a posteriori taint tracking for demonstrating non
play

A posteriori taint-tracking for demonstrating non-interference in - PowerPoint PPT Presentation

Oct 20, 2023 •503 likes •1.66k views

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

  1. c c c c c c c All of our paths go through this node. They also go through other nodes, which are also postdominators, but this is the first. So it is the immediate forward dominator or immediate postdominator. Equivalently, we say that this node postdominates the node at the top.

  2. 0 if ( secret ) { 1 x = true; (0,1) 2 } else { 3 x = false; (0,3) 4 } 5 y = 3; (0,5) Let’s walk through this in our code sample. There are two paths from 0:

  3. 0 if ( secret ) { 1 x = true; (0,1) 2 } else { 3 x = false; (0,3) 4 } 5 y = 3; (0,5) The true branch, which goes to line 1 and then to line 4, and …

  4. 0 if ( secret ) { 1 x = true; (0,1) 2 } else { 3 x = false; (0,3) 4 } 5 y = 3; (0,5) … the false branch, which goes to line 3 and then to line 4.

  5. 0 if ( secret ) { 1 x = true; (0,1) 2 } else { 3 x = false; (0,3) 4 } 5 y = 3; (0,5) Accordingly, we remove or ignore the implicit taint (0,5).

  6. 0 if ( secret ) { 1 x = true; (0,1) 2 } else { 3 x = false; (0,3) 4 } 5 y = 3; (0,5) So we remove or ignore the implicit taint (0,5).

  7. CESKTB Of course, there is still the question of abstraction.

  8. CESKTB As we said, we already know how to abstract CESK machines from Van Horn and Might.

  9. CESKTB What remains is to abstract the taint store and the context taint set. The context taint set is just a set of code points and needs no abstraction.

  10. CESKTB What remains is abstraction of the taint store.

  11. CESKTB T = Addr → Taint The taint store must be abstracted as is the value store; it needs to map abstract addresses to abstract taint values. Binary taint values need no abstraction, but richer taint values might.

  12. We have an analysis Now that we’ve taken Denning and Denning’s work and paired it with that of Cousot and Cousot (among others), we have a small-step abstract interpreter that tracks taint values. But we haven’t demonstrated that it identifies all possible information leaks.

  13. Does it work? Now that we’ve taken Denning and Denning’s work and paired it with that of Cousot and Cousot (among others), we have a small-step abstract interpreter that tracks taint values. But we haven’t demonstrated that it identifies all possible information leaks.

  14. Almost It turns out that we can construct a counterexample, although it’s a little convoluted.

  15. private boolean secret; void printSecret(int frame) { if (frame == 0) printSecret(1); else if (secret) return; if (frame == 1) { System.out.print(“not “); return; } System.out.println(“true”); } Consider two di ff erent executions of a function. In one, secret is true. In the other, secret is false.

  16. private boolean secret; void printSecret(int frame) { if (frame == 0) printSecret(1); else if (secret) return; if (frame == 1) { System.out.print(“not “); return; } System.out.println(“true”); } If we create a function that recurs on itself (with a value that di ff ers at di ff erent stack frames) …

  17. private boolean secret; void printSecret(int frame) { if (frame == 0) printSecret(1); else if (secret) return; if (frame == 1) { System.out.print(“not “); return; } System.out.println(“true”); } … and returns conditionally on the secret value, then we have created a situation where two di ff erent traces would end up at the same code point but are on di ff erent levels in the stack and, consequently, have di ff erent but untainted local values.

  18. private boolean secret; void printSecret(int frame) { if (frame == 0) printSecret(1); else if (secret) return; if (frame == 1) { System.out.print(“not “); return; } System.out.println(“true”); } It’s then trivial to behave di ff erently based on one of those local values.

  19. private boolean secret; void printSecret(int frame) { if (frame == 0) printSecret(1); else if (secret) return; if (frame == 1) { System.out.print(“not “); return; } System.out.println(“true”); } Predictably, the execution of printSecret(0) where secret is true results in the text “true” being printed. The other execution, where secret is false, results in the text “not true” being printed. This technique allows us to leak a bit without detection. Putting this in a loop would allow for arbitrary amounts of leakage.

  20. D&D

  21. now what? The problem with the system, as formulated, is that the projection to a control flow graph is insu ffi ciently precise. Two executions reached the same code point but in di ff erent contexts. We need information about the stack.

  22. The intuition is to keep both code points and continuations when we project from our abstract transition graph. We want to use as little information as possible in creating this graph, because less information means we can merge nodes together …

  23. … and merging nodes can lead to an earlier postdominator. This, in turn, means that taint will not propagate as far. What we want is the least precise execution point graph possible that still allows us to prove non-interference.

  24. The intuition is to keep both code points and continuations when we project from our abstract transition graph. We want to use as little information as possible in creating this graph, because less information means we can merge nodes together …

  25. c,k c,k c,k c,k c,k c,k c,k We actually want to make our graph as imprecise as possible; the more merging there is in the graph, the faster control flows converge. And the faster control flows converge, the fewer taints we propagate.

  26. c,h c,h c,h c,h c,h c,h c,h So we actually project to code points and stack heights, which are trivially calculated from continuations. We call this graph the “execution point graph”. It might have been more properly called a control flow graph, but the term was already taken.

  27. c,h c,h c,h c,h c,h c,h c,h Of course, the stack height has to be abstracted. Happily, we have already abstracted stacks, so most of the work is taken care of. But even systems like CFA2 and PDCFA can’t always calculate the precise height of the stack, so our abstract stack height needs to include a special value for indeterminate stack heights. Nodes with indeterminate stack heights are never postdominators for our purposes. Our context taint set now needs to store execution points instead of just code points.

  28. prove it! The proof (which is in the paper) uses a weakened bisimulation notion. Two program traces must act the same except when they’ve branched on a sensitive value. In that case, a value in the context taint set labels observable behaviors as unsafe.

  29. Our abstract interpreter’s exploration finds states.

  30. As exploration proceeds, …

  31. … it may branch on a sensitive value. If we re-envision this as two concrete program traces that di ff er only on that sensitive value, …

  32. … we have exactly the type of situation described in the definition of non-interference.

  33. What we need to prove is that these two traces will di ff er only in detectable ways - either based on tainted values or in tainted contexts. So we define a notion called similarity: states are similar if they are identical except for values at tainted addresses. We need to prove that similarity of one pair of (concrete) states implies the similarity of their successors.

  34. When they branch, this invariant is broken. So we weaken it slightly; it’s fine if they branch, as long as they don’t do anything observable during the branches …

  35. … and as long as values a ff ected during the branches don’t a ff ect observable behaviors downstream. So our two traces, with respect to observable behaviors, …

  36. … are actually identical.

  37. Therefore, two traces that start with two similar states will be similar throughout execution - except for states between branches on sensitive values and those branches’ postdominators. Similar states’ behaviors must be identical or identified as unsafe by the taint tracking mechanism.

  38. Results? TODO make a table showing the results of augmented state

  40. Complexity? Of 12 test applications, 12 time out

  41. CESKTB The complexity of small-step abstract interpretation is bounded by the size of the state space, …

  42. | C | ᐧ | E | ᐧ | S | ᐧ | K | ᐧ | T | ᐧ | B | … which is bounded by the number of possible states that can exist.

  43. | T | = | Addr | ᐧ | Taint | The number of possible taint stores is the number of possible addresses multiplied by the number of possible values at each address. Practically speaking, changes to the taint store will happen in lock step with the store and so this is unlikely to actually increase the number of states found.

  44. | B | = 2 |C| On the other hand, the size of the context taint set is exponential in the size of the program.

  45. Can we improve it?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

1.22k views • 85 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk Black Hat USA 2017, Las Vegas Agenda User kernel communication pitfalls in modern operating systems Introduction

1.21k views • 120 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that efficiently protects against transient side-channel attacks by executing and selectively forwarding an instruction if it cannot forward a covert

411 views • 21 slides
Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

CS 261: Systems Security Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall 12 Announcements Exam next Wednesday Open book All lectures except for this one Presenter: Pasin No writer, but

533 views • 19 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
Demonstrating BMP Effectiveness With Microbial Source Tracking & Host Fecal Score June

Demonstrating BMP Effectiveness With Microbial Source Tracking & Host Fecal Score June

Demonstrating BMP Effectiveness With Microbial Source Tracking & Host Fecal Score June 20th-21st, 2018 3rd Annual Conference on Environmental Conditions of the Animas and San Juan Watersheds Providing Genetic & Analytic Solutions for

387 views • 20 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England Olena.doran@uwe.ac.uk BPEX Workshop, Peterborough, 20 March 2013 Boar Taint An offensive odour in the meat of 5-10% of uncastrated male pigs Is

707 views • 22 slides
Scalable Semidefinite Relaxation for Maximum A Posteriori Estimation Qixing Huang, Yuxin Chen, and

Scalable Semidefinite Relaxation for Maximum A Posteriori Estimation Qixing Huang, Yuxin Chen, and

ICML 2014, Beijing Scalable Semidefinite Relaxation for Maximum A Posteriori Estimation Qixing Huang, Yuxin Chen, and Leonidas Guibas Stanford University Page 1 Maximum A Posteriori (MAP) Inference Markov Random Field (MRF) w i :

777 views • 33 slides
On the use of a Second Moment Equation for A Posteriori Error Estimate in CFD University of

On the use of a Second Moment Equation for A Posteriori Error Estimate in CFD University of

On the use of a Second Moment Equation for A Posteriori Error Estimate in CFD University of Manchester EngD Stuart Russant Supervisors: D. Laurence, H. Iacovides On the use of a Second Moment Equation for A Posteriori Error Estimate in CFD

388 views • 26 slides
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
CS 287 Advanced Robotics (Fall 2019) Lecture 13: Kalman Smoother, Maximum A Posteriori, Maximum

CS 287 Advanced Robotics (Fall 2019) Lecture 13: Kalman Smoother, Maximum A Posteriori, Maximum

CS 287 Advanced Robotics (Fall 2019) Lecture 13: Kalman Smoother, Maximum A Posteriori, Maximum Likelihood, Expectation Maximization Pieter Abbeel UC Berkeley EECS Outline n Kalman smoothing n Maximum a posteriori sequence n Maximum likelihood

865 views • 68 slides
Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection on for or Transiently Accessed Secrets Ac Jiyong Yu, Mengjia Yan, Artem Khyzha,* Adam Morrison,* Josep Torrellas, Christopher W. Fletcher

298 views • 28 slides
PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi (mnavaki@unm.edu) Geoffrey Alexander Jedidiah R. Crandall What is PII? Personally Identifiable Information (PII) is information that can

380 views • 20 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng AsiaSlowinska,HerbertBos VrijeUniversiteitAmsterdam Whypointertain,ng? AFacks Exploitlowlevelmemoryerrors

1.41k views • 65 slides
Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

992 views • 84 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones MockDroid: Trading Privacy for Application Functionality on Smartphones

429 views • 38 slides
Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University) 1 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin

1.23k views • 90 slides
Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna Balasubramanian, Anthony LaMarca, David Wetherall 1 Continuous sensing apps Step Counting Fall Detection Driver Monitor Theft Detection Healthcare apps:

743 views • 29 slides

More recommend