efficient, context-sensitive detection of real-world semantic attacks
DESCRIPTION
Michael Bond Varun Srivastava Kathryn McKinley Vitaly Shmatikov University of Texas at Austin. Efficient, Context-Sensitive Detection of Real-World Semantic Attacks. Real Semantic Exploits & Efficient, Context-Sensitive Detection. How an applet loads a class. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/1.jpg)
Michael BondVarun SrivastavaKathryn McKinleyVitaly ShmatikovUniversity of Texas at Austin
![Page 2: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/2.jpg)
Real Semantic Exploits&
Efficient, Context-Sensitive Detection
![Page 3: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/3.jpg)
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
How an applet loads a class
![Page 4: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/4.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
![Page 5: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/5.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
Access-control security
![Page 6: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/6.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
![Page 7: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/7.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
![Page 8: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/8.jpg)
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
Sun Java Virtual Machine 1.3
![Page 9: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/9.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
![Page 10: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/10.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
![Page 11: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/11.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
![Page 12: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/12.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
Semantic exploit
Examples:•Omitted security check•Untrusted code executes in wrong context•Misconfigured security policy
![Page 13: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/13.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
How to detect this exploit?
Infeasible path detection?
Does not violate semantics
(e.g., type & memory safety,
control-flow integrity)
![Page 14: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/14.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
How to detect this exploit?
Check against specification?
No specification available
![Page 15: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/15.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
How to detect this exploit?
Infer specification from dynamic behavior?
![Page 16: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/16.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
classLoader.loadClass(“sun/applet/AppletClassLoader”);classLoader.loadClass(“sun/applet/AppletClassLoader”);
Which dynamic behavior?
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
![Page 17: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/17.jpg)
loadClass(“java.util.HashMap”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“sun/applet/AppletClassLoader”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“MyClass”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :139
File.exists()
![Page 18: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/18.jpg)
loadClass(“java.util.HashMap”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“sun/applet/AppletClassLoader”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“MyClass”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :139
File.exists()
Train
Deploy
![Page 19: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/19.jpg)
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
![Page 20: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/20.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
![Page 21: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/21.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
![Page 22: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/22.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...} SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
![Page 23: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/23.jpg)
loadClass(“java.util.HashMap”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“sun/applet/AppletClassLoader”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“MyClass”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :139
File.exists()
![Page 24: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/24.jpg)
loadClass(“java.util.HashMap”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“sun/applet/AppletClassLoader”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“MyClass”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :139
File.exists()
![Page 25: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/25.jpg)
loadClass(“java.util.HashMap”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“sun/applet/AppletClassLoader”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :121
File.exists()
loadClass(“MyClass”);… SecurityManager.checkPackageAccess()…… FileURLLoader.getResource():73 walkPathComponents() :139
File.exists()
Train
Train
Deploy
![Page 26: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/26.jpg)
(Sampled & Reproduced)Real Semantic Exploits
Context sensitivity needed?
History sensitivity needed?
SlashPathMistakenly omitted security check
Yes Yes
XSLTUntrusted code executes in wrong (application) security context
Yes No
LiveConnectUntrusted code executes in wrong (applet) security context
No No
OperaPolicyMisconfigured security policy
No No
![Page 27: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/27.jpg)
ClassLoader.loadClass():312ClassLoader.loadClass():312
ClassLoader.loadClass():341ClassLoader.loadClass():341
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
FileURLLoader.walkPathComponents():121FileURLLoader.walkPathComponents():121
More
con
text
sen
siti
vit
y
![Page 28: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/28.jpg)
ClassLoader.loadClass():312ClassLoader.loadClass():312
ClassLoader.loadClass():341ClassLoader.loadClass():341
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
FileURLLoader.walkPathComponents():121FileURLLoader.walkPathComponents():121
Fals
e n
egati
ves
Fals
e p
osi
tives
More
con
text
sen
siti
vit
y
![Page 29: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/29.jpg)
ClassLoader.loadClass():312ClassLoader.loadClass():312
ClassLoader.loadClass():341ClassLoader.loadClass():341
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
FileURLLoader.walkPathComponents():121FileURLLoader.walkPathComponents():121
Fals
e n
egati
ves
Fals
e p
osi
tives
More
con
text
sen
siti
vit
y
Overh
ead
![Page 30: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/30.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
![Page 31: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/31.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
S ← walkStack ()check ( S )
S ← walkStack ()check ( S )
![Page 32: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/32.jpg)
![Page 33: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/33.jpg)
Proportional todepth & security
calls
High overhead at security calls
![Page 34: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/34.jpg)
Efficient,Depth-Limited
Context Sensitivity
![Page 35: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/35.jpg)
Represent calling context asprobabilistically unique integer
![Page 36: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/36.jpg)
Compute value at every callUse value at security calls
![Page 37: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/37.jpg)
Compute value at every callUse value at security calls
Always-available contextLow overhead at security calls
![Page 38: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/38.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
![Page 39: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/39.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
V1 ← f ( V0 , cs1 )
V0 ← 0
![Page 40: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/40.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
V1 ← f ( V0 , cs1 )
V2 ← f ( V0 , cs2 )
V0 ← 0
![Page 41: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/41.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
V1 ← f ( V0 , cs1 )
V2 ← f ( V0 , cs2 )V3 ← f ( V2 , cs3 )
V4 ← f ( V3 , cs4 )
V5 ← f ( V4 , cs5 )V6 ← f ( V5 , cs6 )
V7 ← f ( V6 , cs7 )
V0 ← 0
![Page 42: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/42.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
V1 ← f ( V0 , cs1 )check ( V1 )
V2 ← f ( V0 , cs2 )V3 ← f ( V2 , cs3 )
V4 ← f ( V3 , cs4 )
V5 ← f ( V4 , cs5 )V6 ← f ( V5 , cs6 )
V7 ← f ( V6 , cs7 )check ( V7 )
V0 ← 0
![Page 43: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/43.jpg)
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass();}
ClassLoader.loadClass():341ClassLoader.loadClass():341
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
walkPathComponents() { ...121: { ... if (file.exists()) ... } ...139: { ... if (file.exists()) ... } ...}
SecurityManager.checkRead()SecurityManager.checkRead()
File.checkRead():1485File.checkRead():1485
File.exists():268File.exists():268
FileURLLoader.getResource():73FileURLLoader.getResource():73
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“java.util.HashSet”);classLoader.loadClass(“java.util.HashSet”);
V1 ← f ( V0 , cs1 )check ( V1 )
V2 ← f ( V0 , cs2 )V3 ← f ( V2 , cs3 )
V4 ← f ( V3 , cs4 )
V5 ← f ( V4 , cs5 )V6 ← f ( V5 , cs6 )
V7 ← f ( V6 , cs7 )check ( V7 )
V0 ← 0
Historysensitivity
![Page 44: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/44.jpg)
f ( V , cs ) ≡ 3V + cs (mod 232)
![Page 45: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/45.jpg)
f ( V , cs ) ≡ 3V + cs (mod 232)
Motivated by MPI data-type hashing [Langou et al. ’05] [Gropp ’00]
![Page 46: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/46.jpg)
f ( V , cs ) ≡ 3V + cs (mod 232)
Encodes entire calling context
![Page 47: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/47.jpg)
f ( V , cs ) ≡ 2 32/k V + cs (mod 232)
Encodes last k call sites
![Page 48: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/48.jpg)
f ( V , cs ) ≡ 2 32/k V + cs (mod 232)
Cheap to compute
![Page 49: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/49.jpg)
f ( V , cs ) ≡ 2 32/k V + cs (mod 232)
Cheap to computeComposition cheap to compute
![Page 50: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/50.jpg)
f ( V , cs ) ≡ 2 32/k V + cs (mod 232)
Cheap to computeComposition cheap to computeNon-commutative
![Page 51: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/51.jpg)
f ( V , cs ) ≡ 2 32/k V + cs (mod 232)
Cheap to computeComposition cheap to computeNon-commutativeProbabilistically unique (?)
![Page 52: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/52.jpg)
![Page 53: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/53.jpg)
Not proportionalto depth
Low overhead at security calls
![Page 54: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/54.jpg)
Detect all exploitswithout many false positives
Context sensitivity: 3History sensitivity: 1
![Page 55: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/55.jpg)
Real Semantic Exploit
Context sensitivity needed?
History sensitivity needed?
SlashPathMistakenly omitted security check
Yes Yes
XSLTUntrusted code executes in wrong (application) security context
Yes No
LiveConnectUntrusted code executes in wrong (applet) security context
No No
OperaPolicyMisconfigured security policy
No No
![Page 56: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/56.jpg)
Leave-one-out cross-validation on
12 benign applets8 benign XSLT inputs
![Page 57: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/57.jpg)
Leave-one-out cross-validation on
12 benign applets8 benign XSLT inputs
Depth-limited context sensitivity needed
![Page 58: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/58.jpg)
Context and history sensitivityfor unsafe languages [Forrest et al., Feng et
al.]
Context sensitivityfor anomalous paths [Inoue et al.]
![Page 59: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/59.jpg)
Context & history sensitivityactually neededfor real exploits
![Page 60: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/60.jpg)
Context & history sensitivityactually neededfor real exploits
Tension between false positives & negatives
![Page 61: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/61.jpg)
![Page 62: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/62.jpg)
check(V) { H = h(V, lastV); checkHelper(H); lastV = V; }
![Page 63: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/63.jpg)
classLoader.loadClass(“java.util.HashSet”)classLoader.loadClass(“java.util.HashSet”)
SecurityManager.checkRead()SecurityManager.checkRead()SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
![Page 64: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/64.jpg)
classLoader.loadClass(“java.util.HashSet”)classLoader.loadClass(“java.util.HashSet”)
classLoader.loadClass(“sun/applet/AppletClassLoader”)classLoader.loadClass(“sun/applet/AppletClassLoader”)
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess() SecurityManager.checkRead()SecurityManager.checkRead()
SecurityManager.checkRead()SecurityManager.checkRead()SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
![Page 65: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/65.jpg)
classLoader.loadClass(“java.util.HashSet”)classLoader.loadClass(“java.util.HashSet”)
classLoader.loadClass(“sun/applet/AppletClassLoader”)classLoader.loadClass(“sun/applet/AppletClassLoader”)
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess() SecurityManager.checkRead()SecurityManager.checkRead()
SecurityManager.checkRead()SecurityManager.checkRead()SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
Train: observe behavior
Deploy: detect new behavior
![Page 66: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/66.jpg)
classLoader.loadClass(“java.util.HashSet”)classLoader.loadClass(“java.util.HashSet”)
classLoader.loadClass(“sun/applet/AppletClassLoader”)classLoader.loadClass(“sun/applet/AppletClassLoader”)
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess() SecurityManager.checkRead()SecurityManager.checkRead()
SecurityManager.checkRead()SecurityManager.checkRead()SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
SecurityManager.checkRead()SecurityManager.checkRead()SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
![Page 67: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/67.jpg)
classLoader.loadClass(“java.util.HashSet”)classLoader.loadClass(“java.util.HashSet”)
classLoader.loadClass(“sun/applet/AppletClassLoader”)classLoader.loadClass(“sun/applet/AppletClassLoader”)
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():139...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():139...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
![Page 68: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/68.jpg)
classLoader.loadClass(“java.util.HashSet”)classLoader.loadClass(“java.util.HashSet”)
classLoader.loadClass(“sun/applet/AppletClassLoader”)classLoader.loadClass(“sun/applet/AppletClassLoader”)
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
classLoader.loadClass(“MyClass”);classLoader.loadClass(“MyClass”);
SecurityManager.checkPackageAccess()SecurityManager.checkPackageAccess()
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():139...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():139...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
SecurityManager.checkRead()...FileURLLoader.walkPathComponents():121...
Train: observe behavior
Deploy: detect new behavior
Train: observe behavior
![Page 69: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/69.jpg)
C3 H1
Context sensitivity History sensitivity
![Page 70: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/70.jpg)
C3 H1
Context sensitivity History sensitivity(applets only)
![Page 71: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/71.jpg)
C0 H0 C0 H1
C1 H0 C1 H1
C3 H0 C3 H1
CH0 CH1
![Page 72: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/72.jpg)
Anomalies
(All)
C0H00 (35)
C1H00 (54)
C3H00 (110)
CH00 (194)
Anomalies
(All)
C0H10 (59)
C1H11 (90)
C3H12 (145)
CH12 (222)
![Page 73: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/73.jpg)
Anomalies
(All)
C00 (20)
C10 (40)
C32 (42)
C222 (1,573)
![Page 74: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/74.jpg)
Leave-one-out cross-validation on
12 benign applets8 benign XSLT inputs
![Page 75: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/75.jpg)
ArcTest
AtomViewer
CardTest
DiffEq
DitherTest
DrawTest
C3H0 0 0 0 0 4 0
C3H1 1 9 0 1 7 0
CH0 32 113 0 125 77 10
CH1 40 61 10 131 94 5Euler Gas Matrix Puzzle ReflFrame StringWave
C3H0 2 0 0 0 4 0
C3H1 6 1 0 1 6 0
CH0 46 14 56 10 74 9
CH1 101 28 73 12 93 0
![Page 76: Efficient, Context-Sensitive Detection of Real-World Semantic Attacks](https://reader036.vdocuments.net/reader036/viewer/2022070403/568139d6550346895da18ae9/html5/thumbnails/76.jpg)
ui resume testcase testcase2
C0 0 0 0 0
C1 1 0 0 2
C3 0 0 1 2
C 15 3 63 1,409
testcase3
testcase4
testcase5
testcase6
C0 0 0 0 0
C1 0 1 0 0
C3 0 1 0 0
C 6 2 49 1