[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery
•
2 gefällt mir•2,419 views
2010 CodeEngn Conference 04 프로그램을 개발함에 있어서 취약점이란 언제나 존재하기 마련이다. 취약점을 찾거나 공략하는 일에 자신의 모든것을 투자하는 해커들에게 있어서, 프로그램 안에 취약점은 반드시 어딘가 “숨어”있는 것이다. 이런 숨어있는 취약점들을 찾기 위해 많은 해커들이 자신만의 노하우를 가지고 있다. 이 발표에서는 이런 수 많은 노하우들 중에 Taint Analysis를 통해 입력된 데이타들이 어떤 경로를 가지고 프로그램내에서 변조되는지에 대한 분석기법을 이야기한다. 기존의 Mutation 이나 Diffing 기반의 단순한 취약점 진단 기법들을 지나서 입력 데이터의 Life Cycle과 변조된 입력 데이터가 어떻게 프로그램의 영향을 미쳐 취약점을 유도하는지, 혹은 변조된 데이터를 기반으로 알려지지 않은 Zeroday 공격들을 탐지할 수 있는 기법들을 설명한다. 또한, Taint Analysis를 통해 효율적인 Fuzzer를 구성하는 방법에 대해 설명한다. http://codeengn.com/conference/04
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie [2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery
Ähnlich wie [2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery (20)
Mehr von GangSeok Lee
Mehr von GangSeok Lee (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery
- 1. Taint Analysis ForTaint Analysis For Vulnerability DiscoveryVulnerability Discovery passket # gmail.com http://passket.tistory.com 2010. 7. 3 www.CodeEngn.com 2010 4th CodeEngn ReverseEngineering Conference
- 2. Motivation Where are vulnerabilities ? How can you find the vulnerability ?How can you find the vulnerability ? Is there vulnerability in my program ? Where is my data in vulnerable program ?Unknown vulnerability in commodity program ? Does finding zero-day-vulnerablity make money ?
- 3. OutlineOutline • Basic Concepts • Tainted Propagation on x86 • Simple Test for TaintingSimple Test for Tainting • Into The Abyss : in the wild world • Future Work : Raison Framework • References• References
- 5. input data : xinput data : xinput data : xinput data : x functionfunction ddoutput data : youtput data : y And Now we call this “system”
- 6. modify data : we call this “tainting” input data : xinput data : xinput data : xinput data : x functionfunction ddoutput data : youtput data : y we can analysis how tainted output driven : we can call this “taint analysis”
- 7. How does taint analysis helpHow does taint analysis help Our works ? • Exploit Detections : - Find tainted EIP registerFind tainted EIP register - Find tainted Function Pointers - Find tainted Stack Arguments - Find tainted Data Structure using systemFind tainted Data Structure using system • Now we reverse upper follows • Finding Vulnerability
- 8. fOther benefits • Solve Reachability Problems - How can I makes PDF files to execute code block #937 in PDF reader ? • Zero-day Detection I l d h b l- Include other bug class • Helping Fuzzer Mutationsp g
- 9. Tainted Object • The Object from untrusted source untrusteduntrusted sourcesource untrusted data #1untrusted data #1 operationoperationoperationoperation untrusted data #2untrusted data #2
- 10. Tainted Object • The Object from untrusted operation, data untrusteduntrusted data #1data #1 untrusteduntrusted untrusted data #2untrusted data #2 operationoperation untrusteduntrusted datadata #3#3 trusted datatrusted data #3#3
- 11. Tainted Object • Untrusted Sources - Files, Inputs, Network Reads, ... • Tainted ObjectsTainted Objects - Memory Locations, Process Registers
- 12. Taint Propagation on x86
- 13. Taint Propagation • Taint Propagation is analysis for tainted object derivation activities. • If a tainted object X derive to Y “Y i th t i t d bj t”- we say “Y is the tainted object” - so, we assign this : X → T(Y) • Taint operation is transitive - X → T(Y), and Y → T(Z) then, X → T(Z)
- 14. Taint Propagation (Tainted Objects) memory addressmemory address (Tainted Objects) yy 0x0012FF700x0012FF70 ADDADD process registerprocess register EBXEBX process registerprocess register EAXEAX EBXEBX EAXEAX (untainted objects) (Tainted Objects)
- 15. Operation on x86Operation on x86 which derived in tainited • Assignment Operations - operation move X to Y • Arithmetical Operationsp - operation perfumes arithmatic calculus from X • Stack Push/Pop Operations - similar with Assignment Operationssimilar with Assignment Operations
- 16. Operation on x86Operation on x86 which derived in tainited • B l O ti• Boolean Operation - must consider if the result of the operation depend on the value of tainted object - ex) AND Operationex) AND Operation A(tainted) B A && B 0 0 0(untainted)( ) 0 1 0(untainted) 1 0 0(untainted) - special case : X xor X is always untainted 1 1 1(tainted)
- 17. Operation on x86Operation on x86 which derived in tainited • We analysis whole program process - Finally, if we find tainted special object, we find a new bugs - special object : EIP register, function pointers, etc.special object : EIP register, function pointers, etc.
- 18. implementations of propagation • Just trace using breakpointsg p - only memory locations • Just trace using exceptions - only memory locationsonly memory locations • How do we trace process registers ? - emulation or virtualization, It is only way to propagations
- 19. implementations of propagation • Aft fi t th t i t d bj t i t ti h t• After we figure out the tainted object, every instruction has to execute after emulation. - So, we can figure out new tainted object. • Or, register handler to process register using virtualizationOr, register handler to process register using virtualization - this requires fully implementation for cpu emulating and memory accessmemory access
- 20. Simple Test For Tainting
- 21. I h AbInto the Abyss : in the wild world
- 22. welcome to wild world! • P bl 1 ltith d• Problem 1 : multithread or message-driven • Problem II : a lot of logs • Problem III : still can’t find ?
- 23. for the real world tainting • Multithreaded or Message-Driven Program makes your fuzzer into hang overinto hang over - Cuz, There is no automated end of program - So, you make fully virtualization for program • Th f l• There are tons of log - Is it same with mutation fuzzing ?g - no waaaay, keep in going analysis tightly
- 24. tips for the real world tainting •• Using debugger : paimei is good for it • Construct your own emulation for programy p g • Sometimes just use other guy’s code - why not ? valgrind + wine + windows app. - concentrate your major subject : finding bugsconcentrate your major subject : finding bugs.
- 25. tips for the real world tainting • EX> Valgrind ls -al /
- 26. Extras
- 27. Raison Framework automated exploit framework still under-constructing.....
- 28. references - “LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks” - Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan zhou, Youfeng Wu - University of Illinois - “BitBlaze: A New Approach to Computer Security via Binary Analysis” - Dawn Song - “Dytan: A generic dynamic taint analysis framework” – James Clause, Wanchun Li, and Alessandro Orso.y g y y , , Georgia Institute of Technology. - “Understanding data lifetime via whole system emulation” – Jim Chow, Tal Garfinkel, Kevi Christopher, Mendel Rosenblum – USENIX – Stanford UniversityMendel Rosenblum USENIX Stanford University - “Taint analysis” - edgar barbosa, H2HC 2009 - “valgrind” http://valgrind org/- valgrind - http://valgrind.org/ - “paimei & pydbg” - http://pedram.redhive.com/PyDbg/docs/ - “PyEmu” - http://code.google.com/p/pyemu/ www.CodeEngn.com 2010 4th CodeEngn ReverseEngineering Conference