论文信息 - Identifying Arbitrary Memory Access Vulnerabilities in Privilege-Separated Software

Identifying Arbitrary Memory Access Vulnerabilities in Privilege-Separated Software

Privilege separation is a widely used technique to secure complex software systems. With privilege separation, software components are divided into several partitions and these partitions can only communicate through limited interfaces. However, the interfaces still provide a channel for one partition to influence code in other partitions. As a result, certain memory access patterns can be leveraged by attackers to perform arbitrary memory access. We refer to this type of memory access errors by the acronym DUI (Dereference Under the Influence). In this paper, we present a systematic method to detect vulnerabilities leading to DUI through binary analysis, and to estimate the capability attackers can obtain through DUI exploits. The evaluation shows that our approach can accurately identify vulnerable code that leads to arbitrary memory access in real-world software components and programs, when they are transformed to privilege-separated designs.

[1] Adam Barth,et al. The Security Architecture of the Chromium Browser , 2009 .

[2] Hao Wang,et al. Towards automatic generation of vulnerability-based signatures , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3] Nikolai Tillmann,et al. Demand-Driven Compositional Symbolic Execution , 2008, TACAS.

[4] Niels Provos,et al. Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[5] Corina S. Pasareanu,et al. Parallel symbolic execution for structural test generation , 2010, ISSTA '10.

[6] Dawson R. Engler,et al. EXE: automatically generating inputs of death , 2006, CCS '06.

[7] Tal Garfinkel,et al. Towards Application Security on Untrusted Operating Systems , 2008, HotSec.

[8] James C. King,et al. Symbolic execution and program testing , 1976, CACM.

[9] Zhenkai Liang,et al. Codejail: Application-Transparent Isolation of Libraries with Tight Program Interactions , 2012, ESORICS.

[10] Mark Handley,et al. Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[11] Douglas Kilpatrick,et al. Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[12] Daniel Kroening,et al. MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities , 2009 .

[13] Dawson R. Engler,et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[14] Mark Horowitz,et al. Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[15] Heng Yin,et al. Dynamic Spyware Analysis , 2007, USENIX Annual Technical Conference.

[16] Carlos V. Rozas,et al. Innovative instructions and software model for isolated execution , 2013, HASP '13.

[17] Koushik Sen. DART: Directed Automated Random Testing , 2009, Haifa Verification Conference.

[18] Heng Yin,et al. Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[19] Zhenkai Liang,et al. BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[20] P. Saxena,et al. Protecting Legacy Applications with a Purely Hardware TCB , 2015 .

[21] Emmett Witchel,et al. InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[22] Zhenkai Liang,et al. Automatic Generation of Data-Oriented Exploits , 2015, USENIX Security Symposium.

[23] David L. Dill,et al. A Decision Procedure for Bit-Vectors and Arrays , 2007, CAV.

[24] David Brumley,et al. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[25] Zhenkai Liang,et al. Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation , 2007, USENIX Security Symposium.

[26] Jun Xu,et al. Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[27] D. Wagner,et al. Catchconv : Symbolic execution and run-time type inference for integer conversion errors , 2007 .

[28] Michael Hicks,et al. Directed Symbolic Execution , 2011, SAS.

[29] David Brumley,et al. Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[30] Daniel J. Bernstein,et al. Some thoughts on security after ten years of qmail 1.0 , 2007, CSAW '07.

[31] Martín Abadi,et al. XFI: software guards for system address spaces , 2006, OSDI '06.

[32] Michael K. Reiter,et al. Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[33] Christopher Krügel,et al. Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[34] Stephen McCamant,et al. HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism , 2013, ESORICS.

[35] Robert Wahbe,et al. Efficient software-based fault isolation , 1994, SOSP '93.

[36] Mu Zhang,et al. AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications , 2014, NDSS.

[37] Hovav Shacham,et al. Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[38] David Brumley,et al. AEG: Automatic Exploit Generation , 2011, NDSS.

[39] Neha Narula,et al. Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[40] James Newsom,et al. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, Network and Distributed System Security Symposium Conference Proceedings : 2005 , 2005 .

[41] Haibo Chen,et al. CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[42] Daniel C. DuVarney,et al. Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[43] Bryan Ford,et al. Vx32: Lightweight User-level Sandboxing on the x86 , 2008, USENIX Annual Technical Conference.

[44] Stephen McCamant,et al. Measuring channel capacity to distinguish undue influence , 2009, PLAS '09.

[45] Xiaoxin Chen,et al. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[46] Geoffrey Smith,et al. Calculating bounds on information leakage using two-bit patterns , 2011, PLAS '11.

[47] Zhenkai Liang,et al. Darwin: an approach for debugging evolving programs , 2009, ESEC/FSE '09.