Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

James Newsome
jnewsome@
Carnegie Mellon University

Dawn Song
dawnsong@
Carnegie Mellon University

Abstract

Software vulnerabilities have had a devastating effect on the Internet. Worms such as Code Red and Slammer can compromise hundreds of thousands of hosts within hours or even minutes, and cause millions of dollars of damage [25, 42]. To successfully combat these fast automatic Internet attacks, we need fast automatic attack detection and filtering mechanisms.

In this paper we propose dynamic taint analysis for automatic detection of overwrite attacks, which include most types of exploits. This approach does not need source code or special compilation for the monitored program, and hence works on commodity software. To demonstrate this idea, we have implemented TaintCheck, a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time. We show that TaintCheck reliably detects most types of exploits. We found that TaintCheck produced no false positives for any of the many different programs that we tested. Further, we describe how TaintCheck could improve automatic signature generation in several ways.

1 Introduction

Software vulnerabilities such as buffer overruns and format string vulnerabilities have had a devastating effect on the Internet. Worms such as Code Red and Slammer exploit software vulnerabilities and can compromise hundreds of thousands of hosts within hours or even minutes, and cause millions of dollars of damage [25, 42]. To successfully combat fast Internet worm attacks, we need automatic detection and defense mechanisms. First, we need automatic detection mechanisms that can detect new attacks for previously unknown vulnerabilities. The detection mechanism should be easy to deploy, result in few false positives and few false negatives, and detect attacks early, before a significant fraction of vulnerable systems are compromised. Second, once a new exploit attack is detected, we must quickly develop filters (signatures) that can be used to filter out attack packets efficiently, and hence protect vulnerable hosts from compromise. Because a new worm can spread quickly, signature generation must be automatic: no manual intervention can respond quickly enough to prevent a large number of vulnerable hosts from being infected by a new fast-spreading worm.
We need fine-grained attack detectors for commodity software. Several approaches have been proposed to detect new attacks. These approaches roughly fall into two categories: coarse-grained detectors, which detect anomalous behavior such as scanning or unusual activity at a certain port; and fine-grained detectors, which detect attacks on a program's vulnerabilities. Coarse-grained detectors may result in frequent false positives, and do not provide detailed information about the vulnerability and how it is exploited. Thus, it is desirable to develop fine-grained detectors that produce fewer false positives, and provide detailed information about the vulnerability and exploit.
Several approaches for fine-grained detectors have been proposed. However, most of these previous mechanisms require source code or special recompilation of the program, such as StackGuard [14], PointGuard [13], full-bounds check [19, 37], LibsafePlus [5], FormatGuard [12], and CCured [27]. Some of them also require recompiling the libraries [19, 37], or modifying the original source code, or are not compatible with some programs [27, 13]. These constraints hinder the deployment and applicability of these methods, especially for commodity software, because source code or specially recompiled binaries are often unavailable, and the additional work required (such as recompiling the libraries and modifying the original source code) makes it inconvenient to apply these methods to a broad range of applications. Note that most of the large-scale worm attacks to date are attacks on commodity software.
Thus, it is important to design fine-grained detectors that can detect new attacks and work on arbitrary binaries without requiring source code or specially recompiled binaries. This goal is difficult to achieve because important information, such as type information, is not available in the binary. As a result, existing exploit detection mechanisms that do not use source code or specially compiled binary programs, such as LibSafe [6], LibFormat [36], Program Shepherding [22], and the Nethercote-Fitzhardinge bounds check [28], are typically tailored for narrow types of attacks and fail to detect many important types of common attacks (see Section 7 for details).
We need automatic tools for exploit analysis and signature generation. Because fine-grained detectors are expensive and may not be deployed on every vulnerable host, once a new exploit attack is detected, it is desirable to generate faster filters that can be widely deployed to filter out exploit requests before they reach vulnerable hosts/services. One important mechanism is content-based filtering, where content-based signatures are used to pattern-match packet payloads to determine whether they are attacks. Content-based filtering is widely used in intrusion detection systems such as Snort [32], Bro [31], and Cisco's NBAR system [43], and has been shown to be more effective than other mechanisms, such as source-based filtering for worm quarantine [26]. However, these systems all use manually generated databases of signatures. Manual signature generation is clearly too slow to react to a worm that infects hundreds of thousands of hosts within hours or even minutes. Thus, it is necessary to have automatic exploit analysis and signature generation to quickly generate signatures for attack filtering after an exploit attack has been detected.
In this paper, we propose a new approach, dynamic taint analysis, for the automatic detection, analysis, and signature generation of exploits on commodity software. In dynamic taint analysis, we label data originating from or arithmetically derived from untrusted sources such as the network as tainted. We keep track of the propagation of tainted data as the program executes (i.e., what data in memory is tainted), and detect when tainted data is used in dangerous ways that could indicate an attack. This approach allows us to detect overwrite attacks, attacks that cause a sensitive value (such as return addresses, function pointers, format strings, etc.) to be overwritten with the attacker's data. Most commonly occurring exploits fall into this class of attacks. Once an attack has been detected, our dynamic taint analysis can automatically provide information about the vulnerability, how the vulnerability was exploited, and which part of the payload led to the exploit. We show how this information could be used to automatically generate signatures for attack filtering. We have developed an automatic tool, TaintCheck, to demonstrate our dynamic taint analysis approach. TaintCheck offers several unique benefits:
• Does not require source code or specially compiled binaries. TaintCheck operates on a normally compiled binary program. This makes TaintCheck simple and practical to use for a wide variety of programs, including proprietary programs and commodity programs for which no source code is available.

• Reliably detects most overwrite attacks. TaintCheck's default policy detects format string attacks, and overwrite attacks that attempt to modify a pointer used as a return address, function pointer, or function pointer offset. The default policy can also be extended to detect other overwrite attacks, such as those that attempt to overwrite data used in system calls or security-sensitive variables.

• Has no known false positives. In our experiments, TaintCheck gave no false positives in its default configuration. As we discuss in Section 3, in many cases when a false positive could occur, it is a symptom of a potentially exploitable bug in the monitored program. For programs where the default policy of TaintCheck could generate a false positive, we show in Section 3 that it is straightforward to configure TaintCheck to reduce or eliminate those false positives.
• Enables automatic semantic-analysis-based signature generation. We propose a new approach for automatic signature generation: using automatic semantic analysis of attack payloads to identify which parts of the payload could be used in a signature. Previous work in automatic signature generation uses content pattern extraction to generate signatures [21, 24, 41]. The information provided by semantic analysis could be used to generate a signature directly, or as hints to content pattern extraction. Because semantic analysis provides information about the vulnerability and how it is exploited, it could potentially allow an accurate signature to be automatically generated using fewer payloads than would be necessary with content pattern extraction alone. By requiring fewer attack payloads, semantic analysis could generate a signature at an earlier stage of a worm epidemic, thus minimizing damage caused by a new worm.
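The following C program is an added illustration of the two ideas above (the taint source / propagation / sensitive-use check that detects an overwrite attack, and the per-byte bookkeeping that tells which payload bytes reached the overwritten value); it is not code from the paper or from TaintCheck. It models a toy address space with one shadow word per byte of memory: bytes received from the network are tainted and remember their offset in the request, copies and arithmetic propagate taint, and two sensitive uses are checked, a value about to be loaded into the instruction pointer and the format argument of a printf-style call. The memory layout (a 16-byte stack buffer directly below a saved return address), the request contents, the saved-EIP value and the scenario names are all constructed for the example. TaintCheck itself rewrites real x86 code at run time rather than interpreting a model like this.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Toy address space: one shadow word per data byte. shadow 0 = clean,
   shadow k > 0 = derived from byte k-1 of the request passed to vm_recv(). */
#define MEM_SIZE 64
static uint8_t  mem[MEM_SIZE];
static uint16_t shadow[MEM_SIZE];

/* Alert bookkeeping: how many alerts, and which payload offsets reached the last sensitive use. */
static int alerts, alert_lo, alert_hi;

static void vm_reset(void) {
    memset(mem, 0, sizeof mem); memset(shadow, 0, sizeof shadow);
    alerts = 0; alert_lo = -1; alert_hi = -1;
}

/* Taint source: network input is tainted, each byte tagged with its offset in the request. */
static void vm_recv(unsigned dst, const uint8_t *pkt, unsigned len) {
    for (unsigned i = 0; i < len; i++) { mem[dst + i] = pkt[i]; shadow[dst + i] = (uint16_t)(i + 1); }
}

/* Data move (mov, rep movsb, memcpy, strcpy): destination inherits the source taint byte for byte. */
static void vm_copy(unsigned dst, unsigned src, unsigned len) {
    memmove(&mem[dst], &mem[src], len);
    memmove(&shadow[dst], &shadow[src], len * sizeof shadow[0]);
}

/* Arithmetic (add): the result is tainted if either operand is; attributed to the first tainted byte. */
static void vm_add32(unsigned dst, unsigned a, unsigned b) {
    uint32_t va, vb, r;
    memcpy(&va, &mem[a], 4); memcpy(&vb, &mem[b], 4); r = va + vb;
    memcpy(&mem[dst], &r, 4);
    uint16_t t = 0;
    for (int i = 0; i < 4 && t == 0; i++) t = shadow[a + i] ? shadow[a + i] : shadow[b + i];
    for (int i = 0; i < 4; i++) shadow[dst + i] = t;
}

/* Storing an immediate clears taint: the constant comes from the program, not the attacker. */
static void vm_store_imm32(unsigned dst, uint32_t v) {
    memcpy(&mem[dst], &v, 4);
    for (int i = 0; i < 4; i++) shadow[dst + i] = 0;
}

/* Sensitive-use check: if any byte is tainted, raise an alert and record the payload offsets involved. */
static bool check_clean(unsigned addr, unsigned len) {
    int lo = -1, hi = -1;
    for (unsigned i = 0; i < len; i++) {
        if (!shadow[addr + i]) continue;
        int off = shadow[addr + i] - 1;
        if (lo < 0 || off < lo) lo = off;
        if (off > hi) hi = off;
    }
    if (lo < 0) return true;
    alerts++; alert_lo = lo; alert_hi = hi;
    return false;
}

/* Sensitive use 1: a 32-bit value about to become EIP (ret, call *p, jmp *p). */
static bool vm_jump_indirect(unsigned ptr_loc) { return check_clean(ptr_loc, 4); }

/* Sensitive use 2: the format argument of a printf-style call (NUL-terminated). */
static bool vm_printf(unsigned fmt) {
    unsigned len = 0;
    while (fmt + len < MEM_SIZE && mem[fmt + len]) len++;
    return check_clean(fmt, len);
}

/* Constructed layout: 16-byte stack buffer at 0..15, saved return address at 16..19, request at 32. */
#define BUF 0
#define RET 16
#define REQ 32

/* Stack smash: a 20-byte request is copied into the 16-byte buffer with no length check. */
int scenario_overflow(void) {
    vm_reset();
    vm_store_imm32(RET, 0x08048400u);               /* legitimate saved EIP (constructed value) */
    uint8_t pkt[20]; memset(pkt, 'A', 16); memcpy(pkt + 16, "\x41\x42\x43\x44", 4);
    vm_recv(REQ, pkt, sizeof pkt);
    vm_copy(BUF, REQ, sizeof pkt);                  /* strcpy-like copy overruns into RET */
    vm_jump_indirect(RET);                          /* function returns with a tainted EIP */
    return alerts;
}

/* Same handler with a well-formed request: the copy stays inside the buffer, no alert. */
int scenario_benign(void) {
    vm_reset();
    vm_store_imm32(RET, 0x08048400u);
    const uint8_t pkt[8] = {'G', 'E', 'T', ' ', '/', '\r', '\n', 0};
    vm_recv(REQ, pkt, sizeof pkt);
    vm_copy(BUF, REQ, sizeof pkt);
    vm_jump_indirect(RET);
    return alerts;
}

/* Laundering through arithmetic does not help the attacker: base + tainted index stays tainted. */
int scenario_arith(void) {
    vm_reset();
    const uint8_t pkt[4] = {0x10, 0, 0, 0};
    vm_recv(REQ, pkt, sizeof pkt);
    vm_store_imm32(REQ + 4, 0x08048000u);           /* jump-table base (constructed) */
    vm_add32(RET, REQ + 4, REQ);                    /* target = base + attacker-chosen index */
    vm_jump_indirect(RET);
    return alerts;
}

/* Format string bug: printf(buf) where buf came straight off the wire. */
int scenario_format(void) {
    vm_reset();
    const char *req = "%x%x%n";
    vm_recv(REQ, (const uint8_t *)req, (unsigned)strlen(req) + 1);
    vm_printf(REQ);
    return alerts;
}

/* Payload bytes that reached the last sensitive use: the raw material for a signature hint. */
int last_alert_first_offset(void) { return alert_lo; }
int last_alert_last_offset(void)  { return alert_hi; }

int main(void) {
    int n = scenario_overflow(); printf("overflow: alerts=%d, payload bytes %d..%d\n", n, alert_lo, alert_hi);
    n = scenario_benign();       printf("benign:   alerts=%d\n", n);
    n = scenario_arith();        printf("arith:    alerts=%d, payload bytes %d..%d\n", n, alert_lo, alert_hi);
    n = scenario_format();       printf("format:   alerts=%d, payload bytes %d..%d\n", n, alert_lo, alert_hi);
    return 0;
}
```

In the overflow scenario the alert names request bytes 16..19 as the ones that became the return address, which is exactly the kind of fact a semantic-analysis signature generator would use instead of inferring it statistically from many payloads. Which propagation rules to apply (for instance whether a load through a tainted pointer taints the loaded value, or whether a constant-producing idiom like xor eax,eax clears taint) is a policy decision; this model uses the simplest rules and is not a statement of TaintCheck's actual rules.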
TaintCheck could be used to perform automatic semantic analysis of attack payloads, because it monitors how each byte of each attack payload is used by