A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Tielei Wang (1), Tao Wei (1), Guofei Gu (2), Wei Zou (1)
(1) Peking University, China
(2) Texas A&M University, US
Slide 2

- Checksum – a way to check the integrity of data. Used in network protocols and files.
  [Figure: data -> Checksum function -> data + Checksum field]
- Fuzzing – generating malformed inputs and feeding them to the application.
- Dynamic Taint Analysis – runs a program and observes which computations are affected by predefined taint sources (e.g. input).
Slide 3

- The input mutation space is enormous.
- Most malformed inputs are dropped at an early stage if the program employs a checksum mechanism.
Slide 4

 1    void decode_image(FILE* fd){
 2      ...
 3      int length = get_length(fd);
 4      int recomputed_chksum = checksum(fd, length);
 5      int chksum_in_file = get_checksum(fd);
        // line 6 is used to check the integrity of inputs
 6      if(chksum_in_file != recomputed_chksum)
 7        error();
 8      int Width = get_width(fd);
 9      int Height = get_height(fd);
10      int size = Width*Height*sizeof(int);
11      int* p = malloc(size);
12      ...
13      for(int i=0; i<Height; i++){ // read ith row to p
14        read_row(p+Width*i, i, fd);
Slide 5

- Infer whether and where a program checks the integrity of its input.
- Identify which input bytes can flow into sensitive points: taint analysis at byte level monitors how the application uses the input data.
- Create malformed inputs focusing on the “hot bytes”.
- Repair checksum fields in the input to expose the vulnerability.
- Fully automatic.
- Found 27 new vulnerabilities – Acrobat Reader, Google Picasa and more.
Slide 6

1. Dynamic taint tracing
2. Detecting checksum
3. Directed fuzzing
4. Repairing crashed samples
Slide 7

[Figure: TaintScope architecture – Program, Samples, Execution Monitor, Instruction Profile, Checksum Locator, Hot Bytes Info, Directed Fuzzer, Modified Samples, Crashed Samples, Checksum Repairer, Reports]
Slide 8

- Runs the program with well-formed input.
- The execution monitor records:
  - which input bytes are related to arguments of API functions (e.g. malloc, strcpy) – “hot bytes” report;
  - which bytes each conditional jump instruction depends on (e.g. JZ, JE, JB) – checksum report.
- Considers only data flow (no control flow).
Slide 9

- Instruments instructions – data movement (e.g. MOV, PUSH), arithmetic (e.g. SUB, ADD), logic (e.g. AND, XOR).
- Taints all values written by an instruction with the union of all taint labels associated with the values used by that instruction.
- Considers also the eflags register.

  eax {0x6, 0x7}, ebx {0x8, 0x9}
  add eax, ebx
  eax {0x6, 0x7, 0x8, 0x9}, eflags {0x6, 0x7, 0x8, 0x9}
Slide 10

Input size is 1024 bytes. “hot bytes” report:

 8      int Width = get_width(fd);
 9      int Height = get_height(fd);
10      int size = Width*Height*sizeof(int);
11      int* p = malloc(size);

  …
  0x8048d5b: invoking malloc: [0x8,0xf]
  …
Slide 11

Input size is 1024 bytes. Checksum report:

 6      if(chksum_in_file != recomputed_chksum)
 7        error();

  …
  0x8048d4f: JZ: 1024: [0x0,0x3ff]
  …
Slide 12

Checksum detector:
- Identifies potential checksum check points: the recomputed checksum value depends on many input bytes.
- Instruments conditional jumps. Before execution, checks whether the number of marks associated with the eflags register exceeds a threshold.
- Problem with decompressed bytes, which also depend on many input bytes.
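As an added example (not TaintScope's code or the authors'), the following C model implements the byte-level taint rules of slides 8-12 on the decode_image sketch and prints reports in the format of the slides: the 1024-byte input layout, the byte-sum checksum and the threshold of 16 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the execution monitor (not TaintScope's code): every
 * 32-bit value carries the set of input byte offsets it depends on, arithmetic
 * unions the operands' sets, and a compare leaves that union on eflags. */
#define INPUT_LEN 1024
#define WORDS (INPUT_LEN / 64)
#define CHECKSUM_THRESHOLD 16                 /* the evaluation slides use 16 */

typedef struct { uint64_t bits[WORDS]; } taint_t;    /* one bit per input byte */
typedef struct { uint32_t val; taint_t lbl; } tval;   /* value + its taint labels */

static void taint_union(taint_t *d, const taint_t *a, const taint_t *b) {
    for (int i = 0; i < WORDS; i++) d->bits[i] = a->bits[i] | b->bits[i];
}
static int taint_has(const taint_t *t, int off) { return (t->bits[off / 64] >> (off % 64)) & 1; }
static int taint_count(const taint_t *t) {
    int n = 0;
    for (int i = 0; i < WORDS; i++) n += __builtin_popcountll(t->bits[i]);
    return n;
}
/* Lowest and highest tainted offset (-1 if none): the [lo,hi] form of the reports. */
static int taint_lo(const taint_t *t) {
    for (int i = 0; i < INPUT_LEN; i++) if (taint_has(t, i)) return i;
    return -1;
}
static int taint_hi(const taint_t *t) {
    for (int i = INPUT_LEN - 1; i >= 0; i--) if (taint_has(t, i)) return i;
    return -1;
}
/* Taint source: loading n little-endian input bytes at offset off. */
static tval load(const uint8_t *in, int off, int n) {
    tval r;
    memset(&r, 0, sizeof r);
    for (int i = 0; i < n; i++) {
        r.val |= (uint32_t)in[off + i] << (8 * i);
        r.lbl.bits[(off + i) / 64] |= 1ULL << ((off + i) % 64);
    }
    return r;
}
/* Slide 9's rule: the written value gets the union of the labels of every value used. */
static tval op_add(tval a, tval b) { tval r; r.val = a.val + b.val; taint_union(&r.lbl, &a.lbl, &b.lbl); return r; }
static tval op_mul(tval a, tval b) { tval r; r.val = a.val * b.val; taint_union(&r.lbl, &a.lbl, &b.lbl); return r; }

typedef struct {
    int cmp_labels, cmp_lo, cmp_hi, is_checksum_point;   /* checksum report */
    int malloc_lo, malloc_hi;                            /* "hot bytes" report */
} report_t;

/* Toy decode_image layout (constructed): [0x0,0x3] stored checksum, [0x4,0x7]
 * length, [0x8,0xb] width, [0xc,0xf] height, then pixel rows. The program
 * recomputes the checksum as the byte sum over [0x4, length). */
static report_t run_monitor(const uint8_t *in) {
    report_t rep;
    tval chksum_in_file = load(in, 0x0, 4), length = load(in, 0x4, 4), recomputed;
    memset(&recomputed, 0, sizeof recomputed);
    for (uint32_t i = 4; i < length.val && i < INPUT_LEN; i++)
        recomputed = op_add(recomputed, load(in, (int)i, 1));
    /* cmp chksum_in_file, recomputed: eflags inherit both operands' labels */
    taint_t eflags;
    taint_union(&eflags, &chksum_in_file.lbl, &recomputed.lbl);
    rep.cmp_labels = taint_count(&eflags);
    rep.cmp_lo = taint_lo(&eflags);
    rep.cmp_hi = taint_hi(&eflags);
    /* slide 12's rule: more labels than the threshold -> potential checksum check point */
    rep.is_checksum_point = rep.cmp_labels > CHECKSUM_THRESHOLD;
    /* Width*Height*sizeof(int) flows into malloc: its labels are the hot bytes */
    tval width = load(in, 0x8, 4), height = load(in, 0xc, 4), four;
    memset(&four, 0, sizeof four);
    four.val = sizeof(int);                              /* constant: untainted */
    tval size = op_mul(op_mul(width, height), four);
    rep.malloc_lo = taint_lo(&size.lbl);
    rep.malloc_hi = taint_hi(&size.lbl);
    return rep;
}
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed well-formed 1024-byte input: length 1024, width = height = 16, valid checksum. */
static report_t monitor_wellformed(void) {
    uint8_t in[INPUT_LEN];
    uint32_t sum = 0;
    memset(in, 0xAB, sizeof in);
    put_le32(in + 0x4, INPUT_LEN);
    put_le32(in + 0x8, 16);
    put_le32(in + 0xc, 16);
    for (int i = 4; i < INPUT_LEN; i++) sum += in[i];
    put_le32(in + 0x0, sum);
    return run_monitor(in);
}

int main(void) {
    report_t r = monitor_wellformed();
    printf("checksum report:  JZ: %d: [0x%x,0x%x]%s\n", r.cmp_labels, r.cmp_lo, r.cmp_hi,
           r.is_checksum_point ? "   <- potential checksum check point" : "");
    printf("hot bytes report: invoking malloc: [0x%x,0x%x]\n", r.malloc_lo, r.malloc_hi);
    return 0;
}
```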
Slides 13-16

Refinement: well-formed inputs can pass the checksum test, but most malformed inputs cannot.
- Run well-formed inputs; identify the always-taken and always-not-taken instructions.
- Run malformed inputs; also identify the always-taken and always-not-taken instructions.
- Identify the conditional jump instructions that behave completely differently when processing well-formed and malformed inputs.
Slide 17

Checksum detector: creates bypass rules – always-taken, always-not-taken.

 6      if(chksum_in_file != recomputed_chksum)
 7        error();

  Checksum report:
  …
  0x8048d4f: JZ: 1024: [0x0,0x3ff]
  …

  Bypass rule:
  0x8048d4f: JZ: always-taken
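Added example (not the authors' code) of the refinement on slides 13-17 and the eflags handling on slide 22: branch traces are constructed, 0x8048d4f is the JZ from the slides' checksum report, and 0x8048d90 / 0x8048da0 are hypothetical further candidates.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bypass-rule refinement (not TaintScope's code):
 * branch traces from well-formed and malformed runs decide which candidate
 * check points from the checksum report get a bypass rule. */
typedef struct { uint32_t addr; int taken; } branch_rec;   /* one executed conditional jump */
typedef struct { const branch_rec *recs; int n; } trace_t;  /* one run of the program */

enum { NOT_SEEN = 0, ALWAYS_TAKEN, ALWAYS_NOT_TAKEN, MIXED };

/* Classify one jump address over a set of traces: always taken, always not
 * taken, or mixed (taken in some runs, not in others). */
static int classify(uint32_t addr, const trace_t *traces, int ntraces) {
    int cls = NOT_SEEN;
    for (int t = 0; t < ntraces; t++)
        for (int i = 0; i < traces[t].n; i++) {
            if (traces[t].recs[i].addr != addr) continue;
            int obs = traces[t].recs[i].taken ? ALWAYS_TAKEN : ALWAYS_NOT_TAKEN;
            if (cls == NOT_SEEN) cls = obs;
            else if (cls != obs) cls = MIXED;
        }
    return cls;
}

/* A candidate is confirmed as a checksum check, and gets a bypass rule, only
 * when it goes one way on every well-formed input and the opposite way on every
 * malformed input. The rule records the well-formed direction. */
static int bypass_rule(uint32_t addr, const trace_t *good, int ngood,
                       const trace_t *bad, int nbad) {
    int g = classify(addr, good, ngood), b = classify(addr, bad, nbad);
    if ((g == ALWAYS_TAKEN && b == ALWAYS_NOT_TAKEN) ||
        (g == ALWAYS_NOT_TAKEN && b == ALWAYS_TAKEN))
        return g;
    return NOT_SEEN;   /* no rule: same (or inconsistent) behaviour on both sets */
}

/* How the fuzzer applies a rule at a JZ (slide 22): JZ is taken iff ZF == 1,
 * so an "always-taken" rule means forcing ZF to 1 before the jump executes. */
static int forced_zf(int rule) { return rule == ALWAYS_TAKEN ? 1 : 0; }

/* Constructed traces. 0x8048d4f is the JZ from the slides; 0x8048d90 and
 * 0x8048da0 are hypothetical other jumps whose eflags also carried many labels. */
static const branch_rec good1[] = { {0x8048d4f, 1}, {0x8048d90, 1}, {0x8048da0, 1} };
static const branch_rec good2[] = { {0x8048d4f, 1}, {0x8048d90, 1}, {0x8048da0, 0} };
static const branch_rec bad1[]  = { {0x8048d4f, 0}, {0x8048d90, 1}, {0x8048da0, 1} };
static const branch_rec bad2[]  = { {0x8048d4f, 0}, {0x8048d90, 1}, {0x8048da0, 0} };
static const trace_t good[] = { {good1, 3}, {good2, 3} };
static const trace_t bad[]  = { {bad1, 3},  {bad2, 3} };

static int rule_for(uint32_t addr) { return bypass_rule(addr, good, 2, bad, 2); }

int main(void) {
    uint32_t cands[] = { 0x8048d4f, 0x8048d90, 0x8048da0 };
    for (int i = 0; i < 3; i++) {
        int r = rule_for(cands[i]);
        printf("0x%x: JZ: %s\n", cands[i], r == ALWAYS_TAKEN ? "always-taken"
               : r == ALWAYS_NOT_TAKEN ? "always-not-taken" : "no bypass rule");
    }
    return 0;
}
```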
Slide 18

Checksum detector: checksum field identification.

 6      if(chksum_in_file != recomputed_chksum)
 7        error();

The input bytes that affect chksum_in_file are the checksum field.
Slide 19

- Generates malformed test cases and feeds them to the original or instrumented program.
- According to the bypass rules, alters the execution traces at check points by setting the eflags register.
Slide 20

- All malformed test cases are constructed based on the “hot bytes” information, using attack heuristics:
  - bytes that influence memory allocation are set to small, large or negative values;
  - bytes that flow into string functions are replaced by characters such as %n, %p.
- Output – test cases that cause a crash or 100% CPU consumption.
Slides 21-22

 6      if(chksum_in_file != recomputed_chksum)
 7        error();
 8      int Width = get_width(fd);
 9      int Height = get_height(fd);
10      int size = Width*Height*sizeof(int);
11      int* p = malloc(size);

  Checksum report:
  …
  0x8048d4f: JZ: 1024: [0x0,0x3ff]
  …
  Bypass info:
  0x8048d4f: JZ: always-taken

  “hot bytes” report:
  …
  0x8048d5b: invoking malloc: [0x8,0xf]
  …

Before executing 0x8048d4f, the fuzzer sets the ZF flag in eflags to the opposite value.
Slide 23

Checksum repairer:
- Fixing is expensive, so checksum fields are fixed only in test cases that caused a crash.
- How?
  Cr – raw data in the checksum field
  D – input data protected by the checksum field
  Checksum() – the complete checksum algorithm
  T – transformation
  We want to satisfy the constraint: Checksum(D) == T(Cr)
Slide 24

Using symbolic execution to solve Checksum(D) == T(Cr):
- Checksum(D) is a runtime-determinable constant c, so the constraint becomes c == T(Cr), with only Cr a symbolic value.
- Common transformations (e.g. converting from hex/oct to decimal) can be solved by existing solvers (STP).
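Added example (not the authors' code) of the repair constraint Checksum(D) == T(Cr) from slides 23-24: the sample layout, the byte-sum Checksum() and the two transformations T are constructed, and hand-written inverses of T stand in for the STP query.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the checksum repairer (not TaintScope's code). The
 * layout, Checksum() and the transformations T are toy choices; a real
 * target's versions are whatever its binary computes. */
#define SAMPLE_LEN 64
#define FIELD_OFF  0   /* Cr: the 8 field bytes that taint showed feed chksum_in_file */
#define FIELD_LEN  8
#define DATA_OFF   8   /* D: the data the field protects */
#define WIDTH_OFF  8   /* a "hot byte" region inside D that the fuzzer mutates */

/* Toy Checksum(): 32-bit byte sum of D. */
static uint32_t checksum(const uint8_t *d, size_t n) {
    uint32_t c = 0;
    for (size_t i = 0; i < n; i++) c += d[i];
    return c;
}

typedef enum { T_RAW_LE, T_ASCII_HEX } transform_t;

/* T(Cr): how the program turns the raw field bytes into chksum_in_file, either
 * a little-endian word or eight ASCII hex digits parsed with strtoul. */
static uint32_t T(const uint8_t *cr, transform_t t) {
    if (t == T_RAW_LE)
        return cr[0] | cr[1] << 8 | cr[2] << 16 | (uint32_t)cr[3] << 24;
    char s[FIELD_LEN + 1];
    memcpy(s, cr, FIELD_LEN);
    s[FIELD_LEN] = '\0';
    return (uint32_t)strtoul(s, NULL, 16);
}

/* Solve c == T(Cr) for Cr. Hand-written inverses replace the STP query the
 * slides describe; both transformations are invertible, so the field is exact. */
static void solve_field(uint8_t *cr, uint32_t c, transform_t t) {
    if (t == T_RAW_LE) {
        for (int i = 0; i < 4; i++) cr[i] = (uint8_t)(c >> (8 * i));
        memset(cr + 4, 0, FIELD_LEN - 4);
    } else {
        char s[FIELD_LEN + 1];              /* snprintf's NUL must not spill into D */
        snprintf(s, sizeof s, "%08x", c);
        memcpy(cr, s, FIELD_LEN);
    }
}

/* The original program's integrity check (line 6 of decode_image). */
static int check_passes(const uint8_t *s, transform_t t) {
    return T(s + FIELD_OFF, t) == checksum(s + DATA_OFF, SAMPLE_LEN - DATA_OFF);
}

/* Repair a crashed test case: D is kept as-is (it carries the fuzzed hot bytes),
 * Checksum(D) is evaluated concretely to the constant c, and Cr is solved. */
static int repair(uint8_t *s, transform_t t) {
    uint32_t c = checksum(s + DATA_OFF, SAMPLE_LEN - DATA_OFF);
    solve_field(s + FIELD_OFF, c, t);
    return check_passes(s, t);
}

/* Constructed crashed sample: a well-formed file whose width bytes were set to
 * a huge value by the directed fuzzer, so the stored checksum is now stale. */
static void make_crashed_sample(uint8_t *s, transform_t t) {
    memset(s, 0x11, SAMPLE_LEN);
    solve_field(s + FIELD_OFF, checksum(s + DATA_OFF, SAMPLE_LEN - DATA_OFF), t);
    const uint8_t huge_width[4] = { 0x00, 0x00, 0x00, 0x7f };
    memcpy(s + WIDTH_OFF, huge_width, 4);
}

/* Returns 1 when the stale sample fails the check, the repaired one passes it,
 * and the fuzzed width bytes survived the repair; negative codes otherwise. */
static int repair_demo(transform_t t) {
    uint8_t s[SAMPLE_LEN];
    make_crashed_sample(s, t);
    if (check_passes(s, t)) return -1;
    if (!repair(s, t)) return -2;
    return s[WIDTH_OFF + 3] == 0x7f ? 1 : -3;
}

int main(void) {
    printf("raw LE field: %d\nASCII hex field: %d\n",
           repair_demo(T_RAW_LE), repair_demo(T_ASCII_HEX));
    return 0;
}
```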
Slide 25

If the new test case causes the original program to crash, a potential vulnerability is detected!
Slides 26-31

An incomplete list of applications: [table]
“hot bytes” identification results – memory allocation: [table]
Checksum identification results (threshold = 16): [table]
Correct checksum fields: [table]

27 previously unknown vulnerabilities in: MS Paint, Google Picasa, IrfanView, GStreamer, Amaya, Dillo, Adobe Acrobat, ImageMagick, Winamp, XEmacs, wxWidgets, PDFlib.

Vulnerabilities detected by TaintScope: [table]
Slide 32

- TaintScope cannot deal with secure integrity check schemes (e.g. cryptographic hash algorithms, digital signatures), since it is impossible to generate valid test cases.
- Limited effectiveness when all input data are encrypted (tracking decrypted data).
- Checksum check point identification can be affected by the quality of inputs.
- Does not track control flow propagation.
- Not all x86 instructions are instrumented by the execution monitor.
Slide 33

TaintScope can perform:
- Directed fuzzing:
  - identify which bytes flow into system/library calls;
  - dramatically reduce the mutation space.
- Checksum-aware fuzzing:
  - disable checksum checks by control flow alteration;
  - generate correct checksum fields in invalid inputs.
34

Contenu connexe

En vedette

セキュキャンのススメ
セキュキャンのススメセキュキャンのススメ
セキュキャンのススメshutingrz
 
Dynamic PHP web-application analysis
Dynamic PHP web-application analysisDynamic PHP web-application analysis
Dynamic PHP web-application analysisax330d
 
Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)James Clause
 
2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-
2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-
2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-Asuka Nakajima
 
Risky Business - Is the Risk Worth the Reward?
Risky Business - Is the Risk Worth the Reward? Risky Business - Is the Risk Worth the Reward?
Risky Business - Is the Risk Worth the Reward? Empowered Presentations
 

En vedette (8)

セキュキャンのススメ
セキュキャンのススメセキュキャンのススメ
セキュキャンのススメ
 
Taint analysis
Taint analysisTaint analysis
Taint analysis
 
Argosの紹介 #x86study
Argosの紹介 #x86studyArgosの紹介 #x86study
Argosの紹介 #x86study
 
Dynamic PHP web-application analysis
Dynamic PHP web-application analysisDynamic PHP web-application analysis
Dynamic PHP web-application analysis
 
Hsbd taint
Hsbd taintHsbd taint
Hsbd taint
 
Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)Taint-based Dynamic Analysis (CoC Research Day 2009)
Taint-based Dynamic Analysis (CoC Research Day 2009)
 
2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-
2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-
2014年10月江戸前セキュリティ勉強会資料 -セキュリティ技術者になるには-
 
Risky Business - Is the Risk Worth the Reward?
Risky Business - Is the Risk Worth the Reward? Risky Business - Is the Risk Worth the Reward?
Risky Business - Is the Risk Worth the Reward?
 

Similaire à Taint scope

[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
Monitoring InfluxEnterprise
Monitoring InfluxEnterpriseMonitoring InfluxEnterprise
Monitoring InfluxEnterpriseInfluxData
 
Secure erasure code based cloud storage system with secure data forwarding
Secure erasure code based cloud storage system with secure data forwardingSecure erasure code based cloud storage system with secure data forwarding
Secure erasure code based cloud storage system with secure data forwardingPriyank Rupera
 
ONLINE STUDENT MANAGEMENT SYSTEM
ONLINE STUDENT MANAGEMENT SYSTEMONLINE STUDENT MANAGEMENT SYSTEM
ONLINE STUDENT MANAGEMENT SYSTEMRohit malav
 
Secure Coding Practices for Middleware
Secure Coding Practices for MiddlewareSecure Coding Practices for Middleware
Secure Coding Practices for MiddlewareManuel Brugnoli
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OYourHelper1
 
Application-Specific Models and Pointcuts using a Logic Meta Language
Application-Specific Models and Pointcuts using a Logic Meta LanguageApplication-Specific Models and Pointcuts using a Logic Meta Language
Application-Specific Models and Pointcuts using a Logic Meta LanguageESUG
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical fileAnkit Dixit
 
Java IO Streams V4
Java IO Streams V4Java IO Streams V4
Java IO Streams V4Sunil OS
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...Andrey Karpov
 
Control hijacking
Control hijackingControl hijacking
Control hijackingG Prachi
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
Vulnerability analysis and practical data flow analysis visualization
Vulnerability analysis and practical data flow analysis  visualizationVulnerability analysis and practical data flow analysis  visualization
Vulnerability analysis and practical data flow analysis visualizationJeong Wook (Matt) Oh
 
Advances in Unit Testing: Theory and Practice
Advances in Unit Testing: Theory and PracticeAdvances in Unit Testing: Theory and Practice
Advances in Unit Testing: Theory and PracticeTao Xie
 

Similaire à Taint scope (20)

[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
Monitoring InfluxEnterprise
Monitoring InfluxEnterpriseMonitoring InfluxEnterprise
Monitoring InfluxEnterprise
 
Secure erasure code based cloud storage system with secure data forwarding
Secure erasure code based cloud storage system with secure data forwardingSecure erasure code based cloud storage system with secure data forwarding
Secure erasure code based cloud storage system with secure data forwarding
 
ONLINE STUDENT MANAGEMENT SYSTEM
ONLINE STUDENT MANAGEMENT SYSTEMONLINE STUDENT MANAGEMENT SYSTEM
ONLINE STUDENT MANAGEMENT SYSTEM
 
Secure Coding Practices for Middleware
Secure Coding Practices for MiddlewareSecure Coding Practices for Middleware
Secure Coding Practices for Middleware
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
 
Application-Specific Models and Pointcuts using a Logic Meta Language
Application-Specific Models and Pointcuts using a Logic Meta LanguageApplication-Specific Models and Pointcuts using a Logic Meta Language
Application-Specific Models and Pointcuts using a Logic Meta Language
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Lec05 buffers basic_examples
Lec05 buffers basic_examplesLec05 buffers basic_examples
Lec05 buffers basic_examples
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
 
Java IO Streams V4
Java IO Streams V4Java IO Streams V4
Java IO Streams V4
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Vulnerability analysis and practical data flow analysis visualization
Vulnerability analysis and practical data flow analysis  visualizationVulnerability analysis and practical data flow analysis  visualization
Vulnerability analysis and practical data flow analysis visualization
 
Advances in Unit Testing: Theory and Practice
Advances in Unit Testing: Theory and PracticeAdvances in Unit Testing: Theory and Practice
Advances in Unit Testing: Theory and Practice
 

Plus de geeksec80

Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)geeksec80
 
Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)geeksec80
 
Sipoc diagram
Sipoc diagramSipoc diagram
Sipoc diagramgeeksec80
 
Python arsenal for re (1)
Python arsenal for re (1)Python arsenal for re (1)
Python arsenal for re (1)geeksec80
 
Python arsenal for re
Python arsenal for rePython arsenal for re
Python arsenal for regeeksec80
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebertgeeksec80
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)geeksec80
 
44 con slides
44 con slides44 con slides
44 con slidesgeeksec80
 
Rpc调试通用
Rpc调试通用Rpc调试通用
Rpc调试通用geeksec80
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpgeeksec80
 
Taking browsers fuzzing new
Taking browsers fuzzing newTaking browsers fuzzing new
Taking browsers fuzzing newgeeksec80
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10   2013 - rc1[1]529 owasp top 10   2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]geeksec80
 
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_levelDeep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_levelgeeksec80
 
2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)geeksec80
 
12058 woot13-kholia
12058 woot13-kholia12058 woot13-kholia
12058 woot13-kholiageeksec80
 
Https interception proxies
Https interception proxiesHttps interception proxies
Https interception proxiesgeeksec80
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida pythongeeksec80
 
Automated antlr tree walker
Automated antlr tree walkerAutomated antlr tree walker
Automated antlr tree walkergeeksec80
 

Plus de geeksec80 (19)

Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)
 
Sipoc diagram (1)
Sipoc diagram (1)Sipoc diagram (1)
Sipoc diagram (1)
 
Sipoc diagram
Sipoc diagramSipoc diagram
Sipoc diagram
 
Python arsenal for re (1)
Python arsenal for re (1)Python arsenal for re (1)
Python arsenal for re (1)
 
Python arsenal for re
Python arsenal for rePython arsenal for re
Python arsenal for re
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
 
44 con slides (1)
44 con slides (1)44 con slides (1)
44 con slides (1)
 
44 con slides
44 con slides44 con slides
44 con slides
 
Fuzz nt
Fuzz ntFuzz nt
Fuzz nt
 
Rpc调试通用
Rpc调试通用Rpc调试通用
Rpc调试通用
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
 
Taking browsers fuzzing new
Taking browsers fuzzing newTaking browsers fuzzing new
Taking browsers fuzzing new
 
529 owasp top 10 2013 - rc1[1]
529 owasp top 10   2013 - rc1[1]529 owasp top 10   2013 - rc1[1]
529 owasp top 10 2013 - rc1[1]
 
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_levelDeep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
 
2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)
 
12058 woot13-kholia
12058 woot13-kholia12058 woot13-kholia
12058 woot13-kholia
 
Https interception proxies
Https interception proxiesHttps interception proxies
Https interception proxies
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
 
Automated antlr tree walker
Automated antlr tree walkerAutomated antlr tree walker
Automated antlr tree walker
 

Dernier

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Dernier (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Taint scope

  • 1. A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1 Peking University, China 2 Texas A&M University, US
  • 2. 2  Checksum – a way to check the integrity of data. Used in network protocols and files. data Checksum function data Checksum field Fuzzing – generating malformed inputs and feeding them to the application.  Dynamic Taint Analysis – runs a program and observes which computations are affected by predefined taint sources (e.g. input) 
  • 3. 3 The input mutation space is enormous. Most malformed inputs are dropped at an early stage if the program employs a checksum mechanism.
  • 4. 4
         1  void decode_image(FILE* fd){
         2      ...
         3      int length = get_length(fd);
         4      int recomputed_chksum = checksum(fd, length);
         5      int chksum_in_file = get_checksum(fd);
                //line 6 is used to check the integrity of inputs
         6      if(chksum_in_file != recomputed_chksum)
         7          error();
         8      int Width = get_width(input_file);
         9      int Height = get_height(input_file);
        10      int size = Width*Height*sizeof(int);
        11      int* p = malloc(size);
        12      ...
        13      for(i=0; i<Height; i++){// read ith row to p
        14          read_row(p+Width*i, i, fd);
  • 5. 5 To infer whether/where a program checks the integrity of input. Identify which input bytes can flow into sensitive points: taint analysis at byte level monitors how the application uses the input data. Create malformed inputs focusing on the “hot bytes”. Repair checksum fields in the input to expose the vulnerability. Fully automatic. Found 27 new vulnerabilities – Acrobat Reader, Google Picasa and more.
  • 6. 6 1. Dynamic taint tracing 2. Detecting checksum 3. Directed fuzzing 4. Repairing crashed samples
  • 8. 8 Runs the program with well-formed input. The execution monitor records: which input bytes are related to arguments of API functions (e.g. malloc, strcpy) – the “hot bytes” report; which bytes each conditional jump instruction (e.g. JZ, JE, JB) depends on – the checksum report. Considers only data flow (no control flow).
  • 9. 9 Instruments instructions: data movement (e.g. MOV, PUSH), arithmetic (e.g. SUB, ADD), logic (e.g. AND, XOR). Taints all values written by an instruction with the union of all taint labels associated with the values used by that instruction. The eflags register is considered as well. Example: eax {0x6, 0x7}, ebx {0x8, 0x9}; after add eax, ebx: eax {0x6, 0x7, 0x8, 0x9}, and eflags is tainted too.
  • 10. 10 Input size is 1024 bytes. Lines 8–11: int Width = get_width(input_file); int Height = get_height(input_file); int size = Width*Height*sizeof(int); int* p = malloc(size); “hot bytes” report: … 0x8048d5b: invoking malloc: [0x8,0xf] …
  • 11. 11 Input size is 1024 bytes. Lines 6–7: if(chksum_in_file != recomputed_chksum) error(); checksum report: … 0x8048d4f: JZ: 1024: [0x0,0x3ff] …
  • 12. 12 Checksum detector: identify potential checksum check points, where the recomputed checksum value depends on many input bytes. Instruments conditional jumps: before execution, checks whether the number of marks associated with the eflags register exceeds a threshold. Problem with decompressed bytes.
  • 13. 13 (slides 13–16) Refinement: well-formed inputs can pass the checksum test, but most malformed inputs cannot. Run well-formed inputs and identify the always-taken and always-not-taken instructions. Run malformed inputs and also identify the always-taken and always-not-taken instructions. Identify the conditional jump instructions that behave completely differently when processing well-formed and malformed inputs.
  • 17. 17 Checksum detector: creates bypass rules – always-taken, always-not-taken. Lines 6–7: if(chksum_in_file != recomputed_chksum) error(); checksum report: … 0x8048d4f: JZ: 1024: [0x0,0x3ff] … bypass rule: 0x8048d4f: JZ: always-taken
  • 18. 18 Checksum detector: checksum field identification. Lines 6–7: if(chksum_in_file != recomputed_chksum) error(); The input bytes that affect chksum_in_file are the checksum field.
  • 19. 19 Generates malformed test cases and feeds them to the original or instrumented program. According to the bypass rules, alters the execution traces at check points – sets the eflags register.
  • 20. 20 All malformed test cases are constructed based on the “hot bytes” information, using attack heuristics: bytes that influence memory allocation are set to small, large or negative values; bytes that flow into string functions are replaced by characters such as %n, %p. Output – test cases that cause a crash or consume 100% CPU.
  • 21. 21 Lines 6–11: if(chksum_in_file != recomputed_chksum) error(); int Width = get_width(input_file); int Height = get_height(input_file); int size = Width*Height*sizeof(int); int* p = malloc(size); Checksum report: … 0x8048d4f: JZ: 1024: [0x0,0x3ff] … Bypass info: 0x8048d4f: JZ: always-taken. “hot bytes” report: … 0x8048d5b: invoking malloc: [0x8,0xf] …
  • 22. 22 (Same code and reports as slide 21.) Before executing 0x8048d4f, the fuzzer sets the ZF flag in eflags to the opposite value.
  • 23. 23 Fixing is expensive – fix checksum fields only in test cases that caused a crash. How? Cr – raw data in the checksum field. D – input data protected by the checksum field. Checksum() – the complete checksum algorithm. T – transformation. We want to satisfy the constraint: Checksum(D) == T(Cr)
  • 24. 24 Using symbolic execution to solve Checksum(D) == T(Cr). Checksum(D) is a runtime-determinable constant c, so the constraint becomes c == T(Cr), where only Cr is a symbolic value. Common transformations (e.g. converting from hex/oct to decimal) can be solved by existing solvers (STP).
  • 25. 25 If the new test case causes the original program to crash, a potential vulnerability is detected!
  • 26. 26 An incomplete list of applications:
  • 27. 27 “hot bytes” identification results – memory allocation
  • 30. 30 27 previously unknown vulnerabilities: MS Paint, Google Picasa, IrfanView, GStreamer, Amaya, Dillo, Adobe Acrobat, ImageMagick, Winamp, XEmacs, wxWidgets, PDFlib
  • 32. 32 TaintScope cannot deal with secure integrity check schemes (e.g. cryptographic hash algorithms, digital signatures) – it is impossible to generate valid test cases. Limited effectiveness when all input data are encrypted (tracking decrypted data). Checksum check point identification can be affected by the quality of inputs. Does not track control-flow propagation. Not all x86 instructions are instrumented by the execution monitor.
  • 33. 33 TaintScope can perform: Directed fuzzing – identify which bytes flow into system/library calls; dramatically reduce the mutation space. Checksum-aware fuzzing – disable checksum checks by control-flow alteration; generate correct checksum fields in invalid inputs.
  • 34. 34
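The pipeline of slides 8 to 22 (byte-level taint tracing, the checksum detector that counts how many input bytes reach a conditional jump, the well-formed/malformed refinement that yields bypass rules, and the directed fuzzer that forces the check point) as an added worked example. This is illustration code written for this page, not TaintScope's implementation: the toy decoder, the `T` and `Monitor` classes, the branch site name "chk", the threshold of 32 labels and the sample inputs are all constructed assumptions, and a Python value carrying a set of input offsets stands in for the instruction-level taint labels on registers and eflags.

```python
"""Byte-level taint tracing over a toy image decoder, modelled on the
TaintScope slides: every value derived from the input carries the set of
input byte offsets it depends on, API arguments yield the "hot bytes" report,
conditional branches yield the checksum report, and comparing branch outcomes
on well-formed versus malformed inputs yields bypass rules that the directed
fuzzer then applies. All inputs below are constructed samples."""
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class T:
    """A value plus the input offsets (taint labels) it was derived from."""
    val: int
    taint: frozenset

    def _op(self, other, fn):       # result taint = union of the operand taints
        o = other if isinstance(other, T) else T(other, frozenset())
        return T(fn(self.val, o.val) & 0xFFFFFFFF, self.taint | o.taint)

    def __add__(self, o): return self._op(o, lambda a, b: a + b)
    def __mul__(self, o): return self._op(o, lambda a, b: a * b)


class Monitor:
    """Execution monitor: records API-argument taint and per-branch taint/outcome;
    `force` holds bypass rules that the directed fuzzer applies at check points."""
    def __init__(self, data, force=None):
        self.data, self.force = data, force or {}
        self.hot = {}        # api name -> set of input offsets flowing into its argument
        self.branches = {}   # branch site -> (number of taint labels, real outcome)

    def load(self, off, n):  # read n little-endian bytes; taint = exactly those offsets
        return T(int.from_bytes(self.data[off:off + n], "little"),
                 frozenset(range(off, off + n)))

    def api(self, name, arg):
        self.hot.setdefault(name, set()).update(arg.taint)

    def branch(self, site, cond):
        """cond.taint stands in for the labels attached to eflags; the fuzzer may
        override the outcome according to a bypass rule for this site."""
        taken = bool(cond.val)
        self.branches[site] = (len(cond.taint), taken)
        if site in self.force:
            taken = self.force[site] == "always-taken"
        return taken


def decode_image(m):
    """Toy decoder (constructed): checksum(4) width(4) height(4), then width*height pixels."""
    stored = m.load(0, 4)
    recomputed = T(0, frozenset())
    for off in range(4, len(m.data)):        # the checksum covers every byte after the field
        recomputed = recomputed + m.load(off, 1)
    equal = T(int(stored.val == recomputed.val), stored.taint | recomputed.taint)
    if not m.branch("chk", equal):           # the integrity check, as on slide 4, line 6
        return "error"
    width, height = m.load(4, 4), m.load(8, 4)
    size = width * height * 4                # Width*Height*sizeof(int)
    m.api("malloc", size)
    return "ok"


def make_input(width, height):               # a well-formed sample with zero pixels
    body = struct.pack("<II", width, height) + bytes(width * height)
    return struct.pack("<I", sum(body) & 0xFFFFFFFF) + body


def mutate(data, off, value):                 # one-byte mutation of a sample
    b = bytearray(data); b[off] = value; return bytes(b)


def run(data, force=None):
    m = Monitor(data, force); m.result = decode_image(m); return m


def checksum_sites(m, threshold):
    """Checksum detector: branches whose condition depends on at least `threshold` input bytes."""
    return [s for s, (n, _) in m.branches.items() if n >= threshold]


def bypass_rules(good_runs, bad_runs):
    """Refinement: a branch that is always taken on well-formed inputs and never on
    malformed ones (or vice versa) is a check point; the rule says how to force it."""
    rules = {}
    for site in good_runs[0].branches:
        g = {m.branches[site][1] for m in good_runs if site in m.branches}
        b = {m.branches[site][1] for m in bad_runs if site in m.branches}
        if len(g) == 1 and len(b) == 1 and g != b:
            rules[site] = "always-taken" if g == {True} else "always-not-taken"
    return rules


if __name__ == "__main__":
    good = [make_input(16, 16), make_input(8, 8)]
    bad = [mutate(good[0], 5, 0xFF), mutate(good[1], 9, 0x7F)]   # blind mutations, fail the check
    good_runs, bad_runs = [run(d) for d in good], [run(d) for d in bad]
    print("hot bytes for malloc:", sorted(good_runs[0].hot["malloc"]))
    print("checksum check points:", checksum_sites(good_runs[0], 32))
    rules = bypass_rules(good_runs, bad_runs)
    print("bypass rules:", rules)
    fuzzed = mutate(mutate(good[0], 6, 0xFF), 7, 0xFF)              # hot-byte mutation of the width
    print("fuzzed without bypass:", run(fuzzed).result, "with bypass:", run(fuzzed, rules).result)
```

The refinement step is what keeps the detector honest: a branch that depends on many input bytes but flips the same way for well-formed and malformed inputs (a length comparison, say) gets no rule, while the checksum comparison is flagged because it separates the two input classes perfectly.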
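The hot-byte mutation heuristics of slide 20 and the checksum repair of slides 23 and 24, as an added example that is not the paper's code. The file layout (an 8-digit hex ASCII checksum field followed by width, height and pixels), the choice of CRC-32 as Checksum(), and the names `parse`, `repair`, `mutate_hot_bytes` and `allocation_size` are assumptions made for this illustration. Because Checksum(D) is concrete at run time, the constraint c == T(Cr) is solved here by inverting T directly for a few common field encodings instead of handing it to STP; as slide 32 notes, this only works for checksums, not for keyed or cryptographic integrity schemes.

```python
"""Directed fuzzing on hot bytes followed by checksum-field repair, modelled on
the TaintScope slides: Checksum(D) is a run-time constant c, so repairing a
crashing test case means finding a raw field Cr with c == T(Cr). Everything
below (file layout, CRC-32 as the checksum, sample data) is constructed."""
import struct
import zlib

FIELD = (0, 8)   # byte range of the checksum field: 8 hex ASCII digits (constructed layout)


def checksum(d):
    """Checksum(): CRC-32 over the protected data D (a plain checksum, not a MAC)."""
    return zlib.crc32(d) & 0xFFFFFFFF


# T(Cr) for a few common field encodings, each paired with its inverse so that
# c == T(Cr) can be solved directly once c is known.
TRANSFORMS = {
    "hex":  (lambda cr: int(cr, 16),                lambda c: b"%08x" % c),
    "oct":  (lambda cr: int(cr, 8),                 lambda c: b"%011o" % c),
    "le32": (lambda cr: struct.unpack("<I", cr)[0], lambda c: struct.pack("<I", c)),
}


def parse(blob):
    """The target's own check and decode: reject the input when the stored field,
    read through T, differs from the recomputed checksum (slide 4, lines 3-7)."""
    (start, end), to_int = FIELD, TRANSFORMS["hex"][0]
    d = blob[:start] + blob[end:]
    if to_int(blob[start:end]) != checksum(d):
        raise ValueError("checksum mismatch")
    width, height = struct.unpack("<II", d[:8])
    return width, height, d[8:]


def repair(blob, field=FIELD, transform="hex"):
    """Checksum repairer: recompute c over D (everything outside the field) and
    write back Cr = T^-1(c), keeping the field's length."""
    start, end = field
    c = checksum(blob[:start] + blob[end:])
    to_int, invert = TRANSFORMS[transform]
    cr = invert(c)
    assert to_int(cr) == c and len(cr) == end - start
    return blob[:start] + cr + blob[end:]


def mutate_hot_bytes(blob, hot, values):
    """Directed fuzzer: mutate only the hot bytes (here the 4-byte width that
    flows into the allocation size) with the slides' small/large/negative heuristic."""
    start, end = hot
    cases = []
    for v in values:
        b = bytearray(blob)
        b[start:end] = struct.pack("<i" if v < 0 else "<I", v)
        cases.append(bytes(b))
    return cases


def allocation_size(blob):
    """Size the decoder would hand to malloc (Width*Height*sizeof(int), wrapped to
    32 bits as in C); None when the input is dropped by the checksum test."""
    try:
        width, height, _ = parse(blob)
    except ValueError:
        return None
    return (width * height * 4) & 0xFFFFFFFF


def make_sample():
    d = struct.pack("<II", 4, 4) + bytes(range(16))   # constructed 4x4 image
    return repair(b"0" * 8 + d)


if __name__ == "__main__":
    sample = make_sample()
    hot = (8, 12)                                      # the width field, as a hot-bytes report would list it
    for case in mutate_hot_bytes(sample, hot, [0, 0x40000001, -1]):
        print("mutated:", allocation_size(case), "repaired:", allocation_size(repair(case)))
```

Without repair every mutated case is dropped by the checksum test, which is exactly the early rejection slide 3 describes; after repair the width 0x40000001 makes Width*Height*sizeof(int) wrap to 16 bytes while the row loop still iterates over the full height, the allocation bug the decode_image snippet is meant to expose.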