AutoPaG: Towards Automated Software Patch Generation with
Source Code Root Cause Identification and Repair
Zhiqiang Lin 1,3
Xuxian Jiang 2, Dongyan Xu 3, Bing Mao 1, Li Xie 1
1 Nanjing University, 2 George Mason University, 3 Purdue University
March 22nd, 2007
ASIACCS 2007
Agenda
Motivation
Design & Implementation
Evaluation
Related Work
Conclusion
Lifecycle of a vulnerability
time
I. Vulnerability Introduced
II. Vulnerability Discovered
III. Official Patch released
IV. Patch Installed
A rather lengthy process
Manual process is too slow
time
I. Vulnerability Introduced
II. Vulnerability Discovered
III. Official Patch released
IV. Patch Installed
75
The time-lines of 10 recent Microsoft patches (MS06-045 to MS06-054) released between August and September 2006
28 days
http://www.symantec.com/enterprise/threatreport/index.jsp
Goal of AutoPaG
For fast-spreading attacks (e.g., zero-day)
time
I. Vulnerability Introduced
II. Vulnerability Discovered
III. Official Patch released
IV. Patch Installed
Goal of AutoPaG
For fast-spreading attacks (e.g., zero-day)
Make the whole thing automated:
(1) Find/identify the root cause of the vulnerability
(2) Fix/repair it automatically: generate a temporary source code patch
(3) Facilitate official patch development
time
I. Vulnerability Introduced
II (III) (IV)
Overview of AutoPaG
Note: we currently focus on out-of-bound vulnerabilities, the most common and severe class, but the system is also applicable to other vulnerabilities, e.g., format string.
1. Out-of-Bound Detector (1/2)
Challenges:
Detect exploitation
Provide root cause context information: Where is the direct root cause statement? Which variable or data is overflowed?
A toy example
1 #include <string.h>
2 int main(int argc, char **argv) {
3 char buf[4];
4 char *p;
5 p = buf;
6 strcpy(p, argv[1]);
7 return 0;
8 }
Root Cause
The statement (source code) or instructions (binary code) that directly cause the attack or memory corruption
1. Out-of-Bound Detector (2/2)
How: modify CCured + call stack
#0 0x0804b0fb in ccured_fail_str (str=0x805cc73 "Ubound", file=0x805cc12 "lib/ccuredlib.c", line=3941, function=0x805daa5 "__read_at_least_f") at lib/ccuredlib.c:909
#1 0x0804b15d in ccured_fail (msgId=3, file=0x805cc12 "lib/ccuredlib.c", line=3941, function=0x805daa5 "__read_at_least_f") at lib/ccuredlib.c:923
#2 0x0804fa0f in __read_at_least_f (ptr={_p = 0xbfaa9f90, _e = 0xbfaa9f94}, n=11) at lib/ccuredlib.c:3941
#3 0x0804fa75 in __copytags_ff (dest={_p = 0xbfaa9f90, _e = 0xbfaa9f94}, src={_p = 0xbfaabed2, _e = 0xbfaabedd}, n=11) at lib/ccuredlib.c:3947
#4 0x0804a0dc in strcpy_wrapper_sff (dest=0xbfaa9f90 "", dest_e=0xbfaa9f94, src=0xbfaabed2 "aaaaaaaaaa", src_e=0xbfaabedd) at string_wrappers.h:79
#5 0x0804a006 in main (argc=2, __argv_input=0xbfaaa014) at test.c:6
2. Root Cause Locator
Challenge:
Find out those statements (in source code) that contribute to the computation of the overflow
Catch the transitive closure of the overflowed data
How:
Backward data dependency analysis
1 #include <string.h>
2 int main(int argc, char **argv) {
3 char buf[4];
4 char *p;
5 p = buf;
6 strcpy(p, argv[1]);
7 return 0;
8 }
Starting statement: strcpy(p, argv[1]);
s0Set: { strcpy(p, argv[1]); }
v0Set: { main:p }
sSet: { strcpy(p, argv[1]); p = buf; char *p; char buf[4]; }
vSet: { main:p, main:argv[1], main:buf }
3. Patch Generator
Attempt to automatically repair the vulnerability.
Challenges:
Determining vulnerable buffer boundaries
Keeping track of the meta-data with the identified variables
Fixing out-of-bound access
Generated Patch: An example
1 #include <string.h>
2 int main(int argc, char **argv) {
3 char (__FSEQ buf)[4];
4 char * __FSEQ p;
5 unsigned int __cil_tmp6;
6 char *__FSEQ __cil_tmp7;
7 void *p_e14;
8 void *__cil_tmp7_e15;
9 p_e14=(void*)0;
10 p=(char*) 0;
11 __cil_tmp7=buf;
12 __cil_tmp7_e15=buf+4;
13 p=__cil_tmp7;
14 __cil_tmp6 = __cil_tmp7_e15 - __cil_tmp7;
15 strncpy(p, argv[1], __cil_tmp6);
16 return 0;
17 }
5: p = buf;
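How the generated patch bounds the copy, as an added C example that is not from the AutoPaG slides or the CCured code base: a hypothetical fseq_ptr struct stands in for CCured's {_p, _e} bounded pointer, the room computation mirrors line 14 of the patch (__cil_tmp7_e15 - __cil_tmp7) and the strncpy mirrors line 15. The forced terminator after truncation is an addition beyond the slide's patch, since strncpy alone leaves the buffer unterminated when the input fills it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical mirror of the CCured-style bounded (__FSEQ) pointer that the
 * generated patch relies on: the base pointer plus the end of its object. */
typedef struct { char *_p; char *_e; } fseq_ptr;

/* Bytes still addressable through fp: the value the patch stores in
 * __cil_tmp6 (__cil_tmp7_e15 - __cil_tmp7). */
static size_t fseq_room(fseq_ptr fp) { return (size_t)(fp._e - fp._p); }

/* The patched copy. Mirrors strncpy(p, argv[1], __cil_tmp6): the copy is
 * bounded by the tracked end instead of by the attacker-controlled source.
 * Returns 1 if src fit, 0 if it was truncated to fit. */
int patched_copy(char *buf, size_t buflen, const char *src) {
    fseq_ptr p = { buf, buf + buflen };  /* p = buf; p_e = buf + buflen */
    size_t room = fseq_room(p);
    strncpy(p._p, src, room);            /* never writes at or past p._e */
    if (strlen(src) >= room) {
        /* Added hardening beyond the slide's patch: strncpy leaves buf
         * unterminated when src fills it, so force a terminator. */
        buf[room - 1] = '\0';
        return 0;
    }
    return 1;
}

/* Room computed for the toy program's char buf[4]: expected 4. */
size_t room_for_toy_buffer(void) {
    char buf[4];
    fseq_ptr p = { buf, buf + 4 };
    return fseq_room(p);
}

/* Runs the patched copy into the toy 4-byte buffer with guard bytes placed
 * right after it. Returns 0 if a guard byte was overwritten (overflow),
 * 1 if src was truncated but guards survived, 2 if src fit and guards survived. */
int check_patched_copy(const char *src) {
    char region[8];
    memset(region, 'G', sizeof region);       /* region[4..7] are guards */
    int fit = patched_copy(region, 4, src);   /* buf is region[0..3] */
    if (region[4] != 'G' || region[7] != 'G') return 0;
    return fit ? 2 : 1;
}

int main(void) {
    printf("room=%zu long=%d short=%d\n", room_for_toy_buffer(),
           check_patched_copy("aaaaaaaaaa"), check_patched_copy("abc"));
    return 0;
}
```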
Effectiveness
Performance of generated patch
Related Work
Proactive Source Transformation: FOC [Rinard04], DIRA [Smirnov & Chiueh04]
Just-In-Time Execution Filtering: TaintCheck [Newsome & Song05], DACODA [Crandall05], VSEF [Newsome & Song06], Argos [Portokalidis06] ...
Reactive Runtime Patching: DYBOC [Sidiroglou & Keromytis04], STEM [Sidiroglou & Keromytis05]
Conclusion
Towards automated source code patch generation
AutoPaG:
Effective
Fast
Low overhead