retrofitting security in input parsing routines
play

Retrofitting Security in input parsing routines Jayakrishna Menon, - PowerPoint PPT Presentation

Dec 07, 2022 •334 likes •702 views

Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, Stephen Schwab {jmenon, hauser, schwab}@isi.edu yans@asu.edu Modern defenses Vulnerabilities Many programs are still OS defenses

  1. Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, Stephen Schwab {jmenon, hauser, schwab}@isi.edu yans@asu.edu

  2. Modern defenses Vulnerabilities Many programs are still ● OS defenses (ASLR, DEP). ● written in unsafe Compiler-level defenses ● languages like C/C++. (e.g., stack canaries). Memory corruption ● Code audit tools. ● vulnerabilities remain prominent.

  3. parsers Directly exposed to user input. ● Many custom implementations in unsafe languages (C/C++). ● Over 170 vulnerabilities reported in various parsing ● mechanisms since 1999. Varying semantics and the abundance of string ● manipulations make their implementation error-prone.

  4. Solution space

  5. Design time post-design security security Parser libraries. ● Code audits. ● Parser generators. ● Refactoring/inserting ● correct parsers. Formal methods. ● No source code? ●

  6. Binary-level approach Source code not always ● available (legacy code, uncooperative editors, untrusted IoT devices). What you see is not what ● you execute: compiler bugs, compiler “backdoors” WYSINWYX e.g., XCodeGhost (linking malicious code into executables).

  7. challenges

  8. Scaling problem Program analysis techniques are difficult to automate in a scalable and precise manner.

  9. Static analysis Symbolic execution Precise. ● Scalable. ● Unscalable. ● Imprecise. ●

  10. Dynamic analysis Precise. ● Low coverage. ●

  11. Source code Binary Types. ● Registers. ● Variable names. ● Memory locations. ● Functions. ● Basic blocks. ● ... ● ... ●

  12. How to scale to real world programs?

  13. template-based approach … to discover vulnerabilities based on templates corresponding to common classes of security bugs. … to retrofit security by patching programs at the binary-level.

  14. Initial approach classes/templates Focuses on overflows in ● buffers allocated Unconstrained input. ● statically on the stack. Under-constrained input ● size. template-based: ● Unchecked termination ● categorize causes of condition. vulnerabilities into ... ● three classes. Combines static analysis ● and symbolic execution.

  15. Unconstrained Improper usage of functions that do not check for sizes such as input. strcpy, sprintf etc.

  16. Example 1: CVE-2003-0390 int opt_atoi( char *s) { char buf[1024]; char *fmt = "String [ %s ] is not valid"; sprintf(buf, fmt, s); }

  17. Under-constrained Improper validation of size field in functions such as memcpy. input size.

  18. Example 2: CVE-2015-3329 void phar_set_inode( phar_entry_info *entry) { char tmp[1024]; memcpy(tmp, entry -> phar -> fname, entry->phar->fname_len); }

  19. Unchecked Performing operations on termination (possibly) incorrectly terminated strings. condition.

  20. 2-step Analysis approach Symbolic analysis Static analysis } Identify string Identify } program paths. } CFG manipulation destination functions. buffers (sinks). SE Dangerous Identify user Analyze backward DDG input. data-dependency. Path constraints. (Memory corruption caused by unsafe buffer manipulation)

  21. Analysis results Static Analysis Symbolic Overall execution False positive rate 6.6% 0% 0% * False negative rate 40% 0% * 40% Time 1-260s 1-400s 2-660s

  22. New bugs 2 new bugs found in the binary code of common opensource projects and libraries (in a semi-automatic setting)

  23. Retrofitting security: binary patching

  24. Remember: we focus on stack ● Adding the missing buffers. On the identified program ● checks paths, we constrain the user input such that: user_input_size < stack_buffer_size

  25. When the constraints are Adding the missing violated, we crash the program. checks This is equivalent to e.g., __sprintf_chk()

  26. Static reassembly problems: breaking internal program references. Patching the binary Partial solution: inject trampoline gadgets in padding bytes between functions (up to 15 consecutive NOPs).

  27. Inserting checks int opt_atoi(char *s) int opt_atoi(char *s) if(strlen(s)>1024) sprintf(buf, fmt, s); exit() sprintf(buf, fmt, s);

  28. More templates

  29. New template Memory allocation errors … authentication errors. … misuses of cryptographic APIs. … information leakage.

  30. New bugs 12 new bugs found in the binary code of common opensource programs and libraries (in a fully automated setting).

  31. discussion Lightweight and scalable approach. … but high rate of false negatives. … limited patching capabilities.

  32. Data structure recovery. Stumbling blocks Pointer aliasing.

  33. Future work Improve data dependence tracking. ● Leverage static reassembly techniques. ● More vulnerability templates. ● Apply to large corpus of IoT firmware. ●

  34. Key takeaways - Templates per vulnerability class. - Scalable, two-level approach based on a combination of static analysis + symbolic execution. - High-precision: we can infer semantic-agnostic patches for each class. - New bugs.

  35. ?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing reducing a string of tokens to single start symbol L eft-to-right scan of input, R ightmost derivation (inverse of deriving a string of tokens from

413 views • 5 slides
LL1 Parsing a b $ S 1 A 4 B 3 2 a b b b 1. S --&gt; a B

LL1 Parsing a b $ S 1 A 4 B 3 2 a b b b 1. S --&gt; a B

LL1 Parsing a b $ S 1 A 4 B 3 2 a b b b 1. S --&gt; a B Input 2. B --&gt; 3. B --&gt; A S 4. A --&gt; b B Parse Stack Compare Input and Stacktop 1 LL1 Parsing a b $ S 1 A

694 views • 17 slides
Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security

370 views • 33 slides
CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3 Top-down Parsing predictive parsers 4 Suggested reading: https://en.wikipedia.org/wiki/LL_parser Top-down Parsing contd.. Also called

750 views • 46 slides
Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A

Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A

Compiler Design and Construction Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A top-down parsing algorithm parses an input string of tokens by tracing out the steps in a leftmost derivation. Such an

1.12k views • 96 slides
Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI

Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI

Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015) Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting

752 views • 56 slides
CCured: Type-safe Retrofitting of Legacy Code By Necula, McPeak, Weimer Presented By: Philip

CCured: Type-safe Retrofitting of Legacy Code By Necula, McPeak, Weimer Presented By: Philip

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CCured: Type-safe Retrofitting of Legacy Code By Necula,

284 views • 24 slides
Bottom Up Parsing Also known as Shift-Reduce parsing More powerful than top down Dont

Bottom Up Parsing Also known as Shift-Reduce parsing More powerful than top down Dont

9/26/2012 Bottom Up Parsing Also known as Shift-Reduce parsing More powerful than top down Dont need left factored grammars Can handle left recursion Bottom Up Parsing Attempt to construct parse tree from an input string

654 views • 6 slides
Bottom up Parsing Bottom up parsing trys to transform the input string into the start symbol.

Bottom up Parsing Bottom up parsing trys to transform the input string into the start symbol.

Bottom up Parsing Bottom up parsing trys to transform the input string into the start symbol. Moves through a sequence of sentential forms (sequence of Nonterminal or terminals). Trys to identify some substring of the sentential form that

308 views • 15 slides
Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and

Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and

10/17/2012 Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and given non- LL(k) terminal, we can choose the alternative appropriately. L left to right scan L leftmost derivation

396 views • 7 slides
Bottom up parsing Construct a parse tree for an input string beginning at leaves and going

Bottom up parsing Construct a parse tree for an input string beginning at leaves and going

Bottom up parsing Construct a parse tree for an input string beginning at leaves and going towards root OR Reduce a string w of input to start symbol of grammar Consider a grammar S aABe The sentential forms A Abc | b happen

1.21k views • 79 slides
Algorithms for NLP IITP, Fall 2019 Lecture 11: Parsing III Yulia Tsvetkov 1 Syntactic Parsing

Algorithms for NLP IITP, Fall 2019 Lecture 11: Parsing III Yulia Tsvetkov 1 Syntactic Parsing

Algorithms for NLP IITP, Fall 2019 Lecture 11: Parsing III Yulia Tsvetkov 1 Syntactic Parsing INPUT: The move followed a round of similar increases by other lenders, reflecting a continuing decline in that market OUTPUT:

1.36k views • 115 slides
IT350: Web &amp; Internet Programming Set 19: Security, Hacking and myspace Input to your

IT350: Web &amp; Internet Programming Set 19: Security, Hacking and myspace Input to your

IT350: Web &amp; Internet Programming Set 19: Security, Hacking and myspace Input to your Website How does a user input information to your site? How does your server-side code process the input? How do you store the input?

717 views • 12 slides
Parsing (Syntactic Structure) INPUT: Boeing is located in Seattle. OUTPUT: S 6.864: Lecture 2,

Parsing (Syntactic Structure) INPUT: Boeing is located in Seattle. OUTPUT: S 6.864: Lecture 2,

Parsing (Syntactic Structure) INPUT: Boeing is located in Seattle. OUTPUT: S 6.864: Lecture 2, Fall 2007 Parsing and Syntax I NP VP N V VP Boeing is V PP P NP located in N Seattle 1 3 Overview Syntactic Formalisms Work

400 views • 18 slides
CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing Bottom-up parsing Recursive-descent Shift-reduce parsers parsing LR(0) parsing LL(1) parsing LR(0) items LL(1) parsing

429 views • 29 slides
Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Outline Review LL parsing Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm Constructing LR parsing tables 2 Top-Down Parsing: Review Top-Down Parsing: Review Top-down parsing expands a

470 views • 13 slides
Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander

Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander

Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander Wei 2 , Hu Fu 1 , Scott Duke Kominers 2 , Kevin Leyton-Brown 1 1 University of British Columbia 2 Harvard University Food Banks and Food Pantries

489 views • 24 slides
David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June

David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June

David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June 2011 if (slide == introduction) System.out.println( &quot; Im David Rook &quot; ); Security Analyst, Realex Payments, Ireland CISSP, CISA,

933 views • 74 slides
Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2013-2014 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL 2 Communication Vincent Simonet, 2013-2014 Universit Pierre et Marie Curie, Master

782 views • 57 slides
Internet Systems Programming NFS: Protocols, Programming, and Implementation Erez Zadok

Internet Systems Programming NFS: Protocols, Programming, and Implementation Erez Zadok

Internet Systems Programming NFS: Protocols, Programming, and Implementation Erez Zadok ezk@cs.columbia.edu October 25, 1999 The BIG Picture portmap biod NFS Client (kernel) mountd process lockd NFS_READ read() RPC XDR XDR RPC

469 views • 15 slides
The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is

The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is

The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is really about &quot;Build &amp; Release&quot;, not just &quot;Release&quot; Focus is on server-side software The commandments are solutions to

358 views • 16 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Announcements Syllabus: posted on website Academic Integrity PRE posted on website Team formation - how's it going? Grades will be in UBLearns

456 views • 43 slides

More recommend