Regions are types, types are policy, and other ramblings

did find that there are addresses that were written by the bootloader that were not anywhere in the table and I can't tell you whether that's a documentation issue or that's above in the bootloader but there are some yunsik's that are not necessarily being enforced and we could if we just started understanding like seeing these regions of memory as objects for a policy in which we can follow and we don't have to necessarily have a runtime enforcement of it but it would be helpful while testing to happen if we can have like the hardware support to do runtime all the better and yes you can use page table to secure you know if that's enabled there's ways to do this

and I will talk we have some prototype that uses page tables though enforce this type of region needs access controller so during boot loading like gone over a lot of this but the memory map in the outer space may change over time so you would see phases of different APIs regions being okay to write to or being read-only or beating or containing nothing or not even being back to any backing storage registry then you know remember to be initialized syntax might be boot scene into five times for the particular bootloader I studied they just had a dance around itself until I got it up round so it can spread out not move it's it's up its stack anymore it's so

execution can be divided dividing the sub stages by how the memory or how memory the attic space is intended to be used how the regions are intended to be used you know once the staff changes location you might want to say well this is a new sub stage I'm going to look the staff is over here now the there's just you know many different things that you can think about when you're thinking about policy regions as types types policy and so when I was thinking about sub stages for a pool owner for a letter specifically when I wanted to write a policy based on regions I thought well the major you know the major things that

as it's executing preparing loading watching linking some region of memory need to be used by future sub stage which by which I mean it could be where the image from the neck to the target that's gonna be loaded is it could be it's setting up you know with steering out are we to the memory for the BSS for data that is assumed to be zero dad's bar could be performing internal bookkeeping and there's a lot of internal bookkeeping these letters they need to you know keep track their progress in you to have pointers to all the driver is in remember all the devices that it already found and initialized and so these are sort of the

major stages bookkeeping preparing a future substage copy to feature sub stage and I have wrote a policy and I'm not really talking and it's so closely about the policy over here so sub stages the bootloader I classified as either loading the future sub stage at region so coffee save big chunks of data into their patching such as you know real doing small little hi dispatches doing wheels fix ups or doing stuff to keep track of where it is and then during each of these sub stages I thoughts to divide the region's into you know code which should never be registers I just decided to kind of make it something you can say maybe if it's

bookkeeping or maybe if it's looting and touching can say no right intended registers bookkeeping stage so if it's in the bookkeeping stage you can allow it to write the bookkeeping data but if it's loading or patching and saying they know right into bookkeeping data and then let you know a region that's not quite ready yet to be used but be prepared to a future substage image region another like tag to classify it Oh so of course everyone wants to ask me like oh did you find any you know today and you did it well so every single device has a way different build you could is just like a big pile of code that is compiled down you know to

something and a lot of code is not shared necessarily between devices but you know the big thing with this particular device that's you know this development board it beagleboard-xm is it reads the head on the image from the storage from the fat file system from that it will figure out where the header of it lies in memory it using that header it will read both using them sorry the header sorry this particular pointer was wearing a copy the header and it will read that chunk of the file that has like better information for this binary into memory and from there it will look at this header that have just loaded copied straight off the file

to memory and purses and then after that this particular variable I circled SQL image loader that is directly copied from the header so the binary can say I live on top of all these registers memory mapped i/o and it will just read you know bytes into that address so it will just copy things in there and then like you have undefined behavior because you're just writing whatever I mean probably define it better but so have trustworthy is it well like how much you trust the image is loading but also you really have no choice to trust it this is this particular food environment is not meant to be like locked down or anything but there is this very there's often a

trust in what you're loading is kind of telling you what it needs where it should be loaded or how big it is and it's up to the boob learner to know if that interferes with anything it already has set up in memory and like in this case it clearly doesn't but if we start thinking of regions as tight objects taking them we could write policy that works on that level I mean can you I can't imagine putting little types in here you know programming language that somehow prevents you know the region of memory with registers be overridden by this particular thing you have to really do a checking no packages and so forth so this is where I just

speak a little of some of my thesis work I called it right region based right access control and I said writes the word right a lot it could be any memory operation so that I think is done right since thesis and then so this components of doing a policy based on beaches and objects regions are types are in sub stages distinct phases of execution and the memory regions themselves and how they're expected to be used during that particular sub stage I never showed you this but when you start thinking about software in this way you start thinking and the bigger picture of policies like doing this you know he jumps into this piece of and I know it's gonna start off with

bookkeeping therefore it should not write to you know these particular areas of memory that may not have any fat in store or may not or be habit code itself that's being executed so there's like that phase and then suddenly it's you know it enables some external memory and it has space for a stack and now you have this new phase of execution of course this is like a hypothetical one but you know I'm kind of summarizing what I see often and boobers you know that will be ready and to give this space where there's new regions of Mary and new policies that you can add to that after that you'll have maybe be loading the target and so

we wanted to write to other sensitive regions in February other than that region for the future substage that target image is being copied and then there you know some success you know it succeeded some success sub stage where it's like ready to just jump into that next global stage of booth and this is you don't need to read this but like I'm just thinking how to legal memory basing the substance the luck column would be like the initial bookkeeping sub stage where it just as a system registers and then it gets into this next up stage where there's some you know memory that's been enabled so you can start reading writing more places and then it's final sub

stage where it's actually or that's not the final but that's the loading wrong word you still have these labels on there but you can't necessarily rights to certain regions because it's a different type of sub stage to the previously on the work I did to actually apply this type of policy to a good learner result in it is like the collaboration of tools and I have that I'm getting up and this is static analysis data then I use that to generate some tables that help with instrumentation and look for certain patterns in order for me to both study the how the bootloader executes and also to write a policy and enforce it or to write a policy and see if the bootloader

follows my expectations of how memory is being used and with this particular tool set I focused on rights because your region-based right access control are back and I also because I was focused on boot loaders I wanted to meet all the memory rights even after really patient so part of this full suite is to keep track of what regions were relocated and you know calculate offsets and so forth so that it'll move breakpoints or you know when it's tracking and it knows there's a relocation it'll start listening to that region or will know to accurate points depending on you know the actual method of transportation I do have a method where it is there's a

great point you never destruction so all those are you know who ones are added when there's a relocation so these tools is how I actually built a policy based on regions for a boot letter and so one of the things I did is I needed to identify all the the thesis where it was relocating winning is copying the image or like saying a future sub stage for you know medians doing the clearing attribute to the memory during it or copying the target image into a region my hypothesis was when this happens we'll see lots of men copyright operations by which I mean you know a sequence of adjacent fights were written entitled so but we were

looking at just like the rights that happened it'll be you know right age right knee plus one right because to you know just sequentially and no other rights in between and so I I call these block write operations and my tools will track that and like the what I contained and the block write operation is the you know the the address that was the instruction the offset in the image where the instructions lay in case it was relocated to sort of understand but if we look at the metadata of this image we want to know we have the right one otherwise it's relocated no metadata and that image walrus will refer to the relocated address of the instruction then the

destination of the right the number of bytes that we're good in and then I also keep track of where in the call stack that happens which is helpful because I'm starting to think now about thesis of operation and where you are on the stack helps you understand the phase of operation what the governor is trying to do so you can distinguish between different better copies or you know men copies zeros so that's the SS but none caught me something else music the ramen pot but then set to zero you mem said something else is probably for a different purpose so my corollary is that we should be able to use these block write operations to identify relocation pieces but also

other sort of phases where large things are copied and that's what I did um you're not gonna like there's nothing to help you understand this except for my voice when I did the tracking I found there was about 4,000 write operations for the u.s. scale and when I map that into block rights I got 10,000 operations to sort of look through to figure out like what they did what they are for what phase it can be signed to and here is sort of like sorted them all by size the first columns like the number of consecutive price and then it's like I put the you know the name I then wrote the number of bytes at some certain address and then I

just put the instruction that was used to actually write in the Vice send this one arm so the first one is actually 0 to be SS region and they've got other significant ones you know mostly it's pretty significant I just can't remember what they all are but there is a bunch of MMC they got these data's did I found it like I don't list them all because they're all the same size but it's actually just reading the hex key card in chunks 512 bytes at a time of memory and that was interesting I found a region of relocation that I didn't know about and it turns out if there's a function called the news feed

that is located is for tiny intercepts never actually execute must be some scene that's left over Wrexham older code that they branched off of the never bothered to change but that's like some of your location I didn't expect then they bit of course a lot of my call stacks changes here but this really helped me kind of zoom down and figure out what different faces there are and what happened to during those phases and this is just for like a rough idea of the static the call graph that I simplify is like a lot the different colors the villas are what I ended up to decline as a sub stage like an entry point to assess age so when

starts enter spearing like some initial sub stage if you go from if you go into the level of it here in another sub stage cetera et cetera and then I decided this is a campaign sub stage and that's like a bell there is a jump to image which is sort of 1860s gets the next sub stage and you can sort of have some some policy enforcement there if you want at the same time I was tracing the call being call trace of execution and you know every call function call and return so that I can start saying you know identify in the face that's that was copied and then in the end like this is complex because I this

is actually what works that you did and this is real is this is what I ended up with the season is of execution and the policy I wrote and we can start seeing that beta as a bookkeeping phase Delta is loading things and PI as a patching phase and you can start seeing there is these different cases and during some of these phases there's different regions of memory that there's like important events so after UK you can't be competing blah blah blah finish this little go to speedy preclude located function is available but it stops becoming available at the next sub stage because it gets copied over if you can see what SRAM is like some external RAM

that's initialized and you end up like seeing the progress that the lunar is better understanding it in a way that you can't get from just repeating the code in the end I want to build something on the clintus so the left side are the needs of sub stages the right size are how I need like different memory regions an edge between the two new means rights are allowed to that from that during that sub stage to that region so so the policy I made was not just allowed transitions between cases but also what regions can be written during a particular phase so when the phase cleared the assassins executed like only OBS s can be written and the

stack when it's you know copying copy clock one is where that location happens well generally right take the staff into that little region that I call go to speed so back to this email client that I kind of for this is potentially vulnerable you know client I think it's probably horrible we can think about pathways and memory there's the application for it's there would be the library and let's just say there's something like like period animals the key and let the keel isn't its static data the stock of the heap and you know bikini you wanted to eat sir right to the key area but when it's processing inputs it shouldn't but the nice thing

and this is word this project that I worked on old elf back comes in is we realized that a lot of what happens in memory is based on how the file looks like this I mean is a bunch of alfetta data but in it like I'm just assuming that this is statically compiled there is like a chunk of region that semantically you know equivalents of all this if we think that of course granularity at least so there's like heat code for the application data of the application but then there's a death different region that's dia for the key library and if you get that and start thinking about these out sections as regions region is being pipes type speed

policy yeah the ELCA which is very related to my thesis work that work but this works uses sections in the elf binary as files the objects and it has tools fill value to define sections few sections for policy objects so you can have a fine granularity if you want always say that certain Dino live in certain sections in the L file and will be mapped that way put on two different pages and the kernel will then be set up each table for each phase of execution so during the authentication phase that each table will only allow will allow keys to be written but during the process input phase it does not have write access or bead access to the keys

and so this alpha work has been championed by 70 brightest of Julian finger from a frontal catch for x86 matthew maxwell Kumu let me do some work at gnarrk he wrote in patch for forearm and friend of left forearm and so I've no idea what kind of is but some final box how do we charge software when it's so complex and when these behavioral constraints we have on it don't directly hood it's like high level attention that were most interested in you do not want these kids to be ridden during that phase it seems pretty important I mean a lot of the constraints we have now are very much looking at buffer overflows and sorry cliff low integrity and other

things and that it is like important that helps like lower-class packs but we think about the software as like an entity upon itself that is different from all other software not really but if you just look look at the attentions of the software if you want to be able to really enforce those intentions so as the agents as types we have this arbitrary object regularity in our policy and you can intuitively include some intended behavior with these phases in these regions and they kind of like to think of it as a policy sweet spot late and Commedia will find something even sweeter but it's very much it works on human-like understanding because it's easily applied to modules different

libraries are fairly easily like their own region and they often have a different trust level from the application itself and reintroduce some of the the terms that I tried to present and trying to champion a little so the arc black is the region is access control scheme that has more theoretical grind up but also test tools that will actually fill the call scene enforce a policy if you want a product in GDP that is out back is the kernel patches that does that uses the elf file as a way to include policy and then fiddle with the tools in a group for foo letters instrumenting them and also for applying under finding of right a region based policy and applying

that as an enforcement or just know if you want to see you can have it not actually stop the code execution you can just have it you know label events when they happen get don't follow the policy so thank you for its talk you can find more details on our block on my thesis at Tech region stuff comment and health fact that health back at work where you can get links to source code to my research advisor certain gratis work without too but I met narc now so thank you I will post slides on Twitter so if you follow me you can get that I'm sure someone else in the conference will between the link I will add more some

references to it so you can see some of the work that I've cited including Penn State so that's all I have do you have any questions okay well earth person talks a questions gets the deal this computer book 4.0 okay so okay so what we need this idea of defining the process of the stages and then changing the Commission's availability point could this be easily ported to desktop software or even like the PSP lifestyle so the question was is this style of the region's and the policy objects and the phases even forced by that can that be coordinating delete desktop pictures that's your question yeah okay yes it next well yes but Asterix so Outback is

exactly for that it works on user land applications it's tricky to work with now like it really needs some library support to do well and you just don't have like the like developer power to get all that but like if you have the right tools I think it would be it would be a lot easier right now we sort of have to reverse engineer some of Lipsy to figure out how to include that in our policy there's a lot of floating stuff that does unexpected things and yeah there's a lot of technical things we need to deal with but I think the theory of it is sound we applied this to it there was a it OpenSSL about a thing and

this was documented in an earlier talk I think at blackhat and so the health pack was used to kind of over apply at this policy based in regions over the existing open SSL library in order to like not let that vote or whatever the word is so that was applied to existing code using this sort of you should never be able to beat this region of memory during this time of execution and it was a very coarsely grant policy because focus specifically on that bug but it worked anyone else yes

yeah so question was by being able to read policy and have that enforced or logs you can detect bugs I haven't done that but I mean I'm sorry but I'm already running in sort of a debugging environment so you could probably compile it in the code coverage libraries I build that in I have to think a little bit more how to integrate it all but if I because I was looking at boot loaders I was the only Sunday passed through but if yeah I think that could be done and it's simply a really interesting use for it as like an actual debugging any other questions in the back yeah I'm just trying to wrap my

head around how you apply these policies I mean how much do you get for free based on which you can get things like that like the example you gave [Music] how much work is it to build a policy well in a little bit and how its applied it also depends limits not worth to and how its laid out so way I had a very specific idea of the type of policy I wanted to planet to a boot letter so I was just looking for her youth the regions of memory being ridden so there was the stage of the instrumenting it and getting that information and I think I did the Goethe policy for that and

kind of had to fix it multiple times cuz I find new things I probably did like maybe ten phases of like fixing up the policy to try to get something that worked and then I find it I that's how I found all the staff changes I can notice them before so I yeah so it can be tricky and I was working with existing code and I cashed it a little bit to make it easier for me so there's more of like when the face was a new face eccentric we knew would never exit so I had like no I in case if you think all something in return that was just for little insurance for

me but like who that was just for theoretical side of knowing that being able to say people never able don't really promise forward through this set of pages but I think with more complex soccer I wasn't the one that did the OpenSSL we think of as open SSL so I'm not sure how long that took but you certainly have to understand the work the software its if you're a developer for it like that's the idea of elba app is like the developers can bet to this like higher granularity and something another commode a little better if you're looking at the new code it's certainly harder anyone else I think that's time thank you for waking

up [Applause]