Symbolic Execution for Bug Detection and Automated Exploit Generation

Transcription

1 Symbolic Execution for Bug Detection and Automated Exploit Generation Daniele Cono D Elia Credits: Emilio Coppa SEASON Lab season-lab.github.io May 27, / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

2 Why symbolic execution? Real-world applications of this methodology: (Testing) bug detection e.g., inputs that crash an application (Security) exploit and backdoor identification e.g., inputs to bypass authentication code (Security) malware analysis e.g., generate vulnerability-based signatures (Security) reverse engineering of crypto code e.g., obtain an input that have generated an output 2 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

3 What is symbolic execution? Introduced by James C. King in a 76 paper as a static analysis technique for executing a program symbolically. Main idea: program variables are associated with symbols a symbol represents a set of possible input values execution adds constraints on symbols, restricting the input space conditional branches cause execution to fork into multiple execution paths 3 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

4 [Example] Find inputs that cause an unsafe division 1. int foobar ( int a, int b, int c) { 2. int x = 0, y = 0, z = 0; 3. if (a!= 0) 4. x = -2; 5. if (b < 5) { 6. z = 2; 7. if ( a == 0 && c!= 0) 8. y = 1; 9. } 10. return a / ( x + y + z - 3); // critical stmt 11. } Symbolic execution can find all inputs that lead to a division by zero at line 10 4 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

5 [Example] Step-by-step symbolic execution A minimal execution state can be represented with a pair (s, pc), where pc is the set of constraints on the symbols that have been added so far to reach the statement s to evaluate next. After evaluating: 1. int foobar ( int a, int b, int c) { The execution state is thus: A mapping between symbols and variables is maintained as well. 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

6 [Example] Step-by-step symbolic execution After evaluating: 2. int x = 0, y = 0, z = 0; Execution tree: 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

7 [Example] Step-by-step symbolic execution After evaluating: 3. if (a!= 0) 4. x = -2; Execution tree: 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

8 [Example] Step-by-step symbolic execution After evaluating: 5. if (b < 5) { 6. z = 2; 7. if ( a == 0 && c!= 0) 8. y = 1; 9. } 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

9 [Example] Step-by-step symbolic execution Check for divisor equal to zero at line: 10. return a / ( x + y + z - 3); Unsafe inputs follow from path constraints of state N: α a = 0 α b < 5 α c 0 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

10 [Example] Discussion Given a program, can we prove that no crash is possible? 6 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

11 [Example] Discussion Given a program, can we prove that no crash is possible? In theory, yes! Symbolic execution is sound and complete. However: 1 constraints can be hard to solve 2 execution states to analyze can be many 6 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

12 [Example] Discussion Given a program, can we prove that no crash is possible? In theory, yes! Symbolic execution is sound and complete. However: 1 constraints can be hard to solve 2 execution states to analyze can be many Does symbolic execution scale to complex programs? 6 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

13 Scalability issues? From a paper on symbolic execution: For example, KLEE is a state-of-the-art forward symbolic execution engine, but in practice is limited to small programs such as /bin/ls. 7 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

14 Scalability issues? From a paper on symbolic execution: For example, KLEE is a state-of-the-art forward symbolic execution engine, but in practice is limited to small programs such as /bin/ls. Pure static symbolic execution hardly scales 7 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

15 SAGE [NDSS 08] Impact of imperfect symbolic execution: 8 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

16 SAGE [NDSS 08] (cont d) 9 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

17 Many problems to address A symbolic execution engine deals with a number of aspects: 1 memory model 2 path explosion 3 state scheduling 4 symbolic execution strategy 5 interaction with environment 6 constraint solving Each solution chooses a set of techniques and tools many trade-offs to consider (e.g., completeness vs. efficiency) different choices for different goals 10 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

18 Memory model Variables and more complex non-scalar memory objects can be represented using: index-based memory (e.g., [MAYHEM-SP12]): memory modeled as a flat memory object-based memory (e.g., [EXE-CCS06, STP-TR07]): memory as a set of distinct objects (arrays with a size) The memory model has a huge impact on symbolic constraints (what can be expressed, how solver-friendly they are, etc.) 11 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

19 Index-based memory Index-based memory: memory is a map µ : I E from 32-bit indices (i I ) to expressions (e E) load expressions e = load(µ, i): i indexes µ and the loaded value e represents the contents of the i-th memory cell store expressions store(µ, i, e): a new memory µ where i is mapped to e, i.e., µ = µ[i e] Akin to a concrete execution memory model Problem: i may reference any cell in memory Solution: try to find upper & lower bounds 12 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

20 Path explosion Each undecidable branch forks execution: exponential explosion of paths. Preconditioned symbolic execution [AEG-NDSS11] deals with this aspect by imposing preconditions on the input space: None Known Length: e.g., interesting inputs have a minimum length Known Prefix: e.g., interesting inputs have a known prefix Concolic Execution: consider only a single (concrete) value for an input By limiting the size of input space, symbolic execution can explore the target program more efficiently. However, if a precondition is too specific, no bugs or exploits will be found. 13 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

21 [Example] Preconditions // N symbolic branches if ( input [0] < 42) [...] [...] if ( input [N - 1] < 42) [...] // symbolic loop strcpy ( dest, input ); // a loop Impact of preconditions on state space: None: 2 N S Known Length: constraint that (S 1) bytes of input are not equal to \0. Loop length is known: 2 N Known Prefix: first P bytes of input are known (P < N < S; e.g., fixed string in header). 2 N P S Concolic Execution: single path 14 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

22 Concolic execution Concolic execution: mixed static/dynamic technique. Concrete values of some symbols are taken from a concrete (dynamic) execution and used in the symbolic (static) execution. Examples: use faster dynamic techniques to test code, switch temporarily to symbolic execution to make progress use concrete values when reasoning on some constraints is too hard: something is still better than nothing! (i) test program on a concrete input, (ii) track branches (taken flag + constraints), and (iii) generate a new random input test that is compliant with constraints and explores new code 15 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

23 [Example] Concolic execution void bar ( int a, int b) { int x = foo (b); if (a == x) { // some critical error } } int foo ( int v) { return ( v * v) % 50; // complex constraint } 16 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

24 [Example] Concolic execution void bar ( int a, int b) { int x = foo (b); if (a == x) { // some critical error } } int foo ( int v) { return ( v * v) % 50; // complex constraint } A purely symbolic approach may be unable to explore error path! 16 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

25 [Example] Concolic execution void bar ( int a, int b) { int x = foo (b); if (a == x) { // some critical error } } int foo ( int v) { return ( v * v) % 50; // complex constraint } A purely symbolic approach may be unable to explore error path! Concolic approach Generate random values for a and b: execute on these inputs and track path constraints. Negate constraints on the branch in order to generate new inputs that will explore the error path. 16 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

26 Path explosion (2) Static and dynamic program analysis techniques can be used to narrow the space of states. E.g.,: program slicing: identify set of programs statements that may affect the values at a given program point taint-analysis: identify variables affected (e.g., modified) by the user input 17 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

27 Symbolic executors Keeping in memory all the execution states is expensive Execution strategies: offline executors: one path at time, every run independent from the others, exploits concrete execution (e.g., [SAGE-NDSS08]) online executors: at each fork, execution state is cloned (copy-on-write); all active execution states are kept in memory, isolation is guaranteed (e.g., [KLEE-OSDI08, AEG-NDSS11]) hybrid executors: mixed approach, use of checkpoints (e.g., [MAYHEM-SP12]) Critical aspect w.r.t. scalability! 18 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

28 State scheduling Too many paths to explore: need to prioritize some over others! Several heuristics, e.g.: depth first search: popular, minimizes memory overhead random path selection: popular, avoids starvation coverage optimize search: e.g., [KLEE-OSDI08] buggy path-first: e.g., [AEG-NDSS11] loop exhaustion: e.g., [AEG-NDSS11] function pointer detection: e.g., [MAYHEM-SP12] Papers adopt different mixes of heuristics in order to reach different goals 19 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

29 Interaction with environment Environment is an input source (e.g., syscalls). Hard to consider all possible outcomes of an interaction. Environment is emulated through models, e.g.: symbolic file system: e.g., [KLEE-OSDI08] symbolic sockets: e.g., [AEG-NDSS11] libraries: e.g., [AEG-NDSS11] Side-effects are approximated (this can significantly affect completeness) 20 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

30 Symbolic file system [KLEE-OSDI08] Operations on: concrete files: actually performed symbolic files: emulated using a simple symbolic file system private to each state. User decides files number and size. N+1 branches for unconstrained symbolic file: N: one for each symbolic file 1: error scenario 21 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

31 Constraint solvers Some expressions are hard to solve (e.g., non-linear constraints) A number for popular constraint solvers: STP [STP-TR07]: used by [EXE-CCS06, KLEE-OSDI08, MineSweeper-BOTNET08] Z3 [Z3-TACAS08]: used by [FIRMALICE-NDSS15, MAYHEM-SP12] Dissolver [DISSOLVER-TR03]: initially used by [SAGE-NDSS08] Parma Polyhedra Library [PPL-SCP08]: used by [AEG-NDSS11] 22 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

32 Source code vs. binary code Some papers target source code, others binary code source code compilation decompilation IR lowering lifiting binary code Static analysis of source code can provide useful hints about input and code properties. These are often exploited by symbolic execution to explore a smaller number of paths. What are the benefits of having the source code? Which are the techniques used when evaluating binaries? 23 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

33 Source code vs. binary code (cont d) source code compilation decompilation IR lowering lifiting binary code Examples: [KLEE-OSDI08] works on LLVM bytecode (source code to IR) [FIRMALICE-NDSS15] works on VEX IR (binary code to IR) Can we convert LLVM bytecode to VEX IR and viceversa? Can we lift IA32 and x86-64 to LLVM IR? :-) 24 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

34 A few security-related examples Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware (NDSS 2015) Symbolic execution is used to find inputs that bypass authentication code Exploring Multiple Execution Paths for Malware Analysis (SSP 2007) Symbolic execution is used to find events that force malwares to show malicious behaviors 25 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

35 A few security-related examples (cont d) AEG: automatic exploit generation (NDSS 2011) Symbolic execution is used to automatically generate an exploit (e.g., find the string input that will be executed as a shell code) Unleashing MAYHEM on Binary Code (SSP 2012) Given a tainted jump, symbolic execution is used to find if instruction pointer can be modified to execute a malicious payload 26 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

36 Conclusions Symbolic execution is a very powerful technique Hardly scales in general, but is widely adopted in specific contexts: indeed, compromises are needed! Can be used to tackle many non-trivial problems......and fun things can be done with it :) 27 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

37 References [AEG-NDSS11] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: automatic exploit generation (NDSS 2011) [DISSOLVER-TR03] Y. Hamadi. Disolver: A distributed constraint solver (Technical report, 2003) [EXE-CCS06] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: Automatically generating inputs of death (CCS 2006) [FIRMALICE-NDSS15] Y. Shoshitaishvili, R. Wang, C. Hauser, C. Kruegel, and G. Vigna. FIRMALICE - automatic detection of authentication bypass vulnerabilities in binary firmware (NDSS 2015) [K-ACM76] J. C. King. Symbolic execution and program testing (ACM Comm. 1976) [KLEE-OSDI08] C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs (OSDI 2008) 28 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.

38 References (cont d) [MAYHEM-SP12] S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. Unleashing MAYHEM on binary code (IEEE SSP 2012) [MineSweeper-BOTNET08] D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin. Botnet Detection: Countering the Largest Security Threat, chapter Automatically Identifying Trigger-based Behavior in Malware (Springer, 2008) [SAGE-NDSS08] P. Godefroid, M. Y. Levin, and D. A. Molnar. Automated white-box fuzz testing (NDSS 2008) [Z3-TACAS08] L. De Moura and N. BjÃÿrner. Z3: An efficient SMT solver (TACAS-ETAPS 2008) [KKM-USEC05] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis (SSYM 2005) [DART-PLDI05] P. Godefroid, N. Klarlund, and K. Sen. Dart: Directed automated random testing (PLDI 2005) 29 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.