Bravo 3 – Debugging Debian
Enrique Naudon, JD Nir, Nadim Taha, William Wysocki

Outline
• Project Overview
• DBI and Pintools
• DBI and Argument Inference
• Results
• Limitations
Epoch 2
• Argument Inference
  • Cannot handle long-running/GUI applications
• Fuzzing
  • Naïve
  • Mutation only
• Post Processing
  • Logs stored locally
  • Manual uniquification/verification
  • 106 unique bugs from ~3000 crashes

Epoch 3
• Argument Inference
  • Support for long-running applications
  • Code coverage with DBI
• Fuzzing
  • Directed fuzzing with DBI
• Post Processing
  • Centralized logging
  • Completely automated
  • ~300 unique bugs from ~7000 crashes
Dynamic Binary Inspection
• Pintool driven
• Allows hooking of various functions, system calls, and instructions
• Relies on taint propagation to determine when untrusted input may reach compromisable functions
• Developed a more functional taint-propagation and taint-sourcing Pintool based on Cal Diskin’s simple examples
Taint Propagation
(Diagram: Entry Arguments → Dangerous Functions; Files Referenced by Entry Arguments)
Taint Propagation
• Entry Arguments
  • Ultimate source of taint in our analysis
• Taint is primarily propagated at the instruction level
  • All mov instructions are instrumented
  • Our taint policy is very conservative
• Data from read() syscalls is also tainted, but only when the fd was tainted
(Diagram: Entry Arguments → Dangerous Functions; Files Referenced by Entry Arguments)
File Open and Read
• Open and read syscalls are instrumented
  • int fd3 = open(const char *path, …);
  • If any part of the path is tainted, the fd is tainted
  • Path taint must originate from the entry arguments
(Diagram: ./testprogram -input testfile → tainted path /home/user/Programs/testdata/testfile → fd3 added to Global Tainted FDs {fd1, fd2, fd3}; Entry Arguments → Dangerous Functions; Files Referenced by Entry Arguments)
File Open and Read
• Read becomes a source of taint for analysis
• On entry into read, the fd is compared with the global tainted list and the result is saved for exit
• On exit, check the result and taint all bytes read into the buffer
(Diagram: Entry Arguments → Dangerous Functions; Files Referenced by Entry Arguments)
Dangerous Functions
• Dangerous functions: strcpy(), strncpy(), strcat(), strncat(), memcpy()
• When the source is tainted we can observe the length of the string in memory
• We can observe the binary data at the source
(Diagram: Entry Arguments → Dangerous Functions (lengths, destination, source); Files Referenced by Entry Arguments)
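The taint policy described on the Taint Propagation, File Open and Read and Dangerous Functions slides, modelled in Python as an added example (this is not the team's Pintool; addresses, file contents and method names are constructed, and the choice that a mov from an untainted source clears stale taint on the destination is an assumption the slides do not spell out):

```python
class TaintModel:
    """Shadow-memory model of the slides' taint policy (added example, not the
    team's Pintool): argv is the only root source, taint travels with mov, open()
    on a tainted path taints the fd, read() on a tainted fd taints the bytes read,
    and a tainted strcpy() source is reported with its length and binary value."""

    def __init__(self, size=0x1000):
        self.mem = bytearray(size)
        self.tainted = set()      # shadow memory: addresses holding tainted bytes
        self.tainted_fds = set()  # the slides' "Global Tainted FDs"
        self.pending = {}         # fd -> verdict saved at read() entry
        self.reports = []         # (sink, source address, length, bytes)

    def store(self, addr, data, tainted):    # raw store: sets or clears shadow bits
        self.mem[addr:addr + len(data)] = data
        span = set(range(addr, addr + len(data)))
        self.tainted = (self.tainted | span) if tainted else (self.tainted - span)

    def cstr(self, addr):                    # NUL-terminated string at addr
        return bytes(self.mem[addr:self.mem.index(0, addr)])
    def any_tainted(self, addr, n):
        return not self.tainted.isdisjoint(range(addr, addr + n))

    def mov(self, dst, src, n):              # instruction-level propagation
        for i in range(n):                   # taint travels with each copied byte
            self.store(dst + i, self.mem[src + i:src + i + 1], src + i in self.tainted)

    def sys_open(self, path_addr, fd):       # any tainted path byte taints the fd
        if self.any_tainted(path_addr, len(self.cstr(path_addr))):
            self.tainted_fds.add(fd)

    def sys_read_entry(self, fd):            # on entry: compare fd with the global list
        self.pending[fd] = fd in self.tainted_fds
    def sys_read_exit(self, fd, buf, data):  # on exit: taint exactly the bytes read
        self.store(buf, data, tainted=self.pending.pop(fd, False))

    def strcpy(self, dst, src):              # dangerous-function sink
        s = self.cstr(src)
        if self.any_tainted(src, len(s)):    # observe length and bytes at the source
            self.reports.append(("strcpy", hex(src), len(s), s))
        self.mov(dst, src, len(s) + 1)


def demo():                                  # the slides' ./testprogram -input testfile case
    m = TaintModel()
    m.store(0x100, b"./testprogram\0-input\0testfile\0", tainted=True)  # argv block (root source)
    m.sys_open(0x115, fd=3)                  # argv[2] ("testfile" at 0x115) goes straight to open()
    m.sys_read_entry(3)
    m.sys_read_exit(3, buf=0x800, data=b"AAAAAAAA\0")  # constructed file contents
    m.strcpy(0x900, 0x800)                   # tainted source reaches strcpy()
    return m
```

Calling demo() leaves fd 3 on the tainted list and one strcpy() report carrying the 8-byte source value; a path that did not come from argv produces neither.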
Dangerous Functions (Pintool output screenshot)
• Indicates a tainted strcpy() source at memory location 0xbffb6319
• Binary value at tainted memory location
Directed Fuzzing
• thimble.py
  • Utilizes the heavy lifting performed by the Pintool and evaluates input sources
  • Input to the tool is specified as either a string or a file
  • Find the binary value in the input source
  • If there are multiple instances, find one with a matching string length if it exists
  • Increase the length of the string, re-run the Pintool and observe new results
DBI Assisted Type Inference
• Metrics:
  • # threads
  • # processes
  • # instructions
  • !module_blacklist && -> open("arg")
• Up to 2 minutes per extension
• PIN:
  • gs: 54x slowdown
  • mplayer: 138x slowdown
• DynamoRIO:
  • gs: 17x slowdown
  • mplayer: 27x slowdown
Fuzzing Results
• 6885 crashes in 82 programs/40 packages
• 309 “unique” bugs
• 144 rated exploitable

Fuzzing Results
• Major hash unification
• Only bugs generated post filetype inference
• Fuzzed for 60 seconds per binary
• Crashes in certain applications (e.g. mplayer) weren’t processed due to limitations of the analysis script
Limitations/Future Work
• Argument Inference
  • Structured arguments (IPs, regexes)
  • Cannot represent relationships
  • Explore other metrics for type inference
  • /usr/share/mime/magic + *.desktop
• Verification misses crashes
  • Signal handlers
• PinTool
  • Slow
  • Can crash some applications
  • DynamoRIO
  • Performance Counters + strace(fork/clone)