IntFlow: Integer Error Handling With Information Flow Tracking (PowerPoint PPT Presentation)



SLIDE 1

IntFlow: Integer Error Handling With Information Flow Tracking

Marios Pomonis, Theofilos Petsios, Kangkook Jee, Michalis Polychronakis, Angelos D. Keromytis
December 7, 2014, Columbia University

mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29

SLIDE 2

Integer Error

SLIDE 3

Example

    img_t *table_ptr;
    unsigned int num_imgs = get_num_imgs();              /* count taken from input */
    unsigned int alloc_size = sizeof(img_t) * num_imgs;  /* product can wrap or truncate */
    table_ptr = (img_t *) malloc(alloc_size);            /* undersized buffer on overflow */
    for (unsigned int i = 0; i < num_imgs; i++)
        table_ptr[i] = read_img(i);                      /* writes past the end of the buffer */
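A hardened form of the allocation on this slide, added here as an example (it is not code from the talk or from IntFlow): the product sizeof(img_t) * num_imgs is computed with an overflow-checked multiply, so the short buffer is never allocated. img_t, safe_alloc_size, fits_in_unsigned, alloc_size_or_zero and alloc_img_table are assumed names, and img_t's layout is constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed image record: 16 bytes on both 32- and 64-bit targets, so
 * 0x10000000 or more entries cannot be sized in 32 bits. */
typedef struct { uint32_t width, height; uint64_t data_offset; } img_t;

/* Compute sizeof(img_t) * num_imgs into the same 32-bit alloc_size the slide
 * uses, but say whether the mathematical product fits. The builtin compares
 * the exact product against the destination type, so it catches both the
 * 32-bit wrap and the 64-bit size_t-to-unsigned truncation. */
bool safe_alloc_size(unsigned int num_imgs, unsigned int *alloc_size) {
    return !__builtin_mul_overflow(sizeof(img_t), num_imgs, alloc_size);
}

/* Same check without the builtin (portable form): does the product fit? */
bool fits_in_unsigned(unsigned int num_imgs) {
    return num_imgs <= UINT_MAX / sizeof(img_t);
}

/* Convenience for callers and tests: the byte count, or 0 when it does not fit. */
unsigned int alloc_size_or_zero(unsigned int num_imgs) {
    unsigned int alloc_size;
    return safe_alloc_size(num_imgs, &alloc_size) ? alloc_size : 0;
}

/* Hardened form of the slide's allocation: NULL instead of a short buffer. */
img_t *alloc_img_table(unsigned int num_imgs) {
    unsigned int alloc_size;
    if (!safe_alloc_size(num_imgs, &alloc_size))
        return NULL;                     /* refuse: later writes would overflow */
    return (img_t *)malloc(alloc_size);  /* NULL here means out of memory */
}
```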

SLIDE 4

Integer Errors

Mathematical representation vs machine representation

Instances:

  • Integer overflow/underflow
  • Precision loss
  • Signedness change

SLIDE 5

Characteristics

Mainly C/C++ specific:

  • Signed integers only (Java, Python)
  • Overflow protection (Python)

Undefined:

  • Negative → unsigned
  • INT_MAX + 1
  • Optimizations
  • Expected behavior

SLIDE 6

Importance

Can lead to buffer overflows, memory leaks, etc.

  • Integral part of exploits
  • Erroneous memory allocation

Integer overflow is in the top 25 most dangerous software errors
More than 50 vulnerability reports (CVE) in 2014

  • QuickTime → Signedness change
  • launchd (iOS) → Integer overflow
  • Wireshark → Signedness change
  • Google Chrome → Integer overflow

SLIDE 7

Integer Overflow Checker (IOC) [ICSE 2012]

  • Clang AST
  • Dangerous operation
  • Static: operation → safe function
  • Dynamic: detect errors
  • Report and (optionally) abort
  • Clang trunk v3.3

    /* a = b + c */
    bool error = false;
    a = safe_add(b, c, &error);   /* safe_add sets error on overflow */
    if (error) report();

SLIDE 8

Integer Overflow Checker (IOC) [ICSE 2012]

  • Dynamic detection mechanism
  • Offline use
  • Input set from user

SLIDE 9

IOC Issue

  • Overly comprehensive
  • Lack of severity level
  • Error = vulnerability

SLIDE 10

Developer Intended Violations

Idioms → errors

  • Controlled
  • Expected behavior
  • Not affected by attacker

IOC → report all

  • Large list
  • Manually distill critical errors

Examples

    umax = (unsigned) -1;
    neg = (char) INT_MAX;
    smax = (1 << (WIDTH - 1)) - 1;
    smax++;

SLIDE 11

IntFlow

Goals:

  • 1. Eliminate reports of developer intended violations
  • 2. Retain and highlight critical error reports

SLIDE 12

IntFlow

Challenges:

  • 1. Can we identify potential vulnerabilities?
  • 2. Can we identify potentially exploitable vulnerabilities?
  • 3. Can we do it accurately?

SLIDE 13

Critical Arithmetic Errors

An error is potentially critical if:

  • 1. Untrusted source → arithmetic error (e.g. read(), getenv()...)

  OR

  • 2. Arithmetic error → sensitive sink (e.g. *alloc(), strcpy()...)

SLIDE 14

IntFlow: Architecture

SLIDE 15

Static Information Flow Tracking

  • Set of techniques analyzing data-flow
  • Common compiler methodology
  • Distinguishes flows to/from integer operations

Pros

  ✓ No runtime overhead
  ✓ Coverage

Cons

  ✗ Accuracy
  ✗ Scalability

SLIDE 16

IntFlow: Architecture

SLIDE 17

Backward Slicing: Operation → Sources

SLIDE 18

Forward Slicing: Source → Operation

SLIDE 19

Forward Slicing: Source → Operation

SLIDE 20

Sources Examination

If sources = trusted → result = developer intended

SLIDE 21

Remove IOC Check

SLIDE 22

IntFlow: Architecture

SLIDE 23

Sensitive Operations

  • Dynamic detection
  • Operations → sensitive functions
  • Operation → bit
  • Check before a sensitive function
  • Report if any bit set

SLIDE 24

Modes Of Operation

Blacklisting mode

  • Untrusted sources → operation

Whitelisting mode

  • Trusted sources → operation

Sensitive mode

  • Operation → sensitive sinks

Combination of modes

  • Blacklisting/Whitelisting + Sensitive
  • ↑ Confidence, ↓ Completeness
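To make the source/sink reasoning of slides 13, 23 and 24 concrete, here is an added toy model (not IntFlow's implementation): values carry a taint flag, a checked multiply sets a per-operation error bit only when an operand is untrusted (whitelisting mode), and a guard before malloc() reports if any bit is set (sensitive mode). tval, tmul, sink_check, run_intended and run_critical are invented names, and the untrusted num_imgs value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not IntFlow's own code: a value carries a taint flag
 * (untrusted = came from a source such as read()), each checked operation
 * owns one bit in error_bits, and the bit is set only when an operand is
 * untrusted (whitelisting mode). A guard before a sensitive function reports
 * if any bit is set (sensitive mode). */
typedef struct { unsigned int val; bool untrusted; } tval;
enum { OP_ALLOC_MUL = 0, OP_TRUSTED_WRAP = 1 };   /* one bit per operation site */
static uint32_t error_bits;

/* IOC-style checked multiply that records the error instead of aborting. */
static tval tmul(tval a, tval b, int op) {
    tval r = { 0, a.untrusted || b.untrusted };
    if (__builtin_mul_overflow(a.val, b.val, &r.val) && r.untrusted)
        error_bits |= 1u << op;          /* critical: attacker-influenced wrap */
    return r;                            /* trusted wrap: developer intended */
}

/* Guard before a sensitive sink: returns the error bits that reached it
 * (0 means the call may proceed). */
static uint32_t sink_check(const char *sink) {
    if (error_bits)
        fprintf(stderr, "IntFlow: error bits 0x%x reach %s\n", error_bits, sink);
    return error_bits;
}

/* Developer-intended idiom in the style of slide 10: wrapping trusted
 * constants. No bit is set, so the following malloc() is not reported. */
uint32_t run_intended(void) {
    error_bits = 0;
    tmul((tval){ 0x80000000u, false }, (tval){ 2, false }, OP_TRUSTED_WRAP);
    return sink_check("malloc");         /* 0 */
}

/* Critical case from slide 3: num_imgs is untrusted (constructed here as if
 * parsed from a file header), the size multiply wraps, and the result reaches
 * malloc(). Returns the mask the guard saw: 1 << OP_ALLOC_MUL. */
uint32_t run_critical(void) {
    error_bits = 0;
    tval num_imgs = { 0x10000001u, true };
    tval alloc = tmul((tval){ 16, false }, num_imgs, OP_ALLOC_MUL);
    uint32_t hit = sink_check("malloc");
    if (!hit) free(malloc(alloc.val));   /* only reached when no bit is set */
    return hit;
}
```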

SLIDE 25

Evaluation

Whitelisting mode

  • Flexible
  • Context agnostic
  ✓ Untrusted sources
  ✓ Error propagation
  • Upper bound on report number

SLIDE 26

SPEC CINT2000

[Chart: Number of Reported Arithmetic Errors per benchmark (gzip, vpr, gcc, crafty, parser, perlbmk, gap, vortex); series: IOC Intended, IOC Critical, IntFlow Intended, IntFlow Critical]

SLIDE 27

Real-world Applications

Detected vulnerabilities:

  CVE Number      Application   Error Type
  CVE-2009-3481   Dillo         Integer Overflow
  CVE-2012-3481   GIMP          Integer Overflow
  CVE-2010-1516   Swftools      Integer Overflow
  CVE-2013-6489   Pidgin        Signedness Change

Produced reports (overall):

            Dillo   GIMP   Swftools   Pidgin
  IOC       330     31     231        68
  IntFlow   82      26     13         43

SLIDE 28

Runtime Overhead

  • Offline use
  • CPU-bound (e.g. grep): 50-80%
  • IO-bound (e.g. nginx): 20%

SLIDE 29

Summary

  • Coupled IFT with IOC
  • Identified critical errors
  • Focused on potentially exploitable vulnerabilities

Code: http://nsl.cs.columbia.edu/projects/intflow

SLIDE 30

Bonus

Backup Slides

SLIDE 31

Runtime Overhead

[Chart: Slowdown (normalized) per application (grep, wget, wwwx, zshx, tcpdump, cher, nginx); series: Whitelisting, Blacklisting, Sensitive]

SLIDE 32

Additional Evaluation Results

Independent stress test (red team)

  • Artificial vulnerabilities in popular applications
  • IO Inputs
    Good: no exploit → normal execution
    Bad: exploit → detect and abort

Aggregate result ((TP + TN) / Total): 79.30%