Pinpointing Vulnerabilities - Computer Science, FSU (ww2.cs.fsu.edu/~ychen/paper/ravel_slides.pdf)
Pinpointing Vulnerabilities
Yue Chen, Mustakimur Khandaker, Zhi Wang
Florida State University
Pinpointing Vulnerabilities 1
Question
• When an attack is detected, how do we locate the underlying vulnerability?
[Figure: arrow from Attack to Vulnerability]
Example
• A control-flow violation is detected at line 6.
• The vulnerability lies at line 4 (buffer overflow).
[Figure: code listing with line 4 marked Root Cause and line 6 marked Symptom]
Attack Detection vs. Vulnerability Locating
• Control-flow Integrity (CFI)
– Detect the control-flow graph violation (e.g., on function returns)
• Taint Analysis
– Detect tainted data being loaded to PC
• System Call Interposition
– Detect abnormal syscalls made by the payload
The manifestation of an attack rarely coincides with the vulnerability
Ravel – Three Components
• Online attack detector
• Record & replay with instrumentation
• Offline vulnerability locator
RAVEL: Root-cause Analysis of Vulnerabilities from Exploitation Log
Ravel – Strengths
1. Reliably reproduce real-world attacks in the lab environment
2. Low online performance overhead
– Locating vulnerabilities is time-consuming
3. Extensible:
– New attack detection and vulnerability locating techniques can be easily integrated
– (already supports a variety of vulnerability locating techniques)
Attack Detection
• Ravel uses existing attack detection methods
– Program crash (or other exceptions)
– Abnormal system calls (sequence/arguments)
– Control-flow integrity violation (to be included)
• New methods can be easily adopted by Ravel
Record & Replay
• What to record & replay?
– All the non-deterministic inputs (e.g., network packets)
• Where to record & replay?
– Application interface
– Library interface
– Virtual machine interface
– System call interface
More robust against attacks, with low cost
Record
• System call return values
• Userspace data structures modified by syscalls
• Data copied from kernel to userspace
• Asynchronous signals
• Special instructions (e.g., RDTSC)
• Synchronization primitives
Replay with Instrumentation
• Some syscalls replayed without real execution
– e.g., gettimeofday
• Some syscalls need to be re-executed
– e.g., mmap
• Replay under a binary translation (BT) engine
– BT collects detailed memory accesses by the target
– Replay distinguishes syscalls made by the target from those made by BT
Vulnerability Locator
• Data-flow Analysis
• Race Condition
• Use-after-free / Double-free
• Integer Errors
Data-flow Analysis
• Analyze def-use relations between instructions
• Define: writes to a memory address
• Use: reads from a memory address
[Figure: instruction A writes a memory address (define); instruction B reads it (use)]
Data-flow Analysis
• Precompute a data-flow graph (DFG)
– DFG: the valid def-use relations in the program
– Our prototype uses dynamic analysis
– Extra relations are regarded as violations
• A violation of the DFG indicates the vulnerability location
– It could be the def or the use, but which one?
– Refine the results with heuristics
Data-flow Analysis Heuristics
• One def, many uses: the def is closer to the vulnerability
– Example: buffer overflow
• Many defs, one use: the use is closer to the vulnerability
– Example: information leakage
• …
[Figure: one def feeding several uses; one use is marked Violating, the others Normal]
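The DFG construction, violation detection and the two heuristics above, as an added worked example (my code, not Ravel's). The traces are constructed lists of (instruction, 'W'|'R', address) records of the kind a binary-translation engine such as Valgrind collects; the instruction names (i10, i20, …) and addresses are invented for the illustration. The attack trace contains both shapes from the slides: one writing instruction overflowing into neighbouring slots (one def, many violating uses) and one reading instruction over-reading into fields written by other instructions (many defs, one violating use).

```python
"""Def-use data-flow analysis for locating a vulnerability from an attack trace.

Added example, not Ravel's code. Events are constructed (instruction, 'W'|'R',
address) records. Profiling runs build the DFG (the valid def-use pairs);
pairs seen only in the attack replay are violations, which the
one-def/many-uses and many-defs/one-use heuristics attribute to the def or
the use.
"""
from collections import defaultdict


def def_use_pairs(trace):
    """Every (def_instr, use_instr) pair: a read paired with the last write to its address."""
    last_writer, pairs = {}, set()
    for instr, op, addr in trace:
        if op == "W":
            last_writer[addr] = instr
        elif op == "R" and addr in last_writer:
            pairs.add((last_writer[addr], instr))
    return pairs


def build_dfg(profiling_traces):
    """Union of def-use pairs over benign runs (the DFG is derived dynamically, as in the prototype)."""
    dfg = set()
    for trace in profiling_traces:
        dfg |= def_use_pairs(trace)
    return dfg


def find_violations(dfg, attack_trace):
    """Def-use pairs of the attack replay that the DFG does not contain."""
    return def_use_pairs(attack_trace) - dfg


def attribute(violations):
    """Heuristics: a def with many violating uses is blamed (buffer-overflow shape);
    a use with many violating defs is blamed (information-leak shape)."""
    uses_of, defs_of = defaultdict(set), defaultdict(set)
    for d, u in violations:
        uses_of[d].add(u)
        defs_of[u].add(d)
    blamed = {}
    for d, u in violations:
        if len(uses_of[d]) > 1:
            blamed[d] = "def"
        elif len(defs_of[u]) > 1:
            blamed[u] = "use"
        else:                      # single def, single use: heuristics cannot decide
            blamed.setdefault(d, "unresolved")
            blamed.setdefault(u, "unresolved")
    return blamed


def access(instr, op, base, n):
    """n consecutive byte accesses by one instruction (helper for the constructed traces)."""
    return [(instr, op, base + i) for i in range(n)]


# Constructed benign run: 4-byte buffer at 0x100, a local at 0x108, the saved return
# address at 0x110, and a 4-byte reply at 0x200 next to other fields at 0x204 and 0x208.
BENIGN = (access("i30", "W", 0x110, 1) + access("i45", "W", 0x108, 1)
          + access("i10", "W", 0x100, 4) + access("i20", "R", 0x100, 4)
          + access("i50", "R", 0x108, 1) + access("i40", "R", 0x110, 1)
          + access("i60", "W", 0x200, 4) + access("i61", "W", 0x204, 4)
          + access("i62", "W", 0x208, 4) + access("i70", "R", 0x200, 4))

# Constructed attack replay: i10 writes 20 bytes (overflowing into 0x108 and 0x110)
# and i70 reads 12 bytes (over-reading the fields written by i61 and i62).
ATTACK = (access("i30", "W", 0x110, 1) + access("i45", "W", 0x108, 1)
          + access("i10", "W", 0x100, 20) + access("i20", "R", 0x100, 4)
          + access("i50", "R", 0x108, 1) + access("i40", "R", 0x110, 1)
          + access("i60", "W", 0x200, 4) + access("i61", "W", 0x204, 4)
          + access("i62", "W", 0x208, 4) + access("i70", "R", 0x200, 12))


def locate(benign_traces, attack_trace):
    """Return (violations, blamed instructions) for an attack replay."""
    violations = find_violations(build_dfg(benign_traces), attack_trace)
    return violations, attribute(violations)


if __name__ == "__main__":
    violations, blamed = locate([BENIGN], ATTACK)
    print(sorted(violations))   # [('i10', 'i40'), ('i10', 'i50'), ('i61', 'i70'), ('i62', 'i70')]
    print(blamed)               # {'i10': 'def', 'i70': 'use'}
```

The DFG here comes from a single benign run; a DFG built from too few profiling runs will contain too few edges and report benign but unseen def-use pairs as violations, which is why the slides call the result a candidate that the heuristics then refine.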
Integer Errors
• Focus on common integer errors
– Start from common functions/instructions that take integer operands
• E.g., memcpy, recvfrom; movs, stos…
– Search backwards for integer errors
• Example: memcpy(void *destination, const void *source, size_t num); search backwards from num for integer errors.
Integer Errors
• Assignment truncation (e.g., 0x12345678 → 0x5678)
– To detect: assign from a longer to a shorter integer type
• Integer overflow/underflow (e.g., 0xFFFFFFFF + 1)
– To detect: check the RFLAGS register
• Signedness error (e.g., unsigned_int_var = signed_int_var)
– To detect: collect hints from functions and instructions
• Instructions: jg, jge, ja, jae, cmovg, cmova, idiv, div, etc.
• Functions: memmove, strncat, etc.
• Benign integer errors?
– Only integer errors related to a reported vulnerability are reported
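The backward search from memcpy's num operand and the three detection checks (assignment truncation, overflow/underflow via the flags, signedness hints from instructions and functions), as an added worked example that is my code, not Ravel's. The trace is a constructed, generic instruction list modelling the pattern the slides describe: a length parsed from input is range-checked with a signed branch (jg), adjusted with an add, and then handed to memcpy as an unsigned size_t. Register names, op ids and values are invented; the flag emulation follows x86 ADD/SUB semantics for CF and OF.

```python
"""Integer-error checks along a def chain ending at memcpy's num operand.

Added example, not Ravel's code. Ops are dicts with an id, mnemonic, a
destination register, source registers and, for mov/add/sub, the observed
operand values and width. A forward pass collects signedness hints (which
branches and functions consumed each register); a backward pass follows the
definitions of the start register and runs the checks on each one.
"""
from collections import defaultdict

SIGNED_HINTS = {"jg", "jge", "jl", "jle", "cmovg", "cmovl", "idiv"}
UNSIGNED_HINTS = {"ja", "jae", "jb", "jbe", "cmova", "cmovb", "div",
                  "memcpy", "memmove", "strncat"}   # size_t parameters


def mask(bits):
    return (1 << bits) - 1


def to_signed(v, bits):
    """Interpret a bits-wide value as two's complement."""
    v &= mask(bits)
    return v - (1 << bits) if v >> (bits - 1) else v


def truncation(value, src_bits, dst_bits):
    """Assignment from a longer to a shorter type: return the truncated value if bits are lost."""
    if dst_bits >= src_bits:
        return None
    kept = value & mask(dst_bits)
    return None if kept == (value & mask(src_bits)) else kept


def add_flags(a, b, bits):
    """Emulate x86 ADD: (result, CF, OF) as RFLAGS would hold them."""
    m = mask(bits)
    result = (a + b) & m
    cf = int((a & m) + (b & m) > m)                                    # unsigned carry
    of = int(to_signed(a, bits) + to_signed(b, bits) != to_signed(result, bits))  # signed overflow
    return result, cf, of


def sub_flags(a, b, bits):
    """Emulate x86 SUB: CF is the unsigned borrow, OF the signed overflow."""
    m = mask(bits)
    result = (a - b) & m
    cf = int((a & m) < (b & m))
    of = int(to_signed(a, bits) - to_signed(b, bits) != to_signed(result, bits))
    return result, cf, of


def collect_hints(trace):
    """Forward pass: which mnemonics/functions consumed each register."""
    hints = defaultdict(set)
    for op in trace:
        for reg in op.get("srcs", []):
            hints[reg].add(op["op"])
    return hints


def search_backwards(trace, start_reg):
    """Follow the def chain of start_reg and report (op id, error kind, detail) findings."""
    hints = collect_hints(trace)
    wanted, chain_hints, findings = {start_reg}, set(), []
    for op in reversed(trace):
        dst = op.get("dst")
        if dst not in wanted:
            continue
        wanted.remove(dst)
        wanted.update(op.get("srcs", []))
        chain_hints |= hints[dst]
        if op["op"] == "mov" and op.get("src_bits"):
            t = truncation(op["value"], op["src_bits"], op["bits"])
            if t is not None:
                findings.append((op["id"], "truncation", t))
        elif op["op"] in ("add", "sub"):
            flags = add_flags if op["op"] == "add" else sub_flags
            _, cf, of = flags(op["a"], op["b"], op["bits"])
            if cf or of:
                findings.append((op["id"], "overflow", {"CF": cf, "OF": of}))
        # Signedness: the chain was judged by a signed branch and consumed as unsigned,
        # and this definition is negative when read as signed.
        if (chain_hints & SIGNED_HINTS and chain_hints & UNSIGNED_HINTS
                and op.get("value") is not None and to_signed(op["value"], op["bits"]) < 0):
            findings.append((op["id"], "signedness", to_signed(op["value"], op["bits"])))
    return findings


# Constructed, generic trace (not real program instructions).
TRACE = [
    {"id": 1, "op": "mov", "dst": "size", "srcs": [], "value": 0xFFFFFFF0, "bits": 32},  # parsed from input
    {"id": 2, "op": "jg", "dst": None, "srcs": ["size"]},                               # signed range check
    {"id": 3, "op": "add", "dst": "total", "srcs": ["size"], "a": 0xFFFFFFF0, "b": 0x20, "bits": 32},
    {"id": 4, "op": "memcpy", "dst": None, "srcs": ["buf", "src", "total"]},           # total is size_t num
]

if __name__ == "__main__":
    print(truncation(0x12345678, 32, 16))       # 0x5678, the slide's example
    print(add_flags(0xFFFFFFFF, 1, 32))         # (0, 1, 0): wrap with CF set
    print(search_backwards(TRACE, "total"))     # overflow at op 3, signedness conflict at op 1
```

Walking back from num, the add at op 3 is flagged because CF is set, and the definition at op 1 is flagged because the same value was judged by a signed branch (jg) yet flows into memcpy's unsigned parameter while being negative as a signed 32-bit integer, which is the "signed comparison, larger than expected" shape the Nginx case study below shows.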
Use-after-free and Double-free
• Ravel instruments memory allocation/free functions to track the memory life-time
• Use-after-free: freed memory is accessed again
• Double-free: memory freed more than once without re-allocation
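The lifetime tracking described above, as an added worked example (my code, not Ravel's instrumentation). The allocator hooks are simulated by a constructed event list of ('malloc', base, size), ('free', base) and ('access', addr) records; a block freed and then re-allocated at the same base is revived, so a later free of it is not a double free.

```python
"""Use-after-free and double-free detection from allocator and access events.

Added example, not Ravel's code. Events are constructed records as an
instrumented malloc/free would emit them, plus memory accesses as a BT
engine would report them.
"""


def owner(blocks, addr):
    """Base of the block in `blocks` (base -> size) that contains addr, or None."""
    for base, size in blocks.items():
        if base <= addr < base + size:
            return base
    return None


def track_lifetimes(events):
    """Return (event index, kind, ...) findings for double frees and uses after free."""
    live = {}      # base -> size of currently allocated blocks
    freed = {}     # base -> size of blocks freed and not yet re-allocated
    findings = []
    for i, ev in enumerate(events):
        kind, addr = ev[0], ev[1]
        if kind == "malloc":
            live[addr] = ev[2]
            freed.pop(addr, None)               # re-allocation revives the address
        elif kind == "free":
            if addr in live:
                freed[addr] = live.pop(addr)
            elif addr in freed:
                findings.append((i, "double-free", addr))
            else:
                findings.append((i, "unknown-free", addr))
        elif kind == "access":
            block = owner(freed, addr)
            if block is not None and owner(live, addr) is None:
                findings.append((i, "use-after-free", addr, block))
    return findings


# Constructed event sequence: a 16-byte block is freed, touched, freed again, then re-allocated.
EVENTS = [
    ("malloc", 0x1000, 16),
    ("access", 0x1004),
    ("free", 0x1000),
    ("access", 0x1008),      # use after free
    ("free", 0x1000),        # double free
    ("malloc", 0x1000, 16),  # same address re-allocated
    ("access", 0x1000),      # legitimate again
    ("free", 0x1000),        # legitimate again
]

if __name__ == "__main__":
    print(track_lifetimes(EVENTS))  # [(3, 'use-after-free', 4104, 4096), (4, 'double-free', 4096)]
```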
Race Condition
• When a race condition happens, the execution deviates from the recorded one
– because Ravel does not implement strict record & replay
• When such a deviation is detected, use the happens-before relation to check for race conditions
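The happens-before check itself, as an added worked example (my code, not Ravel's). It uses vector clocks over a constructed event list of (thread, kind, arg) records, where kind is 'acquire'/'release' on a lock or 'read'/'write' on an address; two accesses to one address from different threads, at least one of them a write, race when neither happens before the other. Thread, lock and address names are invented.

```python
"""Happens-before race check with vector clocks.

Added example, not Ravel's code. Each thread keeps a vector clock; a release
publishes the releaser's clock on the lock and an acquire joins it, so
accesses ordered by the lock are also ordered by happens-before. Unordered
conflicting accesses are reported as races.
"""
from collections import defaultdict


def leq(a, b):
    """Vector-clock order: a happens before (or equals) b iff a <= b componentwise."""
    return all(c <= b.get(t, 0) for t, c in a.items())


def find_races(events):
    clocks = defaultdict(lambda: defaultdict(int))  # thread -> vector clock
    lock_clocks = {}                                  # lock -> clock at its last release
    history = defaultdict(list)                       # addr -> [(thread, kind, clock snapshot)]
    races = []
    for thread, kind, arg in events:
        vc = clocks[thread]
        if kind == "acquire":                         # join the last releaser's clock
            for t, c in lock_clocks.get(arg, {}).items():
                vc[t] = max(vc[t], c)
            continue
        vc[thread] += 1                               # every other event ticks the local clock
        if kind == "release":
            lock_clocks[arg] = dict(vc)
            continue
        snap = dict(vc)
        for other_thread, other_kind, other_snap in history[arg]:
            if (other_thread != thread and "write" in (kind, other_kind)
                    and not leq(other_snap, snap)):
                races.append((arg, (other_thread, other_kind), (thread, kind)))
        history[arg].append((thread, kind, snap))
    return races


# Constructed schedule: X is protected by lock L on both threads, Y is not.
EVENTS = [
    ("T1", "acquire", "L"), ("T1", "write", "X"), ("T1", "release", "L"),
    ("T2", "acquire", "L"), ("T2", "write", "X"), ("T2", "release", "L"),
    ("T2", "write", "Y"),
    ("T1", "read", "Y"),
]

if __name__ == "__main__":
    print(find_races(EVENTS))  # [('Y', ('T2', 'write'), ('T1', 'read'))]
```

The two writes to X are ordered through L (T2's acquire joins the clock T1 published at its release), so they are not reported; the unlocked write/read pair on Y is.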
Implementation
• Record & replay:
– FreeBSD release 10.2
– Kernel modification + small user-space utility
• Vulnerability locator:
– Extended from Valgrind
Evaluation – Effectiveness
• Buffer overflow
• Integer errors
• Information leakage
• Use-after-free and double-free
• Format string vulnerabilities
CVE-2013-2028 of Nginx
[Figure: annotated Nginx source for CVE-2013-2028, with labels signed, unsigned, signed comparison, larger than expected and buffer overflow; Ravel reports a Data-flow Violation, a Signedness Conflict and a Memory Exception]
Evaluation – Effectiveness
• More examples are in the paper (Heartbleed, etc.)
Evaluation – Performance
[Figure: performance overhead of Ravel’s online components relative to the original FreeBSD system]
Backup Slides
Attack Detection Example
• Typical scenario example:
[Figure: Attack → Fork timeline. Attacker guesses memory addresses; program crashes (due to ASLR, DEP, etc.); victim forks a new process]