Runtime integrity validation of executable C binaries using trusted platform module
Software developers working under pressure and tight deadlines frequently fail to implement secure programming practices during software development stages. Both constraints are one of the major contributing factors leading to the exploitation of software vulnerabilities for malicious intentions....
Saved in:
| Main Author: | |
|---|---|
| Format: | Thesis |
| Language: | English |
| Published: |
2017
|
| Online Access: | http://psasir.upm.edu.my/id/eprint/71109/1/FK%202017%2024%20-%20IR.pdf http://psasir.upm.edu.my/id/eprint/71109/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| id |
my.upm.eprints.71109 |
|---|---|
| record_format |
eprints |
| institution |
Universiti Putra Malaysia |
| building |
UPM Library |
| collection |
Institutional Repository |
| continent |
Asia |
| country |
Malaysia |
| content_provider |
Universiti Putra Malaysia |
| content_source |
UPM Institutional Repository |
| url_provider |
http://psasir.upm.edu.my/ |
| language |
English |
| description |
Software developers working under pressure and tight deadlines frequently fail to
implement secure programming practices during software development stages. Both
constraints are one of the major contributing factors leading to the exploitation of
software vulnerabilities for malicious intentions. Furthermore, commercially
developed software, owing to intellectual property protection, do not provide the
source code – finished products are only shipped in the form of executable binaries.
Unfortunately, the exploitation of executable binaries with vulnerabilities, especially
those coded with the C programming language leads to malicious, undesirable
effects such as buffer overflows, privilege escalation (spawning an attackers’ shell)
or premature termination of an executing binary (the C language possesses powerful
memory manipulation features i.e. pointers). The following gaps were identified in
these three related past efforts into the integrity validation of executables: CBones,
Dytan and RTC. First, in CBones, these limitations were identified: a memory
debugging tool called Valgrind is required for validation, does not mitigate the
vulnerable executable and reports high overheads (Normalized Performance of 0.87).
Second, in Dytan, these limitations were identified: requires the use of a dynamic
binary instrumentation tool called PINTOOLS for validation, does not mitigate the
vulnerable executable and reports high overheads (Normalized Performance of 0.85).
Lastly, in RTC, these limitations were identified the executable source code is
required for validation and heavy use of static analysis leading to high overheads
(Normalized Performance of 1.10). In this thesis, we propose our framework for the
runtime integrity validation of executable binaries: Runtime Integrity Validation of
Executable Binaries or RIBS. Our framework merges both static (for offline
profiling) and dynamic (for runtime validation) analysis techniques for the runtime
validation of the integrity of executables compiled with the C programming
language. The integrity validation metadata of a trusted, origin executable is stored
in a Trusted Platform Module (TPM) hardware register to prevent tampering. Such
ensures that the executable binary integrity validation metadata can be totally
trusted. In the security evaluation of RIBS, we had subjected RIBS to mitigate 10
categories of buffer overflow attack patterns in the Wilander and Kamkar testsuite (encompassing the stack, heap and data/bss executable userspace memory areas), 5
real world shellcodes and 3 real world applications with buffer overflow
vulnerability. RIBS is successful in the detection and termination of all 18 attacks
patterns deployed. In terms of performance evaluations, overhead was measured in
terms of CPU execution time [via GNU clock()]. We measured the CPU execution
time of RIBS and compared the results with the CPU execution time of two major
categories of attack mitigation mechanism deployed in the testbed Fedora Core 20
Linux OS: Address Space Layout Randomization (ALSR) and 5 other attack
mitigation mechanisms implemented via the gcc compiler. Performance evaluations
reveal that RIBS reported highest Normalized Performance (NP) of 0.68, which is
the lowest as compared to CBones (0.87), Dytan (0.85) and RTC (1.10).
Conclusively, RIBS performs marginally better as compared to all three efforts
(CBones, Dytan and RTC) which requires the use of memory debugging tools for
integrity validation of executable binaries. RIBS does not require the use of any
tools. RIBS is able to detect integrity violations caused by these categories of
violations: all forms of buffer overflow attacks mounted via the Wilander and
Kamkar testsuite and real world privilege escalation attack shellcodes. Furthermore,
as a last line of defence, RIBS is able mitigate integrity violations in executables via
the runtime termination of the offending executable. This feature not available in
CBones, Dytan and RTC. |
| format |
Thesis |
| author |
Teh, Jia Yew |
| spellingShingle |
Teh, Jia Yew Runtime integrity validation of executable C binaries using trusted platform module |
| author_facet |
Teh, Jia Yew |
| author_sort |
Teh, Jia Yew |
| title |
Runtime integrity validation of executable C binaries using trusted platform module |
| title_short |
Runtime integrity validation of executable C binaries using trusted platform module |
| title_full |
Runtime integrity validation of executable C binaries using trusted platform module |
| title_fullStr |
Runtime integrity validation of executable C binaries using trusted platform module |
| title_full_unstemmed |
Runtime integrity validation of executable C binaries using trusted platform module |
| title_sort |
runtime integrity validation of executable c binaries using trusted platform module |
| publishDate |
2017 |
| url |
http://psasir.upm.edu.my/id/eprint/71109/1/FK%202017%2024%20-%20IR.pdf http://psasir.upm.edu.my/id/eprint/71109/ |
| _version_ |
1643839825917247488 |
| spelling |
my.upm.eprints.711092019-08-29T08:15:14Z http://psasir.upm.edu.my/id/eprint/71109/ Runtime integrity validation of executable C binaries using trusted platform module Teh, Jia Yew Software developers working under pressure and tight deadlines frequently fail to implement secure programming practices during software development stages. Both constraints are one of the major contributing factors leading to the exploitation of software vulnerabilities for malicious intentions. Furthermore, commercially developed software, owing to intellectual property protection, do not provide the source code – finished products are only shipped in the form of executable binaries. Unfortunately, the exploitation of executable binaries with vulnerabilities, especially those coded with the C programming language leads to malicious, undesirable effects such as buffer overflows, privilege escalation (spawning an attackers’ shell) or premature termination of an executing binary (the C language possesses powerful memory manipulation features i.e. pointers). The following gaps were identified in these three related past efforts into the integrity validation of executables: CBones, Dytan and RTC. First, in CBones, these limitations were identified: a memory debugging tool called Valgrind is required for validation, does not mitigate the vulnerable executable and reports high overheads (Normalized Performance of 0.87). Second, in Dytan, these limitations were identified: requires the use of a dynamic binary instrumentation tool called PINTOOLS for validation, does not mitigate the vulnerable executable and reports high overheads (Normalized Performance of 0.85). Lastly, in RTC, these limitations were identified the executable source code is required for validation and heavy use of static analysis leading to high overheads (Normalized Performance of 1.10). In this thesis, we propose our framework for the runtime integrity validation of executable binaries: Runtime Integrity Validation of Executable Binaries or RIBS. Our framework merges both static (for offline profiling) and dynamic (for runtime validation) analysis techniques for the runtime validation of the integrity of executables compiled with the C programming language. The integrity validation metadata of a trusted, origin executable is stored in a Trusted Platform Module (TPM) hardware register to prevent tampering. Such ensures that the executable binary integrity validation metadata can be totally trusted. In the security evaluation of RIBS, we had subjected RIBS to mitigate 10 categories of buffer overflow attack patterns in the Wilander and Kamkar testsuite (encompassing the stack, heap and data/bss executable userspace memory areas), 5 real world shellcodes and 3 real world applications with buffer overflow vulnerability. RIBS is successful in the detection and termination of all 18 attacks patterns deployed. In terms of performance evaluations, overhead was measured in terms of CPU execution time [via GNU clock()]. We measured the CPU execution time of RIBS and compared the results with the CPU execution time of two major categories of attack mitigation mechanism deployed in the testbed Fedora Core 20 Linux OS: Address Space Layout Randomization (ALSR) and 5 other attack mitigation mechanisms implemented via the gcc compiler. Performance evaluations reveal that RIBS reported highest Normalized Performance (NP) of 0.68, which is the lowest as compared to CBones (0.87), Dytan (0.85) and RTC (1.10). Conclusively, RIBS performs marginally better as compared to all three efforts (CBones, Dytan and RTC) which requires the use of memory debugging tools for integrity validation of executable binaries. RIBS does not require the use of any tools. RIBS is able to detect integrity violations caused by these categories of violations: all forms of buffer overflow attacks mounted via the Wilander and Kamkar testsuite and real world privilege escalation attack shellcodes. Furthermore, as a last line of defence, RIBS is able mitigate integrity violations in executables via the runtime termination of the offending executable. This feature not available in CBones, Dytan and RTC. 2017-03 Thesis NonPeerReviewed text en http://psasir.upm.edu.my/id/eprint/71109/1/FK%202017%2024%20-%20IR.pdf Teh, Jia Yew (2017) Runtime integrity validation of executable C binaries using trusted platform module. PhD thesis, Universiti Putra Malaysia. |
| score |
13.211869 |