retrofitting security in input parsing routines
play

Retrofitting Security in input parsing routines Jayakrishna Menon, - PowerPoint PPT Presentation

Dec 07, 2022 •334 likes •702 views

Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, Stephen Schwab {jmenon, hauser, schwab}@isi.edu yans@asu.edu Modern defenses Vulnerabilities Many programs are still OS defenses

  1. Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, Stephen Schwab {jmenon, hauser, schwab}@isi.edu yans@asu.edu

  2. Modern defenses Vulnerabilities Many programs are still ● OS defenses (ASLR, DEP). ● written in unsafe Compiler-level defenses ● languages like C/C++. (e.g., stack canaries). Memory corruption ● Code audit tools. ● vulnerabilities remain prominent.

  3. parsers Directly exposed to user input. ● Many custom implementations in unsafe languages (C/C++). ● Over 170 vulnerabilities reported in various parsing ● mechanisms since 1999. Varying semantics and the abundance of string ● manipulations make their implementation error-prone.

  4. Solution space

  5. Design time post-design security security Parser libraries. ● Code audits. ● Parser generators. ● Refactoring/inserting ● correct parsers. Formal methods. ● No source code? ●

  6. Binary-level approach Source code not always ● available (legacy code, uncooperative editors, untrusted IoT devices). What you see is not what ● you execute: compiler bugs, compiler “backdoors” WYSINWYX e.g., XCodeGhost (linking malicious code into executables).

  7. challenges

  8. Scaling problem Program analysis techniques are difficult to automate in a scalable and precise manner.

  9. Static analysis Symbolic execution Precise. ● Scalable. ● Unscalable. ● Imprecise. ●

  10. Dynamic analysis Precise. ● Low coverage. ●

  11. Source code Binary Types. ● Registers. ● Variable names. ● Memory locations. ● Functions. ● Basic blocks. ● ... ● ... ●

  12. How to scale to real world programs?

  13. template-based approach … to discover vulnerabilities based on templates corresponding to common classes of security bugs. … to retrofit security by patching programs at the binary-level.

  14. Initial approach classes/templates Focuses on overflows in ● buffers allocated Unconstrained input. ● statically on the stack. Under-constrained input ● size. template-based: ● Unchecked termination ● categorize causes of condition. vulnerabilities into ... ● three classes. Combines static analysis ● and symbolic execution.

  15. Unconstrained Improper usage of functions that do not check for sizes such as input. strcpy, sprintf etc.

  16. Example 1: CVE-2003-0390 int opt_atoi( char *s) { char buf[1024]; char *fmt = "String [ %s ] is not valid"; sprintf(buf, fmt, s); }

  17. Under-constrained Improper validation of size field in functions such as memcpy. input size.

  18. Example 2: CVE-2015-3329 void phar_set_inode( phar_entry_info *entry) { char tmp[1024]; memcpy(tmp, entry -> phar -> fname, entry->phar->fname_len); }

  19. Unchecked Performing operations on termination (possibly) incorrectly terminated strings. condition.

  20. 2-step Analysis approach Symbolic analysis Static analysis } Identify string Identify } program paths. } CFG manipulation destination functions. buffers (sinks). SE Dangerous Identify user Analyze backward DDG input. data-dependency. Path constraints. (Memory corruption caused by unsafe buffer manipulation)

  21. Analysis results Static Analysis Symbolic Overall execution False positive rate 6.6% 0% 0% * False negative rate 40% 0% * 40% Time 1-260s 1-400s 2-660s

  22. New bugs 2 new bugs found in the binary code of common opensource projects and libraries (in a semi-automatic setting)

  23. Retrofitting security: binary patching

  24. Remember: we focus on stack ● Adding the missing buffers. On the identified program ● checks paths, we constrain the user input such that: user_input_size < stack_buffer_size

  25. When the constraints are Adding the missing violated, we crash the program. checks This is equivalent to e.g., __sprintf_chk()

  26. Static reassembly problems: breaking internal program references. Patching the binary Partial solution: inject trampoline gadgets in padding bytes between functions (up to 15 consecutive NOPs).

  27. Inserting checks int opt_atoi(char *s) int opt_atoi(char *s) if(strlen(s)>1024) sprintf(buf, fmt, s); exit() sprintf(buf, fmt, s);

  28. More templates

  29. New template Memory allocation errors … authentication errors. … misuses of cryptographic APIs. … information leakage.

  30. New bugs 12 new bugs found in the binary code of common opensource programs and libraries (in a fully automated setting).

  31. discussion Lightweight and scalable approach. … but high rate of false negatives. … limited patching capabilities.

  32. Data structure recovery. Stumbling blocks Pointer aliasing.

  33. Future work Improve data dependence tracking. ● Leverage static reassembly techniques. ● More vulnerability templates. ● Apply to large corpus of IoT firmware. ●

  34. Key takeaways - Templates per vulnerability class. - Scalable, two-level approach based on a combination of static analysis + symbolic execution. - High-precision: we can infer semantic-agnostic patches for each class. - New bugs.

  35. ?

Recommend

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing

Bottom-up parsing LR parsing Construct parse tree for input from leaves up LR( k ) parsing reducing a string of tokens to single start symbol L eft-to-right scan of input, R ightmost derivation (inverse of deriving a string of tokens from

413 views • 5 slides
LL1 Parsing a b $ S 1 A 4 B 3 2 a b b b 1. S --&gt; a B

LL1 Parsing a b $ S 1 A 4 B 3 2 a b b b 1. S --&gt; a B

LL1 Parsing a b $ S 1 A 4 B 3 2 a b b b 1. S --&gt; a B Input 2. B --&gt; 3. B --&gt; A S 4. A --&gt; b B Parse Stack Compare Input and Stacktop 1 LL1 Parsing a b $ S 1 A

694 views • 17 slides
Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security

370 views • 33 slides
CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3 Top-down Parsing predictive parsers 4 Suggested reading: https://en.wikipedia.org/wiki/LL_parser Top-down Parsing contd.. Also called

750 views • 46 slides
Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A

Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A

Compiler Design and Construction Top-Down Parsing Slides modified from Louden Book and Dr. Scherger Top Down Parsing A top-down parsing algorithm parses an input string of tokens by tracing out the steps in a leftmost derivation. Such an

1.12k views • 96 slides
Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI

Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI

Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015) Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting

752 views • 56 slides
CCured: Type-safe Retrofitting of Legacy Code By Necula, McPeak, Weimer Presented By: Philip

CCured: Type-safe Retrofitting of Legacy Code By Necula, McPeak, Weimer Presented By: Philip

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CCured: Type-safe Retrofitting of Legacy Code By Necula,

284 views • 24 slides
Bottom Up Parsing Also known as Shift-Reduce parsing More powerful than top down Dont

Bottom Up Parsing Also known as Shift-Reduce parsing More powerful than top down Dont

9/26/2012 Bottom Up Parsing Also known as Shift-Reduce parsing More powerful than top down Dont need left factored grammars Can handle left recursion Bottom Up Parsing Attempt to construct parse tree from an input string

654 views • 6 slides
Bottom up Parsing Bottom up parsing trys to transform the input string into the start symbol.

Bottom up Parsing Bottom up parsing trys to transform the input string into the start symbol.

Bottom up Parsing Bottom up parsing trys to transform the input string into the start symbol. Moves through a sequence of sentential forms (sequence of Nonterminal or terminals). Trys to identify some substring of the sentential form that

308 views • 15 slides
Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and

Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and

10/17/2012 Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and given non- LL(k) terminal, we can choose the alternative appropriately. L left to right scan L leftmost derivation

396 views • 7 slides
Bottom up parsing Construct a parse tree for an input string beginning at leaves and going

Bottom up parsing Construct a parse tree for an input string beginning at leaves and going

Bottom up parsing Construct a parse tree for an input string beginning at leaves and going towards root OR Reduce a string w of input to start symbol of grammar Consider a grammar S aABe The sentential forms A Abc | b happen

1.21k views • 79 slides
Algorithms for NLP IITP, Fall 2019 Lecture 11: Parsing III Yulia Tsvetkov 1 Syntactic Parsing

Algorithms for NLP IITP, Fall 2019 Lecture 11: Parsing III Yulia Tsvetkov 1 Syntactic Parsing

Algorithms for NLP IITP, Fall 2019 Lecture 11: Parsing III Yulia Tsvetkov 1 Syntactic Parsing INPUT: The move followed a round of similar increases by other lenders, reflecting a continuing decline in that market OUTPUT:

1.36k views • 115 slides
IT350: Web &amp; Internet Programming Set 19: Security, Hacking and myspace Input to your

IT350: Web &amp; Internet Programming Set 19: Security, Hacking and myspace Input to your

IT350: Web &amp; Internet Programming Set 19: Security, Hacking and myspace Input to your Website How does a user input information to your site? How does your server-side code process the input? How do you store the input?

717 views • 12 slides
Parsing (Syntactic Structure) INPUT: Boeing is located in Seattle. OUTPUT: S 6.864: Lecture 2,

Parsing (Syntactic Structure) INPUT: Boeing is located in Seattle. OUTPUT: S 6.864: Lecture 2,

Parsing (Syntactic Structure) INPUT: Boeing is located in Seattle. OUTPUT: S 6.864: Lecture 2, Fall 2007 Parsing and Syntax I NP VP N V VP Boeing is V PP P NP located in N Seattle 1 3 Overview Syntactic Formalisms Work

400 views • 18 slides
CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing

CSC 4181 Compiler Construction Parsing 1 1 Outline Top-down v.s. Bottom-up Top-down parsing Bottom-up parsing Recursive-descent Shift-reduce parsers parsing LR(0) parsing LL(1) parsing LR(0) items LL(1) parsing

429 views • 29 slides
Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm

Outline Review LL parsing Introduction to Bottom-Up Parsing Shift-reduce parsing The LR parsing algorithm Constructing LR parsing tables 2 Top-Down Parsing: Review Top-Down Parsing: Review Top-down parsing expands a

470 views • 13 slides
Nail A Practical Tool for Parsing and Generating Data Formats Julian Bangert, Nickolai Zeldovich

Nail A Practical Tool for Parsing and Generating Data Formats Julian Bangert, Nickolai Zeldovich

Nail A Practical Tool for Parsing and Generating Data Formats Julian Bangert, Nickolai Zeldovich MIT CSAIL OSDI 14 October 2014 1 / 12 Motivation Parsing Vulnerabilities hand-crafted input parsing and output generation memory corruption

843 views • 16 slides
Parsing Input: Sequence of tokens Output: Abstract Syntax Tree CS 1622: Example: IF (

Parsing Input: Sequence of tokens Output: Abstract Syntax Tree CS 1622: Example: IF (

9/12/2012 Parsing Input: Sequence of tokens Output: Abstract Syntax Tree CS 1622: Example: IF ( ID(x) &gt; NUM(3) ) { ID(y) INCREMENT ; } Syntax Analysis if-statement cond_expr stmt_list Jonathan Misurda &gt;

255 views • 3 slides
Algorithms for NLP CS 11-711 Fall 2020 Lecture 14: Graph-based dependency parsing Emma

Algorithms for NLP CS 11-711 Fall 2020 Lecture 14: Graph-based dependency parsing Emma

Algorithms for NLP CS 11-711 Fall 2020 Lecture 14: Graph-based dependency parsing Emma Strubell Announcements No recitation on Friday (Tartan Community Day). 2 Dependency parsing 3 Dependency parsing Input buffer Transition-based

1.15k views • 77 slides
IT350: Web &amp; Internet Programming Fall 2015 Set 17: Security, Hackingand myspace Input to

IT350: Web &amp; Internet Programming Fall 2015 Set 17: Security, Hackingand myspace Input to

IT350: Web &amp; Internet Programming Fall 2015 Set 17: Security, Hackingand myspace Input to your Website How does a user input information to your site? How does your server-side code process the input? How do you store the input?

548 views • 23 slides
Algorithms for NLP Parsing I Yulia Tsvetkov CMU Slides: Ivan Titov University of

Algorithms for NLP Parsing I Yulia Tsvetkov CMU Slides: Ivan Titov University of

Algorithms for NLP Parsing I Yulia Tsvetkov CMU Slides: Ivan Titov University of Edinburgh, Taylor Berg-Kirkpatrick CMU/UCSD, Dan Klein UC Berkeley Ambiguity I saw a girl with a telescope Parsing INPUT: The move

1.51k views • 132 slides
17. Recursion 2 Building a Calculator, Formal Grammars, Extended Backus Naur Form (EBNF), Parsing

17. Recursion 2 Building a Calculator, Formal Grammars, Extended Backus Naur Form (EBNF), Parsing

17. Recursion 2 Building a Calculator, Formal Grammars, Extended Backus Naur Form (EBNF), Parsing Expressions 488 Motivation: Calculator Goal: we build a command line calculator Input: 3 + 5 Output: 8 Input: 3 / 5 Output: 0.6 Input: 3 + 5 * 20

1.37k views • 49 slides
Mathematics Teaching and Learning Robert Q. Berry, III, PhD NCTM President rberry@nctm.org

Mathematics Teaching and Learning Robert Q. Berry, III, PhD NCTM President rberry@nctm.org

Thinking about Instructional Routines in Mathematics Teaching and Learning Robert Q. Berry, III, PhD NCTM President rberry@nctm.org @robertqberry Plan for Tonight What are routines? Daily Routines School and Classroom Routines

605 views • 24 slides
IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, Alejandro Russo Stanford University, Chalmers University Motivating Example: Web Security Website uses

487 views • 28 slides

More recommend