Probing and Patching of a Heartbleed Bug
In this demo, we first run a buggy OpenSSL server in
a VM on top of QEMU/KVM. Next, we migrate the guest VM into DECAF and
verify that the OpenSSL server continues to run. Then we load the
tracecap plugin into DECAF to obtain an instruction trace of the
OpenSSL process. Using this instruction trace and the virtual machine
introspection built into DECAF, we locate the Heartbleed bug in the
OpenSSL server and implement a binary patch. We then implement a
binary patching plugin for DECAF that uses DECAF's virtual machine
introspection support to locate the library of interest (e.g. libssl)
and live-patch the library's instructions in memory. Finally, we
migrate the OpenSSL server back to QEMU/KVM and confirm that the
Heartbleed vulnerability has been eliminated. For more
information, please refer to our ACSAC'15 paper [1].
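The defect the binary patch closes, as an added C model written for this page (it is neither the DECAF plugin's code nor OpenSSL's): the unpatched heartbeat handler trusts the record's claimed payload length, while the patched one rejects any record whose claimed length exceeds what was actually received. The `heartbeat_reply` function, the `demo_mem` memory snapshot and its layout are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define HB_PADDING 16   /* a heartbeat record carries at least 16 bytes of padding */
#define HB_HEADER  3    /* type (1 byte) + payload length (2 bytes, big-endian) */

/*
 * Model of the heartbeat handler. `mem` is a constructed snapshot of process
 * memory that starts with the received record; `rec_len` is the record's real
 * length and `mem_len` the snapshot size (the model never reads outside it).
 * Returns the number of bytes written to `out`, or -1 if the record is rejected.
 */
static int heartbeat_reply(const unsigned char *mem, size_t mem_len, size_t rec_len,
                           int patched, unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec_len > mem_len) return -1;
    size_t payload = ((size_t)mem[1] << 8) | mem[2];   /* peer-controlled length */
    /* The fix: the claimed payload (plus padding) must fit inside the record received. */
    if (patched && HB_HEADER + payload + HB_PADDING > rec_len) return -1;
    if (HB_HEADER + payload > mem_len || payload > out_cap) return -1; /* model bound only */
    memcpy(out, mem + HB_HEADER, payload);  /* unpatched: copies past the record's end */
    return (int)payload;
}

/* Constructed demo memory: a 5-byte record claiming a 16-byte payload, followed by
   bytes standing in for unrelated heap contents (e.g. key material) next to it. */
static const unsigned char demo_mem[] = {
    0x01, 0x00, 0x10, 'h', 'i',                                   /* type=1, len=16, "hi" */
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S' /* adjacent memory */
};
static const size_t demo_rec_len = 5;

/* Returns 1 if the unpatched handler leaks adjacent memory into the reply. */
int unpatched_leaks(void)
{
    unsigned char out[64];
    int n = heartbeat_reply(demo_mem, sizeof demo_mem, demo_rec_len, 0, out, sizeof out);
    return n == 16 && memcmp(out + 2, "SECRET-KEY-BYT", 14) == 0;
}

/* Returns 1 if the patched handler rejects that same malformed record. */
int patched_rejects(void)
{
    unsigned char out[64];
    return heartbeat_reply(demo_mem, sizeof demo_mem, demo_rec_len, 1, out, sizeof out) == -1;
}

/* Returns 1 if the patched handler still answers a well-formed request ("hi" + padding). */
int patched_accepts_valid(void)
{
    unsigned char rec[HB_HEADER + 2 + HB_PADDING] = {0x01, 0x00, 0x02, 'h', 'i'};
    unsigned char out[64];
    return heartbeat_reply(rec, sizeof rec, sizeof rec, 1, out, sizeof out) == 2
        && memcmp(out, "hi", 2) == 0;
}
```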
Watch the live demo by clicking here.
Paper:
[1] Jinpeng Wei, Lok Yan, and Muhammad Azizul Hakim. "MOSE: Live Migration Based On-the-Fly Software Emulation". Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015), pages 221–230. Acceptance rate: 47/193 = 24.4%.