0% found this document useful (0 votes)
3K views2 pages

CS4239

Uploaded by

goxaci4105
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
3K views2 pages

CS4239

Uploaded by

goxaci4105
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

Mem Errs Def Mechanisms detected in redzone. Increased mem usage with cannot access it.

d mem usage with cannot access it. CFG and CFI


redzone and shadow map. Can call uninstrumented C strings. char in C is an integer type. Strings are Control Flow Graph. Directed graph where nodes
Non-executable Memory. Code injection attacks code but mem usage shouldnt conflict with shadow array of char and must be null character terminated.
involves writing and executing data. Strategy is to map. are basic blocks (sequence of straight line code with a
Size includes the null at the end. single entry, possibly branching at end). Edges are
try and prevent injected code by making some Shadow Memory. Compact map of main memory Stack Overflow. Local buffer overflow; corruption
portions of memory non-executable. Code injected as on data and control. Violates integrity. control flow transfer between blocks. Nodes can have
to indicate whether address is accessible. Every multiple incoming and outgoing edges. Model ofhow
data is not executable does not prevent aligned 8 bytes has 9 states. First n are addressable, Control Flow Hijack. Attacker control return
vulnerability but prevents exploitation. control flow works/meant to work in a program at
8-n are not, encode in 1 shadow byte. address with chosen input. Can corrupt return source code/binary level.
Non-executable stack and data requires OS and Object redzones. Add no-access redzones around address for caller, multiple frames, data and %ebp.
hardware support, usually with a flag in page Interprocedural CFG. Nodes in call graph are
object, taking up actual virtual address space, affect Return-into-libc. Uses existing code in program.
tables.Doesn’t prevent attacks reusing existing cache, redzones may need to deal alignment. Usage of Return address overwrite is existing code to call. functions. Directed edge show function calls. f-to-g
code. redzones is a buffer overflow. Add redzones for Return Oriented Programming. Generalised edge for function g called inside function f.
Stack protection/detection. Memory error everything which is to be protected like global/stack Control Flow Integrity. Limit control flow
version of the above. Return to any code fragment
violates integrity of stack. This is not a vars and heap stuff. ending with a return type instruction. Chain multiple transfers to what program allows. Only allow control
prevention. Detecting Temporal Errors. Memory allocation fragments to execute code controlled from stack or flow within static CFG of program. A CFI violation
Reordering variables on stack. reduces not clears poison (remove red zones) if poisoned of object stack control PC. is a flow that doesn’t follow CFG.
prevent data corruption from buffer overflow. Heap Buffer Overflow. Buffer overflow on the Challenges. How to determine CFG accurately if
memory. Freeing memory poisons object memory and
Shadow stack. Don’t use normal stack for return delay re-using of memory for new alloaction. Poison heap. Usually with the program code. For a there is dynamic behavior (pointers). Computing
addresses/check integerity. Maintain shadow stack in red zone detects UAF errors. structure, we can overflow a field to update another accurate CFG is undecidable; over approximation to
a hard to buffer overflow part of memory. Prevents Fat Pointers. replace machine pointers with these field. Corrupting multiple objects depends on how allow FN.
control flow hijack from return address. Cna lead to instead. Store object meta information in pointer. malloc works where objects are located. Foward edge. Jump or call instruction. Jump/call
some synchronising issues with non trivial costs. This changes the object layout, increases mem usage gets(). inherently unsafe. Ready bytes from stdin target is indirect address. Absolute target cant be
Costs. Instrument calls forward phases of control and interfere with binary compatibility. changed by attacker. Branch target not possible as it
until new line or EOR. Amount of data written to will be a CFI error. possible != correct.
flow allows modifying function call instruction LowFat Pointers. Encode meta-info within buffer is controlled by input, no way to restrict to the
sequence. Push return addr on shadow stack machine pointer. Machine pointer size unchanged size of the buffer. Backward edge. Return instruction. Is return
and normal stack. Instrument return modifies the (achieving binary compatibility). Requires large fgets(). Safer alternative from gets(). Reads bytes target continuation of original call. Can be checked
return instruction sequence. compare normal address space. Heap provides freedom in allocation, with shadow stack defences.
stack return address with shadow stack, throw until n-1 bytes or new line then transfer to buffer. Instrumentation scheme. indirect call instruction,
check heap alloc bounds (whether access within Difference is that there is no overflow but adds
exception if different. malloc size + padding). Protects heap, stack. newline to buffer. call L(special tag), R. Success if address in register R
Stackguards. Add canary (or cookie) value between LowFat Allocator. Creates lowfat heap pointers strcpy(). Potentially unsafe. Copies s2 into s1 has matching lablel, else CFI error. Return
value to be protected and stack variables. Assumes with a special memory layout. Creates different including null terminator. Possible overflow if the size instructions are ret L. Success if return address has
buffer overflow overwrites canary/be stopped by matching label L else CFI error.
regions, where each region is for objects within a of s2 ≥ s1. Assumptions. Read-only code. Data execution
canary value (incomeplete protection). This does specific size range base on a config table. Regions 0, strnlen(). strlen() can go past non-null terminated
not remove vulnerability. Canary values are set S maps to be unrestricted. Non-lowfat pointers prevention is on.
data. This is the safer version. Limitations. Only deals with control flow. Needs to
to prevent certain attacks. NULL can prevent a always succeed in bounds check. Passing Safer string copy. strncpy() not terminated if s2 ≥
strcpy attack. Random values make it difficult for non-lowfat pointers will not cause error. be an approximation of true execution. Branching to
n, can lead to null terminations errors. strlcpy() address is impossible at runtime without attack.
attacker to predict what value to overwrite. Finding meta-info. Based on pointer, we can get
Compile flags. Checking code needed in function always null terminates. Under-approximation can cause errors.
the index and size. Then we can compute the base Format string vulnerabilities. Variable Over-approximation may allow some attacks.
epilogue to verify canary value integrity before return address from these. From the size of the table, we
instruction. Usually needs recompilation of source arguments and input can be controlled by attacker. Evaluation. Low overhead with more FN. Forward
can divide the pointer by the size and multiply it
code. Attacker guesses canary or try to discover it with the size. Possible to buffer overflow (for sprintf) and creates egde only CFi more common but overhead of shadow
through information leak. Tradeoff summary. Non-executable data has DOS if there is mismatch number of args. stack may not be small.
Addr Space Layout Randomisation. Randomise almost 0 overhead, low effectiveness and high Format string conversion. %n conversion is Blackbox Fuzzing
address of some stack, heap, globals code. In practise, compatibility except JIT compilation. Stackguard dangerous as it writes some chars written so far to Blackbox Fuzzing. Generate test case based on
only some things are randomised such as starting Very low overhead with low effectiveness and high value pointed by argument.
Temporal Error. Access memory of object which domain. Can use specs but not source code. Can
position. Usually constrained to randomise at page compatibility for source code. ASLR Low overhead,
low-medium effectiveness depending on entropy with mutate/generate input based on specs. Fast but
level. Code is required to be compiled as position has been deallocated.
high compatibility. CFI Medium overhead with Malloc. Returns pointer to aligned mem region of limited coverage.
independent in Linux. Limitations. No guarentee bug is found, but some
Protection. Dont prevent vulnerability. Just medium-high effectivness for control flow and at least n bytes. Memory is not initialised. If size is
medium compatibility. Buffer Overflow Checking 0, may return a unique pointer which can be freed. may be. Cannot prove there are no bugs as it does
makes it difficult for attack to succeeed, assuming not show correctness, no misbehavior and usually no
attacker dont know how to exploit code/data address. has medium-high overhead with high effectiveness free(). if pointer is null do nth. Undefined for some
and compatibility. guarentees.
Assumption is that attack can fail as address may be random value. Logically deallocates memory (!= Random Fuzzing. Generate random input and run
wrong but ultimately depends on the level of Binary Hardening. Detect memory error given an physical unallocated).
attakcer by making it harder for attacker to bypass. program with input. If crash, log that input.
randomness. Information leak can still leak Use-after-free. Any value in block of memory Assumptions. test case encodes the bug, buggy
information. Unspecified behavior. Provide multiple already free is accessed. Leads to undefined behavior.
Buffer Overflow Checking. Prevent by checking input causes crash. Avoid/minimal analysis of
possibilities and impose no further requirements on Reading after free usually succeeds but is a memory
all accesses are valid. Need to instrument pointer which is chosen in any instance. bug. Write after free can corrupt memory. program, no source needed.
code since only instrument code is protected. Some Implementation Defined Behavior. Unspecified Dangling Pointers. A form of UAF. There may be Test Oracle. Check the result, assumes error means
approaches includes checking of pointer arithmetic test failure.
and address of pointer access by checking variable behavior where each implementation documents how pointers still pointing to an object that was freed. Weak Test Oracle. Doesn’t check for correctness of
the choice is made. Vulnerability if those pointers are accessed. behavior/output. Weaker property may or may not
with pointer(need to store metadata), object based Undefined behavior. Anything is allowed. Double Free. Leads to undefined behavior. indicate correctness in the form of assertion failure,
(recover bounds from object), boundary checks Accessing things that are out of bounds. Compiler realloc(). deallocated old object pointed by pointer memory error, timeout and crash.
(check redzones around object). may choose the meaning.
Object bounds. Detect error outside object. Spatial Error. Access outside the bounds of an and allocate a new size. If mem cant be allocated, Functional Testing. Deriving test cases from
doesnt perform dealloaction and nothing happens. program specifications. Functional specification is the
Sub-bounds. Detect error outside subject, difficult. object. Successful calls frees the previous memory and
Allocation bounds. Detect errors outside allocated Buffer Overflow. Spatial memory error. Behavior description of intended behavior. Timely (refining
performs allocation again. specs before writing code), effective (find faults that
memory for object. is undefined - anything is allowed. This can modify
ASAN. Uses boundary checking with redzone. behavior of program. can elude other methods), widely applicable (can
Requires maintainance of shadow map, redzone Boundary Condition. Can pass the boundary just work for any spec and any type of app),
checks are incomplete since overflows are only economical(less expensive to design and execute).
Doesn’t require program code but need description of true. On-the-fly path exe. Instead of analysing the precision arithmetic, check ranges, static analysis,
intended behavior. Side benefits that reveals Path adequacy. Path testing consider combinations whole program, shift from one path to another. fuzzing, compiler warning and runtime checks.
ambiguities of spec. of decisions along paths. Each path must be executed Continue searching for failing inputs and try those
Random testing. Pick possible inputs uniformly. at least once. Number of paths when loop is involved
Operating Systems
which dont go through the same path. Directed
Avoids designer bias but may not be efficient. Closer is possibly unbounded. Partition infinite set of paths Environment Variables. Reset env vars if attacker
Automated Random Testing (DART).
to fuzzing. into finite number of classes. can control the env.
Assignment store. Set of variable-value tuples that Compiler as Trojan. Build trojan compiler to the
Systematic testing. Try to select inputs that are Coverage-based greybox fuzzing. Use codecov to
contains mappings after executing a particular line. same name as the original compiler. Use trojan
more valuable, usually by choosing representatives of give execution feedback. Focuses on inputs which can Path condition. Boolean expression in order for a
classes that are apt to fail often or not supposed to give more coverage. Not blackbox since looks compiler to build main file binary. Since trojan
partially into program. particular line to be executed. compiler has backdoor in code when compiling main
fail. Does not mean complete. This is functional Random Test Driver. Generate test driver
testing. American Fuzzy Lop. Coverage-based greybox file, there will be backdoor once main file is compiled.
automatically to simulate random env of interface. Assumptions of main file is that there is no
Random + Systematic Testing. Generates some fuzzing. Counts CFG edges executed. Coverage array Compile program with test driver to create a closed vulnerabilities in the file. Compiler and binary
boundary values first to capture corner is 64kb shared mem region by caller (overhead). executable. Run executable to see if assertions are cannot be trusted.
cases/important relationships. Cover the rest of the IsInteresting strategy. If new tuple is created in violated. Character Encoding. Unicode has variable byte
input domain by random testing. coverage(from the same trace) or transitions between Concolic. Concrete + Symbolic execution. Execute
condition and resolve branch condition using concrete length encoding for unicode. Complex schemes lead
Cluster Crashing Tests. Ideally its a semantic bucket coverage counts. to bugs especially for UTF-8.
Fuzzing strategy. Deterministic when its sequential values. Then update PC depending on condition.
analysis of test to find a reason by storing a bucket of DART approach. Maintain concrete and symbolic Right to Left Override. Using [U+202E] reverses
tests against each logical formula. In reality, its based modifications and non-deterministic for stack the characters after that, creating a false name that
on point of failure location/function/CFG path. operations and splicing test cases. states after executing each line. Start with a random
input. Then trace through the program while looks legit.
Black-box Fuzzing (Random). Random permute Architecture. Load tests, forks new process Homograph Attack. Spoof similar looking
running code. Driver wait for target process to finish. maintaing the states and constraints. On
input and try to crash. Highly effective but may have termination, negate one constraint to find the next characters by replacing them with lookalikes.
issue with codecov and checksum. Record branch coverage bitmap logs coverage bitmap
possible input and repeat. Pathname Sanitisation. Consider exact semantics
Mutational Fuzzing. Takes in seed and mutation on exit. Use shared mem as coverage bitmap. Collect
bitmap to decide if input is interesting. Terminate Challenges. Incomplete constraint solver. Negation of pathname. Replacing all ../ will not work since
ratio. Obtain an input by performing mutation op. could be problematic and solving of path constraints attacker can just add an additional instance of it to
Run the input through program to see if it crashes. when no error found or error found causes some crash
or different output. may be undecidable. target path. Using strcmp may not work because
Document outcome regardless and generate next Execution Tree. For each satisfiable leaf, there there are many equivalent pathnames.
input. When some limit is reached (iteration/time), Patching exists a concrete input for which real program will Symbolic links. File where its contents is
verify mutation dont run same input twice. Patching. Manually or automatic through dynamic reach the same leaf so we can generate tests. Path recursively a pathname. Opening a symlink is the
Independent of program and input structure. conditions associated with any 2 satisifable leaves are equivalent of opening a file at the base of the
Principle. Take well-formed input that dont crash instrumentation vs source code. Add error checks,
learn invariants and enforce, code repair from tests distinct leads to codecov. recursion.
and minimally modify/mutate it to generate slightly Pathname Canonicalisation. Takes a path and
and symbolic execution. Arithmetic Errors returns absolute path without any dots, symlinks and
abnormal input and see if it crashes. Patch delivery. Signing/verifying patches. Is
Generational Fuzzing. Generate well-formed Fixed sized ints. Various sizes allows for signed extra slashes.
downtime needed vs hotpatch. and unsigned. Signed represented as 2s complement. Hard links. Same file refers to the same inode.
inputs systematically using a grammar or a Challenges. Undecidability with FP and FN. Hard links are restricted to 1 filesystem.
specification. Provides understanding of behavior and Arbitrary precision ints. infinite precision,
Intractability (cant scale). Pratical issues like allowing no loss of precision but more storage and TOCTOU. Time of check, time of use. Check that
syntax and guides fuzzing based on this understading. invariant is true, error if cant meet condition. Use
Grammar approach. Selectively mutate input base managing FP, tradeoff accuracy v precision. time.
Floating point. Approximation of real numbers. assumes invariant from Check and use the object.
on grammar producing almost correct input. Mutate White-box fuzzing TOCTOU vulnerability. Sequence may not be
subset of inputs. Higher codecov by selectively Not associative and distributive in general. Double
Whitebox fuzzing. Complete knowledge of more precision and exponent than single in bits, but atomic. Attacker can context switch to modify things
fuzzing different portions of input. in between function calls.
Blocks approach. Each block have rules written in program. does not mean more bits guarantee more
Greybox fuzzing. Offline analysis with partial correct answers. Temp Files. Use hard to guess random filename
API form and simpler than grammar-based fuzzing. Numeric exceptions. Division by 0, under and Process Identity. ruid is the real owner of the
Identifies a rough structure of input. Aimed at knowledge of program. Use knowledge to guide
blackbox fuzzing. Symbolic path exploration. overflows. Most exceptions by default are not raised. process. euid is the effective uid, used to allow/deny
re-using previously known correct structures to Representation. n-bit unsigned ints represent
generate new inputs. Explore all program paths starting with (un)known access. ssuid is saved uid. root is privileged user,
SPIKE Fuzzer. FIFO Queue through SPIKE API inputs. 0, ...2n − 1. n-bit signed ints represents perform most ops without being denied. euid + egid
where string variables are fuzzed by SPIKE. Still Grey-box fuzzing. Combine blackbox fuzzing with −2n−1 , ..., 0, ..., 2n−1 − 1. for access control.
Unsigned Wraparound. Computation is modulo File Permissions. read, write and execute bits for
requires user to manually create the malformed input cheap code analysis. Symbolic execution. Execute files. same set for dirs and a sticky bit, whether can
but provies an API to do so. program with un-known input values. Evaluate RHS 2n . No overflow. May wraparound for extreme values. rename/delete. other bits applies if user/grp of
Structural testing. Create functional test suite symbolically, assign LHS as part of state. Execute Signed int overflow. On overflow, up to
process dont match file user/grp.
then measure structural coverage to see whats condition by trying both branches. Update PC (path implementor. No signal may be raised. Number of Changes privileges. if setuid/gid bit is on, changes
missing. This is automated but does not ensure condition) with the condition. PC become more negative values 1 more than positives excluding 0,
effective test suites. meaning positive and negative cases may need process identity when executable is executed. this
Statement testing. Each statement (node in CFG) specific. Check if PC constraint is satisfiable. On changes identity of process and effective permissions.
termination, solve constraint. Inputs. Inputs are not different handling.
must be executed at least once. Coverage is Loop counters. Avoid wraparound of loop index Possible to switch to a nobody which has no
calculated by dividing number executed with number specific concrete values but instead could be a set of privileges. Changing and reducing privilege may be
values instead. Do not know the test case. Creates due to overflow and wraparound. permanent. Only done at process level.
of statements. Fault in a statement only revealed by observable differences through mathematical output Up Conversion. Converting from smaller width to
executing it. Assumption is that statements are System calls. setuid drops root privileges to user if
from tests. Path conditions are constraints. bigger width. Preserves value including sign. euid of process is root. seteuid only changes euid
independent. Concrete executions only execute some path and does Down conversion. Converting from bigger width to
Coverage. 100% node coverage = 100% statement not guarentee a specific path. even for root. temporarily drops privileges with
smaller. Loss of precision as less bits for seteuid. setresuid sets ruid, euid and ssuid atomically,
coverage though improvement in one may not Solving constraints. Given some constraints, say representation.
improve the other by the same amount. Does not can be used to drop privilege permanently if all
YES if thereP is a solution, NO otherwise. Integer Conversion from unsigned. Up promotion usually parameters are the same.
depend on the number of test case. Node coverage constriants: ai xi ≤ c is NP complete for integers safe. Down promotion truncates and preserve low
!= Edge coverage Unprivileged slave process. Privilege monitor
and poly time for real numbers for xi . Conjunction order bits. Result mod new type. creates unprivileged child processes. fork child
Branch testing. Each branch must be executed at (and) of string match constraints are NP-complete. Conversion from signed. Up promotion is safe.
least once. Coverage calculated same way as process. change their identity to nobody. restrict file
Transcendental functions sin2 (x) + cos2 (x) = 1 is Down promotion is implementation defined. access with filesystem isolation/sandbox.
statements. Traversing all edges of graph cause all undecidable in general. Multivariate polynomials Mitigation. Input validation, consistency check,
nodes to be visited but the other way may not be
x3 + y 3 = z 3 over integers are undecidable. right size vars, usually unsigned index, arbitrary

You might also like