1 TaintScope
Presented by: Hector M Lugo-Cordero, MS
CAP 6135, April 12, 2011
2 Acknowledgements
Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou
Paper title: TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
In Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010
Awarded Best Student Paper
3 Outline
Fuzz Testing
TaintScope
Performance
Conclusions
5 Fuzz Testing
Attempt to crash or hang a program by feeding it malformed inputs
Blackbox fuzzing
–Generational
–Mutation
6 Fuzz Testing: Motivation
Nobody is perfect
Programs may be very large and difficult to test
Find bugs to fix
Exploit programs for malware
7 Fuzz Testing: Challenges
Random fuzzing has to cover a huge sample space
–E.g. a 4 s audio signal of 32k bytes has 2^256,000 possible values
Symbolic fuzzing can't bypass checksum instructions
9 TaintScope
Fuzzer that can bypass checksums
–independent of the checksum algorithm
Concentrates on data flow dependence
Uses the IDA Pro disassembler
Works like a classifier
10 TaintScope: How it Works
Identify hot bytes in the input
–Bytes that affect API functions: memory management, string operations
–Input bytes are tainted with a unique id
Identify possible checksum points
11 TaintScope: How it Works
Well-formed inputs always take the true (or false) path at a check
Malformed inputs always take the opposite path
The intersection of these branches yields the checksum check points
TaintScope creates bypass rules for them
12 TaintScope: How it Works
Fuzzer runs with bypass rules and mutates only hot bytes
Crashes and hangs are recorded
13 TaintScope: How it Works
Crashed samples are repaired for replay
–Checksums are corrected
Type of vulnerability can be analyzed
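The check-point identification and checksum repair steps of slides 10 to 13, as an added toy example that is not from the slides or from the TaintScope authors. It assumes a constructed file format (4-byte magic, CRC-32 over the payload, payload) and stands in for binary instrumentation with a parser that logs each branch outcome; sites where well-formed and malformed inputs always diverge are the candidate checksum checks, and `repair` recomputes the checksum so a mutated sample replays past the check.

```python
import zlib

# Constructed toy format (not TaintScope's, not a real format): bytes 0-3 magic "TSCP",
# bytes 4-7 big-endian CRC-32 of the payload, bytes 8 onward the payload.
MAGIC = b"TSCP"

def build(payload):
    return MAGIC + (zlib.crc32(payload) & 0xFFFFFFFF).to_bytes(4, "big") + payload

def parse(data, trace):
    """Toy parser; each branch appends (site, outcome) to `trace`, the per-run branch log."""
    magic_ok = data[:4] == MAGIC
    trace.append(("magic_check", magic_ok))
    if not magic_ok:
        return "bad_magic"
    crc_ok = int.from_bytes(data[4:8], "big") == zlib.crc32(data[8:]) & 0xFFFFFFFF
    trace.append(("checksum_check", crc_ok))
    if not crc_ok:
        return "bad_checksum"
    trace.append(("length_check", len(data) > 8))
    return "ok" if len(data) > 8 else "empty"

def mutate(data, index, bit):
    """Flip one bit of one byte, as a mutation fuzzer does to a hot byte."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)

def branch_outcomes(inputs):
    # Map each branch site to the set of outcomes observed over `inputs`.
    seen = {}
    for data in inputs:
        trace = []
        parse(data, trace)
        for site, outcome in trace:
            seen.setdefault(site, set()).add(outcome)
    return seen

def find_check_points(well_formed, malformed):
    """Sites where well-formed inputs always go one way and malformed inputs
    always go the other way: candidate checksum checks (slide 11)."""
    good, bad = branch_outcomes(well_formed), branch_outcomes(malformed)
    return sorted(site for site, vals in good.items()
                  if len(vals) == 1 and bad.get(site) == {not next(iter(vals))})

def repair(data):
    """Recompute the checksum so a mutated sample replays past the check (slide 13)."""
    return build(data[8:])

def sample_corpus():
    # Constructed corpus: four well-formed files and three single-bit payload mutants of each.
    good = [build(bytes([i]) * (4 + i)) for i in range(1, 5)]
    return good, [mutate(d, 8 + k, k % 8) for d in good for k in range(3)]
```

The magic check is not reported because both corpora pass it, and the length check is not reported because malformed inputs never reach it; only the branch that separates the two corpora survives the intersection.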
15 Performance: Hot Bytes
16 Performance: Checksum
17 Performance: Vulnerabilities
18 What is accomplished?
TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat, and more)
Vendors have patched the software
Vulnerabilities have been published in
–Secunia
–Common Vulnerabilities and Exposures
19 MS Paint Search
20 Adobe Acrobat Search
22 Conclusions
Fuzzer able to bypass checksums
Works with Linux/Windows binaries
100% of inputs cause a crash or hang
Low number of input samples
Tested on many well-known applications and formats
23 Weaknesses
Doesn't talk about code coverage
Needs to run the program several times to find information of interest
Can't correctly detect checksums where data is encrypted with a key-based algorithm
24 Improvements
Consider incorporating a tool like HyperNEAT
–can learn search space patterns
–work with encryption (e.g. DES S-boxes)
Dynamic update to reduce the number of runs needed to build hot bytes/checksum information
25 References
1. Tielei Wang's website: http://sites.google.com/site/tieleiwang/
2. Month of Kernel Bugs: http://projects.info-pull.com/mokb/
3. Month of Browser Bugs: http://browserfun.blogspot.com/
4. Secunia: http://secunia.com/
5. Common Vulnerabilities and Exposures: http://cve.mitre.org/
6. IDA Disassembler: http://www.hex-rays.com/idapro/
7. Google Images: http://images.google.com
26 Questions