
1 Nanjing University 2 George Mason University 3 Purdue University March 22nd, 2007

ASIACCS 2007. AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair. Zhiqiang Lin 1,3, Xuxian Jiang 2, Dongyan Xu 3, Bing Mao 1, Li Xie 1.


Presentation Transcript


  1. ASIACCS 2007. AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair. Zhiqiang Lin 1,3, Xuxian Jiang 2, Dongyan Xu 3, Bing Mao 1, Li Xie 1. 1 Nanjing University, 2 George Mason University, 3 Purdue University. March 22nd, 2007

  2. Agenda
      • Motivation
      • Design & Implementation
      • Evaluation
      • Related Work
      • Conclusion

  3. Lifecycle of a vulnerability
      [Timeline figure: I. Vulnerability Introduced, II. Vulnerability Discovered, III. Official Patch released, IV. Patch Installed]
      A rather lengthy process

  4. Manual process is too slow
      [Timeline figure: I. Vulnerability Introduced, II. Vulnerability Discovered, III. Official Patch released, IV. Patch Installed; figure labels: 28 days, http://www.symantec.com/enterprise/threatreport/index.jsp, 75]
      The timelines of 10 recent Microsoft patches (MS06-045 to MS06-054) that were released between August and September 2006

  5. Goal of AutoPaG
      • For fast-spreading attacks (e.g., zero-day)
      [Timeline figure: I. Vulnerability Introduced, II. Vulnerability Discovered, III. Official Patch released, IV. Patch Installed]

  6. Goal of AutoPaG
      • For fast-spreading attacks (e.g., zero-day)
      • Make the whole thing automated
        • (1) Find/Identify the root cause of the vulnerability
        • (2) Fix/repair it automatically
          • Generate temporary source code patch
        • (3) Facilitate official patch development
      [Timeline figure: I. Vulnerability Introduced, II (III) (IV)]

  7. Overview of AutoPaG
      Note: we currently focus on the out-of-bound vulnerability, the most common and severe one, but our system is also applicable to other vulnerabilities, e.g., format string

  8. 1. Out-of-Bound Detector (1/2)
      • Challenges:
        • Detect exploitation
        • Provide root cause context information
          • Where is the direct root cause statement?
          • Which variable or data is overflowed?
      • Direct root cause statement: the statement (source code) or instruction (binary code) that directly causes the attack or memory corruption
      • A toy example

      1 #include <string.h>
      2 int main(int argc, char **argv) {
      3     char buf[4];
      4     char *p;
      5     p = buf;
      6     strcpy(p, argv[1]);
      7     return 0;
      8 }

      [Callout on the code: Root Cause]

  9. 1. Out-of-Bound Detector (2/2)
      • How
        • Modify CCured + Call Stack

      #0 0x0804b0fb in ccured_fail_str (str=0x805cc73 "Ubound", file=0x805cc12 "lib/ccuredlib.c", line=3941, function=0x805daa5 "__read_at_least_f") at lib/ccuredlib.c:909
      #1 0x0804b15d in ccured_fail (msgId=3, file=0x805cc12 "lib/ccuredlib.c", line=3941, function=0x805daa5 "__read_at_least_f") at lib/ccuredlib.c:923
      #2 0x0804fa0f in __read_at_least_f (ptr={_p = 0xbfaa9f90, _e = 0xbfaa9f94}, n=11) at lib/ccuredlib.c:3941
      #3 0x0804fa75 in __copytags_ff (dest={_p = 0xbfaa9f90, _e = 0xbfaa9f94}, src={_p = 0xbfaabed2, _e = 0xbfaabedd}, n=11) at lib/ccuredlib.c:3947
      #4 0x0804a0dc in strcpy_wrapper_sff (dest=0xbfaa9f90 "", dest_e=0xbfaa9f94, src=0xbfaabed2 "aaaaaaaaaa", src_e=0xbfaabedd) at string_wrappers.h:79
      #5 0x0804a006 in main (argc=2, __argv_input=0xbfaaa014) at test.c:6

      1 #include <string.h>
      2 int main(int argc, char **argv) {
      3     char buf[4];
      4     char *p;
      5     p = buf;
      6     strcpy(p, argv[1]);
      7     return 0;
      8 }

  10. 2. Root Cause Locator
      • Challenge:
        • Find out those statements (in source code) that contribute to the computation of the overflow
        • Catch the transitive closure of the overflowed data
      • How:
        • Backward data dependency analysis

      1 #include <string.h>
      2 int main(int argc, char **argv) {
      3     char buf[4];
      4     char *p;
      5     p = buf;
      6     strcpy(p, argv[1]);
      7     return 0;
      8 }

      s0Set: strcpy(p, argv[1]);
      v0Set: main:p
      sSet: strcpy(p, argv[1]); p = buf; char *p; char buf[4];
      vSet: main:p, main:argv[1], main:buf
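The backward data dependency step on slide 10, as an added example (not AutoPaG's code): starting from the faulting statement and the overflowed variable, it collects every earlier statement that declares or writes a variable already in the set. The statement table, the bitmask names and `backward_slice` are assumptions made for this sketch, and it handles straight-line code only.

```c
#include <stdio.h>

/* Constructed model of the toy program: one bit per variable. */
enum { V_BUF = 1u << 0, V_P = 1u << 1, V_ARGV1 = 1u << 2 };

/* A statement, the variables it declares or writes, and those it reads. */
struct stmt { int line; const char *text; unsigned defs, uses; };

static const struct stmt prog[] = {
    {3, "char buf[4];",        V_BUF, 0},
    {4, "char *p;",            V_P,   0},
    {5, "p = buf;",            V_P,   V_BUF},
    {6, "strcpy(p, argv[1]);", 0,     V_P | V_ARGV1},
    {7, "return 0;",           0,     0},
};
enum { NSTMT = sizeof prog / sizeof prog[0] };

/* Returns sSet as a bitmask of indices into prog and stores vSet in
   *vset_out. fault_idx is the s0Set statement, v0 the v0Set variables.
   Iterates to a fixpoint so the closure is transitive. */
unsigned backward_slice(int fault_idx, unsigned v0, unsigned *vset_out)
{
    unsigned sset = 1u << fault_idx;
    unsigned vset = v0 | prog[fault_idx].uses;
    int changed = 1;

    while (changed) {
        changed = 0;
        for (int i = fault_idx - 1; i >= 0; i--) {
            if ((sset & (1u << i)) || !(prog[i].defs & vset))
                continue;
            sset |= 1u << i;        /* statement feeds a tracked variable */
            vset |= prog[i].uses;   /* so its inputs become tracked too */
            changed = 1;
        }
    }
    *vset_out = vset;
    return sset;
}

int main(void)
{
    unsigned vset, sset = backward_slice(3, V_P, &vset);
    for (int i = 0; i < NSTMT; i++)
        if (sset & (1u << i))
            printf("sSet: line %d  %s\n", prog[i].line, prog[i].text);
    printf("vSet bits: 0x%x\n", vset);
    return 0;
}
```
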

  11. 3. Patch Generator
      • Attempt to automatically repair the vulnerability.
      • Challenges
        • Determining vulnerable buffer boundaries
          • Keep track of the meta-data with the identified variables
        • Fixing out-of-bound access

  12. Generated Patch: An example

      #include <string.h>
      int main(int argc, char **argv) {
          char (__FSEQ buf)[4];
          char * __FSEQ p;
          unsigned int __cil_tmp6;
          char *__FSEQ __cil_tmp7;
          void *p_e14;
          void *__cil_tmp7_e15;
          p_e14=(void*)0;
          p=(char*) 0;
          __cil_tmp7=buf;
          __cil_tmp7_e15=buf+4;                        /* end bound of buf */
          p=__cil_tmp7;
          __cil_tmp6 = __cil_tmp7_e15 - __cil_tmp7;    /* bytes available in buf */
          strncpy(p, argv[1], __cil_tmp6);             /* copy bounded by that size */
          return 0;
      }

      [Callout on the code: 5: p = buf;]
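The bounds pair from the slide 9 backtrace and the bounded copy from the slide 12 patch, side by side as an added example (not CCured or AutoPaG code). `struct seq` and the three function names are assumptions for this sketch; it also shows that a `strncpy` bounded by the full buffer size leaves no terminating NUL when the source is that long or longer.

```c
#include <stdio.h>
#include <string.h>

/* Pointer with its end bound, like the {_p, _e} pairs in the backtrace. */
struct seq { char *p; char *e; };

/* Detector-style check: copy only if src and its NUL fit; -1 flags the
   out-of-bound write instead of performing it. */
int checked_strcpy(struct seq dst, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > (size_t)(dst.e - dst.p))
        return -1;
    memcpy(dst.p, src, need);
    return 0;
}

/* Patch-style repair: strncpy bounded by e - p. Returns 1 if the result is
   NUL-terminated, 0 if src filled the whole buffer. */
int bounded_copy(struct seq dst, const char *src)
{
    size_t room = (size_t)(dst.e - dst.p);
    strncpy(dst.p, src, room);
    return memchr(dst.p, '\0', room) != NULL;
}

/* Variant that reserves the last byte for the NUL. Returns bytes dropped. */
size_t bounded_copy_terminated(struct seq dst, const char *src)
{
    size_t room = (size_t)(dst.e - dst.p), len = strlen(src);
    if (room == 0)
        return len;
    size_t n = len < room - 1 ? len : room - 1;
    memcpy(dst.p, src, n);
    dst.p[n] = '\0';
    return len - n;
}

int main(void)
{
    char mem[4];
    struct seq d = { mem, mem + sizeof mem };
    const char *src = "aaaaaaaaaa"; /* constructed input, as in the backtrace */
    printf("checked_strcpy: %d\n", checked_strcpy(d, src));
    printf("terminated after strncpy: %d\n", bounded_copy(d, src));
    printf("bytes dropped: %zu\n", bounded_copy_terminated(d, src));
    return 0;
}
```
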

  13. Effectiveness

  14. Performance of generated patch

  15. Related Work
      • Proactive Source Transformation
        • FOC [Rinard04], DIRA [Smirnov & Chiueh04]
      • Just-In-Time Execution Filtering
        • TaintCheck [Newsome & Song05], DACODA [Crandall05], VSEF [Newsome & Song06], Argos [Portokalidis06] …
      • Reactive Runtime Patching
        • DYBOC [Sidiroglou & Keromytis 04], STEM [Sidiroglou & Keromytis 05]

  16. Conclusion
      • Towards automated source code patch generation
      • AutoPaG
        • Effective
        • Fast
        • Low overhead

  17. Q & A
      Thank you
      For more information: {zlin, dxu}@cs.purdue.edu, xjiang@gmu.edu
      Google: “AutoPaG”
