Beagle: Tracking System Failures for Reproducing Security Faults
Software vulnerabilities can be attributed to bugs inherent in the system. Several kinds of bugs introduce faults, that is, departures from the system specification, which in turn lead to failures such as crashes, hangs, and panics. In this work we focus on security faults that manifest as crash-type failures. Reconstructing a system failure after the program has crashed is difficult. Much prior research has focused on detecting program errors and identifying their root causes, either by static analysis or by observing run-time behaviour through dynamic program instrumentation. Our goal is a tool that helps isolate such bugs. The tool is called BEAGLE (Bug-tracking by Execution Auditing from Generated Logs and Errors). BEAGLE periodically takes checkpoints of the stack of the executing program. If the software crashes, the search can be narrowed to the latest checkpoint and from there the precise corrupt site inferred. Once the site of control-state corruption is identified, tainted-input analysis determines whether the system is exploitable, that is, whether attacker-supplied input passes through the corrupt site unmodified. Several case studies of corrupt-site detection and tainted-input analysis demonstrate the applicability of the tool.
Keywords: Dynamic Analysis; Software Wrapper; COTS; Vulnerability Testing; Control State Corruption
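The checkpoint-compare-taint workflow the abstract describes, reduced to a self-contained model. This is an added example and not BEAGLE's own code: it models one stack frame as a byte array (a 16-byte local buffer followed by the saved frame pointer and the saved return address; offsets, sizes and the sample pointer values are constructed assumptions), takes a checkpoint of the control state, runs a deliberately unbounded copy of attacker input over the frame, and then audits the frame against the checkpoint to find the first corrupted offset, map it back to the input byte that was copied there, and decide whether the return address now consists of input bytes that arrived unmodified. The helper names (`run_case`, `audit`, `report_*`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: a 16-byte local buffer followed by the saved
 * frame pointer and the saved return address (the "control state").
 * Layout and sizes are constructed for this example. */
#define BUF_LEN   16
#define FP_OFF    16
#define RET_OFF   24
#define FRAME_LEN 32

enum region { REGION_NONE, REGION_SAVED_FP, REGION_RET_ADDR };

struct frame      { uint8_t bytes[FRAME_LEN]; };
struct checkpoint { uint8_t bytes[FRAME_LEN]; };

struct report {
    int         corrupted;    /* control state differs from the checkpoint */
    size_t      first_off;    /* first corrupted frame offset (the corrupt site) */
    enum region region;       /* which control-state field that offset lies in */
    size_t      input_index;  /* input byte that landed on first_off (taint source) */
    int         ret_tainted;  /* return address now equals attacker-supplied bytes */
};

static void init_frame(struct frame *f)
{
    uint64_t fp  = 0x00007ffd1000ULL;   /* constructed sample values */
    uint64_t ret = 0x0000000000401234ULL;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + FP_OFF,  &fp,  sizeof fp);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}

/* Periodic stack checkpoint: snapshot the frame before untrusted data flows in. */
static void take_checkpoint(const struct frame *f, struct checkpoint *c)
{
    memcpy(c->bytes, f->bytes, FRAME_LEN);
}

/* Deliberately vulnerable: len is never checked against BUF_LEN, so input
 * spills into the saved frame pointer and return address. Capped at FRAME_LEN
 * only so the model array itself stays in bounds. */
static void vulnerable_copy(struct frame *f, const uint8_t *input, size_t len)
{
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(f->bytes, input, len);
}

static enum region region_of(size_t off)
{
    if (off >= RET_OFF) return REGION_RET_ADDR;
    if (off >= FP_OFF)  return REGION_SAVED_FP;
    return REGION_NONE;
}

/* Post-crash audit: diff the control state against the checkpoint (the local
 * buffer is expected to change, so it is skipped), locate the first corrupt
 * site, map it back to the input byte copied there, and test exploitability. */
static struct report audit(const struct checkpoint *c, const struct frame *f,
                           const uint8_t *input, size_t len)
{
    struct report r = {0, 0, REGION_NONE, 0, 0};
    for (size_t off = BUF_LEN; off < FRAME_LEN; off++) {
        if (f->bytes[off] != c->bytes[off]) {
            r.corrupted   = 1;
            r.first_off   = off;
            r.region      = region_of(off);
            r.input_index = off;        /* the copy started at frame offset 0 */
            break;
        }
    }
    /* Exploitable if the return address changed and every byte of it is the
     * input byte that was copied there unmodified. */
    if (r.corrupted && len >= FRAME_LEN &&
        memcmp(f->bytes + RET_OFF, c->bytes + RET_OFF, 8) != 0 &&
        memcmp(f->bytes + RET_OFF, input + RET_OFF, 8) == 0)
        r.ret_tainted = 1;
    return r;
}

/* checkpoint -> vulnerable copy -> audit, for one constructed input */
static struct report run_case(const uint8_t *input, size_t len)
{
    struct frame f; struct checkpoint c;
    init_frame(&f);
    take_checkpoint(&f, &c);
    vulnerable_copy(&f, input, len);
    return audit(&c, &f, input, len);
}

/* Constructed inputs: a benign one, a short overflow that only reaches the
 * saved frame pointer, and a crafted one that preserves the saved frame
 * pointer and lands attacker bytes exactly on the return address. */
static struct report report_benign(void)
{
    uint8_t in[10]; memset(in, 'A', sizeof in);
    return run_case(in, sizeof in);
}
static struct report report_fp_overflow(void)
{
    uint8_t in[20]; memset(in, 'A', sizeof in);
    return run_case(in, sizeof in);
}
static struct report report_ret_overwrite(void)
{
    struct frame pristine; uint8_t in[FRAME_LEN];
    init_frame(&pristine);
    memset(in, 'A', sizeof in);
    memcpy(in + FP_OFF, pristine.bytes + FP_OFF, 8);   /* keep saved fp intact */
    memset(in + RET_OFF, 0x42, 8);                     /* attacker-chosen return address */
    return run_case(in, sizeof in);
}

static void print_report(const char *name, struct report r)
{
    printf("%-14s corrupted=%d first_off=%zu region=%d input_index=%zu ret_tainted=%d\n",
           name, r.corrupted, r.first_off, (int)r.region, r.input_index, r.ret_tainted);
}

int main(void)
{
    print_report("benign", report_benign());
    print_report("fp_overflow", report_fp_overflow());
    print_report("ret_overwrite", report_ret_overwrite());
    return 0;
}
```

The benign case leaves the control state identical to the checkpoint; the 20-byte overflow is detected with the corrupt site at offset 16 (saved frame pointer, fed by input byte 16) but is not flagged as exploitable because the return address is untouched; the crafted input is detected at offset 24 and flagged exploitable because the new return address is byte-for-byte the attacker's input.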