# Goals and Timeline

* First Month
  * [1 week] Identify the changes between the patched and unpatched binaries.
    * For each function and each data block.
  * [1 week] Reason about the changes per instruction, for micropatching.
    * Why is each instruction changed, and how?
    * How can we reason about it?
    * If we want to transplant the instruction, how can we do it?
  * [1 week] Reason about the changes per data item (in its own data type, e.g., integer, floating point, string, ...), for micropatching.
    * Why is each value in the data section changed, and how?
    * How can we reason about it?
    * If we want to transplant the value (e.g., modify/add the value in another binary), how can we do it?
  * [1 week] Design an automated way of doing micropatching: (1) survey the literature (2.5 days), (2) come up with your own (tentative) solution for doing micropatching.
    * Design your own solution based on the previous observations.
* Second Month
  * [1 week] First attempt at micropatching (manually).
    * Leverage the experience from the first month to micropatch manually.
  * [1 week] Iteration 1: Automating the micropatching (still done manually, but in a way that can be automated) -- this may require refactoring your approach.
    * Automate the manual micropatching process.
  * [1 week] Iteration 2: Automating the micropatching (still done manually, but in a way that can be automated) -- this may require refactoring your approach.
    * Automate the manual micropatching process (learn from the failures in the first iteration and improve the algorithm).
  * [1 week] Iteration 3: Automating the micropatching (still done manually, but in a way that can be automated) -- this may require refactoring your approach.
    * Automate the manual micropatching process (learn from the failures in the first/second iterations and improve the algorithm).
# Tracking Sudo's Security Patch Effects

* main
  * <_start>
    * Initial offset: 50h
    * Address range: 6528-6559
    * branch for <__libc_start_main@plt> changed from 42e0 to 4330
    * branch for <abort@plt> changed from 44c0 to 4510
  * <call_weak_fn>
    * Initial offset: 50
    * Address range: 6578-65a7
    * adrp changed from 2e000 to 2f000, changing <__FRAME_END__+0x10270> to <__FRAME_END__+0xfe40>
    * cbz - compare and branch if zero - for <call_weak_fn+0x10> changed from 6570 to 65c0
    * b - branch - changed from 4490 to 44e0 for <__gmon_start__@plt>
  * <deregister_tm_clones>
    * Initial offset: 50
    * Address range: 6560-65b0
    * adrp changed from 30000 to 31000 (x2)
    * add immediate operand changed from 0x448 to 0x450 (x2)
    * b.eq changed from 65a0 to 65f0
    * adrp changed from 2e000 to 2f000 (x2)
    * cbz - compare and branch if zero - for <deregister_tm_clones+0x28> changed from 65a0 to 65f0
  * <register_tm_clones>
    * Initial offset: 50
    * Address range: 65e0-6627
    * adrp changed from 30000 to 31000, <saved_signals+0x4a8> to <saved_signals+0x4a0> (x2)
    * cbz - compare and branch if zero - for <register_tm_clones+0x34> changed from 65dc to 662c (x2)
    * adrp changed from 2e000 to 2f000, <__FRAME_END__+0x10270> to <__FRAME_END__+0xfe40> (x2)
  * <__do_global_dtors_aux>
    * Initial offset: 50
    * Address range: 65e0-6627
    * adrp changed from 30000 to 31000, <saved_signals+0x4a8> to <saved_signals+0x4a0>
    * ldrb - load byte - immediate operand changed from #1096 to #1104
    * cbnz - compare and branch if not zero - for <__do_global_dtors_aux+0x3c> changed from 661c to 666c (x2)
    * adrp changed from 2e000 to 2f000, <__FRAME_END__+0x10270> to <__FRAME_END__+0xfe40>
    * cbz - compare and branch if zero - changed from 6610 to 6660
    * adrp changed from 2f000 to 30000 for <memcpy@GLIBC_2.17>
    * ldr immediate operand changed from #1560 to #1568
    * bl changed from 40c0 to 4110 for <__cxa_finalize@plt>
    * bl changed from 6578 to 65c8 for <deregister_tm_clones>
    * strb - store byte - immediate operand changed from #1096 to #1104
  * <frame_dummy>
    * Initial offset: 50
    * Address range: 6528-6629
    * b - branch - changed from 65a8 to 65f8 for <register_tm_clones>
  * <sudo_conversation>
    * Initial offset: 50
    * Address range: 6630-68b7
    * bl - branch with link - changed from 4280 to 42d0
    * adrp changed from 2e000 to 2f000, <__FRAME_END__+0x10270> to <__FRAME_END__+0xfe40>
    * bl - branch with link - changed from 4440 to 4490 for <sudo_debug_set_active_instance_v1@plt>
    * b.le changed from 687c to 68cc for <sudo_conversation+0x24c>
    * adrp changed from 2e000 to 2f000, <__FRAME_END__+0x10270> to <__FRAME_END__+0xfe40>
    * adrp changed from 17000 to 19000, changing <tgetpass+0x2c8> to <tgetpass+0x300>
    * add immediate operand changed from #0xf08 to #0x258
    * adrp changed from 2e000 to 2f000, and <__FRAME_END__+0x10270> to <__FRAME_END__+0xfe40>
    * b - branch - 6714 changed to 6764, <sudo_conversation+0xe4> unchanged
    * b.eq - 674c changed to 679c, <sudo_conversation+0x11c> unchanged
    * b.ne - 6798 changed to 67e8, <sudo_conversation+0x168> unchanged
    * bl - 16d38 changed to 18088 for <tgetpass>
    * b400600 cbz operand changed from 6798 to 67e8, <sudo_conversation+0x168> unchanged
    * bl operand changed from 43f0 to 4440 for <strdup@plt>
    * cbz operand changed from 6898 to 68e8 for <sudo_conversation+0x268>
    * bl operand changed from 3f70 to 3fc0 for <strlen@plt>
    * bl operand changed from 48f0 to 4930 for <sudo_memset_s@plt>
    * b.eq operand changed from 686c to 68bc, <sudo_conversation+0x23c> unchanged
    * b.eq operand changed from 675c to 67ac, <sudo_conversation+0x12c> unchanged
    * b.le operand changed from 66b0 to 6700, <sudo_conversation+0x80> unchanged
    * b.eq operand changed from 6760 to 67b0, <sudo_conversation+0x130> unchanged
    * b.ne operand changed from 6798 to 67e8, <sudo_conversation+0x168> unchanged
    * b operand changed from 66c4 to 6714, <sudo_conversation+0x94> unchanged
    * cbz operand changed from 6704 to 6754, <sudo_conversation+0xd4> unchanged
    * tbz operand changed from 6788 to 67d8, <sudo_conversation+0x158> unchanged
    * bl operand changed from 4260 to 42b0, <open@plt> unchanged
    * b.ne operand changed from 6818 to 6868, <sudo_conversation+0x1e8> unchanged
    * bl operand changed from 3fb0 to 4000, <fputs@plt> unchanged
    * b.ne operand changed from 6704 to 6754, <sudo_conversation+0xd4> unchanged
    * b40002b5 cbz operand changed from 67ec to 683c, <sudo_conversation+0x1bc> unchanged
    * b operand changed from 67b0, <sudo_conversation+0x180> unchanged
    * cbz operand changed from 67e0 to 6830, <sudo_conversation+0x1b0> unchanged
    * bl operand changed from 3f70 to 3fc0, <strlen@plt> unchanged
    * bl operand changed from 4630 to 4680, <free@plt> unchanged
    * b.ne operand changed from 67ac to 67fc, <sudo_conversation+0x17c> unchanged
    * bl operand changed from 4440 to 4490, <sudo_debug_set_active_instance_v1@plt> unchanged
    * bl operand changed from 3f70 to 3fc0, <strlen@plt> unchanged
    * bl operand changed from 44b0 to 4500, <write@plt> unchanged
    * bl operand changed from 4430 to 4480, <close@plt> unchanged
    * b.ne operand changed from 6704 to 6754, <sudo_conversation+0xd4> unchanged
    * b operand changed from 6788 to 67d8, <sudo_conversation+0x158> unchanged
    * bl operand changed from 4440 to 4490, <sudo_debug_set_active_instance_v1@plt> unchanged
    * adrp operand changed from 17000 to 19000, <tgetpass+0x2c8> to <utmp_login+0x300> (x3)
    * add operand changed from #0xec8 to #0x218
    * add operand changed from #0xee8 to #0x238
    * add operand changed from #0xf00 to #0x280
    * bl operand changed from 4380 to 43c0, <sudo_fatalx_nodebug_v1@plt> unchanged
  * <sudo_conversation_1_7>
    * Initial offset: 50
    * Address range: 68b8-6908
    * b operand changed from 6630 to 6680, <sudo_conversation> unchanged
  * <sudo_conversation_printf>
  * <rpl_putenv>
  * <getenv_unhooked>
  * <getenv>
  * <putenv>
  * <setenv>
  * <unsetenv>
  * <exec_cmnd>
  * <sudo_terminated>
  * <sudo_execute>
  * <terminate_command>
  * <disable_execute>
  * <sudo_execve>
  * <deliver_signal>
  * <mon_backchannel_cb>
  * <mon_errpipe_cb>
  * <send_status>
  * <mon_signal_cb>
  * <exec_monitor>
  * <errpipe_cb>
  * <handle_sigchld_nopty>
  * <signal_cb_nopty>
  * <exec_nopty>
  * <sigttin>
  * <sigttou>
  * <log_stdin>
  * <log_ttyin>
  * <log_suspend>
  * <log_stderr>
  * <log_stdout>
  * <log_ttyout>
  * <add_io_events>
  * <send_command_status>
  * <schedule_signal>
  * <sync_ttysize>
  * <check_foreground>
  * <fwdchannel_cb>
  * <del_io_events>
  * <safe_close>
  * <ev_free_by_fd.isra.1>
  * <write_callback>
  * <read_callback>
  * <suspend_sudo>
  * <signal_cb_pty>
  * <backchannel_cb>
  * <io_buf_new.isra.2.constprop.4>
  * <pty_cleanup>
  * <pty_make_controlling>
  * <exec_pty>
  * <get_pty>
  * <register_hook_internal.isra.0>
  * <deregister_hook_internal.isra.2>
  * <process_hooks_setenv>
  * <process_hooks_putenv>
  * <process_hooks_getenv>
  * <process_hooks_unsetenv>
  * <register_hook>
  * <deregister_hook>
  * <get_net_ifs>
  * <free_plugin_info>
  * <sudo_load_plugin.isra.0>
  * <sudo_load_plugins>
  * <env_insert>
  * <usage_out>
  * <usage_err>
  * <usage>
  * <usage_excl.constprop.0>
  * <parse_args>
  * <add_preserved_fd>
  * <closefrom_except>
  * <parse_preserved_fds>
  * <sudo_handler>
  * <signal_pending>
  * <save_signals>
  * <restore_signals>
  * <init_signals>
  * <sudo_sigaction>
  * <sudo_check_suid>
  * <iolog_close.isra.3>
  * <format_plugin_settings.isra.5>
  * <iolog_open>
  * <get_user_info.constprop.6>
  * <policy_close.isra.2.constprop.17>
  * <os_init_common>
  * <disable_coredump>
  * <set_user_groups>
  * <run_command>
  * <policy_init_session>
  * <gc_add>
  * <switch_user>
  * <dir_is_writable.constprop.3>
  * <sudo_edit_open.constprop.0>
  * <sudo_edit_copy_tfiles>
  * <sudo_edit_create_tfiles>
  * <sudo_edit>
  * <sigttou>
  * <tcsetpgrp_nobg>
  * <tgetpass_handler>
  * <tgetpass_display_error>
  * <suspend>
  * <getln.constprop.0>
  * <tgetpass>
  * <get_process_ttyname>
  * <utmp_settime.isra.0>
  * <utmp_login>
  * <utmp_logout>
  * <__libc_csu_init>
  * <__libc_csu_fini>
  * <_fini>
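The first-month question "why is each instruction changed, and how?" and the per-instruction notes above can be answered mechanically for most of the entries: nearly every operand moved by the same amount, which is layout noise rather than a semantic change. As an added worked example (not part of these notes or of sudo), the following Python script takes the operand changes recorded on this page and separates the uniform shift from the references that moved by a different amount. The two sample tables are copied from the notes above; the grouping logic and the function names are the editor's own. Direct branch targets are compared as they are, while adrp/add and adrp/ldrb pairs are first resolved to an absolute address, because the page and the immediate both change even when the referenced data only moved.

```python
"""Separate layout-only operand shifts from real changes in a patched aarch64 binary.

Added worked example for the sudo patch notes; not part of the notes or of sudo.
Sample data is copied from the notes; the classification logic is the editor's.
"""
from collections import Counter

# Direct branches (b, b.cond, bl, cbz, cbnz, tbz): absolute targets.
# (function, mnemonic, unpatched target, patched target) -- values from the notes.
BRANCHES = [
    ("_start", "bl", 0x42E0, 0x4330),                  # <__libc_start_main@plt>
    ("_start", "bl", 0x44C0, 0x4510),                  # <abort@plt>
    ("call_weak_fn", "cbz", 0x6570, 0x65C0),
    ("call_weak_fn", "b", 0x4490, 0x44E0),             # <__gmon_start__@plt>
    ("deregister_tm_clones", "b.eq", 0x65A0, 0x65F0),
    ("__do_global_dtors_aux", "bl", 0x40C0, 0x4110),   # <__cxa_finalize@plt>
    ("frame_dummy", "b", 0x65A8, 0x65F8),              # <register_tm_clones>
    ("sudo_conversation", "b.le", 0x687C, 0x68CC),
    ("sudo_conversation", "bl", 0x16D38, 0x18088),     # <tgetpass>
    ("sudo_conversation", "bl", 0x43F0, 0x4440),       # <strdup@plt>
    ("sudo_conversation_1_7", "b", 0x6630, 0x6680),    # <sudo_conversation>
]

# adrp + add/ldr pairs: the adrp page plus the immediate is the data address.
# (function, unpatched page, unpatched imm, patched page, patched imm)
PAGE_REFS = [
    ("deregister_tm_clones", 0x30000, 0x448, 0x31000, 0x450),
    ("__do_global_dtors_aux", 0x30000, 1096, 0x31000, 1104),   # ldrb/strb #imm
    ("sudo_conversation", 0x17000, 0xF08, 0x19000, 0x258),
    ("sudo_conversation", 0x17000, 0xEC8, 0x19000, 0x218),
    ("sudo_conversation", 0x17000, 0xEE8, 0x19000, 0x238),
    ("sudo_conversation", 0x17000, 0xF00, 0x19000, 0x280),
]


def resolve_page_ref(page, imm):
    """Combine an adrp page with its add/ldr immediate into an absolute address."""
    return page + imm


def branch_deltas(branches):
    """Shift of each direct branch target: (function, mnemonic, delta)."""
    return [(fn, mn, new - old) for fn, mn, old, new in branches]


def page_ref_deltas(refs, old_page):
    """Shift of the *resolved* data address for refs whose unpatched page is old_page.

    Grouping by page keeps references into different sections apart, since each
    section can move by its own amount after a patch.
    """
    return [(fn, "adrp+imm", resolve_page_ref(np, ni) - resolve_page_ref(op, oi))
            for fn, op, oi, np, ni in refs if op == old_page]


def classify(deltas):
    """Split shifts into the dominant (layout-only) shift and the outliers.

    A uniform shift means the patch only moved code or data; a different shift
    means bytes were inserted or removed between the reference and its target,
    which is where a micropatch has to look more closely.
    Returns (dominant_delta, [(function, mnemonic, delta), ...]).
    """
    counts = Counter(d for _, _, d in deltas)
    dominant, _ = counts.most_common(1)[0]
    outliers = [(fn, mn, d) for fn, mn, d in deltas if d != dominant]
    return dominant, outliers


def report():
    """Human-readable summary of the branch group and each adrp page group."""
    groups = [("branch targets", branch_deltas(BRANCHES))]
    for page in sorted({op for _, op, _, _, _ in PAGE_REFS}):
        groups.append((f"data refs via adrp page 0x{page:x}", page_ref_deltas(PAGE_REFS, page)))
    lines = []
    for label, deltas in groups:
        dominant, outliers = classify(deltas)
        lines.append(f"{label}: dominant shift +0x{dominant:x}")
        for fn, mn, d in outliers:
            lines.append(f"  outlier in <{fn}> ({mn}): shifted by +0x{d:x} "
                         f"instead of +0x{dominant:x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it shows that every code reference moved by exactly 0x50 except the `bl` to `<tgetpass>`, which moved by 0x1350; the strings referenced through page 17000 also moved by 0x1350, except the one at `#0xf00`, which moved by 0x1380. The uniform 0x50 and 0x1008 shifts are relocation noise that a micropatch should recompute rather than copy; the two outliers point at where the patched binary actually gained bytes (between `sudo_conversation` and `tgetpass`, and between two of the referenced strings), which is where the per-instruction reasoning from the first month has to be applied by hand.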