Presentation is loading. Please wait.

Presentation is loading. Please wait.

EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012.

Published byScarlett Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012."— Presentation transcript:

1 EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012

2 - 1 - Announcements v Exams returned »Answer Key can be found on the course website »One week to turn in written requests for exam regrades v Sign up for project presentation slots »Friday on Scott’s office door, Monday in class v Today’s class reading »"Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," James Newsome and Dawn Song, Proceedings of the Network and Distributed System Security Symposium, Feb. 2005. »Optional background reading: "All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)," Edward J. Schwartz, Thanassis Avgerinos, David Brumley, Proceedings of the 2010 IEEE Symposium on Security and Privacy, May 2010.

3 - 2 - EECS 583 Exam Statistics Exam Score Mean: 70.6StDev: 12.8High: 94Low: 44

4 - 3 - The Problem v Unknown Vulnerability Detection ** »Buffer Overflows »Format string vulnerabilties »The goal of TaintCheck v Malware Analysis »What is the software doing with sensitive data? »Data propagation from triggers »Ex. TaintDroid v More Generally - Tracking the flow of data through a program

5 - 4 - Buffer Overflow v Example Stack Buffer Overflow

6 - 5 - Buffer Overflow

7 - 6 - Format String Vulnerability v Attacker controls a format string

8 - 7 - Format String Vulnerability v Attacker controls a format string »Overwrite arbitrary memory  Take control of program execution  %n commonly used in conjunction with other format specifiers u Writes number of bytes written thus far to the stack »Dump memory  ex. printf ("%08x.%08x.%08x.%08x.%08x\n"); »Crash the program  ex. printf ("%s%s%s%s%s%s%s%s%s%s%s%s");  Denial of Service

9 - 8 - Dynamic Taint Analysis v Track information flow through a program at runtime v Identify sources of taint – “TaintSeed” »What are you tracking?  Untrusted input  Sensitive data v Taint Policy – “TaintTracker” »Propagation of taint v Identify taint sinks – “TaintAssert” »Taint checking  Special calls u Jump statements u Format strings  Outside network

10 - 9 - TaintCheck v Performed on x86 binary »No need for source v Implemented using Valgrind skin »X86 -> Valgrind’s Ucode »Taint instrumentation added »Ucode -> x86 v Sources -> TaintSeed v Taint Policy -> TaintTracker v Sinks -> TaintAssert v Add on “Exploit Analyzer”

11 - 10 - Taint Analysis in Action

12 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 11 x = get_input( ) y = x + 42 … goto y Input is tainted untaintedtainted x7 Δ VarVal T x Tainted? Var τ Input t = IsUntrusted(src) get_input(src)↓ t TaintSeed

13 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 12 x = get_input( ) y = x + 42 … goto y Data derived from user input is tainted untaintedtainted y49 Δ VarVal x7 T y Tainted? T Var x τ BinOp t 1 = τ[x 1 ], t 2 = τ[x 2 ] x 1 + x 2 ↓ t 1 v t 2 TaintTracker

14 P goto (t a ) = ¬ t a (Must be true to execute) 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 13 Policy Violation Detected Policy Violation Detected x = get_input( ) y = x + 42 … goto y untaintedtainted Δ VarVal x7 y49 Tainted? T T Var x y τ TaintAssert

15 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 14 x = get_input( ) y = … … goto y … strcpy(buffer,argv[1]) ; … return ; Jumping to overwritten return address

16 - 15 - TaintCheck - Exploit Analyzer v TaintPolicy - Keep track of Taint propagation info »Backtrace chain of taint structures »Allow generation of attack signatures v Transfer control to sandbox for analysis

17 - 16 - TaintCheck - Evaluation v False Negatives »Use control flow to change value without gathering taint  Example: if (x == 0) y=0; else if (x == 1) y=1; u Equivalent to x=y; »Tainted index into a hardcoded table  Policy – value translation is not tainted »Enumerating all sources of taint v False Positives »Vulnerable code? »Sanity Checks not removing taint  Requires fine-tuning  Taint sanitization problem »0 false positives? v Thoughts?

18 - 17 - Policy Considerations?

19 Memory Load 10/17/2015Carnegie Mellon University18 VariablesMemory Δ VarVal x7 Tainted? T Var x τ μ AddrVal 74242 Tainted? F Addr 7 τμτμ

20 Problem: Memory Addresses 10/17/2015Carnegie Mellon University19 x = get_input( ) y = load( x ) … goto y All values derived from user input are tainted?? 74242 μ AddrVal Tainted? F Addr 7 τμτμ x7 Δ VarVal

21 μ AddrVal x = get_input( ) y = load( x ) … goto y Jump target could be any untainted memory cell value Policy 1: 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 20 Load v = Δ[x], t = τ μ [v] load(x) ↓ t Taint depends only on the memory cell Taint Propagation 74242 Tainted? F Addr 7 τμτμ x7 Δ VarVal Undertainting Failing to identify tainted values - e.g., missing exploits

22 jmp_table Policy Violation? 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 21 x = get_input( ) y = load(jmp_table + x % 2 ) … goto y Policy 2: Memory printa printb Address expression is tainted Load v = Δ[x], t = τ μ [v], t a = τ[x] load(x) ↓ t v t a If either the address or the memory cell is tainted, then the value is tainted Taint Propagation Overtainting Unaffected values are tainted - e.g., exploits on safe inputs

23 General Challenge State-of-the-Art is not perfect for all programs 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 22 Undertainting: Policy may miss taint Overtainting: Policy may wrongly detect taint

24 - 23 - TaintCheck - Attack Detection v Synthetic Exploits »Buffer overflow -> function pointer »Buffer overflow -> format string »Format string -> info leak »Success! v Actual Exploits »3 real world examples »Random sample? »Prevalence of protected exploits? slightly more convincing

25 - 24 - Performance v Implementation decisions »Use of Valgrind »Better on IO bound tasks »How much performance would you give up?

26 - 25 - TaintCheck Uses v Individual Sites »Cost? v Honeypots v “TaintCheck plus OS Randomization” »Rely on OS randomization to cause crashes »Log and reproduce with tainting v Sampling »Users rather than requests  Do I just need more infected computers? »Distributed Sampling

27 - 26 - Signatures v Automatic Semantic Analysis »Exploit Analyzer v Generated signature validation

28 - 27 - Other considerations v Effectiveness in the wild »Side-channel attacks  Can the attacker determine when someone is using taint tracking? u Speed? u Perform the attack only on native systems  Similar to existing virtual machine and honeypot problems »Circumventing the taint system  Clean your data before exploit u Depends on policy u Example: Hex to ASCII translation  Cause false positives u Raises cost of running the system u Admins may turn it off »Difficult to evaluate without motivated attackers

Download ppt "EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012."

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.

2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,

SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Unleashing Mayhem on Binary Code

Unleashing Mayhem on Binary Code
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Similar presentations

Ads by Google