This repository has been archived by the owner on Jan 10, 2025. It is now read-only.

Machinecode Diversification in JIT #143

Merged
merged 11 commits into from
Jun 2, 2021

Conversation

Lichtso

@Lichtso Lichtso commented Mar 9, 2021

Based on:

Homescu, Andrei, et al. "Librando: transparent code randomization for just-in-time compilers." Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security. 2013.

Implemented Techniques:

  • Instruction Address Randomization: Occasional emission of additional no-op instructions
  • Input Sanitization: Encryption of user provided values such as immediate values and offsets
  • Environment Obfuscation: Encryption of registers which the compiled program uses under the hood:
    • R10 - JitProgramArgument: The memory_mapping and bound syscall_context_objects
    • RBP - Stack frame pointer

@Lichtso Lichtso added the enhancement New feature or request label Mar 9, 2021
@Lichtso Lichtso marked this pull request as draft March 9, 2021 19:42
@Lichtso Lichtso force-pushed the feature/machinecode_randomization branch from bcae458 to faa96a6 Compare March 15, 2021 15:05
@Lichtso Lichtso force-pushed the feature/machinecode_randomization branch 3 times, most recently from 57e1f7f to 3e322b2 Compare April 30, 2021 10:24
@jon-chuang

jon-chuang commented May 3, 2021

So I guess the purpose here is to generate a local runtime specific binary with randomised executable address space to defend against reentrancy attacks that only have knowledge of the source code/eBPF bytecode.

@Lichtso Lichtso force-pushed the feature/machinecode_randomization branch 5 times, most recently from 15493c3 to ce7dd0b Compare May 7, 2021 16:13
@Lichtso Lichtso changed the title Machinecode Randomization in JIT Machinecode Diversification in JIT May 7, 2021
@jackcmay

jackcmay commented May 7, 2021

In our environment I'm having a hard time figuring out what attack vectors this work is intending to address. Can you help me understand?

@Lichtso
Author

Lichtso commented May 7, 2021

@jackcmay I updated the description of the PR with a link to the paper in which the attacks and their prevention are described in detail.

@dmakarov

dmakarov commented May 7, 2021

In current implementation address randomization seems to be always enabled. Would it be possible to add an option that would disable this?

@Lichtso
Author

Lichtso commented May 7, 2021

@dmakarov I added config options for both techniques here:

rbpf/src/vm.rs (line 185 in d86853f):

/// Ratio of instructions per no-op for randomization in the JIT code emitter

E.g. setting instructions_noop_salting_ratio to 0 would result in no randomization.

Edit: Also, all randomization happens at x86 level now, not at BPF level anymore. So it should be transparent for the tracer (but not for GDB / LLDB).
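How the two emitter-side techniques from the PR description fit together, as an added toy model in Rust (not rbpf's JIT code; the three-instruction register ISA, `Emitter` and `run` are assumptions of the example): two compilations with different seeds produce different instruction streams that execute identically, a user-chosen immediate never appears literally in the stream, and a `noop_ratio` of 0 emits no no-ops, mirroring what the comment above says about `instructions_noop_salting_ratio`.

```rust
// Added toy model of the PR's two techniques, not rbpf's JIT: the three-insn
// register ISA, Emitter and run() are assumptions made for this example.
#[derive(Debug, PartialEq)]
pub enum Insn {
    Nop,
    MovImm { dst: usize, imm: u64 }, // dst = imm
    XorImm { dst: usize, imm: u64 }, // dst ^= imm
}

pub struct Emitter {
    pub insns: Vec<Insn>,
    pub rng: u64,        // per-compilation secret, modelled as xorshift64 state
    pub noop_ratio: u64, // like instructions_noop_salting_ratio; 0 disables salting
}
impl Emitter {
    // xorshift64: a nonzero state never yields 0, so the blinding key is never 0.
    fn next(&mut self) -> u64 {
        let mut x = self.rng;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.rng = x;
        x
    }
    // Instruction address randomization: roughly 1 in noop_ratio instructions
    // is preceded by a Nop, so every later address shifts per compilation.
    fn emit(&mut self, insn: Insn) {
        if self.noop_ratio != 0 && self.next() % self.noop_ratio == 0 {
            self.insns.push(Insn::Nop);
        }
        self.insns.push(insn);
    }
    // Input sanitization: the user-controlled immediate is never written into
    // the stream as-is; the program rebuilds it at run time from imm ^ key and key.
    pub fn emit_load_imm(&mut self, dst: usize, imm: u64) {
        let key = self.next();
        self.emit(Insn::MovImm { dst, imm: imm ^ key });
        self.emit(Insn::XorImm { dst, imm: key });
    }
}

/// Runs a stream on four registers and returns their final values.
pub fn run(insns: &[Insn]) -> [u64; 4] {
    let mut regs = [0u64; 4];
    for insn in insns {
        match insn {
            Insn::Nop => {}
            Insn::MovImm { dst, imm } => regs[*dst] = *imm,
            Insn::XorImm { dst, imm } => regs[*dst] ^= *imm,
        }
    }
    regs
}
```

Because xorshift is a bijection on nonzero states, two distinct seeds always yield distinct first keys, so the two streams differ even when the no-op placement happens to coincide.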

@Lichtso Lichtso marked this pull request as ready for review May 7, 2021 19:09
@jackcmay

jackcmay commented May 8, 2021

> @jackcmay I updated the description of the PR with a link to the paper in which the attacks and their prevention are described in detail.

@jackcmay jackcmay closed this May 8, 2021
@jackcmay jackcmay reopened this May 8, 2021
@Lichtso Lichtso force-pushed the feature/machinecode_randomization branch from 2560903 to be69f04 Compare May 21, 2021 14:10
@Lichtso Lichtso force-pushed the feature/machinecode_randomization branch from be69f04 to 8c9fbc7 Compare May 31, 2021 16:01
@Lichtso Lichtso merged commit f39fce7 into main Jun 2, 2021
Lichtso added a commit that referenced this pull request Jun 23, 2021
Implements:
    Instruction Address Randomization: Occasional emission of additional no-op instructions
    Input Sanitization: Encryption of user provided values such as immediate values and offsets
    Environment Obfuscation: Encryption of registers which the compiled program uses under the hood:
        R10 - JitProgramArgument: The memory_mapping and bound syscall_context_objects
        RBP - Stack frame pointer
@Lichtso Lichtso deleted the feature/machinecode_randomization branch January 19, 2022 10:24