0
Upcoming SlideShare
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Standard text messaging rates apply

# Georgy Nosenko - An introduction to the use SMT solvers for software security

912

Published on

Published in: Technology, News & Politics
6 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total Views
912
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
29
0
Likes
6
Embeds 0
No embeds

No notes for slide

### Transcript

• 1. SMT Solvers for Software Security George Nosenko, Security researcher at Digital Security
• 2. SMT Solvers for Software Security #whoami • Member of DSecRG. • System Developer • Reverse Engineer • Security Researcher © 2002—2013, Digital Security
• 3. SMT Solvers in very simple terms What is a SMT Solver? Just like the first time using a SMT constraint solver © 2002—2013, Digital Security
• 4. SMT Solvers in very simple terms What is a SMT Solver?  Solver is a program  You ask a question “What is the meaning of life?”  Solver tries to answer “42” © 2002—2013, Digital Security
• 5. SMT Solvers in very simple terms How can I ask a question?  Question is a logical formula b+2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)  SMT-LIB: Language for expressing formulas http://smtlib.org/  All solvers understand this language © 2002—2013, Digital Security
• 6. SMT Solvers in very simple terms What solver should I choose? There are many SMT-solvers (over 20) CVC3, CVC4, STP, Alt-Ergo, Yices, Z3, etc Z3 is my choice  Efficient SMT solver  Open Source Project: http://z3.codeplex.com  Python, C/C++, .NET binding  Available online  Support Windows & Linux © 2002—2013, Digital Security
• 7. SMT Solvers in very simple terms SAT or not SAT? Ask a question.  structure of formula  declaration  precondition  postcondition  answer  sat, unsat, unknown  satisfiability  validity  model Taint Nobody Got Time for Crash © 2002—2013, Digital Security (declare-const work Int) (declare-const sleep Int) (declare-const fun Int) (assert (>= work 40)) (assert (>= sleep 42)) (assert (>= fun work)) (assert (= (+ work (+ sleep fun)) 168)) (check-sat) (get-model) sat (model (sleep: 42, fun: 63, work 63) http://rise4fun.com/Z3/pLpMc
• 8. SMT Solvers in very simple terms Properties of SMT solvers  Mathematical precision  Expressive power  Data model  Efficient implementation Support Bit-vector & Array © 2002—2013, Digital Security
• 9. SMT Solvers for Software Security SMT Solvers for Software Security © 2002—2013, Digital Security
• 10. SMT Solvers for Software Security Applications  Bug Hunting  Fuzzing (whitebox or blackbox)  Program Verification & Analysis  Exploit Generation  PoC, AEG, APEG  Automate generate payload  Protection Analysis  Obfuscation  Crypto Analysis  Malware Analysis © 2002—2013, Digital Security
• 11. SMT Solvers for Software Security What’s the point? Idea: convert portions of code into logical formulas, and use SMT solver to prove properties about them add eax, ebx xor ebx, ebx sub ecx, 0x123 setz bl add eax, ebx Is this snippet equivalent to “add eax, ebx”? sub bl, bl What value must EAX have at the beginning movzx ebx, bl add ebx, 0xbbbbbbbb of this snippet in order for EAX to be 0x12345678 after the snippet executes? add eax, ebx http://recon.cx/2012/schedule/attachments/52_semantics-based-methods.pdf Taint Nobody Got Time for Crash © 2002—2013, Digital Security
• 12. SMT Solvers for Software Security BV Operations in SMT-LIB 2.0 =/bvcomp distinct ite bvand bvor bvxor bvnot bvnand bvnor bvxnor bvneg bvadd bvmul bvudiv bvurem bvsub bvsdiv bvsrem bvsmod bvshl bvlshr bvashr bvult bvule bvugt bvuge bvslt bvsle bvsgt bvsge concat extract bvshl bvlshr bvashr repeat zero_extend sign_extend rotate_left rotate_right Slides - SMT Workshop 2013 © 2002—2013, Digital Security
• 13. SMT Solvers for Software Security Array Operations in SMT-LIB 2.0: select-store axioms 1. Expression (select a i) returns the value stored at position i of the array a; 2. And (store a i v) returns a new array identical to a, but on position i it contains the value v. (declare-const x Int) (declare-const y Int) (declare-const a1 (Array Int Int)) (assert (= (select a1 x) x)) (assert (= (store a1 x y) a1)) (check-sat) © 2002—2013, Digital Security
• 14. SMT Solvers for Software Security Binary Analysis Platform: http://bap.ece.cmu.edu/ BIL code for add %rax, %rbx addr 0x0 @asm "add %rax,%rbx" label pc_0x0 T_t1:u64 = R_RBX:u64 T_t2:u64 = R_RAX:u64 R_RBX:u64 = R_RBX:u64 + T_t2:u64 R_CF:bool = R_RBX:u64 < T_t1:u64 R_OF:bool = high:bool((T_t1:u64 ^ ~T_t2:u64) & (T_t1:u64 ^ R_RBX:u64)) R_AF:bool = 0x10:u64 == (0x10:u64 & (R_RBX:u64 ^ T_t1:u64^T_t2:u64)) R_PF:bool = ~low:bool(let T_acc:u64 := R_RBX:u64 >> 4:u64 ^ R_RBX:u64 in let T_acc:u64 := T_acc:u64 >> 2:u64 ^ T_acc:u64 in T_acc:u64 >> 1:u64 ^ T_acc:u64) R_SF:bool = high:bool(R_RBX:u64) R_ZF:bool = 0:u64 == R_RBX:u64 © 2002—2013, Digital Security
• 15. SMT Solvers for Software Security Bug Hunting © 2002—2013, Digital Security
• 16. Bug Hunting Vulnerability related with Integer  CWE-190,191,192,194,196       May cause: Bypass sanity check Buffer Overflow Dangling Pointer Use after free Application specific © 2002—2013, Digital Security
• 17. Bug Hunting Integer Overflow in Linux Kernel. CVE-2013-2596 © 2002—2013, Digital Security
• 18. Bug Hunting Integer Overflow in Linux Kernel. CVE-2013-2596 static int fb_mmap(struct file *file, struct vm_area_struct * vma){ if (!info) return -ENODEV; ... off = vma->vm_pgoff << PAGE_SHIFT; fb = info->fbops; if (!fb) return -ENODEV; ... /* frame buffer memory */ start = info->fix.smem_start; len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len); if (off >= len) { /* memory mapped io */ off -= len; ... start = info->fix.mmio_start; len = PAGE_ALIGN((start & ~PAGE_MASK) + info>fix.mmio_len); } mutex_unlock(&info->mm_lock); start &= PAGE_MASK; if ((vma->vm_end - vma->vm_start + off) > len) return -EINVAL; ... fb_pgprotect(file, vma, off); if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, vma->vm_end - vma->vm_start, vma>vm_page_prot)) return -EAGAIN; return 0; } © 2002—2013, Digital Security
• 19. Bug Hunting How does Motochopper work? 1728 open("/dev/graphics/fb0", O_RDWR) = 6 ... 1728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x400f2000 ... 1728 munmap(0x4015b000, 9433088) = 0 1728 mmap2(NULL, 9437184, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x4015b000 1728 munmap(0x4015b000, 9437184) = 0 1728 mmap2(NULL, 9441280, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = -1 EINVAL (Invalid argument) 1728 mmap2(NULL, 1728 mmap2(NULL, (Out of memory) 1728 mmap2(NULL, (Out of memory) ... (Out of memory) 1728 mmap2(NULL, NAME 2415919104, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x70900) = -1 ENOMEM 2231369728, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7b900) = -1 ENOMEM 2214592512, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7c900) = -1 ENOMEM 2113929216, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x82900) = 0x4015b000 mmap2 - map files or devices into memory #include <sys/mman.h> void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset); © 2002—2013, Digital Security
• 20. Bug Hunting Integer Overflow in Linux Kernel. CVE-2013-2596 © 2002—2013, Digital Security
• 21. Bug Hunting Integer Overflow in OpenSSH. CVE-2002-0639 © 2002—2013, Digital Security
• 22. Bug Hunting Integer Overflow in OpenSSH. CVE-2002-0639 input_userauth_info_response(){ ... u_int nresp; ... nresp = packet_get_int(); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) response[i] = packet_get_string(NULL); } packet_check_eom(); } © 2002—2013, Digital Security
• 23. Bug Hunting Integer Overflow in OpenSSH. CVE-2002-0639 (declare-const sizeof (_ BitVec 32)) (declare-const nresp (_ BitVec 32)) (declare-const mult (_ BitVec 32)) (assert ( = 4 sizeof (assert ( = mult nresp*sizeof (_ bv4 32))) (bvmul nresp sizeof))) (assert ( bvugt nresp (assert ( bvult nresp mult nresp)) (get-model) © 2002—2013, Digital Security ; (_ bv0 32) )) ; nresp > 0 (assert ( = mult (_ bv256 32))) nresp*sizeof = 256 (check-sat) ; sizeof (char*) = ; nresp*sizeof < ;
• 24. Bug Hunting Verification & Static analyze with SMT  Single collaborative framework  It’s not heuristic bug-finding  It allows user to manipulate  Functional specification  Prove that source code satisfies specification  Expands with plug-ins  ACSL is a behavioral specification language © 2002—2013, Digital Security
• 25. Bug Hunting Jessie: verification tools for C programs  Jessie is a plug-in for the Frama-C  Functional Checking  Safety Checking  Memory Safety  Integer Overflow  Checking Termination © 2002—2013, Digital Security
• 26. Bug Hunting Jessie: Integer Overflow Safety #pragma JessieTerminationPolicy(user) //@ requires n >= 0 && valid_range(t,0,n−1); int binary_search(long t[], int n, long v) { int l = 0, u = n-1; //@ loop invariant 0 <= l && u <= n−1; while (l <= u) { int m = l + (u - l) / 2; //int m = (l + u) / 2; if (t[m] < v) l = m + 1; else if (t[m] > v) u = m - 1; else return m; } return -1; } > frama-c -jessie binary-search.c © 2002—2013, Digital Security
• 27. Bug Hunting Immunity Debugger & SMT: Infrastructure SequenceAnalyzer – Models x86 as operations over a set of SMT primitives. Solver – Ctypes interface to the CVC3 SMT solver API. Supports a variety of theories including quantifier free, bit-vector arithmetic, linear arithmetic etc. CodeGraph/PathGenerator – Purely static CFG building and path generation. PathWalker – SMT based path traversal. Each conditional jump is checked for feasibility and the path discarded if not SAT. BugChecker – Subclasses provide the check_ins method which will be passed the SMT context representing the current path. © 2002—2013, Digital Security
• 28. Bug Hunting Immunity Debugger & SMT: !find_int_overwlow.py © 2002—2013, Digital Security
• 29. SMT in protection analysis PROTECTION ANALYSIS © 2002—2013, Digital Security
• 30. SMT in protection analysis Using SMT to defeat simple hashing algorithms def round_hash(a, b, c, d): out = [ ] for i, n in enumerate((a, b, c, d)): nn = 0 for j in range(32): nn |= (rotl(n, SCRAMBLE_TABLE[(i << 2)+j]) & 1) << j nn ^= XOR_TABLE[i] out.append(nn) out[0] = rotl(out[0], ROT_TABLE[0]) out[1] = rotl(out[1], ROT_TABLE[1]) out[2] = rotl(out[2], ROT_TABLE[2]) out[3] = rotl(out[2], ROT_TABLE[3]) return out a ^= c b ^= d for i in range(128): a, b, c, d = round_hash(a, b, c, d) © 2002—2013, Digital Security
• 31. SMT in protection analysis Automated KeyGen Generation. Kao’s Toy Project © 2002—2013, Digital Security
• 32. SMT in protection analysis Automated KeyGen Generation. Kao’s Toy Project  Lift the checking algorithm to BIL ./toil -binrange ~/toyproject.exe 0x401105 0x401111 -o checkUnlockCode.il  Convert BIL to single static assignment form (SSA), unroll loop ./iltrans -il checkUnlockCode.il -to-ssa -simp-ssa -to-cfg -unroll 31 -rm-cycles -rm-indirect-ast -to-ast -normalize-mem -flatten-mem -pp-ast checkUnlockUnroll.il egrep -v '^cjmp.*\$' checkUnlockUnroll.il > checkUnlockUnrollOpt.il  Convert BIL to SMT-formula ./topredicate -il checkUnlockUnrollOpt.il -noopt -solver z3 -stp-out checkLoop.smt line 18: assert --> define-fun alg () (Array (_ BitVec 32) (_ BitVec 8)) line 921: false --> ?mem_array_83_670 © 2002—2013, Digital Security
• 33. SMT in protection analysis Create precondition and postcondition © 2002—2013, Digital Security
• 34. AEG Automatic Exploit Generation  Automatically craft an input that redirects control flow Loosely defined as “Given a program and a vulnerability, automatically craft an input that redirects control flow to malicious code”  Automated Payload Creation © 2002—2013, Digital Security
• 35. AEG Automatically craft an input that hijacks control flow  Get the trace to vulnerable code  Convert the trace into set of constraints Freach  Generate the set of conditions that make code exploitable Fexploit = Cval U Caddr  Solve (Freach U Fexploit)  SMT-solver defines required input © 2002—2013, Digital Security
• 36. AEG Automatically craft an input that hijacks control flow Freach = { t0= eax + ebx, zf ==1 } Cval = { eax = 0xdeadbeef } Caddr = { t1= ebp + 4, t1 = ebp +ecx } Fexploit = Cval U Caddr © 2002—2013, Digital Security