Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on...
Slide 1
Dynamic Taint Analysis for Automatic Detection,
Analysis, and Signature Generation of Exploits on
Commodity Software
James Newsome, Carnegie Mellon University
Dawn Song, Carnegie Mellon University
Network and Distributed Systems Security Symposium (NDSS), Feb 2005.
Slide 2
Outline
• Security analysis of TaintCheck
• Attacks Detected by TaintCheck
• False Negative Analysis
• False Positive Analysis
• Evaluation
• TaintCheck Usage
Slide 3
Attacks Detected by TaintCheck
• Jump targets
• Format strings
• (both detected under the default policy)
Slide 4
Buffer overflow
char A[8] = "";
unsigned short B = 1979;
Slide 5
Buffer overflow
char A[8] = "";
unsigned short B = 1979;
strcpy(A, "excessive");
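The slide's example carried through in code, as an added illustration that is not part of the presentation or the paper: the two variables are placed in one struct so that B really does follow A in memory, a strcpy()-style copy of "excessive" is shown spilling its last two bytes into B, and a bounded copy beside it keeps B intact and reports the truncation. The struct layout, the function names and the cap that keeps the demonstration inside the struct are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>

/* The slide's two variables placed in one struct so that B follows A in memory, as the
 * slide's stack picture assumes, and so that the overrun stays inside a single object
 * (which keeps this demonstration defined C). Constructed for illustration. */
typedef struct {
    char A[8];
    unsigned short B;
} frame_t;

/* strcpy()-style copy into A: writes the whole source including its NUL, however long.
 * "excessive" is 10 bytes, so 8 land in A and the last 2 ('e', '\0') overwrite B.
 * Returns the value of B afterwards. */
static unsigned short copy_unbounded(const char *src) {
    frame_t f = { "", 1979 };
    size_t n = strlen(src) + 1;
    if (n > sizeof f) n = sizeof f;   /* keeps the demo inside the struct; a real strcpy has no such cap */
    memcpy(&f, src, n);
    return f.B;
}

/* Bounded copy: never writes more than cap bytes, always NUL-terminates, and reports
 * truncation instead of silently spilling into the neighbouring variable. */
static bool bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    bool truncated = n >= cap;
    if (truncated) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Same frame, bounded copy: B keeps its value regardless of the source length. */
static unsigned short copy_bounded(const char *src) {
    frame_t f = { "", 1979 };
    bounded_copy(f.A, sizeof f.A, src);
    return f.B;
}

/* Exposes the truncation flag so a caller can log or reject over-long input. */
static bool bounded_copy_truncates(const char *src) {
    char tmp[8];
    return bounded_copy(tmp, sizeof tmp, src);
}
```

copy_unbounded("excessive") returns whatever 'e' followed by a NUL byte decodes to as an unsigned short on the host (101 on little-endian machines), never 1979; copy_bounded("excessive") returns 1979 and bounded_copy_truncates("excessive") reports the loss.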
Slide 6
Heap Smashing
(figure: two adjacent heap nodes A and B, each with prev, next and DATA fields)
• overwrite the header section, then
• free() the node.
Slide 7
• freeing node B
• *(B.prev+shift) = B.next
• *(B.prev) == A
• *(B.prev+shift) == A.next
• A.next = B.next
• *(X+shift) = Y
• we can overwrite the header of node B to overwrite location (X+shift) with Y
(figure: three linked nodes, NODE A, NODE B and NODE C, each with prev, next and DATA fields)
Slide 8
Double free
• free() is called more than once with the same memory address.
• will lead to undefined behaviour
• corrupts internal data structures
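The unlink step behind the heap-smashing slides and the double-free slide, shown from the allocator's side as an added example (not code from the paper, the presentation, or any real allocator): a toy chunk list whose free() performs the same prev/next unlink that the slide turns into a *(X+shift) = Y write, but only after checking that both neighbours point back at the chunk, and which rejects a second free() of the same chunk. The chunk layout, the in_use flag, the sentinel-head list and the return codes are assumptions of this example; the consistency check is the same idea as glibc's "corrupted double-linked list" test.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy allocator chunk: a header (prev/next links) followed by user data, mirroring the
 * NODE A / NODE B / NODE C layout on the slides. Constructed for illustration only. */
typedef struct chunk {
    struct chunk *prev;
    struct chunk *next;
    bool in_use;             /* assumption: the toy allocator records this per chunk */
    char data[16];
} chunk_t;

/* Link chunks[0..n-1] into a circular doubly-linked list behind a sentinel head. */
static void link_chain(chunk_t *head, chunk_t *chunks, size_t n) {
    head->prev = head->next = head;
    head->in_use = false;
    for (size_t i = 0; i < n; i++) {
        chunk_t *c = &chunks[i];
        c->prev = head->prev;
        c->next = head;
        head->prev->next = c;
        head->prev = c;
        c->in_use = true;
    }
}

/* Unlink b from the list. The unchecked version does b->prev->next = b->next and
 * b->next->prev = b->prev unconditionally: with an overwritten header that is exactly
 * the *(X+shift) = Y write from the slide. The check below unlinks only if both
 * neighbours point back at b; like glibc's equivalent check it assumes prev and next
 * are at least readable addresses. */
static bool safe_unlink(chunk_t *b) {
    if (b->prev == NULL || b->next == NULL) return false;
    if (b->prev->next != b || b->next->prev != b) return false;
    b->prev->next = b->next;
    b->next->prev = b->prev;
    b->prev = b->next = NULL;
    return true;
}

/* Toy free(): 0 on success, -1 on a second free() of the same chunk, -2 if the header
 * was corrupted (the chunk is left linked and the write is not performed). */
static int toy_free(chunk_t *c) {
    if (!c->in_use) return -1;
    if (!safe_unlink(c)) return -2;
    c->in_use = false;
    return 0;
}

/* Scenario 1: an intact free of B succeeds and A and C now link to each other. */
static int scenario_normal_free(void) {
    chunk_t head, n[3];
    link_chain(&head, n, 3);
    int rc = toy_free(&n[1]);
    if (rc != 0) return rc;
    return (n[0].next == &n[2] && n[2].prev == &n[0]) ? 0 : 99;
}

/* Scenario 2: B's header has been overwritten (e.g. by an overrun out of A's data) so
 * that prev = X and next = Y. X and Y here are stand-in chunks rather than attacker
 * addresses; the check sees that neither points back at B and refuses the unlink. */
static int scenario_corrupted_header(void) {
    chunk_t head, n[3], x = {0}, y = {0};
    link_chain(&head, n, 3);
    n[1].prev = &x;
    n[1].next = &y;
    return toy_free(&n[1]);          /* -2, and x/y are untouched */
}

/* Scenario 3: freeing B twice; the second call is rejected instead of corrupting the list. */
static int scenario_double_free(void) {
    chunk_t head, n[3];
    link_chain(&head, n, 3);
    toy_free(&n[1]);
    return toy_free(&n[1]);          /* -1 */
}
```

The three scenario functions return 0, -2 and -1 respectively; the second one is the point of the slide: the write primitive only exists because the classic unlink trusts the header it is about to dereference.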
Slide 9
Format string attacks
• Format string attacks
• An attacker provides a malicious format string to trick the program into leaking data or into writing an attacker-chosen value to an attacker-chosen memory address.
• E.g., use of the %n, %s and %x format tokens
Slide 10
Format string attacks
• printf ("The magic number is: %d\n", 1911);
• printf ("a has value %d, b has value %d, c is at address: %08x\n",a, b, &c);
Slide 11
Format string attacks
printf ("a has value %d, b has value %d, c is at address: %08x\n",a, b, &c);
Slide 12
Format string attacks
printf ("a has value %d, b has value %d, c is at address: %08x\n",a, b);
Slide 13
Format string attacks
printf() does not know that it has run out of the arguments provided to it (but it will continue fetching data).
Slide 14
Format string attacks
int i;
printf ("12345%n", &i);
%n prints nothing, but writes the number of characters successfully written so far through the integer pointer argument.
Slide 15
Consider this
• printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
• printf ("%08x %08x %08x %08x %08x\n");
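The defensive counterpart to the format-string slides, as an added example that is not from the paper or the presentation: a small checker that counts the conversion directives in text that arrived from a client (the two "Consider this" strings count 12 and 5), the hardened logging form that passes such text as a %s argument so its directives are printed literally instead of consuming missing arguments, and the slide's %n example written into a buffer to show the count it stores. Function names and the "client said:" prefix are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives in a format string, treating "%%" as a literal percent.
 * For text that came from a client, any count above zero means printf() would start
 * fetching arguments the caller never passed (and, with %n, writing through them). */
static int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, not a directive */
        n++;
    }
    return n;
}

/* The hardened form of the "Consider this" calls: untrusted text travels as a %s
 * argument and is never the format itself, so its directives are printed literally.
 * Returns the number of characters snprintf() produced. */
static int log_safe(char *out, size_t cap, const char *untrusted) {
    return snprintf(out, cap, "client said: %s", untrusted);
}

/* Check that log_safe() reproduces the untrusted text verbatim, directives included. */
static int safe_log_keeps_literal(const char *untrusted) {
    char buf[128];
    log_safe(buf, sizeof buf, untrusted);
    return strstr(buf, untrusted) != NULL;
}

/* The %n example from the slides, written into a buffer instead of stdout: nothing is
 * printed for %n itself, but the count of characters produced so far (5) is stored in i. */
static int chars_written_by_percent_n(void) {
    char buf[32];
    int i = -1;
    snprintf(buf, sizeof buf, "12345%n", &i);
    return i;
}
```

count_conversions() is the kind of check a logging layer can apply before any untrusted string is allowed near a format argument; log_safe() is the fix itself, since with "%s" the content of the string can no longer change how many arguments are fetched.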
Slide 16
Attacks Detected by TaintCheck
typedef struct {
#define OPERAND_REG 0
#define OPERAND_MEM 1
#define OPERAND_NIC 2
#define OPERAND_DISK 3
char type;
char size;
uint8_t taint;
uint32_t addr;
uint8_t *records;
} taint_operand_t;
• OPERAND_REG
• OPERAND_MEM
• OPERAND_NIC
• OPERAND_DISK
Slide 17
Jump Targets
• The attacker alters the PC to point to existing code (existing code attack) or injected code (code injection attack)
• return addresses
• function pointers
• function pointer offsets
Slide 18
What if…
printf ("a has value %d, b has value %d, c is at address: %08x\n",a, b);
Slide 19
False Negative Analysis
• A false negative occurs if an attacker can cause sensitive data to take on a value without that data becoming tainted
• IIS translates ASCII input into Unicode via a table
• TaintCheck configured to trust inputs that should not be trusted
• Default configuration: don't trust data from a network socket
• Using condition flags
• if (x == 0) y = 0; else if (x == 1) y = 1; ...
Slide 20
False Positive Analysis
• Tainted data is used in an illegitimate way even when no attack is taking place.
• There are vulnerabilities in the program that need to be fixed
• e.g. using unchecked input as a format string
• use the Exploit Analyzer
• The program performs sanity checks on tainted data before it is used.
• e.g. using tainted data as a jump target after checking it is within expected bounds.
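The jump-target check, the two false-negative cases (table translation, condition flags) and the bounds-checked jump-table false positive from the last three slides, played out on a toy machine as an added example. This is a constructed simplification written for this page, not TaintCheck's code: one shadow taint byte per memory byte, taint carried by data movement, and a policy switch for whether a tainted index taints the result of a table lookup (the paper describes TaintCheck's own choice; the switch here exists only to show what each setting costs). Memory addresses, the 4-byte jump target at address 32, the table at 16..31, the input bytes and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 64

/* Toy machine: one shadow taint byte per memory byte. TaintCheck does this for real
 * x86 registers and memory under Valgrind; this is a constructed simplification. */
typedef struct {
    uint8_t mem[MEM_SIZE];
    uint8_t taint[MEM_SIZE];   /* 1 = value derived from untrusted input */
    bool taint_through_index;  /* policy switch: does a tainted index taint a lookup's result? */
} machine_t;

static void machine_init(machine_t *m, bool taint_through_index) {
    memset(m, 0, sizeof *m);
    m->taint_through_index = taint_through_index;
}

/* Bytes read from an untrusted source (a network socket under the default policy) are tainted. */
static void recv_input(machine_t *m, uint32_t dst, const uint8_t *data, uint32_t n) {
    memcpy(&m->mem[dst], data, n);
    memset(&m->taint[dst], 1, n);
}

/* Data movement carries the taint along with the data. */
static void mov(machine_t *m, uint32_t dst, uint32_t src, uint32_t n) {
    memmove(&m->mem[dst], &m->mem[src], n);
    memmove(&m->taint[dst], &m->taint[src], n);
}

/* Table lookup: mem[dst] = mem[table + mem[idx]]. The table is trusted program data,
 * so the loaded byte can only be tainted through the index, and only if the policy says so. */
static void lookup(machine_t *m, uint32_t dst, uint32_t table, uint32_t idx) {
    uint32_t src = table + m->mem[idx];
    m->mem[dst] = m->mem[src];
    m->taint[dst] = m->taint[src] | (m->taint_through_index ? m->taint[idx] : 0);
}

/* "if (x == 0) y = 0; else if (x == 1) y = 1; ...": every branch stores a constant, so
 * there is no data-flow edge from x to y and y stays untainted although the attacker
 * chose it. This is the condition-flag false negative from the slide. */
static void cond_copy(machine_t *m, uint32_t dst, uint32_t src) {
    uint8_t x = m->mem[src];
    m->mem[dst] = (x == 0) ? 0 : (x == 1) ? 1 : 2;
    m->taint[dst] = 0;
}

/* Jump-target check: the 4-byte target at target_addr may not carry taint. */
static bool jump_target_ok(const machine_t *m, uint32_t target_addr) {
    for (uint32_t i = 0; i < 4; i++)
        if (m->taint[target_addr + i]) return false;
    return true;
}

/* Scenario 1: input overruns into the saved return address at 32. Returns true if an alert fires. */
static bool scenario_return_address_alerts(void) {
    machine_t m; machine_init(&m, true);
    const uint8_t payload[4] = {0x41, 0x41, 0x41, 0x41};   /* constructed input */
    recv_input(&m, 0, payload, 4);
    mov(&m, 32, 0, 4);                                     /* the overflowing copy */
    return !jump_target_ok(&m, 32);
}

/* Scenario 2: IIS-style translation of input through a trusted table into 32..35, after
 * which the translated bytes are used as a jump target. */
static bool scenario_table_translation_alerts(bool taint_through_index) {
    machine_t m; machine_init(&m, taint_through_index);
    for (uint32_t i = 0; i < 16; i++) m.mem[16 + i] = (uint8_t)(0x40 + i); /* trusted table */
    const uint8_t in[4] = {1, 2, 3, 4};                                    /* constructed input */
    recv_input(&m, 0, in, 4);
    for (uint32_t i = 0; i < 4; i++) lookup(&m, 32 + i, 16, i);
    return !jump_target_ok(&m, 32);
}

/* Scenario 3: attacker-controlled bytes reach the jump target only via conditionals. */
static bool scenario_condition_flags_alerts(void) {
    machine_t m; machine_init(&m, true);
    const uint8_t in[4] = {0, 1, 1, 0};                                    /* constructed input */
    recv_input(&m, 0, in, 4);
    for (uint32_t i = 0; i < 4; i++) cond_copy(&m, 32 + i, i);
    return !jump_target_ok(&m, 32);
}

/* Scenario 4: a tainted index, bounds-checked by the program, selects a 4-byte entry of a
 * trusted jump table at 16..31 (entry k at 16 + 4k). A legitimate dispatch, yet a policy
 * that taints through the index flags it: the false positive from the slide. */
static bool scenario_checked_jump_table_alerts(bool taint_through_index) {
    machine_t m; machine_init(&m, taint_through_index);
    for (uint32_t k = 0; k < 4; k++) m.mem[16 + 4 * k] = (uint8_t)(0x10 * (k + 1));
    const uint8_t in[1] = {2};                                             /* constructed input */
    recv_input(&m, 0, in, 1);
    if (m.mem[0] >= 4) return false;          /* the program's own sanity check */
    m.mem[1] = (uint8_t)(m.mem[0] * 4);       /* scaled index: arithmetic keeps the taint */
    m.taint[1] = m.taint[0];
    for (uint32_t b = 0; b < 4; b++) lookup(&m, 32 + b, 16 + b, 1);
    return !jump_target_ok(&m, 32);
}
```

Each scenario returns whether the jump-target check raised an alert. Scenario 1 always alerts; scenario 3 never does, because no data flows from x to y; scenarios 2 and 4 flip together with the policy switch, which is the trade-off the two slides describe: closing the table-translation false negative by tainting through the index is what turns a bounds-checked jump table into a false positive.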
Slide 21 (no text extracted)
Slide 22
Evaluation
• 2.00 GHz Pentium 4, 512 MB RAM, running RedHat 8.0
• CPU-bound: bzip2
• Normal runtime: 8.2s
• Valgrind nullgrind: 3.1x
• Memcheck: 13.3x
• TaintCheck: 37.2x
• Short-lived: cfingerd
• Normal runtime: 0.0222s
• Valgrind nullgrind: 13x
• Memcheck: 32x
• TaintCheck: 36x
Slide 23
Evaluation
• Network I/O: Apache
Slide 24
TaintCheck Usage
• Individual usage: impractical
• performance overhead
• TaintCheck-enabled honeypots
• Use TaintCheck to monitor all of its network services, allowing it to verify whether requests that it receives are exploits before taking action.
• TaintCheck with OS randomization
• OS randomization causes the exploited application to crash
• Identify which request causes the exploited application to crash and generate a signature for the attack or block future requests.
• TaintCheck in a distributed environment
• Sites can share attack signatures to prevent further attacks.
Slide 25
OS randomisation
randomize parts of the operating system
• location of
• the stack
• the heap
• the system call interface
• the instruction set