All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

Slides:



Advertisements
Similar presentations
Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Advertisements

Repaso: Unidad 1 Lección 2
Simplifications of Context-Free Grammars
AP STUDY SESSION 2.
1
1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Create an Application Title 1A - Adult Chapter 3.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Around the World AdditionSubtraction MultiplicationDivision AdditionSubtraction MultiplicationDivision.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
Break Time Remaining 10:00.
Turing Machines.
Table 12.1: Cash Flows to a Cash and Carry Trading Strategy.
PP Test Review Sections 6-1 to 6-6
EU market situation for eggs and poultry Management Committee 20 October 2011.
Bright Futures Guidelines Priorities and Screening Tables
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
Bellwork Do the following problem on a ½ sheet of paper and turn in.
Exarte Bezoek aan de Mediacampus Bachelor in de grafische en digitale media April 2014.
VOORBLAD.
Name Convolutional codes Tomashevich Victor. Name- 2 - Introduction Convolutional codes map information to code bits sequentially by convolving a sequence.
Copyright © 2012, Elsevier Inc. All rights Reserved. 1 Chapter 7 Modeling Structure with Blocks.
1 RA III - Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Buenos Aires, Argentina, 25 – 27 October 2006 Status of observing programmes in RA.
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
© 2012 National Heart Foundation of Australia. Slide 2.
Adding Up In Chunks.
Understanding Generalist Practice, 5e, Kirst-Ashman/Hull
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt Synthetic.
Note to the teacher: Was 28. A. to B. you C. said D. on Note to the teacher: Make this slide correct answer be C and sound to be “said”. to said you on.
Model and Relationships 6 M 1 M M M M M M M M M M M M M M M M
25 seconds left…...
Subtraction: Adding UP
1 hi at no doifpi me be go we of at be do go hi if me no of pi we Inorder Traversal Inorder traversal. n Visit the left subtree. n Visit the node. n Visit.
Analyzing Genes and Genomes
Speak Up for Safety Dr. Susan Strauss Harassment & Bullying Consultant November 9, 2012.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Essential Cell Biology
Exponents and Radicals
Clock will move after 1 minute
Intracellular Compartments and Transport
PSSA Preparation.
Essential Cell Biology
Immunobiology: The Immune System in Health & Disease Sixth Edition
 2003 Prentice Hall, Inc. All rights reserved. 1 Chapter 13 - Exception Handling Outline 13.1 Introduction 13.2 Exception-Handling Overview 13.3 Other.
Physics for Scientists & Engineers, 3rd Edition
Energy Generation in Mitochondria and Chlorplasts
Murach’s OS/390 and z/OS JCLChapter 16, Slide 1 © 2002, Mike Murach & Associates, Inc.
1 Decidability continued…. 2 Theorem: For a recursively enumerable language it is undecidable to determine whether is finite Proof: We will reduce the.
Edward J. Schwartz, Thanassis Avgerinos, David Brumley
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Presentation transcript:

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos, David Brumley Presented by: Vaibhav Rastogi 1

The Root of All Evil Humans write programs This Talk: Computers Analyzing Programs Dynamically at Runtime 2

Two Essential Runtime Analyses Dynamic Taint Analysis: What values are derived from this source? Forward Symbolic Execution: What input will make execution reach this line of code? Malware Analysis Privacy Leakage Detection Vulnerability Detection Automatic Test- case Generation Input Filter Generation Malware Analysis 3

Contributions Formalize English descriptions An algorithm / operational semantics Technical highlights, caveats, issues, and unsolved problems that are deceptively hard Systematize recurring themes in a wealth of previous work 4

Contributions 5

Dynamic Taint Analysis How it WorksExample PoliciesIssues 6

Example 7

8 Input is tainted

Taint Introduction TaintedUntainted x Input is tainted 9

Taint Introduction VarValTaint ( T | F) x7T 10

Taint Propagation TaintedUntainted x Data derived from user input is tainted xy 42 11

Taint Propagation VarValTaint ( T | F) x7T y49T 12

Taint Checking TaintedUntainted x Policy violation detected xy 42 y 13

So What? x xy 42 y Exploit Detection Tainted return address 14

Taint Checking VarValTaint ( T | F) x7T y49T 15

Taint Semantics in SIMPIL 16

SIMPIL Operational Semantics tl;dr 17

Operational Semantics for Tainting 18

Operational Semantics for Tainting 19

Example Taint Semantics 20

Example Taint Policy 21

Dynamic Tainting Issues Tainted Addresses To taint, or not to taint Undertainting Control flows discussed earlier Overtainting Sanitization Time of Detection vs. Time of Attack Overwritten return address detected only at return 22

Dynamic Tainting Issues x xy 42 y Overwritten return address detected only at return 23

Tainted Addresses Dont taint y Table indices, e.g., a[i] == i Taint y tcpdump uses packet data to compute function pointers 24

Dilemma Undertainting: False Negatives Overtainting: False Positives 25

Forward Symbolic Execution How it WorksChallengesProposed Solutions 26

Example bad_abs(x is input) if (x < 0) return -x if (x = 0x ) return -x return x 27

Example 2 32 possible inputs 0x bad_abs(x is input) if (x < 0) return -x if (x = 0x ) return -x return x What input will execute this line of code? 28

Working bad_abs(x is input) if (x < 0) return -xif (x = 0x ) return -xreturn x FT TF x 0x < 0 x 0 && x == 0x x 0 && x != 0x

Working bad_abs(x is input) if (x < 0) return -xif (x = 0x ) return -xreturn x FT TF x 0x < 0 x 0 && x == 0x x 0 && x != 0x What input will execute this line of code? 30

Operational Semantics 31

Operational Semantics 32

Challenges Exponential Number of PathsSymbolic MemorySystem Calls 33

Exponential Number of Paths 34

Exploration Strategies Bounded necessary – else loops maynt terminate! Bounded Depth First Search Possibly different weights to different paths Random Paths Mix symbolic and concrete execution Make symbolic execution follow a concrete execution path Concolic Execution 35

Symbolic memory Example: tables Aliasing issues Solutions: – Make unsound assumptions – Let the SMT solver do the work – Perform alias analysis A static analysis – may not be acceptable Related Problem: Symbolic jumps 36 addr1 = get_input() store(addr1, v) z = load(addr2)

Symbolic Jumps Explore jump targets found in concrete execution Let the solver solve itDo static analysis 37 The pc depends on the user input

System and Library Calls What are effects of such calls? Manual summarization is possible in some cases Use results from concrete execution – Not sound 38

Symbolic Execution is not Easy Exponential number of paths Exponentially sized formulas with substitution Solving a formula is NP-complete 39 s + s + s + s + s +s + s + s + s + s + s + s +s = 42

Conclusion Dynamic Taint Analysis and Forward Symbolic Execution both extensively used – A number of options explored This talk provided – Overview of the techniques – Applications – Issues and state-of-the-art solutions 40

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.