automatically generating malicious disks using symbolic
play

Automatically Generating Malicious Disks using Symbolic Execution - PowerPoint PPT Presentation

Apr 18, 2023 •231 likes •571 views

Automatically Generating Malicious Disks using Symbolic Execution Junfeng Yang, Can Sar, Paul Twohey, Cristian Cadar and Dawson Engler Stanford University Trend: mount untrusted disks Removable device (USB stick, CD, DVD) Let untrusted

  1. Automatically Generating Malicious Disks using Symbolic Execution Junfeng Yang, Can Sar, Paul Twohey, Cristian Cadar and Dawson Engler Stanford University

  2. Trend: mount untrusted disks  Removable device (USB stick, CD, DVD)  Let untrusted user mount files as disk images

  3. File systems vulnerable to malicious disks  Privileged, run in kernel  Not designed to handle malicious disks. FS folks not paranoid (v.s. networking)  Complex structures (40 if statements in ext2 mount)  many corner cases. Hard to sanitize, test  Result: easy exploits

  4. Generated disk of death (JFS, Linux 2.4.19, 2.4.27, 2.6.10) Create 64K file, set 64 th sector to above. Mount. And PANIC your kernel!

  5. Goal: automatically find many file system security holes

  6. FS security holes are hard to test  Manual audit/test: labor, miss errors   Random test: automatic  . can’t go far   Unlikely to hit narrow input range.  Blind to structures int fake_mount(char* disk) { struct super_block *sb = disk; if(sb->magic != 0xEF53) //hard to pass using random return -1; // sb->foo is unsigned, therefore >= 0 if(sb->foo > 8192) return -1; x = y/sb->foo; //potential division-by-zero return 0; }

  7. Soln: let FS generate its own disks  EXE: Execution generated Executions [Cadar and Engler, SPIN’05] [Cadar et al Stanford TR2006 -1]  Run code on symbolic input, initial value = “anything”  As code observes input, it tells us values input can be  At conditional branch that uses symbolic input, explore both  On true branch, add constraint input satisfies check  On false that it does not  exit() or error: solve constraints for input.  To find FS security holes, set disk symbolic

  8. A galactic view 1 User-Mode- Linux 4 5 2 3 ext3 Unmodified Linux EXE-cc instrumented

  9. Outline  How EXE works  Apply EXE to Linux file systems  Results

  10. The toy example int fake_mount(char* disk) { struct super_block *sb = disk; if(sb->magic != 0xEF53) //hard to pass using random return -1; // sb->foo is unsigned, therefore >= 0 if(sb->foo > 8192) return -1; x = y/sb->foo; //potential division-by-zero return 0; }

  11. Concrete v.s. symbolic execution Concrete: sb->magic = 0xEF53, sb->foo = 9000 sb->magic != 0xEF53 return -1 sb->foo > 8192 return -1 x=y/sb->foo return 0

  12. Concrete v.s. symbolic execution Symbolic: sb->magic and sb->foo unconstrained sb->magic != 0xEF53 return -1 sb->magic != 0xEF53 sb->foo > 8192 return -1 sb->magic == 0xEF53 sb->foo > 8192 x=y/sb->foo sb->magic == 0xEF53 sb->foo < 8192 return 0 x == y/sb->foo

  13. The toy example: instrumentation int fake_mount(char* disk) { int fake_mount_exe(char* disk) { struct super_block *sb = disk; struct super_block *sb = disk; if(fork() == child) { constraint(sb->magic != 0xEF53); if(sb->magic != 0xEF53) return -1; return -1; } else constraint(sb->magic == 0xEF53); if(fork() == child) { if(sb->foo > 8192) constraint(sb->foo > 8192); return -1; return -1; } else constraint(sb->foo <= 8192); check_symbolic_div_by_zero(sb->foo); x = y/sb->foo; x=y/sb->foo; return 0; return 0; } }

  14. How to use EXE  Mark disk blocks as symbolic  void make_symbolic(void* disk_block, unsigned size)  Compile with EXE-cc (based on CIL)  Insert checks around every expression: if operands all concrete, run as normal. Otherwise, add as constraint  Insert fork when symbolic could cause multiple acts  Run: forks at each decision point.  When path terminates, solve constraints and generate disk images  Terminates when: (1) exit, (2) crash, (3) error  Rerun concrete through uninstrumented Linux

  15. Why generate disks and rerun?  Ease of diagnosis. No false positive  One disk, check many versions  Increases path coverage, helps correctness testing

  16. Mixed execution  Too many symbolic var, too many constraints  constraint solver dies  Mixed execution: don’t run everything symbolically  Example: x = y+z;  if y, z both concrete, run as in uninstrumented  Otherwise set “ x == y + z ”, record x = symbolic.  Small set of symbolic values  disk blocks (make_symbolic) and derived  Result: most code runs concretely, small slice deals w/ symbolics, small # of constraints  Perhaps why worked on Linux mounts, sym on demand

  17. Symbolic checks int fake_mount(char* disk) { int fake_mount_exe(char* disk) { struct super_block *sb = disk; struct super_block *sb = disk; if(fork() == child) { constraint(sb->magic != 0xEF53); if(sb->magic != 0xEF53) return -1; return -1; } else constraint(sb->magic == 0xEF53); if(fork() == child) { if(sb->foo > 8192) constraint(sb->foo > 8192); return -1; return -1; } else constraint(sb->foo <= 8192); check_symbolic_div_by_zero(sb->foo); x = y/sb->foo; x=y/sb->foo; return 0; return 0; } }

  18. Symbolic checks  Key: Symbolic reasons about many possible values simultaneously. Concrete about just current ones (e.g. Purify).  Symbolic checks:  When reach dangerous op, EXE checks if any input exists that could cause blow up.  Builtin: x/0, x%0, NULL deref, mem overflow, arithmetic overflow, symbolic assertion

  19. Check symbolic div-by-0: x/y, y symbolic  Found 2 bugs in ext2, copied to ext3 void check_sym_div_by_zero (y) { if(query(y==0) == satisfiable) if(fork() == child) { constraint(y != 0); return; } else { constraint(y == 0); solve_and_generate_disk(); error(“divided by 0!”) } }

  20. More on EXE (Stanford TR2006-1)  Handling C constructs  Casts: untyped memory  Bitfield  Symbolic pointer, array index: disjunctions  Limitations  Constraint solving NP  Uninstrumented functions  Symbolic div/mod: assert divisor = power of two  Symbolic double dereference: concretize  Symbolic loop: heuristic search

  21. Outline  How EXE works  Apply EXE to Linux file systems  Results

  22. A galactic view User-Mode- Linux ext3 Unmodified Linux EXE-cc instrumented

  23. Why User-Mode-Linux + disk driver  Hard to cut Linux FS out of kernel. User-Mode-Linux=check in situ  End-to-end check  EXE needs to fork/wait for process  Hard to debug OS on raw machine  We already had the framework

  24. Making Linux work with EXE  Disable threading  Replace ASM functions called by FS (strcmp, memcpy … ) with C versions  User-Mode-Linux loaded @ fixed (too small) location. Stripped down  EXE-cc/CIL can ’ t compile 8 files. Not called with symbolic args. Use gcc

  25. Making EXE work with Linux  Still research prototype  bugs  EXE dies if too many constraints, too many symbolic var  Optimization: v = symbolic_exp, if symbolic_exp has unique value, don ’ t make v symbolic. Slow down “ tainting ”  No free of symbolic heap objects

  26. Outline  How EXE works  Apply EXE to Linux file systems  Results

  27. Results  Checked ext2, ext3, and JFS mounts  Ext2: four bugs.  One buffer overflow  read and write arbitrary kernel memory (next slide)  Two div/mod by 0  One kernel crash  Ext3: four bugs (copied from ext2)  JFS: one NULL pointer dereference  Extremely easy-to-diagnose: just mount!

  28. Simplified: ext2 r/w kernel memory int ext2_overflow(int block, unsigned count) { block is symbolic if(block < lower_bound block + count can overflow || (block+count) > higher_bound) return -1; and becomes negative! while(count--) Pass block to bar bar(block++); } void bar(int block) { // B = power of 2 block_group is symbolic int block_group = (block-A)/B; … //array length is 8 block can be large! … = array[ block_group] Symbolic read off bound … array[block_group ] = … Symbolic write off bound … }

  29. Related Work  FS testing  Mostly stress test for functionality bugs  Linux ISO9660 FS handling flaw, Mar 2005 (http://lwn.net/Articles/128365/)  Static analysis  Model checking  Symbolic model checking  Input generation  Using symbolic execution to generate testcases

  30. Conclusion  FS vulnerable to malicious disks  Applied EXE to Linux file systems ext2, ext3, JFS mounts. Worked well. Found 5 unique security holes  EXE offers a promising approach to finding security holes

  31. Future work  Automatic exploit generation  User interacts with kernel through syscalls  Compile Linux with EXE. Mark data(syscall arg) from user as symbolic  Find paths to bugs  Generate concrete input + C code to call kernel.  Mechanized way to produce exploits.

  32. Future work (Cont.)  Automatic “hardening”  EXE finds error with path constraints.  Can translate constraints to if-statements and reject concrete input that satisfies.  E.g. wrap up disk reads. If disk malicious, return “Cannot mount.”  Similar to Shield, vulnerability signature checking  Nice feature: fully automatic, no manual filter, automatically detect exploit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic Cashin, Carianne Martinez, Westley Weimer, Stephanie Forrest The Problem Automated program repair may reduce software maintenance costs

86 views • 8 slides
Automatically Generating Predicates and Solutions for Configuration Troubleshooting * Ya-Yunn Su

Automatically Generating Predicates and Solutions for Configuration Troubleshooting * Ya-Yunn Su

Automatically Generating Predicates and Solutions for Configuration Troubleshooting * Ya-Yunn Su Jason Flinn NEC Laboratories University of America Michigan Troubleshooting misconfigurations is hard! Users may have to Edit

354 views • 31 slides
Exploring Action Unit Granularity for Automatically Generating Natural Language Descriptions

Exploring Action Unit Granularity for Automatically Generating Natural Language Descriptions

Exploring Action Unit Granularity for Automatically Generating Natural Language Descriptions for Methods Lori Pollock Collaborators: Xiaoran Wang, K. Vijay-Shanker University of Delaware UD-Summarize ( Sridhara et al. 2010) Method

724 views • 43 slides
Automatically Generating Virtual Guided Tours Tsai-Yen Li, Jyh-Ming Lien, Shih-Yen Chiu, and

Automatically Generating Virtual Guided Tours Tsai-Yen Li, Jyh-Ming Lien, Shih-Yen Chiu, and

Automatically Generating Virtual Guided Tours Tsai-Yen Li, Jyh-Ming Lien, Shih-Yen Chiu, and Tzong-Hann Yu Computer Science Department National Chengchi University Taipei, Taiwan, R.O.C. Email: {li, s8415, s8433, s8410}@cs.nccu.edu.tw

361 views • 14 slides
Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department of Computer Science Portland State University 1 Agenda Introduction Related work and Background Our Approach Evaluation

717 views • 32 slides
Automatically Generating User Interfaces Adapted To Users Motor And Vision Capabilities

Automatically Generating User Interfaces Adapted To Users Motor And Vision Capabilities

Automatically Generating User Interfaces Adapted To Users Motor And Vision Capabilities Krzysztof Z. Gajos, Jacob O. Wobbrock and Daniel S. Weld Road Map Introduction Interface generation as optimization Modeling motor capabilities

1.57k views • 123 slides
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1 Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin 2 1 University of Washington 2 University of Illinois at Urbana-Champaign 3

709 views • 31 slides
Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de Pol Formal Methods &amp;

Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de Pol Formal Methods &amp;

Generating and Solving Symbolic Parity Games Gijs Kant Jaco van de Pol Formal Methods &amp; Tools University of Twente The Netherlands Games 2012, Napoli, Italia 1 / 26 Motivation Application: formal verification of process algebraic

531 views • 26 slides
Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas Chris&gt;n Carnegie Mellon University Carnegie Mellon University ECE / Cylab ECE / Cylab

491 views • 28 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016 Symbolic

Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016 Symbolic

Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016 Symbolic Execution Automatically Program Reason about Verification Programs Program Equivalence 2 Automatically reasoning about

799 views • 48 slides
AST 1420 Galactic Structure and Dynamics Today: disks! NGC 5907 M31 Today: disks! Outline

AST 1420 Galactic Structure and Dynamics Today: disks! NGC 5907 M31 Today: disks! Outline

AST 1420 Galactic Structure and Dynamics Today: disks! NGC 5907 M31 Today: disks! Outline Simple gravitational potentials for disks Realistic potentials for disks Orbits in axisymmetric potentials Close-to-circular orbits

826 views • 66 slides
Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating

Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating

Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating function is an alternate representation of an infinite sequence, which allows making useful deductions about the sequence (including, possibly, a closed

865 views • 17 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Show Me the Money- Grant Writing in One Day, No Magic Wand Needed Lacey Berumen What this

Show Me the Money- Grant Writing in One Day, No Magic Wand Needed Lacey Berumen What this

Show Me the Money- Grant Writing in One Day, No Magic Wand Needed Lacey Berumen What this workshop is not Going to Make you a grant writing expert Give you all of the answers But it will .. Give you a starting place, new

207 views • 16 slides
Magic Wand One-Page Proposal Worksheet Visit www.GrantsMagic.org for downloadable worksheet,

Magic Wand One-Page Proposal Worksheet Visit www.GrantsMagic.org for downloadable worksheet,

Magic Wand One-Page Proposal Worksheet Visit www.GrantsMagic.org for downloadable worksheet, examples, and FREE video training to get you started! Purpose: The Magic Wand One-Page Proposal Worksheet (next page) is one of the mightiest

418 views • 5 slides
Julie-Ann Walkden Nicola Moran Deputy Commissioning Clinical Physiotherapy Lead Belfast &amp;

Julie-Ann Walkden Nicola Moran Deputy Commissioning Clinical Physiotherapy Lead Belfast &amp;

MAGIC Pre-Commercial Procurement : Impact on Post Stroke Rehabilitation Julie-Ann Walkden Nicola Moran Deputy Commissioning Clinical Physiotherapy Lead Belfast &amp; Specialist in Stroke Regional Stroke Network Belfast Health &amp; Social

559 views • 33 slides
Ma Magic Mountain Pipeline Phase 4 Pr gic Mountain Pipeline Phase 4 Project oject Board Meeting

Ma Magic Mountain Pipeline Phase 4 Pr gic Mountain Pipeline Phase 4 Project oject Board Meeting

Ma Magic Mountain Pipeline Phase 4 Pr gic Mountain Pipeline Phase 4 Project oject Board Meeting September 4, 2018 Magic Mountain Pipeline (MMP), Phases 4 6 Magic Mountain Park Existing MMP, Ph3 2,400 ft 2,900 ft 2 Magic Mountain

325 views • 7 slides
Ken Swift University of Houston Law Center krswift@central.uh.edu 1 The Seven Principles for

Ken Swift University of Houston Law Center krswift@central.uh.edu 1 The Seven Principles for

Ken Swift University of Houston Law Center krswift@central.uh.edu 1 The Seven Principles for Good Practice in Legal Education Good Practice in Legal Education: 1. Encourages student-faculty contact 2. Encourages cooperation among students 3.

257 views • 11 slides
Magic Planet Display Andrew Squelch (iVEC@CSIRO) and Paul Bourke (iVEC@UWA) Introduction

Magic Planet Display Andrew Squelch (iVEC@CSIRO) and Paul Bourke (iVEC@UWA) Introduction

Magic Planet Display Andrew Squelch (iVEC@CSIRO) and Paul Bourke (iVEC@UWA) Introduction iVEC: Partnership between CSIRO, Murdoch University, Edith Cowan University, Curtin University, and The University of Western Australia. Manage

519 views • 14 slides
FREE DOWNLOAD A DECK OF 101 MAGIC TRICKS: STEP-BY-STEP ILLUSIONS ON 52 CARDS IN A PRESENTATION

FREE DOWNLOAD A DECK OF 101 MAGIC TRICKS: STEP-BY-STEP ILLUSIONS ON 52 CARDS IN A PRESENTATION

FREE DOWNLOAD A DECK OF 101 MAGIC TRICKS: STEP-BY-STEP ILLUSIONS ON 52 CARDS IN A PRESENTATION TIN BOX Author: Nicholas Einhorn Number of Pages: 52 pages Published Date: 16 Feb 2013 Publisher: Anness Publishing Publication Country: London,

178 views • 3 slides
P O You ' ll Ever Need by Michelle

P O You ' ll Ever Need by Michelle

The Only P O You ' ll Ever Need by Michelle Barry Franco www.speaksoitmatters.com CRAFT YOUR THOUGHT LEADERSHIP TALK OUTLINE The best way to organize your content into a captivating and

348 views • 5 slides

More recommend