31st IEEE Symposium on Security & Privacy

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Tielei Wang (1), Tao Wei (1), Guofei Gu (2), Wei Zou (1)
(1) Peking University, China
(2) Texas A&M University, US

Outline
- Introduction
  - Background
  - Motivation
- TaintScope
  - Intuition
  - System Design
  - Evaluation
- Conclusion

Fuzzing/Fuzz Testing
- Feed target applications with malformed inputs, e.g., invalid, unexpected, or random test cases
  - Proven to be remarkably successful
  - E.g., randomly mutate well-formed inputs and run the target application with the "mutations"
  [Figure: a Fuzzer produces Malformed Input, which is fed to the Application and makes it crash]

Fuzzing is great
- In the best case, malformed inputs will explore different program paths and trigger security vulnerabilities
- However...

A quick example

     1  void decode_image(FILE* fd){
     2    ...
     3    int length = get_length(fd);
     4    int recomputed_chksum = checksum(fd, length);  // re-compute a new checksum
     5    int chksum_in_file = get_checksum(fd);         // read the attached checksum
     6    if(chksum_in_file != recomputed_chksum)        // compare the two values; line 6 checks the integrity of inputs
     7      error();
     8    int Width = get_width(fd);
     9    int Height = get_height(fd);
    10    int size = Width*Height*sizeof(int);           // integer overflow
    11    int* p = malloc(size);
    12    ...

- Malformed images will be dropped when the decoder function detects a checksum mismatch

Checksum: the bottleneck
- Checksum is a common way to test the integrity of input data
- Most mutations are blocked at the checksum test point:

    if(checksum(Data) != Chksum)

Our motivation
- Our goal: penetrate checksum checks!

Intuition
- Disable checksum checks by control flow alteration

    Original program:                    Modified program:
    if(checksum(Data) != Chksum)         if(checksum(Data) != Chksum)
      exit();                              goto L1;
    L1: continue();                      L1: continue();

- Fuzz the modified program
- Repair the checksum fields in malformed inputs that can crash the modified program

Key Questions
- Q1: How to locate the checksum test instructions in a binary program?
- Q2: How to effectively and efficiently fuzz for security vulnerability detection?
- Q3: How to generate the correct checksum value for the invalid inputs that can crash the modified program?

TaintScope Overview
[Figure: system architecture. Components: Checksum Locator (Q1) with its Instruction Profile, producing the Modified Program; Directed Fuzzer (Q2) with Hot Bytes Info and the Execution Monitor, producing Crashed Samples; Checksum Repairer (Q3), producing Reports]

A1: Locate the checksum test instruction
Key Observation 1: a checksum is usually used to protect a large number of input bytes

    [ Data ........................ | Chksum ]    if(checksum(Data) != Chksum)

- Based on fine-grained taint analysis, we first find the conditional jump instructions (e.g., jz, je) that depend on more than a certain number of input bytes
- Take these conditional jump instructions as candidates

A1: Locate the checksum test instruction
Key Observation 2: well-formed inputs can pass the checksum test, but most malformed inputs cannot
- We log the behaviors of candidate conditional jump instructions:
  1. Run well-formed inputs, identify the always-taken and always-not-taken instructions
  2. Run malformed inputs, also identify the always-taken and always-not-taken instructions
  3. Identify the conditional jump instruction that behaves completely differently when processing well-formed and malformed inputs
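The three-step behaviour logging above, as an added example that is not the TaintScope tool's own code: it runs over constructed branch traces (addresses, tainted-byte counts and outcomes are all made up) and reports the candidate whose constant outcome flips between well-formed and malformed runs.

```python
# Added example (not the TaintScope tool's own code): the three-step behaviour
# logging from the slides, run over constructed branch traces. A candidate is a
# conditional jump whose condition depends on more than MIN_TAINTED_BYTES input
# bytes; it is reported as the checksum test when its outcome is constant over
# all well-formed runs, constant over all malformed runs, and the two differ.
from collections import defaultdict

MIN_TAINTED_BYTES = 16  # assumed threshold for "depends on many input bytes"

# One record per executed conditional jump: (address, number of tainted input
# bytes the condition depends on, branch taken?). Constructed values:
#   0x401000  checksum compare (depends on the whole payload)
#   0x401040  magic-number check (4 bytes: never a candidate)
#   0x401080  loop exit over the payload (many bytes, but always taken)
#   0x4010c0  width-dependent branch (few bytes, varies either way)
GOOD_RUNS = [
    [(0x401000, 1024, False), (0x401040, 4, True), (0x401080, 1024, True), (0x4010c0, 4, True)],
    [(0x401000, 2048, False), (0x401040, 4, True), (0x401080, 2048, True), (0x4010c0, 4, False)],
]
BAD_RUNS = [
    [(0x401000, 1024, True), (0x401040, 4, True), (0x401080, 1024, True)],
    [(0x401000, 2048, True), (0x401040, 4, True), (0x401080, 2048, True), (0x4010c0, 4, True)],
    [(0x401000, 512, True), (0x401040, 4, True), (0x401080, 512, True), (0x4010c0, 4, False)],
]

def constant_outcomes(runs, min_tainted=MIN_TAINTED_BYTES):
    """Steps 1 and 2: map each candidate jump to its outcome if that outcome
    was the same every time it executed (always-taken / always-not-taken)."""
    outcomes = defaultdict(set)
    for run in runs:
        for addr, tainted, taken in run:
            if tainted > min_tainted:
                outcomes[addr].add(taken)
    return {addr: s.pop() for addr, s in outcomes.items() if len(s) == 1}

def locate_checksum_checks(good_runs, bad_runs, min_tainted=MIN_TAINTED_BYTES):
    """Step 3: candidates whose constant outcome flips between well-formed and
    malformed inputs. Returns {address: outcome on well-formed inputs}, i.e.
    the edge the modified program must always take."""
    good = constant_outcomes(good_runs, min_tainted)
    bad = constant_outcomes(bad_runs, min_tainted)
    return {addr: good[addr] for addr in good if addr in bad and good[addr] != bad[addr]}

if __name__ == "__main__":
    for addr, edge in locate_checksum_checks(GOOD_RUNS, BAD_RUNS).items():
        print(f"checksum test at {addr:#x}: well-formed inputs take branch = {edge}")
```

The loop-exit branch at 0x401080 is filtered out even though it depends on many input bytes, because it behaves the same on both input classes; only the checksum compare survives all three steps.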

A2: Effective and efficient fuzzing
- Blindly mutating will create a huge amount of redundant test cases: ineffective and inefficient
- Directly modifying the "width" or "height" fields will trigger the bug easily:

     1  void decode_image(FILE* fd){
     2    ...
     6    if(chksum_in_file != recomputed_chksum) goto 8;   // altered conditional jump bypasses error()
     7      error();
     8    int Width = get_width(fd);
     9    int Height = get_height(fd);
    10    int size = Width*Height*sizeof(int);   // integer overflow
    11    int* p = malloc(size);
    12    ...

- Directed fuzzing: focus on modifying the "hot bytes", i.e., the input bytes that flow into critical system/library calls
  - Memory allocation, string operations, ...

A3: Generate the correct checksum
- The classical solution is symbolic execution and constraint solving
  - Solving checksum(Data) == Chksum is hard or impossible if both Data and Chksum are symbolic values
- We use combined concrete/symbolic execution
  - Only leave the bytes in the checksum field as symbolic values
  - Collect and solve the trace constraints on Chksum when reaching the checksum test instruction
  - Note that:
    - checksum(Data) is a runtime-determinable constant value
    - Chksum originates from the checksum field, but may be transformed, such as from a hex/oct to a decimal number, or from little-endian to big-endian

Design Summary
- Directed Fuzzing
  - Identify and modify "hot bytes" in valid inputs to generate malformed inputs
    - On top of the PIN binary instrumentation platform
- Checksum-aware Fuzzing
  - Locate checksum check points and checksum fields
  - Modify the program to accept all kinds of input data
  - Generate correct checksum fields for malformed inputs that can crash the modified program
    - Offline symbolically execute the trace, using the STP solver
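The whole workflow of A2, A3 and this summary on one constructed toy image format, as an added example that is not TaintScope's code: the layout (magic, little-endian width and height, pixels, CRC32 stored as ASCII hex), the hot-byte offsets and the decode_image model are all assumptions, and the checksum field's hex-text transformation is inverted directly rather than solved with STP.

```python
# Added example (not TaintScope's code): the checksum-aware workflow from the
# slides on a constructed toy image format. Assumed layout: b"TIMG" | width u32
# LE | height u32 LE | pixels | 8 ASCII-hex characters holding the CRC32 of every
# byte before the field. The hex text is one of the field transformations the
# slides mention; it is inverted directly here instead of being solved with STP.
import struct
import zlib

HOT_BYTES = {"width": slice(4, 8), "height": slice(8, 12)}  # bytes reaching the malloc size
CHK_FIELD = slice(-8, None)

def make_image(width, height):
    """A valid sample input with a correct checksum field."""
    data = b"TIMG" + struct.pack("<II", width, height) + bytes(width * height * 4)
    return data + f"{zlib.crc32(data):08x}".encode()

def checksum_ok(img):
    # the original program's test: transformed field value vs. recomputed checksum
    return int(img[CHK_FIELD], 16) == zlib.crc32(img[:-8])

def decode_image(img, checksum_check_disabled=False):
    """Model of the slide's decode_image. The flag stands for the control-flow
    alteration that turns line 6 into goto 8. Returns 'checksum_error',
    'integer_overflow' (Width*Height*sizeof(int) no longer fits in 32 bits,
    the bug at lines 10-11) or 'ok'."""
    if not checksum_check_disabled and not checksum_ok(img):
        return "checksum_error"
    width, height = struct.unpack("<II", img[4:12])
    if width * height * 4 >= 1 << 32:
        return "integer_overflow"
    return "ok"

def mutate_hot_bytes(img, field, value):
    # directed fuzzing: only the bytes that flow into the allocation size change
    out = bytearray(img)
    out[HOT_BYTES[field]] = struct.pack("<I", value)
    return bytes(out)

def repair_checksum(img):
    # checksum(Data) is a concrete constant at runtime; invert the field's
    # hex-text transformation so the original program's check passes again
    return img[:-8] + f"{zlib.crc32(img[:-8]):08x}".encode()

def checksum_aware_fuzz_case(width_value, height_value):
    """One directed test case built from a 2x2 sample. Returns the verdicts of
    (modified program on the mutant, original program on the raw mutant,
    original program on the mutant with a repaired checksum field)."""
    case = mutate_hot_bytes(make_image(2, 2), "width", width_value)
    case = mutate_hot_bytes(case, "height", height_value)
    return (decode_image(case, checksum_check_disabled=True),
            decode_image(case),
            decode_image(repair_checksum(case)))
```

A raw mutant that crashes the modified program is rejected by the original at line 6; after the field is repaired, the same mutant reaches the overflow in the unmodified program, which is the report the Checksum Repairer produces.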

Evaluation
- Component evaluation
  - E1: Can TaintScope locate checksum points and checksum fields?
  - E2: How many hot bytes are there in a valid input?
  - E3: Can TaintScope generate a correct checksum field?
- Overall evaluation
  - E4: Can TaintScope detect previously unknown vulnerabilities in real-world applications?

Evaluation 1: locate checksum points
- We tested several common checksum algorithms, including CRC32, MD5, and Adler32. TaintScope accurately located the check statements.

Evaluation 2: identify hot bytes
- We measured the number of bytes that could affect the size arguments of memory allocation functions

Evaluation 3: generate correct checksum fields
- We tested malformed inputs in four kinds of file formats. TaintScope is able to generate correct checksum fields.

Evaluation 4: 27 previously unknown vulnerabilities
- Affected applications: MS Paint, Google Picasa, IrfanView, GStreamer, Amaya, Dillo, Adobe Acrobat, ImageMagick, Winamp, XEmacs, wxWidgets, PDFlib

Evaluation 4: 27 previously unknown vulnerabilities (continued; the details on the following two slides were not extracted)

Conclusion
- Checksum is a big challenge for fuzzing tools
- TaintScope can perform:
  - Directed fuzzing
    - Identify which bytes flow into system/library calls
    - Dramatically reduce the mutation space
  - Checksum-aware fuzzing
    - Disable checksum checks by control flow alteration
    - Generate correct checksum fields in invalid inputs
- TaintScope detected dozens of serious previously unknown vulnerabilities

Thanks for your attention!