Presentation is loading. Please wait.

Presentation is loading. Please wait.

By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha.

Published byBenjamin Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha."— Presentation transcript:

1 By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha

2 Presenter: Xin Zhao

3  Definition ◦ Vulnerability - A vulnerability is a type of bug that can be used by an attacker to alter the intended operation of the software in a malicious way. ◦ Exploit - An exploit is an actual input that triggers a software vulnerability, typically with malicious intent and devastating consequences

4  Zero-day attacks that exploit unknown vulnerabilities represent a serious threat  No patch or signature available  Symantec:20 unknown vulnerabilities exploited 07/2005 – 06/2007  Current practice is new vulnerability analysis and protection generation is mostly manual  Our goal: automate the process of protection generation for unknown vulnerabilities

5  Beware the lion ◦ New year 2001 ◦ 10,000 systems affected ◦ invades Linux systems through a network exploit ◦ infiltrates BIND DNS through TCP or UDP Protocol ◦ allows infiltration through a legit request, but then can execute arbitrary commands through additional string of characters ◦ incident report March 30 by CERT

6  Software Patch: patch the binary of vulnerable application  Input Filter: a network firewall or a module on the I/O path  Data Patch: patch the data input instead of binary  Signature: signature-based input filtering Data Input Input Filter Vulnerable application Dropped

7  Automatic signature generation  Reason: ◦ Manual signature generation is slow and error ◦ Fast generation is important – previously unknown or unpatched vulnerabilities can be exploited orders of magnitude faster than a human can respond ◦ More accurate

8  There are usually several different polymorphic exploit variants that can trigger a software vulnerability  Exploit variants may differ syntactically but be semantically equivalent  To be effective -- the signature should be constructed based on the property of the vulnerability, instead of an exploit

9  Require manual steps  Employ heuristics which may fail in many settings  Techniques rely on specific properties of an exploit – return addresses  Be limited by underlying signature representation they can generate  Only work for specific vulnerabilities in specific circumstances

10  At a high level, our main contribution is a new class of signature, that is not specific to details such as whether an exploit successfully hijacks control of the program, but instead whether executing an input will (potentially) result in an unsafe execution state.

11  vulnerability signature ◦ whether executing an input potentially results in an unsafe program state  T(P, x) ◦ the execution trace obtained by executing a program P on input x  Vulnerability condition ◦ representation (how to express a vulnerability as a signature) ◦ coverage (measured by false positive rate)

12  vulnerability signature ◦ representation for set of inputs that define a specified vulnerability condition  trade-offs ◦ representation: matching accuracy vs. efficiency ◦ signature creation: creation time vs. coverage  {P,T,x,c} ◦ binary program (P), instruction trace (T), exploit string (x), vulnerability condition (c)

13  (P,c) = (,c)  T(P,x) is the execution trace of running P with input x means T satisfies vulnerability condition c  L P,c consists of the set of all inputs x to a program P such that  Formally:  An exploit for a vulnerability (P,c) is an input

14  P given in box  x = g/AAAA  T={1,2,3,4,6,7, 8,9,8,10,11,10, 11,10,11,10, 11,10,11}  c = heap overflow (on 5th iteration of line 11)

15  A vulnerability signature is a matching function MATCH which for an input x returns either EXPLOIT or BENIGN for a program P without running the program  A perfect vulnerability signature satisfies  Completeness:  Soundness:

16  C: Ґ×D×M×K×I ->{BENIGN, EXPLOIT}  Ґ is a memory  D is the set of variables defined  M is the program’s map from memory to values  K is the continuation stack  I is the next instruction to execute

17  Turing machine signatures ◦ precise (no false positive or negatives) ◦ may not terminate (in presence of loops, e.g.)  symbolic constraint signatures ◦ approximates looping, aliasing ◦ guaranteed to terminate  regular expression signatures ◦ approximates elementary constructs (counting) ◦ very efficient

18  Can provide a precise, even exact, characterization of the vulnerability condition in a particular program  A TM that exactly emulates the program has no error rate

19  says that for 10-char input, the first char is ‘g’ or ‘G’, up to four of the next chars may be spaces and at least 5 chars are non-spaces

20  says ‘g’ or ‘G’ followed by 0 or more spaces and at least 5 non-spaces  E.g: [g|G][ ]*[ˆ ]{5,}

21  TM - inlining vulnerability condition takes poly time  Symb. Constraint - poly-time transformations on TM  Regexp - solve constraint (exp time; PSPACE- complete)  or data-flow on TM (poly time)

22  MEP is a straight-line program -- e.g. the path that the exploit took to reach the vulnerability  PEP includes different paths to the vulnerability  a complete PEP coverage signature accepts all inputs in L P,c  complete coverage through a chop of the program includes all paths from the input read (v init ) to the vulnerability point (v final )

23 Presenter: Xitao Wen

24  Input: ◦ Vulnerable program P ◦ Vul condition c ◦ Sample exploit x ◦ Instruction trace T  Output: ◦ TM sig ◦ Symbolic constraint sig ◦ RegEx sig

25 PPre-process ◦D◦Disassemble binary ◦C◦Convert to an intermediate representation (IR) CChop P w.r.t. trace T ◦A◦A chop is a partial program P’ that starts at T 0 and ends at exploit point ◦C◦Call-graph level CCompute the sig ◦G◦Get TM sig ◦T◦TM -> Symbolic constraint ◦S◦Symbolic constraint -> RegEx

26  Chopping reduces the size of program to be analyzed  Performed on call- graph level  No function pointer support yet

27  Replace outgoing JMP with RET BENIGN

28  Statically estimate effects of memory updates and loops  Memory updates: SSA analysis  Loops: static unrolling

29  Solution 1: Solve constraint system S and or- ing together all members  Solution 2: Data-flow analysis optimization

30  9000 lines C++ code ◦ CBMC model checker to build/solve symbolic constraints, generate RegEx’s ◦ disassembler based on Kruegel; IR new  ATPhttpd ◦ various vulnerabilities; sprintf-style string too long ◦ 10 distinct subpaths to RegEx in 0.1216sec  BIND ◦ stack overflow vulnerability; TSIG vulnerability ◦ 10 distinct graphs in symbolic constraint ◦ 30ms for chopping ◦ 88% of functions were reachable between entry and vulnerability

31

Download ppt "By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha."

Similar presentations

Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
The Assembly Language Level

The Assembly Language Level
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.

The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.
SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,

SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
FIT1002 2006 1 FIT1002 Computer Programming Unit 19 Testing and Debugging.

FIT FIT1002 Computer Programming Unit 19 Testing and Debugging.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Cpeg421-08S/final-review1 Course Review Tom St. John.

Cpeg421-08S/final-review1 Course Review Tom St. John.
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.

Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
CSE 341 -- S. Tanimoto Syntax and Types 1 Representation, Syntax, Paradigms, Types Representation Formal Syntax Paradigms Data Types Type Inference.

CSE S. Tanimoto Syntax and Types 1 Representation, Syntax, Paradigms, Types Representation Formal Syntax Paradigms Data Types Type Inference.
On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.
Describing Syntax and Semantics

Describing Syntax and Semantics
Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Composing Dataflow Analyses and Transformations Sorin Lerner (University of Washington) David Grove (IBM T.J. Watson) Craig Chambers (University of Washington)

Composing Dataflow Analyses and Transformations Sorin Lerner (University of Washington) David Grove (IBM T.J. Watson) Craig Chambers (University of Washington)

Similar presentations

Ads by Google