
AFRL-RY-WP-TR-2015-0017

PREVENTING EXPLOITS AGAINST SOFTWARE OF UNCERTAIN PROVENANCE (PEASOUP)

David Melski
GrammaTech, Inc.

MAY 2015
Final Report

Approved for public release; distribution unlimited. See additional restrictions described on inside pages.

©2014 GrammaTech, Inc.

STINFO COPY

AIR FORCE RESEARCH LABORATORY
SENSORS DIRECTORATE
WRIGHT-PATTERSON AIR FORCE BASE, OH 45433-7320
AIR FORCE MATERIEL COMMAND
UNITED STATES AIR FORCE

NOTICE AND SIGNATURE PAGE

Using Government drawings, specifications, or other data included in this document for any purpose other than Government procurement does not in any way obligate the U.S. Government. The fact that the Government formulated or supplied the drawings, specifications, or other data does not license the holder or any other person or corporation; or convey any rights or permission to manufacture, use, or sell any patented invention that may relate to them.

This report was cleared for public release by the USAF 88th Air Base Wing (88 ABW) Public Affairs Office (PAO) and is available to the general public, including foreign nationals. Copies may be obtained from the Defense Technical Information Center (DTIC) (http://www.dtic.mil).

AFRL-RY-WP-TR-2015-0017 HAS BEEN REVIEWED AND IS APPROVED FOR PUBLICATION IN ACCORDANCE WITH ASSIGNED DISTRIBUTION STATEMENT.

//Signature//
KENNETH LITTLEJOHN, Program Manager
Avionics Vulnerability Mitigation Branch

//Signature//
DAVID G. HAGSTROM, Chief
Avionics Vulnerability Mitigation Branch

//Signature//
TODD A. KASTLE, Chief
Spectrum Warfare Division

This report is published in the interest of scientific and technical information exchange, and its publication does not constitute the Government’s approval or disapproval of its ideas or findings.

*Disseminated copies will show “//Signature//” stamped or typed above the signature blocks.

REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)

The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.

1. REPORT DATE (DD-MM-YY): May 2015
2. REPORT TYPE: Final
3. DATES COVERED (From - To): 26 August 2010 – 30 November 2013
4. TITLE AND SUBTITLE: PREVENTING EXPLOITS AGAINST SOFTWARE OF UNCERTAIN PROVENANCE (PEASOUP)
5a. CONTRACT NUMBER: FA8650-10-C-7025
5b. GRANT NUMBER:
5c. PROGRAM ELEMENT NUMBER: 69199F
5d. PROJECT NUMBER: OthAF
5e. TASK NUMBER: RY
5f. WORK UNIT NUMBER: Y0LG
6. AUTHOR(S): David Melski
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): GrammaTech, Inc., 531 Esty Street, Ithaca, NY 14850
8. PERFORMING ORGANIZATION REPORT NUMBER:
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): Air Force Research Laboratory, Sensors Directorate, Air Force Materiel Command, United States Air Force, Wright-Patterson Air Force Base, OH 45433-7320; Intelligence Advanced Research Project Activity (IARPA), Office of the Director of National Intelligence (ODNI), Washington, DC 20511
10. SPONSORING/MONITORING AGENCY ACRONYM(S): AFRL/RYWA
11. SPONSORING/MONITORING AGENCY REPORT NUMBER(S): AFRL-RY-WP-TR-2015-0017
12. DISTRIBUTION/AVAILABILITY STATEMENT: Approved for public release; distribution unlimited.
13. SUPPLEMENTARY NOTES: ©2014 GrammaTech, Inc. The U.S. Government is joint author of the work and has the right to use, modify, reproduce, release, perform, display or disclose the work. PAO Case Number 88ABW-2015-2491, Clearance Date 20 May 2015. Report contains color.
14. ABSTRACT: We describe the results of the research and development of PEASOUP (Preventing Exploits Against Software of Uncertain Provenance), a technology that enables the safe execution of software executables. PEASOUP provides the following capabilities: prevents exploits of number-handling weaknesses and memory-safety weaknesses; prevents OS command injections, OS command argument injections, SQL injections, and denial-of-service exploits based on inducing a null-pointer dereference; and prevents any exploit based on arc-injection or code-injection, regardless of the type of vulnerability targeted for attack. PEASOUP also offers experimental protection against exploit of many concurrency and resource drain vulnerabilities, including: file-system Time-Of-Check-to-Time-Of-Use (TOCTOU) vulnerabilities, use of non-reentrant functions in signal handlers, deadlock vulnerabilities, atomicity violations, memory leaks, and file-handle leaks. The PEASOUP effort advanced the state-of-the-art in automatic machine-code analysis, diversification, confinement, and remediation. Specific results include: a technique for preventing command injection attacks inspired by DNA Shotgun Sequencing, a technique that often allows server programs to remain operational after an attempted null-pointer dereference, improved integer-error analyses, improved protections for heap- and stack-allocated memory, novel techniques for analyzing file input types, and a superior design for a software dynamic translator that prevents attacks against the translator.
15. SUBJECT TERMS: software security, automatic binary repair, automatic binary hardening, exploit prevention
16. SECURITY CLASSIFICATION OF: a. REPORT: Unclassified; b. ABSTRACT: Unclassified; c. THIS PAGE: Unclassified
17. LIMITATION OF ABSTRACT: SAR
18. NUMBER OF PAGES: 258
19a. NAME OF RESPONSIBLE PERSON (Monitor): Kenneth Littlejohn
19b. TELEPHONE NUMBER (Include Area Code): N/A

Standard Form 298 (Rev. 8-98), Prescribed by ANSI Std. Z39-18

ABSTRACT

We describe the results of the research and development of PEASOUP (Preventing Exploits Against Software of Uncertain Provenance), a technology that enables the safe execution of software executables. PEASOUP provides the following capabilities: prevents exploits of number-handling weaknesses and memory-safety weaknesses; prevents OS command injections, OS command argument injections, SQL injections, and denial-of-service exploits based on inducing a null-pointer dereference; and prevents any exploit based on arc-injection or code-injection, regardless of the type of vulnerability targeted for attack. PEASOUP also offers experimental protection against exploit of many concurrency and resource drain vulnerabilities, including: file-system Time-Of-Check-to-Time-Of-Use (TOCTOU) vulnerabilities, use of non-reentrant functions in signal handlers, deadlock vulnerabilities, atomicity violations, memory leaks, and file-handle leaks. The PEASOUP effort advanced the state-of-the-art in automatic machine-code analysis, diversification, confinement, and remediation.

Specific results include: a technique for preventing command injection attacks that was inspired by DNA Shotgun Sequencing, a technique that often allows server programs to remain operational even after an attempted null-pointer dereference, improved integer-error analyses and protections that apply to large programs with a low false positive rate, improved protections for heap- and stack-allocated memory, novel techniques for analyzing file input types, and a superior design for a software dynamic translator that prevents attacks against the translator.

TABLE OF CONTENTS

SECTION / PAGE
ABSTRACT / i
TABLE OF CONTENTS / i
LIST OF FIGURES / v
LIST OF TABLES / viii
1.0 SUMMARY / 1
2.0 INTRODUCTION / 3
2.1 Innovation Goals for the Proposed Research / 4
2.2 Summary of the Products and Transferable Technology / 5
2.3 Use of Third-Party COTS Products / 7
2.4 Overview of the Technical Approach and Plan / 8
2.4.1 The (Offline) Analyzer / 8
2.4.2 The Execution Manager / 9
2.4.3 The Intermediate Representation Database / 10
2.5 Objectives, Scientific Relevance, Technical Approach and Expected Significance / 10
2.5.1 Technology Leveraged in PEASOUP / 10
2.5.2 Components of PEASOUP / 15
2.6 Related Research / 20
2.7 Project Contributors / 22
2.8 Summary of Statement of Work Tasks / 22
2.8.1 Phase 1 Tasks / 22
2.8.2 Phase 2 Tasks / 25
2.8.3 Phase 3 Tasks / 26
2.8.4 Management Tasks / 27
2.9 Outline of Remainder of Report / 27
3.0 METHODS, ASSUMPTIONS, AND PROCEDURES / 28
3.1 Evaluation Metrics and Methodology / 28
3.1.1 Preliminary Phase 1 Test and Evaluation (December 2011) / 29
3.1.2 Final Phase 1 Test and Evaluation (April, 2012) / 32
3.1.3 Phase 2 Test and Evaluation / 39
3.1.4 Phase 3 Test and Evaluation / 39
3.1.5 Component Test and Evaluation / 39
3.2 Platform and Environment Assumptions / 43
3.3 Core Technologies / 43
3.3.1 Intermediate Representation Database (IRDB) / 44
3.3.2 Input Generation: The Grace Concolic Execution Engine / 46
3.3.3 Input Replayer / 53
3.3.4 STARS Static Analyzer / 54
3.3.5 Data Delineation Analysis (DDA) / 58
3.3.6 Dynamic Rewriting / 62
3.3.7 Efficient Checkpointing for Remediation / 64
3.4 C1: Number-Handling Errors / 69
3.4.1 Confinement of Incorrect Number-Handling Weaknesses / 69
3.5 C4: Resource Drains / 74
3.6 C5: Command Injection / 75
3.6.1 Threat Model / 77
3.6.2 Software