Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Slides:

Advertisements

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

Advertisements

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

Computer System Overview

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N.

Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.

Computer Security and Penetration Testing

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

EECS 583 – Class 21 Research Topic 3: Dynamic Taint Analysis University of Michigan December 5, 2012.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.

Parallelizing Security Checks on Commodity Hardware Ed Nightingale Dan Peek, Peter Chen Jason Flinn Microsoft Research University of Michigan.

SEC835 Runtime integrity and resource control. Application based Denial of Service Application can crash for many reasons and at any time due to programming.

Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:

Exploit Defenses: ASLR, W X, TaintCheck Brad Karp UCL Computer Science CS GZ03 / th December, 2007.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.

Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.

Operating Systems Security

Electronic Analog Computer Dr. Amin Danial Asham by.

Polygraph: Automatically Generating Signatures for Polymorphic Worms Presented by: Devendra Salvi Paper by : James Newsome, Brad Karp, Dawn Song.

File Systems cs550 Operating Systems David Monismith.

Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.

Advanced Anti-Virus Techniques

Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.

Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University.

Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.

A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.

Pinpointing Vulnerabilities

CSC 495/583 Topics of Software Security Stack Overflows (2)

Taint tracking Suman Jana.

Authors: James Newsome, Dawn Song

Introduction to Operating Systems

Continuous, Low Overhead, Run-Time Validation of Program Executions

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

Software Security Lesson Introduction

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

CS5123 Software Validation and Quality Assurance

Understanding and Preventing Buffer Overflow Attacks in Unix

FIGURE Illustration of Stack Buffer Overflow

Dynamic Binary Translators and Instrumenters

Format String Vulnerability

Return-to-libc Attacks

Presentation transcript:

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song Network and Distributed Systems Security Symposium (NDSS), Feb Presented by: Devendra Salvi 03/22/2007

Outline Motivation Dynamic Taint analysis Evaluation Application Review

Motivation Worms exploit software vulnerabilities like, buffer overrun and “format string” vulnerability For a new attack, attack signatures should be developed automatically.

Motivation (contd.) Attack detectors are  Coarse grained detectors Detect anomalous behavior and do not provide detailed information about the vulnerability  Fine grained detectors Detect attacks on programs vulnerabilities and hence provide detailed information about the attack

Dynamic taint analysis 1. Mark input data as “tainted” 2. Monitor program execution to track how tainted attributes propagate 3. Check when tainted data is used in dangerous ways

Dynamic taint analysis TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. Binary re-writer Taint Check X86 instructions UCode X86 instructions Dynamic taint analysis

X Memory byte Shadow Memory Taint Data structure* untainted Use as Fn pointer Attack detected TaintTrackerTaint seedTaintAssert Exploit Analyzer TaintCheck Shadow Memory *TDS holds the system call number, a snapshot of the current stack, and a copy of the data that was written

Dynamic taint analysis TaintSeed  It marks any data from untrusted sources as “tainted” Each byte of memory has a four-byte shadow memory that stores a pointer to a Taint data structure if that location is tainted, or a NULL pointer if it is not. Memory is mapped to TDS

Dynamic taint analysis TaintTracker  It tracks each instruction that manipulates data in order to determine whether the result is tainted. When the result of an instruction is tainted by one of the operands, TaintTracker sets the shadow memory of the result to point to the same Taint data structure as the tainted operand. Memory is mapped to TDSResult is mapped to TDS

Dynamic taint analysis TaintAssert  It checks whether tainted data is used in ways that its policy defines as illegitimate. Memory is mapped to TDSOperand is mapped to TDS vulnerability

Dynamic taint analysis Exploit Analyzer  The Exploit Analyzer can provide useful information about how the exploit happened, and what the exploit attempts to do. Memory is mapped to TDSOperand is mapped to TDS vulnerability

Dynamic taint analysis Types of attacks detected by TaintCheck are  Overwrite attack jump targets (such as return addresses, function pointers, and function pointer offsets), whether altered to point to existing code (existing code attack) or injected code (code injection attack).  Format string attacks an attacker provides a malicious format string to trick the program into leaking data or into writing an attacker-chosen value to an attacker-chosen memory address.  E.g.. use of %s and %x format tokens to print data from the stack or possibly other locations in memory.

Dynamic taint analysis Why to use TaintCheck ?  Does not require source code or specially compiled binaries.  Reliably detects most overwrite attacks.  Has no known false positives.  Enables automatic semantic analysis based signature generation.

Evaluation False Negatives  A false negative occurs if an attacker can cause sensitive data to take on a value without that data becoming tainted.  E.g. if (x == 0)y = 0; else if (x == 1) y = 1;...  If values are copied from hard-coded literals, rather than arithmetically derived from the input.  IIS translates ASCII input into Unicode via a table  If TaintCheck is configured to trust inputs that should not be trusted.  data from the network could be first written to a file on disk, and then read back into memory.

Evaluation False Positives  TaintCheck detects that tainted data is being used in an illegitimate way even when there is no attack taking place. It indicates, there are vulnerabilities in the program  E.g. A program uses tainted data as a format string, but makes sure it does not use it in a malicious way.

Evaluation Synthetic  To detect Overwritten return addresses Overwritten function pointer Format string vulnerability Actual exploits  ATPhttpd exploit (buffer overflow)  Cfingerd exploit (format string vulnerability)  Wu-ftpd exploit (format string vulnerability)

Evaluation

Performance  CPU bound  a 2.00 GHz Pentium 4, and 512 MB of RAM, running RedHat 8.0. was used to compress bzip2(15mb)  Normal runtime 8.2s  Valgrind nullgrind skin runtime25.6s (3.1 times longer)  Memcheck runtime 109s (13.3 times longer)  TaintCheck runtime 305s (37.2 times longer)  Short-lived  Common case

Evaluation Performance  CPU bound  Short-lived Basic blocks are cached and hence the penalty is acceptable over long lived programs. For short lived programs it is still significantly large  Normal runtime for Cfingerd was0.0222s  Valgrind nullgrind skin runtime took 13 times longer  Memcheck runtime took 32 times longer  TaintCheck runtime took 13 times longer  Common case

Evaluation Performance  CPU bound  Short-lived  Common case For network services the latency experienced is due to network and/or disk I/O and the TaintCheck performance penalty should not be noticeable

Evaluation Performance

Application It is not practical to implement TaintCheck as a standalone due to the performance overhead  TaintCheck enabled honeypots could use TaintCheck to monitor all of its network services TaintCheck will verify the exploit and provide additional information about the detected attack  TaintCheck with OS randomization identify which request contained an attack and generate signature for the attack or blocking future requests from the user.  TaintCheck in a distributed environment

Application Automatic semantic analysis based signature generation  as it monitors how each byte of each attack payload is used by the vulnerable program at the processor-instruction level.

Review Strengths  Zero false positives  Provides a trace of a vulnerability

Review Weakness  Large overhead

Review Improvements  Using efficient emulators to reduce the overhead

Questions ?