Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Published byWade Sutherland Modified over 9 years ago

Similar presentations

Presentation on theme: "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song."— Presentation transcript:

1 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song Network and Distributed Systems Security Symposium (NDSS), Feb 2005. CS451 Spring 2011 Instructor: Christos Papadopoulos Original slides by Devendra Salvi (2007)

2 Motivation Worms exploit several software vulnerabilities  buffer overflow  “format string” vulnerability Attack detectors ideally should:  Detect new attacks and detect them early  Be easy to deploy  Few false positives and false negatives  Be able to automatically generate filters and sharable fingerprints

3 Motivation (contd.) Attack detectors are:  Coarse grained detectors Detect anomalous behavior but do not provide detailed information about the vulnerability Scan detectors, anomaly detectors  Fine grained detectors are highly desirable Detect attacks on programs vulnerabilities and hence provide detailed information about the attack But some require source code (typically not available for commercial software), recompilation, bounds checking, library recompilation, source code modification, etc.  Other options: content-based filtering (e.g., IDS’ such as snort and Bro), but automatic signature generation is hard

4 TaintCheck: Basic Ideas 1. Program execution normally derived from trusted sources, not attacker input 2. Mark all input data to the computer as “tainted” (e.g., network, stdin, etc.) 3. Monitor program execution and track how tainted data propagates (follow bytes, arithmetic operations, jump addresses, etc.) 4. Detect when tainted data is used in dangerous ways

5 Step 1: Add Taint Checking code TaintCheck first runs the code through an emulation environment (Valgrind) and adds instructions to monitor tainted memory. Binary re-writer Taint Check X86 instructions UCode X86 instructions Dynamic taint analysis

6 TaintCheck Detection Modules TaintSeed: Mark untrusted data as tainted TaintTracker: Track each instruction, determine if result is tainted TaintAssert: Check is tainted data is used dangerously Jump addresses: function pointers or offsets Format strings: is tainted data used as a format string arg? System call arguments Application or library customized checks

7 TaintCheck Operation X Memory byte Shadow Memory Taint Data structure* untainted Use as Fn pointer Attack detected TaintTrackerTaint seedTaintAssert Exploit Analyzer TaintCheck Shadow Memory *TDS holds the system call number, a snapshot of the current stack, and a copy of the data that was written

8 TaintSeed Marks any data from untrusted sources as “tainted”  Each byte of memory has a four-byte shadow memory (ick!) that stores a pointer to a Taint data structure if that location is tainted  Else store a NULL pointer Memory is mapped to TDS

9 TaintTracker Tracks each instruction that manipulates data in order to determine whether the result is tainted.  When the result of an instruction is tainted by one of the operands, TaintTracker sets the shadow memory of the result to point to the same Taint data structure as the tainted operand. Memory is mapped to TDSResult is mapped to TDS

10 TaintAssert  Checks whether tainted data is used in ways that its policy defines as illegitimate Memory is mapped to TDSOperand is mapped to TDS vulnerability

11 Exploit Analyzer  Provides useful information about how the exploit happened, and what the exploit attempts to do  Useful to generate exploit fingerprints Memory is mapped to TDSOperand is mapped to TDS vulnerability

12 Attacks Detected by TaintCheck Overwrite attack  jump targets (such as return addresses, function pointers, and function pointer offsets), whether altered to point to existing code (existing code attack) or injected code (code injection attack) Format string attacks  an attacker provides a malicious format string to trick the program into leaking data or into writing an attacker-chosen value to an attacker-chosen memory address.  E.g., use of %n, %s and %x format tokens

13 When does TaintCheck Fail? A false negative occurs if an attacker can cause sensitive data to take on a value without that data becoming tainted E.g. if (x == 0)y = 0; else if (x == 1) y = 1;... If values are copied from hard-coded literals, rather than arithmetically derived from the input IIS translates ASCII input into Unicode via a table If TaintCheck is configured to trust inputs that should not be trusted data from the network could be first written to a file on disk, and then read back into memory

14 When does TaintCheck give a False Positive? TaintCheck detects that tainted data is being used in an illegitimate way even when there is no attack taking place. Possibilities:  There are vulnerabilities in the program and need to be fixed, or  The program performs sanity checks before using the data

15 Compatibility with Existing Code Does TaintCheck raise false alerts? Networked programs: 158K+ DNS queries  No false +ves All (!!) client and non-network programs (tainted data is stdin):  Only vim and firebird caused false +ves (data from config files used as offset to jump address)

16 Attack Detection: Synthetic + Actual Exploits

17 Performance Evaluation – CPU Bound Process Hardware: 2.00 GHz Pentium 4, 512 MB RAM, RedHat 8.0 Application: bzip2(15mb)  Normal runtime 8.2s  Valgrind nullgrind skin runtime: 25.6s (3.1x)  Memcheck runtime: 109s (13.3x)  TaintCheck runtime: 305s (37.2x)

18 Short-lived Processes Short processes cause TaintCheck to run repeatedly (caching helps, however) Application: Cfingerd Normal runtime: 0.0222s Valgrind nullgrind:13x Memcheck : 32x TaintCheck:13x

19 Apache: Different Page Sizes A more representative case, network and I/O

20 Applications of TaintCheck Standalone: typically not practical  But maybe if you sample requests.. TaintCheck-enabled honeypots  Monitor network services, verify exploit and provide additional information about the detected attack TaintCheck with OS randomization  OS randomization causes application to crach  Use TaintCheck to identify which request causes the crash and generate signature for the attack or block future TaintCheck in a distributed environment  Share signatures

21 Automatic Signature Generation Automatic semantic analysis based signature generation  Find value used to override return address – typically fixed value in the exploit code  Sometimes as little as 3 bytes! See paper for details

22 Conclusions Interesting approach to combat exploits. Pros:  Does not require source code or specially compiled binaries  Reliably detects most overwrite attacks  Has no known false positives  Automatic signature generation (see paper) Cons: Overhead!  May get a lot better with tuning and better emulators

Download ppt "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Similar presentations

Ads by Google