Security Vulnerability Analysis and Mitigation for Real-World Systems
Shuo Chen, Center for Reliable and High-Performance Computing, Coordinated Science Laboratory, University of Illinois at Urbana-Champaign
Final Exam slides, August 18th, 2005 (transcript)
Posted: 20-Dec-2015. Category: Documents.


Page 1

Security Vulnerability Analysis and Mitigation for Real-World Systems

Shuo Chen
Center for Reliable and High-Performance Computing
Coordinated Science Laboratory
University of Illinois at Urbana-Champaign

Final Exam, August 18th, 2005

Committee Chair: Prof. Ravi Iyer
Committee: Prof. Vikram Adve, Prof. Ravi Iyer, Prof. Jose Meseguer, Prof. David Nicol

Page 2

Prelim Exam Recap

- Analyzed security vulnerability reports in Bugtraq and CERT advisories.
- Most vulnerabilities can be modeled as a series of simple logic predicates.
- Used FSM models to reason about many categories of vulnerabilities.
- A common characteristic of most security vulnerabilities: pointer taintedness.
  - Pointer value derived from user input.
  - Allows users to specify memory addresses. Usually due to attacks!
- Developed a theorem proving approach to reason about the possibility of pointer taintedness, to uncover potential vulnerabilities.

Page 3

Since Prelim Exam: Questions Focused On

- Is pointer taintedness detection just an alternative approach to existing defense techniques, or is it a significant improvement?
- Is pointer taintedness detection applicable to large real-world software?

Page 4

Since Prelim Exam (cont.): Contributions

- Demonstrate that a new security attack, the non-control-data attack, is applicable to much real-world software and is not addressed by many current defense techniques.
- Demonstrate that pointer taintedness detection can naturally defeat non-control-data attacks as well as traditional attacks.
- Demonstrate that pointer taintedness detection can be deployed in large systems:
  - by building it into the processor architecture;
  - by combining theorem proving and runtime assertions.

Page 5

Summary of My Research

- Start from the analysis of a large volume of security data.
- Extract common characteristics of security vulnerabilities and attacks.
- Propose new defense techniques (supported by real-world attack models).

Page 6

Publications

S. Chen, J. Xu, E. C. Sezer, P. Gauriar and R. K. Iyer. "Non-Control-Data Attacks Are Realistic Threats," USENIX Security Symposium, 2005.
S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, R. K. Iyer. "Defeating Memory Corruption Attacks via Pointer Taintedness Detection," DSN, 2005.
S. Chen, J. Dunagan, C. Verbowski and Y.-M. Wang. "A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities," NDSS, 2005.
S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer. "Security Vulnerabilities: From Analysis to Detection and Masking Techniques," Proceedings of the IEEE, 2005.
S. Chen, K. Pattabiraman, Z. Kalbarczyk, R. K. Iyer. "Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics," IFIP SEC, 2004.
S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer and K. Whisnant. "Modeling and Evaluating the Security Threats of Transient Errors in Firewall Software," Performance Evaluation, 2004.
S. Chen, Z. Kalbarczyk, J. Xu, R. K. Iyer. "A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities," DSN, 2003.
S. Chen, J. Xu, R. K. Iyer, K. Whisnant. "Modeling and Analyzing the Security Threat of Firewall Data Corruption Caused by Instruction Transient Errors," DSN, 2002.
J. Xu, S. Chen, Z. Kalbarczyk, R. K. Iyer. "An Experimental Study of Security Vulnerabilities Caused by Errors," DSN, 2001.

9 full papers in IEEE DSN, USENIX Security, IFIP Security, ISOC NDSS, Proceedings of the IEEE and Journal of Performance Evaluation.

Page 7

Non-Control-Data Attacks Are Realistic Threats

(Joint work with Jun Xu.) In USENIX Security Symposium, 2005.

Page 8

Control Data Attack: Well-Known, Dominant

- Control data attack: corrupt function pointers, jump targets and return addresses to run malicious code.
- Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin].
  - By exploiting many vulnerabilities such as buffer overflow, format string bug, integer overflow, double free, etc.
- Many current defense techniques enforce control data integrity to provide security:
  - Monitor system call sequences (intrusion detection systems).
  - Protect control data (Secure Program Execution, Minos).
  - Non-executable stack and heap (Linux, OpenBSD, Windows XP SP2).

Page 9

Non-Control-Data Attack

- Non-control-data attacks: attacks not corrupting any control flow data.
- Currently very rare in reality:
  - Very few instances documented in literature.
  - Several papers: possible to construct non-control-data attacks against synthetic programs.
  - Not yet considered a serious threat.
- How applicable are such attacks against real-world software?
- Why rare: attackers' incapability or lack of incentives? No focused investigation yet.

Page 10

Our Claim: General Applicability of Non-Control-Data Attacks

The claim:
- Many real-world software applications are susceptible to non-control-data attacks.
- The severity of the attack consequence is equivalent to that due to control data attacks.

Goal of our project: experimentally validate the claim.
- Construct non-control-data attacks to compromise the security of widely-used applications.
- Discuss limitations of current defense techniques.
- Show that pointer taintedness detection can defeat both control-data attacks and non-control-data attacks.

Page 11

Non-Control-Data Attack against WU-FTP Server (via a format string bug)

    int x;

    FTP_service(...) {
        authenticate();
        x = user ID of the authenticated user;
        seteuid(x);
        while (1) {
            get_FTP_command(...);
            if (a data command?)
                getdatasock(...);
        }
    }

    getdatasock(...) {
        seteuid(0);
        setsockopt(...);
        seteuid(x);
    }

Normal scenario:
- Before authentication: x uninitialized, run as EUID 0.
- After authenticate(): x = 109, run as EUID 0.
- After seteuid(x): x = 109, run as EUID 109. Lose the root privilege!
- Get a data command (e.g., PUT): getdatasock() calls seteuid(0), then seteuid(x) restores EUID 109.

Attack scenario:
- After seteuid(x): x = 109, run as EUID 109.
- Get a special SITE EXEC command. Exploit a format string vulnerability: x = 0, still run as EUID 109.
- Get a data command: seteuid(0) gives x = 0, run as EUID 0; seteuid(x) leaves x = 0, run as EUID 0.
- When returning to the service loop, the server still runs as EUID 0 (root). It allows me to upload /etc/passwd: I can grant myself the root privilege!

Only an integer is corrupted; this is not a control data attack.

Page 12

Non-Control-Data Attack against NULL-HTTP Server (via a heap overflow bug)

Attack the configuration string of the CGI-BIN path.

Mechanism of CGI:
- Suppose server name = www.foo.com and CGI-BIN = /usr/local/httpd/exe.
- Requested URL = http://www.foo.com/cgi-bin/bar.
- The server executes /usr/local/httpd/exe/bar.

Our attack:
- Exploit the vulnerability to overwrite CGI-BIN to /bin.
- Request URL http://www.foo.com/cgi-bin/sh.
- The server executes /bin/sh.

The server gives me a root shell! Only four characters in the CGI-BIN string are overwritten.

Page 13

Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug)

    void do_authentication(char *user, ...) {
        int auth = 0;
        ...
        while (!auth) {
            /* Get a packet from the client */
            type = packet_read();
            switch (type) {
                ...
                case SSH_CMSG_AUTH_PASSWORD:
                    if (auth_password(user, password))
                        auth = 1;
                case ...
            }
            if (auth) break;
        }
        /* Perform session preparation. */
        do_authenticated(...);
    }

Normal scenario: auth = 0 on entry and stays 0 while the password is incorrect, so the loop keeps reading packets.

Attack scenario: the integer overflow bug corrupts auth. The password is incorrect, but auth = 1; the loop exits with auth = 1 and do_authenticated() runs: logged in without the correct password.

Page 14

More Non-Control-Data Attacks

Against NetKit Telnet server (default Telnet server of Redhat Linux):
- Exploit a heap overflow bug.
- Overwrite two strings:
    /bin/login -h foo.com -p   (normal scenario)
    /bin/sh -h -p -p           (attack scenario)
- The server runs /bin/sh when it tries to authenticate the user.

Against GazTek HTTP server:
- Exploit a stack buffer overflow bug.
- Send a legitimate URL http://www.foo.com/cgi-bin/bar.
- The server checks that "/.." is not embedded in the URL.
- Exploit the bug to change the URL to http://www.foo.com/cgi-bin/../../../../bin/sh.
- The server executes /bin/sh.

Page 15

What Do Non-Control-Data Attacks Imply?

- Control data integrity is not sufficient to ensure software security for real-world software.
- Many types of non-control data are critical to security: user identity data, configuration data, user input text strings and decision-making Booleans.
- Once attackers have the incentive, they are likely to succeed in non-control-data attacks.

Page 16

Runtime Pointer Taintedness Detection at Processor Level

Joint work with Jun Xu and Nithin Nakka. In IEEE International Conference on Dependable Systems and Networks (DSN), 2005.

Page 17

Recap: Pointer Taintedness

- The root cause of many memory corruption attacks: pointer taintedness.
  - No matter whether they overwrite control-data or non-control-data.
  - Many types of vulnerabilities: e.g., buffer overflow, format string, heap corruption, integer overflow, and globbing attacks.
- Pointer taintedness: a pointer value is derived from user input.
- In prelim, I showed a theorem proving technique to reason about the possibility of pointer taintedness.

[Figure: pie chart of vulnerability categories. Buffer Overflow 44%, Other 33%, Heap Corruption 8%, Format String 7%, Integer Overflow 6%, Globbing 2%.]

Page 18

Is a Format String Attack Due to Pointer Taintedness?

In vfprintf(), if fmt points to "%n" then **ap = (character count).
  fmt: format string pointer; ap: argument pointer.

Vulnerable code:

    recv(socket, filename);
    sprintf(buf, "%s not found", filename);
    printf(buf);   /* should be printf("%s", buf) */

Suppose the user ID, CGI-BIN or a critical flag is at 0x1002bc20. Attack string:

    \x20 \xbc \x02 \x10 %d %d %d %n

[Figure: stack layout, high addresses at the top, stack growing downwards. fmt walks the attack string; each %d advances ap one word up the stack; when vfprintf reaches %n, ap points at the word 0x1002bc20, which was formed from the input bytes \x20 \xbc \x02 \x10.]

*ap is the tainted value 0x1002bc20.

Page 19

Runtime Pointer Taintedness Detection

- A processor architectural level mechanism to detect pointer taintedness, on the SimpleScalar processor simulator.
- Implemented a taintedness-aware memory system: a one-bit extension for each byte, similar to the parity bit, to indicate the taintedness of this byte.
- Taintedness tracking: taintedness is propagated by ALU instructions.
- Taintedness initialization: read and recv system calls tag every byte of the receiving buffer as tainted.
- Attack detection: when a tainted value is dereferenced (i.e., used as a pointer).
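The mechanism on this slide (a taint bit per byte set by recv, propagated by ALU instructions, checked whenever a value is used as an address) can be modelled in software. The C program below is an added example written for this transcript; it is not code from the slides or from the SimpleScalar implementation. Its 256-byte memory, the addresses and the input bytes are constructed for the example. It replays the format-string shape of slide 18 (a pointer value arrives in received bytes and is later used as the %n target), a benign copy of received data through program-computed pointers, and a table index taken from input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated data memory with one taint bit per byte (example assumption: 256 bytes). */
#define MEM_SIZE 256
static uint8_t mem[MEM_SIZE];    /* data bytes */
static uint8_t taint[MEM_SIZE];  /* 1 = byte derived from user input */
static int alerts;               /* tainted-pointer dereferences detected so far */

/* A register value carries its own taint bit, like the 36-bit datapath on slide 20. */
typedef struct { uint32_t val; uint8_t t; } word_t;

static void reset(void) {
    memset(mem, 0, sizeof mem);
    memset(taint, 0, sizeof taint);
    alerts = 0;
}

/* Taintedness initialization: every byte delivered by recv() is tagged tainted. */
static void sim_recv(uint32_t dst, const uint8_t *src, uint32_t n) {
    for (uint32_t i = 0; i < n && dst + i < MEM_SIZE; i++) {
        mem[dst + i] = src[i];
        taint[dst + i] = 1;
    }
}

/* Load a little-endian 32-bit word at a program-chosen address; tainted if any byte is. */
static word_t load_const(uint32_t addr) {
    word_t w = { 0, 0 };
    if (addr + 4 > MEM_SIZE) return w;
    for (int i = 0; i < 4; i++) {
        w.val |= (uint32_t)mem[addr + i] << (8 * i);
        w.t |= taint[addr + i];
    }
    return w;
}

/* ALU propagation: the result is tainted if either operand is (bitwise OR of taint bits). */
static word_t alu_add(word_t a, word_t b) {
    word_t r = { a.val + b.val, (uint8_t)(a.t | b.t) };
    return r;
}

/* Data pointer taintedness detector: a tainted word used as an address raises an alert. */
static int tainted_pointer(word_t addr) {
    if (addr.t) { alerts++; return 1; }
    return 0;
}

static word_t load_ptr(word_t addr) {          /* load through a register-held pointer */
    word_t zero = { 0, 0 };
    if (tainted_pointer(addr)) return zero;    /* alert raised; the access is suppressed */
    return load_const(addr.val);
}

static int store_ptr(word_t addr, word_t v) {  /* store through a pointer; taint travels with data */
    if (tainted_pointer(addr) || addr.val + 4 > MEM_SIZE) return 1;
    for (int i = 0; i < 4; i++) {
        mem[addr.val + i] = (uint8_t)(v.val >> (8 * i));
        taint[addr.val + i] = v.t;
    }
    return 0;
}

static int taint_at(uint32_t addr) { return addr < MEM_SIZE ? taint[addr] : 0; }

/* Slide 18 shape: received bytes spell an address; vfprintf reads that word as *ap
   and writes the character count through it for %n. Returns the alert count (1). */
static int scenario_format_string(void) {
    reset();
    const uint8_t input[4] = { 0x20, 0x00, 0x00, 0x00 };  /* constructed: address 0x20 */
    sim_recv(0x40, input, 4);                 /* recv() into a buffer at 0x40 */
    word_t target = load_const(0x40);         /* *ap, tainted because it came from recv */
    word_t count = { 17, 0 };                 /* character count, untainted */
    store_ptr(target, count);                 /* **ap = count: tainted pointer, alert */
    return alerts;
}

/* Benign use: the program copies received bytes with pointers it computed itself.
   The data stays tainted but no tainted word is used as an address. Returns 0. */
static int scenario_benign_copy(void) {
    reset();
    const uint8_t input[8] = { 'G', 'E', 'T', ' ', '/', 'i', 'd', 'x' };  /* constructed */
    sim_recv(0x40, input, 8);
    word_t src = { 0x40, 0 }, dst = { 0x80, 0 }, four = { 4, 0 };
    for (int i = 0; i < 2; i++) {
        word_t w = load_ptr(src);             /* untainted address: no alert */
        store_ptr(dst, w);                    /* untainted address: no alert, taint copied */
        src = alu_add(src, four);
        dst = alu_add(dst, four);
    }
    return alerts;                            /* taint_at(0x84) is now 1 */
}

/* A table index taken from input: base + index is tainted by ALU propagation,
   so the first load through it is detected. Returns 1. */
static int scenario_tainted_index(void) {
    reset();
    const uint8_t input[4] = { 0x30, 0x00, 0x00, 0x00 };  /* constructed index 48 */
    sim_recv(0x40, input, 4);
    word_t index = load_const(0x40);          /* tainted */
    word_t base = { 0x80, 0 };                /* table base, untainted */
    load_ptr(alu_add(base, index));           /* tainted sum used as pointer: alert */
    return alerts;
}

int main(void) {
    printf("format string : %d alert(s)\n", scenario_format_string());
    printf("benign copy   : %d alert(s)\n", scenario_benign_copy());
    printf("tainted index : %d alert(s)\n", scenario_tainted_index());
    return 0;
}
```

The benign scenario is the point of the design: received bytes keep their taint bits while they are copied around, and an alert is raised only when a tainted word becomes an address, which is why ordinary servers run without false positives (slide 24) while both control-data and non-control-data corruptions are caught (slide 23).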

Page 20

[Figure: ALU taintedness tracking logic across the ID/EX, EX/MEM and MEM/WB pipeline stages. The register file and data memory are widened from 32 to 36 bits: each 8-bit byte carries a taintedness bit (4 taint bits per word). The ALU result's taint bits are the bitwise OR of the operands' taint bits, with opcode-selected special cases for compare, shift, XOR and AND instructions. A jump pointer taintedness detector (on jr) and a data pointer taintedness detector (on load/store, covering both the load path and the store path) raise an alert when the address operand is tainted.]

Page 21

Evaluation

- Effectiveness of attack detection: synthetic vulnerable programs; real-world network applications.
- Evaluation of false positives: real-world network applications; SPEC 2000 benchmarks.
- Potential false negative scenarios: a few attack scenarios that are not detected.

Page 22

Effectiveness of Attack Detection

First, test on synthetic vulnerable programs. All attacks are detected and terminated.

Stack buffer overflow
    Vulnerable program:
        void exp1() {
            char buf[10];
            scanf("%s", buf);
        }
    Input data: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Violating instruction: 400a38: JR $31
    Tainted data: $31 = 0x61616161

Heap corruption attack
    Vulnerable program:
        void exp2() {
            char *buf;
            buf = malloc(8);
            scanf("%s", buf);
            free(buf);
        }
    Input data: aaaaaaaaaaaaaaaaaaaaaaaaaa
    Violating instruction: 401dc0: LW $3,0($3)
    Tainted data: $3 = 0x61616161

Format string attack
    Vulnerable program:
        void exp3(int s) {
            char buf[100];
            recv(s, buf, 100, 0);
            printf(buf);
        }
    Input data: abcd%x%x%x%n
    Violating instruction: 402d60: SW $21,0($3)
    Tainted data: $3 = 0x64636261

Page 23

Attack Detection Effectiveness (cont.)

Test on real network applications. All attacks are detected. No difference between control-data attack and non-control-data attack from the viewpoint of pointer taintedness.

    Application         Attack                        Corrupted data                       Result
    WU-FTP server       format string attack          user ID (non-control-data)           detected
    GazTek HTTP server  stack buffer overflow attack  user input data (non-control-data)   detected
    NULL HTTP server    heap corruption attack        CGI-BIN config (non-control-data)    detected
    traceroute          double free                   function pointer (control-data)      detected

Page 24

Evaluation of Transparency and False Positives

- Transparent: precompiled binary executables can run.
- Test on network applications: no attack, no alert.
- Test on SPEC benchmarks: execute 15,139 million instructions without any alert.
- Conclusion: no known false positive.

                                  BZIP2    GCC      GZIP     MCF      PARSER   VPR      Total
    Program size                  321KB    4184KB   485KB    304KB    595KB    697KB    6586KB
    Total number of input bytes   1048KB   77.7K    282KB    39.2KB   743.0KB  6.4KB    2186KB
    Total number of instructions  5,951M   110M     6,926M   1,653M   389M     108M     15,139M
    Alert generated?              No       No       No       No       No       No       No

Page 25

Potential False Negative Scenarios

- Incorrect array index boundary check: determining the correct array size requires source code analysis, which is very hard at the binary level.
- Buffer overflow within the local frame: if no pointer is tainted, no alert is raised. Unlikely to cause severe security damage because the attacker-controllable location is very limited.
- Format string attack causing information leak: this attack allows peeking at a few words on the top of the stack. It causes security compromises if these words contain security-critical secrets, e.g., a key or a password.

Page 26

Combining Static Analysis and Runtime Detection

Page 27

Towards an Easier Deployment of Pointer Taintedness Detection

- Advantage/limitation of static analysis (to derive assertions which, when satisfied, eliminate pointer taintedness): no need for hardware modification, but not easy to deploy in large programs.
- Advantage/limitation of runtime detection: easy to deploy in large programs, but needs modification of the processor.
- Can we combine the two?
  - Static analysis to extract security specifications of critical functions.
  - Enforce these specifications by runtime assertions.
  - Purely a software approach (of course, we can also design hardware to enforce runtime assertions).

Page 28

Verification Condition (VC) Generation

Source:

    char *p, *q;
    if (a == 1) p = *p + 10;
    q = p - 2;
    *q = 12;

Compiled (^x denotes the value stored at x; T(v) is the taintedness of v):

    1: branch (~(^a is 1)) go 3
    2: mov [p] <- ^^p + 10
    3: mov [q] <- ^p - 2
    4: mov [^q] <- 12

VC generation, backwards from the last instruction:

    VC(4): T(^q) = false
    VC(3): T(^p) = false
    VC(2): T(^^p) = false
    VC(1): the specification: (^a = 1 => T(^^p) = false) and (^a ≠ 1 => T(^p) = false)

Page 29: 1 Security Vulnerability Analysis and Mitigation for Real-World Systems Shuo Chen Center for Reliable and High-Performance Computing Coordinated Science.

2929

Case Study: Case Study: free()free()typedef struct _HEAP_BLOCK { int Size; int Busy; struct _HEAP_BLOCK * Fwd,* Bak; } HEAP_BLOCK, * PHEAP_BLOCK;

char * BlockSizes;

void free(char * p){ int BlockSize,i; char * BuddyBlock,* FreedBlock; int FreeBlockListIndex,MergeExit;

FreedBlock=p-sizeof(HEAP_BLOCK); // Mark this block free. FreedBlock->Busy=0; BlockSize=FreedBlock->Size; FreeBlockListIndex = CalculateFreeBlockListIndex(BlockSize); FreeBlockListIndex=0; while (BlockSize > *(BlockSizes+FreeBlockListIndex)) { BlockSize = BlockSize / 2; FreeBlockListIndex++; } MergeExit=0; while (FreeBlockListIndex < 6 && MergeExit==0) { BuddyBlock = HEAP_BASE + (FreedBlock- HEAP_BASE) ^ BlockSize; if (BuddyBlock->Busy || BuddyBlock->Size != BlockSize) MergeExit=1; else { // Make a bigger block and free it. BlockSize*=2; FreeBlockListIndex++; if (BuddyBlock<FreedBlock) FreedBlock = BuddyBlock; BuddyBlock->Fwd->Bak=BuddyBlock->Bak; BuddyBlock->Bak->Fwd=BuddyBlock->Fwd; } } FreedBlock->Size = BlockSize; \ FreedBlock->Busy = 0; InsertTailList(FreeBlockListIndex, FreedBlock);}

inst(1) = mov [FreedBlock] <- (^ p - 16) .

inst(2) = mov [^ FreedBlock + 4] <- 0 .inst(3) = mov [BlockSize] <- ^ ((^ FreedBlock + 0)) .inst(4) = mov [FreeBlockListIndex] <- 0 .inst(5) = no-op .inst(6) = branch (~(^ ((^ BlockSizes + ^ FreeBlockListIndex)) < ^ BlockSize)) 10 .inst(7) = mov [BlockSize] <- (^ BlockSize / 2) .inst(8) = mov [FreeBlockListIndex] <- (^ FreeBlockListIndex) + 1 .inst(9) = branch true 5 .inst(10) = no-op .inst(11) = mov [MergeExit] <- 0 .inst(12) = no-op .inst(13) = branch (~(^ FreeBlockListIndex < 6 && ^ MergeExit is 0)) 28 .inst(14) = mov [BuddyBlock] <- ((HEAP_BASE + ((((^ FreedBlock - HEAP_BASE)) xor ^ BlockSize)))) .inst(15) = branch (~(~(^ ((^ BuddyBlock + 4)) is 0) || ~(^ ((^ BuddyBlock + 0)) is ^ BlockSize))) 18. inst(16) = mov [MergeExit] <- 1 .inst(17) = branch true 26 .inst(18) = no-op .inst(19) = mov [BlockSize] <- 2 .inst(20) = mov [FreeBlockListIndex] <- (^ FreeBlockListIndex) + 1 .inst(21) = branch (~(^ BuddyBlock < ^ FreedBlock)) 23 .inst(22) = mov [FreedBlock] <- ^ BuddyBlock .inst(23) = no-op .inst(24) = mov [^(^ BuddyBlock + 8) + 12] <- ^ (^ BuddyBlock + 12) .inst(25) = mov [^(^ BuddyBlock + 12) + 8] <- ^ (^ BuddyBlock + 8) .inst(26) = no-op .inst(27) = branch true 12 .inst(28) = no-op .inst(29) = mov [^ FreedBlock + 0] <- ^ BlockSize .inst(30) = mov [^ FreedBlock + 4] <- 0 .inst(31) = no-op .

Compile

VC generation

VC(1):  T(^ p) = false
        T(^ (^ x + 8)) = false
        T(^ (^ x + 12)) = false
        where x = (((p - 16) - HEAP_BASE) xor ^(p - 16)) + HEAP_BASE


Case Study: free() (cont.)

Runtime enforcement of VC using a runtime assertion

void free(char * p)
{
    HEAP_BLOCK * x = (HEAP_BLOCK*) (HEAP_BASE + (((p-16) - HEAP_BASE) ^ (*(UINT*)(p-16))));
    assert (x->Fwd->Bak == x && x->Bak->Fwd == x);
    … … … …   ( the original source code of free() )
}

Effectiveness

/* try to hijack *f() to buffer p */
int main()
{
    char * p;
    void (*f)();
    p = malloc(40);
    *(UINT*)(p+60) = (UINT)p;
    *(UINT*)(p+56) = ((UINT)&f) - 12;
    free(p);
}

Heap corruption attack. Assertion is violated!
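As an added example, not the thesis's own code: the slide's runtime check (x->Fwd->Bak == x && x->Bak->Fwd == x) applied to a small constructed free list, assuming a HEAP_BLOCK with the Fwd/Bak fields shown on the slides. It shows the check accepting a properly linked block and refusing a block whose link fields were overwritten, so no write goes through the bogus pointers.

```c
/* Added example, not the thesis's own code: a miniature free list with the
 * Fwd/Bak link fields of the slides' HEAP_BLOCK, and the derived VC
 * "x->Fwd->Bak == x && x->Bak->Fwd == x" checked before unlinking. */
typedef struct HEAP_BLOCK {
    unsigned int Size, Busy;
    struct HEAP_BLOCK *Fwd;
    struct HEAP_BLOCK *Bak;
} HEAP_BLOCK;

/* The VC as a predicate: both neighbours must point back at x. */
int links_consistent(const HEAP_BLOCK *x)
{
    return x->Fwd && x->Bak && x->Fwd->Bak == x && x->Bak->Fwd == x;
}

/* Unlink x only if the VC holds; returns 1 on success, 0 if refused. */
int checked_unlink(HEAP_BLOCK *x)
{
    if (!links_consistent(x))
        return 0;              /* links are not trustworthy: do not write */
    x->Fwd->Bak = x->Bak;
    x->Bak->Fwd = x->Fwd;
    return 1;
}

/* Circular list head <-> a <-> b <-> head (constructed fixture). */
static void link3(HEAP_BLOCK *head, HEAP_BLOCK *a, HEAP_BLOCK *b)
{
    head->Fwd = a; a->Bak = head;
    a->Fwd = b;    b->Bak = a;
    b->Fwd = head; head->Bak = b;
}

/* Legitimate free: the block passes the check and is unlinked. */
int demo_legitimate(void)
{
    HEAP_BLOCK head = {0}, a = {0}, b = {0};
    link3(&head, &a, &b);
    return checked_unlink(&a) && head.Fwd == &b && b.Bak == &head;
}

/* Corrupted free: an overflow has replaced a's links with pointers that do
 * not point back at a, so the check refuses and the list stays intact. */
int demo_corrupted(void)
{
    HEAP_BLOCK head = {0}, a = {0}, b = {0}, decoy = {0};
    link3(&head, &a, &b);
    a.Fwd = a.Bak = &decoy;
    return checked_unlink(&a) == 0 && head.Fwd == &a && b.Bak == &a;
}
```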


Case Study: vfprintf()

int vfprintf (char *s, char *format, char * ap)
{
    char * p, *q;
    int done, state, data, n;
    char buf[10];
    p = format;
    done = 0;
    if (p == 0) return 0;
    state = 1;
    while (*p != 0) {
        if (state == 1) {
            if (*p == '%') state = 0;
            else done++;
        } else {
            if (*p == '%') {
                done++;
            } else if (*p == 'd') {
                data = *ap;
                if (data < 0) { done++; data = -data; }
                n = 0;
                while (data > 0 && n < 10) {
                    buf[n] = data % 10 + '0';
                    data /= 10;
                    n++;
                }
                while (n > 0) { n--; done++; }
            } else if (*p == 's') {
                q = *ap;
                if (q == 0) break;
                while (*q != 0) { done++; q++; }
            } else if (*p == 'n') {
                q = *ap;
                *(int *) q = done;   // write through the argument pointer
                done++;
            } else {
                done++;
            }
            state = 1;
        }
        p++;
    }
    return done;
}


Case Study: vfprintf() (cont.)

VC(8) = (~(^ state = 1) && ^ ^ p = 'n') -> (T(^ ap) = false)

Extracted VC

int vfprintf (FILE *s, const char *format, va_list ap)
{
    …
    while (*p != 0) {
        assert (!(state != 1 && *p == 'n' && !UNTAINTED(ap)));
        …
    }
}

int printf (const char *format, ...)
{
    va_list arg;
    int done;
    va_start (arg, format);
    done = vfprintf (stdout, format, arg);
    va_end (arg);
    return done;
}

Runtime enforcement of VC using a runtime assertion

void main()
{
    mov %esp, stack_top;
    ADD_UNTAINTED_ADDR (stack_top-4);
    printf("string=%s\ni=%d\n%n", buf, i, &j);
    REMOVE_UNTAINTED_ADDR (stack_top-4);
    scanf("%s", buf);
    printf(buf);
}

Legitimate call. Assertion holds.

Format string attack. Assertion is violated.
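An added example, not the thesis's code, modelling the slide's simplified vfprintf with VC(8) enforced in the %n branch. It assumes the arguments are an array of pointers and that a single untainted flag stands in for the slide's ADD_UNTAINTED_ADDR bookkeeping; a legitimate call lets %n store the count, while an attacker-controlled format reaching %n through a tainted argument pointer is refused.

```c
/* Added example, not the thesis's own code: the slides' simplified vfprintf
 * with VC(8) enforced in the %n branch. Arguments are modelled as an array
 * of pointers plus an "untainted" flag standing in for ADD_UNTAINTED_ADDR. */
typedef struct {
    void **ap;       /* argument pointer, as on the slide */
    int untainted;   /* 1 if ap was registered by a legitimate caller */
} ARGS;

/* Returns the count "done", or -1 if the %n VC would be violated. */
int model_vfprintf(const char *format, ARGS *a) {
    const char *p = format;
    int done = 0, state = 1;
    while (*p != 0) {
        if (state == 1) {
            if (*p == '%') state = 0; else done++;
        } else {
            if (*p == 'd') {                    /* count the digits */
                int data = *(int *)*a->ap++;
                if (data < 0) { done++; data = -data; }
                do { done++; data /= 10; } while (data > 0);
            } else if (*p == 's') {
                const char *q = (const char *)*a->ap++;
                while (*q != 0) { done++; q++; }
            } else if (*p == 'n') {
                if (!a->untainted) return -1;   /* VC(8): T(ap) must be false */
                *(int *)*a->ap++ = done;
            } else {
                done++;                         /* %% and unknown conversions */
            }
            state = 1;
        }
        p++;
    }
    return done;
}

/* Legitimate call: the program supplied the arguments, %n stores the count. */
int vfprintf_legit(void) {
    int i = 42, j = 0;
    void *args[] = { "abc", &i, &j };
    ARGS a = { args, 1 };
    return model_vfprintf("str=%s i=%d%n", &a) == 12 && j == 12;
}

/* printf(buf) with attacker-controlled buf: ap is tainted, so %n is refused
 * instead of writing through whatever the argument pointer happens to hold. */
int vfprintf_attack(void) {
    void *args[] = { 0 };
    ARGS a = { args, 0 };
    return model_vfprintf("%n", &a) == -1;
}
```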




Conclusions

- Most security vulnerabilities (in Bugtraq and CERT) can be modeled as a series of violations of logic predicates
  - Promising to apply formal methods to analyze software security (shown in prelim exam)
- Much real-world software can be compromised by corrupting non-control data.
  - Need a more comprehensive defense technique
- Pointer taintedness is a unifying perspective to reason about most memory corruption vulnerabilities/attacks.
  - Effective for defeating both control-data attacks and non-control-data attacks
- Detecting pointer taintedness is a promising direction to enhance security on real-world systems
  - Techniques explored:
    - theorem proving (shown in prelim exam)
    - runtime detection
    - combination of automatic VC generation and runtime assertion