Security Vulnerability Analysis and Mitigation for Real-World Systems, Shuo Chen, Center for...
Post on 20-Dec-2015
Security Vulnerability Analysis and Mitigation for Real-World Systems

Shuo Chen
Center for Reliable and High-Performance Computing
Coordinated Science Laboratory
University of Illinois at Urbana-Champaign

Final Exam, August 18th, 2005

Committee Chair: Prof. Ravi Iyer
Committee: Prof. Vikram Adve, Prof. Ravi Iyer, Prof. Jose Meseguer, Prof. David Nicol
Prelim Exam Recap

- Analyzed security vulnerability reports in Bugtraq and CERT advisories
  - Most vulnerabilities can be modeled as a series of simple logic predicates.
  - Used FSM models to reason about many categories of vulnerabilities.
- A common characteristic of most security vulnerabilities: pointer taintedness
  - Pointer value derived from user input
  - Allows users to specify memory addresses. Usually due to attacks!
- Developed a theorem proving approach to reason about the possibility of pointer taintedness
  - To uncover potential vulnerabilities.
Since Prelim Exam: Questions Focused

- Is pointer taintedness detection just an alternative approach to existing defense techniques, or is it a significant improvement?
- Is pointer taintedness detection applicable to large real-world software?
Since Prelim Exam (cont.): Contributions

- Demonstrate that a new security attack, the non-control-data attack, is applicable to much real-world software and is not addressed by many current defense techniques.
- Demonstrate that pointer taintedness detection can naturally defeat non-control-data attacks as well as traditional attacks.
- Demonstrate that pointer taintedness detection can be deployed in large systems
  - By building it into the processor architecture
  - By combining theorem proving and runtime assertions
Summary of My Research

- Start from the analysis of a large volume of security data
- Extract common characteristics of security vulnerabilities and attacks
- Propose new defense techniques (supported by real-world attack models)
Publications

- S. Chen, J. Xu, E. C. Sezer, P. Gauriar and R. K. Iyer. "Non-Control-Data Attacks Are Realistic Threats," USENIX Security Symposium, 2005.
- S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, R. K. Iyer. "Defeating Memory Corruption Attacks via Pointer Taintedness Detection," DSN, 2005.
- S. Chen, J. Dunagan, C. Verbowski and Y.-M. Wang. "A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities," NDSS, 2005.
- S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer. "Security Vulnerabilities: From Analysis to Detection and Masking Techniques," Proceedings of the IEEE, 2005.
- S. Chen, K. Pattabiraman, Z. Kalbarczyk, R. K. Iyer. "Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics," IFIP SEC, 2004.
- S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer and K. Whisnant. "Modeling and Evaluating the Security Threats of Transient Errors in Firewall Software," Performance Evaluation, 2004.
- S. Chen, Z. Kalbarczyk, J. Xu, R. K. Iyer. "A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities," DSN, 2003.
- S. Chen, J. Xu, R. K. Iyer, K. Whisnant. "Modeling and Analyzing the Security Threat of Firewall Data Corruption Caused by Instruction Transient Errors," DSN, 2002.
- J. Xu, S. Chen, Z. Kalbarczyk, R. K. Iyer. "An Experimental Study of Security Vulnerabilities Caused by Errors," DSN, 2001.

9 full papers in IEEE DSN, USENIX Security, IFIP Security, ISOC NDSS, Proceedings of the IEEE and Journal of Performance Evaluation
Non-Control-Data Attacks Are Realistic Threats

(Joint work with Jun Xu)
In USENIX Security Symposium, 2005
Control Data Attack: Well-Known, Dominant

- Control data attack: corrupt function pointers, jump targets and return addresses to run malicious code
- Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin]
  - By exploiting many vulnerabilities such as buffer overflow, format string bug, integer overflow, double free, etc.
- Many current defense techniques enforce control data integrity to provide security:
  - Monitor system call sequences (intrusion detection systems)
  - Protect control data (Secure Program Execution, Minos)
  - Non-executable stack and heap (Linux, OpenBSD, Windows XP SP2)
Non-Control-Data Attack

- Non-control-data attacks: attacks not corrupting any control flow data
- Currently very rare in reality
  - Very few instances documented in literature.
  - Several papers: possible to construct non-control-data attacks against synthetic programs.
  - Not yet considered as a serious threat
- How applicable are such attacks against real-world software?
  - Why rare: attackers' incapability or lack of incentives?
  - No focused investigation yet.
Our Claim: General Applicability of Non-Control-Data Attacks

- The claim:
  - Many real-world software applications are susceptible to non-control-data attacks.
  - The severity of the attack consequence is equivalent to that of control data attacks.
- Goal of our project
  - Experimentally validate the claim
    - Construct non-control-data attacks to compromise the security of widely-used applications
  - Discuss limitations of current defense techniques
  - Show that pointer taintedness detection can defeat both control-data attacks and non-control-data attacks.
Non-Control-Data Attack against WU-FTP Server (via a format string bug)

    int x;
    FTP_service(...) {
        authenticate();
        x = user ID of the authenticated user;
        seteuid(x);
        while (1) {
            get_FTP_command(...);
            if (a data command?)
                getdatasock(...);
        }
    }
    getdatasock(...) {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Slide annotations, in execution order:
- Before authenticate(): x uninitialized, run as EUID 0
- After authenticate(): x=109, run as EUID 0
- After seteuid(x): x=109, run as EUID 109. Lose the root privilege!
- Get a special SITE EXEC command. Exploit a format string vulnerability. x=0, still run as EUID 109.
- Get a data command (e.g., PUT). getdatasock() calls seteuid(0): x=0, run as EUID 0
- seteuid(x) with x=0: x=0, run as EUID 0
- When returning to the service loop, still runs as EUID 0 (root). Allow me to upload /etc/passwd: I can grant myself the root privilege!
- Only corrupt an integer, not a control data attack.
Non-Control-Data Attack against NULL-HTTP Server (via a heap overflow bug)

- Attack the configuration string of the CGI-BIN path.
- Mechanism of CGI
  - Suppose server name = www.foo.com, CGI-BIN = /usr/local/httpd/exe
  - Requested URL = http://www.foo.com/cgi-bin/bar
  - The server executes /usr/local/httpd/exe/bar
- Our attack
  - Exploit the vulnerability to overwrite CGI-BIN to /bin
  - Request URL http://www.foo.com/cgi-bin/sh
  - The server executes /bin/sh
  - The server gives me a root shell! Only overwrite four characters in the CGI-BIN string.
Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug)

    void do_authentication(char *user, ...) {
        int auth = 0;
        ...
        while (!auth) {
            /* Get a packet from the client */
            type = packet_read();
            switch (type) {
                ...
                case SSH_CMSG_AUTH_PASSWORD:
                    if (auth_password(user, password))
                        auth = 1;
                case ...
            }
            if (auth) break;
        }
        /* Perform session preparation. */
        do_authenticated(...);
    }

Slide annotations:
- Normal run: auth = 0 on entry, and auth = 0 again after an incorrect password, so the loop continues.
- Attack: Password incorrect, but auth = 1 (the flag is overwritten through the integer overflow bug); "if (auth) break" leaves the loop with auth = 1.
- Logged in without correct password.
More Non-Control-Data Attacks

- Against NetKit Telnet server (default Telnet server of Redhat Linux)
  - Exploit a heap overflow bug
  - Overwrite two strings:
    - /bin/login -h foo.com -p (normal scenario)
    - /bin/sh -h -p -p (attack scenario)
  - The server runs /bin/sh when it tries to authenticate the user.
- Against GazTek HTTP server
  - Exploit a stack buffer overflow bug
  - Send a legitimate URL http://www.foo.com/cgi-bin/bar
  - The server checks that "/.." is not embedded in the URL
  - Exploit the bug to change the URL to http://www.foo.com/cgi-bin/../../../../bin/sh
  - The server executes /bin/sh
What Do Non-Control-Data Attacks Imply?

- Control data integrity is not sufficient to ensure software security for real-world software.
- Many types of non-control data are critical to security
  - User identity data, configuration data, user input text strings and decision-making Booleans
- Once attackers have the incentive, they are likely to succeed in non-control-data attacks.
Runtime Pointer Taintedness Detection at Processor Level

Joint work with Jun Xu and Nithin Nakka
In IEEE International Conference on Dependable Systems and Networks (DSN), 2005
Recap: Pointer Taintedness

- The root cause of many memory corruption attacks: pointer taintedness
  - No matter whether they overwrite control-data or non-control-data
  - Many types of vulnerabilities: e.g., buffer overflow, format string, heap corruption, integer overflow, and globbing attacks.
- Pointer taintedness: a pointer value is derived from user input
- In the prelim, I showed a theorem proving technique to reason about the possibility of pointer taintedness

[Chart: vulnerability categories. Buffer Overflow 44%, Other 33%, Heap Corruption 8%, Format String 7%, Integer Overflow 6%, Globbing 2%]
Is a Format String Attack Due to Pointer Taintedness?

- In vfprintf(), if (fmt points to "%n") then **ap = (character count)
- Vulnerable code:

    recv(socket, filename);
    sprintf(buf, "%s not found", filename);
    printf(buf);   /* should be printf("%s", buf) */

- Suppose user ID, CGI-BIN or a critical flag is at 0x1002bc20
- Attack input: \x20 \xbc \x02 \x10 %d %d %d %n

[Stack diagram: the attack string is copied into buf on the stack (stack grows from high to low addresses). fmt (format string pointer) walks the format string; each %d advances ap (argument pointer) one word up the stack, so that when fmt reaches %n, ap points at the word 0x1002bc20 that came from the input.]

- *ap is the tainted value 0x1002bc20.
Runtime Pointer Taintedness Detection

- A processor architectural level mechanism to detect pointer taintedness
  - On the SimpleScalar processor simulator
  - Implemented a taintedness-aware memory system
    - One-bit extension for each byte, similar to the parity bit, to indicate the taintedness of this byte
- Taintedness tracking
  - Taintedness is propagated by ALU instructions
- Taintedness initialization
  - read and recv system calls: tag every byte of the receiving buffer as tainted
- Attack detection
  - When a tainted value is dereferenced (i.e., used as a pointer).
ALU taintedness tracking logic

[Figure: the register file and data memory hold 36-bit words (32 data bits plus 4 taintedness bits, one per 8-bit byte). The taint bits travel with the data through the ID/EX, EX/MEM and MEM/WB pipeline stages and along the load and store paths. The ALU computes the result's taint bits as the bitwise OR of the operands' taint bits, with opcode-specific logic for compare, shift, XOR and AND instructions. A jump pointer taintedness detector (jr?) and a data pointer taintedness detector (load/store?) raise an alert when a tainted value is used as a jump target or as a load/store address.]
Evaluation

- Effectiveness of attack detection
  - Synthetic vulnerable programs
  - Real-world network applications
- Evaluation of false positives
  - Real-world network applications
  - SPEC 2000 benchmarks
- Potential false negative scenarios
  - A few attack scenarios that are not detected
Effectiveness of Attack Detection

- First, test on synthetic vulnerable programs
- All attacks are detected and terminated

Vulnerable programs (stack buffer overflow, heap corruption, format string):

    void exp1() {
        char buf[10];
        scanf("%s", buf);          /* unbounded read into a 10-byte stack buffer */
    }

    void exp2() {
        char *buf;
        buf = malloc(8);
        scanf("%s", buf);          /* unbounded read into an 8-byte heap chunk */
        free(buf);                 /* corrupted chunk metadata is dereferenced here */
    }

    void exp3(int s) {
        char buf[100];
        recv(s, buf, 100, 0);
        printf(buf);               /* user data used as the format string */
    }

    Attack                 | Program | Input data                           | Violating instruction  | Tainted data
    Stack buffer overflow  | exp1    | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 400a38: JR $31         | $31 = 0x61616161
    Heap corruption attack | exp2    | aaaaaaaaaaaaaaaaaaaaaaaaaa           | 401dc0: LW $3,0($3)    | $3 = 0x61616161
    Format string attack   | exp3    | abcd%x%x%x%n                         | 402d60: SW $21,0($3)   | $3 = 0x64636261
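The byte-granular detector of the previous slides, as an added example (Python, not the SimpleScalar implementation): memory carries one taint bit per byte, registers a 4-bit mask, recv() taints its whole buffer, ALU results OR their operands' taint, and a tainted register used as a jump target or load/store address raises an alert. The stack layout (buf at 0x100, saved return address at 0x110), the register names and the return address are constructed for the exp1() scenario above.

```python
"""Byte-granular pointer taintedness tracking modelled on the detector described
on these slides (added example, not the SimpleScalar implementation)."""
import struct


class TaintAlert(Exception):
    """Raised when a tainted value is dereferenced, i.e. used as a pointer."""


class TaintedMachine:
    def __init__(self, mem_size=0x200):
        self.mem = bytearray(mem_size)
        self.taint = bytearray(mem_size)      # one taint bit per memory byte
        self.regs = {}                        # name -> (value, 4-bit taint mask)

    # Taintedness initialization: the recv()/read() system calls.
    def recv(self, addr, data):
        """Copy received bytes into memory and tag every one of them as tainted.
        Like the real call, it knows nothing about the destination buffer size."""
        self.mem[addr:addr + len(data)] = data
        self.taint[addr:addr + len(data)] = b"\x01" * len(data)

    def _check_pointer(self, reg, use):
        value, mask = self.regs[reg]
        if mask:
            raise TaintAlert(f"{use} through tainted {reg}=0x{value:08x} "
                             f"(taint mask 0b{mask:04b})")
        return value

    def li(self, rd, value):
        """Load an immediate: constants are never tainted."""
        self.regs[rd] = (value & 0xFFFFFFFF, 0)

    # Taintedness tracking: ALU results inherit the OR of the operand masks.
    def add(self, rd, rs, rt):
        (a, ta), (b, tb) = self.regs[rs], self.regs[rt]
        self.regs[rd] = ((a + b) & 0xFFFFFFFF, ta | tb)

    # Memory path: the base register is the pointer being checked, and the
    # taint bits travel with the bytes on both the load and the store path.
    def lw(self, rd, base, offset=0):
        addr = self._check_pointer(base, "load") + offset
        word = struct.unpack("<I", self.mem[addr:addr + 4])[0]
        mask = sum(1 << i for i in range(4) if self.taint[addr + i])
        self.regs[rd] = (word, mask)

    def sw(self, rs, base, offset=0):
        addr = self._check_pointer(base, "store") + offset
        word, mask = self.regs[rs]
        self.mem[addr:addr + 4] = struct.pack("<I", word)
        for i in range(4):
            self.taint[addr + i] = (mask >> i) & 1

    # Attack detection on control transfer.
    def jr(self, rs):
        return self._check_pointer(rs, "jump")


# Constructed stack layout for the slide's exp1(): char buf[10] starts at BUF
# and the saved return address sits 16 bytes above it (addresses are made up).
BUF, RET_SLOT, RET_ADDR = 0x100, 0x110, 0x00400A40


def run_exp1(user_input):
    """Simulate exp1(): scanf("%s", buf) followed by the function's return.
    Returns ("ok", target) on a normal return, ("alert", message) on detection."""
    m = TaintedMachine()
    m.li("$sp", RET_SLOT)
    m.li("$t0", RET_ADDR)
    m.sw("$t0", "$sp")             # prologue saves the untainted return address
    m.recv(BUF, user_input)        # scanf's read(): bytes arrive tainted, unbounded
    try:
        m.lw("$31", "$sp")         # epilogue reloads $31 from the stack slot
        return ("ok", m.jr("$31")) # JR $31: alert if the slot was overwritten
    except TaintAlert as e:
        return ("alert", str(e))


def run_exp2_like(user_input):
    """The exp2()/exp3() pattern: a word that came from input is later used as a
    load address, so the alert fires at the LW instead of at a jump."""
    m = TaintedMachine()
    m.recv(BUF, user_input)
    m.li("$t1", BUF)
    try:
        m.lw("$3", "$t1")          # $3 <- first word of the received bytes
        m.lw("$4", "$3")           # LW $4,0($3): dereferences the tainted word
        return ("ok", m.regs["$4"][0])
    except TaintAlert as e:
        return ("alert", str(e))
```

A 36-byte input overflows the return slot and the alert fires at the JR with $31 = 0x61616161, matching the exp1 row of the table; a short input returns normally.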
Attack Detection Effectiveness (cont.)

- Test on real network applications
- All attacks are detected
- No difference between control-data attacks and non-control-data attacks from the viewpoint of pointer taintedness

    Application        | Attack                       | Corrupted target                             | Result
    WU-FTP server      | Format string attack         | Overwrite user ID (non-control-data)         | detected
    GazTek HTTP server | Stack buffer overflow attack | Overwrite user input data (non-control-data) | detected
    NULL HTTP server   | Heap corruption attack       | Overwrite CGI-BIN config (non-control-data)  | detected
    traceroute         | Double free                  | Function pointer (control-data)              | detected
Evaluation of Transparency and False Positives

- Transparent: precompiled binary executables can run
- Test on network applications
  - No attack, no alert
- Test on SPEC benchmarks
  - Execute 15,139 million instructions without any alert
- Conclusion: No known false positive

    Benchmark                    | BZIP2  | GCC    | GZIP   | MCF    | PARSER  | VPR   | Total
    Program size                 | 321KB  | 4184KB | 485KB  | 304KB  | 595KB   | 697KB | 6586KB
    Total number of input bytes  | 1048KB | 77.7K  | 282KB  | 39.2KB | 743.0KB | 6.4KB | 2186KB
    Total number of instructions | 5,951M | 110M   | 6,926M | 1,653M | 389M    | 108M  | 15,139M
    Alert generated?             | No     | No     | No     | No     | No      | No    | No
Potential False Negative Scenarios

- Incorrect array index boundary check
  - Determining the correct array size requires source code analysis: very hard at the binary level
- Buffer overflow within the local frame
  - If no pointer is tainted, no alert is raised
  - Unlikely to cause severe security damage because the attacker-controllable location is very limited
- Format string attack causing information leak
  - This attack allows peeking at a few words on the top of the stack.
  - Causes security compromises if these words contain a security-critical secret, e.g., a key or a password
Combining Static Analysis and Runtime Detection
Towards an Easier Deployment of Pointer Taintedness Detection

- Advantage/limitation of static analysis to derive assertions (when satisfied, they eliminate pointer taintedness)
  - No need for hardware modification, but not easy to deploy in large programs
- Advantage/limitation of runtime detection
  - Easy to deploy in large programs, but needs modification of the processor
- Can we combine the two?
  - Static analysis to extract security specifications of critical functions
  - Enforce these specifications by runtime assertions
  - Purely a software approach (of course, we can also design hardware to enforce runtime assertions)
Verification Condition (VC) Generation

Source:

    char *p, *q;
    if (a == 1) p = *p + 10;
    q = p - 2;
    *q = 12;

Compiled (^x denotes the value stored at address x):

    1: branch (~(^a is 1)) 3
    2: mov [p] <- ^^p + 10
    3: mov [q] <- ^p - 2
    4: mov [^q] <- 12

VC generation (backwards from the last instruction):

    VC(4): T(^q)=false
    VC(3): T(^p)=false
    VC(2): T(^^p)=false
    VC(1): the specification: (^a=1 => T(^^p)=false) && (^a≠1 => T(^p)=false)
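The backward VC generation on this slide carried out in code, as an added example (Python, not the authors' tool): it encodes the four compiled instructions as tuples, walks them backwards with weakest-precondition substitution, and prints VC(1)..VC(4) in the slide's notation. The one proof obligation it raises is the one the slide's VCs reflect, that a pointer used as a store address must be untainted; a read through a pointer could be given the same rule.

```python
"""Backward verification-condition (VC) generation for pointer taintedness over
the slide's four-instruction program (added example; not the authors' tool).
Expressions: ("var","p") = address of p, ("deref",e) = ^e, ("const",n),
("add"/"sub",e1,e2).  The predicate ("untainted",e) means T(e)=false."""

TRUE = ("true",)
deref = lambda e: ("deref", e)

def conj(p, q):
    if p == TRUE:
        return q
    return p if q == TRUE else ("and", p, q)

def untainted(e):
    """T(e)=false simplified by the taint model: constants are untainted,
    e +/- const is tainted iff e is, e1 +/- e2 is untainted iff both are."""
    if e[0] == "const":
        return TRUE
    if e[0] in ("add", "sub"):
        a, b = e[1], e[2]
        if b[0] == "const" or a[0] == "const":
            return untainted(a if b[0] == "const" else b)
        return conj(untainted(a), untainted(b))
    return ("untainted", e)

def renormalize(pred):
    # Re-apply the untainted() simplification after a substitution.
    if pred[0] == "untainted":
        return untainted(pred[1])
    if pred[0] == "and":
        return conj(renormalize(pred[1]), renormalize(pred[2]))
    if pred[0] == "implies":
        return ("implies", pred[1], renormalize(pred[2]))
    return pred

def subst(term, old, new):
    """Simultaneously replace every occurrence of expression old by new."""
    if term == old:
        return new
    if isinstance(term, tuple):
        return tuple(subst(t, old, new) for t in term)
    return term

def vc_gen(program):
    # program: {i: ("mov", dest_addr, src) | ("branch", taken_cond, target)}
    # Returns {i: VC holding before instruction i}, from VC(n+1) = true backwards.
    n = len(program)
    vc = {n + 1: TRUE}
    for i in range(n, 0, -1):
        inst = program[i]
        if inst[0] == "mov":
            _, dest, src = inst
            # A store address that is not a plain variable (^q in mov [^q] <- 12)
            # is a dereferenced pointer: it must be untainted.
            obligation = TRUE if dest[0] == "var" else untainted(dest)
            # Weakest precondition: after the move, ^dest denotes src.
            vc[i] = conj(obligation, renormalize(subst(vc[i + 1], deref(dest), src)))
        else:
            _, cond, target = inst
            fallthrough = cond[1] if cond[0] == "not" else ("not", cond)
            # Fall-through must establish VC(i+1), the taken path VC(target).
            vc[i] = conj(("implies", fallthrough, vc[i + 1]),
                         ("implies", cond, vc[target]))
    return vc

def show_expr(e):
    if e[0] in ("var", "const"):
        return str(e[1])
    if e[0] == "deref":
        return "^" + show_expr(e[1])
    return f"{show_expr(e[1])} {'+' if e[0] == 'add' else '-'} {show_expr(e[2])}"

def show_cond(c):
    if c[0] == "not":
        return show_cond(c[1]).replace("=", "!=")
    return f"{show_expr(c[1])}={show_expr(c[2])}"

def show(pred):
    if pred == TRUE:
        return "true"
    if pred[0] == "untainted":
        return f"T({show_expr(pred[1])})=false"
    if pred[0] == "and":
        return f"{show(pred[1])} && {show(pred[2])}"
    return f"({show_cond(pred[1])} => {show(pred[2])})"

# 1: branch (~(^a is 1)) 3    2: mov [p] <- ^^p + 10
# 3: mov [q] <- ^p - 2         4: mov [^q] <- 12
P, Q, A = ("var", "p"), ("var", "q"), ("var", "a")
SLIDE_PROGRAM = {
    1: ("branch", ("not", ("eq", deref(A), ("const", 1))), 3),
    2: ("mov", P, ("add", deref(deref(P)), ("const", 10))),
    3: ("mov", Q, ("sub", deref(P), ("const", 2))),
    4: ("mov", deref(Q), ("const", 12)),
}

def slide_vcs():
    # VC(1)..VC(4) of the slide's program in the slide's notation.
    return {i: show(v) for i, v in vc_gen(SLIDE_PROGRAM).items() if i <= 4}
```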
Case Study: free()

    typedef struct _HEAP_BLOCK {
        int Size;
        int Busy;
        struct _HEAP_BLOCK *Fwd, *Bak;
    } HEAP_BLOCK, *PHEAP_BLOCK;

    char *BlockSizes;

    void free(char *p)
    {
        int BlockSize, i;
        PHEAP_BLOCK BuddyBlock, FreedBlock;
        int FreeBlockListIndex, MergeExit;

        FreedBlock = (PHEAP_BLOCK)(p - sizeof(HEAP_BLOCK));
        // Mark this block free.
        FreedBlock->Busy = 0;
        BlockSize = FreedBlock->Size;
        // FreeBlockListIndex = CalculateFreeBlockListIndex(BlockSize), inlined below:
        FreeBlockListIndex = 0;
        while (BlockSize > *(BlockSizes + FreeBlockListIndex)) {
            BlockSize = BlockSize / 2;
            FreeBlockListIndex++;
        }
        MergeExit = 0;
        while (FreeBlockListIndex < 6 && MergeExit == 0) {
            // The buddy's address: XOR the block's offset from HEAP_BASE with its size.
            BuddyBlock = (PHEAP_BLOCK)(HEAP_BASE + (((char *)FreedBlock - HEAP_BASE) ^ BlockSize));
            if (BuddyBlock->Busy || BuddyBlock->Size != BlockSize)
                MergeExit = 1;
            else {
                // Make a bigger block and free it.
                BlockSize *= 2;
                FreeBlockListIndex++;
                if (BuddyBlock < FreedBlock)
                    FreedBlock = BuddyBlock;
                // Unlink the buddy from its free list: the two writes the VC below protects.
                BuddyBlock->Fwd->Bak = BuddyBlock->Bak;
                BuddyBlock->Bak->Fwd = BuddyBlock->Fwd;
            }
        }
        FreedBlock->Size = BlockSize;
        FreedBlock->Busy = 0;
        InsertTailList(FreeBlockListIndex, FreedBlock);
    }

Compiled:

    inst(1)  = mov [FreedBlock] <- (^ p - 16)
    inst(2)  = mov [^ FreedBlock + 4] <- 0
    inst(3)  = mov [BlockSize] <- ^ ((^ FreedBlock + 0))
    inst(4)  = mov [FreeBlockListIndex] <- 0
    inst(5)  = no-op
    inst(6)  = branch (~(^ ((^ BlockSizes + ^ FreeBlockListIndex)) < ^ BlockSize)) 10
    inst(7)  = mov [BlockSize] <- (^ BlockSize / 2)
    inst(8)  = mov [FreeBlockListIndex] <- (^ FreeBlockListIndex) + 1
    inst(9)  = branch true 5
    inst(10) = no-op
    inst(11) = mov [MergeExit] <- 0
    inst(12) = no-op
    inst(13) = branch (~(^ FreeBlockListIndex < 6 && ^ MergeExit is 0)) 28
    inst(14) = mov [BuddyBlock] <- ((HEAP_BASE + ((((^ FreedBlock - HEAP_BASE)) xor ^ BlockSize))))
    inst(15) = branch (~(~(^ ((^ BuddyBlock + 4)) is 0) || ~(^ ((^ BuddyBlock + 0)) is ^ BlockSize))) 18
    inst(16) = mov [MergeExit] <- 1
    inst(17) = branch true 26
    inst(18) = no-op
    inst(19) = mov [BlockSize] <- (^ BlockSize * 2)
    inst(20) = mov [FreeBlockListIndex] <- (^ FreeBlockListIndex) + 1
    inst(21) = branch (~(^ BuddyBlock < ^ FreedBlock)) 23
    inst(22) = mov [FreedBlock] <- ^ BuddyBlock
    inst(23) = no-op
    inst(24) = mov [^(^ BuddyBlock + 8) + 12] <- ^ (^ BuddyBlock + 12)
    inst(25) = mov [^(^ BuddyBlock + 12) + 8] <- ^ (^ BuddyBlock + 8)
    inst(26) = no-op
    inst(27) = branch true 12
    inst(28) = no-op
    inst(29) = mov [^ FreedBlock + 0] <- ^ BlockSize
    inst(30) = mov [^ FreedBlock + 4] <- 0
    inst(31) = no-op

VC generation:

    VC(1): T(^ p) = false
           T(^ (^ x + 8)) = false
           T(^ (^ x + 12)) = false
           where x = (((p - 16) - HEAP_BASE) xor ^(p - 16)) + HEAP_BASE
Case Study: free() (cont.)

Runtime enforcement of the VC using a runtime assertion:

    void free(char *p)
    {
        HEAP_BLOCK *x = (HEAP_BLOCK *)(HEAP_BASE + (((p - 16) - HEAP_BASE) ^ (*(UINT *)(p - 16))));
        assert(x->Fwd->Bak == x && x->Bak->Fwd == x);
        ... (the original source code of free())
    }

Effectiveness:

    /* try to hijack *f() to buffer p */
    int main()
    {
        char *p;
        void (*f)();
        p = malloc(40);
        *(UINT *)(p + 60) = (UINT)p;
        *(UINT *)(p + 56) = ((UINT)&f) - 12;
        free(p);
    }

Heap corruption attack. Assertion is violated!
Case Study: vfprintf()

Simplified model of vfprintf() used for VC extraction (argument types and stepping of ap are abbreviated as on the slide):

    int vfprintf(char *s, char *format, char *ap)
    {
        char *p, *q;
        int done, state, data, n;
        char buf[10];
        p = format;
        done = 0;
        if (p == 0) return 0;
        state = 1;
        while (*p != 0) {
            if (state == 1) {
                if (*p == '%') state = 0;
                else done++;
            } else {
                if (*p == '%') {
                    done++;
                } else if (*p == 'd') {
                    data = *ap;
                    if (data < 0) { done++; data = -data; }
                    n = 0;
                    while (data > 0 && n < 10) {
                        buf[n] = data % 10 + '0';
                        data /= 10;
                        n++;
                    }
                    while (n > 0) { n--; done++; }
                } else if (*p == 's') {
                    q = *ap;
                    if (q == 0) break;
                    while (*q != 0) { done++; q++; }
                } else if (*p == 'n') {
                    q = *ap;
                    *(int *)q = done;     /* the write through a user-controllable pointer */
                    done++;
                } else {
                    done++;
                }
                state = 1;
            }
            p++;
        }
        return done;
    }
Case Study: vfprintf() (cont.)

Extracted VC:

    VC(8) = (~(^state = 1) && ^^p = 'n') -> (T(^ap) = false)

Runtime enforcement of the VC using a runtime assertion:

    int vfprintf(FILE *s, const char *format, va_list ap)
    {
        ...
        while (*p != 0) {
            assert(!(state != 1 && *p == 'n' && !UNTAINTED(ap)));
            ...
        }
    }

    int printf(const char *format, ...)
    {
        va_list arg;
        va_start(arg, format);
        int done = vfprintf(stdout, format, arg);
        va_end(arg);
        return done;
    }

    void main()
    {
        mov %esp, stack_top;                        /* pseudo-assembly: record the stack top */
        ADD_UNTAINTED_ADDR(stack_top - 4);
        printf("string=%s\ni=%d\n%n", buf, i, &j);  /* Legitimate call. Assertion holds */
        REMOVE_UNTAINTED_ADDR(stack_top - 4);
        scanf("%s", buf);
        printf(buf);                                /* Format string attack. Assertion is violated */
    }
Conclusions

- Most security vulnerabilities (in Bugtraq and CERT) can be modeled as a series of violations of logic predicates
  - Promising to apply formal methods to analyze software security (shown in prelim exam)
- Much real-world software can be compromised by corrupting non-control data.
  - Need a more comprehensive defense technique
- Pointer taintedness is a unifying perspective to reason about most memory corruption vulnerabilities/attacks.
  - Effective for defeating both control-data attacks and non-control-data attacks
- Detecting pointer taintedness is a promising direction to enhance security on real-world systems
  - Techniques explored:
    - theorem proving (shown in prelim exam)
    - runtime detection
    - combination of automatic VC generation and runtime assertions