taint nobody got time for crash
play

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage - PowerPoint PPT Presentation

Aug 04, 2023 •129 likes •583 views

Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input bytes influence the crash

  1. Taint Nobody Got Time for Crash Analysis

  2. Crash Analysis

  3. Triage Goals Execution Path ◦ What code paths were executed ◦ What parts of the execution interacted with external data Input Determination ◦ Which input bytes influence the crash Exploitability ◦ Does this crash have a security impact ◦ Read Access – Information Leak ◦ ASLR Bypass ◦ Write Access – Data Modification ◦ Credentials ◦ Control Flow ◦ Execute Access – Game Over

  4. Common Scenarios Fuzzing ◦ Spray ‘n Pray ◦ Grammar-based ◦ “Fuzzing with Code Fragments” Static Analysis ◦ Intra-procedural Analysis Tools ◦ Manual code review Third Party ◦ In-the-wild exploitation ◦ Vulnerability response teams ◦ Vulnerability brokers

  5. Existing Tools Execution Path ◦ Process Stalker, CoverIt (hexblog), BlockCov, IDA PIN Block Trace ◦ Bitblaze, Taintgrind, VDT Input Determination ◦ delta, tmin, diff Exploitability ◦ !exploitable ◦ CrashWrangler ◦ CERT Triage Tools

  6. Automation Methods Execution Path ◦ Code Coverage ◦ Taint Analysis Input Determination ◦ Slicing Exploitability ◦ Symbolic Execution ◦ Abstract Interpretation

  7. Automation Methods Execution Path ◦ Code Coverage ◦ Taint Analysis Input Determination ◦ Slicing Exploitability ◦ Symbolic Execution ◦ Abstract Interpretation

  8. Taint Analysis

  9. Concept Formally – Information Flow Analysis ◦ Type of dataflow analysis ◦ Can be static or dynamic, often hybrid ◦ Applied to track user controlled data through execution Methodology ◦ Define taint sources ◦ Single-step execution ◦ Apply taint propagation policy for each instruction ◦ Apply taint checks (if any)

  10. Concept Define Taint Sources ◦ Hook I/O Functions open() read() Look for defined taint source Check for tracked taint source id ◦ Look for taint sources Add descriptor to taint tracker Add memory addrs to taint tracker ◦ File name, network ip:port, etc ◦ Track tainted file descriptor ◦ Single-step main() ◦ Add future data reads from taint source descriptors to the taint tracking engine parse() single-step ◦ Apply taint policy on each tainted src operands propagate to dest instruction

  11. Concept Define Taint Sources E XPLICIT T AINT P ROPAGATION ◦ Hook I/O Functions A = TAINT() B = A ◦ Look for taint sources C = B + 1 D = C * B ◦ File name, network ip:port, etc E = *(D) ◦ Track tainted file descriptor ◦ Single-step I MPLICIT T AINT P ROPAGATION ◦ Add future data reads from taint source descriptors to A = TAINT() the taint tracking engine IF A > B: C = TRUE ◦ Apply taint policy on each ELSE: C = FALSE instruction

  12. Implementation Details We utilize a tracer forked from the Binary Analysis Platform from Carnegie-Mellon University to facilitate taint tracing ◦ Originally wrote separate PIN based tracer ◦ BAP’s tracer is also a Pintool ◦ Worked with the authors of BAP since early 2012 to improve the tracer so it performs acceptably against complex COTS software targets on Windows ◦ Added code coverage and memory dump collection to our private version PIN supplies a robust API and framework for binary instrumentation ◦ Supports easily hooking I/O functions for taint sources ◦ High performance single-stepping ◦ Supports instrumenting at instruction level for taint propagation / checks

  13. Implementation Details Taint Propagation Policy ◦ Tree of tainted references to registers and bytes of memory are individually tracked ◦ If input operands contain taint, propagate to all output operands ◦ No control flow tainting ◦ Optionally taint index registers ◦ All index registers for LEA instructions are tainted ◦ No support for MMX, Floating point FCMOV, SSE PREFETCH

  14. Taint Visualization Demo

  16. Design Considerations Taint Policy ◦ Implicit Information Flows ◦ Over-tainting ◦ Most common when applying implicit taint via control flow ◦ Under-tainting ◦ If control flow taint is ignored Performance ◦ Execution Speed ◦ Analysis on each instruction is expensive ◦ Avoid context switching ◦ Memory Overhead

  17. Trace Slicing

  18. Concept Trace slicing finds the sub-graph of dependencies between two nodes ◦ All nodes that influence or are influenced by specified node can be isolated ◦ Reachability Problem Forward Slicing ◦ Slice forward to determine instructions influenced by selected value Backward Slicing ◦ Slice backward to locate the instructions influencing a value ◦ Collect constraints to determine the degree of control over the value

  19. Concept Methodology ◦ Collect trace ◦ Convert native assembler to IL ◦ Select location and value of interest (register or memory address) ◦ Select direction of slice ◦ Follow dependencies in desired direction to produce sub-graph

  20. Forward Slicing S = {v} Slice forward to determine For each stmt in statements: If vars(stmt.rhs)  S !=  then instructions influenced by a value S := S  {stmt.lhs} else S := S – {stmt.lhs} Return S stmt S el_size , el_count, el_data = read() { el_size } total_size = el_size * el_count { el_size , total_size } buf = malloc( total_size ) {el_size, total_size } while count < el_count {el_size, total_size} offset = count * el_size { el_size , total_size, offset } data_offset = el_data + offset {el_size, total_size, offset , data_offset } buf_offset = buf + offset {el_size, total_size, offset , data_offset, buf_offset } memcpy(buf_offset, { el_size , total_size, offset, data_offset, data_offset , el_size ) buf_offset }

  21. Backward Slicing S = {v} Slice backward to locate the For each stmt in reverse(statements): If {stmt.lhs}  S !=  then instructions influencing a value S := S – {stmt.rhs} S := S  vars(stmt.rhs) Return S stmt S el_size, el_count, el_data = read() {data_offset, el_data , offset, count, el_size} total_size = el_size * el_count {data_offset, el_data, offset, count, el_size} buf = malloc(total_size) {data_offset, el_data, offset, count, el_size} while count < el_count {data_offset, el_data, offset, count, el_size} offset = count * el_size {data_offset, el_data, offset, count, el_size } data_offset = el_data + offset { data_offset , el_data , offset } buf_offset = buf + offset {data_offset} memcpy(buf_offset, { data_offset } data_offset , el_size)

  22. Implementation Details BAP includes an intermediate assembly language definition called BIL BIL expands each native assembly instruction into a sequence of micro operations that make native instruction side effects explicit We only have to handle assignments of the form var := exp We concretize the trace and convert to SSA to create uniqe labels for each assignment program ::= stmt * stmt ::= var := exp | jmp ( exp ) | cjmp ( exp,exp,exp ) | halt ( exp ) | assert ( exp ) | label label_kind | special (string)

  23. Implementation Details BAP includes an intermediate assembly language definition called BIL BIL expands each native assembly instruction into a sequence of micro operations that make native instruction side effects explicit We only have to handle assignments of the form var := exp We concretize the trace and convert to SSA to create uniqe labels for each assignment .text:08048887 mov edx, [edi+11223344h] ; .text:08048887 ; @context "R_EDX" = 0x1000, 0, u32, wr .text:08048887 ; @context "R_EDI" = 0x11, 1, u32, rd .text:08048887 ; @context "mem[0x11223355]" = 0x0, 0, u8, rd .text:08048887 ; @context "mem[0x11223356]" = 0x0, 0, u8, rd .text:08048887 ; @context "mem[0x11223357]" = 0x0, 0, u8, rd .text:08048887 ; @context "mem[0x11223358]" = 0x0, 0, u8, rd .text:08048887 ; label pc_0x8048887 .text:08048887 ; R_EDX:u32 = mem:?u32[R_EDI:u32 + 0x11223344:u32, e_little]:u32

  24. Backslice Demo

  25. Design Considerations Under-tainting Implicit Flows ◦ Backslice by “size” stops at node C because of a constant assignment ◦ “size” is implicitly dependent on e1, but not on e2 Over-tainting ◦ APIs that hold state created by a previously tainted value may indicate taint in later calls ◦ Inflates the trace size by including calls with untainted arguments ◦ Example: malloc(tainted_size) could permanently taint the allocator’s internal structures

  26. Symbolic Execution

  27. Concept Symbolic execution lets us “execute” a series of instructions without using concrete values for variables Instead of a numeric output, we get a formula for the output in terms of input variables that represents a potential range of values Given a crash state, analyze potential paths to find exploitable condition ◦ A path is exploitable if it meets prior path constraints and contains a tainted memory write or control transfer

  28. Concept Methodology ◦ Pick an initial state ◦ Trace taint until point of interest ◦ Store process state and memory image ◦ Choose desired future state ◦ Depth-First Search for all future states ◦ Encode program logic from initial state to future state into SMT formula ◦ Initialize values in the SMT formula with saved program state ◦ Replace one or more concrete values with symbolic value ◦ Solve formula with SMT solver

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Fatalities by time after crash 35% 31% (0-9 Min.) (90+ Min.) 34% (10-90 Min.) GSM/CDMA GPS

Fatalities by time after crash 35% 31% (0-9 Min.) (90+ Min.) 34% (10-90 Min.) GSM/CDMA GPS

Fatalities by time after crash 35% 31% (0-9 Min.) (90+ Min.) 34% (10-90 Min.) GSM/CDMA GPS Vehicle TSP Call Data Center 5 Voice Public Safety Answering Point Dispatc h Emergency Medical Service, Doctors, Air Rescue, Police,

96 views • 9 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash

FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash

Raphal Saint-Pierre, Tools Team Leader Ubisoft FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash Fix Close REAL WORKFLOW Crash Callstack Memdump Screenshot Duplicates ? Send bug to

369 views • 34 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England Olena.doran@uwe.ac.uk BPEX Workshop, Peterborough, 20 March 2013 Boar Taint An offensive odour in the meat of 5-10% of uncastrated male pigs Is

707 views • 22 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
Recursive Restarts for HA We have crash-only components now what? Reduce recovery time

Recursive Restarts for HA We have crash-only components now what? Reduce recovery time

1/14/2003 Recursive Restarts for HA We have crash-only components now what? Reduce recovery time by doing partial restarts: attempt recovery of a minimal subset of components What if restart ineffective? recover progressively

324 views • 3 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
Welcome to the Six-Figure Account Manager Crash Course 3 Strategies to Wrestle Back Your Time,

Welcome to the Six-Figure Account Manager Crash Course 3 Strategies to Wrestle Back Your Time,

Welcome to the Six-Figure Account Manager Crash Course 3 Strategies to Wrestle Back Your Time, and Grow Your Accounts Win More Customers, Presented by Dan Englander Who is Dan Englander? How I started Here is your proposal, sir!

1.35k views • 100 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture &amp; Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

CS 261: Systems Security Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall 12 Announcements Exam next Wednesday Open book All lectures except for this one Presenter: Pasin No writer, but

533 views • 19 slides
Purposely Divine Review What youve learned: See yourself as a soul/vibration Shift

Purposely Divine Review What youve learned: See yourself as a soul/vibration Shift

Purposely Divine Review What youve learned: See yourself as a soul/vibration Shift in Perspective Understanding the meaning of Purpose Lotttts of homework to get to know your soul! Purposely Divine - Danielle Paige

555 views • 23 slides
Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory

Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory

Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory Stanford University The Computer Security Crisis More systems are online, vulnerable Banking, Power, Water, Government

673 views • 56 slides
Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University Parsing JSON (in-class) Review: additional Ruby eval methods instance_eval evaluates code within the body of an

689 views • 43 slides
Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia,

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia,

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia, and Lujo Bauer Carnegie Mellon University *presenting Motivation Detect malicious apps that leak sensitive data. E.g., leak contacts list to

514 views • 26 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk Black Hat USA 2017, Las Vegas Agenda User kernel communication pitfalls in modern operating systems Introduction

1.21k views • 120 slides
SSS12 - HW3: TaintDroid Alexander Georgii-Hemming Cyon Andreas Cederholm Mathias Pedersen

SSS12 - HW3: TaintDroid Alexander Georgii-Hemming Cyon Andreas Cederholm Mathias Pedersen

SSS12 - HW3: TaintDroid Alexander Georgii-Hemming Cyon Andreas Cederholm Mathias Pedersen Magnus Bergman Mattias Uskali Carl Bjrkman Outline - What is TaintDroid? - Why TaintDroid? - Design challenges - Design of TaintDroid -

531 views • 26 slides

More recommend