2010 CodeEngn Conference 04 프로그램을 개발함에 있어서 취약점이란 언제나 존재하기 마련이다. 취약점을 찾거나 공략하는 일에 자신의 모든것을 투자하는 해커들에게 있어서, 프로그램 안에 취약점은 반드시 어딘가 “숨어”있는 것이다. 이런 숨어있는 취약점들을 찾기 위해 많은 해커들이 자신만의 노하우를 가지고 있다. 이 발표에서는 이런 수 많은 노하우들 중에 Taint Analysis를 통해 입력된 데이타들이 어떤 경로를 가지고 프로그램내에서 변조되는지에 대한 분석기법을 이야기한다. 기존의 Mutation 이나 Diffing 기반의 단순한 취약점 진단 기법들을 지나서 입력 데이터의 Life Cycle과 변조된 입력 데이터가 어떻게 프로그램의 영향을 미쳐 취약점을 유도하는지, 혹은 변조된 데이터를 기반으로 알려지지 않은 Zeroday 공격들을 탐지할 수 있는 기법들을 설명한다. 또한, Taint Analysis를 통해 효율적인 Fuzzer를 구성하는 방법에 대해 설명한다. http://codeengn.com/conference/04

1. Taint Analysis ForTaint Analysis For
Vulnerability DiscoveryVulnerability Discovery
passket # gmail.com
http://passket.tistory.com
2010. 7. 3
www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference

2. Motivation
Where are vulnerabilities ?
How can you find the vulnerability ?How can you find the vulnerability ?
Is there vulnerability in my program ?
Where is my data in vulnerable program ?Unknown
vulnerability in commodity program ?
Does finding zero-day-vulnerablity make money ?

3. OutlineOutline
• Basic Concepts
• Tainted Propagation on x86
• Simple Test for TaintingSimple Test for Tainting
• Into The Abyss : in the wild world
• Future Work : Raison Framework
• References• References

4. Basic Concepts

5. input data : xinput data : xinput data : xinput data : x
functionfunction
ddoutput data : youtput data : y
And Now we call this “system”

6. modify data : we call this “tainting”
input data : xinput data : xinput data : xinput data : x
functionfunction
ddoutput data : youtput data : y
we can analysis how tainted output driven
: we can call this “taint analysis”

7. How does taint analysis helpHow does taint analysis help
Our works ?
• Exploit Detections :
- Find tainted EIP registerFind tainted EIP register
- Find tainted Function Pointers
- Find tainted Stack Arguments
- Find tainted Data Structure using systemFind tainted Data Structure using system
• Now we reverse upper follows
• Finding Vulnerability

8. fOther benefits
• Solve Reachability Problems
- How can I makes PDF files to execute code block
#937 in PDF reader ?
• Zero-day Detection
I l d h b l- Include other bug class
• Helping Fuzzer Mutationsp g

9. Tainted Object
• The Object from untrusted source
untrusteduntrusted sourcesource
untrusted data #1untrusted data #1
operationoperationoperationoperation
untrusted data #2untrusted data #2

10. Tainted Object
• The Object from untrusted operation, data
untrusteduntrusted data #1data #1
untrusteduntrusted
untrusted data #2untrusted data #2 operationoperation
untrusteduntrusted
datadata
#3#3
trusted datatrusted data
#3#3

11. Tainted Object
• Untrusted Sources
- Files, Inputs, Network Reads, ...
• Tainted ObjectsTainted Objects
- Memory Locations, Process Registers

12. Taint Propagation on x86

13. Taint Propagation
• Taint Propagation is analysis for tainted object
derivation activities.
• If a tainted object X derive to Y
“Y i th t i t d bj t”- we say “Y is the tainted object”
- so, we assign this : X → T(Y)
• Taint operation is transitive
- X → T(Y), and Y → T(Z) then, X → T(Z)

14. Taint Propagation
(Tainted Objects)
memory addressmemory address
(Tainted Objects)
yy
0x0012FF700x0012FF70
ADDADD
process registerprocess register
EBXEBX
process registerprocess register
EAXEAX
EBXEBX
EAXEAX
(untainted objects)
(Tainted Objects)

15. Operation on x86Operation on x86
which derived in tainited
• Assignment Operations
- operation move X to Y
• Arithmetical Operationsp
- operation perfumes arithmatic calculus from X
• Stack Push/Pop Operations
- similar with Assignment Operationssimilar with Assignment Operations

16. Operation on x86Operation on x86
which derived in tainited
• B l O ti• Boolean Operation
- must consider if the result of the operation depend on the
value of tainted object
- ex) AND Operationex) AND Operation
A(tainted) B A && B
0 0 0(untainted)( )
0 1 0(untainted)
1 0 0(untainted)
- special case : X xor X is always untainted
1 1 1(tainted)

17. Operation on x86Operation on x86
which derived in tainited
• We analysis whole program process
- Finally, if we find tainted special object, we find a new bugs
- special object : EIP register, function pointers, etc.special object : EIP register, function pointers, etc.

18. implementations of propagation
• Just trace using breakpointsg p
- only memory locations
• Just trace using exceptions
- only memory locationsonly memory locations
• How do we trace process registers ?
- emulation or virtualization, It is only way to propagations

19. implementations of propagation
• Aft fi t th t i t d bj t i t ti h t• After we figure out the tainted object, every instruction has to
execute after emulation.
- So, we can figure out new tainted object.
• Or, register handler to process register using virtualizationOr, register handler to process register using virtualization
- this requires fully implementation for cpu emulating and
memory accessmemory access

20. Simple Test For Tainting

21. I h AbInto the Abyss :
in the wild world

22. welcome to wild world!
• P bl 1 ltith d• Problem 1 : multithread or
message-driven
• Problem II : a lot of logs
• Problem III : still can’t find ?

23. for the real world tainting
• Multithreaded or Message-Driven Program makes your fuzzer
into hang overinto hang over
- Cuz, There is no automated end of program
- So, you make fully virtualization for program
• Th f l• There are tons of log
- Is it same with mutation fuzzing ?g
- no waaaay, keep in going analysis tightly

24. tips for the real world tainting
•• Using debugger : paimei is good for it
• Construct your own emulation for programy p g
• Sometimes just use other guy’s code
- why not ? valgrind + wine + windows app.
- concentrate your major subject : finding bugsconcentrate your major subject : finding bugs.

25. tips for the real world tainting
• EX> Valgrind ls -al /

26. Extras

27. Raison Framework
automated exploit framework
still under-constructing.....

28. references
- “LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks” -
Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan zhou, Youfeng Wu - University of Illinois
- “BitBlaze: A New Approach to Computer Security via Binary Analysis” - Dawn Song
- “Dytan: A generic dynamic taint analysis framework” – James Clause, Wanchun Li, and Alessandro Orso.y g y y , ,
Georgia Institute of Technology.
- “Understanding data lifetime via whole system emulation” – Jim Chow, Tal Garfinkel, Kevi Christopher,
Mendel Rosenblum – USENIX – Stanford UniversityMendel Rosenblum USENIX Stanford University
- “Taint analysis” - edgar barbosa, H2HC 2009
- “valgrind” http://valgrind org/- valgrind - http://valgrind.org/
- “paimei & pydbg” - http://pedram.redhive.com/PyDbg/docs/
- “PyEmu” - http://code.google.com/p/pyemu/
www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference