6. The one of the data tracing
Taint sources:
Network, Keyboard, Memory, Disk,
Function outputs
• Taint propagation: a data flow technique
Shadow memory
Whole-system
Across register/memory/disk/swapping
8. Taint propagation
•If an operation uses the value of some
tainted object, say X, to derive a value
for another, say Y, then object Y becomes
tainted. Object X tainted the object Y
•Taint operator t
•X→ t(Y)
•Taint operator is transitive
X → t(Y) and Y→ t(Z), then X→ t(Z)
9. Static Taint Analysis
Analysis performed over multiple paths
of a program
* Typically performed on a control flow
graph (CFG):
statements are nodes, and there is an
edge between nodes if there is a
possible transfer of control.
10.
11.
12. BitBlaze: Binary Analysis
Infrastructure
Automatically extracting security-related properties from
binary code
Build a unified binary analysis platform for security
- Static analysis + Dynamic analysis + Symbolic Analysis
- Leverages recent advances in program analysis, formal
methods, binary instrumentation…
Solve security problems via binary analysis
• More than a dozen different security applications
• Over 25 research publications
16. Create trace with the network service:
$sudo ./tracecap/temu -m 256 -net nic,vlan=0 -net tap,vlan=0,script=/etc/qemu-ifup -monitor stdio winxp.img
(qemu) load_plugin tracecap/tracecap.so
general/trace_only_after_first_taint is enabled.
general/log_external_calls is disabled.
general/write_ops_at_insn_end is enabled.
general/save_state_at_trace_stop is disabled.
tracing/tracing_table_lookup is enabled.
tracing/tracing_tainted_only is disabled.
tracing/tracing_single_thread_only is disabled.
tracing/tracing_kernel is disabled.
tracing/tracing_kernel_tainted is disabled.
tracing/tracing_kernel_partial is disabled.
network/ignore_dns is disabled.
Enabled: 0x00 Proto: 0x00 Sport: 0 Dport: 0 Src: 0.0.0.0 Dst: 0.0.0.0
Loading plugin options from: SRC_PATH/tracecap/ini/hook_plugin.ini
Loading plugins from: SRC_PATH/shared/hooks/hook_plugins
tracecap/tracecap.so is loaded successfully!
(qemu) enable_emulation
Emulation is now enabled
(qemu) taint_nic 1
(qemu) tracebyname "FileZilla_server.exe" /traces/file_zilla
(Посылаем данные по сети)
(qemu) Time of first tainted data: 1289487729.962905
(qemu) trace_stop
20. Taint
T0 - means that the statement did not tainted.
T1 - means that the instruction tainted in curly brackets can be seen
that there tainted and what it depends.
Here's an example of:
fc32dcec: rep stos% eax,% es: (% edi) R @ eax [0x00000000] [4] (R)
T0 R @ ecx [0x00000001] [4] (RCW) T0 M @ 0xfb7bfffc [0x00000000]
[4] (CW) T1 {15 (1231, 628) (1231, 629) (1231, 630) (1231, 631)}
One can see that 4 bits of information tainted and they depend on
the offset: 628, 629, 630, 631. 1231 - this number (name).
21. appreplay
./vine-1.0/trace_utils/appreplay -trace font.trace -ir-
out font.trace.il -assertion-on-var false-use-post-var
false
where:
appreplay - ocaml script that we run;
-trace - the way to the trace;
-ir-out - the path to which we write IL code.
-assertion-on-var false-use-post-var false - flags that
show the format of IL code for this to false makes it
more readable text.
22. var R_EBP_0:reg32_t;
Example of IL code: var R_ESP_1:reg32_t;
var R_ESI_2:reg32_t;
var R_EDI_3:reg32_t;
var R_EIP_4:reg32_t;
var R_EAX_5:reg32_t;
var R_EBX_6:reg32_t;
Begins with the declaration of variables: var R_ECX_7:reg32_t;
var R_EDX_8:reg32_t;
INPUT - it's free memory cells, those that var EFLAGS_9:reg32_t;
are tested in the very beginning (back in var R_CF_10:reg1_t;
temu), input into the program from an var R_PF_11:reg1_t;
external source. var R_AF_12:reg1_t;
var R_ZF_13:reg1_t;
var R_SF_14:reg1_t;
var R_OF_15:reg1_t;
var cond_000017_0x4010ce_00_162:reg1_t;
var R_CC_OP_16:reg32_t;
var R_CC_DEP1_17:reg32_t;
var R_CC_DEP2_18:reg32_t;
var cond_000013_0x4010c3_00_161:reg1_t;
var R_CC_NDEP_19:reg32_t;
var cond_000012_0x4010c0_00_160:reg1_t; var R_DFLAG_20:reg32_t;
var R_IDFLAG_21:reg32_t;
var cond_000007_0x4010b6_00_159:reg1_t;
var R_ACFLAG_22:reg32_t;
var INPUT_10000_0000_62:reg8_t; var R_EMWARN_23:reg32_t;
var R_LDT_24:reg32_t;
var INPUT_10000_0001_63:reg8_t;
var R_GDT_25:reg32_t;
var INPUT_10000_0002_64:reg8_t; var R_CS_26:reg16_t;
var INPUT_10000_0003_65:reg8_t; var R_DS_27:reg16_t;
var R_ES_28:reg16_t;
var mem_arr_57:reg8_t[4294967296]; – memory as an array var R_FS_29:reg16_t;
var mem_35:mem32l_t; var R_GS_30:reg16_t;
var R_SS_31:reg16_t;
var R_FTOP_32:reg32_t;
23. label pc_0x40143c_1: –is the name of which is the address of instruction
/*Filter IRs:*/ And the filter itself changes.
Now comes the filter initialization:
/*ASM IR:*/
{
{
var T_32t0_58:reg32_t;
/*Initializers*/ var T_32t1_59:reg32_t;
var T_32t2_60:reg32_t;
var T_32t3_61:reg32_t;
R_EAX_5:reg32_t = 0×73657930:reg32_t; T_32t2_60:reg32_t = R_ESP_1:reg32_t;
{
T_32t1_59:reg32_t = T_32t2_60:reg32_t + 0x1c8:reg32_t;
T_32t3_61:reg32_t =
var idx_144:reg32_t; (
var val_143:reg8_t;
(
cast(mem_arr_57[T_32t1_59:reg32_t +
idx_144:reg32_t = 0x12fef0:reg32_t; 0:reg32_t]:reg8_t)U:reg32_t
val_143:reg8_t = INPUT_10000_0000_62:reg8_t; << 0:reg32_t
|
mem_arr_57[idx_144:reg32_t + 0:reg32_t]:reg8_t =
cast(mem_arr_57[T_32t1_59:reg32_t +
cast((val_143:reg8_t & 0xff:reg8_t) >> 0:reg8_t)L:reg8_t; 1:reg32_t]:reg8_t)U:reg32_t
<< 8:reg32_t
)
} |
cast(mem_arr_57[T_32t1_59:reg32_t +
{
2:reg32_t]:reg8_t)U:reg32_t
var idx_146:reg32_t; << 0×10:reg32_t
)
var val_145:reg8_t;
|
idx_146:reg32_t = 0x12fef1:reg32_t; cast(mem_arr_57[T_32t1_59:reg32_t +
val_145:reg8_t = INPUT_10000_0001_63:reg8_t;
3:reg32_t]:reg8_t)U:reg32_t
<< 0×18:reg32_t
mem_arr_57[idx_146:reg32_t + 0:reg32_t]:reg8_t = ;
cast((val_145:reg8_t & 0xff:reg8_t) >> 0:reg8_t)L:reg8_t;
R_EAX_5:reg32_t = T_32t3_61:reg32_t;
}
}
24. Weakest precondition
Vine:
● CFG → DPG(DDG) → GCL → (WP form)
DPG - Program-Dependence Graphs
DDG - Data-Dependence Graphs
GCL - Guarded Command Language
WP(S,R) – S is formula, R is condition.
25.
26. What is STP and what it
does?
STP - a solver for bit-vector expressions.
This is a separate project independent of the
http://sites.google.com/site/stpfastprover/bitblaze
To produce STP code from IL code:
./vine-1.0/utils/wputil trace.il -stpout stp.code
where the input is IL code, and the output is
STP code.
27. STP program example
bv : BITVECTOR(10);
a : BOOLEAN;
QUERY(
0bin01100000[5:3]=(0bin1111001@bv[0:0])[4:2]
AND
0bin1@(IF a THEN 0bin0 ELSE 0bin1 ENDIF)=(IF a
THEN 0bin110 ELSE 0bin011 ENDIF)[1:0]
);
28. STP Example code:
Begin with the declaration of variables:
R_EBX_6_16 : BITVECTOR(32);
INPUT_10000_0003_65_7 : BITVECTOR(8);
INPUT_10000_0002_64_6 : BITVECTOR(8);
INPUT_10000_0001_63_5 : BITVECTOR(8);
mem_arr_57_8 : ARRAY BITVECTOR(64) OF BITVECTOR(8);
INPUT_10000_0000_62_4 : BITVECTOR(8);
% end free variables.
The very expression of the form question (assert)
ASSERT( 0bin1 =
(LET R_EAX_5_232 =
0hex73657930
IN
(LET idx_144_233 =
0hex0012fef0
IN
(LET val_143_234 =
INPUT_10000_0000_62_4
IN
(LET mem_arr_57_393 =
(mem_arr_57_8 WITH [(0bin00000000000000000000000000000000 @ BVPLUS(32, idx_144_233,0hex00000000))] := (val_143_234;0hexff)[7:0])
…….
IN
(cond_000017_0x4010ce_00_162_392;0bin1))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
It's a question:
This expression is not true?
QUERY (FALSE);
And to give a counter example:
COUNTEREXAMPLE;
29. STP example
How to ask for a decision at STP:
./stp stp.code
Example of STP output:
ASSERT( INPUT_10000_0001_63_5 = 0×00 );
ASSERT( INPUT_10000_0002_64_6 = 0×00 );
ASSERT( INPUT_10000_0000_62_4 = 0×61 );
ASSERT( INPUT_10000_0003_65_7 = 0×00 );
Invalid.
31. Diagram from basic method
input
data software
TEMU
Trace, alloc-file, state
appreplay
Trace
IL
code
Vine
wputil
input stp Stp
data
code
32. SASV Components:
Temu (tracecap: start/stop tracing. Various additions to tracecap(hooks etc.))
Vine (appreplay, wputil)
STP
IDA plugins:
- DangerFunctions – finds calls to malloc,strcpy,memcpy etc.
- IndirectCalls – indirect jumps, indirect calls.
- ida2sql (zynamics) –idb in the mysql db. (http://blog.zynamics.com/2010/06/29/ida2sql-exporting-ida-
databases-to-mysql/)
Iterators – wrapper for temu, vine, stp.
Various publishers – for DeviceIoControl etc.
35. SASV basic algorithm
1. Work of IDA plugins -> danger places
2. Publisher -> invoke analyzing code
3. TEMU -> trace
4. Trace -> appreplay -> IL
5. IL -> change path algo -> IL’
6. IL’ -> wputil -> STP_prorgam’
7. STP_prorgam’ -> STP -> data for n+1
iteration
8. Goto #2
36. Diagram for new path in graph
input
data software
TEMU
Trace, alloc-file, state
IL
appreplay code
Next
Iteration Trace
Changer,
symbolic
Vine execution
wputil
New IL’
input stp Stp’ code
data code
37. Complex system
1)
input data New input data
Blackbox
SASV
fuzzer
2)
input data New input
Set of input
data Coverage
data Blackbox
SASV
fuzzer
3)
Set of New input
input data new
SASV
data Blackbox
input Coverage
data fuzzer
38. Diagram from basic method
input
data software
TEMU
Trace, alloc-file, state
appreplay
Trace
IL
code
Vine
wputil
input stp Stp
data
code
39. Bitblaze vs blackbox-fuzzer
Optipng
1 byte change:
PNG format file:
PNG format file:
- 7309 iterations. Unique addresses: - initial set: 3654
- time for one iteration: 10 sec
12313. Time: 73:32 hours. Coverage: - number of iterations: 43200
GIF format file:
36.27%.
- initial set: 8442
- size first input data: 2.3Kb. - time for one iteration: 3 sec
- number of iterations: 86400
BMP format file: BMP format file:
- initial set: 2368
- 2368 iterations. Unique addresses:
- time for one iteration: 3 sec
9620. Time: 12:35 hours. Coverage: - number of iterations: 86400
2 byte change:
28.34%. PNG format file:
- initial set: 3654
- size first input data: 1.1Kb.
- time for one iteration: 10 sec
GIF format file: - number of iterations: 86400
GIF format file:
- 16884 iterations. Unique addresses: - initial set: 8442
- time for one iteration: 3 sec
10361. Time: 112:21 hours. Coverage:
- number of iterations: 172800
30.52%. BMP format file:
- initial set: 2368
- size first input data: 0.9Kb, 2.3Kb, 15Kb. - time for one iteration: 3 sec
- number of iterations: 172800