Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University."— Presentation transcript:

1 1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University * UC Berkeley

2 2 Dynamic Symbolic Execution Combines concrete execution with symbolic execution Has important applications Program Testing and Analysis –Automatic test case generation (DART, PEX, EXE, KLEE, SAGE) –Given an initial test case, find a variant that executes a different path Computer Security –Vulnerability Discovery & Exploit Generation –Given an initial benign test case, find a variant that triggers a bug –Vulnerability Diagnosis & Signature Generation –Given an initial exploit for a vulnerability, find a set of conditions necessary to trigger it

3 3 Limitations of Previous Approach Symbolic ExecutionConcrete Execution Program Symbolic Formula Initial Input Single-Path Symbolic Execution (SPSE) Ineffective for loops!

4 4 Contributions of Our Work Symbolic Single-Path Reasoning Concrete Execution Symbolic Loop Reasoning Loop-Extended Symbolic Execution (LESE) Generalizes symbolic reasoning to loops SPSE LESE Applicable directly to binaries Demonstrate its effectiveness in an important security application Buffer overflow diagnosis & discovery Show scalability for practical real-world examples

5 5 Talk Outline Motivation Overview of LESE Technical Approach Results and Applications Conclusion & Related Work

6 6 Motivation: A HTTP Server Example Input void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { URL [i] = input [p++]; } GET /index.html HTTP/1.1 CMD URL VERSION Calculating length Copying URL to buffer

7 7 Motivation: A HTTP Server Example void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { ASSERT (i < 1024); URL [i] = input [p++]; } Goal: Check if the buffer can be overflowed

8 8 Motivation: A HTTP Server Example Symbolic Constraints GET /index.html HTTP/1.1 F url [0] ≠ ‘ ’ F url [1] ≠ ‘ ’ F url [2] ≠ ‘ ’ … F url [12]= ‘ ’ (‘/’ != ‘ ’) Concrete Constraints (‘i’ != ‘ ’) (‘n’ != ‘ ’) … (‘ ’ == ‘ ’) ‘i’ not symbolic Vanilla SPSE would try over 1000 tests before exploiting void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { ASSERT (i < 1024); URL [i] = input [p++]; }

9 9 Talk Outline Motivation Overview of LESE Technical Approach Results and Applications Conclusion & Related Work

10 10 Overview LESE: Finds an exploit for the example in 1 step Key Point: Summarize loop effects Intuition: Why was ‘i’ not symbolic? –SPSE only tracks data dependencies –‘i’ was loop dependent Model loop-dependencies in addition to data dependencies Symbolic Data Dependencies Concrete Execution Symbolic Loop Dependencies SPSE LESE

11 11 Practical Requirements Applicable to binary code –Works for closed-sourced security-critical applications Should be simple –Scale to real-world programs Should not require manual function summaries –Need to reason about custom input processing –Hard to write summaries for certain functions (like sprintf)

12 12 Talk Outline Motivation Overview of LESE Technical Approach Results and Applications Conclusion & Related Work

13 13 Introduce a symbolic “trip count” for each loop –Symbolic variable representing the number of times a loop executes LESE has 2 steps –STEP 1: Derive relationship between program variables and trip counts »Linear Relationships –STEP 2: Relate trip counts to inputs Approach

14 14 Introducing Symbolic Trip Counts Introduces symbolic loop trip counts TC L1 TC L2 void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { ASSERT (i < 1024); URL [i] = input [p++]; }

15 15 void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i ++) { ASSERT (i < 1024); URL [i] = input [p++]; } Step 1: Relating program variables to TCs Links trip counts to program variables ptr = 4 + TC L1 Symbolic Constraints urlLen = 0 + TC L1 i = -1 + TC L2 p = 4 + TC L2 (i < urlLen)

16 16 Inputs –Initial Concrete Test Case –A Grammar »Fields »Delimiters Implicitly models symbolic attributes for fields –Lengths of fields –Counts of repeated elements Available from off-the-shelf tools –Network application grammars in Wireshark, GAPA –Media file formats in Hachoir, GAPA –Can even be automatically inferred [CCS07,S&P09] Step 2: Relating Trip Counts to Input GET /index.html HTTP/1.1

17 17 Step 2: Link trip counts to input Link trip counts to the input grammar (F uri [0] ≠ ‘ ’) && (F uri [1] ≠ ‘ ’) && … (F uri [12] == ‘ ’) Len(F URL ) == TC L1 G Symbolic Constraints void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { ASSERT (i < 1024); URL [i] = input [p++]; }

18 18 (i < urlLen) Solve using a decision procedure Link trip counts to the input grammar Symbolic Constraints ptr = 4 + TC L1 urlLen = 0 + TC L1 i = -1 + TC L1 p = 4 + TC L1 (i < urlLen) Len(F URL ) == TC L1 ASSERT (i >= 1024) SOLVE void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { ASSERT (i < 1024); URL [i] = input [p++]; }

19 19 Solution: HTTP Server Example Solve constraints Exploit Condition Len(F URL ) > 1024 GET aaa.. (1025 times)… void process_request (char* input) { char URL [1024]; … for (ptr = 4; input [ptr] != ' '; ptr++) urlLen ++; … for (i = 0, p = 4; i < urlLen; i++) { ASSERT (i < 1024); URL [i] = input [p++]; }

20 20 Challenges Problems: –Identifying loop dependencies on binaries »Syntactic induction variable analysis insufficient –Capturing the inter-dependence between two loops »An induction variable of may influence trip counts of subsequent loops Our Solution –Dynamic abstract interpretation of x86 machine code –Symbolic memory model for buffer pointers only

21 21 Talk Outline Motivation Overview of LESE Technical Approach Results and Applications Conclusion & Related Work

22 22 Experimental Setup Program LESE Decision Procedure (STP) Initial Test Case No Error Candidate Exploits Validation

23 23 Results (I): Vulnerability Discovery On 14 benchmark applications (MIT Lincoln Labs) –Created from historic buffer overflows (BIND, sendmail, wuftp) Found 1 or more vulnerabilities in each benchmark –1 new exploit location in sendmail 7 benchmark

24 24 Results (II): Real-world Vulnerabilities Diagnosis and Discovery 3 Real-world Case Studies –SQL Server Resolution [Slammer Worm 2003] –GDI Windows Library [MS07-046] –Gaztek HTTP web Server Diagnosis Results –Results precise and field level Discovery Results: Found 4 buffer overflows in 6 candidates –1 new exploit location for Gaztek HTTP server

25 25 Results (III): Loop statistics Provides new symbolic conditions –Loop Conditions

26 26 Talk Outline Limitations of SPSE Overview of LESE Requirements Technical Approach Results and Applications Conclusion & Related Work

27 27 Applications –Finding buffer overflows [NDSS00, FSE04,CCS03,FSE03] –Signature Generation [S&P06,RAID09,SOSP07] Dynamic Symbolic Execution –Whitebox fuzzing,DART,EXE,KLEE,PEX [NDSS08,PLDI05,CCS06,ODSI08,TAP08] –Generalizations »Length Abstraction [ISSTA08] »Compositional [POPL07] »Constraint subsumption [NDSS08] »Grammar-based fuzzing [PLDI08] »Protocol-level constraints [RAID09] Related Work

28 28 Conclusion LESE is a generalization of SPSE –Captures effect of program inputs on loops –Summarizes the effect of loops on program variables Works for real-world Windows and Linux binaries Key enabler for several applications –Buffer overflow discovery and diagnosis »Capable of finding new bugs »Does not require manual function summaries Thanks… Any Questions, comments, or feedback?

29 29 Challenges(II) Problem: Scaling the symbolic analysis to real programs –Combining dynamic information with symbolic information –Our Solution: Concretization when abstract values are beyond our symbolic theory Dealing with x86 binaries –No notion of program variables, types –Aliasing –Memory layouts –Our Solution »Stack abstract interpretation »Runtime information

Download ppt "1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University."

Similar presentations

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Binary Analysis for Botnet Reverse Engineering & Defense Dawn Song UC Berkeley.

Binary Analysis for Botnet Reverse Engineering & Defense Dawn Song UC Berkeley.
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
1 Symbolic Execution Kevin Wallace, CSE504 2010-04-28.

1 Symbolic Execution Kevin Wallace, CSE
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Symbolic execution © Marcelo d’Amorim 2010.

Symbolic execution © Marcelo d’Amorim 2010.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
IBinHunt: Binary Hunting with Inter-Procedural Control Flow Jiang Ming, Meng Pan, and Debin Gao College of Information Sciences and Technology, Penn State.

IBinHunt: Binary Hunting with Inter-Procedural Control Flow Jiang Ming, Meng Pan, and Debin Gao College of Information Sciences and Technology, Penn State.
SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,

SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications Pongsin Poosankam ‡* Prateek Saxena * Steve Hanna * Dawn.

1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications Pongsin Poosankam ‡* Prateek Saxena * Steve Hanna * Dawn.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Chapter Four Data Types Pratt 2 Data Objects A run-time grouping of one or more pieces of data in a virtual machine a container for data it can be –system.

Chapter Four Data Types Pratt 2 Data Objects A run-time grouping of one or more pieces of data in a virtual machine a container for data it can be –system.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Similar presentations

Ads by Google