Pointless Tainting? Evaluating the Practicality of Pointer Tainting
Asia Slowinska, Herbert Bos
Vrije Universiteit Amsterdam
Why pointer tainting?
• Attacks
  - Exploit low-level memory errors: buffer overflows, dangling pointers, format strings
  - Control-diverting
  - Non-control-diverting
• Keyloggers, etc.
  - Installed by users or by way of exploits, e.g., a trojan
• Pointer tainting
  - Capable of detecting memory corruption attacks, both control- and non-control-diverting
  - Capable of detecting privacy-breaching malware
  - PROBLEMATIC
Basic tainting
[Figure: App 1, App 2 and App 3 run on the Guest OS, which runs inside an Emulator on the Host OS. Every memory location carries a memory taint tag; the saved return address (ret) on the stack is one such tagged location.]
1. Mark network data as tainted.
2. Propagate taint through the OS.
3. Alert for dereferences due to tainted jumps, function calls/returns.
Attacks: (in)effectiveness of basic tainting

void serve(int fd) {
    char *reply = ...;
    char request[64];
    read(fd, request, 128);
    srv_send(fd, reply, 1024);
}

[Figure: the stack frame holds request[64] with the pointer reply stored above it. The 128-byte read overflows request and overwrites reply, redirecting it from the reply msg to server private data, which srv_send then sends out. No tainted jump, call or return is involved, so basic tainting raises no alert.]
Pointer tainting
1. Mark network data as tainted.
2. Propagate taint through the OS.
3. Alert for dereferences due to tainted jumps, function calls/returns.
• Attacks: + If p is tainted, raise an alert on any dereference of p
• Keylogger detection: + If p is tainted, any dereference of p taints the destination
Attacks: effectiveness of pointer tainting

void serve(int fd) {
    char *reply = ...;
    char request[64];
    read(fd, request, 128);
    srv_send(fd, reply, 1024);
}

[Figure: same frame as before. The overflow writes tainted network bytes over reply, so reply itself is now tainted; the dereference of reply inside srv_send (reading the server private data) hits a tainted pointer and pointer tainting raises an alert before the data leaves.]
Pointer tainting: FPs likely

void serve(int fd) {
    char reply;
    char request;
    read(fd, &request, 1);
    reply = to_lower[request];
    srv_send(fd, &reply, 1);
}

[Figure: the to_lower table starts at 0x100; entry 0x141 holds 0x61 ('a'), 0x142 holds 0x62 ('b'), 0x143 holds 0x63 ('c').]

request = 0x41 ('A')
addr = 0x100 + request
reply = *addr

The index request is tainted network data, so addr = 0x100 + request is a tainted pointer and the lookup *addr dereferences it. Pointer tainting alerts on this perfectly benign table lookup: a false positive.
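As an added example (not the paper's or the authors' code), the following C program is a byte-granular taint tracker over a small simulated memory that replays the serve() function from these slides under both policies. The address layout, the to_lower table, the "secret" data and the three attacker/benign packets are all constructed for the illustration; the memory addresses, policy names and alert counts are assumptions of this example, not measurements from the paper. It shows the control-diverting overflow caught by basic tainting, the non-control-diverting pointer overwrite that only pointer tainting catches (basic tainting lets the private byte out), and the benign to_lower lookup that pointer tainting wrongly flags.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the paper's code: a per-byte taint tracker over a tiny
 * simulated guest memory. All addresses and packets below are constructed. */

#define MEM_SIZE 0x200
#define TABLE    0x100   /* to_lower[]: byte at 0x100+c holds tolower(c), so 0x141 = 'a' */
#define SECRET   0x040   /* server private data */
#define REPLYBUF 0x080   /* legitimate reply message */
#define REQUEST  0x180   /* char request[64] on the stack */
#define REPLYP   0x1C0   /* saved char *reply, directly above request[] */
#define RETADDR  0x1C4   /* saved return address */

enum policy { BASIC, POINTER };

typedef struct { uint32_t v; int t; } reg_t;   /* a register value plus its taint tag */

static uint8_t mem[MEM_SIZE];     /* simulated memory */
static uint8_t taint[MEM_SIZE];   /* one memory taint tag per byte */
static int alerts;                /* alerts raised during one run */
static uint8_t last_sent;         /* the byte handed to srv_send() */

/* Untainted store, as done by trusted code when it sets up the frame. */
static void store32(uint32_t a, uint32_t v) {
    for (int i = 0; i < 4; i++) { mem[a + i] = (uint8_t)(v >> (8 * i)); taint[a + i] = 0; }
}

/* Step 1: network input is copied in and every byte is tagged tainted. */
static void net_read(uint32_t dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) { mem[dst + i] = src[i]; taint[dst + i] = 1; }
}

/* Step 2: a load propagates the tags of the bytes read into the destination.
 * Pointer tainting additionally alerts when the address itself is tainted. */
static reg_t load(enum policy pol, reg_t addr, size_t n) {
    reg_t r = { 0, 0 };
    if (pol == POINTER && addr.t) alerts++;
    for (size_t i = 0; i < n; i++) {
        r.v |= (uint32_t)mem[addr.v + i] << (8 * i);
        r.t |= taint[addr.v + i];
    }
    return r;
}

/* Step 3 (both policies): a tainted jump/call/return target is an alert. */
static void ret_insn(reg_t target) { if (target.t) alerts++; }

static void setup(void) {
    memset(mem, 0, sizeof mem); memset(taint, 0, sizeof taint);
    alerts = 0; last_sent = 0;
    for (int c = 0; c < 0x44; c++)                       /* to_lower for 0x00..0x43 */
        mem[TABLE + c] = (uint8_t)((c >= 'A' && c <= 'Z') ? c + 32 : c);
    memcpy(&mem[SECRET], "secret", 6);
    memcpy(&mem[REPLYBUF], "hello", 5);
    store32(REPLYP, REPLYBUF);
    store32(RETADDR, 0x08048000);                        /* arbitrary caller address */
}

/* One run of serve(): read() copies the packet into request[64] unchecked, then
 * either reply = to_lower[request] (benign variant) or srv_send(fd, reply, ...). */
static int serve_sim(enum policy pol, const uint8_t *pkt, size_t len, int lookup) {
    setup();
    net_read(REQUEST, pkt, len);                          /* read(fd, request, 128) */
    if (lookup) {
        reg_t req  = load(pol, (reg_t){ REQUEST, 0 }, 1); /* the request byte: tainted */
        reg_t addr = { TABLE + req.v, req.t };            /* addr = 0x100 + request */
        last_sent  = (uint8_t)load(pol, addr, 1).v;       /* reply = *addr */
    } else {
        reg_t reply = load(pol, (reg_t){ REPLYP, 0 }, 4); /* load the saved pointer */
        last_sent   = (uint8_t)load(pol, reply, 1).v;     /* srv_send() reads *reply */
    }
    ret_insn(load(pol, (reg_t){ RETADDR, 0 }, 4));        /* ret */
    return alerts;
}

/* Constructed packets for the three cases on the slides. */
static int benign_lookup(enum policy pol) {               /* 1-byte request 'A' */
    uint8_t pkt[1] = { 'A' };
    return serve_sim(pol, pkt, 1, 1);
}
static int noncontrol_attack(enum policy pol) {           /* 68 bytes: clobber reply only */
    uint8_t pkt[68]; memset(pkt, 'A', 64);
    pkt[64] = SECRET; pkt[65] = pkt[66] = pkt[67] = 0;    /* reply -> server private data */
    return serve_sim(pol, pkt, sizeof pkt, 0);
}
static int control_attack(enum policy pol) {              /* 72 bytes: clobber reply and ret */
    uint8_t pkt[72]; memset(pkt, 'A', 64);
    pkt[64] = REPLYBUF; pkt[65] = pkt[66] = pkt[67] = 0;  /* keep reply valid so send runs */
    pkt[68] = 0x37; pkt[69] = 0x13; pkt[70] = 0x40; pkt[71] = 0x40;  /* attacker's ret */
    return serve_sim(pol, pkt, sizeof pkt, 0);
}

int main(void) {
    printf("control-diverting : basic=%d pointer=%d\n", control_attack(BASIC), control_attack(POINTER));
    int b = noncontrol_attack(BASIC);
    printf("non-control leak  : basic=%d (sent '%c' from private data) pointer=%d\n",
           b, last_sent, noncontrol_attack(POINTER));
    printf("benign to_lower   : basic=%d pointer=%d (false positive)\n",
           benign_lookup(BASIC), benign_lookup(POINTER));
    return 0;
}
```

Under BASIC the non-control run ends with zero alerts even though last_sent holds the first byte of the secret; under POINTER the same run alerts once, but so does the benign lookup, which is the trade-off the slides are about.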
Keylogger detection
[Figure: the same emulator setup (App 1, App 2, App 3 on the Guest OS, inside an Emulator on the Host OS, with a memory taint tag per location). One application is an Internet browser receiving the user's keystrokes, another is potential malware. Keystrokes are marked tainted like network data; taint propagates through the Guest OS; if the potential malware ends up holding tainted (keystroke-derived) data, it is flagged as a keylogger.]
Keylogger detection: FPs likely (again)

struct hlist_head *head = get_list_head("test.txt");
struct dentry *dentry = head->first;

[Figure: get_list_head computes index = hash(filename) and returns base + index, the bucket head. The bucket's chain holds the dentry of test.txt (next, info) followed by the dentry of foo.txt (next = NULL, info).]

When the filename "test.txt" was typed by the user it is tainted, so index = hash(filename) is tainted and base + index, the pointer head, is tainted. Under the keylogger-detection rule, dereferencing head taints dentry, and dereferencing dentry taints everything reached through it: the info of test.txt, the next pointer, and then the dentry and info of foo.txt, a file unrelated to the keystrokes. Taint spreads into shared kernel data structures, and any benign program that later touches them looks like it is reading keystrokes.
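The following C program is an added example (not the paper's code and not the Linux dcache) that tags every pointer register and every memory cell of a toy dentry hash table with a taint bit and applies the keylogger-detection rule from the slides: a load through a tainted pointer taints the loaded value, and a store through a tainted pointer taints the cell. The hash function (over the extension only, so that foo.txt and test.txt share a bucket as in the figure), the field layout and the refcount bookkeeping are constructed for the illustration. It reproduces the false positive: after one lookup with a typed, tainted name, a later lookup of foo.txt from an untainted name still returns tainted data, because the tainted bucket pointer was written back into the table.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the paper's code: taint-tagged toy dentry hash table. */

#define NBUCKETS 8

struct dentry {
    const char *name;
    uint32_t refcount;   int refcount_taint;   /* value + its memory taint tag */
    struct dentry *next; int next_taint;
};
struct hlist_head { struct dentry *first; int first_taint; };

typedef struct { void *p; int t; } ptr_t;       /* a pointer register and its tag */
typedef struct { uint32_t v; int t; } val_t;    /* a data register and its tag */

static struct hlist_head table[NBUCKETS];
static struct dentry pool[4];                   /* toy allocator */
static int npool;

/* Toy hash over the extension only, constructed so foo.txt and test.txt collide. */
static uint32_t hash(const char *s) {
    const char *dot = strrchr(s, '.');
    uint32_t h = 0;
    for (const char *c = dot ? dot : s; *c; c++) h += (uint8_t)*c;
    return h % NBUCKETS;
}

/* Keylogger-detection rule: a load through a tainted pointer taints the result
 * (OR'd with the cell's own tag); a store through a tainted pointer taints the cell. */
static ptr_t load_first(ptr_t head) {
    struct hlist_head *h = head.p;
    return (ptr_t){ h->first, head.t | h->first_taint };
}
static void store_first(ptr_t head, ptr_t v) {
    struct hlist_head *h = head.p;
    h->first = v.p; h->first_taint = head.t | v.t;
}
static ptr_t load_next(ptr_t d) {
    struct dentry *de = d.p;
    return (ptr_t){ de->next, d.t | de->next_taint };
}
static void store_next(ptr_t d, ptr_t v) {
    struct dentry *de = d.p;
    de->next = v.p; de->next_taint = d.t | v.t;
}
static val_t load_refcount(ptr_t d) {
    struct dentry *de = d.p;
    return (val_t){ de->refcount, d.t | de->refcount_taint };
}
static void store_refcount(ptr_t d, val_t v) {
    struct dentry *de = d.p;
    de->refcount = v.v; de->refcount_taint = d.t | v.t;
}

/* get_list_head(filename): index = hash(filename) inherits the name's tag,
 * and so does the pointer base + index. */
static ptr_t get_list_head(const char *name, int name_taint) {
    val_t index = { hash(name), name_taint };
    return (ptr_t){ &table[index.v], index.t };
}

/* d_alloc + hlist_add_head: create a dentry for name and push it on its bucket. */
static void insert(const char *name, int name_taint) {
    ptr_t head = get_list_head(name, name_taint);
    struct dentry *de = &pool[npool++];
    de->name = name; de->refcount = 0; de->refcount_taint = 0;
    ptr_t d = { de, 0 };                   /* fresh allocation: the pointer is clean */
    store_next(d, load_first(head));       /* new->next = head->first */
    store_first(head, d);                  /* head->first = new (cell tainted if head is) */
}

/* Walk the bucket, bump the hit's refcount, and return the tag on the value the
 * caller receives (the new refcount). Returns -1 on a miss. */
static int lookup(const char *name, int name_taint) {
    ptr_t d = load_first(get_list_head(name, name_taint));   /* dentry = head->first */
    while (d.p) {
        struct dentry *de = d.p;
        if (strcmp(de->name, name) == 0) {
            val_t rc = load_refcount(d);   /* rc = dentry->refcount */
            rc.v += 1;                     /* arithmetic keeps the tag */
            store_refcount(d, rc);         /* dentry->refcount = rc */
            return rc.t;
        }
        d = load_next(d);                  /* dentry = dentry->next */
    }
    return -1;
}

static void boot(void) {                   /* foo.txt cached from an untainted name */
    memset(table, 0, sizeof table); npool = 0;
    insert("foo.txt", 0);
}
static int foo_before_typing(void) { boot(); return lookup("foo.txt", 0); }
static int foo_after_typing(void) {
    boot();
    insert("test.txt", 1);                 /* name typed by the user: tainted */
    lookup("test.txt", 1);
    return lookup("foo.txt", 0);           /* untainted request, unrelated file */
}

int main(void) {
    printf("foo.txt refcount tainted before typing: %d\n", foo_before_typing());
    printf("foo.txt refcount tainted after typing:  %d\n", foo_after_typing());
    return 0;
}
```

The taint does not stay in registers: store_first writes the bucket head through a tainted pointer, so table[hash("test.txt")].first_taint is set permanently, and every later walk of that bucket, by any process and for any name, yields tainted values.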