Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Published byHugh Edwards Modified over 8 years ago

Similar presentations

Presentation on theme: "Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed."— Presentation transcript:

1 Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed System Security Symposium

2  Some materials are taken from:  Authors presentation at NDSS'09 ◦ www.isoc.org/isoc/conferences/ndss/09/pdf/17.pdf 2

3  Problem Description ◦ Integer overflow detection in binary code  Approach ◦ Taint analysis and symbolic execution over an intermediate representation on disassembled code  Contributions  Weaknesses  Improvement 3

4  An integer overflow occurs when an operation results in a value greater than the maximum one of the integral data type. 4

5  Expected result?  Actual result? 5

6 6

7  According to Common Vulnerability Scoring System(CVSS), more than 60% of Integer Overflow vulnerabilities have the highest severity score. 7

8 8 Untrusted (tainted) source Integer Overflow Incomplete validations (sanitization) Stack Overflow

9 9

10  Untrusted Source: ◦ Input source like network messages, input files, or command line options.  Tainted data: ◦ Data that is derived from untrusted input sources.  Sink Sensitive operations or points in the program that uses tainted data. For example: ◦ Memory allocation ◦ Memory access ◦ Branch statement 10 main(…){ int i,j,x,y; i=0; j=read_int() ; x=i+1; y=x+j; printf(j); malloc(y); }

11  An instance of taint-based problem 11

12 12  Decompiler ◦ Disassemble the binary ◦ Translate it into Intermediate Representation (PANDA) ◦ Construct the control flow graph (G) and call graph (C)  Component Extractor ◦ Extract from C the candidate functions that are common ancestors connecting source to a sink  Profile Constructor ◦ Computes a chop flow graph G’ based on G, that includes only source-sink paths in candidate sub-graphs.

13  Decompile and create graphs  Tag sources and sinks  Prune irrelevant paths ( x )  Only keep source-to-sink paths ( ) 13

14 14  Symbolically execute each path in the components ◦ Collect path constraints, and check the feasibility of the path (constraint solver) ◦ Track the propagation of untrusted (tainted) data ◦ Only check whether untrusted data causes integer overflows at sink points

15  Symbolic execution  Collect path constraints and check the feasibility ( x )  Track tainted data propagation  Only check integer overflows at sink points 15

16 16

17 17

18 18  Tag sources (fread) and sinks (malloc)  Common ancestor (f() ) determines the component

19 19  S r =source, S k =sink, E sr =C entry ⇝S r, E sk =C entry ⇝S k, S e =S r ⇝C exit, G'=E sr ∪ (S e ∩E sk )

20  Statically “run” the program with symbolic values instead of concrete ones. 20 int* f(){ int x, y; x=rand()%5+1; y=read_int(); if(0<y && y<100){ return (int*) malloc(y*sizeof(int)); } else if (x>y){ x = x + y; y = x - y; x = x - y; if (x-y > 0){ return (int*) malloc(y*sizeof(int)); } else { return (int*) malloc(x*sizeof(int)); } return NULL; } // x = x 0, y = y 0 x = x + y; // x = x 0 + y 0 y = x - y; // y = (x 0 + y 0 )- y 0 = x 0 x = x - y; // x= (x 0 + y 0 )- x 0 = y 0 // x ⇄ y

21 21 x=rand()%5+1; y=read_int(); if(0<y && y<100)  Keeps track of symbolic values of variables and Path Constraint (PC)  Verify PC and discard unfeasible paths x = x + y; y = x - y; x = x - y; if (x-y > 0) true false return (int*) malloc(y*sizeof(int));return (int*) malloc(x*sizeof(int)); true false x=x 0 :[1,5], y=y 0 :[-limit, +limit], PC: true x=x 0 :[1,5], y=y 0 :[-limit, 5[, PC: (y 0 ≤0 || 100≤y 0 ) && (x 0 >y 0 ) return (int*) malloc(y*sizeof(int)); x=x 0 :[1,5], y=y 0 :]0,100[, PC: 0<y 0 && y 0 <100 if (x>y) x=x 0 :[1,5], y=y 0 :[-limit, +limit], PC: y 0 ≤0 || 100≤y 0 true false x=y 0 :[-limit, 5[, y=x 0 :[1,5], PC: (y 0 ≤0 || 100≤y 0 ) && (x 0 >y 0 ) && (y 0 -x 0 >0) not feasible x=y 0 :[-limit, 5[, y=x 0 :[1,5], PC: (y 0 ≤0 || 100≤y 0 ) && (x 0 >y 0 ) && (y 0 -x 0 ≤0) return NULL; x=x 0 :[1,5], y=y 0 :[1, +limit[, PC: (y 0 ≤0 || 100≤y 0 ) && (x 0 ≤y 0 ) int* f(){ int x, y; x=rand()%5+1; y=read_int(); if(0<y && y<100){ return (int*) malloc(y*sizeof(int)); } else if (x>y){ x = x + y; y = x - y; x = x - y; if (x-y > 0){ return (int*) malloc(y*sizeof(int)); } else { return (int*) malloc(x*sizeof(int)); } return NULL; }

22  Taint the untrusted data, and infer the possible propagation of such untrusted data 22 int* f(){ int x, y; x=rand()%5+1; y=read_int(); if(0<y && y<100){ return (int*) malloc(y*sizeof(int)); } else if (x>y){ x = x + y; y = x - y; x = x - y; if (x-y > 0){ return (int*) malloc(y*sizeof(int)); } else { return (int*) malloc(x*sizeof(int)); } return NULL; } tainted sanitized no problem taint propagation from y to x problem no problem not feasible

23  Assign taint types ( ) to program elements  Taint binary operator:  Environment, maps variables taint types  Literals are Untainted:  Variable Access: determined by environ:  Expressions uses binary operator:  Command sequence:  Assignment ( ):  Conditional: 23

24  Detected integer overflow bugs in Windows DLLs  Detected bugs in several widely used applications ◦ QEMU, Xen ◦ Media playersMplayer  Xine  VLC  FAAD2  MPD ◦ Others  Cximage, Hamsterdb, Goom 24

25 25  20+ confirmed vulnerabilities  Some suspicious (not confirmed) ones

26  IDA Pro: A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger ◦ https://www.hex-rays.com/products/ida/index.shtmlhttps://www.hex-rays.com/products/ida/index.shtml  GiNaC: Symbolic Execution Framework (C++) ◦ http://www.ginac.de/ http://www.ginac.de/  STP: Constraint Solver (automated prover) ◦ https://sites.google.com/site/stpfastprover/ https://sites.google.com/site/stpfastprover/ 26

27 A systematic method of combining taint analysis and path-sensitive symbolic execution to detect integer overflow vulnerabilities in executables. An intermediate instruction representation, based on IDA Pro’s disassembled code, and a symbolic execution engine. A prototype called IntScope to analyze real- world binaries, which shows the approach is highly effective. 27

28  Incomplete test case generation. ◦ Partial path analysis source⇝sink instead of main⇝sink  Missing of the constraints between inputs. ◦ Lack of information on intrinsic constraints between inputs leads to false positives.  Lack of global information ◦ Lack of information on global variables may lead to false positives.  Imprecise symbolic execution. ◦ Not accurately simulation of block memory functions (memmove, etc.) and string functions (strncmp,etc.) may lead to false negatives. 28

29  Produce Path Constraints for suspicious cases. ◦ They could be used in a fuzzing tools.  Improve the precision of the symbolic execution of block memory operations. ◦ Open problem ◦ More precise taint propagation 29

30  [1] WANG, T., WEI, T., LIN, Z., AND ZOU, W. Intscope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution. In Network Distributed Security Symposium (NDSS) (2009).  [2] D. Ceara, L. Mounier, and M.-L. Potet, Taint dependency sequences: A characterization of insecure execution paths based on input-sensitive cause sequences, in proceedings of the IEEE Int. workshop MDV'10. IEEE Computer Society, pages 371-380, 2010  [3] D. Ceara. Detecting Software Vulnerabilities Static Taint Analysis. www.tanalysis.googlecode.com/files/DumitruCeara_BSc.pdf.  [4] J. C. King. Symbolic Execution and Program Testing. Communications of the ACM, 19(7):385–394, 1976. 30

31 Jose Sanchez 31

Download ppt "Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed."

Similar presentations

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee.

Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
CSE 341 -- S. Tanimoto Syntax and Types 1 Representation, Syntax, Paradigms, Types Representation Formal Syntax Paradigms Data Types Type Inference.

CSE S. Tanimoto Syntax and Types 1 Representation, Syntax, Paradigms, Types Representation Formal Syntax Paradigms Data Types Type Inference.
Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.

Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x + 10... y...

Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Describing Syntax and Semantics

Describing Syntax and Semantics
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing ------------------------------------------------------------------

Handouts Software Testing and Quality Assurance Theory and Practice Chapter 5 Data Flow Testing
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Precision Going back to constant prop, in what cases would we lose precision?

Precision Going back to constant prop, in what cases would we lose precision?
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.

Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.

Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.
By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha.

By David Brumley, James Newsome, Dawn Song and Hao Wang and Somesh Jha.
Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
AutoHacking with Phoenix Enabled Data Flow Analysis Richard Johnson |

AutoHacking with Phoenix Enabled Data Flow Analysis Richard Johnson |
COMPUTER SOFTWARE Section 2 “System Software: Computer System Management ” CHAPTER 4 Lecture-6/ T. Nouf Almujally 1.

COMPUTER SOFTWARE Section 2 “System Software: Computer System Management ” CHAPTER 4 Lecture-6/ T. Nouf Almujally 1.

Similar presentations

Ads by Google