SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam,

Slides:



Advertisements
Similar presentations
Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
Advertisements

Automated Test Data Generation Maili Markvardt. Outline Introduction Test data generation problem Black-box approach White-box approach.
Marking Schema question1: 40 marks question2: 40 marks question3: 20 marks total: 100 marks.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Bug Isolation via Remote Program Sampling Ben Liblit, Alex Aiken, Alice X.Zheng, Michael I.Jordan Presented by: Xia Cheng.
Chapter 1 Object Oriented Programming. OOP revolves around the concept of an objects. Objects are crated using the class definition. Programming techniques.
Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.
ITEC200 – Week07 Recursion. 2 Learning Objectives – Week07 Recursion (Ch 07) Students can: Design recursive algorithms to solve.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
NP-Complete Problems Reading Material: Chapter 10 Sections 1, 2, 3, and 4 only.
IMSE Week 18 White Box or Structural Testing Reading:Sommerville (4th edition) ch 22 orPressman (4th edition) ch 16.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Testing an individual module
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,
Recursion Chapter 7. Chapter 7: Recursion2 Chapter Objectives To understand how to think recursively To learn how to trace a recursive method To learn.
1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
System/Software Testing
By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin.
1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Instructor Kostas Kontogiannis.
Tao Xie North Carolina State University Supported by CACC/NSA Related projects supported in part by ARO, NSF, SOSI.
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
1 “Operating System Protection Through Program Evolution” Dr. Frederick B. Cohen “…one of the major reasons attacks succeed is because of the static nature.
Recursion Chapter 7. Chapter Objectives  To understand how to think recursively  To learn how to trace a recursive method  To learn how to write recursive.
06/10/ Working with Data. 206/10/2015 Learning Objectives Explain the circumstances when the following might be useful: Disabling buttons and.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.
Mitigation of Buffer Overflow Attacks
Reporter: PCLee. Although assertions are a great tool for aiding debugging in the design and implementation verification stages, their use.
CSE403 Software Engineering Autumn 2001 More Testing Gary Kimura Lecture #10 October 22, 2001.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Review, Pseudocode, Flow Charting, and Storyboarding.
Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.
Software Engineering1  Verification: The software should conform to its specification  Validation: The software should do what the user really requires.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Binary Concolic Execution for Automatic Exploit Generation Todd Frederick.
Algorithm Discovery and Design Objectives: Interpret pseudocode Write pseudocode, using the three types of operations: * sequential (steps in order written)
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
Software testing techniques Software testing techniques REGRESSION TESTING Presentation on the seminar Kaunas University of Technology.
Verification vs. Validation Verification: "Are we building the product right?" The software should conform to its specification.The software should conform.
CS223: Software Engineering Lecture 26: Software Testing.
On the Relation Between Simulation-based and SAT-based Diagnosis CMPE 58Q Giray Kömürcü Boğaziçi University.
Execution with Unnecessary Privileges
White-Box Testing Pfleeger, S. Software Engineering Theory and Practice 2nd Edition. Prentice Hall, Ghezzi, C. et al., Fundamentals of Software Engineering.
Automatic Patch-Based Exploit Generation
Chapter 8 – Software Testing
UNIT-4 BLACKBOX AND WHITEBOX TESTING
White-Box Testing.
Static Testing Static testing refers to testing that takes place without Execution - examining and reviewing it. Dynamic Testing Dynamic testing is what.
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
VUzzer: Application-aware Evolutionary Fuzzing
CSC-682 Advanced Computer Security
UNIT-4 BLACKBOX AND WHITEBOX TESTING
Presentation transcript:

SMU SRG reading by Tey Chee Meng: Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications by David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng

What the paper is trying to achieve

Given 2 binaries Program P if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } ptr = realloc (ptr, s); /* use of ptr */ Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */

Create an 'exploit' Exploit as defined by paper: –input that crashes P –input causing information leakage –input that hijacks control flow Note: 'exploit' as defined by paper not the same 'exploit' as used in the security community which assumed –something usable –bypasses all counter measures Halvar Flake used the term "vulnerability trigger"

How it was done

Step 1: Compare the binary differences Program P if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } ptr = realloc (ptr, s); /* use of ptr */ Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */

Step 2: Determine which is the vulnerable point Concerned with input sanitisation that is missing in P but added in P' Where there are many changes, use of heuristics: –minimal change => likely to be added input sanitisation –lots of changes, maybe new feature Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */ vul point

Step 3: Determine path(s) to the vulnerable point Path 1: –start point –(input % 2 == 0) is true –s = input + 2 –(s <= input) is true –vulnerable point Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */

Step 3: Determine path(s) to the vulnerable point Path 2: –start point –(input % 2 == 0) is false –s = input + 3 –(s <= input) is true –vulnerable point Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */

Step 3: Determine path(s) to the vulnerable point Not individual paths, but a graph of many paths: Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */

Step 3: Determine path(s) to the vulnerable point Single paths can be found via dynamic tracing, i.e. monitor the sequence of steps executed upon normal input Control flow graphs (CFG) determined via static analysis Combination: –find single path dynamically –choose any step in the path –determine statically the partial CFG from that step to the vulnerable point

Step 4: Generate constraint formula From the start point to the vulnerable, the sequence of conditions that are met in P', but not in P –(input % 2 == 0) is true –s = input + 2 –(s <= input) is true Constraint formula: –(input % 2 == 0) is true AND (s <= input) is true AND s = input + 2 Possible to generate constraint formula over a CFG Program P' if (input % 2 == 0) { s = input + 2; } else { s = input + 3; } if (s <= input) { /* exit with error */ } ptr = realloc (ptr, s); /* use of ptr */

Step 5: Give constraint formula to solver for solution NP-hard problem => the larger the constraint formula, the longer (exponential time) it takes to solve Solution of example constraint formula: –(input % 2 == 0) is true AND (s <= input) is true –where s = input + 2 –addition is mod 2 32 –possible answer: input = Polymorphic exploit: solve the new constraint formula: –(input % 2 == 0) is true AND (s <= input) is false AND (input != solutions_we_already_know) –where s = input + 2 –addition is mod 2 32

Step 6: Verify the 'exploit' There exists engines (TEMU) that can verify certain security policies, e.g. whether a return address on the stack is overwritten Verification: –Run software under engine with specified policy –Feed 'exploit' input –Examine results of engine –If negative, and other paths exists, try other paths

3rd party comments (Robert Graham, Halvar Flake) Exploit stated in paper not the same exploit used by others Able to generate input that triggers a vulnerability Not yet a usable exploit that can: –defeat security mechanisms (chk_esp (), safe_unlink ()) –steal info for info-leakage or equivalent of shell code for hijack control flow Useful, but not yet ready to generate the equivalent of a worm using this. Overstated the impact Practical cases may involve large constraints beyond capability of solver. Automated part least time consuming of steps in developing usable exploits

My comments Output of binary difference, which one is relevant ? For GDI vulnerability test case –vulnerable procedure: GetEvent () –Static analysis start point: CopyMetaFileW () –Remember solver cannot solve large constraints quickly or it may run out of memory –How to automate finding of suitable start point for static case ?

Conclusion Novel approach Overstated claims

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.