Using static analysis to detect use-after-free on binary code

Similar documents
Static analysis for exploitable vulnerability detection

Detecting and exploiting integer overflows

BINSEC: Binary-level Semantic Analysis to the Rescue

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Introduction to software exploitation ISSISP 2017

Code Analysis and Security

TI2725-C, C programming lab, course

Buffer overflow background

CSE 509: Computer Security

INTRODUCTION TO EXPLOIT DEVELOPMENT

Lecture 4 September Required reading materials for this class

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Software Security: Buffer Overflow Attacks

PRINCIPLES OF OPERATING SYSTEMS

In Java we have the keyword null, which is the value of an uninitialized reference type

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

Memory Corruption Vulnerabilities, Part II

CS 241 Data Organization Binary Trees

ECE 471 Embedded Systems Lecture 22

finding vulnerabilities

Kurt Schmidt. October 30, 2018

Arrays and Memory Management

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing

Unleashing D* on Android Kernel Drivers. Aravind Machiry

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Pointers & Dynamic Memory Review C Pointers Introduce C++ Pointers

Memory Corruption 101 From Primitives to Exploit

CS161 Midterm 1 Review

Basic Buffer Overflows

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CS24 Week 2 Lecture 1

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

C BOOTCAMP DAY 2. CS3600, Northeastern University. Alan Mislove. Slides adapted from Anandha Gopalan s CS132 course at Univ.

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Internet infrastructure

CSE 127 Computer Security

ECE264 Spring 2014 Exam 2, March 11, 2014

Pointers, Arrays, Memory: AKA the cause of those Segfaults

CS C Primer. Tyler Szepesi. January 16, 2013

CSE 333. Lecture 4 - malloc, free, struct, typedef. Hal Perkins Paul G. Allen School of Computer Science & Engineering University of Washington

CSC 1600 Memory Layout for Unix Processes"

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

SA30228 / CVE

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

IMPORTANT QUESTIONS IN C FOR THE INTERVIEW

CMPSC 497: Static Analysis

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lectures 5-6: Introduction to C

in memory: an evolution of attacks Mathias Payer Purdue University

Memory (Stack and Heap)

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL. Saar Amar Recon brx 2018

CS 322 Operating Systems Practice Midterm Questions

Limitations of the stack

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Software Security: Buffer Overflow Defenses and Miscellaneous

Practical Malware Analysis

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

Detecting Integer Overflow Vulnerabilities in Binaries. Tielei Wang Institute of Computer Science and Technology, Peking University

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

Software security, secure programming

CS 161 Computer Security

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Motivation was to facilitate development of systems software, especially OS development.

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

Lectures 5-6: Introduction to C

CSE / / 60567: Computer Security. Software Security 4

CS 326 Operating Systems C Programming. Greg Benson Department of Computer Science University of San Francisco

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Low-Level C Programming. Memory map Pointers Arrays Structures

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

High-performance computing and programming Intro to C on Unix/Linux. Uppsala universitet

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Memory management. Johan Montelius KTH

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

2. Exercises ASI Using the tools : objdump, gdb, ida,...

CSC209H Lecture 4. Dan Zingaro. January 28, 2015

Outline. Lecture 1 C primer What we will cover. If-statements and blocks in Python and C. Operators in Python and C

C Review. MaxMSP Developers Workshop Summer 2009 CNMAT

Abstract Data Types. Lecture 05 Summary. Abstract Data Types Structures in C 1/26/2009. Slides by Mark Hancock (adapted from notes by Craig Schock)

SoK: Eternal War in Memory

Data Representation and Storage. Some definitions (in C)

CSE 565 Computer Security Fall 2018

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Data Structures and Algorithms for Engineers

These problems are provided to you as a guide for practice. The questions cover important concepts covered in class.

Memory. What is memory? How is memory organized? Storage for variables, data, code etc. Text (Code) Data (Constants) BSS (Global and static variables)

How Double-Fetch Situations turn into Double-Fetch Vulnerabilities:

20: Exploits and Containment

Aryan College. Fundamental of C Programming. Unit I: Q1. What will be the value of the following expression? (2017) A + 9

Lecture 08 Control-flow Hijacking Defenses

COSC Software Engineering. Lecture 16: Managing Memory Managers

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Code: analysis, bugs, and security

Transcription:

Using static analysis to detect use-after-free on binary code Josselin Feist Laurent Mounier Marie-Laure Potet Verimag / University of Grenoble - Alpes France SDTA 2014 - Clermont-Ferrand 5 décembre 2014

Software Vulnerability A software flaw that may become a security threat... invalid memory access, arithmetic overflow, race conditions, etc. Still present in current applications and OS kernels: 5000 vulns in 2011, 5200 in 2012, 6700 in 2013... [Symantec] Multiple consequences: program crash, malware injection, priviledge escalation, etc. A major security concern... (and a business!) editors, security agencies, defense departments, etc.

Vulnerability detection in practice A 2-phase approach 1 (pseudo-random) fuzzing, fuzzing,... and fuzzing to produce a huge number of program crashes 2 in-depth manual crash analysis to identify exploitable bugs

Vulnerability detection in practice A 2-phase approach 1 (pseudo-random) fuzzing, fuzzing,... and fuzzing to produce a huge number of program crashes 2 in-depth manual crash analysis to identify exploitable bugs Consequences A time consuming activity (very small ratio exploitable flaws/simple bugs!) Would require a better tool assistance...

Work objective : automated detection of Use-after-Free Use-after-Free vulnerability (UaF) UaF = use of a dangling pointer in a program statement occurs in complex memory management applications: Firefox (CVE-2014-1512), Chrome (CVE-2014-1713), IE (CVE-2014-1763)

Work objective : automated detection of Use-after-Free Use-after-Free vulnerability (UaF) UaF = use of a dangling pointer in a program statement occurs in complex memory management applications: Firefox (CVE-2014-1512), Chrome (CVE-2014-1713), IE (CVE-2014-1763) Scientific and technical challenges a complex vulnerability pattern: triggered by # events (alloc, free, use) needs a suitable memory model: heap representation, allocation/de-allocation strategy binary code analysis: low-level representation, scalability/accuracy trade-offs

UaF example 1: information leakage 1 char * login, * passwords ; 2 login =( char *) malloc (...) ; 3 [...] 4 free ( login ); // login is now a dangling pointer 5 [...] 6 passwords =( char *) malloc (...) ; 7 // may re - allocate memory area used by login 8 [...] 9 printf ("%s\n", login ) // prints the passwords!

UaF example 2: execution hijacking 1 typedef struct { 2 void (*f)( void ); // pointer to a function 3 } st; 4 5 int main ( int argc, char * argv []) 6 { 7 st *p1; 8 char *p2; 9 p1 =( st *) malloc ( sizeof (st)); 10 free ( p1); // p1 is now a dangling pointer 11 p2= malloc ( sizeof ( int )); // memory area of p1? 12 strcpy (p2, argv [1]) ; 13 p1 ->f(); // calls any function you want... 14 return 0; 15 }

Static detection of UaF (example) extract Uaf patterns = program slices containing potential UaF

Step 1 : where and how the heap is accessed? HE = sets of all heap elements Compute at each program location l the sets of allocated and free heap elements: HA(l), HF (l) needs to identify allocation/de-allocation primitives the (abstract) value of each memory location m : AbsEnv(l, m)

Step 1 : where and how the heap is accessed? HE = sets of all heap elements Compute at each program location l the sets of allocated and free heap elements: HA(l), HF (l) needs to identify allocation/de-allocation primitives the (abstract) value of each memory location m : AbsEnv(l, m) Implemented as an abstract interpretation technique computes addresses and contents of active memory locations tracks heap pointers and pointer aliases lightweight Value-Set Analysis (VSA)

VSA : example 1 typedef struct { 2 void (*f)( void ); 3 } st; 4 5 int main ( int argc, char * argv []) 6 { 7 st *p1; 8 char *p2; 9 p1 =( st *) malloc ( sizeof (st)); 10 free (p1); 11 p2= malloc ( sizeof (int )); 12 strcpy (p2, argv [1]) ; 13 p1 ->f(); 14 return 0; 15 } Code VSA Heap 9 : p1 =( st *) malloc ( sizeof (st)) AbsEnv = ( ((Init(EBP), -4),( )), ((Init(EBP), -8),( )) ) 10 : free (p1) AbsEnv = ( ((Init(EBP), -4),( )), ((Init(EBP), -8),( )) ) 11 : p2= malloc ( sizeof ( int )) AbsEnv = ( ((Init(EBP), -4),( )), ((Init(EBP), -8),( )) ) HA = HF = HA = HF = HA = HF =

VSA : example 1 typedef struct { 2 void (*f)( void ); 3 } st; 4 5 int main ( int argc, char * argv []) 6 { 7 st *p1; 8 char *p2; 9 p1=(st*)malloc(sizeof(st)); 10 free (p1); 11 p2= malloc ( sizeof (int )); 12 strcpy (p2, argv [1]) ; 13 p1 ->f(); 14 return 0; 15 } Code VSA Heap 9 : p1 =( st *) malloc ( sizeof (st)) AbsEnv = ( ((Init(EBP), -4),(chunk 0 ), ((Init(EBP), -8),( )) ) 10 : free (p1) AbsEnv = ( ((Init(EBP), -4),( )), ((Init(EBP), -8),( )) ) 11 : p2= malloc ( sizeof ( int )) AbsEnv = ( ((Init(EBP), -4),( )), ((Init(EBP), -8),( )) ) HA = {chunk 0 } HF = HA = HF = HA = HF =

VSA : example 1 typedef struct { 2 void (*f)( void ); 3 } st; 4 5 int main ( int argc, char * argv []) 6 { 7 st *p1; 8 char *p2; 9 p1 =( st *) malloc ( sizeof (st)); 10 free(p1); 11 p2= malloc ( sizeof (int )); 12 strcpy (p2, argv [1]) ; 13 p1 ->f(); 14 return 0; 15 } Code VSA Heap 9 : p1 =( st *) malloc ( sizeof (st)) AbsEnv = ( ((Init(EBP), -4),(chunk 0 )), ((Init(EBP), -8),( )) ) 10 : free (p1) AbsEnv = ( ((Init(EBP), -4),(chunk 0 )), ((Init(EBP), -8),( ))) 11 : p2= malloc ( sizeof ( int )) AbsEnv = ( ((Init(EBP), -4),( )), ((Init(EBP), -8),( )) ) HA = {chunk 0 } HF = HA = HF = {chunk 0 } HA = HF =

VSA : example 1 typedef struct { 2 void (*f)( void ); 3 } st; 4 5 int main ( int argc, char * argv []) 6 { 7 st *p1; 8 char *p2; 9 p1 =( st *) malloc ( sizeof (st)); 10 free (p1); 11 p2=malloc(sizeof(int)); 12 strcpy (p2, argv [1]) ; 13 p1 ->f(); 14 return 0; 15 } Code VSA Heap 9 : p1 =( st *) malloc ( sizeof (st)) AbsEnv = ( ((Init(EBP), -4),(chunk 0 )), ((Init(EBP), -8),( )) ) 10 : free (p1) AbsEnv = ( ((Init(EBP), -4),(chunk 0 )), ((Init(EBP), -8),( ))) 11 : p2= malloc ( sizeof ( int )) AbsEnv = ( ((Init(EBP), -4),(chunk 0 )), ((Init(EBP), -8),(chunk 1 ))) HA = {chunk 0 } HF = HA = HF = {chunk 0 } HA = {chunk 1 } HF = {chunk 0 }

Step 2 : slicing the Control-Flow Graph AccessHeap AccessHeap(l) = set of heap elements accessed at l Example: AccessHeap(l : LDM ad, reg) = AbsEnv(l, ad) HE AccessHeap(l : STM reg, ad) = AbsEnv(l, ad) HE

Step 2 : slicing the Control-Flow Graph AccessHeap AccessHeap(l) = set of heap elements accessed at l Example: AccessHeap(l : LDM ad, reg) = AbsEnv(l, ad) HE AccessHeap(l : STM reg, ad) = AbsEnv(l, ad) HE Locate UaF on the CFG Use-after-Free = accessing a heap element which is free EnsUaf ={(l, h) h AccessHeap(l) HF (l)} Extraction of executions leading to each Use-After-Free l entry l alloc l alloc l free l free l uaf

Implementation x86 IDA Pro CFG BinNavi UaF patterns UaF Detection REIL Exploitability Analysis Memory Model Characteristics previous implementation in Jython, new one in OCAML... validation with simple examples under evaluation on a real CVE (ProFTPD, CVE 2011-4130)

Exploitability Analysis (ongoing work) decide if an UaF pattern is likely to be exploitable? Several criteria: is e re-allocated between free(e) and access(e)? strongly depend on the allocation strategy... is the size and/or content of the allocated element tainted? dependency analysis from input functions... what kind of access(e): read, write, jump? etc. Proposed approach: guided symbolic execution on the UaF pattern...

Conclusion & Perspectives Conclusions Uaf are difficult to find with pure dynamic analysis... first attempt to statically characterize UaF patterns? PoC tool

Conclusion & Perspectives Conclusions Uaf are difficult to find with pure dynamic analysis... first attempt to statically characterize UaF patterns? PoC tool Perspectives integrate the tool within the ANR BinSec plateform detection of home-made allocators ([H. Bos et al]) real-life Use-After-Free in web broswers? exploitability analysis...

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback