symbolic execution
play

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 - PowerPoint PPT Presentation

Sep 13, 2023 •287 likes •1.17k views

Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto

  1. Rooting Routers Using Symbolic Execution Mathy Vanhoef — @vanhoefm HITB DXB 2018, Dubai, 27 November 2018

  2. Overview Symbolic Execution 4-way handshake Handling Crypto Results 2

  3. Overview Symbolic Execution 4-way handshake Handling Crypto Results 3

  4. Symbolic Execution Mark data as symbolic void recv(data, len) { Symbolic branch if (data[0] != 1) return if (data[1] != len) return int num = len/data[2] ... } 4

  5. Symbolic Execution data[0] != 1 data[0] == 1 void recv(data, len) { void recv(data, len) { if (data[0] != 1) if (data[0] != 1) return return if (data[1] != len) if (data[1] != len) return return int num = len/data[2] int num = len/data[2] ... ... } } 5

  6. Symbolic Execution PC = Path data[0] != 1 data[0] == 1 Constraint Continue execution: if (data[1] != len) 6

  7. Symbolic Execution data[0] != 1 data[0] == 1 && data[0] == 1 && data[1] != len data[1] == len Continue execution 7

  8. Symbolic Execution data[0] == 1 && data[1] == len void recv(data, len) { if (data[0] != 1) Yes! Bug detected! return if (data[1] != len) return Can data[2] equal zero int num = len/data[2] under the current PC? ... 8

  9. Implementations We build upon KLEE › Works on LLVM bytecode › Actively maintained Practical limitations: › 𝑞𝑏𝑢ℎ𝑡 = 2 |𝑗𝑔−𝑡𝑢𝑏𝑢𝑓𝑛𝑓𝑜𝑢𝑡| › Infinite-length paths › SMT query complexity 9

  10. Overview Symbolic Execution 4-way handshake Handling Crypto Results 10

  11. Motivating Example Mark data as symbolic void recv(data, len) { Summarize crypto algo. plain = decrypt(data, len) (time consuming) if (plain == NULL) return Analyze crypto algo. if (plain[0] == COMMAND) (time consuming) process_command(plain) else Won’t reach this function! ... } 11

  12. Efficiently handling decryption? Decrypted output = fresh symbolic variable 12

  13. Example Mark data as symbolic void recv(data, len) { Create fresh plain = decrypt(data, len) symbolic variable if (plain == NULL) return if (plain[0] == COMMAND) Normal analysis process_command(plain) else  Can now analyze code ... that parses decrypted data } 13

  14. Other than handling decryption Handling hash functions › Output = fresh symbolic variable › Also works for HMACs (Message Authentication Codes) Tracking use of crypto primitives? › Record relationship between input & output › = Treat fresh variable as information flow taint 14

  15. Detecting Crypto Misuse Timing side-channels › ∀(𝑞𝑏𝑢ℎ𝑡) : all bytes of MAC in path constraint? › If not: comparison exits on first byte difference Decryption oracles › Behavior depends on unauth. decrypted data › Decrypt data is in path constraint, but not in MAC 15

  16. Overview Symbolic Execution 4-way handshake Handling Crypto Results 16

  17. The 4-way handshake Used to connect to any protected Wi-Fi network Negotiates fresh PTK: Mutual authentication pairwise transient key 17

  18. 4-way handshake (simplified) 18

  19. 4-way handshake (simplified) 19

  20. 4-way handshake (simplified) PTK = Combine(shared secret, ANonce, SNonce) 20

  21. 4-way handshake (simplified) 21

  22. 4-way handshake (simplified) 22

  23. 4-way handshake (simplified) Encrypted with PTK 23

  24. 4-way handshake (simplified) 24

  25. 4-way handshake (simplified) 25

  26. 4-way handshake (simplified) Authenticated with a MAC 26

  27. We focus on the client Symbolic execution of Intel’s iwd deamon wpa_supplicant kernel driver How to get these working under KLEE? 27

  28. Intel’s iwd Avoid running full program under KLEE › Would need to model Wi-Fi stack symbolically Our approach › iwd contains unit test for the 4-way handshake › Reuse initialization code of unit test! › Symbolically execute only receive function 28

  29. wpa_supplicant Unit test uses virtual Wi-Fi interface › Would again need to simulate Wi- Fi stack… Alternative approach: › Write unit test that isolates 4-way handshake like iwd › Then symbolically execute receive function! › Need to modify code of wpa_supplicant (non-trivial) 29

  30. MediaTek’s Driver No unit tests & it’s a Linux driver › Symbolically executing the Linux kernel?! Inspired by previous cases › Write unit test & simulate used kernel functions in userspace › Verify that code is correctly simulated in userspace › Again symbolically execute receive function! 30

  31. Not all our unit tests have clean code https://github.com/vanhoefm/woot2018 31

  32. Overview Symbolic Execution 4-way handshake Handling Crypto Results 32

  33. Discovered Bugs I Timing side-channels › Authenticity tag not checked in constant time › MediaTek and iwd are vulnerable Denial-of-service in iwd › Caused by integer underflow › Leads to huge malloc that fails 33

  34. Discovered Bugs II Buffer overflow in MediaTek kernel module › Occurs when copying the group key › Remote code execution (details follow) Flawed AES unwrap crypto primitive › Also in MediaTek’s kernel driver › Manually discovered 34

  35. Decryption oracle in wpa_supplicant Decryption oracle: › Authenticity of Msg3 not checked › But decrypts and processes data  Decrypt group key in Msg3 (details follow) 35

  36. Rooting Routers: Buffer overflow in MediaTek kernel module 36

  37. MediaTek buffer overflow preconditions I Triggered when the client processes Msg3 › Adversary needs password of network › Examples: Wi-Fi at conferences, hotels, etc. 37

  38. MediaTek buffer overflow preconditions II Which clients use the MediaTek driver? › Not part of Linux kernel source tree › Used in repeater modes of routers Our target: › RT-AC51U running Padavan firmware › Original firmware has no WPA2 repeater 38

  39. Popularity of Padavan firmware 39

  40. Popularity of Padavan firmware We exploit this version 40

  41. The vulnerable code (simplified) void RMTPParseEapolKeyData(pKeyData, KeyDataLen, MsgType) { UCHAR GTK[MAX_LEN_GTK]; if (MsgType == PAIR_MSG3 || MsgType == GROUP_MSG_1) { PKDE_HDR *pKDE = find_tlv(pKeyData, KeyDataLen, WPA2GTK); GTK_KDE *pKdeGtk = (GTK_KDE*)pKDE->octet; UCHAR GTKLEN = pKDE->Len – 6; NdisMoveMemory(GTK, pKdeGtk->GTK, GTKLEN); } APCliInstallSharedKey(GTK, GTKLEN); } 41

  42. The vulnerable code (simplified) void RMTPParseEapolKeyData(pKeyData, KeyDataLen, MsgType) { UCHAR GTK[MAX_LEN_GTK]; if (MsgType == PAIR_MSG3 || MsgType == GROUP_MSG_1) { PKDE_HDR *pKDE = find_tlv(pKeyData, KeyDataLen, WPA2GTK); GTK_KDE *pKdeGtk = (GTK_KDE*)pKDE->octet; UCHAR GTKLEN = pKDE->Len – 6; NdisMoveMemory(GTK, pKdeGtk->GTK, GTKLEN); } APCliInstallSharedKey(GTK, GTKLEN); } 42

  43. The vulnerable code (simplified) void RMTPParseEapolKeyData(pKeyData, KeyDataLen, MsgType) { UCHAR GTK[MAX_LEN_GTK]; if (MsgType == PAIR_MSG3 || MsgType == GROUP_MSG_1) { Len controlled by attacker PKDE_HDR *pKDE = find_tlv(pKeyData, KeyDataLen, WPA2GTK); GTK_KDE *pKdeGtk = (GTK_KDE*)pKDE->octet; UCHAR GTKLEN = pKDE->Len – 6; NdisMoveMemory(GTK, pKdeGtk->GTK, GTKLEN); } Destination buffer 32 bytes d APCliInstallSharedKey(GTK, GTKLEN); } 43

  44. Main exploitation steps • Code execution in kernel • Obtain a process context • Inject shellcode in process • Run injected shellcode 44

  45. Main exploitation steps • Code execution in kernel • Obtain a process context • Inject shellcode in process • Run injected shellcode 45

  46. Gaining kernel code execution How to control return address & where to return? › Kernel doesn’t use stack canaries › Kernel stack has no address randomization › And the kernel stack is executable Return to shellcode on stack & done? 46

  47. Gaining kernel code execution How to control return address & where to return? › Kernel doesn’t use stack canaries › Kernel stack has no address randomization › And the kernel stack is executable Return to shellcode on stack & done? Nope… our shellcode crashes 47

  48. Problem: cache incoherency on MIPS Memory … old stack data … Data cache … old stack data … 48

  49. Problem: cache incoherency on MIPS Memory … old stack data … Fetch Data cache Instruction cache … … shellcode <no cached entry> … … 49

  50. Problem: cache incoherency on MIPS Memory … old stack data … Fetch Data cache Instruction cache … … shellcode old stack data … … 50

  51. Solution: flush cache after write Memory … old stack data … Flush Data cache Instruction cache … … shellcode <no cached entry> … … 51

  52. Solution: flush cache after write Memory … shellcode … Flush Fetch Data cache Instruction cache … … shellcode <no cached entry> … … 52

  53. Solution: flush cache after write Memory … shellcode … Flush Fetch Data cache Instruction cache … … shellcode shellcode … … 53

  54. How to flush the cache? Execute kernel function to flush cache › Rely on Return Oriented Programming (ROP) › Use mipsrop tool of Craig Heffner  Building ROP chain is tedious but doable 54

  55. Main exploitation steps • Code execution in kernel • Obtain a process context • Inject shellcode in process • Run injected shellcode 55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Planning in Context Planning in the Context of Domain Modelling, Task Assignment and Execution

Planning in Context Planning in the Context of Domain Modelling, Task Assignment and Execution

http://www.inf.ed.ac.uk/teaching/courses/plan/ Planning in Context Planning in the Context of Domain Modelling, Task Assignment and Execution Literature O-Plan Papers http://www.aiai.ed.ac.uk/project/oplan/ Tate, A., Dalton, J. and

634 views • 15 slides
t r t

t r t

t r t r r tts ts r

1.14k views • 46 slides
GNOME for system administrators Jessie edition Mini Debconf Lyon 2015 12 april 2015

GNOME for system administrators Jessie edition Mini Debconf Lyon 2015 12 april 2015

GNOME for system administrators Jessie edition Mini Debconf Lyon 2015 12 april 2015 Introduction Debian is awesome to use in a 1000+ machines environment Automated deployment tools Customization: custom APT repositories

538 views • 28 slides
Positive TAGED with a Bounded Number of Constraints P.-C. Ham, Vincent Hugot, O. Kouchnarenko

Positive TAGED with a Bounded Number of Constraints P.-C. Ham, Vincent Hugot, O. Kouchnarenko

On Positive TAGED with a Bounded Number of Constraints P.-C. Ham, Vincent Hugot, O. Kouchnarenko {pheam,vhugot,okouchna}@femto-st.fr University of Franche-Comt DGA &amp; INRIA/CASSIS &amp; FEMTO-ST (DISC) July 2, 2013 Introduction

758 views • 71 slides
Encryption and Forensics/Data Hiding Cryptography Background See:

Encryption and Forensics/Data Hiding Cryptography Background See:

1 Encryption and Forensics/Data Hiding Cryptography Background See: http://www.cacr.math.uwaterloo.ca/hac/ For more information 2 Security Objectives Confidentiality (Secrecy): Prevent/Detect/Deter improper disclosure of information

673 views • 35 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 3 User Authentication KTH DD2395 Sonja Buchegger 1 User Authentication KTH DD2395 Sonja Buchegger 2 User

485 views • 27 slides
High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December

High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December

RUHR-UNIVERSITT BOCHUM High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December 2014 Horst Grtz Institute for IT-Security Ruhr University Bochum Friedrich Wiemer and Ralf Zimmermann Friedrich Wiemer

484 views • 29 slides
Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst

Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst

Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst Introduction Michal Novotn Malware Researcher &amp; Security Analyst at &amp; Co-founder and member of E-mail: michal.novotny@greycortex.com

454 views • 21 slides

More recommend