Presentation is loading. Please wait.

Presentation is loading. Please wait.

TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.

Published byWilfred Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011."— Presentation transcript:

1 TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011

2 2 Acknowledgements Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou Paper Title: TaintScope: A Checksum- Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection In Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010. Awarded Best Student Paper

3 3 Fuzz Testing TaintScope Performance Conclusions

4 4 Fuzz Testing TaintScope Performance Conclusions

5 5 Fuzz Testing Attempt to crash or hang a program by feeding it malformed inputs Blackbox fuzzing –Generational –Mutation

6 6 Fuzz Testing: Motivation Nobody is perfect Programs may be very large and dificult to test Find bugs to fix Exploit programs for malware

7 7 Fuzz Testing: Challenges Random fuzzing has to cover a huge sample space –E.g. audio signal of 4s, 32k bytes 2 256,000 possible values Symbolic fuzzing can’t bypass checksum instructions

8 8 Fuzz Testing TaintScope Performance Conclusions

9 9 TaintScope Fuzzer that can bypass checksum –independent of the algorithm Concentrates on data flow dependence Uses IDA Pro Disassembler Works like a classifier

10 10 TaintScope: How it Works Identify hot bytes in input –Bytes that affect API functions Memory management String operations –Input bytes are tainted with unique id Identify possible checksum points

11 11 TaintScope: How it Works Well-formed inputs take a true/false path Malformed inputs take a false/true path Intersection yields the check points TaintScope creates bypass rules

12 12 TaintScope: How it Works Fuzzer runs with bypass rules and mutates only hot bytes Crashes and hangs are recorded

13 13 TaintScope: How it Works Crashed samples are repaired for replay –C–Checksum are corrected Type of vulnerability can be analyzed

14 14 Fuzz Testing TaintScope Performance Conclusions

15 15 Performance: Hot Bytes

16 16 Performance: Checksum

17 17 Performance: Vulnerabilities

18 18 What is accomplished? TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat, and more) Vendors have patched the software Vulnerabilities have been published in –Secunia –Common Vulnerabilities and Exposure

19 19 MW Paint Search

20 20 Adobe Acrobat Search

21 21 Fuzz Testing TaintScope Performance Conclusions

22 22 Conclusions Fuzzer able to bypass checksum Works with Linux/Windows binaries 100% inputs cause crash or hang Low input samples Tested on many well-known applications and formats

23 23 Weakness Doesn’t talk about code coverage Needs to run the program several times to find information of interest Can’t detect correctly checksums where data is encrypted with key-based algorithm

24 24 Improvements Consider incorporating a tool like HyperNEAT –can learn search space patterns –work with encryption (e.g. DES S-Boxes) Dynamic update to reduce number of runs needed to build hot bytes/checksum information

25 25 References 1.Tielei Wang’s website: http://sites.google.com/site/tieleiwang/ http://sites.google.com/site/tieleiwang/ 2.Month of Kernel Bugs: http://projects.info- pull.com/mokb/http://projects.info- pull.com/mokb/ 3.Month Browsers Bug: http://browserfun.blogspot.com/http://browserfun.blogspot.com/ 4.Secunia: http://secunia.com/http://secunia.com/ 5.Comon Vulnerabilities and Exposure: http://cve.mitre.org/ http://cve.mitre.org/ 6.IDA Disassembler: http://www.hex-rays.com/idapro/http://www.hex-rays.com/idapro/ 7.Google Images: http://images.google.comhttp://images.google.com

26 26 QUESTIONS

Download ppt "TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011."

Similar presentations

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
White-Box Cryptography

White-Box Cryptography
Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.

Dr. XiaoFeng Wang Spring 2006 Packet Vaccine: Black-box Exploit Detection and Signature Generation XiaoFeng Wang, Zhuowei Li Jun Xu, Mike Reiter Chongkyung.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia

Reversing Microsoft Patches to reveal Vulnerable code Harsimran Walia
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.

TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.

1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.
CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2011.
Silvio Cesare Ph.D. Candidate, Deakin University.

Silvio Cesare Ph.D. Candidate, Deakin University.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center.

A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center.

Similar presentations

Ads by Google