Presentation is loading. Please wait.

Presentation is loading. Please wait.

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

Published byMelinda Jinkins Modified over 10 years ago

Similar presentations

Presentation on theme: "All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,"— Presentation transcript:

1 All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos, David Brumley Presented by: Vaibhav Rastogi 1

2 The Root of All Evil Humans write programs This Talk: Computers Analyzing Programs Dynamically at Runtime 2

3 Two Essential Runtime Analyses Dynamic Taint Analysis: What values are derived from this source? Forward Symbolic Execution: What input will make execution reach this line of code? Malware Analysis Privacy Leakage Detection Vulnerability Detection Automatic Test- case Generation Input Filter Generation Malware Analysis 3

4 Contributions Formalize English descriptions An algorithm / operational semantics Technical highlights, caveats, issues, and unsolved problems that are deceptively hard Systematize recurring themes in a wealth of previous work 4

5 Contributions 5

6 Dynamic Taint Analysis How it WorksExample PoliciesIssues 6

7 Example 7

8 8 Input is tainted

9 Taint Introduction TaintedUntainted x Input is tainted 9

10 Taint Introduction VarValTaint ( T | F) x7T 10

11 Taint Propagation TaintedUntainted x Data derived from user input is tainted xy 42 11

12 Taint Propagation VarValTaint ( T | F) x7T y49T 12

13 Taint Checking TaintedUntainted x Policy violation detected xy 42 y 13

14 So What? x xy 42 y Exploit Detection Tainted return address 14

15 Taint Checking VarValTaint ( T | F) x7T y49T 15

16 Taint Semantics in SIMPIL 16

17 SIMPIL Operational Semantics tl;dr 17

18 Operational Semantics for Tainting 18

19 Operational Semantics for Tainting 19

20 Example Taint Semantics 20

21 Example Taint Policy 21

22 Dynamic Tainting Issues Tainted Addresses To taint, or not to taint Undertainting Control flows discussed earlier Overtainting Sanitization Time of Detection vs. Time of Attack Overwritten return address detected only at return 22

23 Dynamic Tainting Issues x xy 42 y Overwritten return address detected only at return 23

24 Tainted Addresses Dont taint y Table indices, e.g., a[i] == i Taint y tcpdump uses packet data to compute function pointers 24

25 Dilemma Undertainting: False Negatives Overtainting: False Positives 25

26 Forward Symbolic Execution How it WorksChallengesProposed Solutions 26

27 Example bad_abs(x is input) if (x < 0) return -x if (x = 0x12345678) return -x return x 27

28 Example 2 32 possible inputs 0x12345678 bad_abs(x is input) if (x < 0) return -x if (x = 0x12345678) return -x return x What input will execute this line of code? 28

29 Working bad_abs(x is input) if (x < 0) return -xif (x = 0x12345678) return -xreturn x FT TF x 0x < 0 x 0 && x == 0x12345678 x 0 && x != 0x12345678 29

30 Working bad_abs(x is input) if (x < 0) return -xif (x = 0x12345678) return -xreturn x FT TF x 0x < 0 x 0 && x == 0x12345678 x 0 && x != 0x12345678 What input will execute this line of code? 30

31 Operational Semantics 31

32 Operational Semantics 32

33 Challenges Exponential Number of PathsSymbolic MemorySystem Calls 33

34 Exponential Number of Paths 34

35 Exploration Strategies Bounded necessary – else loops maynt terminate! Bounded Depth First Search Possibly different weights to different paths Random Paths Mix symbolic and concrete execution Make symbolic execution follow a concrete execution path Concolic Execution 35

36 Symbolic memory Example: tables Aliasing issues Solutions: – Make unsound assumptions – Let the SMT solver do the work – Perform alias analysis A static analysis – may not be acceptable Related Problem: Symbolic jumps 36 addr1 = get_input() store(addr1, v) z = load(addr2)

37 Symbolic Jumps Explore jump targets found in concrete execution Let the solver solve itDo static analysis 37 The pc depends on the user input

38 System and Library Calls What are effects of such calls? Manual summarization is possible in some cases Use results from concrete execution – Not sound 38

39 Symbolic Execution is not Easy Exponential number of paths Exponentially sized formulas with substitution Solving a formula is NP-complete 39 s + s + s + s + s +s + s + s + s + s + s + s +s = 42

40 Conclusion Dynamic Taint Analysis and Forward Symbolic Execution both extensively used – A number of options explored This talk provided – Overview of the techniques – Applications – Issues and state-of-the-art solutions 40

Download ppt "All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Repaso: Unidad 1 Lección 2

Repaso: Unidad 1 Lección 2
Simplifications of Context-Free Grammars

Simplifications of Context-Free Grammars
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.

1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Create an Application Title 1A - Adult Chapter 3.

Create an Application Title 1A - Adult Chapter 3.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.

1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.

Similar presentations

Ads by Google