How Twiggy Saved Sparky Joseph Calandrino Matt Spear

How Twiggy Saved Sparky Joseph Calandrino Matt Spear Malware Seminar – Fall 2004

Meet Twiggy
Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.
http://goatload.com/mt/

Meet Robbie
http://www.mumi.org/metissages/fr/artificiel.html
http://www.dachshundalley.com/

Robbie’s Setup
• walkAnimal(name)
• feedAnimal(name)
• petAnimal(name)
All three call doAction(action, name)

Evil Is Afoot
If only I could modify the action for doAction…
http://www.austinpowers.com/
http://www.rit.edu/~sli4356/

More on Robbie
petAnimal(name)
  name:   [ ]
  action: [P E T]
doAction(action, name)
Disclaimer: This is simplified

Evil Is Afoot
petAnimal("SPARKYEA")… Sparky is mine!!!

More on Robbie
petAnimal(name)
  name:   [S P A R K Y]
  action: [E A T]  (the input spilled past name into action)
doAction(action, name)

Sparky Senses Danger
petAnimal(name)
  name:   [S P A R K Y]
  action: [P E T]
doAction(action, name)
http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg

The Dreaded Double Pointer
  name:   [S P A R K Y]
  action: [P E T]
http://www.austinpowers.com/

Evil Will Not Be Deterred
  name:   [S P A R K Y]
  action: [E A T]

Turn on the Twiggy-Signal
http://www.erva.com/pics/Product.Ideal/SQUIRREL%201.jpg

Twiggy to the Rescue
Secret key = 32589
Robbie needs to store this somewhere inaccessible to Dr. Evil…
  name:   [ ]
  action: [P E T]
Modify Robbie’s code to maintain hashes of all buffers:
  addr    len  hash
  action  3    hash(PET)
Also stores data for name:
  name    …    Hash(…)
http://kevintdriver.hopto.org/images/squirrel.ski.jpg

Without Spoiling Your Day
But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.
http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml

Stop That Modification!
Check it before use:
petAnimal(name)
  name:   [S P A R K Y]
  action: [E A T]
if (hash(_) != _) exit
  addr    len  hash
  action  3    hash(PET)
doAction(action, name)

Dr. Evil Is Foiled
Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key.
http://www.cotbn.com/2002_12_01_archive.html
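The scheme on the last three slides (a table of addr/len/keyed-hash rows for critical buffers, and a check inserted before doAction) as an added C example; this is not the authors' code. The struct layout, the overflow of name into action, the 32589 key and the toy keyed hash are assumptions modelled on the slides, and the hash is for illustration only, not a real MAC.

```c
#include <stdint.h>
#include <string.h>

/* Robbie's storage as drawn on the slides: name sits directly before action,
   so bytes written past the end of name land in action. */
struct robbie {
    char name[6];    /* "SPARKY", no terminator */
    char action[4];  /* "PET" plus terminator */
};
/* One row of Twiggy's table: addr, len, hash. */
struct guard { const unsigned char *addr; size_t len; uint64_t hash; };
/* The slides' key (32589); assumed to live where Dr. Evil cannot read it. */
static const uint64_t SECRET_KEY = 32589;

/* Keyed hash of a buffer: toy FNV-1a mixed with the key, used only to show
   the scheme. It is not a real MAC. */
static uint64_t keyed_hash(const unsigned char *p, size_t len) {
    uint64_t h = 14695981039346656037ULL ^ SECRET_KEY;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h ^ SECRET_KEY;
}

/* Record a critical buffer's current contents in the table. */
static void guard_register(struct guard *g, const void *addr, size_t len) {
    g->addr = addr; g->len = len; g->hash = keyed_hash(g->addr, len);
}
/* The check inserted before a dangerous call: 1 if the buffer still matches
   its table entry, 0 if it was modified. */
static int guard_check(const struct guard *g) {
    return keyed_hash(g->addr, g->len) == g->hash;
}

/* Model of petAnimal(input): copies input over Robbie's storage with no
   bounds check (the slides' overflow, kept inside the struct so the demo is
   well-defined C). Returns 1 if doAction may run, 0 if the check blocks it. */
static int pet_animal(const char *input, char action_out[4]) {
    struct robbie r;
    struct guard g;
    memcpy(r.name, "SPARKY", 6);
    memcpy(r.action, "PET", 4);
    guard_register(&g, r.action, sizeof r.action);
    size_t n = strlen(input);
    if (n > sizeof r) n = sizeof r;
    memcpy(&r, input, n);             /* "SPARKYEA" turns PET into EAT */
    memcpy(action_out, r.action, 4);  /* what doAction would have seen */
    return guard_check(&g);
}
```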

But At What Cost?
• Hashes and checks can be computationally expensive
• Can Robbie feed Twiggy and Sparky on time?
http://www.pets.info.vic.gov.au/02/sdd_dlang.htm
http://www.nd.edu/~tdavidso/Mexico.htm

The Statistics

Reduce the Cost
• Do we need to check all buffers?
• What about only checking buffers used as inputs to dangerous methods? (That’s all the buffers in our example, but likely far fewer than in the program)
• Can Twiggy use call-graph analysis to find those buffers?

Did It Work?
• Basic defense method protects buffers from modification.
• Aliasing ignored.
• Can we track down critical buffer values?
• We’re still working on that.
• But, for Twiggy, yes (this is supposed to be a happy story)

Happily Ever After
By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.
http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm