Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries

Juan Caballero, Stephen McCamant, Adam Barth and Dawn Song

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2009-36
March 6, 2009

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-36.pdf

Models of security-sensitive code enable reasoning about the security implications of code. In this paper we present an approach for extracting models of security-sensitive operations directly from program binaries, which lets third-party analysts reason about a program when the source code is not available. Our approach is based on string-enhanced white-box exploration, a new technique that improves the effectiveness of current white-box exploration techniques on programs that use strings, by reasoning directly about string operations, rather than about the individual byte-level operations that comprise them. We implement our approach and use it to extract models of the closed-source content sniffing algorithms of two popular browsers: Internet Explorer 7 and Safari 3.1. We use the generated models to automatically find recently studied content-sniffing XSS attacks, and show the benefits of string-enhanced white-box exploration over current byte-level exploration techniques.
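The use case in the abstract, as an added example that is not code from the report and not the IE7 or Safari models it extracts: a hypothetical, deliberately simplified content-sniffing model and upload filter (both are assumptions made here for illustration), followed by a search for a "chameleon" document that the filter accepts as a GIF but the sniffer model classifies as text/html. The search reasons about the two constraints as string constraints (a required prefix and a required substring inside a fixed window) rather than enumerating bytes. The function names, the tag list, the window size and the sample inputs are all invented for this example.

```python
from typing import Optional

# --- Hypothetical sniffer model (an assumption for this example; it is not
# the IE7 or Safari model extracted in the report) ----------------------------
SNIFF_WINDOW = 256                       # bytes the hypothetical sniffer inspects
HTML_TAGS = (b"<html", b"<script", b"<body", b"<head", b"<title")
IMAGE_MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def sniff(content: bytes, declared_type: str) -> str:
    """Return the MIME type the hypothetical browser would treat `content` as.

    Rule order is the security-relevant detail: an HTML tag anywhere in the
    window wins over a matching image magic, so a file that is a valid GIF
    for the server can still be rendered as HTML by the browser.
    """
    window = content[:SNIFF_WINDOW].lower()
    if any(tag in window for tag in HTML_TAGS):
        return "text/html"
    for magic, mime in IMAGE_MAGIC.items():
        if content.startswith(magic):
            return mime
    return declared_type


# --- Hypothetical site-side upload filter -------------------------------------
def filter_accepts(content: bytes, declared_type: str) -> bool:
    """Accept an upload only when its magic bytes match the declared type."""
    for magic, mime in IMAGE_MAGIC.items():
        if content.startswith(magic):
            return mime == declared_type
    return False


# --- Chameleon search at the string level -------------------------------------
def find_chameleon(declared_type: str = "image/gif") -> Optional[bytes]:
    """Construct a document accepted by the filter but sniffed as HTML.

    Both models impose string constraints on the same input: the filter needs
    a prefix equal to an image magic for `declared_type`, the sniffer needs
    an HTML tag within the first SNIFF_WINDOW bytes. A witness is the
    concatenation of the two, as long as the tag still lands in the window.
    """
    payload = b"<html><script>alert(1)</script></html>"
    for magic, mime in IMAGE_MAGIC.items():
        if mime != declared_type:
            continue
        if len(magic) + len(b"<html") > SNIFF_WINDOW:
            continue
        candidate = magic + payload
        if filter_accepts(candidate, declared_type) and \
                sniff(candidate, declared_type) == "text/html":
            return candidate
    return None


def hardened_filter_accepts(content: bytes, declared_type: str) -> bool:
    """Run the browser model at upload time and reject anything it renders as HTML."""
    return filter_accepts(content, declared_type) and \
        sniff(content, declared_type) != "text/html"


if __name__ == "__main__":
    chameleon = find_chameleon("image/gif")
    print("chameleon:", chameleon)
    print("filter accepts:", filter_accepts(chameleon, "image/gif"))
    print("browser sniffs as:", sniff(chameleon, "image/gif"))
    print("hardened filter accepts:", hardened_filter_accepts(chameleon, "image/gif"))
```

The window boundary is the edge case worth checking: the same HTML tag placed past byte 256 of a constructed GIF is ignored by this sniffer, so a search that reasons per byte has to consider every offset in the window, while the string-level formulation places the tag by construction. Running the sniffer model inside the upload filter, as `hardened_filter_accepts` does, is the practitioner's check that follows from having such a model at all.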


BibTeX citation:

@techreport{Caballero:EECS-2009-36,
    Author = {Caballero, Juan and McCamant, Stephen and Barth, Adam and Song, Dawn},
    Title = {Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2009},
    Month = {Mar},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-36.html},
    Number = {UCB/EECS-2009-36},
    Abstract = {Models of security-sensitive code enable reasoning about the security implications of code. In this paper
we present an approach for extracting models of security-sensitive operations directly from program
binaries, which lets third-party analysts reason about a program when the source code is not available.
Our approach is based on string-enhanced white-box exploration, a new technique that improves the
effectiveness of current white-box exploration techniques on programs that use strings, by reasoning
directly about string operations, rather than about the individual byte-level operations that comprise
them. We implement our approach and use it to extract models of the closed-source content sniffing
algorithms of two popular browsers: Internet Explorer 7 and Safari 3.1. We use the generated models
to automatically find recently studied content-sniffing XSS attacks, and show the benefits of
string-enhanced white-box exploration over current byte-level exploration techniques.}
}

EndNote citation:

%0 Report
%A Caballero, Juan
%A McCamant, Stephen
%A Barth, Adam
%A Song, Dawn
%T Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries
%I EECS Department, University of California, Berkeley
%D 2009
%8 March 6
%@ UCB/EECS-2009-36
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-36.html
%F Caballero:EECS-2009-36