Upload
quinlan-gregory
View
24
Download
3
Embed Size (px)
DESCRIPTION
The 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach. Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University June 27 th , 2008. FC. User. Motivation. - PowerPoint PPT Presentation
Citation preview
Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach
Zhiqiang Lin Xiangyu Zhang, Dongyan Xu
Purdue University
June 27th, 2008
The 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
Motivation
Internet Worms(CodeRed, Slammer)
Denial of Service (DoS)User
DoSDoS
Viruses,Trojan Horses,Bots (Botnet)
FCFC
Vulnerability In Software
Accidental Breachesin Security
Related Work
Dynamic analysis Program shepherding (V. Kiriansky et al.)
TaintCheck (J. Newsome et al.)Control Flow Integrity (M. Abadi et al.)Data Flow Integrity (M. Castro et al.)…
Run-time overhead, and waiting for attack Static analysis
BOON (D. Wagner et al.), Splint (D. Larochelle et al.), Archer (Y. Xie et al.), RATS, Flawfinder
False positive Recent automated multi-path exploration
DART (P. Godefroid et al.), Cute (K. Sen et al.), EXE (C. Cadar et al.), SAGE (P. Godefroid et al.)
Low Efficiency
Problem Statement and Our Technique
How to more efficiently discover/convict software vulnerability
An Efficient Input Provenance Based Approach Conservative static analysis => Suspect Dynamic analysis => Convicting the suspect
and pruning false positives Randomly mutation is avoided No symbolic execution (can handle long
execution)
Key idea Data lineage tracing (Input Provenance)
Basic Idea
fread(&imagehed,sizeof(imagehed),1,in);...width=(imagehed.wide_lo+256*imagehed.wide_hi)height=(imagehed.high_lo+256*imagehed.high_hi);...if((...(byte *)malloc(width*height))...) { fclose(in); return(_PICERR_NOMEM); } ...
231
245246
494495496497498
Input a.gif (256x128):xx...0x00 0x01 0x80 0x00...
Input Data label (Offset): 6 7 8 9
An image viewer: Zgv-5.8/readgif.c
Integer Overflow
Architecture
Static-front End
Input Lineage Tracer
Input Mutator
Run-time Detector
Program/binary
Lineage
Program Input
Evidence
Suspect New Input
A piece of instruction which is exploitable to trigger the
vulnerability
Component 1. Input Lineage Tracer
Label the input stream (using the offset) Track their propagation
mov 0xfffffffc(%ebp),%eax
mov %eax, 0xfffffff8(%ebp)
add %eax, %ecx
mov %ecx, %edx
Component 1. Input Lineage Tracer
Key concept Data Dependency (direct propagation)
Control dependency (indirect propagation)
1. b=a;
1. if (a==1)2. b=1;3. else4. c=0;
mov 0xfffffffc(%ebp),%eax
mov %eax,0xfffffff8(%ebp) b=a
cmpl $0x1,0xfffffffc(%ebp)
jne 804832d <main+0x25>
movl $0x1,0xfffffff8(%ebp)
movl $0x0,0xfffffff4(%ebp)
jmp 8048334 <main+0x2c>
a==1
b=1
c=0
Component 1. Data Lineage Tracer
DL(Si)=DL(def@si)
DL(def@si) =
get_new_id() if def is an input value
U DL(usex@si) otherwise
Input data tracking (labeled with its offset in the input stream)
DL Representation: reduced ordered Binary Decision
Diagram (roBDD)
Component 1. Data Lineage Tracer
An Example
fread(&imagehed,sizeof(imagehed),1,in);...width=(imagehed.wide_lo+256*imagehed.wide_hi)height=(imagehed.high_lo+256*imagehed.high_hi);...if((...(byte *)malloc(width*height))...) { fclose(in); return(_PICERR_NOMEM); } ...
231
245246
494495496497498
READ (buf,size,...), 0<= i < size , buf[i], DL(buf[i]@pc231) = get_new_id()DL(wide_lo@pc245)=
DL(buf[6]@pc231) = {6}DL(wide_hi@pc245)=DL(buf[7]@pc231) = {7}
DL(width@245) = DL(wide_hi@pc245) U DL(wide_lo@pc245) = {6; 7}DL(height@246) = DL(high_hi@pc246) U DL(high_lo@pc246) = {8; 9}
DL((width*height)@494) = {6;7;8;9}
Component 2. Input Mutator
Program InputData Lineage Evidence
Heuristics#1: Buffer overflow mutation(double buffer size …)
Heuristics#2: Format string mutation(replace %s in format string argument)
Heuristics#3: Integer overflow mutation(Boundary integer value:
0xffffffff,0,0x0fffffff)…
Suspect
Implementation
Diablo: Control flow graph Statically generate Control dependency to
facilitate Valgrind instrumentation http://diablo.elis.ugent.be/
Valgrind: Lineage tracing http://valgrind.org/ RoBDD (Reduced ordered Binary Decision
Diagram) to represent the data lineage.
Evaluation - Effectiveness
Static Detector Known vulnerability
CVE-2001-1413 (ncompress 4.2.4, SO) CVE-2001-1228 (gzip 1.2.4, SO) CVE-2002-1496 (Nullhttpd 0.50, HO) CVE-2002-1549 (lhttpd 0.1, SO) CVE-2000-0573 (wu-ftpd-2.6.0, Format String) CVE-2001-0609 (cfingerd-1.4.3, Format String) CVE-2005-0226 (ngircd-0.8.2, Format String) CVE-2004-0904 (xzgv-0.8, IO & HO) CVE-2006-3082 (GnuPG 1.4.3, IO & HO)
RATS (Unknown) Make extension to catch: buffer overflow,
integer overflow (ipgrab-0.99, epstool-3.3, dcraw-7.94)
Evaluation - CVE-2006-3082 (GnuPG 1.4.3)
GnuPG Parse_User_ID Remote Buffer Overflow Vulnerability
pktlen=in[2,3,4,5]=0x ff ff ff ff
Evaluation - CVE-2001-0609 (Cfingerd-1.4.3)
syslog(LOG_NOTICE, "%s", (char *) syslog_str);
Evaluation - Ipgrab-0.99 (A New VUL)
Evaluation – Performance (Lineage Tracing)
Platform: two 2.13 Ghz Pentium processors and 2G RAM running the Linux kernel 2.6.15
Evaluation - Performance
Evaluation - Space
Summary An input lineage tracing and mutation system:
Capable of convicting known and unknown vulnerability.
Has reasonable overhead for the scenario of offline vulnerability conviction.
Static-front End
Data Lineage Tracer
Input Mutator
Run-time Detector
Program/binary
LineageNew Input
Program Input
Evidence
Suspect
Thank you
For more information:
{zlin, xyzhang, dxu}@cs.purdue.edu
Q & A