h ow to r epair v ulnerabilities
play

H OW TO R EPAIR V ULNERABILITIES ? Correcting vulnerable logic, e.g. - PowerPoint PPT Presentation

Feb 29, 2024 •316 likes •931 views

A UTOMATIC P ROGRAM R EPAIR Zhen Huang 1 Penn State University Spring 2019 CMPSC 447, Software Security P RE PATCH W INDOW Attackers can leverage the window of time before a vulnerability is addressed. Attackers can exploit the

  1. A UTOMATIC P ROGRAM R EPAIR Zhen Huang 1 Penn State University Spring 2019 CMPSC 447, Software Security

  2. P RE ‐ PATCH W INDOW  Attackers can leverage the window of time before a vulnerability is addressed. Attackers can exploit the vulnerability! pre‐patch window Users Apply the Patch Vendor Releases a Patch Discovery of a Vulnerability 2

  3. P RE ‐ PATCH W INDOW IS S IGNIFICANT  Study on 130 real‐world vulnerabilities [1]  7‐30 days for 1/4 vulnerabilities  30+ days for 1/3 vulnerabilities  52 days on average 1. Z. Huang, M. D’Angelo, D. Miyani, D. Lie. Talos: Neutralizing Vulnerabilities with Security Workaround for Rapid Response . IEEE Symposium on Security & Privacy 2016. 3

  4. I SSUES OF M ANUAL R EPAIR  Time required to construct a correct fix is significant.  It accounts for 89% of the time for releasing a patch. Multiple attempts of patching (Quotes from a bug report)  Constructing a correct fix is non‐trivial. The developer: “This updates the previous patch...”  Some vulnerabilities are fixed only after .... several attempts. The developer: “This patch builds on the previous one...” .... The developer: “I’ve just committed more changes...” .... .... 4 The tester: “I’m afraid I found a bug...”

  5. O UR G OAL  Automatically repair software vulnerabilities i.e. automated program repair  Focuses on source code repair  Easier for developers to adopt 5

  6. H OW TO R EPAIR V ULNERABILITIES ?  Correcting vulnerable logic, e.g. race condition  Preventing vulnerable code from being executed  Adding checks to detect vulnerability‐triggering inputs Is the value of payload correct? Heartbleed Vulnerability: Official fix: memcpy(bp, pl, payload); If (… payload… > ...length) return 0; …. memcpy(bp, pl, payload); Client can craft the value of payload 6 to acquire sensitive data.

  7. T WO T YPES OF R EPAIRS  Mitigation  Preventing vulnerabilities from being triggered  Rapid  Fix  Removing vulnerabilities  Slow 7

  8. M ITIGATION  Prevents execution of vulnerable code to thwarts exploits  Rapidly closes pre‐patch window  Unobtrusiveness is desirable  Only vulnerable code should be affected  Trade off between functionality loss and security 8

  9. S ECURITY W ORKAROUND FOR R APID R ESPONSE (SWRR)  Designed to be simple and unobtrusive int foo(...) { int foo(…) { return error_code; .... SWRR .... // vulnerable code // vulnerable code .... .... }  Oblivious to vulnerability types  Requires minimum developer effort 9

  10. H OW TO A CHIEVE U NOBTRUSIVENESS ?  Terminate the target program?  Throw an exception?  Return to caller? What value to return? int foo(...) { return ?; .... // vulnerable code .... 10

  11. U SING E XISTING E RROR R ETURN V ALUES  Leveraging target program’s own error handling mechanism apache HTTP server call malicious request SWRR Main Module Status error request rejected Module 11

  12. I DENTIFYING E RROR R ETURN V ALUES  Documentation of common libraries or API functions  Developers’ annotations  Observing behaviors of applications  Analyzing error propagation  Using heuristics 12

  13. A NALYZING E RROR P ROPAGATION Downward Propagation Upward Propagation Int bar() { Int bar() { foo: NULL bar: ‐2 …. if (foo() == NULL) if (spam() == ‐3) return ‐2; bar: ‐2 spam: ‐3 return ‐2; …. Direct Propagation Int ham() { bar: ‐2 …. return bar(); ham: ‐2 …. 13

  14. U SING H EURISTICS Error Logging Return NULL int baz() { char *foo() { .… …. If (error) { if (error) log_msg(“ERROR!”); return NULL; return ‐1; …. } …. 14

  15. C OMBINING E RROR P ROPAGATION A NALYSIS AND H EURISTICS Function Error Return Value foo NULL bar ‐2 spam ‐3 ham ‐2 15

  16. G ENERATING SWRR S  An SWRR is simply a return statement:  return error; char *foo() { Function Error Return return NULL; SWRR ….. Value foo NULL bar ‐2 Int bar() { spam ‐3 return ‐2; SWRR ….. ham ‐2 16

  17. S TATE ‐ OF ‐ ART T OOLS  Talos  Generates source code SWRRs  Uses static program analysis  Instruments SWRRs into the source code of a target program https://github.com/huang‐zhen/talos  RVM  Generates binary code SWRRs  Instruments SWRRs into the binary of a target program 17 https://gitlab.com/zhenhuang/RVM

  18. T ALOS D EMO – T ARGET V ULNERABILITY 18

  19. T ALOS D EMO – G ENERATING CFG & CDG Talos generates CFG and CDG for apache http server 2.4.7 19

  20. T ALOS D EMO – I DENTIFYING E RROR R ETURN V ALUES Talos identifies error return values Found error return value for status_handler status_handler function 20

  21. T ALOS D EMO – S YNTHESIZING AND I NSERTING SWRR Talos synthesizes and inserts an SWRR into status_handler function status_handler function 21

  22. M ITIGATION : S UMMARY  Prevents adversaries to exploit vulnerabilities  Disallows the execution of vulnerable code  Exchanges functionality loss for security  The challenge is to preserve unobtrusiveness 22

  23. M ITIGATION : S TRENGTHS & D RAWBACKS  Strengths  Patch is simple and effective  Can be deployed rapidly  Drawbacks  Causes functionality loss 23

  24. F IX  Removes vulnerabilities from code  Preserves program functionality  Fix correctness is desired particularly for vulnerabilities 24

  25. S TEPS TO PRODUCE A FIX 1. Finding the faulty statement 2. Synthesizing a patch 3. Testing patch correctness (optional) 25

  26. T WO APPROACHES TO PRODUCE A FIX  Example‐based repair  Bottom‐up, relies on concrete example inputs  Property‐based repair  Top‐down, uses expert‐defined properties 26

  27. E XAMPLE ‐ BASED R EPAIR  Requires human‐labelled example inputs  Positive tests – expected program behavior  Negative tests – expose the defect Positive Tests Negative Tests Before the fix Pass Fail After the fix Pass Pass 27

  28. A F AULTY P ROGRAM // returns x‐y if x > y; 0 if x == y; y‐x if x < y 1 int distance(int x, int y) { 2 int result; 3 if (x >y) 4 result = x ‐ y; 5 else if (x == y) 6 result = 0; 7 else 8 result = x ‐ y; // should be y ‐ x 9 return result; Input# Label 10 } x y distance (expected) distance (actual) 1 Positive 2 1 1 1 2 Positive 3 3 0 0 28 3 Negative 1 4 3 ‐3 4 Negative 0 5 5 ‐5

  29. E XAMPLE ‐ BASED : FINDING THE FAULTY STATEMENT  Statistical fault localization  Faulty statement is executed more in negative tests but fewer in positive tests  Run the target program to collect execution count of each statement: #passed and #failed 29

  30. S TATISTICAL FAULT LOCALIZATION Compute a suspiciousness score for each 1. statement Rank each statement by its susp. score 2. Statement Susp. Score #failed #passed 8 result = x ‐y 1.0 2 0 5 else if (x == y) 0.67 2 1 3 if (x > y) 0.5 2 2 4 result = x ‐ y 0.0 0 1 30 6 result = 0 0.0 0 1

  31. E XAMPLE ‐ BASED : S YNTHESIZING A P ATCH  Using pre‐defined ways  Adding a guard, e.g. if (…) result = x – y;  Modifying RHS of the assignment, e.g. result = y ‐ x;  ….  Learning from correct code  Borrowing code from other similar programs 31

  32. M ODIFYING RHS OF AN ASSIGNMENT 1. Replacing the RHS with f(…)  … can be function parameters and local variables 2. Finding the constraint that f(…) needs to satisfy for the given example inputs 3, x==1 and y==4 f(x, y) = 5, x==0 and y==5 3. Concretizing f(x, y) 32

  33. C ONCRETIZING F ( X , Y )  Constants  3 works for input #3 but not input #4  5 works for input #4 but not input #3  Arithmetic  f(x, y) x + y  f(x, y) y – x  Comparison  Logic  …. 33

  34. L EARNING FROM CORRECT CODE  Focuses on missing checks for error‐ triggering inputs  E.g. check on input to prevent buffer overflow  Requires a donor program  Performs same functionality  Accepts same inputs  Contains a check for error‐triggering inputs  Borrows the check from the donor program 34

  35. B ORROWING THE C HECK FROM T HE D ONOR P ROGRAM  Can we borrow the check from FEH (donor) and transfer it to CWebP (recipient)? FEH Overflow Check CWebP Buffer Overflow int ReadJPEG(…) { char load(…) { …. …. // overflow error if (height>16) { rgb = malloc(stride * cinfo.height); // quit …. } } …. } 35

  36. C HALLENGES  How to identify the required check?  How to transfer the check from the donor to the recipient?  The check is implemented in the code of the donor 36

  37. I DENTIFYING THE C HECK  Using a seed input and an error‐triggering input  Seed input passes the check  Error‐triggering input fails the check  Running the donor program with both inputs to identify such check  Search all checks in the donor program Checks Seed Input Error Input if (height > 16) pass fail 37 …. …. ….

  38. T RANSFERRING THE CHECK  How to transfer the check to the recipient program? Lifts the check to an application‐ 1. independent form Finds a location in the recipient to insert the 2. check Translates the check back to program 3. expressions in the recipient Inserts the check into the recipient 4. 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MORE stands for M aintenance O ptimization R epair E ngineering W e offer high-quality kiln

MORE stands for M aintenance O ptimization R epair E ngineering W e offer high-quality kiln

Wh What c at can we an we do fo do for y r you? ou? Standard kiln services 2015 MORE stands for M aintenance O ptimization R epair E ngineering W e offer high-quality kiln specialist service to cement, paper, and mineral companies worldwide

230 views • 7 slides
S EM F IX : P ROGRAM R EPAIR VIA S EMANTIC A NALYSIS CREST Workshop, Jan 2014 H.D.T. Nguyen,

S EM F IX : P ROGRAM R EPAIR VIA S EMANTIC A NALYSIS CREST Workshop, Jan 2014 H.D.T. Nguyen,

S EM F IX : P ROGRAM R EPAIR VIA S EMANTIC A NALYSIS CREST Workshop, Jan 2014 H.D.T. Nguyen, Dawei Qi, Abhik Roychoudhury National University of Singapore , &amp; Satish Chandra Samsung 1 Talk given at 30 th CREST Workshop, London, Jan 2014. W

490 views • 29 slides
SMART S tony-brook M illstone: A dvocate, R epair, T ransform Carolyn Wagner, Anna Pimenta, Kate

SMART S tony-brook M illstone: A dvocate, R epair, T ransform Carolyn Wagner, Anna Pimenta, Kate

SMART S tony-brook M illstone: A dvocate, R epair, T ransform Carolyn Wagner, Anna Pimenta, Kate Norris Mission Statement The Stony Brook Millstone Watershed is an important watershed in central New Jersey. The goal of SMART is to improve the

579 views • 12 slides
IP P o R eg egions ns E ng ngag aged ed to in n LIF LIFE IP P olicies icies of A ir (PREP

IP P o R eg egions ns E ng ngag aged ed to in n LIF LIFE IP P olicies icies of A ir (PREP

Pr Prel elimi mina nary ry ass ssessme ssment and d IAM IAM models IP P o R eg egions ns E ng ngag aged ed to in n LIF LIFE IP P olicies icies of A ir (PREP EPAIR) AIR) Michele Stortjni 1 , Stefano Bande 2 , Marco Desertj 3 , Katja

196 views • 18 slides
U SING Q UALITY V IEWS TO T ACKLE T ECHNICAL D EBT AT S EEN N OT S EEN Q UALITY V IEWS M OTIVATION

U SING Q UALITY V IEWS TO T ACKLE T ECHNICAL D EBT AT S EEN N OT S EEN Q UALITY V IEWS M OTIVATION

U SING Q UALITY V IEWS TO T ACKLE T ECHNICAL D EBT AT S EEN N OT S EEN Q UALITY V IEWS M OTIVATION Big Ball of Mud Foote and Yoder E XPEDIENT R EPAIR Of course this is only temporary , unless it works . Red Green The secret is

1.05k views • 57 slides
How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead

How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead

How to Waste Time and Money Testing the Performance of a Software Product David Daly | Lead Engineer -- Performance | @daviddaly44 | https://daviddaly.me/ - 22 % 2 3 Understand the performance of our software and when it changes. 4 How

668 views • 33 slides
The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide

The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide

The Real Deal of Android Device Security: The Third Party Collin Mulliner and Jon Oberheide CanSecWest 2014 Introductions Collin Mulliner Jon Oberheide Mulliner and Oberheide, CSW 2014 #Cats4Fun Mulliner and Oberheide, CSW 2014

949 views • 90 slides
Community &amp; Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu

Community &amp; Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu

Community &amp; Tools Update 2017 Thomas Monjalon DPDK Maintainer Mellanox Qian Xu DPDK CI &amp; Bugzilla Manager Intel DPDK Summit Userspace Dublin 2017 Agenda Community Growth Community Interactions Community

609 views • 29 slides
Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li,

Hawkeye: Towards a Desired Directed Grey-box Fuzzing Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, Yang Liu October 18, 2018 1 Mutation Based Grey-box Fuzzing General-purpose Grey-box Fuzzing: Cover more

476 views • 33 slides
Self-defending software: g Automatically patching errors in deployed software Michael Ernst

Self-defending software: g Automatically patching errors in deployed software Michael Ernst

Self-defending software: g Automatically patching errors in deployed software Michael Ernst Michael Ernst University of Washington Joint work with: Joint work with: Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Sung Kim, Samuel

873 views • 44 slides
Releasing and Testing Free Opensource Graphics Drivers: the case of Mesa3D Emil Velikov

Releasing and Testing Free Opensource Graphics Drivers: the case of Mesa3D Emil Velikov

Releasing and Testing Free Opensource Graphics Drivers: the case of Mesa3D Emil Velikov (emil.velikov@collabora.com) Juan A. Surez (jasuarez@igalia.com) with Pierre-Loup Griffais (pgriffais@valvesoftware.com) XDC 2018 The speakers - Emil

606 views • 35 slides
Patch Review Daniel Vetter, v1.3 Goals Technical Review Process Q&amp;A 2 Goal: Reviewed-by

Patch Review Daniel Vetter, v1.3 Goals Technical Review Process Q&amp;A 2 Goal: Reviewed-by

Patch Review Daniel Vetter, v1.3 Goals Technical Review Process Q&amp;A 2 Goal: Reviewed-by tag Formal statement: Reviewers statement of oversight See Documentation/SubmittingPatches Shouldnt be dropped onto patches

171 views • 13 slides
Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October 24, 2018 Introduction About Patches Commitfests Reviewing a Patch Committing Patches Committers Stephen Frost Chief Technology Officer @

637 views • 25 slides
HTTP-PATCH for read-write linked data rurik.greenall@computas.com / @brinxmat Apart from

HTTP-PATCH for read-write linked data rurik.greenall@computas.com / @brinxmat Apart from

HTTP-PATCH for read-write linked data rurik.greenall@computas.com / @brinxmat Apart from being a person who likes using all available fonts on one slide I work as a consultant for Computas, where I specialise in semantic web and library

876 views • 51 slides
Debugging the Performance of Mavens Test Isolation: Experience Report Pengyu Nie 1 Ahmet Celik

Debugging the Performance of Mavens Test Isolation: Experience Report Pengyu Nie 1 Ahmet Celik

Debugging the Performance of Mavens Test Isolation: Experience Report Pengyu Nie 1 Ahmet Celik 2 Matthew Coley 3 Aleksandar Milicevic 4 Jonathan Bell 3 Milos Gligoric 1 1 The University of Texas at Austin 2 Facebook, Inc. 3 George Mason

849 views • 49 slides
Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic

Understanding Automatically- Generated Patches Through Symbolic Invariant Differences Padraic Cashin, Carianne Martinez, Westley Weimer, Stephanie Forrest The Problem Automated program repair may reduce software maintenance costs

86 views • 8 slides
T o w a r d s E a s i e r S e c u r i t y P a t c h P o r t i n g

T o w a r d s E a s i e r S e c u r i t y P a t c h P o r t i n g

T o w a r d s E a s i e r S e c u r i t y P a t c h P o r t i n g L u c i a n o B e l l o l u c i a n o @d e b i a n . o r g l u c i a n o . b e l l o @i b m . c o m J

522 views • 13 slides
poudriere for Ports Maintenance Matthew Seaman EuroBSDCon 2019 Lillehammer Who am I?

poudriere for Ports Maintenance Matthew Seaman EuroBSDCon 2019 Lillehammer Who am I?

poudriere for Ports Maintenance Matthew Seaman EuroBSDCon 2019 Lillehammer Who am I? FreeBSD Admin since the last millennium Ports committer since 2012 pkg(8) developer (lapsed) Former core secretary Who are you? Name

792 views • 41 slides
Anti-debugging techniques Malware Analysis Seminar Meeting 3 Cody Cutler, Anton Burtsev

Anti-debugging techniques Malware Analysis Seminar Meeting 3 Cody Cutler, Anton Burtsev

Anti-debugging techniques Malware Analysis Seminar Meeting 3 Cody Cutler, Anton Burtsev Debugger detection PEB.BeingDebuggedFlag BeingDebugged flag in PEB Call kernel32!IsDebuggerPresent() call [IsDebuggerPresent] test eax,eax

1.09k views • 56 slides
IP Log for tools.ajdt Version 2.1.0, June 2010 Licenses Eclipse Public License v1.0

IP Log for tools.ajdt Version 2.1.0, June 2010 Licenses Eclipse Public License v1.0

IP Log for tools.ajdt Version 2.1.0, June 2010 Licenses Eclipse Public License v1.0 Third-Party Code CQ Third-Party Code License Use (no third-party dependencies) No pre-req dependencies Committers Past and Present Active Name

434 views • 4 slides
Measuring the impacts of the Preempt-RT patch maxime.chevallier@smile.fr October 25, 2017 RT

Measuring the impacts of the Preempt-RT patch maxime.chevallier@smile.fr October 25, 2017 RT

Measuring the impacts of the Preempt-RT patch maxime.chevallier@smile.fr October 25, 2017 RT Linux projects Simulation platform : bi-xeon, lots ot RAM 200 s wakeup latency, networking Test bench : Intel atom 1s max latency, I/O and networking

431 views • 25 slides
Tensor Networks for Medical Image Classification Presented at MIDL, 2020 Raghav endra Selvan &amp;

Tensor Networks for Medical Image Classification Presented at MIDL, 2020 Raghav endra Selvan &amp;

university of copenhagen Tensor Networks for Medical Image Classification Presented at MIDL, 2020 Raghav endra Selvan &amp; Erik B. Dam Dept. of Computer Science, University of Copenhagen raghav@di.ku.dk @SuperVoxel Code:

488 views • 26 slides
Minimal Rewiring: Efficient Live Expansion for Clos Data Center Networks Shizhen Zhao 1 2 ,

Minimal Rewiring: Efficient Live Expansion for Clos Data Center Networks Shizhen Zhao 1 2 ,

Minimal Rewiring: Efficient Live Expansion for Clos Data Center Networks Shizhen Zhao 1 2 , Rui Wang 1 , Junlan Zhou 1 , Joon Ong 1 ,Jeffrey C. Mogul 1 , Amin Vahdat 1 1. Google NetInfra; 2. Shanghai Jiao Tong University 1 Clos Topology for

536 views • 26 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides

More recommend