Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach. Zhiqiang Lin, Xiangyu Zhang, Dongyan Xu, Purdue University.

1 Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach
Zhiqiang Lin, Xiangyu Zhang, Dongyan Xu, Purdue University
June 27th, 2008, The 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

2 Motivation
Vulnerabilities in software are the root of: Internet worms (CodeRed, Slammer), denial of service (DoS), user DoS, viruses, Trojan horses, bots (botnets), and accidental breaches in security.

3 Related Work
- Dynamic analysis: Program Shepherding (V. Kiriansky et al.), TaintCheck (J. Newsome et al.), Control Flow Integrity (M. Abadi et al.), Data Flow Integrity (M. Castro et al.), ... Drawback: run-time overhead, and waiting for the attack to happen
- Static analysis: BOON (D. Wagner et al.), Splint (D. Larochelle et al.), ARCHER (Y. Xie et al.), RATS, Flawfinder. Drawback: false positives
- Recent automated multi-path exploration: DART (P. Godefroid et al.), CUTE (K. Sen et al.), EXE (C. Cadar et al.), SAGE (P. Godefroid et al.). Drawback: low efficiency

4 Problem Statement and Our Technique
- Problem: how to discover/convict software vulnerabilities more efficiently
- An efficient input provenance based approach:
  - Conservative static analysis => suspect
  - Dynamic analysis => convicting the suspect and pruning false positives
  - Random mutation is avoided
  - No symbolic execution (can handle long executions)
- Key idea: data lineage tracing (input provenance)

5 Basic Idea
An image viewer: zgv-5.8/readgif.c, integer overflow

    231   fread(&imagehed,sizeof(imagehed),1,in);
          ...
    245   width=(imagehed.wide_lo+256*imagehed.wide_hi);
    246   height=(imagehed.high_lo+256*imagehed.high_hi);
          ...
    494   if((...(byte *)malloc(width*height))...) {
    495     fclose(in);
    496     return(_PICERR_NOMEM);
    497   }
    498   ...

Input a.gif (256x128):      ... 0x00 0x01 0x80 0x00 ...
Input data label (offset):         6    7    8    9

6 Architecture
Static front end (program/binary -> suspect) -> Input Lineage Tracer (program input -> lineage) -> Input Mutator (new input) -> Run-time Detector (evidence)
Suspect: a piece of instruction which is exploitable to trigger the vulnerability

7 Component 1. Input Lineage Tracer
- Label the input stream (using the offset)
- Track the propagation of the labels through the instructions, e.g.:

    mov 0xfffffffc(%ebp),%eax
    mov %eax, 0xfffffff8(%ebp)
    add %eax, %ecx
    mov %ecx, %edx

8 Component 1. Input Lineage Tracer
Key concepts:
- Data dependency (direct propagation)

    1. b=a;

    mov 0xfffffffc(%ebp),%eax      ; b=a
    mov %eax,0xfffffff8(%ebp)

- Control dependency (indirect propagation)

    1. if (a==1)
    2.   b=1;
    3. else
    4.   c=0;

    cmpl $0x1,0xfffffffc(%ebp)     ; a==1
    jne 804832d
    movl $0x1,0xfffffff8(%ebp)     ; b=1
    jmp 8048334
    movl $0x0,0xfffffff4(%ebp)     ; c=0

9 Component 1. Data Lineage Tracer
$DL(S_i) = DL(\mathit{def}@s_i)$

$DL(\mathit{def}@s_i) = \begin{cases} \mathrm{get\_new\_id}() & \text{if } \mathit{def} \text{ is an input value} \\ \bigcup_x DL(\mathit{use}_x@s_i) & \text{otherwise} \end{cases}$

Input data tracking: each input byte is labeled with its offset in the input stream.
DL representation: reduced ordered Binary Decision Diagram (roBDD).

10 Component 1. Data Lineage Tracer - An Example

    231   fread(&imagehed,sizeof(imagehed),1,in);
          ...
    245   width=(imagehed.wide_lo+256*imagehed.wide_hi);
    246   height=(imagehed.high_lo+256*imagehed.high_hi);
          ...
    494   if((...(byte *)malloc(width*height))...) {
    495     fclose(in);
    496     return(_PICERR_NOMEM);
    497   }
    498   ...

READ(buf, size, ...): for 0 <= i < size, DL(buf[i]@pc231) = get_new_id()
DL(wide_lo@pc245) = DL(buf[6]@pc231) = {6}
DL(wide_hi@pc245) = DL(buf[7]@pc231) = {7}
DL(width@245) = DL(wide_hi@pc245) ∪ DL(wide_lo@pc245) = {6, 7}
DL(height@246) = DL(high_hi@pc246) ∪ DL(high_lo@pc246) = {8, 9}
DL((width*height)@494) = {6, 7, 8, 9}

11 Component 2. Input Mutator
Inputs: program input, data lineage, suspect. Output: evidence (a new input).
- Heuristic #1: buffer overflow mutation (double the buffer size, ...)
- Heuristic #2: format string mutation (replace %s in the format string argument)
- Heuristic #3: integer overflow mutation (boundary integer values: 0xffffffff, 0, 0x0fffffff)
- ...
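The following is an added example, not code from the paper or its Valgrind/Diablo tool, that walks the lineage rules of slides 8 to 10 and the mutation step of slide 11 over the readgif.c case from slide 5. It represents DL sets as plain Python frozensets of input offsets instead of roBDDs, mirrors lines 245, 246 and 494 of readgif.c as a hypothetical Python function (zgv_malloc_size), and uses a constructed GIF-style header as the program input. The boundary values of heuristic #3 are applied byte by byte to the offsets in the suspect's lineage, which is a simplification of the slide's word-sized values.

```python
"""Toy input-lineage tracer, mutator and run-time detector (added example).

Not the paper's implementation: lineage (DL in the slides) is a frozenset of
input offsets rather than an roBDD, and the suspect is a Python function
instead of a binary instruction.
"""
from dataclasses import dataclass

INT32_MAX = 0x7FFFFFFF
INT32_MIN = -INT32_MAX - 1


@dataclass(frozen=True)
class Tainted:
    """A run-time value plus its data lineage: the input offsets it came from."""
    value: int
    lineage: frozenset

    @staticmethod
    def lift(x):
        """Constants carry an empty lineage: they depend on no input byte."""
        return x if isinstance(x, Tainted) else Tainted(x, frozenset())

    def _combine(self, other, op):
        # Data dependency: DL(def@s) = union of DL(use_x@s) over every use.
        other = Tainted.lift(other)
        return Tainted(op(self.value, other.value), self.lineage | other.lineage)

    def __add__(self, other):
        return self._combine(other, lambda a, b: a + b)

    def __mul__(self, other):
        return self._combine(other, lambda a, b: a * b)

    __radd__ = __add__
    __rmul__ = __mul__

    def eq(self, k):
        """A comparison result keeps the lineage of the compared value."""
        return Tainted(int(self.value == k), self.lineage)


def select(cond, then_value, else_value):
    """Control dependency (slide 8): a value defined inside a branch inherits
    the predicate's lineage even though no data flows from the predicate."""
    chosen = Tainted.lift(then_value if cond.value else else_value)
    return Tainted(chosen.value, chosen.lineage | cond.lineage)


def label_input(stream):
    """READ(buf, size): every input byte gets a fresh id, namely its offset."""
    return [Tainted(b, frozenset({off})) for off, b in enumerate(stream)]


def zgv_malloc_size(inp):
    """Hypothetical Python mirror of readgif.c lines 245, 246 and 494 (slide 5):
    width and height come from header bytes 6..9, their product feeds malloc()."""
    width = inp[6] + 256 * inp[7]
    height = inp[8] + 256 * inp[9]
    return width * height


def overflows_int32(v):
    """Run-time detector: the exact product does not fit a C int, so the real
    program would have wrapped the malloc() size before the call."""
    return not (INT32_MIN <= v.value <= INT32_MAX)


# Byte-level stand-in for heuristic #3's boundary values
# (0xffffffff, 0, 0x0fffffff): every lineage byte is set to the same fill.
BOUNDARY_FILLS = (0xFF, 0x00, 0x0F)


def mutate(stream, offsets, fill):
    """Rewrite only the bytes in the suspect's lineage; nothing is random."""
    out = bytearray(stream)
    for off in offsets:
        out[off] = fill
    return bytes(out)


def convict(stream, suspect, detector):
    """Return (evidence input, lineage) when some mutation of the lineage bytes
    triggers the detector, else (None, lineage)."""
    original = suspect(label_input(stream))
    if detector(original):
        return stream, original.lineage
    for fill in BOUNDARY_FILLS:
        candidate = mutate(stream, original.lineage, fill)
        if detector(suspect(label_input(candidate))):
            return candidate, original.lineage
    return None, original.lineage


# Constructed stand-in for the header of the 256x128 a.gif on slide 5:
# "GIF89a", then wide_lo, wide_hi, high_lo, high_hi at offsets 6..9.
SAMPLE_HEADER = bytes([0x47, 0x49, 0x46, 0x38, 0x39, 0x61,
                       0x00, 0x01, 0x80, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    product = zgv_malloc_size(label_input(SAMPLE_HEADER))
    print("width*height =", product.value, "lineage =", sorted(product.lineage))
    evidence, lineage = convict(SAMPLE_HEADER, zgv_malloc_size, overflows_int32)
    print("mutated offsets:", sorted(lineage), "evidence:", evidence.hex())
```

On the sample header the suspect's lineage is exactly {6, 7, 8, 9}, matching slide 10, and only those four bytes are rewritten by the mutator; the 0xFF fill yields 65535 * 65535, which the detector flags as not fitting a 32-bit int. Offsets outside the lineage are never touched, which is the point of avoiding random mutation.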

12 Implementation
- Diablo (http://diablo.elis.ugent.be/): builds the control flow graph and statically generates control dependencies to facilitate the Valgrind instrumentation
- Valgrind (http://valgrind.org/): lineage tracing
- roBDD (Reduced ordered Binary Decision Diagram) to represent the data lineage

13 Evaluation - Effectiveness
- Static detector
  - Known vulnerabilities:
    - CVE-2001-1413 (ncompress 4.2.4, SO)
    - CVE-2001-1228 (gzip 1.2.4, SO)
    - CVE-2002-1496 (Nullhttpd 0.50, HO)
    - CVE-2002-1549 (lhttpd 0.1, SO)
    - CVE-2000-0573 (wu-ftpd-2.6.0, format string)
    - CVE-2001-0609 (cfingerd-1.4.3, format string)
    - CVE-2005-0226 (ngircd-0.8.2, format string)
    - CVE-2004-0904 (xzgv-0.8, IO & HO)
    - CVE-2006-3082 (GnuPG 1.4.3, IO & HO)
  - RATS (unknown vulnerabilities): extended to catch buffer overflow and integer overflow (ipgrab-0.99, epstool-3.3, dcraw-7.94)

14 Evaluation - CVE-2006-3082 (GnuPG 1.4.3)
GnuPG Parse_User_ID remote buffer overflow vulnerability: pktlen = in[2,3,4,5] = 0xffffffff

15 Evaluation - CVE-2001-0609 (Cfingerd-1.4.3)

    syslog(LOG_NOTICE, "%s", (char *) syslog_str);

16 Evaluation - Ipgrab-0.99 (a new vulnerability)

17 Evaluation - Performance (Lineage Tracing)
Platform: two 2.13 GHz Pentium processors and 2 GB RAM running Linux kernel 2.6.15

18 Evaluation - Performance

19 Evaluation - Space

20 Summary
An input lineage tracing and mutation system:
- Capable of convicting known and unknown vulnerabilities
- Has reasonable overhead for the scenario of offline vulnerability conviction
Architecture recap: static front end (program/binary -> suspect) -> data lineage tracer (program input -> lineage) -> input mutator (new input) -> run-time detector (evidence)

21 Thank you
For more information: {zlin, xyzhang, dxu}@cs.purdue.edu
Q & A

