Student develops virtual machine against memory exploits


A student at the Free University in Amsterdam has built a virtual machine that exposes memory exploits. It renders buffer overflows and return-oriented programming harmless, but the software runs slower.

Erik Bosman, who developed the tool for his master's thesis, presented the workings of the virtual machine at the hacker event eth0. The software, which Bosman has named Minemu, has been released as open source under the Apache license.

The virtual machine is intended for taint checking, which should prevent users from injecting code into memory. The tool, developed for Linux, does this by running software inside a virtual machine and tracking the origin of every byte in memory. "If a certain part of memory is, for example, user input, it may never be executed as code," says Bosman.

If Minemu detects an attempt to execute untrusted code, execution of the software is halted. This makes buffer overflows and return-oriented programming, two ways of using memory to run rogue code, effectively harmless. The metadata about the origin of the code is stored in the fast SSE registers of Intel CPUs, which are actually intended for multimedia processing.

A lot of malware uses memory exploits to execute code. In a buffer overflow the maximum size of a buffer is exceeded, which allows an attacker's own code to be run. In response, operating systems introduced support for address space layout randomization, which randomizes the location of buffers in memory, and data execution prevention, which separates executable memory from ordinary variables.

To bypass ASLR and DEP, attackers have turned to return-oriented programming. In that technique, existing machine instructions of a given program are chained in a specific, attacker-chosen order, so that the attacker can effectively assemble his own code. "In medium-sized software this is often possible," says Bosman. "This project is actually a response to return-oriented programming."

At the moment Minemu only works on 32-bit x86 CPUs. "Support for 64-bit is a lot harder to build," he tells Tweakers.net, "for example because the memory registers are much larger." He has, however, recently built in support for multithreaded software, so that many programs work well with the tool. Only software with JIT compilers that runs content from the internet as code, such as the JavaScript engine of Firefox, still causes problems: such engines deliberately want to run externally supplied code.

Code running inside the virtual machine is significantly slower; in general it takes three to four times longer before code is executed. That is because the code is not executed directly but first passes through Minemu's taint analysis. According to Bosman, however, the tool is faster than other similar software, such as Argos and TEMU.

That is because the software works differently: where Argos and TEMU check the executed code of a complete system, Minemu does so for a single process. For each byte in memory, Minemu reserves one byte for the analysis. This means twice as much memory is needed, apart from the space Minemu itself occupies.
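To make the mechanism described above concrete, here is a small added simulation (written for this article, not Minemu's code) of byte-granular taint tracking: one shadow byte per memory byte, taint set when untrusted input lands in memory, and a control transfer refused when either the target address or the bytes at the target are tainted. The memory layout, the 16-byte buffer and the filler bytes are constructed for the example; the rule that a tainted jump target is refused is a modelling assumption about how ROP is caught.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy model of Minemu-style taint tracking (added example, not Minemu's code):
 * every byte of simulated memory has a shadow byte, 1 = derived from untrusted input. */
#define MEM_SIZE 64
enum { CODE = 4, BUF = 16, RET = 32 };   /* constructed layout: 16-byte buffer below saved return address */
static uint8_t mem[MEM_SIZE];
static uint8_t taint[MEM_SIZE];

/* Writes by the program itself are trusted and clear taint. */
static void store_trusted(size_t dst, const uint8_t *src, size_t n) {
    memcpy(&mem[dst], src, n);
    memset(&taint[dst], 0, n);
}

/* Untrusted input (network, user) is marked tainted as it lands in memory. */
static void read_input(size_t dst, const uint8_t *src, size_t n) {
    memcpy(&mem[dst], src, n);
    memset(&taint[dst], 1, n);
}

/* Control transfer through a 4-byte little-endian address stored at addr_slot.
 * Refused (-1) if the address itself was built from tainted bytes (an overwritten
 * return address, the ROP case) or if the bytes at the target are tainted
 * (injected code). Returns 0 when execution may proceed. */
static int transfer_control(size_t addr_slot) {
    uint32_t target = 0;
    for (size_t i = 0; i < 4; i++) {
        if (taint[addr_slot + i]) return -1;
        target |= (uint32_t)mem[addr_slot + i] << (8 * i);
    }
    return (target >= MEM_SIZE || taint[target]) ? -1 : 0;
}

/* Scenario: the program saves a return address pointing at trusted code, copies
 * input_len bytes into the 16-byte buffer without a bounds check, then returns.
 * Returns 0 if the return succeeds, -1 if the taint check aborts the program. */
int run_with_input(size_t input_len) {
    uint8_t input[MEM_SIZE];
    uint8_t ret_to_code[4] = { CODE, 0, 0, 0 };
    memset(mem, 0, MEM_SIZE); memset(taint, 0, MEM_SIZE);
    memset(input, 0x90, sizeof input);           /* constructed filler bytes */
    store_trusted(RET, ret_to_code, 4);
    if (input_len > MEM_SIZE - BUF) input_len = MEM_SIZE - BUF;
    read_input(BUF, input, input_len);           /* overflows into RET when input_len > 16 */
    return transfer_control(RET);
}
```

Inputs that fit the buffer leave the return address untainted and the program continues; any longer input taints the saved address, and the return is refused before anything is executed.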

The protection the virtual machine offers can still be bypassed, Bosman acknowledges, by performing a number of specific operations on memory. That is, however, difficult to do, he claims.

A Windows version of the software seems unlikely: "You would have to modify Windows at the system level, so Microsoft would have to cooperate to make that possible." On Linux, root access is sufficient to make a system suitable for the software; a few settings have to be adjusted, for example to reserve as large an amount of virtual memory as possible. With some adjustments the tool could also render other forms of code injection, such as SQL injection, harmless.