All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask)
Transcript of the slides.
Page 1
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask)
Edward J. Schwartz, Thanassis Avgerinos, David Brumley
Presented by: Vaibhav Rastogi
Page 2
The Root of All Evil
Humans write programs
This Talk: Computers Analyzing Programs Dynamically at Runtime
Page 3
Two Essential Runtime Analyses
Dynamic Taint Analysis: What values are derived from this source?
• Malware Analysis
• Privacy Leakage Detection
• Vulnerability Detection
Forward Symbolic Execution: What input will make execution reach this line of code?
• Automatic Test-case Generation
• Input Filter Generation
• Malware Analysis
Page 4
Contributions
• Formalize English descriptions: an algorithm / operational semantics
• Technical highlights, caveats, issues, and unsolved problems that are deceptively hard
• Systematize recurring themes in a wealth of previous work
Page 5
Contributions
Page 6
Dynamic Taint Analysis
How it Works
Example Policies
Issues
Page 7
Example
Page 8
Example
Input is tainted
Page 9
Taint Introduction
(figure: tainted vs. untainted values)
x = get_input()
Input is tainted
Page 10
Taint Introduction

| Var | Val | Taint (T/F) |
|-----|-----|-------------|
| x   | 7   | T           |
Page 11
Taint Propagation
(figure: tainted vs. untainted values)
x = get_input()
y = x + 42
Data derived from user input is tainted
Page 12
Taint Propagation

| Var | Val | Taint (T/F) |
|-----|-----|-------------|
| x   | 7   | T           |
| y   | 49  | T           |
Page 13
Taint Checking
(figure: tainted vs. untainted values)
x = get_input()
y = x + 42
goto y
Policy violation detected
Page 14
So What?
x = get_input()
y = x + 42
goto y
Exploit Detection
Tainted return address
Page 15
Taint Checking

| Var | Val | Taint (T/F) |
|-----|-----|-------------|
| x   | 7   | T           |
| y   | 49  | T           |
Page 16
Taint Semantics in SIMPIL
Page 17
SIMPIL Operational Semantics (tl;dr)
Page 18
Operational Semantics for Tainting
Page 19
Operational Semantics for Tainting
Page 20
Example Taint Semantics
Page 21
Example Taint Policy
Page 22
Dynamic Tainting Issues
• Tainted Addresses: to taint, or not to taint
• Undertainting: control flows discussed earlier
• Overtainting: sanitization
• Time of Detection vs. Time of Attack: an overwritten return address is detected only at return
Page 23
Dynamic Tainting Issues
x = get_input()
y = x + 42
goto y
Overwritten return address detected only at return
Page 24
Tainted Addresses
Don't taint y:
• Table indices, e.g. a[i] == i
Taint y:
• tcpdump uses packet data to compute function pointers
Page 25
Dilemma
Undertainting: False Negatives
Overtainting: False Positives
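The taint policy of pages 21 to 25 in working code, as an added example (not code from the slides or from the paper's tools): a minimal dynamic taint tracker for a SIMPIL-like toy IL that introduces taint at get_input, propagates it through arithmetic, and checks it at an indirect jump. The tainted-address dilemma is a single policy switch, taint_addr, which decides whether a value loaded through a tainted address is itself tainted. The IL, the statement encoding, the running-example program and the tcpdump-style dispatch table are assumptions made here for illustration.

```python
# Added example, not code from the slides or from the paper's tools: a minimal
# dynamic taint tracker for a SIMPIL-like toy IL.  It covers the three phases
# from the slides (introduction at get_input, propagation through arithmetic,
# checking at an indirect jump) and exposes the tainted-address dilemma as a
# policy switch: does a load through a tainted address produce a tainted value?
# The IL, the statement encoding and the sample programs are assumptions made
# here for illustration.

from dataclasses import dataclass, field


@dataclass
class Val:
    v: int
    tainted: bool


@dataclass
class State:
    regs: dict = field(default_factory=dict)        # variable name -> Val
    mem: dict = field(default_factory=dict)         # address -> Val
    violations: list = field(default_factory=list)  # (pc, message)


def run(program, inputs, taint_addr, mem=None):
    """Execute `program` under one taint policy and return the final State.

    Statements (constructed toy IL):
      ("input", dst)           dst := get_input()   -- taint introduction
      ("const", dst, n)        dst := n
      ("add", dst, a, b)       dst := a + b         -- taint propagation
      ("load", dst, addr)      dst := mem[addr]     -- policy-dependent
      ("goto", reg)            jump to reg          -- taint check
    The jump is only checked, not followed; violations are recorded, not raised,
    so a single run can report every check that fires.
    """
    st = State(mem=dict(mem or {}))
    inputs = list(inputs)
    for pc, stmt in enumerate(program):
        op = stmt[0]
        if op == "input":
            st.regs[stmt[1]] = Val(inputs.pop(0), True)
        elif op == "const":
            st.regs[stmt[1]] = Val(stmt[2], False)
        elif op == "add":
            a, b = st.regs[stmt[2]], st.regs[stmt[3]]
            st.regs[stmt[1]] = Val(a.v + b.v, a.tainted or b.tainted)
        elif op == "load":
            addr = st.regs[stmt[2]]
            cell = st.mem.get(addr.v, Val(0, False))
            # The dilemma: with taint_addr=False a table lookup a[i] stays clean
            # (no false positives, but tcpdump-style tainted function pointers are
            # missed); with taint_addr=True it is tainted (no misses, but every
            # benign lookup indexed by input now carries taint).
            st.regs[stmt[1]] = Val(cell.v, cell.tainted or (taint_addr and addr.tainted))
        elif op == "goto":
            target = st.regs[stmt[1]]
            if target.tainted:
                st.violations.append((pc, f"tainted jump target {target.v:#x}"))
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return st


def running_example(x=7):
    """The slides' program: x := get_input(); y := x + 42; goto y."""
    prog = [("input", "x"), ("const", "c", 42), ("add", "y", "x", "c"), ("goto", "y")]
    return run(prog, [x], taint_addr=False)


def dispatch_example(taint_addr, i=2):
    """tcpdump-style dispatch: i := get_input(); f := handlers[i]; goto f.
    The handler table is constructed sample data at 0x1000.."""
    handlers = {0x1000 + k: Val(0x4000 + 0x10 * k, False) for k in range(4)}
    prog = [("input", "i"), ("const", "base", 0x1000), ("add", "p", "base", "i"),
            ("load", "f", "p"), ("goto", "f")]
    return run(prog, [i], taint_addr, mem=handlers)


if __name__ == "__main__":
    s = running_example()
    print("running example:", s.regs["y"], s.violations)
    for policy in (False, True):
        print(f"dispatch, taint_addr={policy}:", dispatch_example(policy).violations)
```

Running it shows both horns of the dilemma on the same dispatch program: with taint_addr=False the goto through a packet-controlled handler index is silently accepted (undertainting, a false negative), with taint_addr=True it is flagged, but so would be every benign a[i] lookup whose result later reaches a check (overtainting, false positives). Note also that the check fires only when the tainted value is used at the goto, which is the time-of-detection versus time-of-attack gap from page 22.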
Page 26
Forward Symbolic Execution
How it Works
Challenges
Proposed Solutions
Page 27
Example
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x12345678) return -x
  return x
Page 28
Example
2^32 possible inputs
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x12345678) return -x
  return x
What input will execute this line of code? (the second return -x, reached only when x is 0x12345678)
Page 29
Working
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x12345678) return -x
  return x
Path tree:
if (x < 0)
  T: x < 0 → return -x
  F: x ≥ 0 → if (x = 0x12345678)
    T: x ≥ 0 && x == 0x12345678 → return -x
    F: x ≥ 0 && x != 0x12345678 → return x
Page 30
Working
bad_abs(x is input)
  if (x < 0) return -x
  if (x = 0x12345678) return -x
  return x
Path tree:
if (x < 0)
  T: x < 0 → return -x
  F: x ≥ 0 → if (x = 0x12345678)
    T: x ≥ 0 && x == 0x12345678 → return -x
    F: x ≥ 0 && x != 0x12345678 → return x
What input will execute this line of code? Solve the path predicate x ≥ 0 && x == 0x12345678.
Page 31
Operational Semantics
Page 32
Operational Semantics
Page 33
Challenges
Exponential Number of Paths
Symbolic Memory
System Calls
Page 34
Exponential Number of Paths
Page 35
Exploration Strategies
Bounded Depth-First Search
• Bound necessary, else loops may not terminate!
Random Paths
• Possibly different weights to different paths
Concolic Execution
• Mix symbolic and concrete execution
• Make symbolic execution follow a concrete execution path
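The path enumeration of pages 28 to 30 and the bounded DFS and concolic strategies of page 35, as one added example (not code from the slides or the paper): bad_abs is written against a Tracer so that each branch is recorded as a path constraint, explore() enumerates paths by a bounded depth-first search over branch decisions, and concolic_negate_last() runs on a concrete input, flips the last branch taken and re-solves. The solve() function is a stand-in for an SMT solver (z3 or STP would be used in practice); it only tries boundary values and the constants mentioned in the constraints, which is enough for this example but not in general. The Tracer API, the constraint encoding and the return-statement numbering are assumptions made here.

```python
# Added example, not code from the slides or the paper: forward symbolic
# execution of the slides' bad_abs with bounded DFS path enumeration and a
# concolic step.  solve() is a candidate-based stand-in for an SMT solver.

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Branch:
    desc: str                      # human-readable condition
    pred: Callable[[int], bool]    # the condition as a predicate on the input
    consts: tuple                  # constants in the condition (solver hints)
    taken: bool                    # outcome on this path


class Tracer:
    """Records each branch; the outcome is forced (symbolic mode) or computed
    from a concrete input (concolic mode)."""

    def __init__(self, decisions=None, concrete=None):
        self.decisions = list(decisions or [])
        self.concrete = concrete
        self.path: List[Branch] = []

    def branch(self, desc, pred, consts=()):
        i = len(self.path)
        if self.concrete is not None:
            taken = bool(pred(self.concrete))
        else:
            taken = self.decisions[i] if i < len(self.decisions) else False
        self.path.append(Branch(desc, pred, tuple(consts), taken))
        return taken


def bad_abs(t: Tracer) -> int:
    """The slides' example; returns the number of the return statement reached."""
    if t.branch("x < 0", lambda x: x < 0, consts=(0,)):
        return 1                                   # return -x
    if t.branch("x == 0x12345678", lambda x: x == 0x12345678, consts=(0x12345678,)):
        return 2                                   # return -x  <- the target line
    return 3                                       # return x


def path_formula(path):
    return " && ".join(b.desc if b.taken else f"!({b.desc})" for b in path)


def solve(path, bits=32) -> Optional[int]:
    """Stand-in SMT solver over signed `bits`-bit ints: try boundary values and
    the constants (and their neighbours) mentioned in the path constraints."""
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    cands = {lo, -1, 0, 1, hi}
    for b in path:
        for c in b.consts:
            cands.update({c - 1, c, c + 1})
    for x in sorted(c for c in cands if lo <= c <= hi):
        if all(b.pred(x) == b.taken for b in path):
            return x
    return None


def explore(program, max_depth=16):
    """Bounded DFS over branch decisions; returns [(formula, return_stmt, input)]."""
    results, work = [], [[]]
    while work:
        decisions = work.pop()
        t = Tracer(decisions=decisions)
        ret = program(t)
        results.append((path_formula(t.path), ret, solve(t.path)))
        # Every branch beyond the forced prefix took the default (False);
        # each is a fork whose True side still has to be explored, up to max_depth.
        for k in range(len(decisions), min(len(t.path), max_depth)):
            work.append([b.taken for b in t.path[:k]] + [True])
    return results


def concolic_negate_last(program, x0):
    """One concolic step: run on concrete x0, flip the last branch, re-solve."""
    t = Tracer(concrete=x0)
    program(t)
    last = t.path[-1]
    flipped = t.path[:-1] + [Branch(last.desc, last.pred, last.consts, not last.taken)]
    return solve(flipped)


if __name__ == "__main__":
    for formula, ret, x in explore(bad_abs):
        print(f"return #{ret}: {formula}  ; solver input: {x}")
    print("concolic from x = 7:", hex(concolic_negate_last(bad_abs, 7)))
```

Of the 2^32 possible inputs, the program has only three paths, and the target line is reached by solving x ≥ 0 && x == 0x12345678. The concolic run starts from the concrete input 7, which follows the path !(x < 0) && !(x == 0x12345678); negating the last constraint and solving yields 0x12345678 directly. The depth bound in explore() is what page 35 warns about: without it, a program with a loop produces an unbounded decision tree.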
Page 36
Symbolic memory
• Example: tables
• Aliasing issues
• Solutions:
  – Make unsound assumptions
  – Let the SMT solver do the work
  – Perform alias analysis (a static analysis; may not be acceptable)
• Related problem: symbolic jumps
addr1 = get_input()
store(addr1, v)
z = load(addr2)
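The aliasing problem in the snippet above, as an added example (not code from the slides): memory is modelled as a history of symbolic writes, so a load over it becomes an if-then-else chain, which is what "let the SMT solver do the work" hands to the solver as-is. concretise() is the "make unsound assumptions" shortcut: it pins each symbolic store address to the value seen in one concrete run, after which the load no longer depends on addr1 and the aliasing case addr1 == addr2 is silently lost. Alias analysis, the third option on the slide, is not implemented. The expression encoding and the initial memory contents are assumptions made for this illustration.

```python
# Added example, not code from the slides: a symbolic memory for
#   addr1 = get_input(); store(addr1, v); z = load(addr2)
# A load over the write history is an ite chain (solver does the work);
# concretise() is the unsound shortcut that fixes addr1 to an observed value.


def var(name):
    return ("var", name)


def const(n):
    return ("const", n)


class SymMemory:
    def __init__(self, init):
        self.init = dict(init)   # concrete initial contents: address -> value
        self.writes = []         # [(addr_expr, val_expr)], most recent last

    def store(self, addr, val):
        self.writes.append((addr, val))

    def load(self, addr):
        # Newest write wins:
        #   ite(addr == a_n, v_n, ite(addr == a_(n-1), v_(n-1), ... init[addr]))
        e = ("init", addr)
        for a, v in self.writes:
            e = ("ite", ("eq", addr, a), v, e)
        return e


def evaluate(e, env, init):
    """Evaluate an expression under a concrete assignment `env` (name -> int)."""
    op = e[0]
    if op == "var":
        return env[e[1]]
    if op == "const":
        return e[1]
    if op == "eq":
        return evaluate(e[1], env, init) == evaluate(e[2], env, init)
    if op == "ite":
        branch = e[2] if evaluate(e[1], env, init) else e[3]
        return evaluate(branch, env, init)
    if op == "init":
        return init.get(evaluate(e[1], env, init), 0)
    raise ValueError(f"bad expression {e!r}")


def mentions(e, name):
    """Does the expression depend on the symbolic variable `name`?"""
    if e[0] == "var":
        return e[1] == name
    return any(isinstance(s, tuple) and mentions(s, name) for s in e[1:])


def concretise(mem, observed):
    """Unsound shortcut: replace symbolic store addresses by observed values."""
    c = SymMemory(mem.init)
    for a, v in mem.writes:
        c.store(const(observed[a[1]]) if a[0] == "var" else a, v)
    return c


def slide_snippet():
    """addr1 symbolic (from input), v symbolic, addr2 concrete (0x20 here)."""
    mem = SymMemory({0x10: 1, 0x20: 2})   # constructed initial memory
    mem.store(var("addr1"), var("v"))
    return mem, mem.load(const(0x20))


if __name__ == "__main__":
    mem, z = slide_snippet()
    print("z =", z)
    print("no alias:", evaluate(z, {"addr1": 0x10, "v": 99}, mem.init))
    print("alias   :", evaluate(z, {"addr1": 0x20, "v": 99}, mem.init))
    zc = concretise(mem, {"addr1": 0x10}).load(const(0x20))
    print("concretised, alias case:", evaluate(zc, {"addr1": 0x20, "v": 99}, mem.init))
```

The symbolic z evaluates to the stored v when addr1 happens to equal addr2 and to the old contents otherwise, so any path predicate built from z must carry the addr1 == addr2 case; the concretised memory returns the old contents in both cases, which is exactly the unsoundness the slide refers to. A symbolic jump target (page 37) is the same construction with the loaded value feeding the pc, which is why the same three options apply there.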
Page 37
Symbolic Jumps
The pc depends on the user input
• Explore jump targets found in concrete execution
• Let the solver solve it
• Do static analysis
Page 38
System and Library Calls
• What are the effects of such calls?
• Manual summarization is possible in some cases
• Use results from concrete execution (not sound)
Page 39
Symbolic Execution is not Easy
• Exponential number of paths
• Exponentially sized formulas with substitution
• Solving a formula is NP-complete
s + s + s + s + s + s + s + s + s + s + s + s + s = 42
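The formula blow-up on this page made concrete, as an added example (not code from the slides): repeating the assignment s := s + s gives a symbolic value whose substituted form (the definition of s copied at every use, the "s + s + s + ..." of the slide) doubles in size each step, while naming each intermediate once, as an SMT-LIB let binding or a fresh variable, keeps it linear. The expression encoding and the SMT-LIB rendering are assumptions made here.

```python
# Added example, not code from the slides: substituted vs. let-bound formula
# size for n repetitions of `s := s + s`, starting from symbolic input s0.


def unroll(n):
    """Symbolic value of s after n executions of `s := s + s`."""
    e = ("var", "s0")
    for _ in range(n):
        e = ("add", e, e)   # both operands are the *same* object: a DAG
    return e


def tree_size(e):
    """Node count when sharing is forgotten, i.e. substitution copies the
    subterm at every use; this is 2^(n+1) - 1 for unroll(n)."""
    return 1 if e[0] == "var" else 1 + tree_size(e[1]) + tree_size(e[2])


def dag_size(e, seen=None):
    """Node count with sharing kept; this is n + 1 for unroll(n)."""
    seen = set() if seen is None else seen
    if id(e) in seen:
        return 0
    seen.add(id(e))
    return 1 if e[0] == "var" else 1 + dag_size(e[1], seen) + dag_size(e[2], seen)


def smt_substituted(e):
    """The naive rendering: every use of s is replaced by its definition."""
    return e[1] if e[0] == "var" else f"(+ {smt_substituted(e[1])} {smt_substituted(e[2])})"


def smt_let(e, rhs=42):
    """Name every intermediate once with nested lets: `s_n = rhs` stays linear."""
    names, binds = {}, []

    def go(x):
        if x[0] == "var":
            return x[1]
        if id(x) in names:
            return names[id(x)]
        a, b = go(x[1]), go(x[2])
        nm = f"s{len(binds) + 1}"
        names[id(x)] = nm
        binds.append(f"({nm} (+ {a} {b}))")
        return nm

    body = f"(= {go(e)} {rhs})"
    for b in reversed(binds):
        body = f"(let ({b}) {body})"
    return body


if __name__ == "__main__":
    for n in (2, 4, 16):
        e = unroll(n)
        print(f"n={n:2d}: tree {tree_size(e):7d} nodes, dag {dag_size(e):3d} nodes")
    print(smt_substituted(unroll(2)))
    print(smt_let(unroll(2)))
```

At n = 16 the substituted formula already has 131071 nodes against 17 for the shared one, which is why symbolic executors keep expressions as DAGs and emit let bindings or fresh variables rather than substituting; the solver's job (NP-complete in general) is hard enough without an exponentially larger input.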
Page 40
Conclusion
• Dynamic Taint Analysis and Forward Symbolic Execution are both extensively used
  – A number of options have been explored
• This talk provided
  – An overview of the techniques
  – Applications
  – Issues and state-of-the-art solutions