intflow integer error handling with information flow
play

IntFlow: Integer Error Handling With Information Flow Tracking - PowerPoint PPT Presentation

Oct 17, 2022 •129 likes •463 views

IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University mpomonis@cs.columbia.edu IntFlow Columbia

  1. IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University mpomonis@cs.columbia.edu IntFlow Columbia University 1 / 29

  2. Integer Error mpomonis@cs.columbia.edu IntFlow Columbia University 2 / 29

  3. Example 1. img t *table ptr; 2. unsigned int num imgs = get num imgs(); 3. unsigned int alloc size = sizeof(img t) * num imgs; 4. table ptr = (img t *) malloc (alloc size); 5. for (i = 0; i < num imgs; i++) 6. table ptr[i] = read img(i); mpomonis@cs.columbia.edu IntFlow Columbia University 3 / 29

  4. Integer Errors Mathematical representation vs machine representation Instances: Integer overflow/underflow Precision loss Signedness change mpomonis@cs.columbia.edu IntFlow Columbia University 4 / 29

  5. Characteristics Mainly C/C++ specific: Signed integers only (Java, Python) Overflow protection (Python) Undefined: Negative → unsigned INT MAX + 1 Optimizations Expected behavior mpomonis@cs.columbia.edu IntFlow Columbia University 5 / 29

  6. Importance Can lead to buffer overflows, memory leaks etc... Integral part of exploits Erroneous memory allocation Integer overflow in top 25 most dangerous software errors > 50 vulnerability reports (CVE) in 2014 QuickTime → Signedness change launchd (iOS) → Integer overflow Wireshark → Signedness change Google Chrome → Integer overflow mpomonis@cs.columbia.edu IntFlow Columbia University 6 / 29

  7. Integer Overflow Checker (IOC)[ICSE2012] /* a = b + c */ Clang AST bool error = false; Dangerous operation a = safe add(b, c, error); Static: operation → if (error) safe function Dynamic: detect report(); errors Report and (optionally) abort Clang trunk v3.3 mpomonis@cs.columbia.edu IntFlow Columbia University 7 / 29

  8. Integer Overflow Checker (IOC)[ICSE2012] Dynamic detection mechanism Offline use Input set from user mpomonis@cs.columbia.edu IntFlow Columbia University 8 / 29

  9. IOC Issue Overly comprehensive Lack of severity level Error � = vulnerability mpomonis@cs.columbia.edu IntFlow Columbia University 9 / 29

  10. Developer Intended Violations Idioms → errors Examples Controlled umax = (unsigned) -1; Expected neg = (char) INT MAX; bahavior smax = 1 << (WIDTH - 1) - 1; Not affected by smax++; attacker IOC → report all Large list Manually distill critical errors mpomonis@cs.columbia.edu IntFlow Columbia University 10 / 29

  11. Intflow Goals: 1. Eliminate reports of developer intended violations 2. Retain and highlight critical error reports mpomonis@cs.columbia.edu IntFlow Columbia University 11 / 29

  12. IntFlow Challenges: 1. Can we identify potential vulnerabilities? 2. Can we identify potentially exploitable vulnerabilities? 3. Can we do it accurately? mpomonis@cs.columbia.edu IntFlow Columbia University 12 / 29

  13. Critical Arithmetic Errors An error is potentially critical if: 1. Untrusted source → arithmetic error e.g. read(), getenv()... OR 2. Arithmetic error → sensitive sink e.g. *alloc(), strcpy()... mpomonis@cs.columbia.edu IntFlow Columbia University 13 / 29

  14. IntFlow: Architecture mpomonis@cs.columbia.edu IntFlow Columbia University 14 / 29

  15. Static Information Flow Tracking Set of techniques analyzing data-flow Common compiler methodology Distinguishes flows to/from integer operations Pros Cons ✓ No runtime ✗ Accuracy overhead ✗ Scalability ✓ Coverage mpomonis@cs.columbia.edu IntFlow Columbia University 15 / 29

  16. IntFlow: Architecture mpomonis@cs.columbia.edu IntFlow Columbia University 16 / 29

  17. Backward Slicing: Operation → Sources mpomonis@cs.columbia.edu IntFlow Columbia University 17 / 29

  18. Forward Slicing: Source → Operation mpomonis@cs.columbia.edu IntFlow Columbia University 18 / 29

  19. Forward Slicing: Source → Operation mpomonis@cs.columbia.edu IntFlow Columbia University 19 / 29

  20. Sources Examination If sources = trusted → result = developer intended mpomonis@cs.columbia.edu IntFlow Columbia University 20 / 29

  21. Remove IOC Check mpomonis@cs.columbia.edu IntFlow Columbia University 21 / 29

  22. IntFlow: Architecture mpomonis@cs.columbia.edu IntFlow Columbia University 22 / 29

  23. Sensitive Operations Dynamic detection Operations → sensitive functions Operation → bit Check before a sensitive function Report if any bit set mpomonis@cs.columbia.edu IntFlow Columbia University 23 / 29

  24. Modes Of Operation Blacklisting mode Untrusted sources → operation Whitelisting mode Trusted sources → operation Sensitive mode Operation → sensitive sinks Combination of modes Blacklisting/Whitelisting + Sensitive ↑ Confidence - ↓ Completeness mpomonis@cs.columbia.edu IntFlow Columbia University 24 / 29

  25. Evaluation Whitelisting mode Flexible Context agnostic ✓ Untrusted sources ✓ Error propagation Upper bound on report number mpomonis@cs.columbia.edu IntFlow Columbia University 25 / 29

  26. SPEC CINT2000 250 IOC Intended IntFlow Intended 200 Number of Reported Arithmetic Errors IOC Critical IntFlow Critical 150 100 40 30 20 10 0 gzip vpr gcc crafty parser perlbmk gap vortex mpomonis@cs.columbia.edu IntFlow Columbia University 26 / 29

  27. Real-world Applications Detected vulnerabilities: CVE Number Application Error Type CVE-2009-3481 Dillo Integer Overflow CVE-2012-3481 GIMP Integer Overflow CVE-2010-1516 Swftools Integer Overflow CVE-2013-6489 Pidgin Signedness Change Produced reports Overall Dillo GIMP Swftools Pidgin IOC 330 31 231 68 0 IntFlow 82 26 13 43 0 mpomonis@cs.columbia.edu IntFlow Columbia University 27 / 29

  28. Runtime Overhead Offline use CPU-bound (e.g. grep): 50-80% IO-bound (e.g. nginx): 20% mpomonis@cs.columbia.edu IntFlow Columbia University 28 / 29

  29. Summary Coupled IFT with IOC Identified critical errors Focused on potentially exploitable vulnerabilities Code: http://nsl.cs.columbia.edu/projects/intflow mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

  30. Bonus Backup Slides mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

  31. Runtime Overhead 2 Whitelisting 1.9 Blacklisting Sensitive 1.8 1.7 Slowdown (normalized) 1.6 1.5 1.4 1.3 1.2 1.1 1 0.9 0.8 0.7 0.6 0.5 grep wget wwwx zshx tcpdump cher nginx mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

  32. Additional Evaluation Results Independent stress test (red team) Artificial vulnerabilities in popular applications IO Inputs Good: no exploit → normal execution Bad: exploit → detect and abort Aggregate result ( TP + TN Total ): 79.30% mpomonis@cs.columbia.edu IntFlow Columbia University 29 / 29

Recommend

llvm::Error Rich Error Handling in LLVM Error Handling History LLVMs APIs historically

llvm::Error Rich Error Handling in LLVM Error Handling History LLVMs APIs historically

llvm::Error Rich Error Handling in LLVM Error Handling History LLVMs APIs historically used ad-hoc approaches bools, nullptrs, string errors std::error_code C++ standard library error type Enumerable errors only Lack

273 views • 9 slides
Improving the Quality of Error-Handling Code in Systems Software using Function-Local Information

Improving the Quality of Error-Handling Code in Systems Software using Function-Local Information

Improving the Quality of Error-Handling Code in Systems Software using Function-Local Information Suman Saha Laboratoire d'Informatique de Paris 6 Regal 25 th March, 2013 Outline Motivation Contribution 1: Understanding error-handling

869 views • 62 slides
Error Handling Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Error Handling Marco Chiarandini Department of Mathematics &amp; Computer Science University of

DM560 Introduction to Programming in C++ Error Handling Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark [ Based on slides by Bjarne Stroustrup ] Error Handling Outline 1. Error Handling 2

573 views • 36 slides
Compilers Error Handling Alex Aiken Error Handling Purpose of the compiler is To detect

Compilers Error Handling Alex Aiken Error Handling Purpose of the compiler is To detect

Compilers Error Handling Alex Aiken Error Handling Purpose of the compiler is To detect non-valid programs To translate the valid ones Many kinds of possible errors (e.g. in C) Error kind Example Detected

656 views • 9 slides
CPSC 213 Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for

CPSC 213 Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for

Readings for Next Two Lectures Text CPSC 213 Exceptional Control Flow: Processes, System Call Error Handling VM as a Tool for Memory Protection 2nd edition: 8.2, 8.3, 9.5 1st edition: 8.2, 8.3, 10.5 Introduction to Computer

137 views • 3 slides
Exception Handling in C++ throw - try - catch ! class InvalidNumber { }; void main() {

Exception Handling in C++ throw - try - catch ! class InvalidNumber { }; void main() {

14 . Exception Handling: Mechanism and Usage Exception Handling Synchronous Errors Asynchronous Errors An Example function : Call may result in an error double sqrt(int number); Traditional Error Handling Exit the program Return an

454 views • 8 slides
Functional Error Handling 1 / 13 Whats right with exceptions? Exceptions provide a way to

Functional Error Handling 1 / 13 Whats right with exceptions? Exceptions provide a way to

Functional Error Handling 1 / 13 Whats right with exceptions? Exceptions provide a way to consolidate error handling code and separate it from main logic, and an alternative to APIs that require callers of functions to know error

477 views • 13 slides
Error Handling in RCMS Error Handling in RCMS An Overview Francesco Lelli

Error Handling in RCMS Error Handling in RCMS An Overview Francesco Lelli

CMS Error Handling in RCMS Error Handling in RCMS An Overview Francesco Lelli Francesco.lelli@lnl.infn.it L.N.L L.N.L D.S.I. Venezia Venezia D.S.I. CMS Overview Error Handler Principles An Error Handling Framemork: Purpose

729 views • 21 slides
Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1 Table of Contents

240 views • 12 slides
1 Handling exceptions (III) Handling exceptions (II) n try -statements can be nested and

1 Handling exceptions (III) Handling exceptions (II) n try -statements can be nested and

2.6 Error, exception and event Error and exception handling in handling Pascal n There are conditions that have to be fulfilled by a n While errors definitely can occur in Pascal programs, program that sometimes are not fulfilled, which Pascal

143 views • 3 slides
1 Benefits of exception handling Handling exceptions Generally, there are many ways to handle an

1 Benefits of exception handling Handling exceptions Generally, there are many ways to handle an

Java exception mechanism when an error or exceptional condition occurs, you throw an exception which is caught by an exception handler try { // statements that may throw an exception.. if (someCondition) Exceptions and error handling

289 views • 6 slides
Java Programming Unit 7 Error Handling. Excep8ons. (c)

Java Programming Unit 7 Error Handling. Excep8ons. (c)

Java Programming Unit 7 Error Handling. Excep8ons. (c) Yakov Fain 2014 Run8me errors An excep8on is an run-8me error that may stop

453 views • 20 slides
Control Exception Handling: Exception handling is the control of error conditions or other

Control Exception Handling: Exception handling is the control of error conditions or other

Control Exception Handling: Exception handling is the control of error conditions or other unusual events during the execution of a program. 1 Control In a language without exception handling: When an exception occurs, control

1.15k views • 19 slides
Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Error Handling Input-Output Writing Better Code Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code Dr. Marina De Vos University of Bath Ext: 5053 Academic Year 2012-2013 Lecture D.10. (MDV)

845 views • 81 slides
ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we will look at more detail into error handling mechanisms and the use of exceptions. Motivation: what can go wrong? The two and a half approaches

523 views • 18 slides
ERROR HANDLING IN COCOA AGENDA Objective-Cs NSError Swifts try/catch/throws Swifts

ERROR HANDLING IN COCOA AGENDA Objective-Cs NSError Swifts try/catch/throws Swifts

ERROR HANDLING IN COCOA AGENDA Objective-Cs NSError Swifts try/catch/throws Swifts Result&lt;S,F&gt; type Exceptions &amp; Assertions OBJECTIVE-C ERROR HANDLING NSERROR IN OBJECTIVE-C NSError *error = nil; NSString *string =

453 views • 28 slides
Error Handling via the Happens-Before Relation Nicholas D. Matsakis Thomas R. Gross ETH Zurich

Error Handling via the Happens-Before Relation Nicholas D. Matsakis Thomas R. Gross ETH Zurich

Error Handling via the Happens-Before Relation Nicholas D. Matsakis Thomas R. Gross ETH Zurich 1 Sunday, April 18, 2010 Exception Handling Goal of this talk: Extend exception handling into a parallel setting 2 Sunday, April 18,

1.7k views • 98 slides
CSE 331 Exceptions and Error-Handling slides created by Marty Stepp based on materials by M.

CSE 331 Exceptions and Error-Handling slides created by Marty Stepp based on materials by M.

CSE 331 Exceptions and Error-Handling slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia http://www.cs.washington.edu/331/ 1 Exceptions exception : An object representing an error.

874 views • 27 slides
Error processing Errors can occur at compile-time or runtime. Error processing Errors can occur

Error processing Errors can occur at compile-time or runtime. Error processing Errors can occur

ITI 1121. Introduction to Computing II Marcel Turcotte School of Electrical Engineering and Computer Science Version of February 23, 2013 Abstract Handling errors Declaring, creating and handling exceptions Checked and unchecked

1.06k views • 103 slides
Vector Flows and integer flows Yi Wang School of mathematical sciences, Anhui University Joint

Vector Flows and integer flows Yi Wang School of mathematical sciences, Anhui University Joint

Introduction to integer flow 5-flow Conjecture and 3-flow Conjecture Vector flow Vector Flows and integer flows Yi Wang School of mathematical sciences, Anhui University Joint with Jian Cheng, Rong Luo and Cun-Quan Zhang Dec. 20, 2016,

639 views • 25 slides
or Flow-Adaptive Background-Error-Covariance Modeling for Data Assimilation using Information

or Flow-Adaptive Background-Error-Covariance Modeling for Data Assimilation using Information

Ensemble Data Assimilation without Ensembles with Application to Ocean Data Assimilation or Flow-Adaptive Background-Error-Covariance Modeling for Data Assimilation using Information from a Single Model Trajectory or E unus pluribum

523 views • 33 slides
The dos and donts of error handling Joe Armstrong A system is fault tolerant if it

The dos and donts of error handling Joe Armstrong A system is fault tolerant if it

The dos and donts of error handling Joe Armstrong A system is fault tolerant if it continues working even if something is wrong Work like this is never finished its always in-progress Hardware can fail - relatively

1.17k views • 82 slides
Ch.4: User input and error handling Ole Christian Lingjrde, Dept of Informatics, UiO 15

Ch.4: User input and error handling Ole Christian Lingjrde, Dept of Informatics, UiO 15

Ch.4: User input and error handling Ole Christian Lingjrde, Dept of Informatics, UiO 15 September 2017 (PART 2) Todays agenda A small quiz Short recapitulation of eval and exec . Live-programming of exercises 3.7, 4.1, 4.2, 4.3 Writing

825 views • 47 slides
The bright side of exceptions Introduction The Lisp Condition System Basic Error Handling

The bright side of exceptions Introduction The Lisp Condition System Basic Error Handling

The bright side of exceptions Didier Verna The bright side of exceptions Introduction The Lisp Condition System Basic Error Handling Catching and throwing errors Defining errors Didier Verna Advanced Error Handling Restarts

307 views • 17 slides

More recommend