PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng - PowerPoint PPT Presentation

Pointless Tain,ng?  Evalua,ng the Prac,cality of Pointer  Tain,ng  Asia Slowinska, Herbert Bos  Vrije Universiteit Amsterdam 

Why pointer tain,ng?  • AFacks  Exploit low‐level memory errors  Buffer overflows  Dangling pointers  Format strings  

Why pointer tain,ng?  • AFacks  Exploit low‐level memory errors  Buffer overflows  Dangling pointers  Format strings   Control‐diver,ng 

Why pointer tain,ng?  • AFacks  Exploit low‐level memory errors  Buffer overflows  Dangling pointers  Format strings   Control‐diver,ng  Non‐control‐diver,ng 

Why pointer tain,ng?  • Keyloggers, etc.   • AFacks  Installed by users or by the way of exploits  Exploit low‐level memory errors  e.g., trojan  Buffer overflows  Dangling pointers  Format strings   Control‐diver,ng  Non‐control‐diver,ng 

Why pointer tain,ng?  • Keyloggers, etc.   • AFacks  Installed by users or by the way of exploits  Exploit low‐level memory errors  e.g., trojan  Buffer overflows  Dangling pointers  • Pointer tain*ng   Format strings   • Capable of detec,ng  Control‐diver,ng  • Memory corrup,on aFacks  • Both control‐ and non‐control‐ Non‐control‐diver,ng  diver,ng   • Privacy‐breaching malware  • PROBLEMATIC 

Basic tain,ng  memory    taint tag  App 1  App 2  App 3  Guest OS  Emulator  Host OS 

Basic tain,ng  memory    taint tag  ret  App 1  App 2  App 3  Guest OS  Emulator  Host OS 

Basic tain,ng  1. Mark network data  as tainted.  memory    taint tag  ret  App 1  App 2  App 3  Guest OS  Emulator  Host OS 

Basic tain,ng  1. Mark network data  as tainted.  memory    taint tag  2. Propagate taint  through the OS.  ret  App 1  App 2  App 3  Guest OS  Emulator  Host OS 

Basic tain,ng  1. Mark network data  as tainted.  memory    taint tag  2. Propagate taint  through the OS.  ret  3. Alert for  App 1  App 2  App 3  dereferences due  to tainted jumps,  func,on calls/ Guest OS  returns.  Emulator  Host OS 

AFacks: (in)effec,veness of basic tain,ng  void serve(int fd) { reply msg  char *reply = ...; char request[64]; read(fd, request, 128); srv_send(fd, reply, 1024); } reply  request 

AFacks: (in)effec,veness of basic tain,ng  void serve(int fd) { reply msg  char *reply = ...; server private  char request[64]; data  read(fd, request, 128); srv_send(fd, reply, 1024); } reply  request 

Pointer tain,ng  1. Mark network data as  tainted.  2. Propagate taint through  the OS.  • AFacks  3. Alert for dereferences  due to tainted jumps,  func,on calls/returns.  +  If  p  is tainted, raise an alert  on any dereference of  p

Pointer tain,ng  1. Mark network data as  tainted.  2. Propagate taint through  the OS.  • AFacks  • Keylogger detec,on  +  If  p  is tainted, any  3. Alert for dereferences  due to tainted jumps,  dereference of  p  taints the  func,on calls/returns.  des,na,on   +  If  p  is tainted, raise an alert  on any dereference of  p

AFacks: effec,veness of pointer tain,ng  void serve(int fd) { reply msg  char *reply = ...; server private  char request[64]; data  read(fd, request, 128); srv_send(fd, reply, 1024); } reply  request 

Pointer tain,ng: FPs likely  void serve(int fd) { char *reply; char request; read(fd, request, 1); srv_send(fd, reply, 1); }

Pointer tain,ng: FPs likely  void serve(int fd) { char *reply; char request; read(fd, request, 1); reply = to_lower[request]; srv_send(fd, reply, 1); }

Pointer tain,ng: FPs likely  void serve(int fd) { char *reply; char request; read(fd, request, 1); 0x143  0x63 (‘c’)  reply = to_lower[request]; 0x142  0x62 (‘b’)  srv_send(fd, reply, 1); 0x141  0x61 (‘a’)  } 0x100 

Pointer tain,ng: FPs likely  void serve(int fd) { char *reply; char request; read(fd, request, 1); 0x143  0x63 (‘c’)  reply = to_lower[request]; 0x142  0x62 (‘b’)  srv_send(fd, reply, 1); 0x141  0x61 (‘a’)  } request = 0x41 ‘A’ 0x100 

Pointer tain,ng: FPs likely  void serve(int fd) { char *reply; char request; read(fd, request, 1); 0x143  0x63 (‘c’)  reply = to_lower[request]; 0x142  0x62 (‘b’)  srv_send(fd, reply, 1); 0x141  0x61 (‘a’)  } request = 0x41 ‘A’ 0x100  addr = 0x100 + request reply = *addr

Keylogger detec,on  memory    taint tag  App 1  App 2  App 3  Guest OS  Emulator  Host OS  Poten,al malware  Internet browser 

Keylogger detec,on: FPs likely (again)  struct hlist_head *head = get_list_head(filename);

Keylogger detec,on: FPs likely (again)  struct hlist_head *head = get_list_head(filename); base 

Keylogger detec,on: FPs likely (again)  struct hlist_head *head = get_list_head(filename); index = hash(filename) base 

Keylogger detec,on: FPs likely (again)  struct hlist_head *head = get_list_head(filename); struct dentry *dentry = head->first;

Keylogger detec,on: FPs likely (again)  dentry of foo.txt  struct hlist_head *head = next = NULL  get_list_head(filename); info  struct dentry *dentry = head->first;

Keylogger detec,on: FPs likely (again)  dentry of foo.txt  struct hlist_head *head = next = NULL  get_list_head(“test.txt”); info  struct dentry *dentry = head->first;

Keylogger detec,on: FPs likely (again)  dentry of foo.txt  struct hlist_head *head = next = NULL  get_list_head(“test.txt”); info  dentry of test.txt  struct dentry next  *dentry = head->first; info 

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng - PowerPoint PPT Presentation

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng AsiaSlowinska,HerbertBos VrijeUniversiteitAmsterdam Whypointertain,ng? AFacks Exploitlowlevelmemoryerrors

Pointless fusion for pointwise application Malcolm Wallace University of York (soon @

Extremely Pointless Curves Jon Grantham Qu ebec-Maine Number Theory Conference September 2020

T axing We alth in an Unc e r tain Wor ld Da nie l He me l Unive rsity o f Chic a g o L a w

Relational algebra tuple). More formally, R S is defined as follows: tain To ob- tributes of

Re Reas ason onin ing g Un Unde der Un Uncerta tain inty ty: Varia Va iabl ble eli

-Decay Total Absorption Spectroscopy: A Tool for Applied and Fundamental Research

Probati tion Unit t } Psychoth therapy } Medical Ev Evaluati tion and Treatm tment t

RN, pHD student, Tain Pizzignacco CF CENTRE AT RIBEIRO PRETO THE HEALTH CARE SYSTEM OF BRAZIL

Re Reas ason onin ing g Un Unde der Un Uncerta tain inty ty: B Belie lief f Netw Ne

BANK OF SCOTLAND AND ABBIAN HOUSE TAIN (FORMERLY BRITISH LINEN BANK) TOWER STREET Scotlands

Good Busin iness ess, Su Susta tain inable able Busin iness ess Brad Marwoo wood AAMIG

Managing Director Elstree Studios is home to some of the top shows on British television today;

An Introduction to Analysing Qualitative Data PAUL GREENBANK CENTRE FOR LEARNING AND TEACHING

INT RODUCT ION NRHA has always r e quir e d that builde r s par tic ipating in our

Pr ProTrac acer er: T : Towar ards Pr ds Prac ac-c -cal Pr al Provenanc enance T e

Safer er and Sustai tainable nable at Hom ome Virtual al community ity-led worksh shops s

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

Pointers char a = hi; ! Solution exists: ( char )*p = &a; ! = =

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng - PowerPoint PPT Presentation

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng AsiaSlowinska,HerbertBos VrijeUniversiteitAmsterdam Whypointertain,ng? AFacks Exploitlowlevelmemoryerrors

Pointless fusion for pointwise application Malcolm Wallace University of York (soon @

Extremely Pointless Curves Jon Grantham Qu ebec-Maine Number Theory Conference September 2020

T axing We alth in an Unc e r tain Wor ld Da nie l He me l Unive rsity o f Chic a g o L a w

Relational algebra tuple). More formally, R S is defined as follows: tain To ob- tributes of

Re Reas ason onin ing g Un Unde der Un Uncerta tain inty ty: Varia Va iabl ble eli

-Decay Total Absorption Spectroscopy: A Tool for Applied and Fundamental Research

Probati tion Unit t } Psychoth therapy } Medical Ev Evaluati tion and Treatm tment t

RN, pHD student, Tain Pizzignacco CF CENTRE AT RIBEIRO PRETO THE HEALTH CARE SYSTEM OF BRAZIL

Re Reas ason onin ing g Un Unde der Un Uncerta tain inty ty: B Belie lief f Netw Ne

BANK OF SCOTLAND AND ABBIAN HOUSE TAIN (FORMERLY BRITISH LINEN BANK) TOWER STREET Scotlands

Good Busin iness ess, Su Susta tain inable able Busin iness ess Brad Marwoo wood AAMIG

Managing Director Elstree Studios is home to some of the top shows on British television today;

An Introduction to Analysing Qualitative Data PAUL GREENBANK CENTRE FOR LEARNING AND TEACHING

INT RODUCT ION NRHA has always r e quir e d that builde r s par tic ipating in our

Pr ProTrac acer er: T : Towar ards Pr ds Prac ac-c -cal Pr al Provenanc enance T e

Safer er and Sustai tainable nable at Hom ome Virtual al community ity-led worksh shops s

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

Pointers char *a = hi; ! Solution exists: ( char *)*p = &amp;a; ! = =

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Pointers char a = hi; ! Solution exists: ( char )*p = &a; ! = =