Description
In the age of coordinated malware distribution and zero-day exploits, security becomes increasingly important. We present libdetox, a framework for the safe execution of untrusted binary code based on a dynamic binary translator.
Coordinated malware distribution and zero-day exploits require that security be a primary concern of any system. Yet despite numerous warnings, many users download active content from the web. libdetox presents an approach for the safe execution of untrusted binary code based on user-space process virtualization. The approach combines dynamic binary translation with process sandboxing: a system call interposition framework limits and guards the interactions between the binary code and the kernel, and policy-based system call authorization controls that interposition framework.
We implemented this approach in the libdetox framework, which is based on a low-overhead, table-based dynamic (just-in-time) binary translator, and describe the additions that make a binary translator a useful base for secure execution, such as hardening techniques like executable space protection (ensuring that no injected code can be executed) and protection of internal data structures, so that the translated program cannot escape the user-space virtualization. An important feature of libdetox is that only translated code is executed. This ensures code validity and makes it possible to rewrite individual instructions. The system call interposition framework validates every system call and offers the choice to (i) allow it, (ii) abort the program, or (iii) redirect it to a user-space emulation.
The policy-based system call authorization uses the interposition framework to define, on a per-system-call basis, fine-grained argument values that are allowed or denied. These policies are used to implement access restrictions for untrusted programs. An interactive mode lets the user control each individual system call of untrusted code, and a daemon mode allows server processes to be sandboxed and isolated.
The combination of user-space virtualization and policy-based system call interposition imposes only low overhead and is therefore an attractive option for encapsulating and sandboxing untrusted code.
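The per-system-call authorization described above, as an added illustration in C that is not libdetox's own code: a constructed rule table is checked against a system call's number and its extracted arguments and yields one of the three decisions (allow, abort, redirect to user-space emulation), denying by default. The syscall identifiers, the rule fields, the flag bits and the sample policy are assumptions for this example, not the framework's policy format.

```c
#include <string.h>

/* Added example (not libdetox code): the three decisions the interposition framework offers. */
enum verdict { ALLOW, ABORT, EMULATE };

/* Stand-ins for system call numbers; the real Linux values are not used here. */
enum sysno { SC_OPEN, SC_WRITE, SC_SOCKET, SC_OTHER };

/* Hypothetical open(2) flag bits used by the sample policy. */
#define O_WRONLY_ 1
#define O_RDWR_   2

/* One rule: a syscall number plus optional argument constraints. A NULL prefix,
   a negative fd_max or a zero flags_mask means "do not check that argument". */
struct rule {
    enum sysno   nr;
    const char  *path_prefix; /* path argument must start with this */
    int          fd_max;      /* descriptor argument must not exceed this */
    long         flags_mask;  /* all of these flag bits must be clear */
    enum verdict verdict;
};

/* Constructed sample policy: read-only opens under /usr/lib/, writes only to
   stdout/stderr, socket creation redirected to a user-space emulation stub. */
static const struct rule policy[] = {
    { SC_OPEN,   "/usr/lib/", -1, O_WRONLY_ | O_RDWR_, ALLOW   },
    { SC_WRITE,  NULL,         2, 0,                    ALLOW   },
    { SC_SOCKET, NULL,        -1, 0,                    EMULATE },
};

/* Decide one system call. 'path' is the copy the guard took of the string
   argument before checking, so the value checked is the value passed on.
   Anything no rule matches falls through to ABORT: deny by default. */
enum verdict authorize(enum sysno nr, const char *path, int fd, long flags)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->nr != nr) continue;
        if (r->path_prefix &&
            (!path || strncmp(path, r->path_prefix, strlen(r->path_prefix)) != 0)) continue;
        if (r->fd_max >= 0 && fd > r->fd_max) continue;
        if (r->flags_mask && (flags & r->flags_mask)) continue;
        return r->verdict;
    }
    return ABORT;
}
```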
Information
- Uses the fastBT framework (for the first security principle)
- Additional guards are added during compilation, and dynamic guards at runtime
Download