A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Tielei Wang (1), Tao Wei (1), Guofei Gu (2), Wei Zou (1)
(1) Peking University, China
(2) Texas A&M University, US

Slide 2

- Checksum – a way to check the integrity of data. Used in network protocols and files.
  (figure: data → Checksum function → data + Checksum field)
- Fuzzing – generating malformed inputs and feeding them to the application.
- Dynamic Taint Analysis – runs a program and observes which computations are affected by predefined taint sources (e.g. input).

Slide 3

- The input mutation space is enormous.
- Most malformed inputs are dropped at an early stage if the program employs a checksum mechanism.

Slide 4

 1  void decode_image(FILE* fd){
 2      ...
 3      int length = get_length(fd);
 4      int recomputed_chksum = checksum(fd, length);
 5      int chksum_in_file = get_checksum(fd);
        // line 6 is used to check the integrity of inputs
 6      if(chksum_in_file != recomputed_chksum)
 7          error();
 8      int Width = get_width(fd);
 9      int Height = get_height(fd);
10      int size = Width*Height*sizeof(int);
11      int* p = malloc(size);
12      ...
13      for(int i=0; i<Height; i++){ // read ith row to p
14          read_row(p+Width*i, i, fd);
        }
    }

Slide 5

- To infer whether/where a program checks the integrity of input.
- Identify which input bytes can flow into sensitive points: taint analysis at byte level monitors how the application uses the input data.
- Create malformed input focusing on the "hot bytes".
- Repair checksum fields in the input, to expose the vulnerability.
- Fully automatic.
- Found 27 new vulnerabilities – Acrobat Reader, Google Picasa and more.

Slide 6

1. Dynamic taint tracing
2. Detecting checksum
3. Directed fuzzing
4. Repairing crashed samples

Slide 7

(architecture diagram) Components: Execution Monitor (driven by an Instruction Profile), Checksum Locator, Directed Fuzzer, Checksum Repairer. Inputs: Program, Samples. Intermediate data: Hot Bytes Info, Modified samples, Crashed samples. Output: Reports.

Slide 8

- Runs the program with well-formed input.
- The execution monitor records:
  - which input bytes are related to arguments of API functions (e.g. malloc, strcpy) – "hot bytes" report;
  - which bytes each conditional jump instruction depends on (e.g. JZ, JE, JB) – checksum report.
- Considers only data flow (no control flow).

Slide 9

- Instruments instructions – movement (e.g. MOV, PUSH), arithmetic (e.g. SUB, ADD), logic (e.g. AND, XOR).
- Taints all values written by an instruction with the union of all taint labels associated with the values used by that instruction.
- Also considers the eflags register.

Example:
  eax {0x6, 0x7}, ebx {0x8, 0x9}
  add eax, ebx
  eax {0x6, 0x7, 0x8, 0x9}, eflags

Slide 10

Input size is 1024 bytes. "hot bytes" report:

 8  int Width = get_width(fd);
 9  int Height = get_height(fd);
10  int size = Width*Height*sizeof(int);
11  int* p = malloc(size);

…
0x8048d5b: invoking malloc: [0x8,0xf]
…

Slide 11

Input size is 1024 bytes. Checksum report:

6  if(chksum_in_file != recomputed_chksum)
7      error();

…
0x8048d4f: JZ: 1024: [0x0,0x3ff]
…

Slide 12

Checksum detector: identify potential checksum check points.
- Heuristic: the recomputed checksum value depends on many input bytes.
- Instruments conditional jumps. Before execution, checks whether the number of taint marks associated with the eflags register exceeds a threshold.
- Problem with decompressed bytes (values produced by decompression also depend on many input bytes, so this heuristic alone yields false positives).

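The byte-level propagation of slides 8–12 (union of labels, eflags as one more destination, "hot bytes" at library-call arguments, and the eflags-label-count threshold at conditional jumps), as an added example that is not TaintScope's code. The pseudo-x86 trace, the addresses, the 4-byte additive checksum and the threshold value are constructed for the example.

```python
from __future__ import annotations

CHECKSUM_THRESHOLD = 16   # slide 28: "Threshold = 16"


class TaintMachine:
    """Byte-level taint tracker for a tiny pseudo-x86 trace (constructed model).

    Memory cell i initially holds input byte i with taint label {i}. Every
    destination receives the union of its sources' labels, and eflags is
    treated as one more destination of arithmetic, logic and cmp.
    """

    def __init__(self, input_len: int) -> None:
        self.mem = {i: {i} for i in range(input_len)}
        self.regs: dict[str, set[int]] = {}
        self.eflags: set[int] = set()
        self.jumps: list[tuple[str, int]] = []              # (addr, #labels on eflags)
        self.calls: list[tuple[str, str, list[int]]] = []   # (addr, callee, hot bytes)

    def labels(self, op) -> set[int]:
        if isinstance(op, int):              # immediate operand: no taint
            return set()
        if op.startswith("["):               # memory operand "[offset]"
            return set(self.mem.get(int(op[1:-1]), set()))
        return set(self.regs.get(op, set()))

    def run(self, trace) -> None:
        for addr, mnem, *ops in trace:
            if mnem == "mov":                                 # movement: copy labels
                self.regs[ops[0]] = self.labels(ops[1])
            elif mnem in ("add", "sub", "and", "xor"):        # arithmetic/logic: union
                self.regs[ops[0]] = self.labels(ops[0]) | self.labels(ops[1])
                self.eflags = set(self.regs[ops[0]])
            elif mnem == "cmp":                               # writes only eflags
                self.eflags = self.labels(ops[0]) | self.labels(ops[1])
            elif mnem in ("jz", "je", "jb"):                  # conditional jump
                self.jumps.append((addr, len(self.eflags)))
            elif mnem == "call":                              # ops = (callee, argument register)
                self.calls.append((addr, ops[0], sorted(self.labels(ops[1]))))


def checksum_report(trace, input_len: int, threshold: int = CHECKSUM_THRESHOLD):
    """Conditional jumps whose eflags depends on more than `threshold` input bytes."""
    m = TaintMachine(input_len)
    m.run(trace)
    return [(addr, n) for addr, n in m.jumps if n > threshold]


def hot_bytes_report(trace, input_len: int):
    """Input offsets that reach the argument of each recorded library call."""
    m = TaintMachine(input_len)
    m.run(trace)
    return m.calls


def constructed_trace(input_len: int = 1024):
    """Constructed trace mimicking the slides' decode_image(): sum every byte
    before the trailing 4-byte checksum field into eax, compare it with that
    field (line 6), then derive Width/Height from bytes 8..15 for malloc."""
    t = [("0x8048d00", "mov", "eax", 0)]
    for i in range(input_len - 4):
        t.append(("0x8048d10", "add", "eax", f"[{i}]"))
    t.append(("0x8048d30", "mov", "ebx", f"[{input_len - 4}]"))
    for i in range(input_len - 3, input_len):
        t.append(("0x8048d34", "add", "ebx", f"[{i}]"))
    t.append(("0x8048d4a", "cmp", "eax", "ebx"))
    t.append(("0x8048d4f", "jz"))                      # the checksum check point
    t.append(("0x8048d52", "mov", "ecx", "[8]"))       # Width  <- bytes 8..11
    t.extend(("0x8048d53", "add", "ecx", f"[{i}]") for i in range(9, 12))
    t.append(("0x8048d54", "mov", "edx", "[12]"))      # Height <- bytes 12..15
    t.extend(("0x8048d55", "add", "edx", f"[{i}]") for i in range(13, 16))
    t.append(("0x8048d56", "cmp", "ecx", 0))           # a check on Width alone
    t.append(("0x8048d57", "jb"))
    t.append(("0x8048d59", "add", "ecx", "edx"))       # stands in for Width*Height
    t.append(("0x8048d5b", "call", "malloc", "ecx"))
    return t


if __name__ == "__main__":
    tr = constructed_trace()
    print("checksum report:", checksum_report(tr, 1024))  # [('0x8048d4f', 1024)]
    print("hot bytes report:", hot_bytes_report(tr, 1024))
```

Only the jump at 0x8048d4f exceeds the threshold (its eflags carries all 1024 labels); the Width-only check at 0x8048d57 depends on 4 bytes and is not reported.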
Slides 13–16

Refinement: well-formed inputs can pass the checksum test, but most malformed inputs cannot.
- Run well-formed inputs, identify the always-taken and always-not-taken instructions.
- Run malformed inputs, also identify the always-taken and always-not-taken instructions.
- Identify the conditional jump instructions that behave completely differently when processing well-formed and malformed inputs.

Slide 17

Checksum detector: creates bypass rules – always-taken, always-not-taken.

6  if(chksum_in_file != recomputed_chksum)
7      error();

Checksum report
…
0x8048d4f: JZ: 1024: [0x0,0x3ff]
…
Bypass info
0x8048d4f: JZ: always-taken

Slide 18

Checksum detector: checksum field identification.

6  if(chksum_in_file != recomputed_chksum)
7      error();

Input bytes that affect chksum_in_file are the checksum field.

Slide 19

- Generates malformed test cases – feeds them to the original or instrumented program.
- According to the bypass rules, alters the execution traces at check points – sets the eflags register.

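The refinement of slides 13–17 and the bypass step of slide 19, as an added example (not TaintScope's code): jump outcomes are collected from well-formed and malformed runs, jumps that are constant in both sets but opposite become bypass rules, and the directed fuzzer then forces those outcomes so malformed inputs reach the code after the check. The decode_image() model, its additive checksum, the second bounds check at a hypothetical address, and the sample generator are all constructed for the example.

```python
from __future__ import annotations

import random
import struct

CHECK_ADDR = "0x8048d4f"    # the JZ at line 6 of the slides' decode_image()
BOUNDS_ADDR = "0x8048d60"   # hypothetical later bounds check, not on the slides


def recompute_checksum(data: bytes) -> int:
    """Constructed checksum: 32-bit sum of every byte before the trailing field."""
    return sum(data[:-4]) & 0xFFFFFFFF


def decode_image(data: bytes, forced: dict[str, bool] | None = None):
    """Model of the slides' decode_image(). Returns (jump outcomes, reached_malloc).
    `forced` overrides a jump's outcome the way the directed fuzzer overrides ZF."""
    forced = forced or {}
    outcomes: dict[str, bool] = {}

    def jump(addr: str, taken: bool) -> bool:
        outcomes[addr] = forced.get(addr, taken)
        return outcomes[addr]

    chksum_in_file = struct.unpack("<I", data[-4:])[0]
    # JZ skips error() when the stored and recomputed checksums are equal
    if not jump(CHECK_ADDR, chksum_in_file == recompute_checksum(data)):
        return outcomes, False
    width, height = struct.unpack_from("<ii", data, 8)
    if jump(BOUNDS_ADDR, width <= 0 or height <= 0):
        return outcomes, False
    return outcomes, True                 # malloc(Width*Height*sizeof(int)) reached


def well_formed(rng: random.Random, size: int = 1024) -> bytes:
    body = bytearray(rng.getrandbits(8) for _ in range(size - 4))
    struct.pack_into("<ii", body, 8, rng.randint(1, 64), rng.randint(1, 64))
    return bytes(body) + struct.pack("<I", sum(body) & 0xFFFFFFFF)


def malformed(rng: random.Random, sample: bytes) -> bytes:
    """Change one protected byte to a different value, so the sum checksum fails."""
    buf = bytearray(sample)
    i = rng.randrange(len(buf) - 4)
    buf[i] = (buf[i] + rng.randint(1, 255)) & 0xFF
    return bytes(buf)


def constant_jumps(runs):
    """addr -> 'always-taken' / 'always-not-taken' for jumps constant across runs."""
    seen: dict[str, set[bool]] = {}
    for outcomes in runs:
        for addr, taken in outcomes.items():
            seen.setdefault(addr, set()).add(taken)
    return {a: ("always-taken" if v == {True} else "always-not-taken")
            for a, v in seen.items() if len(v) == 1}


def bypass_rules(good_runs, bad_runs):
    """Jumps constant in both sets but with opposite behaviour; the rule is the
    well-formed behaviour, which the fuzzer enforces on malformed inputs."""
    good, bad = constant_jumps(good_runs), constant_jumps(bad_runs)
    return {a: good[a] for a in good if a in bad and bad[a] != good[a]}


def demo(seed: int = 1, n: int = 20):
    rng = random.Random(seed)
    goods = [well_formed(rng) for _ in range(n)]
    bads = [malformed(rng, s) for s in goods]
    rules = bypass_rules([decode_image(s)[0] for s in goods],
                         [decode_image(s)[0] for s in bads])
    forced = {a: (r == "always-taken") for a, r in rules.items()}
    before = sum(decode_image(s)[1] for s in bads)           # without bypass
    after = sum(decode_image(s, forced)[1] for s in bads)    # with bypass rules applied
    return rules, before, after


if __name__ == "__main__":
    print(demo())   # ({'0x8048d4f': 'always-taken'}, 0, <number of malformed inputs reaching malloc>)
```

The bounds check never appears in the malformed runs (the checksum check stops them first), so it is not turned into a rule; only the checksum jump is.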
Slide 20

- All malformed test cases are constructed based on the "hot bytes" information.
- Using attack heuristics:
  - bytes that influence memory allocation are set to small, large or negative values;
  - bytes that flow into string functions are replaced by characters such as %n, %p.
- Output – test cases that could cause a crash or consume 100% CPU.

Slide 21

 6  if(chksum_in_file != recomputed_chksum)
 7      error();
 8  int Width = get_width(fd);
 9  int Height = get_height(fd);
10  int size = Width*Height*sizeof(int);
11  int* p = malloc(size);

Checksum report
…
0x8048d4f: JZ: 1024: [0x0,0x3ff]
…
Bypass info
0x8048d4f: JZ: always-taken

"hot bytes" report
…
0x8048d5b: invoking malloc: [0x8,0xf]
…

Slide 22 (same code and reports as slide 21, annotated)

Before executing 0x8048d4f, the fuzzer sets the ZF flag in eflags to the opposite value.

Slide 23

- Fixing is expensive – fix checksum fields only in test cases that caused a crash.
- How?
  Cr – raw data in the checksum field
  D – input data protected by the checksum field
  Checksum() – the complete checksum algorithm
  T – transformation
  We want to satisfy the constraint: Checksum(D) == T(Cr)

Slide 24

Using symbolic execution to solve: Checksum(D) == T(Cr)
- Checksum(D) is a runtime-determinable constant c, so the constraint becomes c == T(Cr).
- Only Cr is a symbolic value.
- Common transformations (e.g. converting from hex/oct to decimal) can be solved by existing solvers (STP).

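The repair step of slides 23–24, as an added example that is not TaintScope's code: Checksum(D) is evaluated on the mutated D to obtain the constant c, and Cr is then found from c == T(Cr). Where the slides hand T to STP, this example inverts a few common transformations directly and verifies the constraint before writing Cr back. The CRC-32 checksum, the file layout (Width/Height followed by an 8-character hex checksum field) and the sample data are constructed for the example.

```python
import struct
import zlib


def checksum(d: bytes) -> int:
    """Constructed stand-in for the program's Checksum(): CRC-32 over D. At
    repair time its value on the mutated D is the runtime constant c."""
    return zlib.crc32(d) & 0xFFFFFFFF


# Transformations T from the raw checksum-field bytes Cr to the integer compared.
def t_le32(cr: bytes) -> int:
    return struct.unpack("<I", cr)[0]

def t_be32(cr: bytes) -> int:
    return struct.unpack(">I", cr)[0]

def t_hex_ascii(cr: bytes) -> int:        # e.g. b"deadbeef" -> 0xdeadbeef
    return int(cr.decode("ascii"), 16)

def t_dec_ascii(cr: bytes) -> int:        # e.g. b"0000004096" -> 4096
    return int(cr.decode("ascii"), 10)


# Direct inverses for those T (the slides use STP for this): given c and the
# field width n, produce Cr with T(Cr) == c.
INVERSE = {
    t_le32: lambda c, n: struct.pack("<I", c),
    t_be32: lambda c, n: struct.pack(">I", c),
    t_hex_ascii: lambda c, n: f"{c:0{n}x}".encode("ascii"),
    t_dec_ascii: lambda c, n: f"{c:0{n}d}".encode("ascii"),
}


def protected_data(sample: bytes, off: int, n: int) -> bytes:
    return sample[:off] + sample[off + n:]          # D = everything outside the field


def passes_check(sample: bytes, off: int, n: int, T) -> bool:
    return T(sample[off:off + n]) == checksum(protected_data(sample, off, n))


def repair(sample: bytes, off: int, n: int, T) -> bytes:
    """Rewrite the checksum field so that Checksum(D) == T(Cr) holds again."""
    c = checksum(protected_data(sample, off, n))    # runtime-determinable constant
    cr = INVERSE[T](c, n)
    if len(cr) != n or T(cr) != c:                  # e.g. c does not fit an n-digit field
        raise ValueError("no field value of this width satisfies c == T(Cr)")
    return sample[:off] + cr + sample[off + n:]


# Constructed layout: magic(4) | Width(4) | Height(4) | checksum as 8 hex chars | pixels
FIELD_OFF, FIELD_LEN = 12, 8


def build_sample(width: int, height: int, pixels: bytes) -> bytes:
    head = b"IMG\0" + struct.pack("<ii", width, height) + b"0" * FIELD_LEN
    return repair(head + pixels, FIELD_OFF, FIELD_LEN, t_hex_ascii)


def demo():
    good = build_sample(4, 4, bytes(range(64)))
    # a directed-fuzzer mutation of the "hot bytes": Width becomes a huge value
    mutated = good[:4] + struct.pack("<i", 0x7FFFFFFF) + good[8:]
    fixed = repair(mutated, FIELD_OFF, FIELD_LEN, t_hex_ascii)
    return (passes_check(good, FIELD_OFF, FIELD_LEN, t_hex_ascii),
            passes_check(mutated, FIELD_OFF, FIELD_LEN, t_hex_ascii),
            passes_check(fixed, FIELD_OFF, FIELD_LEN, t_hex_ascii),
            fixed[4:8] == mutated[4:8])          # the mutation survives the repair


if __name__ == "__main__":
    print(demo())   # (True, False, True, True)
```

The mutated sample fails the check (CRC-32 detects any 32-bit burst change), the repaired one passes, and the mutated Width bytes are untouched, which is what lets the crash be reproduced on the original, uninstrumented program.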
Slide 25

If the new test case causes the original program to crash, a potential vulnerability is detected!

Slide 26

An incomplete list of applications: (table not recovered)

Slide 27

"hot bytes" identification results – memory allocation (table not recovered)

Slide 28

Checksum identification results, threshold = 16 (table not recovered)

Slide 29

Correct checksum fields: (table not recovered)

Slide 30

27 previously unknown vulnerabilities in: MS Paint, Google Picasa, IrfanView, GStreamer, Amaya, Dillo, Adobe Acrobat, ImageMagick, Winamp, XEmacs, wxWidgets, PDFlib.

Slide 31

Vulnerabilities detected by TaintScope: (table not recovered)

Slide 32

- TaintScope cannot deal with secure integrity check schemes (e.g. cryptographic hash algorithms, digital signatures) – it is impossible to generate valid test cases.
- Limited effectiveness when all input data are encrypted (would require tracking decrypted data).
- Checksum check point identification can be affected by the quality of inputs.
- Does not track control flow propagation.
- Not all x86 instructions are instrumented by the execution monitor.

Slide 33

TaintScope can perform:
- Directed fuzzing
  - Identify which bytes flow into system/library calls.
  - Dramatically reduce the mutation space.
- Checksum-aware fuzzing
  - Disable checksum checks by control flow alteration.
  - Generate correct checksum fields in invalid inputs.