Abstract image of a woman sitting on books and studying on a laptop

Feast '20 slides

Download as PPTX, PDF
G
gailkaiser

The document introduces binary quilting as a solution for customized updates in enterprise-critical systems, enabling updates without full recompilation. It outlines a methodology that uses binary analysis to patch executables while minimizing changes to the original code, capturing diffs through a changelog database. The approach was evaluated on real open-source projects, demonstrating successful application with minimal overhead.

Technology
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Binary Quilting to Generate Patched Executables without Compilation Anthony Saieva, Gail Kaiser Columbia University 1
Motivation -- Problematic Updates ● The typical update cycle is usually sufficient to keep code updated and secure. ● However in enterprise-critical systems, sysadmins may be reluctant to update systems for fear of unwanted side-effects. ● This leads to insecure deployments even when patches are available. ● When many update cycles have passed between the deployed and current versions, deploying the updated version is not simple and may not be feasible without major changes to the dependent systems. 2
Why Binary Analysis? Changes may need to be made at binary level, either because legacy code no longer has the source code available or because proprietary licenses prevent making the source code available. Binary manipulations usually involve non-semantic changes like shadow stacks and stack canaries. 3
Solution -- Customized Update Cycle Updating to the entire new version may break enterprise-critical functionality. Customized updates allows customers to maintain software through partial updates. 4
Binary Quilting ● We introduce binary quilting to accomplish these customized updates. ● We leave untouched as much of the original code as possible. ● We only replace the overwritten code with the corresponding new code and its dependencies. 5
We use binary analysis to associate changes at the source code level with changes at the binary level. The modified symbol table informs us which code to include in the update. Binary Patch Decomposition 6
Binary Patch Decomposition We record the diffs between the previously compiled versions and the newly compiled versions by integrating binary change tracking into the build process. These diffs are stored in a changelog database. The developers send the appropriate metadata to each client depending on the deployed version of the client’s software and what they want to upgrade. 7
Quilting Procedure Symbols function as a point of reference between the binaries. Since x86 defines strict function calling conventions, it guarantees a consistent state where we can interpose new code. References fall into 3 categories 1) Code References 2) Data References 3) PLT Interposition 8
Evaluation Evaluated with 5 open source projects curl, coreutils, wget, libpng, and redis. LOC changes of size up to 40+ additions and 141- deletions. Resolved hundreds of code and data section references to successfully quilt the patches. 9
Selected Case Studies Crashing bug in libpng (image processing library) where mathematical error causes invalid memory access. Quilted binary successfully parses problematic image. 10 Libcurl (command line networking client) failed to parse some malicious URL’s correctly due to erroneous conditional. Quilted binary functions correctly in network sensitive context.
Quilting Overhead Quilting in new code adds to potentially vulnerable attack surface area. Since we quilt only the minimum required patch our technique introduces minimal space overhead. The largest size increase was 14%, but usually much smaller. 11
Conclusion We successfully demonstrated binary quilting on real open source projects. In future work we plan to expand our evaluation and investigate formal verification approaches to prove that no side effects are introduced during the patching process. 12
Questions? 13

More Related Content

PPTX
Ase 2018 parikshan
gailkaiser
 
PDF
Replay without Recording of Production Bugs for Service Oriented Applications
jon_bell
 
PPTX
Software Testing in a Distributed Environment
Perforce
 
PPTX
How Samsung Engineers Do Pre-Commit Builds with Perforce Helix Streams
Perforce
 
PDF
Toward Hybrid Cloud Serverless Transparency with Lithops Framework
LibbySchulze
 
PPTX
Streaming the platform with Confluent (Apache Kafka)
GiuseppeBaccini
 
PDF
The future of DevOps: fully left-shifted deployments with version control and...
Red Gate Software
 
PDF
Using Redgate, AKS and Azure to bring DevOps to your Database
Red Gate Software
 
Ase 2018 parikshan
gailkaiser
 
Replay without Recording of Production Bugs for Service Oriented Applications
jon_bell
 
Software Testing in a Distributed Environment
Perforce
 
How Samsung Engineers Do Pre-Commit Builds with Perforce Helix Streams
Perforce
 
Toward Hybrid Cloud Serverless Transparency with Lithops Framework
LibbySchulze
 
Streaming the platform with Confluent (Apache Kafka)
GiuseppeBaccini
 
The future of DevOps: fully left-shifted deployments with version control and...
Red Gate Software
 
Using Redgate, AKS and Azure to bring DevOps to your Database
Red Gate Software
 

What's hot (19)

PPTX
Managing Microservices at Scale
Perforce
 
PPTX
Protecting Your IP with Perforce Helix and Interset
Perforce
 
PDF
SoftwareCircus 2020 "The Past, Present, and Future of Cloud Native API Gateways"
Daniel Bryant
 
PPTX
Bro, manage test data like a pro! [QA Fest 2018]
Mikalai Alimenkou
 
PDF
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
PDF
Deployment pipeline for databases
Eduardo Piairo
 
PPTX
Testing Microservices
Anil Allewar
 
PDF
Testing Microservices
Nathan Jones
 
PDF
Integration Testing with Docker Containers with DockerCompose
Mike Holdsworth
 
PPTX
ATAGTR2017 Batch Workload Modelling and Performance Optimization
Agile Testing Alliance
 
PDF
Delivery pipelines at Symphony Talent - Present and Future
Nathan Jones
 
PDF
Hexagonal architecture for java applications
Fabricio Epaminondas
 
PDF
Standardizing Jenkins with CloudBees Jenkins Team
Deborah Schalm
 
PDF
Designing Scalable Applications
Fabricio Epaminondas
 
PPTX
Testing Microservices Architecture
Łukasz Rosłonek
 
PPTX
Measure() or die()
Tamar Duvshani Hermel
 
PDF
Fundamental Spring Boot: Keep it Simple, Get it Right, Be Productive and Have...
VMware Tanzu
 
PPTX
Vulnerability Discovery in the Cloud
DevOps.com
 
PDF
Deployment Pipeline for databases (Azure SQL Database, SQL Server)
Eduardo Piairo
 
Managing Microservices at Scale
Perforce
 
Protecting Your IP with Perforce Helix and Interset
Perforce
 
SoftwareCircus 2020 "The Past, Present, and Future of Cloud Native API Gateways"
Daniel Bryant
 
Bro, manage test data like a pro! [QA Fest 2018]
Mikalai Alimenkou
 
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
Deployment pipeline for databases
Eduardo Piairo
 
Testing Microservices
Anil Allewar
 
Testing Microservices
Nathan Jones
 
Integration Testing with Docker Containers with DockerCompose
Mike Holdsworth
 
ATAGTR2017 Batch Workload Modelling and Performance Optimization
Agile Testing Alliance
 
Delivery pipelines at Symphony Talent - Present and Future
Nathan Jones
 
Hexagonal architecture for java applications
Fabricio Epaminondas
 
Standardizing Jenkins with CloudBees Jenkins Team
Deborah Schalm
 
Designing Scalable Applications
Fabricio Epaminondas
 
Testing Microservices Architecture
Łukasz Rosłonek
 
Measure() or die()
Tamar Duvshani Hermel
 
Fundamental Spring Boot: Keep it Simple, Get it Right, Be Productive and Have...
VMware Tanzu
 
Vulnerability Discovery in the Cloud
DevOps.com
 
Deployment Pipeline for databases (Azure SQL Database, SQL Server)
Eduardo Piairo
 
Ad

Similar to Feast '20 slides (20)

PDF
Using Containers to More Effectively Manage DevOps Continuous Integration
Cognizant
 
PDF
AZ-400 Exam Dumps Online – Proven by Learners Worldwide
lemoncuc92
 
PDF
A New Paradigm In Linux Debug From Viosoft
guestc28df4
 
DOC
CV_RishabhDixit
Rishabh Dixit
 
DOC
A New Paradigm In Linux Debug From Viosoft Corporation
art_lee
 
PDF
Converting to the latest COBOL Compiler made simple with the right tools
DevOps for Enterprise Systems
 
DOC
Foundry Management System Desktop Application
Dharmendra Sid
 
PDF
Continuous Integration for Oracle Database Development
Vladimir Bakhov
 
PDF
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
LibbySchulze
 
PDF
1506.08725v1
Sandeep Sivanandan
 
PPTX
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Amine Barrak
 
PDF
Building a CI/CD Pipeline for PHP apps
Juan Manuel Torres
 
PPTX
Ultimate Guide to Microservice Architecture on Kubernetes
kloia
 
PPTX
DevOps Interview Questions Part - 1 | Devops Interview Questions And Answers ...
Simplilearn
 
PDF
GITLAB-CICD_For_Professionals_KodeKloud.pdf
deepaktyagi0048
 
PPTX
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
Oleg Shalygin
 
PDF
Migration Effort in the Cloud - The Case of Cloud Platforms
Stefan Kolb
 
PDF
Workshop: Delivering chnages for applications and databases
Eduardo Piairo
 
PPTX
The Science of database CICD - UKOUG Breakthrough
Jasmin Fluri
 
PDF
Relational Database CI/CD
Jasmin Fluri
 
Using Containers to More Effectively Manage DevOps Continuous Integration
Cognizant
 
AZ-400 Exam Dumps Online – Proven by Learners Worldwide
lemoncuc92
 
A New Paradigm In Linux Debug From Viosoft
guestc28df4
 
CV_RishabhDixit
Rishabh Dixit
 
A New Paradigm In Linux Debug From Viosoft Corporation
art_lee
 
Converting to the latest COBOL Compiler made simple with the right tools
DevOps for Enterprise Systems
 
Foundry Management System Desktop Application
Dharmendra Sid
 
Continuous Integration for Oracle Database Development
Vladimir Bakhov
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
LibbySchulze
 
1506.08725v1
Sandeep Sivanandan
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Amine Barrak
 
Building a CI/CD Pipeline for PHP apps
Juan Manuel Torres
 
Ultimate Guide to Microservice Architecture on Kubernetes
kloia
 
DevOps Interview Questions Part - 1 | Devops Interview Questions And Answers ...
Simplilearn
 
GITLAB-CICD_For_Professionals_KodeKloud.pdf
deepaktyagi0048
 
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
Oleg Shalygin
 
Migration Effort in the Cloud - The Case of Cloud Platforms
Stefan Kolb
 
Workshop: Delivering chnages for applications and databases
Eduardo Piairo
 
The Science of database CICD - UKOUG Breakthrough
Jasmin Fluri
 
Relational Database CI/CD
Jasmin Fluri
 
Ad

Recently uploaded (20)

PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PDF
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
Configure Apache Mutual Authentication
Antonino Piraino
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
A proposed approach for plagiarism detection in Myanmar Unicode text
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Five Habits of High-Impact Board Members
OnBoard
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Configure Apache Mutual Authentication
Antonino Piraino
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 

Feast '20 slides

  • 1. Binary Quilting to Generate Patched Executables without Compilation Anthony Saieva, Gail Kaiser Columbia University 1
  • 2. Motivation -- Problematic Updates ● The typical update cycle is usually sufficient to keep code updated and secure. ● However in enterprise-critical systems, sysadmins may be reluctant to update systems for fear of unwanted side-effects. ● This leads to insecure deployments even when patches are available. ● When many update cycles have passed between the deployed and current versions, deploying the updated version is not simple and may not be feasible without major changes to the dependent systems. 2
  • 3. Why Binary Analysis? Changes may need to be made at binary level, either because legacy code no longer has the source code available or because proprietary licenses prevent making the source code available. Binary manipulations usually involve non-semantic changes like shadow stacks and stack canaries. 3
  • 4. Solution -- Customized Update Cycle Updating to the entire new version may break enterprise-critical functionality. Customized updates allows customers to maintain software through partial updates. 4
  • 5. Binary Quilting ● We introduce binary quilting to accomplish these customized updates. ● We leave untouched as much of the original code as possible. ● We only replace the overwritten code with the corresponding new code and its dependencies. 5
  • 6. We use binary analysis to associate changes at the source code level with changes at the binary level. The modified symbol table informs us which code to include in the update. Binary Patch Decomposition 6
  • 7. Binary Patch Decomposition We record the diffs between the previously compiled versions and the newly compiled versions by integrating binary change tracking into the build process. These diffs are stored in a changelog database. The developers send the appropriate metadata to each client depending on the deployed version of the client’s software and what they want to upgrade. 7
  • 8. Quilting Procedure Symbols function as a point of reference between the binaries. Since x86 defines strict function calling conventions, it guarantees a consistent state where we can interpose new code. References fall into 3 categories 1) Code References 2) Data References 3) PLT Interposition 8
  • 9. Evaluation Evaluated with 5 open source projects curl, coreutils, wget, libpng, and redis. LOC changes of size up to 40+ additions and 141- deletions. Resolved hundreds of code and data section references to successfully quilt the patches. 9
  • 10. Selected Case Studies Crashing bug in libpng (image processing library) where mathematical error causes invalid memory access. Quilted binary successfully parses problematic image. 10 Libcurl (command line networking client) failed to parse some malicious URL’s correctly due to erroneous conditional. Quilted binary functions correctly in network sensitive context.
  • 11. Quilting Overhead Quilting in new code adds to potentially vulnerable attack surface area. Since we quilt only the minimum required patch our technique introduces minimal space overhead. The largest size increase was 14%, but usually much smaller. 11
  • 12. Conclusion We successfully demonstrated binary quilting on real open source projects. In future work we plan to expand our evaluation and investigate formal verification approaches to prove that no side effects are introduced during the patching process. 12

Editor's Notes

  • #2: This is a note