Jonas Maebe

Feedback-driven binary code diversification

As described in many blog posts and in the scientific literature, exploits for software vulnerabilities are often engineered on the basis of patches. For example, “Microsoft Patch Tuesday” is often followed by “Exploit Wednesday” during which yet unpatched systems become vulnerable to patch-based exploits. Part of the patch engineering includes the identification of the vulnerable binary code by means of reverse-engineering tools and diffing add-ons. In this article we present a feedback-driven compiler tool flow that iteratively transforms code until diffing tools become ineffective enough to close the “Exploit Wednesday” window of opportunity. We demonstrate the tools effectiveness on a set of real-world patches and against the latest version of BinDiff.

Javana: a system for building customized Java program analysis tools

Understanding the behavior of applications running on high-level language virtual machines, as is the case in Java, is non-trivial because of the tight entanglement at the lowest execution level between the application and the virtual machine. This paper proposes Javana, a system for building Java program analysis tools. Javana provides an easy-to-use instrumentation infrastructure that allows for building customized profiling tools very quickly.Javana runs a dynamic binary instrumentation tool underneath the virtual machine. The virtual machine communicates with the instrumentation layer through an event handling mechanism for building a vertical map that links low-level native instruction pointers and memory addresses to high-level language concepts such as objects, methods, threads, lines of code, etc. The dynamic binary instrumentation tool then intercepts all memory accesses and instructions executed and provides the Javana end user with high-level language information for all memory accesses and natively executed instructions.We demonstrate the power of Javana through a number of applications: memory address tracing, vertical cache simulation and object lifetime computation. For each of these applications, the instrumentation specification requires only a small number of lines of code. Developing similarly powerful profiling tools within a virtual machine (as done in current practice) is both time-consuming and error-prone; in addition, the accuracy of the obtained profiling results might be questionable as we show in this paper.

An efficient data race detector backend for DIOTA

Publisher Summary This chapter describes data race backend developed for DIOTA (Dynamic Instrumentation, Optimization and Transformation of Applications). DIOTA is generic instrumentation tool, and this tool uses so-called backend to use the information gathered using the instrumentation. Data race backend uses innovative technologies like multilevel bitmaps, snooped matrix clocks, and segment merging in order to limit the amount of memory used. The tool was implemented for Linux systems running on IA32 processors and is fully operational. In the future, if one wants to improve the speed of the data race backend in several ways, one technique is to remove redundant checks of addresses; once an address has been written to once in a segment, all subsequent read and write operations to the same address are irrelevant as far as data race detection is concerned. Therefore, it is possible to greatly optimize the instrumentation. Simple testing has shown that for e.g., the Mozilla web browser, 60% of the memory accesses use the same address as the previous memory access. Also when looking at loops, it is possible to move a lot of instrumentation code out of the loop body, e.g., the instrumentation of the write operations to loop counters.

Detecting data races in sequential programs with DIOTA

In this paper we show that data races, a type of bug that generally only causes havoc in parallel programs, can also occur in sequential programs that use signal handlers. Fortunately, it turns out that adapting existing data race detectors to detect such bugs for sequential programs is straightforward. We present such a tool, and we describe the modifications that were necessary to detect data races in sequential programs. The experimental evaluation revealed a number of data races in some widely used programs.

Mitigating Smart Card Fault Injection with Link-Time Code Rewriting: A Feasibility Study

We present a feasibility study to protect smart card software against fault-injection attacks by means of binary code rewriting. We implemented a range of protection techniques in a link-time rewriter and evaluate and discuss the obtained coverage, the associated overhead and engineering effort, as well as its practical usability.

Link-time smart card code hardening

This paper presents a feasibility study to protect smart card software against fault-injection attacks by means of link-time code rewriting. This approach avoids the drawbacks of source code hardening, avoids the need for manual assembly writing, and is applicable in conjunction with closed third-party compilers. We implemented a range of cookbook code hardening recipes in a prototype link-time rewriter and evaluate their coverage and associated overhead to conclude that this approach is promising. We demonstrate that the overhead of using an automated link-time approach is not significantly higher than what can be obtained with compile-time hardening or with manual hardening of compiler-generated assembly code.

Building Java program analysis tools using Javana

Javana is a tool for creating customized Java program analysis tools. It comes with an easy-to-use instrumentation framework that enables programmers to develop profiling tools that crosscut the Java application, the Java Virtual Machine (JVM) and the native execution layers. The goal of this poster is to demonstrate the power of Javana, using object lifetime computation as an example.Object lifetime has proven to be useful for analyzing and optimizing the behavior of Java applications. Computing object lifetime is conceptually simple, however, in practice it is often challenging. The JVM needs to be adjusted in numerous ways in order to track all possible accesses to all objects, including accesses that occur through the Java Native Interface (JNI), the standard class libraries, and the JVM implementation itself. Capturing all object accesses through manual instrumentation requires an in-depth understanding of the JVM and its libraries. We show that using Javana is both easier and more accurate than manual instrumentation.