Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software James Newsome Carnegie Mellon University Dawn Song Carnegie Mellon University Network and Distributed Systems Security Symposium (NDSS), Feb 2005.


Page 1

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

James Newsome, Carnegie Mellon University
Dawn Song, Carnegie Mellon University

Network and Distributed Systems Security Symposium (NDSS), Feb 2005.

Page 2

Outline

• Security analysis of TaintCheck
• Attacks Detected by TaintCheck
• False Negative Analysis
• False Positive Analysis
• Evaluation
• TaintCheck Usage

Page 3

Attacks Detected by TaintCheck

• Jump targets
• Format string
• (by default policy)

Page 4

Buffer overflow

    char A[8] = "";
    unsigned short B = 1979;

Page 5

Buffer overflow

    #include <string.h>

    char A[8] = "";
    unsigned short B = 1979;
    strcpy(A, "excessive");   /* 9 characters plus the terminator: 10 bytes into an 8-byte buffer, spilling past A */

Page 6

Heap Smashing

[Diagram: two adjacent free-list nodes A and B, each with prev and next header fields followed by DATA]

• overwrite the header section, then
• free() the node.

Page 7

• freeing node B:
• *(B.prev + shift) = B.next
• *(B.prev) == A, *(B.prev + shift) == A.next, so A.next = B.next
• in general, *(X + shift) = Y: we can overwrite the header of node B to overwrite location (X + shift) with Y

[Diagram: nodes A, B and C, each with prev, next and DATA fields]
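Added example, not code from the paper or these slides: the free-list unlink described on pages 6 and 7, first as the unchecked write and then with the neighbour check a hardened allocator applies before unlinking, so a tampered header is refused instead of becoming a write of Y to X + shift. The node layout, the list and the corruption in the second scenario are constructed for illustration.

```c
#include <stddef.h>

/* Free-list node laid out as in the slides' diagram: header (prev, next), then data. */
typedef struct node { struct node *prev, *next; unsigned char data[16]; } node_t;

static node_t *head;   /* circular list: head->next is the first node, head->prev the last */

static void list_init(node_t *sentinel) { head = sentinel; head->prev = head->next = head; }
static void list_insert(node_t *n) {       /* insert n directly after head */
    n->prev = head; n->next = head->next;
    head->next->prev = n; head->next = n;
}
/* The naive unlink is exactly the write primitive of page 7:
 *   *(B.prev + shift) = B.next   and   *(B.next) = B.prev   (shift = offset of next) */
static void unlink_unchecked(node_t *b) { b->prev->next = b->next; b->next->prev = b->prev; }

/* Hardened unlink: both neighbours must still point back at b, otherwise the header
 * has been rewritten and nothing is written. Returns 1 on success, 0 if refused. */
static int unlink_checked(node_t *b) {
    if (b->prev->next != b || b->next->prev != b) return 0;   /* corrupted double-linked list */
    unlink_unchecked(b);
    b->prev = b->next = NULL;
    return 1;
}
static int list_length(void) {
    int n = 0;
    for (node_t *p = head->next; p != head; p = p->next) n++;
    return n;
}
/* Constructed scenarios: list A, B, C (A first). */
static int scenario_clean_free(void) {       /* expected 1: B is unlinked, A and C remain */
    static node_t s, a, b, c;
    list_init(&s); list_insert(&c); list_insert(&b); list_insert(&a);
    return unlink_checked(&b) == 1 && list_length() == 2;
}
static int scenario_corrupted_header(void) { /* expected 1: tampered B.prev is refused */
    static node_t s, a, b, c;
    list_init(&s); list_insert(&c); list_insert(&b); list_insert(&a);
    b.prev = &c;                             /* constructed corruption of B's header */
    return unlink_checked(&b) == 0 && list_length() == 3;
}
```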

Page 8

Double free

• free() is called more than once with the same memory address.
• This leads to undefined behaviour
• corrupts internal data structures

Page 9

Format string attacks

• Format string attacks
• an attacker provides a malicious format string to trick the program into leaking data or into writing an attacker-chosen value to an attacker-chosen memory address.
• E.g., use of the %n, %s and %x format tokens

Page 10

Format string attacks

• printf ("The magic number is: %d\n", 1911);
• printf ("a has value %d, b has value %d, c is at address: %08x\n", a, b, &c);

Page 11

Format string attacks

printf ("a has value %d, b has value %d, c is at address: %08x\n", a, b, &c);

Page 12

Format string attacks

printf ("a has value %d, b has value %d, c is at address: %08x\n", a, b);


Page 13

Format string attacks

printf() does not know when it has run out of the arguments provided to it, but it keeps fetching data for each remaining conversion specifier.

Page 14

Format string attacks

    int i;
    printf ("12345%n", &i);

%n prints nothing, but writes the number of characters successfully written so far (5 here) into the integer that the pointer argument points to.

Page 15

Consider this

• printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
• printf ("%08x %08x %08x %08x %08x\n");

Page 16

Attacks Detected by TaintCheck

    #include <stdint.h>

    typedef struct {
    #define OPERAND_REG  0
    #define OPERAND_MEM  1
    #define OPERAND_NIC  2
    #define OPERAND_DISK 3
        char type;          /* one of the OPERAND_* kinds above */
        char size;          /* operand size */
        uint8_t taint;      /* taint flag for this operand */
        uint32_t addr;      /* operand address */
        uint8_t *records;   /* this operand's taint records */
    } taint_operand_t;

• OPERAND_REG
• OPERAND_MEM
• OPERAND_NIC
• OPERAND_DISK

Page 17

Jump Targets

• Altering the PC to point to existing code (existing-code attack) or injected code (code-injection attack), via:
• return addresses
• function pointers
• function pointer offsets

Page 18

What if…

printf ("a has value %d, b has value %d, c is at address: %08x\n", a, b);

Page 19

False Negative Analysis

• A false negative occurs if an attacker can cause sensitive data to take on a value without that data becoming tainted
• IIS translates ASCII input into Unicode via a table
• configured to trust inputs that should not be trusted
• Default configuration: don't trust data from a network socket
• Using condition flags
• if (x == 0) y = 0; else if (x == 1) y = 1; ...
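Added example, not TaintCheck's code: a toy byte-level shadow-memory tracker that uses the operand tags from page 16, raises the two default-policy alerts (a tainted jump target, page 17, and a tainted format string, pages 9 to 15), and reproduces the two page-19 false negatives, the table lookup and the branch-based copy. The 64-byte memory, the packet bytes and the scenarios are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Operand tags from the paper's taint_operand_t; only OPERAND_NIC is a source here. */
enum { OPERAND_REG, OPERAND_MEM, OPERAND_NIC, OPERAND_DISK };
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];    /* toy program memory (constructed) */
static uint8_t taint[MEM_SIZE];  /* one shadow byte per memory byte, 0 = clean */
static void reset_machine(void) { memset(mem, 0, MEM_SIZE); memset(taint, 0, MEM_SIZE); }
/* Bytes read from a network socket are tainted at the source (default policy). */
static void recv_nic(uint32_t dst, const uint8_t *buf, uint32_t len) {
    for (uint32_t i = 0; i < len; i++) { mem[dst + i] = buf[i]; taint[dst + i] = OPERAND_NIC; }
}
/* Copies and arithmetic carry the taint of their operands to the result. */
static void mov(uint32_t dst, uint32_t src, uint32_t len) {
    memmove(mem + dst, mem + src, len); memmove(taint + dst, taint + src, len);
}
static void add_imm(uint32_t dst, uint8_t k) { mem[dst] = (uint8_t)(mem[dst] + k); }
/* dst = table[mem[idx]]: the result takes the table entry's taint, not the index's,
 * so a clean translation table fed attacker bytes yields clean output (the IIS case). */
static void load_indexed(uint32_t dst, uint32_t table, uint32_t idx) {
    mem[dst] = mem[table + mem[idx]]; taint[dst] = taint[table + mem[idx]];
}
/* "if (x == 0) y = 0; else if (x == 1) y = 1; ...": y ends up equal to x but is
 * written as a constant chosen by control flow, which data-flow taint does not follow. */
static void copy_via_branches(uint32_t y, uint32_t x) {
    uint8_t v = 0;
    while (v != mem[x]) v++;
    mem[y] = v; taint[y] = 0;
}
/* Checks applied at the point of use; 1 means TaintCheck would raise an alert. */
static int check_jump_target(uint32_t loc, uint32_t width) {
    for (uint32_t i = 0; i < width; i++) if (taint[loc + i]) return 1;
    return 0;
}
static int check_format_string(uint32_t fmt) {
    for (uint32_t i = fmt; i < MEM_SIZE && mem[i]; i++) if (taint[i]) return 1;
    return 0;
}
/* Constructed scenarios over constructed "network" bytes; each returns the verdict. */
static const uint8_t pkt[4] = { 0x05, 0x03, '%', 'x' };
static int scenario_return_address(void) {   /* tainted bytes copied, adjusted, used by ret: 1 */
    reset_machine(); recv_nic(0, pkt, 4); mov(16, 0, 4); add_imm(16, 0x10); return check_jump_target(16, 4); }
static int scenario_table_lookup(void) {     /* tainted index 5 into a clean 16-byte table: 0 */
    reset_machine(); memset(mem + 32, 0xAA, 16); recv_nic(0, pkt, 1); load_indexed(24, 32, 0); return check_jump_target(24, 1); }
static int scenario_branch_copy(void) {      /* value 3 copied through branches: 0 */
    reset_machine(); recv_nic(0, pkt + 1, 1); copy_via_branches(8, 0); return check_jump_target(8, 1); }
static int scenario_format_string(void) {    /* "%x" from the socket used as the format: 1 */
    reset_machine(); recv_nic(40, pkt + 2, 2); return check_format_string(40); }
```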

Page 20

False Positive Analysis

• Tainted data is used in an illegitimate way even when no attack is taking place.
• The program has vulnerabilities that need to be fixed
• using unchecked input as a format string
• use the Exploit Analyzer
• The program performs sanity checks on tainted data before it is used.
• using tainted data as a jump target after checking it is within expected bounds.

Page 21

Page 22

Evaluation

• 2.00 GHz Pentium 4, 512 MB RAM, running RedHat 8.0
• CPU-bound: bzip2
• Normal runtime: 8.2s
• Valgrind nullgrind: 3.1x
• Memcheck: 13.3x
• TaintCheck: 37.2x
• Short-lived: cfingerd
• Normal runtime: 0.0222s
• Valgrind nullgrind: 13x
• Memcheck: 32x
• TaintCheck: 36x

Page 23

Evaluation

• Network I/O: Apache

Page 24

TaintCheck Usage

• Individual usage: impractical
• performance overhead
• TaintCheck-enabled honeypots
• Use TaintCheck to monitor all of its network services, allowing it to verify whether the requests it receives are exploits before taking action.
• TaintCheck with OS randomization
• OS randomization causes the exploited application to crash
• Identify which request caused the exploited application to crash and generate a signature for the attack or block future requests.
• TaintCheck in a distributed environment
• Sites can share attack signatures to prevent further attacks.

Page 25

OS randomisation: randomize parts of the operating system

• location of:
• the stack
• the heap
• the system call interface
• the instruction set