Presentation is loading. Please wait.

Presentation is loading. Please wait.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

Published byPorter Shreve Modified over 9 years ago

Similar presentations

Presentation on theme: "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking."— Presentation transcript:

1 TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking University, China 2 Texas A&M University, US 31st IEEE Symposium on Security & Privacy

2 Outline Introduction  Background  Motivation TaintScope  Intuition  System Design  Evaluation Conclusion 2......

3 Fuzzing/Fuzz Testing Feed target applications with malformed inputs e.g., invalid, unexpected, or random test cases  Proven to be remarkably successful  E.g., randomly mutate well-formed inputs and runs the target application with the “mutations” Application Fuzzer crash Malformed Input 3 Introduction TaintScopeConclusion

4 Fuzzing is great 4 However… Introduction TaintScopeConclusion In the best case, malformed inputs will explore different program paths, and trigger security vulnerabilities

5 A quick example Malformed images will be dropped when the decoder function detects checksums mismatch 5 1 void decode_image(FILE* fd){ 2... 3 int length = get_length(fd); 4 int recomputed_chksum = checksum(fd, length); 5 int chksum_in_file = get_checksum(fd); //line 6 is used to check the integrity of inputs 6 if(chksum_in_file != recomputed_chksum) 7 error(); 8 int Width = get_width(fd); 9 int Height = get_height(fd); 10 int size = Width*Height*sizeof(int);//integer overflow 11 int* p = malloc(size); 12... re-compute a new checksum read the attached checksum compare tow values Introduction TaintScopeConclusion

6 Checksum: the bottleneck 6 Checksum is a common way to test the integrity of input data Introduction TaintScopeConclusion if(checksum( D ata )!= C hksum ) Most mutations are blocked at the checksum test point

7 Our motivation Penetrate checksum checks! 7 Our Goal Introduction TaintScopeConclusion

8 Intuition Disable checksum checks by control flow alteration Fuzz the modified program Repair the checksum fields in malformed inputs that can crash the modified program 8 if(checksum( D ata )!= C hksum ) goto L1; exit(); L1: continue(); Original program Modified program Introduction TaintScope Conclusion

9 Key Questions Q1: How to locate the checksum test instructions in a binary program? Q2: How to effectively and efficiently fuzz for security vulnerability detection? Q3: How to generate the correct checksum value for the invalid inputs that can crash the modified program? 9 Introduction TaintScope Conclusion

10 TaintScope Overview 10 Execution Monitor Checksum Locator Directed Fuzzer Checksum Repairer Modified Program Hot Bytes Info Instruction Profile Crashed Samples Reports Q1 Q2Q3

11 A1: Locate the checksum test instruction 11 Introduction TaintScope Conclusion Checksum is usually used to protect a large number of input bytes if(checksum( D ata ) != C hksum ) D ata C hksum Key Observation 1 Based on fine-grained taint analysis, we first find the conditional jump instructions (e.g., jz, je ) that depend on more than a certain number of input bytes Take these conditional jump instructions as candidates

12 A1: Locate the checksum test instruction Key Observation 2 12 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions

13 A1: Locate the checksum test instruction Key Observation 2 13 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions ① Run well-formed inputs, identify the always-taken and always-not-taken insts

14 A1: Locate the checksum test instruction Key Observation 2 14 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions ① Run well-formed inputs, identify the always-taken and always-not-taken insts ② Run malformed inputs, also identify the always-taken and always-not-taken insts

15 A1: Locate the checksum test instruction Key Observation 2 15 Introduction TaintScope Conclusion Well-formed inputs can pass the checksum test, but most malformed inputs cannot We log the behaviors of candidate conditional jump instructions ① Run well-formed inputs, identify the always-taken and always-not-taken insts ② Run malformed inputs, also identify the always-taken and always-not-taken insts ③ Identify the conditional jump inst that behaves completely different when processing well-formed and malformed inputs

16 A2: Effective and efficient fuzzing Blindly mutating will create huge amount of redundant test cases --- ineffective and inefficient Directed fuzzing: focus on modifying the “hot bytes” that refer to the input bytes flow into critical system/library calls  Memory allocation, string operation… 16 Introduction TaintScope Conclusion 1 void decode_image(FILE* fd){ 2...... 6 if(chksum_in_file != recomputed_chksu goto 8; 7 error(); 8 int Width = get_width(fd); 9 int Height = get_height(fd); 10 int size = Width*Height*sizeof(int);//integer overflow 11 int* p = malloc(size); 12 … Directly modifying “width” or “height" fields will trigger the bug easily

17 A3: Generate the correct checksum The classical solution is symbolic execution and constraint solving We use combined concrete/symbolic execution  Only leave the bytes in the checksum field as symbolic values  Collect and solve the trace constraints on C hksum when reaching the checksum test inst.  Note that: checksum( D ata ) is a runtime determinable constant value. C hksum originates from the checksum field, but may be transformed, such as from hex/oct to dec number, from little-endian to big-endian. 17 Solving checksum( D ata )== C hksum is hard or impossible, if both D ata and C hksum are symbolic values Introduction TaintScope Conclusion

18 Design Summary Directed Fuzzing  Identify and modify “hot bytes” in valid inputs to generate malformed inputs On top of PIN binary instrumentation platform Checksum-aware Fuzzing  Locate checksum check points and checksum fields.  Modify the program to accept all kinds input data  Generate correct checksum fields for malformed inputs that can crash the modified program Offline symbolically execute the trace, using STP solver 18 Introduction TaintScope Conclusion

19 Evaluation Component evaluation  E1: Whether TaintScope can locate checksum points and checksum fields?  E2: How many hot byte in a valid input?  E3: Whether TaintScope can generate a correct checksum field? Overall evaluation  E 4 : Whether TaintScope can detect previous unknown vulnerabilities in real-world applications? 19 Introduction TaintScope Conclusion

20 Evaluation 1 : locate checksum points We test several common checksum algorithms, including CRC32, MD5, Adler32. TaintScope accurately located the check statements. 20 Introduction TaintScope Conclusion

21 Evaluation 2 : identify hot bytes We measured the number of bytes could affect the size arguments in memory allocation functions 21 Introduction TaintScope Conclusion

22 Evaluation 3 : generate correct checksum fields We test malformed inputs in four kinds of file formats. TaintScope is able to generate correct checksum fields. 22 Introduction TaintScope Conclusion

23 Evaluation 4 : 27 previous unknown vulns 23 Introduction TaintScope Conclusion MS Paint Google Picasa Adobe Acrobat ImageMagick irfanview gstreamer WinampXEmacs Amaya dillo wxWidgets PDFlib

24 Evaluation 4 : 27 previous unknown vulns 24

25 Evaluation 4: 27 previous unknown vulns 25 Introduction TaintScope Conclusion

26 Checksum is a big challenge for fuzzing tools TaintScope can perform:  Directed fuzzing Identify which bytes flow into system/library calls. dramatically reduce the mutation space.  Checksum-aware fuzzing Disable checksum checks by control flow alternation. Generate correct checksum fields in invalid inputs. TaintScope detected dozens of serious previous unknown vulnerabilities. 26 IntroductionTaintScope Conclusion

27 Thanks for your attention!

Download ppt "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking."

Similar presentations

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
1 Symbolic Execution Kevin Wallace, CSE504 2010-04-28.

1 Symbolic Execution Kevin Wallace, CSE
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.

TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
C++ Programming: From Problem Analysis to Program Design, Third Edition Chapter 1: An Overview of Computers and Programming Languages C++ Programming:

C++ Programming: From Problem Analysis to Program Design, Third Edition Chapter 1: An Overview of Computers and Programming Languages C++ Programming:
Computer Science: A Structured Programming Approach Using C1 Objectives ❏ To understand the structure of a C-language program. ❏ To write your first C.

Computer Science: A Structured Programming Approach Using C1 Objectives ❏ To understand the structure of a C-language program. ❏ To write your first C.
1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.

1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.
Chapter 3 Planning Your Solution

Chapter 3 Planning Your Solution
1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.

1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center.

A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center.
Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Similar presentations

Ads by Google