IntScope : Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution

Similar documents
IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs

Mining for Bugs with Graph Database Queries

Applying Clang Static Analyzer to Linux Kernel

Dynamic Behavior Analysis Using Binary Instrumentation

How to Write a Checker in 24 Hours

Hotpatching and the Rise of Third-Party Patches

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Static Taint-Analysis on Binary Executables

Security types to the rescue

x64 Cheat Sheet Fall 2015

Data Structure Reverse Engineering

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc()

AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

CS Computer Security Thirteenth topic: System attacks. defenses

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

esrever gnireenigne tfosorcim seiranib

Securing software by enforcing data-flow integrity

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Introduction. Figure 1 Schema of DarunGrim2

The programming language C. sws1 1

Visualizing Information Flow through C Programs

Differential Slicing: Identifying Causal Execution Differences for Security Applications

X86-64 Architecture Guide

Whitebox Fuzzing for Security Testing

Software Vulnerability Detection using Backward Trace Analysis and Symbolic Execution

On the value of hybrid security testing

MPI-Checker Static Analysis for MPI

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

1) The postfix expression for the infix expression A+B*(C+D)/F+D*E is ABCD+*F/DE*++

Software Vulnerabilities

Microsoft Patch Analysis

Dynamic Spyware Analysis

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

How To Trace

Complete 8086 instruction set

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Compiler-Assisted Binary Parsing

Towards practical reactive security audit using extended static checkers 1

Illustration 1: Diagram of program function and data flow

Static Checking of C Programs for Vulnerabilities. Aaron Brown

How to Sandbox IIS Automatically without 0 False Positive and Negative

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

LLVMLinux: Embracing the Dragon

Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?

MSc Computer Science Dissertation

Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

What Happens In Windows 7 Stays In Windows 7

Dynamic Spyware Analysis

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals

Bypassing Browser Memory Protections in Windows Vista

Transparent Monitoring of a Process Self in a Virtual Environment

A Memory Model for Static Analysis of C Programs

umps software development

Laboratorio di Sistemi Operativi Anno Accademico

Virtual Servers. Virtual machines. Virtualization. Design of IBM s VM. Virtual machine systems can give everyone the OS (and hardware) that they want.

Windows XP SP3 Registry Handling Buffer Overflow

Efficient Program Exploration by Input Fuzzing

Dynamic Spyware Analysis

The C Programming Language course syllabus associate level

Automating Mimicry Attacks Using Static Binary Analysis

Mike Melanson

Bypassing Memory Protections: The Future of Exploitation

Dynamic programming formulation

Automatic Network Protocol Analysis

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Detecting Software Vulnerabilities Static Taint Analysis

Practical taint analysis for protecting buggy binaries

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Oracle Business Intelligence Publisher. 1 Oracle Business Intelligence Publisher Certification. Certification Information 10g Release 3 (

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

6.088 Intro to C/C++ Day 4: Object-oriented programming in C++ Eunsuk Kang and Jean Yang

Dynamic VM Monitoring using Hypervisor Probes

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Stacks. Linear data structures

Sources: On the Web: Slides will be available on:

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Detecting Logic Vulnerabilities in E-Commerce Applications

An Analysis of Address Space Layout Randomization on Windows Vista

The following themes form the major topics of this chapter: The terms and concepts related to trees (Section 5.2).

How To Detect A Buffer Overflow Vulnerability In Binary Code

Common Errors in C/C++ Code and Static Analysis

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Fine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich

Korset: Code-based Intrusion Detection for Linux

System Requirements and Platform Support Guide

SERVER AND WORKSTATION MINIMUM REQUIREMENT

ERNW Newsletter 51 / September 2015

Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation

1 The Java Virtual Machine

Loop-Extended Symbolic Execution on Binary Programs

Obfuscation: know your enemy

How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

Custom Penetration Testing

Habanero Extreme Scale Software Research Project

10CS35: Data Structures Using C

Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Transcription:

IntScope : Automatically Detecting Integer Overflow Vulnerability in 86 Binary Using Symbolic Execution Tielei Wang 1, Tao Wei 1, Zhiqiang Lin 2, Wei Zou 1 1 Peking University, China 2 Purdue University

Outline Motivation Case Study Modeling Challenges & Approaches Implementation & Evaluation Related Work Conclusion 2

What is Integer Overflow? An integer overflow occurs when an operation results in a value greater than the maximum one of the integral data type. unsigned int a = 0xffffffff; unsigned int b = 0x1 ; a = a + b ;//now, a is 0! Integer overflow vulnerability is an underestimated threat 3

The # of integer overflow vulnerabilities grows rapidly Num 140 120 100 80 60 40 20 0 2001 2002 2003 2004 2005 2006 2007 Year Data 2009-2-23 Source: National Vulnerability Database ICST@PKU 4

Integer Overflow Vulnerabilities affected various kinds of software OS Kernel CVE-2008-4036 (Windows P, Server 2003, Vista) CVE-2008-3276 (Linux) CVE-2008-4220 (Mac OS) CVE-2008-1391 (NetBSD) Libraries CVE-2008-2316 (Python) CVE-2008-5352 (JAVA) Applications CVE-2008-0726 (Adobe Reader) CVE-2008-4061 (Firefox) CVE-2008-2947 (IE7) CVE-2008-0120 (PowerPoint) CVE-2008-1722(CUPS) CVE-2008-2430(VLC) CVE-2008-5238(ine) 5

Most of Integer Overflow Vulnerabilities are dangerous According to Common Vulnerability Scoring System(CVSS), more than 60% of Integer Overflow vulnerabilities have the highest severity score. 2009-2-23 Data Source: Common Vulnerability Scoring SystemICST@PKU 6

Outline Motivation Case Study Modeling Challenges & Approaches Implementation & Evaluation Related Work Conclusion 7

What are the common features of integer overflow vulnerabilities? an untrusted source unsigned int x = read_int(); if ( x > 0x7fffffff ) abort(); unsigned int s = x*sizeof(int); char* p=malloc(s); read_int_into_buf(p, x); an incomplete check an integer overflow a heap overflow followed a sensitive operation 8

CVE-2008-5238(ine) if (version == 4) { an untrusted source const uint16_t sps = BE_16 (this->header+44)? : 1; this->w = BE_16 (this->header+42); this->h = BE_16 (this->header+40); this->cfs = BE_32 (this->header+24); this->frame_len = this->w * this->h; this->frame_size = this->frame_len * sps; this->frame_buffer = calloc(this->frame_size, 1); an integer overflow a sensitive operation 9

CVE-2008-1722(CUPS) an untrusted source png_get_ihdr(pp, info, &width, &height, &bit_depth, &color_type, &interlace_type, &compression_type, &filter_type); { if (width == 0 width > CUPS_IMAGE_MA_WIDTH height == 0 height > CUPS_IMAGE_MA_HEIGHT) {//error return (1); } } img->xsize = width; img->ysize = height; if (color_type == PNG_COLOR_TYPE_GRAY color_type == PNG_COLOR_TYPE_GRAY_ALPHA) in = malloc(img->xsize * img->ysize); else in = malloc(img->xsize * img->ysize * 3); an incomplete check an integer overflow a sensitive operation 10

CVE-2008-2430(VLC) an untrusted source if( ChunkFind( p_demux, "fmt ", &i_size ) ) { msg_err( p_demux, "cannot find 'fmt ' chunk" ); goto error; } if( i_size < sizeof( WAVEFORMATE ) - 2 ) { msg_err( p_demux, "invalid 'fmt ' chunk" ); goto error; } stream_read( p_demux->s, NULL, 8 ); /* Cannot fail */ /* load waveformatex */ p_wf_ext = malloc( EVEN( i_size ) + 2 ); an incomplete check an integer overflow a sensitive operation 11

What s the essential feature of integer overflow vulnerabilities? an untrusted source unsigned int x = read_int(); if ( x > 0x7fffffff ) abort(); unsigned int s = x*sizeof(int); char* p=malloc(s); read_int_into_buf(p, x); an incomplete check an integer overflow a sensitive operation 12

What s the essential feature of integer overflow vulnerabilities? an untrusted source unsigned int x = read_int(); if ( x > 0x7fffffff ) abort(); unsigned int s = x*sizeof(int); char* p=malloc(s); read_int_into_buf(p, x); an incomplete check an integer overflow Typical view the essential feature is the actual overflow itself a sensitive operation 13

Integer Overflow!= Integer Overflow Vulnerability Case 1: The overflowed value is NOT used in any sensitive operation e.g. TCP sequence number rolls back per 4GB Case 2: The overflowed value is NOT tainted Most untainted integer overflows are on purpose, i.e., benign overflows, e.g. computing random seeds So Integer overflow itself is not the essential part of the vulnerability 14

What s the essential feature of integer overflow vulnerabilities? an untrusted source unsigned int x = read_int(); if ( x > 0x7fffffff ) abort(); unsigned int s = x*sizeof(int); char* p=malloc(s); read_int_into_buf(p, x); an incomplete check an integer overflow a sensitive operation The essential feature is those sensitive operations which use some tainted overflowed data. 15

Outline Motivation Case Study Modeling Challenges & Approaches Implementation & Evaluation Related work Conclusion 16

Modeling Integer Overflow Vulnerability An instance of taint-based problem Source Sink 17

Modeling Integer Overflow Vulnerability An instance of taint-based problem Source Sink an untrusted source: fread(), fscan(), 18

Modeling Integer Overflow Vulnerability An instance of taint-based problem Source Sink an untrusted source: fread(), fscan(), a sink using tainted overflowed data: *alloc(), array index, pointer offset, some predicates, 19

Modeling Integer Overflow Vulnerability An instance of taint-based problem Source Sink an untrusted source: fread(), fscan(), A feasible path connecting the source and the sink a sink using tainted overflowed data: *alloc(), array index, pointer offset, some predicates, 20

Outline Motivation Case Study Modeling Challenges & Approaches Implementation & Evaluation Related Work Conclusion 21

Natural Approach Based on general static taint analysis Given a binary program Main 22

Natural Approach Decompile the binary program Generate the intermediate representations, call graphs, CFGs, Main 23

Natural Approach Decompile Traverse all paths from main() using symbolic execution Main 24

Natural Approach Decompile Traverse, Prune infeasible paths, whose path constraints cannot be satisfied, during traversing Main 25

Natural Approach Decompile Traverse, Prune, Check possible integer overflows during traversing Main 26

Natural Approach Decompile Traverse, Prune, Check, Tag sources and sinks during traversing Main Source Sink 27

Natural Approach Decompile Traverse, Prune, Check, Tag Output suspicious paths in which tainted overflowed data used in sinks Main Source Sink 28

Does this natural approach work efficiently? Major Challenges 1. Lack of type information 2. Path explosion 29

Challenge 1. Lack of type information During traversing, how can we determine there is an overflow or not? mov eax, 0xffffffff ; eax = 0xffffffff or -1 add eax, 2 ; eax = eax + 2 Overflow or not? 30

How to solve this? Lazy check : only check integer overflows used in sinks Decompile Traverse, Prune, Check, Tag Output Decompile Traverse, Prune, Tag, Check, Output 31

Lazy check Only check integer overflows used in sinks eax is 0xffffffff, not -1 mov eax, 0xffffffff add eax, 2 sub eax, 4 jb label1 eax is 1 now, overflowed unsinged cmp => eax is unsigned 32

Benefit of Lazy check Useful type information hints Signed/unsigned comparisons signed: JG, JGE, JNL, JNGE, JLE, JNG, JE, JNE unsigned: JA, JAE, JNB, JB, JNAE, JBE, JNA, JE, JNE void *calloc(size_t nmemb, size_t size); void *malloc(size_t size); Much less checks, much more efficiency 33

Challenge 2. Path explosion We need path-sensitive analysis, but the number of paths through software is very large. 34

Exponential Traversing Time time spent in traversing (sec) 1600 1400 1200 1000 800 600 400 200 0 0 10 20 30 40 50 60 branches in path (QEMU) Only pruning during execution is not enough 35

Solution: Pre-pruning before traversing Only consider paths between sources and possible sinks Main 36

Pre-pruning Tag sources and possible sinks before traversing Main Source Sink 37

Pre-pruning Tag Cut off those paths irrelevant to sources and sinks using some inter-function slicing algorithms Main Source Sink 38

Put it all together Decompile Tag, Pre-prune Traverse, Prune, Lazy Check Output suspicious paths Main Source Sink 39

Put it all together Given a binary program Main 40

Put it all together Decompile the program Generate the IR, call graph, CFGs, and so on Main 41

Put it all together Decompile Tag possible sources and sinks Main Source Sink 42

Put it all together Decompile Tag, Pre-prune: Cut off those paths irrelevant to sources and sinks Main Source Sink 43

Put it all together Decompile Tag, Pre-prune Traverse paths left using symbolic execution Main Source Sink 44

Put it all together Decompile Tag, Pre-prune Traverse, Prune infeasible paths during traversing Main Source Sink 45

Put it all together Decompile Tag, Pre-prune Traverse, Prune, Lazy Check : check integer overflows used in sinks Main Source Sink 46

Put it all together Decompile Tag, Pre-prune Traverse, Prune, Lazy Check Output suspicious paths Main Source Sink 47

Outline Motivation Case Study Modeling Challenges & Approaches Implementation & Evaluation Related Work Conclusion 48

IntScope Architecture Suspicious Paths Constraint Solver Lazy Checker Symbolic Environments PANDA Prepruning Symbolic Execution Engine IntScope Decompiler BESTAR [SAS2007] Cut off irrelevant paths Pre-pruning Engine Symbolic Execution Environment Engine Pruning during traversing Constraint Solver Lazy Checker IntScope BESTAR Decompiler 2009-2-23 Binary ICST@PKU 3rd Party Modules Disassembler: IDA Pro CAS: GiNaC Constraint Solver: STP 49

How to use IntScope Binary IntScope Suspicious Paths Confirm Report 50

Evaluation Two Windows DLLs GDI32.dll comctl32.dll Several widely used applications QEMU, en Media players Mplayer ine VLC FAAD2 MPD Others Cximage, Hamsterdb, Goom 51

Effectiveness Detected known integer overflow bugs in Windows DLLs Detected 20+ zero-day integer overflow vulnerabilities Confirmed by developers or concrete test cases Some projects have released patches We have reported vulnerabilities in QEMU and FAAD2 to French Security Incident Response Team (FrSIRT) CVE-2008-4201 FrSIRT/ADV-2008-2919 52

Effectiveness Among 26 integer overflow vulnerability points, 21 of them have been confirmed 53

Efficiency AMD Opteron Server (2.6 GHz) with 8GB memory Average time : about 5 min Longest time : < 12 min 54

Outline Motivation Case Study Modeling Intuition & Challenge Implementation & Evaluation Related Work Conclusion 55

Related Work w/ source code Run-time Protection Safe integer libraries RICH [NDSS 07] GCC Dynamic and/or Static analysis Range checker [S&P 02] CQual[PLDI02], EE[CCS06], KLEE[OSDI08], DART[PLDI05], CUTE[FSE05] w/o source code Fuzzing SAGE [NDSS 08] Catchconv [Molnar and Wagner, Berkeley] Static analysis of integer overflows using sym exec <= IntScope 56

Outline Motivation Case Study Modeling Intuition & Challenge Implementation & Evaluation Related Work Conclusion 57

Conclusion IntScope Modeling Integer Overflow Vulnerability as a taint-based problem Lazy Check : only check integer overflows lazily at sinks Pre-prune : prune paths irrelative to sources and possible sinks before traversing Detect 20+ Zero-day integer overflow vulnerabilities 58

Questions? weitao@icst.pku.edu.cn 59

Backup slides 60

Modeling Integer Overflow Vulnerability An instance of taint-based problem Source Sink an untrusted source: fread(), fscan(), A feasible path connecting the source and the sink a sink using tainted overflowed data: *alloc(), array index, pointer offset, some predicates, 61

Suspicious Paths IntScope is a static analysis tool, so it may generate false positives. Missing of the constraints between inputs. Lack of global information Imprecise symbolic execution For each vulnerability, if we cannot construct a concrete test case to trigger it, we leave it as a suspicious one. 62

False positives IntScope is a static analysis tool, so it may generate false positives. Missing of the constraints between inputs. Lack of global information Imprecise symbolic execution It s hard to prove an alert is a real vulnerability we need to construct a concrete test case to trigger the vulnerability. If we can not construct such test cases, we take these alerts as suspicious ones. 63

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information