Klewel
Player is loading...

Security testing hard to reach code
Mathias Payer, Assistant Professor at EPFL

Thursday, June 6, 2019   ·   1:50 p.m.   ·   57m  33s

Embed

Copy embed code

Transcriptions

Note: this content has been automatically generated.
00:00:00
the introduction right uh it's a pleasure to to be here i don't
00:00:04
it is i use it for computer except because i've seen it doesn't work
00:00:08
um it's a pleasure to be here and i mean this in multiple ways especially be here and
00:00:13
speaking in front of all of you it's also pleasure to be here at e. p. f. l.
00:00:17
um one bright didn't set say i'm one of the the new hires
00:00:21
exactly here for your it's been an amazing year i've really learned to enjoy
00:00:26
of being here it's it's weird being back in switzerland and working this these
00:00:31
large amounts of wonderful people here you can't sell our i'm leaving the hex five research group
00:00:37
as brian said we focused most attacks but also on the fences and
00:00:41
we've looked at different aspects of the senses an hour or premises that
00:00:46
we try to protect publications in the presence of
00:00:49
one abilities series you that applications always have older
00:00:53
buildings in redefining and designing techniques that enable us
00:00:57
to be resilient in the presence of such abilities
00:01:00
on the other hand during development you're trying to find as many of useful abilities as possible
00:01:06
and this is precisely what i'll be talking about today to focus on security testing market reach caught
00:01:13
and you're living in an area where there's there's pretty much one abilities everywhere
00:01:18
and this is not just a recent development but this has been going on for awhile actually for very long while
00:01:24
and i also like to start my talk was a picture of the the morris worm
00:01:29
which brought down all of the internet thirty three
00:01:32
years ago using a combination of stream on abilities
00:01:36
up ah for our full uh come on injection and uh
00:01:40
some some more song or tracks in addition to that but
00:01:43
t. underlining one abilities in the underlying software box
00:01:48
that are used to exploit systems today are still the same that have been
00:01:53
used to explore to systems more than thirty five years ago while the underlying
00:01:59
exploits have changed have got more sophisticated the box
00:02:04
remain the same will look at finding the stocks
00:02:07
so now it is we no longer exploits are a single piece
00:02:12
of software but we get hack rather sets of all apologies and referred
00:02:15
before about ah attacks against or private data but also attacks exploit
00:02:21
our server systems and start executing attack a control code and you systems
00:02:26
but this is not just a bus to rise and t. o. ongoing
00:02:30
a proliferation of in it of things we're opening up a boston you
00:02:35
attack surface that goes from our devices in from a fixed set of devices
00:02:40
to a large amount of devices that we own that are part of
00:02:43
t. i. o. t. system their attackers can start to spy on us by
00:02:49
watching us and see our our private behaviour attackers will
00:02:52
gain access to our private spaces by breaking smart power
00:02:56
locks or attackers will be able to take our smart
00:03:00
cards and took a turn them into remotely controlled toy vehicles
00:03:04
all the same underlying sets of one abilities and box that have been
00:03:09
used in the last thirty thirty issuers these attacks have gotten much more complicated
00:03:15
so to explore exceptional ability you need to have a sophisticated she received her a couple
00:03:20
of times before adverse trees are getting more sophisticated and while you're no longer at um
00:03:28
amateurs playing around with systems there's state actors and
00:03:32
on a kind of actors interesting taking or our systems
00:03:36
as i've said before one of the challenges if you're facing is a set of broken abstractions
00:03:41
let's say alice's writing her beautiful coherent she's using a set of abstractions like types of
00:03:47
the structure of control flow a lot of these
00:03:50
nice obstructions allow her to write a wreck sophisticated coat
00:03:55
and to work with large different different stuff persistence now bopper coworker unfortunately
00:04:00
a man who's working on this code and the bargain here and you see
00:04:04
that the screen copy operation if your if your c. programmer happiness c. programmer
00:04:08
does not checked in part and could over ride the addison buffer and then
00:04:13
add this and uh as it it isn't data is the typical buffer overflow
00:04:17
my current attacks are a little bit more of more sophisticated upfront
00:04:20
box or a little bit more sophisticated source to to show the
00:04:25
a show as an example i've now as soon as we have uh but all
00:04:30
these abstractions that we have are gone an attacker can use a different set of abstractions
00:04:36
because that's the code is being compiled down into machine code i. e. only have instructions in in memory that can
00:04:41
be executed by the sea view to see pure wraps and execute and all the looks that are active low level
00:04:47
a low level interpretations of the high level they did all this abstractions are shied away
00:04:53
it's an attacker can use abstractions at the lower level to then escalate change control
00:04:59
flow and execute arbitrary behaviour it by taking over the system and stealing our data
00:05:04
the body you're trying to do is we're trying to force some form of these these high level primitives at the lower level
00:05:12
ah second challenge that we're facing a softer complexity well i'm a big fan of formally
00:05:18
proving certain aspects of code the complexity of
00:05:21
current systems under low level nature often prohibits
00:05:25
very sophisticated proving techniques if you look at
00:05:28
google chrome for example and the support system
00:05:32
that runs book wrong here and that is more than a hundred million lines of code
00:05:36
so current systems are massively complex the consists of many interacting molecules
00:05:41
there's hundreds of people working on them that break you break up these components into different
00:05:47
different model r. t.s and compared to earlier days they are softer complexity was somewhat
00:05:53
ross noble aren't we could print out o. the
00:05:57
full system stack into full implementation and stack of papers
00:06:02
nowadays the systems are just way too complex if you would print out all source code
00:06:06
of cool chrome you would end up as a stack of three hundred and seventy meters
00:06:10
which is way too complex to actually formally works fine improve it
00:06:16
so in software security we've looked at two different aspects to protecting his large amounts of code
00:06:21
softer security testing and mitigation it's i guess yeah these are true
00:06:26
kind of or soccer no aspects that are often done either or and
00:06:32
there's there's two fundamental differences to those in software
00:06:35
testing you're trying to use a development technique too
00:06:40
use dynamic testing to develop a better understanding of the code that we're executing
00:06:46
or trying to cover as much of the code that we can they're trying
00:06:50
to find as many box as possible and you're trying to develop techniques that
00:06:54
helped them up or in finding as many of the small about is as possible
00:06:59
number mitigation is on the other hand are some kind of insurance
00:07:03
they are you're paying a low price at one time any deploy this offer
00:07:07
uh then and you get some form of protection against any of the remaining one abilities there and it caught
00:07:14
let me go look more into detail on setting is two two different approaches
00:07:18
apart so for software testing using the same code that i showed an example before
00:07:23
you could replace the string copy using some form of standardisation and you could check
00:07:28
if the if the boss for the of the data to copy into the buffer is actually of the correct size
00:07:34
so you you you make it the notice that this is the damage testing
00:07:38
to see so we need concrete inputs that drives this this program and he
00:07:43
of you therefore have to develop or saw cannot techniques that develop different inputs that we can use to test
00:07:48
a test is functions and this is where we're fussing insanity station comment
00:07:53
is too soft for testing techniques standardisation develops policies that allow us to detect
00:07:59
the the different kinds of violations like for example checking string copy or checking
00:08:03
for memory safety violations and focusing on the other hand would allow us to
00:08:08
ah to test the function in certain behaviour and to drive execution down to different parts
00:08:15
mitigation is on the other hand try to be cheap so you don't try to detect the box itself
00:08:21
so on the softer testing side we see that we would flag the bark right varied happens
00:08:26
for mitigation is on the other hand we try to prohibit exploitation
00:08:31
to assume that the string copy operation went wrong and the buffer has been over
00:08:36
for flown and has overridden the function pointed out is any ascends to the bar for
00:08:42
now before we dispatch and use this function pointer it can add an actual check and see if the
00:08:49
uh if the target that you observed at one time it's in a set of ballots targets that we have
00:08:55
inferred or learned during a static analysis during compilation
00:09:00
and you can terminate applications there's a reason why which
00:09:04
and then the last couple of years we have developed a large amount of the of the fences and mitigation said we have
00:09:11
deployed and that are now running all of your systems so
00:09:14
the last fifteen years if actually deployed a set of mitigation is
00:09:19
that prohibit a large amount of of expectations and a large amount of exploited vectors
00:09:26
and this results in the difference that before a single person could draw could use a single
00:09:32
but to write a single exploits that takes down a softer softer system in two to four hours
00:09:40
nowadays v. c. that with all of the deep voice
00:09:43
he fences we see that the cost has risen dramatically
00:09:47
you need teams of ten twenty people that work on an exploit for for three to six months
00:09:53
so actually chain together multiple boxes takeover says so the cost of explication has risen
00:09:59
on the off we've seen that if if added of each
00:10:03
to voice data execution friendship prohibits simple code injection be added
00:10:08
a random mutation to modify address spaces stacks can
00:10:12
marry safe exception handler and a bunch of other things
00:10:15
so we've we've taken the original process image we started
00:10:19
working with this of his original simple idea off of that
00:10:24
of a simple machine that executes instruction and if i don't more more checks
00:10:29
randomness diversity into the into the process image to make exploitation that much harder
00:10:36
now it makes exploitation harder it doesn't fundamentally stop that so
00:10:42
why mitigation enable us to to increase the cost of expectations
00:10:48
they do not allow us to actually prohibited explication of for first
00:10:52
place in any case and this is worse off for testing comes in
00:10:57
very try to find and discover as many security critical
00:11:01
box and that we can before we actually deployed uh
00:11:06
the stuff right just becomes a continuous process that allows us to continue to
00:11:10
test for security violations of to enable of twenty plus to increase the security people
00:11:18
a common technique that song blast amount of interest
00:11:22
in the last two or three years this first testing
00:11:26
and it's a simple technique it's a primitive technique but it's
00:11:29
the massively effective technique that enables developers to to set up
00:11:34
of the testing environment in a very short amount of time and
00:11:38
then to drive execution and testing two words there largely complex code bases
00:11:44
at its core first testing is the random testing technique that make
00:11:48
it inputs to improve test coverage to create new and more test cases
00:11:53
so let's say we haven't haven't oh i have an executable that we compiled
00:11:57
and we're we're starting with the first set of test cases that we have
00:12:00
you run this executable and we see if any of these test input crashes and this is regular softer testing
00:12:07
but this is a good start but it doesn't give us deep coverage it doesn't give us
00:12:11
a a very good knowledge over the whole process that you're running
00:12:17
we therefore developed as part of the first testing systems
00:12:19
some input generation mechanisms object that take existing inputs and
00:12:25
you take them to increase the the courts increase i create new new inputs
00:12:31
thereby triggering more more crashes and to get a deeper understanding of the program
00:12:38
well the state of the art fosters also use cockroaches of feedback so we keep track on which parts of the
00:12:44
program be actually used i used this as a feedback
00:12:47
mechanism to input generation to then create more more test cases
00:12:53
so what's the most common flaws furthers that is used
00:12:56
very very broadly nowadays as a fell the american fuzzy lot
00:13:01
uh and it's simple lives by uh does nice cute little bunny here oh this is number confers a lot
00:13:07
but then francis and tries to figure out all of these these different issues and increased
00:13:13
text coverage increase coverage of the program and if i find as many buttons as possible
00:13:20
so i think it's a very effective bark finding approach uh and on the
00:13:25
uh on the on you page if all we see that it discovered a large amount of all abilities
00:13:30
in a lot of different softer and that's just a a a set of prophecy
00:13:34
that i'm showing here instead of logos we're a large part of box for phones
00:13:39
and for things can fussing can be used in in a long two different of two different dimensions
00:13:45
either of proactively as a defence as part of
00:13:48
the software testing framework and google has one large scheme
00:13:53
working on through active defence by using
00:13:56
fussing on large amounts of open source software
00:14:00
and also internally body phones tens of thousands of box in their own software
00:14:06
so we're using this as the as the standard approach to get rid of as many books as possible
00:14:11
there's a certain set of techniques in customisation they apply to optimise
00:14:15
forcing as a proactive defence for example the programmer can guide
00:14:20
using knowledge of the code better to fasten should explore certain areas
00:14:24
alternatively it can also be used as often as as part of
00:14:28
exploitive allotment to find locations in the code better security critical one abilities
00:14:35
and there there's another large team at google their body uses the projects your team
00:14:40
or use forcing proactively as often as an offencive tool of finding what about this
00:14:47
no falling it's been around for a while and academics is pretty much ignored fussing
00:14:52
until a couple of years ago because it was deemed of an ugly to click
00:14:57
right it's not it's not formal it's not
00:15:00
there's no proving him all snow greek symbols it's
00:15:03
uh it's very simple and it's it's just ugly right now the question is how can we
00:15:11
improved this and academics and started looking at this and there's a lot of research groups that have
00:15:17
jumped on this uh on this fussing hype to
00:15:20
train and they're trying to develop new forms of techniques
00:15:25
and i would like to spend the remainder of my talk to talk to
00:15:29
you a bit about some of the first thing frontiers that we are facing
00:15:33
um on beer existing fussing techniques fail and what
00:15:37
kind of techniques we are developing in my research group
00:15:40
to push phones into new areas to spread and
00:15:44
go beyond what existing fussing uh techniques can actually do
00:15:48
potentially combining it and making it more effective in finding one
00:15:52
abilities in finding different issues and you look at three different areas
00:15:58
i'm exploring new parts by going deeper into programs that what existing fussing can do
00:16:05
well look at how we can mine in existing code how we can develop
00:16:10
techniques that take existing binary is to then use first testing on these binary is
00:16:15
by improving compared existing tools play one or two orders of magnitude
00:16:21
and to cross on on borders for example of cross across the
00:16:26
the software hardware interface there we can flows along oh a physical
00:16:31
peripheral devices in addition to just using a single user space binary
00:16:37
but let me start by exploring hard to reach code how
00:16:41
can we teach fussing to go beyond sort of checks and
00:16:45
how can you teach first thing to go deeper into program
00:16:49
because that's a fundamental taking great if you have a random technique
00:16:52
that generates you input how can be modified as input generation
00:16:57
mechanism to go deeper into other parts for a of the program
00:17:03
a challenge that many of these forces face for example if l.
00:17:07
has this this particular problem is that it often gives shall coverage
00:17:12
and it's a very simple example assume that in your program you have a
00:17:16
set of checks you have a first check a second check ups or check
00:17:21
if you read only modify and you take in fort how likely is it that you will trigger
00:17:29
of you will satisfy the first check and the second check and the search
00:17:34
the further down you go down the costs the
00:17:37
harder it gets to continuously satisfy all these uh these
00:17:42
these large amounts of checks and it's highly unlikely that you will trigger the but at the end of this depends chain
00:17:50
so the first regenerated inputs cannot bypass all of these complex sanity checks and a program
00:17:57
so there may be a sanity check for for a check
00:18:00
some the major second check for of for user uh input
00:18:05
a us another check for of forty image format and sounds it's a
00:18:09
combination of checks and it's incredibly hard for fathers to actually bypass all those
00:18:16
excess think approaches that have looked at this primarily focused on input generation sort of look that
00:18:24
maybe taking some feedback from coverage how can we create
00:18:29
you input that will then explore this complex are complex part of the program
00:18:35
so for example if all improvements to you using speech corpus generation try to create
00:18:41
better seats allowing better mutation drove or uses selective call it gets you shouldn't there's a order
00:18:47
approaches that use think analysis and simple working all week execution combining these techniques making it somewhat better
00:18:54
all of these options have the limitation of the still run into
00:18:59
into high overhead or knots the little because the on the certain check
00:19:03
and what really drives me into into the fussing area and that cost me to look
00:19:09
into fussing as a as a research area is that it's inherently a a resource optimisation problem
00:19:17
you have a finite amount of resources you're trying doing testing to
00:19:21
use these resources to find as many security critical boxes you can't
00:19:27
and you have to use your resources effectively and not waste them in in other ways
00:19:33
now when you look at this is that we should not focus on input generation or something else we can do
00:19:42
two oh actually bypass all of these hard checks like check some script uh hashes and so on
00:19:48
i mean if you look at all of these checks i sit there there's a
00:19:51
very easy way that we can uh how we can actually get past these hard checks
00:19:58
we can actually remove them and get rid of
00:20:02
because he he is car that may have these bucks or not it's intended to prevent bucks
00:20:08
many of these checks are just here to to direct the control flow towards a certain area
00:20:14
so there's checks and magic analysis checks and check sums of checks and hashes
00:20:20
for example this check in a on in lit elf compares to
00:20:23
head or the beginning of the file for the the magic string elf
00:20:29
removing his check does not remove any functionality
00:20:33
removing his check would actually enable us to drive execution fussing to different part of the program
00:20:40
so removing n. c. c.'s won't insure any any force dog and will simply five was it
00:20:46
in fact the a full user guide said if you actually have to source code for
00:20:50
the program you should remove all of these checks you should use program or not much but
00:20:56
so uh if you if you look at book rome was a hundred and and and five million lines of
00:21:00
code it's highly unlikely the single person will be able to instrument all of that so we'll have to develop
00:21:06
automated techniques to go beyond that and automatically removes his parts of the code
00:21:14
so what we have developed this uh an understanding and he starts fussing
00:21:18
and softer testing my program transformation so we start is a regular forcing approach
00:21:24
uh for example be used to use a file in this project any keep rising until
00:21:30
the philosophers is until we reach a plateau like v. you have metrics that tell us how much coverage to
00:21:37
be have in the code home what part of the functionality do we cover and it's it's we reach a plateau
00:21:43
which means we are no longer reaching you convert your no longer
00:21:48
exploring new parts of the program are no longer exploring new functionality
00:21:53
well actually the text t. n. c. c. candy that's removed
00:21:57
the n. c. c. candidates and repeat so we take the program
00:22:02
we remove all these non critical checks and then continue fussing with the uh with the modified program
00:22:10
no instead of modifying the inputs generation mechanism we have modified the program
00:22:15
oh if you have a crashing in what they can no longer say this about because we don't know
00:22:23
we have to add this additional components which is the crash
00:22:26
and allies or if the if the bogus founded a modified program
00:22:30
we have to figure out dust is but in the modified program translate
00:22:35
to your actual program i will get a bit more into detail later
00:22:39
if it if it returns true well reports a a shoe box in the ritual program or we reported falls plus
00:22:48
now we have an interesting problem how to detect and see seats
00:22:53
i've i've taught i've told you about this oracle the losses to magically detect and c. c.s
00:22:59
reset that that's a complex or we don't want to to have any heavyweight computation
00:23:03
to detect non critical checks we want to do something that's super simple and embrace precision
00:23:09
assuming that we can beat out false positives later we can be in precise up front
00:23:15
so if you look at what coverage we have already explored in
00:23:19
our uh or original testing approach will simply take all the edges that
00:23:23
have not been taken and assume that those are and seek and
00:23:27
it's it's a it's a strike over approximation all the non critical checks
00:23:33
do some shows that regular fussing bow already have explored all the other areas or
00:23:39
many of the other areas and what remains or is non critical checks for many
00:23:43
of the the edges to remain will be not fit checks this is lightweight
00:23:47
and very simple to implement to for example ah we can simply use oh
00:23:53
of program view writing to mediate conditional chops taking the binary from a
00:23:59
of from an a. equals b. and rewrite it into a knot you forcibly
00:24:05
this is very easy to implement using static binary patching or is simply view right individual binders
00:24:11
and the other advantages there's your run time or had a resulting programs we don't need to do any sophisticated
00:24:17
re compilation view riding techniques or or other mechanisms
00:24:22
and the biggest advantage when you do the analysis for the crashes after the fact
00:24:26
is that the control flow graph and the trace the execution trace through
00:24:30
the program remains the same so we can simply map but back in force
00:24:37
now
00:24:38
let's assume we have found a couple of crashes in one of these modified programs
00:24:45
we wonder are these are these false positives or artist shoe box so we collect the constraints
00:24:51
on the uh on the program using can collect racing on the crash input if we collect the
00:24:56
parts constraints and then we ask us that's all right if this is true but courses knowledge but
00:25:02
the set forward will either tell us to satisfy what and will
00:25:06
create an input to crashed original program ever done before the true but
00:25:10
or it will give us a false positive that tells his out to both this complex all because you stick
00:25:18
but this is not the whole truth right because we're working was very
00:25:21
complex program so we often have a sore choice where we wanted to time
00:25:25
remember i told you to resource constraint problem we can only give a fixed amount of time to the to the solar
00:25:32
to actually figure out if there's a a if you can
00:25:34
map the the crashing input from the modified program to rachel program
00:25:41
let me explain this using using an example on how the man and see candidates have his original programs here
00:25:48
um you reach to input variables x. n. y. u. have a simple test on x. if x. is
00:25:54
larger and it's euro but we have a a test on why or if it is equal to get if
00:26:01
so it's highly unlikely that the random input generation mechanism will actually create this input
00:26:07
well it is easy for a for x. the chances are fifty percent
00:26:11
but we we're gonna hit the the right uh right variable for why the chances are much lower
00:26:18
and it's unlikely that will create the correct and put it so
00:26:22
our after a certain amount of fussing detected this branches never executed
00:26:27
so our mechanism takes those runs and flips it and create a
00:26:30
new program or why not equals death because we have flipped the check
00:26:37
we have the immediately find the bark to collect the cost
00:26:40
constraints x. is larger than zero and why not people today if
00:26:45
we take these constraints flip them back to the original program ask us all over the
00:26:50
soul tells us to satisfy will i'm you know this is a true bach we're done perfect
00:26:58
we have actually found using program transformation about that abstracted original program
00:27:04
now a second example we have two functions are to endure some
00:27:09
program we test i larger than zero and then i smaller equals sure
00:27:15
again we detect this uh this constraint is never satisfied we flip the check
00:27:22
we find the bark you find a crash in the modified program you collect the parse constraints we flip them
00:27:29
again office over we tell us it's not uh not as viable i mean oh
00:27:33
there's a false dog and we can remove it and continue tailoring the execution somewhere else
00:27:40
now some of you may know drill or
00:27:43
draw a is of competing farther that has been used in the
00:27:50
darpa side program challenge to explore a large amount of of binary only
00:27:55
a binary only code and it uses constraint solving initially said uses the same
00:28:00
process is it starts fussing and fussing get stuck it tries to do something
00:28:05
but the idea is different as soon as the first a good start to pick one of the actions would
00:28:10
be consider and see candidates and then it's off to
00:28:14
solve or to create one input that satisfies this part
00:28:18
and the the soul returned isn't input set slices possible execute is new parts
00:28:24
and then use this and added to the original set of c. m. s.
00:28:30
now the next time that you original input modification routine will body files you seek input
00:28:36
it is highly likely that along this chain of complex checks it will destroy one of the constraints so that
00:28:43
the new willie added up input can only be used
00:28:46
once so drawer has to fall back again to constraint solving
00:28:51
and use the same constraint solving pasta again for each input that is
00:28:56
being generated to explore his area of code and this is very costly
00:29:00
so draw or is using up all the compute resources in constraints holding to create inputs
00:29:06
and there's orders of magnitude more inputs that are used
00:29:10
to explore new area then there are box to be files
00:29:14
right so to to find a bug in a certain a certain air of
00:29:18
code to given intuition you need to executed thousands or tens of thousands of times
00:29:24
so it's really hard here has to execute constraint solving tens of thousands of times to
00:29:29
get one crash which is very expensive now if you compare it to t. fussing transformational fussing
00:29:36
couple the constraint solving and the fussing aspects um so b. b. b. c.
00:29:42
was betrayed inputs and instead of asking the constraints all over as you are creating
00:29:48
uh all the the immediate stock we create new programs and continue forcing those programs
00:29:54
the only two constraints holding for the actual trash can it as if executed
00:29:59
this this parts thousands or tens of thousands of times so constraints holding is
00:30:04
read used to the set of actual crash candidates which is much lower than
00:30:08
the amount of input that you have to do is to be good fried off
00:30:11
like you do constraints all being later and decoupled from the first thing that
00:30:16
and this allows us to our explore larger parts of the code and use our resources more widely
00:30:25
uh i just we had talked about the timeout before right if you get the timeout you'd
00:30:29
least order something off here and men like inspection could be used as a second step for for
00:30:36
no after we have worked with t. fussing four year we've you've reached and
00:30:40
we see that there's a couple of uh of challenges that we're still working on
00:30:44
um as it turns out when you're selecting is not critical time units there's a transformation explosion
00:30:50
like there's so many different parts of the program that we can modify that
00:30:53
it's just the just challenging to is selected right uh to write bits and pieces
00:30:59
there's issues of falls box for the introduce a crash before we get about point
00:31:04
and constraints holdings really really hard because we are we are changeable lens train of
00:31:09
the praise the number of constraints uh and we've run into different issues of months recognition
00:31:14
they're working on these issues on trying to better use
00:31:18
the resources and as i said before this instruments optimisation problem
00:31:23
uh a case uh let's look at a case study that proved to
00:31:27
be very challenging for all the teams working on the startup cyber crime challenge
00:31:32
but that's t. fussing almost magically and beautiful the soft
00:31:37
now this is one uh as a slightly sim simplified example and so lost
00:31:43
code piece that i'm gonna show i'm just gonna highlight three aspects of that
00:31:47
so the first check s. on a magic value sort of
00:31:51
your packet has always must always begin was one to one chip
00:31:56
second there's a check gonna check so
00:32:00
so the code calculates a very specific check some on the
00:32:03
packet and always does check some succeeds you're allowed to continue
00:32:08
as a structured it's also indicates on user information that you are using the right user using the right credentials
00:32:16
now in this program and this is one of the child language used to evaluate
00:32:20
the the different side one challenge teams um as your it well i think this
00:32:27
you have to go through a total of nine rounds of this if you hit nine rounds of
00:32:32
step equals larger equal to nine your view for that is a stack of four or flow but
00:32:38
so after going through this should feel for nine times you actually get or for the buffer anyway
00:32:45
and for those that are not aware of the of the darpa cyber run challenge
00:32:50
uh it it used to be one of these start but french challenges
00:32:53
that was set up to evaluate if machines that automatic techniques can replace hackers
00:32:59
and automatically create exploits and uh explode systems and and target is kind of course
00:33:06
and this example here proved to be really really challenging for all of these automatic techniques
00:33:12
no interestingly t. fussing our approach twenty about what is and is binary started fussing this binary
00:33:20
and this card after five or six seconds that oh it no longer reaches new inputs
00:33:28
it never satisfies if step larger than than nine it flips this check as part
00:33:35
of the t. fussing approach because this allows us to reach large amount of additional caught
00:33:41
and then continued fussing there in about three or four minutes
00:33:46
we have actually discovered the underlying box tech baseball for flow
00:33:50
a bug and then ah asked the constraints over
00:33:54
and the quality execution engine to finding construct up costs
00:33:58
that is but will satisfy and find dislocation in the original code and only four
00:34:03
hours later the constraints over came back and told us this is a true but
00:34:08
and we have discovered a real one ability of satisfied this check and passed this check
00:34:14
to the other techniques had a really hard time at finding these kind of inputs and finding these kind of connections
00:34:21
let me summarise t. fussing the core idea is to mutate boasted program and the input
00:34:27
and the first outperform state of the art for there's
00:34:31
a for example drawer if off by by sixty percent
00:34:34
on these uh on these benchmarks in addition we found the uh bark
00:34:39
eh the the lao and sweet and several real world progress since then then been fixed
00:34:46
um as part of future work we're looking at uh i tell them based a
00:34:50
program transformation a better crash and allies are and and c. c. detections with static analysis
00:34:56
by shifting the wrist exactly half to some extent to explore other errors
00:35:02
so you can see this as an optimisation mechanism to allow fussing or
00:35:07
exploration to push to work certain areas of the code that you're interested in
00:35:12
and you can guide the the exploration across to these different yes
00:35:18
it works reasonably well then we are targeting binary only code and it is a different
00:35:23
a different underlying ideas instead of just modifying
00:35:28
it put your mutating boasted program and the import
00:35:32
so we've turned is from a one dimensional problem into two dimensional problem
00:35:37
uh and there's a lot more research to be done here the prototype implementation is open
00:35:43
source i've actually seen several other teams already could get up in continue text regional but
00:35:50
now oftentimes you have source code but sometimes you only have binary code
00:35:56
and you're looking into security testing binary only chorus all assume you have
00:36:01
one p. a piece of library uh some other system or
00:36:05
or or the components that are only available in binary on because
00:36:09
ideally you would have source code for everything you could just
00:36:12
become pilot and add your instrumentation additional checks and part of that
00:36:16
so you could add a senate ties are for memory safety like is then you could implement uh you could
00:36:22
compile disposing techniques to have its coverage and detailed information
00:36:25
about the execution but sometimes you only get the binary
00:36:29
and it's very cumbersome to actually and alive wineries and current best techniques
00:36:33
for binary modification combos one to two orders of magnitude over
00:36:39
so simply instrumentation for fussing comes in one order of magnitude
00:36:44
instrumentation for memory safety checks that allow you to
00:36:48
detect violations orally comes two orders of magnitude or
00:36:53
so together you have up i you end up with more than two
00:36:56
orders of magnitude overhead as you're forcing binary only code and this is a
00:37:01
huge waste of resources going back to to my initial assumption of the
00:37:07
of the binary only of soft a fixed amount of of resources that yeah
00:37:13
so we have developed a steady view writing framework that allows us to take original binary is
00:37:20
of for for sixty four bit code the lift them to a
00:37:24
a common all interpretation and build something that we call reassemble assembly
00:37:31
so we take binary code you lifted internet simply file that you can then modify using
00:37:38
using existing tools you can add instrumentation you can modify you can rewrite it you can it
00:37:44
replace code you can add code you can remove code and so
00:37:47
on we didn't do some register allocation optimisation and create new assembly code
00:37:53
uh as part of this framework yes develops to transformations uh one
00:37:57
of them is a.'s and yeah we had address senate pfizer uh
00:38:03
every senate pfizer instrumentation part of that allowing us to detect
00:38:08
uh to detect different violations bopper or flows or and and
00:38:13
similar memory corruption and the other part is a. f. l.
00:38:17
here you can add a field based edge instrumentation very good edge coverage to get
00:38:23
keeps coverage feedback about the actual execution of the program
00:38:29
the interesting aspects in the in the performance evaluation
00:38:31
is that we get the same performance as if
00:38:36
you would have compiled the system was discovered in fact one of the interesting aspects here is if you
00:38:42
look at a full cheesy see if you if you've used all evolve before as a further um a.
00:38:48
f. o. g. c. c. is actually are part of the g. c. c. environment that as if all
00:38:55
instrumentation to keep track of executed edges in the
00:38:58
code and it does this by instrument doing the ladies
00:39:03
the whole machine i. r. s. part of the of the cheesy compilation process
00:39:09
the amount of information you can recover from the binary is detailed enough
00:39:14
but we can simply v. use the uh if our original if all instrumentation and plug it back in
00:39:20
the quality that of the disassembled reassemble assembly we're
00:39:24
producing is high enough that we can reuse existing tools
00:39:28
for our a. is an address i know every cent of thousands imitation we have to use a
00:39:32
of some different tricks to get the overhead down so low enough level that enabled us to ah
00:39:39
to be very efficient ah i can i i would be happy to go into more detail after questions for me
00:39:46
i know another advantage of our system is that as soon as you produce
00:39:51
one binary this is not just the ones that approach would be getting hatchback
00:39:56
right so we can we can view right the binary once we can add ah some code we
00:40:01
can rewrite the binary get an existing techniques have to draw back that he had a an exponential explosion
00:40:08
every time you out of binary modification you doubled or tripled the
00:40:13
binary socks which if you do this multiple times obviously but just explode
00:40:18
and you always have to to for x. overhead as we don't have
00:40:22
or had a next up with some for a faulty seed is indistinguishable
00:40:26
rachel transformation we see that we can actually use this to
00:40:31
um to actually push the fussing boundary and enable more efficient
00:40:37
low level binary instrumentation to get fussing to binary only code uh and this is just
00:40:43
been except it's sure ah the actually supports you want security privacy yesterday or two days ago
00:40:51
uh i would like to end whereas the last piece of work or we're looking at
00:40:56
two in the peripheral testing and this is another of the forcing frontiers that we're exploring
00:41:04
forcing software itself is easy or somewhat easy but how do you force hardware
00:41:14
you cannot easily create arbitrary harder that allows you to feed in arbitrary data
00:41:22
and if you think about it if you've ever written a
00:41:24
device driver device drivers are written by by people or someone's
00:41:30
conservative i'm trying to be safe i'd you're expecting certain
00:41:35
input from the hardware side you're trying to protect against malicious hard of you're
00:41:41
trying to make hardware work but you're not trying to protect against english is harder
00:41:45
also by you at certain security checks you cannot test them
00:41:51
because it is fundamentally difficult to create arbitrary harder that would feed in this input
00:41:58
and we have looked at u. s. b. devices they are
00:42:04
every single device or many of the devices that
00:42:06
you're carrying your phones york are laptops your smarts of
00:42:11
whatever i would to devices they all have a lot of his
00:42:14
beeper connectors and you can connect or u. s. b. peripherals to that
00:42:19
now the u. s. b. interface is is a very broad attack surfaced
00:42:24
that allows you to feed in arbitrary interprets it now as an attacker
00:42:30
if you have access to a device you no longer get immediate access to the underlying system
00:42:36
right in the city since the invention of use p. m. for frosted make quite a bit of progress the uh
00:42:43
phones are locked down our computers are locked down you're using of trip to disgusting trips all
00:42:50
our date on this and actually get access to the data you need to log in and authenticate
00:42:56
only if you log fingerprint that's your your password or oh
00:43:02
your yours yours marquee you're allowed to log in access your data
00:43:07
now
00:43:09
they use the peripheral interface exposes part of the kernel to an outsider
00:43:16
hacker but doesn't necessarily want to log and any bug in this peripheral interface
00:43:22
a lawsuit hacker to arbitrarily comp or compromised operating system kernel and thereby take over the system
00:43:28
gaining control of all your your data and your your keys and everything else
00:43:35
an interesting lead the wispy stack and a lot of the software
00:43:38
stacks written in the in the mid nineties on is very different from
00:43:44
and we started looking at how to flaws and secure to test
00:43:48
its use beeper for interface we didn't want to create arbitrary devices and
00:43:53
while we could use it i could use a grad student accused plotting imploding out these devices it somewhat on
00:43:59
practical doesn't necessarily scale i to be looked at something more clever that allowed us to steal this much for
00:44:05
so we've taken the linux kernel reefs thrown it into a t. v. m. b. virtual listed
00:44:11
and it's actually develop take needs to have a detail page coverage in the linux kernel and uh
00:44:17
use address then it ties are kept colonel addison advice to enforcement received on top of that
00:44:23
uh we thought the fake u. s. b. device that's particularly
00:44:26
interface that allows us to feed data into the linux system
00:44:31
written input generator oh i added the use remote agent keeps track of
00:44:36
the of the execution of the code and use coverage information from this
00:44:42
ah from this part in the kernel that feeds back the data into the input generation actions
00:44:49
um does run this for two or three weeks
00:44:52
and you may have read that
00:44:55
of google
00:44:57
for android enter from box microsoft and apple have recently
00:45:02
disabled o. u. s. p. access whenever you're not logged in
00:45:07
as it turns out there's a large amount of all abilities in these parts of the code
00:45:14
and we found around sixty linux kernel one abilities out of which thirty six
00:45:21
at least are high severity and would have allowed us to arbitrarily compromise the uh
00:45:27
linux kernel address space and overwrite arbitrary data in these parts
00:45:33
interesting story be sent an email to the linux security carnal lust
00:45:39
and said he found a set of one or both he's in the uh in the code that is fairly alls
00:45:46
four minutes later we got a reply from the most hormones and said hey
00:45:51
this is actually a a big deal you need to look at this be
00:45:54
a lot of this call this report is really old and we need to
00:45:57
fix this ah you've since been working with the uh the linux security team ions
00:46:04
oh that's some of my students and myself are now linux kernel developers which is
00:46:09
a nice thing to add on on your c. and we've worked and helped fix
00:46:14
many of these underlying one abilities menu of which require
00:46:17
view writing certain parts of the linux u. s. p. stack
00:46:21
and some of these vulnerabilities are him very very deep in these uh in the softer sex very hard to mitigate
00:46:27
but it's an interesting new frontier that you're looking at and this
00:46:32
is the research we're pushing for to go to this or that
00:46:37
so let me summarise the the talk of about security testing hard to reach code
00:46:43
first thing is the modern i'm very effective way to automatically test programs for security violations but
00:46:49
find crashes enabling us to find box that could
00:46:54
be exploited inborn abilities before an attacker can do
00:46:59
the key idea of your focusing on is that this
00:47:01
is the resource oriented probe of probable optimising forced to put
00:47:06
and are using coverage information to guide mutation and to explore certain new parts in the cup
00:47:13
if quickly talked about three different projects for t.
00:47:16
forcing the transformer to forcing decor ideas to mutate both
00:47:20
the code and the inputs together so that you can
00:47:24
guide the execution of certain areas if you were interested
00:47:28
for director writer focusing on the efficiency pedigree riding
00:47:31
and combining standing binary instrumentation is compiler based instrumentation
00:47:37
four years before saying we've reached and started looking
00:47:41
at enabling fussing of peripherals to explore these new frontiers
00:47:46
i miss that i would like to thank you for your attention and i'm happy
00:47:49
to take any questions about software testing but also mitigation it's thank you very much
00:48:03
thanks a lot which are questions
00:48:10
it's
00:48:20
uh huh argo a research ah what are the limitations on the solutions or the
00:48:25
moment ah with regards to programming models ah and the blanket one machine or code
00:48:34
for for which projects to one in the process of forty plus the the
00:48:39
current implementation focuses and sorted one sixty four bit code on a linux or
00:48:45
it's a it's a research prototype if there's industry interested in applying its to other areas
00:48:51
a group is perfectly happy to tell you the station right but ah doesn't
00:48:56
have any assumption about the compiler being
00:48:59
used to ah but ah operational semantics
00:49:04
so it the original t. pausing approach focuses on on
00:49:09
x. eighty six code so we're looking at machine code
00:49:13
you can take whatever you want anything which applies to x. eighty
00:49:16
six yeah it kind either that a local programming short protocol example
00:49:22
it goes down to the third ears pierced some limitations to the especially in the in the binary rewriting of
00:49:29
because we're targeting t. c. c.'s but we may want to take this often because it gets very technical very quickly
00:49:35
um but in general you can take any arbitrary x. eighty six okay thank models on some a. v. i. restrictions
00:49:45
working
00:49:47
i'm just down from his lap and we were going to centralise didn't distributes its its structure i
00:49:56
um for us doesn't really difficult because lots of different regions talking protocol
00:50:03
and find hard to imagine you just a few it's you get down to the e.
00:50:10
yeah yeah you're next yeah you're gonna come around us shore up so with asians you mean
00:50:19
distributor components but uh each of the each of which was their own network stack and so on
00:50:25
yeah um interesting linger actually looking at fussing coyote systems with a large amounts of
00:50:31
different interconnected i. t. systems which is somewhat similar to the problem that you're looking at
00:50:36
um beef build an emulation platform that allows you to instantiate
00:50:41
sure let me go using more assumptions in the programs i've but it allows us to instantiate certain state
00:50:48
off different i. t. systems and then enable them to connect and talk to each other
00:50:53
as part of the of the simulation slash annotation for ah but it gets more challenging especially
00:51:00
v. do you have to give your of the of the h. i.
00:51:03
any for the a. p. i. n. interactions with each other on it and
00:51:09
triggering deep code is a very challenging problem t. fussing is one approach
00:51:13
to do this that allows us to simply do do the audio protracted
00:51:18
you'll be fussing approach of remove hundred both parts of the program and
00:51:21
force execution don't last oh this is only one way of doing this
00:51:26
in in alternate work you're looking at making forcing a g. i. there
00:51:33
it's a t. fussing i it depends on the scale right
00:51:35
and the complexity he fussing works really well for medium complex
00:51:40
a complex code think of it if you want to force one particular
00:51:43
module in a complex system is it or you'll be using t. for us
00:51:47
if you have multiple modules that are connected with each other you want to
00:51:51
know d. a. t. i. that these different modules used to communicate with each other
00:51:57
uh so what you've looked at as if you bought the full system analysis that
00:52:00
allows us to abstract and learn d. h. c. i. between all the different components
00:52:06
partially street static analysis where we analysed accorded how detractors
00:52:10
each other partially using some form of run time tracing
00:52:13
and this is one part where we're working with the the
00:52:15
who android security team at learning because it's a fixed constrained environment
00:52:21
the you're looking at a whiskey the different libraries how to connect with each other
00:52:26
and you're learning the h. i. how all these different parts and components play with each other
00:52:32
we can then use this information to instantiate a
00:52:35
mock environment that has to say that is actually required
00:52:40
to drive execution into this particular component so using the knowledge from
00:52:45
the earlier learning face to instantiated focus on a particular component now
00:52:51
uh as i said the scale forty first thing we can use it to explore a certain component
00:52:57
eight guy either as is required to explore the large state space
00:53:01
of multiple modules are workings each other different ones because obviously talk more
00:53:07
just a common to all the people from industry fussing works to listen to them
00:53:12
just the edge really does work and it's already worth investing i haven't actually seen yeah um
00:53:18
we need your decoding uh protocols or whatever that's where you get lots on your system you
00:53:24
can already get go get them right just posing is incredibly simple and i think the the main
00:53:32
aspect of fussing that allows it to get so much traction is that it's very easy to set up
00:53:38
by symbolic execution informal proving has the potential to go much further
00:53:43
it requires a lot of people understanding of the components and
00:53:47
a lot of the knowledge that the program actually asked was fussing
00:53:51
any developer can set of uh fussing can any two or three hours to get a couple of the low hanging fruits and then as
00:53:57
soon as you start customising and focusing on you put code more
00:54:00
complex code you have to invest more resources but it's a gradual approach
00:54:04
right it isn't very low learning curve and allows you
00:54:08
to quickly reap ah any following box thank you other questions
00:54:16
we're question
00:54:18
actually i have one record on so obviously ah
00:54:24
i just to a tree traditionally the most urgent need
00:54:28
in the most high priority you serve i'll fussing has been you know i'm six languages like c. plus plus
00:54:35
but an increasing amount of ooh code is getting in now slightly newer languages
00:54:41
like java i go and that's a functional languages where the yeah our order the
00:54:47
ah facts the utility and the challenges for
00:54:51
adapting these techniques for ah for less archaic languages
00:54:57
for first off i think you're living in a different world than i am um i i don't
00:55:02
i see massive amounts of code being written in c. in c. plus plus even nowadays
00:55:06
uh you we outpacing the the other safe code is really
00:55:12
a lot of new code is written in in other languages
00:55:15
sure just looking at the commits in indexes sixteen c. plus plus code project it it's faster what we can
00:55:23
can i so i will never run out of work right so that that said
00:55:27
oh on the low level and there's a large amount of bucks to be found
00:55:30
now to answer your question how does this is solution apply to other
00:55:35
uh other systems uh and save languages uh i think you may have rusted mind java
00:55:40
javascript ice and other kind of seconds first of these are all implemented in low level languages
00:55:46
i see the compilers one time systems uh another mechanisms or implement a low
00:55:50
level languages for what are the other part is you're working must policies i ideally
00:55:59
i've only scratched is in in one slide at the beginning right talked about the two aspects you need standardisation
00:56:04
and we need a a mechanism to drive execution just certain areas
00:56:09
standardisation part enables us to test for certain security hey
00:56:13
in c. in c. plus plus t. obvious example is memory
00:56:17
safety type safety and other aspects that these languages do not provide
00:56:22
ah but as soon as we move to say for languages on one project you're actually
00:56:27
looking at as part of the it guy analysis together is a is a good team is
00:56:31
to go beyond memory type safety and to look at i. h. p.
00:56:36
i. flow safety to think about it you you may want to um
00:56:40
to assure that the components that you have to find are used in the correct way so you have to first learn
00:56:47
of some formal specification it allows you to test for certain behaviour or you can use the specification all matter if you just
00:56:53
the the applications written seen c. plus plus or in a
00:56:57
in order high level languages they give you higher safety properties
00:57:01
so to to quickly answer your question if you look at other security
00:57:04
policies you can still use forcing to explore certain areas of the code
00:57:08
and then use other policies to well even even for example just
00:57:11
like searching finding weight of fuzz for assertion failures are a waste of
00:57:16
make assertions fair that seems to work in in any language and
00:57:19
get yeah pretty much yep yep thank you okay and any other questions

Share this talk: 

Conference Program

09:23
Welcome address
Martin Vetterli, President of EPFL
June 6, 2019 · 9:48 a.m.
1566 views
08:50
Introduction
James Larus, Dean of IC School, EPFL
June 6, 2019 · 9:58 a.m.
127 views
06:56
Introduction
Jean-Pierre Hubaux, IC Research Day co-chair
June 6, 2019 · 10:07 a.m.
228 views
53:50
Adventures in electronic voting research
Dan Wallach, Professor at Rice University, Houston, USA
June 6, 2019 · 10:14 a.m.
45:42
When foes are friends: adversarial examples as protective technologies
Carmela Troncoso, Assistant Professor at EPFL
June 6, 2019 · 11:09 a.m.
170 views
02:09
Low-Latency Metadata Protection for Organizational Networks
Ludovic Barman, LCA1|DeDiS, EPFL
June 6, 2019 · noon
148 views
02:14
Interactive comparison-based search, and who-is-th.at
Daniyar Chumbalov, INDY 1, EPFL
June 6, 2019 · 12:06 p.m.
137 views
02:21
Decentralized, Secure and Verifiable Data Sharing
David Froelicher, LCA1|DeDiS, EPFL
June 6, 2019 · 12:09 p.m.
103 views
02:18
Communication Efficient Decentralised Machine Learning
Anastasia Koloskova, MLO, EPFL
June 6, 2019 · 12:11 p.m.
736 views
01:46
Detecting the Unexpected via Image Resynthesis
Krzysztof Lis, CVLab, EPFL
June 6, 2019 · 12:14 p.m.
188 views
02:14
Sublinear Algorithms for Graph Processing
Aida Mousavifar, THL4, EPFL
June 6, 2019 · 12:16 p.m.
880 views
02:23
Protecting the Metadata of Your Secret Messages
Kirill Nikitin, DEDIS, EPFL
June 6, 2019 · 12:18 p.m.
344 views
01:55
Teaching a machine learning algorithm faster
Farnood Salehi, INDY 2, EPFL
June 6, 2019 · 12:21 p.m.
570 views
02:08
Secure Microarchitectural Design
Atri Bhattacharyya, PARSA/HexHive, EPFL
June 6, 2019 · 12:23 p.m.
3535 views
57:33
Security testing hard to reach code
Mathias Payer, Assistant Professor at EPFL
June 6, 2019 · 1:50 p.m.
297 views
01:04:22
[via Skype] Flash Boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges
Ari Juels, Professor at Cornell Tech
June 6, 2019 · 2:49 p.m.
498 views
04:28
Best Research Presentation Award Ceremony
Bryan Ford, Jean-Pierre Hubaux, Deirdre Rochat, EPFL
June 6, 2019 · 3:54 p.m.
212 views

Recommended talks

41:46
A story of unification: from Apache Spark to MLflow
Reynold Xin, Databricks
June 12, 2019 · 9:15 a.m.
1271 views
20:42
Learning to Segment 3D Linear Structures Using Only 2D Annotations
Dr. Mateusz Kozinski, EPFL
April 19, 2018 · 11:33 a.m.
349 views