K-Miner Uncovering Memory Corruption in Linux

Similar documents
ECE 598 Advanced Operating Systems Lecture 12

Towards Automatic Generation of Vulnerability- Based Signatures

Testing Error Handling Code in Device Drivers Using Characteristic Fault Injection

Verification & Validation of Open Source

FlowTwist: Efficient Context-Sensitive Inside- Out Taint Analysis for Large Codebases

Improving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation

Language Security. Lecture 40

How Double-Fetch Situations turn into Double-Fetch Vulnerabilities:

A program execution is memory safe so long as memory access errors never occur:

Hyperkernel: Push-Button Verification of an OS Kernel

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

in memory: an evolution of attacks Mathias Payer Purdue University

CSCI 6411: Operating Systems. Acknowledgements: Some slide material derived from Silberschatz, et al.

CSC 1600 Memory Layout for Unix Processes"

Improving Linux development with better tools

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

o Code, executable, and process o Main memory vs. virtual memory

Lucas Davi University of Duisburg-Essen, Germany ICRI-SC Associated Researcher

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

Finding User/Kernel Pointer Bugs with Type Inference p.1

Fuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team

Scaling CQUAL to millions of lines of code and millions of users p.1

Windows architecture. user. mode. Env. subsystems. Executive. Device drivers Kernel. kernel. mode HAL. Hardware. Process B. Process C.

APISan: Sanitizing API Usages through Semantic Cross-checking

Operating System Architecture. CS3026 Operating Systems Lecture 03

CS 550 Operating Systems Spring System Call

15-411: LLVM. Jan Hoffmann. Substantial portions courtesy of Deby Katz

From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel

MC: Meta-level Compilation

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

One-Slide Summary. Lecture Outline. Language Security

Code: analysis, bugs, and security

DR. CHECKER. A Soundy Analysis for Linux Kernel Drivers. University of California, Santa Barbara. USENIX Security seclab

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

OS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:

How to Sandbox IIS Automatically without 0 False Positive and Negative

CMPSC 497 Other Memory Vulnerabilities

Dynamic Memory Management! Goals of this Lecture!

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

Lowering and Backend in libfirm

Optimizing for Bugs Fixed

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

The Low-Level Bounded Model Checker LLBMC

First order of Business

Just-in-Time Code Reuse

Lecture 1: Course Overview

Adaptive Android Kernel Live Patching

"Secure" Coding Practices Nicholas Weaver

System Administration and Network Security

Improving Integer Security for Systems with KINT. Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS

SGXBounds Memory Safety for Shielded Execution

Understanding the Genetic Makeup of Linux Device Drivers

Memory Corruption 101 From Primitives to Exploit

Operating System Structure

Linux Security Summit Europe 2018

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

Limitations of the stack

Baggy bounds with LLVM

CodeTickler: Automated Software Testing as a Service. Cris%an Zamfir, Vitaly Chipounov, George Candea

Dynamic Memory Management

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

ECE 471 Embedded Systems Lecture 22

Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

CSE 565 Computer Security Fall 2018

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Linux Kernel Futex Fun: Exploiting CVE Dougall Johnson

csci3411: Operating Systems

Android Kernel Security

Hardware Enclave Attacks CS261

Dynamic Memory Allocation. Zhaoguo Wang

CA341 - Comparative Programming Languages

Operating System Structure

Preventing Use-after-free with Dangling Pointers Nullification

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

On the Effectiveness of Type-based Control Flow Integrity

INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS

OpenCL: History & Future. November 20, 2017

Developing Real-Time Applications

THREADS: (abstract CPUs)

A Translation Framework for Automatic Translation of Annotated LLVM IR into OpenCL Kernel Function

ROSE-CIRM Detecting C-Style Errors in UPC Code

SECURING SOFTWARE AGAINST LIBRARY ATTACKS

[0569] p 0318 garbage

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Static Analysis in Practice

Shoal: smart allocation and replication of memory for parallel programs

Dynamic Memory Management

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

In Java we have the keyword null, which is the value of an uninitialized reference type

CS2141 Software Development using C/C++ Debugging

Jailbreaking. Apple Watch. Max Bazaliy. December 4-7, 2017

Memory (Stack and Heap)

Fundamentals of Programming Session 12

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features. WANG, YONG a.k.a. Pandora Lab of Ali Security

Dowsing for overflows: a guided fuzzer to find buffer boundary violations

Transcription:

K-Miner Uncovering Memory Corruption in Linux David Gens Simon Schmitt Ahmad-Reza Sadeghi Cyber Security Center (CYSEC) Technische Universität Darmstadt Lucas Davi Universität of Duisburg-Essen

Why Static Analysis?

Big Picture KERNEL FILES COMPILER Memory Corruption: Use-After-Free Double Free Use-After-Return Memory Leaks OS HARDWARE

Big Picture KERNEL FILES COMPILER Attacke r Memory Corruption: Use-After-Free Double Free Use-After-Return Memory Leaks OS HARDWARE Static Analysis at compile time. Dynamic Analysis at run time.

Data-Flow Analysis: Graphs void main() { int a = 1; int *p; if (a!= 0) p = &a; Entry: int a = 1 int main *p printf p = &a } printf( %d\n, *p); Call Graph printf( %d\n, *p); Control-Flow Graph

Data-Flow Analysis: Graphs void main() { int a = 1; int *p; Pointer p Obj_p Obj_a a a p=&a Stack } if (a!= 0) p = &a; printf( %d\n, *p); p phi *p Pointer Value-Flow Constraint Assignment Graph Graph

Source-Sink Analysis kalloc_x p alloc SOURCE void main() { int *p = alloc(); p=alloc() if (p!= NULL) free(p); free SINK } free(p); phi free SINK There exists a path that reaches two sinks.

Scalability and Precision High Complexity + + + Context-Sensitive Field-Sensitive Inter-Procedural Analysis Low Complexity

Kernel Static Analysis - History Sparse [by Torvalds] APISAN [Yun et al. USENIX 16] Smatch [by Charpenter] Coccinelle [Padioleau et al. EuroSys 08] EBA [Abal et al. Springer 17] 2002 2003 2008 2016 2017

Linux Kernel: Lines of Code 25M 20M 15M 10M Lines of Code 5M 0 M 1.0 1.2 2.0 2.2 2.6 3.0 3.2 3.6 3.19 4.0 4.2 4.6 4.10 4.12 Version

Contributions and Challenges Analysis Format Large Codebase Expandability Data-Flow Analysis Different Kernel Versions Transformation of the kernel source into the LLVM intermediate representation Scaling inter-procedural Data-Flow Analysis to millions of kernel code lines A modular design, adding new checkers is straightforward Combine existing and novel approaches for inter-procedural bug checkers Reports of different kernel versions can be managed using a web-based interface

Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Syscall API Vulnerabilities have to be exploited though system calls KERNEL Driver API HARDWARE

Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE

Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE

Enabling Data-Flow Analysis Idea: Partitioning the kernel along the system call API System calls are the interface between user- and kernelspace Attacke r Vulnerabilities have to be exploited though system calls HARDWARE

Design and Workflow KERNEL FILES COMPILER MAKE FILE IR Pre-Processing Model Memory Obj Define Contexts Init Contexts K-MINER

Design and Workflow KERNEL FILES COMPILER MAKE FILE IR K-MINER Pre-Processing Model Memory Obj Define Contexts Init Contexts Partitioner Report Engine Bug Checker global_x global_y Memory-Corruption Report: Use-After-Return: global_x -> local_y

Implementation Details K-Miner builds on top of LLVM and SVF Environment Setup: Register allocation sites by using a list of kernel allocation functions for dynamically allocated objects Context Handling: Defines syscalls and initcalls contexts Performs a call-graph analysis and pointer analysis Multi-Level reduction of relevant partitions Bug Checker: Exploit LLVM s Pass-Infrastructure Covers Use-After-Return, Double-Free and Memory-Leaks Performs particular analysis and several validation checks

Use-After-Return Checker void sys_foo() { do_foo() return } 6 global_p local_x void do_foo() { int local_x = 1 add_x(&local_x) if(cond()) remove_x() return } 3 5 null remove_x 4 add_x 2 3 1 void add_x(int *p) { global_p = p } 1 2 do_foo 5 void remove_foo() { 6 global_p = NULL } 4 Value-Flow Graph

Use-After-Return Checker void sys_foo() { do_foo() return } 6 global_p local_x void do_foo() { int local_x = 1 add_x(&local_x) if(cond()) remove_x() return } 3 5 null remove_x 4 add_x 2 3 1 void add_x(int *p) { global_p = p } 1 2 do_foo 5 void remove_foo() { 6 global_p = NULL } 4 Value-Flow Graph

Evaluation Coverage: Four Kernel Versions ca. 300 system calls Scalability: Ø 25 min. per system call Ø 12 GB memory usage Real-world Impact: CVE-2014-3153 (UAR) CVE-2015-8962 (DFree) Extensibility: Additional bug checkers can be added as Passes Version MLoC Functions Run-Time Globals Memory Locals UAR MLeak Total Pointer DFree v3.19 15.5 1667/9933 796.69s 124/13624 8.765 GB 6967/419554 7/40 3/131 97248/5689390 1/13 v4.02 2086/104247 16.3 1435.62s 122/14771 13.23 GB 9309/451451 11/46 2/106 127894/571316 0/19 v4.06 2208/104430 17.1 1502.54s 126/14989 11.76 GB 9947/453052 3/50 2/104 133313/6174471 0/31 v4.10 2246/120794 22.1 2312.14s 157/16530 12.86 GB 9873/518394 0/65 1/105 128253/7091977 0/22

https://github.com/ssl-tud/k-miner

https://github.com/ssl-tud/k-miner Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback