Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Tracing and Visualization of Software Security Structure and Properties Symposium on Visualization for Cyber Security 2012 (VizSec’12) Seattle,

Published byTyrone Nash Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Tracing and Visualization of Software Security Structure and Properties Symposium on Visualization for Cyber Security 2012 (VizSec’12) Seattle,"— Presentation transcript:

1 Automated Tracing and Visualization of Software Security Structure and Properties Symposium on Visualization for Cyber Security 2012 (VizSec’12) Seattle, WA, USA Oct. 15, 2012 Wenbin Fang, Barton P. Miller, and James A. Kupsch Computer Sciences Department University of Wisconsin-Madison

2 Motivation Visualization: an intrinsic part of in-depth security assessment First Principles Vulnerability Assessment (FPVA) Microsoft Threat Modeling Diagrams as road map for later analysis Key components and interaction The privilege level of each component Access to high-value resources 2

3 Example Diagrams From FPVA 3

4 4

5 5

6 6

7 Diagram Creation Problems Manual (time consuming) data collection Collected from many sources Potentially inaccurate Manual diagram construction Deferred until confident in data collection Limits diagrams produced Approach: Automate diagram construction 7

8 Data Collection Automatically collect trace data during runtime Visualization Construct diagrams/animation from trace data Web-based interface 8 SecSTAR: Security System Tracing, Analysis and Reporting Data Collection Instrumented Binary Code Trace Data Visualization Diagram Display Interface

9 Data Collection Overview Goal: automate system data collection Unmodified binaries Follows control flows to other processes Easy to extend to trace new security events SecSTAR: Uses self-propelled instrumentation Simple code snippets determine what to trace 9

10 Self-propelled Instrumentation Instrument unmodified binary code No special preparation Inject code snippet into a target process Instrumentation follows control flow Within a process Across thread boundaries Across process and even host boundaries 10

11 Self-propelled Instrumentation 11 Application Process Injector: Process to inject shared library Agent: Shared library Injector process a.out libc.so libpthread.so Agent.so Payload Functions Instrumentation Engine

12 12 void payload(SpPoint* pt){ if IsExit(pt) { trace(“exit” …) } else if IsConnect(pt) { trace(“connect” …) } else if... // detect other events } void main () { pthread_create(foo …) … } void foo () { connect(…) exit(0) } Host A Host B Process P Process Q Agent.so network Process R Injector Call How it works

13 Detect system events Process creation and destruction Privilege level changes Communication Resource access Query runtime info related to the current call Arguments / Return value Query Control Flow Graph (or CFG) structures Functions / Basic blocks / Edges Enables sophisticated code analysis 13 Payload Function

14 Visualization Overview Goal: Same-style same-quality diagrams as those constructed by skilled analysts Animate temporal data Interactive interface 14 Data Collection Instrumented Binary Code Trace Data Visualization Diagram Display Interface

15 Notation 15

16 Diagram, Animation and SecSTAR Interface Demo http://research.cs.wisc.edu/mist/projects/SecSTAR/ 16

17 Case Study Using SecSTAR to produce FPVA-style diagrams for Condor Condor: high-throughput job scheduling system Used worldwide ~700,000 lines of code 1000+ pages of documentation Multiple processes, multiple hosts 17

18 Original FPVA vs SecSTAR Original FPVA diagram construction Manual data collection from Many processes and hosts Documentation and code Correlated and distilled artifacts Manual diagram creation Months SecSTAR Automated data collection Automated diagram construction Hours, mostly to learn how to install and operate Condor 18

19 Diagram comparison 19 SecSTAR Original FPVA

20 Future Work Capture and visualize more events Capture and visualize resources Improve the web-based interface Integrating with Microsoft Threat Modeling 20

21 Summary SecSTAR Automated data collection Automated diagram/animation construction Case study Diagram construction for Condor Original FPVA vs SecSTAR 21

22 Questions? http://www.cs.wisc.edu/mist/ 22

23 Backup 1: Intra-process Propagation 23 a.out main 8430: 8431: 8433: 8444: 8449: 844b: 844e: 844f: push %ebp mov %esp,%ebp... call printf mov %ebp,%esp xor %eax,%eax pop %ebp ret foo call jmp Patch1 payload(foo) foo 0x8405 Agent.so call jmp payload(printf) printf 0x8449 Patch2 patch jmp push %ebp mov %esp,%ebp... call foo mov %ebp,%esp pop %ebp ret 83f0: 83f1: 83f3: 8400: 8405: 8413: 8414: Inject ActivatePropagate jmp Patch1 jmp Patch2

24 Backup 2: Inter-process Propagation 24 Main procedure for inter-process propagation 1.Detect the initiation of communication at the local site. connect, write, send … 2.Identify the remote process 3.Inject the agent into the remote process 4.Start following the flow of control in the remote site void main () { connect(…) recv(…) } void main () { accept(…) send(…) } Agent.so inject call payload() Process A Process B

Download ppt "Automated Tracing and Visualization of Software Security Structure and Properties Symposium on Visualization for Cyber Security 2012 (VizSec’12) Seattle,"

Similar presentations

Self-Propelled Instrumentation Alex Mirgorodskiy Barton Miller Computer Sciences Department University.

Self-Propelled Instrumentation Alex Mirgorodskiy Barton Miller Computer Sciences Department University.
GENI Experiment Control Using Gush Jeannie Albrecht and Amin Vahdat Williams College and UC San Diego.

GENI Experiment Control Using Gush Jeannie Albrecht and Amin Vahdat Williams College and UC San Diego.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
© 2005 by Prentice Hall Appendix 2 Automated Tools for Systems Development Modern Systems Analysis and Design Fourth Edition Jeffrey A. Hoffer Joey F.

© 2005 by Prentice Hall Appendix 2 Automated Tools for Systems Development Modern Systems Analysis and Design Fourth Edition Jeffrey A. Hoffer Joey F.
Distributed Self-Propelled Instrumentation Alex Mirgorodskiy VMware, Inc. Barton P. Miller University of Wisconsin-Madison.

Distributed Self-Propelled Instrumentation Alex Mirgorodskiy VMware, Inc. Barton P. Miller University of Wisconsin-Madison.
Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)

Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
2008/03/25 Unified Modeling Lanauage 1 Introduction to Unified Modeling Language (UML) – Part One Ku-Yaw Chang Assistant Professor.

2008/03/25 Unified Modeling Lanauage 1 Introduction to Unified Modeling Language (UML) – Part One Ku-Yaw Chang Assistant Professor.
Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Task Scheduling and Distribution System Saeed Mahameed, Hani Ayoub Electrical Engineering Department, Technion – Israel Institute of Technology - 2009.

Task Scheduling and Distribution System Saeed Mahameed, Hani Ayoub Electrical Engineering Department, Technion – Israel Institute of Technology
Debugging code with limited system resource. Minheng Tan Oct 28 2002.

Debugging code with limited system resource. Minheng Tan Oct
11.1 Lecture 11 CASE tools IMS2805 - Systems Design and Implementation.

11.1 Lecture 11 CASE tools IMS Systems Design and Implementation.
Objectives Explain the purpose and various phases of the traditional systems development life cycle (SDLC) Explain when to use an adaptive approach to.

Objectives Explain the purpose and various phases of the traditional systems development life cycle (SDLC) Explain when to use an adaptive approach to.
SIMULATING ERRORS IN WEB SERVICES International Journal of Simulation: Systems, Sciences and Technology 2004 Nik Looker, Malcolm Munro and Jie Xu.

SIMULATING ERRORS IN WEB SERVICES International Journal of Simulation: Systems, Sciences and Technology 2004 Nik Looker, Malcolm Munro and Jie Xu.
SE-565 Software System Requirements More UML Diagrams.

SE-565 Software System Requirements More UML Diagrams.
1 Business Intelligence: Report Creation and Automation Using Business Objects Dylan Black University of Wisconsin – Platteville

1 Business Intelligence: Report Creation and Automation Using Business Objects Dylan Black University of Wisconsin – Platteville
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Architectural Design.

Architectural Design.
Project Proposal: Academic Job Market and Application Tracker Website Project designed by: Cengiz Gunay Client: Cengiz Gunay Audience: PhD candidates and.

Project Proposal: Academic Job Market and Application Tracker Website Project designed by: Cengiz Gunay Client: Cengiz Gunay Audience: PhD candidates and.

Similar presentations

Ads by Google