static analysis for exploitable vulnerability detection
play

Static analysis for exploitable vulnerability detection Marie-Laure - PowerPoint PPT Presentation

Apr 21, 2023 •107 likes •546 views

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

  1. Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43

  2. Outline 1 Context Vulnerability detection process Static analysis 2 Use-after-free detection and exploitability Our approach Detection Exploitability Prototype 3 Conclusion Projects Bibliographie Static analysis for exploitable vulnerability detection 2/43

  3. Outline 1 Context Vulnerability detection process Static analysis 2 Use-after-free detection and exploitability Our approach Detection Exploitability Prototype 3 Conclusion Projects Bibliographie Static analysis for exploitable vulnerability detection 3/43

  4. The present “A software flaw that may become a security threat . . . ” invalid memory access (e.g., buffer overflows, dangling pointers) , arithmetic overflow, race conditions, etc. Still present in current applications and OS kernels: 5000 in 2011, 5200 in 2012, 6700 in 2013 . . . [Symantec] Multiple consequences: program crash, malware injection, priviledge escalation, etc. A business A market has been established for vulnerabilities Companies, governments and criminals buy vulnerability information and accompanying exploits Up to $250,000 for a single zero - day exploit Static analysis for exploitable vulnerability detection 4/43

  5. Practice in terms of vulnerability analysis 1 Identification of flaws dangerous patterns, fuzzing and crashes identification . . . 2 Possibility of exploit (exploitability) poc elaboration, taint analysis, crash analysis . . . 3 Building an real exploit hijacking countermeasures (sandboxing, DEP, ASLR) using well-established techniques and forms of shellcodes Current practice : fuzzing + manual crash analysis ⇒ Challenges : classification of flaws that are exploitable, false positive/negative, real exploits (dedicated expertise) Static analysis for exploitable vulnerability detection 5/43

  6. Example 1 1 void bufCopy(char *dst , char *src) 2 { 3 char *p = dst; 4 while (*src != ’\0’) *p++ = *src ++; 5 *p = ’\0’; 6 } 1 void CallbufCopy(char *src) 2 {char dst [4] ; 3 bufCopy(dst , src); 4 } 1 Flaw: buffer overflow if no 0 in the first four characters 2 Poc : control flow hijacking if the return address is erased 3 Weaponized exploit : DEP ( → ROP), ASLR ( → address leaking, unrandomized library . . . ) Sandboxing ( → own vulnerability) Static analysis for exploitable vulnerability detection 6/43

  7. Outline 1 Context Vulnerability detection process Static analysis 2 Use-after-free detection and exploitability Our approach Detection Exploitability Prototype 3 Conclusion Projects Bibliographie Static analysis for exploitable vulnerability detection 7/43

  8. Used Static analysis technics Static analysis : all traces can be taken into account (or a significant part of), possibility of symbolic reasoning Technics we use: Taint and dependency analysis impact of inputs, data and control dependencies Value analysis Determine set of values including reachable values (abstract interpretation) Symbolic execution (or concolic) Build path predicates and resolve them by SMT solvers. Example 1 with size(dst)=4 and size(src)=8: p0 = dst0 and not(*src0=’\0’) and *p0=*src0 and p1=p0+1 and src1=src0+1 and not(*src1=’\0’) and *p1=*src1 and p2=p1+1 and src2=src1+1 and *src2=’\0’and *p2=’\0’ Pathcrawler/Klee: 9 test cases (4+4+1) Static analysis for exploitable vulnerability detection 8/43

  9. Static analysis and vulnerability detection Applications for vulnerability detection: identification of sensible parts of code (sophisticated patterns involving values) input generation from symbolic paths (slicing) generalization of traces (exploitability) ⇒ Exploitability only makes sense at the binary level Challenges : Taint and dependency analysis require a value analysis bitvector representation and adapted memory models scalability/completeness Static analysis for exploitable vulnerability detection 9/43

  10. Binary level and dependency ⇒ Taint analysis at the source level: 1 int x, *p, y; 2 x = 3 ; 3 p = &x ; 4 y = *p + 4 ; -- y is untainted ⇒ Taint analysis at the assembly level: Assembly Value analysis result /* x=3; */ mov [ebp-4], 3 Mem[ebp-4]=3 lea eax, [ebp-4] eax = ebp-4 /* p = &x ;*/ mov [ebp-8], eax Mem[ebp-8] = ebp-4 mov eax, [ebp-8] eax = Mem[ebp-8] /* y = *p+4 ; */ mov eax, [eax] eax = Mem[Mem[ebp-8]] = Mem[ebp-4] add eax, 4 eax = Mem[ebp-4] + 4 mov [ebp-12], eax Mem[ebp-12] = eax = Mem[ebp-4] + 4 = 3 + 4 Mem[ebp-12] is untainted. Static analysis for exploitable vulnerability detection 10/43

  11. Adapted memory models Verification: detection of undefined behaviors separate regions (stack frames, block allocation, array . . . ) Vulnerability detection: exploitation of undefined behaviors memory layout representation (flat memory) Problems: value analysis : weak update/ strong update Symbolic reasoning : select ( store ( t , i , v ) , i ) = v select ( store ( t , i , v ) , j ) = select ( t , j , v ) if i � = j Static analysis for exploitable vulnerability detection 11/43

  12. Exploitability ⇒ Generalization of a crash adding constraints (PC corruption, writing a determined portion of memory ...).Example (12 loop traversals for rewriting the return address): p0 = dst0 // initialization and not (*src0=’\0’) and *p0=*src0 and p1=p0+1 and src1=src0+1 // ex. 1 ... ... and not(*src8=’\0’) and *p8=*src8 and p9=p8+1 and src9=src8+1 // ex. 9 and not(*src9=’\0’) and *p9=*src9 and p10=p9+1 and src10=src9+1 // ex. 10 and not(*src10=’\0’) and *p10=*src10 and p11=p10+1 and src11=src10+1 // ex. 11 and not(*src11=’\0’) and *p11=*src11 and p12=p11+1 and src12=src11+1 // ex. 13 and *src8=’A’and *src9=’B’and *src10=’C’ and *src11=’D’ // \@ payload and *src12=’\0’ and *p12=’\0’ AEG a new domain (Sean Heelan, David Brumley,BinSec). Challenges: how to generalize? memory models between flat models and fine-grained regions exploitability conditions for other vulnerabilities Static analysis for exploitable vulnerability detection 12/43

  13. Our approach ⇒ Identifying exploitable paths and building appropriate inputs Using static analysis in order to slice interesting behaviours structural patterns and static taint analysis Using static/dynamic analysis for exploitability condition Symbolic exploitability conditions and dependency Using concolic or genetic approach to produce inputs guided fuzzing ⇒ Buffer overflow : SERE11 (BO pattern), SAW’14 (inter-procedural static taint analysis), ECND10, SECTEST11 (fitness functions and mutations) ⇒ Prototype: IdaPro+REIL Static analysis for exploitable vulnerability detection 13/43

  14. Outline 1 Context Vulnerability detection process Static analysis 2 Use-after-free detection and exploitability Our approach Detection Exploitability Prototype 3 Conclusion Projects Bibliographie Static analysis for exploitable vulnerability detection 14/43

  15. Outline 1 Context Vulnerability detection process Static analysis 2 Use-after-free detection and exploitability Our approach Detection Exploitability Prototype 3 Conclusion Projects Bibliographie Static analysis for exploitable vulnerability detection 15/43

  16. Use after free : dangling pointer + access 1 2 typedef struct { 3 void (*f)(void); 4 } st; 5 6 void nothing () 7 { 8 printf("Nothing\n"); 9 } 10 11 int main(int argc , char * argv []) 12 { 13 st *p1; 14 char *p2; 15 p1=(st*) malloc(sizeof(st)); 16 p1 ->f=& nothing; 17 free(p1); // p1 freed 18 p2=malloc(strlen(argv [1])); // possible re -allocation 19 strcpy(p2 ,argv [1]); 20 p1 ->f(); // Use 21 return 0; 22 } Static analysis for exploitable vulnerability detection 16/43

  17. Motivations Motivations Use-After-Free more and more frequent (CVE-2014-0322 (internet explorer), CVE-2014-1512 (firefox,thunderbird)) Static approach for finding exploitable vulnerabilities → an adapted modelling of the heap 200 Broswer Number of CVE related to UaF Other 150 100 50 0 2 , 008 2 , 009 2 , 010 2 , 011 2 , 012 2 , 013 Years https://web.nvd.nist.gov/view/vuln/search , 4 june 2013 Static analysis for exploitable vulnerability detection 17/43

  18. State of art Specificity of UaF No easy ” pattern”(like for buffer overflow / string format) Trigger of several dispatched events (alloc/free/use) Strongly depends on the allocation/liberation strategy source level detection tools Binary code On binary code, state of the art focused more on dynamic analysis Fuzzing + custom allocator (AddressSanitizer) Exploit studied after UaF found (Undangle) New Microsoft protections for navigators (separated heaps, safe memory management) (June 2014) Static analysis for exploitable vulnerability detection 18/43

  19. Proposed approach Goal : extract subgraphs of CFG leading to exploitable Use-After-Free Approach 2 steps : Step 1 : Detection of Use-After-Free Value analysis Characterization of Use-After-Free Step 2 : Exploitability of Use-After-Free Determining possible re-allocations Exploitability condition (ongoing work) Semi-automatic : choice of allocation strategy properties Static analysis for exploitable vulnerability detection 19/43

  20. Outline 1 Context Vulnerability detection process Static analysis 2 Use-after-free detection and exploitability Our approach Detection Exploitability Prototype 3 Conclusion Projects Bibliographie Static analysis for exploitable vulnerability detection 20/43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

2.24k views • 169 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A

Static Analysis for Memory Safety Salvatore Guarnieri sammyg@cs.washington.edu Papers A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities Using static analysis and integer range analysis to find buffer overflows

1.33k views • 56 slides
What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21 Overview

1.3k views • 53 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

7/1/2019 Kaestner: Tax, Estate Planning, and Trust Administration Implications Handout materials are available for download or printing on the HANDOUT TAB on the gotowebinar console. If the tab is not open click on that tab to open it and

278 views • 23 slides
A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE Department, Rice University EuroSys 2017 How do we deal with complexity? 2 Modularization complex 1 2 3 4 system 3 Modularization 1

672 views • 26 slides
Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Compiler Infrastructure Systems and Internet Infrastructure Security

603 views • 23 slides
Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna

Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen , Aruna Balasubramanian, Anthony LaMarca, David Wetherall 1 Continuous sensing apps Step Counting Fall Detection Driver Monitor Theft Detection Healthcare apps:

743 views • 29 slides
Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web Applications Web Application <SCRIPT>...</SCRIPT> Attackers evil script executed using victims credentials Omer Tripp Marco

410 views • 6 slides
Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis Dr. Alexander von Rhein Alexander von Rhein Research Software Verification Software-Product-Line Analysis Taint-Analysis Consulting Software

894 views • 30 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013

735 views • 25 slides

More recommend