DYNAMIC TAINT ANALYSIS FOR AUTOMATIC DETECTION, ANALYSIS, AND SIGNATURE GENERATION OF EXPLOITS ON COMMODITY SOFTWARE Authors: James Newsome, Dawn Song Presenters: Sheikh M Qumruzzaman Khaled M Al-Naami.
Download ReportTranscript DYNAMIC TAINT ANALYSIS FOR AUTOMATIC DETECTION, ANALYSIS, AND SIGNATURE GENERATION OF EXPLOITS ON COMMODITY SOFTWARE Authors: James Newsome, Dawn Song Presenters: Sheikh M Qumruzzaman Khaled M Al-Naami.
DYNAMIC TAINT ANALYSIS FOR AUTOMATIC DETECTION, ANALYSIS, AND SIGNATURE GENERATION OF EXPLOITS ON COMMODITY SOFTWARE Authors: James Newsome, Dawn Song Presenters: Sheikh M Qumruzzaman Khaled M Al-Naami WELCOME AND INTRODUCTION Overview Dynamic Taint Analysis TaintCheck • • • • TaintSeed TaintTracker TaintAssert Exploit Analyzer Security Analysis of TaintCheck Evaluation and Performance Automatic Signature Generation Conclusion OVERVIEW Worms exploit software vulnerabilities. Buffer Overflow. Format String. Dangling Pointers. SQL Injection. CodeRed and Slammer exploit vulnerabilities and can compromise hundreds of thousands of hosts within hours or minutes. SLAMMER The geographical spread of Slammer in the 30 minutes after its release. Source: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1219056&tag=1 CODERED Code Red’s probe rate during its re-emergence on 1 August, 2001 Source: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1219056&tag=1 WHAT DO WE NEED? An automatic detect and defense system. Automatic development of attack signatures. In this paper authors proposed new technique ‘Dynamic Taint Analysis’ and showed how it can be used to detect and analyze software exploits ATTACK DETECTORS Coarse grained detectors: Detect anomalous behavior such as scanning and do not provide detailed information about vulnerability and how it exploited. Fine grained detectors: Detect attack on a program vulnerability, and provide detailed information about it. Several approaches for fine grained detectors. But most of them are not dynamic. DYNAMIC TAINT ANALYSIS Tainted Data: Data from un-trusted sources. Keep track of tainted data. Monitor program execution to track how tainted attributes propagate Check when tainted data is used in dangerous ways TaintCheck – An automatic dynamic taint analysis tool. TAINTCHECK Doesn’t require source code/special compilation. Reliably detects most overwrite attacks. No known false positives. Enables automatic semantic analysis based signature generation. DESIGN AND IMPLEMENTATION (TAINTCHECK) TaintCheck performs dynamic taint analysis on a program by running the program in its own emulation environment. X86 instructions UCode Binary re-writer Taint Check X86 instructions UCode Courtesy: Devendra Salvi Dynamic taint analysis QUESTIONS? What inputs should be tainted? How should the taint attribute propagate? What usage of tainted data should raise an alarm as an attack? ANSWERS TaintSeed. TaintTracker. TaintAssert. TaintSeed TaintTracker TaintAssert Copy Memory byte Add Use as Attack Detected Fn Pointer Untainted Data Shadow Memory Exploit Analyzer X Taint Data structure Taint Check detection of an attack Courtesy: Devendra Salvi TAINT SEED It marks any data from untrusted sources as “tainted” Each byte of memory has a four-byte shadow memory that stores a pointer to a Taint data structure if that location is tainted, or a NULL pointer if it is not. Optionally, logging can be disabled and the shadow memory locations can simply store a single bit indicating taint. Memory is mapped to TDS ANSWERS TaintSeed. TaintTracker. TaintAssert. TaintSeed TaintTracker TaintAssert Copy Memory byte Add Use as Attack Detected Fn Pointer Untainted Data Shadow Memory Exploit Analyzer X Taint Data structure* Taint Check detection of an attack Courtesy: Devendra Salvi DYNAMIC TAINT ANALYSIS TaintTracker It tracks each instruction that manipulates data in order to determine whether the result is tainted. When the result of an instruction is tainted by one of the operands, TaintTracker sets the shadow memory of the result to point to the same Taint data structure as the tainted operand. Memory is mapped to TDS Result is mapped to TDS ANSWERS TaintSeed. TaintTracker. TaintAssert. TaintSeed TaintTracker TaintAssert Copy Memory byte Add Use as Attack Detected Fn Pointer Untainted Data Shadow Memory Exploit Analyzer X Taint Data structure* Taint Check detection of an attack Courtesy: Devendra Salvi DYNAMIC TAINT ANALYSIS Taint Assert Default Policy: Jump addresses. Format strings. System call arguments. Application or library specific checks. 17 - Taint assert checks whether tainted data is used in ways that is policy defines as illegitimate. 2020/4/23 DYNAMIC TAINT ANALYSIS Jump addresses: Format strings: Checks whether tainted data is used as format string argument. Intercept calls to the printf family of functions. System call arguments: Checks whether tainted data is used as a jump target. Instrument before each Ucode jump instruction. Checks whether the arguments specified in system calls are tainted. Optional policy for execv system call. Application or library-specific checks: To detect application or library specific attacks. 18 2020/4/23 DYNAMIC TAINT ANALYSIS Exploit Analyzer provide useful information about how the exploit happened and what the exploit attempt to do. Usage: Identifying vulnerabilities. Generating exploit signature. 19 It 2020/4/23 SECURITY ANALYSIS FOR TAINTCHECK The good news is: Attacks detected by TaintCheck The bad news is: False Negatives False Positives SECURITY ANALYSIS – ATTACKS DETECTED OVERWRITE ATTACKS TaintCheck detects if overwriting Jump targets (such as return addresses and function pointers) whether altered to point to Existing code (existing code attack) . Injected code (code injection attack). SECURITY ANALYSIS – ATTACKS DETECTED OVERWRITE ATTACKS It also detects Format String attacks: An attacker provide malicious format string to trick program by writing an attacker value to an attacker chosen memory address. SECURITY ANALYSIS – ATTACKS DETECTED Overwrite attacks Most worm attacks fall into the following categories. up to 2005 Overwrite Method Value Overwritten SECURITY ANALYSIS – FALSE NEGATIVE ANALYSIS – THE BAD NEWS Attacker causes sensitive data not to be tainted. Scenario: Altered data originate or arithmetically derived from trusted inputs but influenced by untrusted inputs. Paper doesn’t consider tainted attribute of flags, Example: suppose x is tainted If (x == 0) y = 0; else if (x == 1) y = 1; ... same as y = x However, y is not tainted as influenced indirectly by x, via the condition flags. Attacker might cause y to overwrite things ---------------->(Undetected) SECURITY ANALYSIS – FALSE NEGATIVE ANALYSIS – THE BAD NEWS – CONT’D If TaintCheck is configured to trust inputs that should not be trusted. data from the network could be first written to a file on disk, and then read back into memory. SECURITY ANALYSIS – FALSE POSITIVE ANALYSIS – THE BAD NEWS Attack detected while there is no real attack Taint Check detects that tainted data is being used in an illegitimate way even when there is no attack taking place. However, it indicates there are vulnerabilities in program For example, the program may be using an unchecked input as a format string. Fix the vulnerability using check Exploit Analyzer… EXPERIMENTS AND EVALUATION Compatibility and false positives Evaluation of attack detection Synthetic exploits Actual exploits EVALUATION - COMPATIBILITY AND FALSE POSITIVES TaintCheck used to monitor some programs for false positives. Server programs: apache, ATPhttpd, bftpd, cfingerd, and named. Client programs: ssh and firebird. Nonnetwork programs: gcc, ls, bzip2, make, latex, vim, emacs, and bash. All were normal with no false positives EXCEPT for vim and firebird. EVALUATION - EVALUATION OF ATTACK DETECTION TaintCheck ability was tested to detect attacks: Synthetic exploits Actual exploits EVALUATION - EVALUATION OF ATTACK DETECTION Synthetic exploits They wrote small programs for: Return Address Function Pointer Format String “gets” for long input Same Line input from user Overwrote the stack – overwrote return address Overwrote the stack – overwrote function pointer Overwrote format string Attack detected as Attack detected as func TaintCheck return addr was pointer was tainted determined correctly tainted from user input from user input when the format string was tainted EVALUATION - EVALUATION OF ATTACK DETECTION Actual exploits TaintCheck evaluated on exploits to three vulnerable servers: a web server, a finger daemon, and an FTP server. ATPhttpd exploit cfingerd exploit wu-ftpd exploit Web server program Finger daemon ftp Ver 0.4b and lower are vulnerable to buffer overflow Ver 1.4.2 and lower are vulnerable to format string Version 2.6.0 of wu-ftpd has a format string vulnerability in a call to vsnprintf. malicious GET request with a very long file name (shellcode and a return address) was sent to server. Return address overwritten so when func retruns it jumps to shell code inside the file name remote shell for attacker When prompts for a user name, exploit responds with a string beginning with “version” + malicious code - cfingerd copies the whole string into memory, but only reads to the end of the string “version”. Malicious code in memory starts working Format string to overwrite the return address was detected TaintCheck detected return addr was tainted and identified the new value Detected also TaintCheck successfully detects both that the format string supplied to vsnprintf is tainted, and that the overwritten return address is tainted. PERFORMANCE TaintCheck performance was measured using: Two “worst-case” workloads (a CPU-bound workload and a short-lived process workload) In addition, common workload (a long-lived I/Obound workload). Natively, Nullgrind, Valgrind tester Memcheck, and under TaintCheck 2.00 GHz Pentium 4, and 512 MB of RAM, RedHat 8.0. PERFORMANCE Short-lived processes: cfingerd bzip2 was instrumented cfingerd was using TaintCheck instrumented to compress a 15 MB package of source code (Vim 6.2). how long cfingerd 1.4.2 takes to start and serve a finger request Normally 8.2 sec 0.0222 sec Nullgrind 25.6 (3.1 times longer) 13 times longer MemCheck 109 (13.3 times longer) 32 times longer TaintCheck 305 (37.2 times longer) 36 times longer Common case: Apache Next slide CPU-bound: bzip2 PERF APACHE – CONT’D Common case For network services the latency experienced is due to network and/or disk I/O and the TaintCheck performance penalty should not be noticeable. IMPROVING PERFORMANCE First, some performance overhead is due to the implementation of Valgrind. Another x86 emulator, DynamoRio, offers much better performance than Valgrind, due to better caching and other optimization mechanisms. Also, analyze each basic block to eliminate redundant tracking code “Optimization can be performed”. AUTOMATIC SIGNATURE GENERATION Exploit detected generate a signature to filter this exploit request. Automatic semantic analysis of attack payloads. Implemented using TaintCheck Generate signature to filter out exploit requests until patching. Previous: Content Pattern Extraction: Considered attack payloads as opaque byte sequences. New Approach: Automatic Semantic Analysis: Identify which parts of the payloads are useful in a signature. CONCLUSION To combat the rapid spread of new worms, an automatic attack detection has to happen. Dynamic taint analysis has been presented using TaintCheck without requiring source code or special compilation of a program Identify input that caused the exploit and the value used to overwrite the protected data (e.g. the return address). Automatic signature generation using TaintCheck. QUESTIONS? QUESTIONS Thank you.