Pointless Tainting? Evaluating the Practicality of Pointer Tainting - PowerPoint PPT Presentation


SLIDE 1

Pointless Tainting? Evaluating the Practicality of Pointer Tainting

Asia Slowinska, Herbert Bos
Vrije Universiteit Amsterdam

SLIDES 2–6

Why pointer tainting?

  • Attacks
    – Exploit low-level memory errors: buffer overflows, dangling pointers, format strings
    – Control-diverting and non-control-diverting
  • Keyloggers, etc.
    – Installed by users or by the way of exploits, e.g., trojan
  • Pointer tainting
    – Capable of detecting
      • Memory corruption attacks, both control- and non-control-diverting
      • Privacy-breaching malware
    – PROBLEMATIC
SLIDES 7–16

Basic tainting

[Figure: host OS running an emulator; inside it a guest OS with App 1, App 2, App 3; every memory location carries a taint tag; a `ret` instruction is shown being checked]

1. Mark network data as tainted.
2. Propagate taint through the OS.
3. Alert for dereferences due to tainted jumps, function calls/returns.
SLIDES 17–18

Attacks: (in)effectiveness of basic tainting

void serve(int fd) {
    char *reply = ...;
    char request[64];
    read(fd, request, 128);
    srv_send(fd, reply, 1024);
}

[Figure: stack frame with request and reply; reply initially points at the reply msg, after the 128-byte read into request[64] it points at server private data]
SLIDES 19–20

Pointer tainting

1. Mark network data as tainted.
2. Propagate taint through the OS.
3. Alert for dereferences due to tainted jumps, function calls/returns.

  • Attacks
    + If p is tainted, raise an alert on any dereference of p
  • Keylogger detection
    + If p is tainted, any dereference of p taints the destination
SLIDE 21

Attacks: effectiveness of pointer tainting

void serve(int fd) {
    char *reply = ...;
    char request[64];
    read(fd, request, 128);
    srv_send(fd, reply, 1024);
}

[Figure: same frame as slides 17–18; labels: reply msg, server private data, reply, request]
SLIDES 22–27

Pointer tainting: FPs likely

void serve(int fd) {
    char reply;
    char request;
    read(fd, &request, 1);
    reply = to_lower[request];
    srv_send(fd, &reply, 1);
}

request = 0x41 'A'
addr = 0x100 + request
reply = *addr

[Figure: to_lower table starting at 0x100; entries at 0x141, 0x142, 0x143 hold 0x61 ('a'), 0x62 ('b'), 0x63 ('c')]
SLIDES 28–33

Keylogger detection

[Figure: host OS, emulator, guest OS with App 1, App 2, App 3 and memory with taint tags; the labelled processes are an Internet browser and a potential malware]
SLIDES 34–45

Keylogger detection: FPs likely (again)

struct hlist_head *head = get_list_head(filename);   /* index = hash(filename); head = base + index */
struct dentry *dentry = head->first;

[Figure: hash bucket list after looking up "test.txt" and "foo.txt": head -> dentry of test.txt (next) -> dentry of foo.txt (next = NULL); each dentry carries an info field]

struct hlist_head *head = get_list_head("foo.txt");
struct dentry *dentry = head->first;
dentry = dentry->next;
return info = dentry->info;
SLIDE 46

Pointer tainting

1. Mark network data as tainted.
2. Propagate taint through the OS.
3. Alert for dereferences due to tainted jumps, function calls/returns.

  • Attacks
    – If p is tainted, raise an alert on any dereference of p
  • Keylogger detection
    – If p is tainted, any dereference of p taints the destination
SLIDES 47–48

Experiment

  • QEMU + pointer tainting for keystrokes
  • Linux
  • C program; ls, cp, tar, gzip
SLIDE 49

Keyloggers… false positives!

[Chart: clean vs dirty (tainted) intervals per process, x-axis "Intervals" 50–200; processes: kernel, kernel threads, hald-addon-storage, dhcdbd, hald, syslogd, pam-unix.so, libnss-files-2.7.so, console-kit-daemon, bash (no. 1–4), run-parts, sed, tar, gzip, dash, apt-get, ls, cp, ping]
SLIDE 50

Containment

  • White and black lists
  • ESP/EBP protection
  • Landmarking
  • …
SLIDES 51–55

Landmarking ‐ motivation

Should NOT be tainted:
    val = transl_table[index]
    A = address of an array
    B = A + index*4
    val = *B
    (affects a tainted address with a clean value)

Should be tainted:
    struct dentry *dentry = prev_dentry->next;
    B = prev_dentry + offset
    dentry = *B
    (affects an address with a tainted value)
SLIDE 56

Full containment ‐ results

[Chart: clean vs dirty (tainted) intervals per process, x-axis "Intervals" 200–1400; processes: kernel, apt-get, bash (no. 1), gnome-terminal, Xorg, gnome-screensaver, python2.5, dhcdbd, hald-addon-storage, kernel threads, hald-addon-input, metacity, nm-applet, gnome-panel, hald, nautilus, bash (no. 2), tar (no. 1), gzip (no. 1), gpgv, tar (no. 2), gzip (no. 2)]
SLIDE 57

How bad are things?

Should NOT be tainted:
    struct hlist_head *head = d_hash(parent, hash);
    struct dentry *dentry = head->first;

Should be tainted:
    attributes = transl_table[kbd_data];
    lower_case = attributes->lower;

  • 1. addr: combine a clean pointer with a tainted index
  • 2. new_addr: modify the resulting pointer with a constant
SLIDE 58

Conclusions

  • We have analyzed pointer tainting
    – A popular technique for detecting memory corruption attacks and keyloggers
  • Not suited for detecting privacy-breaching malware, like keyloggers
    – False positives hard to avoid
  • Could be applied to detect memory corruption attacks
    – Not suitable for x86 and Windows
SLIDE 59

Backup slides
SLIDE 60

Pollution due to tainted ESP/EBP

  • If ESP/EBP get tainted, taint spreads instantly
    – mov eax, dword ptr [ebp + 08h]
    – pop eax
  • How can ESP/EBP become tainted?
    – The Linux kernel has numerous places where it can happen,
      • E.g., a common operation like opening a file ends up tainting EBP,
      • Details in the paper
SLIDES 61–62

Pollution due to pointer arithmetic

Should NOT be tainted:
    A = address of an array
    i = index to be accessed
    B = A + i*4
    Translated value: val = *B

Should be tainted:
    struct fd { HANDLER handler; STRING filename; struct fd *next; };
    A = address of filename
    B = A – 0x0004
    h1 = *(B + 0x0000)
    fd2 = *(B + 0x0020)

How to distinguish between these two cases?
SLIDE 63

Landmarking

typedef struct test_t {
    int i;
    struct test_t *next;
} test_t, *ptest_t;

ptest_t table[256] = …;
ptest_t i1 = table[index];   // A = (table + index*sizeof(test_t))   -- tainted
ptest_t i2 = i1->next;       // addr: *(A + offset(next))            -- clean
int i3 = i1->i;              // addr: *(A)                           -- clean
SLIDE 64

Landmarking – why FPs?

  • Possible scenarios:
    – Assume eax contains a calculated tainted address
      • It can be copied and altered before dereference
      • Then both values become tainted
    – Addresses calculated directly
      • an array A of struct {int a; int b;}
      • A[index].b: int b = *(int *)((char *)A + 8*index + 4)
  • Very simplistic, but the same problem might hold for queues, stacks and hashtables
SLIDE 65

Landmarking – more problems

  • False negatives
    – Translation table containing structures instead of single elements

      attributes = transl_table[kbd_data];
      lower_case = attributes->lower;

  • Many more problems in the paper
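As an added example (not the authors' code and not the emulator from the paper), the taint rules of the deck written out as a small C model of per-value taint tags: with landmarking off it reproduces the to_lower[request] false positive of slides 22–27, with it on it reproduces the outcomes of slides 55 and 57 and the attributes->lower false negative of slide 65. The landmark semantics (clean base + tainted index marks the address, a constant offset keeps the mark, a load through a marked address is clean) are this model's assumption, as are all addresses and memory contents.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of per-value taint tags (not the authors' emulator).
 * landmark marks an address formed as clean base + tainted index (slide 57,
 * step 1 "addr"); adding a constant to it (step 2 "new_addr") keeps the mark.
 * Under landmarking, a load through a landmarked address yields a clean value. */
typedef struct { uintptr_t v; bool tainted; bool landmark; } tval;

static tval clean(uintptr_t v)   { return (tval){ v, false, false }; }
static tval tainted(uintptr_t v) { return (tval){ v, true,  false }; }

/* base + index*scale: taint of either operand propagates to the address */
static tval addr_index(tval base, tval idx, unsigned scale) {
    bool landmark = !base.tainted && idx.tainted;   /* clean pointer, tainted index */
    return (tval){ base.v + idx.v * scale, base.tainted || idx.tainted, landmark };
}
/* ptr + constant (field access): taint and landmark carry over */
static tval addr_const(tval p, uintptr_t off) {
    return (tval){ p.v + off, p.tainted, p.landmark };
}
/* Dereference. Plain pointer tainting: loaded value tainted iff the address is.
 * Landmarking: a landmarked address yields a clean value. `value` is the
 * constructed memory content; loaded values are never landmarks themselves. */
static tval load(tval addr, uintptr_t value, bool landmarking) {
    return (tval){ value, addr.tainted && !(landmarking && addr.landmark), false };
}

/* Slides 22-27 / 55: reply = to_lower[request]  -> should NOT be tainted */
bool table_lookup_tainted(bool landmarking) {
    tval to_lower = clean(0x100), request = tainted(0x41);     /* 'A' from the network */
    return load(addr_index(to_lower, request, 1), 0x61, landmarking).tainted;
}
/* Slide 55: dentry = prev_dentry->next  -> should be tainted */
bool dentry_next_tainted(bool landmarking) {
    return load(addr_const(tainted(0x2000), 8), 0x2040, landmarking).tainted;
}
/* Slide 57: head = d_hash(parent, hash); dentry = head->first  -> should NOT be tainted */
bool hash_head_first_tainted(bool landmarking) {
    tval head = addr_index(clean(0x3000), tainted(17), 4);     /* hash of a typed name */
    return load(addr_const(head, 0), 0x2000, landmarking).tainted;
}
/* Slides 57 / 65: attributes = transl_table[kbd_data]; lower = attributes->lower
 * -> should be tainted; a translation table of structures, not single elements */
bool attributes_lower_tainted(bool landmarking) {
    tval attributes = load(addr_index(clean(0x4000), tainted(0x41), 8), 0x5000, landmarking);
    return load(addr_const(attributes, 4), 0x61, landmarking).tainted;
}
```

With landmarking off, every scenario comes back tainted (the to_lower and d_hash lookups are false positives); with it on, the two table lookups become clean, but so does attributes->lower, which is the false negative the backup slides describe.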