Class Overview

Yajin Zhou (http://yajin.org)

Zhejiang University

Credits: Most of the ppts are from cse443 of PSU

Learning Objectives

• Understand common vulnerabilities and attacks

• Buffer overflow, ShellShock, Encryption, Android rooting,

Meltdown attack, Smart contract …

• Understand program analysis methods/tools

• Angr, IDAPro

• Learn how to analyze programs and write exploits

• Know how to write safe code

Prerequisites

• Operating systems

• C and assembly language

• Computer systems

Instructor

• Yajin Zhou (yajin_zhou@zju.edu.cn)

• Office: 曹楼412

• Office hours: by appointments

• Class website: https://yajin.org/seclab2019summer/

• TA: Jiaqi Li (教9 211)

Course Material

• Lecture notes (posted at the class website)

• 学在浙里: http://c.zju.edu.cn

Grading

• NO Final exam!

• Homework - 85%

• Class Quiz - 15%

• Late submissions are accepted after the deadline

• a 10% penalty will be applied for each day of late submission

• Disputes of grade MUST be resolved within one week of receiving it

Ethics Statement

• This class may contain technologies whose abuse may infringe on

rights of others! Do not undertake any action which could be

perceived as technology misuse under any circumstances

unless you have received explicit permissions.

Introduction to Software/Program Security

Yajin Zhou (http://yajin.org)

Zhejiang University

Credits: Most of the ppts are from cse443 of PSU

Security vs safety

Security Overview

What is security?

Adversary

Threats

SQL Slammer[a] is a 2003 computer worm that caused

a denial of service on some Internet hosts and dramatically

slowed down general Internet traffic. It spread rapidly,

infecting most of its 75,000 victims within ten minutes.

Vulnerabilities

Attacks

Trust

Security Model

Vulnerability Reporting

Program Security I

A Simple Program

Address Space Layout

Buffer Overflow

Return-to-libc

Return-to-libc

Return-to-libc

Buffer Overflow Defenses

A Simple Program

Buffer Overflow of Local Variables

A Simple Program

Heap Overflow

Memory Safety

Prevent Memory Safety Errors

Another Program

Integer Overflow

Integer Overflow

A Simple Program Again

Parsing Errors

Secure Programing

Take Away

ROP

Buffer Overflow

ret: pop eip

程序代码分析

✦ 常用技术• 控制流图

• 数据流图

• 污点分析

• 符号执行

• 模糊测试

控制流图(Control Flow Graph)

✦ 描述程序执行顺序

数据流图(Data Flow Graph)

✦ 数据流图用来表示数据之间的关系。通常根据目的可以分为liveness

分析图，def-use图等。

def-use分析例子：通过这个分析，我们能知道数据的存活周期。比如如果在x 被use后，程序又通过def对x重新赋值，那么x的存活周期就在两次def之间。

污点分析(Taint Analysis)

✦ motivation: 分析数据在程序内部的传播

✦ 污点分析需要定义 taint source，taint sink和taint propagation rule

✦ 具体例子：使用污点分析检测应用隐私泄露• taint source：读取手机IMEI函数的返回值

• taint sink：网络发送函数。如果网络发送函数中的操作数据是被taint的，那么我们就检测到了泄露IMEI

的行为。

• taint propagation rule：根据每一条指令定义传播的规则

‣ 比如: Y = X + 1 如果 X是tainted，那么Y也变得tainted

‣ 比如 把 X写入内存地址123. 那么内存地址123的地方就是tainted。那么下一次从 内存123 拿出来的数据也是tainted。

符号执行(Symbolic Execution)

✦ 符号执行的目的是为了能在软件测试分析中尽可能多覆盖更多路径• 缺点：scalability是个问题 - 面临路径爆炸问题。另外约束求解效率也是问题

求解约束得到具体值

约束

模糊测试(Fuzzing)

✦ 自动生成不同的input，发送给程序，希望能触发程序的bug/漏洞

✦ 一个例子• Standard HTTP GET request

‣ GET /index.html HTTP/1.1

• Anomalous requests

‣ AAAAAA...AAAA /index.html HTTP/1.1

‣ GET ///////index.html HTTP/1.1

‣ GET %n%n%n%n%n%n.html HTTP/1.1

‣ GET /AAAAAAAAAAAAA.html HTTP/1.1

‣ GET /index.html HTTTTTTTTTTTTTP/1.1

‣ GET /index.html HTTP/1.1.1.1.1.1.1.1

✦ 关键点：如何生成更有效率的input，能触发更多的程序路径• dump fuzzing

• smart fuzzing：使用代码覆盖率作为指导生成更好的input

攻击及防护的演化

Attacks

Defenses

Code injection

1988

Morris worm

Code reuse

1997

Ret-to-libc

Data only

2005

Concept

2017

Attack kernel

No-execute bit

2001

XN ARM

2003

NX AMD

Control flow

2014

CFG MS

2016

CFI Samsung

PA ARM

Data flow

???

Why Security is Hard

If Security Gets in the Way

Some Lessons