Automated reduction of attack surface
using call graph enumeration
Ruo Ando
National Institute of Informatics, Japan
2018 2nd International Conference on
Management Engineering, Software
Engineering and Service Sciences (ICMSS)
Jan 13-15, 2018 in Wuhan, China
SESSION 1: Software Engineering and System Modeling
13:30 – 13:45
Attack surface
Vulnerable function
CVE-2013-4371
Use-after-free Xen Hypervisor
under high memory pressure
What is an attack surface ?
The Attack Surface of an application is:
1. the sum of all paths for data/commands into and out of the application, and
2. the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and
3. all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
4. the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
For simplification, in this paper,
we define attack surface as function
call graph from malicious input
to vulnerable function.
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
Malicious input
Abstract: Attack surface reduction
In this paper, we propose a method of
attack surface reduction using
enumeration of the call graph.
① The proposed system is divided into two
steps: enumerating edges E[Function Fi,
Function Fi+1] and constructing the call graph
by recursive search of [E1, E2, ..., En].
② The proposed method enables us to find the
sum of paths whose leaf node is the
vulnerable function VF. Also, the root node RF
of the call graph is the part of the program which is
open to the attacker.
③ Therefore, the call graph [VF, RF] can be
eliminated according to the situation where
the program is running.
We apply the proposed method to a real
program (Xen) and extract the attack
surface of CVE-2013-4371.
Malicious input
vulnerability
TARGET: Xen Open Source Hypervisor Software
# global -t cmdtable_lookup
cmdtable_lookup tools/libxl/xl_cmdtable.c 390
INPUT (tools/libxl/xl_cmdtable.c, excerpt)
struct cmd_spec cmd_table[] = {
    ...
    { "list",
      &main_list,
      "List information about all/some domains",
      "[options] [Domain]\n",
      "-l, --long Output all VM details\n"
      "-v, --verbose Prints out UUIDs",
    },
    ...
    { "migrate-receive",
      &main_migrate_receive,
      "Restore a domain from a saved state",
      "- for internal use only",
    },
This attack surface can be eliminated (reduced).
https://www.xenproject.org/
VULNERABLE FUNCTION
libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
TARGET: CVE-2013-4371
Use-after-free Xen Hypervisor
402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
388 libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
389 {
390     libxl_cpupoolinfo *ptr, *tmp;
        /* lines 391-396 (remaining declarations) not shown on the slide */
397     poolid = 0;
398     for (i = 0;; i++) {
399         info = xc_cpupool_getinfo(ctx->xch, poolid);
400         if (info == NULL)
401             break;
402         tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
403         if (!tmp) {
404             LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
405             free(ptr);
406             xc_cpupool_infofree(ctx->xch, info);
407             return NULL;
408         }
409         ptr = tmp;
410         ptr[i].poolid = info->cpupool_id;
411         ptr[i].sched_id = info->sched_id;
412         ptr[i].n_dom = info->n_dom;
413         if (libxl_cpumap_alloc(ctx, &ptr[i].cpumap)) {
414             xc_cpupool_infofree(ctx->xch, info);
415             break;
416         }
417         memcpy(ptr[i].cpumap.map, info->cpumap, ptr[i].cpumap.size);
418         poolid = info->cpupool_id + 1;
419         xc_cpupool_infofree(ctx->xch, info);
420     }
realloc use-after-free vulnerability
Use-after-free vulnerability in the
libxl_list_cpupool function in the libxl
toolstack library in Xen 4.2.x and 4.3.x,
when running "under memory pressure,"
returns the original pointer when the
realloc function fails, which allows local
users to cause a denial of service (heap
corruption and crash) and possibly
execute arbitrary code via unspecified
vectors.
At line 402, Xen uses realloc to reallocate
the memory. Note that the address of
libxl_cpupoolinfo is already assigned outside of
this routine. Under high memory pressure, realloc
cannot extend the memory block from the original
pointer that was already obtained. In this case,
realloc yields a new address, and the
remaining data is written there.
A for loop without a boundary
condition is dangerous.
*tmp is the return value of realloc.
Use-after-free (aka heap spray): CVE-2013-4371 Xen hypervisor
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
[Diagram from the linked post: create() → free() → realloc() / use(); jump to payload on heap; ROP + shellcode]
/* k: int array previously allocated with N elements; grow it by one */
int *tmp = (int*)realloc(k, (N+1)*sizeof(int));
if (tmp != NULL) {
    k = tmp;   /* only replace k after realloc succeeded */
    puts("________realloc(k)_________");
    for (i = 0; i < N+1; i++) {
        printf("&k[%d]:%p , k[%d]=%d\n", i, &k[i], i, k[i]);
    }
}
realloc() allocates a new area if it fails to expand
the block behind its first argument in place.
Consequently, the contents are preserved but the address changes.
If realloc() is invoked too many times, an adversary can cause a DoS, and an arbitrary
malicious string can be executed.
void* realloc (void* ptr, size_t size);
① Enumerating the function call graph of routine (R[I], N[J], F[K])
② Enumerating the invocation list (I[O], M[P], F[Q])
③ Generating the list (R, N) for each F:
F[k] {(R[i1], N[j1]), (R[i2], N[j2]) . . }
④ For each invocation list (I[O], M[P], F[K]),
detecting the position S[x] of M[P] in list F[k]{R[i]N[j]..} with binary search
⑤ Concatenating (R[I], S[x-1], F[k]) and (I[O], F[Q]) of S[x-1]
⑥ Generating a list of E({(R[i], S[x-1], F[k]), (I[O], M[P], F[K])} ...) by repeating ④ and ⑤.
E is enumerable. That is, ⑥ should be finished in finite steps.
⑦ Enumerating CG (Call Graph) of E({(R[i], S[x-1], F[k]), (I[O], M[P], F[K])} ...) from the vulnerable function to the malicious input.
Exit Condition 1: node is EMPTY
Exit Condition 2: node is MAIN
https://github.com/RuoAndo/Saturator/blob/master/postgres/ex.py
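As an added example (not the paper's ex.py), the two-step procedure above, edge enumeration followed by recursive search from the vulnerable function towards main with the two exit conditions, in Python over a constructed edge list. The function names come from the slides; FILE_X..FILE_W, the line numbers, and helper_a, helper_b, orphan_fn and main_cpupoollist are placeholders, not Xen's real locations.

```python
"""Call-graph enumeration from a vulnerable function back to the entry point.

Added example, not the paper's ex.py. The edge list is constructed by hand:
the function names come from the slides, the file names FILE_X..FILE_W and
the line numbers are placeholders, not Xen's real locations.
"""
from collections import defaultdict

# Steps 1/2 of the slides: one tuple per invocation, (caller, callee, file, line).
# Dispatch through xl's cmd_table[] (main_list, main_migrate_receive, ...) is
# modelled as a direct edge from main, because that table is what an attacker
# reaches first.
EDGES = [
    ("main", "main_list", "FILE_X", 35),
    ("main", "main_migrate_receive", "FILE_X", 135),
    ("main", "main_cpupoollist", "FILE_X", 200),
    ("main_list", "libxl_list_domain", "FILE_Y", 410),
    ("main_cpupoollist", "libxl_list_cpupool", "FILE_Y", 7200),
    ("helper_a", "libxl_list_cpupool", "FILE_Z", 50),   # helper_a <-> helper_b is a cycle
    ("helper_b", "helper_a", "FILE_Z", 80),
    ("helper_a", "helper_b", "FILE_Z", 90),
    ("orphan_fn", "libxl_list_cpupool", "FILE_Z", 60),  # nobody calls orphan_fn
    ("libxl_list_cpupool", "xc_cpupool_getinfo", "FILE_W", 399),
    ("libxl_list_cpupool", "libxl_cpumap_alloc", "FILE_W", 413),
]


def build_caller_index(edges):
    """callee -> [(caller, file, line)]: the reversed edge list E used to walk
    from the vulnerable function (leaf) towards the root."""
    callers = defaultdict(list)
    for caller, callee, path, line in edges:
        callers[callee].append((caller, path, line))
    return callers


def enumerate_call_graph(edges, vf, max_depth, root="main"):
    """Recursive search over E starting at vf.

    Returns (paths, stats): paths is the list of root -> ... -> vf chains,
    i.e. the attack surface of vf; stats[d] counts, per search depth d, how
    many nodes had no caller (EMPTY, exit condition 1) and how many reverse
    edges were followed (EDGE), mirroring the slides' per-depth table.
    Reaching root is exit condition 2; max_depth bounds the path explosion.
    """
    callers = build_caller_index(edges)
    paths = []
    stats = {d: {"EMPTY": 0, "EDGE": 0} for d in range(1, max_depth + 1)}

    def walk(node, chain, depth):
        if node == root:                      # exit condition 2: entry point
            paths.append(list(reversed(chain)))
            return
        if depth > max_depth:                 # bound the search
            return
        parents = callers.get(node, [])
        if not parents:                       # exit condition 1: nobody calls it
            stats[depth]["EMPTY"] += 1
            return
        for caller, _path, _line in parents:
            if caller in chain:               # recursion in the program: skip cycle
                continue
            stats[depth]["EDGE"] += 1
            chain.append(caller)
            walk(caller, chain, depth + 1)
            chain.pop()

    walk(vf, [vf], 1)
    return paths, stats


def reachable_entries(edges, vf, max_depth, root="main"):
    """Functions called directly from root on some path to vf: for xl these are
    the cmd_table[] handlers whose commands could be disabled to cut the surface."""
    paths, _ = enumerate_call_graph(edges, vf, max_depth, root)
    return sorted({p[1] for p in paths if len(p) > 1})


if __name__ == "__main__":
    for depth in (1, 2, 4):
        found, counts = enumerate_call_graph(EDGES, "libxl_list_cpupool", depth)
        print(f"search depth {depth}: {len(found)} path(s); per-depth {counts}")
        for p in found:
            print("  " + " -> ".join(p))
    print("entries to disable:", reachable_entries(EDGES, "libxl_list_cpupool", 4))
```

With search depth 1 no path reaches main; from depth 2 on the single chain main -> main_cpupoollist -> libxl_list_cpupool is found, and the cycle guard keeps helper_a/helper_b from looping.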
Algorithm of detecting attack surface
version  node  invocation  edge   H(hour)  M(min)  S(sec)
xen401   1111  193297      7149   2        45      48
xen451   1792  406859      11513  6        5       27
xen420   1542  344695      9566   5        3       49
xen434   1630  367031      10077  5        28      54
xen403   1123  193480      7191   2        44      41
xen461   1783  435286      11795  6        41      25
xen441   1676  389811      10516  5        56      40
xen342   907   163628      5070   2        27      8
xen410   1302  195986      7977   2        54      28
xen343   908   163832      5082   2        26      36
xen453   1795  407036      11546  6        16      7
xen464   1783  436076      11809  6        34      9
xen341   906   163088      5036   2        28      40
xen412   1309  196290      8008   2        54      49
xen415   1384  197232      8560   2        57      32
xen471   2281  466237      16291  7        13      20
xen413   1310  196503      8024   2        56      9
xen340   906   1628849     7250   30       11      28
xen442   1679  389955      10554  5        47      17
xen480   2299  442614      15769  7        51      48
xen423   1550  345345      9670   5        12      36
Enumerating (counting all) nodes, invocations and edges in the source code
[Diagram: node, invocation and edge. Function A @ FILE X contains the invocation "200: Function B"; Function B @ FILE Y is the callee. A node is located with GNU global, e.g. cmdtable_lookup tools/libxl/xl_cmdtable.c 390]

version  search depth  EMPTY (LEAF)  EDGE
xen440   1             1             15
xen440   2             6             62
xen440   3             68            876
xen412   1             0             8
xen412   2             1             17
xen412   3             10            119
xen414   1             0             8
xen414   2             1             17
xen414   3             10            119
xen410   2             1             17
xen410   3             10            122
xen441   1             1             15
xen441   2             6             62
xen441   3             83            1068
xen415   1             0             8
xen415   2             1             17
xen415   3             10            119
xen422   1             0             8
xen422   2             3             36
xen422   3             87            1525
xen424   1             0             8
xen424   2             3             36
xen424   3             80            1476
xen413   1             0             8
xen413   2             1             17
xen413   3             10            119
xen425   1             0             8
xen433   1             1             7
xen433   2             5             36
xen433   3             74            998
xen453   1             1             15
xen453   2             6             65
xen453   3             11            208
xen432   1             1             7
xen432   2             5             36
xen432   3             88            1223
xen450   1             1             15
xen450   2             6             65
xen450   3             11            203
xen451   1             1             15
xen451   2             6             65
xen451   3             10            201
xen434   1             1             7
xen434   2             5             36
xen434   3             81            1043
xen455   1             1             15
xen455   2             6             65
xen455   3             12            217
xen430   1             1             7
xen430   2             5             36
xen430   3             62            761
xen442   1             1             15
xen442   2             6             62
xen442   3             68            876
Search output (version : vulnerable function : search depth : EMPTY : EDGE):
xen440 : libxl_list_cpupool : 3 : 68 : 876
xen440 : libxl_list_cpupool : 4 : 297 : 4811
xen414 : libxl_list_cpupool : 3 : 10 : 119
xen414 : libxl_list_cpupool : 4 : 10 : 123
xen414 : libxl_list_cpupool : 5 : 10 : 127
psycopg2.OperationalError: FATAL: sorry, too many clients already
LIMITATION: Upper bound of PostgreSQL: search depth > 4 (path explosion)
Conclusion: automated attack surface reduction is possible !
In this paper, we propose a method of
attack surface reduction using
enumeration of the call graph.
① The proposed system is divided into two
steps: enumerating edges E[Function Fi,
Function Fi+1] and constructing the call graph
by recursive search of [E1, E2, ..., En].
② The proposed method enables us to find the
sum of paths whose leaf node is the
vulnerable function VF. Also, the root node RF
of the call graph is the part of the program which is
open to the attacker.
③ Therefore, the call graph [VF, RF] can be
eliminated according to the situation where
the program is running.
Malicious input
vulnerability
The proposed method can detect the attack surface in major
open source software, such as Xen CVE-2013-4371, in
feasible computing time (2-7 hours).

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 

Automated reduction of attack surface using call graph enumeration

  • 4. TARGET: Xen Open Source Hypervisor Software (https://www.xenproject.org/)

    INPUT: the xl command table, located with GNU GLOBAL:

        # global -t cmdtable_lookup
        cmdtable_lookup tools/libxl/xl_cmdtable.c 390

        20  struct cmd_spec cmd_table[] = {
        34      { "list",
        35        &main_list,
        36        "List information about all/some domains",
        37        "[options] [Domain]\n",
        38        "-l, --long Output all VM details\n"
        39        "-v, --verbose Prints out UUIDs",
        40      },
        134     { "migrate-receive",
        135       &main_migrate_receive,
        136       "Restore a domain from a saved state",
        137       "- for internal use only",
        138     },

    This attack surface can be eliminated (reduced).

    VULNERABLE FUNCTION:

        libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
  • 5. TARGET: CVE-2013-4371, use-after-free in the Xen hypervisor

        388 libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
        389 {
        390     libxl_cpupoolinfo *ptr, *tmp;
        397     poolid = 0;
        398     for (i = 0;; i++) {
        399         info = xc_cpupool_getinfo(ctx->xch, poolid);
        400         if (info == NULL)
        401             break;
        402         tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
        403         if (!tmp) {
        404             LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
        405             free(ptr);
        406             xc_cpupool_infofree(ctx->xch, info);
        407             return NULL;
        408         }
        409         ptr = tmp;
        410         ptr[i].poolid = info->cpupool_id;
        411         ptr[i].sched_id = info->sched_id;
        412         ptr[i].n_dom = info->n_dom;
        413         if (libxl_cpumap_alloc(ctx, &ptr[i].cpumap)) {
        414             xc_cpupool_infofree(ctx->xch, info);
        415             break;
        416         }
        417         memcpy(ptr[i].cpumap.map, info->cpumap, ptr[i].cpumap.size);
        418         poolid = info->cpupool_id + 1;
        419         xc_cpupool_infofree(ctx->xch, info);
        420     }

    Callouts: line 402, realloc use-after-free vulnerability; *tmp is the return value of realloc; a FOR loop without a boundary condition is dangerous.

    CVE description: Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors.

    At line 402, Xen uses realloc to grow the buffer. Note that the address of the libxl_cpupoolinfo array is already held outside this routine. Under high memory pressure, realloc cannot extend the block at the original pointer that was already obtained; in this case realloc yields a new address while the data remain to be written.
  • 6. Use-after-free (aka heap spray): CVE-2013-4371 Xen hypervisor
    Reference: http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
    Figure labels: create(), free(), realloc(), use(), Jump to payload on heap, ROP + Shellcode

        void* realloc (void* ptr, size_t size);

        int *tmp = (int*)realloc(k,(N+1)*sizeof(int));
        if( tmp!=NULL ){
            k = tmp;
            puts("________realloc(k)_________");
            for(i=0; i<N+1; i++){
                printf("&k[%d]:%p , k[%d]=%d\n",i,&k[i],i,k[i]);
            }
        }

    realloc() allocates a new area if it fails to expand the block behind its first argument. Consequently the string is preserved but its address changes. If realloc() is invoked too many times, an adversary can cause a DoS and an arbitrary malicious string can be executed.
  • 7. Algorithm of detecting attack surface
    ① Enumerating the function call graph of each routine (R[I], N[J], F[K])
    ② Enumerating the invocation list (I[O], M[P], F[Q])
    ③ Generating the list (R, N) for each F: F[k] {(R[i1], N[j1]), (R[i2], N[j2]), ...}
    ④ For each invocation list (I[O], M[P], F[K]), detecting the position S[x] of M[P] in the list F[k]{R[i]N[j]...} with binary search
    ⑤ Concatenating (R[I], S[x-1], F[k]) and (I[O], F[Q]) of S[x-1]
    ⑥ Generating the list E({(R[i], S[x-1], F[k]), (I[O], M[P], F[K])} ...) by repeating ④ and ⑤. E is enumerable; that is, ⑥ finishes in a finite number of steps.
    ⑦ Enumerating the CG (call graph) of E({(R[i], S[x-1], F[k]), (I[O], M[P], F[K])} ...) from the vulnerable function to the malicious input.
    Exit condition 1: node is EMPTY
    Exit condition 2: node is MAIN
    Implementation: https://github.com/RuoAndo/Saturator/blob/master/postgres/ex.py
  • 8. Enumerating (counting all) nodes, invocations and edges in the source code

    version  node  invocation  edge   H (hours)  M (minutes)  S (seconds)
    xen401   1111  193297      7149   2          45           48
    xen451   1792  406859      11513  6          5            27
    xen420   1542  344695      9566   5          3            49
    xen434   1630  367031      10077  5          28           54
    xen403   1123  193480      7191   2          44           41
    xen461   1783  435286      11795  6          41           25
    xen441   1676  389811      10516  5          56           40
    xen342   907   163628      5070   2          27           8
    xen410   1302  195986      7977   2          54           28
    xen343   908   163832      5082   2          26           36
    xen453   1795  407036      11546  6          16           7
    xen464   1783  436076      11809  6          34           9
    xen341   906   163088      5036   2          28           40
    xen412   1309  196290      8008   2          54           49
    xen415   1384  197232      8560   2          57           32
    xen471   2281  466237      16291  7          13           20
    xen413   1310  196503      8024   2          56           9
    xen340   906   1628849     7250   30         11           28
    xen442   1679  389955      10554  5          47           17
    xen480   2299  442614      15769  7          51           48
    xen423   1550  345345      9670   5          12           36

    Figure labels: "200: Function B" (invocation) in Function A @ FILE X; cmdtable_lookup tools/libxl/xl_cmdtable.c 390; Function B @ FILE Y; node, invocation, edge.
  • 9. Search results per version and search depth (EMPTY = leaf nodes, EDGE = edges found)

    version  search depth  EMPTY (LEAF)  EDGE
    xen440   1             1             15
    xen440   2             6             62
    xen440   3             68            876
    xen412   1             0             8
    xen412   2             1             17
    xen412   3             10            119
    xen414   1             0             8
    xen414   2             1             17
    xen414   3             10            119
    xen410   2             1             17
    xen410   3             10            122
    xen441   1             1             15
    xen441   2             6             62
    xen441   3             83            1068
    xen415   1             0             8
    xen415   2             1             17
    xen415   3             10            119
    xen422   1             0             8
    xen422   2             3             36
    xen422   3             87            1525
    xen424   1             0             8
    xen424   2             3             36
    xen424   3             80            1476
    xen413   1             0             8
    xen413   2             1             17
    xen413   3             10            119
    xen425   1             0             8
    xen433   1             1             7
    xen433   2             5             36
    xen433   3             74            998
    xen453   1             1             15
    xen453   2             6             65
    xen453   3             11            208
    xen432   1             1             7
    xen432   2             5             36
    xen432   3             88            1223
    xen450   1             1             15
    xen450   2             6             65
    xen450   3             11            203
    xen451   1             1             15
    xen451   2             6             65
    xen451   3             10            201
    xen434   1             1             7
    xen434   2             5             36
    xen434   3             81            1043
    xen455   1             1             15
    xen455   2             6             65
    xen455   3             12            217
    xen430   1             1             7
    xen430   2             5             36
    xen430   3             62            761
    xen442   1             1             15
    xen442   2             6             62
    xen442   3             68            876

    Tool output (version : vulnerable function : search depth : EMPTY : EDGE):

        xen440 : libxl_list_cpupool : 3 : 68 : 876
        psycopg2.OperationalError: FATAL: sorry, too many clients already
        FATAL: sorry, too many clients already
        xen440 : libxl_list_cpupool : 4 : 297 : 4811
        xen414 : libxl_list_cpupool : 3 : 10 : 119
        xen414 : libxl_list_cpupool : 4 : 10 : 123
        xen414 : libxl_list_cpupool : 5 : 10 : 127

    LIMITATION: upper bound of PostgreSQL: search depth > 4 (path explosion)
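The two steps of the method (enumerating the edge set E[Function Fi, Function Fi+1], then recursively building the call graph from the vulnerable function VF towards the entry point, with the two exit conditions of slide 7) and the (search depth, EMPTY, EDGE) rows of slide 9, worked as an added Python example. This is not the paper's ex.py (which keeps its edges in PostgreSQL): the invocation list is constructed, and apart from libxl_list_cpupool and main every function name in it is a hypothetical placeholder, not Xen's real call graph. Going one step beyond the slides, it also lists the command-table entries through which input reaches VF, so that the entries a deployment does not need can be identified as candidates for removal.

```python
from collections import defaultdict

# Constructed invocation list of (caller, callee) pairs. Hypothetical xl-like
# names, not Xen's real call graph; libxl_list_cpupool is the vulnerable
# function VF named on the slides and main is the root RF.
INVOCATIONS = [
    ("main", "cmd_list"),
    ("main", "cmd_pool_list"),
    ("main", "cmd_migrate_receive"),
    ("cmd_list", "list_domains"),             # branch that never reaches VF
    ("cmd_list", "libxl_list_cpupool"),
    ("cmd_pool_list", "print_pools"),
    ("print_pools", "libxl_list_cpupool"),
    ("cmd_migrate_receive", "receive_state"),
    ("receive_state", "print_pools"),
    ("orphan_helper", "libxl_list_cpupool"),  # nobody calls orphan_helper: an EMPTY leaf
]

VF = "libxl_list_cpupool"
ROOT = "main"


def enumerate_edges(invocations):
    """Step 1: the edge set E[F_i, F_i+1], indexed as callee -> set of callers."""
    callers = defaultdict(set)
    for caller, callee in invocations:
        callers[callee].add(caller)
    return callers


def enumerate_call_graph(callers, vf=VF, max_depth=3, root=ROOT):
    """Step 2: recursive upward search from VF towards the program entry.

    Returns (paths, empty, edges): every path found (VF first), the number of
    EMPTY leaves (nodes with no recorded caller, exit condition 1) and the
    number of caller edges traversed. Reaching ROOT stops a path (exit
    condition 2); max_depth bounds the recursion like the slide's search depth.
    """
    paths, counts = [], {"empty": 0, "edges": 0}

    def walk(node, path, depth):
        if node == root:                       # exit condition 2: node is MAIN
            paths.append(path)
            return
        parents = callers.get(node, set())
        if not parents:                        # exit condition 1: node is EMPTY
            counts["empty"] += 1
            paths.append(path)
            return
        if depth == max_depth:                 # depth bound: keep the partial path
            paths.append(path)
            return
        for parent in sorted(parents):         # sorted for deterministic output
            counts["edges"] += 1
            if parent in path:                 # recursive call in the program: do not loop
                continue
            walk(parent, path + [parent], depth + 1)

    walk(vf, [vf], 0)
    return paths, counts["empty"], counts["edges"]


def complete_paths(paths, root=ROOT):
    """Paths running from VF all the way to ROOT: the attack surface [VF, RF]."""
    return [p for p in paths if p[-1] == root]


def entry_points(paths, root=ROOT):
    """The function directly below ROOT on each complete path, i.e. the command
    handler (cmd_table entry) through which input reaches VF."""
    return sorted({p[-2] for p in complete_paths(paths, root) if len(p) >= 2})


def reducible_entries(paths, needed, root=ROOT):
    """Entry points that reach VF but are not needed in this deployment: the
    cmd_table entries a deployer could drop to shrink the surface."""
    return [e for e in entry_points(paths, root) if e not in needed]


def depth_table(invocations, vf=VF, depths=(1, 2, 3, 4), root=ROOT):
    """Rows of (search depth, EMPTY, EDGE), the shape of slide 9's table."""
    callers = enumerate_edges(invocations)
    rows = []
    for d in depths:
        _, empty, edges = enumerate_call_graph(callers, vf, d, root)
        rows.append((d, empty, edges))
    return rows


if __name__ == "__main__":
    for row in depth_table(INVOCATIONS):
        print("depth %d  EMPTY %d  EDGE %d" % row)
    found, _, _ = enumerate_call_graph(enumerate_edges(INVOCATIONS), max_depth=4)
    for p in complete_paths(found):
        print(" <- ".join(p))
    print("entries reaching VF:", entry_points(found))
    print("removable if only cmd_list is needed:", reducible_entries(found, {"cmd_list"}))
```

Running the file prints the depth table for the constructed graph, the three complete [VF, RF] paths, and, with only cmd_list required, cmd_migrate_receive and cmd_pool_list as removable entries: the per-deployment elimination of a call graph [VF, RF] that the conclusion describes. The `parent in path` guard is what keeps the recursion finite when the program itself is recursive; the depth bound plays the role of the slide's search depth limit.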
  • 10. Conclusion: automated attack surface reduction is possible!
    In this paper, we propose a method of attack surface reduction using enumeration of the call graph.
    ① The proposed system is divided into two steps: enumerating edges E[Function Fi, Function Fi+1] and constructing the call graph by recursive search of [E1, E2, ..., En].
    ② The proposed method enables us to find the sum of paths whose leaf node is the vulnerable function VF. Also, the root node RF of the call graph is the part of the program that is open to the attacker.
    ③ Therefore, the call graph [VF, RF] can be eliminated according to the situation in which the program is running.
    Figure labels: Malicious input, vulnerability
    The proposed method can detect the attack surface in major open source software such as Xen (CVE-2013-4371) in feasible computing time (2-7 hours).