Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries
Juan Caballero and Stephen McCamant and Adam Barth and Dawn Song
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2009-36
March 6, 2009
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-36.pdf
Models of security-sensitive code enable reasoning about the security implications of code. In this paper we present an approach for extracting models of security-sensitive operations directly from program binaries, which lets third-party analysts reason about a program when the source code is not available. Our approach is based on string-enhanced white-box exploration, a new technique that improves the effectiveness of current white-box exploration techniques on programs that use strings, by reasoning directly about string operations, rather than about the individual byte-level operations that comprise them. We implement our approach and use it to extract models of the closed-source content sniffing algorithms of two popular browsers: Internet Explorer 7 and Safari 3.1. We use the generated models to automatically find recently studied content-sniffing XSS attacks, and show the benefits of string-enhanced white-box exploration over current byte-level exploration techniques.
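The following is an added illustration, not code from the report or from either browser: a constructed toy content sniffer (four ordered rules over the first 256 bytes; the window size, the rule literals and all function names are assumptions for this example and bear no relation to the actual IE7 or Safari algorithms) explored one path at a time. The point of the abstract that it makes concrete is the difference between a byte-level and a string-level path constraint. A naive `startswith`/`contains` check over a 256-byte window compiles to hundreds of per-byte comparisons, each a branch a byte-level explorer must reason about; keeping the constraint at the string level lets a path witness be built by string construction. The hand-rolled `solve` below is a deliberately simple constructive solver standing in for whatever string solver the report uses, and the final function reads the extracted paths the way the report reads its models: any path that ends in `text/html` for a non-HTML declared type is a content-sniffing candidate.

```python
"""Toy string-enhanced exploration of a constructed content sniffer.

Everything here is constructed for illustration. TOY_RULES is not the
IE7 or Safari sniffing algorithm; WINDOW is an assumed inspection size.
"""
from dataclasses import dataclass

WINDOW = 256  # bytes the toy sniffer inspects (assumption for this example)

# Ordered rules: (predicate kind, literal, resulting MIME type). The first
# matching rule wins; if none matches the declared type is kept.
TOY_RULES = [
    ("startswith", b"%PDF-", "application/pdf"),
    ("startswith", b"%!PS", "application/postscript"),
    ("contains", b"<html", "text/html"),
    ("contains", b"<script", "text/html"),
]


def toy_sniff(data: bytes, declared: str) -> str:
    """The program under analysis: a case-insensitive sniffer over the window."""
    head = data[:WINDOW].lower()
    for kind, lit, mime in TOY_RULES:
        if kind == "startswith" and head.startswith(lit.lower()):
            return mime
        if kind == "contains" and lit.lower() in head:
            return mime
    return declared


@dataclass(frozen=True)
class StrConstraint:
    """One string-level path condition: predicate(lit) must hold or must fail."""
    kind: str      # "startswith" or "contains"
    lit: bytes
    truth: bool


def holds(c: StrConstraint, data: bytes) -> bool:
    head = data[:WINDOW].lower()
    lit = c.lit.lower()
    ok = head.startswith(lit) if c.kind == "startswith" else lit in head
    return ok == c.truth


def solve(constraints):
    """Build a witness for a conjunction of string constraints, or None.

    Positive startswith constraints fix the prefix (and must agree), positive
    contains constraints are appended, and the candidate is then checked
    against every constraint, including the negated ones. Sound, not complete.
    """
    prefix = b""
    for c in constraints:
        if c.kind == "startswith" and c.truth:
            if prefix and not (prefix.startswith(c.lit) or c.lit.startswith(prefix)):
                return None  # two incompatible required prefixes
            prefix = c.lit if len(c.lit) > len(prefix) else prefix
    body = b"".join(c.lit for c in constraints if c.kind == "contains" and c.truth)
    candidate = prefix + body
    # Without a required prefix, also try a padded form so a negated
    # startswith does not reject a witness that merely needs an offset.
    candidates = [candidate] if prefix else [candidate, b"\n" + candidate]
    for cand in candidates:
        if len(cand) <= WINDOW and all(holds(c, cand) for c in constraints):
            return cand
    return None


def explore(declared="image/gif"):
    """Enumerate every path through toy_sniff with a witness input for each.

    Path i is "rules 0..i-1 did not match, rule i matched"; the last path is
    the fall-through where every rule failed. Each witness is re-executed
    on the sniffer to confirm it really takes the predicted path.
    """
    found, negated = [], []
    for kind, lit, mime in TOY_RULES:
        witness = solve(negated + [StrConstraint(kind, lit, True)])
        if witness is not None:
            assert toy_sniff(witness, declared) == mime
            found.append((mime, witness))
        negated.append(StrConstraint(kind, lit, False))
    witness = solve(negated)
    if witness is not None:
        found.append((declared, witness))
    return found


def byte_level_branches(lit: bytes, window: int = WINDOW) -> int:
    """Worst-case byte comparisons a naive substring scan of the window makes;
    a byte-level explorer sees each as a separate branch, the string level sees one."""
    return (window - len(lit) + 1) * len(lit)


def sniffing_xss_candidates(declared="image/gif"):
    """Paths where the declared non-HTML type is overridden to text/html."""
    return [w for mime, w in explore(declared)
            if mime == "text/html" and declared != "text/html"]


if __name__ == "__main__":
    for mime, witness in explore():
        print(f"{mime:24s} <- {witness!r}")
    print("byte-level branches for b'<script':", byte_level_branches(b"<script"))
    print("candidates served as image/gif but sniffed as HTML:", sniffing_xss_candidates())
```

Running the block prints one witness per path and the two inputs that a server would label `image/gif` but this toy sniffer would render as HTML. The real models in the report are far larger than four rules, which is exactly why the per-byte branch count matters: every `contains` over the window multiplies the byte-level search space, while the string-level constraint stays a single decision.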
BibTeX citation:
@techreport{Caballero:EECS-2009-36, Author= {Caballero, Juan and McCamant, Stephen and Barth, Adam and Song, Dawn}, Title= {Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries}, Year= {2009}, Month= {Mar}, Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-36.html}, Number= {UCB/EECS-2009-36}, Abstract= {Models of security-sensitive code enable reasoning about the security implications of code. In this paper we present an approach for extracting models of security-sensitive operations directly from program binaries, which lets third-party analysts reason about a program when the source code is not available. Our approach is based on string-enhanced white-box exploration, a new technique that improves the effectiveness of current white-box exploration techniques on programs that use strings, by reasoning directly about string operations, rather than about the individual byte-level operations that comprise them. We implement our approach and use it to extract models of the closed-source content sniffing algorithms of two popular browsers: Internet Explorer 7 and Safari 3.1. We use the generated models to automatically find recently studied content-sniffing XSS attacks, and show the benefits of string-enhanced white-box exploration over current byte-level exploration techniques.}, }
EndNote citation:
%0 Report %A Caballero, Juan %A McCamant, Stephen %A Barth, Adam %A Song, Dawn %T Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries %I EECS Department, University of California, Berkeley %D 2009 %8 March 6 %@ UCB/EECS-2009-36 %U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-36.html %F Caballero:EECS-2009-36