Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University
|
|
- James Stafford
- 5 years ago
- Views:
Transcription
1 Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University 1
2 Vulnerabilities everywhere? 2
3 Common Languages: TIOBE 18 Jul 2018 Jul 2017 Change Language 1 1 Java 2 2 C 3 3 C Python VB.NET 6 5 C# 7 6 PHP 8 8 JavaScript 9 ++ SQL Objective-C Ratings % % 7.615% 6.361% 4.247% 3.795% 2.832% 2.831% 2.334% 1.453% Change +2.37% +7.34% +2.04% +2.82% +1.20% +0.28% -0.26% +0.22% +2.33% -0.44% 3
4 Software is highly complex Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: 1 MLoC glibc: 2 MLoC Linux kernel: 17 MLoC Low-level languages (C/C++) trade type safety and memory safety for performance 4
5 Defense: Testing vs. Mitigations Software Testing Discover bugs Development tool Result oriented Mitigations Stop exploitation Always on Low overhead 5
6 Memory Corruption 6
7 Memory error: invalid dereference Dangling pointer: (temporal) free(foo); *foo = 23; Out-of-bounds pointer: (spatial) char foo[40]; foo[42] = 23; Violation iff: pointer is read, written, or freed 7
8 Type Confusion 8
9 Type confusion through downcasts Base Greeter Exec Greeter *g = new Greeter(); Base *b = static_cast<base*>(g); Exec *e = static_cast<exec*>(b); X 9
10 C++ casting operations static_cast<toclass>(object) Compile time check No runtime type information dynamic_cast<toclass>(object) Runtime check Requires Runtime Type Information (RTTI) Not used in performance critical code 10
11 Static cast Base *b = ; a = static_cast<greeter*>(b); movq -24(%rbp), %rax movq %rax, -40(%rbp) # Load pointer # Type check # Store pointer 11
12 Dynamic cast (O2) Base *b = ; a = dynamic_cast<greeter*>(b); leaq leaq xorl movq call _ZTI7Greeter(%rip), %rdx _ZTI4Base(%rip), %rsi %ecx, %ecx %rbp, %rdi dynamic_cast@plt # Load pointer # Type check 12
13 Type confusion vtable*? Gptr class Base { Bptr x int x; }; y? class Greeter: Base { int y; vtable* virtual void Hi(); }; B G x y Base *Bptr = new Base(); Greeter *Gptr; Gptr = static_cast<greeter*>gptr; // Type Conf Gptr->y = 0x43; // Memory safety violation! Gptr->Hi(); // Control-flow hijacking 13
14 Type Confusion Demo 14
15 C++ virtual dispatch class Base { }; class Exec: public Base { public: Base virtual void exec(char *prg) { system(prg); } Greater Exec }; class Greeter: public Base { public: virtual void sayhi(char *str) { std::cout << str << std::endl; } }; Greeter *greeter = new Greeter(); greeter->sayhi("oh, hello there!"); 15
16 Simple exploitation demo int main() { Base *b1 = new Greeter(); Base *b2 = new Exec(); Greeter *g; GreeterT b1 vtable* g = static_cast<greeter*>(b1); g->sayhi("greeter says hi!"); // g[0][0](str); g = static_cast<greeter*>(b2); g->sayhi("/usr/bin/xcalc"); // g[0][0](str); } delete b1; delete b2; return 0; b2 vtable* ExecT 16
17 Sanitization 17
18 Problem: broken abstractions? C/C++ void log(int a) { printf("log: "); printf("%d", a); } void (*fun)(int) = &log; void init() { fun(15); } ASM log:... fun:.quad log init:... movl $15, %edi movq fun(%rip), %rax call *%rax 18
19 LLVM Sanitization Test cases detect bugs through assertions, segmentation faults, traps, exceptions Enforce stronger policies during testing! Address Sanitizer: memory safety Leak Sanitizer: memory leaks Memory Sanitizer: uninitialized memory UBSan: undefined behavior Thread Sanitizer: data races HexVASAN: variadic argument checker HexType: type safety 19
20 Type Safety 20
21 Type confusion detection* A static cast is checked only at compile time Dynamic casts are checked at runtime Fast but no runtime guarantees High overhead, limited to polymorphic classes HexType design: Conceptually check all casts dynamically Aggressively optimize design and implementation * TypeSanitizer: Practical Type Confusion Detection. Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe. In CCS'16 * HexType: Efficient Detection of Type Confusion Errors for C++. Yuseok Jeon, Priyam Biswas, Scott A. Carr, Byoungyoung Lee, and Mathias Payer. In CCS'17 21
22 Making type checks explicit Enforce runtime check at all cast sites static_cast<toclass>(object) dynamic_cast<toclass>(object) reinterpret_cast<toclass>(object) (ToClass)(Object) Build global type hierarchy Keep track of the allocation type of each object Must instrument all forms of allocation Requires disjoint metadata 22
23 HexType: design Source code Instrumentation (Type casting verification) HexType Binary Clang Type Hierarchy Information LLVM Pass HexType Runtime Library Link 23
24 HexType: aggressive optimization Limit tracing to unsafe types Limit checking to unsafe casts Remove tracing of types that are never cast Remove statically verifiable casts No more RTTI for dynamic casts Replace dynamic casts with fast lookup 24
25 Demo Time! 25
26 HexType coverage 26
27 Newly discovered bugs Discovered seven new vulnerabilities: Apache Xerces C++ DOMNode DOM Character Data DOM Element DOM Text DOM ElementImpl DOM TextImpl Type Confusion! Qt base library QMapNode Base QMapNode 27
28 Sanitizer Summary: Type Safety Type confusion fundamental in today s exploits Existing sanitizers are incomplete, partial, slow HexType (Almost) full coverage (2-6x increase) Reasonable overhead (SPEC CPU: 0-32x improvement, Firefox: 0-0.5x slowdown) Future work: remaining coverage, optimizations 28
29 T-Fuzz 29
30 Fuzzing Challenges Shallow code paths Challenges Shallow coverage Hard to find deep bugs Root cause start Deep code paths check1 check2 Fuzzer-generated inputs cannot bypass complex sanity checks in the target program check3 bug Existing work limits itself to input generation end 30
31 T-Fuzz: Fuzz the Program! Option 1: generate input to bypass checks by heavy-weight program analysis techniques Driller (concolic analysis) VUzzer (dynamic taint analysis) Our idea: remove program s sanity checks Checks filter orthogonal input, e.g., magic values, checksum, or hashes (Non-Critical Check, NCC) Insight: removing NCCs is safe if (strncmp(hdr, ELF", 3) == 0) { // main program logic } else { error(); } 31
32 Design and Implementation Fuzzer generates inputs When stuck Detect NCCs* Transform program Verify crashes Transformed Programs Inputs Fuzzer (e.g. AFL) Program Transformer Crashing inputs Crash Analyzer Bug Reports False Positives *Approximation of NCCs: edged in the CFG connecting covered/uncovered nodes 32
33 Detecting NCC s Approximate NCCs as edges connecting covered and uncovered nodes in CFG Over approximate, may contain false positives Lightweight and simple to implement 33 Covered Node Uncovered Node NCC Candidates 33
34 Program Transformation start Our approach: negate NCCs Simple: static binary rewriting Zero runtime overhead in resulting target program Unchanged CFG Trace in transformed program maps to original program A == B False branch True branch end start Path constraints of original program can be recovered Negated Check A!= B False branch True branch end 34 34
35 Comparison to Symbolic Executoion Explores all code paths, tracks constraints Path explosion, e.g., loops Each branch doubles the number of code paths... Resource requirement Theoretically beautiful, limited scalability ( Path1, constraint set1)... ( Pathn, constraint setn) 35
36 Comparison to Concolic Execution Guided by concrete inputs Follows single code path, collects constraints for new code paths Reduced resource requirements Still an exponential number of paths to explore! input Not C1 C
37 Comparison to Driller (Fuzz & CE) Fuzzing until coverage wall When fuzzing gets stuck, concolic execution explores new code paths using fuzzer generated inputs Limitations SE & constraints solving slows down fuzzing Not able to bypass hard checks Fuzzer mutating SE & constraint solving Inputs target program Crashes 37
38 T-Fuzz: fuzz first, solve only crashes Fuzzing/SE decoupled SE only applied to detected crashes T-Fuzz For hard checks, T-Fuzz detects the guarded bug, but cannot verify it Fuzzer Program Transformation program SE & constraints solving Crashes T-Fuzz in action 38
39 Evaluation Implementation Fuzzer: shellphish fuzzer (python wrapper of AFL) Program Transformer: angr tracer, radare2 Crash Analyzer: 2k LoC Python hackery Evaluation DARPA CGC dataset LAVA-M dataset 4 real-world programs 39
40 DARPA CGC Dataset Improvement over Driller/AFL: 55 (45%) / 61 (58%) Driller outperforms T-Fuzz 3 due to false crashes (L1) 7 due to transformation explosion (L2) Driller (121) T-Fuzz (166) 6 10 AFL (105) 55 Method # bugs AFL 105 Driller 121 T-Fuzz 166 Driller - AFL 16 T-Fuzz - AFL 61 T-Fuzz - Driller 55 Driller - T-Fuzz 10 40
41 LAVA-M Dataset T-Fuzz outperforms VUzzer and Steelix for hard checks T-Fuzz defeated by Steelix due to transformation explosion in who, but still found more bugs than VUzzer T-Fuzz found 1 unintended bug in who Program # of bugs VUzzer Steelix T-Fuzz base unique md5sum * who 41
42 Evaluation on Real Programs Time budget: 24 hours T-Fuzz triggers more crashes than AFL T-Fuzz found 3 new bugs in latest versions of ImageMagick and libpoppler (marked by *) Program + library AFL T-Fuzz pngfix + libpng (1.7.0) 0 11 tiffinfo + libtiff (3.8.2) magick + ImageMagicK (7.0.7) pdftohtml + libpoppler (0.62.0) 0 2* 0 1* 42
43 T-Fuzz Summary Fuzzers hit coverage wall, no deep bugs T-Fuzz mutates both input and target program T-Fuzz improves over Driller/AFL by 45%/58% T-Fuzz triggeres bugs guarded by hard checks New bugs: 1 in LAVA-M, 3 in real-world programs 43
44 Conclusion 44
45 Conclusion Goal: Protect systems despite vulnerabilities Sanitization finds bugs during testing HexType brings type safety to C++ T-Fuzz explores deep program paths Combine sanitization and fuzzing for best results Source: Thank you! Questions? 45
46 Source: Word Cloud 46
Type Confusion: Discovery, Abuse, Protection. Mathias
Type Confusion: Discovery, Abuse, Protection Mathias Payer, @gannimo http://hexhive.github.io Type confusion leads to RCE Attack surface is huge Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: glibc: Linux
More informationCS527 Software Security
Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and
More informationHexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer
HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer Motivation C++ is a popular programming language Google Chrome, Firefox,
More informationControl-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University
Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/pwn2own 2 Trends in Memory Errors* * Victor
More informationSoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14
SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14 Presenter: Mathias Payer, EPFL http://hexhive.github.io 1 Memory attacks: an ongoing war Vulnerability classes
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationCS-527 Software Security
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationCFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer
CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationVUzzer: Application-Aware Evolutionary Fuzzing
VUzzer: Application-Aware Evolutionary Fuzzing Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cocojar, Cristiano Giuffrida, Herbert Bos (Presenter: Dennis Andriesse ) Vrije Universiteit Amsterdam IIIT
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationMemory corruption: Why we can t have nice things. Mathias Payer
Memory corruption: Why we can t have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationTypeSan: Practical Type Confusion Detection
TypeSan: Practical Type Confusion Detection Hui Peng peng124@purdue.edu Istvan Haller istvan.haller@gmail.com Herbert Bos herbertb@few.vu.nl Yuseok Jeon jeon41@purdue.edu Mathias Payer mathias.payer@nebelwelt.net
More informationCopyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis
Finding security vulnerabilities by fuzzing and dynamic code analysis Security Vulnerabilities Top code security vulnerabilities don t change much: Security Vulnerabilities Top code security vulnerabilities
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationMemory Corruption: Why Protection is Hard. Mathias Payer, Purdue University
Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationImproving Linux development with better tools
Improving Linux development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationMemory Safety for Embedded Devices with nescheck
Memory Safety for Embedded Devices with nescheck Daniele MIDI, Mathias PAYER, Elisa BERTINO Purdue University AsiaCCS 2017 Ubiquitous Computing and Security Sensors and WSNs are pervasive Small + cheap
More informationImproving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation
Improving Linux Development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationPreventing Use-after-free with Dangling Pointers Nullification
Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University
More informationEnhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More informationWriting a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs
Writing a fuzzer for any language with american fuzzy lop Ariel Zelivansky @ Twistlock Labs What is fuzzing? Technique for testing software by providing it with random, unexpected or invalid input Dumb
More informationC++ Tutorial AM 225. Dan Fortunato
C++ Tutorial AM 225 Dan Fortunato Anatomy of a C++ program A program begins execution in the main() function, which is called automatically when the program is run. Code from external libraries can be
More informationCCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs
CCured Type-Safe Retrofitting of C Programs [Necula, McPeak,, Weimer, Condit, Harren] #1 One-Slide Summary CCured enforces memory safety and type safety in legacy C programs. CCured analyzes how you use
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More informationA Software Solution for Hardware Vulnerabilities
A Software Solution for Hardware Vulnerabilities Komail Dharsee University of Rochester Ethan Johnson University of Rochester John Criswell University of Rochester 1 / 22 Hardware Bugs! AMD recently shipped
More informationUndermining Information Hiding (And What to do About it)
Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating
More informationSimple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationsecubt Hacking the Hackers with User Space Virtualization
secubt Hacking the Hackers with User Space Virtualization Mathias Payer Mathias Payer: secubt User Space Virtualization 1 Motivation Virtualizing and encapsulating running programs
More informationIntroduction to Symbolic Execution
Introduction to Symbolic Execution Classic Symbolic Execution 1 Problem 1: Infinite execution path Problem 2: Unsolvable formulas 2 Problem 3: symbolic modeling External function calls and system calls
More informationAutomated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar
Automated Whitebox Fuzz Testing by - Patrice Godefroid, - Michael Y. Levin and - David Molnar OUTLINE Introduction Methods Experiments Results Conclusion Introduction Fuzz testing is an effective Software
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Programming
More informationCMPSC 497 Other Memory Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory
More informationlogistics: ROP assignment
bug-finding 1 logistics: ROP assignment 2 2013 memory safety landscape 3 2013 memory safety landscape 4 different design points memory safety most extreme disallow out of bounds usually even making out-of-bounds
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationTaintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 is: A Fuzzing tool Checksum-Aware Directed Why a new fuzzing
More informationMachine-Level Programming V: Unions and Memory layout
Machine-Level Programming V: Unions and Memory layout Slides adapted from Bryant and O Hallaron Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition 1 FAQ Call conventions
More informationSoK: Sanitizing for Security
SoK: Sanitizing for Security Dokyung Song, Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz University of California, Irvine {dokyungs,jlettner,rajasekp,yeouln,stijnv,perl,franz}@uci.edu
More informationSoK: Sanitizing for Security
SoK: Sanitizing for Security Dokyung Song, Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz University of California, Irvine {dokyungs,jlettner,rajasekp,yeouln,stijnv,perl,franz}@uci.edu
More informationAutomatic program generation for detecting vulnerabilities and errors in compilers and interpreters
Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters 0368-3500 Nurit Dor Shir Landau-Feibish Noam Rinetzky Preliminaries Students will group in teams of 2-3
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationKLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND
Feeding the Fuzzers with KLEE Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND This presentation was created with help and commitment of the Samsung R&D Poland Mobile Security team. KLEE and
More informationSecurity Testing. Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT)
Security Testing TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationTesting. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?
Testing ECE/CS 5780/6780: Embedded System Design Scott R. Little Lecture 24: Introduction to Software Testing and Verification What is software testing? Running a program in order to find bugs (faults,
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationSoftware Security IV: Fuzzing
1 Software Security IV: Fuzzing Chengyu Song Slides modified from Dawn Song 2 Administrivia Homework1 Due: Friday Oct 27 11:59pm Questions regarding reading materials Talk Security R&D in a Security Company:
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationTesting Error Handling Code in Device Drivers Using Characteristic Fault Injection
1 Testing Error Handling Code in Device Drivers Using Characteristic Fault Injection Jia-Ju Bai, Yu-Ping Wang, Jie Yin, Shi-Min Hu Department of Computer Science and Technology Tsinghua University Beijing,
More informationUndefined Behaviour in C
Undefined Behaviour in C Report Field of work: Scientific Computing Field: Computer Science Faculty for Mathematics, Computer Science and Natural Sciences University of Hamburg Presented by: Dennis Sobczak
More informationAutomatizing vulnerability research
Innova&on & Research Symposium Cisco and Ecole Polytechnique 8-9 April 2018 CEDRIC TESSIER INSTRUMENTATION TEAM LEADER / ctessier@quarkslab.com Automatizing vulnerability research to better face new software
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More informationProgram Analysis Tools
CMPT 473 Software Quality Assurance Program Analysis Tools Nick Sumner Fixing bugs is costly Why? 2 Fixing bugs is costly The longer broken code exists, the more code depends upon it. 3 Fixing bugs is
More informationIntroduction to software exploitation ISSISP 2017
Introduction to software exploitation ISSISP 2017 1 VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationAn Evil Copy: How the Loader Betrays You
An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3, Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Page 1 Problem: A Motivating Example // main.c
More informationThe Automated Exploitation Grand Challenge. A Five-Year Retrospective
The Automated Exploitation Grand Challenge A Five-Year Retrospective Julien Vanegue IEEE Security & Privacy Langsec Workshop May 25th 2018 AEGC 2013/2018 vs DARPA Cyber Grand Challenge Was Automated Exploit
More informationMemory Corruption Vulnerabilities, Part II
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows
More informationFuzzing. compass-security.com 1
Fuzzing compass-security.com 1 Fuzzing Finding bugs by bombarding target with nonconform data Think: Flip a few bits in a PDF, then start Acrobat with that PDF Just more automated Steps: Create input corpus
More informationLecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems
Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationUsing static analysis to detect use-after-free on binary code
Using static analysis to detect use-after-free on binary code Josselin Feist Laurent Mounier Marie-Laure Potet Verimag / University of Grenoble - Alpes France SDTA 2014 - Clermont-Ferrand 5 décembre 2014
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationMarx Uncovering Class Hierarchies in C++ Programs
Marx Uncovering Class Hierarchies in C++ Programs NDSS 2017, San Diego Andre Pawlowski, Moritz Contag, Victor van der Veen, Chris Ouwehand, Thorsten Holz, Herbert Bos, Elias Anthonasopoulos, Cristiano
More informationAdvanced Debugging and the Address Sanitizer
Developer Tools #WWDC15 Advanced Debugging and the Address Sanitizer Finding your undocumented features Session 413 Mike Swingler Xcode UI Infrastructure Anna Zaks LLVM Program Analysis 2015 Apple Inc.
More informationEnhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing
Enhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, C hengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More information18-600: Recitation #3
18-600: Recitation #3 Bomb Lab & GDB Overview September 12th, 2017 1 Today X86-64 Overview Bomb Lab Introduction GDB Tutorial 2 3 x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi,
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationFuzzgrind: an automatic fuzzing tool
Fuzzgrind: an automatic fuzzing tool 1/55 Fuzzgrind: an automatic fuzzing tool Gabriel Campana Sogeti / ESEC gabriel.campana(at)sogeti.com Fuzzgrind: an automatic fuzzing tool 2/55 Plan 1 2 3 4 Fuzzgrind:
More informationWhat You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2,3 Frank Kargl 3 Aurélien Francillon 1 Davide Balzarotti 1 1 EURECOM 2 Siemens AG 3 Ulm University
More informationAdvanced Systems Security: New Threats
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOvercoming Stagefright Integer Overflow Protections in Android
Overcoming Stagefright Integer Overflow Protections in Android Dan Austin (oblivion@google.com) May 2016 Agenda $ whoami Stagefright Sanitizers Sanitizers in Practice The Future $ whoami $ whoami Dan Austin
More informationUniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/
More informationContext-Switch-Directed Verification in DIVINE
Context-Switch-Directed Verification in DIVINE MEMICS 2014 Vladimír Štill Petr Ročkai Jiří Barnat Faculty of Informatics Masaryk University, Brno October 18, 2014 Vladimír Štill et al. Context-Switch-Directed
More informationUnderstanding Undefined Behavior
Session Developer Tools #WWDC17 Understanding Undefined Behavior 407 Fred Riss, Clang Team Ryan Govostes, Security Engineering and Architecture Team Anna Zaks, Program Analysis Team 2017 Apple Inc. All
More informationNew features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany
New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope
More informationCauses of Software Failures
Causes of Software Failures Hardware Faults Permanent faults, e.g., wear-and-tear component Transient faults, e.g., bit flips due to radiation Software Faults (Bugs) (40% failures) Nondeterministic bugs,
More informationDART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley
DAR: Directed Automated Random esting CUE: Concolic Unit esting Engine Slide Source: Koushik Sen from Berkeley Verification and esting We would like to prove programs correct Verification and esting We
More information'Safe' programming languages
Software Security Language-based Security: 'Safe' programming languages Erik Poll 1 Language-based security Security features & guarantees provided by programming language safety guarantees, incl. memory-safety,
More informationCMSC 330: Organization of Programming Languages. Ownership, References, and Lifetimes in Rust
CMSC 330: Organization of Programming Languages Ownership, References, and Lifetimes in Rust CMSC330 Spring 2018 1 Memory: the Stack and the Heap The stack constant-time, automatic (de)allocation Data
More informationImportant From Last Time
Important From Last Time Embedded C Pros and cons Macros and how to avoid them Intrinsics Interrupt syntax Inline assembly Today Advanced C What C programs mean How to create C programs that mean nothing
More informationA Dozen Years of Shellphish. Journey to the Cyber Grand Challenge
A Dozen Years of Shellphish Journey to the Cyber Grand Challenge 1 Zardus rhelmot 2 HEX on the beach 3 4 5 19 17 4 1 1 :-( 6 # of Shellphish players (cumulative) 40 30 20 10 0 23 29 2015 7 # of Defcons
More informationUsing Static Code Analysis to Find Bugs Before They Become Failures
Using Static Code Analysis to Find Bugs Before They Become Failures Presented by Brian Walker Senior Software Engineer, Video Product Line, Tektronix, Inc. Pacific Northwest Software Quality Conference,
More informationPage 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?
Important From Last Time Today Embedded C Pros and cons Macros and how to avoid them Intrinsics Interrupt syntax Inline assembly Advanced C What C programs mean How to create C programs that mean nothing
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationSafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin
SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität
More informationUnleashing D* on Android Kernel Drivers. Aravind Machiry
Unleashing D* on Android Kernel Drivers Aravind Machiry (@machiry_msidc) $ whoami Fourth year P.h.D Student at University of California, Santa Barbara. Vulnerability Detection in System software. machiry.github.io
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Homework 2 Due: Monday, February 22nd, at 11:59pm Instructions. This homework is due Monday, February 22nd, at 11:59pm. It must be submitted electronically
More information