Model Checking for Binaries
Mihai Christodorescu, University of Wisconsin
Virus Scanning
• Viruses
– Likely to become a bigger problem in the future
• Virus scanners
– Check binaries for each type of virus
– Virus signatures
11/08/2001
Mihai Christodorescu -
[email protected]
Page 2
Virus Scanners
[diagram: the Virus Scanning Engine checks the Executable being scanned against the Signature for Virus A, Virus B and Virus C (match?) and reports Clean/Infected; an Update adds the Signature for a new Virus D]
Virus Scanner Limitations
• Signatures are sequences of instructions
– Small changes to infected program do not trigger a match

Virus Signature:
    mov [eax + 0Ch], ebx
    mul edx, [ebp + FFh]
    add ebp, 2

Infected Program:
    mov [eax + 0Ch], ebx
    nop
    mul edx, [ebp + FFh]
    test ebx
    beqz next
next:
    add ebp, 2

[diagram: the signature is matched against the infected program; the inserted nop / test / beqz instructions break the match]
Is It Really A Problem?
• Yes!
– Virus writers are getting smarter
– Viruses are better at hiding themselves

[diagram: an infected binary carrying a Virus Decryption routine followed by encrypted Virus Code (drawn mirrored as "irodV uCes"); the decryption routine reveals the Virus Code, which replicates into a new copy of the decryption routine plus encrypted code]
What to do?
• Build a better mouse trap!
• Better detection tool
– Use static analysis information
– More flexible
=> Smart Virus Scanner
(Demo 1, Demo 2, Demo 3)
Smart Virus Scanner
1. Build a model of the virus code
– Blueprint of virus behavior
2. Verify that program does not match the blueprint
• More powerful
Smart Virus Scanner Example

Virus Signature:
    mov [eax + 0Ch], ebx
    mul edx, [ebp + FFh]
    add ebp, 2

Virus Model (diagram: the signature instructions in order, with an "Irrelevant instruction" self-loop before each of them):
    Irrelevant instruction
    mov [eax + 0Ch], ebx
    Irrelevant instruction
    mul edx, [ebp + FFh]
    Irrelevant instruction
    add ebp, 2
Smart Virus Scanner Example

Virus Model:
    Irrelevant instruction
    mov [eax + 0Ch], ebx
    Irrelevant instruction
    mul edx, [ebp + FFh]
    Irrelevant instruction
    add ebp, 2

Program to be checked:
    mov [eax + 0Ch], ebx
    nop
    mul edx, [ebp + FFh]
    test ebx
    beqz next
next:
    add ebp, 2

[diagram: nop, test ebx and beqz next are absorbed by the "Irrelevant instruction" self-loops, so the program matches the virus model]
Model Checking
• Technique for checking program properties
• Build a "model program" that obeys the property
• Compare the program against the model
Model Checking
[diagram: a Security Policy P is turned into a Security Automaton for P; a Program A is turned into an Abstract Representation of A; the two are compared (Match? Yes/No)]
Security Automaton proposed by [Schneider 1999].
Model Checking
• Security Automaton
– For policy "Always release a resource after acquiring it."
[diagram: states S0 and S1; S0 --Acquire--> S1, S1 --Release--> S0, and an "Other" self-loop on each state]
Model Checking
• Abstract Representation

Program:
    x = read_input()
    y = 0
    z = 2 * PI
    result = undefined
    if x > 0 then
        result = compute(x, y, z)
    else
        z = 0
        result = compute(x, y, z)
    write_output(result)

[diagram: the abstract representation keeps only the events relevant to the policy: read_input(), the branch x > 0?, compute(x, y, z) on each branch, and write_output(result)]
Model Checking for Binaries
[diagram of the tool chain:]
Binary
  --> Disassemble (IDA Pro + SDK plugins)
  --> Assembly Code
  --> Analyze (Transducer, on top of CodeSurfer static analysis engine)
  --> Abstract Representation
  --> Verify (Model Checker, against the Security Automaton for P)
  --> OK/Failed
Current Status
• Transducer
– Works on sequences of instructions (basic blocks) to build the abstract representation
– Uses only the static analysis information provided by CodeSurfer
Current Status
• Model Checker
– Intra-procedural only
[diagram: Procedure P calls Procedure Q; the body of Q is "Not used!" by the checker]
Static Analysis and Model Checking
• More (precise) information from static analysis can enhance model checking
• Smart Virus Scanner
– "irrelevant" instructions: better identified by alias/points-to analysis
Future Directions
• Context-sensitive model checking
• Better static analyses
• Model checking for component systems
References
• Schneider, F.B. Enforceable Security Policies. TR99-1759, July 27, 1999.
• Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. Checking System Rules Using System Specific, Programmer-Written Compiler Extensions. In Proceedings of the Fourth Symposium on Operating Systems Design and Implementation, San Diego, CA, October 2000. http://citeseer.nj.nec.com/engler00checking.html