Model Checking for Binaries - Semantic Scholar

Model Checking for Binaries
Mihai Christodorescu
University of Wisconsin

Virus Scanning
• Viruses
  – Likely to become a bigger problem in the future
• Virus scanners
  – Check binaries for each type of virus
  – Virus signatures

11/08/2001

Mihai Christodorescu - [email protected]

Page 2

Virus Scanners

[Diagram: an executable goes through "Scanning" into the Virus Scanning Engine, which asks "match?" against the Signature for Virus A, the Signature for Virus B and the Signature for Virus C, and outputs Clean/Infected. "Update": a New Virus D adds a Signature for Virus D.]

Virus Scanner Limitations
• Signatures are sequences of instructions
  – Small changes to infected program do not trigger a match

Virus Signature:
    mov [eax + 0Ch], ebx
    mul edx, [ebp + FFh]
    add ebp, 2

Infected Program:
    mov [eax + 0Ch], ebx
    nop
    mul edx, [ebp + FFh]
    test ebx
    beqz next
next:
    add ebp, 2

[Diagram label between the two listings: match]

Is It Really A Problem?
• Yes!
  – Virus writers are getting smarter
  – Viruses are better at hiding themselves

[Diagram: a block labelled "Virus Decryption" followed by a scrambled body ("irodV uCes") yields "Virus Code"; a "Replicate" step leads to another "Virus Decryption" block followed by a scrambled body ("irodV uCes").]

What to do?
• Build a better mouse trap!
• Better detection tool
  – Use static analysis information
  – More flexible

=> Smart Virus Scanner

Demo 1, Demo 2, Demo 3

Smart Virus Scanner
1. Build a model of the virus code
  – Blueprint of virus behavior
2. Verify that program does not match the blueprint
• More powerful

Smart Virus Scanner Example

Virus Signature:
    mov [eax + 0Ch], ebx
    mul edx, [ebp + FFh]
    add ebp, 2

Virus Model [diagram; labels in order]:
    Irrelevant instruction
    mov [eax + 0Ch], ebx
    Irrelevant instruction
    mul edx, [ebp + FFh]
    Irrelevant instruction
    add ebp, 2

Smart Virus Scanner Example

Virus Model [diagram; labels in order]:
    Irrelevant instruction
    mov [eax + 0Ch], ebx
    Irrelevant instruction
    mul edx, [ebp + FFh]
    Irrelevant instruction
    add ebp, 2

Program to be checked:
    mov [eax + 0Ch], ebx
    nop
    mul edx, [ebp + FFh]
    test ebx
    beqz next
next:
    add ebp, 2
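The contrast between the plain signature and the virus model on the slides above, as an added example (not code from the talk or its tooling). It runs a contiguous-signature scan and a model scan over the slides' program. The `is_irrelevant` predicate, the `NO_WRITE` set and the `CLOBBERED` sample are assumptions: a crude register-name check standing in for the alias/points-to analysis the talk says should identify irrelevant instructions.

```python
import re

# Signature and program to be checked, both as shown on the slides.
SIGNATURE = ["mov [eax + 0Ch], ebx", "mul edx, [ebp + FFh]", "add ebp, 2"]
INFECTED = """
    mov [eax + 0Ch], ebx
    nop
    mul edx, [ebp + FFh]
    test ebx
    beqz next
next:
    add ebp, 2
"""
# Constructed sample: the inserted instruction overwrites ebp, which the
# signature reads afterwards, so it is not "irrelevant".
CLOBBERED = "mov [eax + 0Ch], ebx\nxor ebp, ebp\nmul edx, [ebp + FFh]\nadd ebp, 2"

NO_WRITE = {"nop", "test", "cmp", "beqz"}  # assumed to write no register or memory
REGS = re.compile(r"\be(?:[abcd]x|[sd]i|[bs]p)\b")
SIG_REGS = set(REGS.findall(" ".join(SIGNATURE)))

def parse(listing):
    """Normalize whitespace; drop blank lines and labels such as 'next:'."""
    lines = (" ".join(line.split()) for line in listing.splitlines())
    return [line for line in lines if line and not line.endswith(":")]

def is_irrelevant(ins):
    """Hypothetical stand-in for alias/points-to analysis: an instruction is
    irrelevant if it writes neither memory nor a register the signature uses."""
    mnemonic, _, operands = ins.partition(" ")
    if mnemonic in NO_WRITE:
        return True
    dest = operands.split(",")[0]
    return "[" not in dest and not (set(REGS.findall(dest)) & SIG_REGS)

def naive_match(program):
    """Classic scanner: the signature must appear as a contiguous run."""
    n = len(SIGNATURE)
    return any(program[i:i + n] == SIGNATURE for i in range(len(program) - n + 1))

def model_match(program):
    """Virus model: irrelevant instructions loop on the current state."""
    state = 0  # number of signature instructions matched so far
    for ins in program:
        if ins == SIGNATURE[state]:
            state += 1
            if state == len(SIGNATURE):
                return True
        elif not is_irrelevant(ins):
            state = 1 if ins == SIGNATURE[0] else 0
    return False
```

The scan is a linear sweep over the listing and ignores the branch target, so it illustrates the matching idea only, not control-flow-aware checking.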

Model Checking
• Technique for checking program properties
• Build a “model program” that obeys the property
• Compare the program against the model

Model Checking

[Diagram: Security Policy P is turned into a Security Automaton for P; Program A is turned into an Abstract Representation of A; the two are compared ("Match?") to give Yes/No.]

Security Automaton proposed by [Schneider 1999].

Model Checking
• Security Automaton
  – For policy “Always release a resource after acquiring it.”

[Diagram: automaton with states S0 and S1; edge labels Acquire, Release, Other, Other.]

Model Checking
• Abstract Representation

[Diagram: graph of a sample program; node labels recovered from the slide: x = read_input(), y=0, z = 2 * PI, result = undefined, read_input(), x>0?, result = compute( x, y, z ), z=0, write_output( result ).]
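An added example (not code from the talk) of checking an abstract program representation against the security automaton for “Always release a resource after acquiring it.” It explores the product of a small control-flow graph and the automaton, intra-procedurally, and returns a violating path if one exists. Assumptions: the diagram is read as S0 --Acquire--> S1 --Release--> S0 with Other looping on both states, transitions the diagram does not show are treated as violations, and the CFGs and node names are constructed.

```python
from collections import deque

# Security automaton as read from the slide (assumed reading, see lead-in).
DELTA = {("S0", "acquire"): "S1", ("S1", "release"): "S0",
         ("S0", "other"): "S0", ("S1", "other"): "S1"}

# Constructed CFG: one branch of "test" reaches the exit without releasing.
CFG = {"entry": ["lock"], "lock": ["test"], "test": ["work", "exit"],
       "work": ["unlock"], "unlock": ["exit"], "exit": []}
EVENTS = {"lock": "acquire", "unlock": "release"}  # unlisted nodes are "other"
FIXED = dict(CFG, test=["work", "unlock"])         # both branches release

def check(cfg, events, entry, exits):
    """Breadth-first search over (CFG node, automaton state) pairs.

    Returns None if every path obeys the policy, otherwise the shortest
    violating path as a list of (node, automaton state before the node)."""
    start = (entry, "S0")
    parent = {start: None}
    queue = deque([start])
    while queue:
        node, state = cur = queue.popleft()
        nxt = DELTA.get((state, events.get(node, "other")))
        # Violation: no transition defined, or exit with the resource held.
        if nxt is None or (node in exits and nxt != "S0"):
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for succ in cfg.get(node, []):
            if (succ, nxt) not in parent:
                parent[(succ, nxt)] = cur
                queue.append((succ, nxt))
    return None

def violating_nodes(cfg):
    """Convenience wrapper: node names on the violating path, or None."""
    path = check(cfg, EVENTS, "entry", {"exit"})
    return None if path is None else [node for node, _ in path]
```

Because each (node, state) pair is visited once, loops in the CFG terminate and the search cost is bounded by nodes times automaton states.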

Model Checking for Binaries

[Diagram: Binary → Disassemble: IDA Pro (+ SDK plugins) → Assembly Code → Analyze: Transducer (on top of CodeSurfer static analysis engine) → Abstract Representation → Verify: Model Checker, which also takes the Security Automaton for P → OK/Failed.]

Current Status
• Transducer
  – Works on sequences of instructions (basic blocks) to build the abstract representation
  – Uses only the static analysis information provided by CodeSurfer

Current Status
• Model Checker
  – Intra-procedural only

[Diagram: Procedure P and Procedure Q, with the label "Not used!"]

Static Analysis and Model Checking
• More (precise) information from static analysis can enhance model checking
• Smart Virus Scanner
  – “irrelevant” instructions - better identified by alias/points-to analysis

Future Directions
• Context-sensitive model checking
• Better static analyses
• Model checking for component systems

References
• Schneider, F.B. Enforceable Security Policies. TR99-1759, July 27, 1999.
• Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. Checking System Rules Using System Specific, Programmer-Written Compiler Extensions. In Proceedings of the Fourth Symposium on Operating Systems Design and Implementation, San Diego, CA, October 2000. http://citeseer.nj.nec.com/engler00checking.html