
Published byMelinda Jinkins Modified over 2 years ago

1
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask)
Edward J. Schwartz, Thanassis Avgerinos, David Brumley
Presented by: Vaibhav Rastogi

2
The Root of All Evil
Humans write programs.
This talk: computers analyzing programs dynamically, at runtime.

3
Two Essential Runtime Analyses
Dynamic Taint Analysis: What values are derived from this source?
Forward Symbolic Execution: What input will make execution reach this line of code?
Applications: Malware Analysis, Privacy Leakage Detection, Vulnerability Detection, Automatic Test-case Generation, Input Filter Generation, Malware Analysis

4
Contributions
Formalize English descriptions: an algorithm / operational semantics.
Technical highlights, caveats, issues, and unsolved problems that are deceptively hard.
Systematize recurring themes in a wealth of previous work.

5
Contributions

6
Dynamic Taint Analysis: How it Works, Example Policies, Issues

7
Example

8
Input is tainted

9
Taint Introduction (legend: Tainted / Untainted)
x is the input, so x is tainted.

10
Taint Introduction
Var | Val | Taint (T | F)
x   | 7   | T

11
Taint Propagation (legend: Tainted / Untainted)
Data derived from user input is tainted: y is computed from x and the constant 42 (y = x + 42), so y is tainted.

12
Taint Propagation
Var | Val | Taint (T | F)
x   | 7   | T
y   | 49  | T

13
Taint Checking (legend: Tainted / Untainted)
Control is transferred through y (derived from x via x + 42): policy violation detected.

14
So What?
Exploit Detection: tainted return address (y, derived from input x via x + 42).

15
Taint Checking
Var | Val | Taint (T | F)
x   | 7   | T
y   | 49  | T

16
Taint Semantics in SIMPIL

17
SIMPIL Operational Semantics (tl;dr)

18
Operational Semantics for Tainting

19
Operational Semantics for Tainting

20
Example Taint Semantics

21
Example Taint Policy

22
Dynamic Tainting Issues
Tainted Addresses: to taint, or not to taint.
Undertainting: control flows (discussed earlier).
Overtainting: sanitization.
Time of Detection vs. Time of Attack: an overwritten return address is detected only at return.

23
Dynamic Tainting Issues
Overwritten return address (y, derived from x via x + 42) detected only at return.

24
Tainted Addresses
Don't taint y: table indices, e.g., a[i] == i.
Taint y: tcpdump uses packet data to compute function pointers.

25
Dilemma
Undertainting: false negatives.
Overtainting: false positives.
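The taint introduction, propagation and checking steps of the x / y = x + 42 example, together with the tainted-address choice from the "Tainted Addresses" slide, as an added illustration that is not the authors' code: a small tracker for a SIMPIL-style program whose statement encoding, sample program and memory addresses are constructed for this example, and whose `taint_addresses` switch selects between the "taint y" and "don't taint y" policies.

```python
from dataclasses import dataclass

@dataclass
class Val:
    v: int   # concrete value
    t: bool  # taint bit: True if derived from input

def run(program, inputs, taint_addresses=True):
    """Run a SIMPIL-style statement list with per-variable / per-cell taint; returns (env, violations)."""
    env, mem, violations, inputs = {}, {}, [], iter(inputs)
    def ev(e):  # ('const', n) | ('var', name) | ('add', a, b) | ('load', addr)
        if e[0] == 'const':
            return Val(e[1], False)
        if e[0] == 'var':
            return env[e[1]]
        if e[0] == 'add':
            a, b = ev(e[1]), ev(e[2])
            return Val(a.v + b.v, a.t or b.t)   # propagation: any tainted operand taints the result
        addr = ev(e[1])
        cell = mem.get(addr.v, Val(0, False))
        # tainted-address policy: does a tainted index in a[i] taint the loaded value?
        return Val(cell.v, cell.t or (taint_addresses and addr.t))
    for s in program:
        if s[0] == 'input':
            env[s[1]] = Val(next(inputs), True)  # introduction: input is tainted
        elif s[0] == 'assign':
            env[s[1]] = ev(s[2])
        elif s[0] == 'store':
            mem[ev(s[1]).v] = ev(s[2])
        elif s[0] == 'goto':                      # checking: control transfer through a tainted value
            tgt = ev(s[1])
            if tgt.t:
                violations.append(('tainted jump target', tgt.v))
    return env, violations

# Program from the slides (constructed encoding): x := input; y := x + 42; jump to y
SLIDE = [('input', 'x'),
         ('assign', 'y', ('add', ('var', 'x'), ('const', 42))),
         ('goto', ('var', 'y'))]

def slide_example():
    env, viol = run(SLIDE, [7])
    return env['x'].v, env['x'].t, env['y'].v, env['y'].t, viol

# Tainted-address dilemma: i is input, z := a[i] with a constant table entry at address 100
TABLE = [('input', 'i'), ('store', ('const', 100), ('const', 5)),
         ('assign', 'z', ('load', ('add', ('const', 100), ('var', 'i'))))]

def table_example(taint_addresses):
    env, _ = run(TABLE, [0], taint_addresses)
    return env['z'].v, env['z'].t
```

With `taint_addresses=False` the table lookup stays untainted (risking a false negative in the tcpdump-style case); with `True` it is tainted (risking a false positive for plain table indices), which is exactly the dilemma on the slide.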

26
Forward Symbolic Execution: How it Works, Challenges, Proposed Solutions

27
Example
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x ) return -x
  return x

28
Example: 2^32 possible inputs
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x ) return -x
  return x
What input will execute this line of code?

29
Working
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x ) return -x
  return x
Path conditions (T / F branches): x < 0; x >= 0 && x == 0x ; x >= 0 && x != 0x

30
Working
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x ) return -x
  return x
Path conditions (T / F branches): x < 0; x >= 0 && x == 0x ; x >= 0 && x != 0x
What input will execute this line of code?

31
Operational Semantics

32
Operational Semantics

33
Challenges: Exponential Number of Paths, Symbolic Memory, System Calls

34
Exponential Number of Paths

35
Exploration Strategies
Bounded Depth First Search: a bound is necessary, else loops may not terminate!
Random Paths: possibly different weights to different paths.
Concolic Execution: mix symbolic and concrete execution; make symbolic execution follow a concrete execution path.

36
Symbolic Memory
Example: tables. Aliasing issues:
  addr1 = get_input()
  store(addr1, v)
  z = load(addr2)
Solutions:
– Make unsound assumptions
– Let the SMT solver do the work
– Perform alias analysis (a static analysis; may not be acceptable)
Related problem: symbolic jumps.

37
Symbolic Jumps: the pc depends on the user input.
Explore jump targets found in concrete execution; let the solver solve it; do static analysis.

38
System and Library Calls
What are the effects of such calls? Manual summarization is possible in some cases. Use results from concrete execution (not sound).

39
Symbolic Execution is not Easy
Exponential number of paths.
Exponentially sized formulas with substitution, e.g. s + s + s + s + s + s + s + s + s + s + s + s + s = 42.
Solving a formula is NP-complete.

40
Conclusion
Dynamic Taint Analysis and Forward Symbolic Execution are both extensively used; a number of options have been explored.
This talk provided: an overview of the techniques, applications, and issues and state-of-the-art solutions.
