IntFlow: Integer Error Handling With Information Flow Tracking

Transcription

1 IntFlow Columbia University 1 / 29 IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University

2 Integer Error IntFlow Columbia University 2 / 29

3 Example IntFlow Columbia University 3 / img t *table ptr; 2. unsigned int num imgs = get num imgs(); 3. unsigned int alloc size = sizeof(img t) * num imgs; 4. table ptr = (img t *) malloc(alloc size); 5. for (i = 0; i < num imgs; i++) 6. table ptr[i] = read img(i);

4 Integer Errors IntFlow Columbia University 4 / 29 Mathematical representation vs machine representation Instances: Integer overflow/underflow Precision loss Signedness change

5 Characteristics IntFlow Columbia University 5 / 29 Mainly C/C++ specific: Signed integers only (Java, Python) Overflow protection (Python) Undefined: Negative unsigned INT MAX + 1 Optimizations Expected behavior

6 Importance IntFlow Columbia University 6 / 29 Can lead to buffer overflows, memory leaks etc... Integral part of exploits Erroneous memory allocation Integer overflow in top 25 most dangerous software errors > 50 vulnerability reports (CVE) in 2014 QuickTime Signedness change launchd (ios) Integer overflow Wireshark Signedness change Google Chrome Integer overflow

7 Integer Overflow Checker (IOC)[ICSE2012] IntFlow Columbia University 7 / 29 Clang AST Dangerous operation Static: operation safe function Dynamic: detect errors Report and (optionally) abort Clang trunk v3.3 /* a = b + c */ bool error = false; a = safe add(b, c, error); if (error) report();

8 Integer Overflow Checker (IOC)[ICSE2012] IntFlow Columbia University 8 / 29 Dynamic detection mechanism Offline use Input set from user

9 IOC Issue IntFlow Columbia University 9 / 29 Overly comprehensive Lack of severity level Error vulnerability

10 Developer Intended Violations IntFlow Columbia University 10 / 29 Idioms errors Controlled Expected bahavior Not affected by attacker IOC report all Large list Manually distill critical errors Examples umax = (unsigned) -1; neg = (char) INT MAX; smax = 1 << (WIDTH - 1) - 1; smax++;

11 Intflow IntFlow Columbia University 11 / 29 Goals: 1. Eliminate reports of developer intended violations 2. Retain and highlight critical error reports

12 IntFlow IntFlow Columbia University 12 / 29 Challenges: 1. Can we identify potential vulnerabilities? 2. Can we identify potentially exploitable vulnerabilities? 3. Can we do it accurately?

13 Critical Arithmetic Errors IntFlow Columbia University 13 / 29 An error is potentially critical if: 1. Untrusted source arithmetic error e.g. read(), getenv()... OR 2. Arithmetic error sensitive sink e.g. *alloc(), strcpy()...

14 IntFlow: Architecture IntFlow Columbia University 14 / 29

15 Static Information Flow Tracking IntFlow Columbia University 15 / 29 Set of techniques analyzing data-flow Common compiler methodology Distinguishes flows to/from integer operations Pros No runtime overhead Coverage Cons Accuracy Scalability

16 IntFlow: Architecture IntFlow Columbia University 16 / 29

17 Backward Slicing: Operation Sources IntFlow Columbia University 17 / 29

18 Forward Slicing: Source Operation IntFlow Columbia University 18 / 29

19 Forward Slicing: Source Operation IntFlow Columbia University 19 / 29

20 IntFlow Columbia University 20 / 29 Sources Examination If sources = trusted result = developer intended

21 Remove IOC Check IntFlow Columbia University 21 / 29

22 IntFlow: Architecture IntFlow Columbia University 22 / 29

23 Sensitive Operations IntFlow Columbia University 23 / 29 Dynamic detection Operations sensitive functions Operation bit Check before a sensitive function Report if any bit set

24 Modes Of Operation IntFlow Columbia University 24 / 29 Blacklisting mode Untrusted sources operation Whitelisting mode Trusted sources operation Sensitive mode Operation sensitive sinks Combination of modes Blacklisting/Whitelisting + Sensitive Confidence - Completeness

25 Evaluation IntFlow Columbia University 25 / 29 Whitelisting mode Flexible Context agnostic Untrusted sources Error propagation Upper bound on report number

26 SPEC CINT2000 IntFlow Columbia University 26 / 29 Number of Reported Arithmetic Errors IOC Intended IOC Critical IntFlow Intended IntFlow Critical 0 gzip vpr gcc crafty parser perlbmk gap vortex

27 Real-world Applications IntFlow Columbia University 27 / 29 Detected vulnerabilities: CVE Number Application Error Type CVE Dillo Integer Overflow CVE GIMP Integer Overflow CVE Swftools Integer Overflow CVE Pidgin Signedness Change Produced reports Overall Dillo GIMP Swftools Pidgin IOC IntFlow

28 Runtime Overhead IntFlow Columbia University 28 / 29 Offline use CPU-bound (e.g. grep): 50-80% IO-bound (e.g. nginx): 20%

29 Summary IntFlow Columbia University 29 / 29 Coupled IFT with IOC Identified critical errors Focused on potentially exploitable vulnerabilities Code:

30 Bonus IntFlow Columbia University 29 / 29 Backup Slides

31 Runtime Overhead IntFlow Columbia University 29 / 29 Slowdown (normalized) Whitelisting Blacklisting Sensitive grep wget wwwx zshx tcpdump cher nginx

32 Additional Evaluation Results IntFlow Columbia University 29 / 29 Independent stress test (red team) Artificial vulnerabilities in popular applications IO Inputs Good: no exploit normal execution Bad: exploit detect and abort Aggregate result ( TP+TN Total ): 79.30%