Presentation is loading. Please wait.

Presentation is loading. Please wait.

Taint tracking Suman Jana.

Published byPaula Spencer Modified over 6 years ago

Similar presentations

Presentation on theme: "Taint tracking Suman Jana."— Presentation transcript:

1 Taint tracking Suman Jana

2 Dynamic Taint Analysis
Track information flow through a program at runtime Identify sources of taint – “TaintSeed” What are you tracking? Untrusted input Sensitive data Taint Policy – “TaintTracker” Propagation of taint Identify taint sinks – “TaintAssert” Taint checking Special calls: Jump statements, Format strings, etc. Outside network

3 TaintCheck (Newsome et al.)
Performed on x86 binary No need for source Implemented using Valgrind skin X86 -> Valgrind’s Ucode Taint instrumentation added Ucode -> x86 Sources -> TaintSeed Taint Policy -> TaintTracker Sinks -> TaintAssert Add on “Exploit Analyzer”

4 TaintCheck (Newsome et al.)
TaintSeed: Mark untrusted data as tainted TaintTracker: Track each instruction, propagate taint TaintAssert: Check is tainted data is used dangerously

5 TaintSeed Marks any data from untrusted sources as “tainted”
Each byte of memory has a four-byte shadow memory that stores a pointer to a Taint data structure if that location is tainted Else store a NULL pointer

6 TaintTracker Tracks each instruction that manipulates data in order to determine whether the result is tainted. When the result of an instruction is tainted by one of the operands, TaintTracker sets the shadow memory of the result to point to the same Taint data structure as the tainted operand.

7 TaintAssert & Exploit Analyzer
Checks whether tainted data is used in ways that its policy defines as illegitimate Exploit Analyzer Backtrace chain of taint structures: provides useful information about how the exploit happened, and what the exploit attempts to do Useful to generate exploit fingerprints Transfer control to sandbox for analysis

8 Automatic Signature Generation
Find value used to override return address – typically fixed value in the exploit code

9 Taint Analysis in Action

10 Δ τ t = IsUntrusted(src) Input get_input(src)↓ t Var Val
tainted untainted Δ Var Val x = get_input( ) y = x + 42 … goto y x 7 Input is tainted Tainted Var τ TaintSeed Input t = IsUntrusted(src) get_input(src)↓ t x T

11 Data derived from user input is tainted
Δ Var Val x 7 tainted untainted x = get_input( ) y = x + 42 … goto y y 49 Data derived from user input is tainted Tainted T Var x τ TaintTracker BinOp t1 = τ[x1] , t2 = τ[x2] x1 + x2 ↓ t1 v t2 y T

12 Pgoto(ta) = ¬ ta (Must be true to execute)
Δ Var Val x 7 y 49 tainted untainted x = get_input( ) y = x + 42 … goto y Policy Violation Detected Tainted T Var x y τ TaintAssert Pgoto(ta) = ¬ ta (Must be true to execute)

13 Jumping to overwritten return address
x = get_input( ) y = … … goto y Jumping to overwritten return address strcpy(buffer,argv[1]) ; return ;

14 Policy Considerations?

15 Δ μ τ τμ Memory Load Variables Memory Var Val x 7 Addr Val 7 42
Tainted T Var x τ Tainted F/T? Addr 7 τμ

16 Problem: Memory Addresses
Δ Var Val x = get_input( ) y = load( x ) goto y x 7 μ Addr Val 7 42 All values derived from user input are tainted?? Tainted? F Addr 7 τμ

17 Jump target could be any untainted memory cell value
Policy 1: Taint depends only on the memory cell Δ Var Val x = get_input( ) y = load( x ) goto y Undertainting Failing to identify tainted values - e.g., missing exploits x 7 Jump target could be any untainted memory cell value μ Addr Val 7 42 Taint Propagation Tainted F Addr 7 τμ Load v = Δ[x] , t = τμ[v] load(x) ↓ t

18 Address expression is tainted
Policy 2: If either the address or the memory cell is tainted, then the value is tainted Memory printa printb x = get_input( ) y = load(jmp_table + x % 2 ) goto y Overtainting Unaffected values are tainted - e.g., exploits on safe inputs Address expression is tainted jmp_table Policy Violation? Taint Propagation Load v = Δ[x] , t = τμ[v], ta = τ[x] load(x) ↓ t v ta

19 General Challenge: State-of-the-Art is not perfect for all programs
Undertainting: Policy may miss taint Overtainting: Policy may wrongly detect taint

20 TaintCheck Evaluation

21 Effectiveness of TaintCheck
False Negatives Use control flow to change value without gathering taint Example: if (x == 0) y=0; else if (x == 1) y=1; Equivalent to x=y; Tainted index into a hardcoded table Policy – value translation is not tainted Enumerating all sources of taint False Positives Vulnerable code? Sanity Checks not removing taint Requires fine-tuning Taint sanitization problem Want your data to be cleaned before it hits the sink

22 Effectiveness of TaintCheck
Does TaintCheck raise false alerts for existing code? network programs: apache, ATPhttpd, bftpd, cfingerd, and named client programs: ssh and firebird non-network programs: gcc, ls, bzip2, make, latex, vim, emacs, and bash Networked programs: 158K+ DNS queries No false +ves All client and non-network programs (tainted data is stdin): Only vim and firebird caused false +ves (data from config files used as offset to jump address)

23 TaintCheck - Attack Detection
Synthetic Exploits Buffer overflow -> function pointer Buffer overflow -> format string Format string -> info leak Actual Exploits 3 real world examples

24 TaintCheck Performance
Performance overhead for Apache

Download ppt "Taint tracking Suman Jana."

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
1 InfoShield: A Security Architecture for Protecting Information Usage in Memory Georgia Tech Weidong Shi – Georgia Tech Josh Fryman – Intel Corporation.

1 InfoShield: A Security Architecture for Protecting Information Usage in Memory Georgia Tech Weidong Shi – Georgia Tech Josh Fryman – Intel Corporation.
2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.

2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Dynamic Taint Analysis and Forward Symbolic Execution Ankush Tyagi.

Dynamic Taint Analysis and Forward Symbolic Execution Ankush Tyagi.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Similar presentations

Ads by Google