statically informed dynamic analysis tools to detect
play

Statically-informed Dynamic Analysis Tools to Detect Algorithmic - PowerPoint PPT Presentation

Jul 12, 2023 •7 likes •327 views

learn invent impact Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities 16th IEEE Interna,onal Working Conference on Source Code Analysis and Manipula,on (SCAM 2016) October 2, 2016 Benjamin Holland,

  1. learn invent impact Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities 16th IEEE Interna,onal Working Conference on Source Code Analysis and Manipula,on (SCAM 2016) October 2, 2016 Benjamin Holland, Ganesh Ram Santhanam, Payas Awadhutkar, and Suresh Kothari Email: {bholland, gsanthan, payas, kothari}@iastate.edu Acknowledgement : Team members at Iowa State University and EnSoft, DARPA contracts FA8750-12-2-0126 & FA8750-15-2-0080 learn invent impact

  2. Mo Mo,va,o ,va,on n o DARPA Space/Time Analysis for Cybersecurity (STAC) program ⁻ Given a compiled Java bytecode program ⁻ Discover Algorithmic Complexity (AC) vulnerabili,es <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> XML Parser <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> … <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> Parsing a specially craVed input file of less than a kilobyte creates a string of 10 9 concatenated “lol” strings requiring approximately 3 gigabytes of memory. 2 learn invent impact

  3. Mo,va,o Mo ,va,on n o DARPA Space/Time Analysis for Cybersecurity (STAC) program ⁻ Given a compiled Java bytecode program ⁻ Discover Algorithmic Complexity (AC) vulnerabili,es ⁻ Vulnerabili,es are defined with respect to a budget Example: Max input size 1kb, execu,on ,me exceeds 300s on a given reference • plaWorm 3 learn invent impact

  4. Over Overvi view ew o Approach o Sta,c and Dynamic Analysis Tools o Sta,c loop analysis o Instrumenta,on and dynamic analysis o Case Study o Walkthrough analysis o Q/A 4 learn invent impact

  5. Ap Approa oach ch o Algorithmic complexity (AC) vulnerabili,es are rooted in the space and ,me complexi,es of externally-controlled execu,on paths with loops. ⁻ Exis,ng tools for compu,ng the loop complexity are limited and cannot prove termina,on for several classes of loops. ⁻ At the extreme, a completely automated detec,on of AC vulnerabili,es amounts to solving the intractable hal,ng problem. o Key Idea: Combine human intelligence with sta,c and dynamic analysis to achieve scalability and accuracy. ⁻ A lightweight sta,c analysis is used for a scalable explora,on of loops in bytecode from large so\ware, and an analyst selects a small subset of these loops for further evalua,on using a dynamic analysis for accuracy. 5 learn invent impact

  6. Vu Vulner erability Det y Detec, ec,on on Pr Proces ocess 1. Automated Explora7on: Iden,fy loops, pre-compute their crucial a]ributes such as intra- and inter-procedural nes,ng structures and depths, and termina,on condi,ons. 2. Hypothesis Genera7on: Through an interac,ve inspec,on of the pre- computed informa,on the analyst hypothesizes plausible AC vulnerabili,es and selects candidate loops for further examina,on using dynamic analysis. 3. Hypothesis Valida7on: The analyst inserts probes and creates a driver to exercise the program by feeding workloads to measure resource consump,on for the selected loops. 6 learn invent impact

  7. Sta,cally-informe med Dynami mic Analysis (SID) Tools o Loop Call Graph (LCG) ⁻ Recovers loop headers in bytecode using the DLI algorithm [Wei SAS 2007] ⁻ Combines call rela,onships to produce a compact visual model to explore intra- and inter-procedural nes,ng structures of loops. ⁻ Constructed sta,cally, interac,ve, expandable, corresponds to source o Time Complexity Analyzer (TCA) ⁻ A dynamic analyzer that enables the analyst to automa,cally instrument the selected loops with resource usage probes ⁻ Skeleton driver genera,on ⁻ Linear regression to es,mate complexity 7 learn invent impact

  8. Lo Loop Call G p Call Graph raph Nodes Nod es: - Methods containing loops (blue) - Methods reaching methods containing loops (white) Edges: Ed - Call rela,onships - Color a]ributes to show placement of call site in loop Ca Called ed In Inside Loop e Loop Called Ca ed Ou Outside Loop e Loop 8 learn invent impact

  9. Control Fl Flow Loop View o Loop levels are shaded darker for each nes,ng level o Branch condi,on coloring ⁻ Red is false ⁻ Green is true o Loop back edge is grey o Uncondi,onal is black 9 learn invent impact

  10. els – Trad In Interac, erac,ve Grap ve Graph Mod Models Tradi, i,on onal Call Grap al Call Graph 0-Level Call graph CFG Call Graph “smart view” 10 learn invent impact

  11. els – Trad In Interac, erac,ve Grap ve Graph Mod Models Tradi, i,on onal Call Grap al Call Graph Complete Call Graph Call Graph “smart view” 11 learn invent impact

  12. els – Lo In Interac, erac,ve Grap ve Graph Mod Models Loop Call G p Call Graph (Ex raph (Expandable) pandable) expandable Loop Call Graph “smart view” 12 learn invent impact

  13. els – Loop In Interac, erac,ve Grap ve Graph Mod Models Loop Call Grap Call Graph Vulnerability 13 learn invent impact

  14. Time me Comp mplexity Analyzer o Analyst picks entry point in the app using Loop Call Graph (LCG) view ⁻ LCG: Induced subgraph of reachable methods that contain loops o Analyst selects methods from the LCG view to instrument ⁻ Probe choices: Itera,on counters & Wall clock ,mers o Automa,c probe inser,on into Jimple & reassembly into bytecode o Automa,c driver skeleton genera,on ⁻ Analyst fills in the driver with code that provides test input o Automa,c plot of the collected measurements for the given test input 14 learn invent impact

  15. TCA Instrume menta,on o Itera,on Counters ⁻ Tracks the number of ,mes a loop header is executed ⁻ PlaWorm independent, repeatable o Wall Clock Timers ⁻ Uses ,mestamps to measure the cumula,ve ,me spent in a loop ⁻ More prone to noisy and inaccuracy, but s,ll useful Consider: caching or garbage collec,on side effects on the run,me • o Probes are inserted a\er selected loop headers 15 learn invent impact

  16. Driver Genera,o Driver G enera,on n o Generates driver “skeleton” with callsites to target methods o Workload is provided by the user ⁻ Workload should map inputs to a “workload size” 16 learn invent impact

  17. Comp mplexity Analysis o Plots results on a log-log scale Linear vs. Binary Inserhon Sort Performance on Random Data o Linear regression to fit 30 measurements linear, slope = 1.83, R 2 = 0.99 � 25 binary, slope = 1.23, R 2 = 0.99 o R 2 error value log(counter) 20 o A slope of m on the log-log plot 15 indicates the measured empirical 10 complexity of n m . 5 0 0 2 4 6 8 10 12 14 16 o Poten,al use in educa,on for log(input size) comparing empirical complexi,es of two algorithms 17 learn invent impact

  18. Walkthrough of Blogger 18 learn invent impact www.ece.iastate.edu learn learn invent impact

  19. Blogger Walkthrough/Workflow Analyst Goal – Find most expensive loops reachable in the app – Verify if they violate resource consump,on limit within the budget Demo: SID tools used to find AC vulnerability – Loop Call Graph: Find loops reachable from points of interest – Smart Views: On-demand composable analysis – Time Complexity Analyzer: Measure run,me performance of loops for inputs within budget 19 learn invent impact www.ece.iastate.edu learn learn invent impact

  20. Blogger > How we found the AC vulnerability 1. Follow call graphs from entry point to code that serves client requests – Call graph from JavaWebServer.main() is too large – No,ce that JDK APIs are used to start Threads – Look at reverse call graph from Thread.start() to see what threads are started 2. Iden,fy use of threads in applica,on server design – ServerRunnable is listener thread – ClientHandler is request processor thread 3. Iden,fy loops reachable from ClientHandler using LCG – Narrow down scope of vulnerability to 25 of the 422 methods 4. Formulate & Validate Hypothesis – Run dynamic analysis informed by LCG to find method causing vulnerability 20 learn invent impact www.ece.iastate.edu www.ece.iastate.edu learn learn invent impact learn learn invent impact

  21. Step 1 – Locate use of Threads Zooming into leaves of call graph from JavaWebServer.main() shows JDK APIs are used to start Threads NanoHTTPD is a threaded web server. Q. Where are threads started in the app? Which threads handle client requests? 21 learn invent impact www.ece.iastate.edu www.ece.iastate.edu learn learn invent impact learn learn invent impact

  22. Step 2 – ClientHandler Thread Handlers HTTP requests ClientHandler handles client requests Forward call graph from ClientHandler.run() is s,ll large: 483 nodes, 1135 edges Q. What loops in the app are reachable from ClientHandler.run() ? learn invent impact www.ece.iastate.edu www.ece.iastate.edu learn learn invent impact

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Approximate Analysis of pproximate Analysis of Statically Indeterminate Statically Indeterminate

Approximate Analysis of pproximate Analysis of Statically Indeterminate Statically Indeterminate

Approximate Analysis of pproximate Analysis of Statically Indeterminate Statically Indeterminate Structures Structures Every successful structure must be capable of reaching stable equilibrium under its applied loads, regardless of

470 views • 32 slides
Introduction to Statically Introduction to Statically Indeterminate Indeterminate Analysis

Introduction to Statically Introduction to Statically Indeterminate Indeterminate Analysis

Introduction to Statically Introduction to Statically Indeterminate Indeterminate Analysis Indeterminate Indeterminate Analysis Analysis nalysis S pport reactions and internal Support reactions and internal forces of statically determinate

887 views • 60 slides
Introduction to Introduction to Statically Statically c ompatibility relationships ,

Introduction to Introduction to Statically Statically c ompatibility relationships ,

Additional equations come from Introduction to Introduction to Statically Statically c ompatibility relationships , Indeterminate Analysis Indeterminate Analysis which ensure continuity of displacements throughout the structure . The

402 views • 15 slides
Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic memory 2013/2014B Subjects Introducing shape analysis TVLA method Cutpoint-free method Separation logic method Conclusion &amp;

1.38k views • 70 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Statically vs. Dynamically typed languages

251 views • 9 slides
Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline

Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline

Program Analsysis Tools Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline Program Analsysis Tools Analysis Tools Static Analysis style checkers data flow analysis Dynamic Analysis

937 views • 45 slides
Dynamic analysis tools considered difficult (to write) Stephen Kell stephen.kell@usi.ch

Dynamic analysis tools considered difficult (to write) Stephen Kell stephen.kell@usi.ch

Dynamic analysis tools considered difficult (to write) Stephen Kell stephen.kell@usi.ch University of Lugano including joint work with Danilo Ansaloni, Yudi Zheng, Walter Binder (U. Lugano) Lubom r Bulej, Luk a s Marek, Petr T

459 views • 42 slides
Zhao-Bang Zeng Develop computa?onal tools for the whole pipeline data analysis. Build

Zhao-Bang Zeng Develop computa?onal tools for the whole pipeline data analysis. Build

GT4SP (Genomic Tools for Sweetpotato Improvement) https://sweetpotatogenomics.cals.ncsu.edu/ Zhao-Bang Zeng Develop computa?onal tools for the whole pipeline data analysis. Build rela?onship Genomics-informed Filter out between genome Ma?ng

330 views • 6 slides
Motivation We reason about programs statically, but we are really trying to make predictions

Motivation We reason about programs statically, but we are really trying to make predictions

Motivation We reason about programs statically, but we are really trying to make predictions about their dynamic behaviour. Why not examine this behaviour directly? It isnt generally feasible (e.g. termination, inputs) to run an entire

559 views • 27 slides
Plan Resist IR Detect Logs Endpoint Network **Challenges Host Check Push Tools Run

Plan Resist IR Detect Logs Endpoint Network **Challenges Host Check Push Tools Run

Plan Resist IR Detect Logs Endpoint Network **Challenges Host Check Push Tools Run Collections IRFartpull.ps1 7zip compress collection Pull collection package Analysis System Target System **Preparation **Preparation

545 views • 26 slides
PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis Tools with Easy-to-use Dynamic Instrumentation Portable Transparent Luk et al PLDI 2005 Efficient Presented by Godmar Back

223 views • 5 slides
Dynamic Motion Simulation ME 24-688 Introduction to CAD/CAE Tools Lecture Topics Dynamic

Dynamic Motion Simulation ME 24-688 Introduction to CAD/CAE Tools Lecture Topics Dynamic

Week 11 - Lecture Dynamic Motion Simulation ME 24-688 Introduction to CAD/CAE Tools Lecture Topics Dynamic Simulation Overview Common Use Cases and Terms Dynamic Simulation Workflow Joint Properties and Types Dynamic

575 views • 40 slides
Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, &quot;Software Unit Test Coverage and Adequacy,&quot; ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
dynamic, patient-tailored method to detect abnormal laboratory test results PhD Student: Paolo

dynamic, patient-tailored method to detect abnormal laboratory test results PhD Student: Paolo

Development and preliminary validation of a dynamic, patient-tailored method to detect abnormal laboratory test results PhD Student: Paolo FraccaroMEng. Supervisors: Iain Buchan MD, FFPH, FACMI; Niels Peek PhD. External supervisor: Mattia

326 views • 13 slides
Generative and Discriminative Methods for Online Adaptation in SMT aschle , P. Simianer ,

Generative and Discriminative Methods for Online Adaptation in SMT aschle , P. Simianer ,

Generative and Discriminative Methods for Online Adaptation in SMT aschle , P. Simianer , N. Bertoldi , S. Riezler , K. W M. Federico Department of Computational Linguistics, Heidelberg University, Germany FBK, Trento,

907 views • 41 slides
Oregon Learns K-12 Achievement C Compact t Implementation p Oregon Education Investment

Oregon Learns K-12 Achievement C Compact t Implementation p Oregon Education Investment

Oregon Learns K-12 Achievement C Compact t Implementation p Oregon Education Investment Board April 12 2012 April 12, 2012 1 29% 29% 30% 30% 40% 40% 17% 18% 40% 41% 41% 42% 42% 20% 13% 13% 10% 10% All working-age Young

202 views • 19 slides
AN INTRODUCTION TO MICROSOFT SMALL BASIC RUSTY KEELE UETN TECH SUMMIT 2019 INTRODUCTION

AN INTRODUCTION TO MICROSOFT SMALL BASIC RUSTY KEELE UETN TECH SUMMIT 2019 INTRODUCTION

AN INTRODUCTION TO MICROSOFT SMALL BASIC RUSTY KEELE UETN TECH SUMMIT 2019 INTRODUCTION TODAYS PLAN History lesson: BASIC language What Small Basic is and isnt How to get Small Basic A Demonstration Resources for

799 views • 32 slides
South Carolina Electric &amp; Gas Company p y Virgil C. Summer Nuclear Station Units 2 and 3

South Carolina Electric &amp; Gas Company p y Virgil C. Summer Nuclear Station Units 2 and 3

Exhibit SCE000013 South Carolina Electric &amp; Gas Company p y Virgil C. Summer Nuclear Station Units 2 and 3 Combined Licenses Mandatory Hearing October 12-13, 2011 Safety Panel 1 Amy Monroe (SCE&amp;G) Amy Monroe (SCE&amp;G)

186 views • 14 slides
Connection between g 2, EDMs, CLFV and LHC Paride Paradisi University of Padua EPS 2015

Connection between g 2, EDMs, CLFV and LHC Paride Paradisi University of Padua EPS 2015

Connection between g 2, EDMs, CLFV and LHC Paride Paradisi University of Padua EPS 2015 10-15 August 2015 Rio de Janeiro, Brazil Paride Paradisi (University of Padua) Connection between g 2, EDMs, CLFV and LHC EPS 2015 1 / 21 Open

359 views • 21 slides
Andrea Raponi Andrea Raponi SUMMARY 1. Problems with the Classical Method 2. Understanding the

Andrea Raponi Andrea Raponi SUMMARY 1. Problems with the Classical Method 2. Understanding the

Andrea Raponi Andrea Raponi SUMMARY 1. Problems with the Classical Method 2. Understanding the Light Curve of the Bead 2. Understanding the Light Curve of the Bead 3 3. An application of the revised method A li ti f th i d th d 1.

323 views • 17 slides
Estimating the In use Steel Stock of Ci il Civil Engineering and Building in China i i d

Estimating the In use Steel Stock of Ci il Civil Engineering and Building in China i i d

Estimating the In use Steel Stock of Ci il Civil Engineering and Building in China i i d ildi i Chi via Nighttime Light via Nighttime Light Feng Chi, Hsu (David) 1 ; Feng Chi, Hsu (David) ; Christopher D. Elvidge 2 ; Yasunari Matsuno

286 views • 17 slides
W l Welcome! ! The webinar will begin at The webinar will begin at 2:00 Eastern/11:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 2:00 Eastern/11:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 2:00 Eastern/11:00 Pacific Audio Tips Todays audio is streaming to your computers speakers or headphones. Too loud or soft? Adjust volume level in the Audio broadcast

531 views • 32 slides

More recommend