Class Overview
Yajin Zhou (http://yajin.org)
Zhejiang University
Credits: Most of the slides are from CSE 443 at PSU
Learning Objectives
• Understand common vulnerabilities and attacks
  • Buffer overflow, ShellShock, encryption, Android rooting, the Meltdown attack, smart contracts …
• Understand program analysis methods/tools
  • angr, IDA Pro
• Learn how to analyze programs and write exploits
• Know how to write safe code
Prerequisites
• Operating systems
• C and assembly language
• Computer systems
Instructor
• Yajin Zhou ([email protected])
• Office: 曹楼412 (Cao Building, Room 412)
• Office hours: by appointments
• Class website: https://yajin.org/seclab2019summer/
• TA: Jiaqi Li (教9 211, i.e. Teaching Building 9, Room 211)
Course Material
• Lecture notes (posted at the class website)
• 学在浙里 (the ZJU online course platform): http://c.zju.edu.cn
Grading
• NO Final exam!
• Homework - 85%
• Class Quiz - 15%
• Late submissions are accepted after the deadline
  • a 10% penalty is applied for each day of late submission
• Grade disputes MUST be raised within one week of receiving the grade
Ethics Statement
• This class covers technologies whose abuse may infringe on the rights of others! Do not undertake any action that could be perceived as technology misuse, under any circumstances, unless you have received explicit permission.
Introduction to Software/Program Security
Security vs safety
Security Overview
What is security?
Adversary
Threats
SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. It spread rapidly, infecting most of its 75,000 victims within ten minutes.
Vulnerabilities
Attacks
Trust
Security Model
Vulnerability Reporting
Program Security I
A Simple Program
Address Space Layout
Buffer Overflow
Return-to-libc
Buffer Overflow Defenses
A Simple Program
Buffer Overflow of Local Variables
A Simple Program
Heap Overflow
Memory Safety
Prevent Memory Safety Errors
Another Program
Integer Overflow
A Simple Program Again
Parsing Errors
Secure Programing
Take Away
ROP
Buffer Overflow
ret: pop eip (the word at the top of the stack is loaded into eip, so whoever controls the stack controls where execution continues)
Program Code Analysis
✦ Common techniques
  • Control flow graph
  • Data flow graph
  • Taint analysis
  • Symbolic execution
  • Fuzzing
Control Flow Graph (CFG)
✦ Describes the order in which a program's code can execute: nodes are basic blocks, edges are the possible transfers of control between them
Data Flow Graph (DFG)
✦ A data flow graph represents relationships between data. Depending on the purpose, common forms include liveness analysis and def-use chains.
Def-use analysis example: this analysis tells us the live range of a value. For instance, if x is used and the program then redefines x with a new def, the first value of x is live from its definition up to its last use before that second def; from that last use until the second def, the old value of x is dead (it is never read again).
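Worked example (added here; it is not part of the original slides): a minimal def-use analysis over a constructed straight-line program, computing for each definition the uses it reaches and the resulting live range. The IR encoding, the variable names and the program itself are assumptions made for this illustration; real tools run the same idea over a CFG with reaching-definitions, not over straight-line code.

```python
# Toy straight-line IR for the def-use example. Each instruction is
# (defined_variable_or_None, [variables_read]). The program is constructed
# for this illustration and is not taken from the lecture.
PROGRAM = [
    ("x", []),          # 0: x = input()
    ("y", ["x"]),       # 1: y = x + 1
    ("z", ["x", "y"]),  # 2: z = x * y
    ("x", ["z"]),       # 3: x = z - 2   <- x is redefined: the value from line 0 is dead
    ("t", ["y"]),       # 4: t = y       <- dead definition: t is never used
    ("w", ["x", "y"]),  # 5: w = x + y   <- uses the *new* x from line 3
    (None, ["w"]),      # 6: return w
]


def def_use_chains(program):
    """Map every definition (var, def_index) to the list of instruction indices
    that use that particular value. In straight-line code a use is reached by
    the most recent earlier definition of the same variable."""
    chains = {}
    reaching = {}                      # var -> index of its current definition
    for i, (dst, srcs) in enumerate(program):
        for v in srcs:                 # uses are resolved before the new def takes effect
            if v in reaching:
                chains[(v, reaching[v])].append(i)
        if dst is not None:
            chains[(dst, i)] = []
            reaching[dst] = i
    return chains


def live_ranges(program):
    """A value is live from its definition to its last use. Returns
    (def_index, last_use_index) per definition, or None for a dead definition."""
    ranges = {}
    for (var, d), uses in def_use_chains(program).items():
        ranges[(var, d)] = (d, max(uses)) if uses else None
    return ranges


def dead_definitions(program):
    """Definitions whose value is never read: candidates for dead-code elimination."""
    return sorted(key for key, rng in live_ranges(program).items() if rng is None)


if __name__ == "__main__":
    for (var, d), rng in sorted(live_ranges(PROGRAM).items(), key=lambda kv: kv[0][1]):
        print(f"{var} defined at {d}: live range {rng}")
```

Running it shows the two values of x with disjoint live ranges, (0, 2) and (3, 5), which is exactly the situation the slide describes.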
Taint Analysis
✦ Motivation: track how data propagates inside a program
✦ Taint analysis requires defining taint sources, taint sinks and taint propagation rules
✦ Concrete example: using taint analysis to detect privacy leaks in apps
  • taint source: the return value of the function that reads the phone's IMEI
  • taint sink: the network-send function. If the data passed to the network-send function is tainted, we have detected a leak of the IMEI.
  • taint propagation rules: defined per instruction
    ‣ e.g. Y = X + 1: if X is tainted, Y becomes tainted
    ‣ e.g. X is written to memory address 123: address 123 becomes tainted, and data later loaded from address 123 is tainted too
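Worked example (added here; not code from the slides or from any real tool): a forward taint tracker over a constructed three-address IR that implements exactly the rules above, with the IMEI accessor as source, the network-send function as sink, arithmetic propagation, and taint that survives a round trip through memory. The IR format, the register and function names (getDeviceId stands in for Android's IMEI accessor, sendToNetwork for the network API) and both programs are assumptions for this illustration.

```python
# Toy three-address IR for the taint example. Each instruction is a tuple:
#   ("call",  dst, fname, [args])  call fname(args); dst gets the return value (or None)
#   ("add",   dst, a, b)           dst = a + b  (b may be a variable or an integer immediate)
#   ("mov",   dst, src)            dst = src
#   ("store", addr, src)           mem[addr] = src
#   ("load",  dst, addr)           dst = mem[addr]
# The IR, the programs below and the function names are constructed for this
# illustration; getDeviceId stands in for Android's IMEI accessor.
SOURCES = {"getDeviceId": "IMEI"}     # return value is tainted with this label
SINKS = {"sendToNetwork"}             # a tainted argument here is a privacy leak


def taint_of(operand, regs):
    """Taint set of an operand: variables carry taint, immediates carry none."""
    return set(regs.get(operand, ())) if isinstance(operand, str) else set()


def analyze(program, sources=SOURCES, sinks=SINKS):
    """Forward explicit-flow taint tracking over one straight-line program.
    Returns one (pc, sink, argument, labels) tuple per tainted sink argument.
    Limitation: only explicit data flows are tracked; a branch that depends on
    tainted data (an implicit flow) does not taint what is written under it."""
    regs = {}        # variable -> set of taint labels
    mem = {}         # address  -> set of taint labels
    leaks = []
    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "call":
            _, dst, fname, args = ins
            if fname in sinks:                        # sink: check every argument
                for a in args:
                    labels = taint_of(a, regs)
                    if labels:
                        leaks.append((pc, fname, a, sorted(labels)))
            if dst is not None:                       # only sources return tainted data
                regs[dst] = {sources[fname]} if fname in sources else set()
        elif op == "add":                             # Y = X + 1: tainted iff an operand is
            _, dst, a, b = ins
            regs[dst] = taint_of(a, regs) | taint_of(b, regs)
        elif op == "mov":
            _, dst, src = ins
            regs[dst] = taint_of(src, regs)
        elif op == "store":                           # write X to address 123: cell tainted
            _, addr, src = ins
            mem[addr] = taint_of(src, regs)
        elif op == "load":                            # read address 123: destination tainted
            _, dst, addr = ins
            regs[dst] = set(mem.get(addr, ()))
        else:
            raise ValueError(f"unknown op {op!r} at pc {pc}")
    return leaks


LEAKING_PROGRAM = [
    ("call", "r0", "getDeviceId", []),             # 0: r0 = IMEI            (source)
    ("add", "r1", "r0", 1),                        # 1: r1 = r0 + 1          (propagates)
    ("store", 123, "r1"),                          # 2: mem[123] = r1        (cell tainted)
    ("mov", "r1", "r2"),                           # 3: r1 = r2              (r1 is clean now)
    ("load", "r3", 123),                           # 4: r3 = mem[123]        (tainted again)
    ("call", None, "sendToNetwork", ["r1", "r3"]), # 5: sink: only r3 is reported
]

CLEAN_PROGRAM = [
    ("call", "r0", "getDeviceId", []),             # the IMEI is read ...
    ("add", "r1", "r0", 7),                        # ... and transformed ...
    ("call", "r2", "getTime", []),
    ("call", None, "sendToNetwork", ["r2"]),       # ... but never sent: no leak
]

if __name__ == "__main__":
    print("leaking:", analyze(LEAKING_PROGRAM))
    print("clean:  ", analyze(CLEAN_PROGRAM))
```

The mov at pc 3 overwrites r1 with clean data, yet the leak is still caught, because the taint was parked in memory cell 123 by the store rule and recovered by the load rule.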
Symbolic Execution
✦ The goal of symbolic execution is to cover as many program paths as possible in software testing and analysis: inputs are treated as symbols, each branch taken adds a constraint to the current path, and a constraint solver turns the collected path constraints into concrete input values that drive execution down that path
  • Drawbacks: scalability is a problem (path explosion), and constraint-solving efficiency is another
Fuzzing
✦ Automatically generate varied inputs and feed them to the program, hoping to trigger bugs/vulnerabilities
✦ An example
  • Standard HTTP GET request
    ‣ GET /index.html HTTP/1.1
  • Anomalous requests
    ‣ AAAAAA...AAAA /index.html HTTP/1.1
    ‣ GET ///////index.html HTTP/1.1
    ‣ GET %n%n%n%n%n%n.html HTTP/1.1
    ‣ GET /AAAAAAAAAAAAA.html HTTP/1.1
    ‣ GET /index.html HTTTTTTTTTTTTTP/1.1
    ‣ GET /index.html HTTP/1.1.1.1.1.1.1.1
✦ Key point: how to generate inputs more efficiently, so that they trigger more program paths
  • dumb fuzzing: random mutation with no feedback from the target
  • smart fuzzing: use code coverage as feedback to generate better inputs
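Worked example (added here; not code from the slides or from any real fuzzer): a minimal mutation fuzzer run in both modes against a constructed toy HTTP request-line parser with a planted bug. Coverage is measured with the standard-library trace hook, mutations mirror the anomalous requests above, and the only difference between dumb and smart mode is whether inputs that reach new lines are kept and mutated further. The parser, its bug, the token dictionary and the mutation set are all assumptions for this illustration.

```python
import random
import sys

SEED_REQUEST = "GET /index.html HTTP/1.1"


def parse_request_line(line):
    """Toy parser with a planted bug (constructed for this example): a 'debug'
    query parameter indexes a 4-entry table without a bounds check."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path, version = parts
    if method != "GET":
        raise ValueError("unsupported method")
    if not version.startswith("HTTP/1."):
        raise ValueError("bad version")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    if "?" not in path:
        return ("static", path)
    route, query = path.split("?", 1)
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if "debug" not in params:
        return ("dynamic", route, params)
    level = int(params["debug"])        # non-numeric -> ValueError: rejected input
    table = [0, 0, 0, 0]
    table[level] = 1                    # level >= 4 -> IndexError: the planted bug
    return ("debug", route, level)


def run_with_coverage(target, data):
    """Run target(data) and record which lines of target executed. ValueError
    means the parser rejected the input; any other exception is a crash."""
    lines = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
        return tracer

    crashed = False
    sys.settrace(tracer)
    try:
        target(data)
    except ValueError:
        pass
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return frozenset(lines), crashed


TOKENS = ["?", "&", "=", "debug=", "%n", "/", "A" * 16, "HTTP/1.1"]   # assumed dictionary
ALPHABET = "0123456789/?&=%A"


def mutate(data, rng):
    """One random mutation in the spirit of the slide's anomalous requests:
    mangled or repeated characters, grown fields, spliced-in tokens."""
    n = len(data)
    kind = rng.randrange(5)
    if kind == 0 and n:                                  # replace a character
        i = rng.randrange(n)
        return data[:i] + rng.choice(ALPHABET) + data[i + 1:]
    if kind == 1:                                        # insert a character
        i = rng.randrange(n + 1)
        return data[:i] + rng.choice(ALPHABET) + data[i:]
    if kind == 2 and n:                                  # delete a character
        i = rng.randrange(n)
        return data[:i] + data[i + 1:]
    if kind == 3 and n:                                  # duplicate a span (grows fields)
        i, j = sorted(rng.randrange(n + 1) for _ in range(2))
        return data[:j] + data[i:j] + data[j:]
    i = rng.randrange(n + 1)                             # splice in a dictionary token
    return data[:i] + rng.choice(TOKENS) + data[i:]


def fuzz(target, seed, iterations, guided=True, rng=None, mutator=mutate):
    """guided=False (dumb): every input is a fresh mutation of the seed.
    guided=True (smart): an input that executes new lines joins the corpus and
    is mutated further, so nested checks are passed one at a time.
    Returns (crashing_input or None, corpus_size)."""
    rng = rng or random.Random(0)
    corpus = [seed]
    seen = set(run_with_coverage(target, seed)[0])
    for _ in range(iterations):
        parent = rng.choice(corpus) if guided else seed
        child = mutator(parent, rng)
        cov, crashed = run_with_coverage(target, child)
        if crashed:
            return child, len(corpus)
        if guided and not cov <= seen:                   # new coverage: keep it
            seen |= cov
            corpus.append(child)
    return None, len(corpus)


def scripted_mutator(children):
    """Replays a fixed list of inputs regardless of parent, so the corpus
    logic can be exercised deterministically."""
    queue = list(children)
    return lambda parent, rng: queue.pop(0) if queue else parent


if __name__ == "__main__":
    for guided in (False, True):
        found, size = fuzz(parse_request_line, SEED_REQUEST, 30000, guided, random.Random(1))
        print(f"{'smart' if guided else 'dumb'} fuzzing: corpus={size}, crash={found!r}")
```

The bug needs three things in one request: a "?" in the path, a "debug=" parameter and a digit of 4 or more after it. A single mutation of the seed cannot produce that, so the dumb loop never gets past the static-file branch, while the guided loop keeps each intermediate input that reaches a new line and builds on it.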
Evolution of Attacks and Defenses
Attacks
  • Code injection: 1988, Morris worm
  • Code reuse: 1997, ret-to-libc
  • Data-only: 2005, concept; 2017, attacks on the kernel
Defenses
  • No-execute bit: 2001, XN (ARM); 2003, NX (AMD)
  • Control flow: 2014, CFG (Control Flow Guard, Microsoft); 2016, CFI (Samsung) and PA (Pointer Authentication, ARM)
  • Data flow: ???
Why Security is Hard
If Security Gets in the Way
Some Lessons