 (2015) / Dark side of the ELF - leveraging dynamic loading to pwn noobs
• REcon 2019 / The Backdoor Foundry: A Toolchain for Building Application Specific Implants