From Ancient to Modern: Diagnosing Root Cause of Software Vulnerabilities from Unexpected Crashes

Presented at DEF CON China 1.0 (2019), June 2, 2019, noon (45 minutes).

Despite the best efforts of developers, software inevitably contains flaws that may be leveraged as security vulnerabilities. Modern operating systems integrate various security mechanisms to prevent software faults from being exploited. To bypass these defenses and hijack program execution, an attacker therefore needs to mutate an exploit constantly and make many attempts. During these attempts, the exploit triggers a security vulnerability and makes the running process terminate abnormally.

After a program has crashed and terminated abnormally, it typically leaves behind a snapshot of its crashing state in the form of a core dump. While a core dump carries a large amount of information and has long been used for software debugging, it barely serves as an informative debugging aid for locating software faults, particularly memory corruption vulnerabilities. As such, previous research has mainly relied on fully reproducible execution tracing to identify the software vulnerabilities behind crashes. However, such techniques are usually impractical for complex programs. Even for simple programs, the overhead of full tracing may only be acceptable during in-house testing.

In this talk, we will introduce a reverse execution technique that takes a core dump as input, reversely executes the corresponding crashing program and automatically pinpoints the vulnerable site (the root cause) hidden behind the crash. While performing reverse execution, our technique typically encounters uncertainty (e.g., uncertain control or data flow), which significantly limits its ability to identify vulnerabilities. To tackle this problem, we augment the technique with a deep recurrent neural network, which gives reverse execution the ability to perfectly infer the control and data flow leading up to the program crash. To demonstrate the utility of this technique, we have already used it to analyze hundreds of crashes pertaining to more than 300 CVEs and successfully pinpointed the vulnerable site corresponding to each crash. Along with this talk, we will release the tool developed from our technique and make it publicly available.
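To make the idea of reverse execution from a core dump concrete, here is an added toy example; it is not the speakers' tool and does not reproduce their method. It assumes a constructed five-instruction machine, a constructed straight-line program (so there is no control-flow uncertainty to resolve) and a `Crash` exception standing in for the core dump. Walking backwards from the crash state, it inverts each instruction where that is possible, marks a location `UNKNOWN` where the instruction destroyed information (a `mov` that clobbers a register, a `store` that overwrites memory), and follows a backward data-flow slice from the faulting address to the instruction that first consumed unchecked external data. The speakers' technique uses a recurrent neural network to resolve such uncertainty; this toy merely makes it visible.

```python
"""Toy reverse execution from a crash snapshot (constructed illustration)."""

UNKNOWN = None  # a value that cannot be recovered while walking backwards

# Constructed instruction set: ("mov", dst, imm) ("copy", dst, src)
# ("add", dst, src) ("load", dst, addr_reg) ("store", addr_reg, src)
PROGRAM = [
    ("mov", "r0", 0x2000),   # 0: r0 = address of the input buffer
    ("load", "r1", "r0"),    # 1: r1 = attacker-supplied word, never validated
    ("mov", "r2", 8),        # 2: r2 = field offset
    ("add", "r1", "r2"),     # 3: r1 += 8
    ("copy", "r3", "r1"),    # 4: r3 = derived pointer
    ("mov", "r4", 0x41),     # 5: clobbers r4 (its old value is lost)
    ("store", "r0", "r4"),   # 6: overwrites the input buffer in memory
    ("load", "r5", "r3"),    # 7: dereference: faults when r3 is unmapped
]
MAPPED = {0x2000}  # the only mapped address in this toy address space


class Crash(Exception):
    """Stands in for the core dump: faulting pc plus register/memory snapshot."""
    def __init__(self, pc, regs, mem):
        self.pc, self.regs, self.mem = pc, dict(regs), dict(mem)


def run(program, mem):
    """Forward interpreter; raises Crash on an access to unmapped memory."""
    regs = {f"r{i}": 0 for i in range(6)}
    for pc, (op, a, b) in enumerate(program):
        if op == "mov":
            regs[a] = b
        elif op == "copy":
            regs[a] = regs[b]
        elif op == "add":
            regs[a] += regs[b]
        else:  # load / store
            addr = regs[a] if op == "store" else regs[b]
            if addr not in MAPPED:
                raise Crash(pc, regs, mem)
            if op == "load":
                regs[a] = mem[addr]
            else:
                mem[addr] = regs[b]
    return regs, mem


def reverse_execute(program, crash):
    """Walk backwards from the crash. Returns (states, root_pc): states[pc] is
    the reconstructed state *before* instruction pc (UNKNOWN where the
    instruction destroyed information); root_pc is the instruction that first
    consumed the faulting address from outside the program (backward slice)."""
    regs, mem = dict(crash.regs), dict(crash.mem)
    op, a, b = program[crash.pc]
    tracked = {a if op == "store" else b}  # register holding the bad address
    origin, states = {}, {}
    for pc in range(crash.pc - 1, -1, -1):
        op, a, b = program[pc]
        # 1) backward slice: swap a defined location for the locations it came from
        if op == "mov" and a in tracked:
            tracked.discard(a)                     # a program constant: trail ends
        elif op == "copy" and a in tracked:
            tracked.discard(a); tracked.add(b)
        elif op == "add" and a in tracked:
            tracked.add(b)
        elif op == "load" and a in tracked:
            tracked.discard(a); tracked.add(b)     # the address register matters too
            cell = ("mem", regs[b])                # ("mem", None) if address unknown
            tracked.add(cell); origin[cell] = pc
        elif op == "store" and ("mem", regs[a]) in tracked:
            tracked.discard(("mem", regs[a])); tracked.add(b)
        # 2) invert the instruction's effect on the concrete state
        if op == "mov":
            regs[a] = UNKNOWN                      # old register value overwritten
        elif op == "copy":
            regs[b], regs[a] = regs[a], UNKNOWN
        elif op == "add":
            known = regs[a] is not UNKNOWN and regs[b] is not UNKNOWN
            regs[a] = regs[a] - regs[b] if known else UNKNOWN
        elif op == "load":
            val, regs[a] = regs[a], UNKNOWN
            if regs[b] is not UNKNOWN:
                mem[regs[b]] = val                 # the cell held val at this point
        elif op == "store":
            if regs[a] is UNKNOWN:                 # unknown target: every cell suspect
                mem = {k: UNKNOWN for k in mem}
            else:
                if regs[b] is UNKNOWN:
                    regs[b] = mem.get(regs[a], UNKNOWN)
                mem[regs[a]] = UNKNOWN             # previous content overwritten
        states[pc] = {"regs": dict(regs), "mem": dict(mem)}
    # cells still on the slice were never written by the program: the load that
    # consumed them is where unchecked external data entered
    external = [origin[loc] for loc in tracked if loc in origin]
    return states, (min(external) if external else None)


def diagnose(program=PROGRAM, input_word=0):
    """Run the constructed program on attacker-controlled input, then reverse."""
    try:
        run(program, {0x2000: input_word})
    except Crash as crash:
        states, root_pc = reverse_execute(program, crash)
        recovered = states[root_pc]["mem"][0x2000] if root_pc is not None else UNKNOWN
        return {"crash_pc": crash.pc, "root_pc": root_pc,
                "dump_input_cell": crash.mem[0x2000],
                "recovered_input_cell": recovered, "states": states}
    return None  # no crash


if __name__ == "__main__":
    report = diagnose()
    print({k: v for k, v in report.items() if k != "states"})
```

Running `diagnose()` shows the two points the abstract makes: the dump holds `0x41` in the input cell because the program overwrote it after the fact, yet inverting the `add` and `load` recovers the original input word `0`, while `r4` before instruction 5 stays `UNKNOWN` because nothing constrains it. The slice stops at instruction 1, the unchecked load that turned external data into a pointer.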


Presenters:

  • Xinyu Xing - Assistant Professor, Penn State University. Research Scientist, JD.com
    Dr. Xinyu Xing is an Assistant Professor at the Pennsylvania State University and is currently working at JD Inc. as a visiting researcher. His research interests include exploring, designing and developing tools to automate vulnerability discovery, failure reproduction, vulnerability diagnosis (and triage), and exploit and security patch generation. He has been a speaker at BlackHat USA, BlackHat Europe and many academic conferences (e.g., USENIX Security and CCS). He has also received best paper awards from academic conferences such as CCS and ACSAC. His work has been featured by many mainstream media outlets, such as Technology Review, New Scientist and the NYTimes. He was also the organizer of the NSA memory corruption forensics competition. xingxinyu1983 (wechat) http://xinyuxing.org (personal site)
  • Jimmy Su - Head of security center, JD.com Silicon Valley
    Dr. Jimmy Su leads the JD security research center in Silicon Valley. He joined JD in January 2017. Before joining JD, he was the director of advanced threat research at FireEye Labs. He led the research and development of multiple world-leading security products at FireEye, including network security, email security, mobile security, fraud detection, and endpoint security. He led a global team including members from the United States, Pakistan, and Singapore from research to product release on FireEye's first machine-learning-based malware similarity analysis cloud platform. This key technology advance was released on all core FireEye products, including network security, email security, and mobile security. He won the Q2 2016 FireEye innovation award for his seminal work on similarity analysis. He earned his PhD in Computer Science at the University of California, Berkeley in 2010. After graduating, he joined Professor Dawn Song's team as a postdoc focusing on similarity analysis of x86 and Android applications. In 2011, he joined Professor Song in the mobile security startup Ensighta, leading the research and development of its automatic malware analysis platform. Ensighta was acquired by FireEye in December 2012, and he joined FireEye through the acquisition. The JD security research center in Silicon Valley focuses on seven areas: account security, APT detection, bot detection, data security, AI applications in security, big data applications in security, and IoT security.
