Proceedings

More documents

Recommendations

Info

UQBTng: a tool capable of automatically finding integer overflows in Win32 binaries November 27, 2005 Abstract— This paper outlines the recent work by the author to develop UQBTng, a tool capable of automatic detection of exploitable integer overflow bugs in Win32 binaries. A brief description of this programming error is given, along with rationale for focusing on Win32 assembly security checking. The tool heavily relies on the excellent UQBT[1] package; the description of the applied enhancements to UQBT is presented. Although definitely a work in progress, UQBTng already can produce results helpful for a security researcher; final section includes the analysis of the run of the tool against a binary (implementing a certain service in Windows 2000) with known integer overflows. Index Terms— computer security, integer overflow, Windows, UQBT, program verification. I. INTRODUCTION THERE is a plethora of academic papers on verification of software. Unfortunately, their usefulness for a security practician dealing with common flaws in popular operating systems and applications [2] is usually very limited, for variety of reasons. Some verification methods require a lot of effort (and knowledge) from the user to be put into formal proof of correctness, using general purpose theorem provers. Other methods, most notably ones related to model checking, require to build a model of a system to be proved, which is both labor-intensive and error prone. Finally, many papers describe methods which sound appealing, but which are applicable only to small programs. Therefore academic papers are seldom posted to or discussed on mainstream security mailing lists [3]. There are notable exceptions though. One particularly promising way is to give up trying to prove full correctness of a program (let’s name it ”verification”), as the associated cost is high. Instead one may attempt to check certain properties of a program, which are known to cause security problems1 . Ideally such properties should be local and in order to check them, one does not need to know full semantics of an analyzed program. Let’s name this approach ”checking”; a good example, with real security vulnerabilities discovered, can be found in [4]. Current popular OSes are usually written in C and C++. If there is no source available, one is faced with analyzing the resultant assembly code. While there are a number of papers related to verification or checking of C code, very few tools exist which are capable of advanced reasoning about compiled | 16 1 Observe such an approach is often a basis of a security audit of software Rafal Wojtczuk Warsaw University rafal.wojtczuk@mimuw.edu.pl C code 2 . However, this is an important issue. Particularly, MS Windows operating systems family is of great interest to security researchers, due to its popularity, long history of known security problems, and probably high number of still undiscovered flaws [5]. For all the reasons mentioned above, the author decided to invest some effort to create a tool capable of searching the Win32 assembly code for a particular vulnerability - the integer overflow bug. The tool is meant to require as little interaction from an user as possible - average size of a program or library on a typical Win32 system is measured in hundreds of kilobytes, and we cannot afford to annotate or otherwise specify semantics of too many points in the code. II. THE INTEGER OVERFLOW VULNERABILITY The title vulnerability is the cause of many recent serious security problems in many popular operating systems, even in the components designed to be secure[6]. Particularly, the Microsoft security bulletin MS05-053[10] describes a vulnerability in the GDI32.DLL library, which was remedied by adding over 50 integer overflow checks to this library . The nature of this type of vulnerability is simple - due to the limited range of numbers which can be stored in a C language integer variable, it is possible that during arithmetical operations (most often addition or multiplication) the value of the variable may silently overflow and wrap, and become smaller than the sum (or product) of the operands. If the result is used as the size of memory allocation, then subsequently a buffer overflow can occur, which may yield the attacker full control over the code execution. Example: void* vuln func(void* data, unsigned int len) { unsigned int size=len+1; char* buf=malloc(size); if (!buf) return NULL; memcpy(buf, data, len); buf[len]=0; return buf; } This function copies user-supplied data into a new buffer and null-terminates it. If an attacker can pass 0xffffffff as 2 The ”binaudit” tool, announced on www.sabre-security.com site, could be a very interesting piece of code (judging at least by the reputation of its author), yet for a long time it is still in development, and little details are known on its internals
ACADEMIC TOOLS AND REAL-LIFE BUG FINDING IN WIN32 the ”len” parameter, an integer overflow will happen when calculating ”size” variable; malloc will allocate a memory block of size 0, and the subsequent memcpy will overwrite heap memory. This vulnerability has an important feature - usually a prover/checker does not have to understand loops semantic to detect this bug; simple arithmetics should suffice. It is well known that reasoning about loops is difficult 3 - usually it is required to manually provide a loop invariant, which is not trivial. Therefore, if we focus on detecting integer overflows in memory size calculations, we have a good chance of succeeding with automated checking. Also, this vulnerability is usually quite local, in the sense that the size calculation (which should include a check for integer overflow) is usually close to the actual memory allocation, which makes it possible to reliably detect the presence or lack of the vulnerability by analyzing a single function or a small number of functions. A. Summary III. NECESSARY COMPONENTS In order to reliably reason about the assembly code, two components are needed: • a decompiler capable of decoding single assembly instructions into a form with easily accessible semantics, as well as recovering higher level C code constructions; it is not necessary to produce a real C code, but as we will see we will choose this way • theorem prover or model checker, capable of reasoning about the code semantics As we will see, we will take a (modified and enhanced) decompiler, add functionality to automatically annotate the decompiled code with assertions which check for integer overflows, and then feed the decompiled code into the checker to verify the existence of integer overflows. Two excellent, publicly available academic tools: UQBT[1] and CBMC[7] were chosen for this task 4 ; they are briefly described below. B. CBMC: Bounded Model Checking for ANSI-C CBMC[7] is a checker capable of automatically proving properties of ANSI C code. The properties are embedded in the checked code in a form of usual C ”assert” statements. CBMC is unique in its ability to support almost all features of C language; particularly, the following constructions are handled well (while other C code checkers usually have problems with them): • arithmetics with bounded integers • pointer arithmetics • bitwise operations • function pointers CBMC works best on a code without loops. When a loop is present, CBMC can be instructed to unwind it a couple of times and possibly verify that a given number of unwind 3Yes, undecidability. Each good paper should include this word at least once. 4UQBTng uses a development version of CBMC, provided by its author operations is sufficient; however, in most cases, it is not enough. But as noted above, integer overflows are usually not caused by calculations implemented by a loop. Therefore, for the purpose of checking for integer overflows only, we can remove all looping constructions from the analyzed code, without significant loss of functionality. In such case, checking with CBMC is fully automatic; if an assertion does not hold, an appropriate counterexample is presented to the user. C. UQBT: University of Queensland Binary Translator UQBT[1] is an executable translator - it takes as input a binary file from an operating system A, decompiles it, and then it can produce a binary for a different system B, preserving the binary semantics. For our purposes, the most important capability of UQBT is its ability to decompile an executable into a graph of functions. Each instruction in a function is represented by a ”semantic string”, a data structure capturing the semantics of an instruction. A lot of code is available to process semantic strings; for example, there is a function which can replace each occurrence of a subexpression (say, a dereference of a location pointed by a frame pointer minus a constant offset) in a semantic string with another expression (say, a semantic string describing a local variable). Therefore it is possible to process the instructions effectively and conveniently. Another tool was considered for the task of decompilation: The Interactive Disassembler[8]. However, IDA has numerous disadvantages: • The advanced functionality is not documented (besides sparse and insufficient comments in the header files). • Probably 5 the internal instruction representation is too close to the actual assembly; on the other hand, UQBT uses quite high level, portable representation. • There is no source available; it is a non-free software. The above issues (and a few others, less important) decided against IDA. Admittedly, IDA has some advantages; it is a very stable software and its accuracy in some aspects is very appealing (particularly, most of the PE file format analysis functionality implemented by the author so far for UQBTng is already present in IDA). However, in the long run UQBT should be the better choice. UQBT is a large piece of software; it can handle Pentium and Sparc architecture, and recognizes ELF, MSDOS .exe and (to some extent) Windows PE file formats. A useful feature is its ability to produce a C code from a binary; though not necessary for analysis (actually, analysis is done on the semantic strings, not on the C code), this makes it easy to produce input which a theorem prover or checker can work on. For our needs, the ability to decompile Win32 PE files is crucial. Functionality of UQBT had to be enhanced to process PE input files more accurately. The next section describes the most important modifications. 5 The author tried to assess some aspects of IDA advanced functionality, however it was difficult due to the lack of the documentation; therefore this description may be not 100% accurate 17 |
Page 2 and 3: | 2
Page 5 and 6: 22. Chaos Communication Congress Pr
Page 7 and 8: REPORTS 7 5 Thesis on Informational
Page 9 and 10: 10 5 Thesis on Informational- Cogni
Page 11 and 12: 5 THESIS ON INFORMATIONAL-COGNITIVE
Page 17: 5 THESIS ON INFORMATIONAL-COGNITIVE
Page 22 and 23: IV. UQBT MODIFICATIONS A. Summary A
Page 24 and 25: • if LHS of A is exactly sem str,
Page 27 and 28: Advanced Buffer Overflow Methods [o
Page 29 and 30: ADVANCED BUFFER OVERFLOW METHODS #i
Page 31 and 32: ADVANCED BUFFER OVERFLOW METHODS 0x
Page 33 and 34: ADVANCED BUFFER OVERFLOW METHODS in
Page 35: ADVANCED BUFFER OVERFLOW METHODS }
Page 38 and 39: | 34 Eine Führung in das europäis
Page 40 and 41: | 36 Die kryptische Kennung 10 eine
Page 42 and 43: | 38 senvertreter angewiesen. Die
Page 44 and 45: | 40 Anonymous Data Broadcasting by
Page 46 and 47: | 42 operate, consider the setting,
Page 48 and 49: | 44 Figure 1: Anonymous data broad
Page 51 and 52: Autodafé: An Act of Software Tortu
Page 53 and 54: AUTODAFE - AN ACT OF SOFTWARE TORTU
Page 61 and 62: Bad TRIPs What the WTO Treaty did i
Page 63 and 64: BAD TRIPS The TRIPS is especially h
Page 65: BAD TRIPS Extension of the transiti
Page 68 and 69: | 64 Collateral Damage Consequences
Page 70 and 71:
| 66 If one considers a DNSBL listi
Page 72 and 73:
| 68 • A number of sites do not h
Page 74 and 75:
| 70 to use other mailing software.
Page 76 and 77:
| 72 These kinds of checks tend to
Page 79 and 80:
COMPLETE Hard Disk Encryption with
Page 81 and 82:
COMPLETE HARD DISK ENCRYPTION WITH
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105:
Page 108 and 109:
| 104 x86-64 buffer overflow exploi
Page 110 and 111:
| 106 3 ELF64 LAYOUT AND X86-64 EXE
Page 112 and 113:
| 108 4 THE BORROWED CODE CHUNKS TE
Page 114 and 115:
| 110 5 AND DOES THIS REALLY WORK?
Page 116 and 117:
| 112 6 SINGLE WRITE EXPLOITS 9 48
Page 118 and 119:
| 114 6 SINGLE WRITE EXPLOITS 11 34
Page 120 and 121:
| 116 7 AUTOMATED EXPLOITATION 13 A
Page 122 and 123:
| 118 7 AUTOMATED EXPLOITATION 15 W
Page 124 and 125:
| 120 8 RELATED WORK 17 32 read(soc
Page 126 and 127:
| 122 11 CREDITS 19 11 Credits Than
Page 129 and 130:
Developing Intelligent Search Engin
Page 131 and 132:
DEVELOPING INTELLIGENT SEARCH ENGIN
Page 133 and 134:
DEVELOPING INTELLIGENT SEARCH ENGIN
Page 135 and 136:
Digital Identity and the Ghost in t
Page 137 and 138:
DIGITAL IDENTITY AND THE GHOST IN T
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145:
Page 148 and 149:
| 144
Page 150 and 151:
| 146
Page 153 and 154:
Esperanto, die internationale Sprac
Page 155 and 156:
ESPERANTO, DIE INTERNATIONALE SPRAC
Page 157 and 158:
ESPERANTO, DIE INTERNATIONALE SPRAC
Page 159 and 160:
Fair Code Free/Open Source Software
Page 161 and 162:
FAIR CODE 2. Von Digital Divide zu
Page 163 and 164:
FAIR CODE ökonomisch schlecht gest
Page 165 and 166:
FAIR CODE menschliches Verhalten re
Page 167:
FAIR CODE gewährleistet, und nur d
Page 170 and 171:
��
Page 172 and 173:
| 168 ��
Page 174 and 175:
| 170 ��
Page 176 and 177:
| 172 ��
Page 178 and 179:
| 174 ��
Page 180 and 181:
| 176 ��
Page 183 and 184:
Fuzzing Breaking software in an aut
Page 185 and 186:
FUZZING or protocol and fuzzing fra
Page 187 and 188:
FUZZING #define SOME_MAX 4096 if (y
Page 189 and 190:
Geometrie ohne Punkte, Geraden & Eb
Page 191 and 192:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 193:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 196 and 197:
| 192
Page 198 and 199:
| 194
Page 200 and 201:
| 196
Page 203 and 204:
Hacking OpenWRT Felix Fietkau 199 |
Page 205 and 206:
HACKING OPENWRT 1 Introduction to O
Page 207 and 208:
HACKING OPENWRT 3.2 Makefile This f
Page 209 and 210:
HACKING OPENWRT If your package is
Page 211 and 212:
HACKING OPENWRT 4.2 toolchain/ tool
Page 213 and 214:
HACKING OPENWRT To add a new platfo
Page 215 and 216:
Hopalong Casualty On automated vide
Page 217 and 218:
HOPALONG CASUALTY 2 Intro to Visual
Page 219 and 220:
HOPALONG CASUALTY Appearance As hum
Page 221 and 222:
HOPALONG CASUALTY A thorough review
Page 223 and 224:
Hosting a Hacking Challenge - CTF-s
Page 225 and 226:
HOSTING A HACKING CHALLENGE - CTF-S
Page 227 and 228:
Page 229:
Page 232 and 233:
| 228 1 Introduction Intrusion Dete
Page 234 and 235:
| 230 • Changing file owner / gro
Page 236 and 237:
| 232 Figure 2: Simple correlation
Page 239 and 240:
Lyrical I Abschluss des CCC-Poesie-
Page 241 and 242:
Magnetic Stripe Technology Joseph B
Page 243 and 244:
MAGNETIC STRIPE TECHNOLOGY black re
Page 245 and 246:
MAGNETIC STRIPE TECHNOLOGY My curre
Page 247 and 248:
MAGNETIC STRIPE TECHNOLOGY MetroCar
Page 249 and 250:
��
Page 251 and 252:
Code Listing (dmsb.c) ��
Page 253 and 254:
Memory allocator security Yves Youn
Page 255 and 256:
MEMORY ALLOCATOR SECURITY 251 |
Page 257 and 258:
MEMORY ALLOCATOR SECURITY 253 |
Page 259 and 260:
Message generation at the info laye
Page 261 and 262:
MESSAGE GENERATION AT THE INFO LAYE
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269:
Page 272 and 273:
| 268 Abstract Open Source, EU Fund
Page 274 and 275:
| 270 lines of code x1e5 1.8 1.6 1.
Page 276 and 277:
| 272 cooperation. Getting the new
Page 278 and 279:
| 274 PyPy - The new Python Impleme
Page 280 and 281:
| 276 performs abstract interpretat
Page 282 and 283:
| 278 adding short cuts for some co
Page 284 and 285:
| 280
Page 286 and 287:
| 282
Page 288 and 289:
| 284
Page 290 and 291:
| 286
Page 292 and 293:
| 288
Page 294 and 295:
| 290
Page 296 and 297:
| 292
Page 298 and 299:
| 294 Die Risiken der Nanotechnik N
Page 300 and 301:
| 296 Neue Materialien, einer der P
Page 302 and 303:
| 298 wahrscheinlich nicht ausreich
Page 304 and 305:
| 300 „State of the Future 2005
Page 307 and 308:
The Web according to W3C How to tur
Page 309 and 310:
THE WEB ACCORDING TO W3C 305 |
Page 311 and 312:
THE WEB ACCORDING TO W3C 307 |
Page 313:
THE WEB ACCORDING TO W3C our proces
Page 316 and 317:
| 312 Transparenz der Verantwortung
Page 318 and 319:
| 314 Transparenz der Verantwortung
Page 320 and 321:
| 316 (6) Wird dem Betroffenen kein
Page 322 and 323:
| 318 „anonymes Staatshandeln“
Page 324 and 325:
| 320 Die Einschränkungen der Grun
Page 326 and 327:
| 322 11 wie es insbesondere an Hei
Page 328 and 329:
��
Page 330 and 331:
��
Page 332 and 333:
| 328 ��
Page 335 and 336:
Wargames - Hacker Spielen Männlich
Page 337 and 338:
WARGAMES - HACKER SPIELEN 333 |
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Was ist technisches Wissen? Philoso
Page 357 and 358:
WAS IST TECHNISCHES WISSEN? ��
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
��
Page 369 and 370:
��
Page 371 and 372:
Page 373:
Page 376 and 377:
| 372 ��
Page 378 and 379:
��
Page 380 and 381:
��
Page 382 and 383:
| 378
Page 384 and 385:
| 380
Page 386 and 387:
| 382
Page 388 and 389:
| 384
Page 390 and 391:
| 386
Page 392 and 393:
| 388
Page 394:
| 390
show all

Proceedings

Create successful ePaper yourself

Delete template?

Save as template?