
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

  1. a look into the sanitizer family, by Akul Pillai
  2. >_ whoami
     ● Akul Pillai (Twitter: @akulpillai)
     ● 2nd year CSE BTech student @ Amrita School of Engineering, Amritapuri
     ● aka k4iz3n, CTF player @teambi0s
     ● Reverse engineering and binary exploitation
     ● Organizing team @ InCTF and InCTFj
  3. >_ Agenda
     ● What are Sanitizers?
       ○ Overview
       ○ Characteristics
     ● Address Sanitizer (ASan)
       ○ Usage & Working
     ● Undefined Behaviour Sanitizer (UBSan)
       ○ Usage & Working
     ● Sanitizers in Action (demos)
  4. >_ What are Sanitizers?
     ● A family of dynamic testing tools available in Clang, GCC and Xcode that let you perform runtime analysis on your code.
     ● Detects bugs such as
       ○ buffer overflows
       ○ signed integer overflows
       ○ uninitialized memory reads
       ○ data races, etc.
     ● An amazing fuzzer aid
  5. >_ Types of Sanitizers
     There are fundamentally 4 types of Sanitizers:
     >_ Address Sanitizer: detects invalid address usage bugs
     >_ Undefined Behaviour Sanitizer: finds bugs where the code's semantics are unspecified
     >_ Thread Sanitizer: detects threading bugs
     >_ Memory Sanitizer: finds uninitialized memory access bugs
  6. >_ Characteristics of Sanitizers
     ● Compiler instrumented
       ○ The compiler adds checks inlined into the generated code
     ● Checks are performed dynamically during runtime
     ● A detailed report is created and output
     Meaning only bugs that are encountered during execution are reported.
  7. >_ Agenda
     ● What are Sanitizers?
       ○ Types
       ○ Characteristics
     ● Address Sanitizer (ASan)
       ○ Usage & Working
     ● Undefined Behaviour Sanitizer (UBSan)
       ○ Usage & Working
     ● Sanitizers in Action (demos)
  8. >_ Address Sanitizer (ASan)
     ● Open source tool developed by Google.
     ● A fast memory corruption bug detector.
     ● ASan can detect:
       ○ Use after free (dangling pointer dereference)
       ○ Heap buffer overflow
       ○ Stack buffer overflow
       ○ Global buffer overflow
       ○ Use after return
       ○ Use after scope
  9. >_ ASan - Usage
     Ships with the following compilers, and can be enabled using the following flags:
     ○ GCC & Clang: -fsanitize=address
     ○ Xcode: Runtime Sanitization > Enable Address Sanitizer
  10. >_ ASan - Working
      before instrumentation:
          *address = ...; // or: ... = *address;
      after instrumentation:
          if (IsPoisoned(address)) {
              ReportError(address, kAccessSize, kIsWrite);
          }
          *address = ...; // or: ... = *address;
  11. >_ ASan - Memory Mapping
      ● Uses memory mapping in a way that optimizes performance
      ● The virtual address space is divided into 2 disjoint classes:
        ○ Main application memory (Mem): this memory is used by the regular application code.
        ○ Shadow memory (Shadow): this memory contains the shadow values (or metadata).
  12. >_ ASan - Memory Mapping
      8 bytes of main memory is mapped to 1 byte of shadow memory.
      Shadow byte values (from the slide's diagram): 0 = all 8 bytes addressable; 7, 6, 5, 4, 3, 2, 1 = only the first k bytes of the 8 are addressable; -1 = unaddressable/poisoned.
  13. >_ ASan - Instrumentation
      using shadow memory, the abstract check
          if (IsPoisoned(address)) {
              ReportError(address, kAccessSize, kIsWrite);
          }
      becomes
          shadow_address = MemToShadow(address);
          if (ShadowIsPoisoned(shadow_address)) {
              ReportError(address, kAccessSize, kIsWrite);
          }
          *address = ...; // or: ... = *address;
  14. >_ ASan - buffer overflow
  15. >_ ASan - use after free
  16. >_ Agenda
      ● What are Sanitizers?
        ○ Types
        ○ Characteristics
      ● Address Sanitizer (ASan)
        ○ Usage & Working
      ● Undefined Behaviour Sanitizer (UBSan)
        ○ Usage & Working
      ● Sanitizers in Action (demos)
  17. >_ Undefined Behaviour Sanitizer (UBSan)
      ● Undefined behaviour describes the result of any operation with unspecified semantics, such as
        ○ dividing by zero
        ○ loading memory from a misaligned pointer
        ○ dereferencing a null pointer
      ● UBSan detects:
        ○ out-of-bounds access of arrays
        ○ integer overflow
        ○ out-of-range casts to, from, or between floating-point types and other types
  18. >_ UBSan - Usage
      Ships with the following compilers, and can be enabled using the following flags:
      ○ GCC & Clang: -fsanitize=undefined
      ○ Xcode: Runtime Sanitization > Enable Undefined Behaviour Sanitizer
  19. >_ UBSan - integer overflow
  20. >_ UBSan - Working demo
  21. >_ UBSan - Working
      Individual checks, each of which can be enabled on its own instead of the whole -fsanitize=undefined group:
      -fsanitize=alignment
      -fsanitize=bool
      -fsanitize=builtin
      -fsanitize=bounds
      -fsanitize=enum
      -fsanitize=float-cast-overflow
      -fsanitize=nullability-arg
      -fsanitize=object-size
      -fsanitize=pointer-overflow
      -fsanitize=return
      -fsanitize=shift
      -fsanitize=vptr
  22. >_ UBSan - array out of bounds
  23. >_ UBSan - Working demo
  24. >_ questions?
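Slides 12 and 13 describe the shadow-byte encoding and the check ASan inlines before every load and store. The C model below is an added example, not code from the deck or from the ASan runtime: it implements that encoding over a constructed 64-byte fake heap (the names mem_to_shadow, model_malloc, model_free and access_is_poisoned are hypothetical) and walks through the buffer-overflow and use-after-free demos from slides 14 and 15.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of ASan's shadow-byte scheme (not the runtime's code).
 * Real x86_64 mapping: Shadow = (Mem >> 3) + 0x7fff8000. Here "addresses"
 * are offsets into a 64-byte fake heap so the model runs anywhere. */
#define SHADOW_SCALE 3
#define GRANULE      (1u << SHADOW_SCALE)   /* 8 app bytes per shadow byte */
#define HEAP_BYTES   64
static int8_t shadow[HEAP_BYTES / GRANULE];
static int8_t *mem_to_shadow(uintptr_t addr) { return &shadow[addr >> SHADOW_SCALE]; }

/* Shadow values as on the slide: 0 = all 8 bytes addressable, k in 1..7 =
 * only the first k bytes addressable, negative = unaddressable/poisoned. */
static void model_malloc(uintptr_t addr, size_t size) {
    memset(shadow, -1, sizeof shadow);           /* redzones everywhere else */
    for (uintptr_t a = addr; a < addr + size; a += GRANULE) {
        size_t left = addr + size - a;
        *mem_to_shadow(a) = left >= GRANULE ? 0 : (int8_t)left;
    }
}
static void model_free(uintptr_t addr, size_t size) {
    /* Freed memory is poisoned again; the real runtime uses a distinct magic
     * byte so the report can say "heap-use-after-free", not "heap-buffer-overflow". */
    for (uintptr_t a = addr; a < addr + size; a += GRANULE) *mem_to_shadow(a) = -1;
}

/* The inlined check emitted before an n-byte load/store (n <= 8).
 * Returns true when ASan would call ReportError(). */
static bool access_is_poisoned(uintptr_t addr, size_t n) {
    int8_t k = *mem_to_shadow(addr);
    if (k == 0) return false;                    /* fast path: whole granule ok */
    if (n == GRANULE) return true;               /* 8-byte access needs k == 0 */
    int last = (int)(addr & (GRANULE - 1)) + (int)n - 1;  /* last byte touched */
    return last >= k;                            /* also true for negative k */
}

/* Walk through the two demo bugs on a 13-byte "allocation" at offset 16. */
static int demo_overflow_then_uaf(void) {
    model_malloc(16, 13);                        /* shadow[2] = 0, shadow[3] = 5 */
    int reports = 0;
    reports += access_is_poisoned(16, 4);        /* in bounds: no report */
    reports += access_is_poisoned(28, 1);        /* last valid byte: no report */
    reports += access_is_poisoned(29, 1);        /* one past the end: report */
    reports += access_is_poisoned(8, 1);         /* left redzone: report */
    model_free(16, 13);
    reports += access_is_poisoned(16, 1);        /* use after free: report */
    return reports;                              /* 3 */
}
```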