TaintScope
Presented by: Hector M Lugo-Cordero, MS
CAP 6135, April 12, 2011
Acknowledgements
• Authors: Tielei Wang, Tao Wei, Guofei Gu, Wei Zou
• Paper Title: TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
• In Proceedings of the 31st IEEE Symposium on Security & Privacy, Oakland, CA, May 2010.
• Awarded Best Student Paper
Outline
• Fuzz Testing
• TaintScope
• Performance
• Conclusions
Fuzz Testing
• Attempt to crash or hang a program by feeding it malformed inputs
• Blackbox fuzzing
  – Generational
  – Mutation
Fuzz Testing: Motivation
• Nobody is perfect
• Programs may be very large and difficult to test
• Find bugs to fix
• Exploit programs for malware
Fuzz Testing: Challenges
• Random fuzzing has to cover a huge sample space
  – E.g. an audio signal of 4 s is 32k bytes
  – 2^256,000 possible values
• Symbolic fuzzing can’t bypass checksum instructions
TaintScope
• Fuzzer that can bypass checksums
  – Independent of the checksum algorithm
• Concentrates on data flow dependence
• Uses IDA Pro Disassembler
• Works like a classifier
TaintScope: How it Works
• Identify hot bytes in the input
  – Bytes that affect API functions
    • Memory management
    • String operations
  – Input bytes are tainted with a unique id
• Identify possible checksum points
TaintScope: How it Works
• Well-formed inputs always take the same branch (true or false) at a conditional check
• Malformed inputs always take the opposite branch
• The intersection of these two sets of checks yields the checksum check points
• TaintScope creates bypass rules
TaintScope: How it Works
• Fuzzer runs with bypass rules and mutates only hot bytes
• Crashes and hangs are recorded
TaintScope: How it Works
• Crashed samples are repaired for replay
  – Checksums are corrected
• The type of vulnerability can then be analyzed
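The four "How it Works" slides above describe one procedure: taint the input to find hot bytes, locate the checksum check by comparing branch outcomes of well-formed and malformed runs, fuzz hot bytes with a bypass rule at that check, and repair the checksum of crashing samples for replay. The block below is an added example that is not the TaintScope authors' code: it simulates that loop in Python against a constructed file format (magic, length byte, NUL-terminated name, CRC-32) with a constructed overflow bug. The checkpoint names, the taint sinks and the bug are all assumptions of this example; the real tool recovers the equivalent information from a binary with IDA Pro and dynamic taint tracking rather than from hand-placed hooks. Running the same loop with the bypass rules switched off also shows the situation described on the Challenges slide, where a mutation fuzzer never gets past the checksum.

```python
# Added example (not the TaintScope authors' code): a constructed simulation of
# the checksum-aware loop described above.  The file format, parser, bug and
# taint sinks are invented here for illustration.
import random
import struct
import zlib

MAGIC = b"TSCP"   # constructed 4-byte magic value
NAME_BUF = 16     # size of the fixed buffer the name field is copied into

class Crash(Exception):
    """Stands in for a real crash (here: a simulated stack buffer overflow)."""

def make_valid(name: bytes, extra: bytes = b"") -> bytes:
    """Well-formed file: magic | len(1) | name NUL extra | crc32 of all bytes before."""
    payload = name + b"\0" + extra
    body = MAGIC + bytes([len(payload)]) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def parse(data: bytes, trace=None, bypass=frozenset(), hot=None) -> str:
    """Simulated target: `trace` collects (checkpoint, branch_taken), `bypass` forces
    listed checkpoints onto the well-formed branch (the bypass rules), and `hot`
    collects input offsets that reach memory/string APIs (the taint sinks)."""
    trace = [] if trace is None else trace

    def check(name, cond):
        taken = True if name in bypass else bool(cond)
        trace.append((name, taken))
        return taken

    if not check("cp_magic", len(data) > 4 and data[:4] == MAGIC):
        return "bad magic"
    n = data[4]
    if not check("cp_size", len(data) >= 9 + n):
        return "truncated"
    body, stored = data[:5 + n], struct.unpack("<I", data[5 + n:9 + n])[0]
    if not check("cp_crc", stored == zlib.crc32(body)):
        return "bad checksum"
    if hot is not None:          # length byte sizes the copy, payload feeds a strcpy
        hot.add(4)
        hot.update(range(5, 5 + n))
    name = body[5:].split(b"\0")[0]          # strcpy into a NAME_BUF-byte buffer
    if len(name) > NAME_BUF:
        raise Crash(f"{len(name)}-byte name overflows {NAME_BUF}-byte buffer")
    return "ok"

def crashes(data: bytes, **kw) -> bool:
    """Run the target; True if it crashed (every other outcome is a rejection)."""
    try:
        parse(data, **kw)
    except Crash:
        return True
    return False

def mutate(data: bytes, offsets, rng) -> bytes:
    """Overwrite one byte chosen from `offsets` with a different value."""
    buf = bytearray(data)
    i = rng.choice(sorted(offsets))
    buf[i] = (buf[i] + rng.randrange(1, 256)) % 256
    return bytes(buf)

def find_checksum_points(well_formed, malformed):
    """Intersection rule: a checkpoint is a checksum check when every well-formed
    input takes its true branch and no malformed input ever does."""
    always_true, ever_true_bad = None, set()
    for sample in well_formed:
        t = []
        parse(sample, trace=t)
        taken = {cp for cp, b in t if b}
        always_true = taken if always_true is None else always_true & taken
    for sample in malformed:
        t = []
        crashes(sample, trace=t)
        ever_true_bad |= {cp for cp, b in t if b}
    return always_true - ever_true_bad

def fix_checksum(data: bytes) -> bytes:
    """Repair step: recompute the crc so a crashing sample replays with no bypass."""
    n = data[4]
    body = data[:5 + n]
    return body + struct.pack("<I", zlib.crc32(body)) + data[9 + n:]

def fuzz(well_formed, rounds=2000, seed=1, use_bypass=True):
    """Learn checksum points and hot bytes, mutate only hot bytes with the bypass
    rules active, and checksum-repair every crashing sample for replay."""
    rng = random.Random(seed)
    malformed = [mutate(s, range(len(s)), rng) for s in well_formed for _ in range(20)]
    points = find_checksum_points(well_formed, malformed)
    hot = {}
    for s in well_formed:                    # hot bytes learned from well-formed runs
        parse(s, hot=hot.setdefault(s, set()))
    found = []
    for _ in range(rounds):
        base = rng.choice(well_formed)
        cand = mutate(base, hot[base], rng)
        if crashes(cand, bypass=points if use_bypass else frozenset()):
            found.append(fix_checksum(cand))
    return points, found
```

With a constructed corpus such as `[make_valid(b"alpha001", b"x" * 11), make_valid(b"beta0002", b"y" * 11)]`, `fuzz(corpus)` reports `{"cp_crc"}` as the only checksum point (the magic and size checks are also true for most malformed inputs, so the intersection rule excludes them), finds crashes whenever the NUL terminator inside the payload is overwritten, and every repaired sample still crashes when replayed through `parse` with no bypass. `fuzz(corpus, use_bypass=False)` finds nothing, because a single-byte change always breaks a CRC-32 and the parser rejects the input before the vulnerable copy.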
Performance: Hot Bytes
Performance: Checksum
Performance: Vulnerabilities
What is accomplished?
• TaintScope has found vulnerabilities in popular programs (e.g. MS Paint, Adobe Acrobat, and more)
• Vendors have patched the software
• Vulnerabilities have been published in
  – Secunia
  – Common Vulnerabilities and Exposures
MS Paint Search
Adobe Acrobat Search
Conclusions
• Fuzzer able to bypass checksums
• Works with Linux/Windows binaries
• 100% of inputs cause a crash or hang
• Low number of input samples
• Tested on many well-known applications and formats
Weakness
• Doesn’t discuss code coverage
• Needs to run the program several times to gather the information of interest
• Can’t correctly detect checksums where the data is encrypted with a key-based algorithm
Improvements
• Consider incorporating a tool like HyperNEAT
  – Can learn search space patterns
  – Work with encryption (e.g. DES S-Boxes)
• Dynamic updates to reduce the number of runs needed to build hot byte/checksum information
References
1. Tielei Wang’s website: http://sites.google.com/site/tieleiwang/
2. Month of Kernel Bugs: http://projects.info-pull.com/mokb/
3. Month of Browser Bugs: http://browserfun.blogspot.com/
4. Secunia: http://secunia.com/
5. Common Vulnerabilities and Exposures: http://cve.mitre.org/
6. IDA Disassembler: http://www.hex-rays.com/idapro/
7. Google Images: http://images.google.com
QUESTIONS