Analyzing Stripped Device-Driver Executables
Gogul Balakrishnan (1), Thomas Reps (2)
(1) NEC Laboratories America, (2) University of Wisconsin
(Work done at University of Wisconsin)
Slide 2: Why Analyze Executables?
• Source code is not available
  – Windows drivers, libraries, viruses, worms, etc.
• Source-code analysis may miss bugs
  – WYSINWYX phenomenon: What You See Is Not What You eXecute
• Better platform for finding security issues
  – Many exploits utilize particular quirks of a compiler
Slide 3: Device Driver Analysis
“. . . You must examine the object code to be sure it matches your expectations, or at least will work correctly in the kernel environment. . .”
(From a document on Microsoft’s WHDC website)
Slide 4: Device-Driver Analysis
• Device driver
  – like a library that exports procedures
  – each procedure: actions for an I/O request
    • e.g., the AddDevice routine, invoked by the OS when a new device is added
    • referred to as “dispatch routines”
• Windows Kernel API is complex
  – 85% of crashes in Windows due to driver bugs [Swift et al. 2005]
Slide 5: PendedCompletedRequested Rule (simplified version)
“A driver’s dispatch routine does not return STATUS_PENDING on an I/O Request Packet (IRP) if it has called IoCompleteRequest on the IRP.”
[Property-automaton figure: states START, COMPLETED and ERROR. Events: A = return value STATUS_PENDING (from START), B = return value STATUS_PENDING (from COMPLETED), D = IoCompleteRequest. D takes START to COMPLETED; B in COMPLETED leads to ERROR; * (any event) keeps ERROR in ERROR.]
Slide 6: PendedCompletedRequested Rule
“A driver’s dispatch routine does not return STATUS_PENDING on an I/O Request Packet (IRP) if it has called IoCompleteRequest on the IRP, unless it has also called IoMarkIrpPending.”
[Property-automaton figure: states START, PENDING, COMPLETED, PENDING COMPLETED and ERROR. Events: A and B = “return status STATUS_PENDING”, C = IoMarkPending (IoMarkIrpPending), D = IoCompleteRequest. C moves START to PENDING and COMPLETED to PENDING COMPLETED; D moves START to COMPLETED and PENDING to PENDING COMPLETED; B (returning STATUS_PENDING) from COMPLETED leads to ERROR, whereas A (returning STATUS_PENDING) from START or from the PENDING states is permitted by the rule; * = any event.]
Slide 7: DDA/x86: Device Driver Analyzer
Slides 8-11: [screenshots] SLAM Error Trace vs. DDA/x86 Error Trace (slide 8); SDV Error Trace vs. DDA/x86 Error Trace (slides 9-11)
Slide 12: Static Program-Analysis Tools
[Pipeline figure: Source code → Front end → CFG + call graph + other info → Analyzer box (IR construction, IR exploration), driven by a property specification → OK / Error report]
• Malicious-code detection
• Bug detection
• Policy adherence
Slide 13: Static Program-Analysis Tools
[Pipeline figure: Source code → Front end → CFG + call graph + other info → Analyzer box (Model construction, Model checking), driven by a property specification → OK / Error report]
Slide 14: Static Executable-Analysis Tools
[Pipeline figure: Executable → Memory-access analyzer → CFG + call graph + memory-access info → Analyzer box (IR recovery, IR exploration), driven by a property specification → OK / Error report]
Slide 15: Static Executable-Analysis Tools
[Pipeline figure: Executable → Memory-access analyzer → CFG + call graph + memory-access info → Analyzer box (Model extraction, Model checking), driven by a property specification → OK / Error report]
• Value-Set Analysis [CC04]
  – Combined pointer and numeric analysis
  – Information about memory accesses
• Variable recovery algorithm [VMCAI07]
  – Structure and type recovery
• Analyzes heap-allocated data
  – Recency-abstraction [SAS06]
Slide 16: Static Executable-Analysis Tools
[Same pipeline figure as slide 15: Executable → Memory-access analyzer → CFG + call graph + memory-access info → Analyzer box (Model extraction, Model checking) → OK / Error report]
Memory-safety violations!
• Access outside of activation record
• Access outside of malloc’ed block
• Call/jump to data
• Use of code as data
Slide 17: Memory-Access Analyzer
C source of a dispatch routine and the corresponding x86 assembly:

  int dispatch_routine(Irp) {
    int status;
    status = STATUS_PENDING;
    if(. . .) {
      Irp->Status = STATUS_SUCCESS;
      IoCompleteRequest(Irp);
      status = STATUS_SUCCESS;
    }
    return status;
  }

  proc dispatch_routine
      sub  esp, 4
      mov  [esp+0], STATUS_PENDING
      cmp  . . .
      jnz  L1
      mov  ecx, [esp+4]
      mov  [ecx+12], STATUS_SUCCESS
      push ecx
      call IoCompleteRequest
      mov  [esp+0], STATUS_SUCCESS
  L1: mov  eax, [esp+0]
      add  esp, 4
      retn
Slide 18: Memory-Access Analyzer (MAA)
• Analyze a (possibly stripped) executable E
  – Recover an Intermediate Representation (IR)
    • Identify the procedures, data objects (V), types, and libraries that it uses
• For each instruction I, compute “AbsEnv”
  – AbsEnv: V → 2^Values
  – Values: memory addresses or numeric values
  – 2^Values: use the “value-set” abstract domain [VMCAI07]
  – Distinguish inter-procedural contexts also
Slide 19: Device Extension Structure for “moufiltr” driver (Declaration in C Source vs. Structure in Executable)
[Figure: the C declaration lists fields of types PDEVICE_OBJECT, PDEVICE_OBJECT, PDEVICE_OBJECT, PI8042_QUEUE_PACKET, LONG, PVOID, PI8042_MOUSE_ISR, PI8042_ISR_WRITE_PORT, PVOID, CON_DATA.A, CON_DATA.B, DEVICE_POWER_STATE, BOOLEAN, BOOLEAN, BOOLEAN; the right-hand panel shows the same structure as it appears in the executable]
Slide 20: Device Extension Structure for “moufiltr” driver (Declaration in C Source vs. Structure identified by MAA)
[Figure: the same C declaration as on slide 19; MAA identifies twelve 4-byte fields (BYTE_4) followed by three 1-byte fields (BYTE), matching the layout of the declaration’s twelve 4-byte fields and three BOOLEAN fields]
Slide 21: Memory-Access Analyzer (MAA)
• Two aspects of AbsEnv
  • Pointer analysis
    – information about memory accesses
  • Numeric analysis
    – information about numeric contents of data objects
[dispatch_routine assembly as on slide 17]
Slide 22: API Usage Checking with Recovered IR
• IR recovery followed by automaton state propagation
[Pipeline figure: Executable → Memory-access analyzer → CFG + call graph + memory-access info → Analyzer, driven by a property specification → OK / Error report]
Slide 23: API Usage Checking with Recovered IR

  int dispatch_routine(...) {
    int status;
    status = STATUS_PENDING;
    if(...) {
      IoCompleteRequest();
      status = STATUS_SUCCESS;
    }
    return status;
  }

From the Memory-Access Analyzer: status ∈ {STATUS_PENDING, STATUS_SUCCESS}
Reachable automaton states: {START, COMPLETED}
[Automaton figure as on slide 5]
PendedCompletedRequest rule violated! (False Positive)
Slide 24: API Usage Checking with Recovered IR
• Combine IR recovery and state-space exploration
  – Feedback between phases can improve both
[Pipeline figure as on slide 22]
Slide 25: API Usage Checking with Recovered IR
[Pipeline figure: Executable → Memory-access and property analyzer, driven by a property specification → CFG + call graph + memory-access info → OK / Error report]
• Combine IR recovery and state-space exploration?
  – Feedback between phases can improve both
• ESP-like analysis [M. Das et al.]
• Qualify “AbsEnv” with property-automaton states
Slide 26: API Usage Checking with Recovered IR
[dispatch_routine and automaton figure as on slide 23]
AbsEnv qualified with automaton state:
  START: status ∈ {STATUS_PENDING}
  COMPLETED: status ∈ {STATUS_SUCCESS}
PendedCompletedRequest rule NOT violated!
Slide 27: API Usage Checking with Recovered IR
[dispatch_routine and automaton figure as on slide 23]
Actually, the above automaton does NOT provide sufficient fidelity to deal with all cases!
Slide 28: API Usage Checking with Recovered IR

  int dispatch_routine(...) {
    int status, c;
    c = 0;
    status = STATUS_PENDING;
    if(...) {
      status = STATUS_SUCCESS;
      c = 1;
    }
    if(c == 1) {
      IoCompleteRequest();
    }
    return status;
  }

(shown beside the dispatch_routine of slide 23, which completes the IRP and updates status in the same branch)
Slide 29: API Usage Checking with Recovered IR
[dispatch_routine of slide 28, automaton figure as on slide 5]
Qualified AbsEnv after the initialization: START: status ∈ {STATUS_PENDING}
Qualified AbsEnv after the first if: START: status ∈ {STATUS_PENDING, STATUS_SUCCESS}
Slide 30: API Usage Checking with Recovered IR
[dispatch_routine of slide 28, automaton figure as on slide 5]
Qualified AbsEnv at the return:
  START: status ∈ {STATUS_PENDING, STATUS_SUCCESS}
  COMPLETED: status ∈ {STATUS_PENDING, STATUS_SUCCESS}
PendedCompletedRequest rule violated! (False Positive)
Slide 31: StatusPending FSM
[FSM figure: states ST_UNKNOWN, ST_PENDING, ST_NOT_PENDING. Events: A = “status := x, where x ≠ STATUS_PENDING” (to ST_NOT_PENDING), B = “status := STATUS_PENDING” (to ST_PENDING), C = “status := ?” (to ST_UNKNOWN)]
Finding the status variable: “The local variable (if any) that is used to initialize the value of eax just before returning from the dispatch routine is the status-variable.”
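An added example, not code from the slides or from the DDA/x86 tool: a small Python model of the ESP-style checking described on slides 22-31, which qualifies a value-set environment with the simplified PendedCompletedRequested automaton state and, optionally, with the StatusPending FSM state. It runs over constructed AST encodings of the dispatch routines on slides 23 and 28; the AST shape, the join/run/check functions and the ST_* constants are assumptions of this example.

```python
PENDING, SUCCESS = "STATUS_PENDING", "STATUS_SUCCESS"             # status values
START, COMPLETED = "START", "COMPLETED"                             # PendedCompletedRequested automaton states
ST_UNKNOWN, ST_PENDING, ST_NOT_PENDING = "ST_UNKNOWN", "ST_PENDING", "ST_NOT_PENDING"  # StatusPending FSM

def join(a, b):
    """Join two qualified states: keys stay separate, value-sets are unioned per variable."""
    out = {k: dict(v) for k, v in a.items()}
    for k, env in b.items():
        cur = out.setdefault(k, {})
        for var, vals in env.items():
            cur[var] = cur.get(var, frozenset()) | vals
    return out
def run(state, block, use_sp):
    """Abstract state: {(automaton state, StatusPending state): {var: frozenset(values)}}."""
    for stmt in block:
        new = {}
        if stmt[0] == "if":               # ("if", cond, then_block); cond is "*" or ("eq", var, val)
            taken, fallthru = {}, {}
            for key, env in state.items():
                if stmt[1] == "*":
                    taken[key] = fallthru[key] = env
                else:                     # split the tested variable's value-set (it must be assigned earlier)
                    _, var, val = stmt[1]
                    for dst, vals in ((taken, env[var] & {val}), (fallthru, env[var] - {val})):
                        if vals: dst[key] = {**env, var: vals}
            new = join(run(taken, stmt[2], use_sp), fallthru)   # merge point: keys stay apart
        else:
            for (aut, sp), env in state.items():
                if stmt[0] == "assign":   # ("assign", var, value)
                    _, var, val = stmt
                    env = {**env, var: frozenset({val})}
                    if use_sp and var == "status":   # event B -> ST_PENDING, event A (x != STATUS_PENDING) -> ST_NOT_PENDING
                        sp = ST_PENDING if val == PENDING else ST_NOT_PENDING
                elif stmt[0] == "complete":          # IoCompleteRequest: event D, START -> COMPLETED
                    aut = COMPLETED
                new = join(new, {(aut, sp): env})
        state = new
    return state
def check(block, qualified=True, use_sp=False):
    """True if 'return status' at the end of block may return STATUS_PENDING after IoCompleteRequest."""
    state = run({(START, ST_UNKNOWN): {}}, block, use_sp)
    if not qualified:                     # collapse the per-state envs: reproduces the slide-23 verdict
        status = frozenset().union(*(env["status"] for env in state.values()))
        return any(aut == COMPLETED for aut, _ in state) and PENDING in status
    return any(aut == COMPLETED and PENDING in env["status"] for (aut, _), env in state.items())
SLIDE23 = [("assign", "status", PENDING),                           # constructed encoding of slide 23's routine
           ("if", "*", [("complete",), ("assign", "status", SUCCESS)])]
SLIDE28 = [("assign", "c", 0), ("assign", "status", PENDING),        # constructed encoding of slide 28's routine
           ("if", "*", [("assign", "status", SUCCESS), ("assign", "c", 1)]),
           ("if", ("eq", "c", 1), [("complete",)])]
```

With `qualified=False` the slide-23 routine is flagged (false positive); qualified by automaton state it is not, but the slide-28 routine still is, and only `use_sp=True` clears it while a routine that really returns STATUS_PENDING after IoCompleteRequest stays flagged.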
Slide 32: Extracting Counter-Example Traces
• Harness existing tracing facilities from Push-Down Systems (PDSs)
  – Build the PDS on-the-fly during property checking
    • Symbolic representation of the state space explored
  – Issue a reachability query on the PDS
  – Report a witness trace for a path to the error configuration
Slide 33: Results for “PendedCompletedRequested” Rule
[results table]
Slide 34: Summary
• Prototype tool to check device-driver executables
  – 2 bugs, 10 OK, 5 false positives
  – Reasonable running time
• Establishes that property checking of stripped executables is a promising direction
• What next?
  – Automatic abstraction refinement
    • Lazy Abstraction [Henzinger et al. POPL02], Property simulation [Das et al. PLDI02], Gulavani & Rajamani [TACAS06], . . .
  – Automatic counter-example validation
  – . . .
Slide 36: Backup Slides
Slide 37: References
G. Balakrishnan and T. Reps, “Analyzing memory accesses in x86 executables”, CC 2004, www.cs.wisc.edu/~reps/#cc04
T. Reps, G. Balakrishnan, J. Lim, and T. Teitelbaum, “A next-generation platform for analyzing executables”, APLAS 2005, www.cs.wisc.edu/~reps/#aplas05.invited
T. Reps, G. Balakrishnan, and J. Lim, “Intermediate-representation recovery from low-level code”, PEPM 2006, www.cs.wisc.edu/~reps/#pepm06.invited
G. Balakrishnan and T. Reps, “Recency-abstraction for heap-allocated storage”, SAS 2006, www.cs.wisc.edu/~reps/#sas06-recency
G. Balakrishnan and T. Reps, “DIVINE: DIscovering Variables IN Executables”, VMCAI 2007, www.cs.wisc.edu/~reps/#vmcai07.invited
Slide 38: Current State-of-the-Art: CodeSurfer/x86
• General platform for analyzing executables
• Tracks data movement through memory
  – including heap
• Does not rely on debugging information
• Gives information to build further analysis
  – like a compiler front-end plus some more
Slide 39: Basic Approach
• Recover an Intermediate Representation (IR) from the executable
  – IR similar to that built by a compiler
    • control-flow graph (w/ indirect jumps resolved)
    • call graph (w/ indirect calls resolved)
    • set of variables
    • values of pointers
    • used, killed, and possibly-killed variables for CFG nodes
    • data dependences
    • types of variables: base types, pointer types, structs, and classes
• Use the recovered IR for further analysis
Without Debugging Information!
Slide 40: Scope
• Programs that conform to a “standard compilation model”
  – procedures
  – activation records
  – global data region
  – heap, etc.
• Report violations
  – violations of stack protocol
  – return address modified within procedure
Slides 41-43: CodeSurfer/x86 Architecture
[Architecture figure, built up over three slides: Binary → IDAPro Disassembler → initial estimate of code vs. data, procedures, call sites, malloc sites → Memory-Access Analyzer (VSA: Binary Value-Set Analysis, and ASI) → fleshed-out CFGs, fleshed-out call graph, used/killed/may-killed variables for CFG nodes, points-to sets, reports of violations → CodeSurfer (builds SDG) → Security Analyzers, Decompiler, Binary Rewriter, User Scripts]