14. Inspection target (2): CVE-2013-4371
Use-after-free in the Xen hypervisor toolstack (libxl)
388 libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)
389 {
390     libxl_cpupoolinfo *ptr, *tmp;
...
397     poolid = 0;
398     for (i = 0;; i++) {
399         info = xc_cpupool_getinfo(ctx->xch, poolid);
400         if (info == NULL)
401             break;
402         tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
403         if (!tmp) {
404             LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
405             free(ptr);
406             xc_cpupool_infofree(ctx->xch, info);
407             return NULL;
408         }
409         ptr = tmp;
410         ptr[i].poolid = info->cpupool_id;
411         ptr[i].sched_id = info->sched_id;
412         ptr[i].n_dom = info->n_dom;
413         if (libxl_cpumap_alloc(ctx, &ptr[i].cpumap)) {
414             xc_cpupool_infofree(ctx->xch, info);
415             break;
416         }
417         memcpy(ptr[i].cpumap.map, info->cpumap, ptr[i].cpumap.size);
418         poolid = info->cpupool_id + 1;
419         xc_cpupool_infofree(ctx->xch, info);
realloc use-after-free vulnerability

CVE description: "Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors."

At line 402 the toolstack grows the result array with realloc. The block behind ptr was allocated on an earlier iteration of the loop, outside this statement, and is still live when realloc is called. Under memory pressure realloc cannot grow or relocate that block and returns NULL, leaving the original block untouched; the error path is then responsible for releasing ptr and must not hand it back to the caller. In the affected 4.2.x/4.3.x versions the original pointer is still returned after the failure path has freed it, so the caller's later reads or free of that array operate on released heap memory (the heap corruption and crash in the CVE text). Note that the failure branch in the excerpt above frees ptr and returns NULL; the affected versions' error path is what returns the freed pointer, so the exit path, not the realloc call itself, is the place to inspect.

Points that make this pattern worth flagging:
- a loop with a loose boundary (termination condition), for (i = 0;; i++), which makes it easy to apply allocation pressure
- realloc's return value is a pointer, and the original pointer stays live across the call
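Added example, not Xen's own code: a reduced model of the growth loop above with a fault-injecting realloc wrapper standing in for memory pressure. It puts the vulnerable shape the CVE text describes (the freed original pointer escapes to the caller) next to a hardened exit path. pool_info, grow_realloc, fake_getinfo, set_realloc_failure, list_pools_vuln and list_pools_fixed are constructed names for this example; the real libxl functions and xc_cpupool_getinfo are not used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for libxl_cpupoolinfo: only the scalar fields the
 * page's loop copies (no cpumap), so the example stays self-contained. */
typedef struct {
    uint32_t poolid;
    uint32_t sched_id;
    uint32_t n_dom;
} pool_info;

/* Fault injection in place of "memory pressure": the N-th call to
 * grow_realloc() returns NULL and leaves the old block untouched,
 * which is exactly the contract of a failing realloc(). */
static int g_fail_on_call;
static int g_calls;

void set_realloc_failure(int nth_call)   /* 0 = never fail */
{
    g_fail_on_call = nth_call;
    g_calls = 0;
}

static void *grow_realloc(void *p, size_t n)
{
    if (++g_calls == g_fail_on_call)
        return NULL;
    return realloc(p, n);
}

/* Constructed stand-in for xc_cpupool_getinfo(): pools 0..npools-1 exist. */
static int fake_getinfo(uint32_t poolid, int npools, pool_info *out)
{
    if (poolid >= (uint32_t)npools)
        return 0;
    out->poolid = poolid;
    out->sched_id = 6;          /* arbitrary constant */
    out->n_dom = poolid + 1;
    return 1;
}

/* Address of the array released on the error path, recorded so a caller
 * can show that the vulnerable version hands that same address back. */
uintptr_t g_last_freed;

/* Vulnerable shape, as the CVE text describes it: the buffer is freed on
 * realloc failure, but control falls through to the common exit that
 * still returns ptr, so the caller receives a dangling pointer and a
 * non-zero entry count. */
pool_info *list_pools_vuln(int npools, int *nb_pool)
{
    pool_info *ptr = NULL, *tmp, info;
    int i;

    for (i = 0;; i++) {
        if (!fake_getinfo((uint32_t)i, npools, &info))
            break;
        tmp = grow_realloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) {
            g_last_freed = (uintptr_t)ptr;
            free(ptr);
            goto out;               /* BUG: ptr is dangling from here on */
        }
        ptr = tmp;
        ptr[i] = info;
    }
out:
    *nb_pool = i;
    return ptr;                     /* freed memory escapes to the caller */
}

/* Hardened shape: release the partial array, report zero entries and
 * return NULL, so nothing the caller receives refers to freed memory. */
pool_info *list_pools_fixed(int npools, int *nb_pool)
{
    pool_info *ptr = NULL, *tmp, info;
    int i;

    for (i = 0;; i++) {
        if (!fake_getinfo((uint32_t)i, npools, &info))
            break;
        tmp = grow_realloc(ptr, (i + 1) * sizeof(*ptr));
        if (!tmp) {
            free(ptr);
            *nb_pool = 0;
            return NULL;
        }
        ptr = tmp;
        ptr[i] = info;
    }
    *nb_pool = i;
    return ptr;
}

int main(void)
{
    int n;
    set_realloc_failure(3);           /* third growth (pool 2) fails */
    pool_info *v = list_pools_vuln(5, &n);
    printf("vuln:  returned %p (freed block %p), count %d\n",
           (void *)v, (void *)g_last_freed, n);
    set_realloc_failure(3);
    pool_info *f = list_pools_fixed(5, &n);
    printf("fixed: returned %p, count %d\n", (void *)f, n);
    return 0;
}
```

The separate tmp variable in the page's code avoids leaking the old block when realloc fails, but it is not sufficient on its own: the failure branch also has to guarantee that neither the freed pointer nor a stale element count reaches the caller, which is what the hardened version does.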
15. Classification of inspection methods
■ Syntax-directed (Syntax Directed Translation)
- This translator consists of a parser (or grammar) with embedded actions that immediately generate output.
Regular expressions, finite automata
ITS4: a static vulnerability scanner for C and C++ code, ACSAC 2000
Chucky: exposing missing checks in source code for vulnerability discovery, CCS 2013
■ Rule-based (Rule Based Translation)
- Rule-based translators use the DSL of a particular rule engine to specify a set of "this goes to that" translation rules.
Transition rules, pushdown automata
Using programmer-written compiler extensions to catch security holes, IEEE S&P 2002
Checking system rules using system-specific, programmer-written compiler extensions, OSDI 2000
■ Model-driven (Model Driven Translation)
- From the input model, a translator can emit output directly, build up strings, build up templates (documents with "holes" in them where we can stick values), or build up specialized output objects.
Model checking, concolic execution
MOPS: an infrastructure for examining security properties of software, CCS 2002
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, OSDI 2008
16. LALR: bottom-up (shift-reduce) parsing by rightmost derivation
[Figure: parse tree for the loop header `for ( i = 0 ;; i ++ )` with a `{ }` body. The header decomposes into assign (i = 0), φ (empty condition) and increment (i++), which together are matched as "loop pattern C"; the loop block containing `realloc ( )` is matched through the statement / expression / block / pattern nonterminals.]
https://github.com/RuoAndo/Saturator/tree/master/Saturator-14
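Added example, not code from the Saturator repository linked above: a small syntax-directed check in C that does what the loop pattern on this slide describes, finding for-loops with an empty condition ("assign; φ; increment") whose brace body calls realloc, and reporting the line of the first hit. The input it scans is a constructed snippet modelled on the slide-14 loop. A real pass would run on the parser's token stream; this scanner works on raw text and does not skip comments or string literals, which is stated in the comments.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int is_ident(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Index of the bracket closing the one at src[open], or -1 if unbalanced. */
static int match_bracket(const char *src, int open, char o, char c)
{
    int depth = 0;
    for (int i = open; src[i]; i++) {
        if (src[i] == o)
            depth++;
        else if (src[i] == c && --depth == 0)
            return i;
    }
    return -1;
}

static int line_of(const char *src, int pos)
{
    int line = 1;
    for (int i = 0; i < pos; i++)
        if (src[i] == '\n')
            line++;
    return line;
}

/* The "assign; phi; increment" shape: nothing but whitespace between the
 * first and second ';' of the for-header. */
static int condition_is_empty(const char *hdr, int len)
{
    int first = -1;
    for (int i = 0; i < len; i++) {
        if (hdr[i] != ';')
            continue;
        if (first < 0) {
            first = i;
            continue;
        }
        for (int j = first + 1; j < i; j++)
            if (!isspace((unsigned char)hdr[j]))
                return 0;
        return 1;
    }
    return 0;
}

/* True if the token "realloc" occurs as a call inside src[from, to).
 * Comments and string literals are not skipped (text-level scan only). */
static int body_calls_realloc(const char *src, int from, int to)
{
    for (int i = from; i + 7 < to; i++) {
        if (strncmp(src + i, "realloc", 7) != 0)
            continue;
        if (i > 0 && is_ident(src[i - 1]))
            continue;
        int k = i + 7;
        while (k < to && isspace((unsigned char)src[k]))
            k++;
        if (k < to && src[k] == '(')
            return 1;
    }
    return 0;
}

/* Count for-loops with an empty condition whose brace body calls realloc.
 * The line of the first hit is stored in *first_line (when non-NULL). */
int find_unbounded_realloc_loops(const char *src, int *first_line)
{
    int hits = 0;
    const char *p = src;

    while ((p = strstr(p, "for")) != NULL) {
        int at = (int)(p - src);
        if ((at > 0 && is_ident(src[at - 1])) || is_ident(p[3])) {
            p += 3;                 /* "for" inside a longer identifier */
            continue;
        }
        int open = at + 3;
        while (isspace((unsigned char)src[open]))
            open++;
        if (src[open] != '(') {
            p += 3;
            continue;
        }
        int close = match_bracket(src, open, '(', ')');
        if (close < 0)
            break;
        int body = close + 1;
        while (isspace((unsigned char)src[body]))
            body++;
        if (src[body] != '{') {     /* single-statement bodies are not handled */
            p = src + close;
            continue;
        }
        int end = match_bracket(src, body, '{', '}');
        if (end < 0)
            break;
        if (condition_is_empty(src + open + 1, close - open - 1) &&
            body_calls_realloc(src, body, end)) {
            if (hits == 0 && first_line)
                *first_line = line_of(src, at);
            hits++;
        }
        p = src + end;
    }
    return hits;
}

/* Constructed input modelled on the slide-14 loop; line 4 is the hit. */
const char SAMPLE_SRC[] =
    "for (i = 0; i < n; i++) {\n"
    "    buf[i] = 0;\n"
    "}\n"
    "for (i = 0;; i++) {\n"
    "    info = getinfo(poolid);\n"
    "    if (info == NULL)\n"
    "        break;\n"
    "    tmp = realloc(ptr, (i + 1) * sizeof(*ptr));\n"
    "    if (!tmp)\n"
    "        break;\n"
    "    ptr = tmp;\n"
    "}\n";

int main(void)
{
    int line = 0;
    int hits = find_unbounded_realloc_loops(SAMPLE_SRC, &line);
    printf("%d unbounded loop(s) growing with realloc; first at line %d\n", hits, line);
    return 0;
}
```

The bounded loop on line 1 of the sample is deliberately not reported: the check keys on the empty middle clause, which is the "loose boundary" property the previous slide singles out, and only then looks for the realloc call in the body.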
17. Attack surface reduction: detecting deletable paths
# global -t cmdtable_lookup
cmdtable_lookup tools/libxl/xl_cmdtable.c 390

struct cmd_spec cmd_table[] = {
    ...
    { "list",
      &main_list,
      "List information about all/some domains",
      "[options] [Domain]\n",
      "-l, --long              Output all VM details\n"
      "-v, --verbose           Prints out UUIDs",
    },
    ...
    { "migrate-receive",
      &main_migrate_receive,
      "Restore a domain from a saved state",
      "- for internal use only",
    },
    ...
    { "cpupool-create",
      &main_cpupoolcreate,
      "Create a CPU pool based an ConfigFile",
      "[options] <ConfigFile> [vars]",
      "-h, --help                   Print this help.\n"
      "-f=FILE, --defconfig=FILE    Use the given configuration file.\n"
      "-n, --dryrun                 Dry run - prints the resulting configuration."
    },
    ...

Deletable path (callout on the table above: a cmd_table entry whose handler is reached only through cmdtable_lookup).
18. Per-version results: node, invocation and edge counts, and elapsed time (H M S = hours, minutes, seconds)
version  node   invocation  edge    H   M   S
xen401   1111   193297      7149    2   45  48
xen451   1792   406859      11513   6   5   27
xen420   1542   344695      9566    5   3   49
xen434   1630   367031      10077   5   28  54
xen403   1123   193480      7191    2   44  41
xen461   1783   435286      11795   6   41  25
xen441   1676   389811      10516   5   56  40
xen342   907    163628      5070    2   27  8
xen410   1302   195986      7977    2   54  28
xen343   908    163832      5082    2   26  36
xen453   1795   407036      11546   6   16  7
xen464   1783   436076      11809   6   34  9
xen341   906    163088      5036    2   28  40
xen412   1309   196290      8008    2   54  49
xen415   1384   197232      8560    2   57  32
xen471   2281   466237      16291   7   13  20
xen413   1310   196503      8024    2   56  9
xen340   906    1628849     7250    30  11  28
xen442   1679   389955      10554   5   47  17
xen480   2299   442614      15769   7   51  48
xen423   1550   345345      9670    5   12  36