Slide 1
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask)
Edward J. Schwartz, Thanassis Avgerinos, David Brumley
Presented by: Vaibhav Rastogi

Slide 2
The Root of All Evil: Humans write programs
This Talk: Computers Analyzing Programs Dynamically at Runtime

Slide 3
Two Essential Runtime Analyses
Dynamic Taint Analysis: What values are derived from this source?
  Applications: Malware Analysis, Privacy Leakage Detection, Vulnerability Detection
Forward Symbolic Execution: What input will make execution reach this line of code?
  Applications: Automatic Test-case Generation, Input Filter Generation, Malware Analysis

Slide 4
Contributions

Slide 5
Contributions

Slide 6
Dynamic Taint Analysis

Slide 7
Example

Slide 8
Example
Input is tainted

Slide 9
Taint Introduction
[Figure: variable x, shown as tainted vs. untainted]
Input is tainted

Slide 10
Taint Introduction
Var | Val | Taint (T | F)
x   | 7   | T

Slide 11
Taint Propagation
[Figure: y derived from x and the constant 42]
Data derived from user input is tainted

Slide 12
Taint Propagation
Var | Val | Taint (T | F)
x   | 7   | T
y   | 49  | T

Slide 13
Taint Checking
[Figure: taint flow from x through the constant 42 to y]
Policy violation detected

Slide 14
So What?
[Figure: taint flow from x through the constant 42 to y]
Exploit Detection: Tainted return address

Slide 15
Taint Checking
Var | Val | Taint (T | F)
x   | 7   | T
y   | 49  | T

Slide 16
Taint Semantics in SIMPIL

Slide 17
SIMPIL Operational Semantics
tl;dr

Slide 18
Operational Semantics for Tainting

Slide 19
Operational Semantics for Tainting

Slide 20
Example Taint Semantics

Slide 21
Example Taint Policy

Slide 22
Dynamic Tainting Issues

Slide 23
Dynamic Tainting Issues
[Figure: taint flow from x through the constant 42 to y]
Overwritten return address detected only at return

Slide 24
Tainted Addresses

Slide 25
Dilemma
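The three taint steps of slides 9 to 15 (introduction, propagation, checking) and the tainted-address dilemma of slides 24 and 25, as one added example. This is not code from the slides or from the paper's SIMPIL implementation: the statement encoding, the `Machine` and `Tainted` names, the `goto`-target policy, the `taint_through_addr` flag and the 8-entry table are my own assumptions; the values x = 7 (from input) and y = x + 42 = 49 follow the slide tables.

```python
# Added example (not from the slides or the paper): a toy SIMPIL-style
# interpreter that carries a taint bit next to every value.
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


class TaintPolicyViolation(Exception):
    """Raised by taint checking; this policy forbids tainted jump targets."""


@dataclass
class Tainted:
    val: int
    taint: bool  # the "Taint (T | F)" column of the slide tables


@dataclass
class Machine:
    env: dict = field(default_factory=dict)  # variable name -> Tainted
    mem: dict = field(default_factory=dict)  # address -> Tainted
    taint_through_addr: bool = False  # assumed policy flag for the dilemma

    def eval(self, e):
        kind = e[0]
        if kind == "const":  # constants start untainted
            return Tainted(e[1] & MASK32, False)
        if kind == "var":
            return self.env[e[1]]
        if kind == "input":  # taint introduction: input is tainted
            return Tainted(e[1] & MASK32, True)
        if kind == "add":  # taint propagation: derived data is tainted
            a, b = self.eval(e[1]), self.eval(e[2])
            return Tainted((a.val + b.val) & MASK32, a.taint or b.taint)
        if kind == "load":
            addr = self.eval(e[1])
            cell = self.mem.get(addr.val, Tainted(0, False))
            # The dilemma: is a value read through a tainted *address* tainted?
            # "No" under-taints (misses input-controlled table lookups);
            # "yes" over-taints (false positives).  The policy flag decides.
            return Tainted(cell.val, cell.taint or (self.taint_through_addr and addr.taint))
        raise ValueError(f"unknown expression {e!r}")

    def run(self, prog):
        pc = 0
        while pc < len(prog):
            stmt = prog[pc]
            if stmt[0] == "assign":
                self.env[stmt[1]] = self.eval(stmt[2])
            elif stmt[0] == "store":
                addr, val = self.eval(stmt[1]), self.eval(stmt[2])
                self.mem[addr.val] = val
            elif stmt[0] == "goto":  # taint checking at the control-flow sink
                target = self.eval(stmt[1])
                if target.taint:
                    raise TaintPolicyViolation(
                        f"tainted jump target {target.val:#x} at pc={pc}")
                pc = target.val
                continue
            elif stmt[0] == "halt":
                return
            pc += 1


SLIDE_PROGRAM = [  # x := get_input() (the input is 7); y := x + 42
    ("assign", "x", ("input", 7)),
    ("assign", "y", ("add", ("var", "x"), ("const", 42))),
]


def taint_table():
    """Run the slide program; return (Var, Val, Taint) rows like the slide tables."""
    m = Machine()
    m.run(SLIDE_PROGRAM + [("halt",)])
    return [(name, t.val, t.taint) for name, t in m.env.items()]


def exploit_detection():
    """Jump through y: a tainted control-flow target violates the policy."""
    m = Machine()
    try:
        m.run(SLIDE_PROGRAM + [("goto", ("var", "y"))])
    except TaintPolicyViolation as exc:
        return str(exc)
    return None


def table_lookup(taint_through_addr):
    """z := load(0x100 + x): a tainted index into an untainted table."""
    m = Machine(taint_through_addr=taint_through_addr)
    for i in range(8):  # constructed 8-entry table at 0x100
        m.mem[0x100 + i] = Tainted(0x1000 + i, False)
    m.run([("assign", "x", ("input", 3)),
           ("assign", "z", ("load", ("add", ("const", 0x100), ("var", "x")))),
           ("halt",)])
    return m.env["z"].val, m.env["z"].taint


if __name__ == "__main__":
    print(taint_table())        # [('x', 7, True), ('y', 49, True)]
    print(exploit_detection())  # tainted jump target 0x31 at pc=2
    print(table_lookup(False), table_lookup(True))  # (4099, False) (4099, True)
```

The check sits at the control-flow sink (`goto`), which is also why the slide's "overwritten return address detected only at return" holds: a tainted value in memory is not itself a violation, and nothing fires until it is consumed as a target. `table_lookup` shows the two horns of the dilemma on the same program, differing only in the policy flag.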

Slide 26
Forward Symbolic Execution

Slide 27
Example
bad_abs(x is input)
  if (x < 0)
    return -x
  if (x == 0x12345678)
    return -x
  return x

Slide 28
Example
2^32 possible inputs
[Annotation: 0x12345678]
bad_abs(x is input)
  if (x < 0)
    return -x
  if (x == 0x12345678)
    return -x
  return x
What input will execute this line of code?

Slide 29
Working
bad_abs(x is input)
  if (x < 0)
    return -x
  if (x == 0x12345678)
    return -x
  return x
Path predicates at each branch:
  if (x < 0): T -> x < 0; F -> x ≥ 0
  if (x == 0x12345678): T -> x ≥ 0 && x == 0x12345678; F -> x ≥ 0 && x != 0x12345678

Slide 30
Working
bad_abs(x is input)
  if (x < 0)
    return -x
  if (x == 0x12345678)
    return -x
  return x
Path predicates at each branch:
  if (x < 0): T -> x < 0; F -> x ≥ 0
  if (x == 0x12345678): T -> x ≥ 0 && x == 0x12345678; F -> x ≥ 0 && x != 0x12345678
What input will execute this line of code?
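The walk of slides 29 and 30, as an added example: forward symbolic execution of bad_abs that forks at each branch, builds the path predicate, prunes infeasible paths and answers "what input executes this line?". It is not code from the slides or the paper; the list encoding of `bad_abs`, the function names and the solver (exact interval arithmetic over one signed 32-bit variable, standing in for an SMT solver) are my own assumptions.

```python
# Added example (not from the slides or the paper): forward symbolic execution
# of bad_abs over a single 32-bit signed input x.
INT_MIN, INT_MAX = -2**31, 2**31 - 1
C = 0x12345678

# bad_abs as numbered lines: ("if", (op, const), then-return) or ("ret", expr).
BAD_ABS = [
    ("if", ("<", 0), ("ret", "-x")),   # line 0: if (x < 0) return -x
    ("if", ("==", C), ("ret", "-x")),  # line 1: if (x == 0x12345678) return -x
    ("ret", "x"),                      # line 2: return x
]

NEGATE = {"<": ">=", ">=": "<", "==": "!=", "!=": "=="}


def restrict(intervals, op, c):
    """Intersect disjoint [lo, hi] intervals with the constraint 'x op c'."""
    out = []
    for lo, hi in intervals:
        if op == "<":
            pieces = [(lo, min(hi, c - 1))]
        elif op == ">=":
            pieces = [(max(lo, c), hi)]
        elif op == "==":
            pieces = [(max(lo, c), min(hi, c))]
        elif op == "!=":
            pieces = [(lo, min(hi, c - 1)), (max(lo, c + 1), hi)]
        else:
            raise ValueError(op)
        out.extend((a, b) for a, b in pieces if a <= b)
    return out


def solve(path):
    """Return some x satisfying every constraint in path, or None if infeasible."""
    feasible = [(INT_MIN, INT_MAX)]
    for op, c in path:
        feasible = restrict(feasible, op, c)
        if not feasible:
            return None
    return feasible[0][0]  # smallest witness


def explore(prog, pc=0, path=()):
    """Fork at every branch and keep only satisfiable paths.

    Returns (path predicate, returned expression, line of the return)."""
    stmt = prog[pc]
    if stmt[0] == "ret":
        return [(list(path), stmt[1], pc)]
    _, (op, c), then_ret = stmt
    results = []
    for taken in (True, False):
        branch = path + ((op, c) if taken else (NEGATE[op], c),)
        if solve(branch) is None:
            continue  # infeasible path: pruned, never executed
        if taken:
            results.append((list(branch), then_ret[1], pc))
        else:
            results.extend(explore(prog, pc + 1, branch))
    return results


def show(path):
    """Render a path predicate the way the slides write it."""
    return " && ".join(f"x {op} {c:#x}" if c >= 16 else f"x {op} {c}"
                       for op, c in path)


def inputs_reaching(prog, line):
    """The slide's question: which input executes the return on this line?"""
    return [(show(path), solve(path))
            for path, _, pc in explore(prog) if pc == line]


if __name__ == "__main__":
    for path, expr, pc in explore(BAD_ABS):
        print(f"line {pc}: returns {expr} when {show(path)}; witness x = {solve(path)}")
    print(inputs_reaching(BAD_ABS, 1))  # [('x >= 0 && x == 0x12345678', 305419896)]
```

Three feasible paths come out, one per return, and the second `return -x` is reachable only under `x ≥ 0 && x == 0x12345678`, so the solver hands back exactly that constant; a random tester would need on the order of 2^32 tries to hit it. The interval solver is exact here only because every constraint compares the single variable with a constant; the paper's point is that real path predicates need a general SMT solver.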

Slide 31
Operational Semantics

Slide 32
Operational Semantics

Slide 33
Challenges

Slide 34
Exponential Number of Paths

Slide 35
Exploration Strategies

Slide 36
Symbolic Memory
Example: tables
Aliasing issues:
  addr1 = get_input()
  store(addr1, v)
  z = load(addr2)
Solutions:
  Make unsound assumptions
  Let the SMT solver do the work
  Perform alias analysis (a static analysis; may not be acceptable)
Related Problem: Symbolic jumps
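The three-line fragment above, as an added example of the "let the SMT solver do the work" option: every store is kept as a conditional, so a later load becomes an if-then-else chain and the question "does addr1 alias addr2?" is deferred to the solver. This is not code from the slides or the paper; the expression encoding, the 8-entry table, the concrete addr2 = 4 and v = 0xBEEF, and the enumerating solver (a stand-in for SMT that only works because the domain is tiny) are my own assumptions. It also shows what the "unsound assumption" option silently loses.

```python
# Added example (not from the slides or the paper): symbolic memory as an
# ite chain, with the aliasing question handed to a (toy) solver.
from itertools import product


class Expr:
    """A symbolic expression: printable text plus an evaluator over a model."""
    def __init__(self, text, fn):
        self.text, self.fn = text, fn

    def __repr__(self):
        return self.text

    def eval(self, model):
        return self.fn(model)


def const(c):
    return Expr(str(c), lambda m: c)


def var(name):
    return Expr(name, lambda m: m[name])


def eq(a, b):
    return Expr(f"({a} == {b})", lambda m: a.eval(m) == b.eval(m))


def neg(a):
    return Expr(f"!{a}", lambda m: not a.eval(m))


def ite(c, t, e):
    return Expr(f"ite({c}, {t}, {e})", lambda m: t.eval(m) if c.eval(m) else e.eval(m))


class SymbolicMemory:
    def __init__(self, base):
        self.base = base    # concrete initial contents: address -> value
        self.writes = []    # (address expr, value expr), in program order

    def store(self, addr, val):
        self.writes.append((addr, val))

    def load(self, addr):
        # Start from the initial table.  A symbolic address cannot index a
        # dict, so every cell becomes one arm of an ite chain (fine for a
        # tiny table; this blow-up is why symbolic tables are painful).
        expr = const(0)
        for a, v in self.base.items():
            expr = ite(eq(addr, const(a)), const(v), expr)
        # Wrap each write in turn so the newest write is tested first; the
        # solver, not the executor, decides whether addr aliases a write.
        for waddr, wval in self.writes:
            expr = ite(eq(addr, waddr), wval, expr)
        return expr


def solve(formula, domains):
    """Stand-in for the SMT solver: enumerate models over small finite domains."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        model = dict(zip(names, values))
        if formula.eval(model):
            return model
    return None


TABLE = {a: 100 + a for a in range(8)}  # constructed table at addresses 0..7
ADDR2, V = 4, 0xBEEF                     # assumed concrete values


def slide_fragment():
    """addr1 = get_input(); store(addr1, v); z = load(addr2)."""
    mem = SymbolicMemory(TABLE)
    mem.store(var("addr1"), const(V))
    return mem.load(const(ADDR2))


def aliasing_cases():
    """Inputs under which the load does / does not see the symbolic store."""
    z = slide_fragment()
    dom = {"addr1": range(8)}
    return solve(eq(z, const(V)), dom), solve(neg(eq(z, const(V))), dom)


def unsound_shortcut():
    """'Make unsound assumptions': pretend the symbolic store never aliases.

    Returns (sound z, unsound z) for the aliasing input addr1 = addr2."""
    mem = SymbolicMemory(TABLE)
    mem.store(var("addr1"), const(V))
    sound = mem.load(const(ADDR2)).eval({"addr1": ADDR2})
    mem.writes.clear()  # drop the symbolic write: the alias is now invisible
    unsound = mem.load(const(ADDR2)).eval({"addr1": ADDR2})
    return sound, unsound


if __name__ == "__main__":
    print(slide_fragment())   # ite((4 == addr1), 48879, ite((4 == 7), 107, ...))
    print(aliasing_cases())   # ({'addr1': 4}, {'addr1': 0})
    print(unsound_shortcut()) # (48879, 104)
```

The same construction covers a symbolic jump: a `goto` whose target expression depends on input is a load through a symbolic address into the code, so the executor either asks the solver which targets are feasible or concretizes the target and loses paths.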

Slide 37
Symbolic Jumps
The pc depends on the user input

Slide 38
System and Library Calls
What are the effects of such calls?
Manual summarization is possible in some cases
Use results from concrete execution (not sound)

Slide 39
Symbolic Execution is not Easy
Exponential number of paths
Exponentially sized formulas with substitution
  s + s + s + s + s + s + s + s + s + s + s + s + s = 42
Solving a formula is NP-complete

Slide 40
Conclusion
Dynamic Taint Analysis and Forward Symbolic Execution are both extensively used
A number of options explored
This talk provided:
  Overview of the techniques
  Applications
  Issues and state-of-the-art solutions