Security bugs in embedded interpreters

Published: 29 July 2013

Abstract

Because embedded interpreters offer flexibility and performance, they are becoming more prevalent, and can be found at nearly every level of the software stack. As one example, the Linux kernel defines languages to describe packet filtering rules and uses embedded interpreters to filter packets at run time. As another example, the RAR archive format allows embedding bytecode in compressed files to describe reversible transformations for decompression. This paper presents an analysis of common pitfalls in embedded interpreter implementations, which can lead to security vulnerabilities, and their impact. We hope that these results are useful both in augmenting existing embedded interpreters and in aiding developers in building new, more secure embedded interpreters.




Published In

APSys '13: Proceedings of the 4th Asia-Pacific Workshop on Systems
July 2013
131 pages
ISBN:9781450323161
DOI:10.1145/2500727
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Sponsors

  • Nanyang Technological University
  • SUTD: Singapore University of Technology and Design
  • NUS: National University of Singapore

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

APSys '13: Asia-Pacific Workshop on Systems
July 29 - 30, 2013, Singapore, Singapore
Sponsors:
  • SUTD
  • NUS

Acceptance Rates

APSys '13 Paper Acceptance Rate 23 of 73 submissions, 32%;
Overall Acceptance Rate 169 of 430 submissions, 39%


Cited By

  • (2022) Towards Practical Application-level Support for Privilege Separation. Proceedings of the 38th Annual Computer Security Applications Conference, pages 71-87. DOI: 10.1145/3564625.3564664. Online publication date: 5 Dec 2022.
  • (2020) Specification and verification in the field. Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pages 41-61. DOI: 10.5555/3488766.3488769. Online publication date: 4 Nov 2020.
  • (2020) Synthesizing JIT Compilers for In-Kernel DSLs. Computer Aided Verification, pages 564-586. DOI: 10.1007/978-3-030-53291-8_29. Online publication date: 14 Jul 2020.
  • (2019) Cachematic - Automatic Invalidation in Application-Level Caching Systems. Proceedings of the 2019 ACM/SPEC International Conference on Performance Engineering, pages 167-178. DOI: 10.1145/3297663.3309666. Online publication date: 4 Apr 2019.
  • (2017) Control Dependencies in Interpretive Systems. Runtime Verification, pages 312-329. DOI: 10.1007/978-3-319-67531-2_19. Online publication date: 6 Sep 2017.
  • (2015) PIE. Proceedings of the 31st Annual Computer Security Applications Conference, pages 251-260. DOI: 10.1145/2818000.2818035. Online publication date: 7 Dec 2015.
  • (2015) Cross-checking semantic correctness. Proceedings of the 25th Symposium on Operating Systems Principles, pages 361-377. DOI: 10.1145/2815400.2815422. Online publication date: 4 Oct 2015.
  • (2014) Jitk. Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, pages 33-47. DOI: 10.5555/2685048.2685052. Online publication date: 6 Oct 2014.
  • (2014) From Zygote to Morula. Proceedings of the 2014 IEEE Symposium on Security and Privacy, pages 424-439. DOI: 10.1109/SP.2014.34. Online publication date: 18 May 2014.
