James Newsome and Stephen McCamant and Dawn Song

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2009-47

April 7, 2009

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-47.pdf

The channel capacity of a program is a quantitative measure of the amount of control that the inputs to a program have over its outputs. Because it corresponds to worst-case assumptions about the probability distribution over those inputs, it is particularly appropriate for security applications where the inputs are under the control of an adversary. We introduce a family of complementary techniques for measuring channel capacity automatically using a decision procedure (SAT or #SAT solver), which give either exact or narrow probabilistic bounds.

We then apply these techniques to the problem of analyzing false positives produced by dynamic taint analysis used to detect control-flow hijacking in commodity software. Dynamic taint analysis is based on the principle that an attacker should not be able to control values such as function pointers and return addresses, but it uses a simple binary approximation of control that commonly leads to both false positive and false negative errors. Based on channel capacity, we propose a more refined quantitative measure of influence, which can effectively distinguish between true attacks and false positives. We use a practical implementation of our influence measuring techniques, integrated with a dynamic taint analysis operating on x86 binaries, to classify tainting warnings produced by vulnerable network servers, such as those attacked by the Blaster and SQL Slammer worms. Influence measurement correctly distinguishes real attacks from tainting false positives, a task that would otherwise need to be done manually.


BibTeX citation:

@techreport{Newsome:EECS-2009-47,
    Author= {Newsome, James and McCamant, Stephen and Song, Dawn},
    Title= {Measuring Channel Capacity to Distinguish Undue Influence},
    Year= {2009},
    Month= {Apr},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-47.html},
    Number= {UCB/EECS-2009-47},
    Abstract= {The channel capacity of a program is a quantitative
measure of the amount of control that the inputs to a
program have over its outputs.  Because it corresponds
to worst-case assumptions about the probability
distribution over those inputs, it is particularly
appropriate for security applications where the inputs
are under the control of an adversary.  We introduce a
family of complementary techniques for measuring
channel capacity automatically using a decision
procedure (SAT or #SAT solver), which give either exact
or narrow probabilistic bounds.

We then apply these techniques to the problem of
analyzing false positives produced by dynamic taint
analysis used to detect control-flow hijacking in
commodity software.  Dynamic taint analysis is based on
the principle that an attacker should not be able to
control values such as function pointers and return
addresses, but it uses a simple binary approximation of
control that commonly leads to both false positive and
false negative errors.  Based on channel capacity, we
propose a more refined quantitative measure of
influence, which can effectively distinguish between
true attacks and false positives.  We use a practical
implementation of our influence measuring techniques,
integrated with a dynamic taint analysis operating on
x86 binaries, to classify tainting warnings produced by
vulnerable network servers, such as those attacked by
the Blaster and SQL Slammer worms.  Influence
measurement correctly distinguishes real attacks from
tainting false positives, a task that would otherwise
need to be done manually.},
}

EndNote citation:

%0 Report
%A Newsome, James 
%A McCamant, Stephen 
%A Song, Dawn 
%T Measuring Channel Capacity to Distinguish Undue Influence
%I EECS Department, University of California, Berkeley
%D 2009
%8 April 7
%@ UCB/EECS-2009-47
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-47.html
%F Newsome:EECS-2009-47