Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

Published byMelvin Bond Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan."— Presentation transcript:

1 1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song Carnegie Mellon University

2 2 Introduction Many different implementations usually exist for the same protocol –HTTP Servers: Apache, Miniweb, … Deviation — difference in how two implementations of the same protocol interpret the same input Deviations are often results of –Implementation errors –Different interpretations of the same protocol specification

3 3 Importance of Deviations Security applications of deviations Error detection –Deviations suggest good candidate for errors –No need for complex protocol model Fingerprint generation –Inputs triggering deviation are natural fingerprints –Automatic fingerprint generation is important for fingerprinting tools

4 4 Problem Definition: Deviation Detection We focus on behavior-related deviations, instead of minor output details –HTTP Status 200 vs. Status 404 We view program as function from input space I to protocol state space S –Apache maps “ GET /index.html ” to Status 200 Given two programs P A and P M of the same protocol, easy to find an input i, Our goal: Automatically generate input j, P : I ! S P A (i) = P M (i) = s P A (j) ≠ P M (j)

5 5 A M Problem Setting Are there deviations between server A and server M? If yes, how to find inputs to demonstrate them?

6 6 Possible HTTP Queries A M Naïve Solution: Random Testing Status 200

7 7 Possible HTTP Queries Inferring Inputs M A Symbolic Input Status 200 (IA [ IM)¡(IA \ IM)(IA [ IM)¡(IA \ IM)

8 8 Our Approach INPUT: two implementations P A and P M of the same protocol 1.Create formula f A modeling how P A interprets a symbolic input, formula f M modeling how P M interprets the same input –Symbolic formula: predicate over symbolic inputs 2.Use f A and f M to infer (I A [ I M ) ¡ (I A \ I M ) ? –Generate candidate deviation inputs 3.Validate candidate deviation inputs OUTPUT: generated list of inputs that make P A and P M reach different protocol states

9 9 Contributions 1.A novel approach for automatically discover deviations in binaries of a protocol –Build symbolic formulas to compare two implementations Benefits: –Faithful to implementations –No source code needed –Efficient 2.Two applications of deviations –Error detection –Fingerprint generation 3.Found errors and fingerprints in real programs

10 10 Talk Outline Introduction Approach Overview Evaluation Related Work Summary

11 11 Approach Overview 1. Formula Extraction 2. Deviation Detection 3. Validation A M Symbolic FormulasCandidate Deviation Inputs Deviation Inputs (IA [ IM)¡(IA \ IM)(IA [ IM)¡(IA \ IM)

12 12 Key Concepts Key idea: Use a symbolic formula f to represent how a program P interprets a symbolic input i Recall: A program P is a function from input space to protocol state space A symbolic formula f is a predicate on symbolic inputs. –Formula f represents the inputs can make program P reaches protocol state s

13 13 Key Concepts (Cont.) Formula f can be generated by calculating weakest precondition from P and s For a reasonable formula size, our current approach generates formulas on a single program path

14 14 Step 1: Formula Extraction x86 instructions MOV AL, [ECX] SUB AL, ‘/’ JZ NEXT... Intermediate Language (ILA) AL = INPUT[4] AL = AL – ‘/’ ZF = (AL == 0) IF (ZF==1) THEN JMP(NEXT) Symbolic formula f A (INPUT) = (INPUT[4] == ‘/’) GET /index.html : ZF == 1 A INPUT[4]

15 15 Step 2: Deviation Detection Formulas from Step 1 –Server A: f A ( INPUT ) = ( INPUT[4] == ‘/’) –Server M: f M ( INPUT ) = ( INPUT[4] != 0) Construct queries Solve f A ^: f M, : f A ^ f M –Candidate deviation inputs GET %index.html GET Aindex.html... I M -I A f A ^: f M :fA^fM:fA^fM

16 16 Step 3: Validation Problem: Multiple paths to a protocol state –Our formula is based on a single path –Candidate deviation inputs may not lead to deviations Solution: Validate candidate deviation inputs –Send candidate deviation inputs to both implementations –Compare resulting protocol states Deviation inputs GET %index.html, GET Aindex.html, …

17 17 Talk Outline Introduction Approach Overview Evaluation Related Work Summary

18 18 Evaluation Overview Implementation –BitBlaze binary analysis platform –Solver: STP (decision procedure) –Supports Windows and Linux binaries Evaluated text and binary protocols –Text-based protocol: HTTP »Apache 2.2.4, Miniweb 0.8.1, Savant 3.1 –Binary-based protocol: NTP »NetTime 2.0b7, NTPD 4.1.72

19 19 Input: Request for homepage GET /index.html Step 2: DetectionStep 3: Validation f Apache ^: f Miniweb No candidate f Apache ^: f Savant CandidateNo deviation f Miniweb ^: f Apache CandidateDeviation f Miniweb ^: f Savant CandidateDeviation f Savant ^: f Apache No candidate f Savant ^: f Miniweb No candidate Evaluation: HTTP

20 20 HTTP Deviation: Error Detection Miniweb follows its original path, while Apache doesn’t. Original input: GET /index.html Deviation inputs: GET %index.html GET Aindex.html Miniweb Response: HTTP/1.1 200 OK Server: Miniweb Cache-control: no-cache content of /index.html Apache Response: HTTP/1.1 400 Bad Request Date: Sat, 03 Feb 2007 05:33:55 GMT Server: Apache/2.2.4 (Win32)...

21 21 Evaluation: NTP Input: Client query for time synchronization Step 2: DetectionStep 3: Validation f NetTime ^: f NTPD CandidateDeviation f NTPD ^: f NetTime No candidate

22 22 NTP Deviation: Fingerprint Generation Original input Deviation input 11100011 11000011 Leap Indicator Version Mode Leap Indicator Version Mode NetTime responded normally. NTPD didn’t respond. RFC 4330 (SNTP): Version 0 is reserved and should not be supported. Older specification: No special treatment of version 0 First byte:

23 23 Performance Time Apache 39.5s Miniweb 20.5s Savant 21.5s NTPD 5.37s NetTime 5.05s Time Apache & Miniweb 21.3s Apache & Savant 11.8s Savant & Miniweb 9.0s NetTime & NTPD 0.56s Symbolic formulaCandidate Deviation Inputs NTP: 6 seconds to detect deviation HTTP: 1 minute to detect deviation

24 24 Future Work Explore different program paths –Rudder: automatic dynamic path exploration Create multi-path formulas –The weakest precondition algorithm used in our approach can handle multiple program paths Details at http://bitblaze.cs.berkeley.edu

25 25 Related Work Symbolic execution [King76] and weakest precondition [Dijkstra76, Cohen90, Brumley07] Fuzz testing [Kaksonen01,Marquis05,Oehlert05,Xiao03] –Random and semi-random input generation –No deep analysis on how an input is used Implementation error detection –Static source code analysis [Chen02, Udrea06] and Model checking [Chaki03, Musuvathi02, Musuvathi04] »Need manually defined models Protocol fingerprint generation –Manual fingerprint generation [Comer94, Paxson97] »Need manual analysis –Automatic fingerprint generation [Caballero07] »Need semi-random input selection

26 26 Summary A novel approach for automatically discover deviations in binaries –Use symbolic formulas to represent how a program interprets inputs –Solve formulas to compare two implementations –Validate generated inputs Applications of deviations –Error detection –Fingerprint generation

27 27 Thank you! For more information and related projects: Visit http://bitblaze.cs.berkeley.edu

Download ppt "1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Network Resource Broker for IPTV in Cloud Computing Lei Liang, Dan He University of Surrey, UK OGF 27, G2C Workshop 15 Oct 2009 Banff,

Network Resource Broker for IPTV in Cloud Computing Lei Liang, Dan He University of Surrey, UK OGF 27, G2C Workshop 15 Oct 2009 Banff,
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
White Box and Black Box Testing Tor Stålhane. What is White Box testing White box testing is testing where we use the info available from the code of.

White Box and Black Box Testing Tor Stålhane. What is White Box testing White box testing is testing where we use the info available from the code of.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.

Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.
CHAPTER TWO Creating Simple Visual Basic.NET Windows Applications.

CHAPTER TWO Creating Simple Visual Basic.NET Windows Applications.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
HTTP – HyperText Transfer Protocol

HTTP – HyperText Transfer Protocol
The Lumina Center Grantseeking Workshop Series Presents Outcomes & Evaluations April 20, 2006.

The Lumina Center Grantseeking Workshop Series Presents Outcomes & Evaluations April 20, 2006.
What’s a Web Cache? Why do people use them? Web cache location Web cache purpose There are two main reasons that Web cache are used:  to reduce latency.

What’s a Web Cache? Why do people use them? Web cache location Web cache purpose There are two main reasons that Web cache are used:  to reduce latency.
Workshop on Cyber Infrastructure in Combustion Science April 19-20, 2006 Subrata Bhattacharjee and Christopher Paolini Mechanical.

Workshop on Cyber Infrastructure in Combustion Science April 19-20, 2006 Subrata Bhattacharjee and Christopher Paolini Mechanical.
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
1 Advanced Material The following slides contain advanced material and are optional.

1 Advanced Material The following slides contain advanced material and are optional.

Similar presentations

Ads by Google