On Modular-Reduction Vulnerabilities - PowerPoint PPT Presentation

1
On Modular-Reduction Vulnerabilities
  • Andy King
  • University of Kent
  • a.m.king_at_kent.ac.uk
  • Neil Kettle
  • Portcullis Computer Security
  • njk_at_portcullis-security.com

2
Our agenda
  • analysis (automatic)
  • legacy C (open source)
  • argument combination that overflows and feeds a buffer
  • exploitable manufacturer (expert and the machine)
3
deattack.c of OpenSSH version 2.3.0 (1 of 2)
#define SSH_MAXBLOCKS   (32 * 1024)
#define SSH_BLOCKSIZE   (8)
...
#define HASH_MINSIZE    (8 * 1024)
#define HASH_ENTRYSIZE  (2)
#define HASH_FACTOR(x)  ((x) * 3 / 2)
...
int detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
{
    static u_int16_t *h = (u_int16_t *) NULL;
    static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register u_int32_t i, j;
    u_int32_t l;
    ...
Remember:
  • $87387 \le \mathit{len} \le 262144$ and len is a multiple of 8
  • $n = (8 \cdot 1024) / 2 = 4096$
4
deattack.c of OpenSSH version 2.3.0 (2 of 2)
    u_int32_t l;
    ...
    if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
        len % SSH_BLOCKSIZE != 0)
        fatal("detect_attack: bad length %d", len);
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
        ;
    if (h == NULL) {
        debug("Installing crc compensation attack detector.");
        n = l;
        h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
    } else if (l > n) {
        n = l;
        h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
    }
  • $\mathit{len} \le 262144 = (32 \cdot 1024) \cdot 8$
  • $\mathit{len} \bmod 8 = 0$
  • $l = 4096 = 2^{12}$
  • $2^{14} = 16384 \le 3(87387)/16 \le 3(\mathit{len}/8)/2$
  • $n = l = 2^{16}$ or $n = l = 2^{18}$ or
  • $n = 2^{16} \bmod 2^{16} = 0$
  • $n = 2^{18} \bmod 2^{16} = 0$
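The sizing arithmetic of the two slides above, as an added example that is not OpenSSH's own code: the loop and the assignment to the 16-bit n are reduced to a pure function so the truncation can be observed for given lengths, beside a hardened variant in which n keeps the width of l and the byte count is overflow-checked. The constants are the slides'; the function names entries_vulnerable and entries_hardened and the probe lengths are this example's own.

```c
/* Added example (not OpenSSH code): the hash-table sizing arithmetic of
 * detect_attack() in deattack.c (OpenSSH 2.3.0) as a pure function,
 * next to a hardened variant.  The constants are the slides'; the
 * function names are this example's own. */
#include <stdint.h>
#include <stdio.h>

#define SSH_MAXBLOCKS   (32 * 1024)
#define SSH_BLOCKSIZE   (8)
#define HASH_MINSIZE    (8 * 1024)
#define HASH_ENTRYSIZE  (2)
#define HASH_FACTOR(x)  ((x) * 3 / 2)

/* Vulnerable sizing: the entry count as the original stores it, i.e.
 * after the 32-bit l is assigned to the 16-bit n.  Returns -1 when
 * the length check rejects len. */
int entries_vulnerable(uint32_t len)
{
    uint16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;   /* 4096 = 2^12 */
    uint32_t l;

    if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || len % SSH_BLOCKSIZE != 0)
        return -1;
    /* Grow l by factors of four until it covers 3/2 of the block count. */
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
        ;
    n = (uint16_t) l;       /* 65536 is reduced mod 2^16 to 0 */
    return n;               /* what xmalloc(n * HASH_ENTRYSIZE) sees */
}

/* Hardened sizing: n keeps the width of l, so nothing is truncated, and
 * the byte count is overflow-checked before it is handed to an allocator.
 * Returns the byte count, or -1 when len or the size is refused. */
int64_t entries_hardened(uint32_t len)
{
    uint32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
    uint32_t l;

    if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || len % SSH_BLOCKSIZE != 0)
        return -1;
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
        ;
    n = l;
    if (n > UINT32_MAX / HASH_ENTRYSIZE)    /* n * HASH_ENTRYSIZE must fit */
        return -1;
    return (int64_t) n * HASH_ENTRYSIZE;    /* bytes to allocate */
}

int main(void)
{
    /* Constructed probe lengths: below, at, and above the wrap threshold. */
    uint32_t probes[] = { 8192, 87384, 87392, 262144 };
    for (unsigned k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("len=%u  vulnerable n=%d  hardened bytes=%lld\n",
               probes[k], entries_vulnerable(probes[k]),
               (long long) entries_hardened(probes[k]));
    return 0;
}
```

With integer division in HASH_FACTOR the first multiple of 8 for which l climbs to 65536 is 87392 (len/8 = 10924, and 10924 * 3 / 2 = 16386 > 16384), which is the point at which the vulnerable n becomes 0 and the allocation request becomes 0 bytes; at 87384 the loop stops at 16384.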
5
OpenSSH is the first-fruits of a new class of vulnerability
  • So when $87387 \le \mathit{len} \le 262144$ and len is a multiple of 8 then, due to 16-bit overflow, a buffer overflow occurs
  • Similar vulnerabilities now known to exist in
    • glibc 2.1.3
    • OpenBSD select()
    • Apache chunked encoding memcpy()
  • But integer overflows are silent and ubiquitous: these are the known ones

6
Existing approaches (circa 2004)
  • Decision procedures such as Fourier-Motzkin
    • assume arbitrary precision
    • do not support logical and bit-ops like … and <<
  • Congruence domains [Granger, SAS, 1997; Müller-Olm, ESOP, 2005]
    • do not support bit-ops
  • Automatic test data generation [Offutt, SPE, 1999; Gotlieb, CL, 2000]
    • model word operations with finite domain constraints
    • use reification to enforce overflow somewhere
    • solve system and then project onto arguments
    • need 16- and 32-bit objects but SICStus imposes a painful 30-bit restriction

7
Tying down a taint (1 of 3)
$$\langle x = \langle b_1,\ldots,b_w\rangle, \rho\rangle \to \langle \mathit{skip}, \rho[\langle b_1,\ldots,b_w,0\rangle/x]\rangle$$
$$\frac{\bigvee_{i=1}^{w} \rho(x)_i = 1}{\langle \mathbf{if}\ x\ \mathbf{then}\ s_1\ \mathbf{else}\ s_2, \rho\rangle \to \langle s_1, \rho\rangle}$$
$$\frac{\bigwedge_{i=1}^{w} \rho(x)_i = 0}{\langle \mathbf{if}\ x\ \mathbf{then}\ s_1\ \mathbf{else}\ s_2, \rho\rangle \to \langle s_2, \rho\rangle}$$
8
Tying down a taint (2 of 3)
$$\frac{b_i = \rho(y)_i \circ \rho(z)_i \ \text{ for all } i \in [1,w] \qquad b_{w+1} = \rho(y)_{w+1} \vee \rho(z)_{w+1}}{\langle x = y \circ z, \rho\rangle \to \langle \mathit{skip}, \rho[\langle b_1,\ldots,b_w,b_{w+1}\rangle/x]\rangle}$$
(here $\circ$ stands for the rule's bitwise operator, applied to corresponding bits of y and z; the taint bit of the result is the disjunction of the operands' taint bits)
9
Tying down a taint (3 of 3)
$$\frac{\begin{array}{l} c_1 = 0 \qquad c_{i+1} = (\rho(y)_i \wedge \rho(z)_i) \vee (\rho(y)_i \wedge c_i) \vee (\rho(z)_i \wedge c_i) \ \text{ for all } i \in [1,w] \\ b_i = \rho(y)_i \oplus \rho(z)_i \oplus c_i \ \text{ for all } i \in [1,w] \qquad b_{w+1} = \rho(y)_{w+1} \vee \rho(z)_{w+1} \vee c_{w+1} \end{array}}{\langle x = y + z, \rho\rangle \to \langle \mathit{skip}, \rho[\langle b_1,\ldots,b_w,b_{w+1}\rangle/x]\rangle}$$
10
2-bit addition under the microscope
  • $\rho(y) = \langle 1,1,0\rangle$ so 3 is untainted
  • $\rho(z) = \langle 1,0,0\rangle$ so 1 is untainted
  • Calculate the carry bits
    • $c_1 = 0$
    • $c_2 = (1 \wedge 1) \vee (1 \wedge 0) \vee (1 \wedge 0) = 1$
    • $c_3 = (1 \wedge 0) \vee (1 \wedge 1) \vee (0 \wedge 1) = 1$
  • Calculate the sum bits
    • $b_1 = 1 \oplus 1 \oplus 0 = 0$
    • $b_2 = 1 \oplus 0 \oplus 1 = 0$
  • Compute the taint bit
    • $b_3 = 0 \vee 0 \vee 1 = 1$

11
Formalising a hack
  • Rules for , !, and can be defined with rules for <, and
  • Let $C \Rightarrow^k C'$ iff $C' = \{c' \mid c \in C \text{ and } c \Rightarrow^k c'\}$
  • Then $\mathit{hack}_k(s) = \{\rho \mid \langle s, \rho\rangle \Rightarrow^k \langle (x = \mathit{malloc}(y);\ s'), \rho'\rangle \text{ and } \rho'(y)_{w+1} = \mathit{true}\}$
  • With $\rho \in \mathit{hack}_k(s)$, s will surely encounter an overflow-fed malloc at step k
  • Note that $\rho \in \mathit{hack}_{42}(s)$ is simpler to check, and thus exploit, than $\rho \in \mathit{hack}_{123}(s)$

12
OBDD: an API on bit-operations
[OBDD diagram over the variables v, w, x, y, z with terminal nodes 0 and 1]
13
ROBDD (reduction 1)
[ROBDD diagram after reduction 1, terminal nodes 0 and 1]
14
ROBDD (reduction 2)
[ROBDD diagram after reduction 2, terminal nodes 0 and 1]
15
ROBDD (reduction 3)
[ROBDD diagram after reduction 3, terminal nodes 0 and 1]
16
Encoding taint semantics in ROBDDs [Hawkins, JAIR, 2005]
  • Use function f to encode behaviour of s by: if $\langle s, \rho\rangle \to \langle \mathit{skip}, \rho'\rangle$ then $f = \phi(\rho) \wedge \phi'(\rho')$ where
    • $\phi(\rho) = \bigwedge_{x \in \mathit{var}(s)} \bigwedge_{i \in [1,w+1]} x_i \leftrightarrow \rho(x)_i$
    • $\phi'(\rho') = \bigwedge_{x \in \mathit{var}(s)} \bigwedge_{i \in [1,w+1]} x'_i \leftrightarrow \rho'(x)_i$
  • If $s = (x = y \circ z)$ then $f_s = \phi(\rho) \wedge \phi'(\rho') =$
    • $(\bigwedge_{i \in [1,w]} x'_i \leftrightarrow (y_i \circ z_i))\ \wedge$
    • $(x'_{w+1} \leftrightarrow (y_{w+1} \vee z_{w+1}))\ \wedge$
    • $(\bigwedge_{i \in [1,w+1]} y'_i \leftrightarrow y_i) \wedge (\bigwedge_{i \in [1,w+1]} z'_i \leftrightarrow z_i)$

17
Ensuring a taint
  • Consider $x = y + z;\ w = \mathit{malloc}(x)$
  • Interested in values of x, y and z which induce an overflow
  • $f = f_{x=y+z} \wedge x'_{33}$ where f is defined over $x_1, \ldots, z'_{33}$
  • $f = (f_{x=y+z} \wedge x'_{33})$ where f is defined over $x_1, \ldots, z'_{33}$
  • $f = \exists x'_1 \cdots \exists z'_{33}\,(f_{x=y+z} \wedge x'_{33})$ where $\exists y(g) = g[0/y] \vee g[1/y]$
  • Mix of constraint solving, deduction with
  • If $x = y + z$ g then use g instead of
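The addition rule of "Tying down a taint (3 of 3)" and the 2-bit case of slide 10, together with the projection question of this slide, as an added example that is not code from the talk's prototype: taint_add implements the carry, sum and taint equations bit by bit, and count_overflowing_pairs enumerates the untainted (y, z) pairs whose sum is tainted, which is what $\exists x'_1 \cdots \exists z'_{w+1}(f_{x=y+z} \wedge x'_{w+1})$ projected onto the inputs describes, done here by brute force at small w instead of by ROBDD quantification. All function names and the bit layout (index 0 is $b_1$, index w is $b_{w+1}$) are this example's own assumptions.

```c
/* Added example, not code from the talk's prototype: the bit-level taint
 * rule for x = y + z ("Tying down a taint (3 of 3)") run on the 2-bit case
 * of slide 10, then used to enumerate the untainted (y, z) pairs whose sum
 * carries taint, i.e. the inputs picked out by projecting
 *   exists x'_1 ... exists z'_{w+1} (f_{x=y+z} and x'_{w+1})
 * onto y and z, here by enumeration rather than ROBDDs.
 * Layout: bit[i] for 0 <= i < w is value bit b_{i+1} (bit[0] is the least
 * significant), and bit[w] is the taint bit b_{w+1}.  All names are ours. */
#include <stdint.h>
#include <stdio.h>

#define MAX_W 31      /* keeps 1u << w well-defined in the enumerator */

/* x = <b_1, ..., b_w>: a constant carries no taint, so the taint bit is 0. */
static void taint_const(uint8_t *x, uint32_t value, int w)
{
    for (int i = 0; i < w; i++)
        x[i] = (value >> i) & 1;
    x[w] = 0;
}

/* x = y + z: ripple-carry sum; the result is tainted if either operand is,
 * or if the carry out of the top bit, c_{w+1}, is 1 (the sum wrapped). */
void taint_add(const uint8_t *y, const uint8_t *z, uint8_t *x, int w)
{
    uint8_t c = 0;                                   /* c_1 = 0 */
    for (int i = 0; i < w; i++) {
        x[i] = y[i] ^ z[i] ^ c;                      /* b_i */
        c = (y[i] & z[i]) | (y[i] & c) | (z[i] & c); /* c_{i+1} */
    }
    x[w] = y[w] | z[w] | c;                          /* b_{w+1} */
}

/* Taint bit of y + z for untainted w-bit constants vy and vz. */
int add_taint(uint32_t vy, uint32_t vz, int w)
{
    uint8_t y[MAX_W + 1], z[MAX_W + 1], x[MAX_W + 1];
    taint_const(y, vy, w);
    taint_const(z, vz, w);
    taint_add(y, z, x, w);
    return x[w];
}

/* Value bits of y + z reassembled as an integer (the wrapped w-bit sum). */
uint32_t add_value(uint32_t vy, uint32_t vz, int w)
{
    uint8_t y[MAX_W + 1], z[MAX_W + 1], x[MAX_W + 1];
    uint32_t v = 0;
    taint_const(y, vy, w);
    taint_const(z, vz, w);
    taint_add(y, z, x, w);
    for (int i = 0; i < w; i++)
        v |= (uint32_t) x[i] << i;
    return v;
}

/* Number of (y, z) pairs in [0, 2^w)^2 whose sum is tainted: the
 * projection of f_{x=y+z} and x'_{w+1} onto the inputs, by brute force. */
int count_overflowing_pairs(int w)
{
    int count = 0;
    for (uint32_t vy = 0; vy < (1u << w); vy++)
        for (uint32_t vz = 0; vz < (1u << w); vz++)
            count += add_taint(vy, vz, w);
    return count;
}

int main(void)
{
    /* Slide 10: y = 3 = <1,1,0>, z = 1 = <1,0,0>, w = 2. */
    printf("3 + 1 over 2 bits: value %u, taint %d\n",
           add_value(3, 1, 2), add_taint(3, 1, 2));
    printf("tainted pairs for w=2: %d\n", count_overflowing_pairs(2));
    return 0;
}
```

For w = 2 the slide's pair (3, 1) gives value 0 with the taint bit set, exactly the $b_1 = b_2 = 0$, $b_3 = 1$ of slide 10, and six of the sixteen input pairs are tainted; in general $2^w(2^w - 1)/2$ pairs wrap, which is why the projection onto the inputs is worth computing symbolically for w = 32 rather than by enumeration.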

18
Need for approximation
  • Prototype implementation
    • ROBDD explosion on <<
  • Tactics for tractability
    • Variable reordering [Rudell, ICCAD, 1993]
    • Early projection [Vardi, CP, 2001]: $|\exists x(f)| < |f|$ where $|\cdot|$ counts nodes
    • ROBDD approximation [Ravi, DAC, 1998]: $|f| > |g|$ where $f \models g$
    • ROBDD approximation [Kettle, TACAS, 2006]: $|f| \ge 2|g|$ where $f \models g$

19
The End