
1 TaintScope. Presented by: Hector M. Lugo-Cordero, MS. CAP 6135, April 12, 2011.

2 Acknowledgements. Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou. Paper title: "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection", in Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010. Awarded Best Student Paper.

3 Outline: Fuzz Testing, TaintScope, Performance, Conclusions.

4 Outline (section: Fuzz Testing).

5 Fuzz Testing. An attempt to crash or hang a program by feeding it malformed inputs. Black-box fuzzing comes in two flavours: generational (inputs are generated from a description of the format) and mutational (existing valid inputs are randomly mutated).

6 Fuzz Testing: Motivation. Nobody is perfect, and programs may be very large and difficult to test. Defenders fuzz to find bugs to fix; attackers fuzz to find bugs to exploit in malware.

7 Fuzz Testing: Challenges. Random fuzzing has to cover a huge sample space: e.g. a 4 s audio signal of 32 KB (32,000 bytes, i.e. 256,000 bits) has 2^256,000 possible values. Symbolic (white-box) fuzzing cannot get past checksum checks: the constraint solver has to invert the checksum function to produce an input that passes, which it cannot do in practice, so execution never reaches the code behind the check.

8 Outline (section: TaintScope).

9 TaintScope. A fuzzer that can bypass checksum checks, independent of the checksum algorithm used. Concentrates on data-flow dependence (dynamic taint analysis of the binary). Uses the IDA Pro disassembler. Its checksum detection works like a classifier over the program's branches.

10 TaintScope: How it Works. Identify the hot bytes in the input: the bytes that flow into security-sensitive API functions (memory management, string operations). Each input byte is tainted with a unique id and the taint is tracked through execution. Identify possible checksum check points.

11 TaintScope: How it Works. At a checksum check, well-formed inputs always take one direction (true or false) and malformed inputs always take the opposite one. Intersecting the branches that behave this way across the well-formed and malformed runs yields the check points. TaintScope then creates bypass rules that force each check point to the well-formed direction.

12 TaintScope: How it Works. The fuzzer runs with the bypass rules in place and mutates only the hot bytes. Crashes and hangs are recorded.

13 TaintScope: How it Works. Crashed samples are repaired for replay: the checksum field is corrected (TaintScope solves for it with symbolic execution over the checksum code) so that the input passes the original, un-bypassed check. The type of vulnerability can then be analyzed.
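The four "How it Works" slides above describe one pipeline. What follows is an added toy example, not code from the TaintScope paper or tool and not from this presentation, that walks through the same four steps on a constructed file format with a CRC32 field: detect the checksum check point by comparing branch directions of well-formed and malformed inputs, disable it with a bypass rule, mutate only the hot bytes, and repair the checksum of a crashing input so it replays against the unmodified target. Two things TaintScope does with heavier machinery are simplified here: the hot bytes are hard-coded as the offsets of the length field instead of being derived by dynamic taint analysis, and the repair step recomputes CRC32 directly instead of solving for the field with symbolic execution. The format, the parser, the branch ids and the sample inputs are all assumptions of this example.

```python
"""Toy checksum-aware fuzzing loop in the spirit of TaintScope (constructed example).
Assumed file format (not a real one):
    "TSF1" (4) | length, big-endian (2) | CRC32 over length+payload (4) | payload
The parser verifies the CRC, then copies `length` bytes into a 64-byte buffer
without validating `length`, so an oversized length field "crashes" it."""
import random
import struct
import zlib

MAGIC = b"TSF1"
HEADER_LEN = 10     # magic(4) + length(2) + crc(4)
BUF_SIZE = 64
HOT_BYTES = (4, 5)  # length-field offsets (assumption; TaintScope finds these by taint analysis)

class Crash(Exception):
    """Stands in for a segfault or hang in the real target."""

def crc(length_field, payload):
    return zlib.crc32(length_field + payload) & 0xFFFFFFFF

def build(payload):
    length_field = struct.pack(">H", len(payload))
    return MAGIC + length_field + struct.pack(">I", crc(length_field, payload)) + payload

def parse(data, trace=None, bypass=frozenset()):
    """Target parser. Every check goes through branch(), which logs (id, outcome) to
    `trace` and forces ids in `bypass` to True, as TaintScope's bypass rule does."""
    def branch(bid, cond):
        cond = True if bid in bypass else cond
        if trace is not None:
            trace.append((bid, cond))
        return cond
    if not branch("magic_ok", data[:4] == MAGIC):
        raise ValueError("bad magic")
    length, stored = struct.unpack(">HI", data[4:HEADER_LEN])
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if not branch("crc_ok", crc(data[4:6], payload) == stored):
        raise ValueError("bad checksum")
    buf = bytearray(BUF_SIZE)
    if length > BUF_SIZE:  # the bug: copy length is never validated (a memcpy in C)
        raise Crash("copying %d bytes into a %d-byte buffer" % (length, BUF_SIZE))
    buf[:len(payload)] = payload
    return bytes(buf[:length])

def run(data, bypass=frozenset()):
    """One execution: returns ('ok' | 'reject' | 'crash', branch trace)."""
    trace = []
    try:
        parse(data, trace, bypass)
        return "ok", trace
    except Crash:
        return "crash", trace
    except (ValueError, struct.error):
        return "reject", trace

def find_checksum_branches(seeds, rng, mutants_per_seed=16):
    """A check point is a branch that every well-formed run takes one way and every
    malformed run (one random byte after the magic flipped) takes the other way."""
    good, bad = {}, {}
    def record(table, trace):
        for bid, taken in trace:
            table.setdefault(bid, set()).add(taken)
    for seed in seeds:
        record(good, run(seed)[1])
        for _ in range(mutants_per_seed):
            m = bytearray(seed)
            m[rng.randrange(4, len(m))] ^= rng.randrange(1, 256)
            record(bad, run(bytes(m))[1])
    return {b for b in good if b in bad and len(good[b]) == len(bad[b]) == 1
            and good[b] != bad[b]}

def fuzz(seed, hot_bytes, bypass, rng, iterations=200):
    """Mutate only the hot bytes with the checksum check disabled; collect crashes."""
    crashes = []
    for _ in range(iterations):
        m = bytearray(seed)
        for off in hot_bytes:
            m[off] = rng.randrange(256)
        if run(bytes(m), bypass)[0] == "crash":
            crashes.append(bytes(m))
    return crashes

def repair(data):
    """Recompute the checksum field so the crash replays on the unmodified target.
    TaintScope solves it symbolically without knowing the algorithm; the toy knows CRC32."""
    length = struct.unpack(">H", data[4:6])[0]
    payload = data[HEADER_LEN:HEADER_LEN + length]
    return data[:6] + struct.pack(">I", crc(data[4:6], payload)) + data[HEADER_LEN:]

def demo(seed_value=1):
    """Pipeline: find check point -> fuzz hot bytes under bypass -> repair -> replay."""
    rng = random.Random(seed_value)
    seeds = [build(bytes([c]) * n) for c, n in ((0x41, 16), (0x42, 32), (0x43, 48))]
    checks = find_checksum_branches(seeds, rng)
    crashes = fuzz(seeds[0], HOT_BYTES, checks, rng)
    return {"checksum_branches": checks, "crashes": len(crashes),
            "replay_unrepaired": run(crashes[0])[0],        # real CRC rejects it
            "replay_repaired": run(repair(crashes[0]))[0]}  # crash reproduces
```

Calling demo() returns the detected check point set ({'crc_ok'}; the magic check is not flagged because it behaves the same way on both input classes), the number of crashing mutants, and the outcome of replaying one crash before and after repair: the unrepaired input is rejected by the real CRC check, the repaired one reproduces the crash. The point of the classifier criterion in find_checksum_branches is the one the slide makes: a checksum branch is not just input-dependent, it is the branch that separates the two input classes perfectly.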

14 Outline (section: Performance).

15 Performance: Hot Bytes (figure).

16 Performance: Checksum (figure).

17 Performance: Vulnerabilities (figure).

18 What is accomplished? TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat, and more). Vendors have patched the software. The vulnerabilities have been published as Secunia advisories and as Common Vulnerabilities and Exposures (CVE) entries.

19 MS Paint search (screenshot).

20 Adobe Acrobat search (screenshot).

21 Outline (section: Conclusions).

22 Conclusions. A fuzzer that is able to bypass checksum checks. Works on Linux and Windows binaries. The repaired crash samples reproduce the crash or hang on replay (100% in the evaluation). Needs only a small number of input samples. Tested on many well-known applications and file formats.

23 Weaknesses. The paper does not discuss code coverage. TaintScope needs to run the program several times to gather the information of interest (hot bytes and check points). It cannot correctly detect checksums where the data is encrypted with a key-based algorithm.

24 Improvements. Consider incorporating a tool like HyperNEAT, which can learn patterns in the search space and might cope with encryption (e.g. DES S-boxes). Update the hot-byte and checksum information dynamically to reduce the number of runs needed to build it.

25 References. 1. Tielei Wang's website: http://sites.google.com/site/tieleiwang/ 2. Month of Kernel Bugs: http://projects.info-pull.com/mokb/ 3. Month of Browser Bugs: http://browserfun.blogspot.com/ 4. Secunia: http://secunia.com/ 5. Common Vulnerabilities and Exposures: http://cve.mitre.org/ 6. IDA Pro Disassembler: http://www.hex-rays.com/idapro/ 7. Google Images: http://images.google.com

26 Questions.
