Dynamic Taint Analysis for Automatic Detection,
Analysis, and Signature Generation of Exploits on
Commodity Software
James Newsome, Carnegie Mellon University
Dawn Song, Carnegie Mellon University
Network and Distributed Systems Security Symposium (NDSS), Feb 2005.
Outline
• Security analysis of TaintCheck
• Attacks Detected by TaintCheck
• False Negative Analysis
• False Positive Analysis
• Evaluation
• TaintCheck Usage
Attacks Detected by TaintCheck
• Jump targets
• Format strings
• (by the default policy)

Buffer overflow
    char A[8] = "";
    unsigned short B = 1979;
    strcpy(A, "excessive");   /* 9 characters plus the terminating NUL: 10 bytes into an 8-byte buffer */
The two extra bytes spill past the end of A into whatever follows it in memory; if B is laid out directly after A, B's bytes are overwritten.
Heap smashing
• Each heap node carries a header (prev, next) followed by DATA, and the nodes are kept on a doubly linked list: NODE A <-> NODE B <-> NODE C (diagram not reproduced).
• Overwrite the header of a node (e.g. by overflowing the DATA field of the node before it), then free() that node.
• Freeing node B unlinks it: *(B.prev + shift) = B.next, where shift is the offset of the next field inside the header.
• Normally B.prev points to A, so B.prev + shift is the address of A.next and the step is simply A.next = B.next.
• With a corrupted header the same step becomes *(X + shift) = Y: by writing X into B.prev and Y into B.next, the attacker overwrites location (X + shift) with Y, an arbitrary write.
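The unlink write-what-where above, as an added example (not code from the paper or from TaintCheck): a toy free-list node with the slide's prev/next/DATA layout, a corrupted header planted the way an overflow of the previous node's DATA would plant it, and the unlink step turning that into an arbitrary write. `slot` and `payload` are constructed stand-ins for the attacker's X (a function pointer or GOT entry) and Y (bytes already on the heap); the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy free-list node with the slide's prev/next/DATA layout. Allocators of the
 * period kept similar forward/back pointers inside freed chunks; the slide's
 * "shift" is offsetof(struct node, next) here. */
struct node {
    struct node *prev;
    struct node *next;
    char data[16];
};

/* The unlink step performed when a node is freed: stitch the neighbours
 * together using the pointers stored in the node's own header. */
static void unlink_node(struct node *b)
{
    b->prev->next = b->next;   /* *(B.prev + shift) = B.next */
    b->next->prev = b->prev;   /* *(B.next) = B.prev         */
}

/* Constructed targets. `slot` stands in for a function pointer or GOT entry the
 * attacker wants to redirect (X); `payload` stands in for attacker-supplied
 * bytes already in writable memory (Y). The union only guarantees alignment. */
static void *slot = NULL;
static union { struct node as_node; unsigned char bytes[32]; } payload;

/* Link A <-> B <-> C, corrupt B's header the way an overflow of A's DATA would,
 * free B, and report whether slot now points at payload. */
int demo_unlink_attack(void)
{
    struct node a, b, c;
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b); memset(&c, 0, sizeof c);
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;

    slot = NULL;
    memset(payload.bytes, 0x90, sizeof payload.bytes);   /* NOP sled stand-in */

    /* Attacker-controlled header: prev = X - shift, next = Y. */
    b.prev = (struct node *)((unsigned char *)&slot - offsetof(struct node, next));
    b.next = &payload.as_node;

    unlink_node(&b);   /* performs *(X + shift) = Y, i.e. slot = &payload */

    return slot == (void *)&payload;
}

/* The second unlink write stores X - shift into the first pointer-sized bytes
 * of payload. Returns 1 if those bytes were clobbered, which is why classic
 * unlink shellcode begins with a short jump over that spot. */
int demo_payload_clobbered(void)
{
    demo_unlink_attack();
    for (size_t i = 0; i < sizeof(void *); i++)
        if (payload.bytes[i] != 0x90)
            return 1;
    return 0;
}

int main(void)
{
    printf("slot redirected to payload: %s\n", demo_unlink_attack() ? "yes" : "no");
    printf("payload head clobbered:     %s\n", demo_payload_clobbered() ? "yes" : "no");
    return 0;
}
```

Under TaintCheck the corrupted prev/next values are tainted (they were copied from the overflowing input), so the unlink's use of them as pointers is where the default policy would raise an alert.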
Double free
• free() is called more than once with the same memory address.
• This is undefined behaviour and can corrupt the allocator's internal data structures (the same list headers as above).
Format string attacks
• An attacker provides a malicious format string to trick the program into leaking data or into writing an attacker-chosen value to an attacker-chosen memory address.
• E.g., use of the %n, %s and %x format tokens.

Format string attacks
    printf("The magic number is: %d\n", 1911);
    printf("a has value %d, b has value %d, c is at address: %08x\n", a, b, &c);
Both calls are fine: every conversion has a matching argument.

    printf("a has value %d, b has value %d, c is at address: %08x\n", a, b);
Here the third conversion has no argument. printf() does not know that it has run out of the arguments provided to it; it keeps fetching data from wherever the next argument would have been (the stack, on 32-bit x86), so the "address of c" printed is whatever happened to be stored there.

    int i;
    printf("12345%n", &i);
%n prints nothing, but writes the number of characters successfully written so far (here 5) into the int pointed to by its argument.

Consider this
    printf("%s%s%s%s%s%s%s%s%s%s%s%s");
    printf("%08x %08x %08x %08x %08x\n");
The first call treats successive argument slots as char pointers and dereferences them (crashing or leaking memory contents); the second prints five of those slots in hex. If the attacker controls the string, %n added to such a sequence turns the leak into a write through a pointer the attacker has planted.
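The two calling patterns side by side, as an added example rather than code from the paper: the vulnerable form passes tainted text as the format, the hardened form passes it only as a %s argument, and the %n demo is done with snprintf so the written count is observable. The function names and the sample attacker input are this example's own, and the directive scanner is a defender-side check, not how TaintCheck detects the attack (TaintCheck flags the call when the format argument itself is tainted).

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE: attacker-controlled text becomes the format string. If `user`
 * contains "%08x %08x" the call prints values from where printf expects its
 * arguments; with "%n" it writes a count through a pointer fetched the same
 * way. (Compilers warn about this with -Wformat-security.) */
void log_user_vulnerable(char *out, size_t outlen, const char *user)
{
    snprintf(out, outlen, user);
}

/* HARDENED: the format is a string literal and user text is only ever an
 * argument, so "%08x" in the input is copied verbatim, never interpreted. */
void log_user_safe(char *out, size_t outlen, const char *user)
{
    snprintf(out, outlen, "%s", user);
}

/* The %n write primitive from the slide, done into a local so it is
 * observable: after producing "12345", %n stores 5 through its pointer. */
int n_directive_demo(void)
{
    char buf[32];
    int written = -1;
    snprintf(buf, sizeof buf, "12345%n", &written);
    return written;
}

/* Cheap input check a defender can apply before tainted text gets anywhere
 * near a *printf format parameter: report any '%' that is not the escape "%%".
 * Note that "% d" (space flag) is a real directive, so a bare '%' counts. */
int has_format_directives(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Show that the hardened path leaves directives uninterpreted. */
int safe_path_keeps_text_literal(void)
{
    char out[64];
    const char *tainted = "%08x %08x %n";   /* constructed attacker input */
    log_user_safe(out, sizeof out, tainted);
    return strcmp(out, tainted) == 0;
}

int main(void)
{
    printf("%%n stored: %d\n", n_directive_demo());
    printf("directives in \"%%08x %%08x\": %d\n", has_format_directives("%08x %08x"));
    printf("directives in \"100%%%% done\": %d\n", has_format_directives("100%% done"));
    printf("safe path keeps text literal: %d\n", safe_path_keeps_text_literal());
    return 0;
}
```

The vulnerable function is never called with the constructed input here, since feeding it "%08x %08x %n" is undefined behaviour; it is shown only to make the difference from the hardened form visible.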
Attacks Detected by TaintCheck
    typedef struct {
    #define OPERAND_REG  0
    #define OPERAND_MEM  1
    #define OPERAND_NIC  2
    #define OPERAND_DISK 3
        char type;
        char size;
        uint8_t taint;
        uint32_t addr;
        uint8_t *records;
    } taint_operand_t;
• OPERAND_REG: register operand
• OPERAND_MEM: memory operand
• OPERAND_NIC: data arriving from the network interface
• OPERAND_DISK: data read from disk
Jump targets
• Alter the PC to point to existing code (existing-code attack) or to injected code (code-injection attack), via:
• return addresses
• function pointers
• function pointer offsets

What if…
    printf("a has value %d, b has value %d, c is at address: %08x\n", a, b);
False Negative Analysis
• A false negative occurs if an attacker can cause sensitive data to take on a value without that data becoming tainted.
• Table lookups: IIS translates ASCII input into Unicode via a table, so the translated value is a table entry rather than a copy of the tainted input.
• TaintCheck configured to trust inputs that should not be trusted (the default configuration does not trust data from a network socket).
• Information carried by condition flags instead of data movement:
    if (x == 0) y = 0; else if (x == 1) y = 1; ...
  y ends up equal to x, but every store into y is a constant, so no tainted byte ever flows into it.
False Positive Analysis
• Tainted data is used in an illegitimate way even though no attack is taking place.
• Case 1: the program really is vulnerable and needs to be fixed, e.g. it uses unchecked input as a format string; use the Exploit Analyzer to confirm.
• Case 2: the program performs sanity checks on tainted data before using it, e.g. it uses tainted data as a jump target after checking that it is within expected bounds; the data is still tainted, so TaintCheck raises an alert anyway.
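The false-negative cases (table lookup, copy via condition flags) and the false-positive case (bounds-checked tainted index) from the two slides above, played out in a miniature taint tracker. This is an added example, not TaintCheck's code: a 64-byte memory with one shadow byte per location, a handful of propagation rules, and a jump-target check that alerts on any tainted operand. The policy switch for table lookups, the translation table and the tainted input byte are all constructed for the demo; whether TaintCheck itself taints lookup results is a configuration question the slides do not settle, so the switch is shown both ways.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 64-byte "memory" with one shadow byte per location, in the spirit of the
 * uint8_t taint field in taint_operand_t above. Constructed for this demo. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];
static uint8_t taint[MEM_SIZE];

/* Policy switch (this demo's own): does a load with a tainted index taint the
 * loaded value? */
static int taint_table_lookups = 0;

/* Data-movement and arithmetic rules: the result is tainted iff any source is. */
static void t_mov(int dst, int src)               { mem[dst] = mem[src];          taint[dst] = taint[src]; }
static void t_add(int dst, int a, int b)          { mem[dst] = mem[a] + mem[b];   taint[dst] = taint[a] | taint[b]; }
static void t_and(int dst, int src, uint8_t mask) { mem[dst] = mem[src] & mask;   taint[dst] = taint[src]; }

/* Table lookup: mem[dst] = table[mem[idx]]. The value stored in dst is a table
 * entry, not a copy of the tainted input, so whether dst becomes tainted is
 * purely a matter of policy. */
static void t_lookup(int dst, int table, int idx)
{
    int entry = table + mem[idx];
    mem[dst] = mem[entry];
    taint[dst] = taint[entry] | (taint_table_lookups ? taint[idx] : 0);
}

/* The slide's "if (x == 0) y = 0; else if (x == 1) y = 1; ..." pattern: y ends
 * up equal to x, but every store into y is a constant, so no tainted byte ever
 * reaches y through data movement. */
static void t_copy_via_branches(int dst, int src)
{
    uint8_t y = 0;
    for (int k = 0; k < 256; k++)
        if (mem[src] == k) y = (uint8_t)k;   /* the condition flags carry the information */
    mem[dst] = y;
    taint[dst] = 0;                          /* constant store: untainted */
}

/* Detection rule for jump targets: alert iff the operand is tainted. */
static int check_jump_target(int addr) { return taint[addr] != 0; }

/* Network input arrives tainted (default policy); everything else starts clean. */
static void reset(void)
{
    memset(mem, 0, sizeof mem);
    memset(taint, 0, sizeof taint);
    for (int i = 16; i < 32; i++) mem[i] = (uint8_t)(i * 2);  /* constructed translation table at 16..31 */
    mem[0] = 7; taint[0] = 1;                                  /* byte 0: received from the NIC */
}

/* False negative 1: input translated through a table, as in the IIS example.
 * Returns 1 if the jump-target check fires on the translated value. */
int table_lookup_alerts(int policy)
{
    reset();
    taint_table_lookups = policy;
    t_lookup(40, 16, 0);                 /* mem[40] = table[mem[0]] */
    return check_jump_target(40);
}

/* False negative 2: value copied through branches (condition flags). */
int branch_copy_alerts(void)
{
    reset();
    t_copy_via_branches(41, 0);
    return check_jump_target(41);        /* mem[41] == mem[0], but never tainted */
}

/* Plain data movement: taint follows the value through mov and add. */
int direct_copy_alerts(void)
{
    reset();
    t_mov(42, 0);
    t_add(43, 42, 42);
    return check_jump_target(43);
}

/* False positive: the program masks the tainted index into bounds before using
 * it as a jump target. The value is safe now, but still tainted, so the rule
 * above alerts anyway. */
int bounds_checked_index_alerts(void)
{
    reset();
    t_and(44, 0, 0x03);                  /* index limited to 0..3 */
    return check_jump_target(44);
}

int main(void)
{
    printf("table lookup, lookups untainted: %d\n", table_lookup_alerts(0));
    printf("table lookup, lookups tainted:   %d\n", table_lookup_alerts(1));
    printf("copy via branches:               %d\n", branch_copy_alerts());
    printf("direct copy + add:               %d\n", direct_copy_alerts());
    printf("masked into bounds:              %d\n", bounds_checked_index_alerts());
    return 0;
}
```

The branch-copy case is the one no data-flow policy fixes: closing it needs control-dependence tracking, which is exactly the trade-off the false-negative slide is pointing at.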
Evaluation
• 2.00 GHz Pentium 4, 512 MB RAM, running RedHat 8.0
• Slowdown relative to normal runtime:

    Benchmark               Normal runtime   Valgrind nullgrind   Memcheck   TaintCheck
    bzip2 (CPU-bound)       8.2 s            3.1x                 13.3x      37.2x
    cfingerd (short-lived)  0.0222 s         13x                  32x        36x

Evaluation
• Network I/O: Apache
TaintCheck Usage
• Individual usage: impractical because of the performance overhead.
• TaintCheck-enabled honeypots: use TaintCheck to monitor all of the honeypot's network services, allowing it to verify whether the requests it receives are exploits before taking action.
• TaintCheck with OS randomization: OS randomization causes an exploited application to crash; TaintCheck then identifies which request caused the crash and generates a signature for the attack or blocks future requests.
• TaintCheck in a distributed environment: sites can share attack signatures to prevent further attacks.

OS randomisation
Randomize parts of the operating system, e.g. the location of
• the stack
• the heap
• the system call interface
• the instruction set