intflow integer error handling with information flow
play

IntFlow: Integer Error Handling With Information Flow Tracking - PowerPoint PPT Presentation

Oct 17, 2022 •129 likes •463 views

IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University mpomonis@cs.columbia.edu IntFlow Columbia

  1. IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29

  2. Integer Error mpomonis@cs.columbia.edu IntFlow Columbia University 2 / 29

  3. Example 1. img t *table ptr; 2. unsigned int num imgs = get num imgs(); 3. unsigned int alloc size = sizeof(img t) * num imgs; 4. table ptr = (img t *) malloc (alloc size); 5. for (i = 0; i < num imgs; i++) 6. table ptr[i] = read img(i); mpomonis@cs.columbia.edu IntFlow Columbia University 3 / 29

  4. Integer Errors Mathematical representation vs machine representation Instances: Integer overflow/underflow Precision loss Signedness change mpomonis@cs.columbia.edu IntFlow Columbia University 4 / 29

  5. Characteristics Mainly C/C++ specific: Signed integers only (Java, Python) Overflow protection (Python) Undefined: Negative → unsigned INT MAX + 1 Optimizations Expected behavior mpomonis@cs.columbia.edu IntFlow Columbia University 5 / 29

  6. Importance Can lead to buffer overflows, memory leaks etc... Integral part of exploits Erroneous memory allocation Integer overflow in top 25 most dangerous software errors > 50 vulnerability reports (CVE) in 2014 QuickTime → Signedness change launchd (iOS) → Integer overflow Wireshark → Signedness change Google Chrome → Integer overflow mpomonis@cs.columbia.edu IntFlow Columbia University 6 / 29

  7. Integer Overflow Checker (IOC)[ICSE2012] /* a = b + c */ Clang AST bool error = false; Dangerous operation a = safe add(b, c, error); Static: operation → if (error) safe function Dynamic: detect report(); errors Report and (optionally) abort Clang trunk v3.3 mpomonis@cs.columbia.edu IntFlow Columbia University 7 / 29

  8. Integer Overflow Checker (IOC)[ICSE2012] Dynamic detection mechanism Offline use Input set from user mpomonis@cs.columbia.edu IntFlow Columbia University 8 / 29

  9. IOC Issue Overly comprehensive Lack of severity level Error � = vulnerability mpomonis@cs.columbia.edu IntFlow Columbia University 9 / 29

  10. Developer Intended Violations Idioms → errors Examples Controlled umax = (unsigned) -1; Expected neg = (char) INT MAX; bahavior smax = 1 << (WIDTH - 1) - 1; Not affected by smax++; attacker IOC → report all Large list Manually distill critical errors mpomonis@cs.columbia.edu IntFlow Columbia University 10 / 29

  11. Intflow Goals: 1. Eliminate reports of developer intended violations 2. Retain and highlight critical error reports mpomonis@cs.columbia.edu IntFlow Columbia University 11 / 29

  12. IntFlow Challenges: 1. Can we identify potential vulnerabilities? 2. Can we identify potentially exploitable vulnerabilities? 3. Can we do it accurately? mpomonis@cs.columbia.edu IntFlow Columbia University 12 / 29

  13. Critical Arithmetic Errors An error is potentially critical if: 1. Untrusted source → arithmetic error e.g. read(), getenv()... OR 2. Arithmetic error → sensitive sink e.g. *alloc(), strcpy()... mpomonis@cs.columbia.edu IntFlow Columbia University 13 / 29

  14. IntFlow: Architecture mpomonis@cs.columbia.edu IntFlow Columbia University 14 / 29

  15. Static Information Flow Tracking Set of techniques analyzing data-flow Common compiler methodology Distinguishes flows to/from integer operations Pros Cons ✓ No runtime ✗ Accuracy overhead ✗ Scalability ✓ Coverage mpomonis@cs.columbia.edu IntFlow Columbia University 15 / 29

  16. IntFlow: Architecture mpomonis@cs.columbia.edu IntFlow Columbia University 16 / 29

  17. Backward Slicing: Operation → Sources mpomonis@cs.columbia.edu IntFlow Columbia University 17 / 29

  18. Forward Slicing: Source → Operation mpomonis@cs.columbia.edu IntFlow Columbia University 18 / 29

  19. Forward Slicing: Source → Operation mpomonis@cs.columbia.edu IntFlow Columbia University 19 / 29

  20. Sources Examination If sources = trusted → result = developer intended mpomonis@cs.columbia.edu IntFlow Columbia University 20 / 29

  21. Remove IOC Check mpomonis@cs.columbia.edu IntFlow Columbia University 21 / 29

  22. IntFlow: Architecture mpomonis@cs.columbia.edu IntFlow Columbia University 22 / 29

  23. Sensitive Operations Dynamic detection Operations → sensitive functions Operation → bit Check before a sensitive function Report if any bit set mpomonis@cs.columbia.edu IntFlow Columbia University 23 / 29

  24. Modes Of Operation Blacklisting mode Untrusted sources → operation Whitelisting mode Trusted sources → operation Sensitive mode Operation → sensitive sinks Combination of modes Blacklisting/Whitelisting + Sensitive ↑ Confidence - ↓ Completeness mpomonis@cs.columbia.edu IntFlow Columbia University 24 / 29

  25. Evaluation Whitelisting mode Flexible Context agnostic ✓ Untrusted sources ✓ Error propagation Upper bound on report number mpomonis@cs.columbia.edu IntFlow Columbia University 25 / 29

  26. SPEC CINT2000 250 IOC Intended IntFlow Intended 200 Number of Reported Arithmetic Errors IOC Critical IntFlow Critical 150 100 40 30 20 10 0 gzip vpr gcc crafty parser perlbmk gap vortex mpomonis@cs.columbia.edu IntFlow Columbia University 26 / 29

  27. Real-world Applications Detected vulnerabilities: CVE Number Application Error Type CVE-2009-3481 Dillo Integer Overflow CVE-2012-3481 GIMP Integer Overflow CVE-2010-1516 Swftools Integer Overflow CVE-2013-6489 Pidgin Signedness Change Produced reports Overall Dillo GIMP Swftools Pidgin IOC 330 31 231 68 0 IntFlow 82 26 13 43 0 mpomonis@cs.columbia.edu IntFlow Columbia University 27 / 29

  28. Runtime Overhead Offline use CPU-bound (e.g. grep): 50-80% IO-bound (e.g. nginx): 20% mpomonis@cs.columbia.edu IntFlow Columbia University 28 / 29

  29. Summary Coupled IFT with IOC Identified critical errors Focused on potentially exploitable vulnerabilities Code: http://nsl.cs.columbia.edu/projects/intflow mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

  30. Bonus Backup Slides mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

  31. Runtime Overhead 2 Whitelisting 1.9 Blacklisting Sensitive 1.8 1.7 Slowdown (normalized) 1.6 1.5 1.4 1.3 1.2 1.1 1 0.9 0.8 0.7 0.6 0.5 grep wget wwwx zshx tcpdump cher nginx mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

  32. Additional Evaluation Results Independent stress test (red team) Artificial vulnerabilities in popular applications IO Inputs Good: no exploit → normal execution Bad: exploit → detect and abort Aggregate result ( TP + TN Total ): 79.30% mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

llvm::Error Rich Error Handling in LLVM Error Handling History LLVMs APIs historically

llvm::Error Rich Error Handling in LLVM Error Handling History LLVMs APIs historically

llvm::Error Rich Error Handling in LLVM Error Handling History LLVMs APIs historically used ad-hoc approaches bools, nullptrs, string errors std::error_code C++ standard library error type Enumerable errors only Lack

273 views • 9 slides
Improving the Quality of Error-Handling Code in Systems Software using Function-Local Information

Improving the Quality of Error-Handling Code in Systems Software using Function-Local Information

Improving the Quality of Error-Handling Code in Systems Software using Function-Local Information Suman Saha Laboratoire d'Informatique de Paris 6 Regal 25 th March, 2013 Outline Motivation Contribution 1: Understanding error-handling

869 views • 62 slides
Error Handling Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Error Handling Marco Chiarandini Department of Mathematics &amp; Computer Science University of

DM560 Introduction to Programming in C++ Error Handling Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark [ Based on slides by Bjarne Stroustrup ] Error Handling Outline 1. Error Handling 2

573 views • 36 slides
Compilers Error Handling Alex Aiken Error Handling Purpose of the compiler is To detect

Compilers Error Handling Alex Aiken Error Handling Purpose of the compiler is To detect

Compilers Error Handling Alex Aiken Error Handling Purpose of the compiler is To detect non-valid programs To translate the valid ones Many kinds of possible errors (e.g. in C) Error kind Example Detected

656 views • 9 slides
CPSC 213 Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for

CPSC 213 Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for

Readings for Next Two Lectures Text CPSC 213 Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for Memory Protection 2nd edition: 8.2, 8.3, 9.5 1st edition: 8.2, 8.3, 10.5 Introduction to Computer

137 views • 3 slides
Exception Handling in C++ throw - try - catch ! class InvalidNumber { }; void main() {

Exception Handling in C++ throw - try - catch ! class InvalidNumber { }; void main() {

14 . Exception Handling: Mechanism and Usage Exception Handling Synchronous Errors Asynchronous Errors An Example function : Call may result in an error double sqrt(int number); Traditional Error Handling Exit the program Return an

453 views • 8 slides
Functional Error Handling 1 / 13 Whats right with exceptions? Exceptions provide a way to

Functional Error Handling 1 / 13 Whats right with exceptions? Exceptions provide a way to

Functional Error Handling 1 / 13 Whats right with exceptions? Exceptions provide a way to consolidate error handling code and separate it from main logic, and an alternative to APIs that require callers of functions to know error

477 views • 13 slides
Error Handling in RCMS Error Handling in RCMS An Overview Francesco Lelli

Error Handling in RCMS Error Handling in RCMS An Overview Francesco Lelli

CMS Error Handling in RCMS Error Handling in RCMS An Overview Francesco Lelli Francesco.lelli@lnl.infn.it L.N.L L.N.L D.S.I. Venezia Venezia D.S.I. CMS Overview Error Handler Principles An Error Handling Framemork: Purpose

729 views • 21 slides
Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1 Table of Contents

240 views • 12 slides
1 Handling exceptions (III) Handling exceptions (II) n try -statements can be nested and

1 Handling exceptions (III) Handling exceptions (II) n try -statements can be nested and

2.6 Error, exception and event Error and exception handling in handling Pascal n There are conditions that have to be fulfilled by a n While errors definitely can occur in Pascal programs, program that sometimes are not fulfilled, which Pascal

143 views • 3 slides
1 Benefits of exception handling Handling exceptions Generally, there are many ways to handle an

1 Benefits of exception handling Handling exceptions Generally, there are many ways to handle an

Java exception mechanism when an error or exceptional condition occurs, you throw an exception which is caught by an exception handler try { // statements that may throw an exception.. if (someCondition) Exceptions and error handling

289 views • 6 slides
Java Programming Unit 7 Error Handling. Excep8ons. (c)

Java Programming Unit 7 Error Handling. Excep8ons. (c)

Java Programming Unit 7 Error Handling. Excep8ons. (c) Yakov Fain 2014 Run8me errors An excep8on is an run-8me error that may stop

453 views • 20 slides
Control Exception Handling: Exception handling is the control of error conditions or other

Control Exception Handling: Exception handling is the control of error conditions or other

Control Exception Handling: Exception handling is the control of error conditions or other unusual events during the execution of a program. 1 Control In a language without exception handling: When an exception occurs, control

1.15k views • 19 slides
Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Error Handling Input-Output Writing Better Code Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code Dr. Marina De Vos University of Bath Ext: 5053 Academic Year 2012-2013 Lecture D.10. (MDV)

844 views • 81 slides
ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we will look at more detail into error handling mechanisms and the use of exceptions. Motivation: what can go wrong? The two and a half approaches

523 views • 18 slides
ERROR HANDLING IN COCOA AGENDA Objective-Cs NSError Swifts try/catch/throws Swifts

ERROR HANDLING IN COCOA AGENDA Objective-Cs NSError Swifts try/catch/throws Swifts

ERROR HANDLING IN COCOA AGENDA Objective-Cs NSError Swifts try/catch/throws Swifts Result&lt;S,F&gt; type Exceptions &amp; Assertions OBJECTIVE-C ERROR HANDLING NSERROR IN OBJECTIVE-C NSError *error = nil; NSString *string =

453 views • 28 slides
L OCKPICK : Lock Inference for Atomic Sections Jeffrey S. Foster Michael Hicks Polyvios

L OCKPICK : Lock Inference for Atomic Sections Jeffrey S. Foster Michael Hicks Polyvios

L OCKPICK : Lock Inference for Atomic Sections Jeffrey S. Foster Michael Hicks Polyvios Pratikakis University of Maryland, College Park Lock Inference for Atomic Sections p. 1/11 Introduction Concurrent programming is notoriously

595 views • 31 slides
Why add layers? Originally, operating systems supported just one file system. What changed?

Why add layers? Originally, operating systems supported just one file system. What changed?

V irtual F ile system S witch A brief overview of the Linux storage stack Why add layers? Originally, operating systems supported just one file system. What changed? introduction of removable media (floppy, CD-ROM, usb drives, etc.)

409 views • 18 slides
Dynamic Memory Review C++ must figure out the amount of space each variable takes up in

Dynamic Memory Review C++ must figure out the amount of space each variable takes up in

Dynamic Memory Review C++ must figure out the amount of space each variable takes up in memory at compile-time (before the program is run). When a function is called, C++ reserves a block of memory for all of that function's variables at

619 views • 30 slides
Professor: Kevin Molloy (adapted from slides originally developed by Alvin Chao) Loops and Scope

Professor: Kevin Molloy (adapted from slides originally developed by Alvin Chao) Loops and Scope

Professor: Kevin Molloy (adapted from slides originally developed by Alvin Chao) Loops and Scope l Reminder the scope of a variable is the part of the program where that variable is visible l Will this compile? while (number &lt; 10) {

307 views • 19 slides
Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General

Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General

1 Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General software engineering. Using const-time instructions. 2 Software optimization Almost all software is much slower than it could be. 2 Software

1.03k views • 100 slides
Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield

Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield

Nonunique Factorization in the Ring of Integer-Valued Polynomials Paul Baginski Fairfield University March 22, 2019 Paul Baginski Fairfield University Nonunique Factorization in the Ring of Integer-Valued Polynomials 2016 Fairfield

334 views • 30 slides
Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School

Sound and Complete Flow Typing with Unions, Intersections and Negations David J. Pearce School of Engineering and Computer Science Victoria University of Wellington What is Flow Typing? Defining characteristic : ability to retype variables JVM

534 views • 18 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides

More recommend