Vulnerability Detection through API Fuzzing. Sang Kil Cha (차상길), KAIST
Slide 2: API Fuzzing?

    void foo(int x)        // This is an API function (side-effect-free)
    {
        // ...
    }

    void fuzz()            // Fuzzer MAIN
    {
        while (1) {
            foo(rand());
        }
    }

Found a crash in foo when x = 42.
Slide 3: No Sound Result!

    int foo(int x)         // This is an API function (side-effect-free)
    {
        // ...
    }

    int somefunc(int input)
    {
        if (input >= 42)
            return 0;
        else
            return foo(input);
    }

But the function foo is never called with x = 42 in a real program!
Slide 4: Why API Fuzzing? How about when crossing the trust boundary? The kernel is the right target!
Slide 8: The kernel should be tested!
Slide 9: How to Find Kernel Bugs?
1. Source-based analysis
2. White-box kernel fuzzing
3. Black-box kernel fuzzing
Slide 10: 1. Source-based Analysis. Examples: CQUAL (Security '04), KINT (OSDI '12), µchex (ASPLOS '16). Weakness: source code is not fully available (e.g., macOS, Windows).
Slide 11: 2. White-box Kernel Fuzzing. Examples: KLEE (OSDI '08), CAB-Fuzz (ATC '16). Weakness: too many paths.
Slide 12: 3. Black-box Kernel Fuzzing? Does not need source code. Not limited by path explosion. Many practical black-box kernel fuzzers exist.
Slide 13: 3. Black-box Kernel Fuzzing (feeding read(), write(), ... to the kernel)
a) Random-based
b) Type-based?
c) Hooking-based
Slides 14-15: Black-box: Random-based Fuzzer

    Type                                               Weakness
    a) Random-based fuzzer (e.g., tsys, sysfuzz)       Shallow exploration
    b) Type-aware fuzzer (e.g., iknowthis, Trinity)
    c) Hooking-based fuzzer (e.g., IOKit Fuzzer)
Slide 16: Weakness of Random-based Fuzzer

    WRITE(2)                 Linux Programmer's Manual                 WRITE(2)
    #include <unistd.h>
    ssize_t write(int fd, const void *buf, size_t n);

    write(rand(), rand(), rand());   // CRASH

Cannot explore deep paths.
Slides 17-18: Black-box: Type-aware Fuzzer

    Type                                               Weakness
    a) Random-based fuzzer (e.g., tsys, sysfuzz)       Shallow exploration
    b) Type-aware fuzzer (e.g., iknowthis, Trinity)    Flow- & context-insensitivity
    c) Hooking-based fuzzer (e.g., IOKit Fuzzer)
Slide 19: Weakness of Type-aware Fuzzer (flow-insensitive)

    int fd = open("/tmp/test", O_WRONLY);   // returns a valid descriptor
    int r = write(fd, buf, 0x100);          // buf: returns valid memory pointer

    write(rand_int(), rand_void(), rand_size_t());   // => -1

Flow-insensitive: the fd is not taken from the preceding open().

Slide 20: Weakness of Type-aware Fuzzer (context-insensitive)

    int fd = open("/tmp/test", O_WRONLY);
    int r = write(fd, buf, 0x100);

    write(rand_fd(), rand_void(), rand_size_t());    // => -1

Context-insensitive: the fd is a real descriptor, but not the one opened for this write().
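To make the "shallow exploration" and "flow-/context-insensitivity" weaknesses of slides 16-20 concrete, here is an added simulation (not code from the talk or from IMF). It models a kernel write() as a chain of checks (live fd, fd open for writing, mapped buffer) in front of the deep code, and counts how far each fuzzing strategy from the slides gets. The toy kernel, the fd table, the address range and the check order are all constructed assumptions; no real system calls are made.

```python
import random

# Checks a write() must pass, in order, before it reaches "deep" kernel code.
CHECKS = ("valid_fd", "fd_writable", "buf_mapped")
DEEP = len(CHECKS)          # depth value meaning "reached deep code"


class ToyKernel:
    """Constructed stand-in for a kernel: an fd table and one user mapping.
    No real I/O happens; write() only reports how far the call got."""
    MAP_START, MAP_END = 0x10000, 0x20000   # constructed user buffer range

    def __init__(self):
        self.fds = {}       # fd -> "r" or "w"
        self.next_fd = 3

    def open(self, writable):
        fd = self.next_fd
        self.next_fd += 1
        self.fds[fd] = "w" if writable else "r"
        return fd

    def write(self, fd, buf, n):
        """Return the number of checks passed; DEEP means deep code was reached."""
        if fd not in self.fds:                                   # EBADF
            return 0
        if self.fds[fd] != "w":                                  # not open for writing
            return 1
        if not (self.MAP_START <= buf and buf + n <= self.MAP_END):   # EFAULT
            return 2
        return DEEP


def random_based(k, rng):
    # write(rand(), rand(), rand()): every argument is an unconstrained integer.
    return k.write(rng.getrandbits(32), rng.getrandbits(32), rng.getrandbits(32))


def type_aware_flow_insensitive(k, rng):
    # write(rand_int(), rand_void(), rand_size_t()): the types are right, but the
    # fd is not the one an earlier open() returned, so it is almost never live.
    buf = rng.randrange(ToyKernel.MAP_START, ToyKernel.MAP_END)
    return k.write(rng.getrandbits(32), buf, rng.getrandbits(64))


def type_aware_context_insensitive(k, rng):
    # write(rand_fd(), rand_void(), rand_size_t()): a live fd, but picked without
    # regard to how it was opened, and a length unrelated to the buffer.
    fd = rng.choice(sorted(k.fds))
    buf = rng.randrange(ToyKernel.MAP_START, ToyKernel.MAP_END)
    return k.write(fd, buf, rng.getrandbits(64))


def model_based(k, rng):
    # The sequence a real program issues: open for writing, then write a
    # sanely sized buffer through the descriptor that open() just returned.
    fd = k.open(writable=True)
    return k.write(fd, ToyKernel.MAP_START, 0x100)


STRATEGIES = {
    "random_based": random_based,
    "type_aware_flow_insensitive": type_aware_flow_insensitive,
    "type_aware_context_insensitive": type_aware_context_insensitive,
    "model_based": model_based,
}


def run(strategy, trials=2000, seed=1):
    """Return (deepest check reached, fraction of calls that reached deep code)."""
    rng = random.Random(seed)
    k = ToyKernel()
    k.open(writable=False)      # the program has one read-only and ...
    k.open(writable=True)       # ... one writable descriptor open
    depths = [strategy(k, rng) for _ in range(trials)]
    return max(depths), sum(d == DEEP for d in depths) / trials


def compare(trials=2000, seed=1):
    """Run every strategy against a fresh toy kernel with the same seed."""
    return {name: run(fn, trials, seed) for name, fn in STRATEGIES.items()}


if __name__ == "__main__":
    for name, (deepest, frac) in compare().items():
        print(f"{name:32s} deepest check passed: {deepest}/{DEEP}  "
              f"deep-code rate: {frac:.3f}")
```

The random strategy fails the very first check on essentially every call (a 32-bit random fd is almost never one of the few live descriptors), the flow-insensitive type-aware strategy fails in the same place for the same reason, the context-insensitive one passes the fd check only when it happens to pick the writable descriptor and then fails on the buffer length, and only the model-based sequence reaches the deep code every time.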
Slides 21-23: Black-box: Hooking-based Fuzzer

    Type                                               Weakness
    a) Random-based fuzzer (e.g., tsys, sysfuzz)       Shallow exploration
    b) Type-aware fuzzer (e.g., iknowthis, Trinity)    Flow- & context-insensitivity
    c) Hooking-based fuzzer (e.g., IOKit Fuzzer)       Uncontrollable call sequences

How a hooking-based fuzzer works: Program -> API calls -> API Hooks -> Mutated API calls -> Kernel.
Slide 24: Weakness of Hooking-based Fuzzer

    int fd = open("/tmp/test", O_WRONLY);
    int r = write(fd, buf, 0x100);
    if (r < 0) exit(-1);
    close(fd);      // Kernel panic here (if r < 0), but the fuzzer cannot reach here

Cannot control the call sequence.
Slide 25: Our Goal: Design a Kernel Fuzzer (for macOS)

    Type                                               Weakness                          Our goal
    a) Random-based fuzzer (e.g., tsys, sysfuzz)       Shallow exploration               1. Deep exploration
    b) Type-aware fuzzer (e.g., iknowthis, Trinity)    Flow- & context-insensitivity     2. Flow- & context-sensitivity
    c) Hooking-based fuzzer (e.g., IOKit Fuzzer)       Uncontrollable call sequences     3. Controllable call sequences
Slide 26: Our Design Principle: Make it simple & practical.
Slides 27-28: IMF: Inferred Model-based Fuzzer. How to Infer API Models?

Pipeline: Executions -> Logger -> API Logs -> Inferrer -> API Model -> Fuzzer.
Goals addressed: 1. Deep exploration; 2. Flow- & context-sensitivity; 3. Controllable execution.
Slide 29: Intuition: Various API Logs from the Same Execution

    $ strace /bin/ls
    ...
    fstat(3, {st_mode=S_IFREG|0755, st_size=..., ...}) = 0
    mmap(NULL, ..., PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2bd963e000
    mprotect(0x7f2bd97fe000, ..., PROT_NONE) = 0

    $ strace /bin/ls
    ...
    fstat(3, {st_mode=S_IFREG|0755, st_size=..., ...}) = 0
    mmap(NULL, ..., PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9b
    mprotect(0x7f9b695d1000, ..., PROT_NONE) = 0
Slides 30-33: On macOS: Inferring Ordering Dependences, Constant Parameters and Value Dependences

    io_iterator_t iterator;
    CFDictionaryRef r;
    io_object_t service;

    r = IOServiceMatching("IntelAccelerator");
    iterator = IOServiceGetMatchingService(0x0, r);
    service = IOIteratorNext(iterator);

Run 1:

    IOServiceMatching("IntelAccelerator") => 0xd32e0a90
    IOServiceGetMatchingService(0x0, 0xd32e0a90) => 0x10127
    IOIteratorNext(0x10127) => 0x10128

Run 2:

    IOServiceMatching("IntelAccelerator") => 0x487e0a90
    IOServiceGetMatchingService(0x0, 0x487e0a90) => 0x10327
    IOIteratorNext(0x10327) => 0x

Ordering dependences: the three calls appear in the same order in every run.
Constant parameters: "IntelAccelerator" and 0x0 are identical across runs.
Value dependences: the second argument of IOServiceGetMatchingService is the return value of IOServiceMatching in the same run (0xd32e0a90 in run 1, 0x487e0a90 in run 2), and the argument of IOIteratorNext is the return value of IOServiceGetMatchingService (0x10127, 0x10327).
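The inference that slides 30-33 sketch, as an added example (not code from the talk or from the IMF project): two API logs from two runs of the same program are parsed, and for each parameter the inferrer decides whether it is a value dependence (it equals an earlier call's return value in every run), a constant (it is identical in every run) or an unexplained variable. The log format and the `parse_log`/`infer_model`/`render` names are assumptions; the second run's last return value (0x10328) is constructed because the slide truncates it.

```python
import re

# Two API logs from two runs of the same program, constructed to mirror the
# IOKit example in the slides (run 2's last return value, 0x10328, is made up).
RUN1 = """\
IOServiceMatching("IntelAccelerator") => 0xd32e0a90
IOServiceGetMatchingService(0x0, 0xd32e0a90) => 0x10127
IOIteratorNext(0x10127) => 0x10128
"""
RUN2 = """\
IOServiceMatching("IntelAccelerator") => 0x487e0a90
IOServiceGetMatchingService(0x0, 0x487e0a90) => 0x10327
IOIteratorNext(0x10327) => 0x10328
"""

LINE = re.compile(r'^(\w+)\((.*)\)\s*=>\s*(\S+)$')


def parse_value(tok):
    """A quoted token is a string constant; anything else is a hex integer."""
    tok = tok.strip()
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    return int(tok, 16)


def parse_log(text):
    """Return a list of (name, [args], ret) tuples, one per logged call."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line.strip())
        if not m:
            raise ValueError("unparsable log line: " + line)
        name, argstr, ret = m.groups()
        args = [parse_value(a) for a in argstr.split(",")] if argstr.strip() else []
        calls.append((name, args, parse_value(ret)))
    return calls


def infer_model(logs):
    """Infer ordering, constant parameters and value dependences from logs of
    the same execution. Each model entry is (name, [param descriptors]) where a
    descriptor is ('const', v), ('dep', i) meaning "return value of call i", or
    ('var', v) for a value that differs across runs without a known producer."""
    runs = [parse_log(t) for t in logs]
    names = [c[0] for c in runs[0]]
    for r in runs[1:]:
        if [c[0] for c in r] != names:
            raise ValueError("call order differs between runs; cannot infer one model")
    model = []
    for i, (name, args0, _) in enumerate(runs[0]):
        params = []
        for j, v0 in enumerate(args0):
            # Value dependence: equals the same earlier call's return in every run.
            dep = None
            for k in range(i - 1, -1, -1):          # prefer the most recent producer
                if all(r[i][1][j] == r[k][2] for r in runs):
                    dep = k
                    break
            if dep is not None:
                params.append(('dep', dep))
            elif all(r[i][1][j] == v0 for r in runs):
                params.append(('const', v0))        # constant parameter
            else:
                params.append(('var', v0))          # varies, no known source
        model.append((name, params))
    return model


def render(model):
    """Render the model as C-like code in the style of the slides."""
    lines = []
    for i, (name, params) in enumerate(model):
        rendered = []
        for kind, v in params:
            if kind == 'dep':
                rendered.append(f"r{v}")
            elif isinstance(v, str):
                rendered.append(f'"{v}"')
            else:
                rendered.append(hex(v))
        lines.append(f"r{i} = {name}({', '.join(rendered)});")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(infer_model([RUN1, RUN2])))
```

With one log alone, a constant and a value dependence are indistinguishable (every value repeats trivially); it is the second run, with different handle values but the same structure, that lets the inferrer tell 0x0 (a constant) apart from 0xd32e0a90 (a handle produced by the previous call).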
Slide 34: How to Fuzz with API Models?

Pipeline: Executions -> Logger -> API Logs -> Inferrer -> API Model -> Fuzzer.
Goals addressed: 1. Deep exploration; 2. Flow- & context-sensitivity; 3. Controllable execution.
Slide 35: Observation: Model-based Userland Fuzzer. Model (grammar) -> Inputs (JavaScript) -> JavaScript engine -> CVE. The model captures relationships between inputs.

Slide 36: Our Approach: Model-based Kernel Fuzzer. API model -> API calls -> Kernel -> CVE. The model captures relationships between API calls.
Slide 37: Example of an API Model

    io_iterator_t iterator;
    CFDictionaryRef r;
    io_object_t service;

    r = IOServiceMatching("IntelAccelerator");
    iterator = IOServiceGetMatchingService(0x0, r);
    service = IOIteratorNext(iterator);
Slide 38: Parameter Mutation. Parameters: PRNG seed, mutation probability (P), number of fixed bits (F).

    io_iterator_t iterator;
    CFDictionaryRef r;
    io_object_t service;

    r = IOServiceMatching(mut_str("IntelAccelerator"));
    iterator = IOServiceGetMatchingService(mut_int(0x0), mut_ptr(r));
    service = IOIteratorNext(mut_int(iterator));

Slide 39: API Model Replication. Parameter: number of iterations (I).

    while (loop < max_loop) {
        io_iterator_t iterator;
        CFDictionaryRef r;
        io_object_t service;

        r = IOServiceMatching(mut_str("IntelAccelerator"));
        iterator = IOServiceGetMatchingService(mut_int(0x0), mut_ptr(r));
        service = IOIteratorNext(mut_int(iterator));
        loop++;
    }
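Slides 38-39 show the generated fuzz program but not what the mutators do. The following added example (not the talk's or IMF's code) implements the three knobs named on the slides, a PRNG seed, a mutation probability P and a number of fixed bits F, and replicates a model I times while binding each value dependence to the concrete return value of the current iteration. The model representation, the Mutator class, the assumption that the F high-order bits of an integer are preserved, and the stand-in API that hands back fresh handles are all assumptions made for this example.

```python
import random

# The API model the slides build: constants, and dependences on the return
# value of an earlier call in the same sequence (index into that sequence).
MODEL = [
    ("IOServiceMatching",           [("const", "IntelAccelerator")]),
    ("IOServiceGetMatchingService", [("const", 0x0), ("dep", 0)]),
    ("IOIteratorNext",              [("dep", 1)]),
]


class Mutator:
    """Parameter mutators driven by a seeded PRNG, a mutation probability P
    and a number of fixed bits F. Assumption: the F high-order bits of an
    integer are kept and only the remaining low-order bits are randomised."""

    def __init__(self, seed, P, F, width=32):
        self.rng = random.Random(seed)
        self.P, self.F, self.width = P, F, width

    def mut_int(self, v):
        if self.rng.random() >= self.P:
            return v                                   # left untouched
        keep = self.width - self.F                     # number of mutable low bits
        mask = (1 << keep) - 1
        return (v & ~mask) | (self.rng.getrandbits(keep) if keep else 0)

    mut_ptr = mut_int        # handles/pointers are integers in the log

    def mut_str(self, s):
        if self.rng.random() >= self.P:
            return s
        b = bytearray(s, "ascii")
        b[self.rng.randrange(len(b))] = self.rng.getrandbits(8)   # corrupt one byte
        return b.decode("latin-1")


def run_model(model, iterations, seed, P, F):
    """Replicate `model` `iterations` times (the slides' I), resolving every
    dependence to the concrete return value of this iteration and passing each
    parameter through its mutator. Returns the concrete (name, args) calls."""
    mut = Mutator(seed, P, F)
    next_handle = 0x10000           # constructed stand-in for real API returns
    issued = []
    for _ in range(iterations):
        rets = []                   # return values of this iteration's calls
        for name, params in model:
            args = []
            for kind, v in params:
                if kind == "dep":
                    args.append(mut.mut_ptr(rets[v]))     # value dependence
                elif isinstance(v, str):
                    args.append(mut.mut_str(v))
                else:
                    args.append(mut.mut_int(v))
            issued.append((name, args))
            # Stand-in for the real API: return a fresh handle for this call.
            next_handle += 1
            rets.append(next_handle)
    return issued


if __name__ == "__main__":
    for name, args in run_model(MODEL, iterations=2, seed=1, P=0.3, F=16):
        print(f"{name}({', '.join(repr(a) for a in args)})")
```

With P = 0 the replicated program is exactly the inferred model, which is the baseline every fuzzing campaign should reproduce first; with P > 0 each parameter is perturbed independently while dependences are still taken from the current iteration's returns, which is what keeps the mutated sequence flow- and context-sensitive.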
Slide 40: Evaluation. Pipeline: Executions -> Logger -> API Logs -> Inferrer -> API Model -> Fuzzer.
Slide 41: Experiment Setup. macOS Sierra (from ...). 93 IOKitLib functions. 105 apps (the top 5 popular apps from each of 21 categories). Manually generated inputs (e.g., mouse clicks) for each program.
Slide 42: API Model Accuracy (figure).
Slide 43: Comparison against IOKit Fuzzer. IOKit Fuzzer is a state-of-the-art macOS fuzzer developed by Google Project Zero. Running time: 24 hours x 5 apps (game category) = 120 hours.

    Fuzzer         Unique panics   Crashing process(es)
    IOKit Fuzzer   3               fuzzer process
    IMF            10              fuzzer process, reboot, mdworker, ReportCrash, mds_stores
Slide 44: Large-scale Bug Finding. IMF ran 12 hours for each of 95 API models (1,140 hours) with 95 apps from 21 categories on macOS Sierra (from ...). Found 32 unique kernel panics: likely exploitable: 6; NULL dereference: 3; DoS: 23.

Slide 45: macOS is Still Vulnerable! IMF ran 12 hours for each of 10 API models (120 hours) on macOS High Sierra (from ...). Found 39 unique kernel panics: likely exploitable: 25 (including 5 RIP corruptions); DoS: 14.
Slide 46: Limitations. Program selection for getting API logs (reference: Optimizing Seed Selection for Fuzzing, Security '14). Simple mutation strategy. Non-deterministic bugs.
Slide 47: Open Science.

Slide 48: Questions?
More informationExploring System Calls with Strace by Mike Hamrick
Exploring System Calls with Strace by Mike Hamrick I m Mike Hamrick. In my career as a programmer, sysadmin, and DBA I ve used strace quite a lot to learn what programs are doing under the hood. It s often
More informationWentworth Institute of Technology COMP201 Computer Science II Spring 2015 Derbinsky. C++ Kitchen Sink. Lecture 14.
Lecture 14 1 Exceptions Iterators Random numbers Casting Enumerations Pairs The Big Three Outline 2 Error Handling It is often easier to write a program by first assuming that nothing incorrect will happen
More informationThe android vulnerability discovery in SoC. Yu Pan and Yang Dai
The android vulnerability discovery in SoC Yu Pan and Yang Dai About us Security researcher of Vulpecker Team@360 Android Vulnerabilities research Focus on kernel & driver Numerous vulnerabilities,including
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More informationMemory Mapped I/O. Michael Jantz. Prasad Kulkarni. EECS 678 Memory Mapped I/O Lab 1
Memory Mapped I/O Michael Jantz Prasad Kulkarni EECS 678 Memory Mapped I/O Lab 1 Introduction This lab discusses various techniques user level programmers can use to control how their process' logical
More informationCS 201. Files and I/O. Gerson Robboy Portland State University
CS 201 Files and I/O Gerson Robboy Portland State University A Typical Hardware System CPU chip register file ALU system bus memory bus bus interface I/O bridge main memory USB controller graphics adapter
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationA Smart Fuzzer for x86 Executables
Università degli Studi di Milano Facoltà di Scienze Matematiche, Fisiche e Naturali A Smart Fuzzer for x86 Executables Andrea Lanzi, Lorenzo Martignoni, Mattia Monga, Roberto Paleari May 19, 2007 Lanzi,
More informationRecitation 8: Tshlab + VM
Recitation 8: Tshlab + VM Instructor: TAs 1 Outline Labs Signals IO Virtual Memory 2 TshLab and MallocLab TshLab due Tuesday MallocLab is released immediately after Start early Do the checkpoint first,
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationAdventures in Fuzzing Instruction Selection. 1 EuroLLVM 2017 Justin Bogner
Adventures in Fuzzing Instruction Selection 1 EuroLLVM 2017 Justin Bogner Overview Hardening instruction selection using fuzzers Motivated by Global ISel Leveraging libfuzzer to find backend bugs Techniques
More informationFUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM
FUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM LEE@SSG SINGI@THEORI HITBAMS2018 - FUZZING JAVASCRIPT ENGINES FOR FUN AND PROFIT AREUM LEE Areum Lee Member @ SSG Undergrad student @ Sejong Univ Former
More informationLab 09 - Virtual Memory
Lab 09 - Virtual Memory Due: November 19, 2017 at 4:00pm 1 mmapcopy 1 1.1 Introduction 1 1.1.1 A door predicament 1 1.1.2 Concepts and Functions 2 1.2 Assignment 3 1.2.1 mmap copy 3 1.2.2 Tips 3 1.2.3
More informationPreview. Interprocess Communication with Pipe. Pipe from the Parent to the child Pipe from the child to the parent FIFO popen() with r Popen() with w
Preview Interprocess Communication with Pipe Pipe from the Parent to the child Pipe from the child to the parent FIFO popen() with r Popen() with w COCS 350 System Software, Fall 2015 1 Interprocess Communication
More information