[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery
2 likes2,426 views
The document discusses taint analysis for vulnerability discovery, addressing the identification of vulnerabilities in programs and the propagation of tainted data. It details how taint analysis can assist in exploit detection and finding zero-day vulnerabilities, alongside potential implementation strategies for tracking tainted objects in memory. The outline includes basic concepts, practical applications, and references to related work.
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery
- 1. Taint Analysis ForTaint Analysis For Vulnerability DiscoveryVulnerability Discovery passket # gmail.com http://passket.tistory.com 2010. 7. 3 www.CodeEngn.com 2010 4th CodeEngn ReverseEngineering Conference
- 2. Motivation Where are vulnerabilities ? How can you find the vulnerability ?How can you find the vulnerability ? Is there vulnerability in my program ? Where is my data in vulnerable program ?Unknown vulnerability in commodity program ? Does finding zero-day-vulnerablity make money ?
- 3. OutlineOutline • Basic Concepts • Tainted Propagation on x86 • Simple Test for TaintingSimple Test for Tainting • Into The Abyss : in the wild world • Future Work : Raison Framework • References• References
- 5. input data : xinput data : xinput data : xinput data : x functionfunction ddoutput data : youtput data : y And Now we call this “system”
- 6. modify data : we call this “tainting” input data : xinput data : xinput data : xinput data : x functionfunction ddoutput data : youtput data : y we can analysis how tainted output driven : we can call this “taint analysis”
- 7. How does taint analysis helpHow does taint analysis help Our works ? • Exploit Detections : - Find tainted EIP registerFind tainted EIP register - Find tainted Function Pointers - Find tainted Stack Arguments - Find tainted Data Structure using systemFind tainted Data Structure using system • Now we reverse upper follows • Finding Vulnerability
- 8. fOther benefits • Solve Reachability Problems - How can I makes PDF files to execute code block #937 in PDF reader ? • Zero-day Detection I l d h b l- Include other bug class • Helping Fuzzer Mutationsp g
- 9. Tainted Object • The Object from untrusted source untrusteduntrusted sourcesource untrusted data #1untrusted data #1 operationoperationoperationoperation untrusted data #2untrusted data #2
- 10. Tainted Object • The Object from untrusted operation, data untrusteduntrusted data #1data #1 untrusteduntrusted untrusted data #2untrusted data #2 operationoperation untrusteduntrusted datadata #3#3 trusted datatrusted data #3#3
- 11. Tainted Object • Untrusted Sources - Files, Inputs, Network Reads, ... • Tainted ObjectsTainted Objects - Memory Locations, Process Registers
- 12. Taint Propagation on x86
- 13. Taint Propagation • Taint Propagation is analysis for tainted object derivation activities. • If a tainted object X derive to Y “Y i th t i t d bj t”- we say “Y is the tainted object” - so, we assign this : X → T(Y) • Taint operation is transitive - X → T(Y), and Y → T(Z) then, X → T(Z)
- 14. Taint Propagation (Tainted Objects) memory addressmemory address (Tainted Objects) yy 0x0012FF700x0012FF70 ADDADD process registerprocess register EBXEBX process registerprocess register EAXEAX EBXEBX EAXEAX (untainted objects) (Tainted Objects)
- 15. Operation on x86Operation on x86 which derived in tainited • Assignment Operations - operation move X to Y • Arithmetical Operationsp - operation perfumes arithmatic calculus from X • Stack Push/Pop Operations - similar with Assignment Operationssimilar with Assignment Operations
- 16. Operation on x86Operation on x86 which derived in tainited • B l O ti• Boolean Operation - must consider if the result of the operation depend on the value of tainted object - ex) AND Operationex) AND Operation A(tainted) B A && B 0 0 0(untainted)( ) 0 1 0(untainted) 1 0 0(untainted) - special case : X xor X is always untainted 1 1 1(tainted)
- 17. Operation on x86Operation on x86 which derived in tainited • We analysis whole program process - Finally, if we find tainted special object, we find a new bugs - special object : EIP register, function pointers, etc.special object : EIP register, function pointers, etc.
- 18. implementations of propagation • Just trace using breakpointsg p - only memory locations • Just trace using exceptions - only memory locationsonly memory locations • How do we trace process registers ? - emulation or virtualization, It is only way to propagations
- 19. implementations of propagation • Aft fi t th t i t d bj t i t ti h t• After we figure out the tainted object, every instruction has to execute after emulation. - So, we can figure out new tainted object. • Or, register handler to process register using virtualizationOr, register handler to process register using virtualization - this requires fully implementation for cpu emulating and memory accessmemory access
- 20. Simple Test For Tainting
- 21. I h AbInto the Abyss : in the wild world
- 22. welcome to wild world! • P bl 1 ltith d• Problem 1 : multithread or message-driven • Problem II : a lot of logs • Problem III : still can’t find ?
- 23. for the real world tainting • Multithreaded or Message-Driven Program makes your fuzzer into hang overinto hang over - Cuz, There is no automated end of program - So, you make fully virtualization for program • Th f l• There are tons of log - Is it same with mutation fuzzing ?g - no waaaay, keep in going analysis tightly
- 24. tips for the real world tainting •• Using debugger : paimei is good for it • Construct your own emulation for programy p g • Sometimes just use other guy’s code - why not ? valgrind + wine + windows app. - concentrate your major subject : finding bugsconcentrate your major subject : finding bugs.
- 25. tips for the real world tainting • EX> Valgrind ls -al /
- 26. Extras
- 27. Raison Framework automated exploit framework still under-constructing.....
- 28. references - “LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks” - Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan zhou, Youfeng Wu - University of Illinois - “BitBlaze: A New Approach to Computer Security via Binary Analysis” - Dawn Song - “Dytan: A generic dynamic taint analysis framework” – James Clause, Wanchun Li, and Alessandro Orso.y g y y , , Georgia Institute of Technology. - “Understanding data lifetime via whole system emulation” – Jim Chow, Tal Garfinkel, Kevi Christopher, Mendel Rosenblum – USENIX – Stanford UniversityMendel Rosenblum USENIX Stanford University - “Taint analysis” - edgar barbosa, H2HC 2009 - “valgrind” http://valgrind org/- valgrind - http://valgrind.org/ - “paimei & pydbg” - http://pedram.redhive.com/PyDbg/docs/ - “PyEmu” - http://code.google.com/p/pyemu/ www.CodeEngn.com 2010 4th CodeEngn ReverseEngineering Conference