TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

Slides:

Advertisements

Similar presentations

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Advertisements

1 Symbolic Execution Kevin Wallace, CSE

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Chapter 3 (Part 1) Network Security

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.

Fuzzing Dan Fleck CS 469: Security Engineering Sources:

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

C++ Programming: From Problem Analysis to Program Design, Third Edition Chapter 1: An Overview of Computers and Programming Languages C++ Programming:

Computer Science: A Structured Programming Approach Using C1 Objectives ❏ To understand the structure of a C-language program. ❏ To write your first C.

1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.

Chapter 3 Planning Your Solution

1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Address Space Layout Permutation

University of Maryland parseThat: A Robust Arbitrary-Binary Tester for Dyninst Ray Chen.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Computer Security and Penetration Testing

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1,2, Tao Wei 1,2, Guofei Gu 3, Wei Zou 1,2.

Scalable Analysis of Distributed Workflow Traces Daniel K. Gunter and Brian Tierney Distributed Systems Department Lawrence Berkeley National Laboratory.

Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley

Automated Whitebox Fuzz Testing Network and Distributed System Security (NDSS) 2008 by Patrice Godefroid, ‏Michael Y. Levin, and ‏David Molnar Present.

Which Configuration Option Should I Change? Sai Zhang, Michael D. Ernst University of Washington Presented by: Kıvanç Muşlu.

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Part 2: Packet Transmission Packets, frames Local area networks (LANs) Wide area networks (LANs) Hardware addresses Bridges and switches Routing and protocols.

Introduction to Software Testing. Types of Software Testing Unit Testing Strategies – Equivalence Class Testing – Boundary Value Testing – Output Testing.

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.

C++ Programming: From Problem Analysis to Program Design, Third Edition Chapter 1: An Overview of Computers and Programming Languages.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.

Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:

1 Context-dependent Product Line Practice for Constructing Reliable Embedded Systems Naoyasu UbayashiKyushu University, Japan Shin NakajimaNational Institute.

Today’s Agenda  Reminder: HW #1 Due next class  Quick Review  Input Space Partitioning Software Testing and Maintenance 1.

Algorithms & FlowchartsLecture 10. Algorithm’s CONCEPT.

A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Concepts and Realization of a Diagram Editor Generator Based on Hypergraph Transformation Author: Mark Minas Presenter: Song Gu.

PLC '06 Experience in Testing Compiler Optimizers Using Comparison Checking Masataka Sassa and Daijiro Sudo Dept. of Mathematical and Computing Sciences.

A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.

Fuzzing And Oracles By: Thomas Sidoti. Overview Introduction Motivation Fuzzable Exploits Oracles Implementation Fuzzing Results.

Random Test Generation of Unit Tests: Randoop Experience

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt Cyber Defense.

Analyzing Input Validation vulnerabilities in Android System Services NAMJUN PARK (NPAR350)

AppAudit Effective Real-time Android Application Auditing Andrew Jeong

Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.

Configuration Fuzzing for Software Vulnerability Detection

Secure Software Development: Theory and Practice

Introduction to Information Security

RDE: Replay DEbugging for Diagnosing Production Site Failures

C++ Programming: From Problem Analysis to Program Design

Presented by Mahadevan Vasudevan + Microsoft , *UC-Berkeley

Introduction to the C Language

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

VUzzer: Application-aware Evolutionary Fuzzing

CSC-682 Advanced Computer Security

CS5123 Software Validation and Quality Assurance

IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.

Stelios Sidiroglou-Douskos, Eric Lahtinen, Fan Long, Martin Rinard

Format String Vulnerability

Presentation transcript:

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking University, China 2 Texas A&M University, US 31st IEEE Symposium on Security & Privacy

Outline Introduction  Background  Motivation TaintScope  Intuition  System Design  Evaluation Conclusion

Fuzzing/Fuzz Testing Feed target applications with malformed inputs e.g., invalid, unexpected, or random test cases  Proven to be remarkably successful  E.g., randomly mutate well-formed inputs and runs the target application with the “mutations” Application Fuzzer crash Malformed Input 3 Introduction TaintScopeConclusion

Fuzzing is great 4 However… Introduction TaintScopeConclusion In the best case, malformed inputs will explore different program paths, and trigger security vulnerabilities

A quick example Malformed images will be dropped when the decoder function detects checksums mismatch 5 1 void decode_image(FILE* fd){ int length = get_length(fd); 4 int recomputed_chksum = checksum(fd, length); 5 int chksum_in_file = get_checksum(fd); //line 6 is used to check the integrity of inputs 6 if(chksum_in_file != recomputed_chksum) 7 error(); 8 int Width = get_width(fd); 9 int Height = get_height(fd); 10 int size = Width*Height*sizeof(int);//integer overflow 11 int* p = malloc(size); re-compute a new checksum read the attached checksum compare tow values Introduction TaintScopeConclusion

Checksum: the bottleneck 6 Checksum is a common way to test the integrity of input data Introduction TaintScopeConclusion if(checksum( D ata )!= C hksum ) Most mutations are blocked at the checksum test point

Our motivation Penetrate checksum checks! 7 Our Goal Introduction TaintScopeConclusion

Intuition Disable checksum checks by control flow alteration Fuzz the modified program Repair the checksum fields in malformed inputs that can crash the modified program 8 if(checksum( D ata )!= C hksum ) goto L1; exit(); L1: continue(); Original program Modified program Introduction TaintScope Conclusion

Key Questions Q1: How to locate the checksum test instructions in a binary program? Q2: How to effectively and efficiently fuzz for security vulnerability detection? Q3: How to generate the correct checksum value for the invalid inputs that can crash the modified program? 9 Introduction TaintScope Conclusion

TaintScope Overview 10 Execution Monitor Checksum Locator Directed Fuzzer Checksum Repairer Modified Program Hot Bytes Info Instruction Profile Crashed Samples Reports Q1 Q2Q3

A1: Locate the checksum test instruction 11 Introduction TaintScope Conclusion Checksum is usually used to protect a large number of input bytes if(checksum( D ata ) != C hksum ) D ata C hksum Key Observation 1 Based on fine-grained taint analysis, we first find the conditional jump instructions (e.g., jz, je ) that depend on more than a certain number of input bytes Take these conditional jump instructions as candidates

A1: Locate the checksum test instruction Key Observation 2 12 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions

A1: Locate the checksum test instruction Key Observation 2 13 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions ① Run well-formed inputs, identify the always-taken and always-not-taken insts

A1: Locate the checksum test instruction Key Observation 2 14 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions ① Run well-formed inputs, identify the always-taken and always-not-taken insts ② Run malformed inputs, also identify the always-taken and always-not-taken insts

A1: Locate the checksum test instruction Key Observation 2 15 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions ① Run well-formed inputs, identify the always-taken and always-not-taken insts ② Run malformed inputs, also identify the always-taken and always-not-taken insts ③ Identify the conditional jump inst that behaves completely different when processing well-formed and malformed inputs

A2: Effective and efficient fuzzing Blindly mutating will create huge amount of redundant test cases --- ineffective and inefficient Directed fuzzing: focus on modifying the “hot bytes” that refer to the input bytes flow into critical system/library calls  Memory allocation, string operation… 16 Introduction TaintScope Conclusion 1 void decode_image(FILE* fd){ if(chksum_in_file != recomputed_chksu goto 8; 7 error(); 8 int Width = get_width(fd); 9 int Height = get_height(fd); 10 int size = Width*Height*sizeof(int);//integer overflow 11 int* p = malloc(size); 12 … Directly modifying “width” or “height" fields will trigger the bug easily

A3: Generate the correct checksum The classical solution is symbolic execution and constraint solving We use combined concrete/symbolic execution  Only leave the bytes in the checksum field as symbolic values  Collect and solve the trace constraints on C hksum when reaching the checksum test inst.  Note that: checksum( D ata ) is a runtime determinable constant value. C hksum originates from the checksum field, but may be transformed, such as from hex/oct to dec number, from little-endian to big-endian. 17 Solving checksum( D ata )== C hksum is hard or impossible, if both D ata and C hksum are symbolic values Introduction TaintScope Conclusion

Design Summary Directed Fuzzing  Identify and modify “hot bytes” in valid inputs to generate malformed inputs On top of PIN binary instrumentation platform Checksum-aware Fuzzing  Locate checksum check points and checksum fields.  Modify the program to accept all kinds input data  Generate correct checksum fields for malformed inputs that can crash the modified program Offline symbolically execute the trace, using STP solver 18 Introduction TaintScope Conclusion

Evaluation Component evaluation  E1: Whether TaintScope can locate checksum points and checksum fields?  E2: How many hot byte in a valid input?  E3: Whether TaintScope can generate a correct checksum field? Overall evaluation  E 4 : Whether TaintScope can detect previous unknown vulnerabilities in real-world applications? 19 Introduction TaintScope Conclusion

Evaluation 1 : locate checksum points We test several common checksum algorithms, including CRC32, MD5, Adler32. TaintScope accurately located the check statements. 20 Introduction TaintScope Conclusion

Evaluation 2 : identify hot bytes We measured the number of bytes could affect the size arguments in memory allocation functions 21 Introduction TaintScope Conclusion

Evaluation 3 : generate correct checksum fields We test malformed inputs in four kinds of file formats. TaintScope is able to generate correct checksum fields. 22 Introduction TaintScope Conclusion

Evaluation 4 : 27 previous unknown vulns 23 Introduction TaintScope Conclusion MS Paint Google Picasa Adobe Acrobat ImageMagick irfanview gstreamer WinampXEmacs Amaya dillo wxWidgets PDFlib

Evaluation 4 : 27 previous unknown vulns 24

Evaluation 4: 27 previous unknown vulns 25 Introduction TaintScope Conclusion

Checksum is a big challenge for fuzzing tools TaintScope can perform:  Directed fuzzing Identify which bytes flow into system/library calls. dramatically reduce the mutation space.  Checksum-aware fuzzing Disable checksum checks by control flow alternation. Generate correct checksum fields in invalid inputs. TaintScope detected dozens of serious previous unknown vulnerabilities. 26 IntroductionTaintScope Conclusion

Thanks for your attention!