triggering deep vulnerabilities using symbolic execution
play

Triggering Deep Vulnerabilities Using Symbolic Execution Dan - PowerPoint PPT Presentation

Oct 01, 2023 •205 likes •607 views

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the BitBlaze group at UC Berkeley *

  1. Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the BitBlaze group at UC Berkeley * images taken from original “Alice in Wonderland”

  2. Preconditions Finding bugs and crashes is easy – Fuzzing, Bounded Model Checking, test cases Exploit generation is hard – Trigger for vulnerability? – Input transformations?

  3. Setup Program (with target condition) PoC Input SE

  4. Road map Motivation Definition and tools State explosion Scaling up Divide and conquer Binary analysis The end

  5. What is Symbolic Execution? An abstract interpretation of code – Symbolic values, not concrete Agnostic to concrete values – Values turn into formulas – Constraints concretize formulas Finds concrete input – Triggers “ interesting ” condition

  6. Using Symbolic Execution Define set of conditions at code locations – Symbolic Execution determines triggering input Testing: finding bugs in applications – Infer pre/post conditions and add assertions – Use symbolic execution to negate conditions Exploit generation: generate PoC input – Vulnerability condition is predefined

  7. Symbolic Execution Tools FuzzBALL – PoC exploits for given vulnerability conditions – http://bitblaze.cs.berkeley.edu/fuzzball.html S2E : Selective Symbolic Execution – Automatic testing of binary code – http://dslab.epfl.ch/proj/s2e KLEE – Bug finding in source code – http://ccadar.github.io/klee/

  8. Example #1: Vortex Wargame* #include <...> #include <...> void print(unsigned char *buf, int len); // print state (for debugging) void print(unsigned char *buf, int len); // print state (for debugging) #define e(); if( ((unsigned int)ptr & 0xff000000)==0xca000000 ){ win(); } #define e(); if( ((unsigned int)ptr & 0xff000000)==0xca000000 ){ win(); } int main() { int main() { unsigned char buf[512]; unsigned char buf[512]; unsigned char *ptr = buf + (sizeof(buf)/2) ; unsigned char *ptr = buf + (sizeof(buf)/2); unsigned int x; unsigned int x; while((x = getchar()) != EOF) { while((x = getchar()) != EOF) { switch(x) { switch(x) { case '\n': print(buf, sizeof(buf)); continue; break; case '\n': print(buf, sizeof(buf)); continue; break; case '\\': ptr--; break; case '\\': ptr--; break; default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; } } } } } } * http://www.overthewire.org/wargames/

  9. Example #1: Vortex Wargame* ptr buf[512] switch (input) { case '\n': debug() // print debug information case '\': ptr--; // decrement ptr default: if (ptr & 0xff000000 == 0xca000000) win(); if (ptr < buf[len]) ptr++[0] = input; } * http://www.overthewire.org/wargames/

  10. Example #1: Vortex Wargame* ptr buf[512] Problem size: 3 n switch (input) { case '\n': debug() // print debug information case '\': ptr--; // decrement ptr default: if (ptr & 0xff000000 == 0xca000000) win(); Demo! if (ptr < buf[len]) ptr++[0] = input; } * http://www.overthewire.org/wargames/

  11. Road map Motivation Definition and tools State explosion Scaling up Divide and conquer Binary analysis The end

  12. Does Symbolic Exec. scale? Run Length Encoding: compression – Decode and expand input string – Output buffer is given – Symbolic Execution produces input – Different input/output length Evaluate performance of – KLEE – FuzzBALL

  13. RLE encoding: limitations* 100000 10000 1000 100 10 1 RLE-1 RLE-2 RLE-3 RLE-4 RLE-5 RLE-6 RLE-7 RLE-8 RLE-9 In: 3 In: 3 In: 3 In: 4 In: 5 In: 5 In: 5 In: 5 In: 7 Out: 3 Out: 4 Out: 6 Out: 2 Out: 3 Out: 6 Out: 7 Out: 12 Out: 9 KLEE FuzzBALL * Detailed results from TR Berkeley/EECS-2013-125

  14. RLE encoding: limitations* 100000 10000 1000 100 10 1 RLE-1 RLE-2 RLE-3 RLE-4 RLE-5 RLE-6 RLE-7 RLE-8 RLE-9 In: 3 In: 3 In: 3 In: 4 In: 5 In: 5 In: 5 In: 5 In: 7 Out: 3 Out: 4 Out: 6 Out: 2 Out: 3 Out: 6 Out: 7 Out: 12 Out: 9 KLEE FuzzBALL * Detailed results from TR Berkeley/EECS-2013-125

  15. RLE encoding: limitations* 100000 10000 1000 100 10 Vanilla Symbolic Execution does NOT scale! 1 RLE-1 RLE-2 RLE-3 RLE-4 RLE-5 RLE-6 RLE-7 RLE-8 RLE-9 In: 3 In: 3 In: 3 In: 4 In: 5 In: 5 In: 5 In: 5 In: 7 Out: 3 Out: 4 Out: 6 Out: 2 Out: 3 Out: 6 Out: 7 Out: 12 Out: 9 KLEE FuzzBALL * Detailed results from TR Berkeley/EECS-2013-125

  16. State explosion At each decision point – Number of paths doubles (fork) – Updated or added constraints 1 1 1, 6 1, 2 2 1, 2, 3, 1, 2, 4, 5, 1 5, 1 3 4 1, 2, 3, 1, 2, 3, 5, 1, 6 5, 1, 2 1, 2, 4, 1, 2, 4, 5 6 5, 1, 6 5, 1, 2

  17. Reasons for state explosion Too much input/output data – Not much we can do about Too much included state – Limit symbolic state Too much executed code – Divide and conquer

  18. Road map Motivation Definition and tools State explosion Scaling up Divide and conquer Binary analysis The end

  19. Interesting input sizes <10 symbolic bytes – Address, offset or pointer 20-80 symbolic bytes – Shellcode, ROP chain >200 symbolic bytes – Shellcode plus data, long ROP chains – Complete data structures

  20. Heuristics to the rescue Assume properties for transformations – Surjectivity: there exists a pre-image – Sequentiality: output is never revoked – Streaming: bounded transformation state Encoded heuristics – Prune early, prune often if target unreachable – Be greedy, prioritize paths that maximize output – Optimize array accesses

  21. RLE encoding: heuristics* 100000 10000 1000 100 10 1 RLE-1 RLE-2 RLE-3 RLE-4 RLE-5 RLE-6 RLE-7 RLE-8 RLE-9 In: 3 In: 3 In: 3 In: 4 In: 5 In: 5 In: 5 In: 5 In: 7 Out: 3 Out: 4 Out: 6 Out: 2 Out: 3 Out: 6 Out: 7 Out: 12 Out: 9 KLEE FuzzBALL FuzzBALL-heuristic * Detailed results from TR Berkeley/EECS-2013-125

  22. RLE encoding: heuristics* 100000 10000 1000 100 10 1 RLE-1 RLE-2 RLE-3 RLE-4 RLE-5 RLE-6 RLE-7 RLE-8 RLE-9 In: 3 In: 3 In: 3 In: 4 In: 5 In: 5 In: 5 In: 5 In: 7 Out: 3 Out: 4 Out: 6 Out: 2 Out: 3 Out: 6 Out: 7 Out: 12 Out: 9 KLEE FuzzBALL FuzzBALL-heuristic * Detailed results from TR Berkeley/EECS-2013-125

  23. RLE encoding: heuristics* 100000 10000 1000 100 10 Heuristics help. Heuristics help. A little. Heuristics help. A little. 1 RLE-1 RLE-2 RLE-3 RLE-4 RLE-5 RLE-6 RLE-7 RLE-8 RLE-9 In: 3 In: 3 In: 3 In: 4 In: 5 In: 5 In: 5 In: 5 In: 7 State explosion remains! Out: 3 Out: 4 Out: 6 Out: 2 Out: 3 Out: 6 Out: 7 Out: 12 Out: 9 KLEE FuzzBALL FuzzBALL-heuristic * Detailed results from TR Berkeley/EECS-2013-125

  24. Road map Motivation Definition and tools State explosion Scaling up Divide and conquer Binary analysis The end

  25. Divide and conquer Program (with target condition) Input SE

  26. Divide and conquer Program (with target condition) Input buf0 buf1 buf2 trans. trans. trans. PoC Input SE SE SE

  27. Does Symbolic Exec. scale? Hex and Run Length Decoding – Two transformations, e.g., FB41014280 → \xfbA\x01B\x80 \xfbA\x01B\x80 → AAAAAAB – We know all buffer locations Evaluate performance of – KLEE/FuzzBALL – FuzzBALL with heuristics – FuzzBALL with two iterations

  28. Example #2: HEX & RLE Demo! ASCIIHexDecode( buf0 , len0, buf1 , 4096); if (RunLengthDecode( buf1 , len1, buf2 , 4096) != -1) { if (strncmp(argv[3], (char*) buf2 , strlen(argv[3])) == 0) { printf("Correctly recovered str\n"); } } Input HEXDecode RLEDecode buf0 buf1 buf2 SE SE

  29. HEXRLE encoding: iterations 100000 10hr timeout 10000 1000 Runtime [s] 100 10 1 HEXRLE-1 HEXRLE-2 HEXRLE-3 HEXRLE-4 HEXRLE-5 HEXRLE-5 HEXRLE-6 In: 10 In: 14 In: 16 In: 18 In: 125 In: 125 In: 250 Inter: 5 Inter: 7 Inter: 8 Inter: 9 Inter: 60 Inter: 60 Inter: 120 Out: 12 Out: 9 Out: 10 Out: 11 Out: 57 Out: 57 Out: 114 KLEE / FuzzBALL FuzzBALL-heuristics FuzzBALL-HI-CFG

  30. One problem solved... Divide and conquer mitigates scaling issues We now have two new problems: – Finding transformation boundaries – Finding buffers locations

  31. Road map Motivation Definition and tools State explosion Scaling up Divide and conquer Binary analysis The end

  32. Hybrid Info. and Control-Flow Graph 1 Buffer A 2 3 4 Buffer C Buffer B 5 6 Control-Flow Graph Information-Flow Graph

  33. Trace-based binary analysis Trace allows to recover both (live) control-flow and information-flow using concrete input 1. Start with concrete input 2. Collect instruction-level trace 3. Process trace offline to discover buffers

  34. Grouping memory accesses “ Related ” accesses target same buffer – Temporal relation – Spatial relation Assume a buffer hierarchy – Layers of buffers Find “ natural ” boundaries between transformations

  35. Example #3: CVE-2010-3704 Type 1 font parsing bug in Poppler PDF-viewer Read Flate Parse Font decode Font I/O

  36. Example #3: Poppler buffers GfxFont::readEmbed FontFile(Xref*, int*) memcpy space alloc alloc alloc bf792000 828b420 829f008 82b7550 (implicit) 4096 312 34104 9887 FlateStream::getHuffmanCode FoFiType1: Word(FlateHuffmanTab*) :parse()

Recommend

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the BitBlaze group at UC Berkeley *

386 views • 36 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji

JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji

JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji Jeong , Sungwoo Cho, Gyeong-In Yu, Joo Seong Jeong, Dong-Jin Shin, Byung-Gon Chun Demo 1 Introduction Challenge Solution Results Deep Neural

452 views • 21 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides

More recommend