
Latest papers from the 2023 IEEE Security and Privacy Workshops (SPW)

DISV: Domain Independent Semantic Validation of Data Files
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00020
Ashish Kumar, B. Harris, Gang Tan
Data format specification languages such as PDF or HTML have been used extensively for exchanging structured data over the internet. While receivers of data files (e.g., PDF viewers or web browsers) perform syntax validation of files, validating deep semantic properties has not been systematically explored in practice. However, data files that violate semantic properties may cause unintended effects on receivers, such as causing them to crash or creating security breaches, as recent attacks showed. We present our tool DISV (Domain Independent Semantic Validator). It includes a declarative specification language for users to specify semantic properties of a data format. It also includes a validator that takes a data file together with a property specification and checks if the file follows the specification. We demonstrate a rich variety of properties that can be verified by our tool using eight case studies over three data formats. We also demonstrate that our tool can be used to detect advanced attacks on PDF documents.
Citations: 1
ESPwn32: Hacking with ESP32 System-on-Chips
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00033
Romain Cayre, Damien Cauquil, Aurélien Francillon
In this paper, we analyze the ESP32 from a wireless security perspective. We reverse engineer the hardware and software components dedicated to Bluetooth Low Energy (BLE) on the ESP32 and ANT protocol on Nordic Semiconductors' nRF chips. Exploiting this, we then implement multiple attacks on the repurposed ESP32 targeting various wireless protocols, including ones not natively supported by the chip. We make link-layer attacks on BLE (fuzzing, jamming) and cross-protocol injections, with only software modifications. We also attack proprietary protocols on commercial devices like keyboards and ANT-based sports monitoring devices. Finally, we show the ESP32 can be repurposed to interact with Zigbee or Thread devices. In summary, we show that accessing low-level, non-documented features of the ESP32 can allow possibly compromised devices to mount attacks across many IoT devices.
Citations: 0
Research Report: Synthesizing Intrusion Detection System Test Data from Open-Source Attack Signatures
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00023
Jared Chandler, Adam Wick
Intrusion Detection Systems (IDS) act as a first line of defense for network infrastructure by identifying malicious traffic and reporting it to administrators. Signature-based IDS identify this traffic by attempting to parse packets according to user-supplied rules based on well-known examples of bad traffic. However, test data can be difficult to come by (due to its sensitive nature) which makes evaluating new rules difficult. In this work we discuss the limitations of an existing SMT-based synthesis approach to automatically generating malicious network traffic. We then present a survey of how IDS rules are written in practice using an open-source corpus of over 30,000 rules and discuss a road-map towards extending the existing approach with the goal of generating security test data characterizing a broad range of threats, as well as ancillary uses assisting users in writing IDS rules and identifying IDS implementation bugs. Finally, we share early results from an evaluation of one such extension which successfully generated IDS test data for over 90% of the rules evaluated.
Citations: 0
Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00038
Tom van Goethem, Iskander Sánchez-Rola, W. Joosen
The key security principles that browsers adhere to, such as the same-origin policy and site isolation, ensure that when visiting a potentially untrusted website, the web page is loaded in an isolated environment. These security measures aim to prevent a malicious site from extracting information about cross-origin resources. However, in recent years, several techniques have been discovered that leak potentially sensitive information from responses sent by other sites. In this paper, we show that these XS-Leaks can be used to force an unwitting visitor to detect prevalent web vulnerabilities in other websites during a visit to a malicious web page. This lets an adversary leverage the computing and network resources of visitors and send malicious requests from a large variety of trustworthy IP addresses originating from residential networks. Finally, we find that currently deployed security measures are inadequate to thwart the realistic threat of cross-origin vulnerability detection.
Citations: 0
Towards Simultaneous Attacks on Multiple Cellular Networks
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00040
Alexandra Ross, Bradley Reaves
Cellular network attack research has dramatically expanded its capabilities in the last decade, but threat models routinely assume an attacker who targets a single cell with a small number of moderately-priced software defined radios. In many settings, such as mass crowd surveillance, attackers seek to gain passive or active dominance over a given area that is virtually always served by multiple cells and network operators. To do so, the only method publicly available is to naively duplicate their hardware at extensive cost. This paper presents a preliminary analysis of the feasibility of using a single software defined radio to surveil multiple networks simultaneously. Our key insight is that an attacker is often interested in only a portion of transmissions in a cell, and by design cellular transmissions are rigidly and predictably scheduled. Our system, Intercellular, rapidly schedules a single radio to tune between cells, effectively multiplexing the downlink channels of cells together. We demonstrate that radio tuning time is quite low (around 100ms), radio clocks are sufficiently stable to skip synchronization when retuning, and that even when monitoring multiple cells a radio can quite accurately count the devices served by all cells under observation. In so doing, we open new research directions advancing the efficiency and broad applicability of cellular network attacks.
Citations: 0
Corpus-wide Analysis of Parser Behaviors via a Format Analysis Workbench
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00024
Pottayil Harisanker Menon, Walt Woods
As the number of parsers written for a data format grows, the number of interpretations of that format's specification also grows. Often, these interpretations differ in subtle, hard-to-determine ways that can result in parser differentials – where one input passed to two parsing programs results in two semantically different behaviors. For example, two widely-used HTTP parsers have been shown to process packet headers differently, allowing for the exfiltration of private files. To help find, diagnose, and mitigate the risks of parser differentials, we present the Format Analysis Workbench (FAW), a collection of tools for collecting information on large numbers of parser/input interactions and analyzing those interactions to detect and explain differentials. This tool suite supports any number of file formats through a flexible configuration, allows for processing to be scaled horizontally, and can be run offline. It has been used for results including the analysis of more than 1 million PDF files and unifying parser behaviors across these files to identify a gold standard of validity across multiple parsers. The included statistical tools have been used to identify the root causes of parser rendering differentials, including mislabeled non-embedded fonts. Tools for instrumenting existing parsers are also included, such as PolyTracker, allowing for the analysis of blind spots which might be used to craft differentials for other parsers, or to exfiltrate large quantities of data. Through allowing users to characterize parser behaviors at scale against large corpuses of inputs, the FAW helps to mitigate security risks arising from parser behaviors by making it tractable to resolve examples of differentials back to their behavioral causes.
Citations: 0
Divergent Representations: When Compiler Optimizations Enable Exploitation
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00035
A. Kellas, Alan Cao, Peter Goodman, Junfeng Yang
Compiler optimizations can introduce unexpected security weaknesses in programs. In this paper, we introduce a newly discovered form of optimization-introduced security weakness that can benefit attackers, called divergent representations. We show that when divergent representations appear near vulnerabilities, they can enable attackers to create more powerful exploits. We provide a case study of a publicly disclosed SQLite CVE that becomes exploitable because of a divergent representation. We show that divergent representations are prevalent in software by searching for code patterns that may produce divergent representations, and found candidate patterns in 44% of scanned repositories.
Citations: 0
Emoji shellcoding in RISC-V
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00028
Hadrien Barral, Georges-Axel Jaloyan, D. Naccache
Shellcodes are short, executable code fragments that are utilized in various attack scenarios where code execution is possible. When they are injected through the program's inputs, they may need to be validated by filters, the most common of which is a restriction on the allowed character set. This paper explains how to design RISC-V shellcodes capable of running arbitrary code whose UTF-8 representation uses only Unicode emojis. Our approach to this problem is inspired by code-reuse attacks and involves the use of small, reusable code snippets called gadgets. By chaining these gadgets together, we are able to build a shellcode that can bypass the constraints imposed by filters, making it more versatile and effective in a wider range of attack scenarios.
Citations: 0
Go or No Go: Differential Fuzzing of Native and C Libraries
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00036
A. Sorniotti, Michael Weissbacher, Anil Kurmus
In little more than a decade, Go has become one of the most popular programming languages in use today. It is a statically-typed, compiled language with spatial and temporal memory safety achieved by way of strong typing, automatically inserted bounds checks, and a mark-and-sweep garbage collector. Go developers can make immediate use of a large set of native libraries, whether shipped as part of the runtime or available to be imported from community code. Alternatively, Go developers can directly link to C/C++ libraries, which can be called from Go sources thanks to cgo functionality. Factors that go into this decision are stability, performance, and availability. As a result, developers have a choice between Go native libraries or non-native code. However, today there is little understanding of how to consider security implications in this decision. Our work is the first to investigate security implications of choosing between native and non-native libraries for Go programs. We first investigate to what extent popular GitHub projects make use of cgo, revealing that this choice is in fact quite popular. We then design and build a differential fuzzer that can compare native and C/C++ implementations of the same functionality. We implement the fuzzer and test its effectiveness on four popular packages (libcrypto, libpng, libssl, and libz), describing the results and highlighting their security impact. Finally, we present two real-world case studies (anti-virus evasion, including the anti-virus scanner included in Gmail, plus a Certificate Transparency case study) and discuss how our differential fuzzer discovered implementation differences with security impact. Our work has led to changes in Golang zlib which have since shipped.
Citations: 0
Automatically Detecting Variability Bugs Through Hybrid Control and Data Flow Analysis
Pub Date : 2023-05-01 DOI: 10.1109/SPW59333.2023.00022
Kelly Kaoudis, Henrik Brodin, E. Sultanik
Subtle bugs that only manifest in certain software configurations are notoriously difficult to correctly trace. Sometimes called Heisenbugs, these runtime variability flaws can result from invoking undefined behavior in languages like C and C++, or from compiler flaws. In this paper, we present a novel analysis technique for detecting and correctly diagnosing variability bugs' impact on a program through comparing control-affecting data flow across differently compiled program variants. Our UBet prototype dynamically derives a runtime control flow trace while tracing universal data flow for a program processing a given input, operating at a level of tracing completeness not achievable through similar dynamic instrumentation means. Sans compiler bugs or undefined behavior, every compile-time program configuration (i.e., compiler flags vary) should be semantically equivalent. Thus, any input for which a program variant produces inconsistent output indicates a variability bug. Our analysis compares control-affecting data flow traces from disagreeing program version runs to identify related input bytes and determine where in the program the processing variability originates. Though we initially demonstrate our technique on C++ variability bugs in Nitro, the American Department of Defense NITF (National Imagery Transmission Format) reference implementation parser, our approach applies equally to other programs and input types beyond NITF parsers. Finally, we sketch a path toward completing this work and refining our analysis, including evaluating parsers of other input formats.
Citations: 0
Journal
2023 IEEE Security and Privacy Workshops (SPW)