Presentation is loading. Please wait.

Presentation is loading. Please wait.

Edward J. Schwartz, Thanassis Avgerinos, David Brumley

Published bySilas Fleming Modified over 6 years ago

Similar presentations

Presentation on theme: "Edward J. Schwartz, Thanassis Avgerinos, David Brumley"— Presentation transcript:

1 Edward J. Schwartz, Thanassis Avgerinos, David Brumley
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis Avgerinos, David Brumley 11/15/2018 Carnegie Mellon University

2 Edward J. Schwartz, Thanassis Avgerinos, David Brumley
A Few Things You Need to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis Avgerinos, David Brumley 11/15/2018 Carnegie Mellon University

3 The Root of All Evil Humans write programs This Talk: Computers Analyzing Programs Dynamically at Runtime 11/15/2018 Carnegie Mellon University

4 Two Essential Runtime Analyses
Detect Exploits [Costa2005,Crandall2005, Newsome2005,Suh2004] Detect packing in malware [Bayer2009,Yin2007] Dynamic Taint Analysis: What values are derived from user input? Forward Symbolic Execution: What input will make execution reach this line of code? Input Filter Generation [Costa2007,Brumley2008] Automated Test Case Generation [Cadar2008,Godefroid2005,Sen2005] 11/15/2018 Carnegie Mellon University

5 Our Contributions 1: Turn English descriptions into an algorithm
Computers Analyzing Programs Dynamically at Runtime 1: Turn English descriptions into an algorithm Operational Semantics 2: Algorithm highlights caveats, issues, and unsolved problems that are deceptively hard Dynamic Taint Analysis: Is this value affected by user input? Forward Symbolic Execution: What input will make execution reach this line of code? 11/15/2018 Carnegie Mellon University

6 Our Contributions (cont’d)
3: Systematize recurring themes in a wealth of previous work 11/15/2018 Carnegie Mellon University

7 Dynamic Taint Analysis: What values are derived from user input?
How it works – example Desired properties Example issue. Paper has many more. 11/15/2018 Carnegie Mellon University

8 Carnegie Mellon University
Δ Var Val tainted untainted x = get_input( ) y = x + 42 … goto y x 7 Input is tainted Tainted? Var τ Taint Introduction Input t = IsUntrusted(src) get_input(src)↓ t x T 11/15/2018 Carnegie Mellon University

9 Δ τ t1 = τ[x1] , t2 = τ[x2] BinOp x1 + x2 ↓ t1 v t2 Var Val x 7
tainted untainted x = get_input( ) y = x + 42 … goto y y 49 Data derived from user input is tainted Tainted? T Var x τ Taint Propagation BinOp t1 = τ[x1] , t2 = τ[x2] x1 + x2 ↓ t1 v t2 y T 11/15/2018 Carnegie Mellon University

10 Δ τ Pgoto(ta) = ¬ ta (Must be true to execute) Var Val x 7 y 49
tainted untainted x = get_input( ) y = x + 42 … goto y Policy Violation Detected Tainted? T Var x y τ Taint Checking Pgoto(ta) = ¬ ta (Must be true to execute) 11/15/2018 Carnegie Mellon University

11 x = get_input( ) y = … … goto y
Real Use: Exploit Detection x = get_input( ) y = … … goto y Jumping to overwritten return address strcpy(buffer,argv[1]) ; return ; 11/15/2018 Carnegie Mellon University

12 Carnegie Mellon University
Memory Load Variables Memory Δ Var Val x 7 μ Addr Val 7 42 Tainted? T Var x τ Tainted? F Addr 7 τμ 11/15/2018 Carnegie Mellon University

13 Problem: Memory Addresses
Δ Var Val x = get_input( ) y = load( x ) goto y x 7 μ Addr Val 7 42 All values derived from user input are tainted?? Tainted? F Addr 7 τμ 11/15/2018 Carnegie Mellon University

14 Δ μ τμ Policy 1: Undertainting Failing to identify tainted values
Taint depends only on the memory cell Δ Var Val x = get_input( ) y = load( x ) goto y Undertainting Failing to identify tainted values - e.g., missing exploits x 7 Jump target could be any untainted memory cell value μ Addr Val 7 42 Taint Propagation Tainted? F Addr 7 τμ Load v = Δ[x] , t = τμ[v] load(x) ↓ t 11/15/2018 Carnegie Mellon University

15 Policy 2: Overtainting Unaffected values are tainted
If either the address or the memory cell is tainted, then the value is tainted Memory printa printb x = get_input( ) y = load(jmp_table + x % 2 ) goto y Overtainting Unaffected values are tainted - e.g., exploits on safe inputs Address expression is tainted jmp_table Policy Violation? Taint Propagation Load v = Δ[x] , t = τμ[v], ta = τ[x] load(x) ↓ t v ta 11/15/2018 Carnegie Mellon University

16 Research Challenge State-of-the-Art is not perfect for all programs
Undertainting: Policy may miss taint Overtainting: Policy may wrongly detect taint 11/15/2018 Carnegie Mellon University

17 Carnegie Mellon University
Forward Symbolic Execution: What input will make execution reach this line of code? How it works – example Inherent problems of symbolic execution Proposed solutions 11/15/2018 Carnegie Mellon University

18 Carnegie Mellon University
The Challenge bad_abs(x is input) if (x < 0) then return -x if (x = 0x ) then return -x return x 232 possible inputs 0x Forward Symbolic Execution: What input will make execution reach this line of code? 11/15/2018 Carnegie Mellon University

19 A Simple Example x symbolic can have any value Interpreter
bad_abs(x is input) If (x < 0) If x == 0x return -x return x What input will make execution reach this line of code? Interpreter Interpreter x ≥ 0 t f Interpreter Interpreter t f x < 0 x ≥ 0 Λ x != 0x x ≥ 0 Λ x == 0x 11/15/2018 Carnegie Mellon University

20 One Problem: Exponential Blowup Due to Branches
Interpreter Branch 1 Branch 2 Branch 3 Exponential Number of Interpreters/formulas in # of branches 11/15/2018 Carnegie Mellon University

21 Path Selection Heuristics
Symbolic Execution Tree However, these are heuristics. In the worst case all create an exponential number of formulas in the tree height. Depth-First Search (bounded) ,Random Search [Cadar2008] Concolic Testing [Sen2005,Godefroid2008] 11/15/2018 Carnegie Mellon University

22 Symbolic Execution is not Easy
Exponential number of interpreters/formulas Exponentially-sized formulas Solving a formula is NP-Complete! branching s + s + s + s + s + s + s + s == 42 substitution 11/15/2018 Carnegie Mellon University

23 Other Important Issues
Formalization Π = (s + s + s + s + s + s + s + s) == 42 More complex policies 11/15/2018 Carnegie Mellon University

24 Carnegie Mellon University
Conclusion Dynamic taint analysis and forward symbolic execution used extensively in literature Formal algorithm and what is done for each possible step of execution often not emphasized We provided a formal definition and summarized Critical issues State-of-the-art solutions Common tradeoffs 11/15/2018 Carnegie Mellon University

25 Carnegie Mellon University
Thank You! Questions? 11/15/2018 Carnegie Mellon University

Download ppt "Edward J. Schwartz, Thanassis Avgerinos, David Brumley"

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Architecture-dependent optimizations Functional units, delay slots and dependency analysis.

Architecture-dependent optimizations Functional units, delay slots and dependency analysis.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Dynamic Programming.

Dynamic Programming.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Unleashing Mayhem on Binary Code

Unleashing Mayhem on Binary Code
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Algorithms and Problem Solving-1 Algorithms and Problem Solving.

Algorithms and Problem Solving-1 Algorithms and Problem Solving.
Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.

Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.
AUTOMATIC CONCOLIC TEST GENERATION WITH VIRTUAL PROTOTYPES FOR POST-SILICON VALIDATION Reviewer: Shin-Yann Ho Instructor: Jie-Hong Jiang.

AUTOMATIC CONCOLIC TEST GENERATION WITH VIRTUAL PROTOTYPES FOR POST-SILICON VALIDATION Reviewer: Shin-Yann Ho Instructor: Jie-Hong Jiang.
Dynamic Taint Analysis and Forward Symbolic Execution Ankush Tyagi.

Dynamic Taint Analysis and Forward Symbolic Execution Ankush Tyagi.
Week 2 CS 361: Advanced Data Structures and Algorithms

Week 2 CS 361: Advanced Data Structures and Algorithms
Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.

Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.
Effective Real-time Android Application Auditing

Effective Real-time Android Application Auditing
EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012.

EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012.
1 Hybrid-Formal Coverage Convergence Dan Benua Synopsys Verification Group January 18, 2010.

1 Hybrid-Formal Coverage Convergence Dan Benua Synopsys Verification Group January 18, 2010.
Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:

Dana Nau: Lecture slides for Automated Planning Licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License:
What's The Plan? Algorithmic Thinking Step-by-step directions for whatever someone, or the computer, needs to do © 2004 Lawrence Snyder.

What's The Plan? Algorithmic Thinking Step-by-step directions for whatever someone, or the computer, needs to do © 2004 Lawrence Snyder.
Theory of Programming Languages Introduction. What is a Programming Language? John von Neumann (1940’s) –Stored program concept –CPU actions determined.

Theory of Programming Languages Introduction. What is a Programming Language? John von Neumann (1940’s) –Stored program concept –CPU actions determined.

Similar presentations

Ads by Google