h ow to r epair v ulnerabilities
play

H OW TO R EPAIR V ULNERABILITIES ? Correcting vulnerable logic, e.g. - PowerPoint PPT Presentation

A UTOMATIC P ROGRAM R EPAIR Zhen Huang 1 Penn State University Spring 2019 CMPSC 447, Software Security P RE PATCH W INDOW Attackers can leverage the window of time before a vulnerability is addressed. Attackers can exploit the


  1. A UTOMATIC P ROGRAM R EPAIR Zhen Huang 1 Penn State University Spring 2019 CMPSC 447, Software Security

  2. P RE ‐ PATCH W INDOW  Attackers can leverage the window of time before a vulnerability is addressed. Attackers can exploit the vulnerability! pre‐patch window Users Apply the Patch Vendor Releases a Patch Discovery of a Vulnerability 2

  3. P RE ‐ PATCH W INDOW IS S IGNIFICANT  Study on 130 real‐world vulnerabilities [1]  7‐30 days for 1/4 vulnerabilities  30+ days for 1/3 vulnerabilities  52 days on average 1. Z. Huang, M. D’Angelo, D. Miyani, D. Lie. Talos: Neutralizing Vulnerabilities with Security Workaround for Rapid Response . IEEE Symposium on Security & Privacy 2016. 3

  4. I SSUES OF M ANUAL R EPAIR  Time required to construct a correct fix is significant.  It accounts for 89% of the time for releasing a patch. Multiple attempts of patching (Quotes from a bug report)  Constructing a correct fix is non‐trivial. The developer: “This updates the previous patch...”  Some vulnerabilities are fixed only after .... several attempts. The developer: “This patch builds on the previous one...” .... The developer: “I’ve just committed more changes...” .... .... 4 The tester: “I’m afraid I found a bug...”

  5. O UR G OAL  Automatically repair software vulnerabilities i.e. automated program repair  Focuses on source code repair  Easier for developers to adopt 5

  6. H OW TO R EPAIR V ULNERABILITIES ?  Correcting vulnerable logic, e.g. race condition  Preventing vulnerable code from being executed  Adding checks to detect vulnerability‐triggering inputs Is the value of payload correct? Heartbleed Vulnerability: Official fix: memcpy(bp, pl, payload); If (… payload… > ...length) return 0; …. memcpy(bp, pl, payload); Client can craft the value of payload 6 to acquire sensitive data.

  7. T WO T YPES OF R EPAIRS  Mitigation  Preventing vulnerabilities from being triggered  Rapid  Fix  Removing vulnerabilities  Slow 7

  8. M ITIGATION  Prevents execution of vulnerable code to thwarts exploits  Rapidly closes pre‐patch window  Unobtrusiveness is desirable  Only vulnerable code should be affected  Trade off between functionality loss and security 8

  9. S ECURITY W ORKAROUND FOR R APID R ESPONSE (SWRR)  Designed to be simple and unobtrusive int foo(...) { int foo(…) { return error_code; .... SWRR .... // vulnerable code // vulnerable code .... .... }  Oblivious to vulnerability types  Requires minimum developer effort 9

  10. H OW TO A CHIEVE U NOBTRUSIVENESS ?  Terminate the target program?  Throw an exception?  Return to caller? What value to return? int foo(...) { return ?; .... // vulnerable code .... 10

  11. U SING E XISTING E RROR R ETURN V ALUES  Leveraging target program’s own error handling mechanism apache HTTP server call malicious request SWRR Main Module Status error request rejected Module 11

  12. I DENTIFYING E RROR R ETURN V ALUES  Documentation of common libraries or API functions  Developers’ annotations  Observing behaviors of applications  Analyzing error propagation  Using heuristics 12

  13. A NALYZING E RROR P ROPAGATION Downward Propagation Upward Propagation Int bar() { Int bar() { foo: NULL bar: ‐2 …. if (foo() == NULL) if (spam() == ‐3) return ‐2; bar: ‐2 spam: ‐3 return ‐2; …. Direct Propagation Int ham() { bar: ‐2 …. return bar(); ham: ‐2 …. 13

  14. U SING H EURISTICS Error Logging Return NULL int baz() { char *foo() { .… …. If (error) { if (error) log_msg(“ERROR!”); return NULL; return ‐1; …. } …. 14

  15. C OMBINING E RROR P ROPAGATION A NALYSIS AND H EURISTICS Function Error Return Value foo NULL bar ‐2 spam ‐3 ham ‐2 15

  16. G ENERATING SWRR S  An SWRR is simply a return statement:  return error; char *foo() { Function Error Return return NULL; SWRR ….. Value foo NULL bar ‐2 Int bar() { spam ‐3 return ‐2; SWRR ….. ham ‐2 16

  17. S TATE ‐ OF ‐ ART T OOLS  Talos  Generates source code SWRRs  Uses static program analysis  Instruments SWRRs into the source code of a target program https://github.com/huang‐zhen/talos  RVM  Generates binary code SWRRs  Instruments SWRRs into the binary of a target program 17 https://gitlab.com/zhenhuang/RVM

  18. T ALOS D EMO – T ARGET V ULNERABILITY 18

  19. T ALOS D EMO – G ENERATING CFG & CDG Talos generates CFG and CDG for apache http server 2.4.7 19

  20. T ALOS D EMO – I DENTIFYING E RROR R ETURN V ALUES Talos identifies error return values Found error return value for status_handler status_handler function 20

  21. T ALOS D EMO – S YNTHESIZING AND I NSERTING SWRR Talos synthesizes and inserts an SWRR into status_handler function status_handler function 21

  22. M ITIGATION : S UMMARY  Prevents adversaries to exploit vulnerabilities  Disallows the execution of vulnerable code  Exchanges functionality loss for security  The challenge is to preserve unobtrusiveness 22

  23. M ITIGATION : S TRENGTHS & D RAWBACKS  Strengths  Patch is simple and effective  Can be deployed rapidly  Drawbacks  Causes functionality loss 23

  24. F IX  Removes vulnerabilities from code  Preserves program functionality  Fix correctness is desired particularly for vulnerabilities 24

  25. S TEPS TO PRODUCE A FIX 1. Finding the faulty statement 2. Synthesizing a patch 3. Testing patch correctness (optional) 25

  26. T WO APPROACHES TO PRODUCE A FIX  Example‐based repair  Bottom‐up, relies on concrete example inputs  Property‐based repair  Top‐down, uses expert‐defined properties 26

  27. E XAMPLE ‐ BASED R EPAIR  Requires human‐labelled example inputs  Positive tests – expected program behavior  Negative tests – expose the defect Positive Tests Negative Tests Before the fix Pass Fail After the fix Pass Pass 27

  28. A F AULTY P ROGRAM // returns x‐y if x > y; 0 if x == y; y‐x if x < y 1 int distance(int x, int y) { 2 int result; 3 if (x >y) 4 result = x ‐ y; 5 else if (x == y) 6 result = 0; 7 else 8 result = x ‐ y; // should be y ‐ x 9 return result; Input# Label 10 } x y distance (expected) distance (actual) 1 Positive 2 1 1 1 2 Positive 3 3 0 0 28 3 Negative 1 4 3 ‐3 4 Negative 0 5 5 ‐5

  29. E XAMPLE ‐ BASED : FINDING THE FAULTY STATEMENT  Statistical fault localization  Faulty statement is executed more in negative tests but fewer in positive tests  Run the target program to collect execution count of each statement: #passed and #failed 29

  30. S TATISTICAL FAULT LOCALIZATION Compute a suspiciousness score for each 1. statement Rank each statement by its susp. score 2. Statement Susp. Score #failed #passed 8 result = x ‐y 1.0 2 0 5 else if (x == y) 0.67 2 1 3 if (x > y) 0.5 2 2 4 result = x ‐ y 0.0 0 1 30 6 result = 0 0.0 0 1

  31. E XAMPLE ‐ BASED : S YNTHESIZING A P ATCH  Using pre‐defined ways  Adding a guard, e.g. if (…) result = x – y;  Modifying RHS of the assignment, e.g. result = y ‐ x;  ….  Learning from correct code  Borrowing code from other similar programs 31

  32. M ODIFYING RHS OF AN ASSIGNMENT 1. Replacing the RHS with f(…)  … can be function parameters and local variables 2. Finding the constraint that f(…) needs to satisfy for the given example inputs 3, x==1 and y==4 f(x, y) = 5, x==0 and y==5 3. Concretizing f(x, y) 32

  33. C ONCRETIZING F ( X , Y )  Constants  3 works for input #3 but not input #4  5 works for input #4 but not input #3  Arithmetic  f(x, y) x + y  f(x, y) y – x  Comparison  Logic  …. 33

  34. L EARNING FROM CORRECT CODE  Focuses on missing checks for error‐ triggering inputs  E.g. check on input to prevent buffer overflow  Requires a donor program  Performs same functionality  Accepts same inputs  Contains a check for error‐triggering inputs  Borrows the check from the donor program 34

  35. B ORROWING THE C HECK FROM T HE D ONOR P ROGRAM  Can we borrow the check from FEH (donor) and transfer it to CWebP (recipient)? FEH Overflow Check CWebP Buffer Overflow int ReadJPEG(…) { char load(…) { …. …. // overflow error if (height>16) { rgb = malloc(stride * cinfo.height); // quit …. } } …. } 35

  36. C HALLENGES  How to identify the required check?  How to transfer the check from the donor to the recipient?  The check is implemented in the code of the donor 36

  37. I DENTIFYING THE C HECK  Using a seed input and an error‐triggering input  Seed input passes the check  Error‐triggering input fails the check  Running the donor program with both inputs to identify such check  Search all checks in the donor program Checks Seed Input Error Input if (height > 16) pass fail 37 …. …. ….

  38. T RANSFERRING THE CHECK  How to transfer the check to the recipient program? Lifts the check to an application‐ 1. independent form Finds a location in the recipient to insert the 2. check Translates the check back to program 3. expressions in the recipient Inserts the check into the recipient 4. 38

Recommend


More recommend