TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
Download ReportTranscript TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011 Acknowledgements • Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou • Paper Title: TaintScope: A ChecksumAware Directed Fuzzing Tool for Automatic Software Vulnerability Detection • In Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010. • Awarded Best Student Paper 2 Outline • • • • Fuzz Testing TaintScope Performance Conclusions 3 Outline • • • • Fuzz Testing TaintScope Performance Conclusions 4 Fuzz Testing • Attempt to crash or hang a program by feeding it malformed inputs • Blackbox fuzzing – Generational – Mutation 5 Fuzz Testing: Motivation • Nobody is perfect • Programs may be very large and dificult to test • Find bugs to fix • Exploit programs for malware 6 Fuzz Testing: Challenges • Random fuzzing has to cover a huge sample space – E.g. audio signal of 4s, 32k bytes • 2256,000 possible values • Symbolic fuzzing can’t bypass checksum instructions 7 Outline • • • • Fuzz Testing TaintScope Performance Conclusions 8 TaintScope • Fuzzer that can bypass checksum – independent of the algorithm • Concentrates on data flow dependence • Uses IDA Pro Disassembler • Works like a classifier 9 TaintScope: How it Works • Identify hot bytes in input – Bytes that affect API functions • Memory management • String operations – Input bytes are tainted with unique id • Identify possible checksum points 10 TaintScope: How it Works • • • • Well-formed inputs take a true/false path Malformed inputs take a false/true path Intersection yields the check points TaintScope creates bypass rules 11 TaintScope: How it Works • Fuzzer runs with bypass rules and mutates only hot bytes • Crashes and hangs are recorded 12 TaintScope: How it Works • Crashed samples are repaired for replay – Checksum are corrected • Type of vulnerability can be analyzed 13 Outline • • • • Fuzz Testing TaintScope Performance Conclusions 14 Performance: Hot Bytes 15 Performance: Checksum 16 Performance: Vulnerabilities 17 What is accomplished? • TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat, and more) • Vendors have patched the software • Vulnerabilities have been published in – Secunia – Common Vulnerabilities and Exposure 18 MW Paint Search 19 Adobe Acrobat Search 20 Outline • • • • Fuzz Testing TaintScope Performance Conclusions 21 Conclusions • • • • • Fuzzer able to bypass checksum Works with Linux/Windows binaries 100% inputs cause crash or hang Low input samples Tested on many well-known applications and formats 22 Weakness • Doesn’t talk about code coverage • Needs to run the program several times to find information of interest • Can’t detect correctly checksums where data is encrypted with key-based algorithm 23 Improvements • Consider incorporating a tool like HyperNEAT – can learn search space patterns – work with encryption (e.g. DES S-Boxes) • Dynamic update to reduce number of runs needed to build hot bytes/checksum information 24 References 1. 2. 3. 4. 5. 6. 7. Tielei Wang’s website: http://sites.google.com/site/tieleiwang/ Month of Kernel Bugs: http://projects.infopull.com/mokb/ Month Browsers Bug: http://browserfun.blogspot.com/ Secunia: http://secunia.com/ Comon Vulnerabilities and Exposure: http://cve.mitre.org/ IDA Disassembler: http://www.hex-rays.com/idapro/ Google Images: http://images.google.com 25 QUESTIONS 26