SlideShare a Scribd company logo

The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities

Download as PPTX, PDF
Positive Hack Days
Positive Hack Days
Technology
1 of 58
The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities Alex Bazhanyuk (@ABazhanyuk) Nikita Tarakanov (@NTarakanov)
Who is Alex Bazhanyuk • Security Researcher • Organizer of Defcon Ukraine Group • Working in UC Berkley in BitBlaze project • Solves problems of automation of RE
Who is Nikita Tarakanov • Independent Security Researcher • Author of some articles in ][akep magazine • Likes to reverse engineer r0 parts • Discovered a lot of LPE vulns • Solves problems of automation of RE
Agenda • Intro • Taint analysis theory • BitBlaze theory • SASV implementation • Lulz Time • Pitfalls • Conclusion
SASV main parts • IDA Pro plugins • BitBlaze: Vine+utils, TEMU + plugins
Theory
Tainting • Taint sources: Network, Keyboard, Memory, Disk, Function outputs • Taint propagation: a data flow technique Shadow memory Whole-system Across register/memory/disk/swapping
Fundamentals of taint analysis
Taint propagation •If an operation uses the value of some tainted object, say X, to derive a value for another, say Y, then object Y becomes tainted. Object X taints the object Y •Taint operator t •X→ t(Y) •Taint operator is transitive X → t(Y) and Y→ t(Z), then X→ t(Z)
Static Taint Analysis Analysis performed over multiple paths of a program * Typically performed on a control flow graph (CFG): statements are nodes, and there is an edge between nodes if there is a possible transfer of control.
BitBlaze: Binary Analysis Infrastructure • Automatically extracting security-related properties from • binary code • Build a unified binary analysis platform for security - Static analysis + Dynamic analysis + Symbolic Analysis - Leverages recent advances in program analysis, formal methods, binary instrumentation… Solve security problems via binary analysis • More than a dozen different security applications • Over 25 research publications
BitBlaze • http://bitblaze.cs.berkeley.edu/ • TEMU,VINE • Rudder, Panorama, Renovo
TEMU
Confines TEMU • Only gcc-3.4 • Qemu 0.9.1 - TEMU • Qemu 0.10 - TCG(Tiny Code Generator)-TODO • Qemu 0.10  Qemu 1.01
VINE
The Vine Intermediate Language
Example of disasm: fc32dcec: rep stos %eax,%es:(%edi) R@eax[0x00000000][4](R) T0 R@ecx[0x00000002][4](RCW) T0 M@0xfb7bfff8[0x00000000][4](CW) T1 {15 (1231, 69624) (1231, 69625) (1231, 69626) (1231, 69627) } fc32dcec: rep stos %eax,%es:(%edi) R@eax[0x00000000][4](R) T0 R@ecx[0x00000001][4](RCW) T0 M@0xfb7bfffc[0x00000000][4](CW) T1 {15 (1231, 69628) (1231, 69629) (1231, 69630) (1231, 69631) } fc32dcee: mov %edx,%ecx R@edx[0x0000015c][4](R) T0 R@ecx[0x00000000][4](W) T0 fc32dcf0: and $0×3,%ecx I@0×00000000[0x00000003][1](R) T0 R@ecx[0x0000015c][4](RW) T0 fc32dcf5: andl $0×0,-0×4(%ebp) I@0×00000000[0x00000000][1](R) T0 M@0xfb5ae738[0x00000002][4](RW) T0 fc32dcf9: jmp 0x00000000fc32c726 J@0×00000000[0xffffea2d][4](R) T0 fc32c726: cmpl $0×0,-0×58(%ebp) I@0×00000000[0x00000000][1](R) T0 M@0xfb5ae6e4[0x00000000][4](R) T0
Taint info • T0 - means that the statement is not tainted. • T1 - means that the instruction tainted in curly brackets can be seen that there tainted and what it depends. • Here's an example of: • fc32dcec: rep stos% eax,% es: (% edi) R @ eax [0x00000000] [4] (R) T0 R @ ecx [0x00000001] [4] (RCW) T0 M @ 0xfb7bfffc [0x00000000] [4] (CW) T1 {15 (1231, 628) (1231, 629) (1231, 630) (1231, 631)} • 4 bits of information tainted and they depend on the offset: 628, 629, 630, 631. 1231 - this number is origin(kind of ID that TEMU plugin sets).
appreplay • ./vine-1.0/trace_utils/appreplay -trace font.trace -ir-out font.trace.il -assertion-on-var false-use-post-var false where: • appreplay - ocaml script that we run; • -trace - the way to the trace; • -ir-out - the path to which we write IL code. • -assertion-on-var false-use-post-var false - flags that show the format of IL code for this to false makes it more readable text.
Example of IL code: • Begins with the declaration of variables: • INPUT - it's free memory cells, those that are tested in the very beginning (back in temu), input into the program from an external source. var cond_000017_0x4010ce_00_162:reg1_t; var cond_000013_0x4010c3_00_161:reg1_t; var cond_000012_0x4010c0_00_160:reg1_t; var cond_000007_0x4010b6_00_159:reg1_t; var INPUT_10000_0000_62:reg8_t; var INPUT_10000_0001_63:reg8_t; var INPUT_10000_0002_64:reg8_t; var INPUT_10000_0003_65:reg8_t; var mem_arr_57:reg8_t[4294967296]; – memory as an array var mem_35:mem32l_t;
T_32t2_60:reg32_t = R_EAX_5:reg32_t = R_ESP_1:reg32_t; T_32t1_59:reg32_t = 0×73657930:reg32_t; T_32t2_60:reg32_t + { 0x1c8:reg32_t; T_32t3_61:reg32_t =(( var idx_144:reg32_t; cast(mem_arr_57[T_32t1_59:reg32_t + 0:reg32_t]:reg8_t)U:reg32_t var val_143:reg8_t; << 0:reg32_t | idx_144:reg32_t = cast(mem_arr_57[T_32t1_59:reg32_t 0x12fef0:reg32_t; + 1:reg32_t]:reg8_t)U:reg32_t << 8:reg32_t) val_143:reg8_t = | cast(mem_arr_57[T_32t1_59:reg32_t INPUT_10000_0000_62:reg + 2:reg32_t]:reg8_t)U:reg32_t 8_t; << 0×10:reg32_t) | mem_arr_57[idx_144:reg32 cast(mem_arr_57[T_32t1_59:reg32_t _t + 0:reg32_t]:reg8_t = + 3:reg32_t]:reg8_t)U:reg32_t << 0×18:reg32_t cast((val_143:reg8_t & ; R_EAX_5:reg32_t = 0xff:reg8_t) >> T_32t3_61:reg32_t; 0:reg8_t)L:reg8_t; }
What is STP and what it does? • STP - constraint solver for bit-vector expressions. • separate project independent of the BitBlaze • To produce STP code from IL code: • ./vine-1.0/utils/wputil trace.il -stpout stp.code • where the input is IL code, and the output is STP code
STP program example mem_arr_57_8 : ARRAY BITVECTOR(64) OF BITVECTOR(8); INPUT_10000_0000_62_4 : BITVECTOR(8); ASSERT( 0bin1 = (LET R_EAX_5_232 = 0hex73657930 IN (LET idx_144_233 = 0hex0012fef0 IN (LET val_143_234 = INPUT_10000_0000_62_4 IN (LET mem_arr_57_393 = (mem_arr_57_8 WITH [(0bin00000000000000000000000000000000 @ BVPLUS(32, idx_144_233,0hex00000000))] := (val_143_234;0hexff)[7:0]) ……. IN (cond_000017_0x4010ce_00_162_392;0bin1)))))))); Is this expression false? QUERY (FALSE); And give a counter example: COUNTEREXAMPLE;
STP output example • How to ask for a decision to STP: • ./stp stp.code • Example of STP output: ASSERT( INPUT_10000_0001_63_5 = 0×00 ); ASSERT( INPUT_10000_0002_64_6 = 0×00 ); ASSERT( INPUT_10000_0000_62_4 = 0×61 ); ASSERT( INPUT_10000_0003_65_7 = 0×00 ); Invalid.
SASV Components: • Temu (tracecap: start/stop tracing. Various additions to tracecap(hooks etc.)) • Vine (appreplay, wputil) • STP • IDA plugins: • - DangerousFunctions – finds calls to malloc,strcpy,memcpy etc. • - IndirectCalls – indirect jumps, indirect calls. • - ida2sql (zynamics) –idb in the mysql db. (http://blog.zynamics.com/2010/06/29/ida2sql-exporting-ida-databases-to- mysql/) • Iterators – wrapper for temu, vine, stp. • Various publishers – for DeviceIoControl etc.
How does SASV work?
SASV • Scheme: • Min Goal: max coverage of the dangerous code • Max Goal: max coverage of the all code
SASV basic algorithm 1. Work of IDA plugins -> dangerous places 2. Publisher(s) -> invoke targeted code 3. TEMU -> trace 4. Trace -> appreplay -> IL 5. IL -> change path algo -> IL’ 6. IL’ -> wputil -> STP_prorgam’ 7. STP_prorgam’ -> STP -> data for n+1 iteration 8. Goto #2
Diagram for new path in graph input data software TEMU Trace, alloc-file, state IL code appreplay Next Trace Iteration Changer, s ymbolic Vine execution wputil New IL’ code input stp Stp’ code data
Combo system: Dumb+Smart input data Set of new Set of new input data input data SASV Coverage Blackbox fuzzer
Disadvantages • Definition of the vulnerability is difficult task. • Performance – speed of tracing in TEMU is AWFUL
Overhead • Ideally – 1/1000. • In Reality - 1/(X * 10000) • Where X is dynamic and could be 1 to 10^N • Depends on your target (r3, r0) • Hooks quantity, etc
Implementation(Vine<->TEMU) issues • VEX != XED • VEX is part of valgrind - used for R3. • Formula only for single thread.
Get rid of that damned QEMU! • Move taint propagation to Hypervisor! • Damn good idea! • But a lot of code to port/rewrite
AV
Vulnerabilities in drivers • Overflows: stack, pool, integer • Pointer overwrite • Null pointer dereference(Plague) • Race condition(Plague) • Various logical vulnerabilities(how to automate?)
Example of issue • Total = var1 * var2 (var – could be const) • Mem = malloc(Total) • For(i=0;i<var;i++)memcpy(Mem, Mem2,CONS T) • Free(Mem)
Define Vulnerability (Memory corruption) • var = var1 operation var2 • Mem = alloc(heap, stack)(var) • Mem[var3] = var4 • Could var3 > var (write out-of-bounds) ?
Define vulnerability 1. tainted eip. (very rare in real life, look at KingSoft AV) 2. pointers and operations on them. 3. buffer overflow (hook *alloc function and change size of alloc). 4. integer operations and results(VSA). 5.Threads race condition – is there using of synchronising functions?
Concept IOCTL: Data to taint: – dwIoControlCode - to get list of supported ioctl codes – lpInBuffer - pointer(METHOD_NEITHER) and data (METHOD_BUFFERED) – nInBufferSize - size ranges – lpOutBuffer - pointer(METHOD_NEITHER) and data (METHOD_BUFFERED) – nOutBufferSize- size ranges Tracing only driver code
Shaming examples •Lulz Time!
GData Lulz #0:MiniIcpt.sys • Ioctl code 0x83170180 (METHOD_BUFFERED) • Untrusted data goes to FtlReleaseContext • Leads to decrement arbitrary memory • Leads to control of EIP • TotalCare 2011->2012(20 months old 0day) • Wooot TotalCare 2013 fixed feature 
GData Lulz #1: GDNdisIc.sys • What about control over Ndis Filter? • 0x830020E0 – NPD + switching on/off • 0x83002108 –switching on/off AutoPilot • First trigger as non-interesting vuln(NPD) • But log from DbgPrint shows Lulz
GData Lulz #2: TS4nt.sys • New!!!! • Total Care 2013(future!!!) • Processes several ioctls • METHOD_BUFFERED “signal” (NPD) • Uses pointer than check – smart!
Agnitum(?) VBEngNT.sys FAIL • VBEngNT.sys – NOT Agnitum code • VBEngNT.sys – from VirusBuster! • Plays dll role in kernel land • 50(!!!) vulnerable functions – one stupid bug • Full trust on pointers • Using by several(over 8) products • Test before you buy some r0(!!!) code!!!
TrendMicro tmtdi.sys #1 • Ioctl code 0x220044 (METHOD_BUFFERED) • No range check for size • Just check for correct address – NPD check (MmIsAddressValid) • Pool corruption in cycle • No control of overflowing data 
TrendMicro tmtdi.sys #1 • .text:0001D881 mov edi, [ebx+0Ch] • .text:0001D884 push edi ; our buffer • .text:0001D885 call esi ; MmIsAddressValid • .text:0001D887 test al, al • .text:0001D889 jz loc_1DDAB • .text:0001D88F push [ebp+output_buff_size] • .text:0001D892 push edi • .text:0001D893 push offset rules_list • .text:0001D898 call ioctl_0x220044_vuln • [..]
TrendMicro tmtdi.sys #1 • .text:000156EA mov ebx, [ebp+our_buffer_size_controlled] • .text:000156ED mov [ebp+NewIrql], al • .text:000156F0 mov eax, dword_22CA0 • .text:000156F5 mov edx, offset dword_22CA0 • .text:000156FA cmp eax, edx • .text:000156FC jz short loc_15748 • [..] • .text:00015700 mov ecx, [eax+0Ch] • .text:00015703 mov [ebx], ecx • .text:00015705 mov ecx, [eax+10h] • .text:00015708 mov [ebx+4], ecx • .text:0001570B mov ecx, [eax+14h] • .text:0001570E mov [ebx+8], ecx  write outside of the pool chunk • .text:00015711 mov ecx, [eax+18h] • .text:00015714 mov [ebx+0Ch], ecx
TrendMicro tmtdi.sys #2 • Ioctl code 0x220030 • Range check for inbuff_size >= 0x2AA • Range check for outbuff_size >= 0x4D0 • Allocs pool memory for const size 0x4D0 • And… • Zeroing it with outbuff_size length! LOL
TrendMicro tmtdi.sys #2 • .text:0001D704 cmp [ebp+inbuff_size], 2AAh • .text:0001D70B jb loc_1DDAB • .text:0001D711 mov esi, 4D0h • .text:0001D716 cmp [ebp+output_buff_size], esi • .text:0001D719 jb loc_1DDAB • .text:0001D71F push 746D74h ; Tag • .text:0001D724 push esi ; NumberOfBytes • .text:0001D725 push 0 ; PoolType • .text:0001D727 call ds:ExAllocatePoolWithTag • [..]
TrendMicro tmtdi.sys #2 • .text:0001D74B push edi ; pool_mem_const_size • .text:0001D74C lea eax, [ebp+output_buff_size] • .text:0001D74F push eax ; output_buff_size • .text:0001D750 push [ebp+NewIrql] ; inbuff • .text:0001D753 push 220030h ; ioctl_code • .text:0001D758 call ioctl_several_ioctl_codes • [..] • .text:00014918 mov esi, [ebp+output_buff_size] • [..] • .text:00014977 push dword ptr [esi] ; • .text:00014979 push 0 ; • .text:0001497B push [ebp+pool_mem_const_size] ; • .text:0001497E call memset
TrendMicro tmnciesc.sys • Ioctl code 0x222404 • Kernel Pool Corruption • Your homework ;)
Pitfalls of taint analysis • Indirect propagation • Flat model problem(data is tainted, pointer is not) – strlen problem • Const values tainting(switch problem) • More taint info(levels) – more overhead
Pitfalls of tainting r0 • Taint info lost • Check of system variables • System defense mechanism(s) (win32k.sys WATCHDOG BugCheck)
Pitfalls of tainting r0(IOCTL) • KeGetPreviousMode • IoGetCurrentProcess • Even hooking NtDeviceIoControlFile!
Conclusions • Quality -> security level • Taint analysis is not key to every vuln • SASV just another approach to automate RE • Sucks for userland software analysis • Nice approach for kernel land • But fails sometimes ;) • MS should fuzz/test/analyze what it signs!
Thanks,  •Questions? http://twitter.com/#!/ABazhanyuk http://twitter.com/#!/NTarakanov

Recommended

第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料Asuka Nakajima
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source codeAndrey Karpov
 
Appsec obfuscator reloaded
Appsec obfuscator reloadedAppsec obfuscator reloaded
Appsec obfuscator reloadedCyber Security Alliance
 
VERILOG CODE
VERILOG CODEVERILOG CODE
VERILOG CODEDhaval Kaneria
 
06.Loops
06.Loops06.Loops
06.LoopsIntro C# Book
 

Recommended

第二回CTF勉強会資料
第二回CTF勉強会資料第二回CTF勉強会資料
第二回CTF勉強会資料Asuka Nakajima
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source codeAndrey Karpov
 
Appsec obfuscator reloaded
Appsec obfuscator reloadedAppsec obfuscator reloaded
Appsec obfuscator reloadedCyber Security Alliance
 
VERILOG CODE
VERILOG CODEVERILOG CODE
VERILOG CODEDhaval Kaneria
 
06.Loops
06.Loops06.Loops
06.LoopsIntro C# Book
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Beauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMBeauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMJarek Ratajski
 
07. Arrays
07. Arrays07. Arrays
07. ArraysIntro C# Book
 
Конверсия управляемых языков в неуправляемые
Конверсия управляемых языков в неуправляемыеКонверсия управляемых языков в неуправляемые
Конверсия управляемых языков в неуправляемыеPlatonov Sergey
 
Joel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMDJoel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMDSergey Platonov
 
Improving Android Performance at Mobiconf 2014
Improving Android Performance at Mobiconf 2014Improving Android Performance at Mobiconf 2014
Improving Android Performance at Mobiconf 2014Raimon Ràfols
 
Java simple programs
Java simple programsJava simple programs
Java simple programsVEERA RAGAVAN
 
Java Practical File Diploma
Java Practical File DiplomaJava Practical File Diploma
Java Practical File Diplomamustkeem khan
 
Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Michael Barker
 
Eta
EtaEta
EtaJarek Ratajski
 
Designing C++ portable SIMD support
Designing C++ portable SIMD supportDesigning C++ portable SIMD support
Designing C++ portable SIMD supportJoel Falcou
 
Java Simple Programs
Java Simple ProgramsJava Simple Programs
Java Simple ProgramsUpender Upr
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesAndrey Karpov
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
07. Java Array, Set and Maps
07. Java Array, Set and Maps07. Java Array, Set and Maps
07. Java Array, Set and MapsIntro C# Book
 
verilog code
verilog codeverilog code
verilog codeMantra VLSI
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source codePVS-Studio
 
Vectorization on x86: all you need to know
Vectorization on x86: all you need to knowVectorization on x86: all you need to know
Vectorization on x86: all you need to knowRoberto Agostino Vitillo
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...Andrey Karpov
 
Tesseract. Recognizing Errors in Recognition Software
Tesseract. Recognizing Errors in Recognition SoftwareTesseract. Recognizing Errors in Recognition Software
Tesseract. Recognizing Errors in Recognition SoftwareAndrey Karpov
 

More Related Content

What's hot

A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Beauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMBeauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMJarek Ratajski
 
Конверсия управляемых языков в неуправляемые
Конверсия управляемых языков в неуправляемыеКонверсия управляемых языков в неуправляемые
Конверсия управляемых языков в неуправляемыеPlatonov Sergey
 
Improving Android Performance at Mobiconf 2014
Improving Android Performance at Mobiconf 2014Improving Android Performance at Mobiconf 2014
Improving Android Performance at Mobiconf 2014Raimon Ràfols
 
Java simple programs
Java simple programsJava simple programs
Java simple programsVEERA RAGAVAN
 
Java Practical File Diploma
Java Practical File DiplomaJava Practical File Diploma
Java Practical File Diplomamustkeem khan
 
Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Michael Barker
 
Designing C++ portable SIMD support
Designing C++ portable SIMD supportDesigning C++ portable SIMD support
Designing C++ portable SIMD supportJoel Falcou
 
Java Simple Programs
Java Simple ProgramsJava Simple Programs
Java Simple ProgramsUpender Upr
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesAndrey Karpov
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
07. Java Array, Set and Maps
07. Java Array, Set and Maps07. Java Array, Set and Maps
07. Java Array, Set and MapsIntro C# Book
 

What's hot (17)

A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Beauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVMBeauty and the beast - Haskell on JVM
Beauty and the beast - Haskell on JVM
 
07. Arrays
07. Arrays07. Arrays
07. Arrays
 
Конверсия управляемых языков в неуправляемые
Конверсия управляемых языков в неуправляемыеКонверсия управляемых языков в неуправляемые
Конверсия управляемых языков в неуправляемые
 
Joel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMDJoel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMD
 
Improving Android Performance at Mobiconf 2014
Improving Android Performance at Mobiconf 2014Improving Android Performance at Mobiconf 2014
Improving Android Performance at Mobiconf 2014
 
Java simple programs
Java simple programsJava simple programs
Java simple programs
 
Java Practical File Diploma
Java Practical File DiplomaJava Practical File Diploma
Java Practical File Diploma
 
Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!
 
Eta
EtaEta
Eta
 
Designing C++ portable SIMD support
Designing C++ portable SIMD supportDesigning C++ portable SIMD support
Designing C++ portable SIMD support
 
Java Simple Programs
Java Simple ProgramsJava Simple Programs
Java Simple Programs
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' Mistakes
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
07. Java Array, Set and Maps
07. Java Array, Set and Maps07. Java Array, Set and Maps
07. Java Array, Set and Maps
 
verilog code
verilog codeverilog code
verilog code
 

Similar to The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities

Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source codePVS-Studio
 
Vectorization on x86: all you need to know
Vectorization on x86: all you need to knowVectorization on x86: all you need to know
Vectorization on x86: all you need to knowRoberto Agostino Vitillo
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...Andrey Karpov
 
Tesseract. Recognizing Errors in Recognition Software
Tesseract. Recognizing Errors in Recognition SoftwareTesseract. Recognizing Errors in Recognition Software
Tesseract. Recognizing Errors in Recognition SoftwareAndrey Karpov
 
Lesson 24. Phantom errors
Lesson 24. Phantom errorsLesson 24. Phantom errors
Lesson 24. Phantom errorsPVS-Studio
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기Ji Hun Kim
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systemsVsevolod Stakhov
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimonSisimon Soman
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processorsRISC-V International
 
General Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareGeneral Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareDaniel Blezek
 
Anomalies in X-Ray Engine
Anomalies in X-Ray EngineAnomalies in X-Ray Engine
Anomalies in X-Ray EnginePVS-Studio
 

Similar to The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities (20)

Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
 
Static analysis of C++ source code
Static analysis of C++ source codeStatic analysis of C++ source code
Static analysis of C++ source code
 
Vectorization on x86: all you need to know
Vectorization on x86: all you need to knowVectorization on x86: all you need to know
Vectorization on x86: all you need to know
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
 
Tesseract. Recognizing Errors in Recognition Software
Tesseract. Recognizing Errors in Recognition SoftwareTesseract. Recognizing Errors in Recognition Software
Tesseract. Recognizing Errors in Recognition Software
 
Lesson 24. Phantom errors
Lesson 24. Phantom errorsLesson 24. Phantom errors
Lesson 24. Phantom errors
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systems
 
CodeChecker summary 21062021
CodeChecker summary 21062021CodeChecker summary 21062021
CodeChecker summary 21062021
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Online test program generator for RISC-V processors
Online test program generator for RISC-V processorsOnline test program generator for RISC-V processors
Online test program generator for RISC-V processors
 
Verilog
VerilogVerilog
Verilog
 
General Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareGeneral Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics Hardware
 
Picmico
PicmicoPicmico
Picmico
 
Anomalies in X-Ray Engine
Anomalies in X-Ray EngineAnomalies in X-Ray Engine
Anomalies in X-Ray Engine
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities

  • 1. The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities Alex Bazhanyuk (@ABazhanyuk) Nikita Tarakanov (@NTarakanov)
  • 2. Who is Alex Bazhanyuk • Security Researcher • Organizer of Defcon Ukraine Group • Working in UC Berkley in BitBlaze project • Solves problems of automation of RE
  • 3. Who is Nikita Tarakanov • Independent Security Researcher • Author of some articles in ][akep magazine • Likes to reverse engineer r0 parts • Discovered a lot of LPE vulns • Solves problems of automation of RE
  • 4. Agenda • Intro • Taint analysis theory • BitBlaze theory • SASV implementation • Lulz Time • Pitfalls • Conclusion
  • 5. SASV main parts • IDA Pro plugins • BitBlaze: Vine+utils, TEMU + plugins
  • 7. Tainting • Taint sources: Network, Keyboard, Memory, Disk, Function outputs • Taint propagation: a data flow technique Shadow memory Whole-system Across register/memory/disk/swapping
  • 9. Taint propagation •If an operation uses the value of some tainted object, say X, to derive a value for another, say Y, then object Y becomes tainted. Object X taints the object Y •Taint operator t •X→ t(Y) •Taint operator is transitive X → t(Y) and Y→ t(Z), then X→ t(Z)
  • 10. Static Taint Analysis Analysis performed over multiple paths of a program * Typically performed on a control flow graph (CFG): statements are nodes, and there is an edge between nodes if there is a possible transfer of control.
  • 11. BitBlaze: Binary Analysis Infrastructure • Automatically extracting security-related properties from • binary code • Build a unified binary analysis platform for security - Static analysis + Dynamic analysis + Symbolic Analysis - Leverages recent advances in program analysis, formal methods, binary instrumentation… Solve security problems via binary analysis • More than a dozen different security applications • Over 25 research publications
  • 13. TEMU
  • 14. Confines TEMU • Only gcc-3.4 • Qemu 0.9.1 - TEMU • Qemu 0.10 - TCG(Tiny Code Generator)-TODO • Qemu 0.10  Qemu 1.01
  • 15. VINE
  • 17. Example of disasm: fc32dcec: rep stos %eax,%es:(%edi) R@eax[0x00000000][4](R) T0 R@ecx[0x00000002][4](RCW) T0 M@0xfb7bfff8[0x00000000][4](CW) T1 {15 (1231, 69624) (1231, 69625) (1231, 69626) (1231, 69627) } fc32dcec: rep stos %eax,%es:(%edi) R@eax[0x00000000][4](R) T0 R@ecx[0x00000001][4](RCW) T0 M@0xfb7bfffc[0x00000000][4](CW) T1 {15 (1231, 69628) (1231, 69629) (1231, 69630) (1231, 69631) } fc32dcee: mov %edx,%ecx R@edx[0x0000015c][4](R) T0 R@ecx[0x00000000][4](W) T0 fc32dcf0: and $0×3,%ecx I@0×00000000[0x00000003][1](R) T0 R@ecx[0x0000015c][4](RW) T0 fc32dcf5: andl $0×0,-0×4(%ebp) I@0×00000000[0x00000000][1](R) T0 M@0xfb5ae738[0x00000002][4](RW) T0 fc32dcf9: jmp 0x00000000fc32c726 J@0×00000000[0xffffea2d][4](R) T0 fc32c726: cmpl $0×0,-0×58(%ebp) I@0×00000000[0x00000000][1](R) T0 M@0xfb5ae6e4[0x00000000][4](R) T0
  • 18. Taint info • T0 - means that the statement is not tainted. • T1 - means that the instruction tainted in curly brackets can be seen that there tainted and what it depends. • Here's an example of: • fc32dcec: rep stos% eax,% es: (% edi) R @ eax [0x00000000] [4] (R) T0 R @ ecx [0x00000001] [4] (RCW) T0 M @ 0xfb7bfffc [0x00000000] [4] (CW) T1 {15 (1231, 628) (1231, 629) (1231, 630) (1231, 631)} • 4 bits of information tainted and they depend on the offset: 628, 629, 630, 631. 1231 - this number is origin(kind of ID that TEMU plugin sets).
  • 19. appreplay • ./vine-1.0/trace_utils/appreplay -trace font.trace -ir-out font.trace.il -assertion-on-var false-use-post-var false where: • appreplay - ocaml script that we run; • -trace - the way to the trace; • -ir-out - the path to which we write IL code. • -assertion-on-var false-use-post-var false - flags that show the format of IL code for this to false makes it more readable text.
  • 20. Example of IL code: • Begins with the declaration of variables: • INPUT - it's free memory cells, those that are tested in the very beginning (back in temu), input into the program from an external source. var cond_000017_0x4010ce_00_162:reg1_t; var cond_000013_0x4010c3_00_161:reg1_t; var cond_000012_0x4010c0_00_160:reg1_t; var cond_000007_0x4010b6_00_159:reg1_t; var INPUT_10000_0000_62:reg8_t; var INPUT_10000_0001_63:reg8_t; var INPUT_10000_0002_64:reg8_t; var INPUT_10000_0003_65:reg8_t; var mem_arr_57:reg8_t[4294967296]; – memory as an array var mem_35:mem32l_t;
  • 21. T_32t2_60:reg32_t = R_EAX_5:reg32_t = R_ESP_1:reg32_t; T_32t1_59:reg32_t = 0×73657930:reg32_t; T_32t2_60:reg32_t + { 0x1c8:reg32_t; T_32t3_61:reg32_t =(( var idx_144:reg32_t; cast(mem_arr_57[T_32t1_59:reg32_t + 0:reg32_t]:reg8_t)U:reg32_t var val_143:reg8_t; << 0:reg32_t | idx_144:reg32_t = cast(mem_arr_57[T_32t1_59:reg32_t 0x12fef0:reg32_t; + 1:reg32_t]:reg8_t)U:reg32_t << 8:reg32_t) val_143:reg8_t = | cast(mem_arr_57[T_32t1_59:reg32_t INPUT_10000_0000_62:reg + 2:reg32_t]:reg8_t)U:reg32_t 8_t; << 0×10:reg32_t) | mem_arr_57[idx_144:reg32 cast(mem_arr_57[T_32t1_59:reg32_t _t + 0:reg32_t]:reg8_t = + 3:reg32_t]:reg8_t)U:reg32_t << 0×18:reg32_t cast((val_143:reg8_t & ; R_EAX_5:reg32_t = 0xff:reg8_t) >> T_32t3_61:reg32_t; 0:reg8_t)L:reg8_t; }
  • 22. What is STP and what it does? • STP - constraint solver for bit-vector expressions. • separate project independent of the BitBlaze • To produce STP code from IL code: • ./vine-1.0/utils/wputil trace.il -stpout stp.code • where the input is IL code, and the output is STP code
  • 23. STP program example mem_arr_57_8 : ARRAY BITVECTOR(64) OF BITVECTOR(8); INPUT_10000_0000_62_4 : BITVECTOR(8); ASSERT( 0bin1 = (LET R_EAX_5_232 = 0hex73657930 IN (LET idx_144_233 = 0hex0012fef0 IN (LET val_143_234 = INPUT_10000_0000_62_4 IN (LET mem_arr_57_393 = (mem_arr_57_8 WITH [(0bin00000000000000000000000000000000 @ BVPLUS(32, idx_144_233,0hex00000000))] := (val_143_234;0hexff)[7:0]) ……. IN (cond_000017_0x4010ce_00_162_392;0bin1)))))))); Is this expression false? QUERY (FALSE); And give a counter example: COUNTEREXAMPLE;
  • 24. STP output example • How to ask for a decision to STP: • ./stp stp.code • Example of STP output: ASSERT( INPUT_10000_0001_63_5 = 0×00 ); ASSERT( INPUT_10000_0002_64_6 = 0×00 ); ASSERT( INPUT_10000_0000_62_4 = 0×61 ); ASSERT( INPUT_10000_0003_65_7 = 0×00 ); Invalid.
  • 25. SASV Components: • Temu (tracecap: start/stop tracing. Various additions to tracecap(hooks etc.)) • Vine (appreplay, wputil) • STP • IDA plugins: • - DangerousFunctions – finds calls to malloc,strcpy,memcpy etc. • - IndirectCalls – indirect jumps, indirect calls. • - ida2sql (zynamics) –idb in the mysql db. (http://blog.zynamics.com/2010/06/29/ida2sql-exporting-ida-databases-to- mysql/) • Iterators – wrapper for temu, vine, stp. • Various publishers – for DeviceIoControl etc.
  • 26. How does SASV work?
  • 27. SASV • Scheme: • Min Goal: max coverage of the dangerous code • Max Goal: max coverage of the all code
  • 28. SASV basic algorithm 1. Work of IDA plugins -> dangerous places 2. Publisher(s) -> invoke targeted code 3. TEMU -> trace 4. Trace -> appreplay -> IL 5. IL -> change path algo -> IL’ 6. IL’ -> wputil -> STP_prorgam’ 7. STP_prorgam’ -> STP -> data for n+1 iteration 8. Goto #2
  • 29. Diagram for new path in graph input data software TEMU Trace, alloc-file, state IL code appreplay Next Trace Iteration Changer, s ymbolic Vine execution wputil New IL’ code input stp Stp’ code data
  • 30. Combo system: Dumb+Smart input data Set of new Set of new input data input data SASV Coverage Blackbox fuzzer
  • 31. Disadvantages • Definition of the vulnerability is difficult task. • Performance – speed of tracing in TEMU is AWFUL
  • 32. Overhead • Ideally – 1/1000. • In Reality - 1/(X * 10000) • Where X is dynamic and could be 1 to 10^N • Depends on your target (r3, r0) • Hooks quantity, etc
  • 33. Implementation(Vine<->TEMU) issues • VEX != XED • VEX is part of valgrind - used for R3. • Formula only for single thread.
  • 34.
  • 35. Get rid of that damned QEMU! • Move taint propagation to Hypervisor! • Damn good idea! • But a lot of code to port/rewrite
  • 36. AV
  • 37. Vulnerabilities in drivers • Overflows: stack, pool, integer • Pointer overwrite • Null pointer dereference(Plague) • Race condition(Plague) • Various logical vulnerabilities(how to automate?)
  • 38. Example of issue • Total = var1 * var2 (var – could be const) • Mem = malloc(Total) • For(i=0;i<var;i++)memcpy(Mem, Mem2,CONS T) • Free(Mem)
  • 39. Define Vulnerability (Memory corruption) • var = var1 operation var2 • Mem = alloc(heap, stack)(var) • Mem[var3] = var4 • Could var3 > var (write out-of-bounds) ?
  • 40. Define vulnerability 1. tainted eip. (very rare in real life, look at KingSoft AV) 2. pointers and operations on them. 3. buffer overflow (hook *alloc function and change size of alloc). 4. integer operations and results(VSA). 5.Threads race condition – is there using of synchronising functions?
  • 41. Concept IOCTL: Data to taint: – dwIoControlCode - to get list of supported ioctl codes – lpInBuffer - pointer(METHOD_NEITHER) and data (METHOD_BUFFERED) – nInBufferSize - size ranges – lpOutBuffer - pointer(METHOD_NEITHER) and data (METHOD_BUFFERED) – nOutBufferSize- size ranges Tracing only driver code
  • 43. GData Lulz #0:MiniIcpt.sys • Ioctl code 0x83170180 (METHOD_BUFFERED) • Untrusted data goes to FtlReleaseContext • Leads to decrement arbitrary memory • Leads to control of EIP • TotalCare 2011->2012(20 months old 0day) • Wooot TotalCare 2013 fixed feature 
  • 44. GData Lulz #1: GDNdisIc.sys • What about control over Ndis Filter? • 0x830020E0 – NPD + switching on/off • 0x83002108 –switching on/off AutoPilot • First trigger as non-interesting vuln(NPD) • But log from DbgPrint shows Lulz
  • 45. GData Lulz #2: TS4nt.sys • New!!!! • Total Care 2013(future!!!) • Processes several ioctls • METHOD_BUFFERED “signal” (NPD) • Uses pointer than check – smart!
  • 46. Agnitum(?) VBEngNT.sys FAIL • VBEngNT.sys – NOT Agnitum code • VBEngNT.sys – from VirusBuster! • Plays dll role in kernel land • 50(!!!) vulnerable functions – one stupid bug • Full trust on pointers • Using by several(over 8) products • Test before you buy some r0(!!!) code!!!
  • 47. TrendMicro tmtdi.sys #1 • Ioctl code 0x220044 (METHOD_BUFFERED) • No range check for size • Just check for correct address – NPD check (MmIsAddressValid) • Pool corruption in cycle • No control of overflowing data 
  • 48. TrendMicro tmtdi.sys #1 • .text:0001D881 mov edi, [ebx+0Ch] • .text:0001D884 push edi ; our buffer • .text:0001D885 call esi ; MmIsAddressValid • .text:0001D887 test al, al • .text:0001D889 jz loc_1DDAB • .text:0001D88F push [ebp+output_buff_size] • .text:0001D892 push edi • .text:0001D893 push offset rules_list • .text:0001D898 call ioctl_0x220044_vuln • [..]
  • 49. TrendMicro tmtdi.sys #1 • .text:000156EA mov ebx, [ebp+our_buffer_size_controlled] • .text:000156ED mov [ebp+NewIrql], al • .text:000156F0 mov eax, dword_22CA0 • .text:000156F5 mov edx, offset dword_22CA0 • .text:000156FA cmp eax, edx • .text:000156FC jz short loc_15748 • [..] • .text:00015700 mov ecx, [eax+0Ch] • .text:00015703 mov [ebx], ecx • .text:00015705 mov ecx, [eax+10h] • .text:00015708 mov [ebx+4], ecx • .text:0001570B mov ecx, [eax+14h] • .text:0001570E mov [ebx+8], ecx  write outside of the pool chunk • .text:00015711 mov ecx, [eax+18h] • .text:00015714 mov [ebx+0Ch], ecx
  • 50. TrendMicro tmtdi.sys #2 • Ioctl code 0x220030 • Range check for inbuff_size >= 0x2AA • Range check for outbuff_size >= 0x4D0 • Allocs pool memory for const size 0x4D0 • And… • Zeroing it with outbuff_size length! LOL
  • 51. TrendMicro tmtdi.sys #2 • .text:0001D704 cmp [ebp+inbuff_size], 2AAh • .text:0001D70B jb loc_1DDAB • .text:0001D711 mov esi, 4D0h • .text:0001D716 cmp [ebp+output_buff_size], esi • .text:0001D719 jb loc_1DDAB • .text:0001D71F push 746D74h ; Tag • .text:0001D724 push esi ; NumberOfBytes • .text:0001D725 push 0 ; PoolType • .text:0001D727 call ds:ExAllocatePoolWithTag • [..]
  • 52. TrendMicro tmtdi.sys #2 • .text:0001D74B push edi ; pool_mem_const_size • .text:0001D74C lea eax, [ebp+output_buff_size] • .text:0001D74F push eax ; output_buff_size • .text:0001D750 push [ebp+NewIrql] ; inbuff • .text:0001D753 push 220030h ; ioctl_code • .text:0001D758 call ioctl_several_ioctl_codes • [..] • .text:00014918 mov esi, [ebp+output_buff_size] • [..] • .text:00014977 push dword ptr [esi] ; • .text:00014979 push 0 ; • .text:0001497B push [ebp+pool_mem_const_size] ; • .text:0001497E call memset
  • 53. TrendMicro tmnciesc.sys • Ioctl code 0x222404 • Kernel Pool Corruption • Your homework ;)
  • 54. Pitfalls of taint analysis • Indirect propagation • Flat model problem(data is tainted, pointer is not) – strlen problem • Const values tainting(switch problem) • More taint info(levels) – more overhead
  • 55. Pitfalls of tainting r0 • Taint info lost • Check of system variables • System defense mechanism(s) (win32k.sys WATCHDOG BugCheck)
  • 56. Pitfalls of tainting r0(IOCTL) • KeGetPreviousMode • IoGetCurrentProcess • Even hooking NtDeviceIoControlFile!
  • 57. Conclusions • Quality -> security level • Taint analysis is not key to every vuln • SASV just another approach to automate RE • Sucks for userland software analysis • Nice approach for kernel land • But fails sometimes ;) • MS should fuzz/test/analyze what it signs!