Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University

Transcription

1 Guarding Vulnerable Code: Module 1: Sanitization Mathias Payer, Purdue University 1

2 Vulnerabilities everywhere? 2

3 Common Languages: TIOBE 18 Jul 2018 Jul 2017 Change Language 1 1 Java 2 2 C 3 3 C Python VB.NET 6 5 C# 7 6 PHP 8 8 JavaScript 9 ++ SQL Objective-C Ratings % % 7.615% 6.361% 4.247% 3.795% 2.832% 2.831% 2.334% 1.453% Change +2.37% +7.34% +2.04% +2.82% +1.20% +0.28% -0.26% +0.22% +2.33% -0.44% 3

4 Software is highly complex Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: 1 MLoC glibc: 2 MLoC Linux kernel: 17 MLoC Low-level languages (C/C++) trade type safety and memory safety for performance 4

5 Defense: Testing vs. Mitigations Software Testing Discover bugs Development tool Result oriented Mitigations Stop exploitation Always on Low overhead 5

6 Memory Corruption 6

7 Memory error: invalid dereference Dangling pointer: (temporal) free(foo); *foo = 23; Out-of-bounds pointer: (spatial) char foo[40]; foo[42] = 23; Violation iff: pointer is read, written, or freed 7

8 Type Confusion 8

9 Type confusion through downcasts Base Greeter Exec Greeter *g = new Greeter(); Base *b = static_cast<base*>(g); Exec *e = static_cast<exec*>(b); X 9

10 C++ casting operations static_cast<toclass>(object) Compile time check No runtime type information dynamic_cast<toclass>(object) Runtime check Requires Runtime Type Information (RTTI) Not used in performance critical code 10

11 Static cast Base *b = ; a = static_cast<greeter*>(b); movq -24(%rbp), %rax movq %rax, -40(%rbp) # Load pointer # Type check # Store pointer 11

12 Dynamic cast (O2) Base *b = ; a = dynamic_cast<greeter*>(b); leaq leaq xorl movq call _ZTI7Greeter(%rip), %rdx _ZTI4Base(%rip), %rsi %ecx, %ecx %rbp, %rdi dynamic_cast@plt # Load pointer # Type check 12

13 Type confusion vtable*? Gptr class Base { Bptr x int x; }; y? class Greeter: Base { int y; vtable* virtual void Hi(); }; B G x y Base *Bptr = new Base(); Greeter *Gptr; Gptr = static_cast<greeter*>gptr; // Type Conf Gptr->y = 0x43; // Memory safety violation! Gptr->Hi(); // Control-flow hijacking 13

14 Type Confusion Demo 14

15 C++ virtual dispatch class Base { }; class Exec: public Base { public: Base virtual void exec(char *prg) { system(prg); } Greater Exec }; class Greeter: public Base { public: virtual void sayhi(char *str) { std::cout << str << std::endl; } }; Greeter *greeter = new Greeter(); greeter->sayhi("oh, hello there!"); 15

16 Simple exploitation demo int main() { Base *b1 = new Greeter(); Base *b2 = new Exec(); Greeter *g; GreeterT b1 vtable* g = static_cast<greeter*>(b1); g->sayhi("greeter says hi!"); // g[0][0](str); g = static_cast<greeter*>(b2); g->sayhi("/usr/bin/xcalc"); // g[0][0](str); } delete b1; delete b2; return 0; b2 vtable* ExecT 16

17 Sanitization 17

18 Problem: broken abstractions? C/C++ void log(int a) { printf("log: "); printf("%d", a); } void (*fun)(int) = &log; void init() { fun(15); } ASM log:... fun:.quad log init:... movl $15, %edi movq fun(%rip), %rax call *%rax 18

19 LLVM Sanitization Test cases detect bugs through assertions, segmentation faults, traps, exceptions Enforce stronger policies during testing! Address Sanitizer: memory safety Leak Sanitizer: memory leaks Memory Sanitizer: uninitialized memory UBSan: undefined behavior Thread Sanitizer: data races HexVASAN: variadic argument checker HexType: type safety 19

20 Type Safety 20

21 Type confusion detection* A static cast is checked only at compile time Dynamic casts are checked at runtime Fast but no runtime guarantees High overhead, limited to polymorphic classes HexType design: Conceptually check all casts dynamically Aggressively optimize design and implementation * TypeSanitizer: Practical Type Confusion Detection. Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe. In CCS'16 * HexType: Efficient Detection of Type Confusion Errors for C++. Yuseok Jeon, Priyam Biswas, Scott A. Carr, Byoungyoung Lee, and Mathias Payer. In CCS'17 21

22 Making type checks explicit Enforce runtime check at all cast sites static_cast<toclass>(object) dynamic_cast<toclass>(object) reinterpret_cast<toclass>(object) (ToClass)(Object) Build global type hierarchy Keep track of the allocation type of each object Must instrument all forms of allocation Requires disjoint metadata 22

23 HexType: design Source code Instrumentation (Type casting verification) HexType Binary Clang Type Hierarchy Information LLVM Pass HexType Runtime Library Link 23

24 HexType: aggressive optimization Limit tracing to unsafe types Limit checking to unsafe casts Remove tracing of types that are never cast Remove statically verifiable casts No more RTTI for dynamic casts Replace dynamic casts with fast lookup 24

25 Demo Time! 25

26 HexType coverage 26

27 Newly discovered bugs Discovered seven new vulnerabilities: Apache Xerces C++ DOMNode DOM Character Data DOM Element DOM Text DOM ElementImpl DOM TextImpl Type Confusion! Qt base library QMapNode Base QMapNode 27

28 Sanitizer Summary: Type Safety Type confusion fundamental in today s exploits Existing sanitizers are incomplete, partial, slow HexType (Almost) full coverage (2-6x increase) Reasonable overhead (SPEC CPU: 0-32x improvement, Firefox: 0-0.5x slowdown) Future work: remaining coverage, optimizations 28

29 T-Fuzz 29

30 Fuzzing Challenges Shallow code paths Challenges Shallow coverage Hard to find deep bugs Root cause start Deep code paths check1 check2 Fuzzer-generated inputs cannot bypass complex sanity checks in the target program check3 bug Existing work limits itself to input generation end 30

31 T-Fuzz: Fuzz the Program! Option 1: generate input to bypass checks by heavy-weight program analysis techniques Driller (concolic analysis) VUzzer (dynamic taint analysis) Our idea: remove program s sanity checks Checks filter orthogonal input, e.g., magic values, checksum, or hashes (Non-Critical Check, NCC) Insight: removing NCCs is safe if (strncmp(hdr, ELF", 3) == 0) { // main program logic } else { error(); } 31

32 Design and Implementation Fuzzer generates inputs When stuck Detect NCCs* Transform program Verify crashes Transformed Programs Inputs Fuzzer (e.g. AFL) Program Transformer Crashing inputs Crash Analyzer Bug Reports False Positives *Approximation of NCCs: edged in the CFG connecting covered/uncovered nodes 32

33 Detecting NCC s Approximate NCCs as edges connecting covered and uncovered nodes in CFG Over approximate, may contain false positives Lightweight and simple to implement 33 Covered Node Uncovered Node NCC Candidates 33

34 Program Transformation start Our approach: negate NCCs Simple: static binary rewriting Zero runtime overhead in resulting target program Unchanged CFG Trace in transformed program maps to original program A == B False branch True branch end start Path constraints of original program can be recovered Negated Check A!= B False branch True branch end 34 34

35 Comparison to Symbolic Executoion Explores all code paths, tracks constraints Path explosion, e.g., loops Each branch doubles the number of code paths... Resource requirement Theoretically beautiful, limited scalability ( Path1, constraint set1)... ( Pathn, constraint setn) 35

36 Comparison to Concolic Execution Guided by concrete inputs Follows single code path, collects constraints for new code paths Reduced resource requirements Still an exponential number of paths to explore! input Not C1 C

37 Comparison to Driller (Fuzz & CE) Fuzzing until coverage wall When fuzzing gets stuck, concolic execution explores new code paths using fuzzer generated inputs Limitations SE & constraints solving slows down fuzzing Not able to bypass hard checks Fuzzer mutating SE & constraint solving Inputs target program Crashes 37

38 T-Fuzz: fuzz first, solve only crashes Fuzzing/SE decoupled SE only applied to detected crashes T-Fuzz For hard checks, T-Fuzz detects the guarded bug, but cannot verify it Fuzzer Program Transformation program SE & constraints solving Crashes T-Fuzz in action 38

39 Evaluation Implementation Fuzzer: shellphish fuzzer (python wrapper of AFL) Program Transformer: angr tracer, radare2 Crash Analyzer: 2k LoC Python hackery Evaluation DARPA CGC dataset LAVA-M dataset 4 real-world programs 39

40 DARPA CGC Dataset Improvement over Driller/AFL: 55 (45%) / 61 (58%) Driller outperforms T-Fuzz 3 due to false crashes (L1) 7 due to transformation explosion (L2) Driller (121) T-Fuzz (166) 6 10 AFL (105) 55 Method # bugs AFL 105 Driller 121 T-Fuzz 166 Driller - AFL 16 T-Fuzz - AFL 61 T-Fuzz - Driller 55 Driller - T-Fuzz 10 40

41 LAVA-M Dataset T-Fuzz outperforms VUzzer and Steelix for hard checks T-Fuzz defeated by Steelix due to transformation explosion in who, but still found more bugs than VUzzer T-Fuzz found 1 unintended bug in who Program # of bugs VUzzer Steelix T-Fuzz base unique md5sum * who 41

42 Evaluation on Real Programs Time budget: 24 hours T-Fuzz triggers more crashes than AFL T-Fuzz found 3 new bugs in latest versions of ImageMagick and libpoppler (marked by *) Program + library AFL T-Fuzz pngfix + libpng (1.7.0) 0 11 tiffinfo + libtiff (3.8.2) magick + ImageMagicK (7.0.7) pdftohtml + libpoppler (0.62.0) 0 2* 0 1* 42

43 T-Fuzz Summary Fuzzers hit coverage wall, no deep bugs T-Fuzz mutates both input and target program T-Fuzz improves over Driller/AFL by 45%/58% T-Fuzz triggeres bugs guarded by hard checks New bugs: 1 in LAVA-M, 3 in real-world programs 43

44 Conclusion 44

45 Conclusion Goal: Protect systems despite vulnerabilities Sanitization finds bugs during testing HexType brings type safety to C++ T-Fuzz explores deep program paths Combine sanitization and fuzzing for best results Source: Thank you! Questions? 45

46 Source: Word Cloud 46