Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University.

Presentation transcript:

Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University June 27 th, 2008 The 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

Motivation

- Internet Worms (CodeRed, Slammer)
- Denial of Service (DoS), User DoS
- Viruses, Trojan Horses, Bots (Botnet)
- Accidental Breaches in Security

Common root: a vulnerability in software.

Related Work

- Dynamic analysis: Program shepherding (V. Kiriansky et al.), TaintCheck (J. Newsome et al.), Control Flow Integrity (M. Abadi et al.), Data Flow Integrity (M. Castro et al.) ...
  Drawback: run-time overhead, and waiting for the attack
- Static analysis: BOON (D. Wagner et al.), Splint (D. Larochelle et al.), Archer (Y. Xie et al.), RATS, Flawfinder
  Drawback: false positives
- Recent automated multi-path exploration: DART (P. Godefroid et al.), CUTE (K. Sen et al.), EXE (C. Cadar et al.), SAGE (P. Godefroid et al.)
  Drawback: low efficiency

Problem Statement and Our Technique

- How to discover/convict software vulnerabilities more efficiently
- An Efficient Input Provenance Based Approach
  - Conservative static analysis => suspect
  - Dynamic analysis => convict the suspect and prune false positives
  - Random mutation is avoided
  - No symbolic execution (so long executions can be handled)
- Key idea: data lineage tracing (input provenance)

Basic Idea: an integer overflow in an image viewer, zgv-5.8/readgif.c

    fread(&imagehed, sizeof(imagehed), 1, in);
    ...
    width = (imagehed.wide_lo + 256 * imagehed.wide_hi);
    height = (imagehed.high_lo + 256 * imagehed.high_hi);
    ...
    if ((... (byte *)malloc(width * height)) ...) {
        fclose(in);
        return (_PICERR_NOMEM);
    }

Input a.gif (256x128): xx ... 0x00 0x01 0x80 0x00 ...

Each input byte is labeled with its offset in the input stream, so width, height and the malloc size can be traced back to the exact input bytes they were computed from.

Architecture

Static front end -> Suspect -> Input Lineage Tracer -> Lineage -> Input Mutator -> New Input -> Run-time Detector -> Evidence

Inputs to the pipeline: the program/binary and a program input.
Suspect: a piece of instruction which is exploitable to trigger the vulnerability.

Component 1. Input Lineage Tracer

- Label the input stream (using the offset)
- Track the propagation of the labels through instructions, e.g.:

    mov 0xfffffffc(%ebp),%eax
    mov %eax, 0xfffffff8(%ebp)
    add %eax, %ecx
    mov %ecx, %edx

Component 1. Input Lineage Tracer

Key concepts:

- Data dependency (direct propagation):

    1. b=a;

    mov 0xfffffffc(%ebp),%eax
    mov %eax,0xfffffff8(%ebp)        # b=a

- Control dependency (indirect propagation):

    1. if (a==1)
    2.   b=1;
    3. else
    4.   c=0;

    cmpl $0x1,0xfffffffc(%ebp)       # a==1
    jne d
    movl $0x1,0xfffffff8(%ebp)       # b=1
    movl $0x0,0xfffffff4(%ebp)       # c=0
    jmp

Component 1. Data Lineage Tracer

For each statement S_i with definition def_i and uses use_i:

$$DL(def_i) = \begin{cases} \text{get\_new\_id}() & \text{if } def_i \text{ is an input value} \\ \bigcup DL(use_i) & \text{otherwise} \end{cases}$$

Input data tracking: each input byte is labeled with its offset in the input stream.
DL representation: reduced ordered Binary Decision Diagram (roBDD).

Component 1. Data Lineage Tracer: An Example

    fread(&imagehed, sizeof(imagehed), 1, in);
    ...
    width = (imagehed.wide_lo + 256 * imagehed.wide_hi);
    height = (imagehed.high_lo + 256 * imagehed.high_hi);
    ...
    if ((... (byte *)malloc(width * height)) ...) {
        fclose(in);
        return (_PICERR_NOMEM);
    }

Lineage computation:
- READ(buf, size, ...): for 0 <= i < size, DL(buf[i]) = get_new_id() (the offset i)
- DL(imagehed.wide_lo) = {6}, DL(imagehed.wide_hi) = {7}
- DL(width) = DL(imagehed.wide_lo) U DL(imagehed.wide_hi) = {6, 7}
- DL(height) = DL(imagehed.high_lo) U DL(imagehed.high_hi) = {8, 9}
- DL(width*height) = DL(width) U DL(height) = {6, 7, 8, 9}

Component 2. Input Mutator

Inputs: program input, data lineage, suspect. Output: evidence.

- Heuristic #1: Buffer overflow mutation (double the buffer size ...)
- Heuristic #2: Format string mutation (replace %s in the format string argument)
- Heuristic #3: Integer overflow mutation (boundary integer values: 0xffffffff, 0, 0x0fffffff)
- ...
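As an added illustration (not code from the paper or the zgv project), here is a toy version of the lineage tracer from the previous slides and of heuristic #3 applied to the zgv width*height suspect: every input byte is labelled with its offset, arithmetic unions the lineages of its operands, and the mutator overwrites only the lineage bytes with boundary values before a detector checks for the signed 32-bit overflow. The GIF field offsets 6..9, the sample bytes and the C int range check are assumptions.

```python
from typing import Iterable

INT32_MAX = 0x7fffffff  # assumption: width*height is a C int, so larger products wrap negative

class Tainted:
    """A runtime value plus its data lineage: the set of input offsets it derives from."""
    def __init__(self, value: int, lineage: Iterable[int] = ()):
        self.value, self.lineage = value, frozenset(lineage)

    def _combine(self, other, op):
        other = other if isinstance(other, Tainted) else Tainted(other)  # constants carry no lineage
        return Tainted(op(self.value, other.value), self.lineage | other.lineage)  # DL(def) = U DL(use)

    def __add__(self, o): return self._combine(o, lambda a, b: a + b)
    def __mul__(self, o): return self._combine(o, lambda a, b: a * b)
    __radd__, __rmul__ = __add__, __mul__

def read_input(data: bytes) -> list:
    """READ(buf, size): every buf[i] gets a fresh label, here its offset i in the input stream."""
    return [Tainted(b, {i}) for i, b in enumerate(data)]

def gif_alloc_size(data: bytes) -> Tainted:
    """Mirror of the zgv readgif.c computation that feeds malloc(width*height)."""
    h = read_input(data)
    # assumption: wide_lo, wide_hi, high_lo, high_hi are the bytes at offsets 6..9
    width = h[6] + 256 * h[7]   # DL(width)  = {6, 7}
    height = h[8] + 256 * h[9]  # DL(height) = {8, 9}
    return width * height       # DL(width*height) = {6, 7, 8, 9}: the suspect's lineage

def mutate_lineage(data: bytes, lineage: Iterable[int], fill: int) -> bytes:
    """Heuristic #3: overwrite only the bytes in the suspect's lineage with a boundary byte."""
    out = bytearray(data)
    for off in lineage:
        out[off] = fill
    return bytes(out)

def convict(data: bytes):
    """Trace the suspect, mutate the bytes it depends on, and report whether the overflow fires."""
    suspect = gif_alloc_size(data)
    for fill in (0xff, 0x00):  # boundary values 0xffffffff and 0 from the slide
        product = gif_alloc_size(mutate_lineage(data, suspect.lineage, fill)).value
        if product > INT32_MAX:  # run-time detector: the C int would wrap here
            return True, product
    return False, suspect.value

# constructed sample input: GIF signature, then a 256x128 logical screen (0x00 0x01 0x80 0x00)
SAMPLE_GIF = b"GIF89a" + bytes([0x00, 0x01, 0x80, 0x00]) + b"\x00" * 6

if __name__ == "__main__":
    print(sorted(gif_alloc_size(SAMPLE_GIF).lineage), convict(SAMPLE_GIF))
```

Only four of the sixteen sample bytes are ever mutated, which is the efficiency argument of the talk: the lineage tells the mutator exactly which input bytes reach the suspect.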

Implementation

- Diablo: builds the control flow graph and statically generates the control dependencies, to facilitate Valgrind instrumentation
- Valgrind: lineage tracing
- roBDD (Reduced ordered Binary Decision Diagram) to represent the data lineage

Evaluation - Effectiveness

Static detector, known vulnerabilities (SO = stack overflow, HO = heap overflow, IO = integer overflow):
- CVE (ncompress 4.2.4, SO)
- CVE (gzip 1.2.4, SO)
- CVE (Nullhttpd 0.50, HO)
- CVE (lhttpd 0.1, SO)
- CVE (wu-ftpd-2.6.0, Format String)
- CVE (cfingerd-1.4.3, Format String)
- CVE (ngircd-0.8.2, Format String)
- CVE (xzgv-0.8, IO & HO)
- CVE (GnuPG 1.4.3, IO & HO)

Static detector, unknown vulnerabilities:
- RATS, extended to catch buffer overflow and integer overflow (ipgrab-0.99, epstool-3.3, dcraw-7.94)

Evaluation - CVE (GnuPG 1.4.3)

GnuPG Parse_User_ID Remote Buffer Overflow Vulnerability: pktlen = in[2,3,4,5] = 0xffffffff

Evaluation - CVE (Cfingerd-1.4.3)

    syslog(LOG_NOTICE, "%s", (char *) syslog_str);

Evaluation - Ipgrab-0.99 (A New VUL)

Evaluation - Performance (Lineage Tracing)

Platform: two 2.13 GHz Pentium processors and 2 GB RAM running the Linux kernel

Evaluation - Performance

Evaluation - Space

Summary

An input lineage tracing and mutation system:
- Capable of convicting known and unknown vulnerabilities.
- Has reasonable overhead for the scenario of offline vulnerability conviction.

Pipeline: Static front end -> Suspect -> Data Lineage Tracer -> Lineage -> Input Mutator -> New Input -> Run-time Detector -> Evidence (inputs: the program/binary and a program input).

Thank you For more information: {zlin, xyzhang, Q & A