Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pinpointing Vulnerabilities

Published byCleopatra Lawson Modified over 6 years ago

Similar presentations

Presentation on theme: "Pinpointing Vulnerabilities"— Presentation transcript:

1 Pinpointing Vulnerabilities
Yue Chen, Mustakimur Khandaker, Zhi Wang Florida State University Vulnerabilities Pinpointing Vulnerabilities

2 Question When an attack is detected, how to locate the underlying vulnerability? Attack Vulnerability Pinpointing Vulnerabilities

3 Example A control-flow violation is detected at line 6.
Root Cause Symptom A control-flow violation is detected at line 6. The vulnerability lies at line 4 (buffer overflow). Pinpointing Vulnerabilities

4 Attack Detection v.s. Vulnerability Locating
Control-flow Integrity (CFI) Detect the control-flow graph violation (e.g., on function returns) Taint Analysis Detect tainted data being loaded to PC System Call Interposition Detect abnormal syscalls made by the payload Manifestation of attack rarely coincides with the vulnerabilities Pinpointing Vulnerabilities

5 Ravel – Three Components
Root-cause Analysis of Vulnerabilities from Exploitation Log Online attack detector Record & replay with instrumentation Offline vulnerability locator Pinpointing Vulnerabilities

6 Ravel – Strengths Reliably reproduce real-world attacks in the lab environment Low online performance overhead Locating vulnerabilities is time-consuming Extensible: New attack detection and vulnerability locating techniques can be easily integrated (already support a variety of vulnerability locating techniques) Pinpointing Vulnerabilities

7 Attack Detection Ravel uses existing attack detection methods
Program crash (or other exceptions) Abnormal system calls (sequence/arguments) Control-flow integrity violation (to be included) New methods can be easily adopted by Ravel Pinpointing Vulnerabilities

8 More robust against attacks, with low cost
Record & Replay What to record & replay? All the non-deterministic inputs (e.g., network packets) Where to record & replay? Application interface Library interface Virtual machine interface System call interface More robust against attacks, with low cost Pinpointing Vulnerabilities

9 Record System call return values
Userspace data structures modified by syscalls Data copied from kernel to userspace Asynchronous signals Special instructions (e.g., RDTSC) Synchronization primitives Pinpointing Vulnerabilities

10 Replay with Instrumentation
Some syscalls replayed without real execution e.g., gettimeofday Some syscalls need to be re-executed e.g., mmap Replay under a binary translation (BT) engine BT collects detailed memory accesses by the target Replay distinguishes syscalls made by the target from those made by BT Pinpointing Vulnerabilities

11 Vulnerability Locator
Data-flow Analysis Race Condition Use-after-free Double-free Integer Errors Pinpointing Vulnerabilities

12 Data-flow Analysis Analyze def-use relations between instructions
Define: writes to a memory address Use: reads from a memory address write read define use A B Pinpointing Vulnerabilities

13 Data-flow Analysis Precompute a data-flow graph (DFG)
DFG: the valid def-use relations in the program Our prototype uses dynamic analysis Extra relations regarded as violations Violation to DFG indicates the vulnerability location It could be the def or the use, but which one? Refine the results with heuristics Pinpointing Vulnerabilities

14 Data-flow Analysis Heuristics
One def, many uses: def is closer to the vulnerability Example: buffer overflow def Normal Violating use use use Pinpointing Vulnerabilities

15 Data-flow Analysis Heuristics
One def, many uses: def is closer to the vulnerability Example: buffer overflow Many defs, one use: use is closer to the vulnerability Example: information leakage use def Pinpointing Vulnerabilities

16 Integer Errors Focus on common integer errors Example:
Start from common functions/instructions that take integer operands E.g., memcpy, recvfrom; movs, stos… Search backwards for integer errors Example: memcpy ( void * destination, const void * source, size_t num ); Search from num backwards for integer errors. Pinpointing Vulnerabilities

17 Integer Errors Benign integer errors?
Assignment truncation (e.g., 0x → 0x5678) To detect: assign from a longer to a shorter integer type Integer overflow/underflow (e.g., 0xFFFFFFFF + 1) To detect: check the RFLAGS register Signedness error (e.g., unsigned_int_var = signed_int_var) To detect: collect hints from functions and instructions Instructions: jg, jge, ja, jae, cmovg, cmova, idiv, div, etc. Functions: memmove, strncat, etc. Benign integer errors? Related to a reported vulnerability! Pinpointing Vulnerabilities

18 Use-after-free and Double-free
Ravel instruments memory allocation/free functions to track the memory life-time Use-after-free: freed memory is accessed again Double-free: memory freed more than once without re-allocation Pinpointing Vulnerabilities

19 Race Condition When race condition happens, the execution deviates from the recorded one as we do not implement strict R&R When detected, use the happens-before relation to check for race conditions Pinpointing Vulnerabilities

20 Implementation Record & replay: Vulnerability locator:
FreeBSD release 10.2 Kernel modification + small user-space utility Vulnerability locator: Extended from Valgrind Pinpointing Vulnerabilities

21 Evaluation – Effectiveness
Buffer overflow Integer errors Information leakage Use-after-free and double-free Format string vulnerabilities Pinpointing Vulnerabilities

22 CVE-2013-2028 of Nginx signed comparison Ravel unsigned signed
Data-flow Violation Signedness Conflict Memory Exception unsigned signed larger than expected buffer overflow Pinpointing Vulnerabilities

23 Evaluation – Effectiveness
More examples are in the paper (Heartbleed, etc.) Pinpointing Vulnerabilities

24 Evaluation – Performance
Performance overhead of Ravel’s online components relative to the original FreeBSD system Pinpointing Vulnerabilities

25 Pinpointing Vulnerabilities
Q&A Vulnerabilities Pinpointing Vulnerabilities

26 Backup Slides Pinpointing Vulnerabilities

27 Attack Detection Example
Typical scenario example: Attacker guesses memory addresses Program crashes (due to ASLR, DEP, etc.) Victim forks a new process Attack Fork Pinpointing Vulnerabilities

Download ppt "Pinpointing Vulnerabilities"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,

Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,

Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
MemTracker Efficient and Programmable Support for Memory Access Monitoring and Debugging Guru Venkataramani, Brandyn Roemer, Yan Solihin, Milos Prvulovic.

MemTracker Efficient and Programmable Support for Memory Access Monitoring and Debugging Guru Venkataramani, Brandyn Roemer, Yan Solihin, Milos Prvulovic.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

Similar presentations

Ads by Google