[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery
Upcoming SlideShare
Loading in...5
×
 

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery

on

  • 1,074 views

2010 CodeEngn Conference 04 ...

2010 CodeEngn Conference 04

프로그램을 개발함에 있어서 취약점이란 언제나 존재하기 마련이다. 취약점을 찾거나 공략하는 일에 자신의 모든것을 투자하는 해커들에게 있어서, 프로그램 안에 취약점은 반드시 어딘가 “숨어”있는 것이다. 이런 숨어있는 취약점들을 찾기 위해 많은 해커들이 자신만의 노하우를 가지고 있다. 이 발표에서는 이런 수 많은 노하우들 중에 Taint Analysis를 통해 입력된 데이타들이 어떤 경로를 가지고 프로그램내에서 변조되는지에 대한 분석기법을 이야기한다. 기존의 Mutation 이나 Diffing 기반의 단순한 취약점 진단 기법들을 지나서 입력 데이터의 Life Cycle과 변조된 입력 데이터가 어떻게 프로그램의 영향을 미쳐 취약점을 유도하는지, 혹은 변조된 데이터를 기반으로 알려지지 않은 Zeroday 공격들을 탐지할 수 있는 기법들을 설명한다. 또한, Taint Analysis를 통해 효율적인 Fuzzer를 구성하는 방법에 대해 설명한다.

http://codeengn.com/conference/04

Statistics

Views

Total Views
1,074
Views on SlideShare
1,074
Embed Views
0

Actions

Likes
1
Downloads
12
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery [2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability discovery Presentation Transcript

  • Taint Analysis ForTaint Analysis ForVulnerability DiscoveryVulnerability Discoverypassket # gmail.comhttp://passket.tistory.com2010. 7. 3www.CodeEngn.com2010 4th CodeEngn ReverseEngineering Conference
  • MotivationWhere are vulnerabilities ?How can you find the vulnerability ?How can you find the vulnerability ?Is there vulnerability in my program ?Where is my data in vulnerable program ?Unknownvulnerability in commodity program ?Does finding zero-day-vulnerablity make money ?
  • OutlineOutline• Basic Concepts• Tainted Propagation on x86• Simple Test for TaintingSimple Test for Tainting• Into The Abyss : in the wild world• Future Work : Raison Framework• References• References
  • Basic Concepts
  • input data : xinput data : xinput data : xinput data : xfunctionfunctionddoutput data : youtput data : yAnd Now we call this “system”
  • modify data : we call this “tainting”input data : xinput data : xinput data : xinput data : xfunctionfunctionddoutput data : youtput data : ywe can analysis how tainted output driven: we can call this “taint analysis”
  • How does taint analysis helpHow does taint analysis helpOur works ?• Exploit Detections :- Find tainted EIP registerFind tainted EIP register- Find tainted Function Pointers- Find tainted Stack Arguments- Find tainted Data Structure using systemFind tainted Data Structure using system• Now we reverse upper follows• Finding Vulnerability
  • fOther benefits• Solve Reachability Problems- How can I makes PDF files to execute code block#937 in PDF reader ?• Zero-day DetectionI l d h b l- Include other bug class• Helping Fuzzer Mutationsp g
  • Tainted Object• The Object from untrusted sourceuntrusteduntrusted sourcesourceuntrusted data #1untrusted data #1operationoperationoperationoperationuntrusted data #2untrusted data #2
  • Tainted Object• The Object from untrusted operation, datauntrusteduntrusted data #1data #1untrusteduntrusteduntrusted data #2untrusted data #2 operationoperationuntrusteduntrusteddatadata#3#3trusted datatrusted data#3#3
  • Tainted Object• Untrusted Sources- Files, Inputs, Network Reads, ...• Tainted ObjectsTainted Objects- Memory Locations, Process Registers
  • Taint Propagation on x86
  • Taint Propagation• Taint Propagation is analysis for tainted objectderivation activities.• If a tainted object X derive to Y“Y i th t i t d bj t”- we say “Y is the tainted object”- so, we assign this : X → T(Y)• Taint operation is transitive- X → T(Y), and Y → T(Z) then, X → T(Z)
  • Taint Propagation(Tainted Objects)memory addressmemory address(Tainted Objects)yy0x0012FF700x0012FF70ADDADDprocess registerprocess registerEBXEBXprocess registerprocess registerEAXEAXEBXEBXEAXEAX(untainted objects)(Tainted Objects)
  • Operation on x86Operation on x86which derived in tainited• Assignment Operations- operation move X to Y• Arithmetical Operationsp- operation perfumes arithmatic calculus from X• Stack Push/Pop Operations- similar with Assignment Operationssimilar with Assignment Operations
  • Operation on x86Operation on x86which derived in tainited• B l O ti• Boolean Operation- must consider if the result of the operation depend on thevalue of tainted object- ex) AND Operationex) AND OperationA(tainted) B A && B0 0 0(untainted)( )0 1 0(untainted)1 0 0(untainted)- special case : X xor X is always untainted1 1 1(tainted)
  • Operation on x86Operation on x86which derived in tainited• We analysis whole program process- Finally, if we find tainted special object, we find a new bugs- special object : EIP register, function pointers, etc.special object : EIP register, function pointers, etc.
  • implementations of propagation• Just trace using breakpointsg p- only memory locations• Just trace using exceptions- only memory locationsonly memory locations• How do we trace process registers ?- emulation or virtualization, It is only way to propagations
  • implementations of propagation• Aft fi t th t i t d bj t i t ti h t• After we figure out the tainted object, every instruction has toexecute after emulation.- So, we can figure out new tainted object.• Or, register handler to process register using virtualizationOr, register handler to process register using virtualization- this requires fully implementation for cpu emulating andmemory accessmemory access
  • Simple Test For Tainting
  • I h AbInto the Abyss :in the wild world
  • welcome to wild world!• P bl 1 ltith d• Problem 1 : multithread ormessage-driven• Problem II : a lot of logs• Problem III : still can’t find ?
  • for the real world tainting• Multithreaded or Message-Driven Program makes your fuzzerinto hang overinto hang over- Cuz, There is no automated end of program- So, you make fully virtualization for program• Th f l• There are tons of log- Is it same with mutation fuzzing ?g- no waaaay, keep in going analysis tightly
  • tips for the real world tainting•• Using debugger : paimei is good for it• Construct your own emulation for programy p g• Sometimes just use other guy’s code- why not ? valgrind + wine + windows app.- concentrate your major subject : finding bugsconcentrate your major subject : finding bugs.
  • tips for the real world tainting• EX> Valgrind ls -al /
  • Extras
  • Raison Frameworkautomated exploit frameworkstill under-constructing.....
  • references- “LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks” -Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan zhou, Youfeng Wu - University of Illinois- “BitBlaze: A New Approach to Computer Security via Binary Analysis” - Dawn Song- “Dytan: A generic dynamic taint analysis framework” – James Clause, Wanchun Li, and Alessandro Orso.y g y y , ,Georgia Institute of Technology.- “Understanding data lifetime via whole system emulation” – Jim Chow, Tal Garfinkel, Kevi Christopher,Mendel Rosenblum – USENIX – Stanford UniversityMendel Rosenblum USENIX Stanford University- “Taint analysis” - edgar barbosa, H2HC 2009- “valgrind” http://valgrind org/- valgrind - http://valgrind.org/- “paimei & pydbg” - http://pedram.redhive.com/PyDbg/docs/- “PyEmu” - http://code.google.com/p/pyemu/www.CodeEngn.com2010 4th CodeEngn ReverseEngineering Conference