ASIACCS 2007
AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair
Zhiqiang Lin (1,3), Xuxian Jiang (2), Dongyan Xu (3), Bing Mao (1), Li Xie (1)
(1) Nanjing University, (2) George Mason University, (3) Purdue University
March 22nd, 2007
Agenda
• Motivation
• Design & Implementation
• Evaluation
• Related Work
• Conclusion
Lifecycle of a vulnerability (along the time axis):
I. Vulnerability Introduced -> II. Vulnerability Discovered -> III. Official Patch released -> IV. Patch Installed
A rather lengthy process
Manual process is too slow
[Figure: time-lines of 10 recent Microsoft patches (MS06-045 to MS06-054) released between August and September 2006, plotted on the same lifecycle axis (I. Vulnerability Introduced, II. Vulnerability Discovered, III. Official Patch released, IV. Patch Installed); the chart carries the annotations "28 days" and "75". Source: http://www.symantec.com/enterprise/threatreport/index.jsp]
Goal of AutoPaG
• For fast-spreading attacks (e.g., zero-day): pull III. Official Patch released and IV. Patch Installed as close as possible to II. Vulnerability Discovered
• Make the whole thing automated:
  (1) Find/identify the root cause of the vulnerability
  (2) Fix/repair it automatically, i.e., generate a temporary source code patch
  (3) Facilitate official patch development
Overview of AutoPaG
Note: we currently focus on out-of-bounds vulnerabilities, the most common and severe class, but the system is also applicable to other vulnerabilities, e.g., format string bugs.
1. Out-of-Bound Detector (1/2)
• Challenges:
  • Detect the exploitation
  • Provide root cause context information:
    • Where is the direct root cause statement? (the statement in source code, or the instruction in binary code, that directly causes the attack or memory corruption)
    • Which variable or data is overflowed?
• A toy example (test.c; line 6 is the root cause):
  1 #include <string.h>
  2 int main(int argc, char **argv) {
  3   char buf[4];
  4   char *p;
  5   p = buf;
  6   strcpy(p, argv[1]);   /* root cause */
  7   return 0;
  8 }
1. Out-of-Bound Detector (2/2)
• How: modify CCured and capture the call stack when a bound check fails
• Call stack for test.c (the toy example above) run with a 10-byte argument: CCured reports an upper-bound ("Ubound") violation inside its strcpy wrapper, and frame #5 is the root cause statement, test.c:6
#0  0x0804b0fb in ccured_fail_str (str=0x805cc73 "Ubound", file=0x805cc12 "lib/ccuredlib.c", line=3941, function=0x805daa5 "__read_at_least_f") at lib/ccuredlib.c:909
#1  0x0804b15d in ccured_fail (msgId=3, file=0x805cc12 "lib/ccuredlib.c", line=3941, function=0x805daa5 "__read_at_least_f") at lib/ccuredlib.c:923
#2  0x0804fa0f in __read_at_least_f (ptr={_p = 0xbfaa9f90, _e = 0xbfaa9f94}, n=11) at lib/ccuredlib.c:3941
#3  0x0804fa75 in __copytags_ff (dest={_p = 0xbfaa9f90, _e = 0xbfaa9f94}, src={_p = 0xbfaabed2, _e = 0xbfaabedd}, n=11) at lib/ccuredlib.c:3947
#4  0x0804a0dc in strcpy_wrapper_sff (dest=0xbfaa9f90 "", dest_e=0xbfaa9f94, src=0xbfaabed2 "aaaaaaaaaa", src_e=0xbfaabedd) at string_wrappers.h:79
#5  0x0804a006 in main (argc=2, __argv_input=0xbfaaa014) at test.c:6
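The detection step above depends on the pointer carrying its bound: in the backtrace, dest is {_p = 0xbfaa9f90, _e = 0xbfaa9f94}, four bytes, and the copy needs n=11. The following is an added example, not AutoPaG's or CCured's code, that imitates this with a hand-written fat pointer and a checked strcpy wrapper which records the call site (file and line) as root cause context instead of aborting; the struct names, the wrapper and the report format are assumptions for illustration, and the 10-byte input is constructed to match the slide.

```c
/* Added example: bounds-carrying ("fat") pointer in the spirit of CCured's
 * FSEQ pointers, with a strcpy wrapper that performs the upper-bound check.
 * Not CCured's runtime; names and layout are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Base pointer plus one-past-the-end bound, like the {_p, _e} pair above. */
struct fseq {
    char *p;
    char *e;
};

/* Root cause context captured when a bound check fails. */
struct ub_report {
    int         failed;   /* 1 if the copy was rejected */
    size_t      needed;   /* bytes the copy would write, including the NUL */
    size_t      avail;    /* bytes between p and e */
    const char *file;     /* call site, from __FILE__ */
    int         line;     /* call site, from __LINE__ */
};

static struct ub_report last_report;

/* Upper-bound ("Ubound") check before copying. Returns 0 on success and -1
 * when the copy would overrun dest.e; the report keeps the call site. */
static int strcpy_checked(struct fseq dest, const char *src,
                          const char *file, int line)
{
    size_t n = strlen(src) + 1;                 /* bytes including the NUL */
    size_t avail = (size_t)(dest.e - dest.p);
    last_report = (struct ub_report){ 0, n, avail, file, line };
    if (n > avail) {
        last_report.failed = 1;
        fprintf(stderr, "Ubound: %s:%d needs %zu bytes, %zu available\n",
                file, line, n, avail);
        return -1;
    }
    memcpy(dest.p, src, n);
    return 0;
}

/* Macro so each call site records its own source location. */
#define STRCPY_CHECKED(dest, src) \
    strcpy_checked((dest), (src), __FILE__, __LINE__)

/* The toy program test.c with p turned into a fat pointer. Returns the
 * wrapper's result so the outcome can be examined without a crash. */
int toy_main(const char *arg)
{
    char buf[4];
    struct fseq p = { buf, buf + sizeof buf };  /* p = buf, bound buf + 4 */
    return STRCPY_CHECKED(p, arg);               /* the root cause statement */
}

int main(int argc, char **argv)
{
    /* Constructed input: ten 'a's, the same length as in the backtrace. */
    const char *input = argc > 1 ? argv[1] : "aaaaaaaaaa";
    if (toy_main(input) != 0)
        printf("detected: root cause at %s:%d (needs %zu, has %zu)\n",
               last_report.file, last_report.line,
               last_report.needed, last_report.avail);
    else
        printf("copy ok\n");
    return 0;
}
```

The report reproduces the two facts the locator needs next: which statement failed (the call site) and which pointer's bound was violated. Real CCured additionally tracks bounds through pointer arithmetic and casts, which this sketch does not attempt.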
2. Root Cause Locator
• Challenge:
  • Find out those statements (in source code) that contribute to the computation of the overflowed data
  • Catch the transitive closure of the overflowed data
• How: backward data dependency analysis
• On the toy example (test.c above), starting from the detector's output:
  s0Set: strcpy(p, argv[1]);    v0Set: main:p
  and expanding backward until no new statement or variable is added:
  sSet: strcpy(p, argv[1]); p = buf; char *p; char buf[4];
  vSet: main:p, main:argv[1], main:buf
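The expansion from s0Set/v0Set to sSet/vSet is a fixpoint over def/use facts: every variable read by a statement in sSet joins vSet, and every statement that defines a variable in vSet joins sSet. The following is an added example, not AutoPaG's code, that runs exactly this closure over a hand-written def/use table for test.c; the table, the set representation and the function names are assumptions for illustration (AutoPaG extracts these facts from CIL's representation of the program, and it also works on real programs rather than four statements).

```c
/* Added example: backward data-dependency closure over a constructed
 * def/use table for test.c. Not AutoPaG's implementation. */
#include <stdio.h>
#include <string.h>

#define MAX_USES 3
#define MAX_SET  16

/* One source statement: the variable it writes and the variables it reads. */
struct stmt {
    int         line;
    const char *text;
    const char *def;              /* variable defined, or NULL */
    const char *uses[MAX_USES];   /* variables used, NULL-terminated */
};

/* Constructed def/use table for the toy program (line numbers as on the slide). */
static const struct stmt program[] = {
    { 3, "char buf[4];",        "buf", { NULL } },
    { 4, "char *p;",            "p",   { NULL } },
    { 5, "p = buf;",            "p",   { "buf", NULL } },
    { 6, "strcpy(p, argv[1]);", NULL,  { "p", "argv[1]", NULL } },
};
#define NSTMT ((int)(sizeof program / sizeof program[0]))

struct closure {
    int         s_lines[MAX_SET];  /* sSet: lines of contributing statements */
    int         ns;
    const char *v_names[MAX_SET];  /* vSet: variables feeding the overflow */
    int         nv;
};

static int has_line(const struct closure *c, int line)
{
    for (int i = 0; i < c->ns; i++)
        if (c->s_lines[i] == line) return 1;
    return 0;
}

static int has_var(const struct closure *c, const char *v)
{
    for (int i = 0; i < c->nv; i++)
        if (strcmp(c->v_names[i], v) == 0) return 1;
    return 0;
}

/* Both adders return 1 only when the set actually grew. */
static int add_line(struct closure *c, int line)
{
    if (has_line(c, line) || c->ns >= MAX_SET) return 0;
    c->s_lines[c->ns++] = line;
    return 1;
}

static int add_var(struct closure *c, const char *v)
{
    if (has_var(c, v) || c->nv >= MAX_SET) return 0;
    c->v_names[c->nv++] = v;
    return 1;
}

/* Start from the root cause statement s0 and the overflowed variable v0,
 * then alternate "uses of statements in sSet go into vSet" and
 * "definitions of variables in vSet go into sSet" until nothing changes. */
struct closure root_cause_closure(int s0_line, const char *v0)
{
    struct closure c;
    memset(&c, 0, sizeof c);
    add_line(&c, s0_line);
    add_var(&c, v0);
    int changed = 1;
    while (changed) {
        changed = 0;
        for (int i = 0; i < NSTMT; i++) {
            const struct stmt *s = &program[i];
            if (has_line(&c, s->line))
                for (int u = 0; s->uses[u] != NULL; u++)
                    changed |= add_var(&c, s->uses[u]);
            if (s->def != NULL && has_var(&c, s->def))
                changed |= add_line(&c, s->line);
        }
    }
    return c;
}

int main(void)
{
    struct closure c = root_cause_closure(6, "p");
    printf("sSet:");
    for (int i = 0; i < NSTMT; i++)
        if (has_line(&c, program[i].line)) printf(" %s", program[i].text);
    printf("\nvSet:");
    for (int i = 0; i < c.nv; i++) printf(" main:%s", c.v_names[i]);
    printf("\n");
    return 0;
}
```

Only data dependence is followed, matching the slide; control dependence (which branch led to the copy) is deliberately left out. Matching variables by name is an assumption of the toy: with aliasing through other pointers a real locator has to use the bound metadata, not the identifier, to decide which definitions feed the overflowed buffer.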
3. Patch Generator
• Attempt to automatically repair the vulnerability
• Challenges:
  • Determining the vulnerable buffer's boundaries
  • Keeping track of the meta-data (bounds) of the identified variables
  • Fixing the out-of-bound access
Generated Patch: An example (test.c after AutoPaG; the original line 5, p = buf;, becomes lines 11-13, which also record the bound buf + 4, and the strcpy at the original line 6 becomes a strncpy bounded by that end pointer)
 1 #include <string.h>
 2 int main(int argc, char **argv) {
 3   char (__FSEQ buf)[4];
 4   char * __FSEQ p;
 5   unsigned int __cil_tmp6;
 6   char *__FSEQ __cil_tmp7;
 7   void *p_e14;
 8   void *__cil_tmp7_e15;
 9   p_e14 = (void*)0;
10   p = (char*)0;
11   __cil_tmp7 = buf;
12   __cil_tmp7_e15 = buf + 4;
13   p = __cil_tmp7;
14   __cil_tmp6 = __cil_tmp7_e15 - __cil_tmp7;
15   strncpy(p, argv[1], __cil_tmp6);
16   return 0;
17 }
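The generated patch stops the overflow by bounding the copy with __cil_tmp6 = __cil_tmp7_e15 - __cil_tmp7, i.e. the distance from p to the tracked end of buf. One property of strncpy a reviewer of such a temporary patch should keep in mind: when the source is at least as long as the bound, no NUL is written, so buf is left unterminated. The following is an added example, not AutoPaG's generated code, that writes the repair out by hand with a sentinel placed after the buffer so both effects can be checked, beside a variant that reserves the last byte for the terminator; the frame layout, the flag values and the function names are assumptions for illustration, and the 10-byte input is constructed.

```c
/* Added example: the bounded-copy repair from the generated patch, run
 * against a sentinel, plus a NUL-terminating variant. Not AutoPaG's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { TERMINATED = 1, CANARY_OK = 2 };   /* flags returned by the runs */

/* Constructed layout: the 4-byte buffer followed by a sentinel that the
 * original strcpy would clobber with a 10-byte argument. */
struct frame {
    char buf[4];
    char canary[8];
};
static const char CANARY[8] = "CANARY!";

/* Report whether buf holds a NUL and whether the sentinel survived. */
static int inspect(const struct frame *f)
{
    int flags = 0;
    if (memchr(f->buf, '\0', sizeof f->buf) != NULL) flags |= TERMINATED;
    if (memcmp(f->canary, CANARY, sizeof CANARY) == 0)  flags |= CANARY_OK;
    return flags;
}

/* The repair as generated: bound = end pointer - p, strcpy -> strncpy. */
int run_generated_patch(const char *src)
{
    struct frame f;
    memcpy(f.canary, CANARY, sizeof CANARY);
    char  *p     = f.buf;                      /* p = buf                  */
    char  *p_e   = f.buf + sizeof f.buf;       /* __cil_tmp7_e15 = buf + 4 */
    size_t bound = (size_t)(p_e - p);          /* __cil_tmp6               */
    strncpy(p, src, bound);                    /* patched line 15          */
    return inspect(&f);
}

/* Same bound, but the last byte is reserved for the terminator so the
 * patched buffer is always a valid C string (bound is 4 by construction,
 * so bound - 1 cannot wrap here). */
int run_terminated_patch(const char *src)
{
    struct frame f;
    memcpy(f.canary, CANARY, sizeof CANARY);
    char  *p     = f.buf;
    char  *p_e   = f.buf + sizeof f.buf;
    size_t bound = (size_t)(p_e - p);
    strncpy(p, src, bound - 1);
    p[bound - 1] = '\0';
    return inspect(&f);
}

static const char *describe(int flags)
{
    return (flags & CANARY_OK)
        ? ((flags & TERMINATED) ? "no overflow, buf terminated"
                                : "no overflow, buf NOT terminated")
        : "sentinel clobbered";
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "aaaaaaaaaa";  /* constructed */
    printf("generated patch:     %s\n", describe(run_generated_patch(input)));
    printf("terminating variant: %s\n", describe(run_terminated_patch(input)));
    return 0;
}
```

With the 10-byte input the generated patch keeps the sentinel intact, which is the property AutoPaG is after, but a later strlen or printf on buf would read past it; the terminating variant trades one byte of capacity for a well-formed string. Which of the two is the right temporary fix depends on how the program consumes the buffer, which is exactly the judgment the official patch developer still has to make.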
Related Work
• Proactive Source Transformation: FOC [Rinard04], DIRA [Smirnov & Chiueh04]
• Just-In-Time Execution Filtering: TaintCheck [Newsome & Song05], DACODA [Crandall05], VSEF [Newsome & Song06], Argos [Portokalidis06], ...
• Reactive Runtime Patching: DYBOC [Sidiroglou & Keromytis04], STEM [Sidiroglou & Keromytis05]
Conclusion
• Towards automated source code patch generation
• AutoPaG is effective and fast, with low overhead
Q & A
Thank you
For more information: {zlin, dxu}@cs.purdue.edu, xjiang@gmu.edu
Google: "AutoPaG"