This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
An annotated context-free grammar based vulnerability detection using LALR parser
安藤類央情報通信研究機構ネットワークセキュリティ研究所
LALR ( 先読み上昇型パーサ)を用いたCVE-2013-4371 の検出と評価
CVE-2013-4371 Realloc() vulnerability under high memory pressure
背景と設計方針 (Scalability vs False Negatives)In designing vulnerability checker, we face the difficult choice between precision and scalability. Particularly, security system design is forced to emphasize either false negatives or false positives. In todayfs large scale computing era, we conclude that a false negative rate should be as close to 0 as possible.
As of January 2013, GitHub had grown to 3 million users and 4.9 million repositories (repositories are histories of code shared on the site). [9] And by December of this year, the company hit 10 million repositories.
Two streams of computing paradigm(1940 – 2015) Imperative vs Declarative
Dalvik VM
Kurt Gödel
MainFrame
resolution
Haskel
-> x { -> y { x.call(y) } }
量子力学
集合論
ICOT
Long term trend ( 検査方式と問題領域)
ITS4ACSAC 2000
MOPSCCS 2002
MC Meta-Level CompilationOSDI 2000
MACEConcolic ExecutionUSENIX SEC 2011
COTS (ROP)Usenix 2013
AutomationNDSS 2000
Format StringUSENIX SEC 2001
MOPS (2)CCS 2004
MetaSymsploitUSENIX SEC 2013
CHUCKYCCS 2013
Computational Verification (proverif)
CCS 2012
ConfAidOSDI 2011
Metal Compiler ExtentionSSP 2002
SLAMPOPL 2002
ForNox Hot SDN 2012
DowserUSENIX SEC 2013
F7 verificationCCS 2010
StackGuardUSENIX SEC 1998
Branch Tracing (ROP) Usenix Sec 2013
ProverifSSP 2006 プロトコル検証の精緻化
複合型
設定整合性
攻撃手法の迅速化への対応
検査方法の分類■ 構文主導型 (Syntax Directed Translation) - This translator consists of a parser (or grammar) with embedded actions that immediately generate output.正規表現、有限オートマトンITS4: a static vulnerability scanner for C and C++ code, Computer Security Applications, ACSAC 2002Chucky: exposing missing checks in source code for vulnerability discovery ccs 2013
■ ルール方式 (Rule Based Translation) - Rule-based translators use the DSL of a particular rule engine to specify a set of “this goes to that” translation rules.遷移規則、プッシュダウンオートマトンUsing programmer-written compiler extensions to catch security holes SSP 2002Checking system rules using system-specific, programmer-written compiler extensions OSDI 2000
■ モデル駆動方式 (Model Driven Translation) - From the input model, a translator can emit output directly, build up strings, build up templates (documents with “holes” in them where we can stick values), or build up specialized output objectsモデル検査・実行系MOPS: an infrastructure for examining security properties of software CCS2002Chucky: exposing missing checks in source code for vulnerability discovery ccs 2013
提案手法( tagging, LALR parsing and binary search) A-1対象となるソースツリーのファイルをリストアップする
charatyp[ch]==Digit;ch=nextCh())if (p < p 16) p++ = ch;p = '\0'
if(strcmp(tkn.text, “for")==0)
Document Database処理系の状態情報(プログラム中の位置など)問い合わせ
格納
検査対象 CVE-2013-4371Xen Hypervisor
402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));
388libxl_cpupoolinfo * libxl_list_cpupool(libxl_ctx *ctx, int *nb_pool)389{397 poolid = 0;398 for (i = 0;; i++) {399 info = xc_cpupool_getinfo(ctx->xch, poolid);400 if (info == NULL)401 break;402 tmp = realloc(ptr, (i + 1) * sizeof(libxl_cpupoolinfo));403 if (!tmp) {404 LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");405 free(ptr);406 xc_cpupool_infofree(ctx->xch, info);407 return NULL;408 }409 ptr = tmp;410 ptr[i].poolid = info->cpupool_id;411 ptr[i].sched_id = info->sched_id;412 ptr[i].n_dom = info->n_dom;413 if (libxl_cpumap_alloc(ctx, &ptr[i].cpumap)) {414 xc_cpupool_infofree(ctx->xch, info);415 break;416 }417 memcpy(ptr[i].cpumap.map, info->cpumap, ptr[i].cpumap.size);418 poolid = info->cpupool_id + 1;419 xc_cpupool_infofree(ctx->xch, info);420 }
realloc use-after-free vulnerabilityUse-after-free vulnerability in the libxl\_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors.
At line 402, Xen uses realloc for reallocating the memory. Note that the address of libxl\_cpupoolinfo is already assigned outside of this routine. Under high pressure, realloc can not extend the memory from the original pointer which is already obtained. in this case, realloc newly yielding the address which remaining the data to be written.
Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors.http://www.cvedetails.com/cve/CVE-2013-4371/
We compiled our system on ubuntu12 LTS with Linux kernel 3.2.0. proposed system is hosted on Intel Xeon E5645 with 2.4 GHZ clock.
version forloop realloc functions real user sys real user sys