Transcript 幻灯片 1 - SJTU

Detecting Integer Overflow
Vulnerabilities in Binaries
Presented by
Ruoyu Zhang
Index
•Author & Conference & CitedBy
•Motivation & Background
•System & implementation
•Experiment Result
•Related Research
Authors
TieLei Wang
Interested in binary program analysis, reverse
engineering and fuzzing.
Detected many vulnerabilities in some popular
applications:
CVE‐2009-2989, CVE-2009-2995
CVE-2009-1882, CVE-2009-2660
CVE-2009-2347, CVE-2009-2688
….
Authors
Publications:
• A New Algorithm for Identifying Loops in
Decompilation
SAS 07
• Particle Filtering for Adaptive Sensor Fault
Detection and Identification.
ICRA 06
Conference
NDSS
Cross Site Scripting Prevention with Dynamic Data Tainting and
Static Analysis.
RICH: Automatically Protecting Against Integer-Based
Vulnerabilities.
Noncespaces: Using Randomization to Enforce Information Flow
Tracking and Thwart Cross-Site Scripting Attacks.
Conference
NDSS
Cross Site Scripting Prevention with Dynamic Data Tainting and
Static Analysis.
Cross-site scripting (XSS) is an attack against web applications in which
scripting code is injected into the output of an application that is then sent
to a user’s web browser. In the browser, this scripting code is executed
and used to transfer sensitive data to a third party (i.e., the attacker).
Currently, most approaches attempt to prevent XSS on the server side by
inspecting and modifying the data that is exchanged between the web
application and the user. Unfortunately, it is often the case that vulnerable
applications are not fixed for a considerable amount of time, leaving the
users vulnerable to attacks. The solution presented in this paper stops
XSS attacks on the client side by tracking the flow of sensitive information
inside the web browser. If sensitive information is about to be transferred
to a third party, the user can decide if this should be permitted or not. As a
result, the user has an additional protection layer when surfing the web,
without solely depending on the security of the web application.
Conference
NDSS
RICH: Automatically Protecting Against Integer-Based Vulnerabilities.
We present the design and implementation of RICH (Run-time Integer C
Hecking), a tool for efficiently detecting integer-based attacks against C
programs at run time. C integer bugs, a popular avenue of attack and frequent
programming error [1–15], occur when a variable value goes out of the range of
the machine word used to materialize it, e.g. when assigning a large 32-bit int to
a 16-bit short. We show that safe and unsafe integer operations in C can be
captured by well-known sub-typing theory. The RICH compiler extension
compiles C programs to object code that monitors its own execution to detect
integer-based attacks. We implemented RICH as an extension to the GCC
compiler and tested it on several network servers and UNIX utilities. Despite the
ubiquity of integer operations, the performance overhead of RICH is very low,
averaging about 5%. RICH found two new integer bugs and caught all but one
of the previously known bugs we tested. These results show that RICH is a
useful and lightweight software testing tool and run-time defense mechanism.
RICH may generate false positives when programmers use integer overflows
deliberately, and it can miss some integer bugs because it does not model
certain C features.
Conference
NDSS
Noncespaces: Using Randomization to Enforce Information Flow Tracking
and Thwart Cross-Site Scripting Attacks.
Cross-site scripting (XSS) vulnerabilities are among the most common and
serious web application vulnerabilities. Eliminating XSS is challenging because it
is difficult for web applications to sanitize all user inputs appropriately. We
present Noncespaces, a technique that enables web clients to distinguish
between trusted and untrusted content to prevent exploitation of XSS
vulnerabilities. Using Noncespaces, a web application randomizes the XML
namespace prefixes of tags in each document before delivering it to the client. As
long as the attacker is unable to predict the randomized prefixes, the client can
distinguish between trusted content created by the web application and untrusted
content provided by an attacker. To implement Noncespaces with minimal
changes to web applications, we leverage a popular web application architecture
to automatically apply Noncespaces to static content processed through a
popular PHP template engine. We show that with simple policies Noncespaces
thwarts popular XSS attack vectors.
CitedBy
Dynamic test generation to find integer bugs in X86 binary linux
programs.
Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux
BRICK: A Binary Tool for Run-time Detecting and Locating Integerbased vulnerability.
Dynamic Test Generation for Large Binary Programs
CVE‐2008-5238 (Xine)
an untrusted
source
……
if (version == 4) {
const uint16_t sps = _X_BE_16 (this->header+44) ? : 1;
this->w
= _X_BE_16 (this->header+42);
this->h
= _X_BE_16 (this->header+40);
this->cfs
= _X_BE_32 (this->header+24);
an integer
overflow
this->frame_len = this->w * this->h;
this->frame_size = this->frame_len * sps;
this->frame_buffer = calloc(this->frame_size, 1);
……
a sensitive
operation
CVE‐2008-1722 (CUPS)
png_get_IHDR(pp, info, &width, &height, &bit_depth, &color_type,
&interlace_type, &compression_type, &filter_type);
……
if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH ||
height == 0 || height > CUPS_IMAGE_MAX_HEIGHT)
{//error
return (1);
}
an incomplete
check
img->xsize = width;
an untrusted
source
an integer
overflow
img->ysize = height;
……
if (color_type == PNG_COLOR_TYPE_GRAY ||color_type ==
PNG_COLOR_TYPE_GRAY_ALPHA)
in = malloc(img->xsize * img->ysize);
else
a sensitive
malloc(img->xsize * img->ysize * 3);
=
…… operation
}
12
CVE‐2008-2430 (VLC)
……
an untrusted
source
if( ChunkFind( p_demux, "fmt ", &i_size ) )
{
msg_Err( p_demux, "cannot find 'fmt ' chunk" );
goto error;
}
if( i_size < sizeof( WAVEFORMATEX ) - 2 )
{
msg_Err( p_demux, "invalid 'fmt ' chunk" );
goto error;
}
stream_Read( p_demux->s, NULL, 8 );
/* load waveformatex */
p_wf_ext = malloc( __EVEN( i_size ) + 2 );
……
an incomplete
check
an integer
overflow
/* Cannot fail */
a sensitive
operation
13
Basic Pattern of IO vulns
an untrusted
source
unsigned int x = read_int();
an incomplete
check
if ( x > 0x7fffffff || x==0)
abort();
unsigned int s = x*sizeof(int);
int* p=malloc(s);
an integer
overflow
memset(p, 0, x);
a heap overflow
followed
a sensitive
operation
An instance of taint‐based problem
Sink
Source
an
untrusted
source:
fread(),
fscan()
A feasible path
connecting the
source and the
sink
a sink using
tainted overflowed
data:
*alloc(),
array index,
pointer offset
What We Can Use (1/3)
Disassemble && Intermediate Representation
IDA Pro, objdump
CodeSurfer/x86, Halvar Flake [bh’04]
Executable
Libraries
What We Can Use (2/3)
Static taint analysis
Taint the untrusted data, and infer the
possible propagation of such untrusted data
Similar to type systems (e.g., CQual)
What We Can Use (3/3)
Symbolic Execution
Statically “run” the program with symbolic values
instead of concrete ones
x = x + y;
y = x – y;
x = x – y;
Sym Exe
x = x0 + y0;
y = x0 + y0– y0 = x0;
x = x0 + y0– x0 = y0;
Solvers
MiniSAT，Chaff, CVC3, STP, Z3, Yices
19
Natural Approach
Disassemble the binary to IR
From the function main, symbolically execute
each path:
Collect path constraints, and check the feasibility of the path
Track the propagation of untrusted data；
Check whether untrusted data causes integer overflows
Feasible or not???
Challenge 1: Lack of type information
During traversing, how can we determine there is
an overflow or not?
mov eax,0xffffffff
add eax,1
＝
eax = 0xffffffff
eax = eax+1
Overflow or not？
Challenge 1: Lack of type information
There is no type information in binaries
eax = 0xffffffff
eax = eax+1
If eax is “signed int”
If eax is“unsigned int”
eax = -1
eax = eax +1
eax = 4294967295
eax = eax +1
Challenge 2:
Benign Integer Overflows
Programmers (even compilers) may make use of
harmless integer overflows.
int x = read_from_file();
if(x>= ‐2 && x<= 0x7ffffffd)
GCC ‐O2
mov eax, x; // eax = x
add eax, 2; // eax = eax +2
js target
Harmless integer
overflow
Strategy: Lazy Check
Lazy check: Only check tainted values used in
sinks, instead of each arithmetic operation
mov
eax, x
shl
eax, 2
add
eax, 4
push
eax
call
malloc
Do not check whether
the add instruction
// malloc(x*4+4)
Only check the symbolic
expression “x*4+4” when
meeting “malloc”
Challenge 3: Path explosion
We need check each path, but the number of
paths through software is huge.
Strategy:
Extract security‐sensitive component
First, based on call
graph (CG), identify
the source and sink
functions
Source: introduce
untrusted data
Sink: malloc, alloc,
etc
Strategy:
Extract security‐sensitive component
Find the common
ancestors of a taint
source function node
and a sink function
node
Strategy:
Compute a chop from source to sink
Only consider paths
between sources and
possible sinks
Ignore unrelated paths
Significantly reduce the
number of paths
Put it together
Workflow:
Disassemble the binary to IR, construct the
control flow graphs and call graph
Extract the security‐sensitive component
Only select the path from a source to a sink
symbolically execute each path in the
component:
Collect path constraints, and check the feasibility of the
path；
Track the propagation of untrusted data；
Only check whether untrusted data causes integer
overflows at sink points
System Implementation
Suspicious
Paths
Lazy
Checker
Prepruning
Symbolic
Execution
Engine
Constraint
Solver
Symbolic Environments
PANDA
BESTAR Decompiler
IntScope
Binary
3rd Party Modules
Disassembler: IDA Pro
CAS: GiNaC
Constraint Solver: STP
Experiment Results
Experiment Results
Related Research
Binary Analysis
Vine:
Static analysis component in the BitBlaze project. Vine can
accurately translate each x86 instruction into a RISC-like IR and it
implements a dataflow and control flow analysis on that IR
Chevarista:
A project for automated vulnerability analysis on SPARC binary
code. It demonstrates how to translate binary code into SSA form
and model variable bounds by interval analysis to detect buffer
overflows or integer overflows.
Related Research
Symbolic Execution
Exe: automatically generating inputs of death
CCS 06 C. Cadar …
Cute: a concolic unit testing engine for c
SIGSOFT 05 K. Sen…
Archer: using symbolic path-sensitive analysis to detect memory
access errors
SIGSOFT 03 Y. Xie…
Dart: directed automated random testing
SIGPLAN 05 P. Godefroid
Basic Approach
insert a symbolic execution engine into program
source code and use a mixed execution to generate
test inputs or find potential bugs on feasible paths.
Thanks