modelgen
play

Modelgen: Mining Explicit Information Flow Specifications from - PowerPoint PPT Presentation

Jan 07, 2023 •145 likes •992 views

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

  1. Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University

  2. I Why mine specifications?

  3. Whole-program static analysis Application

  4. Whole-program static analysis Static Malware? Application Analysis Bugs? Documentation

  5. Whole-program static analysis? Application Platform (e.g. Android)

  6. Whole-program static analysis? ??? Static Application Analysis Platform (e.g. Android)

  7. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android)

  8. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection

  9. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection • Complex OOP patterns / indirection

  10. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection • Complex OOP patterns / indirection • Large (e.g. Android >2 MLOC, Java)

  11. Whole-program static analysis? ??? Static Application Analysis Platform • Native code (e.g. Android) • Reflection • Complex OOP patterns / indirection • Large (e.g. Android >2 MLOC, Java)

  12. Options: Best-case Under-approximation Static Application Analysis (Very) Unsound Platform False negatives (e.g. Android)

  13. Options: Worst-case Over-approximation Static Application Analysis (Very) Imprecise Platform False positives (e.g. Android)

  14. Options: Specifications Slight over-approximation • Application Manually written • Platform (e.g. Android) Effort intensive* • * Our system (STAMP): Models for 1,116 methods, written over 2 years

  15. Mining Specifications Slight over-approximation • Application Manually written • Platform (e.g. Android) Effort intensive •

  16. Mining Specifications Slight over-approximation • Application Mined automatically using • Platform dynamic analysis (e.g. Android)

  17. Mining Specifications Application Platform Specifications (e.g. Android) Dynamic Analysis

  18. Mining Specifications Static Malware? Application Analysis Bugs? Platform Documentation Specifications (e.g. Android) Dynamic Analysis

  19. II Information flow specifications

  20. Static taint analysis Information Flow Report #LOCATION -> ! INTERNET S.T.A.M.P. Static #CONTACTS -> ! Analysis INTERNET #PHONE_NUM -> Human !INTERNET Auditor

  21. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer);

  22. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM ->

  23. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> ... -> ... -> ... -> !INTERNET

  24. Information flow specifications // Set-up SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer);

  25. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharsetEncoder encoder = ...; TelephonyManager tMgr = ...; // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> mPhoneNumber

  26. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharBuffer.put(String,int,int) CharsetEncoder encoder = ...; arg#1 -> this TelephonyManager tMgr = ...; arg#1 -> return this -> return // Leak phone number // ( #PHONE_NUM -> !INTERNET ) String mPhoneNumber = tMgr.getLine1Number(); CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> mPhoneNumber -> b1

  27. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharBuffer.put(String,int,int) CharsetEncoder encoder = ...; arg#1 -> this TelephonyManager tMgr = ...; arg#1 -> return this -> return // Leak phone number // ( #PHONE_NUM -> !INTERNET ) CharsetEncoder.encode(CharBuffer) String mPhoneNumber = tMgr.getLine1Number(); arg#1 -> return CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); socket.write(bytebuffer); #PHONE_NUM -> mPhoneNumber -> b1 -> bytebuffer

  28. Information flow specifications TelephonyManager.getLine1Number() // Set-up #PHONE_NUM -> return SocketChannel socket = ...; CharBuffer buffer = ...; CharBuffer.put(String,int,int) CharsetEncoder encoder = ...; arg#1 -> this TelephonyManager tMgr = ...; arg#1 -> return this -> return // Leak phone number // ( #PHONE_NUM -> !INTERNET ) CharsetEncoder.encode(CharBuffer) String mPhoneNumber = tMgr.getLine1Number(); arg#1 -> return CharBuffer b1 = buffer.put(mPhoneNumber,0,10); ByteBuffer bytebuffer = encoder.encode(b1); SocketChannel.write(ByteBuffer) socket.write(bytebuffer); arg#1 -> !INTERNET #PHONE_NUM -> mPhoneNumber -> b1 -> bytebuffer -> !INTERNET

  29. III Technique

  30. Instrument, run, analyze Instrument Run Analyze

  31. Instrument, run, analyze Instrument Run Analyze

  32. Instrument, run, analyze Instrument Run Analyze

  33. Instrument, run, analyze Instrument Run Analyze

  34. Instrument, run, analyze Instrument Run Analyze

  35. Method trace Definition:

  36. Method trace Definition: Sequence of recorded operations between • method entry and return.

  37. Method trace Definition: Sequence of recorded operations between • method entry and return. Including calls to other methods. •

  38. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  39. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  40. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  41. Example o . m ( arg1 , arg2 ) : t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  42. Example o . m ( arg1 , arg2 ) : Spec: t = arg1 ⊗ arg2 arg1->this o1 = o.f arg2->this o2 = o1.g Initialization o3 = o.g o2.f = t return o

  43. Example o . m ( arg1 , arg2 ) : Spec: t = arg1 ⊗ arg2 arg1->this o1 = o.f arg2->this o2 = o1.g Initialization this->return o3 = o.g o2.f = t return o

  44. Example o . m ( arg1 , arg2 ) : Spec: t = arg1 ⊗ arg2 arg1->this o1 = o.f arg2->this o2 = o1.g Initialization this->return o3 = o.g o2.f = t arg1->return return o arg2-> return

  45. Example: Initialization o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  46. Example: Taint propagation o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization t o3 = o.g o2.f = t return o

  47. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o1 o3 = o.g o2.f = t return o

  48. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o1 o3 = o.g o2.f = t o2 return o

  49. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 o3 = o.g o2.f = t return o

  50. Example: Loads o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

  51. Example: Store o . m ( arg1 , arg2 ) : ret = o . m ( arg1 , arg2 ) t = arg1 ⊗ arg2 o1 = o.f o2 = o1.g Initialization o3 = o.g o2.f = t return o

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2 , Yizhuo Wang 1 , Juanru Li 1 , Siqi Ma 3 1 Shanghai Jiao Tong University , China 2 University of Michigan , America 3 Data 61, CSIRO , Australia

918 views • 38 slides
Pointers char *a = hi; ! Solution exists: ( char *)*p = &a; ! = =

Pointers char *a = hi; ! Solution exists: ( char *)*p = &a; ! = =

Pointers char *a = hi; ! Solution exists: ( char *)*p = &a; ! = = untainted ! ( char *)*q = p; ! char *b = fgets(); ! = = tainted *q = b; " printf(*p); untainted Misses illegal flow! !

634 views • 13 slides
An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se) Visiting Associate Professor, Stanford, CA, U.S.A. Chalmers, Gteborg, Sweden Work-in-progress with Pablo Buiras (Chalmers), Deian Stefan (Stanford),

328 views • 20 slides
Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A Checksum-Aware Background Directed Fuzzing Tool for Automatic Motivation Software Vulnerability Detection TaintScope Intuition Tielei Wang 1 ,

427 views • 5 slides
PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng AsiaSlowinska,HerbertBos VrijeUniversiteitAmsterdam Whypointertain,ng? AFacks Exploitlowlevelmemoryerrors

1.41k views • 65 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi (mnavaki@unm.edu) Geoffrey Alexander Jedidiah R. Crandall What is PII? Personally Identifiable Information (PII) is information that can

380 views • 20 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An

Privacy on Smartphones Presentation by Claude Barthels Roadmap TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones MockDroid: Trading Privacy for Application Functionality on Smartphones

429 views • 38 slides
Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University) 1 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin

1.23k views • 90 slides
Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna Balasubramanian, Anthony LaMarca, David Wetherall 1 Continuous sensing apps Step Counting Fall Detection Driver Monitor Theft Detection Healthcare apps:

743 views • 29 slides
Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Compiler Infrastructure Systems and Internet Infrastructure Security

603 views • 23 slides
A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE Department, Rice University EuroSys 2017 How do we deal with complexity? 2 Modularization complex 1 2 3 4 system 3 Modularization 1

672 views • 26 slides
Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

7/1/2019 Kaestner: Tax, Estate Planning, and Trust Administration Implications Handout materials are available for download or printing on the HANDOUT TAB on the gotowebinar console. If the tab is not open click on that tab to open it and

278 views • 23 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web Applications Web Application <SCRIPT>...</SCRIPT> Attackers evil script executed using victims credentials Omer Tripp Marco

410 views • 6 slides
Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis Dr. Alexander von Rhein Alexander von Rhein Research Software Verification Software-Product-Line Analysis Taint-Analysis Consulting Software

894 views • 30 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013

735 views • 25 slides
Organiza)onal Privilege & Organiza)onal Insiders

Organiza)onal Privilege & Organiza)onal Insiders

Organiza)onal Privilege & Organiza)onal Insiders Kathleen Clark AALS New Orleans January 5, 2013 Lawyers Represen)ng Whistleblowers

546 views • 37 slides
SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen UniversityofMichigan SOSP2009 Overview App App Policy App Policy Speculation Infrastructure Mechanism

891 views • 5 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and

Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and

Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and Jason Flinn University of Michigan Speculative Execution TIME Sequential dependent tasks Predict A Predict results of Task A to break

589 views • 25 slides

More recommend