
Research projects:

  • Levee, a prototype implementation of the CPI/CPS/double stack security mechanisms.
  • fuzzBALL, a binary symbolic execution framework.
  • memTrace, a lightweight memory tracing framework.
  • TRuE, a security-enforcing protection mechanism and dynamic binary rewriter.
  • adaptSTM, a self-adaptive STM system.



Levee: a CPI/CPS/Double Stack Prototype Implementation

Levee is a prototype implementation of Code-Pointer Integrity (CPI), Code-Pointer Separation (CPS), and the Double Stack proposed in our OSDI'14 paper. The full source code is released as open source and as an LLVM patch; hardened FreeBSD packages are released as binaries.

Downloads



fuzzBALL: a Fast Symbolic Execution Framework

fuzzBALL is a symbolic execution tool for binary code, based on the BitBlaze Vine library. (The name comes from the phrase "FUZZing Binaries with A Little Language": "fuzzing" is a common application of symbolic execution to bug-finding, and the "little language" refers to the Vine intermediate language that fuzzBALL uses for execution. Also, "fuzzball" is a common nickname for a small kitten, and fuzzBALL was originally intended to be simpler and lighter-weight than some other symbolic execution tools.) fuzzBALL is used in several research projects, e.g., HI-CFG, transformation-aware exploit generation, and transformation-aware system test generation.

Downloads



memTrace: Lightweight Memory Tracing

memTrace is a lightweight memory tracing infrastructure that supports user-defined memlets (short sequences of code executed for every memory access) for unmodified x86 binary applications. A cross-ISA binary translator builds on libdetox to translate the application from x86 to x86_64 and to weave the memlets into the executed application code. By using the wider memory space and the additional registers of x86_64, memTrace achieves very low performance overhead for full memory tracing.

Downloads



TRuE: Trusted RUntime Environment

TRuE is a secure runtime environment that enables the safe execution of untrusted (but not malicious) code. Untrusted code (e.g., the Apache server) is dynamically analyzed and secured against different forms of control-flow based attacks like code injection, control-flow redirection, and return oriented programming. This fine-grained security layer detects an attack right when it happens (i.e., before the illegal control-flow transfer is executed) and terminates the program. A second layer of protection uses a system-call interposition layer to validate each executed system call against a rigorous system call policy. TRuE uses several components both to extract information from the application and to secure it:

  • A secure loader replaces the standard loader (ld.so). The secure loader is a part of the trusted domain and extracts information about each used shared object (the executable and all loaded shared libraries). The information contains details about individual memory regions and the locations of symbols and relocation slots. Details about the secure loader are published in the TRuE paper. The information is then used in the binary translator to weave control flow checks into the translated application code.
  • libdetox is the virtualization system that separates user space into two execution domains: the trusted sandbox domain, which contains the binary translator, and the untrusted application domain. The sandbox domain uses a stack separate from the application stack and makes sure that no pointers leak to the application. All application code is translated using the binary translator. In addition, all system calls are redirected from the application domain to the sandbox domain, where they are handled (interposed, redirected, or executed). The libdetox system is published at VEE'11, 27c3'11, and 26c3'09. The binary translator is also extended with a low-level, domain-specific aspect language that makes code generation easier; see DSAL'12 for more information.
  • The binary translator fastBT uses a table-based translation scheme and thread-local code caches to dynamically translate all application code. Trampolines are used to translate individual indirect control flow transfers (indirect jumps, indirect calls, and function returns). The translation tables cover the complete set of x86-ia32 instructions and a table generator can be used to specify high-level code transformations (the API is similar to PIN with the difference that fastBT offers the high-level API at compile time while PIN offers the API at runtime). fastBT is published at SYSTOR'10 and AMAS-BT'09.
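As an added illustration of the system-call interposition layer described above (this is not TRuE's or libdetox's own code), the following C sketch shows how the trusted sandbox domain can check each requested system call against a default-deny policy table before forwarding it to the kernel. The rule format, the sample rules, the function names and the document root "/var/www/" are assumptions made for this example; the syscall numbers are the IA-32 Linux numbers, which is the platform TRuE targets.

```c
/* Added illustration of a system-call policy check for an interposition
 * layer. NOT TRuE/libdetox code: the rule format, the sample policy and the
 * function names are assumptions made for this example. The syscall numbers
 * are the real IA-32 Linux numbers (TRuE's target platform). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { NR_EXIT = 1, NR_READ = 3, NR_WRITE = 4, NR_OPEN = 5, NR_CLOSE = 6,
       NR_EXECVE = 11 };

enum verdict { DENY = 0, ALLOW = 1 };

/* One policy rule: matches a syscall number and optionally constrains the
 * first argument, either as a file-descriptor range or as a path prefix. */
struct rule {
    int nr;
    int check_fd;            /* nonzero: args[0] must lie in [fd_min, fd_max] */
    long fd_min, fd_max;
    const char *path_prefix; /* non-NULL: args[0] is a C string with this prefix */
};

/* Constructed sample policy for a hypothetical web server in the sandbox:
 * it may read stdin, write stdout/stderr, close descriptors it opened, open
 * files under its document root, and exit. Everything else is denied. */
static const struct rule policy[] = {
    { NR_EXIT,  0, 0, 0,    NULL        },
    { NR_READ,  1, 0, 0,    NULL        },
    { NR_WRITE, 1, 1, 2,    NULL        },
    { NR_CLOSE, 1, 3, 1023, NULL        },
    { NR_OPEN,  0, 0, 0,    "/var/www/" },
};

/* Reject any ".." path component; a real sandbox would canonicalize the
 * path instead, since a prefix match alone does not confine the access. */
static int has_dotdot(const char *p)
{
    while (*p) {
        const char *e = strchr(p, '/');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!e)
            break;
        p = e + 1;
    }
    return 0;
}

/* Decide whether the sandbox domain may forward this system call to the
 * kernel. The first matching rule decides; unlisted syscalls are denied. */
enum verdict check_syscall(int nr, const long args[6])
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->nr != nr)
            continue;
        if (r->check_fd && (args[0] < r->fd_min || args[0] > r->fd_max))
            return DENY;
        if (r->path_prefix) {
            const char *path = (const char *)args[0];
            if (path == NULL ||
                strncmp(path, r->path_prefix, strlen(r->path_prefix)) != 0 ||
                has_dotdot(path))
                return DENY;
        }
        return ALLOW;
    }
    return DENY;
}

int main(void)
{
    long a_write[6] = { 1, 0, 0, 0, 0, 0 };
    long a_exec[6]  = { 0, 0, 0, 0, 0, 0 };
    long a_open[6]  = { (long)"/var/www/index.html", 0, 0, 0, 0, 0 };
    printf("write(1)            -> %s\n", check_syscall(NR_WRITE, a_write) == ALLOW ? "allow" : "deny");
    printf("execve              -> %s\n", check_syscall(NR_EXECVE, a_exec) == ALLOW ? "allow" : "deny");
    printf("open(/var/www/...)  -> %s\n", check_syscall(NR_OPEN, a_open) == ALLOW ? "allow" : "deny");
    return 0;
}
```

Build with cc -std=c99 -Wall and run. Two points carry over to a real interposition layer: the check must run on argument values already copied into the trusted domain (an untrusted thread could otherwise modify the path between the check and the actual call), and path rules need canonicalization rather than the simple prefix-and-".." test used here.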

For a complete description and evaluation of TRuE look at my PhD thesis. If you are interested in a quick overview watch my Google TechTalk for an overview of fastBT, or my 27c3 talk and my 26c3 talk for an overview of libdetox.

TRuE has the following runtime requirements: a machine with an IA-32 (x86) CPU, a Linux kernel 2.6 or higher, and GCC version 4.2 or higher. To use it, download one of the software packages below, unpack it in a directory, read the INSTALL information, (optionally) adapt the translation tables, configure the optimizations (both the additional security settings and the performance settings), and run it. fastBT and libdetox both use LD_PRELOAD to inject the binary translator into the application, while TRuE uses the secure loader to initialize the sandbox before the application is loaded.

Downloads



adaptSTM: a fast, adaptive Software Transactional Memory system

We present adaptSTM, a competitive, word-based STM library that is based on a global clock and an array of combined global versions (timestamps) and locks. To keep track of transactional data, adaptSTM implements a multi-level buffer and uses read-set extension to achieve competitive performance. A detailed description of the system is available in the technical report, and the ISPASS'11 publication contains a more detailed evaluation.

Downloads