
TaintScope

Presented by: Hector M Lugo-Cordero, MS. CAP 6135, April 12, 2011. Paper: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou, "TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection".


Presentation Transcript


  1. TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011

  2. Acknowledgements • Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou • Paper Title: TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection • In Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010. • Awarded Best Student Paper

  3. Outline • Fuzz Testing • TaintScope • Performance • Conclusions

  4. Outline • Fuzz Testing • TaintScope • Performance • Conclusions

  5. Fuzz Testing • Attempt to crash or hang a program by feeding it malformed inputs • Black-box fuzzing comes in two flavors: generation-based (inputs are built from a description of the format) and mutation-based (a valid seed input is randomly altered)

  6. Fuzz Testing: Motivation • Nobody is perfect • Programs may be very large and difficult to test • Find bugs to fix vs. exploit programs for malware

  7. Fuzz Testing: Challenges • Random fuzzing has to cover a huge sample space • E.g. a 4 s audio signal of 32k bytes has 2^256,000 possible values • Symbolic-execution-based fuzzing cannot get past checksum checks: the solver cannot invert the checksum constraint, so only inputs whose checksum already matches are explored

  8. Outline • Fuzz Testing • TaintScope • Performance • Conclusions

  9. TaintScope • A fuzzer that can bypass checksum checks, independent of the checksum algorithm • Concentrates on data-flow dependence (dynamic taint analysis) rather than on the checksum logic itself • Uses the IDA Pro disassembler • The checksum-point detector works like a classifier: it separates branches that behave one way on well-formed inputs and the other way on malformed ones

  10. TaintScope: How it Works • Identify the hot bytes in the input: bytes that flow into security-sensitive API functions (memory management, string operations) • Each input byte is tainted with a unique id, so taint tracking reports exactly which input offsets reach such a call • Identify the candidate checksum points

  11. TaintScope: How it Works • On well-formed inputs a checksum check always goes the same way (say true); on malformed inputs it always goes the opposite way (false) • A branch that is always taken one way on every well-formed run and the other way on every malformed run, i.e. the intersection of those two sets, is a checksum check point • For each such point TaintScope creates a bypass rule that forces the branch outcome, so malformed inputs get past the check

  12. TaintScope: How it Works • Fuzzer runs with bypass rules and mutates only hot bytes • Crashes and hangs are recorded

  13. TaintScope: How it Works • Crashing samples are repaired for replay: the checksum fields are corrected so the input crashes the program without any bypass rule • The type of vulnerability can then be analyzed
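Slides 10 to 13 describe one pipeline: hot-byte identification, checksum-point detection, bypassed fuzzing of only the hot bytes, and checksum repair of the crashing sample. The following is an added example written for this page, not TaintScope's own code (which works on instrumented binaries with dynamic taint tracking). Everything in it is an assumption made for illustration: the `TSCP` file format, the parser with a latent out-of-bounds write hidden behind a CRC32 check, and the fact that the parser itself reports which input offsets reach the sensitive sink instead of a taint tracker doing so. The malformed corpus is built by flipping one byte at a time, which is what makes the CRC branch evaluate the "wrong" way on every malformed run that reaches it.

```python
import random
import struct
import zlib

# Constructed toy format (an assumption of this example, not a real one):
#   b"TSCP" | n (1 byte) | n little-endian u32 records | CRC32 of everything before it
MAGIC = b"TSCP"
TABLE_SIZE = 16


class Trace:
    """Records branch outcomes and which input offsets reach a sensitive sink."""
    def __init__(self, bypass=frozenset()):
        self.bypass = bypass      # branch ids whose outcome is forced to True (bypass rules)
        self.branches = {}        # branch id -> outcome actually computed
        self.sink_taint = set()   # input offsets whose taint reached a sink

    def branch(self, bid, cond):
        self.branches[bid] = bool(cond)
        return True if bid in self.bypass else cond

    def sink(self, offsets):
        self.sink_taint.update(offsets)


def parse(data, trace):
    """Constructed parser: a latent out-of-bounds write hidden behind a CRC check."""
    if not trace.branch("magic", data[:4] == MAGIC):
        raise ValueError("bad magic")
    n = data[4]
    if not trace.branch("length", len(data) == 9 + 4 * n):
        raise ValueError("bad length")
    body_end = 5 + 4 * n
    stored = struct.unpack("<I", data[body_end:body_end + 4])[0]
    if not trace.branch("crc", zlib.crc32(data[:body_end]) == stored):
        raise ValueError("bad checksum")
    table = [0] * TABLE_SIZE
    for i in range(n):
        off = 5 + 4 * i
        value = struct.unpack("<I", data[off:off + 4])[0]
        trace.sink(range(off, off + 4))  # the taint of `value` is these four input offsets
        table[value] = i                 # bug: no bounds check, IndexError on hostile input
    return table


def run(data, bypass=frozenset()):
    """Outcome of one run: 'ok', 'rejected' (the parser's own checks fired) or 'crash'."""
    trace = Trace(bypass)
    try:
        parse(data, trace)
        return "ok", trace
    except ValueError:
        return "rejected", trace
    except (IndexError, struct.error):
        return "crash", trace


def build(records):
    body = MAGIC + bytes([len(records)]) + b"".join(struct.pack("<I", r) for r in records)
    return body + struct.pack("<I", zlib.crc32(body))


def find_hot_bytes(good_inputs):
    """Step 1: offsets whose taint reaches a sensitive sink on well-formed runs."""
    return set().union(*(run(d)[1].sink_taint for d in good_inputs))


def find_checksum_points(good_inputs, bad_inputs):
    """Step 2: branches always True on well-formed runs and never True on malformed runs."""
    always_true = None
    for d in good_inputs:
        taken = {b for b, o in run(d)[1].branches.items() if o}
        always_true = taken if always_true is None else always_true & taken
    candidates = set(always_true)
    for d in bad_inputs:
        candidates -= {b for b, o in run(d)[1].branches.items() if o}
    return candidates


def fuzz(seed_input, hot, bypass, rng, rounds=200):
    """Step 3: mutate only hot bytes with the checksum branch forced; return the first crash."""
    for _ in range(rounds):
        m = bytearray(seed_input)
        for off in rng.sample(sorted(hot), 2):
            m[off] = rng.randrange(256)
        if run(bytes(m), bypass)[0] == "crash":
            return bytes(m)
    return None


def repair(data):
    """Step 4: recompute the checksum so the crash replays without any bypass rule."""
    body = data[:5 + 4 * data[4]]
    return body + struct.pack("<I", zlib.crc32(body))


def demo(seed=1):
    rng = random.Random(seed)
    good = [build([rng.randrange(TABLE_SIZE) for _ in range(4)]) for _ in range(5)]
    # malformed corpus: two good files with every single byte flipped in turn
    bad = [d[:i] + bytes([d[i] ^ 0xFF]) + d[i + 1:] for d in good[:2] for i in range(len(d))]
    hot = find_hot_bytes(good)
    checks = find_checksum_points(good, bad)
    crash = fuzz(good[0], hot, checks, rng)
    return hot, checks, run(crash)[0], run(repair(crash))[0]
```

`demo()` returns the hot-byte offsets (only the 16 record bytes, never the magic or the stored CRC), the single candidate checksum point (`crc`; `magic` and `length` are excluded because some malformed inputs still pass them), and the two outcomes that matter: the crashing sample is merely "rejected" by the un-bypassed parser, and after `repair()` the same sample reaches the out-of-bounds write and crashes. `Trace.branch` records the real outcome even when it forces the branch, which is what lets the detector and the bypass share one mechanism.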

  14. Outline • Fuzz Testing • TaintScope • Performance • Conclusions

  15. Performance: Hot Bytes

  16. Performance: Checksum

  17. Performance: Vulnerabilities

  18. What is accomplished? • TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat and more) • Vendors have patched the software • Vulnerabilities have been published in Secunia and in Common Vulnerabilities and Exposures (CVE)

  19. MS Paint Search

  20. Adobe Acrobat Search

  21. Outline • Fuzz Testing • TaintScope • Performance • Conclusions

  22. Conclusions • A fuzzer able to bypass checksum checks • Works with Linux and Windows binaries • 100% of the inputs cause a crash or hang • Needs few input samples • Tested on many well-known applications and file formats

  23. Weakness • Does not discuss code coverage • Needs to run the program several times to collect the information of interest (hot bytes, checksum points) • Cannot correctly detect checksums when the data is encrypted with a keyed algorithm

  24. Improvements • Consider incorporating a tool like HyperNEAT, which can learn search-space patterns and might cope with encryption (e.g. DES S-boxes) • Update the hot-byte and checksum information dynamically to reduce the number of runs needed

  25. References • Tielei Wang's website: http://sites.google.com/site/tieleiwang/ • Month of Kernel Bugs: http://projects.info-pull.com/mokb/ • Month of Browser Bugs: http://browserfun.blogspot.com/ • Secunia: http://secunia.com/ • Common Vulnerabilities and Exposures: http://cve.mitre.org/ • IDA Pro Disassembler: http://www.hex-rays.com/idapro/ • Google Images: http://images.google.com

  26. Questions?
