Ravel: Pinpointing Vulnerabilities

dataera · 39 slides · Jun 29, 2017

About This Presentation

A Time Machine to pinpoint vulnerabilities.

Memory-based vulnerabilities are a major source of attack vectors. They allow attackers to gain unauthorized access to computers and their data. Previous research has made significant progress in detecting attacks. However, developers still need to locate...


Slide Content

Pinpointing Vulnerabilities
Yue Chen, Mustakimur Khandaker, Zhi Wang
Florida State University
Pinpointing Vulnerabilities 1

Question
•When an attack is detected, how do we locate the
underlying vulnerability?
[Diagram: Attack → Vulnerability]

Example
•A control-flow violation is detected at line 6.
•The vulnerability lies at line 4 (buffer overflow).
[Code listing not captured: line 4 is the root cause (the
overflowing write), line 6 the symptom (the detected violation)]

Attack Detection vs. Vulnerability Locating
•Control-flow Integrity (CFI)
–Detects control-flow graph violations (e.g., on
function returns)
•Taint Analysis
–Detects tainted data being loaded into the PC
•System Call Interposition
–Detects abnormal syscalls made by the payload
The manifestation of an attack rarely coincides
with the vulnerability that enabled it

Ravel – Three Components
•Online attack detector
•Record & replay with instrumentation
•Offline vulnerability locator
RAVEL: Root-cause Analysis of Vulnerabilities from Exploitation Log

Ravel – Strengths
1.Reliably reproduces real-world attacks in the lab
environment
2.Low online performance overhead
–Locating vulnerabilities is time-consuming, so it is
done offline on the replayed execution
3.Extensible:
–New attack detection and vulnerability locating
techniques can be easily integrated
–(already supports a variety of vulnerability locating
techniques)

Attack Detection
•Ravel uses existing attack detection methods
–Program crash (or other exceptions)
–Abnormal system calls (sequence/arguments)
–Control-flow integrity violation (to be included)
•New methods can be easily adopted by Ravel

Record & Replay
•What to record & replay?
–All the non-deterministic inputs (e.g., network packets)
•Where to record & replay?
–Application interface
–Library interface
–Virtual machine interface
–System call interface (Ravel's choice: more robust
against attacks, with low cost)

Record
•System call return values
•Userspace data structures modified by syscalls
•Data copied from kernel to userspace
•Asynchronous signals
•Special instructions (e.g., RDTSC)
•Synchronization primitives

Replay with Instrumentation
•Some syscalls are replayed from the log without real
execution
–e.g., gettimeofday
•Some syscalls need to be re-executed to rebuild the
process state
–e.g., mmap
•Replay runs under a binary translation (BT) engine
–BT collects the detailed memory accesses made by the
target
–Replay distinguishes syscalls made by the target from
those made by the BT engine itself

Vulnerability Locator
•Data-flow Analysis
•Race Condition
•Use-after-free
•Double-free
•Integer Errors

Data-flow Analysis
•Analyze def-use relations between instructions
•Define (def): a write to a memory address
•Use: a read from a memory address
[Diagram: instruction A writes a memory location (define)
that instruction B later reads (use): the def-use edge A → B]

Data-flow Analysis
•Precompute a data-flow graph (DFG)
–DFG: the valid def-use relations in the program
–Our prototype uses dynamic analysis
–Def-use relations that appear in the replayed attack but
not in the DFG are regarded as violations
•A violation of the DFG indicates the vulnerability location
–It could be the def or the use, but which one?
–Refine the results with heuristics

Data-flow Analysis Heuristics
•One def, many uses:
def is closer to the vulnerability
–Example: buffer overflow (one overflowing write is later
read by many unrelated instructions)
•Many defs, one use:
use is closer to the vulnerability
–Example: information leakage (one over-reading
instruction reads data written by many unrelated
instructions)
•…
[Diagram: one def with several normal uses and several
violating uses; several defs feeding one violating use]
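The def-use analysis and the two heuristics above, worked through in code. This is an added example, not code from the slides or from Ravel: the trace format, the instruction addresses (0x401000 and so on), the small memory offsets used as addresses and both scenarios are constructed for illustration. Ravel itself collects the accesses from a binary-translation replay of the real x86 binary.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed trace format (not Ravel's): one memory access per entry. pc is
 * the executing instruction, op is 'W' (a def) or 'R' (a use), addr the
 * location touched, kept below MAX_ADDRS so it can index the shadow array. */
typedef struct { uint32_t pc; char op; uint16_t addr; } access_t;
typedef struct { uint32_t def_pc, use_pc; } edge_t;
typedef struct { uint32_t pc; char role; } located_t;   /* role: 'D' def, 'U' use, '?' unclear, '-' none */

#define MAX_ADDRS 64
#define MAX_EDGES 128
#define MAX_TRACE 96
typedef struct { edge_t e[MAX_EDGES]; int n; } dfg_t;

static int dfg_has(const dfg_t *g, uint32_t d, uint32_t u) {
    for (int i = 0; i < g->n; i++)
        if (g->e[i].def_pc == d && g->e[i].use_pc == u) return 1;
    return 0;
}

/* Pair each read with the latest write to the same address (a def-use edge).
 * baseline == NULL: keep every edge, i.e. build the DFG from a benign run.
 * baseline != NULL: keep only edges absent from it, i.e. the DFG violations
 * seen while replaying the attack. */
static void build_edges(const access_t *t, int n, const dfg_t *baseline, dfg_t *out) {
    uint32_t last_def[MAX_ADDRS] = {0};               /* 0 = not written yet */
    out->n = 0;
    for (int i = 0; i < n; i++) {
        uint16_t a = t[i].addr;
        if (a >= MAX_ADDRS) continue;
        if (t[i].op == 'W') { last_def[a] = t[i].pc; continue; }
        if (last_def[a] == 0) continue;                /* read of unwritten memory: nothing to pair */
        uint32_t d = last_def[a], u = t[i].pc;
        if (baseline && dfg_has(baseline, d, u)) continue;
        if (!dfg_has(out, d, u) && out->n < MAX_EDGES) out->e[out->n++] = (edge_t){ d, u };
    }
}

/* The slides' heuristic: one def fanning out to many uses blames the def
 * (buffer overflow); many defs fanning in to one use blames the use
 * (information leak). A single edge or a mixed pattern stays unresolved. */
static located_t locate(const dfg_t *viol) {
    if (viol->n == 0) return (located_t){ 0, '-' };
    int same_def = 1, same_use = 1;
    for (int i = 1; i < viol->n; i++) {
        if (viol->e[i].def_pc != viol->e[0].def_pc) same_def = 0;
        if (viol->e[i].use_pc != viol->e[0].use_pc) same_use = 0;
    }
    if (same_def && !same_use) return (located_t){ viol->e[0].def_pc, 'D' };
    if (same_use && !same_def) return (located_t){ viol->e[0].use_pc, 'U' };
    return (located_t){ viol->e[0].def_pc, '?' };
}

static void push(access_t *t, int *n, uint32_t pc, char op, int addr) {
    if (*n < MAX_TRACE) t[(*n)++] = (access_t){ pc, op, (uint16_t) addr };
}

/* Scenario 1 (constructed): a copy loop at 0x401000 fills an 8-byte buffer at
 * addr 0..7 that 0x401100 consumes; addr 8..11 hold a saved pointer stored by
 * 0x401200 and reloaded by 0x401300..0x401330. copy_len 12 overflows into it. */
static void copy_trace(access_t *t, int *n, int copy_len) {
    *n = 0;
    for (int i = 0; i < 4; i++) push(t, n, 0x401200, 'W', 8 + i);
    for (int i = 0; i < copy_len; i++) push(t, n, 0x401000, 'W', i);
    for (int i = 0; i < 8; i++) push(t, n, 0x401100, 'R', i);
    for (int i = 0; i < 4; i++) push(t, n, 0x401300 + 0x10 * i, 'R', 8 + i);
}

/* Scenario 2 (constructed): a reply copy at 0x402000 reads out_len bytes from
 * addr 0; addr 0..7 is the echoed request written by 0x401000, addr 8..15 are
 * secrets written by 0x401500..0x401570. out_len 16 over-reads them. */
static void leak_trace(access_t *t, int *n, int out_len) {
    *n = 0;
    for (int i = 0; i < 8; i++) push(t, n, 0x401000, 'W', i);
    for (int i = 0; i < 8; i++) push(t, n, 0x401500 + 0x10 * i, 'W', 8 + i);
    for (int i = 0; i < out_len; i++) push(t, n, 0x402000, 'R', i);
}

/* Build the DFG from the benign run, diff the attack run against it, locate. */
static located_t run(void (*gen)(access_t *, int *, int), int benign_len, int attack_len) {
    access_t b[MAX_TRACE], a[MAX_TRACE]; int nb, na; dfg_t dfg, viol;
    gen(b, &nb, benign_len); gen(a, &na, attack_len);
    build_edges(b, nb, NULL, &dfg);
    build_edges(a, na, &dfg, &viol);
    return locate(&viol);
}

located_t locate_overflow_example(void) { return run(copy_trace, 8, 12); }
located_t locate_leak_example(void)     { return run(leak_trace, 8, 16); }

int main(void) {
    located_t o = locate_overflow_example(), l = locate_leak_example();
    printf("overflow: blame %c at 0x%x\n", o.role, o.pc);   /* D at 0x401000 */
    printf("leak:     blame %c at 0x%x\n", l.role, l.pc);   /* U at 0x402000 */
    return 0;
}
```

The benign run supplies the DFG and the attack run is diffed against it. In the overflow scenario every violating edge leaves the store at 0x401000, so that def is blamed; in the leak scenario every violating edge arrives at the read at 0x402000, so that use is blamed. Because the prototype's DFG comes from dynamic analysis, a benign path the training runs never exercised also shows up as a violation: the heuristics rank candidates, they do not prove one.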

Integer Errors
•Focus on common integer errors
–Start from common functions/instructions that take
integer operands
•E.g., memcpy, recvfrom; movs, stos…
–Search backwards for integer errors

•Example:
memcpy ( void * destination, const void * source, size_t num );
Search backwards from the computation of num for integer errors.

Integer Errors
•Assignment truncation (e.g., 0x12345678 → 0x5678)
–To detect: an assignment from a longer to a shorter
integer type

•Integer overflow/underflow (e.g., 0xFFFFFFFF + 1)
–To detect: check the RFLAGS register (carry/overflow
flags) after the arithmetic instruction

•Signedness error (e.g., unsigned_int_var = signed_int_var)
–To detect: collect hints on how each value is interpreted
from functions and instructions
•Instructions: jg, jge, ja, jae, cmovg, cmova, idiv, div, etc.
(signed vs. unsigned variants)
•Functions: memmove, strncat, etc. (size_t parameters)

•Benign integer errors?
–Only those related to the reported vulnerability are
reported

Use-after-free and Double-free
•Ravel instruments memory allocation/free
functions to track the memory life-time
•Use-after-free: freed memory is accessed again
•Double-free: memory freed more than once
without re-allocation
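Allocator instrumentation of the kind the slide describes, as an added example (not Ravel's code): a shadow table records each block's life-time so that a second free, or an access to a freed block, can be classified without touching the memory itself. The names, the table size and the demo sequence are constructed for this example.

```c
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed life-time tracker standing in for instrumented malloc/free
 * (example code, not Ravel's). Each allocation gets a record; free() flips it
 * to FREED instead of dropping it, so a later free or access of the block can
 * be classified. An allocation that re-uses the address is appended and,
 * being newer, shadows the stale FREED record. */
enum verdict { T_OK = 0, T_USE_AFTER_FREE, T_DOUBLE_FREE, T_UNTRACKED };
enum state { LIVE, FREED };
typedef struct { void *base; size_t len; enum state st; } block_t;

#define MAX_BLOCKS 64
static block_t blocks[MAX_BLOCKS];
static int nblocks;

/* Most recent record whose range contains p, or NULL. Compared as integers
 * so pointers into unrelated objects can be tested without UB. */
static block_t *find_block(const void *p) {
    uintptr_t a = (uintptr_t) p;
    for (int i = nblocks - 1; i >= 0; i--) {
        uintptr_t lo = (uintptr_t) blocks[i].base;
        if (a >= lo && a < lo + blocks[i].len) return &blocks[i];
    }
    return NULL;
}

void *tracked_malloc(size_t n) {
    if (n == 0) n = 1;
    void *p = malloc(n);
    if (!p) return NULL;
    if (nblocks == MAX_BLOCKS) {                  /* table full: drop the oldest record */
        for (int i = 1; i < MAX_BLOCKS; i++) blocks[i - 1] = blocks[i];
        nblocks--;
    }
    blocks[nblocks++] = (block_t){ p, n, LIVE };
    return p;
}

/* Double-free: the block is already FREED and nothing re-allocated it. The
 * real free() is forwarded only for a LIVE block, so the demo never commits
 * an actual double free. */
enum verdict tracked_free(void *p) {
    block_t *b = find_block(p);
    if (!b || b->base != p) return T_UNTRACKED;
    if (b->st == FREED) return T_DOUBLE_FREE;
    b->st = FREED;
    free(p);
    return T_OK;
}

/* Use-after-free: a load or store (as the replay's binary translator would
 * report it) hits a block that is FREED. Classifies without dereferencing p. */
enum verdict tracked_access(const void *p) {
    block_t *b = find_block(p);
    if (!b) return T_UNTRACKED;
    return b->st == FREED ? T_USE_AFTER_FREE : T_OK;
}

/* Constructed sequence: allocate, free, read the freed block, free it again,
 * re-allocate and read. Returns one bit per check the tracker got right:
 * bit0 UAF, bit1 double free, bit2 clean access after re-allocation, bit3
 * untracked pointer. A correct tracker yields 0xF. */
unsigned demo_bugs(void) {
    unsigned ok = 0;
    char stack_var = 0;
    char *a = tracked_malloc(32);
    if (!a || tracked_access(a) != T_OK || tracked_free(a) != T_OK) return 0;
    if (tracked_access(a) == T_USE_AFTER_FREE) ok |= 1;
    if (tracked_free(a) == T_DOUBLE_FREE) ok |= 2;
    char *b = tracked_malloc(32);                  /* may or may not re-use a's address */
    if (b && tracked_access(b) == T_OK) ok |= 4;
    if (tracked_access(&stack_var) == T_UNTRACKED) ok |= 8;
    tracked_free(b);
    return ok;
}

int main(void) {
    static const char *name[] = { "ok", "use-after-free", "double-free", "untracked" };
    char *p = tracked_malloc(16);
    tracked_free(p);
    printf("access after free: %s\n", name[tracked_access(p)]);
    printf("second free:       %s\n", name[tracked_free(p)]);
    printf("demo checks:       0x%x\n", demo_bugs());   /* 0xf */
    return 0;
}
```

Keeping the FREED record until the allocator hands the address out again is what distinguishes a double free from a legitimate free of a re-allocated block, which is the "without re-allocation" condition on the slide.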

Race Condition
•When a race condition happens, the replayed execution
deviates from the recorded one
–as Ravel does not implement strict (deterministic) R&R
•When a deviation is detected, use the happens-before
relation to check for race conditions

Implementation
•Record & replay:
–FreeBSD release 10.2
–Kernel modification + small user-space utility
•Vulnerability locator:
–Extended from Valgrind

Evaluation – Effectiveness
•Buffer overflow
•Integer errors
•Information leakage
•Use-after-free and double-free
•Format string vulnerabilities

CVE-2013-2028 of Nginx
[Annotated source listing: a signed value is compared
against an unsigned one using a signed comparison, the
resulting size is larger than expected, and a buffer
overflow follows. Ravel's report on the replayed attack:
Data-flow Violation, Signedness Conflict, Memory Exception]
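The three integer-error classes from the Integer Errors slides and the CVE-2013-2028 pattern the annotated slides walk through, as one added C example (not nginx's code and not Ravel's): a chunk-size parser whose signed accumulator wraps, the signed min() that turns the negative length into a huge size_t for a read into a fixed buffer, a checked parser that catches the wrap where a binary-level locator would read the RFLAGS carry/overflow bits, and the assignment-truncation check. The buffer size, the function names and the input strings are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Size of the fixed buffer the discarded body is read into (assumed). */
#define DISCARD_BUF_SIZE 4096

static int hex_digit(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Naive chunk-size parser: size = size * 16 + digit into a signed 64-bit
 * length with no overflow check. Sixteen hex digits starting at 8 or above
 * wrap it negative. (The accumulation runs in uint64_t so the wrap itself is
 * well defined; the defect is that the result is then trusted as a length.)
 * Returns -2 on a non-hex character. */
int64_t parse_chunk_size_unchecked(const char *s) {
    uint64_t acc = 0;
    for (; *s; s++) {
        int d = hex_digit(*s);
        if (d < 0) return -2;
        acc = acc * 16 + (uint64_t) d;
    }
    return (int64_t) acc;
}

/* Same parser, checked: the builtins report exactly the wrap a binary-level
 * locator would see in the RFLAGS carry/overflow bits after the multiply or
 * add. Returns the size, or -1 on overflow or bad input. */
int64_t parse_chunk_size_checked(const char *s) {
    int64_t acc = 0;
    for (; *s; s++) {
        int d = hex_digit(*s);
        if (d < 0) return -1;
        if (__builtin_mul_overflow(acc, 16, &acc) ||
            __builtin_add_overflow(acc, d, &acc)) return -1;
    }
    return acc;
}

/* Vulnerable pattern: min() of two signed values, result cast to size_t. A
 * negative length wins the signed comparison and turns into a huge unsigned
 * count for the recv() into the fixed buffer: the "signed comparison" and
 * "larger than expected" annotations on the slides. */
size_t discard_size_vulnerable(int64_t content_length) {
    int64_t n = content_length < DISCARD_BUF_SIZE ? content_length : DISCARD_BUF_SIZE;
    return (size_t) n;
}

/* Hardened: reject a negative length before it reaches the comparison.
 * Returns the bounded size, or -1 for an invalid length. */
int64_t discard_size_safe(int64_t content_length) {
    if (content_length < 0) return -1;
    return content_length < DISCARD_BUF_SIZE ? content_length : DISCARD_BUF_SIZE;
}

/* Assignment truncation from the slides: 0x12345678 stored into a 16-bit
 * variable keeps only 0x5678. Returns 1 if the assignment lost bits. */
int assignment_truncates(uint32_t value) {
    uint16_t stored = (uint16_t) value;
    return stored != value;
}

int main(void) {
    const char *chunk = "ffffffffffffffff";           /* constructed attacker-controlled chunk size */
    int64_t len = parse_chunk_size_unchecked(chunk);
    printf("unchecked parse: %lld -> recv length %zu into a %d-byte buffer\n",
           (long long) len, discard_size_vulnerable(len), DISCARD_BUF_SIZE);
    printf("checked parse:   %lld (negative = rejected)\n",
           (long long) parse_chunk_size_checked(chunk));
    printf("0x12345678 truncates to 16 bits: %d\n", assignment_truncates(0x12345678u));
    return 0;
}
```

Reading the chain backwards from the size operand, the way the slides describe for memcpy-like sinks, gives the locator's three findings in order: the size handed to the read is larger than the buffer (memory exception), it came from a signed comparison on a value later used unsigned (signedness conflict), and that value was produced by arithmetic that wrapped (the def-use edge from the parser to the read that the benign DFG never contained).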

Evaluation – Effectiveness
•More examples are in the paper (Heartbleed, etc.)

Evaluation – Performance
[Chart: performance overhead of Ravel's online components
relative to the original FreeBSD system]

Q&A
http://YueChen.me

Backup Slides

Attack Detection Example
•Typical scenario example:
[Diagram, a loop: attack → attacker guesses memory
addresses → program crashes (due to ASLR, DEP, etc.) →
victim forks a new process → the next attack]