Please enable JavaScript.

Coggle requires JavaScript to display documents.

2005 - Dynamic taint analysis for automatic detection, analysis, and…

- - - - Label and tracks flow of data originating from untrusted source.
      - Used to determine whether data is used for malicious purpose
      - Attacker that change the execution of a program illegitimately must cause a value derived from a trusted source to be instead derived from its own
    - - Valgrind
        
        Open sorce x86 emulator
        
        Support extensions and instrument a program as it is being executed
        
        TaintCheck instruments translated x86 code and return it to Valgrind to be executed
      - TaintSeed
        
        What input should be tainted?
        
        By default: data from network sockets
      - TaintTracker
        
        How should taint be propagated?
        
        Data movement instructions
        
        Tainted only if any byte of the data at the source
        location is tainted
        
        e.g. (LOAD, STORE, MOVE, PUSH, POP)
        
        Arithmetic instructions
        
        Tainted only if any byte of the operands is
        tainted.
        
        e.g. (ADD, SUB, XOR, etc)
        
        Add instrumnetation before each data movement
      - TaintAssert
        
        What usage of tainted data that will raise an alarm?
        
        Possible overwrite attack to taint
        
        Format Strings
        
        Checks whether tainted data is used as a format string argument to printf
        
        Format String Attacks
        
        Attacker provides malicious string format
        
        Tricking the program into leaking data or writing into an attacker chosen data to an attacker chosen memory address
        
        Application or library-specific checks
        
        Detect attacks specific to application or library
        
        Checking specified memory ranges at specified points
        
        System call arguments
        
        Check whether arguments to a system call are tainted before it is made
        
        Implemented using Valgrinds's callback mechanism
        
        Jump addresses
        
        Checks whether tainted data is used as a jump target
        
        e.g. return address, function pointer, or function pointer
        offset
        
        Attacks attempt to overwrite one of these in order to redirect control flow either to the attacker’s code, to a standard library function such as exec, or to another point in the program (possibly circumventing security checks).
        
        Implemented before each UCode jump instruction to ensure that the data specifying the jump target is not tainted. Note that IA-32 instructions that have jump-like behavior (including call and ret) are translated into UCode jump instructions by Valgrind.
      - Exploit Analyzer
        
        Provide information on detected exploit
        
        Backtracing the chain of Taint structures
        
        Information logged by TaintSeed and TaintTrackershows the relevant part of the execution path in between tainted data’s entry into the system, and its use in an exploit
        
        Information
        
        Original input buffer that the tainted data came from
        
        The program counter and call stack at every point the program operated on the relevant tainted data
        
        The point the exploit actually occurred.
      - Security analysis in TaintCheck
        
        False positive handling
        
        False negative handling
    - - Fine-grained detectors is expensive and may not be implementable in every system
      - When an attack is detected, a signature is generated for filtering further attack
      - Automatic semantic analysis based signature
        generation
        
        Obtaining overwrite values
        
        Potential techniques for further semantic analysis
      - Classifier and signature verifier
        
        Taint-Check can be used as a classifier in order to enhance automatic signature generation systems
        
        Classifying attack payloads
        
        Signature and alarm verification
    - - What is
        
        Overwrite attack
        
        Attacks that cause a sensitive value to be overwritten with the attacker’s data