ZH
Uploaded byZhen Huang
PPTX, PDF84 views

Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response (S&P'2016)

1) Security workarounds (SWRRs) aim to rapidly neutralize software vulnerabilities without introducing new bugs, by leveraging existing error handling mechanisms to disable vulnerable code. 2) An evaluation of SWRRs on 5 Linux applications found they could neutralize 53% of vulnerabilities unobtrusively, which is over 2 times as many as configuration workarounds alone. 3) The Talos tool automatically generates SWRRs by analyzing source code to identify error handling patterns and adding minimal instrumentation, requiring low developer effort. SWRRs introduce an average 1.3% runtime overhead.

Software
Related topics:
Software Security

Embed presentation

Download to read offline
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response Zhen Huang, Mariana D’Angelo, Dhaval Miyani, David Lie Department of Electrical and Computer Engineering University of Toronto
Drawbacks of Patching • Patching is the usual way to fix a vulnerability. • There often exists a delay between the discovery of a vulnerability and the release of its patch, a pre-patch window. 2 Discover a vulnerability Apply the patchRelease the patch pre-patch window Attackers can exploit the vulnerability!
Pre-patch Window • Our study on 131 recent vulnerabilities shows that the delay is significant. – five popular Linux server applications • 33.3% of them were patched 30 days after their discovery. A recent study indicates similar result [1]. 3 1. “A large scale exploratory analysis of software vulnerability life cycles”, ICSE 2012 52 days delay on average!
Cause of Pre-patch Window • We study bug reports to understand the time spent on each step of releasing a patch. • The complexity of constructing a correct patch is the major cause. – We found bug reports for 21 of the 131 vulnerabilities: 89% of time was spent in constructing the patch for those took more than one day to patch. – 9 of them took between two to six attempts to patch correctly. 4 vulnerability triage constructing a patch regression testingconstructing a patch Multiple attempts of patching (Quotes from a bug report) The developer: “This updates the previous patch...” .... The developer: “This patch builds on the previous one...” .... .... The tester: “I’m afraid I found a bug...”
Configuration Workarounds • To address the pre-patch window, users often resort to configuration workarounds. – leverage existing configuration settings to neutralize vulnerabilities 5 2. CVE-2014-0226. Workaround disclosed on mail-archives.apache.org. status module [2] apache HTTP server malicious request sensitive datarequest rejected
Weakness of Configuration Workarounds • However, configuration workarounds have poor coverage. • Our study on 182 vulnerabilities indicates that only 25.2% of them have configuration workarounds. – four Linux server applications and two Windows client applications (IE and Office) 6 The vast majority of vulnerabilities do not have configuration workarounds!
Security Workarounds for Rapid Response (SWRR) • SWRRs address the drawbacks of patching and configuration workarounds. • Objectives of SWRR: – security: neutralize vulnerabilities rapidly without introducing new bugs or vulnerabilities – coverage: cover many more vulnerabilities than configuration workarounds – low cost: apply to existing applications with minimum engineering effort 7
Example of an SWRR • An SWRR neutralizes a vulnerability by disabling the execution of vulnerable code. • The mechanism is simple but effective. 8 int foo(...) { .... // vulnerable code .... } int foo(...) { return error_code; .... // vulnerable code .... } SWRR
SWRR Deployment Developers can choose two deployment modes. 1. In-place SWRRs – pre-installed into an application – deactivated by default – users can activate them on the fly – can cause runtime overhead 2. Patch-based SWRRs – issued after vulnerabilities are discovered – users need to install them – no runtime overhead 9 unprotected protected by SWRR vulnerable
SWRR Reduces Pre-patch Window Full Patch In-place SWRR Patch-based SWRR SWRR eliminates these steps! • Different approaches to addressing a vulnerability
Challenges of SWRR • How to disable code execution safely? – Applications should continually run with minimum loss of functionality. – An SWRR should be unobtrusive, i.e. not causing loss of major functionality. • How to minimize human effort in generating SWRRs? 11
Error-Handling Mechanism • The existing error-handling mechanism can be leveraged to address the challenges. 12 • Readily available • Designed for unexpected situations • Can be identified using static code analysis int http_request_parse(...) { if (0 != request_check_hostname(...)) { return 0; // error-handling } .... } int request_check_hostname(...) { if (invalid_hostname) return -1; // error-handling lighttpd web server
Leverage Existing Error Code • The error code used by SWRR must be recognized by the application. 13 unsigned char* base64_decode(...) { return 0; // SWRR // vulnerable code .... } int http_auth_basic_check(...) { if (!base64_decode(...) ) { return 0; // error-handling } …. lighttpd web server
Identify Existing Error Code • Some approaches to identifying error code: – Common libraries or API functions have documentation, but most code in an application does not. – Asking developers to annotate error code for each function is tedious and time-consuming. • Instead we use heuristics to identify error code via static analysis. 14
Using Heuristics 15 Error-logging heuristic NULL return heuristic List of functions that return error code Propagate error code via info on call chains Augmented list of functions that return error code
Evaluation • Our prototype, Talos, mechanically generates and instruments SWRRs into an application. • Security, coverage, and overhead of SWRRs are evaluated using five popular Linux applications. – web servers: apache and lighttpd – web cache/proxy: squid – ftp server: proftpd – database management: sqlite 16
Security • Do SWRRs successfully neutralize vulnerabilities? • Are SWRRs unobtrusive, i.e. not causing loss of major functionality? • We analyze effectiveness and unobtrusiveness of SWRR for 11 real-world vulnerabilities. – All vulnerabilities are successfully neutralized by SWRRs. – 8 SWRRs are unobtrusive. 17 Detailed analysis of each vulnerability and its SWRR is presented in our paper.
Coverage • What is the percentage of vulnerabilities that can be neutralized with an unobtrusive SWRR? • We estimate coverage on vulnerabilities with coverage on application code and tested 320 SWRRs. 18 0.00% 20.00% 40.00% 60.00% 80.00% SWRR Configuration Workaround Obtrusive Unobtrusive 2.1x of configuration workarounds!
Overhead • We measure the increased code size and runtime overhead for in-place SWRRs. • On average, Talos adds 2% of code and causes an application to incur 1.3% of runtime overhead. 19
Conclusion • SWRRs can neutralize 53% of potential vulnerabilities unobtrusively, which is 2.1x of configuration workarounds. • SWRRs can be used just like configuration workarounds with a small 1.3% runtime overhead. • Talos mechanically generates and instruments SWRRs into existing applications, requiring minimum developer effort. 20
Thank You! contact: z.huang@mail.utoronto.ca 21
Error-logging Heuristic • We note that error-handling code often logs occurred errors. • Look for a call to error logging function, followed by a return of constant 22 if (name == NULL) { // apache’s error logging function ap_log_error(...., “Internal Error....”); // indicate error to caller return APR_EBADF; apache web server Developers annotate where they are declared
NULL Return Heuristic • A function that returns a pointer usually returns NULL to indicate an error. 23 Expr *sqlite3Expr(...) { .... return sqlite3ExprAlloc(...); } static int multiSelectOrderBy(...) { .... Expr *pNew = sqlite3Expr(...); if (pNew==0) return SQLITE_NOMEM; } sqlite3 database server
Error Propagation Heuristic • Many times the error code is propagated up/down the call chain. • There are three different error propagations: – Direct error propagation – Translated error propagation – Inferred error propagation 24
Direct Error Propagation • A caller directly use its callee’s return value as its own return value. 25 int config_insert_values_global(...) { .... return config_insert_values_internal(...); } int config_insert_values_internal(...) { if (...) { log_error_write(...); return -1; Callee returns -1 on error Caller must return -1 on error lighttpd web server
Translated Error Propagation • An error code can be translated before it is passed up the call chain. 26 SETDEFAULTS_FUNC (mod_secdownload_set_defaults) { .... if (0 != config_insert_values_global(...)) { return HANDLER_ERROR; } .... } Callee returns -1 on error lighttpd web server Caller must return HANDLER_ERROR on error
Inferred Error Propagation • The error code can be inferred down the call chain. 27 int http_request_parse (...) { .... if (0 != request_check_hostname(...)) { log_error_write(...); return 0; } lighttpd web server Callee must return non-zero on error Caller returns 0 on error
Indirect Heuristic • If a function does not have error-handling code, we disable it by disabling all its all callers. 28 foo() does not handle error funcB() handles error funcA() handles error
Talos • Talos has two phases: analyzing source code and instrumenting SWRRs. 29 Analyze Source Code Annotations Add SWRRs to Source CodeCall Graph Control Dependency Source Code with SWRRs Source Code

More Related Content

PDF
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
byenSilo
 
PPTX
Linux binary analysis and exploitation
byDharmalingam Ganesan
 
PDF
DEFCON 21: EDS: Exploitation Detection System WP
byAmr Thabet
 
PDF
Lesser Known Security Problems in PHP Applications
byZendCon
 
PPTX
Automated testing of NASA Software - part 2
byDharmalingam Ganesan
 
PPTX
java2days 2014: Attacking JavaEE Application Servers
byMartin Toshev
 
PPTX
DEFCON 21: EDS: Exploitation Detection System Slides
byAmr Thabet
 
ODP
Tracking vulnerable JARs
byDavid Jorm
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
byenSilo
 
Linux binary analysis and exploitation
byDharmalingam Ganesan
 
DEFCON 21: EDS: Exploitation Detection System WP
byAmr Thabet
 
Lesser Known Security Problems in PHP Applications
byZendCon
 
Automated testing of NASA Software - part 2
byDharmalingam Ganesan
 
java2days 2014: Attacking JavaEE Application Servers
byMartin Toshev
 
DEFCON 21: EDS: Exploitation Detection System Slides
byAmr Thabet
 
Tracking vulnerable JARs
byDavid Jorm
 

What's hot

PPTX
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
PPTX
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
byTechSecIT
 
PDF
Advanced System Security and Digital Forensics
byDr. Ramchandra Mangrulkar
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
PDF
Secure Coding in C/C++
byDan-Claudiu Dragoș
 
PDF
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
byWaratek Ltd
 
PPTX
STAR: Stack Trace based Automatic Crash Reproduction
bySung Kim
 
PDF
.NET for hackers
byAntonio Parata
 
PDF
CheapSCAte: Attacking IoT with less than $60
byRiscure
 
PDF
Software Reliability
byHilaire (Ananda) Perera P.Eng.
 
PPTX
PVS-Studio and static code analysis technique
byAndrey Karpov
 
PDF
Building world-class security response and secure development processes
byDavid Jorm
 
PPTX
Making Security Agile
byOleg Gryb
 
PPTX
AppSec California 2016 - Making Security Agile
byOleg Gryb
 
PPT
Automated Regression Testing for Embedded Systems in Action
byAANDTech
 
PDF
Towards Malware Decompilation and Reassembly
byMarcus Botacin
 
PPTX
Static analysis as means of improving code quality
byAndrey Karpov
 
PPTX
Automatically Generated Patches as Debugging Aids: A Human Study (FSE 2014)
bySung Kim
 
PPT
L27
byNathannyabvureMapisa
 
PDF
A Natural Language Programming Approach for Requirements-based Security Testing
byLionel Briand
 
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
byTechSecIT
 
Advanced System Security and Digital Forensics
byDr. Ramchandra Mangrulkar
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
Secure Coding in C/C++
byDan-Claudiu Dragoș
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
byWaratek Ltd
 
STAR: Stack Trace based Automatic Crash Reproduction
bySung Kim
 
.NET for hackers
byAntonio Parata
 
CheapSCAte: Attacking IoT with less than $60
byRiscure
 
Software Reliability
byHilaire (Ananda) Perera P.Eng.
 
PVS-Studio and static code analysis technique
byAndrey Karpov
 
Building world-class security response and secure development processes
byDavid Jorm
 
Making Security Agile
byOleg Gryb
 
AppSec California 2016 - Making Security Agile
byOleg Gryb
 
Automated Regression Testing for Embedded Systems in Action
byAANDTech
 
Towards Malware Decompilation and Reassembly
byMarcus Botacin
 
Static analysis as means of improving code quality
byAndrey Karpov
 
Automatically Generated Patches as Debugging Aids: A Human Study (FSE 2014)
bySung Kim
 
L27
byNathannyabvureMapisa
 
A Natural Language Programming Approach for Requirements-based Security Testing
byLionel Briand
 

Similar to Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response (S&P'2016)

PPTX
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PPT
SoftwareSecurity.ppt
byssuserfb92ae
 
PDF
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
PDF
Remote file path traversal attacks for fun and profit
byDharmalingam Ganesan
 
PDF
Web Security
byKHOANGUYNNGANH
 
PPTX
Identifying & fixing the most common software vulnerabilities
byAlireza Aghamohammadi
 
PDF
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
PPT
Vulnerability Chaining; it’s all connected
byToby Kohlenberg
 
PDF
Building Your Application Security Data Hub - OWASP AppSecUSA
byDenim Group
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
byPriyanka Aash
 
PPTX
Real-World WebAppSec Flaws - Examples and Countermeasues
byvolvent
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
PDF
CNIT 127: Ch 18: Source Code Auditing
bySam Bowne
 
PDF
Web Application Penetration Tests - Vulnerability Identification and Details ...
byNetsparker
 
PDF
Finding Needles in Haystacks
bysnyff
 
PDF
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
byUltraUploader
 
PPTX
Matt carroll - "Security patching system packages is fun" said no-one ever
byDevSecCon
 
PDF
Making Web Development "Secure By Default"
byDuo Security
 
PDF
E gov security_tut_session_4_lab
byMustafa Jarrar
 
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
SoftwareSecurity.ppt
byssuserfb92ae
 
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
Remote file path traversal attacks for fun and profit
byDharmalingam Ganesan
 
Web Security
byKHOANGUYNNGANH
 
Identifying & fixing the most common software vulnerabilities
byAlireza Aghamohammadi
 
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
Vulnerability Chaining; it’s all connected
byToby Kohlenberg
 
Building Your Application Security Data Hub - OWASP AppSecUSA
byDenim Group
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
byPriyanka Aash
 
Real-World WebAppSec Flaws - Examples and Countermeasues
byvolvent
 
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
CNIT 127: Ch 18: Source Code Auditing
bySam Bowne
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
byNetsparker
 
Finding Needles in Haystacks
bysnyff
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
byUltraUploader
 
Matt carroll - "Security patching system packages is fun" said no-one ever
byDevSecCon
 
Making Web Development "Secure By Default"
byDuo Security
 
E gov security_tut_session_4_lab
byMustafa Jarrar
 

Recently uploaded

PDF
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
PDF
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
PDF
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
PPTX
Performance Testing Transformation - LTB 2024
byAlexander Podelko
 
PDF
Hyperon Chain – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
2025_11_19 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
A new Vision of Software Sustainability and its Engineering: Reflections and ...
byPatricia Lago
 
PDF
How Integrating Copilot and AI Agents in Microsoft Dynamics 365
byTechWize
 
PDF
Quantum TechDocs - Technology & Compliance.pdf
byietmsoftware1
 
PPTX
Top Benefits of Hiring a Mobile App Development Company in India
byDevherds software solution
 
PDF
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
PDF
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
PDF
Custom MGA Software Development: Better Apporach
byOpenkoda
 
DOCX
Open Source BI Tableau Alternatives You Can Trust.docx
byVarsha Nayak
 
PDF
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
PDF
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
PDF
virtual CISO service by Reflect Security
byreflectsecsol
 
PDF
A Complete Guide to Salesforce for Education.pdf
byVALiNTRY360
 
PDF
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
PPTX
Short Film Script Development Process HARMONIA
byzdolezalmedia
 
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
Performance Testing Transformation - LTB 2024
byAlexander Podelko
 
Hyperon Chain – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
2025_11_19 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
A new Vision of Software Sustainability and its Engineering: Reflections and ...
byPatricia Lago
 
How Integrating Copilot and AI Agents in Microsoft Dynamics 365
byTechWize
 
Quantum TechDocs - Technology & Compliance.pdf
byietmsoftware1
 
Top Benefits of Hiring a Mobile App Development Company in India
byDevherds software solution
 
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
Custom MGA Software Development: Better Apporach
byOpenkoda
 
Open Source BI Tableau Alternatives You Can Trust.docx
byVarsha Nayak
 
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
virtual CISO service by Reflect Security
byreflectsecsol
 
A Complete Guide to Salesforce for Education.pdf
byVALiNTRY360
 
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
Short Film Script Development Process HARMONIA
byzdolezalmedia
 

Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response (S&P'2016)

  • 1.
    Talos: Neutralizing Vulnerabilities withSecurity Workarounds for Rapid Response Zhen Huang, Mariana D’Angelo, Dhaval Miyani, David Lie Department of Electrical and Computer Engineering University of Toronto
  • 2.
    Drawbacks of Patching •Patching is the usual way to fix a vulnerability. • There often exists a delay between the discovery of a vulnerability and the release of its patch, a pre-patch window. 2 Discover a vulnerability Apply the patchRelease the patch pre-patch window Attackers can exploit the vulnerability!
  • 3.
    Pre-patch Window • Ourstudy on 131 recent vulnerabilities shows that the delay is significant. – five popular Linux server applications • 33.3% of them were patched 30 days after their discovery. A recent study indicates similar result [1]. 3 1. “A large scale exploratory analysis of software vulnerability life cycles”, ICSE 2012 52 days delay on average!
  • 4.
    Cause of Pre-patchWindow • We study bug reports to understand the time spent on each step of releasing a patch. • The complexity of constructing a correct patch is the major cause. – We found bug reports for 21 of the 131 vulnerabilities: 89% of time was spent in constructing the patch for those took more than one day to patch. – 9 of them took between two to six attempts to patch correctly. 4 vulnerability triage constructing a patch regression testingconstructing a patch Multiple attempts of patching (Quotes from a bug report) The developer: “This updates the previous patch...” .... The developer: “This patch builds on the previous one...” .... .... The tester: “I’m afraid I found a bug...”
  • 5.
    Configuration Workarounds • Toaddress the pre-patch window, users often resort to configuration workarounds. – leverage existing configuration settings to neutralize vulnerabilities 5 2. CVE-2014-0226. Workaround disclosed on mail-archives.apache.org. status module [2] apache HTTP server malicious request sensitive datarequest rejected
  • 6.
    Weakness of Configuration Workarounds •However, configuration workarounds have poor coverage. • Our study on 182 vulnerabilities indicates that only 25.2% of them have configuration workarounds. – four Linux server applications and two Windows client applications (IE and Office) 6 The vast majority of vulnerabilities do not have configuration workarounds!
  • 7.
    Security Workarounds forRapid Response (SWRR) • SWRRs address the drawbacks of patching and configuration workarounds. • Objectives of SWRR: – security: neutralize vulnerabilities rapidly without introducing new bugs or vulnerabilities – coverage: cover many more vulnerabilities than configuration workarounds – low cost: apply to existing applications with minimum engineering effort 7
  • 8.
    Example of anSWRR • An SWRR neutralizes a vulnerability by disabling the execution of vulnerable code. • The mechanism is simple but effective. 8 int foo(...) { .... // vulnerable code .... } int foo(...) { return error_code; .... // vulnerable code .... } SWRR
  • 9.
    SWRR Deployment Developers canchoose two deployment modes. 1. In-place SWRRs – pre-installed into an application – deactivated by default – users can activate them on the fly – can cause runtime overhead 2. Patch-based SWRRs – issued after vulnerabilities are discovered – users need to install them – no runtime overhead 9 unprotected protected by SWRR vulnerable
  • 10.
    SWRR Reduces Pre-patchWindow Full Patch In-place SWRR Patch-based SWRR SWRR eliminates these steps! • Different approaches to addressing a vulnerability
  • 11.
    Challenges of SWRR •How to disable code execution safely? – Applications should continually run with minimum loss of functionality. – An SWRR should be unobtrusive, i.e. not causing loss of major functionality. • How to minimize human effort in generating SWRRs? 11
  • 12.
    Error-Handling Mechanism • Theexisting error-handling mechanism can be leveraged to address the challenges. 12 • Readily available • Designed for unexpected situations • Can be identified using static code analysis int http_request_parse(...) { if (0 != request_check_hostname(...)) { return 0; // error-handling } .... } int request_check_hostname(...) { if (invalid_hostname) return -1; // error-handling lighttpd web server
  • 13.
    Leverage Existing ErrorCode • The error code used by SWRR must be recognized by the application. 13 unsigned char* base64_decode(...) { return 0; // SWRR // vulnerable code .... } int http_auth_basic_check(...) { if (!base64_decode(...) ) { return 0; // error-handling } …. lighttpd web server
  • 14.
    Identify Existing ErrorCode • Some approaches to identifying error code: – Common libraries or API functions have documentation, but most code in an application does not. – Asking developers to annotate error code for each function is tedious and time-consuming. • Instead we use heuristics to identify error code via static analysis. 14
  • 15.
    Using Heuristics 15 Error-logging heuristic NULLreturn heuristic List of functions that return error code Propagate error code via info on call chains Augmented list of functions that return error code
  • 16.
    Evaluation • Our prototype,Talos, mechanically generates and instruments SWRRs into an application. • Security, coverage, and overhead of SWRRs are evaluated using five popular Linux applications. – web servers: apache and lighttpd – web cache/proxy: squid – ftp server: proftpd – database management: sqlite 16
  • 17.
    Security • Do SWRRssuccessfully neutralize vulnerabilities? • Are SWRRs unobtrusive, i.e. not causing loss of major functionality? • We analyze effectiveness and unobtrusiveness of SWRR for 11 real-world vulnerabilities. – All vulnerabilities are successfully neutralized by SWRRs. – 8 SWRRs are unobtrusive. 17 Detailed analysis of each vulnerability and its SWRR is presented in our paper.
  • 18.
    Coverage • What isthe percentage of vulnerabilities that can be neutralized with an unobtrusive SWRR? • We estimate coverage on vulnerabilities with coverage on application code and tested 320 SWRRs. 18 0.00% 20.00% 40.00% 60.00% 80.00% SWRR Configuration Workaround Obtrusive Unobtrusive 2.1x of configuration workarounds!
  • 19.
    Overhead • We measurethe increased code size and runtime overhead for in-place SWRRs. • On average, Talos adds 2% of code and causes an application to incur 1.3% of runtime overhead. 19
  • 20.
    Conclusion • SWRRs canneutralize 53% of potential vulnerabilities unobtrusively, which is 2.1x of configuration workarounds. • SWRRs can be used just like configuration workarounds with a small 1.3% runtime overhead. • Talos mechanically generates and instruments SWRRs into existing applications, requiring minimum developer effort. 20
  • 21.
  • 22.
    Error-logging Heuristic • Wenote that error-handling code often logs occurred errors. • Look for a call to error logging function, followed by a return of constant 22 if (name == NULL) { // apache’s error logging function ap_log_error(...., “Internal Error....”); // indicate error to caller return APR_EBADF; apache web server Developers annotate where they are declared
  • 23.
    NULL Return Heuristic •A function that returns a pointer usually returns NULL to indicate an error. 23 Expr *sqlite3Expr(...) { .... return sqlite3ExprAlloc(...); } static int multiSelectOrderBy(...) { .... Expr *pNew = sqlite3Expr(...); if (pNew==0) return SQLITE_NOMEM; } sqlite3 database server
  • 24.
    Error Propagation Heuristic •Many times the error code is propagated up/down the call chain. • There are three different error propagations: – Direct error propagation – Translated error propagation – Inferred error propagation 24
  • 25.
    Direct Error Propagation •A caller directly use its callee’s return value as its own return value. 25 int config_insert_values_global(...) { .... return config_insert_values_internal(...); } int config_insert_values_internal(...) { if (...) { log_error_write(...); return -1; Callee returns -1 on error Caller must return -1 on error lighttpd web server
  • 26.
    Translated Error Propagation •An error code can be translated before it is passed up the call chain. 26 SETDEFAULTS_FUNC (mod_secdownload_set_defaults) { .... if (0 != config_insert_values_global(...)) { return HANDLER_ERROR; } .... } Callee returns -1 on error lighttpd web server Caller must return HANDLER_ERROR on error
  • 27.
    Inferred Error Propagation •The error code can be inferred down the call chain. 27 int http_request_parse (...) { .... if (0 != request_check_hostname(...)) { log_error_write(...); return 0; } lighttpd web server Callee must return non-zero on error Caller returns 0 on error
  • 28.
    Indirect Heuristic • Ifa function does not have error-handling code, we disable it by disabling all its all callers. 28 foo() does not handle error funcB() handles error funcA() handles error
  • 29.
    Talos • Talos hastwo phases: analyzing source code and instrumenting SWRRs. 29 Analyze Source Code Annotations Add SWRRs to Source CodeCall Graph Control Dependency Source Code with SWRRs Source Code

Editor's Notes

  • #5 link to previous slide – we want to understand the cause, more explanations to quotes quotes – link to attempts of correct patch first try does not pass regression testing
  • #9 important to return an error code, explain later on
  • #10 we propose two SWRR deployment modes
  • #11 to understand how SWRRs can reduce the pre-patch window, we compare SWRR with full patch. As we can see, releasing a full patch consists of the steps of finding the location of the vulnerability, figuring out the cause of the vulnerability, constructing a patch, ensuring no functionality is broken with regression testing. And the users needs to download and install the patch. emphasize the skipping of three steps of full patch, talos icon
  • #13 Readily available: almost every decent application has error-handling code Designed for unexpected situations: safely allow an application to continually run after an error Can be identified using static code analysis: needs minimum aid from developers
  • #15 focus on the structure and purpose of the heuristics and how they fits together
  • #19 clarify on why basic coverage is reduced to effective coverage