Dynamic Detection of Address Leaks
Abstract
An address leak is a software vulnerability that lets an adversary discover where in memory the various modules that make up a program are loaded. Although apparently harmless, this kind of information gives the adversary the means to bypass two popular protection mechanisms used by operating systems: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). In this paper we show, through an example, how address leaks can be exploited to take control of a remote server running on an operating system protected by both ASLR and DEP. We then present a program instrumentation framework that prevents leaks at run time. Finally, we use a static code analysis that proves that some parts of the program do not need to be instrumented, in order to reduce the cost imposed by the instrumentation. We thus defend, in this paper, the thesis that the combination of static and dynamic analyses is an effective and practical means of protecting programs against address leaks.
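The abstract describes two cooperating pieces: run-time instrumentation that stops address-derived data at output sinks, and a static analysis that proves parts of the program never handle such data so they can stay uninstrumented. The following is an added example that models that combination on a toy three-address IR; it is not the paper's LLVM-based framework, and the IR, the symbol addresses in `SYMBOLS`, the `run` and `needs_instrumentation` functions and the sample `PROGRAM` are all constructed for illustration. Each value carries a taint bit meaning "derived from a program address"; the dynamic monitor propagates it through arithmetic and refuses to emit tainted values, while the static pass computes the set of instructions that can ever see tainted data.

```python
"""Added example (not the paper's LLVM framework): a toy model of the
combined approach the abstract describes. Every value carries a taint bit
meaning "derived from a program address". A dynamic monitor propagates the
bit through arithmetic and stops address-derived data at output sinks; a
static pass over the same program proves which instructions can never see
such data, so only the rest needs instrumentation. The three-address IR,
the symbol addresses and the sample program are all constructed here."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed "load addresses" of the toy program's symbols.
SYMBOLS: Dict[str, int] = {"buf": 0x7FFD_1000, "handler": 0x5555_0800}
MASK = 0xFFFF_FFFF_FFFF_FFFF

# Instruction forms:
#   ("const", dst, n)  ("input", dst)  ("addr", dst, symbol)   <- taint source
#   ("add" | "sub" | "xor", dst, a, b)  ("output", src)        <- sink
Instr = Tuple


def run(program: List[Instr], inputs: List[int],
        tracked: Optional[Set[int]] = None) -> Tuple[List[int], Optional[int]]:
    """Execute with dynamic taint tracking.

    `tracked` is the set of instruction indices that carry instrumentation
    (None = instrument everything). Untracked instructions behave as in the
    original program: they neither propagate nor check taint.
    Returns (values emitted so far, index of the leaking output or None);
    execution stops at the first detected leak."""
    env: Dict[str, Tuple[int, bool]] = {}
    queue = list(inputs)
    out: List[int] = []
    for i, ins in enumerate(program):
        op, instrumented = ins[0], (tracked is None or i in tracked)
        if op == "const":
            env[ins[1]] = (ins[2], False)
        elif op == "input":                       # client-controlled, but not an address
            env[ins[1]] = (queue.pop(0), False)
        elif op == "addr":                        # the only taint source
            env[ins[1]] = (SYMBOLS[ins[2]], instrumented)
        elif op in ("add", "sub", "xor"):
            (a, ta), (b, tb) = env[ins[2]], env[ins[3]]
            v = {"add": a + b, "sub": a - b, "xor": a ^ b}[op] & MASK
            env[ins[1]] = (v, instrumented and (ta or tb))   # taint is sticky
        elif op == "output":                      # the sink a leak must cross
            v, t = env[ins[1]]
            if instrumented and t:
                return out, i
            out.append(v)
        else:
            raise ValueError(f"unknown opcode {op!r}")
    return out, None


def needs_instrumentation(program: List[Instr]) -> Set[int]:
    """Static may-taint analysis for a straight-line program (a constructed
    simplification; real code needs a flow-sensitive analysis over the CFG).
    An instruction needs instrumentation iff it is a source, or one of its
    operands may hold address-derived data. Everything else is proven clean."""
    may: Set[str] = set()
    needed: Set[int] = set()
    for i, ins in enumerate(program):
        op = ins[0]
        if op == "addr":
            may.add(ins[1])
            needed.add(i)
        elif op in ("add", "sub", "xor"):
            if ins[2] in may or ins[3] in may:
                may.add(ins[1])
                needed.add(i)
            else:
                may.discard(ins[1])           # redefinition with clean data
        elif op in ("const", "input"):
            may.discard(ins[1])
        elif op == "output" and ins[1] in may:
            needed.add(i)
    return needed


# Constructed server-like program: echoes a derived length (harmless), then
# emits a stack address disguised by arithmetic (the kind of value that
# lets an attacker undo ASLR).
PROGRAM: List[Instr] = [
    ("input", "n"),               # 0: request length from the client
    ("const", "one", 1),          # 1
    ("add", "n1", "n", "one"),    # 2: pure data, never touches an address
    ("output", "n1"),             # 3: clean output
    ("addr", "p", "buf"),         # 4: p = &buf            (source)
    ("const", "k", 16),           # 5
    ("sub", "q", "p", "k"),       # 6: q = p - 16, still address-derived
    ("output", "q"),              # 7: would reveal buf's location  (sink)
]

if __name__ == "__main__":
    needed = needs_instrumentation(PROGRAM)
    print("instructions needing instrumentation:", sorted(needed))
    print("unprotected run:", run(PROGRAM, [41], tracked=set()))
    print("fully instrumented:", run(PROGRAM, [41]))
    print("pruned instrumentation:", run(PROGRAM, [41], tracked=needed))
```

Running the module shows the point of the pairing: the static pass flags only instructions 4, 6 and 7, and the run that instruments just those detects the leak at the same sink as the fully instrumented run, while the unprotected run emits `0x7ffd0ff0`. Taint is deliberately over-approximate: `("xor", "z", "p", "p")` evaluates to 0 but `z` stays tainted, which is the safe choice for a monitor whose job is to keep any address-derived bits away from the network.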
Published
19/11/2012
How to Cite
QUADROS, Gabriel Silva; SOUZA, Rafael M.; PEREIRA, Fernando Magno Quintão. Dynamic Detection of Address Leaks. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 12., 2012, Curitiba. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2012. p. 44-57. DOI: https://doi.org/10.5753/sbseg.2012.20535.