Binary Code Software Weakness Analysis Method based on Smart Intermediate Language in Embedded Environment
Junho Jeong 1, Yunsik Son 2 and Seman Oh 2*
1 Electronic Commerce Institute, Dongguk University
2 Dept. of Computer Science and Engineering, Dongguk University
{yanyenli, sonbug, smoh}@dongguk.edu, * Corresponding Author

Abstract

While software is increasingly developed using open source and third-party libraries, analysis and security testing of those libraries during the development process is very inadequate. As a result, the use of unverified third-party libraries is increasing the number of security incidents such as HeartBleed. However, it is very difficult to verify the security of binary libraries. In this paper, we propose a security vulnerability analysis method using an intermediate language that is effective for security weakness analysis, in order to overcome the main CVE (Common Vulnerabilities and Exposures) classes in the embedded software environment.

Keywords: Binary Code, Embedded Environment, Intermediate Language, Third Party Library, Vulnerability Analysis, Weakness Analysis

1. Introduction

As software grows larger, many developers take part in its development, and maintaining its overall quality becomes harder. Various studies have been conducted to eliminate the security weaknesses from which software vulnerabilities arise. For this reason, applying a systematic and detailed development methodology that eliminates security weaknesses according to a security weakness classification and analysis such as CERT Secure Coding or the CWE/SANS TOP 25, both during the Software Development Life Cycle and during the development of embedded systems, has become common practice [1,2]. Most of these approaches, however, remove security weaknesses in advance by analyzing the source code under development.
In recent years, however, third-party libraries have become a major part of software development, and many of them are used in a single project. Security analysis and testing of third-party libraries are also not performed well during development. As a result, various security incidents such as HeartBleed, ShellShock, POODLE, and DROWN have occurred through the use of third-party libraries [3-8]. Thus, security verification should be performed on third-party libraries as well. However, when a third-party library is provided only as a binary without source code, much of the syntactic structure and semantic information of the program has been removed, so analysis of security weaknesses and potential security vulnerabilities through static analysis is limited. Therefore, a method for analyzing security weaknesses in binary code is needed. For software in embedded environments, analyzing security weaknesses in advance is especially important, because security incidents in that environment can cause serious problems directly related to human life.

Received (July 17, 2017), Review Result (October 3, 2017), Accepted (October 11, 2017) ISSN: IJSEIA Copyright c 2017 SERSC
However, since binary code is expressed according to the development language, target machine, operating system, and compiler, a separate analysis method is required for each kind of binary code to be analyzed [9-12]. Recently, studies on static analysis methods based on intermediate languages have been carried out [13-18]. An intermediate-language-based static analysis method converts the binary code into an intermediate language and analyzes security weaknesses in that intermediate language rather than in the binary code. Therefore, the security weakness analysis is written once for the intermediate language, and there is no need to consider the development environment or target machine of the binary code. In this paper, we propose a security weakness analysis method based on SIL (Smart Intermediate Language) to overcome major CVE classes in binary code in embedded software environments. Section 2 explores the security vulnerabilities that occur in major CVEs in embedded environments. Section 3 introduces existing intermediate languages and the security weakness analysis techniques based on them. In Section 4, we propose a method for analyzing security weaknesses based on our intermediate language, and in Section 5 we analyze the performance of the proposed method. Finally, we conclude in Section 6.

2. Embedded Software CVE

A security vulnerability in software means that there is already a problem in the operation of the software, and that problem is caused by security weaknesses. In other words, not every security weakness inherent in software is a security vulnerability, but every security vulnerability is caused by a security weakness. Therefore, removing the security weaknesses inherent in software is the most important step in eliminating its security vulnerabilities.
Consequently, to find the software security weaknesses that matter in a specific environment, one can analyze the major security weaknesses occurring in that environment through its reported security vulnerabilities. To manage such security vulnerabilities more systematically, MITRE maintains CVE [19]. CVE is a standardized list of security vulnerabilities and other information security exposures. The CVE covers 13 vulnerability types. Figure 1 shows the total number of CVE items reported from 1999 to 2016; the most common vulnerabilities in embedded software are DoS, Execute Code, Overflow, Bypass Something, Gain Information, Gain Privilege, and Memory Corruption. Among these, Execute Code, DoS and Overflow vulnerabilities occur more frequently than the XSS vulnerabilities that are most frequently reported for web services. Because these three vulnerability types have a significant impact, careful consideration of embedded software vulnerabilities is very important.

Figure 1. Number of Vulnerabilities Reported by Type of CVE from 1999 ~
Therefore, this paper proposes a method for analyzing the security weaknesses that can cause these three vulnerability types.

3. Intermediate Language and Software Weakness Analysis

3.1. Vine (BitBlaze)

BitBlaze is a unified binary analysis platform that provides a broad-spectrum solution to a variety of security problems and consists of three components: Vine, TEMU and Rudder. Vine is the static analysis component; it translates binaries into an intermediate language and analyzes them there. TEMU is the dynamic analysis component, which monitors the entire system in detail, instruments binaries, and analyzes the whole system dynamically. Rudder is a further component that combines static and dynamic analysis. The structure of Vine, the static analysis component of BitBlaze, is divided into a front end and a back end. The front end of Vine converts 32-bit x86 binary code into assembly and then into Vine's intermediate language, a platform-independent, simply structured IL that makes programs easier to analyze. Vine's back end supports a variety of core program analyses and can translate Vine instructions into valid C code through its code generator. By combining static and dynamic analysis, Vine can also process the readable execution traces produced by dynamic analysis components such as TEMU. However, Vine's intermediate language lacks semantic information, and it is difficult to apply it to architectures such as ARM that deal with both big-endian and little-endian data.

3.2. BIL (BAP)

The Binary Analysis Platform (BAP) is a tool for binary code analysis that supports ARM machines as well as x86 assembly language, and it provides various tools for static and dynamic analysis of binary code. BAP receives binary code as input and, in its front end, converts it into a structure-independent intermediate language called the Binary Intermediate Language (BIL).
This intermediate language can be expressed in graph form, optimized, and used to generate VCs (Verification Conditions) by computing weakest preconditions. In addition, further program analyses can be performed on it, and it can be converted back to assembly, binary, or C code.

3.3. REIL

The Reverse Engineering Intermediate Language (REIL) is an intermediate language for representing platform-independent disassembled assembly code; it enables automated static analysis of assembly code in the context of software reverse engineering for vulnerability detection. The implementation was completed in the commercial reverse engineering tool BinNavi. The conversion from raw assembly code to REIL code is done by the REIL translator, which maps each instruction of the original assembly code to REIL code while iterating over all instructions of the input. The translator converts each instruction independently into REIL code; it needs neither information about the next instruction nor information generated while converting the previous instruction. Simply put, the REIL translator repeatedly maps a single native instruction to a list of REIL instructions, and because REIL instructions are so simple, a single native assembly instruction is converted into many REIL instructions. However, REIL cannot translate special instructions such as FPU operations and system calls.
3.4. SIL

The SIL intermediate language is designed for execution on a stack-based virtual machine. Its instruction set is divided into 7 operation code groups according to the type of operation. An opcode is represented by two bytes and can carry instruction parameters as needed. For readability, the mnemonic of an opcode is defined as a combination of letters and an integer denoting the operation. When type information is required by the kind of opcode, a type symbol is appended after a '.' (dot). An intermediate language instruction can have up to two operands and one result value, which is pushed onto the stack as the result of the operation. Each intermediate language instruction also has a type, so that the types of operand 1, operand 2, and the result are fixed. The result type used for type checking is expressed as <operand 1, operand 2, arithmetic result>. In this paper, we use a slightly modified SIL as the target when converting binary code to SIL. Vulnerable functions that cause well-known security weaknesses can be defined internally in advance so that security weaknesses can be analyzed.

4. Embedded Software Weakness Analysis based on SIL

We propose a method that translates binary code into an intermediate language and analyzes the security weaknesses of the software in that intermediate language, in the same spirit as the existing intermediate-language-based security weakness research. In this paper, we propose a methodology for analyzing buffer overflow, one of the most common weaknesses in the embedded environment, and we have developed a dedicated module for it. Buffer overflow is one of the most common security weaknesses and occurs in both stack and heap buffers. It was the most common security problem in the second half of 2000 and has been reported continuously in recent years. The problem is caused by using a vulnerable function that does not check the size of the buffer and applying it to user-supplied data.
Security problems arise when data received from external sources (a file, a socket, etc.) is passed to such vulnerable functions. An example of the invocation sequence of a vulnerable function is shown in Figure 2. It is a typical example of a function that passes one of its parameters to strcpy, a well-known vulnerable function, so that a buffer overflow can occur.

Figure 2. Example Call Sequence using Common Vulnerable Functions

Therefore, the procedure shown in Figure 3 is performed to analyze whether SIL code that carries a security weakness actually has a vulnerability. For effective security weakness analysis, we extend the existing SIL and define the vulnerable functions in advance, so that uses of vulnerable functions can be recognized easily.
Figure 3. When a Vulnerable Function References a Parameter

There is also the case where the parameters of the vulnerable function are referenced inside the function under analysis. This corresponds to filling big_buffer, of size 256, with 'A' characters in a loop and then passing it as the source of strcpy into a buffer variable of size 16, as shown in Figure 4. Once the parameters of the vulnerable function are referenced internally, the analysis can be performed using the algorithm shown in Figure 5.

Figure 4. Problematic Parameters when Passing the Internal Function Call Sequence
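The backward, interprocedural size reasoning of Figures 3 to 5, which the Experiment section later walks through on the Figure 6 program, as an added example written for this page in Python; it is not the paper's analysis module. The instruction tuples (`ldp`, `lda`, `str.p`, `call`), the frame tables that give each local variable's size, the short vulnerable-function table standing in for the paper's 86 predefined functions, and the reading of `ldp` as the start of an argument-setup basic block are all constructed assumptions modelled on the mnemonics quoted in Section 5.

```python
"""Backward, bottom-up buffer-size analysis over a SIL-like instruction list.

Added example, not the paper's module.  The instruction tuples are a
CONSTRUCTED approximation of the SIL mnemonics quoted in the paper
(`ldp`, `lda 1 4`, `str.p 1 0`); two-byte opcodes and type symbols of the
real SIL are not modelled.  Assumed meaning of the constructed forms:
    ("ldp",)             start of an argument-setup basic block (assumption)
    ("lda", lvl, off)    push the address of the local at frame offset `off`
    ("str.p", lvl, off)  push the pointer held in parameter slot `off`
    ("call", name)       call `name` with the operands pushed since `ldp`
"""
from dataclasses import dataclass, field

# Which argument of a predefined vulnerable function is the destination buffer
# and which the source.  The paper predefines 86 functions; constructed subset.
VULNERABLE_FUNCS = {"strcpy": {"dst": 0, "src": 1}, "strcat": {"dst": 0, "src": 1}}


@dataclass
class Function:
    name: str
    params: list     # parameter names, indexed by slot
    locals: dict     # frame offset -> (variable name, size in bytes)
    code: list = field(default_factory=list)


@dataclass
class Finding:
    function: str    # function containing the vulnerable call
    callee: str      # the vulnerable function called
    dst: str
    dst_size: int
    src: str
    src_size: int
    path: list       # call chain followed to resolve the source size


def argument_block(code, call_index):
    """Operands pushed between the nearest preceding `ldp` and the call."""
    start = call_index
    while start > 0 and code[start - 1][0] != "ldp":
        start -= 1
    return [ins for ins in code[start:call_index] if ins[0] in ("lda", "str.p")]


def operand_size(program, func, operand, path):
    """Resolve (name, size, path) for an operand.

    Locals come from the frame table.  A parameter is resolved bottom-up
    through every caller, keeping the largest buffer any caller passes
    (a may-overflow approximation); a size that cannot be found stays None.
    """
    kind, _level, offset = operand
    if kind == "lda":
        name, size = func.locals.get(offset, ("<unknown>", None))
        return name, size, path
    best = (func.params[offset], None, path)
    for caller in program.values():
        if caller.name in path:          # guard against recursive call chains
            continue
        for i, ins in enumerate(caller.code):
            if ins[0] != "call" or ins[1] != func.name:
                continue
            args = argument_block(caller.code, i)
            if offset >= len(args):
                continue
            cand = operand_size(program, caller, args[offset], path + [caller.name])
            if cand[1] is not None and (best[1] is None or cand[1] > best[1]):
                best = cand
    return best


def analyze(program):
    """Report every vulnerable call whose source buffer exceeds its destination."""
    findings = []
    for func in program.values():
        for i, ins in enumerate(func.code):
            if ins[0] != "call" or ins[1] not in VULNERABLE_FUNCS:
                continue
            spec = VULNERABLE_FUNCS[ins[1]]
            args = argument_block(func.code, i)
            if len(args) <= max(spec.values()):
                continue                 # argument block not fully recovered
            dst, dst_size, _ = operand_size(program, func, args[spec["dst"]], [func.name])
            src, src_size, path = operand_size(program, func, args[spec["src"]], [func.name])
            if dst_size is not None and src_size is not None and src_size > dst_size:
                findings.append(Finding(func.name, ins[1], dst, dst_size, src, src_size, path))
    return findings


def build_example_program(source_size=256):
    """Constructed SIL-like form of the paper's Figure 6 program."""
    sample = Function("sample_function", ["string"], {4: ("buffer", 16)}, [
        ("ldp",),
        ("lda", 1, 4),       # &buffer  -> strcpy destination
        ("str.p", 1, 0),     # string   -> strcpy source (parameter slot 0)
        ("call", "strcpy"),
    ])
    main = Function("main", [], {0: ("big_buffer", source_size), 256: ("i", 4)}, [
        # the loop filling big_buffer with 'A' is omitted; it does not change
        # the size reasoning
        ("ldp",),
        ("lda", 1, 0),       # &big_buffer -> argument 0 of sample_function
        ("call", "sample_function"),
    ])
    return {f.name: f for f in (sample, main)}


if __name__ == "__main__":
    for f in analyze(build_example_program()):
        print(f"{f.function}: {f.callee}({f.dst}[{f.dst_size}], {f.src}[{f.src_size}]) "
              f"may overflow; source size resolved via {' <- '.join(f.path)}")
```

Running the block reports the single strcpy call in sample_function: the destination buffer is 16 bytes, while following the parameter back into main resolves the source to the 256-byte big_buffer. Rebuilding the program with `build_example_program(source_size=8)` yields no finding, which is the comparison the paper's algorithm makes. Because only buffer sizes are compared, the result is a may-overflow warning; a string-length analysis would be needed to rule out false positives.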
Figure 5. Analysis Algorithm when Referring to the Inside of the Vulnerable Function Parameter

5. Experiment

To evaluate the proposed method, the C source code shown in Figure 6, which contains a buffer overflow, is compiled to binary code and then converted into SIL code.

```c
#include <string.h>   /* the paper's listing includes the platform header "sys_lib.h" */

void sample_function(char *string)
{
    char buffer[16];
    strcpy(buffer, string);   /* no bounds check: the weakness under analysis */
    return;
}

int main(void)
{
    char big_buffer[256];
    int i;
    for (i = 0; i < 256; i++)
        big_buffer[i] = 'A';
    sample_function(big_buffer);   /* Buffer Overflow */
    return 0;
}
```

Figure 6. C Source Code Example with Buffer Overflow Security Weakness

Figure 7 shows the SIL code control flow of the example. When the control flow of the converted SIL code is analyzed, the corresponding source uses strcpy() in sample_function. To identify a security vulnerability, we check whether the src used in strcpy is smaller than the destination. Therefore, data flow analysis is carried out backward, starting from sample_function(), and the following algorithm is applied. First, the call instructions are searched for uses of vulnerable functions. strcpy is among the 86 predefined vulnerable functions, so the use of a vulnerable function is easily recognized. Next, we delimit the basic block from the vulnerable function call back to ldp and search for the variables in that block (shaded beige in the figure). In the example, str.p 1 0 and lda 1 4 are the variables. Since the function used is strcpy, the size of the destination variable lda 1 4 and that of the source variable str.p 1 0 determine whether a buffer overflow occurs. Therefore, we need to deduce the size of the local variable from the declaration in the function that uses the risky function. In the example, we can deduce that the size is 20, and the string stored in lda 1 4 by strcpy must be smaller than 16.

Figure 7. SIL Code Control Flow of Example Code

To check this, we look at the call of sample_function in the main function, delimit the basic block from that call back to ldp, and find that lda 1 0 is the corresponding parameter. In addition, by the bottom-up method we can see that the size of this variable is 256. From the previous analysis we know that the source must be smaller than 16 for there to be no problem; since 256 is larger, we can confirm that a buffer overflow occurs. Figure 8 shows the data flow of the SIL code.

6. Conclusion

In this paper, we propose a method for performing SIL intermediate-language-based analysis of security weaknesses inherent in embedded environment software. In particular, we propose a method for effectively analyzing buffer overflows that may occur in the stack and heap areas. As a result, we confirmed that security weaknesses can be analyzed effectively by converting binary code to SIL. However, since only one of the many security weaknesses has been analyzed, future research will address methods for analyzing other major weaknesses, such as Use After Free and Integer Overflow, based on SIL. Ultimately, we will carry out research to implement an integrated security vulnerability analyzer for embedded environment binary code that combines these weakness analysis modules.
Figure 8. SIL Code Data Flow Analysis of Example Code

Acknowledgments

The authors gratefully acknowledge the financial support provided by the Defense Acquisition Program Administration and the Agency for Defense Development under contract UD160035ED.

References

[1] B. Martin, M. Brown, A. Paller, D. Kirby and S. Christey, 2011 CWE/SANS top 25 most dangerous software errors, (2011) September.
[2] K. Tsipenyuk, B. Chess and G. McGraw, Seven pernicious kingdoms: A taxonomy of software security errors, Journal of IEEE Security and Privacy, vol. 3, no. 6, (2005).
[3] N. Mehta, The Heartbleed Bug, (2014) April.
[4] S. Chazelas, The Shellshock vulnerability, (2014) September.
[5] B. Möller, T. Duong and K. Kotowicz, This POODLE bites: exploiting the SSL 3.0 fallback, (2014).
[6] N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, ... and E. Käsper, DROWN: Breaking TLS using SSLv2, Proceedings of the 25th USENIX Security Symposium, Austin, USA, (2016) August.
[7] GrammaTech, Find Defects in Third-Party Code.
[8] GrammaTech, Eliminating Vulnerabilities in Third-party Code with Binary Analysis.
[9] S. Rawat and L. Mounier, Finding buffer overflow inducing loops in binary executables, Proceedings of IEEE 6th International Conference on Software Security and Reliability (SERE), Gaithersburg MD, USA, (2012).
[10] J. Feist, L. Mounier and M. L. Potet, Statically detecting use after free on binary code, Journal of Computer Virology and Hacking Techniques, vol. 10, no. 3, (2014).
[11] T. Wang, T. Wei, Z. Lin and W. Zou, IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution, Proceedings of the 16th Network and IT Security Symposium, San Diego, USA, (2009) February.
[12] B. Zhang, B. Wu, C. Feng, X. Zhang and C. Tang, Statically detect invalid pointer dereference vulnerabilities in binary software, Proceedings of IEEE International Conference on Progress in Informatics and Computing (PIC), Nanjing, China, (2015) December.
[13] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam and P. Saxena, BitBlaze: A new approach to computer security via binary analysis, Proceedings of the 4th International Conference on Information Systems Security, Hyderabad, India, (2008) December.
[14] D. Brumley, I. Jager, T. Avgerinos and E. J. Schwartz, BAP: A Binary Analysis Platform, Proceedings of the 23rd International Conference on Computer Aided Verification, Snowbird, USA, (2011) July.
[15] T. Dullien and S. Porst, REIL: A platform-independent intermediate representation of disassembled code for static code analysis, Proceedings of CanSecWest, (2009).
[16] Y. Son and Y. Lee, A Study on the Java Compiler for the Smart Virtual Machine Platform, Communications in Computer and Information Science, vol. 353, (2012).
[17] G. C. Necula, S. McPeak, S. P. Rahul and W. Weimer, CIL: Intermediate language and tools for analysis and transformation of C programs, Proceedings of the 11th International Conference on Compiler Construction, Grenoble, France, (2002) April.
[18] S. Cesare and X. Yang, Wire: A Formal Intermediate Language for Binary Analysis, Proceedings of IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Liverpool, UK, (2012) June.
[19] The MITRE Corporation, Common Vulnerabilities and Exposures, (2001).
More informationBuffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers
dministrative Buffer Overflows COMP 435 Fall 2017 Prof. Cynthia Sturton Exam Mon., Nov. 6 Covers material since last exam, including today s lecture Review in OH Fri., Nov. 3, 10-12 FB 354 Poster group
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationStack Overflow COMP620
Stack Overflow COMP620 There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don t know
More informationCompiling Techniques
Lecture 10: Introduction to 10 November 2015 Coursework: Block and Procedure Table of contents Introduction 1 Introduction Overview Java Virtual Machine Frames and Function Call 2 JVM Types and Mnemonics
More information22c:111 Programming Language Concepts. Fall Types I
22c:111 Programming Language Concepts Fall 2008 Types I Copyright 2007-08, The McGraw-Hill Company and Cesare Tinelli. These notes were originally developed by Allen Tucker, Robert Noonan and modified
More informationEURECOM 6/2/2012 SYSTEM SECURITY Σ
EURECOM 6/2/2012 Name SYSTEM SECURITY 5 5 5 5 5 5 5 5 10 50 1 2 3 4 5 6 7 8 9 Σ Course material is not allowed during the exam. Try to keep your answers precise and short. You will not get extra points
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationBuffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.
Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationHeartbleed Bug. Anthony Postiglione. Department of Electrical & Computer Engineering Missouri University of Science and Technology
Heartbleed Bug Anthony Postiglione Department of Electrical & Computer Engineering Missouri University of Science and Technology avp275@mst.edu rev. 14.0 Introduction What is Heartbleed? Discovery Presentation
More informationTowards Automatic Generation of Vulnerability- Based Signatures
Towards Automatic Generation of Vulnerability- Based Signatures David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha (presented by Boniface Hicks) Systems and Internet Infrastructure Security
More informationDesign and Implementation of the Smart Virtual Machine on ios Platform for the Mobile Game Portability
, pp.23-32 http://dx.doi.org/10.14257/ijsh.2014.8.2.04 Design and Implementation of the Smart Virtual Machine on ios Platform for the Mobile Game Portability Yunsik Son 1, JaeHyun Kim 2 and YangSun Lee
More informationDon t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd
Don t Be the Developer Whose Rocket Crashes on Lift off 2015 LDRA Ltd Cost of Software Defects Consider the European Space Agency s Ariane 5 flight 501 on Tuesday, June 4 1996 Due to an error in the software
More informationStack Overflow. Faculty Workshop on Cyber Security May 23, 2012
Stack Overflow Faculty Workshop on Cyber Security May 23, 2012 Goals Learn to hack into computer systems using buffer overflow Steal sensitive data Crash computer programs Lay waste to systems throughout
More informationEmbedded TaintTracker: Lightweight Tracking of Taint Data against Buffer Overflow Attacks
Embedded TaintTracker: Lightweight Tracking of Taint Data against Buffer Overflow Attacks Ying-Dar Lin, Fan-Cheng Wu, Tze-Yau Huang Dept. of Computer Science and Information Engineering National Chiao
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationLanguage Security. Lecture 40
Language Security Lecture 40 (from notes by G. Necula) Prof. Hilfinger CS 164 Lecture 40 1 Lecture Outline Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting
More informationApplication Specific Signal Processors S
1 Application Specific Signal Processors 521281S Dept. of Computer Science and Engineering Mehdi Safarpour 23.9.2018 Course contents Lecture contents 1. Introduction and number formats 2. Signal processor
More informationCode: analysis, bugs, and security
Code: analysis, bugs, and security supported by Bitdefender Marius Minea marius@cs.upt.ro 4 October 2017 Course goals improve skills: write robust, secure code understand program internals learn about
More informationSAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29,
SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview Tim Boland NIST May 29, 2012 http://samate.nist.gov t.boland@nist.gov 1 NationaI Institute of Standards and Technology (NIST) NIST,
More informationTowards a Resilient Operating System for Wireless Sensor Networks
Towards a Resilient Operating System for Wireless Sensor Networks Hyoseung Kim Hojung Cha Yonsei University, Korea 2006. 6. 1. Hyoseung Kim hskim@cs.yonsei.ac.kr Motivation (1) Problems: Application errors
More informationC Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:
C Programming Code: MBD101 Duration: 10 Hours Prerequisites: You are a computer science Professional/ graduate student You can execute Linux/UNIX commands You know how to use a text-editing tool You should
More informationARE: Automated Reverse Engineering of Machine Code
ARE: Automated Reverse Engineering of Machine Code Vu Le, Quy Messiter, Robert Ross, and Gregory Sadosuk BAE Systems 4301 N. Fairfax Drive, Suite 800, Arlington, VA, 22203 1-703-284-84{69, 85, 97, 64}
More informationComputer Components. Software{ User Programs. Operating System. Hardware
Computer Components Software{ User Programs Operating System Hardware What are Programs? Programs provide instructions for computers Similar to giving directions to a person who is trying to get from point
More informationB.V. Patel Institute of Business Management, Computer & Information Technology, Uka Tarsadia University
Unit 1 Programming Language and Overview of C 1. State whether the following statements are true or false. a. Every line in a C program should end with a semicolon. b. In C language lowercase letters are
More informationISA: The Hardware Software Interface
ISA: The Hardware Software Interface Instruction Set Architecture (ISA) is where software meets hardware In embedded systems, this boundary is often flexible Understanding of ISA design is therefore important
More informationA Practical Approach to Programming With Assertions
A Practical Approach to Programming With Assertions Ken Bell Christian-Albrechts Universität Kiel Department of Computer Science and Applied Mathematics Real-Time Systems and Embedded Systems Group July
More information3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually
University of Illinois at Urbana-Champaign Dept. of Electrical and Computer Engineering ECE 220: Computer Systems & Programming Structured Data in C Sometimes, Knowing Which Thing is Enough In MP6, we
More informationSecuring Applications in C/C++
Securing Applications in C/C++ Application Security Training Datasheet Security Compass 2012. Application Security Training Datasheet. Securing Applications in C/C++ 1 It has long been discussed that identifying
More informationPrinciples of Programming Pointers, Dynamic Memory Allocation, Character Arrays, and Buffer Overruns
Pointers, Dynamic Memory Allocation, Character Arrays, and Buffer Overruns What is an array? Pointers Memory issues The name of the array is actually a memory address. You can prove this by trying to print
More informationOne-Slide Summary. Lecture Outline. Language Security
Language Security Or: bringing a knife to a gun fight #1 One-Slide Summary A language s design principles and features have a strong influence on the security of programs written in that language. C s
More informationLecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems
Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction
More informationTopics Power tends to corrupt; absolute power corrupts absolutely. Computer Organization CS Data Representation
Computer Organization CS 231-01 Data Representation Dr. William H. Robinson November 12, 2004 Topics Power tends to corrupt; absolute power corrupts absolutely. Lord Acton British historian, late 19 th
More informationWhy arrays? To group distinct variables of the same type under a single name.
Lesson #7 Arrays Why arrays? To group distinct variables of the same type under a single name. Suppose you need 100 temperatures from 100 different weather stations: A simple (but time consuming) solution
More informationAssertions. Assertions - Example
References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 11/13/2003 1 Assertions Statements about input to a routine or state of a class Have two primary roles As documentation,
More informationDEPARTMENT OF COMPUTER AND MATHEMATICAL SCIENCES UNIVERSITI TEKNOLOGI MARA CAWANGAN PULAU PINANG
DEPARTMENT OF COMPUTER AND MATHEMATICAL SCIENCES UNIVERSITI TEKNOLOGI MARA CAWANGAN PULAU PINANG PROGRAMME Diploma in Civil Engineering Diploma in Mechanical Engineering COURSE/CODE Fundamentals of Computer
More informationJava Internals. Frank Yellin Tim Lindholm JavaSoft
Java Internals Frank Yellin Tim Lindholm JavaSoft About This Talk The JavaSoft implementation of the Java Virtual Machine (JDK 1.0.2) Some companies have tweaked our implementation Alternative implementations
More informationA Type System for Object Initialization In the Java TM Bytecode Language
Electronic Notes in Theoretical Computer Science 10 (1998) URL: http://www.elsevier.nl/locate/entcs/volume10.html 7 pages A Type System for Object Initialization In the Java TM Bytecode Language Stephen
More informationLab 3. Pointers Programming Lab (Using C) XU Silei
Lab 3. Pointers Programming Lab (Using C) XU Silei slxu@cse.cuhk.edu.hk Outline What is Pointer Memory Address & Pointers How to use Pointers Pointers Assignments Call-by-Value & Call-by-Address Functions
More informationRegister Reassignment for Mixed-width ISAs is an NP-Complete Problem
Register Reassignment for Mixed-width ISAs is an NP-Complete Problem Bor-Yeh Shen, Wei Chung Hsu, and Wuu Yang Institute of Computer Science and Engineering, National Chiao Tung University, Taiwan, R.O.C.
More informationSecurity Testing of Software on Embedded Devices Using x86 Platform
Security Testing of Software on Embedded Devices Using x86 Platform Yesheng Zhi( ), Yuanyuan Zhang, Juanru Li, and Dawu Gu Lab of Cryptology and Computer Security, Shanghai Jiao Tong University, Shanghai,
More informationBuffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, 2011. 1 Introduction to the topic
More informationSecure Coding Techniques
Secure Coding Techniques "... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc] "Distrust and caution are the parents
More informationProblem with Scanning an Infix Expression
Operator Notation Consider the infix expression (X Y) + (W U), with parentheses added to make the evaluation order perfectly obvious. This is an arithmetic expression written in standard form, called infix
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationExposing The Misuse of The Foundation of Online Security
Exposing The Misuse of The Foundation of Online Security HLA ID: 90FZSBZFZSB 56BVCXVBVCK 23YSLUSYSLI 01GATCAGATC Cyber space is very similar to organic realm Keys & certificates are like HLA tags But,
More informationCHAPTER 5 A Closer Look at Instruction Set Architectures
CHAPTER 5 A Closer Look at Instruction Set Architectures 5.1 Introduction 293 5.2 Instruction Formats 293 5.2.1 Design Decisions for Instruction Sets 294 5.2.2 Little versus Big Endian 295 5.2.3 Internal
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More information