precisely characterizing security impact in a flood of
play

Precisely Characterizing Security Impact in a Flood of Patches via - PowerPoint PPT Presentation

Dec 20, 2022 •444 likes •1.12k views

Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison Qiushi Wu , Yang He, Stephen McCamant, and Kangjie Lu 1 Why do we need to identify security bugs? 2 Motivation The overwhelming number of bugs

  1. Precisely Characterizing Security Impact in a Flood of Patches via Symbolic Rule Comparison Qiushi Wu , Yang He, Stephen McCamant, and Kangjie Lu 1

  2. Why do we need to identify security bugs? 2

  3. Motivation ● The overwhelming number of bugs reports ○ ○ ■ 3

  4. Motivation ● The overwhelming number of bugs reports ● Patch propagation in derivative programs is hard and expensive ○ https://developer.solid-run.com/knowl 4 edge-base/linux-based-os-for-ib8000/

  5. Motivation ● The overwhelming number of bugs reports ○ ● Patch propagation in derivative programs is hard and expensive Maintainers are prioritizing to fix security bugs. Unrecognized security bugs may be left unpatched! 5

  6. Our goal:

  7. How to identify patches for security bugs? 7

  8. Traditional approaches: ● Text-mining ○ ● Statistical analysis ○ Limitations: 8

  9. Limitations of traditional approaches: CVE-2014-8133 Permission bypass commit 41bdc78544b8a93a9c6814b8bbbfef966272abbe Author: Andy Lutomirski <luto@amacapital.net> Date: Thu Dec 4 16:48:16 2014 -0800 x86/tls: Validate TLS entries to protect espfix Installing a 16-bit RW data segment into the GDT defeats espfix. AFAICT this will not affect glibc, Wine, or dosemu at all. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Acked-by: H. Peter Anvin <hpa@zytor.com> Cc: stable@vger.kernel.org Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: security@kernel.org <security@kernel.org> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Ingo Molnar <mingo@kernel.org> 9

  10. We prefer a program analysis--based method ● Understand the semantics of patches and bugs precisely ● A bug is a security bug if it causes security impacts when triggered. ● A patch is for a security bug when it blocks the security impacts 10

  11. How to know if a patch blocks security impacts? 11

  12. A security impact = A security-rule violation Security rules are coding guidelines used to prevent security bugs. Security-rule violations cause security impacts. We thus check if a patch blocks security-rule violations 12

  13. Common security rules Rule 1: In-bound access Rule 3: Use after initialization Rule 4: Permission check Rule 2: No use after free before sensitive operations 13

  14. Violations for common security rules Rule 1: In-bound access Rule 3: Use after initialization violation violation Uninitialized use Out-of-bound access Rule 4: Permission check Rule 2: No use after free before sensitive operations violation violation Use-after-free Permission bypass 14

  15. A patch blocks security impacts if: If we can prove the following conditions: Condition 1: The unpatched version of code violates a security rule. Condition 2: The patched version of code does not violate the security rule. 15

  16. Challenge:

  17. Intuition: two unique properties under-constrained symbolic execution

  18. Property 1: Constraints model violations Security-rule violations can be modeled as constraints Example: Buffer access: Constraints for out-of-bound access: Index ⩾ UpBound Index ⩽ LowBound 18

  19. Property 2: Conservativeness Under-constrained symbolic execution is conservative. ● False-positive solutions ○ If the constraints are solvable, this can be a false positive. ● Proved unsolvability ○ If it cannot find a solution against constraints, they are indeed unsolvable. 19

  20. Leverage the properties for determining the security-rule violations ● Patch-related operations can be modeled as symbolic constraints ○ ● To show the patched version won’t violate a security rule ○ violating ● To show the unpatched version will violate the security rule non-violating ○ 20

  21. Our approach: Symbolic rule comparison 1. Construct opposite constraint sets for the patched and unpatched version 2. Check the unsolvability of these constraint sets 3. Confirm the patches for security bugs if both constraint sets are unsolvable 21

  22. Rationale behind our approach ● For a security rule, the patched version NEVER violate it ○ 22

  23. Rationale behind our approach ● For a security rule, the patched version NEVER violate it ○ ● In the situations that opposite to conditions of the patch, the unpatched version MUST violate this security rule ○ 23

  24. Rationale behind our approach ● For a security rule, the patched version NEVER violate it ○ ● In the situations that opposite to conditions of the patch, the unpatched version MUST violate this security rule ○ ● The patch changes the code from an unsafe state to a safe state ○ Precisely confirmed with property 2 24

  25. Rationale behind our approach ● For a security rule, the patched version NEVER violate it ○ ● In the situations that opposite to conditions of the patch, the unpatched version MUST violate this security rule ○ ● The patch changes the code from an unsafe state to a safe state The patch fixed a security bug with the security impact that corresponding to the security rule violation. 25

  26. A concrete example 26

  27. STEP 1: Symbolically analyzing patched code // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 + return -EINVAL; 5 + } 6 7 if (!(priv->stations[sta_id].used )) 8 IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 sta_id, priv->stations[sta_id].sta.sta.addr); 11 12 ... 13 return 0; 14 } 15 27

  28. STEP 1: Symbolically analyzing patched code Identify security operations. // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 + return -EINVAL; 5 + } 6 7 if (!(priv->stations[sta_id].used )) 8 IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 sta_id, priv->stations[sta_id].sta.sta.addr); 11 12 ... 13 return 0; 14 } 15 28

  29. STEP 1: Symbolically analyzing patched code Identify security operations. // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 Extract critical variable. + return -EINVAL; 5 + } 6 7 if (!(priv->stations[sta_id].used )) 8 IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 sta_id, priv->stations[sta_id].sta.sta.addr); 11 12 ... 13 return 0; 14 } 15 29

  30. STEP 1: Symbolically analyzing patched code Identify security operations. // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 Extract critical variable. + return -EINVAL; 5 Slicing + } 6 7 if (!(priv->stations[sta_id].used )) Identify vulnerable operations. 8 IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 sta_id, priv->stations[sta_id].sta.sta.addr); 11 12 ... 13 return 0; 14 } 15 30

  31. STEP 2: Collecting and construct constraints for patched code Collecting constraints // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 Constraints source Constraints + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 Security operations + return -EINVAL; 5 + } 6 7 if (!(priv->stations[sta_id].used )) 8 Slice IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 Artificial constraints sta_id, priv->stations[sta_id].sta.sta.addr); 11 (Security rules) 12 ... 13 Violating security rules return 0; 14 } 15 31

  32. STEP 3: Solving constraints for patched code Collecting constraints // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 Constraints source Constraints + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 Security operations + return -EINVAL; 5 + } 6 7 if (!(priv->stations[sta_id].used )) 8 Slice IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 Artificial constraints sta_id, priv->stations[sta_id].sta.sta.addr); 11 (Security rules) 12 ... 13 These constraints are unsolvable! return 0; 14 } 15 32

  33. STEP 3: Solving constraints for patched code // CVE-2012-6712 1 int iwl_sta_ucode_activate(... , u8 sta_id) { 2 + if (sta_id >= IWLAGN_STATION_COUNT) { 3 + IWL_ERR(priv, "invalid sta_id %u", sta_id); 4 The patched version won’t + return -EINVAL; 5 violate the security rule. + } 6 7 if (!(priv->stations[sta_id].used )) 8 IWL_ERR(priv,"Error active station id %u " 9 "addr %pM\n", 10 sta_id, priv->stations[sta_id].sta.sta.addr); 11 12 ... 13 These constraints are unsolvable! return 0; 14 } 15 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Flood Forecasting Initiative Guy Shalev Flooding impact Flood Forecasting Flood Forecasting

Flood Forecasting Initiative Guy Shalev Flooding impact Flood Forecasting Flood Forecasting

Flood Forecasting Initiative Guy Shalev Flooding impact Flood Forecasting Flood Forecasting Initiative Initiative The Google Flood Forecasting Initiative Goal: Scalable high-accuracy high-resolution flood forecasts and warnings globally

550 views • 23 slides
Macro Level Water Management Planning using Remote Sensing and its Impact on Food Security

Macro Level Water Management Planning using Remote Sensing and its Impact on Food Security

Macro Level Water Management Planning using Remote Sensing and its Impact on Food Security Muhammad Jawad Pakistan Space &amp; Upper Atmosphere Research Commission. Flood at Tori Embankment Army Rescue Operation Flood Affected Homeless

695 views • 30 slides
Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways Bradley Reaves , Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, Kevin R. B. Butler Florida Institute of Cyber Security (FICS) SMS Ecosystem Cell

404 views • 14 slides
Texas Flood Response System Developing Near-Real-Time Flood Impact Mapping in Texas Dr. David

Texas Flood Response System Developing Near-Real-Time Flood Impact Mapping in Texas Dr. David

Texas Flood Response System Developing Near-Real-Time Flood Impact Mapping in Texas Dr. David Arctur , University of Texas at Austin Center for Water and the Environment (CWE) Presentation to H-GAC Geographic Data Workgroup, 3 October 2018

563 views • 40 slides
1 2 Flood is one of natural disasters having the most impact in Vietnam. It can make a long term

1 2 Flood is one of natural disasters having the most impact in Vietnam. It can make a long term

1 2 Flood is one of natural disasters having the most impact in Vietnam. It can make a long term effect that people have to face damages within minutes or hours. Besides the flood inundation, that is the salinization in Mekong Delta, Vietnam.

373 views • 18 slides
Characterizing the impact of geometric properties of word embeddings on task performance Brendan

Characterizing the impact of geometric properties of word embeddings on task performance Brendan

. . . . . . . . . . . . . . Characterizing the impact of geometric properties of word embeddings on task performance Brendan Whitaker, Denis Newman-Griffjs, Aparajita Haldar Hakan Ferhatosmanoglu, Eric Fosler-Lussier Ohio State

1.05k views • 17 slides
Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*,

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*,

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*, Damon McCoy, Stefan Savage, Geoffrey M. Voelker 2 3 4 5 6 Spam was 70% of total email traffic in 2013 7 buydrugs.com canadianpharmacy.com

686 views • 49 slides
Inspection Methods for Characterizing Subsurface Impact Damage in Solid Laminate Aerospace

Inspection Methods for Characterizing Subsurface Impact Damage in Solid Laminate Aerospace

Inspection Methods for Characterizing Subsurface Impact Damage in Solid Laminate Aerospace Composites Stephen Neidigk, Dennis Roach, Tom Rice, Randy Duvall FAA Airworthiness Assurance Center Sandia National Labs FAA William J. Hughes Sandia

423 views • 26 slides
The Flood of Noah Why The Flood is an important topic Why we need answers What The

The Flood of Noah Why The Flood is an important topic Why we need answers What The

The Flood of Noah Why The Flood is an important topic Why we need answers What The World believes What Major Creation Science Ministries Believe caused the Flood Hydroplate Theory Explanation for the Flood The Flood of Noah

979 views • 60 slides
Identifying and characterizing Sybils in the Tor network August 12, 2016 USENIX Security

Identifying and characterizing Sybils in the Tor network August 12, 2016 USENIX Security

Identifying and characterizing Sybils in the Tor network August 12, 2016 USENIX Security Symposium Philipp Winter Princeton University and Karlstad University Roya Ensafi Princeton University Karsten Loesing The Tor Project Nick Feamster

313 views • 28 slides
Changes Coming to the National Flood Insurance Program What to Expect Impact of of cha

Changes Coming to the National Flood Insurance Program What to Expect Impact of of cha

Changes Coming to the National Flood Insurance Program What to Expect Impact of of cha hanges to to the the N NFI FIP u under the the Bi Biggert- Wate ters Fl Floo ood Insurance a and Refo form Ac Act t 0f f 2012 Why the

125 views • 9 slides
infrastructure (GI) for flood loss avoidance in the United States 2013 International Low Impact

infrastructure (GI) for flood loss avoidance in the United States 2013 International Low Impact

Atkins Lectures Nationwide study of the benefits of green infrastructure (GI) for flood loss avoidance in the United States 2013 International Low Impact Development Symposium, Minnesota, USA Daniel Medina, senior engineer, Water Resources

433 views • 41 slides
On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
National Flood Insurance Program A Disc scussi ssion on i in Three Parts: ts: The Nature

National Flood Insurance Program A Disc scussi ssion on i in Three Parts: ts: The Nature

National Flood Insurance Program A Disc scussi ssion on i in Three Parts: ts: The Nature of Flood Risk An Overview of the NFIP Impact of Recent Legislation (BW - 12 &amp; HFIAA -14) 4) Nature of Flood Risk FLOODS ARE AN ACT

529 views • 33 slides
Security Middleware for Distributed applications Professor : Sophie Chabridon Ma Siqi Shalini

Security Middleware for Distributed applications Professor : Sophie Chabridon Ma Siqi Shalini

Security Middleware for Distributed applications Professor : Sophie Chabridon Ma Siqi Shalini Nagar 1 CONTENTS Security Characterizing Security General Scenario Tactics for Security A Design Checklist for Security Summary 2 01

487 views • 25 slides
Flood SensorWeb 10-16-08 Purpose Vision of Flood Sensor Web Present status of Flood

Flood SensorWeb 10-16-08 Purpose Vision of Flood Sensor Web Present status of Flood

1 Dan Mandl / Fritz Policelli NASA/GSFC Flood SensorWeb 10-16-08 Purpose Vision of Flood Sensor Web Present status of Flood SensorWeb initiative Some relevant examples from Fire SensorWeb efforts Goal is to visualize

643 views • 28 slides
IETF-88 Draft status: draft-ietf-nvo3-gap-analysis Eric Gray (Ericsson) Nabil Bitar (Verizon)

IETF-88 Draft status: draft-ietf-nvo3-gap-analysis Eric Gray (Ericsson) Nabil Bitar (Verizon)

IETF-88 Draft status: draft-ietf-nvo3-gap-analysis Eric Gray (Ericsson) Nabil Bitar (Verizon) Xiaoming Chen (Huawei) Marc Lasserre (Alcatel-Lucent) Tina Tsou (Huawei) Current Status Update We presented the status of the combined

276 views • 14 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
ATTACK AGAINST CONSTANT-TIME CRYPTO IMPLEMENTATIONS IN SGX Daniel Moghimi Ph.D. Student

ATTACK AGAINST CONSTANT-TIME CRYPTO IMPLEMENTATIONS IN SGX Daniel Moghimi Ph.D. Student

#RSAC SESSION ID: CRYP-T07 MEMJAM: A FALSE DEPENDENCY ATTACK AGAINST CONSTANT-TIME CRYPTO IMPLEMENTATIONS IN SGX Daniel Moghimi Ph.D. Student Worcester Polytechnic Institute @danielmgmi MemJam: A False Dependency Attack against

784 views • 49 slides
Advanced Encryption Standard Simplified-AES Simplified-AES Example Details of AES Cryptography

Advanced Encryption Standard Simplified-AES Simplified-AES Example Details of AES Cryptography

Cryptography Advanced Encryption Standard Overview of AES Advanced Encryption Standard Simplified-AES Simplified-AES Example Details of AES Cryptography AES in OpenSSL AES in Python School of Engineering and Technology CQUniversity

456 views • 30 slides
Charged-particle pseudorapidity density N part versus N coll Christian Holm Christensen Niels

Charged-particle pseudorapidity density N part versus N coll Christian Holm Christensen Niels

U N I V E R S I T Y O F C O P E N H A G E N N I E L S B O H R I N S T I T U T E faculty of science Charged-particle pseudorapidity density N part versus N coll Christian Holm Christensen Niels Bohr Institute COST Workshop on interplay of

811 views • 44 slides
The Portage Ecosystem Ivan Lazar Miljenovic emerge -uR world Introduction Pre-emerge

The Portage Ecosystem Ivan Lazar Miljenovic emerge -uR world Introduction Pre-emerge

The Portage Ecosystem The Portage Ecosystem Ivan Lazar Miljenovic emerge -uR world Introduction Pre-emerge emerge-ing Ivan Lazar Miljenovic Post-emerge Other tips and Gentoo Down Under, LCA 2008 tricks Conclusion 29 January, 2008

1.92k views • 174 slides
Drivechain Overview and Misconceptions Paul Sztorc TAB Conf Atlanta, GA Jan 27, 2018

Drivechain Overview and Misconceptions Paul Sztorc TAB Conf Atlanta, GA Jan 27, 2018

1 Drivechain Overview and Misconceptions Paul Sztorc TAB Conf Atlanta, GA Jan 27, 2018 v1.0 Feb 4 th , 2018 v2.0 2 3 Drivechain gives miners more power Optionality Criterion DC allows users to choose to make a

1.07k views • 80 slides
Parallel Execution Lecture # 14 Database Systems Andy Pavlo AP AP Computer Science

Parallel Execution Lecture # 14 Database Systems Andy Pavlo AP AP Computer Science

Parallel Execution Lecture # 14 Database Systems Andy Pavlo AP AP Computer Science 15-445/15-645 Carnegie Mellon Univ. Fall 2018 2 ADM IN ISTRIVIA Project #3 is due Monday October 19 th Project #4 is due Monday December 10 th Homework #4

909 views • 47 slides

More recommend