火龍果軟件-漏洞發(fā)掘技術(shù)趨勢(shì)—賈春福

1、1The Tendency of Software Vulnerability Detection2Contents12345Software VulnerabilitySecurity SpecificationTest Case GenerationVulnerability IdentificationOur Work3Software VulnerabilitySoftware development is complexA software vulnerability is an error in design or coding that can violate the secur

2、ity policy4Software VulnerabilitySoftware DevelopmentReal-time Execution5Software VulnerabilityDesign VulnerabilityProtocol vulnerabilitieslTCP Land vulnerabilitylTCP SYN floodl802.16: Some unauthenticated messages which are susceptible to forgery and the unencrypted management communication which r

3、eveal important management information. 6Software VulnerabilityDesign VulnerabilityApplication logic vulnerabilitieslCVE-2011-1146: The libvirt 0.8.8 in Red Hat does not properly restrict operations in a read-only connection, which allows remote attackers to cause a denial of service (host OS crash)

4、 or possibly execute arbitrary code.lCVE-2006-1856: Linux kernel 2.6.16 and earlier do not add appropriate security check to “readv” and “writev” functions, then unauthorized user can read and write files that they are not allowed to access.7Software VulnerabilityCoding VulnerabilityCoding Implement

5、ation VulnerabilitieslBuffer overflow (CVE-2010-0249)lInteger bugs (CVE-2011-1466)Overflow/UnderflowWidth conversionsSigned/Unsigned ConversionlInput validation flaws (CVE-2011-1524)Cross-site scriptingSQL injection8Vulnerability Detection Test caseIdentificationSpecificationDescribes the security p

6、roperties of softwareTriggers multiple execution paths to obtain a high code coverage Detects violations and verify security properties9Contents12345Software VulnerabilitySecurity SpecificationTest Case GenerationVulnerability Identification Our Work10Security SpecificationAutomatic tools for findin

7、g software errors require a set of specifications before they can check code: if they do not know what to check, they cannot find bugs.lAccess Control MatrixlState SpacelFuzz SpecificationlSpecific Specification11Security SpecificationAccess MatrixS is a set of subjects in a system.O is a set of obj

8、ects in a systemAccess matrix lists the access rights of S on OSystem-wide Security Policy defined by a triple (S, O, A)AOSe.g., a processe.g., a filee.g., read or write12Security SpecificationAccess ControlSecurity-Enhanced Linux (SELinux)lMandatory Access Control (MAC)lDiscretionary Access Control

9、 (DAC)Xen (A fast and secure infrastructure virtualization solution)lA similar MAC security architecture13Security SpecificationAccess MatrixA major challenge is to ensure that all sensitive operations on all objects are protected.CVE-2006-1856: In Linux kernel 2.6.16 and earlier, unauthorized user

10、can read and write files that they are not allowed to access using unchecked “readv” and “writev” functions.14Security SpecificationAccess MatrixNot consider users expectationslJava VMlVMwarelWeb BrowserCVE-2010-0249: In Microsoft IE 8 and earlier, remote attackers can execute arbitrary code on loca

11、l machine using IEs privilege. 15Security SpecificationState SpaceA computer system is composed of states.An attack is a sequence of authorized state transitions which end in a compromised state.Authorized StatesUnauthorized StatesStates TransformationVulnerableCompromised16Security SpecificationSta

12、te SpaceLimitations:lEnumeration of all possible safe and unsafe states of a system is difficult.lEvery program has different state space, complete state space does not exist.17Security SpecificationFuzz ViolationUsers ExpectationsDesigners ExpectationsSystems ExpectationsFuzz specification: All und

13、esirable characteristics that allow a threat to occur. It is also a system-wide specification.18Security SpecificationSpecificDefinition of a general specification of a system to detect violation is difficult.Represent only a subset of the spectrum of vulnerabilities lSpecification of memory operati

14、onlSpecification of integer bugslSpecification of user input flaws19Security Specification GenerationTo automatically check and verify programs security properties, the security specifications must be at the code level.The generated specification must be precise, otherwise it would result in many fa

15、lse positives and/or false negatives.20Security Specification GenerationManual Using priori knowledge. Time-consuming Error-proneSpecificationGenerationAutomatic Without priori knowledge. Can find unknown vulnerability21Security Specification Generation-ManualManually generating specifications to ch

16、eck and verify security properties are tedious and error-pronelWriting code-level security specification is time-consuming.lMaintain correctness across different version.lHuman-generated specifications can be imprecise.22Automatic Specification GenerationDaikon dynamically detects likely program inv

17、ariants by testing run-time values of program variables.DSD-Crasher captures the programs intended execution behavior with dynamic invariant detection.AutoISES automatically infers security specifications by statically analyzing source code.23Automatic Specification GenerationWaler (detect logic bug

18、s in Web applications) Specification of a softwares internal logic is not public.Infer a set of behavior specificationsUse dynamic analysis techniques to observe normal behaviors24Contents12345Software VulnerabilitySecurity SpecificationTest Case GenerationVulnerability IdentificationOur Work25Test

19、Case GenerationManual Writing test case manually is tedious and time-consumingImprecise26Test Case GenerationFuzzing Fuzzing is a form of black-box random testing.FuzzingBlack BoxTestRandomly mutates inputsProgram Execution with specified inputOutputs of executionSimple, low-code coverage27Test Case

20、 Generation-DynamicDirected FuzzinglPrecise and soundDynamic test generation uses symbolic execution to generate new test cases that expose specifically targeted behaviors.lDART, SAGE, EXE, KLEE28Test Case GenerationSymbolic Execution Symbolic execution works by collecting a set of constraints, call

21、ed the path condition, that model the values computed by the program along a single path through the code.29Test Case GenerationTaint analysisDynamic taint analysis runs a program and observes which computations are affected by predefined taint sources such as user input.30Contents12345Software Vuln

22、erabilitySecurity SpecificationTest Case GenerationVulnerability IdentificationOur Work31Vulnerability IdentificationIdentificationIdentify Violations of Security Specification and Verify Softwares Security Properties.Security Specification Test cases32Vulnerability IdentificationStatic AnalysisStat

23、ic analysis checks violations of security specification from the program text.lComprehensive: cover entire codeslLightweight: test cases are not required and no need to guess or interpret softwares behavior.33Vulnerability IdentificationStatic AnalysisExamples of Static Analysis ToolslFindBugs (Java

24、)lPMD (Java)lFxCop(.NET)lXSSDetect (.NET)34Vulnerability IdentificationStatic AnalysisLimintations:lDifficult to reason about values with sufficient precision ( concrete value of an index or size of an object, heap layout, pointers). lWill not find issues related to operational environmentslTend to

25、generate false positive and false negative35Vulnerability IdentificationRun-time DetectionNo requirement to have access to source code.Run-time detection can check software deeper properties, such as infrastructure, configuration and path errors. 36Vulnerability IdentificationRun-time DetectionDebug

26、gingVC+, gccDynamic InstrumentationValgrind Whole-system emulationBitBlaze, BAP37Contents12345Software VulnerabilitySecurity SpecificationTest Case GenerationVulnerability IdentificationOur Work38Environment-Sensitive Vulnerability DetectionEnvironment-Sensitive Vulnerability is the mismatch between the assumptions made during the development about the execution environment of the software, and the environment in which the program executes.Year 2000 problem: the practice of representing the year with two digits becomes problematic with logical errors arising upon rollover from x99