2016 - LAVA: Large-Scale Automated Vulnerability Addition
Goals
Problem
Evaluating bug-finding tools is problematic due to the lack of ground-truth corpora
Information
Data-flow bug injection
Attack point
PANDA
Dynamic Taint Analysis
Liveness
How many times a tainted byte has been used to decide a branch outcome
A DUA should have very low liveness, since it has little influence on control flow
TCN
A low TCN value indicates an uncomplicated value
Computations that mix input bytes can be tracked, since each byte can carry a set of taint labels
All program code, including libraries and the kernel, is subject to taint analysis
Each byte in the input is given a taint label
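As an added illustration (not code from the paper, PANDA or LAVA), a toy Python model of the two taint metrics above: each input byte gets its own label, a computation unions the labels of its operands and raises the TCN by one, a branch raises the liveness of every label it consumes, and a value is a DUA candidate when its TCN is low and none of its labels is live. The input bytes, the thresholds and the parser-like sequence of operations are constructed for the example.

```python
"""Toy model of the taint metrics LAVA uses to select DUAs (liveness and TCN).
Constructed example; not PANDA/LAVA code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Tainted:
    """A program value carrying a set of input-byte labels and a TCN."""
    labels: FrozenSet[int]
    tcn: int = 0  # taint compute number: depth of computation from the input


@dataclass
class TaintState:
    liveness: Dict[int, int] = field(default_factory=dict)  # label -> branch uses

    def read_input(self, data: bytes) -> List[Tainted]:
        # Each input byte receives its own label (the role file_taint plays in PANDA).
        return [Tainted(frozenset({i}), 0) for i in range(len(data))]

    def compute(self, *operands: Tainted) -> Tainted:
        # Mixing operands: union their labels, TCN = 1 + deepest operand.
        labels = frozenset().union(*(o.labels for o in operands))
        return Tainted(labels, 1 + max(o.tcn for o in operands))

    def branch(self, cond: Tainted) -> None:
        # Every label that influenced a branch outcome becomes more live.
        for label in cond.labels:
            self.liveness[label] = self.liveness.get(label, 0) + 1

    def is_dua(self, v: Tainted, max_liveness: int = 0, max_tcn: int = 2) -> bool:
        # Dead (no branch influence), Uncomplicated (low TCN); thresholds are assumed.
        return v.tcn <= max_tcn and all(
            self.liveness.get(label, 0) <= max_liveness for label in v.labels
        )


def run_sample() -> Dict[str, object]:
    """Simulate a small parser over a constructed input and classify its values."""
    data = b"MAGC\x00\x08payload!"  # constructed: 4-byte magic, 2-byte length, payload
    st = TaintState()
    bs = st.read_input(data)
    # Magic check: bytes 0..3 are each compared against a constant -> one branch per byte.
    for i in range(4):
        st.branch(bs[i])
    # Length field: (b4 << 8) | b5, then bounds-checked -> TCN 2 and live labels.
    length = st.compute(st.compute(bs[4]), bs[5])
    st.branch(length)
    # Checksum: all payload bytes folded together -> high TCN, so not uncomplicated.
    chk = bs[6]
    for b in bs[7:]:
        chk = st.compute(chk, b)
    # Payload bytes are copied into a buffer untouched: never branched on, TCN 0.
    payload = bs[6:]
    return {
        "magic_dua": [st.is_dua(bs[i]) for i in range(4)],
        "length_dua": st.is_dua(length),
        "checksum_tcn": chk.tcn,
        "checksum_dua": st.is_dua(chk),
        "payload_dua": [st.is_dua(b) for b in payload],
        "liveness": dict(st.liveness),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

Only the payload bytes come out as DUA candidates: the magic and length bytes are live because branches depend on them, and the checksum is dead but complicated (TCN 7), which is exactly the kind of value the paper's thresholds are meant to exclude.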
Plugin
file_taint
Applies taint labels to bytes read from files on Linux
Leverages the OSI and system-call plugins to determine, respectively, the current file offset and file-related API calls
Taint queries
LAVA invokes Clang to insert taint queries before and after function calls
A hypervisor call notifies PANDA to query the taint system about a specific source-level variable
LAVA uses Clang to insert source-level hypervisor calls at potential attack points
Pandalog
Approach
Steps
Compile a version of the target program that has been instrumented with taint queries
Run the instrumented version against various inputs, tracking taint and collecting taint query results and attack point information
Mine the taint results for DUAs and attack points, collecting a list of potentially injectable bugs
Recompile the target with its source code modified to contain the bug
Adding bugs to program
Steps
Identify execution trace locations where input bytes are available that do not determine control flow and have not been modified much (DUAs)
Find potential attack points that come after a DUA in the program trace; attack points are source code locations where a DUA might be used to make the program vulnerable
Add code to make the DUA value available at the attack point and use it to trigger the vulnerability
DUA
Corpora
Requirement
Type
Synthetic
Historic
A dynamic taint analysis-based technique for producing ground-truth corpora by automatically injecting large numbers of realistic bugs into source code
What is it?
Authors
Brendan Dolan-Gavitt
Patrick Hulin
Engin Kirda