[00:00:10] >> I want to introduce Shachee Mishra. She is a PhD student from Stony Brook University and her research interests are software and system security and trusted execution environments. Her work is primarily in defending against code reuse attacks by means of attack surface reduction. Welcome, we look forward to your talk. >> Thank you so much Laura, thank you Steve, and all the others and colleagues who have been in touch; thank you for organizing everything, it's a pleasure to be here. [00:00:51] I'm from Stony Brook University, part of the lab of Michalis, who is my advisor, and today I'll be presenting my talk on specialization for attack surface reduction. So let's start with a primer on code reuse attacks before going into the details of what I'm doing. In the simplest terms, in the case of a code reuse attack an attacker reuses instructions from a benign, legitimate application; they do this to attain arbitrary functionality. [00:01:30] There's this one analogy which I really like: it's basically similar to how the same set of small Lego pieces can be used to make any arbitrary design. You know, you can make a car out of it, you can make a watermelon out of it, and you can make my favorite one, which is the Baby Yoda. [00:01:52] To continue a bit more technically, as I said, in the case of code reuse attacks the adversary can reuse the benign code from the process address space. To get an idea about how it works, this is a sample application that I will be using throughout my presentation. [00:02:11] It's a simple control flow graph: it starts at main and goes from one point to the other.
When this application wants to interact with the operating system, it uses shared libraries, which do this on the application's behalf: the application makes a call to the shared library, which in turn calls the operating system. Now suppose this application has a bug hidden somewhere in the program and the attacker is able to find it and exploit it. Once it is exploited, the attacker would have the ability to control flow within the application, and so they look for gadgets in the application. Now these gadgets could be small functions or instruction sequences; we'll look at them later in the talk. Once found, what the attacker does with these gadgets is chain them together to achieve arbitrary functionality. [00:03:07] Now if this attacker would like to interact with the operating system, which is going to be the case in order to do anything substantial, usually to read or write a file, to open a connection or something of that sort, they would need to interact with the OS, and for that the gadgets that they find are going to be from the shared library. [00:03:30] I was talking about code reuse attacks and how, with these simple sort of Lego pieces, they were able to make a car or a watermelon or my favorite one, which was the Baby Yoda. [00:03:48] OK so, going back to where we were, I don't think I explored anything further. As I said, the adversary can reuse the benign code from the process address space. So this is kind of a control flow graph; it starts at main and moves from one function to the other.
[00:04:08] And when this application wants to interact with the OS, as I said, it would do so using shared libraries. Now suppose this application had this small bug and the attacker was able to exploit it; they would try to look for gadgets in the address space and chain them together for arbitrary functionality. What I was saying last was, if we had this application [00:04:31] and the attacker wants to do anything substantial within the system that they have compromised, say read or write files, open or create network connections, what they would do is try to look for these gadgets within the shared libraries. Going forward, to get a better sense of how the reuse of instructions that I just described works, here is a small example of a particularly popular code reuse attack [00:05:01] scenario called return-oriented programming. What ROP does is the control flow from one gadget to the other happens using return instructions. So let's say we had this attacker who wants to do something fairly simple, which is just adding two numbers: I want to know what the addition of 5 and 7 is. The simple instruction sequence for this would look something like this: you move 5 into a [00:05:28] register, 7 into another one, and then add. Now, if this is the text section of a given application, I think it's safe to assume that this particular sequence of instructions would not be present in the text section. So what this attacker tries to do is find snippets of instructions which would do this on the attacker's behalf. In this example we have these three instruction sequences, each of them ending with a return, [00:06:07] and we can see that using these sequences they have the ability to attain the functionality, which was adding 5 and 7.
So what they do is they take these instructions, get their addresses, and create a payload which has the addresses of the gadgets that we saw, with the data in between. Let's take a small example and see what happens. [00:06:32] So in the beginning the two registers would be empty, as expected, and the stack pointer would be at the very beginning of the payload. Now what it tries to do, first of all, is move to the first address, and the first gadget is very simple: it pops whatever is at the top of the stack into a register, so by the end of it we can see that the first register now has the value 5. Similarly, in the next step we get the other gadget, and once this is done the second register also has the value 7. Now we look for the third instruction, which is the addition instruction, and once this is executed [00:07:19] it adds the values from the two registers and basically just writes the result into the register. At the end of this whole scenario we have a register which has the value 12, which was basically what the attacker was trying to do. Again, this is an extremely simplified example, but it gives a good idea about how ROP and code reuse attacks really work. So how does attack surface reduction help here? What we want is to reduce whatever is available for the attacker, so that basically the attacker might not be able to find the gadgets they're interested in. In this case, say they were able to find these two gadgets, but when they wanted to look for the addition gadget, [00:08:03] they tried to look for it in the text section and it could not be found, so the attacker would not be happy. This is again a very simplified understanding of how it works.
Code reuse attacks in general are used as a first step in the case of a hybrid attack. What is a hybrid attack? I'm going to explain. ROP gadgets have been proven to be Turing complete, so they can implement any functionality that you want, but as expected they are extremely complicated to implement. So in this case the attackers use something called the hybrid model, where they only use ROP chains in the beginning to attain executable memory, and once they have memory that is executable they will simply write malicious instructions there and go through that. For example, here is the data section of an application which has write permissions; the attacker can write their malicious code onto it, but obviously this cannot be executed. [00:09:15] What the attacker does here is use ROP to call the function VirtualProtect, in the case of Windows, which changes the memory permission. Once this function has made its changes, we can see the W is gone and now [00:09:35] this part of memory is executable. Once this is done, the attacker has basically just turned it into a code injection attack and can go forward from there. What's important to notice is that these kinds of functions, which deal with changing memory protections, are extremely important and are among what we call the most critical functions; we'll get to that next. [00:10:02] Going back to attack surface reduction: obviously one way, as in the example that we saw, is that you remove anything that the application doesn't need. So how does that work? Suppose we have just one application here and it uses the function foo from a shared library.
[00:10:23] Without any attack surface reduction in place, if the attacker compromises the application, they would still have the ability to use another function, say bar, from the same library. With attack surface reduction in place, this function bar is removed; it's no longer there, because we knew that the application was never going to use it. Once that is the case, when the attacker tries to call this function, they basically will not find it, and the attack does not go through. [00:10:57] So, on to preventing these attacks. One of the first works that ever did attack surface reduction was called code stripping. Stripping was basically this: they look into these dynamic libraries, the dynamically linked libraries or DLLs, which add a large portion to the address space that is not going to be used. To get an idea, I think it's safe to assume that DLLs are used in applications of every size, and for a reasonably useful application more than 100 DLLs is not really that unheard of. [00:11:41] They do pack a lot of functionality into them for optimization purposes, so that once the DLL is loaded you can use as many functions as possible, but the applications, as expected, do not use every function that is offered. Now even if a single function within the whole DLL is being used, basically the entire DLL gets loaded, so now the application's address space has a lot of code which would never be used by the application. [00:12:12] So here's a meme that I really like. The first panel is what the layman generally thinks: that you have this one executable and that's all it uses. When I started working in this area my expectation was also, you know, what the researcher thinks: OK, we'll have a few [00:12:36] DLLs loaded, then we can just look for the gadgets. What actually happens is that there's this massive number of DLLs that have been loaded, which pack a lot of functionality which never gets used. So say we have this sample application, which loads only one DLL, just to start, [00:12:56] which is the most popular Windows DLL, called kernel32. In this case the import table determines what functionality from this DLL is going to be used by this application. Now we can see that the import table has a size of 4, so basically there were only 4 functions that this application would ever need, and the attacker, if they are able to exploit the application, can directly use any of the functions that are available from kernel32 that it has loaded. As you can see, that has a lot of functionality which was not going to be used by the application and is available for the attacker to use. [00:13:39] Once the functions that are going to be used by the application across its runtime are identified, the slimming concept basically creates a slim version of the same DLL which actually does the same exact thing that the earlier version was doing, except now it is really compact and only provides the functionality that the current application uses. [00:14:08] So at this point it genuinely looks like the problem was solved, because this is what the application really needs, we remove everything else, and the attackers can no longer reuse or have access to anything that was not being used by the application. [00:14:29] The reality of it is slightly different.
We'll see what that means, but before that, a natural question to ask in such scenarios is: one, what proportion of the DLL is usually used by the application, and two, does the reduced attack surface actually prevent the kind of attacks that we're looking at? So let's talk about the first question, which is what proportion of the DLL is usually used. [00:14:55] We did our experiments with a number of Windows end-user applications; instead of going into the details, let's just look at the first two columns. The columns here are different DLLs, and each row is one application that we tested, and we can see that for these DLLs, which export close to 1200 to 2000 functions, a complicated application like Adobe barely used a small percentage of them. This is consistent across all the rows and across all the columns. So to answer the question that we began with: [00:15:35] a very small proportion of the DLL is actually used by the applications, so there is a lot of code loaded which is available for the attacker. Before we go any further, let's go back to the concept of critical functions that we started off with earlier. In our experience, there are functions which are more important for the attacker, [00:16:01] which are more useful for the attacker compared to others. We identified a set of 52 functions that we call critical, more important for the attacker. Five of them I have here: it includes LoadLibrary, which loads a new library; GetProcAddress, which finds the address of a function within a loaded library; CreateProcess, which creates a new process; and the last one, VirtualProtect, which is used a lot to update memory protections. [00:16:30] Again, using the same set of applications that we had for the first experiment, we ran an experiment just to see if these applications were really using these functions. The results look something like this: a green checkmark says that it has been used by the application, a red cross says that it has not. Without going into much detail, I think it's easy to understand that of the critical functions, most of the applications used quite a big subset of them. [00:17:03] What this means is that an approach like the function-level attack surface reduction that we discussed initially would not actually help much, because if the application is using something it is not going to be removed, and because it's not going to get removed it's available for the attacker. [00:17:23] On top of it, as we can see in the first two columns here, these two functions, the one to load a new library and the one to find a function address in the library, are used by everything everywhere. So what that means is this combination gives the attackers the ability to load any random library and any function from it, [00:17:44] and to go further against that. From this point on, since I think I've motivated enough, I'll start talking about my own work and what I've been doing. The theme of this talk is to introduce this thing called argument-level specialization. As one of the previous slides stated, not all functions can be removed by function-level debloating or attack surface reduction; they basically both mean the same thing. [00:18:19]
We think that using argument-level specialization we should be able to further extend the impact of function-level attack surface reduction by restricting the arguments passed to these critical functions. So let's bring back the application that we were looking at; it has 2 instances of the function foo being called. Even with function-level attack surface reduction, we can see that the attacker can still make the same call, just using a different argument, and the call goes through. [00:18:49] With argument-level specialization, though, the function foo gets specialized: it is specialized to only accept the arguments from the original codebase of the application in question, so in this case one and two, and now when the attacker tries to make another call using an argument which is not one of those, the attack basically fails. [00:19:14] To start with, we first introduced Windows-based specialization in a tool we call Shredder, and the simple statement that it implements is that by specializing the arguments of critical functions, the effects of attack surface reduction can be extended further. What Shredder does is it works by identifying the security-critical API functions, the kind we've been discussing in the last few slides, like VirtualProtect, LoadLibrary, etc. As mentioned, this list was derived by taking help from previous work and by studying in-the-wild exploits.
[00:19:57] Just to get an idea of what kind of functionality we look at: the goal of Shredder is to neutralize dangerous argument values or combinations, for example the memory protection for VirtualProtect, the host that the application connects to, and so on. The main intuition behind all this specialization is that the way an application uses a critical function and the way exploit code, so the attacker, uses it are totally different, mutually exclusive, and thus we would be able to have that demarcation where we can say: OK, this is what is used by the application, everything is fine; anything else has to be stopped. [00:20:41] Before going into how Shredder works and what it does, let's take a detour to see how exploit code reuses critical API functions. As I said, Shredder identified 52 functions as critical, but in the interest of time here I'll only be talking about two. The first one is VirtualProtect. [00:21:01] What VirtualProtect does is this: you provide it with a memory area and the size, and you say what the desired memory protection is, and it changes it. We are not really interested in 3 out of the 4 arguments; the one we are interested in is the memory protection. Now in the payloads that we tested, we found that this value was almost exclusively set to 0x40. Now what exactly is this? This is the permission PAGE_EXECUTE_READWRITE, so what the attackers were trying to do is get all the permissions, read, write and execute, on the memory protection of the memory that they had. Similarly for the other function: we have this function called VirtualAlloc, which changes the memory permissions, but instead of changing them for an already allocated memory area, what it does is allocate a specific range of memory with the kind of protection that we are looking for. Here there are these 2 arguments which are important to us: one is flProtect, that is, what the new memory permission is going to be, and the second one is called the allocation type. As we can see, the memory protection is again set to 0x40, that is execute-read-write, while the allocation type is set to 0x1000, MEM_COMMIT, basically memory committed; what they are saying is, I need the memory area right now. [00:22:33] Now that we have some idea about what the attackers are looking for, let's go back to our tool, which was called Shredder, and what it does. So the very first thing it does is try to find all the critical functions that are used by the application and its libraries, so that is basically the intersection of the functions imported by the libraries and the list of critical functions that we have. Once we've identified this list, [00:23:00] for each of these we try to find the call sites of these functions. So here in the second step I have this example of VirtualProtect being called, and the third step is actually where we look for these arguments. In this particular call site we can see that 2 of the 4 argument values are hardcoded; you can see the second and the third argument.
[00:23:23] We get these argument values for every call site instance and create application-wide policies which capture these arguments for each call site of each critical function. It is important to mention here that it's not just looking for these values; we actually perform an interprocedural analysis to find at what point these values could have been generated, where they originated, and trace them back to extract them. [00:23:52] Let's quickly jump to the evaluation that we did: how did it really work, did it really help to prevent code reuse attacks? We tested against a list of 251 shellcodes and 30 ROP payloads that we were able to collect, tested each of them against 10 popular Windows end-user programs, and the main takeaway, before we go into the detailed results next, is that we were able to break the majority of the shellcodes [00:24:26] and the majority of the ROP payloads. Let's get into the details. OK. So the first question with any such policy-based specialization is how many of these arguments could actually be statically found. I gave you an example which had two, but how frequently does that happen? The answer lies in this plot: each bar here represents one application, while the y-axis is the percentage of imported critical functions in that app. [00:25:06] Ignoring the multiple colors for now, I think it's safe to say that about 50 percent of functions do have at least one known argument. So our hypothesis, that static argument values could be derived from the binary itself, holds true. As for the colors, each color indicates the number of arguments in a critical function that are known across an application.
[00:25:39] Now moving on to the security evaluation for Shredder. As in the previous case, we have one bar for each of the applications; the y-axis is the absolute number of shellcodes that could be broken, ranging from 0 to 250. As can be seen here, Shredder consistently breaks more shellcodes than simple code stripping, the function-level [00:26:05] attack surface reduction that we talked about. It is important to mention that we consider a payload, an attack payload, broken if there is at least one function that could not be used, either because it was removed by the function-level attack surface reduction, or because Shredder was able to filter out its argument. [00:26:28] Next, the results for ROP payloads. The x-axis has bars again, one for each application, while the y-axis is the number of ROP payloads, from 0 to 30. As can be seen here, again the Shredder bars consistently perform much better than the green ones for code stripping; in fact, in 8 out of the 10 applications that we tested we were successful in breaking all the payloads that we [00:27:00] saw. This concludes the first half of our talk and the discussion about Shredder. Before going further, before going into the next part to talk about what we did next, let's take a step back and talk about something called control-flow integrity and how it is an important tool in preventing code reuse attacks. In a nutshell, CFI is a runtime enforcement against control-flow hijacking. [00:27:29] It works by extracting the control-flow graph, by finding valid sets of targets for each transfer, and at runtime CFI ensures that every control-flow transfer sticks to the extracted graph.
Let's bring back the sample application that we began with. The control transfer rules would look something like this: the main function can go to either one or two, [00:27:58] function one can move next to three or four, and so on and so forth. In the case of a code reuse attack, the one we saw a minute ago, the flow transfer would look something like this. Note that the flow transfer here does not abide by the kind of rules that we already had, and because the first flow transfer falls outside the set of CFI rules, the attacker does not succeed and this control transfer doesn't go through. [00:28:32] In principle this makes all the sense, but the kind of example that we saw in the previous slide is what we call fine-grained CFI. Unfortunately, because of two major reasons, fine-grained CFI is not actually practical. First, the ability to accurately predict every control-flow transfer is what gives CFI its strength, and that is not truly possible because of many external factors: the valid sets that we statically find are always an over-approximation of what the real ones would be. I'll give you a small example of that. Suppose we have this one function, one, which has this small snippet of code: we have an if, an else if, and then an else, and depending on which of these three holds true, the next function to be called could be three, four or five. Now when you do the static analysis to find the control-flow graph, it looks something like this: one could go to three, four and five, and the rule would be like this. However, in practice, because we know the nature of the code, we understand that only one of these three conditions would be true, so there will be only one transfer that actually happens. Hence, instead of having one, we have a set of three next steps, which is an over-approximation. Second, fine-grained CFI involves checks on every single indirect control-flow transfer, and as expected there are a lot of them, [00:30:14] which means that enforcing fine-grained CFI would cause the performance of the application to take a major hit. There's a slightly more lenient but practical version of CFI called coarse-grained CFI, which has been researched, accepted, and implemented in the last few years. With coarse-grained CFI, attackers are restricted so that they cannot jump into the middle of a function or an instruction, and there are many such restrictions; I won't go into each of them, but we can just imagine that the attacker can no longer jump to any arbitrary instruction as we saw in the example. [00:30:53] So once CFI measures were put into practice, the attackers realized that there still is a possibility to launch attacks: while they cannot use random instruction sequences, they use more sophisticated and more destructive ways, looking at whole functions as gadgets. [00:31:12] Here is one such example, which is called Control Jujutsu, which uses call sites and target functions as gadgets. We'll look at one such example at the end of the talk. What happens now, as we understand, is that attackers can bypass but not break coarse-grained CFI: once they have to stick to specific control transfers, and a function can have multiple invocation points, if we bring back the same graph that we had initially we can see that there are still valid paths to [00:31:42] the Linux function execve. I forgot to mention that we now move into Linux, leaving the Windows side behind. So we have this thing called execve, which basically executes a command, and that is one of the most critical Linux functions.
There are direct and indirect transfers, and as we can see, for the one on the right, which is a direct transfer, CFI is going to be really strict, while for the left one that is not going to be the case. Because of that, although they invoke the same function, [00:32:16] the attacker is more interested in one over the other, so people who defend against these attacks are also more interested in one over the other. To understand how argument-level specialization would work in the kind of examples we saw, here are two examples of the open system call. In the first case we know what file is going to be opened; we just have a fixed path. In the second case we do not. An application-wide policy, something similar to Shredder, would put no restriction, because there was this one instance where it didn't know what was going to be opened, [00:33:01] so the attacker can now open any file from anywhere. A context-sensitive policy, the kind that we implement now, is going to specialize individual call sites; thus for the first case the attacker can still only open the file that was already there, but for the second one they still have to find a way to bring their control flow to this particular call site to be able to run it. This brings us to our tool, Saffire. I can see that I'm running a little bit behind, so I'll try to go a little bit faster. In a nutshell, what Saffire does is it creates a custom function for each call site, tailored only to its arguments. So we have the application's source that invokes a function foo; [00:33:44] it goes through our pipeline, Saffire, that does static and dynamic binding, more about that next, and at the end of the whole process we have a specialized binary which is tailored only to these specific call sites.
Let's start by understanding static argument binding very quickly. Basically there are two things at this point. What we do is we fix the argument values that can be statically identified. So for instance we have this snippet of code: we have an open system call which takes in one of two filenames according to some condition, and then for each argument we explore the paths that initialize it and find its possible values; in this case it would be file1 or file2. Then we change the call site to call this new specialized version of open, which verifies that whatever argument is being received at this point is one of the two that we expect. [00:34:45] The quick question here again is: OK, I understand that in the previous example there were these two filenames that could be statically found, but how frequently does this happen? Basically the same question we had in the Windows case. The answer is this; it's a complex-looking graph but it's very simple. [00:35:05] On the x-axis we have different library calls grouped by the application name, and on the y-axis we have the percentage of arguments that are known. Without going into much detail, I think it's safe to say that about 50 percent of the arguments could be statically known.
[00:35:22] But we still have the 50 percent that we could not get any values for, and for that we have dynamic argument binding, which is a form of data integrity, to bind such arguments. Some arguments obviously can be known only at runtime, for example memory addresses. We identify such arguments and try to find where they originate from; from that point onwards we create a 64-bit hash of the value that was created, store it in a secret shadow memory, and, as we did in the case of static binding, we create a custom function which we call instead of the actual function. This custom function now reads the same value from the shadow memory, creates the hash of the value as it is being passed, compares them, and only if it matches [00:36:14] does the function go further. OK, I think I'll just go past this slide because it is slightly more technical. Now let's see what we gain from this. These are the percentages of known arguments that we had with static binding; [00:36:40] this is basically the same plot. After dynamic binding we can see that it provides almost complete coverage of the arguments to each of the library calls that we looked at. So basically using these two steps, the first was static binding and the second was dynamic argument binding, what we were able to achieve was around 100 percent coverage of the kind of arguments that could be used to call these library functions.
[00:37:14] Now, up to this point, in all the examples that I've shown I've been talking about call-site specialization, call sites etc. But the title of the talk says context-sensitive, so the question here is: where does this context take effect? Think of it as: from now on, a callee is specialized according to the union of all locations. For example, we have this thing over here which has a function pointer; depending on some kind of

[00:37:44] condition, the function can invoke read or write. But once we run Saffire to create the specialized version, what we see is that the call site which is actually calling through the function pointer doesn't change. What is changing is not really the call site; what we are really changing is the context, the points that assign this function pointer. So instead of call-site-specific specialization it becomes context-specific, because of a case like this.

[00:38:23] Now, since we started talking about function pointers, it's actually equally important to consider how the shadow argument would be generated in such a case. Along with doing the static analysis to find what the values for the arguments are, we also have to do the same kind of static analysis to find the kinds of values the function pointers can take, and in this case this function pointer can be either read or write.

[00:38:50] Now, looking at the two unknown arguments here, what we want in the shadow variable is something that reflects the context and assigns one shadow value. In the dynamic argument binding function, Saffire has a predefined index for read and then for write, and something similar is what we do.
[00:39:19] Let's talk about how well Saffire does and how we evaluated it. I started by showing the same graph that we saw earlier: after dynamic argument binding, the number of arguments that we could get values for increased close to completion. Now moving on to the security evaluation, the proof-of-concept attacks that we tested. We tested Saffire with 11 popular Linux applications, obviously open-source applications, because Saffire needs the whole source code to do its analysis. We tested them against a set of 17 proof-of-concept exploits, each of which is aimed towards arbitrary code execution while bypassing existing memory protections.

[00:40:10] Of the 11 applications that we tested, Saffire was able to block all 17 payloads from the applications, while for 2 applications it was able to block them. We also performed case studies of Saffire against real-world attacks on popular applications, the ones that have been published in the last few years.

[00:40:39] We tested control-flow hijacking attacks against Nginx, and we were also able to test against COOP, counterfeit object-oriented programming attacks, against Firefox and Chrome. So quickly I want to touch on what really happened here.

[00:41:02] Well, let's start with control-flow hijacking against Nginx. From the Nginx source code I've taken this one function; I've removed all the unnecessary details. All you have to look for is the file that is passed in to this function: that file is directly used by the execve system call. Keep in mind that execve is one of the most critical Linux system calls, mostly because you can basically have any arbitrary execution once you have access to execve. So the attacker could directly call this function, the Nginx execute function,
[00:41:46] with the choice of their arguments, and that argument would be directly passed on to execve, and they would have arbitrary code execution. With Saffire, however, when we analyzed this function and its arguments for Nginx, what we found was that this function is only used to call the Nginx executable itself.

[00:42:10] The reason is something like when the server updates itself and it has to relaunch; I guess that's the only use case where this execve call of this particular file would be used. So we created the secure version of the application, and with it any malicious code execution, any code execution basically, would be compared to check if it is calling the path to the Nginx executable. If the function is given only the Nginx executable it is allowed; anything other than that gets blocked, and so there is no arbitrary code execution.

[00:42:46] Then let me get to the next one. We tested again against COOP, that is a counterfeit object-oriented programming attack against Chrome. It used COOP gadgets that basically use functions from Chrome's code base; the function they call directly calls the system call execve again. All that the attacker is looking for is to use execve to make an arbitrary call chain, and they would gain control of the system as an attacker.

[00:43:22] If the attacker were able to manipulate the argument passed to the system call they could achieve arbitrary execution. With Saffire, however, with our analysis we found that the execve calls can only be used with two hard-coded commands that could be run from Chrome. One of them was zip, as you can see, and there was a second one. Using Saffire, once we hardened the application, we restricted the execve calls to only these two commands. The secure binary was generated and again, as expected, any of the calls made by the attacker which were neither of these two executables was blocked using Saffire.
[00:44:11] So this concludes our discussion about context-sensitive function specialization tools. OK, so that didn't come through to me; I thought there was something in the chat, but I think it's mostly discussion of this. This concludes my discussion about context-sensitive function specialization tools and Saffire. The question now is: what next, what can we do?

[00:44:49] So what we developed was this concept of API specialization, and because this is interface specialization, it can be applied to a number of cases. For the next steps we have been looking for interfaces that we could specialize in the different layers that exist everywhere. One of the things that we've been looking at is cloud platforms like AWS, where the interaction between the machines and the users happens via such interfaces, which could be specialized according to the specific needs of that particular application.

[00:45:29] This idea obviously could be extended; we are still looking into these and have not had any success yet, I mean we have not really completed any of the analysis. Interface specialization would also work for orchestration systems like Kubernetes, again because they are container orchestration, and a lot of communication happens from the user or from the administrators through to the actual container that is executed. All these interactions happen across APIs, and those APIs could be specialized according to the particular customer use for that particular case and the execution scenario; that would really reduce the attack surface.

[00:46:19] And lastly, the things that we have been looking at are systems which have trusted execution environments like Intel SGX.
In the case of trusted execution environments, I guess, again, you have a trusted world and then you have an untrusted world, and the communication, and the security of the communication, between these two worlds is what defines trust, based on the trusted part, the ECALLs and OCALLs. So those are also the interfaces that we've been looking at, trying to get an idea if we can specialize them.

[00:46:58] So to conclude my talk: today I introduced API specialization, a technique for enforcing argument-level specialization. I presented the design of two function specialization tools: one that works on closed-source Windows binaries, called Shredder, and then Saffire, which is meant for open-source Linux applications.

[00:47:22] For both of them we implemented static specialization, which binds the arguments that are statically known and also specializes the function body, while Saffire also has dynamic binding, which is a narrow-scope form of data integrity that preserves the acceptable values of arguments

[00:47:42] that cannot be statically determined. So this is it from my end. Thank you so much. If there are any questions I would love to take them. We have one question, which is: how was the performance, what was evaluated in the case of such applications? That's actually a very valid question in this scenario, because in these applications these are the kinds of functions that don't really get called every day,

[00:48:08] and it's difficult for us to understand how much performance overhead our system would cause. So what we did was we used micro-benchmarks: we created these tiny applications which continuously made calls to these APIs, just to get an idea about the worst case, to test what would be
[00:48:33] what would be the case, how bad the performance would be. In our tests I can say that for most of the cases, with a lot of processing in the background, the performance overhead was really negligible; we were even below 0.5 percent for most of the cases, and in the case of Saffire that showed again; it was also negligible. The next question we have here is how easy it is for the attacker to modify the payload to evade the protections. That's a very valid question, mostly because,

[00:49:08] as we can see, you know, all the presentation, every bit of content that I talked about, was mostly in terms of: this is what the attacker does, this is what the application does, they're mutually exclusive, we can draw a line. But when we started looking into a simple

[00:49:28] example, just to get an idea: it's mostly unlikely for an application to even try to look at something like an execve. So even if the attackers would try to change their payloads, we can change the fields in a way that it would

[00:49:52] change their payloads; if the functionality remains the same, that difference would still stick. So yeah, it's not that easy unless the attacker wants to change their entire attack from scratch. OK, so the next question is: how would you address non-open-source applications? Yes, so

[00:50:14] the problem of non-open-source applications is what we did in the first half of the presentation, when we did binary analysis instead of really doing source code analysis. So we did the exact same thing that we did in the first half, for Windows, but
[00:50:31] as someone who has worked on source code and someone who has worked at the same time on binaries, this is as difficult as it gets; it's extremely complicated, mostly because there are an unlimited number of registers and every value gets assigned here and there over and over again. But yes, even for non-open-source applications, if we have the binary we can build similar analysis; it's just slightly more restricted. So with Shredder, the first half of the talk that I was talking about, that's perfectly fine too. Sorry,

[00:51:09] I mean, in Shredder, you know, when you do the backwards analysis to find where the values were generated, at some point you have to stop, because the number of paths that it can go through explodes and then it's very difficult to keep track of. So I think, if I remember correctly, in Shredder we just stopped at a depth of 30 or something, so if going back through the instructions we were not able to find anything we would just give up and say here, I couldn't find it, just because it was too complex. But yes, that was mostly an engineering effort on my end; it can still be

[00:51:45] improved, you can still get better performance there, but even with those restrictions we were able to get really good coverage in terms of the number of arguments. Thank you for the question. OK, let's see, let me make sure there are no more questions.

[00:52:08] Well, yes, thank you so much Gloria, and for everyone else, if there are any more questions and you want to discuss, send me an e-mail. >> Do you want to put your e-mail in the chat or up on the screen? >> Yes, I can put it in the chat, I mean.

[00:52:33] >> Yeah, people always ask questions after class. >> Yes, yes, I'm a student, I can understand. I also go through these, because you know, I think about it after the talk and even then I'm like, OK, I should have asked this, and then it just doesn't
[00:52:50] happen. So yes, here is my e-mail address if you want to get in touch, and obviously the two works that I have presented are both published; if you just go to Google Scholar and search for those papers, I guess you can get my e-mail address from that as

[00:53:11] well. Thanks again, we'll see you around, have a great day everyone, thanks so much. >> Thank you everyone.