DYNAMIC TAINT ANALYSIS FOR
AUTOMATIC DETECTION, ANALYSIS,
AND SIGNATURE GENERATION OF
EXPLOITS ON COMMODITY
SOFTWARE
Authors: James Newsome, Dawn Song
Presenters:
Sheikh M Qumruzzaman
Khaled M Al-Naami
WELCOME AND INTRODUCTION



Overview
Dynamic Taint Analysis
TaintCheck
•
•
•
•




TaintSeed
TaintTracker
TaintAssert
Exploit Analyzer
Security Analysis of TaintCheck
Evaluation and Performance
Automatic Signature Generation
Conclusion
OVERVIEW

Worms exploit software vulnerabilities.
Buffer Overflow.
 Format String.
 Dangling Pointers.
 SQL Injection.


CodeRed and Slammer exploit vulnerabilities
and can compromise hundreds of thousands of
hosts within hours or minutes.
SLAMMER

The geographical spread of Slammer in the 30 minutes after its release.
Source: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1219056&tag=1
CODERED

Code Red’s probe rate during its re-emergence on 1 August, 2001
Source: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1219056&tag=1
WHAT DO WE NEED?
An automatic detect and defense system.
 Automatic development of attack signatures.


In this paper authors proposed new technique
‘Dynamic Taint Analysis’ and showed how it can be
used to detect and analyze software exploits
ATTACK DETECTORS


Coarse grained detectors:
Detect anomalous behavior such as scanning and do
not provide detailed information about vulnerability
and how it exploited.
Fine grained detectors:
Detect attack on a program vulnerability, and
provide detailed information about it.
Several approaches for fine grained detectors. But
most of them are not dynamic.
DYNAMIC TAINT ANALYSIS





Tainted Data: Data from un-trusted sources.
Keep track of tainted data.
Monitor program execution to track how tainted
attributes propagate
Check when tainted data is used in dangerous
ways
TaintCheck – An automatic dynamic taint analysis
tool.
TAINTCHECK
Doesn’t require source code/special compilation.
 Reliably detects most overwrite attacks.
 No known false positives.
 Enables automatic semantic analysis based signature
generation.

DESIGN AND IMPLEMENTATION
(TAINTCHECK)

TaintCheck performs dynamic taint analysis on a program by running
the program in its own emulation environment.
X86 instructions
UCode
Binary re-writer
Taint Check
X86 instructions
UCode
Courtesy: Devendra Salvi
Dynamic taint analysis
QUESTIONS?
What inputs should be tainted?
 How should the taint attribute propagate?
 What usage of tainted data should raise an alarm
as an attack?

ANSWERS
TaintSeed.
 TaintTracker.
 TaintAssert.

TaintSeed
TaintTracker
TaintAssert
Copy
Memory byte
Add
Use as
Attack
Detected
Fn Pointer
Untainted
Data
Shadow Memory
Exploit Analyzer
X
Taint Data structure
Taint Check detection of an attack
Courtesy: Devendra Salvi
TAINT SEED
 It
marks any data from untrusted sources as
“tainted”
 Each byte of memory has a four-byte shadow
memory that stores a pointer to a Taint data
structure if that location is tainted, or a
NULL pointer if it is not.
 Optionally, logging can be disabled and the
shadow memory locations can simply store a
single bit indicating taint.
Memory is mapped to TDS
ANSWERS
TaintSeed.
 TaintTracker.
 TaintAssert.

TaintSeed
TaintTracker
TaintAssert
Copy
Memory byte
Add
Use as
Attack
Detected
Fn Pointer
Untainted
Data
Shadow Memory
Exploit Analyzer
X
Taint Data structure*
Taint Check detection of an attack
Courtesy: Devendra Salvi
DYNAMIC TAINT ANALYSIS
 TaintTracker

It tracks each instruction that manipulates
data in order to determine whether the result
is tainted.
 When the result of an instruction is tainted
by one of the operands, TaintTracker sets
the shadow memory of the result to point to
the same Taint data structure as the tainted
operand.
Memory is mapped to TDS
Result is mapped to TDS
ANSWERS
TaintSeed.
 TaintTracker.
 TaintAssert.

TaintSeed
TaintTracker
TaintAssert
Copy
Memory byte
Add
Use as
Attack
Detected
Fn Pointer
Untainted
Data
Shadow Memory
Exploit Analyzer
X
Taint Data structure*
Taint Check detection of an attack
Courtesy: Devendra Salvi
DYNAMIC TAINT ANALYSIS
Taint Assert
 Default




Policy:
Jump addresses.
Format strings.
System call arguments.
Application or library specific checks.
17
- Taint assert checks whether tainted data is used in
ways that is policy defines as illegitimate.
2016/7/12

DYNAMIC TAINT ANALYSIS
Jump addresses:

Format strings:



Checks whether tainted data is used as format string
argument.
Intercept calls to the printf family of functions.
System call arguments:



Checks whether tainted data is used as a jump target.
Instrument before each Ucode jump instruction.
Checks whether the arguments specified in system calls are
tainted.
Optional policy for execv system call.
Application or library-specific checks:

To detect application or library specific attacks.
18


2016/7/12

DYNAMIC TAINT ANALYSIS
Exploit Analyzer
provide useful information about how the
exploit happened and what the exploit attempt
to do.

Usage:
Identifying vulnerabilities.
 Generating exploit signature.

19
 It
2016/7/12

SECURITY ANALYSIS FOR TAINTCHECK

The good news is:
Attacks detected by TaintCheck

The bad news is:
False Negatives
False Positives
SECURITY ANALYSIS – ATTACKS DETECTED
OVERWRITE ATTACKS

TaintCheck detects if overwriting Jump targets (such as
return addresses and function pointers) whether altered
to point to
 Existing code (existing code attack) .
 Injected code (code injection attack).
SECURITY ANALYSIS – ATTACKS DETECTED
OVERWRITE ATTACKS
 It
also detects Format String attacks:
An attacker provide malicious format string
to trick program by writing an attacker
value to an attacker chosen memory
address.
SECURITY ANALYSIS – ATTACKS DETECTED
Overwrite attacks
 Most worm attacks fall into the following
categories. up to 2005

Overwrite
Method
Value
Overwritten
SECURITY ANALYSIS – FALSE NEGATIVE
ANALYSIS – THE BAD NEWS
Attacker causes sensitive data not to be tainted.
 Scenario: Altered data originate or
arithmetically derived from trusted inputs but
influenced by untrusted inputs.
 Paper doesn’t consider tainted attribute of flags,
 Example: suppose x is tainted
If (x == 0) y = 0; else if (x == 1) y = 1; ...
same as  y = x
 However, y is not tainted as influenced
indirectly by x, via the condition flags.
Attacker might cause y to overwrite things ---------------->(Undetected)

SECURITY ANALYSIS – FALSE NEGATIVE
ANALYSIS – THE BAD NEWS – CONT’D

If TaintCheck is configured to trust inputs that
should not be trusted.

data from the network could be first written to a
file on disk, and then read back into memory.
SECURITY ANALYSIS – FALSE POSITIVE
ANALYSIS – THE BAD NEWS




Attack detected while there is no real attack
Taint Check detects that tainted data is being
used in an illegitimate way even when there is no
attack taking place.
However, it indicates there are vulnerabilities in
program
For example, the program may be using an
unchecked input as a format string.
 Fix the vulnerability using check Exploit
Analyzer…
EXPERIMENTS AND EVALUATION
Compatibility and false positives
 Evaluation of attack detection

Synthetic exploits
 Actual exploits

EVALUATION - COMPATIBILITY AND FALSE
POSITIVES

TaintCheck used to monitor some programs
for false positives.
Server programs: apache, ATPhttpd, bftpd, cfingerd,
and named.
 Client programs: ssh and firebird.
 Nonnetwork programs: gcc, ls, bzip2, make, latex,
vim, emacs, and bash.


All were normal with no false positives
EXCEPT for vim and firebird.
EVALUATION - EVALUATION OF ATTACK
DETECTION

TaintCheck ability was tested to detect
attacks:
Synthetic exploits
 Actual exploits

EVALUATION - EVALUATION OF ATTACK
DETECTION

Synthetic exploits
 They
wrote small programs for:
Return Address
Function Pointer
Format String
“gets” for long input
Same
Line input from user
Overwrote the stack –
overwrote return
address
Overwrote the stack –
overwrote function
pointer
Overwrote format
string
Attack detected as
Attack detected as func TaintCheck
return addr was
pointer was tainted
determined correctly
tainted from user input from user input
when the format string
was tainted
EVALUATION - EVALUATION OF ATTACK
DETECTION

Actual exploits
 TaintCheck evaluated on exploits to three vulnerable
servers: a web server, a finger daemon, and an FTP
server.
ATPhttpd exploit
cfingerd exploit
wu-ftpd exploit
Web server program
Finger daemon
ftp
Ver 0.4b and lower are vulnerable
to buffer overflow
Ver 1.4.2 and lower are
vulnerable to format string
Version 2.6.0 of wu-ftpd has a
format string vulnerability in
a call to vsnprintf.
malicious GET request with a very
long file name (shellcode and a
return address) was sent to server.
Return address overwritten so
when func retruns it jumps to shell
code inside the file name  remote
shell for attacker
When prompts for a user
name, exploit responds with
a string beginning with
“version” + malicious code
- cfingerd copies the whole
string into memory, but
only reads to the end of the
string “version”. Malicious
code in memory starts
working
Format string to overwrite
the return address was
detected
TaintCheck detected return addr
was tainted and identified the new
value
Detected also
TaintCheck successfully
detects both that the format
string supplied to
vsnprintf is tainted, and that
the overwritten return
address is tainted.
PERFORMANCE

TaintCheck performance was measured using:
Two “worst-case” workloads (a CPU-bound workload
and a short-lived process workload)
 In addition, common workload (a long-lived I/Obound workload).

Natively, Nullgrind, Valgrind tester
Memcheck, and under TaintCheck
 2.00 GHz Pentium 4, and 512 MB of RAM,
RedHat 8.0.

PERFORMANCE
Short-lived
processes:
cfingerd
bzip2 was instrumented cfingerd was
using TaintCheck
instrumented
to compress
a 15 MB package of
source code (Vim 6.2).
how long cfingerd
1.4.2 takes to
start and serve a
finger request
Normally
8.2 sec
0.0222 sec
Nullgrind
25.6 (3.1 times longer)
13 times longer
MemCheck
109 (13.3 times longer)
32 times longer
TaintCheck
305 (37.2 times longer)
36 times longer
Common
case:
Apache
Next slide
CPU-bound: bzip2
PERF APACHE – CONT’D

Common case

For network services the latency experienced is due to
network and/or disk I/O and the TaintCheck performance
penalty should not be noticeable.
IMPROVING PERFORMANCE
First, some performance overhead is due to the
implementation of Valgrind.
 Another x86 emulator, DynamoRio, offers much
better performance than Valgrind, due to better
caching and other optimization mechanisms.
 Also, analyze each basic block to eliminate
redundant tracking code “Optimization can be
performed”.

AUTOMATIC SIGNATURE GENERATION

Exploit detected  generate a signature to filter this exploit request.

Automatic semantic analysis of attack payloads.

Implemented using TaintCheck

Generate signature to filter out exploit requests until patching.

Previous:


Content Pattern Extraction: Considered attack payloads as opaque byte sequences.
New Approach:

Automatic Semantic Analysis: Identify which parts of the payloads are useful in a
signature.
CONCLUSION
To combat the rapid spread of new worms, an
automatic attack detection has to happen.
 Dynamic taint analysis has been presented using
TaintCheck without requiring
source code or special compilation of a program
 Identify input that caused the exploit and the
value used to overwrite the protected data (e.g.
the return address).
 Automatic signature generation using
TaintCheck.

QUESTIONS?
QUESTIONS

Thank you.