Combining static analyses for helping detection and exploitability vulnerabilities in binary code Laurent Mounier, Josselin Feist, Marie-Laure Potet, Sanjay Rawat VERIMAG University of Grenoble November 2013 Combining static analyses for helping detection and exploitability vulnerabilities in binary code 1/62
Dynamic taint analysis: TEMU (Berkeley), Dytan (Georgia Tech), TaintScope (Peking Univ.)
Exploitability: !exploitable (a WinDbg extension), AEG (CMU), Mayhem (CMU)
Challenges
Engineering of vulnerability analysis
Automate the vulnerability detection step as much as possible
Formalise expert skills in terms of exploitability
Scientific challenges
New vulnerability classes such as Use-After-Free
Static analysis at the binary level (scalability/accuracy)
Trace analysis leading to an exploit
Memory models adapted to exploitability and symbolic analyses
⇒ Tools helping detection and trace classification.
4 Use-After-Free detection and exploitability: UaF; Our approach; Detection; Exploitability; Prototype
5 Bibliography
Our approach/Objective
⇒ Identifying exploitable paths and building appropriate inputs (a testing approach)
Using static analysis in order to slice interesting behaviours
structural patterns and static taint analysis (SERE11)
Using static/dynamic analysis for exploitability conditions
symbolic exploitability conditions and memory model (CSTVA12)
Using mutation algorithms and SMT solvers to produce inputs
fitness function and mutations (ECND10, SECTEST11)
⇒ Content of the presentation: static taint analysis, vulnerable path detection, Use-After-Free detection, ongoing work
⇒ Prototype for limitation/relevance/scalability evaluation
Implementation and possible improvements
Implementation
Taint and VSA intra-procedural analyses using BinNavi
Large over-approximations
Tested improvements:
Restrict VSA to the registers and memory locations involved in address computations: a backward analysis tracking the registers used as memory destinations
An inter-procedural taint analysis based on a lightweight value analysis
To do
Take into account the size of memory transfers
Strided intervals, in particular for a fine-grained treatment of arrays
Reps & Balakrishnan VSA
Objective = program verification
4 distinct memory regions
global, local, heap and registers
Value representation
Strided intervals on a k-bit memory: $s[l, u] = \{\, i \in [-2^{k-1},\, 2^{k-1} - 1] \mid l \le i \le u,\ i \equiv l \pmod{s} \,\}$
↪→ good representation for array/field access operations
Iterative VSA
iterate VSA and "structure identification" techniques to refine the recognition of memory addresses
widening and affine-relation analysis to recover index-based array iterations
Recency abstraction for heap allocation (strong/weak update)
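The strided-interval domain above, as an added example (not code from the slides or from the authors' prototype): membership, concretisation and the join used when two abstract values meet, applied to the array/field accesses the slide mentions. The 32-bit default width, the helper names and the sample addresses are this example's own choices.

```python
# Added example: a minimal strided-interval domain in the Reps & Balakrishnan style.
from functools import reduce
from math import gcd
from typing import Iterable


class StridedInterval:
    """s[l, u] = { i in [-2^(k-1), 2^(k-1)-1] | l <= i <= u, i == l (mod s) }.
    A stride of 0 denotes the singleton [l, l]."""

    def __init__(self, stride: int, lo: int, hi: int, k: int = 32):
        kmin, kmax = -(1 << (k - 1)), (1 << (k - 1)) - 1
        if not (kmin <= lo <= hi <= kmax):
            raise ValueError("bounds outside the k-bit range")
        if stride < 0 or (stride == 0 and lo != hi):
            raise ValueError("stride 0 is only valid for a singleton")
        if stride and (hi - lo) % stride:
            hi -= (hi - lo) % stride          # normalise: u must be reachable from l
        self.s, self.l, self.u, self.k = stride, lo, hi, k

    def contains(self, i: int) -> bool:
        if not (self.l <= i <= self.u):
            return False
        return self.s == 0 or (i - self.l) % self.s == 0

    def members(self) -> Iterable[int]:
        """Concretisation; finite because the interval is bounded."""
        return range(self.l, self.u + 1, self.s or 1)

    def join(self, other: "StridedInterval") -> "StridedInterval":
        """Least upper bound: the new stride must divide both strides and the
        distance between the two lower bounds, so gcd of the three is sound."""
        lo, hi = min(self.l, other.l), max(self.u, other.u)
        s = reduce(gcd, (self.s, other.s, abs(self.l - other.l)))
        return StridedInterval(s, lo, hi, self.k)

    def __repr__(self) -> str:
        return f"{self.s}[{hex(self.l)}, {hex(self.u)}]"


def array_access(base: int, elem_size: int, n_elems: int, field_off: int = 0) -> StridedInterval:
    """Addresses touched by `arr[i].field` for i in [0, n_elems): one strided interval."""
    lo = base + field_off
    return StridedInterval(elem_size, lo, lo + elem_size * (n_elems - 1))


def may_overlap(a: StridedInterval, b: StridedInterval) -> bool:
    """Do two access sets share an address?  (Enumerates the smaller set.)"""
    small, big = sorted((a, b), key=lambda si: si.u - si.l)
    return any(big.contains(i) for i in small.members())


if __name__ == "__main__":
    # Constructed sample: a 4-element array of 8-byte records at 0x1000.
    first_field = array_access(0x1000, 8, 4)            # 8[0x1000, 0x1018]
    second_field = array_access(0x1000, 8, 4, 4)        # 8[0x1004, 0x101c]
    print(first_field, second_field, may_overlap(first_field, second_field))  # False
    print(first_field.join(StridedInterval(0, 0x1100, 0x1100)))              # 8[0x1000, 0x1100]
```

A plain interval [0x1000, 0x101c] would report the two fields as overlapping; the stride is what keeps the two access sets apart, which is why the slide calls the representation good for array and field accesses.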
Debray et al.'s alias analysis
Value analysis to identify aliases between memory references: register sets containing the same values at the same locations
Proposed approach
Goal: extract the subgraphs of the CFG leading to an exploitable Use-After-Free
Approach
2 steps:
1: Detection of Use-After-Free
Value analysis
Characterisation of Use-After-Free
2: Exploitability of Use-After-Free
Determining possible re-allocations
Exploitability condition (ongoing work)
Semi-automatic: manual description of allocation strategies
Memory model and VSA
Modelling the heap
HE = all possible memory blocks in the heap
A member of HE is represented as $(heap_i, size_i)$ (written $chunk_i$ for short)
HA(pc) (resp. HF(pc)) = the members of HE allocated (resp. freed) at program point pc
$HA : PC \to \mathcal{P}(HE)$
$HF : PC \to \mathcal{P}(HE)$
$HA(pc) \cap HF(pc) = \emptyset$
VSA for detection
Track allocations, frees and heap accesses
Record the size of each allocation (for exploitability)
One allocation = one new chunk
Transfer functions for heap operations

function malloc(pc, size)
    id := id_max
    id_max := id_max + 1
    HA := HA ← {pc ↦ HA(pc) ∪ {(base_id, size)}}
    point_alloc := point_alloc ← {(base_id, size) ↦ pc}
    return (base_id, size)
end function

function free(pc, (base_x, size))
    HA := HA ← {pc ↦ HA(pc) \ {(base_x, size)}}
    HF := HF ← {pc ↦ HF(pc) ∪ {(base_x, size)}}
    point_free := point_free ← {(base_x, size) ↦ point_free(base_x, size) ∪ {pc}}
end function
Detection: characterisation of Use-After-Free
AccessHeap
AccessHeap returns all the elements of HE that are accessed at pc. Examples with the REIL memory transfer instructions:
$\mathrm{AccessHeap}(\mathrm{LDM}\ ad,\ \_,\ reg) = \mathrm{AbsEnv}(ad) \cap HE$
$\mathrm{AccessHeap}(\mathrm{STM}\ reg,\ \_,\ ad) = \mathrm{AbsEnv}(ad) \cap HE$
Search for the uses of a freed element of the heap:
$\mathrm{EnsUaf} = \{\, (pc, chunk) \mid chunk \in \mathrm{AccessHeap}(pc) \cap HF(pc) \,\}$
Extraction of the executions leading to each Use-After-Free: all the reachable nodes lying on the following paths:
$pc_{entry} \to pc_{alloc}$, $pc_{alloc} \to pc_{free}$, $pc_{free} \to pc_{uaf}$
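The detection step end to end, as an added example (not the authors' BinNavi prototype): the malloc/free transfer functions on HA/HF, a worklist fixpoint over a CFG, the AccessHeap query, EnsUaf, and the extraction of the nodes on the entry → alloc → free → use paths. The REIL-like instruction tuples, the register names, the sample program and the choice of the allocation site as base_id (the slides use a fresh counter; folding it onto the site keeps the fixpoint finite in loops) are all assumptions of this example.

```python
# Added example: Use-After-Free detection with HA/HF tracking over a tiny REIL-like program.
from collections import deque
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple


class Chunk(NamedTuple):
    base: int   # allocation site used as base_id (one chunk per site keeps the fixpoint finite)
    size: int


class State(NamedTuple):
    env: Dict[str, FrozenSet[Chunk]]   # AbsEnv: register -> chunks it may point to
    ha: FrozenSet[Chunk]               # HA(pc): chunks allocated at this point
    hf: FrozenSet[Chunk]               # HF(pc): chunks freed at this point


Instr = Tuple[str, ...]
EMPTY: FrozenSet[Chunk] = frozenset()


def transfer(pc: int, ins: Instr, st: State) -> State:
    """malloc adds a chunk to HA, free moves it from HA to HF, loads/stores leave both unchanged."""
    env, ha, hf = dict(st.env), set(st.ha), set(st.hf)
    op = ins[0]
    if op == "alloc":                          # ("alloc", dst_reg, size)
        c = Chunk(pc, ins[2])
        env[ins[1]] = frozenset({c}); ha.add(c); hf.discard(c)
    elif op == "free":                         # ("free", reg): every chunk reg may point to
        for c in env.get(ins[1], EMPTY):
            ha.discard(c); hf.add(c)
    elif op == "mov":                          # ("mov", dst, src): pointer copy
        env[ins[1]] = env.get(ins[2], EMPTY)
    elif op == "ldm":                          # ("ldm", dst, addr_reg): loaded value is not a known chunk
        env[ins[1]] = EMPTY
    # "stm", "jmp", "ret": no effect on HA, HF or AbsEnv
    return State(env, frozenset(ha), frozenset(hf))


def join(a: Optional[State], b: State) -> State:
    """Merge at CFG join points; a chunk freed on any incoming path stays in HF, so HA ∩ HF = ∅ holds."""
    if a is None:
        return b
    env = {r: a.env.get(r, EMPTY) | b.env.get(r, EMPTY) for r in set(a.env) | set(b.env)}
    hf = a.hf | b.hf
    return State(env, (a.ha | b.ha) - hf, hf)


def analyze(prog: Dict[int, Instr], cfg: Dict[int, List[int]], entry: int = 0) -> Dict[int, State]:
    """Worklist fixpoint; returns the abstract state on entry to each program point."""
    states: Dict[int, State] = {entry: State({}, EMPTY, EMPTY)}
    work = deque([entry])
    while work:
        pc = work.popleft()
        out = transfer(pc, prog[pc], states[pc])
        for succ in cfg.get(pc, []):
            merged = join(states.get(succ), out)
            if merged != states.get(succ):
                states[succ] = merged
                work.append(succ)
    return states


def access_heap(ins: Instr, st: State) -> FrozenSet[Chunk]:
    """AccessHeap(pc) = AbsEnv(ad) ∩ HE for LDM/STM; ad is the address operand (index 2 here)."""
    return st.env.get(ins[2], EMPTY) if ins[0] in ("ldm", "stm") else EMPTY


def find_uaf(prog: Dict[int, Instr], states: Dict[int, State]) -> List[Tuple[int, Chunk]]:
    """EnsUaf = {(pc, chunk) | chunk ∈ AccessHeap(pc) ∩ HF(pc)}."""
    return sorted((pc, c) for pc, st in states.items() for c in access_heap(prog[pc], st) & st.hf)


def _reach(graph: Dict[int, List[int]], src: int) -> Set[int]:
    seen, todo = set(), [src]
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n); todo.extend(graph.get(n, []))
    return seen


def uaf_subgraph(cfg: Dict[int, List[int]], entry: int, pc_alloc: int, pc_free: int, pc_uaf: int) -> Set[int]:
    """Nodes on some path entry -> alloc -> free -> uaf: forward ∩ backward reachability per segment."""
    rcfg: Dict[int, List[int]] = {}
    for n, succs in cfg.items():
        for s in succs:
            rcfg.setdefault(s, []).append(n)
    segments = [(entry, pc_alloc), (pc_alloc, pc_free), (pc_free, pc_uaf)]
    return set().union(*(_reach(cfg, a) & _reach(rcfg, b) for a, b in segments))


# Constructed program mirroring the C snippet later in the talk; node 7 is a branch
# that skips the use, so it must not appear in the extracted subgraph.
PROG: Dict[int, Instr] = {
    0: ("alloc", "r1", 8),     # p1 = malloc(sizeof(st))
    1: ("stm", "r2", "r1"),    # p1->f = &nothing
    2: ("free", "r1"),         # free(p1)
    3: ("alloc", "r3", 16),    # p2 = malloc(strlen(argv[1]))
    4: ("stm", "r4", "r3"),    # strcpy(p2, argv[1])
    5: ("ldm", "r5", "r1"),    # p1->f : load through the freed chunk
    6: ("jmp", "r5"),          # indirect call
    7: ("ret",),
}
CFG: Dict[int, List[int]] = {0: [1], 1: [2], 2: [3, 7], 3: [4], 4: [5], 5: [6], 6: [], 7: []}

if __name__ == "__main__":
    uafs = find_uaf(PROG, analyze(PROG, CFG))
    print("EnsUaf:", uafs)
    for pc, chunk in uafs:       # the free site (2) would come from point_free in a full analysis
        print("subgraph:", sorted(uaf_subgraph(CFG, 0, chunk.base, 2, pc)))
```

The store at node 4 goes through a chunk that is still in HA, so it is not reported; only the load at node 5 hits a chunk in HF. The extracted subgraph {0, 1, 2, 3, 4, 5} is the input of the exploitability step described next.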
Example: Use-After-Free detection and extraction
Exploitability
⇒ We consider a UaF as exploitable if another pointer points to the same memory zone (an unwanted alias).
Steps
1 Determine the paths where new allocations take place between the free and the use locations
2 Determine whether some of these allocations can re-allocate the same memory area, based on a particular allocation strategy (worst case: all allocations are considered dangerous)
3 Is the size of the new allocation a tainted value? Is its content modified by a tainted value?
4 How is the heap access used: as a read, a write or a jump?
1. Extracting paths with re-allocations
Replay the allocations between the free → use
Allocation order matters for exploitability
Find all "heap operation paths" (with loop summaries)
2. Replay re-allocations
Re-allocation of the same memory area
Simulate an allocator on each "heap operation path" by replaying the VSA
Allocator modelling (possibly with a new heap model): define some general behaviours/properties of allocators:
→ P1: Heap space is divided into blocks. Blocks are classified according to their size and state (allocated/freed)
→ P2: A new block can take the place of a freed block
→ P3: A freed block can be split
→ P4: Two freed blocks can be consolidated
→ ...
3 and 4. Dangerousness: taint and type of heap access

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    void (*f)(void);
} st;

void nothing(void)
{
    printf("Nothing\n");
}

int main(int argc, char *argv[])
{
    st *p1;
    char *p2;
    if (argc < 2)
        return 1;
    p1 = (st *) malloc(sizeof(st));
    p1->f = &nothing;
    free(p1);                       /* p1 is now dangling */
    p2 = malloc(strlen(argv[1]));   /* size is tainted */
    strcpy(p2, argv[1]);            /* content of p2 is tainted */
    p1->f();                        /* access through the freed chunk, used as a jump */
    return 0;
}
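The exploitability steps 1 to 4 applied to the program above, as an added example (not the authors' prototype): a heap-operation path between the allocation of p1 and its use is replayed against a modelled allocator with the P1-P4 behaviours, then the re-allocation, the taint of its size and content, and the kind of access are combined into a verdict. The first-fit free-list allocator, the 16-byte granularity, the path encoding, the "worst" strategy flag and the assumption that sizeof(st) is 8 bytes on a 64-bit target are all choices of this example, not of the slides.

```python
# Added example: replay of re-allocations on a heap-operation path against a modelled allocator.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALIGN = 16   # assumed allocator granularity


@dataclass
class Block:
    base: int
    size: int

    def overlaps(self, other: "Block") -> bool:
        return self.base < other.base + other.size and other.base < self.base + self.size


class ModelAllocator:
    """Free-list first, first-fit allocator with splitting and coalescing (properties P1-P4)."""

    def __init__(self) -> None:
        self.free_blocks: List[Block] = []   # P1: freed blocks, kept sorted by base
        self.top = 0                         # bump pointer into never-used memory

    def malloc(self, size: int) -> Block:
        size = max(ALIGN, -(-size // ALIGN) * ALIGN)
        for i, b in enumerate(self.free_blocks):
            if b.size >= size:                   # P2: a new block takes the place of a freed one
                blk = Block(b.base, size)
                if b.size > size:                # P3: split, the remainder stays free
                    b.base, b.size = b.base + size, b.size - size
                else:
                    del self.free_blocks[i]
                return blk
        blk = Block(self.top, size)              # no fit: carve fresh memory
        self.top += size
        return blk

    def free(self, blk: Block) -> None:
        self.free_blocks.append(Block(blk.base, blk.size))
        self.free_blocks.sort(key=lambda b: b.base)
        merged: List[Block] = []                 # P4: consolidate adjacent freed blocks
        for b in self.free_blocks:
            if merged and merged[-1].base + merged[-1].size == b.base:
                merged[-1].size += b.size
            else:
                merged.append(b)
        self.free_blocks = merged


# Path ops: ("malloc", name, size_or_None, size_tainted), ("write", name, content_tainted),
# ("free", name), ("use", name, "read" | "write" | "jump").  A size of None means "unknown".
HeapOp = Tuple


def replay(path: List[HeapOp], dangling: str, strategy: str = "model") -> Dict[str, object]:
    """Replay the path; report whether the chunk behind `dangling` is re-allocated before its use.
    strategy "worst" follows the slides' worst case: every allocation after the free is dangerous."""
    alloc, live, reusers = ModelAllocator(), {}, set()
    stale: Optional[Block] = None
    facts: Dict[str, object] = {"reallocated": False, "realloc_size_tainted": False,
                                "content_tainted": False, "access": None}
    for op in path:
        kind, name = op[0], op[1]
        if kind == "malloc":
            size, tainted = op[2], op[3]
            if size is None:   # unknown (tainted) size: worst case, the attacker picks the stale size
                size = stale.size if stale is not None else ALIGN
            blk = alloc.malloc(size)
            live[name] = blk
            if stale is not None and (strategy == "worst" or blk.overlaps(stale)):
                facts["reallocated"] = True
                facts["realloc_size_tainted"] = bool(facts["realloc_size_tainted"] or tainted)
                reusers.add(name)
        elif kind == "free":
            blk = live.pop(name)
            alloc.free(blk)
            if name == dangling:
                stale = blk
        elif kind == "write" and name in reusers and op[2]:
            facts["content_tainted"] = True
        elif kind == "use" and name == dangling:
            facts["access"] = op[2]
    facts["verdict"] = verdict(facts)
    return facts


def verdict(f: Dict[str, object]) -> str:
    if not f["reallocated"]:
        return "stale chunk not reused on this path"
    if f["access"] == "jump":
        return "controlled jump" if f["content_tainted"] else "jump through stale pointer"
    if f["access"] == "write":
        return "write into the re-allocated object"
    return "read of attacker data" if f["content_tainted"] else "read of the re-allocated object"


# Constructed path for the C program above.
PATH = [("malloc", "p1", 8, False), ("write", "p1", False), ("free", "p1"),
        ("malloc", "p2", None, True), ("write", "p2", True), ("use", "p1", "jump")]
# Same program, but the re-allocation is a fixed 64-byte object: first fit does not reuse p1's block.
PATH_BIG = [("malloc", "p1", 8, False), ("free", "p1"),
            ("malloc", "p2", 64, False), ("write", "p2", True), ("use", "p1", "jump")]

if __name__ == "__main__":
    print(replay(PATH, "p1"))                # verdict: controlled jump
    print(replay(PATH_BIG, "p1"))            # verdict: stale chunk not reused on this path
    print(replay(PATH_BIG, "p1", "worst"))   # worst case: controlled jump
```

The two strategies illustrate the trade-off the slides make: the modelled allocator says the 64-byte object lands elsewhere, while the worst case still flags it, which is what makes the allocation strategy a parameter of exploitability rather than of detection.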
Discussion of the approach
Separating detection from exploitability
Triggering a Use-After-Free is independent of the allocation strategy
A programming error, always present: the "cause" of the Use-After-Free
The exploitability of a Use-After-Free depends on the allocation strategy
What has happened between the free and the use of the item? The "consequence" of the Use-After-Free
Advantages of this approach:
Using "classic" techniques for detection
Studying exploitability on a subset of the possible executions of the program
For a detected Use-After-Free, the opportunity to study several allocation strategies (or the worst case)
Sofia Bekrar, Chaouki Bekrar, Roland Groz, and Laurent Mounier. A taint based approach for smart fuzzing. In Giuliano Antoniol, Antonia Bertolino, and Yvan Labiche, editors, Proceedings of SecTest, pages 818–825, 2012.
Josselin Feist, Laurent Mounier, and Marie-Laure Potet. Statically detecting Use-after-Free on binary code. In Proc. of GreHack 2013, Grenoble (France), November 2013 (to appear).
Gustavo Grieco, Laurent Mounier, Marie-Laure Potet, and Sanjay Rawat. A stack model for symbolic buffer overflow exploitability analysis. In Proceedings of CSTVA (ICST Workshop), pages 216–217, Luxembourg, March 2013. IEEE.
Sanjay Rawat, Dumitru Ceara, Laurent Mounier, and Marie-Laure Potet. Combining static and dynamic analysis for vulnerability detection. MDV'10, Modeling and Detecting Vulnerabilities workshop, associated to ICST 2010, IEEE Digital Library, 2013.
Sanjay Rawat and Laurent Mounier. Offset-aware mutation based fuzzing for buffer overflow vulnerabilities: Few preliminary results. In Proc. of The Second International Workshop on Security Testing (SECTEST). IEEE, 2011.
Sanjay Rawat and Laurent Mounier. Finding buffer overflow inducing loops in binary executables. In Proceedings of the Sixth International Conference on Software Security and Reliability (SERE), pages 177–186, Gaithersburg, Maryland, USA, 2012. IEEE.
GreHack'13: international symposium in Grey-Hat Hacking
Conference
PC: The Grugq, Fermin J. Serna, Manuel Egele, Eric Filiol, etc.
Papers: 28% (9/32) acceptance rate
Invited speakers: H. Bos, H. Flake, J. Caballero
Speakers: Ruo Ando (Japan), E. Leverett (IOActive, US) ...
220 attendees
50% security engineers
several pentest teams (Italy, Spain, France)
95% of the last-wave tickets sold within one morning!