EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012

- 1 - Announcements v Exams returned »Answer Key can be found on the course website »One week to turn in written requests for exam regrades v Sign up for project presentation slots »Friday on Scott’s office door, Monday in class v Today’s class reading »"Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," James Newsome and Dawn Song, Proceedings of the Network and Distributed System Security Symposium, Feb »Optional background reading: "All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)," Edward J. Schwartz, Thanassis Avgerinos, David Brumley, Proceedings of the 2010 IEEE Symposium on Security and Privacy, May 2010.

- 2 - EECS 583 Exam Statistics Exam Score Mean: 70.6StDev: 12.8High: 94Low: 44

- 3 - The Problem v Unknown Vulnerability Detection ** »Buffer Overflows »Format string vulnerabilties »The goal of TaintCheck v Malware Analysis »What is the software doing with sensitive data? »Data propagation from triggers »Ex. TaintDroid v More Generally - Tracking the flow of data through a program

- 4 - Buffer Overflow v Example Stack Buffer Overflow

- 5 - Buffer Overflow

- 6 - Format String Vulnerability v Attacker controls a format string

- 7 - Format String Vulnerability v Attacker controls a format string »Overwrite arbitrary memory  Take control of program execution  %n commonly used in conjunction with other format specifiers u Writes number of bytes written thus far to the stack »Dump memory  ex. printf ("%08x.%08x.%08x.%08x.%08x\n"); »Crash the program  ex. printf ("%s%s%s%s%s%s%s%s%s%s%s%s");  Denial of Service

- 8 - Dynamic Taint Analysis v Track information flow through a program at runtime v Identify sources of taint – “TaintSeed” »What are you tracking?  Untrusted input  Sensitive data v Taint Policy – “TaintTracker” »Propagation of taint v Identify taint sinks – “TaintAssert” »Taint checking  Special calls u Jump statements u Format strings  Outside network

- 9 - TaintCheck v Performed on x86 binary »No need for source v Implemented using Valgrind skin »X86 -> Valgrind’s Ucode »Taint instrumentation added »Ucode -> x86 v Sources -> TaintSeed v Taint Policy -> TaintTracker v Sinks -> TaintAssert v Add on “Exploit Analyzer”

Taint Analysis in Action

10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 11 x = get_input( ) y = x + 42 … goto y Input is tainted untaintedtainted x7 Δ VarVal T x Tainted? Var τ Input t = IsUntrusted(src) get_input(src)↓ t TaintSeed

10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 12 x = get_input( ) y = x + 42 … goto y Data derived from user input is tainted untaintedtainted y49 Δ VarVal x7 T y Tainted? T Var x τ BinOp t 1 = τ[x 1 ], t 2 = τ[x 2 ] x 1 + x 2 ↓ t 1 v t 2 TaintTracker

P goto (t a ) = ¬ t a (Must be true to execute) 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 13 Policy Violation Detected Policy Violation Detected x = get_input( ) y = x + 42 … goto y untaintedtainted Δ VarVal x7 y49 Tainted? T T Var x y τ TaintAssert

10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 14 x = get_input( ) y = … … goto y … strcpy(buffer,argv[1]) ; … return ; Jumping to overwritten return address

TaintCheck - Exploit Analyzer v TaintPolicy - Keep track of Taint propagation info »Backtrace chain of taint structures »Allow generation of attack signatures v Transfer control to sandbox for analysis

TaintCheck - Evaluation v False Negatives »Use control flow to change value without gathering taint  Example: if (x == 0) y=0; else if (x == 1) y=1; u Equivalent to x=y; »Tainted index into a hardcoded table  Policy – value translation is not tainted »Enumerating all sources of taint v False Positives »Vulnerable code? »Sanity Checks not removing taint  Requires fine-tuning  Taint sanitization problem »0 false positives? v Thoughts?

Policy Considerations?

Memory Load 10/17/2015Carnegie Mellon University18 VariablesMemory Δ VarVal x7 Tainted? T Var x τ μ AddrVal Tainted? F Addr 7 τμτμ

Problem: Memory Addresses 10/17/2015Carnegie Mellon University19 x = get_input( ) y = load( x ) … goto y All values derived from user input are tainted?? μ AddrVal Tainted? F Addr 7 τμτμ x7 Δ VarVal

μ AddrVal x = get_input( ) y = load( x ) … goto y Jump target could be any untainted memory cell value Policy 1: 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 20 Load v = Δ[x], t = τ μ [v] load(x) ↓ t Taint depends only on the memory cell Taint Propagation Tainted? F Addr 7 τμτμ x7 Δ VarVal Undertainting Failing to identify tainted values - e.g., missing exploits

jmp_table Policy Violation? 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 21 x = get_input( ) y = load(jmp_table + x % 2 ) … goto y Policy 2: Memory printa printb Address expression is tainted Load v = Δ[x], t = τ μ [v], t a = τ[x] load(x) ↓ t v t a If either the address or the memory cell is tainted, then the value is tainted Taint Propagation Overtainting Unaffected values are tainted - e.g., exploits on safe inputs

General Challenge State-of-the-Art is not perfect for all programs 10/17/2015 All You Ever Wanted to Know About Dynamic Taint Analysis 22 Undertainting: Policy may miss taint Overtainting: Policy may wrongly detect taint

TaintCheck - Attack Detection v Synthetic Exploits »Buffer overflow -> function pointer »Buffer overflow -> format string »Format string -> info leak »Success! v Actual Exploits »3 real world examples »Random sample? »Prevalence of protected exploits? slightly more convincing

Performance v Implementation decisions »Use of Valgrind »Better on IO bound tasks »How much performance would you give up?

TaintCheck Uses v Individual Sites »Cost? v Honeypots v “TaintCheck plus OS Randomization” »Rely on OS randomization to cause crashes »Log and reproduce with tainting v Sampling »Users rather than requests  Do I just need more infected computers? »Distributed Sampling

Signatures v Automatic Semantic Analysis »Exploit Analyzer v Generated signature validation

Other considerations v Effectiveness in the wild »Side-channel attacks  Can the attacker determine when someone is using taint tracking? u Speed? u Perform the attack only on native systems  Similar to existing virtual machine and honeypot problems »Circumventing the taint system  Clean your data before exploit u Depends on policy u Example: Hex to ASCII translation  Cause false positives u Raises cost of running the system u Admins may turn it off »Difficult to evaluate without motivated attackers