Taint Tracking (Oct 29, 2018, Prof. Raluca Ada Popa, slides adapted) - PowerPoint PPT Presentation



SLIDE 1

CS 261: Systems Security

Taint Tracking

Oct 29, 2018

Prof. Raluca Ada Popa

Slides adapted from Univ of Michigan 583 Fall 12

SLIDE 2

Announcements

Exam next Wednesday

» Open book
» All lectures except for this one

Presenter: Pasin

No writer, but we will post slides

SLIDE 3

Taint tracking

A commonly used tool in systems security

Helps track the flow of data through a program

In a nutshell:

» Data from sensitive sources (e.g., private or potentially malicious sources) is initially tainted
» Other data influenced by this data gets tainted too

SLIDE 4

Applications

Can be used in a number of ways:

Unknown Vulnerability Detection

» E.g. Taint Checking in Ruby and Perl
» Any data input from an outside user is tainted (e.g., suspicious)
» If it is used to set another variable, that gets tainted too
» If a tainted variable gets used directly in a SQL query or a system call, flag as problematic

Malware Analysis

» What is the software doing with sensitive data?
» Ex. TaintDroid
» Any data from a private source (e.g., text messages) is tainted
» Track where it is sent

SLIDE 5

Dynamic Taint Analysis

Track information flow through a program at runtime

Set a taint tracking policy:

Identify sources of taint – “TaintSeed”

» What are you tracking?

  • Untrusted input
  • Sensitive data

Taint Policy – “TaintTracker”

» Propagation of taint

Identify taint sinks – “TaintAssert”

» Taint checking

  • Special calls
  • Jump statements
  • Outside network

SLIDE 6

Taint Analysis in Action

SLIDE 7

Example Policy

Input:   t = IsUntrusted(src)
         ----------------------
         get_input(src) ↓ t

Taint seed example: Any input from an untrusted source is tainted

BinOp:   t1 = τ[x1],  t2 = τ[x2]
         ----------------------
         x1 + x2 ↓ t1 ∨ t2

Taint tracker example: For a binary operation, the taint of the result is the OR of the taints of the two operands

Taint assert: Any goto statement can only go to a nontainted address

Pgoto(ta) = ¬ta

(Must be true to execute)

SLIDE 8

10/29/2018

All You Ever Wanted to Know About Dynamic Taint Analysis

x = get_input( )
y = x + 42
…
goto y

Input is tainted

Δ / τ
  Var  Val  Tainted?
  x    7    T

TaintSeed

Input:   t = IsUntrusted(src)
         ----------------------
         get_input(src) ↓ t

SLIDE 9

x = get_input( )
y = x + 42
…
goto y

Data derived from user input is tainted

Δ / τ
  Var  Val  Tainted?
  x    7    T
  y    49   T

TaintTracker

BinOp:   t1 = τ[x1],  t2 = τ[x2]
         ----------------------
         x1 + x2 ↓ t1 ∨ t2

SLIDE 10

Policy Violation Detected

x = get_input( )
y = x + 42
…
goto y

Δ / τ
  Var  Val  Tainted?
  x    7    T
  y    49   T

TaintAssert

Pgoto(ta) = ¬ta

(Must be true to execute)

SLIDE 11

x = get_input( )
y = …
…
goto y

Helpful with buffer overflow:

…
strcpy(buffer, argv[1]);
…
return;

Jumping to overwritten return address

SLIDE 12

Pay attention to

False Negatives

» Use control flow to change a value without gathering taint

  Example: if (x == 0) y = 0; else if (x == 1) y = 1;

  Equivalent to y = x;

» Tainted index into a hardcoded table

  Policy: value translation is not tainted

» Hard to enumerate all sources of taint

False Positives

» Sanity checks not removing taint

  • Requires fine-tuning
  • Taint sanitization problem
  • Usually many and a lot of taint!
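
The false negatives and the sanitization false positive listed on this slide, worked through in code. This is an added example, not material from the lecture slides: the Tainted wrapper, the translation table TABLE, the check_range_naive / check_range_tuned sanitizers and the sink_flags check are all constructed here for illustration. The wrapper propagates taint only along explicit data flow (the BinOp rule), which is exactly why the control-flow copy and the table lookup escape it.

```python
# Added example (not from the slides): a value-level taint wrapper that shows
# the slide-12 gaps. Everything here is constructed for the demo.


class Tainted:
    """An integer that carries a taint bit through explicit data flow only."""

    def __init__(self, value: int, tainted: bool = False):
        self.value = value
        self.tainted = tainted

    @staticmethod
    def _lift(other) -> "Tainted":
        return other if isinstance(other, Tainted) else Tainted(other)

    def __add__(self, other) -> "Tainted":      # BinOp rule: OR of the operand taints
        o = self._lift(other)
        return Tainted(self.value + o.value, self.tainted or o.tainted)

    def __eq__(self, other) -> bool:            # a comparison yields a plain bool
        return self.value == self._lift(other).value

    def __hash__(self) -> int:
        return hash(self.value)


def explicit_flow(x: Tainted) -> Tainted:
    return x + 42                # data flow: taint follows the value


def implicit_flow(x: Tainted) -> Tainted:
    # Slide 12, false negative: y ends up equal to x, but only control flow
    # connects them, so no taint is gathered.
    if x == 0:
        y = Tainted(0)
    elif x == 1:
        y = Tainted(1)
    else:
        y = Tainted(-1)
    return y


TABLE = {0: ord("a"), 1: ord("b")}   # constructed hard-coded translation table


def table_lookup(x: Tainted) -> Tainted:
    # Slide 12, false negative: under the policy "value translation is not
    # tainted", a tainted index selects an untainted table entry.
    return Tainted(TABLE[x.value])


def check_range_naive(x: Tainted) -> Tainted:
    # Slide 12, false positive: the check passes but the taint survives,
    # so a later sink still flags the validated value.
    if not 0 <= x.value < len(TABLE):
        raise ValueError("index out of range")
    return x


def check_range_tuned(x: Tainted) -> Tainted:
    # The tuned sanitizer explicitly clears taint once the value is validated.
    if not 0 <= x.value < len(TABLE):
        raise ValueError("index out of range")
    return Tainted(x.value, tainted=False)


def sink_flags(v: Tainted) -> bool:
    """TaintAssert at a sink: True means the policy would raise an alarm."""
    return v.tainted


if __name__ == "__main__":
    x = Tainted(1, tainted=True)                       # constructed untrusted input
    print("explicit flow flagged:", sink_flags(explicit_flow(x)))      # True
    print("implicit flow flagged:", sink_flags(implicit_flow(x)))      # False
    print("table lookup flagged: ", sink_flags(table_lookup(x)))       # False
    print("naive check flagged:  ", sink_flags(check_range_naive(x)))  # True
    print("tuned check flagged:  ", sink_flags(check_range_tuned(x)))  # False
```

The two sanitizers differ only in whether validation clears the taint bit; a real tracker needs that kind of per-check tuning for every validation routine, which is the "taint sanitization problem" the slide names.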

SLIDE 13

How about loading from memory?

SLIDE 14

Memory Load

Variables (Δ, τ)
  Var  Val  Tainted?
  x    7    T

Memory (μ, τμ)
  Addr  Val  Tainted?
  7     42   F

SLIDE 15

Problem: Memory Addresses

x = get_input( )
y = load( x )
…
goto y

All values derived from user input are tainted??

Variables (Δ, τ)
  Var  Val  Tainted?
  x    7    T

Memory (μ, τμ)
  Addr  Val  Tainted?
  7     42   F

SLIDE 16

Policy 1:

Load:    v = Δ[x],  t = τμ[v]
         ----------------------
         load(x) ↓ t

Taint depends only on the memory cell

x = get_input( )
y = load( x )
…
goto y

Taint Propagation

Variables (Δ, τ)
  Var  Val  Tainted?
  x    7    T

Memory (μ, τμ)
  Addr  Val  Tainted?
  7     42   F

Jump target could be any untainted memory cell value

Undertainting: Failing to identify tainted values

  • e.g., missing exploits

SLIDE 17

jmp_table Policy Violation?

x = get_input( )
y = load( jmp_table + x % 2 )
…
goto y

Memory (jmp_table):
  printa
  printb

Address expression is tainted

Policy 2:

Load:    v = Δ[x],  t = τμ[v],  ta = τ[x]
         ----------------------------------
         load(x) ↓ t ∨ ta

If either the address or the memory cell is tainted, then the value is tainted

Taint Propagation

Overtainting: Unaffected values are tainted

  • e.g., flag exploits on safe inputs

SLIDE 18

General Challenge: State-of-the-Art is not perfect for all programs

Undertainting: Policy may miss taint

Overtainting: Policy may wrongly detect taint

SLIDE 19

Summary

  • Taint tracking can be used to track flow of private data or suspicious inputs
  • Further reading: All You Ever Wanted to Know About Dynamic Taint Analysis, Schwartz et al, Oakland 2010
  • Next up: Pasin on TaintDroid