TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.

Presentation transcript:

TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011

2 Acknowledgements
Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou
Paper Title: TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
In Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010
Awarded Best Student Paper

3 Outline: Fuzz Testing | TaintScope | Performance | Conclusions

4 Outline: Fuzz Testing | TaintScope | Performance | Conclusions

5 Fuzz Testing
Attempt to crash or hang a program by feeding it malformed inputs
Blackbox fuzzing
–Generational
–Mutation

6 Fuzz Testing: Motivation
Nobody is perfect
Programs may be very large and difficult to test
Find bugs to fix
Exploit programs for malware

7 Fuzz Testing: Challenges
Random fuzzing has to cover a huge sample space
–E.g. a 4 s audio signal of 32k bytes has 2^256,000 possible values
Symbolic fuzzing can't bypass checksum checks

8 Outline: Fuzz Testing | TaintScope | Performance | Conclusions

9 TaintScope
Fuzzer that can bypass checksums
–independent of the checksum algorithm
Concentrates on data flow dependence
Uses the IDA Pro disassembler
Works like a classifier

10 TaintScope: How it Works
Identify hot bytes in input
–Bytes that affect API functions (memory management, string operations)
–Input bytes are tainted with a unique id
Identify possible checksum points

11 TaintScope: How it Works
Well-formed inputs take a true/false path
Malformed inputs take a false/true path
The intersection yields the check points
TaintScope creates bypass rules

12 TaintScope: How it Works
Fuzzer runs with bypass rules and mutates only hot bytes
Crashes and hangs are recorded

13 TaintScope: How it Works
Crashed samples are repaired for replay
–Checksums are corrected
Type of vulnerability can be analyzed
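The four steps on slides 10 to 13 (hot bytes, checksum-point detection by comparing the check outcomes of a well-formed and a malformed input, fuzzing hot bytes with the check bypassed, and repairing the checksum of crashing samples for replay) as an added illustration; this is not TaintScope's code or the paper's. It assumes a constructed toy file format with a CRC32 trailer, a toy consumer whose only bug is an unchecked length field, hot bytes hard-coded to the length offsets (TaintScope derives them by taint tracking), and a dict of check outcomes standing in for the branch trace.

```python
import random, struct, zlib

# Constructed toy format (an assumption for illustration, not a real TaintScope target):
#   magic(4) | length(2, big-endian) | payload | crc32(4) over every byte before the trailer
MAGIC = b"TSCP"


def build(payload):
    """Well-formed file: header, payload and a correct CRC32 trailer."""
    body = MAGIC + struct.pack(">H", len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def parse(data, bypass=False):
    """Toy consumer. Returns (branches, crashed); 'branches' records each check's
    outcome, which is what TaintScope compares across runs. bypass=True forces the
    checksum branch to pass, as a bypass rule would."""
    branches = {"magic": data[:4] == MAGIC}
    if not branches["magic"]:
        return branches, False
    stored = struct.unpack(">I", data[-4:])[0]
    branches["crc"] = bypass or zlib.crc32(data[:-4]) == stored
    if not branches["crc"]:
        return branches, False
    length = struct.unpack(">H", data[4:6])[0]
    return branches, length > 16  # the bug: unchecked length drives a copy into a 16-byte buffer


def checksum_points(good, bad):
    """Checks that pass on a well-formed input and fail on a malformed one."""
    return {k for k, v in good.items() if v and bad.get(k) is False}


def mutate_hot(data, hot, rng):
    """Mutate only the hot bytes (offsets that reach the memory-management call)."""
    out = bytearray(data)
    for off in hot:
        out[off] = rng.randrange(256)
    return bytes(out)


def repair(data):
    """Recompute the trailer so a crashing sample passes the real check on replay."""
    return data[:-4] + struct.pack(">I", zlib.crc32(data[:-4]))


def fuzz(seed_payload=b"hello", hot=(4, 5), rounds=200, rng_seed=1):
    """Locate the checksum check, fuzz hot bytes with it bypassed, repair crashes."""
    rng, seed = random.Random(rng_seed), build(seed_payload)
    good, _ = parse(seed)
    bad, _ = parse(seed[:-1] + bytes([seed[-1] ^ 0xFF]))  # one trailer byte flipped
    points = checksum_points(good, bad)
    crashes = [repair(c) for c in (mutate_hot(seed, hot, rng) for _ in range(rounds))
               if parse(c, bypass="crc" in points)[1]]
    return points, crashes
```

Every repaired sample crashes the consumer again with the bypass removed, while the same sample with its trailer left wrong is rejected at the CRC check, which is why the repair step is needed before replay.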

14 Outline: Fuzz Testing | TaintScope | Performance | Conclusions

15 Performance: Hot Bytes

16 Performance: Checksum

17 Performance: Vulnerabilities

18 What is accomplished?
TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat, and more)
Vendors have patched the software
Vulnerabilities have been published in
–Secunia
–Common Vulnerabilities and Exposures

19 MS Paint Search

20 Adobe Acrobat Search

21 Outline: Fuzz Testing | TaintScope | Performance | Conclusions

22 Conclusions
Fuzzer able to bypass checksums
Works with Linux/Windows binaries
100% of inputs cause a crash or hang
Few input samples needed
Tested on many well-known applications and formats

23 Weakness
Doesn't talk about code coverage
Needs to run the program several times to find the information of interest
Can't correctly detect checksums where the data is encrypted with a key-based algorithm

24 Improvements
Consider incorporating a tool like HyperNEAT
–can learn search space patterns
–work with encryption (e.g. DES S-Boxes)
Dynamic update to reduce the number of runs needed to build hot bytes/checksum information


26 QUESTIONS