Systems and Internet Infrastructure Security Laboratory (SIIS) Page
STING: Finding Name Resolution Vulnerabilities in Programs
Hayawardh Vijayakumar, Joshua Schiffman, Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab, Computer Science and Engineering Department
Pennsylvania State University
Friday, August 10, 2012
Name Resolution
• Processes often use names to obtain access to system resources
• A nameserver (e.g., OS) performs name resolution using namespace bindings (e.g., directory) to convert a name (e.g., filename) into a system resource (e.g., file)
  – Filesystem, System V IPC, …
[Figure: a process P calls open("/var/mail/root"). The name (filename) is resolved through the bindings (directories /, var, mail) of the namespace (filesystem) to the resource (file root).]
Namespace Sharing Problems
• Security problems occur because low-integrity adversary processes share the same OS namespaces as high-integrity victim processes
  – Adversary processes attempt to affect name resolution of victim processes
• Permissions for /var/mail
  – Group mail can create and delete files
Attacks on Name Resolution
• Improper Binding Attack
  – Adversary controls bindings to redirect victim to a resource not under adversary’s control (confused deputy)
  – Symbolic link, hard link attacks
  – Victim expects low integrity/secrecy, gets high instead
[Figure: victim V (root) calls open("/var/mail/root"). Adversary A (group mail) has replaced the binding root in /var/mail with a link to /etc/passwd, so the name resolves to /etc/passwd instead of the mail file.]
Attacks on Name Resolution
• Improper Resource Attack
  – Adversary controls final resource in unexpected ways
  – Untrusted search paths (e.g., Trojan library), file squatting
  – Victim expects high integrity, gets low integrity instead
[Figure: adversary A (group mail) creates /var/mail/root (owner mail) before victim V (root) calls open("/var/mail/root"); the victim expected a file with owner root and gets an adversary-controlled one instead.]
Attacks on Name Resolution
• Race Conditions
  – Adversary exploits non-atomicity in “check” and “use” of resource to conduct improper resource and improper binding attacks
  – Well-known “TOCTTOU” attacks
[Figure, check: victim V (root) calls lstat("/var/mail/root") while root in /var/mail is still a regular file, so the check passes.]
[Figure, use: before the victim’s open("/var/mail/root"), adversary A (group mail) replaces that binding with a link to /etc/passwd, so the use resolves to a different resource than the one checked.]
How Serious a Problem?
• Who can launch local exploits?
  – Untrusted local users in a multi-user environment (e.g., university)
  – Remote attackers who have broken into networked programs through bugs or misconfigurations and want to further escalate privileges
• Downloaded malware, compromised server programs, …
[Figure: Remote Attacker → Local Attacker → root]
• Name resolution vulnerabilities account for 5-10% of CVE entries each year
• These are particularly hard to eradicate as they involve multiple parties
  – Programmers who write code
  – OS distributors who define access control policies
  – Administrators who configure end system
Existing Program Defenses
• Name resolution attacks have been with us
  – TOCTTOU attacks first published by McPhee in 1974
  – Like buffer overflows – known for decades
• Program API to convey intended context to OS, e.g.:
  – O_EXCL flag in open(): if a resource already exists, fail
  – mkstemp creates an unpredictable name
  – O_NOFOLLOW: don’t follow a link on this name resolution
  – openat and related allow use of same directory for access
• Programmers do not always use APIs properly
  – Lots of exceptions
  – Impractical to determine whether defenses should be on
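The API defenses listed on this slide, together with the fd-based check that closes the check/use window from the race-condition slide, in one runnable C program. This is an added example written for this page, not code from the STING authors or from any program they studied; it assumes a Linux/glibc system with a writable /tmp, and the scratch directory, the file names ("existing", "planted", "fresh") and the step numbers are constructed here:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Create a brand-new file at path. O_EXCL makes the call fail if anything
 * already sits at the name (a squatted file or a planted link), and O_NOFOLLOW
 * refuses a symbolic link at the final component. Returns fd or -1 (errno set). */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Open name relative to a directory that was opened earlier. The directory is
 * identified by dirfd, not by re-walking its path, so bindings above it cannot
 * be swapped between the two calls; O_NOFOLLOW covers the last component. */
int open_in_dir(int dirfd, const char *name) {
    return openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Check the resource actually opened (through the fd) instead of re-resolving
 * the name: a regular file owned by expected_uid. Returns 0 on success. */
int verify_opened(int fd, uid_t expected_uid) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != expected_uid) { errno = EPERM; return -1; }
    return 0;
}

/* Remove everything the demo created; errors are ignored because some names
 * may never have been created if an earlier step failed. */
static void cleanup(const char *dir, int dfd) {
    if (dfd >= 0) {
        unlinkat(dfd, "existing", 0);
        unlinkat(dfd, "planted", 0);
        unlinkat(dfd, "fresh", 0);
        close(dfd);
    }
    rmdir(dir);
}

/* Exercise the defenses in a private scratch directory (constructed here, not
 * a real mail spool). Returns 0 when every call behaved as intended; a nonzero
 * step number identifies the first unexpected result. */
int run_demo(void) {
    char dir[] = "/tmp/sting-demo-XXXXXX";
    char path[320], tmpl[320];
    int fd, dfd;

    if (mkdtemp(dir) == NULL) return 1;          /* unpredictable name, mode 0700 */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) { rmdir(dir); return 2; }
#define FAIL(n) do { cleanup(dir, dfd); return (n); } while (0)

    /* a legitimate file already at the name: O_EXCL must report EEXIST */
    snprintf(path, sizeof path, "%s/existing", dir);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0) FAIL(3);
    close(fd);
    if ((fd = create_exclusive(path)) >= 0) { close(fd); FAIL(4); }
    if (errno != EEXIST) FAIL(5);

    /* a symbolic link planted at the name: O_CREAT|O_EXCL fails regardless of
     * where the link points, and a read with O_NOFOLLOW fails with ELOOP */
    snprintf(path, sizeof path, "%s/planted", dir);
    if (symlink("existing", path) != 0) FAIL(6);
    if ((fd = create_exclusive(path)) >= 0) { close(fd); FAIL(7); }
    if (errno != EEXIST) FAIL(8);
    if ((fd = open_in_dir(dfd, "planted")) >= 0) { close(fd); FAIL(9); }
    if (errno != ELOOP) FAIL(10);

    /* the legitimate file opens, and the check runs on the fd, not on the name */
    if ((fd = open_in_dir(dfd, "existing")) < 0) FAIL(11);
    if (verify_opened(fd, getuid()) != 0) { close(fd); FAIL(12); }
    close(fd);

    /* a new name is created exclusively; mkstemp does the same with a random
     * suffix, so there is no predictable name for an adversary to pre-create */
    snprintf(path, sizeof path, "%s/fresh", dir);
    if ((fd = create_exclusive(path)) < 0) FAIL(13);
    close(fd);
    snprintf(tmpl, sizeof tmpl, "%s/tmp-XXXXXX", dir);
    if ((fd = mkstemp(tmpl)) < 0) FAIL(14);
    close(fd);
    unlink(tmpl);
#undef FAIL
    cleanup(dir, dfd);
    return 0;
}

int main(void) {
    int rc = run_demo();
    if (rc == 0) printf("all defenses behaved as expected\n");
    else printf("unexpected result at step %d\n", rc);
    return rc;
}
```

The point of verify_opened is the one the race-condition slide makes: a check on the name (lstat) and a later use of the name (open) are two resolutions, and the binding can change in between; fstat on the descriptor checks the resource the program actually holds.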
Program Defenses
• Often don’t work…
Proposed System Defenses
• Many defenses have been proposed by researchers
  – And broken…
  – Mainly for TOCTTOU
• Cai et al. [Oakland 2009] showed
  – All system defenses fundamentally limited because they do not have program knowledge
• Chari et al. [NDSS 2010] propose a system defense for improper binding attacks
  – Have false positives
This Work’s Goal
• Given the difficulty of proper defenses, we propose actively finding name resolution vulnerabilities in programs
  – So programs can be fixed to perform correct checks
  – Or access control policies can be tightened
Prior – Static Analysis
• Analyze program to find potentially vulnerable name resolution calls
  – Due to complexity of checks, mainly limited to TOCTTOU
• Deficiencies
  – False positives due to adversary inaccessibility
  – Our runtime study found only around 5% of name resolutions were accessible to adversaries
[Figure: victim V (root) calls open("/var/mail/root"): the binding in /var/mail is adversary accessible, so this resolution needs a program defense.]
[Figure: victim V (root) calls open("/etc/hosts"): no binding on the path is adversary accessible, so this resolution needs no program defense.]
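A worked version of the adversary-accessibility test that this slide uses to separate the roughly 5% of name resolutions needing a program defense from the rest. This is an added example, not part of the STING tool or of the deck: it walks every directory whose bindings are consulted while resolving a name and asks whether an unprivileged adversary can write that directory. The directory table is constructed to match the deck's /var/mail example (gid 8 for group mail and the mode bits are assumptions), and only the owner/group/other write bits are modelled, not ACLs or a MAC policy:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Outcome of walking one name's bindings. */
enum { NOT_ACCESSIBLE = 0, ACCESSIBLE = 1, UNKNOWN_DIR = -1 };

/* Owner, group and mode bits of one directory. The table is a constructed
 * model following the deck's example (group mail can create and delete in
 * /var/mail); gid 8 for group mail is an assumption, not a value from the deck. */
typedef struct { const char *path; uid_t uid; gid_t gid; mode_t mode; } dir_entry;

static const dir_entry DIRS[] = {
    { "/",         0, 0, 0755  },
    { "/var",      0, 0, 0755  },
    { "/var/mail", 0, 8, 02775 },
    { "/etc",      0, 0, 0755  },
};

/* The adversary we are asking about: an unprivileged uid and its group.
 * uid 0 is deliberately not modelled, since root can rewrite any binding. */
typedef struct { uid_t uid; gid_t gid; } principal;

static const dir_entry *lookup_dir(const char *path) {
    for (size_t i = 0; i < sizeof DIRS / sizeof DIRS[0]; i++)
        if (strcmp(DIRS[i].path, path) == 0) return &DIRS[i];
    return NULL;
}

/* Can p add, remove or rename entries in d? Write permission on the directory
 * is what lets an adversary change a binding (link, squat, replace). The sticky
 * bit stops removal of entries owned by others but still allows creating a new
 * name, which is enough for file squatting, so it is not treated as a defense. */
static bool can_write_dir(const dir_entry *d, principal p) {
    if (p.uid == d->uid) return (d->mode & S_IWUSR) != 0;
    if (p.gid == d->gid) return (d->mode & S_IWGRP) != 0;
    return (d->mode & S_IWOTH) != 0;
}

/* Walk every directory consulted while resolving the absolute name, in order,
 * and report the first one the adversary can write. On ACCESSIBLE or
 * UNKNOWN_DIR that directory's path is copied into out. */
int adversary_accessible(const char *name, principal adv, char *out, size_t outlen) {
    char prefix[256];
    size_t len = strlen(name);
    if (len == 0 || name[0] != '/' || len >= sizeof prefix) return UNKNOWN_DIR;
    for (size_t i = 0; i < len; i++) {
        if (name[i] != '/') continue;          /* prefix before this '/' holds the next binding */
        if (i == 0) {
            strcpy(prefix, "/");
        } else {
            memcpy(prefix, name, i);
            prefix[i] = '\0';
        }
        const dir_entry *d = lookup_dir(prefix);
        if (d == NULL) { snprintf(out, outlen, "%s", prefix); return UNKNOWN_DIR; }
        if (can_write_dir(d, adv)) { snprintf(out, outlen, "%s", prefix); return ACCESSIBLE; }
    }
    if (outlen > 0) out[0] = '\0';
    return NOT_ACCESSIBLE;
}

int main(void) {
    principal mail_user = { 1000, 8 };       /* constructed: an unprivileged member of group mail */
    const char *names[] = { "/var/mail/root", "/etc/hosts" };
    char where[256];
    for (int i = 0; i < 2; i++) {
        int r = adversary_accessible(names[i], mail_user, where, sizeof where);
        printf("%-16s %s\n", names[i],
               r == ACCESSIBLE ? where
               : r == NOT_ACCESSIBLE ? "not adversary accessible" : "unknown directory");
    }
    return 0;
}
```

With the deck's permissions, open("/var/mail/root") by root is flagged because /var/mail is group-writable by mail, while open("/etc/hosts") is not flagged; a static analysis that ignores the policy would report both.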
Prior – Runtime Analysis
• Have both access control policy and program system calls
• Still, many false positives
  – Program code might defend itself
• Manual audits impractical
  – In our study, only 13% of adversary-accessible name resolutions are actually vulnerable
• False negatives during normal runtime
  – Attacks require very specific conditions that do not occur in normal runtime
• Example: mountall untrusted search path vulnerability required:
  – Launching that program in an untrusted directory, and
  – Symbolic links named none and fusectl
Our Solution
• Thus, we have to actively change the namespace to create adversarial scenarios
  – And evaluate process response to scenario
• We take inspiration from “grey-box” testing
  – Feed known adversarial inputs to programs and examine process response (e.g., detect SQL injection vulnerability)
[Figure: Generate adversarial input → victim V → study program response. The input ‘test’; drop table name; leads the program to execute db.exec(‘drop table name’): Vulnerable!]
Grey-Box Test Using OS
• OS is in charge of namespace
  – Use OS to feed adversarial input in response to program name resolution requests, and study program response
  – System-wide testing
• Generate Adversarial Input
• Examine Program Response
![Page 50: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/50.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Friday, August 10, 2012
![Page 51: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/51.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
V
V
V
V
V
V
Friday, August 10, 2012
![Page 52: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/52.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 53: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/53.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Adversary accessibility? System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 54: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/54.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
Adversary accessibility? System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 55: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/55.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
Adversary accessibility? Manage Attacks?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 56: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/56.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Adversary accessibility? Manage Attacks?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 57: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/57.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Adversary accessibility? Manage Attacks?
Reject Resource?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 58: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/58.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Reject?Not vulnerable!
Adversary accessibility? Manage Attacks?
Reject Resource?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 59: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/59.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Reject?Not vulnerable!
Adversary accessibility? Manage Attacks?
Rollback Namespace?Reject Resource?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 60: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/60.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Reject?Not vulnerable!
Rollback Namespace
Adversary accessibility? Manage Attacks?
Rollback Namespace?Reject Resource?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 61: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/61.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Reject?Not vulnerable!
Rollback Namespace
Adversary accessibility? Manage Attacks?
Rollback Namespace?Reject Resource?
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 62: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/62.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Reject?Not vulnerable!
Rollback Namespace
Adversary accessibility? Manage Attacks?
Rollback Namespace?Reject Resource?
LaunchPhase
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 63: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/63.jpg)
Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Solution Overview
19
V
(OS) Generate Adversarial Input
(OS) Study ProgramResponse
Namespace
/
Accept?Vulnerable!All
syscalls
Name res syscalls
Modify Namespace
Access Control Policy
Bindings adversary accessible?
AttackHistory
Not AlreadyAttacked?
Reject?Not vulnerable!
Rollback Namespace
Adversary accessibility? Manage Attacks?
Rollback Namespace?Reject Resource?
LaunchPhase
DetectPhase
System-wide?
V
V
V
V
V
V
Friday, August 10, 2012
![Page 64: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/64.jpg)
Launch Phase
[Figure (built up over pages 64-75): Victim (user root) in user space calls fd = open("/var/mail/root", O_APPEND). In the kernel, the namespace tree is / -> var -> mail -> root and / -> etc -> passwd. Steps: 1. Find bindings. 2. Find adversary access: Adversary (group mail) can modify the binding under /var/mail. 3. Launch attack (modify namespace): delete("/var/mail/root"); symlink("/etc/passwd", "/var/mail/root"), so that /var/mail/root now points to /etc/passwd. 4. Continue system call.]
![Page 76: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/76.jpg)
Detect Phase
[Figure (built up over pages 76-85): Victim (user root) calls write(fd) on the descriptor obtained in the Launch Phase; in the kernel the namespace tree shows /var/mail/root as a link to /etc/passwd. Steps: 1. Victim accepts resource (the write goes to /etc/passwd). 2. Record vulnerability. 3. Rollback namespace (the link is removed and the original /var/mail/root binding restored). 4. Restart system call.]
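The launch and detect phases above, together with the "not already attacked?" check from the Solution Overview, replayed in user space as an added example (this is not STING's kernel code). A scratch directory stands in for /var/mail/root and /etc/passwd, the attack history is a plain set, and the `victim_append_*` functions, `MAILBOX_SITE` and `run_test_case` are names introduced here. The vulnerable victim is the one from the slide; the hardened one shows the response STING would classify as "reject".

```python
# Added example, not STING's code: launch phase (rebind the name), detect
# phase (did the victim accept the resource?), record, roll back.
import os
import stat
import tempfile
from typing import Optional, Set, Tuple

# Identifies the (syscall, name) site under attack; key for the attack history.
MAILBOX_SITE = "open:/var/mail/root"


def launch_attack(mailbox: str, target: str) -> None:
    """Launch phase, step 3 (modify namespace), as on the slide:
    delete("/var/mail/root"); symlink("/etc/passwd", "/var/mail/root")."""
    os.unlink(mailbox)
    os.symlink(target, mailbox)


def victim_append_vulnerable(mailbox: str, data: bytes) -> bool:
    """The victim from the slide: open(name, O_APPEND) (plus O_WRONLY, which
    the slide elides) follows whatever the name resolves to right now, then
    write(fd). Returns True: the resource is accepted unconditionally."""
    fd = os.open(mailbox, os.O_WRONLY | os.O_APPEND)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return True


def victim_append_hardened(mailbox: str, data: bytes,
                           expected_uid: Optional[int] = None) -> bool:
    """Hardened victim: refuse a symlink at the final component (O_NOFOLLOW)
    and check the object actually opened with fstat, so the decision is made
    on the resource rather than on the name."""
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        fd = os.open(mailbox, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    except OSError:
        return False                  # rejected: the name was a symlink (ELOOP)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            return False              # rejected: wrong object type or owner
        os.write(fd, data)
        return True
    finally:
        os.close(fd)


def run_test_case(victim, history: Set[Tuple[str, str]]) -> Optional[Tuple[bool, str]]:
    """One grey-box test case: skip if this victim/site pair was already
    attacked, otherwise launch the attack, run the victim, detect whether it
    accepted the adversary's resource, and roll the namespace back.
    Returns (accepted, contents_of_target) or None when skipped."""
    key = (victim.__name__, MAILBOX_SITE)
    if key in history:
        return None                   # "not already attacked?" -> already done
    history.add(key)
    with tempfile.TemporaryDirectory() as scratch:
        mailbox = os.path.join(scratch, "var_mail_root")   # stands in for /var/mail/root
        target = os.path.join(scratch, "etc_passwd")       # stands in for /etc/passwd
        with open(mailbox, "w"):
            pass
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")     # constructed content
        launch_attack(mailbox, target)
        accepted = victim(mailbox, b"evil::0:0::/:/bin/sh\n")   # constructed payload
        with open(target) as f:
            contents = f.read()
    # Leaving the with-block deletes the scratch tree: the namespace rollback.
    return accepted, contents


if __name__ == "__main__":
    seen: Set[Tuple[str, str]] = set()
    for v in (victim_append_vulnerable, victim_append_hardened):
        print(v.__name__, "->", run_test_case(v, seen))
    print("repeat ->", run_test_case(victim_append_vulnerable, seen))
```

Note that the hardened victim still only narrows the window: O_NOFOLLOW protects the last component, not directories higher up the path, which is why STING's accessibility analysis looks at every binding the name traverses.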
![Page 86: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/86.jpg)
Find Accessible Bindings
• Find bindings - Shadow resolution
! Extract the name resolution code inside the kernel and obtain the bindings a name will traverse before the system call starts
• Find adversary-accessible bindings - Adversary model
! Use the access control policy to decide who may modify each binding
• DAC model: any user other than root is a potential adversary
• MAC model: (SELinux)
[Figure: V (root) calls open("/var/mail/root"); the namespace tree / -> var -> mail -> root and / -> etc -> passwd is shown, with adversary A (group mail) attached to the mail binding.]
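A user-space model of the two steps on this slide, shadow resolution and the DAC adversary model, added here as an example (it is not STING's kernel implementation, which does this inside the resolver). The namespace, its owners and modes, and the subjects are constructed; symbolic links are not modelled, and the sticky-bit rule for /tmp is the standard DAC rule rather than something the slide states.

```python
# Added example (not STING's code): shadow resolution over a constructed
# namespace, then the DAC adversary model applied to each binding.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

S_ISVTX = 0o1000   # sticky bit on directories such as /tmp


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int      # permission bits, plus setgid/sticky bits for directories
    is_dir: bool


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: FrozenSet[int]


# Constructed namespace: /var/mail is root:mail, setgid and group-writable;
# /tmp is world-writable with the sticky bit; /tmp/lockfile belongs to uid 1000.
NAMESPACE: Dict[str, Inode] = {
    "/":              Inode(0, 0, 0o755, True),
    "/var":           Inode(0, 0, 0o755, True),
    "/var/mail":      Inode(0, 8, 0o2775, True),
    "/var/mail/root": Inode(0, 8, 0o660, False),
    "/etc":           Inode(0, 0, 0o755, True),
    "/etc/passwd":    Inode(0, 0, 0o644, False),
    "/tmp":           Inode(0, 0, 0o1777, True),
    "/tmp/lockfile":  Inode(1000, 1000, 0o644, False),
}

# Constructed subjects: root and three users, one of them in group mail (gid 8).
SUBJECTS: List[Subject] = [
    Subject(0, frozenset({0})),
    Subject(1000, frozenset({1000})),
    Subject(1001, frozenset({1001, 8})),
    Subject(1002, frozenset({1002})),
]


def shadow_resolve(path: str) -> List[Tuple[str, str, str]]:
    """Shadow resolution: walk the path as the kernel would and return every
    (parent_dir, name, child_path) binding it traverses. Symlinks are not
    modelled; each component is treated as a plain directory entry."""
    bindings = []
    cur = "/"
    for name in (p for p in path.split("/") if p):
        child = cur.rstrip("/") + "/" + name
        bindings.append((cur, name, child))
        cur = child
    return bindings


def can_rebind(parent: Inode, target: Optional[Inode], subj: Subject) -> bool:
    """DAC rule for changing a directory entry (unlink, rename, symlink,
    create): write+search on the parent directory; in a sticky directory an
    existing entry may only be removed by its owner or the directory's owner.
    root can always do it."""
    if subj.uid == 0:
        return True
    if subj.uid == parent.uid:
        bits = (parent.mode >> 6) & 0o7
    elif parent.gid in subj.gids:
        bits = (parent.mode >> 3) & 0o7
    else:
        bits = parent.mode & 0o7
    if (bits & 0o3) != 0o3:            # needs w (0o2) and x (0o1)
        return False
    if (parent.mode & S_ISVTX) and target is not None:
        return subj.uid in (target.uid, parent.uid)
    return True


def adversary_accessible_bindings(path: str, victim_uid: int,
                                  subjects: List[Subject] = SUBJECTS,
                                  ns: Dict[str, Inode] = NAMESPACE) -> List[Tuple[str, int]]:
    """For every binding on `path`, list (binding, adversary_uid) pairs where
    an adversary of the victim could change the binding. DAC adversary model
    from the slide: every user other than root (and the victim itself) is a
    potential adversary."""
    found = []
    for parent, _name, child in shadow_resolve(path):
        if parent not in ns:
            break                       # earlier component missing: nothing below it
        for s in subjects:
            if s.uid in (0, victim_uid):
                continue
            if can_rebind(ns[parent], ns.get(child), s):
                found.append((child, s.uid))
    return found


if __name__ == "__main__":
    for p in ("/var/mail/root", "/tmp/lockfile", "/tmp/newfile", "/etc/passwd"):
        print(p, "->", adversary_accessible_bindings(p, victim_uid=0))
```

The /tmp/newfile case is the one worth noticing: a name that does not exist yet has no owner for the sticky bit to protect, so any user can create it first, which is the window an O_CREAT without O_EXCL opens.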
![Page 91: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/91.jpg)
Launching an Attack
• Modify the namespace to generate the attack test case
! Existing data should be backed up
! Unix domain sockets, … cannot be recovered if deleted
! The attack should be visible only to victims of the adversary
• Not to all processes
[Figure: the same namespace tree and V (root) / A (mail) as above; after the attack the root entry under /var/mail has been replaced by a Link.]
![Page 94: STING: Finding Name Resolution Vulnerabilities in Programs · • Name resolution vulnerabilities accounts for 5-10% CVE entries each year ... Prior – Static Analysis 14 Friday,](https://reader033.fdocuments.us/reader033/viewer/2022042405/5f1e4c28add3452d2e239a54/html5/thumbnails/94.jpg)
Launching an Attack
• Solution - Union filesystems
! Combines a "lower" read-only and an "upper" read-write fs
• The adversary changes only the upper filesystem
! Show the upper or the lower branch depending on the adversary and the system call
[Figure (built up over pages 95-102): two branches, each holding the tree / -> var -> mail -> root: the adversary's read-write upper branch and the original filesystem as the read-only lower branch. A process V is shown the upper branch only when the modifying A is an adversary of V; when A is not an adversary, V sees the original lower branch.]
! Show upper or lower branch depending on adversary and system call
24
/var/root/mail
/var/root/mail/var/root/mail
V
Adversary upper branch
Original fs lower branch
A is not adversary
AA is
adversary
stat()
Friday, August 10, 2012
Manage Attacks
• Only run an attack test case once
! How to identify that the current system call originates from code that has already been tested?
• Program entry points as unique identifiers
! The program instruction calling the library that performs the system call
• Obtained by a user-stack backtrace within the kernel
• Extensions for interpreters (11-59 LOC per interpreter)
25
[Figure: user-stack backtrace frames ./a.out, ./a.out, libc, libc (syscall)]
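As an added example (not STING's own code, which takes the backtrace inside the kernel and walks past the libc frames), the C program below derives an entrypoint identifier from the return address seen by a wrapper that stands in for the libc system-call stub, and keeps an attack history so that each entrypoint is attacked only once. The wrapper records only its immediate caller, the fixed-size history table, the function names and the two constructed paths are this example's assumptions.

```c
/* Added example, not STING's code: entrypoint = program instruction that
 * called into the library; attack each entrypoint only once. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>

#define MAX_HISTORY 64
static uintptr_t history[MAX_HISTORY];   /* entrypoints already tested */
static int history_len;
static const char *last_path;            /* name the stub would resolve */

/* Return 1 if ep has not been attacked yet (and record it), else 0. */
int should_launch_attack(uintptr_t ep)
{
    for (int i = 0; i < history_len; i++)
        if (history[i] == ep)
            return 0;
    if (history_len < MAX_HISTORY)
        history[history_len++] = ep;
    return 1;
}

/* Stand-in for the libc wrapper that issues the name-resolution syscall.
 * The entrypoint is the instruction in the program that called us, i.e.
 * our return address; noinline keeps that frame real. A real stub would
 * now issue e.g. open(path, ...). */
__attribute__((noinline))
uintptr_t resolve_name(const char *path)
{
    last_path = path;
    return (uintptr_t)__builtin_return_address(0);
}

/* Two distinct program call sites (constructed paths). Each call site yields
 * a stable identifier, and the two identifiers differ. The asm barrier
 * stops the compiler from turning the call into a tail jump, which would
 * make the return address point at our caller instead of this site. */
__attribute__((noinline))
uintptr_t site_mail_spool(void)
{
    uintptr_t ep = resolve_name("/var/mail/root");
    __asm__ volatile("" ::: "memory");
    return ep;
}

__attribute__((noinline))
uintptr_t site_tmp_lock(void)
{
    uintptr_t ep = resolve_name("/tmp/lockfile");
    __asm__ volatile("" ::: "memory");
    return ep;
}

int main(void)
{
    uintptr_t a = site_mail_spool(), b = site_tmp_lock();
    printf("mail spool entrypoint %#lx: attack? %d\n", (unsigned long)a,
           should_launch_attack(a));
    printf("mail spool entrypoint %#lx: attack? %d (already tested)\n",
           (unsigned long)a, should_launch_attack(site_mail_spool()));
    printf("tmp lock entrypoint   %#lx: attack? %d\n", (unsigned long)b,
           should_launch_attack(b));
    return 0;
}
```

The same program instruction reached through different library paths still maps to one identifier, which is what lets the history log stay small; the interpreter extensions on the slide exist because for a script the interesting "instruction" is in the script, not in the interpreter binary.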
Detect Vulnerability
• How do we know whether the victim process has accepted or rejected the resource?
• Accept resource
! The program uses “accept” system calls on the test case (“upper layer”) resource
• Reject resource
! The program retries the system call at the same entry point, or exits without accepting
26
Detect Vulnerability
• Acceptance for attacks we consider
! Not all system calls on tainted resources signify vulnerabilities.
27
Recovery and Rollback
• Namespace rollback
! Wipe adversarial resource from upper branch
• Further name resolutions get resource from lower branch
! Since we operate at VFS layer, we can redirect open file descriptors to lower layer
• Process recovery
! Some processes retry – we don’t do anything
! For those that exit – we restart process
• Linux has some rollback facilities we will examine, if necessary
28
Implementation
• STING as a kernel patch for Linux 2.6 and 3
! ~2700 LOC
• User-space support
! Init ramdisk scripts to mount stacked filesystem, load attack history log, load adversary model
• We have a package for Ubuntu 12.04
! apt-get install sting
• Once installed, STING automatically starts testing the whole system
! No special runtime environment or setup needed
29
Results - Vulnerabilities
30
[Table of vulnerabilities found (image not transcribed); callouts: “Both old and new programs”, “Special users to root”, “Known but unfixed!”]
Vulnerabilities by Entrypoint
• Under the DAC adversary model
! Only 4% (Fedora) and 5.7% (Ubuntu) of all name resolution entrypoints were accessible to adversaries
! Only 0.3% (Fedora) and 0.9% (Ubuntu) of all name resolutions were vulnerable
31
[Figure callouts: “Static Analysis False +”, “Normal Runtime False +”]
STING detects TOCTTOU races
• STING can deterministically create races, as it is in the system
32
[Figure: Adversary / Victim timeline (image not transcribed)]
STING creates scenarios
• That do not occur in normal runtime
33
[Figure: Adversary / Victim (image not transcribed)]
Detects easily overlooked
• Manual checks can easily overlook vulnerabilities
• But, misses an already existing file squat!
34
[Figure callouts: “Squat during create”, “Symbolic link”, “Hard link, race conditions”]
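As an added example for slides 32 and 34 (not code from the slides or from STING), the C program below puts the check-then-create pattern a manual review typically writes beside a hardened version. The weak create looks for a symbolic link and then calls open(O_CREAT), so it accepts a regular file the adversary planted earlier (the already existing file squat), and its lstat()/open() window is exactly the race an in-kernel tester can hit deterministically. The strong versions use O_EXCL|O_NOFOLLOW for new files and fstat() on the opened descriptor for existing ones, so the decision is made on the resource actually received, not on the name. The paths under /tmp, the function names and the owner-and-link-count policy are this example's assumptions.

```c
/* Added example, not STING's code: weak check-then-create beside creates
 * that decide on the opened object rather than on the name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: refuses a symlink at the name, but O_CREAT without O_EXCL reuses
 * any existing file, so an adversary-planted regular file is accepted;
 * the lstat()/open() window is also a TOCTTOU race. */
int create_weak(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Strong create: O_EXCL fails if any binding already exists (regular file,
 * symlink, hard link, or one inserted between check and use); O_NOFOLLOW
 * refuses a final-component symlink. EEXIST is the "reject" outcome. */
int create_strong(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Strong open of a file that may already exist: inspect the descriptor,
 * not the name. Policy (an assumption): regular file, ours, one link. */
int open_existing_strong(const char *path)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demo 1: the adversary squats the name first (constructed path in /tmp).
 * Returns 1 if the weak create accepted it and the strong one rejected it. */
int squat_demo(void)
{
    char dir[] = "/tmp/sting-squat-XXXXXX", path[128];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/victim.out", dir);
    int squat = open(path, O_WRONLY | O_CREAT, 0666);   /* adversary's file */
    if (squat < 0)
        return -1;
    close(squat);
    int weak = create_weak(path);        /* succeeds: squat accepted */
    int strong = create_strong(path);    /* fails with EEXIST */
    int strong_err = errno;
    int ok = weak >= 0 && strong < 0 && strong_err == EEXIST;
    if (weak >= 0)
        close(weak);
    unlink(path);
    rmdir(dir);
    return ok;
}

/* Demo 2: a symlink planted at the name is refused (ELOOP) while the real
 * file behind it is accepted. Returns 1 on that outcome. */
int symlink_demo(void)
{
    char dir[] = "/tmp/sting-link-XXXXXX", target[128], link[128];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/real", dir);
    snprintf(link, sizeof link, "%s/victim.out", dir);
    int fd = create_strong(target);
    if (fd < 0 || symlink(target, link) < 0)
        return -1;
    close(fd);
    int via_link = open_existing_strong(link);   /* -1, errno == ELOOP */
    int link_err = errno;
    int direct = open_existing_strong(target);   /* accepted */
    int ok = via_link < 0 && link_err == ELOOP && direct >= 0;
    if (direct >= 0)
        close(direct);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("squat demo: %d, symlink demo: %d\n", squat_demo(), symlink_demo());
    return 0;
}
```

In STING's terms, create_weak "accepts" the upper-layer resource (it writes to the squatted file), while create_strong "rejects" it and would be seen retrying or exiting; the post-open fstat() in open_existing_strong is the check that survives a binding change between two system calls, which no check on the name can.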
Shows OS distributor challenge
• STING also found vulnerabilities where the problem seemed to be the system’s access control policy
! When contacted, a developer refused to fix the bug, claiming the fault lay in the system’s access control policy
! We found other vulnerabilities that seemed better fixed by access control than by code
• E.g., postgres init script
35
Performance
• STING causes around 8% overhead on macrobenchmarks
! Noticeable overhead, but we were able to use system
! We are looking for further avenues to improve performance
36
Conclusions
• Name resolution is a fundamental process
! But it has long been vulnerable to various attacks
• It is difficult both to prevent name resolution attacks and to find program vulnerabilities
! We use runtime grey-box testing
• STING is a system-wide, online tool that finds name resolution vulnerabilities in programs
! By producing a malicious test case when a program’s adversary can modify the bindings used in resolution
• Found 21 previously-unknown vulnerabilities
! Highlights various issues
37
Availability
• STING webpage : http://siis.cse.psu.edu/sting
! Please contact [email protected] for access to the repository
• We envision STING being used on distributions during testing (e.g., alpha, beta), or by administrators on test systems before deployment, to fix vulnerabilities before adversaries exploit them
• We have a package for Ubuntu 12.04
! apt-get install sting
38
Thank You !
• Questions?
• E-mail for contact : [email protected]
39
Results – Retry vs Restart
• Around 32% of programs retried, whereas the rest had to be restarted
! Programs that retry integrate well with STING
! Restarted programs may lose state
! We are investigating integrating process checkpointing for graceful recovery of process state
40
Guarantees
• If a process accepts an adversarial resource
! There is a vulnerable name resolution
! Reads may not be exploitable
• Depends on program internals
41