TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Report
TaintScope
Presented by:
Hector M Lugo-Cordero, MS
CAP 6135
April 12, 2011
Acknowledgements
• Authors: Tielei Wang, Tao Wei, Guofei Gu,
Wei Zou
• Paper Title: TaintScope: A ChecksumAware Directed Fuzzing Tool for Automatic
Software Vulnerability Detection
• In Proceedings of the 31st IEEE
Symposium on Security & Privacy,
Oakland, CA, May 2010.
• Awarded Best Student Paper
2
Outline
•
•
•
•
Fuzz Testing
TaintScope
Performance
Conclusions
3
Outline
•
•
•
•
Fuzz Testing
TaintScope
Performance
Conclusions
4
Fuzz Testing
• Attempt to crash or hang a program by
feeding it malformed inputs
• Blackbox fuzzing
– Generational
– Mutation
5
Fuzz Testing: Motivation
• Nobody is perfect
• Programs may be very large and dificult to
test
• Find bugs to fix
• Exploit programs for malware
6
Fuzz Testing: Challenges
• Random fuzzing has to cover a huge
sample space
– E.g. audio signal of 4s, 32k bytes
• 2256,000 possible values
• Symbolic fuzzing can’t bypass checksum
instructions
7
Outline
•
•
•
•
Fuzz Testing
TaintScope
Performance
Conclusions
8
TaintScope
• Fuzzer that can bypass checksum
– independent of the algorithm
• Concentrates on data flow dependence
• Uses IDA Pro Disassembler
• Works like a classifier
9
TaintScope: How it Works
• Identify hot bytes in input
– Bytes that affect API functions
• Memory management
• String operations
– Input bytes are tainted with unique id
• Identify possible checksum points
10
TaintScope: How it Works
•
•
•
•
Well-formed inputs take a true/false path
Malformed inputs take a false/true path
Intersection yields the check points
TaintScope creates bypass rules
11
TaintScope: How it Works
• Fuzzer runs with bypass rules and
mutates only hot bytes
• Crashes and hangs are recorded
12
TaintScope: How it Works
• Crashed samples are repaired for replay
– Checksum are corrected
• Type of vulnerability can be analyzed
13
Outline
•
•
•
•
Fuzz Testing
TaintScope
Performance
Conclusions
14
Performance: Hot Bytes
15
Performance: Checksum
16
Performance: Vulnerabilities
17
What is accomplished?
• TaintScope has found vulnerabilities in
popular programs (e.g. MS Paint, Adobe
Acrobat, and more)
• Vendors have patched the software
• Vulnerabilities have been published in
– Secunia
– Common Vulnerabilities and Exposure
18
MW Paint Search
19
Adobe Acrobat Search
20
Outline
•
•
•
•
Fuzz Testing
TaintScope
Performance
Conclusions
21
Conclusions
•
•
•
•
•
Fuzzer able to bypass checksum
Works with Linux/Windows binaries
100% inputs cause crash or hang
Low input samples
Tested on many well-known applications
and formats
22
Weakness
• Doesn’t talk about code coverage
• Needs to run the program several times to
find information of interest
• Can’t detect correctly checksums where
data is encrypted with key-based algorithm
23
Improvements
• Consider incorporating a tool like
HyperNEAT
– can learn search space patterns
– work with encryption (e.g. DES S-Boxes)
• Dynamic update to reduce number of runs
needed to build hot bytes/checksum
information
24
References
1.
2.
3.
4.
5.
6.
7.
Tielei Wang’s website:
http://sites.google.com/site/tieleiwang/
Month of Kernel Bugs: http://projects.infopull.com/mokb/
Month Browsers Bug: http://browserfun.blogspot.com/
Secunia: http://secunia.com/
Comon Vulnerabilities and Exposure:
http://cve.mitre.org/
IDA Disassembler:
http://www.hex-rays.com/idapro/
Google Images: http://images.google.com
25
QUESTIONS
26

similar documents