Pointless Tainting? Evaluating the Practicality of Pointer Tainting - PowerPoint PPT Presentation

Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos, Vrije Universiteit Amsterdam. Why pointer tainting? Attacks: exploit low-level memory errors


  1. Pointless Tainting? Evaluating the Practicality of Pointer Tainting
     Asia Slowinska, Herbert Bos
     Vrije Universiteit Amsterdam


  2. Why pointer tainting?
     • Attacks
       Exploit low-level memory errors: buffer overflows, dangling pointers, format strings

  3. Why pointer tainting?
     • Attacks
       Exploit low-level memory errors: buffer overflows, dangling pointers, format strings
       Control-diverting

  4. Why pointer tainting?
     • Attacks
       Exploit low-level memory errors: buffer overflows, dangling pointers, format strings
       Control-diverting
       Non-control-diverting

  5. Why pointer tainting?
     • Keyloggers, etc.
       Installed by users or by the way of exploits, e.g., trojan
     • Attacks
       Exploit low-level memory errors: buffer overflows, dangling pointers, format strings
       Control-diverting
       Non-control-diverting

  6. Why pointer tainting?
     • Keyloggers, etc.
       Installed by users or by the way of exploits, e.g., trojan
     • Attacks
       Exploit low-level memory errors: buffer overflows, dangling pointers, format strings
       Control-diverting
       Non-control-diverting
     • Pointer tainting
       • Capable of detecting
         • Memory corruption attacks
           • Both control- and non-control-diverting
         • Privacy-breaching malware
       • PROBLEMATIC


  7. Basic tainting
     [Diagram: memory with taint tags; App 1, App 2, App 3; Guest OS; Emulator; Host OS]

  8. Basic tainting
     [Diagram: memory with taint tags, ret; App 1, App 2, App 3; Guest OS; Emulator; Host OS]

  9. Basic tainting
     1. Mark network data as tainted.
     [Diagram: memory with taint tags, ret; App 1, App 2, App 3; Guest OS; Emulator; Host OS]


  11. Basic tainting
      1. Mark network data as tainted.
      2. Propagate taint through the OS.
      [Diagram: memory with taint tags, ret; App 1, App 2, App 3; Guest OS; Emulator; Host OS]


  14. Basic tainting
      1. Mark network data as tainted.
      2. Propagate taint through the OS.
      3. Alert for dereferences due to tainted jumps, function calls/returns.
      [Diagram: memory with taint tags, ret; App 1, App 2, App 3; Guest OS; Emulator; Host OS]


  17. Attacks: (in)effectiveness of basic tainting
      void serve(int fd) {
        char *reply = ...;
        char request[64];
        read(fd, request, 128);      /* 128 bytes into a 64-byte buffer */
        srv_send(fd, reply, 1024);
      }
      [Diagram labels: reply msg, reply, request]

  18. Attacks: (in)effectiveness of basic tainting
      void serve(int fd) {
        char *reply = ...;
        char request[64];
        read(fd, request, 128);      /* 128 bytes into a 64-byte buffer */
        srv_send(fd, reply, 1024);
      }
      [Diagram labels: reply msg, server private data, reply, request]


  19. Pointer tainting
      1. Mark network data as tainted.
      2. Propagate taint through the OS.
      3. Alert for dereferences due to tainted jumps, function calls/returns.
      • Attacks
        + If p is tainted, raise an alert on any dereference of p

  20. Pointer tainting
      1. Mark network data as tainted.
      2. Propagate taint through the OS.
      3. Alert for dereferences due to tainted jumps, function calls/returns.
      • Attacks
        + If p is tainted, raise an alert on any dereference of p
      • Keylogger detection
        + If p is tainted, any dereference of p taints the destination

  21. Attacks: effectiveness of pointer tainting
      void serve(int fd) {
        char *reply = ...;
        char request[64];
        read(fd, request, 128);      /* 128 bytes into a 64-byte buffer */
        srv_send(fd, reply, 1024);
      }
      [Diagram labels: reply msg, server private data, reply, request]


  22. Pointer tainting: FPs likely
      void serve(int fd) {
        char reply;
        char request;
        read(fd, &request, 1);
        srv_send(fd, &reply, 1);
      }

  23. Pointer tainting: FPs likely
      void serve(int fd) {
        char reply;
        char request;
        read(fd, &request, 1);
        reply = to_lower[request];
        srv_send(fd, &reply, 1);
      }

  24. Pointer tainting: FPs likely
      void serve(int fd) {
        char reply;
        char request;
        read(fd, &request, 1);
        reply = to_lower[request];
        srv_send(fd, &reply, 1);
      }
      [Memory diagram: 0x143 = 0x63 ('c'); 0x142 = 0x62 ('b'); 0x141 = 0x61 ('a'); 0x100]

  25. Pointer tainting: FPs likely
      void serve(int fd) {
        char reply;
        char request;
        read(fd, &request, 1);
        reply = to_lower[request];
        srv_send(fd, &reply, 1);
      }
      [Memory diagram: 0x143 = 0x63 ('c'); 0x142 = 0x62 ('b'); 0x141 = 0x61 ('a'); 0x100]
      request = 0x41 'A'

  26. Pointer tainting: FPs likely
      void serve(int fd) {
        char reply;
        char request;
        read(fd, &request, 1);
        reply = to_lower[request];
        srv_send(fd, &reply, 1);
      }
      [Memory diagram: 0x143 = 0x63 ('c'); 0x142 = 0x62 ('b'); 0x141 = 0x61 ('a'); 0x100]
      request = 0x41 'A'
      addr = 0x100 + request
      reply = *addr
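
The two serve() variants above, modelled as an added example that is not part of the original presentation: a toy memory with one taint tag per byte, showing that the pointer-tainting rule that catches the overflow also fires on the benign to_lower lookup. The addresses 0x40, 0xC0 and 0xF0, the one-byte pointer, and the names net_read, load, overflow_case and lookup_case are assumptions for illustration; only the table base 0x100 and 'A' = 0x41 come from the slides.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum policy { BASIC, POINTER };
struct result { uint8_t value; int tainted; int alert; };
static uint8_t mem[0x200], tag[0x200];  /* toy memory, one taint tag per byte */

/* Step 1: bytes read from the network are stored and tagged as tainted. */
static void net_read(unsigned dst, const uint8_t *src, unsigned n) {
    memcpy(mem + dst, src, n);
    memset(tag + dst, 1, n);
}

/* Load mem[addr]; addr_taint is the tag of the value the address was built from.
 * BASIC copies only the tag at addr; POINTER also alerts and taints the result. */
static struct result load(unsigned addr, int addr_taint, enum policy p) {
    struct result r = { mem[addr], tag[addr], 0 };
    if (p == POINTER && addr_taint) { r.alert = 1; r.tainted = 1; }
    return r;
}

/* serve() with request[64]: 128 network bytes overrun into the reply pointer. */
struct result overflow_case(enum policy p) {
    uint8_t pkt[128];
    memset(mem, 0, sizeof mem); memset(tag, 0, sizeof tag);
    mem[0xC0] = 'R';                 /* reply msg */
    mem[0xF0] = 'S';                 /* server private data */
    mem[0x40] = 0xC0;                /* one-byte "reply" pointer after request[64] */
    memset(pkt, 0xF0, sizeof pkt);   /* constructed input: every byte is 0xF0 */
    net_read(0x00, pkt, sizeof pkt); /* overwrites 0x00..0x7F, pointer included */
    return load(mem[0x40], tag[0x40], p);
}

/* serve() with the to_lower lookup: table base 0x100, index is network data. */
struct result lookup_case(uint8_t request, enum policy p) {
    memset(mem, 0, sizeof mem); memset(tag, 0, sizeof tag);
    for (unsigned i = 0; i < 0x100; i++) mem[0x100 + i] = (uint8_t)tolower((int)i);
    net_read(0x00, &request, 1);
    return load(0x100u + mem[0x00], tag[0x00], p);
}

int main(void) {
    printf("overflow: basic=%d pointer=%d\n", overflow_case(BASIC).alert, overflow_case(POINTER).alert);
    printf("to_lower: basic=%d pointer=%d\n", lookup_case('A', BASIC).alert, lookup_case('A', POINTER).alert);
    return 0;
}
```

Under BASIC the private byte is read with no alert and no taint; under POINTER both cases raise the same alert, because the tracker sees only that the address was derived from tainted data.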

  28. Keylogger detection
      [Diagram: memory with taint tags; App 1, App 2, App 3; Guest OS; Emulator; Host OS; potential malware; Internet browser]


  34. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head(filename);

  35. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head(filename);
      [Diagram labels: base]

  36. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head(filename);
      [Diagram labels: index = hash(filename), base]


  39. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head(filename);
      struct dentry *dentry = head->first;

  40. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head(filename);
      struct dentry *dentry = head->first;
      [Diagram labels: dentry of foo.txt (next = NULL, info)]

  41. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head("test.txt");
      struct dentry *dentry = head->first;
      [Diagram labels: dentry of foo.txt (next = NULL, info)]

  42. Keylogger detection: FPs likely (again)
      struct hlist_head *head = get_list_head("test.txt");
      struct dentry *dentry = head->first;
      [Diagram labels: dentry of foo.txt (next = NULL, info); dentry of test.txt (next, info)]

