peng li
play

Peng Li UNC, Chapel Hill, NC, USA Debin Gao School of Information - PowerPoint PPT Presentation

Dec 07, 2022 •551 likes •816 views

Peng Li UNC, Chapel Hill, NC, USA Debin Gao School of Information Systems, Singapore Management University, Singapore Mike Reiter UNC, Chapel Hill, NC, USA 1 Background and Introduction Overall Structure Conversion Algorithm

  1. Peng Li UNC, Chapel Hill, NC, USA Debin Gao School of Information Systems, Singapore Management University, Singapore Mike Reiter UNC, Chapel Hill, NC, USA 1

  2.  Background and Introduction  Overall Structure  Conversion Algorithm  Evaluation  Summary 2

  3.  By statically analyzing the source code or the binary  No false alarms  Less sensitive  By training  Better tuned to the workload where they operate; more sensitive  May suffer from false alarms 3

  4. Input Input syscall syscall … ... [S. A. Hofmeyr et al.] [R. Sekar et al.] 4

  5.  Rebuild the model by collecting traces of the updated program Problems: 1. Setting up sanitized environment free of attacks 2. Setting up environment as similar as possible to the one in which the updated program will be run 3. Multiple such environments  Adapt the old model to the changes induced by the patch 5

  6. Bin Diff Analyzer Ingredient III Ingredient II Ingredient I 6

  7. Call stack 1 main.2 f.1 sys1 main () { 1: int a = 2; Call stack 2 main.2 f.5 sys5 2: f(a); } f () void f (int x){ 1: sys_call (1); f.1 1 2: if (x == 1) main () 3: sys_call (3); 4: else if (x==2) main.2 5: sys_call (5); } f.5 5 7

  8. White-box technique: main () f () main () { enter enter 1: int a = 2; 1 2: f(a); } f.1 void f (int x){ main.2 5 1: sys_call (1); 2: if (x == 1) f.3 f.5 3: sys_call (3); 4: else if (x==2) 3 5: sys_call (5); } exit exit 8

  9. BinHunt [Gao, Reiter, Song, ICICS08]  A novel technique for finding semantic differences in binary programs  Computes the maximum common induced subgraphs between control flow graphs  Maximum match per pair of functions  Maximum match between two programs patched unpatched 9

  10.  Background and Introduction  Overall Structure  Conversion Algorithm  Evaluation  Summary 10

  11. BinHunt Diff CFG pieces Old Execution Graph 11

  12.  Background and Introduction  Overall Structure  Conversion Algorithm  Evaluation  Summary 12

  13.  We iteratively do the conversion for each pair of matched functions: copying nodes and edges  For the function that has no match or for the unmatched portion of the matched functions, we resort to static analysis  Then we do conversion on edges which connect functions (calls and returns) 13

  14. When simple copy doesn’t work g() f() call g’() call f’() jz jz ? syscall4 syscall3 noncall syscall3 call g’’() call f’’() Matched parts for two functions 14

  15. “Extended Similarity” f() g() 3 3 syscall syscall g’() f’() call g’() call f’() enter enter syscall syscall … call g’’() call f’’() 4 4 exit exit Please see proof in the paper 15

  16.  Are the properties of Execution Graph model preserved after our conversion?  Will the converted model raise false alarm on the language accepted by the trained model?  How to make use of the output from binary difference analyzer? … 16

  17.  Background and Introduction  Overall Structure  Conversion Algorithm  Evaluation  Summary 17

  18.  tar  Old version has an input validation error  Patched part only involves a function call that does not make any syscalls  EG unchanged  ncompress  Old version misses a boundary check  In the new version, an err-msg printing branch is added  Converted EG expanded slightly 18

  19.  ProFTPD  Cross-site Request forgery is possible  Input validation checks added  Converted EG expanded slightly  Unzip  May pass invalid pointers and potentially execute arbitrary code  Patch involves changes in four functions  Nodes and edges increase more significantly 19

  20. Copied Not copied Nodes Edges Nodes Edges tar 478 1430 0 (0%) 0 (0%) ncompress 151 489 3 (1.9%) 23 (4.5%) ProFTPD 775 1850 6 (0.7%) 28 (1.5%) unzip 374 1004 50 (11.8%) 195 (16.3%) Statistics for nodes and edges in the converted execution graph 20

  21. Old Binary New binary Old EG New EG New EG (trained) (converted) (trained) nodes edges nodes edges time (sec) nodes edges tar 478 1430 478 1430 14.5 478 1430 ncompress 151 489 154 512 13.1 151 489 ProFTPD 775 1850 781 1878 17.4 776 1853 unzip 374 1004 424 1199 41.6 377 1017 Statistics for the size comparison and algorithm efficiency 21

  22. System call sequences by analyzing the CFG U Please see proof in the paper System call sequences accepted by the converted model System call sequences System call sequence accepted by the trained model 22

  23.  Background and Introduction  Overall Structure  Conversion Algorithm  Evaluation  Summary 23

  24.  An approach to adapt a trained anomaly detector to software patches  An algorithm for the conversion  We show that our algorithm is sound  (Proof) The behavior accepted by the converted detector is consistent with the static analysis of the binary  (Empirically) The converted detector did not raise alarms on the behavior accepted by the trained detector of the new binary 24

  25. pengli@cs.unc.edu 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SVM vs Regularized Least Squares Classification Peng Zhang and Jing Peng Electrical Engineering

SVM vs Regularized Least Squares Classification Peng Zhang and Jing Peng Electrical Engineering

SVM vs Regularized Least Squares Classification Peng Zhang and Jing Peng Electrical Engineering and Computer Science Department Tulane University, New Orleans, LA 70118, USA { zhangp,jp } @eecs.tulane.edu Abstract 2. SVMs and RLS Our learning

154 views • 4 slides
Characterizing Pixel Tracking through the Lens of Disposable Email Services Hang Hu, Peng Peng,

Characterizing Pixel Tracking through the Lens of Disposable Email Services Hang Hu, Peng Peng,

Characterizing Pixel Tracking through the Lens of Disposable Email Services Hang Hu, Peng Peng, Gang Wang Computer Science Virginia Tech hanghu@vt.edu 1 Privacy #1: Online Activity Real-world Identity Email address is one of the most

400 views • 23 slides
Dr. A.F.M Afzal Hossain 1 , PEng. Dr. A.F.M Afzal Hossain 1 , PEng. Saad Siddiqui 2 PEng. Saad

Dr. A.F.M Afzal Hossain 1 , PEng. Dr. A.F.M Afzal Hossain 1 , PEng. Saad Siddiqui 2 PEng. Saad

Dr. A.F.M Afzal Hossain 1 , PEng. Dr. A.F.M Afzal Hossain 1 , PEng. Saad Siddiqui 2 PEng. Saad Siddiqui 2 PEng. Md. Jakir Hossain 3 Md. Jakir Hossain 3 Zannatul Ferdous Haque 4 Zannatul Ferdous Haque 4 1 Deputy Executive Director (P&D); 2

882 views • 54 slides
Load Balanced Parallel GPU Out-of-Core for Continuous LOD Model Visualization Chao Peng, Peng Mi

Load Balanced Parallel GPU Out-of-Core for Continuous LOD Model Visualization Chao Peng, Peng Mi

Load Balanced Parallel GPU Out-of-Core for Continuous LOD Model Visualization Chao Peng, Peng Mi and Yong Cao Department of Computer Science, Virginia Tech, Blacksburg, Virginia, USA Ultrascale Visualization Workshop 2012 Motivation How

380 views • 24 slides
Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng

Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng

Computer Science Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng Ning, Douglas Reeves North Carolina State Univ. Xinyuan Wang George Mason Univ. 1 Attack Through Stepping Stones Telnet/ Attack

460 views • 20 slides
A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com

A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com

A Design Of Secure Preferential E-Voting Kun Peng and Feng Bao { dr.kun.peng } @gmail.com Institute for Inforcomm Research (I 2 R), Singapore 1 Agenda 1. Preferential E-Voting 2. Coercion attack and coercion resistent 3. Italian attack

229 views • 21 slides
Deploy your own replication system with Wal2json PGCONF.EU 2019 Mai PENG 17/10/2019 Hello

Deploy your own replication system with Wal2json PGCONF.EU 2019 Mai PENG 17/10/2019 Hello

Deploy your own replication system with Wal2json PGCONF.EU 2019 Mai PENG 17/10/2019 Hello Mai Peng , DBA @webedia movies pro Data operations : migrations Detect bottleneck latency Find solutions for Fast Data Processing

869 views • 32 slides
Network Management Scenarios for RELOAD

Network Management Scenarios for RELOAD

Network Management Scenarios for RELOAD dra:-peng-p2psip-network-management- scenarios-02 IETF #80 Yonglin PENG, Wei WANG, Jin PENG Lifeng LE,

357 views • 11 slides
Building infrastructure to support global trade Matthew Walton-Knight, PEng CEng MI CE I an

Building infrastructure to support global trade Matthew Walton-Knight, PEng CEng MI CE I an

Building infrastructure to support global trade Matthew Walton-Knight, PEng CEng MI CE I an Galsworthy, PEng CEng MI CE Jody Addah, PMP LEED-AP Port Metro Vancouver Non-shareholder, financially self- sufficient corporation established

1.37k views • 73 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides
Towards a Virtual Stuntman Xue Bin (Jason) Peng UC Berkeley Animation Animation Computer

Towards a Virtual Stuntman Xue Bin (Jason) Peng UC Berkeley Animation Animation Computer

Towards a Virtual Stuntman Xue Bin (Jason) Peng UC Berkeley Animation Animation Computer Animation [Geijtenbeek et al. 2013] [Brown et al. 2013] [Ju et al. 2013] [Tan et al. 2014] [Kwon and Hodgins 2017] [Peng et al. 2018] Physics-Based

1.82k views • 113 slides
One Hop Lookups Plugin for RELOAD IETF81@Quebec, Canada draft-peng-p2psip-one-hop-plugin-00 Jin

One Hop Lookups Plugin for RELOAD IETF81@Quebec, Canada draft-peng-p2psip-one-hop-plugin-00 Jin

One Hop Lookups Plugin for RELOAD IETF81@Quebec, Canada draft-peng-p2psip-one-hop-plugin-00 Jin Peng Kai Feng Lifeng Le Agenda Why One Hop Lookups Plugin? Peer data structure Event notification procedure Updates message

589 views • 12 slides
How WeveGot it Wrong L. Hampson, PEng, CD

How WeveGot it Wrong L. Hampson, PEng, CD

Demys&fying First Na&on Communica&ons 101 How WeveGot it Wrong L. Hampson, PEng, CD Senior Project Manager Directorate of Contaminated

615 views • 15 slides
Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of

Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of

Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of British Columbia November 6th 2018 Peng & Greenstreet (UBC) Smtlink 2.0 ACL2 Workshop 2018 1 / 21 Why Smtlink 2.0? 1 A Simple Ring Oscillator

419 views • 27 slides
Label Embedding Based on Multi-Scale Locality Preservation Cheng-Lun Peng, An Tao, Xin Geng

Label Embedding Based on Multi-Scale Locality Preservation Cheng-Lun Peng, An Tao, Xin Geng

Label Embedding Based on Multi-Scale Locality Preservation Cheng-Lun Peng, An Tao, Xin Geng Reporter: Cheng-Lun Peng Date: July 17, 2018 Outline 1 Background 2 Proposed Method: MSLP 3 Experiment 4 Conclusion 1 Background: LE

482 views • 21 slides
Low-rank modeling for data representation Chong Peng College of Science and Technology, Qingdao

Low-rank modeling for data representation Chong Peng College of Science and Technology, Qingdao

Low-rank modeling for data representation Chong Peng College of Science and Technology, Qingdao University May 16, 2018 Chong Peng (QDU) VALSE Webinar May 16, 2018 1 / 66 Introduction Chong Peng (QDU) VALSE Webinar May 16, 2018 2 / 66

1.52k views • 66 slides
Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no ls Who? Me? Who am I? https://twitter.com/KirilsSolovjovs

753 views • 43 slides
Resources: what you need to complete the tutuorial. Computer with Vivado 19.1 and USB

Resources: what you need to complete the tutuorial. Computer with Vivado 19.1 and USB

Red Pitaya Tutorial #1 Resources: what you need to complete the tutuorial. Computer with Vivado 19.1 and USB serial console. Red Pitaya Board. SD Card Reader & Micro SD. USB Cables (Power and Comms). Host computer with

336 views • 9 slides
Solutions Problem A: Santising print(x * 0.6) Problem B: Hidden text One simple solution

Solutions Problem A: Santising print(x * 0.6) Problem B: Hidden text One simple solution

Armenian Open Programming Competition In memory of Vladimir Yeghiazaryan Solutions Problem A: Santising print(x * 0.6) Problem B: Hidden text One simple solution Copy the file into a text editor Replace all tabs to nothing

304 views • 17 slides
SAT and SMT Solvers in Practice Marijn J.H. Heule and Ruben Martins

SAT and SMT Solvers in Practice Marijn J.H. Heule and Ruben Martins

SAT and SMT Solvers in Practice Marijn J.H. Heule and Ruben Martins http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 12, 2019 1/24 DIMACS: SAT solver input format The DIMACS format for SAT solvers has

580 views • 27 slides
REbus Make your security tools cooperate Raphal Rigo with slides by Xavier Mehrenberger July 5

REbus Make your security tools cooperate Raphal Rigo with slides by Xavier Mehrenberger July 5

REbus Make your security tools cooperate Raphal Rigo with slides by Xavier Mehrenberger July 5 th / RMLL Sec 2016 REbus Example malware CFG analysis workflow graph img Image viewer Bin CFG July 5 th / RMLL Sec 2016 2 REbus Example

510 views • 26 slides
R 2 Academy Command Line Crash Course www.r-squared.in/gi t-hub Connect With Us Rsquared

R 2 Academy Command Line Crash Course www.r-squared.in/gi t-hub Connect With Us Rsquared

R 2 Academy Command Line Crash Course www.r-squared.in/gi t-hub Connect With Us Rsquared Academy Website Free Online R Courses R Packages Shiny Apps Blog GitHub YouTube Twitter Facebook Linkedin

927 views • 47 slides
The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation

The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation

Introduction Examples Tools Objections Conclusions The Fuzzing Project https://fuzzing-project.org/ Hanno B ock 1 / 18 Introduction Motivation Examples Fuzzing Tools C Memory Bugs Objections Invalid memory access example

303 views • 18 slides
Studio 3 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom frequency density 4 0.4 3 0.3 2

Studio 3 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom frequency density 4 0.4 3 0.3 2

Studio 3 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom frequency density 4 0.4 3 0.3 2 0.2 1 0.1 x x .5 1.5 2.5 3.5 4.5 .5 1.5 2.5 3.5 4.5 Concept questions Suppose X is a continuous random variable. a) What is P ( a X

158 views • 12 slides

More recommend