Presentation is loading. Please wait.

Presentation is loading. Please wait.

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

Similar presentations


Presentation on theme: "All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,"— Presentation transcript:

1 All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos, David Brumley Presented by: Vaibhav Rastogi 1

2 The Root of All Evil Humans write programs This Talk: Computers Analyzing Programs Dynamically at Runtime 2

3 Two Essential Runtime Analyses Dynamic Taint Analysis: What values are derived from this source? Forward Symbolic Execution: What input will make execution reach this line of code? Malware Analysis Privacy Leakage Detection Vulnerability Detection Automatic Test- case Generation Input Filter Generation Malware Analysis 3

4 Contributions Formalize English descriptions An algorithm / operational semantics Technical highlights, caveats, issues, and unsolved problems that are deceptively hard Systematize recurring themes in a wealth of previous work 4

5 Contributions 5

6 Dynamic Taint Analysis How it WorksExample PoliciesIssues 6

7 Example 7

8 8 Input is tainted

9 Taint Introduction TaintedUntainted x Input is tainted 9

10 Taint Introduction VarValTaint ( T | F) x7T 10

11 Taint Propagation TaintedUntainted x Data derived from user input is tainted xy 42 11

12 Taint Propagation VarValTaint ( T | F) x7T y49T 12

13 Taint Checking TaintedUntainted x Policy violation detected xy 42 y 13

14 So What? x xy 42 y Exploit Detection Tainted return address 14

15 Taint Checking VarValTaint ( T | F) x7T y49T 15

16 Taint Semantics in SIMPIL 16

17 SIMPIL Operational Semantics tl;dr 17

18 Operational Semantics for Tainting 18

19 Operational Semantics for Tainting 19

20 Example Taint Semantics 20

21 Example Taint Policy 21

22 Dynamic Tainting Issues Tainted Addresses To taint, or not to taint Undertainting Control flows discussed earlier Overtainting Sanitization Time of Detection vs. Time of Attack Overwritten return address detected only at return 22

23 Dynamic Tainting Issues x xy 42 y Overwritten return address detected only at return 23

24 Tainted Addresses Dont taint y Table indices, e.g., a[i] == i Taint y tcpdump uses packet data to compute function pointers 24

25 Dilemma Undertainting: False Negatives Overtainting: False Positives 25

26 Forward Symbolic Execution How it WorksChallengesProposed Solutions 26

27 Example bad_abs(x is input) if (x < 0) return -x if (x = 0x ) return -x return x 27

28 Example 2 32 possible inputs 0x bad_abs(x is input) if (x < 0) return -x if (x = 0x ) return -x return x What input will execute this line of code? 28

29 Working bad_abs(x is input) if (x < 0) return -xif (x = 0x ) return -xreturn x FT TF x 0x < 0 x 0 && x == 0x x 0 && x != 0x

30 Working bad_abs(x is input) if (x < 0) return -xif (x = 0x ) return -xreturn x FT TF x 0x < 0 x 0 && x == 0x x 0 && x != 0x What input will execute this line of code? 30

31 Operational Semantics 31

32 Operational Semantics 32

33 Challenges Exponential Number of PathsSymbolic MemorySystem Calls 33

34 Exponential Number of Paths 34

35 Exploration Strategies Bounded necessary – else loops maynt terminate! Bounded Depth First Search Possibly different weights to different paths Random Paths Mix symbolic and concrete execution Make symbolic execution follow a concrete execution path Concolic Execution 35

36 Symbolic memory Example: tables Aliasing issues Solutions: – Make unsound assumptions – Let the SMT solver do the work – Perform alias analysis A static analysis – may not be acceptable Related Problem: Symbolic jumps 36 addr1 = get_input() store(addr1, v) z = load(addr2)

37 Symbolic Jumps Explore jump targets found in concrete execution Let the solver solve itDo static analysis 37 The pc depends on the user input

38 System and Library Calls What are effects of such calls? Manual summarization is possible in some cases Use results from concrete execution – Not sound 38

39 Symbolic Execution is not Easy Exponential number of paths Exponentially sized formulas with substitution Solving a formula is NP-complete 39 s + s + s + s + s +s + s + s + s + s + s + s +s = 42

40 Conclusion Dynamic Taint Analysis and Forward Symbolic Execution both extensively used – A number of options explored This talk provided – Overview of the techniques – Applications – Issues and state-of-the-art solutions 40


Download ppt "All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,"

Similar presentations


Ads by Google